From 3d84995e41adce70924f2df864cb58ce092d6a6b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 21 Feb 2022 00:58:47 +0000 Subject: [PATCH 0001/1479] Update Helm release argo-cd to v3.33.6 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index e406c500dd..1dd9d4c1f5 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 3.33.5 + version: 3.33.6 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From 1165962fc64e9c62b507c7b71bca1fc515b98dd8 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 22 Feb 2022 17:01:24 +0000 Subject: [PATCH 0002/1479] Update Helm release strimzi-kafka-operator to v0.28.0 --- services/strimzi/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/strimzi/Chart.yaml b/services/strimzi/Chart.yaml index 51e3bb71df..aa89f9558d 100644 --- a/services/strimzi/Chart.yaml +++ b/services/strimzi/Chart.yaml @@ -6,5 +6,5 @@ version: 0.1.0 appVersion: "0.26.0" dependencies: - name: strimzi-kafka-operator - version: "0.27.1" + version: "0.28.0" repository: https://strimzi.io/charts/ From e0114f4332d37649714560f2fcd607dcd1dfe476 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Tue, 22 Feb 2022 16:36:15 -0800 Subject: [PATCH 0003/1479] Update vo-cutouts chart, install in IDF prod Update to the vo-cutouts 0.3.0 chart and adjust the data-int configuration accordingly. Pin to a newer ticket branch. Add configuration for IDF prod and enable it. Update the configuration for data-dev similarly. --- science-platform/values-idfprod.yaml | 2 +- services/vo-cutouts/Chart.yaml | 2 +- services/vo-cutouts/values-idfdev.yaml | 6 +++++- services/vo-cutouts/values-idfint.yaml | 6 +++++- services/vo-cutouts/values-idfprod.yaml | 28 +++++++++++++++++++++++++ 5 files changed, 40 insertions(+), 4 deletions(-) create mode 100644 services/vo-cutouts/values-idfprod.yaml diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index afb59831be..ce00407b8a 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -57,4 +57,4 @@ tap_schema: vault_secrets_operator: enabled: true vo_cutouts: - enabled: false + enabled: true diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index c08386ebb1..202b49a7ee 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml @@ -3,7 +3,7 @@ name: vo-cutouts version: 1.0.0 dependencies: - name: vo-cutouts - version: 0.2.2 + version: 0.3.0 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 diff --git a/services/vo-cutouts/values-idfdev.yaml b/services/vo-cutouts/values-idfdev.yaml index 17ae2e4f9a..3f0a0907f4 100644 --- a/services/vo-cutouts/values-idfdev.yaml +++ b/services/vo-cutouts/values-idfdev.yaml @@ -7,7 +7,7 @@ vo-cutouts: image: pullPolicy: "Always" - tag: "tickets-DM-33513" + tag: "tickets-DM-33604" config: # There is currently no working Butler in data-dev, so this configuration 
@@ -23,6 +23,10 @@ vo-cutouts: instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" serviceAccount: "vo-cutouts@science-platform-dev-7696.iam.gserviceaccount.com" + cutoutWorker: + pullPolicy: "Always" + tag: "tickets-DM-33604" + pull-secret: enabled: true path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" diff --git a/services/vo-cutouts/values-idfint.yaml b/services/vo-cutouts/values-idfint.yaml index 77c26adb14..149ae9715a 100644 --- a/services/vo-cutouts/values-idfint.yaml +++ b/services/vo-cutouts/values-idfint.yaml @@ -7,7 +7,7 @@ vo-cutouts: image: pullPolicy: "Always" - tag: "tickets-DM-33513" + tag: "tickets-DM-33604" config: butlerRepository: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" @@ -19,6 +19,10 @@ vo-cutouts: instanceConnectionName: "science-platform-int-dc5d:us-central1:science-platform-int-8f439af2" serviceAccount: "vo-cutouts@science-platform-int-dc5d.iam.gserviceaccount.com" + cutoutWorker: + pullPolicy: "Always" + tag: "tickets-DM-33604" + pull-secret: enabled: true path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" diff --git a/services/vo-cutouts/values-idfprod.yaml b/services/vo-cutouts/values-idfprod.yaml new file mode 100644 index 0000000000..4a2c197983 --- /dev/null +++ b/services/vo-cutouts/values-idfprod.yaml 
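Review bot: The new `cutoutWorker` keys `pullPolicy` and `tag` sit directly under `cutoutWorker`, whereas the main image settings in the same file are nested under `image:`; unless the 0.3.0 chart reads them at that level, which this hunk cannot show, they would be silently ignored and the worker would run the chart's default image instead of the pinned ticket build. Nesting them one level deeper (`cutoutWorker:` → `image:` → `pullPolicy: "Always"` / `tag: "tickets-DM-33604"`) would mirror the top-level `image:` block. The same layout appears in the values-idfint.yaml hunk of this commit and in the new values-idfprod.yaml.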
@@ -0,0 +1,28 @@ +vo-cutouts: + imagePullSecrets: + - name: "pull-secret" + ingress: + host: "data.lsst.cloud" + vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/vo-cutouts" + + image: + pullPolicy: "Always" + tag: "tickets-DM-33604" + + config: + butlerRepository: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" + databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" + gcsBucketUrl: "s3://rubin-cutouts-stable-us-central1-output/" + + cloudsql: + enabled: true + instanceConnectionName: "science-platform-stable-6994:us-central1:science-platform-stable-0c29612b" + serviceAccount: "vo-cutouts@science-platform-stable-6994.iam.gserviceaccount.com" + + cutoutWorker: + pullPolicy: "Always" + tag: "tickets-DM-33604" + +pull-secret: + enabled: true + path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" From 4ba5e1a65e856084d2f8a3c2e67cfc7f127c6ba8 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 22 Feb 2022 17:12:06 -0800 Subject: [PATCH 0004/1479] Fix specification of the cutout worker image --- services/vo-cutouts/values-idfdev.yaml | 5 +++-- services/vo-cutouts/values-idfint.yaml | 5 +++-- services/vo-cutouts/values-idfprod.yaml | 5 +++-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/services/vo-cutouts/values-idfdev.yaml b/services/vo-cutouts/values-idfdev.yaml index 3f0a0907f4..c04e9dfdec 100644 --- a/services/vo-cutouts/values-idfdev.yaml +++ b/services/vo-cutouts/values-idfdev.yaml @@ -24,8 +24,9 @@ vo-cutouts: serviceAccount: "vo-cutouts@science-platform-dev-7696.iam.gserviceaccount.com" cutoutWorker: - pullPolicy: "Always" - tag: "tickets-DM-33604" + image: + pullPolicy: "Always" + tag: "tickets-DM-33604" pull-secret: enabled: true diff --git a/services/vo-cutouts/values-idfint.yaml b/services/vo-cutouts/values-idfint.yaml index 149ae9715a..61fc07b3c7 100644 --- a/services/vo-cutouts/values-idfint.yaml +++ b/services/vo-cutouts/values-idfint.yaml 
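Review bot: The new prod values file sets `pull-secret.path` to `secret/k8s_operator/data-int.lsst.cloud/pull-secret` while every other path in the file is under `data.lsst.cloud`; this looks copied from values-idfint.yaml and would have the prod environment read the int environment's registry credential from Vault, so it should presumably be `path: "secret/k8s_operator/data.lsst.cloud/pull-secret"`. `butlerRepository` is likewise byte-identical to the int file's value, so confirm it is the right repository for prod. Separately, `image.tag: "tickets-DM-33604"` together with `pullPolicy: "Always"` deploys a mutable ticket-branch tag to production, meaning whatever is next pushed to that tag is what prod runs on the next pod restart; a released, immutable tag (or a digest) is the safer pin once the image is released.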
@@ -20,8 +20,9 @@ vo-cutouts: serviceAccount: "vo-cutouts@science-platform-int-dc5d.iam.gserviceaccount.com" cutoutWorker: - pullPolicy: "Always" - tag: "tickets-DM-33604" + image: + pullPolicy: "Always" + tag: "tickets-DM-33604" pull-secret: enabled: true diff --git a/services/vo-cutouts/values-idfprod.yaml b/services/vo-cutouts/values-idfprod.yaml index 4a2c197983..2e1501bf8d 100644 --- a/services/vo-cutouts/values-idfprod.yaml +++ b/services/vo-cutouts/values-idfprod.yaml @@ -20,8 +20,9 @@ vo-cutouts: serviceAccount: "vo-cutouts@science-platform-stable-6994.iam.gserviceaccount.com" cutoutWorker: - pullPolicy: "Always" - tag: "tickets-DM-33604" + image: + pullPolicy: "Always" + tag: "tickets-DM-33604" pull-secret: enabled: true From cbd9d5865ea39323355f2abba0692500b98258b7 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 22 Feb 2022 17:25:18 -0800 Subject: [PATCH 0005/1479] Bump version of vo-cutouts chart Pick up several fixes. --- services/vo-cutouts/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index 202b49a7ee..d94e651826 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml @@ -3,7 +3,7 @@ name: vo-cutouts version: 1.0.0 dependencies: - name: vo-cutouts - version: 0.3.0 + version: 0.3.2 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From 26ca6b18b4a89de2d33f11b18141085a60bdf5a9 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 23 Feb 2022 09:32:21 -0800 Subject: [PATCH 0006/1479] Fix Butler repository URL for vo-cutouts IDF prod IDF prod uses a different Butler repository URL than IDF int. --- services/vo-cutouts/values-idfprod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vo-cutouts/values-idfprod.yaml b/services/vo-cutouts/values-idfprod.yaml index 2e1501bf8d..8ad32a86ef 100644 --- a/services/vo-cutouts/values-idfprod.yaml 
+++ b/services/vo-cutouts/values-idfprod.yaml @@ -10,7 +10,7 @@ vo-cutouts: tag: "tickets-DM-33604" config: - butlerRepository: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" + butlerRepository: "s3://butler-us-central1-dp01" databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" gcsBucketUrl: "s3://rubin-cutouts-stable-us-central1-output/" From 6fc61288cf41f33ed00565d221dceae46f7a0dd9 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 24 Feb 2022 09:41:33 -0700 Subject: [PATCH 0007/1479] Debug Chronograf OIDC authentication - By setting GENERIC_API_KEY=sub we use the sub token claim, which corresponds to the user's username, instead of the user's email address as Gafaelfawr does not always have an email address for a user. --- services/sasquatch/values-idfdev.yaml | 1 + services/sasquatch/values-minikube.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index c678530b54..3888b959ae 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -23,6 +23,7 @@ chronograf: JWKS_URL: https://data-dev.lsst.cloud/.well-known/jwks.json GENERIC_API_URL: https://data-dev.lsst.cloud/auth/userinfo GENERIC_SCOPES: openid + GENERIC_API_KEY: sub PUBLIC_URL: https://data-dev.lsst.cloud/ STATUS_FEED_URL: "https://lsst-sqre.github.io/sasquatch/feeds/idfdev.json" diff --git a/services/sasquatch/values-minikube.yaml b/services/sasquatch/values-minikube.yaml index bc0a81dc4c..4bb276e70d 100644 --- a/services/sasquatch/values-minikube.yaml +++ b/services/sasquatch/values-minikube.yaml @@ -23,6 +23,7 @@ chronograf: JWKS_URL: https://minikube.lsst.codes/.well-known/jwks.json GENERIC_API_URL: https://minikube.lsst.codes/auth/userinfo GENERIC_SCOPES: openid + GENERIC_API_KEY: sub PUBLIC_URL: https://minikube.lsst.codes STATUS_FEED_URL: "https://lsst-sqre.github.io/sasquatch/feeds/minikube.json" 
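Review bot: Switching the Chronograf identity key to the `sub` claim changes the principal under which users are known, so any Chronograf user records or role assignments created under the email principal will presumably no longer match and need to be re-created; confirm this before rolling the change out. The reason for the choice lives only in the commit message, so a comment above the new line would help the next reader, e.g. `# Key identities on the "sub" claim (username): Gafaelfawr does not always provide an email address.` The same applies to the values-minikube.yaml hunk in this commit.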
From 9346b14b452883edd0687d905c8b92b6087c7324 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 24 Feb 2022 08:55:58 -0800 Subject: [PATCH 0008/1479] Remove container pins for vo-cutouts 0.3.0 has been released, so we can now go back to using the default images. --- services/vo-cutouts/values-idfdev.yaml | 9 --------- services/vo-cutouts/values-idfint.yaml | 9 --------- services/vo-cutouts/values-idfprod.yaml | 9 --------- 3 files changed, 27 deletions(-) diff --git a/services/vo-cutouts/values-idfdev.yaml b/services/vo-cutouts/values-idfdev.yaml index c04e9dfdec..ef77c098a3 100644 --- a/services/vo-cutouts/values-idfdev.yaml +++ b/services/vo-cutouts/values-idfdev.yaml @@ -5,10 +5,6 @@ vo-cutouts: host: "data-dev.lsst.cloud" vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/vo-cutouts" - image: - pullPolicy: "Always" - tag: "tickets-DM-33604" - config: # There is currently no working Butler in data-dev, so this configuration # won't work. Leaving it here anyway since it has the correct @@ -23,11 +19,6 @@ vo-cutouts: instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" serviceAccount: "vo-cutouts@science-platform-dev-7696.iam.gserviceaccount.com" - cutoutWorker: - image: - pullPolicy: "Always" - tag: "tickets-DM-33604" - pull-secret: enabled: true path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" diff --git a/services/vo-cutouts/values-idfint.yaml b/services/vo-cutouts/values-idfint.yaml index 61fc07b3c7..84943c2d6b 100644 --- a/services/vo-cutouts/values-idfint.yaml +++ b/services/vo-cutouts/values-idfint.yaml @@ -5,10 +5,6 @@ vo-cutouts: host: "data-int.lsst.cloud" vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/vo-cutouts" - image: - pullPolicy: "Always" - tag: "tickets-DM-33604" - config: butlerRepository: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" 
@@ -19,11 +15,6 @@ vo-cutouts: instanceConnectionName: "science-platform-int-dc5d:us-central1:science-platform-int-8f439af2" serviceAccount: "vo-cutouts@science-platform-int-dc5d.iam.gserviceaccount.com" - cutoutWorker: - image: - pullPolicy: "Always" - tag: "tickets-DM-33604" - pull-secret: enabled: true path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" diff --git a/services/vo-cutouts/values-idfprod.yaml b/services/vo-cutouts/values-idfprod.yaml index 8ad32a86ef..7ada1cff9c 100644 --- a/services/vo-cutouts/values-idfprod.yaml +++ b/services/vo-cutouts/values-idfprod.yaml @@ -5,10 +5,6 @@ vo-cutouts: host: "data.lsst.cloud" vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/vo-cutouts" - image: - pullPolicy: "Always" - tag: "tickets-DM-33604" - config: butlerRepository: "s3://butler-us-central1-dp01" databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" @@ -19,11 +15,6 @@ vo-cutouts: instanceConnectionName: "science-platform-stable-6994:us-central1:science-platform-stable-0c29612b" serviceAccount: "vo-cutouts@science-platform-stable-6994.iam.gserviceaccount.com" - cutoutWorker: - image: - pullPolicy: "Always" - tag: "tickets-DM-33604" - pull-secret: enabled: true path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" From 9bea60213daaa0354ade6b768f7b6af967d0bc95 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 24 Feb 2022 10:26:34 -0700 Subject: [PATCH 0009/1479] Adopt newer charts for async k8s/GAR --- services/cachemachine/Chart.yaml | 2 +- services/nublado2/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/cachemachine/Chart.yaml b/services/cachemachine/Chart.yaml index 8a3a424fc5..1a09c14738 100644 --- a/services/cachemachine/Chart.yaml +++ b/services/cachemachine/Chart.yaml @@ -3,5 +3,5 @@ name: cachemachine version: 1.0.0 dependencies: - name: cachemachine - version: 1.2.2 + version: 1.2.3 repository: https://lsst-sqre.github.io/charts/ 
diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index 543a7c9157..daa7b7e2e1 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -3,7 +3,7 @@ name: nublado2 version: 1.0.0 dependencies: - name: nublado2 - version: 0.7.0 + version: 0.8.1 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From 88ccddaa7d49f8e449ae286fb9ccfa4ba47f6d8d Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 24 Feb 2022 11:10:02 -0700 Subject: [PATCH 0010/1479] Need newer Chart version --- services/nublado2/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index daa7b7e2e1..0103c480c5 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -3,7 +3,7 @@ name: nublado2 version: 1.0.0 dependencies: - name: nublado2 - version: 0.8.1 + version: 0.8.2 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From 1a391144d5b306ee23e8b5bad8f3479bbfde4b78 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 24 Feb 2022 12:04:49 -0700 Subject: [PATCH 0011/1479] Fix up dev repo images --- services/cachemachine/values-idfdev.yaml | 25 +++++++++++------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml index b334bbd647..d4d9920929 100644 --- a/services/cachemachine/values-idfdev.yaml +++ b/services/cachemachine/values-idfdev.yaml 
@@ -14,24 +14,21 @@ cachemachine: "name": "jupyter", "labels": {}, "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "us-central1-docker.pkg.dev", + "repo": "rubin-shared-services-7e1c/sciplat/sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 1, + "num_weeklies": 2, + "num_dailies": 3 + }, { "type": "SimpleRepoMan", "images": [ { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:exp_w_2022_06_pdf", - "name": "Experimental Weekly 2022_06 (PDF)" - }, - { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:exp_w_2022_06_tickets-DM-33448", - "name": "Experimental Weekly 2022_06 (tickets/DM-33448)" - }, - { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:exp_w_2022_05_shallowclone", - "name": "Experimental Weekly 2022_05 (shallowclone)" - }, - { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:exp_w_2022_04_mamba", - "name": "Experimental Weekly 2022_04 (mamba)" + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", + "name": "Weekly 2021_49" } ] } From acf51f7100c43a1a9ed02bf79947417db3b8d1b8 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 24 Feb 2022 12:16:32 -0700 Subject: [PATCH 0012/1479] Adopt newer cachemachine --- services/cachemachine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cachemachine/Chart.yaml b/services/cachemachine/Chart.yaml index 1a09c14738..dfb4eae1d8 100644 --- a/services/cachemachine/Chart.yaml +++ b/services/cachemachine/Chart.yaml @@ -3,5 +3,5 @@ name: cachemachine version: 1.0.0 dependencies: - name: cachemachine - version: 1.2.3 + version: 1.2.4 repository: https://lsst-sqre.github.io/charts/ From aed6982345ac854d04cf52a51d8fa03827cf5086 Mon Sep 17 00:00:00 2001 
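Review bot: The added RubinRepoMan entry names the project `rubin-shared-services-7e1c`, while the SimpleRepoMan `image_url` in the same `repomen` list uses `rubin-shared-services-71ec`; one of the two is presumably a typo, and if it is the new entry, the recommended/weekly/daily image listing would be fetched from a repository that does not exist. Given the rest of the file uses `71ec`, the line should likely read `"repo": "rubin-shared-services-71ec/sciplat/sciplat-lab",`.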
From: adam Date: Thu, 24 Feb 2022 12:18:15 -0700 Subject: [PATCH 0013/1479] correct URL typo --- services/cachemachine/values-idfdev.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml index d4d9920929..98fe5b49e4 100644 --- a/services/cachemachine/values-idfdev.yaml +++ b/services/cachemachine/values-idfdev.yaml @@ -17,7 +17,7 @@ cachemachine: { "type": "RubinRepoMan", "registry_url": "us-central1-docker.pkg.dev", - "repo": "rubin-shared-services-7e1c/sciplat/sciplat-lab", + "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, From 7b833d214af54e4c370be1ed176a94f104e0cbd5 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 24 Feb 2022 12:42:39 -0700 Subject: [PATCH 0014/1479] Pick up chart with 'read:metrics' --- services/nublado2/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index 0103c480c5..dea15f1b8e 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -3,7 +3,7 @@ name: nublado2 version: 1.0.0 dependencies: - name: nublado2 - version: 0.8.2 + version: 0.8.3 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From 31a2316e81e8c1c9e50ae99b5fc0687b5cc3ddee Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 24 Feb 2022 14:27:09 -0700 Subject: [PATCH 0015/1479] Point IDF at GAR --- services/cachemachine/values-idfint.yaml | 6 +++--- services/cachemachine/values-idfprod.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml index eb3ccb8c86..a2cf96433b 100644 --- a/services/cachemachine/values-idfint.yaml +++ b/services/cachemachine/values-idfint.yaml 
@@ -16,8 +16,8 @@ cachemachine: "repomen": [ { "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", + "registry_url": "us-central1-docker.pkg.dev", + "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, @@ -27,7 +27,7 @@ cachemachine: "type": "SimpleRepoMan", "images": [ { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", "name": "Weekly 2021_49" } ] diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml index 8d5b007bb6..5d0c7c90ec 100644 --- a/services/cachemachine/values-idfprod.yaml +++ b/services/cachemachine/values-idfprod.yaml @@ -16,8 +16,8 @@ cachemachine: "repomen": [ { "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", + "registry_url": "us-central1-docker.pkg.dev", + "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, @@ -27,7 +27,7 @@ cachemachine: "type": "SimpleRepoMan", "images": [ { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", "name": "Weekly 2021_49" } ] From f9aee609516507688695327b12380a728a1039e4 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 24 Feb 2022 14:29:20 -0700 Subject: [PATCH 0016/1479] Only do IDF int for now --- services/cachemachine/values-idfprod.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml index 5d0c7c90ec..8d5b007bb6 100644 --- a/services/cachemachine/values-idfprod.yaml +++ b/services/cachemachine/values-idfprod.yaml 
@@ -16,8 +16,8 @@ cachemachine: "repomen": [ { "type": "RubinRepoMan", - "registry_url": "us-central1-docker.pkg.dev", - "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", + "registry_url": "registry.hub.docker.com", + "repo": "lsstsqre/sciplat-lab", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, @@ -27,7 +27,7 @@ cachemachine: "type": "SimpleRepoMan", "images": [ { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", + "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", "name": "Weekly 2021_49" } ] From a6750e42b74bf0a7f2c777b16586f68bc21acef5 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 24 Feb 2022 13:30:58 -0800 Subject: [PATCH 0017/1479] Fix pull-secret path for vo-cutouts in IDF prod --- services/vo-cutouts/values-idfprod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vo-cutouts/values-idfprod.yaml b/services/vo-cutouts/values-idfprod.yaml index 7ada1cff9c..2fd39a400d 100644 --- a/services/vo-cutouts/values-idfprod.yaml +++ b/services/vo-cutouts/values-idfprod.yaml @@ -17,4 +17,4 @@ vo-cutouts: pull-secret: enabled: true - path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" + path: "secret/k8s_operator/data.lsst.cloud/pull-secret" From 110d34bf0cee641251df9092e588720a1094f2c1 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Fri, 25 Feb 2022 13:57:13 -0500 Subject: [PATCH 0018/1479] Add times-square application --- .../templates/times-square-application.yaml | 29 +++++++++++++++++++ science-platform/values-base.yaml | 2 ++ science-platform/values-idfdev.yaml | 2 ++ science-platform/values-idfint.yaml | 2 ++ science-platform/values-idfprod.yaml | 2 ++ science-platform/values-int.yaml | 2 ++ science-platform/values-minikube.yaml | 2 ++ science-platform/values-red-five.yaml | 2 ++ science-platform/values-roe.yaml | 2 ++ science-platform/values-squash-sandbox.yaml | 2 ++ science-platform/values-stable.yaml | 2 ++ science-platform/values-summit.yaml | 2 ++ science-platform/values-tucson-teststand.yaml | 2 ++ science-platform/values.yaml | 2 ++ services/times-square/Chart.yaml | 10 +++++++ services/times-square/values-idfdev.yaml | 15 ++++++++++ 16 files changed, 80 insertions(+) create mode 100644 science-platform/templates/times-square-application.yaml create mode 100644 services/times-square/Chart.yaml create mode 100644 services/times-square/values-idfdev.yaml diff --git a/science-platform/templates/times-square-application.yaml b/science-platform/templates/times-square-application.yaml new file mode 100644 index 0000000000..a52868191a --- /dev/null +++ b/science-platform/templates/times-square-application.yaml @@ -0,0 +1,29 @@ +{{- if .Values.times_square.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: times-square +spec: + finalizers: + - kubernetes +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: times-square + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: times-square + server: https://kubernetes.default.svc + project: default + source: + path: services/times-square + repoURL: {{ .Values.repoURL }} + targetRevision: {{ .Values.revision }} + helm: + valueFiles: + - values-{{ .Values.environment }}.yaml +{{- end -}} 
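Review bot: `repoURL: {{ .Values.repoURL }}` and `targetRevision: {{ .Values.revision }}` are rendered as unquoted plain scalars, so a revision that looks like a number (a tag such as `1.2`) would be typed as a float by the YAML parser and rejected for a string field; quoting them, `repoURL: "{{ .Values.repoURL }}"` and `targetRevision: "{{ .Values.revision }}"`, avoids that. This presumably mirrors the other application templates under science-platform/templates, which are not in this diff, so if it is changed it should be changed in all of them for consistency.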
diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml index f6fc25bcdf..e204ece055 100644 --- a/science-platform/values-base.yaml +++ b/science-platform/values-base.yaml @@ -52,6 +52,8 @@ tap: enabled: false tap_schema: enabled: false +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index 092a95bd57..605c6492fe 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -54,6 +54,8 @@ tap: enabled: true tap_schema: enabled: true +times_square: + enabled: true vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 829ca638d1..641d734833 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -54,6 +54,8 @@ tap: enabled: true tap_schema: enabled: true +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index ce00407b8a..fad1db469f 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -54,6 +54,8 @@ tap: enabled: true tap_schema: enabled: true +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index 8a3e73bc12..d1932c7e67 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -54,6 +54,8 @@ tap: enabled: true tap_schema: enabled: true +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index 61a43e4981..b7c92edbc5 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml 
@@ -54,6 +54,8 @@ tap: enabled: true tap_schema: enabled: true +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-red-five.yaml b/science-platform/values-red-five.yaml index 21b98f9439..5699d8dc8c 100644 --- a/science-platform/values-red-five.yaml +++ b/science-platform/values-red-five.yaml @@ -52,6 +52,8 @@ tap: enabled: true tap_schema: enabled: true +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml index 02b6bd9779..1079503b9b 100644 --- a/science-platform/values-roe.yaml +++ b/science-platform/values-roe.yaml @@ -50,6 +50,8 @@ tap: enabled: true tap_schema: enabled: true +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml index 6ce8cd7738..76b98979ca 100644 --- a/science-platform/values-squash-sandbox.yaml +++ b/science-platform/values-squash-sandbox.yaml @@ -52,6 +52,8 @@ tap: enabled: false tap_schema: enabled: false +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 19e55ae044..585f224d84 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml @@ -54,6 +54,8 @@ tap: enabled: true tap_schema: enabled: true +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index 7502399305..2ed4bc4dc0 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -54,6 +54,8 @@ tap: enabled: false tap_schema: enabled: false +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: 
diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index e346915c05..d7974e819e 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -52,6 +52,8 @@ tap: enabled: false tap_schema: enabled: false +times_square: + enabled: false vault_secrets_operator: enabled: true vo_cutouts: diff --git a/science-platform/values.yaml b/science-platform/values.yaml index aecf274369..494bb56df0 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml @@ -50,6 +50,8 @@ tap: enabled: false tap_schema: enabled: false +times_square: + enabled: false vault_secrets_operator: enabled: false vo_cutouts: diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml new file mode 100644 index 0000000000..84dba95356 --- /dev/null +++ b/services/times-square/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +name: times-square +version: 1.0.0 +dependencies: + - name: times-square + version: 0.1.7 + repository: https://lsst-sqre.github.io/charts/ + - name: pull-secret + version: 0.1.2 + repository: https://lsst-sqre.github.io/charts/ diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml new file mode 100644 index 0000000000..588457e172 --- /dev/null +++ b/services/times-square/values-idfdev.yaml @@ -0,0 +1,15 @@ +times-square: + image: + tag: tickets-DM-33627 + vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/times-square" + config: + environmentUrl: "https://data-dev.lsst.cloud" + databaseUrl: "postgresql://times-square@localhost/times-square" + cloudsql: + enabled: true + instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" + serviceAccount: "times-square@science-platform-dev-7696.iam.gserviceaccount.com" + +pull-secret: + enabled: true + path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret 
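Review bot: The new services/times-square/values-idfdev.yaml enables `pull-secret` but sets no `imagePullSecrets` on the `times-square` values, unlike the vo-cutouts values files in this series which pair `pull-secret` with `imagePullSecrets: - name: "pull-secret"`; unless the chart injects it by default, which is not visible here, pulls of the private image would fail. The ticket-branch tag `tickets-DM-33627` is also not paired with a `pullPolicy`, whereas the vo-cutouts files use `pullPolicy: "Always"` for such mutable tags, so updates to the branch image may not be picked up. Finally, `tag: tickets-DM-33627` and `path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret` are unquoted while every other string in the file is quoted; quoting them keeps the file consistent.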
From 5dfaf9bff029bc751d238c432de32b65df7c6454 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 25 Feb 2022 15:01:30 -0500 Subject: [PATCH 0019/1479] Update times-square chart to 0.1.8 --- services/times-square/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 84dba95356..97b962f89f 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -3,7 +3,7 @@ name: times-square version: 1.0.0 dependencies: - name: times-square - version: 0.1.7 + version: 0.1.8 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From 55540eb7e6d451152074c7862d9fc4671735d307 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 25 Feb 2022 15:16:10 -0500 Subject: [PATCH 0020/1479] Configure ingress host name --- services/times-square/values-idfdev.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 588457e172..7710480cbc 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -1,6 +1,8 @@ times-square: image: tag: tickets-DM-33627 + ingress: + host: "data-dev.lsst.cloud" vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/times-square" config: environmentUrl: "https://data-dev.lsst.cloud" From e2f29a52a9f60bc34683f0717ead075868c0c5c1 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 25 Feb 2022 15:16:25 -0500 Subject: [PATCH 0021/1479] Configure imagePullSecrets for times-square --- services/times-square/values-idfdev.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 7710480cbc..f6aac01198 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml 
@@ -3,6 +3,8 @@ times-square: tag: tickets-DM-33627 ingress: host: "data-dev.lsst.cloud" + imagePullSecrets: + - name: "pull-secret" vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/times-square" config: environmentUrl: "https://data-dev.lsst.cloud" From da80db5a395497760dabe07c2ed6398913d8b827 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 18 Feb 2022 13:42:32 -0700 Subject: [PATCH 0022/1479] Document database addition (and do a step I missed last time) --- docs/ops/postgres/add-database.rst | 136 +++++++++++++++++++++++++++++ docs/ops/postgres/index.rst | 2 +- installer/generate_secrets.py | 1 + 3 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 docs/ops/postgres/add-database.rst diff --git a/docs/ops/postgres/add-database.rst b/docs/ops/postgres/add-database.rst new file mode 100644 index 0000000000..4871b2539b --- /dev/null +++ b/docs/ops/postgres/add-database.rst 
@@ -0,0 +1,136 @@ +##################### +Adding a new database +##################### + +From time to time you might need to add a new database to the internal +Postgres instance. + +Before you do, please ask yourself how valuable the data is: the +internal Postgres is not intended to be either highly available or +extremely reliable. It's designed for persistent storage for low-value +data, such as the JupyterHub session database, or Gafaelfawr's +authentication tokens, where the worst thing that happens, if it is +wiped out, is that a bunch of users lose their running sessions and have +to reauthenticate. + +Assuming that the internal Postgres is indeed the right choice for your +needs, there are several steps. + +========================= +Decide on a database name +========================= + +In general the database will require three things: a database name, a +username, and a password. Usually the database name and user should be +identical and should reflect the service that will consume the database, +e.g. ``gafaelfawr`` or ``exposurelog``. We will use ``exposurelog`` as +the model for the remainder of this document. + +========================== +Add the database to charts +========================== + +First, create the entries in ``charts``. Go to the +``charts/postgres/templates`` directory, and edit ``deployment.yaml`` to +add the new database/password entry. You should copy an existing +entry, and it should look like this: + + .. code-block:: yaml + + {{- with .Values.exposurelog_db }} + - name: VRO_DB_EXPOSURELOG_USER + value: {{ .user }} + - name: VRO_DB_EXPOSURELOG_DB + value: {{ .db }} + - name: VRO_DB_EXPOSURELOG_PASSWORD + valueFrom: + secretKeyRef: + name: postgres + key: exposurelog_password + {{- end }} + +Once you've done that, make sure you increment the chart version number in +``charts/postgres/Chart.yaml``. + +=========================== +Add the database to phalanx +=========================== + +Next, tackle ``phalanx``. 
First, add the password entry to Phalanx's +installer, so the next time a new cluster is deployed or an extant +cluster is redeployed, the password will be created. This belongs in +``installer/generate_secrets.py`` in the ``_postgres()`` method. + +Typically we use passwords that are ASCII representations of random +32-byte hexadecimal sequences. The passwords for all the non-root +Postgres users already look like that, so copying an existing line +and changing the name to reflect your service is usually correct: + + .. code-block:: python + + self._set_generated("postgres", "exposurelog_password", secrets.token_hex(32)) + +Make the Phalanx ``services/postgres/Chart.yaml`` entry depend on the +new chart version you earlier created. + +Finally, go edit the postgres ``values-.yaml`` files and add +a section for your new database with appropriate ``user`` and ``db`` +entries: + + .. code-block:: yaml + + exposurelog_db: + user: 'exposurelog' + db: 'exposurelog' + +Now start the PR and review process. However, there is a step you still +must do before you can synchronize the updated services: put the +password into Vault so it appears in the postgres secrets. + +================================ +Manually add the secret to Vault +================================ + +Since you have already added generation of the password to the +installer, you could just generate new secrets for each environment and +push them into Vault. That, however, would require that you restart +everything with randomly-generated passwords, and that's a fairly +disruptive operation, so you probably are better off manually injecting +just your new password. + +* Consult ``1Password`` and retrieve the appropriate vault write token for + the instance you're working with from ``vault_keys.json``. 
+* Set up your environment: ``export VAULT_ADDR=vault.lsst.codes ; export + VAULT_FORMAT=json ; export VAULT_TOKEN=`` +* Run ``vault kv get secret/k8s_operator//postgres > + pg_secret.json`` to retrieve the current secret to a local file. +* Edit ``pg_secret.json`` (throw away the entire file except for the + contents of ``data.data``: those contents become the new top-level + object). +* Create a new password; I generally use ``openssl rand -hex 32`` to + generate a suitable string. +* Add the new password to ``pg_secret.json`` +* Run ``vault kv put secret/k8s_operator//postgres + @pg_secret.json`` to insert the secret into Vault. +* ``rm pg_secret.json`` so you don't leave the passwords hanging around + your machine. +* Delete the ``postgres`` secret from the ``postgres`` namespace to + force Vault Secrets Operator to recreate it. +* Repeat for each environment where you need the new database. + +======================= +Restart with new values +======================= + +Now it's finally time to synchronize Postgres in each environment. + +This will cause a brief service interruption in the cluster, so bear +that and your cluster's maintenance window policy in mind. + +Much of the time, the restart of the ``postgres`` deployment gets stuck +and the old Pod will not terminate and allow the new one to run. If +that happens, you need to identify the ReplicaSet responsible for the +stuck Pod, and delete that ReplicaSet. + +Once Postgres restarts, the new database will be present, with the user +and password set. At that point it is ready for use by your new service. diff --git a/docs/ops/postgres/index.rst b/docs/ops/postgres/index.rst index 2c0379007e..2ef0d56b10 100644 --- a/docs/ops/postgres/index.rst +++ b/docs/ops/postgres/index.rst @@ -36,4 +36,4 @@ A simple Argo CD sync is sufficient. .. toctree:: recreate-pvc - + add-database diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 2508139475..236af4b522 100755 
--- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py @@ -139,6 +139,7 @@ def _postgres(self): self._set_generated("postgres", "jupyterhub_password", secrets.token_hex(32)) self._set_generated("postgres", "root_password", secrets.token_hex(64)) self._set_generated("postgres", "vo-cutouts_password", secrets.token_hex(32)) + self._set_generated("postgres", "narrativelog_password", secrets.token_hex(32)) def _nublado2(self): crypto_key = secrets.token_hex(32) From e654d8d041dbd66485306e77deba2651ee16db1f Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 23 Feb 2022 13:53:28 -0700 Subject: [PATCH 0023/1479] Incorporate Angelo's simplification --- docs/ops/postgres/add-database.rst | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/docs/ops/postgres/add-database.rst b/docs/ops/postgres/add-database.rst index 4871b2539b..88f289959f 100644 --- a/docs/ops/postgres/add-database.rst +++ b/docs/ops/postgres/add-database.rst 
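Review bot: The added `narrativelog_password` entry only does anything if the chart side reads the same secret key; the documentation added in this commit shows the pattern (`key: exposurelog_password` in the postgres deployment template), but nothing in the diff shows a matching narrativelog entry, so confirm it exists in the chart version phalanx depends on, otherwise the Pod fails on a missing secret key rather than at review time. A short comment on the new line tying it to the consuming chart would prevent the two from drifting, e.g. `# key name must match secretKeyRef in charts/postgres deployment.yaml`. The `_postgres` method begins before this hunk, so its other entries are not visible here; as the new docs note, the installer only runs for new or redeployed clusters, so existing environments still need the value injected into Vault by hand.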
@@ -102,18 +102,9 @@ just your new password. the instance you're working with from ``vault_keys.json``. * Set up your environment: ``export VAULT_ADDR=vault.lsst.codes ; export VAULT_FORMAT=json ; export VAULT_TOKEN=`` -* Run ``vault kv get secret/k8s_operator//postgres > - pg_secret.json`` to retrieve the current secret to a local file. -* Edit ``pg_secret.json`` (throw away the entire file except for the - contents of ``data.data``: those contents become the new top-level - object). -* Create a new password; I generally use ``openssl rand -hex 32`` to - generate a suitable string. -* Add the new password to ``pg_secret.json`` -* Run ``vault kv put secret/k8s_operator//postgres - @pg_secret.json`` to insert the secret into Vault. -* ``rm pg_secret.json`` so you don't leave the passwords hanging around - your machine. +* Run ``vault kv patch secret/k8s_operator//postgres + _password=$(openssl rand -hex 32)`` to generate and + store a new random password. * Delete the ``postgres`` secret from the ``postgres`` namespace to force Vault Secrets Operator to recreate it. * Repeat for each environment where you need the new database. From bd100f18d286cebcc5900a23daca80908fe94196 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 28 Feb 2022 08:58:28 -0700 Subject: [PATCH 0024/1479] Make image policy 'desired' at IDF only --- services/nublado2/Chart.yaml | 2 +- services/nublado2/values-idfdev.yaml | 1 + services/nublado2/values-idfint.yaml | 1 + services/nublado2/values-idfprod.yaml | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index dea15f1b8e..6a59189252 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -3,7 +3,7 @@ name: nublado2 version: 1.0.0 dependencies: - name: nublado2 - version: 0.8.3 + version: 0.8.4 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 
diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index a7736eb5c3..f09111d404 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -14,6 +14,7 @@ nublado2: base_url: "https://data-dev.lsst.cloud" butler_secret_path: "secret/k8s_operator/data-dev.lsst.cloud/butler-secret" pull_secret_path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" + cachemachine_image_policy: "desired" lab_environment: PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" diff --git a/services/nublado2/values-idfint.yaml b/services/nublado2/values-idfint.yaml index cf4cbe7d22..b53edaf6ab 100644 --- a/services/nublado2/values-idfint.yaml +++ b/services/nublado2/values-idfint.yaml @@ -13,6 +13,7 @@ nublado2: base_url: "https://data-int.lsst.cloud" butler_secret_path: "secret/k8s_operator/data-int.lsst.cloud/butler-secret" pull_secret_path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" + cachemachine_image_policy: "desired" lab_environment: PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index a6252cf53d..aeb0d47189 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml @@ -13,6 +13,7 @@ nublado2: base_url: "https://data.lsst.cloud" butler_secret_path: "secret/k8s_operator/data.lsst.cloud/butler-secret" pull_secret_path: "secret/k8s_operator/data.lsst.cloud/pull-secret" + cachemachine_image_policy: "desired" lab_environment: PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" 
From 6be06485a1832f6d727174ab586467e7d3a6130a Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 28 Feb 2022 10:17:24 -0700 Subject: [PATCH 0025/1479] add cachemachineImagePolicy --- services/mobu/Chart.yaml | 2 +- services/mobu/values-idfdev.yaml | 1 + services/mobu/values-idfint.yaml | 1 + services/mobu/values-idfprod.yaml | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index 8eae3417d8..c171553f03 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -3,7 +3,7 @@ name: mobu version: 1.0.0 dependencies: - name: mobu - version: ">=3.0.0" + version: ">=3.2.3" repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 diff --git a/services/mobu/values-idfdev.yaml b/services/mobu/values-idfdev.yaml index a10bf962e3..09294cce59 100644 --- a/services/mobu/values-idfdev.yaml +++ b/services/mobu/values-idfdev.yaml @@ -5,6 +5,7 @@ mobu: ingress: host: "data-dev.lsst.cloud" + cachemachineImagePolicy: "desired" environmentUrl: "https://data-dev.lsst.cloud" vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/mobu" diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index b7a9497ed5..e5ad31834a 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -5,6 +5,7 @@ mobu: ingress: host: "data-int.lsst.cloud" + cachemachineImagePolicy: "desired" environmentUrl: "https://data-int.lsst.cloud" vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/mobu" diff --git a/services/mobu/values-idfprod.yaml b/services/mobu/values-idfprod.yaml index e102dc85ee..bbde643ce2 100644 --- a/services/mobu/values-idfprod.yaml +++ b/services/mobu/values-idfprod.yaml @@ -5,6 +5,7 @@ mobu: ingress: host: "data.lsst.cloud" + cachemachineImagePolicy: "desired" environmentUrl: "https://data.lsst.cloud" vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/mobu" 
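Review bot: `version: ">=3.2.3"` for the mobu dependency is an open-ended range, so `helm dependency update` resolves to whichever chart is newest in the repository at build time; a deployment is then not reproducible from the commit, and an unintended or compromised chart release would be picked up without anyone changing this file. Every other Chart.yaml in this series pins an exact version (the adjacent `version: 0.1.2` for pull-secret, for example), and Renovate is already proposing bumps for those. Either pin `version: 3.2.3` here, or make sure Chart.lock is committed so the resolved version is at least recorded and diffable.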
From effc6642ef3ebe919a32a7dfd935480faf17fb72 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 28 Feb 2022 19:23:32 +0000 Subject: [PATCH 0026/1479] Update Helm release argo-cd to v3.33.8 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 1dd9d4c1f5..9b2f0fbaea 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 3.33.6 + version: 3.33.8 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From b145219560425e6e0f5ca86dcf64bbcf2fc7e2ac Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 28 Feb 2022 15:16:35 -0700 Subject: [PATCH 0027/1479] pick up prometheus unauthed changes --- services/nublado2/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index 6a59189252..2f4e6170ca 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -3,7 +3,7 @@ name: nublado2 version: 1.0.0 dependencies: - name: nublado2 - version: 0.8.4 + version: 0.8.5 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From 964020ac327fdfc76f1c4d86c20c3d4d93954b49 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 1 Mar 2022 00:12:20 +0000 Subject: [PATCH 0028/1479] Update Helm release gafaelfawr to v4.6.0 --- services/gafaelfawr/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 69d8b6684a..02fef38ea3 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -3,7 +3,7 @@ name: gafaelfawr version: 1.0.0 dependencies: - name: gafaelfawr - version: 4.5.5 + version: 4.6.0 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 
From b920b87fb842a74f126061c250f3230e36d0df59 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 24 Feb 2022 11:17:18 -0700 Subject: [PATCH 0029/1479] Add telegraf chart as dependency of sasquatch - Telegraf is a metric collector developed by InfluxData --- services/sasquatch/Chart.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index eb1493fd8e..7f9896076b 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -19,3 +19,6 @@ dependencies: - name: kapacitor version: 1.4.3 repository: https://helm.influxdata.com/ + - name: telegraf + version: 1.8.14 + repository: https://helm.influxdata.com/ From b342c3470709b4c6776e725e991206940bff7ee9 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 24 Feb 2022 11:19:36 -0700 Subject: [PATCH 0030/1479] Add default values for telegraf - Get the telegraf password from the sasquatch secret - Use the InfluxDB instance in sasquatch as the default output destination - It assumes the telegraf database and user exist in the InfluxDB instance --- services/sasquatch/values.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 9a56752f17..6bcd73c6be 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml 
@@ -98,6 +98,36 @@ kapacitor: envVars: KAPACITOR_SLACK_ENABLED: true +telegraf: + env: + # -- Telegraf password. + - name: TELEGRAF_PASSWORD + valueFrom: + secretKeyRef: + name: sasquatch + key: telegraf-password + service: + # -- Telegraf service. + enabled: false + config: + # -- Telegraf processor plugins. + processors: {} + # -- Telegraf input plugins. Must be set. + inputs: + - prometheus: + urls: + - http://hub.nublado2:8081/nb/hub/metrics + # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/ + metric_version: 2 + # -- Telegraf default output destination. + outputs: + - influxdb: + urls: + - "http://sasquatch-influxdb.sasquatch:8086" + database: "telegraf" + username: "telegraf" + password: "$TELEGRAF_PASSWORD" + # -- Path to the Vault secrets (`secret/k8s_operator//sasquatch`) # @default -- None, must be set vaultSecretsPath: "" From 72ab92088fc166b075bbc74992a94f2a4e89acd9 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 28 Feb 2022 17:15:57 -0700 Subject: [PATCH 0031/1479] Add podLabel for nublado2 network policy - Allow network connection from the telegraf pod to the hub pod --- services/sasquatch/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 6bcd73c6be..65429c3168 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -99,6 +99,8 @@ kapacitor: KAPACITOR_SLACK_ENABLED: true telegraf: + podLabels: + hub.jupyter.org/network-access-hub: "true" env: # -- Telegraf password. - name: TELEGRAF_PASSWORD From 8ef6b111850a3f1c213c1719384938a5dfc0ffe6 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 24 Feb 2022 11:24:51 -0700 Subject: [PATCH 0032/1479] Run helm-docs --- services/sasquatch/README.md | 7 +++++++ services/sasquatch/values.yaml | 5 ++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index c55c460dac..a34a88d228 100644 
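Review bot: The influxdb output's `password: "$TELEGRAF_PASSWORD"` relies on a `telegraf` InfluxDB user that nothing in this chart creates — the commit description says the database and user are assumed to exist, and the `init.iql` script visible later in the series only creates the database. The `# -- Telegraf default output destination.` comment should say so, e.g. `# -- Telegraf default output destination. Requires a "telegraf" InfluxDB user whose password is stored in the sasquatch secret under telegraf-password; not created by this chart.`. The prometheus input scrapes `http://hub.nublado2:8081/nb/hub/metrics` with no credentials, so access to those metrics rests on the hub's network policy (the `hub.jupyter.org/network-access-hub` label added in the following commit) and on whatever authentication the hub applies to that path; a comment on the `inputs` block naming that dependency would help whoever later widens the label or changes the hub's metrics auth.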
--- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -11,6 +11,7 @@ SQuaRE telemetry data service. | https://helm.influxdata.com/ | chronograf | 1.2.3 | | https://helm.influxdata.com/ | influxdb | 4.10.6 | | https://helm.influxdata.com/ | kapacitor | 1.4.3 | +| https://helm.influxdata.com/ | telegraf | 1.8.14 | | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 1.2.0 | ## Values @@ -35,6 +36,12 @@ SQuaRE telemetry data service. | kapacitor.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","operatorNamespace":"sasquatch","watchNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | +| telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html | +| telegraf.config.outputs | list | `[{"influxdb":{"database":"telegraf","password":"$TELEGRAF_PASSWORD","urls":["http://sasquatch-influxdb.sasquatch:8086"],"username":"telegraf"}}]` | Telegraf default output destination. | +| telegraf.config.processors | object | `{}` | Telegraf processor plugins. | +| telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"sasquatch"}}}` | Telegraf password. | +| telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. | +| telegraf.service.enabled | bool | `false` | Telegraf service. | | vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//sasquatch`) | ---------------------------------------------- 
diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 65429c3168..cfb136fb8e 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -99,6 +99,7 @@ kapacitor: KAPACITOR_SLACK_ENABLED: true telegraf: + # -- Allow network access to JupyterHub pod. podLabels: hub.jupyter.org/network-access-hub: "true" env: @@ -114,7 +115,9 @@ telegraf: config: # -- Telegraf processor plugins. processors: {} - # -- Telegraf input plugins. Must be set. + # -- Telegraf input plugins. + # Collect JupyterHub Prometheus metrics by dedault. + # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html inputs: - prometheus: urls: From 24c3641c05db2666600ba7461197b56d9d0f181e Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 2 Mar 2022 13:11:18 -0700 Subject: [PATCH 0033/1479] Move NCSA int to ghcr.io --- services/cachemachine/values-int.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/cachemachine/values-int.yaml b/services/cachemachine/values-int.yaml index 2454bc8628..caf782f9ad 100644 --- a/services/cachemachine/values-int.yaml +++ b/services/cachemachine/values-int.yaml @@ -20,8 +20,8 @@ cachemachine: "repomen": [ { "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", + "registry_url": "ghcr.io", + "repo": "lsst-sqre/sciplat-lab", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, @@ -31,7 +31,7 @@ cachemachine: "type": "SimpleRepoMan", "images": [ { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", + "image_url": "ghcr.io/lsst-sqre/sciplat-lab:w_2021_49", "name": "Weekly 2021_49" } ] From fa2ad2fb3654ecd1ed83de849a6a453a33ae287a Mon Sep 17 00:00:00 2001 
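Review bot: The new comment line `# Collect JupyterHub Prometheus metrics by dedault.` has a typo; since helm-docs copies this text into README.md (the same misspelling appears in the generated table in the previous commit), it should read `# Collect JupyterHub Prometheus metrics by default.` and the README regenerated. The comment could also state the dependency the inputs rely on, e.g. `# The hub metrics endpoint must be reachable from this pod; see podLabels above.`, so the label and the scrape target are documented together.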
From: adam Date: Wed, 2 Mar 2022 13:16:56 -0700 Subject: [PATCH 0034/1479] Revert "Move NCSA int to ghcr.io" This reverts commit 24c3641c05db2666600ba7461197b56d9d0f181e. --- services/cachemachine/values-int.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/cachemachine/values-int.yaml b/services/cachemachine/values-int.yaml index caf782f9ad..2454bc8628 100644 --- a/services/cachemachine/values-int.yaml +++ b/services/cachemachine/values-int.yaml @@ -20,8 +20,8 @@ cachemachine: "repomen": [ { "type": "RubinRepoMan", - "registry_url": "ghcr.io", - "repo": "lsst-sqre/sciplat-lab", + "registry_url": "registry.hub.docker.com", + "repo": "lsstsqre/sciplat-lab", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, @@ -31,7 +31,7 @@ cachemachine: "type": "SimpleRepoMan", "images": [ { - "image_url": "ghcr.io/lsst-sqre/sciplat-lab:w_2021_49", + "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", "name": "Weekly 2021_49" } ] From 54442accf2b108733b8ddbdb720fb20e3037d9a0 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 2 Mar 2022 13:18:00 -0700 Subject: [PATCH 0035/1479] move IDF prod to GAR --- services/cachemachine/values-idfprod.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml index 8d5b007bb6..5d0c7c90ec 100644 --- a/services/cachemachine/values-idfprod.yaml +++ b/services/cachemachine/values-idfprod.yaml @@ -16,8 +16,8 @@ cachemachine: "repomen": [ { "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", + "registry_url": "us-central1-docker.pkg.dev", + "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, 
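Review bot: Switching IDF prod to `"registry_url": "us-central1-docker.pkg.dev"` and `"repo": "rubin-shared-services-71ec/sciplat/sciplat-lab"` changes where production lab images are pulled from, but nothing in the diff updates the credentials the nodes use to pull, and the prior commit pair shows the Docker Hub pull secret is what the other environments depend on. If the Artifact Registry repository is private, confirm the node service account or an image pull secret grants read access before this is synced, otherwise `recommended` and weekly pulls fail at pod start. A one-line comment above the `repomen` entry recording that prod images now come from GAR (and which identity is expected to have read access) would make the trust boundary visible to the next reviewer; the second hunk of this file, on the following line, updates the `image_url` in the same way.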
@@ -27,7 +27,7 @@ cachemachine: "type": "SimpleRepoMan", "images": [ { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", "name": "Weekly 2021_49" } ] From b94545b255a74747a835f7c3d85d293d103f8dd7 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 2 Mar 2022 20:16:08 -0700 Subject: [PATCH 0036/1479] [DM-33787] Sherlock chart to 0.1.6 --- services/sherlock/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sherlock/Chart.yaml b/services/sherlock/Chart.yaml index 651bc48eaf..12f1849cd1 100644 --- a/services/sherlock/Chart.yaml +++ b/services/sherlock/Chart.yaml @@ -3,5 +3,5 @@ name: sherlock version: 1.0.0 dependencies: - name: sherlock - version: 0.1.5 + version: 0.1.6 repository: https://lsst-sqre.github.io/charts/ From 929ca84d7266673484267c66871083da65652240 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 3 Mar 2022 08:20:27 -0700 Subject: [PATCH 0037/1479] Enable Flux in IDF dev --- services/sasquatch/values-idfdev.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index 3888b959ae..101e3902fd 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -4,6 +4,9 @@ influxdb: ingress: enabled: true hostname: data-dev.lsst.cloud + config: + http: + flux-enabled: true kafka-connect-manager: influxdbSink: From ca018c76b1cd37e594a22c56d7e1b7e5b21d3c09 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 3 Mar 2022 10:54:16 -0700 Subject: [PATCH 0038/1479] Make flux a global default; try snake_case --- services/sasquatch/values-idfdev.yaml | 3 --- services/sasquatch/values.yaml | 1 + 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index 101e3902fd..3888b959ae 100644 
--- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -4,9 +4,6 @@ influxdb: ingress: enabled: true hostname: data-dev.lsst.cloud - config: - http: - flux-enabled: true kafka-connect-manager: influxdbSink: diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index cfb136fb8e..a4258e82a9 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -36,6 +36,7 @@ influxdb: trace_logging_enabled: true http: enabled: true + flux_enabled: true auth_enabled: true max_row_limit: 0 coordinator: From c5ffa5be689db62b4d413011137c34ba52d323d3 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 3 Mar 2022 11:17:21 -0700 Subject: [PATCH 0039/1479] Apparently it really is a dash in the config --- services/sasquatch/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index a4258e82a9..e4fef54b8f 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -36,7 +36,7 @@ influxdb: trace_logging_enabled: true http: enabled: true - flux_enabled: true + flux-enabled: true auth_enabled: true max_row_limit: 0 coordinator: From 7f14dd7398842ad84b32c84838b04d0323727999 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 3 Mar 2022 14:38:20 -0700 Subject: [PATCH 0040/1479] Turn off alert-stream-broker at IDF int --- science-platform/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 641d734833..abfd14ecb6 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -3,7 +3,7 @@ fqdn: data-int.lsst.cloud vault_path_prefix: secret/k8s_operator/data-int.lsst.cloud alert_stream_broker: - enabled: true + enabled: false cachemachine: enabled: true cert_issuer: From 98fb011d48dda4c5d0a065f875dd57fd9dc4be6e Mon Sep 17 00:00:00 2001 
From: adam Date: Thu, 3 Mar 2022 14:59:47 -0700 Subject: [PATCH 0041/1479] remove strimzi* at int as well --- science-platform/values-idfint.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index abfd14ecb6..0d12427e64 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -47,9 +47,9 @@ squareone: squash_api: enabled: false strimzi: - enabled: true + enabled: false strimzi_registry_operator: - enabled: true + enabled: false tap: enabled: true tap_schema: From b146c472729ff9bfa7d4878f65362b8829b80e9b Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 3 Mar 2022 18:28:23 -0700 Subject: [PATCH 0042/1479] Fix name of InfluxDB configuration keys - The upstream InfluxDB helm chart used in sasquatch does not rewrite the configuration keys replacing "_" with "-" anymore. --- services/sasquatch/values.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index e4fef54b8f..78def2482e 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -31,19 +31,19 @@ influxdb: # See https://docs.influxdata.com/influxdb/v1.8/administration/config config: data: - cache_max_memory_size: 0 - wal_fsync_delay: "100ms" - trace_logging_enabled: true + cache-max-memory-size: 0 + wal-fsync-delay: "100ms" + trace-logging-enabled: true http: enabled: true flux-enabled: true - auth_enabled: true - max_row_limit: 0 + auth-enabled: true + max-row-limit: 0 coordinator: - write_timeout: "60s" - max_concurrent_queries: 10 - query_timeout: "900s" - log_queries_after: "15s" + write-timeout: "60s" + max-concurrent-queries: 10 + query-timeout: "900s" + log-queries-after: "15s" continuous_queries: enabled: false # -- InfluxDB Custom initialization scripts. From 683174be1f988d4fddf008d42b20be5b75fa4649 Mon Sep 17 00:00:00 2001 
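Review bot: Renaming `auth_enabled: true` to `auth-enabled: true` fixes the key, but the description implies the underscore form had been ignored by the chart, and InfluxDB 1.x defaults `auth-enabled` to false; any environment deployed from the old values has therefore probably been running with authentication off. The commit message or a comment under `http:` should say so, e.g. `# auth-enabled was previously not applied (wrong key name); verify clients authenticate after this change`, and the rollout should include checking whether the InfluxDB credentials held in Vault need rotation. `continuous_queries:` keeps its underscore while every sibling key changed — if that key is also passed through to the InfluxDB configuration it is now the one being silently ignored; confirm against the chart template.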
From: Angelo Fausti Date: Thu, 3 Mar 2022 18:28:45 -0700 Subject: [PATCH 0043/1479] Run helm-docs --- services/sasquatch/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index a34a88d228..e8ecb0919e 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -23,7 +23,7 @@ SQuaRE telemetry data service. | chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.3"}` | Chronograf image tag. | | chronograf.ingress | object | disabled | Chronograf ingress configuration. | | chronograf.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | -| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log_queries_after":"15s","max_concurrent_queries":10,"query_timeout":"900s","write_timeout":"60s"},"data":{"cache_max_memory_size":0,"trace_logging_enabled":true,"wal_fsync_delay":"100ms"},"http":{"auth_enabled":true,"enabled":true,"max_row_limit":0}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | +| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"900s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | | influxdb.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | 
From 23e9b79288bb9d244b6354838c543523eb21b264 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 4 Mar 2022 11:10:28 -0700 Subject: [PATCH 0044/1479] Enable strimzi operator in idfdev --- science-platform/values-idfdev.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index 605c6492fe..ffb0ec8dca 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -47,7 +47,7 @@ squareone: squash_api: enabled: false strimzi: - enabled: false + enabled: true strimzi_registry_operator: enabled: false tap: From 8e28230b634df9e33cecf9b15786fed7abb05fdb Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 7 Mar 2022 16:12:58 -0500 Subject: [PATCH 0045/1479] Add times-square-ui to times-square svc --- services/times-square/Chart.yaml | 2 ++ services/times-square/values-idfdev.yaml | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 97b962f89f..848d52e56e 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -7,4 +7,6 @@ dependencies: repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 + - name: times-square-ui + version: 0.1.0-alpha.1 repository: https://lsst-sqre.github.io/charts/ diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index f6aac01198..320b32a572 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -17,3 +17,8 @@ times-square: pull-secret: enabled: true path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret +times-square-ui: + image: + tag: tickets-dm-33930 + ingress: + host: "data-dev.lsst.cloud" From 49f0da0b71673050efc404e92de6781570fa8027 Mon Sep 17 00:00:00 2001 
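Review bot: The two added lines sit between pull-secret's `version: 0.1.2` and its `repository:` line, so as the hunk reads the trailing `repository: https://lsst-sqre.github.io/charts/` now belongs to times-square-ui and the pull-secret dependency is left with no repository, which Helm cannot resolve unless that chart is vendored under `charts/`. Move the new entry after the existing `repository:` line and give it its own: `- name: times-square-ui`, `version: 0.1.0-alpha.1`, `repository: https://lsst-sqre.github.io/charts/`. Pulling a pre-release alpha into the dependency list is fine for data-dev, but a one-line comment saying it is intentionally a pre-release would stop it being bumped by habit.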
From: Jonathan Sick Date: Mon, 7 Mar 2022 16:13:37 -0500 Subject: [PATCH 0046/1479] Pull times-square from GitHub Container Registry The pull-secret is not longer needed since we're not using the DockerHub pull secret here. --- services/times-square/Chart.yaml | 2 -- services/times-square/values-idfdev.yaml | 6 +----- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 848d52e56e..bc80e40417 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -5,8 +5,6 @@ dependencies: - name: times-square version: 0.1.8 repository: https://lsst-sqre.github.io/charts/ - - name: pull-secret - version: 0.1.2 - name: times-square-ui version: 0.1.0-alpha.1 repository: https://lsst-sqre.github.io/charts/ diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 320b32a572..2854c0bbd8 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -1,10 +1,9 @@ times-square: image: + repository: ghcr.io/lsst-sqre/times-square tag: tickets-DM-33627 ingress: host: "data-dev.lsst.cloud" - imagePullSecrets: - - name: "pull-secret" vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/times-square" config: environmentUrl: "https://data-dev.lsst.cloud" @@ -14,9 +13,6 @@ times-square: instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" serviceAccount: "times-square@science-platform-dev-7696.iam.gserviceaccount.com" -pull-secret: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret times-square-ui: image: tag: tickets-dm-33930 From 4d50666f90825d0090bffd35b4d7dd8f6250defd Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Mon, 7 Mar 2022 23:09:16 +0000 Subject: [PATCH 0047/1479] Update actions/setup-python action to v3 --- .github/workflows/ci.yaml | 2 +- .github/workflows/docs.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 25289bcb46..980967031c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -28,7 +28,7 @@ jobs: fetch-depth: 0 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.9 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index f1e4a44686..8fc180516c 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -27,7 +27,7 @@ jobs: - uses: actions/checkout@v2 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.9 From 24144f26c7747fa843d2eef8308437195b54797c Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 7 Mar 2022 23:38:47 +0000 Subject: [PATCH 0048/1479] Update actions/checkout action to v3 --- .github/workflows/ci.yaml | 6 +++--- .github/workflows/docs.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 980967031c..72adcf926b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -11,7 +11,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: yaml-lint uses: ibiqlik/action-yamllint@master @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 @@ -55,7 +55,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Filter paths uses: dorny/paths-filter@v2 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 8fc180516c..6d6cc18299 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml 
@@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python uses: actions/setup-python@v3 From 50e436b9f504a4d78eb9161994c1b20552e154de Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 7 Mar 2022 23:47:07 +0000 Subject: [PATCH 0049/1479] Update Helm release ingress-nginx to v4.0.18 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index d86ced117e..651df6c06e 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -3,7 +3,7 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.0.17 + version: 4.0.18 repository: https://kubernetes.github.io/ingress-nginx - name: pull-secret version: ">=0.1.2" From 7d8ef034cd1a134448576e277aaa2a52ee4db4e7 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 7 Mar 2022 23:57:37 +0000 Subject: [PATCH 0050/1479] Update Helm release argo-cd to v3.35.2 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 9b2f0fbaea..975a346270 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 3.33.8 + version: 3.35.2 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From 723088ac46f64230bf511a2061876e05b82fb1f9 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 8 Mar 2022 10:24:56 -0500 Subject: [PATCH 0051/1479] Use unique path prefix for times-square-ui This is to debug why access to /times-square/ was not possible. --- services/times-square/values-idfdev.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 2854c0bbd8..20411d2fb9 100644 
--- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -18,3 +18,4 @@ times-square-ui: tag: tickets-dm-33930 ingress: host: "data-dev.lsst.cloud" + path: "/ts-ui" From 2d1bba113d49405488324ad28c3fccc08dd2f8b4 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 8 Mar 2022 20:31:38 -0500 Subject: [PATCH 0052/1479] DM-33930: Update times-square-ui 0.1.0-alpha.2 - Restores ingress path to /times-square - Adopts 0.1.0-alpha.2 chart version which fixes the network policy - Adopt fullnameOverride to make times-square-ui resources easier to work with --- services/times-square/Chart.yaml | 2 +- services/times-square/values-idfdev.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index bc80e40417..4ce2d58427 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -6,5 +6,5 @@ dependencies: version: 0.1.8 repository: https://lsst-sqre.github.io/charts/ - name: times-square-ui - version: 0.1.0-alpha.1 + version: 0.1.0-alpha.2 repository: https://lsst-sqre.github.io/charts/ diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 20411d2fb9..48f2dc0824 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -14,8 +14,8 @@ times-square: serviceAccount: "times-square@science-platform-dev-7696.iam.gserviceaccount.com" times-square-ui: + fullnameOverride: times-square-ui image: tag: tickets-dm-33930 ingress: host: "data-dev.lsst.cloud" - path: "/ts-ui" From 6bd5bcc62348f3806ae34ddf1fe54bd5398838bb Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 9 Mar 2022 10:59:43 -0800 Subject: [PATCH 0053/1479] Test new mobu on data-int Switch to the new build from GitHub Container Registry and start a TAP runner. --- services/mobu/values-idfint.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index e5ad31834a..f41d338f3f 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -5,6 +5,11 @@ mobu: ingress: host: "data-int.lsst.cloud" + image: + repository: "ghcr.io/lsst-sqre/mobu" + pullPolicy: "Always" + tag: "tickets-DM-33813" + cachemachineImagePolicy: "desired" environmentUrl: "https://data-int.lsst.cloud" vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/mobu" @@ -35,6 +40,14 @@ mobu: repo_url: "https://github.com/lsst-sqre/system-test.git" repo_branch: "prod" restart: true + - name: "tap" + count: 1 + users: + - username: "systemtest03" + uidnumber: 74770 + scopes: ["read:tap"] + business: "TAPQueryRunner" + restart: true pull-secret: enabled: true From 71db7b4af923483127e721727133b2b7fce8b3aa Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 9 Mar 2022 13:31:08 -0800 Subject: [PATCH 0054/1479] Deploy mobu TAP runner on IDF prod Remove the image settings for IDF int since the new version of mobu has been released, and copy the TAP runner configuration to prod. --- services/mobu/values-idfint.yaml | 5 ----- services/mobu/values-idfprod.yaml | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index f41d338f3f..c436cce5ad 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -5,11 +5,6 @@ mobu: ingress: host: "data-int.lsst.cloud" - image: - repository: "ghcr.io/lsst-sqre/mobu" - pullPolicy: "Always" - tag: "tickets-DM-33813" - cachemachineImagePolicy: "desired" environmentUrl: "https://data-int.lsst.cloud" vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/mobu" diff --git a/services/mobu/values-idfprod.yaml b/services/mobu/values-idfprod.yaml index bbde643ce2..0589cc87c9 100644 --- a/services/mobu/values-idfprod.yaml +++ b/services/mobu/values-idfprod.yaml 
@@ -66,6 +66,14 @@ mobu: max_executions: 1 working_directory: "notebooks/tutorial-notebooks" restart: true + - name: "tap" + count: 1 + users: + - username: "systemtest08" + uidnumber: 74775 + scopes: ["read:tap"] + business: "TAPQueryRunner" + restart: true pull-secret: enabled: true From 62ae537c53d7e3ed6f560ce32cc60a480d81dafb Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Wed, 9 Mar 2022 14:00:49 -0800 Subject: [PATCH 0055/1479] Move mobu chart to Phalanx Following RFC-830, move the mobu chart from the separate charts repository to Phalanx. Use the same README.md template that sasquatch is using. For now, continue to use the pull-secret chart (this will probably change later). Remove obsolete configuration settings from the autostart configuration for IDF prod. --- .../templates/mobu-application.yaml | 1 + services/mobu/Chart.yaml | 5 +- services/mobu/README.md | 39 +++++ services/mobu/README.md.gotmpl | 9 ++ services/mobu/templates/_helpers.tpl | 53 +++++++ .../mobu/templates/configmap-autostart.yaml | 11 ++ services/mobu/templates/gafaelfawr-token.yaml | 11 ++ services/mobu/templates/ingress.yaml | 41 ++++++ services/mobu/templates/networkpolicy.yaml | 23 +++ services/mobu/templates/service.yaml | 14 ++ services/mobu/templates/statefulset.yaml | 98 +++++++++++++ services/mobu/templates/vault-secret.yaml | 9 ++ services/mobu/values-idfdev.yaml | 39 +++-- services/mobu/values-idfint.yaml | 83 ++++++----- services/mobu/values-idfprod.yaml | 135 ++++++++---------- services/mobu/values-int.yaml | 43 +++--- services/mobu/values-minikube.yaml | 13 +- services/mobu/values-red-five.yaml | 13 +- services/mobu/values-roe.yaml | 65 +++++---- services/mobu/values-stable.yaml | 59 ++++---- services/mobu/values.yaml | 80 +++++++++++ 21 files changed, 607 insertions(+), 237 deletions(-) create mode 100644 services/mobu/README.md create mode 100644 services/mobu/README.md.gotmpl create mode 100644 services/mobu/templates/_helpers.tpl create mode 100644 services/mobu/templates/configmap-autostart.yaml create mode 100644 services/mobu/templates/gafaelfawr-token.yaml create mode 100644 services/mobu/templates/ingress.yaml create mode 100644 services/mobu/templates/networkpolicy.yaml create mode 100644 services/mobu/templates/service.yaml create mode 100644 services/mobu/templates/statefulset.yaml create mode 100644 
services/mobu/templates/vault-secret.yaml create mode 100644 services/mobu/values.yaml diff --git a/science-platform/templates/mobu-application.yaml b/science-platform/templates/mobu-application.yaml index 83f169f52f..0afc89e852 100644 --- a/science-platform/templates/mobu-application.yaml +++ b/science-platform/templates/mobu-application.yaml @@ -25,5 +25,6 @@ spec: targetRevision: {{ .Values.revision }} helm: valueFiles: + - values.yaml - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index c171553f03..52bf804311 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -1,10 +1,9 @@ apiVersion: v2 name: mobu version: 1.0.0 +description: Generate system load by pretending to be a random scientist +home: https://github.com/lsst-sqre/mobu dependencies: - - name: mobu - version: ">=3.2.3" - repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 repository: https://lsst-sqre.github.io/charts/ diff --git a/services/mobu/README.md b/services/mobu/README.md new file mode 100644 index 0000000000..281ffd419b --- /dev/null +++ b/services/mobu/README.md 
@@ -0,0 +1,39 @@ +# mobu + +Generate system load by pretending to be a random scientist + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the mobu frontend pod | +| autostart | list | `[]` | Autostart specification. Must be a list of mobu flock specifications. Each flock listed will be automatically started when mobu is started. | +| cachemachineImagePolicy | string | `"available"` | Cachemachine image policy. Must be one of `desired` or `available`. Determines whether cachemachine reports the images it has or the ones it wants. Should be `desired` in environments with image streaming enabled (e.g. IDF). | +| environmentUrl | string | None, must be set | Base URL used to find other services in the environment such as Nublado and TAP | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the mobu image | +| image.repository | string | `"ghcr.io/lsst-sqre/mobu"` | mobu image to use | +| image.tag | string | The appVersion of the chart | Tag of mobu image to use | +| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | +| ingress.enabled | bool | `true` | Whether to create an ingress | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string | +| ingress.host | string | None, must be set if the ingress is enabled | Hostname for the ingress | +| ingress.tls | list | `[]` | Configures TLS for the ingress if needed. If multiple ingresses share the same hostname, only one of them needs a TLS configuration. 
| +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the mobu frontend pod | +| podAnnotations | object | `{}` | Annotations for the mobu frontend pod | +| resources | object | `{}` | Resource limits and requests for the mobu frontend pod | +| service.port | int | `80` | Port of the service to create and map to the ingress | +| service.type | string | `"ClusterIP"` | Type of service to create | +| tolerations | list | `[]` | Tolerations for the mobu frontend pod | +| vaultSecretsPath | string | None, must be set | Path to the Vault secret containing the Slack alert hook | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/mobu/README.md.gotmpl b/services/mobu/README.md.gotmpl new file mode 100644 index 0000000000..4531459bbb --- /dev/null +++ b/services/mobu/README.md.gotmpl @@ -0,0 +1,9 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/mobu/templates/_helpers.tpl b/services/mobu/templates/_helpers.tpl new file mode 100644 index 0000000000..b28af543ea --- /dev/null +++ b/services/mobu/templates/_helpers.tpl 
@@ -0,0 +1,53 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "mobu.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "mobu.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "mobu.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "mobu.labels" -}} +app.kubernetes.io/name: {{ include "mobu.name" . }} +helm.sh/chart: {{ include "mobu.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "mobu.selectorLabels" -}} +app.kubernetes.io/name: {{ include "mobu.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/mobu/templates/configmap-autostart.yaml b/services/mobu/templates/configmap-autostart.yaml new file mode 100644 index 0000000000..06a1949ff8 --- /dev/null +++ b/services/mobu/templates/configmap-autostart.yaml 
@@ -0,0 +1,11 @@
+{{- if .Values.autostart -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "mobu.fullname" . }}-autostart
+ labels:
+ {{- include "mobu.labels" . | nindent 4 }}
+data:
+ autostart.yaml: |
+ {{- toYaml .Values.autostart | nindent 4 }}
+{{- end }}
diff --git a/services/mobu/templates/gafaelfawr-token.yaml b/services/mobu/templates/gafaelfawr-token.yaml
new file mode 100644
index 0000000000..57d59fb715
--- /dev/null
+++ b/services/mobu/templates/gafaelfawr-token.yaml
@@ -0,0 +1,11 @@
+apiVersion: gafaelfawr.lsst.io/v1alpha1
+kind: GafaelfawrServiceToken
+metadata:
+ name: {{ include "mobu.fullname" . }}-gafaelfawr-token
+ labels:
+ {{- include "mobu.labels" . | nindent 4 }}
+spec:
+ service: "mobu"
+ scopes:
+ - "admin:token"
+ - "exec:admin"
diff --git a/services/mobu/templates/ingress.yaml b/services/mobu/templates/ingress.yaml
new file mode 100644
index 0000000000..0017e048ca
--- /dev/null
+++ b/services/mobu/templates/ingress.yaml
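Review bot: The service token asks for `admin:token` and `exec:admin` with nothing in the template recording why a load generator needs either; `admin:token` by its name lets mobu mint tokens for arbitrary users, and the per-user `scopes` lists in the autostart flocks (`exec:notebook`, `read:tap`) are presumably what it hands to those minted users, so the breadth of this token is easy to misread as a copy-paste. Add a comment above `scopes:` such as `# admin:token: mobu creates tokens for the flock users listed in autostart.yaml; exec:admin: needed to pass the ingress auth query on its own /mobu API` (confirm the second against `ingress.gafaelfawrAuthQuery`). Documenting the reason is what lets the scope be narrowed later if Gafaelfawr grows a less powerful delegation scope.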
@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ {{- if .Values.ingress.gafaelfawrAuthQuery }}
+ nginx.ingress.kubernetes.io/auth-method: "GET"
+ nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User"
+ nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login"
+ nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}"
+ {{- end }}
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ template "mobu.fullname" . }}
+ labels:
+ {{- include "mobu.labels" . | nindent 4 }}
+spec:
+ rules:
+ - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }}
+ http:
+ paths:
+ - path: "/mobu"
+ pathType: "Prefix"
+ backend:
+ service:
+ name: {{ template "mobu.fullname" . }}
+ port:
+ number: {{ .Values.service.port }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/services/mobu/templates/networkpolicy.yaml b/services/mobu/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..db80cb0b6a
--- /dev/null
+++ b/services/mobu/templates/networkpolicy.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "mobu.fullname" . }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "mobu.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow inbound access from pods (in any namespace) labeled
+ # gafaelfawr.lsst.io/ingress: true.
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ gafaelfawr.lsst.io/ingress: "true"
+ ports:
+ - protocol: "TCP"
+ port: 8080
+{{- end }}
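Review bot: The Gafaelfawr annotations are emitted only under `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, so an environment that sets `ingress.gafaelfawrAuthQuery: ""` (or null) silently publishes `/mobu` through the cluster ingress with no authentication, and this is the API that drives flocks running on `admin:token`-derived credentials. Nothing in the chart documents an unauthenticated mode, so fail the render instead: drop the surrounding `if` and write `nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}"`. If an opt-out is genuinely wanted later, give it an explicit boolean with a comment rather than keying it on an empty string.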
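Review bot: Wrapping the NetworkPolicy in `{{- if .Values.ingress.enabled -}}` means disabling the ingress removes the only policy that selects the mobu pod, and a pod selected by no policy is default-allow, so the pod becomes reachable on 8080 from every pod in the cluster, the opposite of what turning the ingress off should mean. Render the policy unconditionally and, if anything, make only the `- from:` rule conditional on `ingress.enabled`, since a policy with `policyTypes: [Ingress]` and an empty `ingress:` list is the correct deny-all result for an ingress-less deployment. A comment such as `# Only the ingress controller may reach mobu; the label match is routing, not an auth boundary, the auth-url on the Ingress is` would also record that `gafaelfawr.lsst.io/ingress: "true"` is a label any workload in any namespace can put on itself.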
diff --git a/services/mobu/templates/service.yaml b/services/mobu/templates/service.yaml new file mode 100644 index 0000000000..5ff81d982a --- /dev/null +++ b/services/mobu/templates/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mobu.fullname" . }} + labels: + {{- include "mobu.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: "http" + protocol: "TCP" + selector: + {{- include "mobu.selectorLabels" . | nindent 4 }} diff --git a/services/mobu/templates/statefulset.yaml b/services/mobu/templates/statefulset.yaml new file mode 100644 index 0000000000..eaf8d632a7 --- /dev/null +++ b/services/mobu/templates/statefulset.yaml 
@@ -0,0 +1,98 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "mobu.fullname" . }} + labels: + {{- include "mobu.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "mobu.selectorLabels" . | nindent 6 }} + serviceName: "mobu" + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "mobu.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + automountServiceAccountToken: false + containers: + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + - name: "ALERT_HOOK" + valueFrom: + secretKeyRef: + name: {{ template "mobu.fullname" . }}-secret + key: "ALERT_HOOK" + {{- if .Values.autostart }} + - name: "AUTOSTART" + value: "/etc/mobu/autostart.yaml" + {{- end }} + - name: "CACHEMACHINE_IMAGE_POLICY" + value: {{ .Values.cachemachineImagePolicy }} + - name: "ENVIRONMENT_URL" + value: {{ .Values.environmentUrl }} + - name: "GAFAELFAWR_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "mobu.fullname" . }}-gafaelfawr-token + key: "token" + ports: + - name: "http" + containerPort: 8080 + protocol: "TCP" + readinessProbe: + httpGet: + path: "/mobu/flocks" + port: "http" + timeoutSeconds: 10 + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + {{- if .Values.autostart }} + - name: "autostart" + mountPath: "/etc/mobu" + readOnly: true + {{- end }} + - name: "tmp" + mountPath: "/tmp" + volumes: + {{- if .Values.autostart }} + - name: "autostart" + configMap: + name: {{ include "mobu.fullname" . 
}}-autostart + {{- end }} + - name: "tmp" + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/mobu/templates/vault-secret.yaml b/services/mobu/templates/vault-secret.yaml new file mode 100644 index 0000000000..d4039253c4 --- /dev/null +++ b/services/mobu/templates/vault-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ template "mobu.fullname" . }}-secret + labels: + {{- include "mobu.labels" . | nindent 4 }} +spec: + path: {{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath | quote }} + type: Opaque diff --git a/services/mobu/values-idfdev.yaml b/services/mobu/values-idfdev.yaml index 09294cce59..bce48effef 100644 --- a/services/mobu/values-idfdev.yaml +++ b/services/mobu/values-idfdev.yaml @@ -1,26 +1,25 @@ -mobu: - imagePullSecrets: - - name: "pull-secret" +imagePullSecrets: + - name: "pull-secret" - ingress: - host: "data-dev.lsst.cloud" +ingress: + host: "data-dev.lsst.cloud" - cachemachineImagePolicy: "desired" - environmentUrl: "https://data-dev.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/mobu" +cachemachineImagePolicy: "desired" +environmentUrl: "https://data-dev.lsst.cloud" +vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/mobu" - autostart: - - name: "python" - count: 1 - users: - - username: "systemtest01" - uidnumber: 74768 - scopes: ["exec:notebook"] - business: "JupyterPythonLoop" - options: - jupyter: - image_size: "Small" - restart: true +autostart: + - name: "python" + count: 1 + users: + - username: "systemtest01" + uidnumber: 74768 + scopes: ["exec:notebook"] + business: "JupyterPythonLoop" + options: + jupyter: + image_size: "Small" + restart: true pull-secret: enabled: true 
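Review bot: Both plain env values, `value: {{ .Values.cachemachineImagePolicy }}` and `value: {{ .Values.environmentUrl }}`, are templated unquoted, so an unset `environmentUrl` renders `value:` as YAML null and the pod starts without the setting instead of the render failing, and a value containing `: ` or ` #` would mis-parse; write `value: {{ required "environmentUrl must be set" .Values.environmentUrl | quote }}` and `value: {{ .Values.cachemachineImagePolicy | quote }}`, which also matches the README's "None, must be set" for `environmentUrl`. The pod and container security contexts are otherwise tight (non-root, all capabilities dropped, read-only root, no service-account token); adding `seccompProfile: {type: RuntimeDefault}` next to `runAsNonRoot` would complete the restricted profile. `serviceName: "mobu"` is hard-coded while the Service is named by `mobu.fullname`, so the two drift apart under `nameOverride`/`fullnameOverride`; use `{{ include "mobu.fullname" . }}` there as well.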
diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index c436cce5ad..50dfc0659c 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml 
@@ -1,48 +1,47 @@ -mobu: - imagePullSecrets: - - name: "pull-secret" +imagePullSecrets: + - name: "pull-secret" - ingress: - host: "data-int.lsst.cloud" +ingress: + host: "data-int.lsst.cloud" - cachemachineImagePolicy: "desired" - environmentUrl: "https://data-int.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/mobu" +cachemachineImagePolicy: "desired" +environmentUrl: "https://data-int.lsst.cloud" +vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/mobu" - autostart: - - name: "firefighter" - count: 1 - users: - - username: "systemtest01" - uidnumber: 74768 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - repo_url: "https://github.com/SimonKrughoff/system-test.git" - repo_branch: "prod" - max_executions: 1 - restart: true - - name: "weekly" - count: 1 - users: - - username: "systemtest02" - uidnumber: 74769 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - jupyter: - image_class: "latest-weekly" - repo_url: "https://github.com/lsst-sqre/system-test.git" - repo_branch: "prod" - restart: true - - name: "tap" - count: 1 - users: - - username: "systemtest03" - uidnumber: 74770 - scopes: ["read:tap"] - business: "TAPQueryRunner" - restart: true +autostart: + - name: "firefighter" + count: 1 + users: + - username: "systemtest01" + uidnumber: 74768 + scopes: ["exec:notebook", "exec:portal", "read:tap"] + business: "NotebookRunner" + options: + repo_url: "https://github.com/SimonKrughoff/system-test.git" + repo_branch: "prod" + max_executions: 1 + restart: true + - name: "weekly" + count: 1 + users: + - username: "systemtest02" + uidnumber: 74769 + scopes: ["exec:notebook", "exec:portal", "read:tap"] + business: "NotebookRunner" + options: + jupyter: + image_class: "latest-weekly" + repo_url: "https://github.com/lsst-sqre/system-test.git" + repo_branch: "prod" + restart: true + - name: "tap" + count: 1 + users: + - username: "systemtest03" + 
uidnumber: 74770 + scopes: ["read:tap"] + business: "TAPQueryRunner" + restart: true pull-secret: enabled: true diff --git a/services/mobu/values-idfprod.yaml b/services/mobu/values-idfprod.yaml index 0589cc87c9..535e5d1fe4 100644 --- a/services/mobu/values-idfprod.yaml +++ b/services/mobu/values-idfprod.yaml 
@@ -1,79 +1,68 @@ -mobu: - imagePullSecrets: - - name: "pull-secret" +imagePullSecrets: + - name: "pull-secret" - ingress: - host: "data.lsst.cloud" +ingress: + host: "data.lsst.cloud" - cachemachineImagePolicy: "desired" - environmentUrl: "https://data.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/mobu" +cachemachineImagePolicy: "desired" +environmentUrl: "https://data.lsst.cloud" +vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/mobu" - autostart: - - name: "firefighter" - count: 5 - users: - - username: "systemtest01" - uidnumber: 74768 - - username: "systemtest02" - uidnumber: 74769 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest04" - uidnumber: 74771 - - username: "systemtest05" - uidnumber: 74772 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - repo_url: "https://github.com/lsst-sqre/system-test.git" - repo_branch: "prod" - max_executions: 1 - restart: true - - name: "quickbeam" - count: 1 - users: - - username: "systemtest06" - uidnumber: 74773 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - jupyter_options_form: - image: "registry.hub.docker.com/lsstsqre/sciplat-lab:recommended" - image_list: "registry.hub.docker.com/lsstsqre/sciplat-lab:recommended|Recommended|" - image_dropdown: "use_image_from_dropdown" - size: "Small" - repo_url: "https://github.com/lsst-sqre/system-test.git" - repo_branch: "prod" - idle_time: 900 - delete_lab: false - restart: true - - name: "tutorial" - count: 1 - users: - - username: "systemtest07" - uidnumber: 74774 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - jupyter_options_form: - image: "registry.hub.docker.com/lsstsqre/sciplat-lab:recommended" - image_list: "registry.hub.docker.com/lsstsqre/sciplat-lab:recommended|Recommended|" - image_dropdown: "use_image_from_dropdown" - size: "Large" - repo_url: 
"https://github.com/rubin-dp0/tutorial-notebooks.git" - repo_branch: "prod" - max_executions: 1 - working_directory: "notebooks/tutorial-notebooks" - restart: true - - name: "tap" - count: 1 - users: - - username: "systemtest08" - uidnumber: 74775 - scopes: ["read:tap"] - business: "TAPQueryRunner" - restart: true +autostart: + - name: "firefighter" + count: 5 + users: + - username: "systemtest01" + uidnumber: 74768 + - username: "systemtest02" + uidnumber: 74769 + - username: "systemtest03" + uidnumber: 74770 + - username: "systemtest04" + uidnumber: 74771 + - username: "systemtest05" + uidnumber: 74772 + scopes: ["exec:notebook", "exec:portal", "read:tap"] + business: "NotebookRunner" + options: + repo_url: "https://github.com/lsst-sqre/system-test.git" + repo_branch: "prod" + max_executions: 1 + restart: true + - name: "quickbeam" + count: 1 + users: + - username: "systemtest06" + uidnumber: 74773 + scopes: ["exec:notebook", "exec:portal", "read:tap"] + business: "NotebookRunner" + options: + repo_url: "https://github.com/lsst-sqre/system-test.git" + repo_branch: "prod" + idle_time: 900 + delete_lab: false + restart: true + - name: "tutorial" + count: 1 + users: + - username: "systemtest07" + uidnumber: 74774 + scopes: ["exec:notebook", "exec:portal", "read:tap"] + business: "NotebookRunner" + options: + repo_url: "https://github.com/rubin-dp0/tutorial-notebooks.git" + repo_branch: "prod" + max_executions: 1 + working_directory: "notebooks/tutorial-notebooks" + restart: true + - name: "tap" + count: 1 + users: + - username: "systemtest08" + uidnumber: 74775 + scopes: ["read:tap"] + business: "TAPQueryRunner" + restart: true pull-secret: enabled: true diff --git a/services/mobu/values-int.yaml b/services/mobu/values-int.yaml index b23efcb4da..5329ea4593 100644 --- a/services/mobu/values-int.yaml +++ b/services/mobu/values-int.yaml 
@@ -1,28 +1,27 @@ -mobu: - imagePullSecrets: - - name: "pull-secret" +imagePullSecrets: + - name: "pull-secret" - ingress: - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:admin" - host: "lsst-lsp-int.ncsa.illinois.edu" +ingress: + annotations: + nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:admin" + host: "lsst-lsp-int.ncsa.illinois.edu" - environmentUrl: "https://lsst-lsp-int.ncsa.illinois.edu" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/mobu" +environmentUrl: "https://lsst-lsp-int.ncsa.illinois.edu" +vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/mobu" - autostart: - - name: "firefighter" - count: 1 - users: - - username: "lsptestuser01" - uidnumber: 60181 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - repo_url: "https://github.com/lsst-sqre/system-test.git" - repo_branch: "NCSA-prod" - max_executions: 1 - restart: true +autostart: + - name: "firefighter" + count: 1 + users: + - username: "lsptestuser01" + uidnumber: 60181 + scopes: ["exec:notebook", "exec:portal", "read:tap"] + business: "NotebookRunner" + options: + repo_url: "https://github.com/lsst-sqre/system-test.git" + repo_branch: "NCSA-prod" + max_executions: 1 + restart: true pull-secret: enabled: true diff --git a/services/mobu/values-minikube.yaml b/services/mobu/values-minikube.yaml index adac4a2270..9cc3420472 100644 --- a/services/mobu/values-minikube.yaml +++ b/services/mobu/values-minikube.yaml 
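Review bot: values-int.yaml keeps an explicit `nginx.ingress.kubernetes.io/auth-url` under `ingress.annotations`, but the chart's ingress template (visible in later hunks of this page) already emits that annotation from `ingress.host` and `ingress.gafaelfawrAuthQuery`, whose default in the new values.yaml is `"scope=exec:admin"`; with both present the rendered Ingress has the `auth-url` key twice in one annotations map, which a strict loader rejects and a lenient one resolves last-wins. values-stable.yaml in this commit has the same duplication. Either drop the hand-written annotation and rely on the generated one, or set `gafaelfawrAuthQuery: ""` here if the explicit URL is deliberately different. Whether the template at this exact revision emits the annotation is inferred from the later hunks, so confirm against the template as of this commit.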
@@ -1,12 +1,11 @@ -mobu: - imagePullSecrets: - - name: "pull-secret" +imagePullSecrets: + - name: "pull-secret" - ingress: - host: "minikube.lsst.codes" +ingress: + host: "minikube.lsst.codes" - environmentUrl: "https://minikube.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/mobu" +environmentUrl: "https://minikube.lsst.codes" +vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/mobu" pull-secret: enabled: true diff --git a/services/mobu/values-red-five.yaml b/services/mobu/values-red-five.yaml index 23a4ffc80a..d249718f55 100644 --- a/services/mobu/values-red-five.yaml +++ b/services/mobu/values-red-five.yaml @@ -1,12 +1,11 @@ -mobu: - imagePullSecrets: - - name: "pull-secret" +imagePullSecrets: + - name: "pull-secret" - ingress: - host: "red-five.lsst.codes" +ingress: + host: "red-five.lsst.codes" - environmentUrl: "https://red-five.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/mobu" +environmentUrl: "https://red-five.lsst.codes" +vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/mobu" pull-secret: enabled: true diff --git a/services/mobu/values-roe.yaml b/services/mobu/values-roe.yaml index 6a73f25bf1..2c5a3c8307 100644 --- a/services/mobu/values-roe.yaml +++ b/services/mobu/values-roe.yaml 
@@ -1,39 +1,38 @@ -mobu: - imagePullSecrets: - - name: "pull-secret" +imagePullSecrets: + - name: "pull-secret" - ingress: - host: "rsp.lsst.ac.uk" +ingress: + host: "rsp.lsst.ac.uk" - environmentUrl: "https://rsp.lsst.ac.uk" - vaultSecretsPath: "secret/k8s_operator/roe/mobu" +environmentUrl: "https://rsp.lsst.ac.uk" +vaultSecretsPath: "secret/k8s_operator/roe/mobu" - autostart: - - name: "firefighter" - count: 1 - users: - - username: "systemtest01" - uidnumber: 74768 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - repo_url: "https://github.com/SimonKrughoff/system-test.git" - repo_branch: "prod" - max_executions: 1 - restart: true - - name: "weekly" - count: 1 - users: - - username: "systemtest02" - uidnumber: 74769 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - jupyter: - image_class: "latest-weekly" - repo_url: "https://github.com/lsst-sqre/system-test.git" - repo_branch: "prod" - restart: true +autostart: + - name: "firefighter" + count: 1 + users: + - username: "systemtest01" + uidnumber: 74768 + scopes: ["exec:notebook", "exec:portal", "read:tap"] + business: "NotebookRunner" + options: + repo_url: "https://github.com/SimonKrughoff/system-test.git" + repo_branch: "prod" + max_executions: 1 + restart: true + - name: "weekly" + count: 1 + users: + - username: "systemtest02" + uidnumber: 74769 + scopes: ["exec:notebook", "exec:portal", "read:tap"] + business: "NotebookRunner" + options: + jupyter: + image_class: "latest-weekly" + repo_url: "https://github.com/lsst-sqre/system-test.git" + repo_branch: "prod" + restart: true pull-secret: enabled: true diff --git a/services/mobu/values-stable.yaml b/services/mobu/values-stable.yaml index 26a8be819e..817e0eff95 100644 --- a/services/mobu/values-stable.yaml +++ b/services/mobu/values-stable.yaml 
@@ -1,36 +1,35 @@ -mobu: - imagePullSecrets: - - name: "pull-secret" +imagePullSecrets: + - name: "pull-secret" - ingress: - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:admin" - host: "lsst-lsp-stable.ncsa.illinois.edu" +ingress: + annotations: + nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:admin" + host: "lsst-lsp-stable.ncsa.illinois.edu" - environmentUrl: "https://lsst-lsp-stable.ncsa.illinois.edu" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/mobu" +environmentUrl: "https://lsst-lsp-stable.ncsa.illinois.edu" +vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/mobu" - autostart: - - name: "firefighter" - count: 5 - users: - - username: "lsptestuser01" - uidnumber: 60181 - - username: "lsptestuser02" - uidnumber: 60182 - - username: "lsptestuser03" - uidnumber: 60183 - - username: "lsptestuser04" - uidnumber: 60184 - - username: "lsptestuser05" - uidnumber: 60185 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - repo_url: "https://github.com/lsst-sqre/system-test.git" - repo_branch: "NCSA-prod" - max_executions: 1 - restart: true +autostart: + - name: "firefighter" + count: 5 + users: + - username: "lsptestuser01" + uidnumber: 60181 + - username: "lsptestuser02" + uidnumber: 60182 + - username: "lsptestuser03" + uidnumber: 60183 + - username: "lsptestuser04" + uidnumber: 60184 + - username: "lsptestuser05" + uidnumber: 60185 + scopes: ["exec:notebook", "exec:portal", "read:tap"] + business: "NotebookRunner" + options: + repo_url: "https://github.com/lsst-sqre/system-test.git" + repo_branch: "NCSA-prod" + max_executions: 1 + restart: true pull-secret: enabled: true diff --git a/services/mobu/values.yaml b/services/mobu/values.yaml new file mode 100644 index 0000000000..81c7588e58 --- /dev/null +++ b/services/mobu/values.yaml 
@@ -0,0 +1,80 @@ +# Default values for mobu. + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# -- Autostart specification. Must be a list of mobu flock specifications. +# Each flock listed will be automatically started when mobu is started. +autostart: [] + +# -- Cachemachine image policy. Must be one of `desired` or +# `available`. Determines whether cachemachine reports the images it +# has or the ones it wants. Should be `desired` in environments with +# image streaming enabled (e.g. IDF). +cachemachineImagePolicy: "available" + +# -- Base URL used to find other services in the environment such as Nublado +# and TAP +# @default -- None, must be set +environmentUrl: "" + +# -- Path to the Vault secret containing the Slack alert hook +# @default -- None, must be set +vaultSecretsPath: "" + +image: + # -- mobu image to use + repository: "ghcr.io/lsst-sqre/mobu" + + # -- Pull policy for the mobu image + pullPolicy: "IfNotPresent" + + # -- Tag of mobu image to use + # @default -- The appVersion of the chart + tag: "" + +# -- Secret names to use for all Docker pulls +imagePullSecrets: [] + +service: + # -- Type of service to create + type: "ClusterIP" + + # -- Port of the service to create and map to the ingress + port: 80 + +ingress: + # -- Whether to create an ingress + enabled: true + + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=exec:admin" + + # -- Hostname for the ingress + # @default -- None, must be set if the ingress is enabled + host: "" + + # -- Additional annotations to add to the ingress + annotations: {} + + # -- Configures TLS for the ingress if needed. If multiple ingresses share + # the same hostname, only one of them needs a TLS configuration. 
+ tls: [] + +# -- Resource limits and requests for the mobu frontend pod +resources: {} + +# -- Annotations for the mobu frontend pod +podAnnotations: {} + +# -- Node selector rules for the mobu frontend pod +nodeSelector: {} + +# -- Tolerations for the mobu frontend pod +tolerations: [] + +# -- Affinity rules for the mobu frontend pod +affinity: {} From e62b7330a78d870368b7b1bffd77b5f5858f6436 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 9 Mar 2022 15:32:37 -0800 Subject: [PATCH 0056/1479] Drop the mobu pull-secret chart dependency Change vaultSecretsPath to take the root path instead of the service-specific path, unconditionally create pull-secret and hard-code its name, and remove all the configuration and dependency on the pull-secret chart. --- services/mobu/Chart.yaml | 4 ---- services/mobu/templates/statefulset.yaml | 4 +--- services/mobu/templates/vault-secret.yaml | 14 ++++++++++++-- services/mobu/values-idfdev.yaml | 9 +-------- services/mobu/values-idfint.yaml | 9 +-------- services/mobu/values-idfprod.yaml | 9 +-------- services/mobu/values-int.yaml | 9 +-------- services/mobu/values-minikube.yaml | 9 +-------- services/mobu/values-red-five.yaml | 9 +-------- services/mobu/values-roe.yaml | 9 +-------- services/mobu/values-stable.yaml | 9 +-------- 11 files changed, 21 insertions(+), 73 deletions(-) diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index 52bf804311..dee48c061d 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -3,7 +3,3 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu -dependencies: - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ diff --git a/services/mobu/templates/statefulset.yaml b/services/mobu/templates/statefulset.yaml index eaf8d632a7..acbe4f433d 100644 --- a/services/mobu/templates/statefulset.yaml +++ b/services/mobu/templates/statefulset.yaml 
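Review bot: `environmentUrl` and `vaultSecretsPath` are documented with `# @default -- None, must be set` but ship as `""`, and only the Vault and ingress templates appear to enforce that with `required`; the statefulset renders `value: {{ .Values.environmentUrl }}` unquoted, so an unset value produces `value:` (null) for the `ENVIRONMENT_URL` env entry and the chart installs with mobu pointed at nothing. Guard it like the others, `value: {{ required "environmentUrl must be set" .Values.environmentUrl | quote }}`, so the contract the comment states is checked at render time. The same applies to `cachemachineImagePolicy`, whose "must be one of `desired` or `available`" is likewise only documentation. The template lines are inferred from later hunks on this page, not from this commit.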
@@ -19,10 +19,8 @@ spec: labels: {{- include "mobu.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/services/mobu/templates/vault-secret.yaml b/services/mobu/templates/vault-secret.yaml index d4039253c4..ac0f61553f 100644 --- a/services/mobu/templates/vault-secret.yaml +++ b/services/mobu/templates/vault-secret.yaml @@ -5,5 +5,15 @@ metadata: labels: {{- include "mobu.labels" . | nindent 4 }} spec: - path: {{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath | quote }} - type: Opaque + path: "{{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath }}/mobu" + type: "Opaque" +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: "pull-secret" + labels: + {{- include "mobu.labels" . | nindent 4 }} +spec: + path: "{{ .Values.vaultSecretsPath }}/pull-secret" + type: "kubernetes.io/dockerconfigjson" diff --git a/services/mobu/values-idfdev.yaml b/services/mobu/values-idfdev.yaml index bce48effef..cff0c8d7c2 100644 --- a/services/mobu/values-idfdev.yaml +++ b/services/mobu/values-idfdev.yaml @@ -1,12 +1,9 @@ -imagePullSecrets: - - name: "pull-secret" - ingress: host: "data-dev.lsst.cloud" cachemachineImagePolicy: "desired" environmentUrl: "https://data-dev.lsst.cloud" -vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/mobu" +vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud" autostart: - name: "python" @@ -20,7 +17,3 @@ autostart: jupyter: image_size: "Small" restart: true - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 50dfc0659c..76378359c3 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml 
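Review bot: Hard-coding `- name: "pull-secret"` leaves `.Values.imagePullSecrets` unread by any template, yet the key stays declared as `imagePullSecrets: []` in values.yaml and still appears in the README table in the next commit, so an operator who sets it gets a silent no-op. Remove the key from values.yaml (helm-docs will then drop the README row), or keep the `with` block after the hard-coded entry so additional pull secrets can still be appended. The per-environment files in this commit only remove their own `imagePullSecrets` stanzas, so nothing else depends on the key.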
@@ -1,12 +1,9 @@ -imagePullSecrets: - - name: "pull-secret" - ingress: host: "data-int.lsst.cloud" cachemachineImagePolicy: "desired" environmentUrl: "https://data-int.lsst.cloud" -vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/mobu" +vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud" autostart: - name: "firefighter" @@ -42,7 +39,3 @@ autostart: scopes: ["read:tap"] business: "TAPQueryRunner" restart: true - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" diff --git a/services/mobu/values-idfprod.yaml b/services/mobu/values-idfprod.yaml index 535e5d1fe4..eebf1878b2 100644 --- a/services/mobu/values-idfprod.yaml +++ b/services/mobu/values-idfprod.yaml @@ -1,12 +1,9 @@ -imagePullSecrets: - - name: "pull-secret" - ingress: host: "data.lsst.cloud" cachemachineImagePolicy: "desired" environmentUrl: "https://data.lsst.cloud" -vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/mobu" +vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud" autostart: - name: "firefighter" @@ -63,7 +60,3 @@ autostart: scopes: ["read:tap"] business: "TAPQueryRunner" restart: true - -pull-secret: - enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" diff --git a/services/mobu/values-int.yaml b/services/mobu/values-int.yaml index 5329ea4593..831a2195c4 100644 --- a/services/mobu/values-int.yaml +++ b/services/mobu/values-int.yaml @@ -1,13 +1,10 @@ -imagePullSecrets: - - name: "pull-secret" - ingress: annotations: nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:admin" host: "lsst-lsp-int.ncsa.illinois.edu" environmentUrl: "https://lsst-lsp-int.ncsa.illinois.edu" -vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/mobu" +vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu" autostart: - name: "firefighter" 
@@ -22,7 +19,3 @@ autostart: repo_branch: "NCSA-prod" max_executions: 1 restart: true - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" diff --git a/services/mobu/values-minikube.yaml b/services/mobu/values-minikube.yaml index 9cc3420472..243552aeea 100644 --- a/services/mobu/values-minikube.yaml +++ b/services/mobu/values-minikube.yaml @@ -1,12 +1,5 @@ -imagePullSecrets: - - name: "pull-secret" - ingress: host: "minikube.lsst.codes" environmentUrl: "https://minikube.lsst.codes" -vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/mobu" - -pull-secret: - enabled: true - path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" +vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes" diff --git a/services/mobu/values-red-five.yaml b/services/mobu/values-red-five.yaml index d249718f55..72c96553a4 100644 --- a/services/mobu/values-red-five.yaml +++ b/services/mobu/values-red-five.yaml @@ -1,12 +1,5 @@ -imagePullSecrets: - - name: "pull-secret" - ingress: host: "red-five.lsst.codes" environmentUrl: "https://red-five.lsst.codes" -vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/mobu" - -pull-secret: - enabled: true - path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" +vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes" diff --git a/services/mobu/values-roe.yaml b/services/mobu/values-roe.yaml index 2c5a3c8307..cbb66f4369 100644 --- a/services/mobu/values-roe.yaml +++ b/services/mobu/values-roe.yaml @@ -1,11 +1,8 @@ -imagePullSecrets: - - name: "pull-secret" - ingress: host: "rsp.lsst.ac.uk" environmentUrl: "https://rsp.lsst.ac.uk" -vaultSecretsPath: "secret/k8s_operator/roe/mobu" +vaultSecretsPath: "secret/k8s_operator/roe" autostart: - name: "firefighter" @@ -33,7 +30,3 @@ autostart: repo_url: "https://github.com/lsst-sqre/system-test.git" repo_branch: "prod" restart: true - -pull-secret: - enabled: true - path: "secret/k8s_operator/roe/pull-secret" 
diff --git a/services/mobu/values-stable.yaml b/services/mobu/values-stable.yaml index 817e0eff95..b2a40d7c18 100644 --- a/services/mobu/values-stable.yaml +++ b/services/mobu/values-stable.yaml @@ -1,13 +1,10 @@ -imagePullSecrets: - - name: "pull-secret" - ingress: annotations: nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:admin" host: "lsst-lsp-stable.ncsa.illinois.edu" environmentUrl: "https://lsst-lsp-stable.ncsa.illinois.edu" -vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/mobu" +vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu" autostart: - name: "firefighter" @@ -30,7 +27,3 @@ autostart: repo_branch: "NCSA-prod" max_executions: 1 restart: true - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" From faed1cdeed62850d5da0859bd30a24c8f12eb72c Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Wed, 9 Mar 2022 16:08:36 -0800 Subject: [PATCH 0057/1479] Try new method of passing parameters to mobu Define various global settings in the mobu Application and use them in the chart instead of using normal values parameters, which in turn allows deleting all of those parameters from the individual per-environment files. Delete some configuration parameters we will never use (TLS configuration and disabling the ingress). --- .../templates/mobu-application.yaml | 33 ++++++++++------- services/mobu/Chart.yaml | 1 + services/mobu/README.md | 14 ++------ services/mobu/templates/ingress.yaml | 18 ++-------- services/mobu/templates/statefulset.yaml | 34 +++++++++--------- services/mobu/templates/vault-secret.yaml | 4 +-- services/mobu/values-idfdev.yaml | 5 --- services/mobu/values-idfint.yaml | 5 --- services/mobu/values-idfprod.yaml | 5 --- services/mobu/values-int.yaml | 8 ----- services/mobu/values-minikube.yaml | 5 --- services/mobu/values-red-five.yaml | 5 --- services/mobu/values-roe.yaml | 6 ---- services/mobu/values-stable.yaml | 8 ----- services/mobu/values.yaml | 35 ++++++++----------- 15 files changed, 62 insertions(+), 124 deletions(-) diff --git a/science-platform/templates/mobu-application.yaml b/science-platform/templates/mobu-application.yaml index 0afc89e852..2dc600fdb8 100644 --- a/science-platform/templates/mobu-application.yaml +++ b/science-platform/templates/mobu-application.yaml 
@@ -2,29 +2,36 @@ apiVersion: v1 kind: Namespace metadata: - name: mobu + name: "mobu" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: mobu - namespace: argocd + name: "mobu" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: mobu - server: https://kubernetes.default.svc - project: default + namespace: "mobu" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/mobu - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/mobu" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: + parameters: + - name: "globals.host" + value: {{ .Values.fqdn | quote }} + - name: "globals.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "globals.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index dee48c061d..be6bc4e018 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -3,3 +3,4 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu +appVersion: "4.2.0" diff --git a/services/mobu/README.md b/services/mobu/README.md index 281ffd419b..d66d2309b1 100644 --- a/services/mobu/README.md +++ b/services/mobu/README.md @@ -2,12 +2,6 @@ Generate system load by pretending to be a random scientist -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | - ## Values | Key | Type | Default | Description | 
@@ -15,17 +9,16 @@ Generate system load by pretending to be a random scientist | affinity | object | `{}` | Affinity rules for the mobu frontend pod | | autostart | list | `[]` | Autostart specification. Must be a list of mobu flock specifications. Each flock listed will be automatically started when mobu is started. | | cachemachineImagePolicy | string | `"available"` | Cachemachine image policy. Must be one of `desired` or `available`. Determines whether cachemachine reports the images it has or the ones it wants. Should be `desired` in environments with image streaming enabled (e.g. IDF). | -| environmentUrl | string | None, must be set | Base URL used to find other services in the environment such as Nublado and TAP | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| globals.baseUrl | string | Set by Argo CD | Base URL for the environment | +| globals.host | string | Set by Argo CD | Host name for ingress | +| globals.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the mobu image | | image.repository | string | `"ghcr.io/lsst-sqre/mobu"` | mobu image to use | | image.tag | string | The appVersion of the chart | Tag of mobu image to use | | imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | -| ingress.enabled | bool | `true` | Whether to create an ingress | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string | -| ingress.host | string | None, must be set if the ingress is enabled | Hostname for the ingress | -| ingress.tls | list | `[]` | Configures TLS for the ingress if needed. If multiple ingresses share the same hostname, only one of them needs a TLS configuration. 
| | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the mobu frontend pod | | podAnnotations | object | `{}` | Annotations for the mobu frontend pod | @@ -33,7 +26,6 @@ Generate system load by pretending to be a random scientist | service.port | int | `80` | Port of the service to create and map to the ingress | | service.type | string | `"ClusterIP"` | Type of service to create | | tolerations | list | `[]` | Tolerations for the mobu frontend pod | -| vaultSecretsPath | string | None, must be set | Path to the Vault secret containing the Slack alert hook | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/mobu/templates/ingress.yaml b/services/mobu/templates/ingress.yaml index 0017e048ca..96f7e5d46b 100644 --- a/services/mobu/templates/ingress.yaml +++ b/services/mobu/templates/ingress.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -7,8 +6,8 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login" - nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} 
@@ -18,7 +17,7 @@ metadata: {{- include "mobu.labels" . | nindent 4 }} spec: rules: - - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + - host: {{ required "globals.host must be set" .Values.globals.host | quote }} http: paths: - path: "/mobu" @@ -28,14 +27,3 @@ spec: name: {{ template "mobu.fullname" . }} port: number: {{ .Values.service.port }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} -{{- end }} diff --git a/services/mobu/templates/statefulset.yaml b/services/mobu/templates/statefulset.yaml index acbe4f433d..6bbe4132d7 100644 --- a/services/mobu/templates/statefulset.yaml +++ b/services/mobu/templates/statefulset.yaml @@ -19,23 +19,9 @@ spec: labels: {{- include "mobu.selectorLabels" . | nindent 8 }} spec: - imagePullSecrets: - - name: "pull-secret" - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 automountServiceAccountToken: false containers: - name: {{ .Chart.Name }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} env: - name: "ALERT_HOOK" valueFrom: @@ -49,12 +35,14 @@ spec: - name: "CACHEMACHINE_IMAGE_POLICY" value: {{ .Values.cachemachineImagePolicy }} - name: "ENVIRONMENT_URL" - value: {{ .Values.environmentUrl }} + value: {{ .Values.globals.baseUrl }} - name: "GAFAELFAWR_TOKEN" valueFrom: secretKeyRef: name: {{ template "mobu.fullname" . }}-gafaelfawr-token key: "token" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} ports: - name: "http" containerPort: 8080 
@@ -64,8 +52,16 @@ spec: path: "/mobu/flocks" port: "http" timeoutSeconds: 10 + {{- with .Values.resources }} resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true volumeMounts: {{- if .Values.autostart }} - name: "autostart" @@ -74,6 +70,12 @@ spec: {{- end }} - name: "tmp" mountPath: "/tmp" + imagePullSecrets: + - name: "pull-secret" + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 volumes: {{- if .Values.autostart }} - name: "autostart" diff --git a/services/mobu/templates/vault-secret.yaml b/services/mobu/templates/vault-secret.yaml index ac0f61553f..66b29a3e56 100644 --- a/services/mobu/templates/vault-secret.yaml +++ b/services/mobu/templates/vault-secret.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "mobu.labels" . | nindent 4 }} spec: - path: "{{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath }}/mobu" + path: "{{ .Values.globals.vaultSecretsPath }}/mobu" type: "Opaque" --- apiVersion: ricoberger.de/v1alpha1 @@ -15,5 +15,5 @@ metadata: labels: {{- include "mobu.labels" . | nindent 4 }} spec: - path: "{{ .Values.vaultSecretsPath }}/pull-secret" + path: "{{ .Values.globals.vaultSecretsPath }}/pull-secret" type: "kubernetes.io/dockerconfigjson" diff --git a/services/mobu/values-idfdev.yaml b/services/mobu/values-idfdev.yaml index cff0c8d7c2..5b91917a2f 100644 --- a/services/mobu/values-idfdev.yaml +++ b/services/mobu/values-idfdev.yaml @@ -1,9 +1,4 @@ -ingress: - host: "data-dev.lsst.cloud" - cachemachineImagePolicy: "desired" -environmentUrl: "https://data-dev.lsst.cloud" -vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud" autostart: - name: "python" diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 76378359c3..dbe2a6064e 100644 --- a/services/mobu/values-idfint.yaml 
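Review bot: The pod-level `securityContext` restored here sets `runAsNonRoot`/`runAsUser`/`runAsGroup` but no seccomp profile, which together with the container-level hardening in the previous hunk (`allowPrivilegeEscalation: false`, `drop: [ALL]`, read-only root) appears to be the remaining field needed for the restricted Pod Security Standard; add `seccompProfile:` / `type: "RuntimeDefault"` under it. Since the commit only moves these blocks into the order the chart now uses, this is the natural place to add it. The template's `volumes:` section continues outside the hunk.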
+++ b/services/mobu/values-idfint.yaml @@ -1,9 +1,4 @@ -ingress: - host: "data-int.lsst.cloud" - cachemachineImagePolicy: "desired" -environmentUrl: "https://data-int.lsst.cloud" -vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud" autostart: - name: "firefighter" diff --git a/services/mobu/values-idfprod.yaml b/services/mobu/values-idfprod.yaml index eebf1878b2..f4524f54f4 100644 --- a/services/mobu/values-idfprod.yaml +++ b/services/mobu/values-idfprod.yaml @@ -1,9 +1,4 @@ -ingress: - host: "data.lsst.cloud" - cachemachineImagePolicy: "desired" -environmentUrl: "https://data.lsst.cloud" -vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud" autostart: - name: "firefighter" diff --git a/services/mobu/values-int.yaml b/services/mobu/values-int.yaml index 831a2195c4..23a108f803 100644 --- a/services/mobu/values-int.yaml +++ b/services/mobu/values-int.yaml @@ -1,11 +1,3 @@ -ingress: - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:admin" - host: "lsst-lsp-int.ncsa.illinois.edu" - -environmentUrl: "https://lsst-lsp-int.ncsa.illinois.edu" -vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu" - autostart: - name: "firefighter" count: 1 diff --git a/services/mobu/values-minikube.yaml b/services/mobu/values-minikube.yaml index 243552aeea..e69de29bb2 100644 --- a/services/mobu/values-minikube.yaml +++ b/services/mobu/values-minikube.yaml @@ -1,5 +0,0 @@ -ingress: - host: "minikube.lsst.codes" - -environmentUrl: "https://minikube.lsst.codes" -vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes" diff --git a/services/mobu/values-red-five.yaml b/services/mobu/values-red-five.yaml index 72c96553a4..e69de29bb2 100644 --- a/services/mobu/values-red-five.yaml +++ b/services/mobu/values-red-five.yaml @@ -1,5 +0,0 @@ -ingress: - host: "red-five.lsst.codes" - -environmentUrl: "https://red-five.lsst.codes" -vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes" 
diff --git a/services/mobu/values-roe.yaml b/services/mobu/values-roe.yaml index cbb66f4369..cd8efbfaf6 100644 --- a/services/mobu/values-roe.yaml +++ b/services/mobu/values-roe.yaml @@ -1,9 +1,3 @@ -ingress: - host: "rsp.lsst.ac.uk" - -environmentUrl: "https://rsp.lsst.ac.uk" -vaultSecretsPath: "secret/k8s_operator/roe" - autostart: - name: "firefighter" count: 1 diff --git a/services/mobu/values-stable.yaml b/services/mobu/values-stable.yaml index b2a40d7c18..ee845089d8 100644 --- a/services/mobu/values-stable.yaml +++ b/services/mobu/values-stable.yaml @@ -1,11 +1,3 @@ -ingress: - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:admin" - host: "lsst-lsp-stable.ncsa.illinois.edu" - -environmentUrl: "https://lsst-lsp-stable.ncsa.illinois.edu" -vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu" - autostart: - name: "firefighter" count: 5 diff --git a/services/mobu/values.yaml b/services/mobu/values.yaml index 81c7588e58..3f77c0eb11 100644 --- a/services/mobu/values.yaml +++ b/services/mobu/values.yaml @@ -16,15 +16,6 @@ autostart: [] # image streaming enabled (e.g. IDF). cachemachineImagePolicy: "available" -# -- Base URL used to find other services in the environment such as Nublado -# and TAP -# @default -- None, must be set -environmentUrl: "" - -# -- Path to the Vault secret containing the Slack alert hook -# @default -- None, must be set -vaultSecretsPath: "" - image: # -- mobu image to use repository: "ghcr.io/lsst-sqre/mobu" 
@@ -47,23 +38,12 @@ service: port: 80 ingress: - # -- Whether to create an ingress - enabled: true - # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "scope=exec:admin" - # -- Hostname for the ingress - # @default -- None, must be set if the ingress is enabled - host: "" - # -- Additional annotations to add to the ingress annotations: {} - # -- Configures TLS for the ingress if needed. If multiple ingresses share - # the same hostname, only one of them needs a TLS configuration. - tls: [] - # -- Resource limits and requests for the mobu frontend pod resources: {} @@ -78,3 +58,18 @@ tolerations: [] # -- Affinity rules for the mobu frontend pod affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +globals: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From bb6d2ef8e85e329e5adcf4e17cdc9e303bae0386 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 9 Mar 2022 16:36:13 -0800 Subject: [PATCH 0058/1479] Update mobu type, enable NetworkPolicy Change the StatefulSet back to a Deployment, but use a Recreate strategy so that only one will be running at a time. Remove the conditional around NetworkPolicy now that there's no boolean setting whether to create an ingress. --- .../mobu/templates/{statefulset.yaml => deployment.yaml} | 5 +++-- services/mobu/templates/networkpolicy.yaml | 2 -- 2 files changed, 3 insertions(+), 4 deletions(-) rename services/mobu/templates/{statefulset.yaml => deployment.yaml} (98%) diff --git a/services/mobu/templates/statefulset.yaml b/services/mobu/templates/deployment.yaml similarity index 98% rename from services/mobu/templates/statefulset.yaml rename to services/mobu/templates/deployment.yaml index 6bbe4132d7..44b5cd8573 100644 
--- a/services/mobu/templates/statefulset.yaml +++ b/services/mobu/templates/deployment.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: {{ include "mobu.fullname" . }} labels: @@ -9,7 +9,8 @@ spec: selector: matchLabels: {{- include "mobu.selectorLabels" . | nindent 6 }} - serviceName: "mobu" + strategy: + type: "Recreate" template: metadata: {{- with .Values.podAnnotations }} diff --git a/services/mobu/templates/networkpolicy.yaml b/services/mobu/templates/networkpolicy.yaml index db80cb0b6a..9ac98c6c65 100644 --- a/services/mobu/templates/networkpolicy.yaml +++ b/services/mobu/templates/networkpolicy.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -20,4 +19,3 @@ spec: ports: - protocol: "TCP" port: 8080 -{{- end }} From 23d78346a90a928c19d87d6194a3277513b51fd8 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 10 Mar 2022 11:03:30 -0700 Subject: [PATCH 0059/1479] increase hub memory at IDF --- services/nublado2/values-idfdev.yaml | 4 ++-- services/nublado2/values-idfint.yaml | 2 +- services/nublado2/values-idfprod.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index f09111d404..5e170a21a1 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -3,8 +3,8 @@ nublado2: hub: resources: requests: - cpu: 300m - memory: 512Mi + cpu: "2" + memory: 3Gi ingress: hosts: ["data-dev.lsst.cloud"] annotations: diff --git a/services/nublado2/values-idfint.yaml b/services/nublado2/values-idfint.yaml index b53edaf6ab..ff10daaf2b 100644 --- a/services/nublado2/values-idfint.yaml +++ b/services/nublado2/values-idfint.yaml @@ -3,7 +3,7 @@ nublado2: hub: resources: requests: - cpu: "1" + cpu: "2" memory: 3Gi ingress: hosts: ["data-int.lsst.cloud"] 
diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index aeb0d47189..e955cb9bee 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml @@ -3,7 +3,7 @@ nublado2: hub: resources: requests: - cpu: "1" + cpu: "2" memory: 3Gi ingress: hosts: ["data.lsst.cloud"] From 768365cf2ead7b8450ca17e94472407f022b3c0b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 10 Mar 2022 12:32:10 -0800 Subject: [PATCH 0060/1479] Update to new Portal chart Rewrite the local configuration for each environment for the new Portal chart. --- services/portal/Chart.yaml | 4 +- services/portal/values-base.yaml | 33 +++--------- services/portal/values-idfdev.yaml | 31 +++-------- services/portal/values-idfint.yaml | 43 +++++---------- services/portal/values-idfprod.yaml | 43 +++++---------- services/portal/values-int.yaml | 55 +++++++------------- services/portal/values-minikube.yaml | 31 +++-------- services/portal/values-red-five.yaml | 31 +++-------- services/portal/values-roe.yaml | 33 +++--------- services/portal/values-stable.yaml | 55 +++++++------------- services/portal/values-summit.yaml | 33 +++--------- services/portal/values-tucson-teststand.yaml | 33 +++--------- 12 files changed, 109 insertions(+), 316 deletions(-) diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml index 3902c631fb..9ad890e5b3 100644 --- a/services/portal/Chart.yaml +++ b/services/portal/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: portal version: 1.0.0 dependencies: - - name: firefly - version: 0.3.7 + - name: portal + version: 0.4.1 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 diff --git a/services/portal/values-base.yaml b/services/portal/values-base.yaml index c6fa254c00..f06de47899 100644 --- a/services/portal/values-base.yaml +++ b/services/portal/values-base.yaml 
@@ -1,35 +1,16 @@ -firefly: - pull_secret: 'pull-secret' +portal: + imagePullSecrets: + - name: "pull-secret" ingress: - host: 'base-lsp.lsst.codes' - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://base-lsp.lsst.codes/login" - nginx.ingress.kubernetes.io/auth-url: "https://base-lsp.lsst.codes/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; + host: "base-lsp.lsst.codes" resources: limits: - memory: 32Gi + memory: "32Gi" - secrets: - enabled: false - - vault_secrets: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/portal - - redis: - resources: - limits: - memory: 20Mi + vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes/portal" pull-secret: enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret + path: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index d188933b54..036661e7ba 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml 
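Review bot: The Gafaelfawr auth annotations (`auth-url` with `scope=exec:portal&delegate_to=portal&delegate_scope=read:tap`, `auth-signin`, `auth-response-headers`) and the `configuration-snippet` are removed from `portal.ingress` with no replacement in this file, so the Portal ingress stays authenticated only if the 0.4.1 portal chart renders those annotations itself; the commit message says the configuration was rewritten for the new chart, but nothing in the diff shows the chart producing them. Before merging, render the chart for one environment and confirm the Ingress carries the `auth-url` annotation with the delegated `read:tap` scope the Portal needs for TAP, and record the expectation here with a comment such as `# Gafaelfawr auth annotations are generated by the portal chart`. The same removal occurs in the values-idfdev, values-idfint, values-idfprod, values-int, values-minikube, values-red-five, values-roe, values-stable, values-summit and values-tucson-teststand hunks.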
@@ -1,35 +1,16 @@ -firefly: - pull_secret: 'pull-secret' +portal: + imagePullSecrets: + - name: "pull-secret" ingress: host: "data-dev.lsst.cloud" - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.cloud/login" - nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.cloud/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; resources: limits: - memory: 8Gi + memory: "8Gi" - secrets: - enabled: false - - vault_secrets: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/portal - - redis: - resources: - limits: - memory: 20Mi + vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/portal" pull-secret: enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret + path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index a55b28aefe..23b3b1f51e 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml 
@@ -1,43 +1,24 @@ -firefly: - pull_secret: 'pull-secret' +portal: replicaCount: 4 - volumes: - firefly_shared_workarea_nfs: - path: /share1/home/firefly/shared-workarea - server: 10.22.240.130 + imagePullSecrets: + - name: "pull-secret" + + config: + volumes: + workareaNfs: + path: "/share1/home/firefly/shared-workarea" + server: "10.22.240.130" ingress: host: "data-int.lsst.cloud" - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://data-int.lsst.cloud/login" - nginx.ingress.kubernetes.io/auth-url: "https://data-int.lsst.cloud/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/proxy-read-timeout: "600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "600" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; resources: limits: - memory: 30Gi - - secrets: - enabled: false - - vault_secrets: - enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/portal + memory: "30Gi" - redis: - resources: - limits: - memory: 20Mi + vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/portal" pull-secret: enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/pull-secret + path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" diff --git a/services/portal/values-idfprod.yaml b/services/portal/values-idfprod.yaml index 98e0f2c392..645ecdbb52 100644 --- a/services/portal/values-idfprod.yaml +++ b/services/portal/values-idfprod.yaml 
@@ -1,43 +1,24 @@ -firefly: - pull_secret: 'pull-secret' +portal: replicaCount: 4 - volumes: - firefly_shared_workarea_nfs: - path: /share1/home/firefly/shared-workarea - server: 10.13.105.122 + imagePullSecrets: + - name: "pull-secret" + + config: + volumes: + workareaNfs: + path: "/share1/home/firefly/shared-workarea" + server: "10.13.105.122" ingress: host: "data.lsst.cloud" - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://data.lsst.cloud/login" - nginx.ingress.kubernetes.io/auth-url: "https://data.lsst.cloud/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/proxy-read-timeout: "600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "600" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; resources: limits: - memory: 30Gi - - secrets: - enabled: false - - vault_secrets: - enabled: true - path: secret/k8s_operator/data.lsst.cloud/portal + memory: "30Gi" - redis: - resources: - limits: - memory: 20Mi + vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/portal" pull-secret: enabled: true - path: secret/k8s_operator/data.lsst.cloud/pull-secret + path: "secret/k8s_operator/data.lsst.cloud/pull-secret" diff --git a/services/portal/values-int.yaml b/services/portal/values-int.yaml index 54dc374ed7..a26d7c64fa 100644 --- a/services/portal/values-int.yaml +++ b/services/portal/values-int.yaml 
@@ -1,53 +1,36 @@ -firefly: - pull_secret: 'pull-secret' +portal: replicaCount: 2 + imagePullSecrets: + - name: "pull-secret" + + config: + volumes: + workareaHostPath: "/sui/firefly/workarea" + configHostPath: "/sui/firefly/config" + ingress: - host: 'lsst-lsp-int.ncsa.illinois.edu' - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://lsst-lsp-int.ncsa.illinois.edu/login" - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; - - secrets: - enabled: false - - vault_secrets: - enabled: true - path: 'secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/portal' - - redis: - resources: - limits: - memory: 20Mi + host: "lsst-lsp-int.ncsa.illinois.edu" + + vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/portal" nodeSelector: - environment: portal-int + environment: "portal-int" tolerations: - - effect: NoSchedule - key: dedicated - operator: Equal - value: portal + - effect: "NoSchedule" + key: "dedicated" + operator: "Equal" + value: "portal" resources: limits: - memory: 24Gi + memory: "24Gi" securityContext: runAsUser: 101 runAsGroup: 102 - volumes: - firefly_shared_workarea_hostpath: /sui/firefly/workarea - firefly_config_hostpath: /sui/firefly/config - pull-secret: enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret + path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" diff --git a/services/portal/values-minikube.yaml b/services/portal/values-minikube.yaml index 8ba2d28b82..6b99598f1f 100644 
--- a/services/portal/values-minikube.yaml +++ b/services/portal/values-minikube.yaml @@ -1,36 +1,17 @@ -firefly: - pull_secret: 'pull-secret' +portal: + imagePullSecrets: + - name: "pull-secret" ingress: host: "minikube.lsst.codes" - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://minikube.lsst.codes/login" - nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; resources: limits: cpu: 0.3 - memory: 2Gi + memory: "2Gi" - secrets: - enabled: false - - vault_secrets: - enabled: true - path: secret/k8s_operator/minikube.lsst.codes/portal - - redis: - resources: - limits: - memory: 20Mi + vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/portal" pull-secret: enabled: true - path: secret/k8s_operator/minikube.lsst.codes/pull-secret + path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" diff --git a/services/portal/values-red-five.yaml b/services/portal/values-red-five.yaml index 74b371a943..dafb966e71 100644 --- a/services/portal/values-red-five.yaml +++ b/services/portal/values-red-five.yaml 
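Review bot: This environment previously pointed `auth-url` at the in-cluster service `http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?...` while every other environment used the external hostname; the new file only sets `ingress.host: "minikube.lsst.codes"`, so if the portal chart derives the auth URL from the host, the auth subrequest on minikube now depends on `minikube.lsst.codes` resolving from inside the cluster. Confirm the rendered Ingress on minikube, or check whether the chart exposes an override for the auth URL and set it here. The shared concern about the removed Gafaelfawr annotations raised on the values-base hunk applies to this hunk as well.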
@@ -1,35 +1,16 @@ -firefly: - pull_secret: 'pull-secret' +portal: + imagePullSecrets: + - name: "pull-secret" ingress: host: "red-five.lsst.codes" - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://red-five.lsst.codes/login" - nginx.ingress.kubernetes.io/auth-url: "https://red-five.lsst.codes/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; resources: limits: - memory: 8Gi + memory: "8Gi" - secrets: - enabled: false - - vault_secrets: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/portal - - redis: - resources: - limits: - memory: 20Mi + vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/portal" pull-secret: enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret + path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" diff --git a/services/portal/values-roe.yaml b/services/portal/values-roe.yaml index 626f2456a9..ffd2df4681 100644 --- a/services/portal/values-roe.yaml +++ b/services/portal/values-roe.yaml 
@@ -1,37 +1,16 @@ -firefly: - pull_secret: 'pull-secret' +portal: + imagePullSecrets: + - name: "pull-secret" ingress: host: "rsp.lsst.ac.uk" - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://rsp.lsst.ac.uk/login" - nginx.ingress.kubernetes.io/auth-url: "https://rsp.lsst.ac.uk/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; - - max_jvm_size: "7G" resources: limits: - memory: 8Gi - - secrets: - enabled: false - - vault_secrets: - enabled: true - path: secret/k8s_operator/roe/portal + memory: "8Gi" - redis: - resources: - limits: - memory: 20Mi + vaultSecretsPath: "secret/k8s_operator/roe/portal" pull-secret: enabled: true - path: secret/k8s_operator/roe/pull-secret + path: "secret/k8s_operator/roe/pull-secret" diff --git a/services/portal/values-stable.yaml b/services/portal/values-stable.yaml index 87a50f9dd9..cdf40d791f 100644 --- a/services/portal/values-stable.yaml +++ b/services/portal/values-stable.yaml 
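Review bot: `max_jvm_size: "7G"` is removed along with the annotations while `resources.limits.memory: "8Gi"` is kept, so unless the portal chart sizes the JVM heap from the memory limit or has a replacement key, the container falls back to the JVM's default heap sizing against an 8Gi limit. Check the 0.4.1 chart for the equivalent setting and restore it under `portal:` if one exists, or note in this file why it is no longer needed (`# JVM heap is sized by the chart`).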
@@ -1,53 +1,36 @@ -firefly: - pull_secret: 'pull-secret' +portal: replicaCount: 2 + imagePullSecrets: + - name: "pull-secret" + + config: + volumes: + workareaHostPath: "/sui/firefly/workarea" + configHostPath: "/sui/firefly/config" + ingress: - host: 'lsst-lsp-stable.ncsa.illinois.edu' - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://lsst-lsp-stable.ncsa.illinois.edu/login" - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; - - secrets: - enabled: false - - vault_secrets: - enabled: true - path: 'secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/portal' - - redis: - resources: - limits: - memory: 20Mi + host: "lsst-lsp-stable.ncsa.illinois.edu" + + vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/portal" nodeSelector: - environment: portal-stable + environment: "portal-stable" tolerations: - - effect: NoSchedule - key: dedicated - operator: Equal - value: portal + - effect: "NoSchedule" + key: "dedicated" + operator: "Equal" + value: "portal" resources: limits: - memory: 24Gi + memory: "24Gi" securityContext: runAsUser: 101 runAsGroup: 102 - volumes: - firefly_shared_workarea_hostpath: /sui/firefly/workarea - firefly_config_hostpath: /sui/firefly/config - pull-secret: enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret + path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" 
diff --git a/services/portal/values-summit.yaml b/services/portal/values-summit.yaml index 889a1ff376..21c2c44c98 100644 --- a/services/portal/values-summit.yaml +++ b/services/portal/values-summit.yaml @@ -1,35 +1,16 @@ -firefly: - pull_secret: 'pull-secret' +portal: + imagePullSecrets: + - name: "pull-secret" ingress: - host: 'summit-lsp.lsst.codes' - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://summit-lsp.lsst.codes/login" - nginx.ingress.kubernetes.io/auth-url: "https://summit-lsp.lsst.codes/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; + host: "summit-lsp.lsst.codes" resources: limits: - memory: 32Gi + memory: "32Gi" - secrets: - enabled: false - - vault_secrets: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/portal - - redis: - resources: - limits: - memory: 20Mi + vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes/portal" pull-secret: enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret + path: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" diff --git a/services/portal/values-tucson-teststand.yaml b/services/portal/values-tucson-teststand.yaml index c30e046e68..8928375b56 100644 --- a/services/portal/values-tucson-teststand.yaml +++ b/services/portal/values-tucson-teststand.yaml 
@@ -1,35 +1,16 @@ -firefly: - pull_secret: 'pull-secret' +portal: + imagePullSecrets: + - name: "pull-secret" ingress: - host: 'tucson-teststand.lsst.codes' - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://tucson-teststand.lsst.codes/login" - nginx.ingress.kubernetes.io/auth-url: "https://tucson-teststand.lsst.codes/auth?scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; + host: "tucson-teststand.lsst.codes" resources: limits: - memory: 32Gi + memory: "32Gi" - secrets: - enabled: false - - vault_secrets: - enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/portal - - redis: - resources: - limits: - memory: 20Mi + vaultSecretsPath: "secret/k8s_operator/tucson-teststand.lsst.codes/portal" pull-secret: enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret + path: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" From 7fc53239e2f4da529fa974f580f37df0b7586ae1 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 10 Mar 2022 17:44:34 -0800 Subject: [PATCH 0061/1479] Update to the new obstap chart This requires changes to the environment-specific values files (and allows deleting some things now handled by the chart). --- services/obstap/Chart.yaml | 2 +- services/obstap/values-idfdev.yaml | 22 +++++------ services/obstap/values-idfint.yaml | 22 +++++------ services/obstap/values-idfprod.yaml | 22 +++++------ services/obstap/values-int.yaml | 56 ++++++++++++++-------------- services/obstap/values-minikube.yaml | 22 +++++------ services/obstap/values-red-five.yaml | 22 +++++------ services/obstap/values-roe.yaml | 17 ++++----- services/obstap/values-stable.yaml | 56 ++++++++++++++-------------- 9 files changed, 114 insertions(+), 127 deletions(-) diff --git a/services/obstap/Chart.yaml b/services/obstap/Chart.yaml index c07bcc16a6..1a5e9672d7 100644 --- a/services/obstap/Chart.yaml +++ b/services/obstap/Chart.yaml @@ -3,7 +3,7 @@ name: obstap version: 1.0.0 dependencies: - name: cadc-tap-postgres - version: ">=0.1.0" + version: 0.2.0 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 diff --git a/services/obstap/values-idfdev.yaml b/services/obstap/values-idfdev.yaml index 66559b5f23..40870bf137 100644 --- a/services/obstap/values-idfdev.yaml +++ b/services/obstap/values-idfdev.yaml 
@@ -1,18 +1,16 @@ cadc-tap-postgres: - pull_secret: 'pull-secret' - tag: "1.1" - host: "data-dev.lsst.cloud" + fullnameOverride: "obstap" - secrets: - enabled: false + imagePullSecrets: + - name: "pull-secret" + ingress: + host: "data-dev.lsst.cloud" + vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/tap" - vault_secrets: - enabled: true - path: 'secret/k8s_operator/data-dev.lsst.cloud/tap' - - gcs_bucket: 'async-results.lsst.codes' - gcs_bucket_url: 'http://async-results.lsst.codes' + config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" pull-secret: enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret + path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" diff --git a/services/obstap/values-idfint.yaml b/services/obstap/values-idfint.yaml index befb9f9557..6ea91a0766 100644 --- a/services/obstap/values-idfint.yaml +++ b/services/obstap/values-idfint.yaml @@ -1,18 +1,16 @@ cadc-tap-postgres: - pull_secret: 'pull-secret' - tag: "1.1" - host: "data-int.lsst.cloud" + fullnameOverride: "obstap" - secrets: - enabled: false + imagePullSecrets: + - name: "pull-secret" + ingress: + host: "data-int.lsst.cloud" + vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/tap" - vault_secrets: - enabled: true - path: 'secret/k8s_operator/data-int.lsst.cloud/tap' - - gcs_bucket: 'async-results.lsst.codes' - gcs_bucket_url: 'http://async-results.lsst.codes' + config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" pull-secret: enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/pull-secret + path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" diff --git a/services/obstap/values-idfprod.yaml b/services/obstap/values-idfprod.yaml index 5d7994882b..8713c4abf4 100644 --- a/services/obstap/values-idfprod.yaml +++ b/services/obstap/values-idfprod.yaml 
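Review bot: `config.gcsBucketUrl: "http://async-results.lsst.codes"` carries the old `gcs_bucket_url` value over unchanged, so async query results are still handed to clients over plain HTTP; if the bucket is reachable over HTTPS, `"https://async-results.lsst.codes"` avoids sending result data in the clear, and if not, a one-line comment saying so would keep the next reviewer from raising it again. This value is only renamed by the commit, not changed, so it may be a deliberate choice. The same line appears in the values-idfint hunk on this line and in the values-idfprod and values-int hunks that follow.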
@@ -1,18 +1,16 @@ cadc-tap-postgres: - pull_secret: 'pull-secret' - tag: "1.1" - host: "data.lsst.cloud" + fullnameOverride: "obstap" - secrets: - enabled: false + imagePullSecrets: + - name: "pull-secret" + ingress: + host: "data.lsst.cloud" + vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/tap" - vault_secrets: - enabled: true - path: 'secret/k8s_operator/data.lsst.cloud/tap' - - gcs_bucket: 'async-results.lsst.codes' - gcs_bucket_url: 'http://async-results.lsst.codes' + config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" pull-secret: enabled: true - path: secret/k8s_operator/data.lsst.cloud/pull-secret + path: "secret/k8s_operator/data.lsst.cloud/pull-secret" diff --git a/services/obstap/values-int.yaml b/services/obstap/values-int.yaml index 277a485009..09984dc612 100644 --- a/services/obstap/values-int.yaml +++ b/services/obstap/values-int.yaml 
@@ -1,42 +1,42 @@ cadc-tap-postgres: - pull_secret: 'pull-secret' - tag: "1.1" - host: "lsst-lsp-int.ncsa.illinois.edu" - - secrets: - enabled: false - - vault_secrets: - enabled: true - path: 'secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/tap' + fullnameOverride: "obstap" + imagePullSecrets: + - name: "pull-secret" ingress: - authenticated_annotations: - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=read:tap&auth_type=basic" - nginx.ingress.kubernetes.io/configuration-snippet: | - auth_request_set $auth_token $upstream_http_x_auth_request_token; - proxy_set_header Authorization "Bearer $auth_token"; + host: "lsst-lsp-int.ncsa.illinois.edu" + vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/tap" resources: requests: cpu: 2.0 - memory: 2G + memory: "2G" limits: cpu: 8.0 - memory: 16G + memory: "16G" - aux_resources: - requests: - cpu: 0.25 - memory: 1G - limits: - cpu: 2.0 - memory: 4G + db: + resources: + requests: + cpu: 0.25 + memory: "1G" + limits: + cpu: 2.0 + memory: "4G" + + uws: + resources: + requests: + cpu: 0.25 + memory: "1G" + limits: + cpu: 2.0 + memory: "4G" - gcs_bucket: 'async-results.lsst.codes' - gcs_bucket_url: 'http://async-results.lsst.codes' + config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" pull-secret: enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret + path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" diff --git a/services/obstap/values-minikube.yaml b/services/obstap/values-minikube.yaml index 0488f65eab..fff2b57958 100644 --- a/services/obstap/values-minikube.yaml +++ b/services/obstap/values-minikube.yaml 
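Review bot: The removed `authenticated_annotations` block carried the only visible ingress authentication configuration for this deployment (the nginx `auth-url` pointing at `/auth?scope=read:tap` and the Authorization header rewrite), and the new side adds nothing in its place beyond `ingress.host` and `vaultSecretsPath`. Presumably the 0.2.0 chart now renders those annotations itself; that should be confirmed against the rendered Ingress before this lands on int, since otherwise the TAP endpoint loses its authentication gate silently. The stable values file in this commit contains the identical removal.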
@@ -1,18 +1,16 @@ cadc-tap-postgres: - pull_secret: 'pull-secret' - tag: "1.1" - host: "minikube.lsst.codes" + fullnameOverride: "obstap" - secrets: - enabled: false + imagePullSecret: + - name: "pull-secret" + ingress: + host: "minikube.lsst.codes" + vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/tap" - vault_secrets: - enabled: true - path: 'secret/k8s_operator/minikube.lsst.codes/tap' - - gcs_bucket: 'async-results.lsst.codes' - gcs_bucket_url: 'http://async-results.lsst.codes' + config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" pull-secret: enabled: true - path: secret/k8s_operator/minikube.lsst.codes/pull-secret + path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" diff --git a/services/obstap/values-red-five.yaml b/services/obstap/values-red-five.yaml index 5c17bf4dd1..37d6f5dbcf 100644 --- a/services/obstap/values-red-five.yaml +++ b/services/obstap/values-red-five.yaml @@ -1,18 +1,16 @@ cadc-tap-postgres: - pull_secret: 'pull-secret' - tag: "1.1" - host: "red-five.lsst.codes" + fullnameOverride: "obstap" - secrets: - enabled: false + imagePullSecrets: + - name: "pull-secret" + ingress: + host: "red-five.lsst.codes" + vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/tap" - vault_secrets: - enabled: true - path: 'secret/k8s_operator/red-five.lsst.codes/tap' - - gcs_bucket: 'async-results.lsst.codes' - gcs_bucket_url: 'http://async-results.lsst.codes' + config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" pull-secret: enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret + path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" diff --git a/services/obstap/values-roe.yaml b/services/obstap/values-roe.yaml index cac61a205c..16f1c99e69 100644 --- a/services/obstap/values-roe.yaml +++ b/services/obstap/values-roe.yaml 
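Review bot: The minikube values use `imagePullSecret:` (singular) where every other environment file in this commit uses `imagePullSecrets:`, so the chart will most likely ignore this key and the `pull-secret` will never be attached to the pod. Change the line to `imagePullSecrets:`; the nested `- name: "pull-secret"` item is already in the shape the other files use.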
@@ -1,15 +1,12 @@ cadc-tap-postgres: - pull_secret: 'pull-secret' - tag: "1.1" - host: "rsp.lsst.ac.uk" + fullnameOverride: "obstap" - secrets: - enabled: false - - vault_secrets: - enabled: true - path: 'secret/k8s_operator/roe/tap' + imagePullSecrets: + - name: "pull-secret" + ingress: + host: "rsp.lsst.ac.uk" + vaultSecretsPath: "secret/k8s_operator/roe/tap" pull-secret: enabled: true - path: secret/k8s_operator/roe/pull-secret + path: "secret/k8s_operator/roe/pull-secret" diff --git a/services/obstap/values-stable.yaml b/services/obstap/values-stable.yaml index ffb30de8c5..702d3f3f85 100644 --- a/services/obstap/values-stable.yaml +++ b/services/obstap/values-stable.yaml 
@@ -1,42 +1,42 @@ cadc-tap-postgres: - pull_secret: 'pull-secret' - tag: "1.1" - host: "lsst-lsp-stable.ncsa.illinois.edu" - - secrets: - enabled: false - - vault_secrets: - enabled: true - path: 'secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/tap' + fullnameOverride: "obstap" + imagePullSecrets: + - name: "pull-secret" ingress: - authenticated_annotations: - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=read:tap&auth_type=basic" - nginx.ingress.kubernetes.io/configuration-snippet: | - auth_request_set $auth_token $upstream_http_x_auth_request_token; - proxy_set_header Authorization "Bearer $auth_token"; + host: "lsst-lsp-stable.ncsa.illinois.edu" + vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/tap" resources: requests: cpu: 2.0 - memory: 2G + memory: "2G" limits: cpu: 8.0 - memory: 16G + memory: "16G" - aux_resources: - requests: - cpu: 0.25 - memory: 1G - limits: - cpu: 2.0 - memory: 4G + db: + resources: + requests: + cpu: 0.25 + memory: "1G" + limits: + cpu: 2.0 + memory: "4G" + + uws: + resources: + requests: + cpu: 0.25 + memory: "1G" + limits: + cpu: 2.0 + memory: "4G" - gcs_bucket: 'async-results.lsst.codes' - gcs_bucket_url: 'http://async-results.lsst.codes' + config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" pull-secret: enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret + path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" From 11204011d57b71da11fc709723ba2ec65646f36c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 10 Mar 2022 17:47:57 -0800 Subject: [PATCH 0062/1479] Bump version of tap chart Picks up a very minor fix. --- services/tap/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml index 6533eb0136..44759cd33f 100644 --- a/services/tap/Chart.yaml +++ b/services/tap/Chart.yaml @@ -3,7 +3,7 @@ name: tap version: 1.0.0 dependencies: - name: cadc-tap - version: 1.0.5 + version: 1.0.6 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From 5ddf879df464a73ef67c19f48051ddb9ac4da76a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 10 Mar 2022 18:07:56 -0800 Subject: [PATCH 0063/1479] Bump version of obstap chart Pick up some fixes. --- services/obstap/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/obstap/Chart.yaml b/services/obstap/Chart.yaml index 1a5e9672d7..f1973188d9 100644 --- a/services/obstap/Chart.yaml +++ b/services/obstap/Chart.yaml @@ -3,7 +3,7 @@ name: obstap version: 1.0.0 dependencies: - name: cadc-tap-postgres - version: 0.2.0 + version: 0.2.1 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From 54885cac59185b9bd1e59d94c63668c3276928cf Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 10 Mar 2022 18:28:32 -0800 Subject: [PATCH 0064/1479] Bump obstap chart version Pick up more fixes. --- services/obstap/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/obstap/Chart.yaml b/services/obstap/Chart.yaml index f1973188d9..107ca0f4c3 100644 --- a/services/obstap/Chart.yaml +++ b/services/obstap/Chart.yaml @@ -3,7 +3,7 @@ name: obstap version: 1.0.0 dependencies: - name: cadc-tap-postgres - version: 0.2.1 + version: 0.2.2 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From 76916808374ad70180bfdc67c3a7c1355049eb7b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 14 Mar 2022 05:46:51 +0000 Subject: [PATCH 0065/1479] Update Helm release vo-cutouts to v0.3.3 --- services/vo-cutouts/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index d94e651826..1eb1a6249d 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml @@ -3,7 +3,7 @@ name: vo-cutouts version: 1.0.0 dependencies: - name: vo-cutouts - version: 0.3.2 + version: 0.3.3 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From af5cf4f1ea85d08b955f68f61b350eede17b5ee1 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 14 Mar 2022 18:39:51 +0000 Subject: [PATCH 0066/1479] Update Helm release gafaelfawr to v4.6.1 --- services/gafaelfawr/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 02fef38ea3..e00d9766f3 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -3,7 +3,7 @@ name: gafaelfawr version: 1.0.0 dependencies: - name: gafaelfawr - version: 4.6.0 + version: 4.6.1 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From dc1ca6d003bdf543f5352287dbf4788c245c88bf Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 14 Mar 2022 18:50:21 +0000 Subject: [PATCH 0067/1479] Update Helm release argo-cd to v3.35.4 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 975a346270..ec210ba3c7 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 3.35.2 + version: 3.35.4 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From b5bc50b7632291b6980d5d8ef34251417c75e527 Mon Sep 17 00:00:00 2001 
From: adam Date: Tue, 15 Mar 2022 09:44:39 -0700 Subject: [PATCH 0068/1479] Add Google app credentials/butler index --- services/nublado2/values-idfdev.yaml | 2 ++ services/nublado2/values-idfint.yaml | 2 ++ services/nublado2/values-idfprod.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index 5e170a21a1..a9395fa68a 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -19,6 +19,8 @@ nublado2: PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" S3_ENDPOINT_URL: "https://storage.googleapis.com" + GOOGLE_APPLICATION_CREDENTIALS: "/opt/lsst/software/jupyterlab/butler-secret/butler-gcs-idf-creds.json" + DAF_BUTLER_REPOSITORY_INDEX: "s3://butler-us-central1-repo-locations/data-int-repos.yaml" AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks AUTO_REPO_BRANCH: prod AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod diff --git a/services/nublado2/values-idfint.yaml b/services/nublado2/values-idfint.yaml index ff10daaf2b..7d10cbadea 100644 --- a/services/nublado2/values-idfint.yaml +++ b/services/nublado2/values-idfint.yaml 
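Review bot: `DAF_BUTLER_REPOSITORY_INDEX` for data-dev points at `data-int-repos.yaml`, the same index the data-int values file in this commit uses, while the data values file points at `data-repos.yaml`. If data-dev is deliberately reusing the int repository index, a comment such as `# Intentionally shares the data-int repository index.` above the key would keep it from being "corrected" later; if not, a dev-specific index should be used. The idfprod hunk also inserts the two new keys before `S3_ENDPOINT_URL` whereas the other two insert them after it — harmless for environment variables, but worth aligning for diffability.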
@@ -18,6 +18,8 @@ nublado2: PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" S3_ENDPOINT_URL: "https://storage.googleapis.com" + GOOGLE_APPLICATION_CREDENTIALS: "/opt/lsst/software/jupyterlab/butler-secret/butler-gcs-idf-creds.json" + DAF_BUTLER_REPOSITORY_INDEX: "s3://butler-us-central1-repo-locations/data-int-repos.yaml" AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks AUTO_REPO_BRANCH: prod AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index e955cb9bee..eaeb96eba4 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml @@ -17,6 +17,8 @@ nublado2: lab_environment: PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" + GOOGLE_APPLICATION_CREDENTIALS: "/opt/lsst/software/jupyterlab/butler-secret/butler-gcs-idf-creds.json" + DAF_BUTLER_REPOSITORY_INDEX: "s3://butler-us-central1-repo-locations/data-repos.yaml" S3_ENDPOINT_URL: "https://storage.googleapis.com" AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks AUTO_REPO_BRANCH: prod From d1617bf41fc36bce208c4b056b93b0fb33e6a276 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 10 Mar 2022 11:21:25 -0700 Subject: [PATCH 0069/1479] Add values for ncsa int - Use local-path storageClass for the NCSA int environment --- services/sasquatch/values-int.yaml | 43 ++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 services/sasquatch/values-int.yaml 
diff --git a/services/sasquatch/values-int.yaml b/services/sasquatch/values-int.yaml new file mode 100644 index 0000000000..32d19e1293 --- /dev/null +++ b/services/sasquatch/values-int.yaml @@ -0,0 +1,43 @@ +strimzi-kafka: + kafka: + storage: + storageClassName: local-path + zookeeper: + storage: + storageClassName: local-path + +influxdb: + persistence: + storageClass: local-path + ingress: + enabled: true + hostname: lsst-lsp-int.ncsa.illinois.edu + +kafka-connect-manager: + influxdbSink: + influxdb-sink: + enabled: true + +chronograf: + persistence: + storageClass: local-path + ingress: + enabled: true + hostname: lsst-lsp-int.ncsa.illinois.edu + env: + GENERIC_NAME: "OIDC" + GENERIC_AUTH_URL: https://lsst-lsp-int.ncsa.illinois.edu/auth/openid/login + GENERIC_TOKEN_URL: https://lsst-lsp-int.ncsa.illinois.edu/auth/openid/token + USE_ID_TOKEN: 1 + JWKS_URL: https://lsst-lsp-int.ncsa.illinois.edu/.well-known/jwks.json + GENERIC_API_URL: https://lsst-lsp-int.ncsa.illinois.edu/auth/userinfo + GENERIC_SCOPES: openid + GENERIC_API_KEY: sub + PUBLIC_URL: https://lsst-lsp-int.ncsa.illinois.edu + STATUS_FEED_URL: https://lsst-sqre.github.io/sasquatch/feeds/int.json + +kapacitor: + persistence: + storageClass: local-path + +vaultSecretsPath: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu From 4d24cb893059f1dfd070951e953394890aa09c2e Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 10 Mar 2022 11:29:16 -0700 Subject: [PATCH 0070/1479] Use custom strimzi-kafka image - Custom strimzi-kafka image with connector plugins used by sasquatch. --- services/sasquatch/charts/strimzi-kafka/templates/connect.yaml | 2 +- services/sasquatch/charts/strimzi-kafka/values.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml index 40dd1c18df..841538028a 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml 
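Review bot: `USE_ID_TOKEN: 1` is an unquoted integer inside a map of environment variables, and quoting in the `env` block is otherwise inconsistent (`GENERIC_NAME: "OIDC"` quoted, every other value plain); environment variable values must reach the container as strings, so write `USE_ID_TOKEN: "1"` and quote the remaining values the same way. The OAuth client ID and secret for this Chronograf OIDC login are not visible here, so presumably they come from the secret under `vaultSecretsPath`; a short comment naming that source would help a reviewer check that the client registration matches what the Gafaelfawr OIDC server will accept. The stable values file added later in this series has the same structure and the same quoting issue.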
+++ b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml @@ -6,7 +6,7 @@ metadata: # Use Connect REST API to configure connectors strimzi.io/use-connector-resources: "false" spec: - version: {{ .Values.kafka.version | quote }} + image: {{ .Values.connect.image | quote }} replicas: {{ .Values.connect.replicas }} bootstrapServers: {{ .Values.cluster.name }}-kafka-bootstrap:9093 tls: diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index b805b6cab3..a0d3428c93 100644 --- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml @@ -32,6 +32,8 @@ zookeeper: storageClassName: "" connect: + # -- Custom strimzi-kafka image with connector plugins used by sasquatch. + image: lsstsqre/strimzi-0.27.1-kafka-3.0.0:master # -- Number of Kafka Connect replicas to run. replicas: 1 From 4b89e4e6b0c6d9cf7761c964e02f8644f1bfa25a Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 14 Mar 2022 08:27:44 -0700 Subject: [PATCH 0071/1479] Enable OIDC server in Gafaelfawr - Enable OIDC server in Gafaelfawr to support Chronograf authentication via OIDC --- services/gafaelfawr/values-int.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/gafaelfawr/values-int.yaml b/services/gafaelfawr/values-int.yaml index 7b5e57347a..16b7b8f33c 100644 --- a/services/gafaelfawr/values-int.yaml +++ b/services/gafaelfawr/values-int.yaml @@ -19,6 +19,10 @@ gafaelfawr: proxies: - "141.142.181.0/24" + # Support OpenID Connect clients like Chronograf. + oidcServer: + enabled: true + # Use CILogon authentication. cilogon: clientId: "cilogon:/client_id/6ca7b54ac075b65bccb9c885f9ba4a75" From d4d641ec334d3b973c146a72fc3e5a0b4a506fab Mon Sep 17 00:00:00 2001 
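Review bot: `image: lsstsqre/strimzi-0.27.1-kafka-3.0.0:master` in values.yaml pins the Kafka Connect image to a mutable `master` tag, so a rebuild of that tag changes the connector plugin code running in every environment without any change in this repository, and a rollback of this chart does not restore the previous image. Pin an immutable release tag or an `@sha256:` digest instead, and keep the Strimzi and Kafka versions embedded in the image name in step with `kafka.version`. The companion connect.yaml hunk drops `spec.version` from the KafkaConnect resource in favour of this image; whether Strimzi still expects `version` alongside a custom `image` cannot be determined from this diff and is worth checking against the operator documentation.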
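Review bot: Enabling `oidcServer` in the gafaelfawr values-int hunk turns this Gafaelfawr instance into an identity provider for other services, but nothing in the file shows which clients (client IDs, redirect URIs) will be accepted, so a reader cannot tell the trust boundary from the values alone. A comment such as `# Registered OIDC clients are configured in the Gafaelfawr Vault secret, not here.` next to the existing `# Support OpenID Connect clients like Chronograf.` line would point at the right place, assuming that is where the client list lives. The stable values file later in this series makes the same change and would benefit from the same comment.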
From: Angelo Fausti Date: Mon, 14 Mar 2022 11:50:47 -0700 Subject: [PATCH 0072/1479] Enable strimzi and sasquatch services on int - Strimzi is the operator do deploy the Kafka cluster defined in sasquatch --- science-platform/values-int.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index d1932c7e67..ffbb980640 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -37,7 +37,7 @@ portal: postgres: enabled: true sasquatch: - enabled: false + enabled: true semaphore: enabled: false sherlock: @@ -47,7 +47,7 @@ squareone: squash_api: enabled: false strimzi: - enabled: false + enabled: true strimzi_registry_operator: enabled: false tap: From df573a952bd34a560fb6141cf3b28fd09b192aa0 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 14 Mar 2022 12:32:45 -0700 Subject: [PATCH 0073/1479] Add values for strimzi - Watch the sasquatch namespace on int - Enable debug logs on int for now - Move idfint specific configuration to values-idfint.yaml and remove values.yaml --- services/strimzi/values-idfint.yaml | 5 ++++- services/strimzi/values-int.yaml | 4 ++++ services/strimzi/values.yaml | 4 ---- 3 files changed, 8 insertions(+), 5 deletions(-) create mode 100644 services/strimzi/values-int.yaml delete mode 100644 services/strimzi/values.yaml diff --git a/services/strimzi/values-idfint.yaml b/services/strimzi/values-idfint.yaml index a12314beaa..0d90ffd616 100644 --- a/services/strimzi/values-idfint.yaml +++ b/services/strimzi/values-idfint.yaml @@ -1 +1,4 @@ -# This file intentionally blank - no customization needed +strimzi-kafka-operator: + watchNamespaces: + - "alert-stream-broker" + logLevel: "INFO" diff --git a/services/strimzi/values-int.yaml b/services/strimzi/values-int.yaml new file mode 100644 index 0000000000..e4cd2e47e1 --- /dev/null +++ b/services/strimzi/values-int.yaml 
@@ -0,0 +1,4 @@ +strimzi-kafka-operator: + watchNamespaces: + - "sasquatch" + logLevel: "DEBUG" diff --git a/services/strimzi/values.yaml b/services/strimzi/values.yaml deleted file mode 100644 index 0d90ffd616..0000000000 --- a/services/strimzi/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -strimzi-kafka-operator: - watchNamespaces: - - "alert-stream-broker" - logLevel: "INFO" From 85cf99d0f85b59173305d910b89679c7e840d833 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 17 Mar 2022 00:14:55 +0000 Subject: [PATCH 0074/1479] Update Helm release kapacitor to v1.4.4 --- services/sasquatch/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 7f9896076b..94240a7674 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -17,7 +17,7 @@ dependencies: version: 1.2.3 repository: https://helm.influxdata.com/ - name: kapacitor - version: 1.4.3 + version: 1.4.4 repository: https://helm.influxdata.com/ - name: telegraf version: 1.8.14 From f603fce9bf792cc7810c7f49628c22a3146ac305 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 16 Mar 2022 17:10:49 -0700 Subject: [PATCH 0075/1479] Add values for ncsa stable - Use local-path storageClass for the ncsa stable environment --- services/sasquatch/values-stable.yaml | 43 +++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 services/sasquatch/values-stable.yaml diff --git a/services/sasquatch/values-stable.yaml b/services/sasquatch/values-stable.yaml new file mode 100644 index 0000000000..7f7a49250b --- /dev/null +++ b/services/sasquatch/values-stable.yaml 
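Review bot: `logLevel: "DEBUG"` for the Strimzi operator on int is described in the commit message as temporary, but nothing in the file records that, so it will persist indefinitely; operator debug logs are verbose and can include the contents of reconciled resources. Add a reminder above it, e.g. `# TODO: temporary while bringing up sasquatch; revert to "INFO".`, and do the same in the identical values-stable.yaml added later in this series, whose commit description still says "on int". Restricting `watchNamespaces` to `sasquatch` is the right scope and should stay that narrow.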
@@ -0,0 +1,43 @@ +strimzi-kafka: + kafka: + storage: + storageClassName: local-path + zookeeper: + storage: + storageClassName: local-path + +influxdb: + persistence: + storageClass: local-path + ingress: + enabled: true + hostname: lsst-lsp-stable.ncsa.illinois.edu + +kafka-connect-manager: + influxdbSink: + influxdb-sink: + enabled: true + +chronograf: + persistence: + storageClass: local-path + ingress: + enabled: true + hostname: lsst-lsp-stable.ncsa.illinois.edu + env: + GENERIC_NAME: "OIDC" + GENERIC_AUTH_URL: https://lsst-lsp-stable.ncsa.illinois.edu/auth/openid/login + GENERIC_TOKEN_URL: https://lsst-lsp-stable.ncsa.illinois.edu/auth/openid/token + USE_ID_TOKEN: 1 + JWKS_URL: https://lsst-lsp-stable.ncsa.illinois.edu/.well-known/jwks.json + GENERIC_API_URL: https://lsst-lsp-stable.ncsa.illinois.edu/auth/userinfo + GENERIC_SCOPES: openid + GENERIC_API_KEY: sub + PUBLIC_URL: https://lsst-lsp-stable.ncsa.illinois.edu + STATUS_FEED_URL: https://lsst-sqre.github.io/sasquatch/feeds/stable.json + +kapacitor: + persistence: + storageClass: local-path + +vaultSecretsPath: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu From e1130359523d53046eb69bdcc6662ff686e6cba3 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 16 Mar 2022 17:15:02 -0700 Subject: [PATCH 0076/1479] Enable OIDC server in Gafaelfawr - Enable OIDC server in Gafaelfawr to support Chronograf authentication via OIDC --- services/gafaelfawr/values-stable.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/gafaelfawr/values-stable.yaml b/services/gafaelfawr/values-stable.yaml index 9c19d82f9f..9eae1c8b91 100644 --- a/services/gafaelfawr/values-stable.yaml +++ b/services/gafaelfawr/values-stable.yaml @@ -21,6 +21,10 @@ gafaelfawr: proxies: - "41.142.182.128/26" + # Support OpenID Connect clients like Chronograf. + oidcServer: + enabled: true + # Use CILogon authentication. cilogon: clientId: "cilogon:/client_id/7ae419868b97e81644ced9886ffbcec" 
From 421ad1538fc951b4143819c771d4ffeb6f6a9f63 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 16 Mar 2022 17:18:25 -0700 Subject: [PATCH 0077/1479] Enable strimzi and sasquatch services on stable - Strimzi is the operator to deploy the Kafka cluster defined in sasquatch --- science-platform/values-stable.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 585f224d84..5c6c120791 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml @@ -37,7 +37,7 @@ portal: postgres: enabled: true sasquatch: - enabled: false + enabled: true semaphore: enabled: false sherlock: @@ -47,7 +47,7 @@ squareone: squash_api: enabled: false strimzi: - enabled: false + enabled: true strimzi_registry_operator: enabled: false tap: From d415e3cb8d0108ddcdf679c49fc7a2849a2525b5 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 16 Mar 2022 17:20:13 -0700 Subject: [PATCH 0078/1479] Add values for strimzi - Watch the sasquatch namespace on int - Enable debug logs on int for now --- services/strimzi/values-stable.yaml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 services/strimzi/values-stable.yaml diff --git a/services/strimzi/values-stable.yaml b/services/strimzi/values-stable.yaml new file mode 100644 index 0000000000..e4cd2e47e1 --- /dev/null +++ b/services/strimzi/values-stable.yaml @@ -0,0 +1,4 @@ +strimzi-kafka-operator: + watchNamespaces: + - "sasquatch" + logLevel: "DEBUG" From b51b72b050271dd13295e9340452cf7c0d4bb7e1 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 21 Mar 2022 03:50:32 +0000 Subject: [PATCH 0079/1479] Update Helm release argo-cd to v4 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index ec210ba3c7..e41e310d9a 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml 
@@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 3.35.4 + version: 4.2.1 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From a269cf8aef7faebc6baa4b7f49b8a94054b6638c Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 21 Mar 2022 18:08:28 +0000 Subject: [PATCH 0080/1479] Update helm/chart-testing-action action to v2.2.1 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 72adcf926b..b5560c7c99 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -39,7 +39,7 @@ jobs: run: tests/expand-services - name: Set up chart-testing - uses: helm/chart-testing-action@v2.2.0 + uses: helm/chart-testing-action@v2.2.1 - name: Run chart-testing (lint) run: ct lint --all --config ct.yaml From 73303e0ac60e1b7e61fbefea148c502ebbdfa57f Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 21 Mar 2022 17:42:59 -0700 Subject: [PATCH 0081/1479] Move Gafaelfawr chart into Phalanx Following RFC-830, move the gafaelfawr chart from the separate charts repository to Phalanx. Use the same README.md template that sasquatch is using. Drop a bunch of configuration options that aren't necessary now that the scope of the chart is much smaller and were never used. Directly create the pull-secret rather than including a chart. --- .../templates/gafaelfawr-application.yaml | 32 +- services/gafaelfawr/Chart.yaml | 10 +- services/gafaelfawr/README.md | 78 +++++ services/gafaelfawr/README.md.gotmpl | 9 + services/gafaelfawr/crds/service-token.yaml | 155 ++++++++++ services/gafaelfawr/templates/_helpers.tpl | 52 ++++ services/gafaelfawr/templates/configmap.yaml | 140 +++++++++ .../templates/deployment-tokens.yaml | 96 ++++++ services/gafaelfawr/templates/deployment.yaml | 111 +++++++ .../gafaelfawr/templates/ingress-rewrite.yaml | 25 ++ services/gafaelfawr/templates/ingress.yaml | 60 ++++ .../gafaelfawr/templates/networkpolicy.yaml | 25 ++ .../templates/redis-networkpolicy.yaml | 30 ++ .../gafaelfawr/templates/redis-service.yml | 16 + .../templates/redis-statefulset.yaml | 107 +++++++ services/gafaelfawr/templates/service.yaml | 16 + .../templates/serviceaccount-tokens.yaml | 39 +++ .../gafaelfawr/templates/serviceaccount.yaml | 12 + .../gafaelfawr/templates/vault-secret.yaml | 19 ++ services/gafaelfawr/values-base.yaml | 88 +++--- services/gafaelfawr/values-idfdev.yaml | 106 +++---- services/gafaelfawr/values-idfint.yaml | 121 ++++---- services/gafaelfawr/values-idfprod.yaml | 135 ++++----- services/gafaelfawr/values-int.yaml | 94 +++--- services/gafaelfawr/values-minikube.yaml | 72 ++--- services/gafaelfawr/values-red-five.yaml | 68 ++--- services/gafaelfawr/values-roe.yaml | 72 ++--- .../gafaelfawr/values-squash-sandbox.yaml | 80 +++-- services/gafaelfawr/values-stable.yaml | 96 +++--- services/gafaelfawr/values-summit.yaml | 90 +++--- 
.../gafaelfawr/values-tucson-teststand.yaml | 90 +++--- services/gafaelfawr/values.yaml | 280 ++++++++++++++++++ 32 files changed, 1776 insertions(+), 648 deletions(-) create mode 100644 services/gafaelfawr/README.md create mode 100644 services/gafaelfawr/README.md.gotmpl create mode 100644 services/gafaelfawr/crds/service-token.yaml create mode 100644 services/gafaelfawr/templates/_helpers.tpl create mode 100644 services/gafaelfawr/templates/configmap.yaml create mode 100644 services/gafaelfawr/templates/deployment-tokens.yaml create mode 100644 services/gafaelfawr/templates/deployment.yaml create mode 100644 services/gafaelfawr/templates/ingress-rewrite.yaml create mode 100644 services/gafaelfawr/templates/ingress.yaml create mode 100644 services/gafaelfawr/templates/networkpolicy.yaml create mode 100644 services/gafaelfawr/templates/redis-networkpolicy.yaml create mode 100644 services/gafaelfawr/templates/redis-service.yml create mode 100644 services/gafaelfawr/templates/redis-statefulset.yaml create mode 100644 services/gafaelfawr/templates/service.yaml create mode 100644 services/gafaelfawr/templates/serviceaccount-tokens.yaml create mode 100644 services/gafaelfawr/templates/serviceaccount.yaml create mode 100644 services/gafaelfawr/templates/vault-secret.yaml create mode 100644 services/gafaelfawr/values.yaml diff --git a/science-platform/templates/gafaelfawr-application.yaml b/science-platform/templates/gafaelfawr-application.yaml index 257015fc6c..1b8dab545e 100644 --- a/science-platform/templates/gafaelfawr-application.yaml +++ b/science-platform/templates/gafaelfawr-application.yaml 
@@ -2,28 +2,36 @@ apiVersion: v1 kind: Namespace metadata: - name: gafaelfawr + name: "gafaelfawr" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: gafaelfawr - namespace: argocd + name: "gafaelfawr" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: gafaelfawr - server: https://kubernetes.default.svc - project: default + namespace: "gafaelfawr" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/gafaelfawr - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/gafaelfawr" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: + parameters: + - name: "globals.host" + value: {{ .Values.fqdn | quote }} + - name: "globals.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "globals.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index e00d9766f3..e1bb651988 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -1,10 +1,6 @@ apiVersion: v2 name: gafaelfawr version: 1.0.0 -dependencies: - - name: gafaelfawr - version: 4.6.1 - repository: https://lsst-sqre.github.io/charts/ - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ +description: Science Platform authentication and authorization system +home: https://gafaelfawr.lsst.io/ +appVersion: 3.6.0 diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md new file mode 100644 index 0000000000..159f5c607b --- /dev/null +++ b/services/gafaelfawr/README.md 
@@ -0,0 +1,78 @@ +# gafaelfawr + +Science Platform authentication and authorization system + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the Gafaelfawr frontend pod | +| cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | +| cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | +| cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | +| cloudsql.image.tag | string | `"1.29.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | +| cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `gafaelfawr` and `gafaelfawr-tokens` Kubernetes service accounts and has the `cloudsql.client` role | +| config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. | +| config.cilogon.loginParams | object | `{"skin":"LSST"}` | Additional parameters to add | +| config.cilogon.redirectUrl | string | `/login` at the value of config.host | Return URL given to CILogon (must match the CILogon configuration) | +| config.cilogon.test | bool | `false` | Whether to use the test instance of CILogon | +| config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | +| config.errorFooter | string | `""` | HTML footer to add to any login error page (inside a

tag). | +| config.github.clientId | string | `""` | GitHub client ID. One and only one of this, `config.cilogon.clientId`, or `config.oidc.clientId` must be set. | +| config.groupMapping | object | `{}` | Defines a mapping of scopes to groups that provide that scope. Tokens from an OpenID Connect provider such as CILogon that include groups in an `isMemberOf` claim will be granted scopes based on this mapping. | +| config.initialAdmins | list | `[]` | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. | +| config.issuer.expMinutes | int | `43200` (30 days) | Session length and token expiration (in minutes) | +| config.issuer.influxdb.enabled | bool | `false` | Whether to issue tokens for InfluxDB. If set to true, `influxdb-secret` must be set in the Gafaelfawr secret. | +| config.issuer.influxdb.username | string | `""` | If set, force all InfluxDB tokens to have that username instead of the authenticated identity of the user requesting a token | +| config.knownScopes | object | See the `values.yaml` file | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. | +| config.ldap.baseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups | +| config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. 
| +| config.ldap.groupObjectClass | string | `"posixGroup"` | Object class containing group information | +| config.ldap.uidAttr | string | `"uidNumber"` | Attribute containing the user's UID number (only used if uidBaseDn is set) | +| config.ldap.uidBaseDn | string | Get the UID number from the upstream authentication provider | Base DN for the LDAP search to find a user's UID number | +| config.ldap.url | string | Do not use LDAP | LDAP server URL from which to retrieve user group information | +| config.loglevel | string | `"INFO"` | Choose from the text form of Python logging levels | +| config.oidc.audience | string | Value of `config.oidc.clientId` | Audience for the JWT token | +| config.oidc.clientId | string | `""` | Client ID for generic OpenID Connect support. One and only one of this, `config.cilogon.clientId`, or `config.github.clientId` must be set. | +| config.oidc.issuer | string | None, must be set | Issuer for the JWT token | +| config.oidc.loginParams | object | `{}` | Additional parameters to add to the login request | +| config.oidc.loginUrl | string | None, must be set | URL to which to redirect the user for authorization | +| config.oidc.scopes | list | `["openid"]` | Scopes to request from the OpenID Connect provider | +| config.oidc.tokenUrl | string | None, must be set | URL from which to retrieve the token for the user | +| config.oidcServer.enabled | bool | `false` | Whether to support OpenID Connect clients. If set to true, `oidc-server-secrets` must be set in the Gafaelfawr secret. 
| +| config.proxies | list | [`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`] | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| globals.baseUrl | string | Set by Argo CD | Base URL for the environment | +| globals.host | string | Set by Argo CD | Host name for ingress | +| globals.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Gafaelfawr image | +| image.repository | string | `"lsstsqre/gafaelfawr"` | Gafaelfawr image to use | +| image.tag | string | The appVersion of the chart | Tag of Gafaelfawr image to use | +| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the Gafaelfawr frontend pod | +| podAnnotations | object | `{}` | Annotations for the Gafaelfawr frontend pod | +| redis.affinity | object | `{}` | Affinity rules for the Redis pod | +| redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | +| redis.image.repository | string | `"redis"` | Redis image to use | +| redis.image.tag | string | `"6.2.6"` | Redis image tag to use | +| redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | +| redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | +| redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. 
| +| redis.persistence.size | string | `"1Gi"` | Amount of persistent storage to request | +| redis.persistence.storageClass | string | `""` | Class of storage to request | +| redis.persistence.volumeClaimName | string | `""` | Use an existing PVC, not dynamic provisioning. If this is set, the size, storageClass, and accessMode settings are ignored. | +| redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | +| redis.tolerations | list | `[]` | Tolerations for the Redis pod | +| replicaCount | int | `1` | Number of web frontend pods to start | +| resources | object | `{}` | Resource limits and requests for the Gafaelfawr frontend pod | +| tokens.affinity | object | `{}` | Affinity rules for the token management pod | +| tokens.nodeSelector | object | `{}` | Node selection rules for the token management pod | +| tokens.podAnnotations | object | `{}` | Annotations for the token management pod | +| tokens.resources | object | `{}` | Resource limits and requests for the Gafaelfawr token management pod | +| tokens.tolerations | list | `[]` | Tolerations for the token management pod | +| tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/gafaelfawr/README.md.gotmpl b/services/gafaelfawr/README.md.gotmpl new file mode 100644 index 0000000000..4531459bbb --- /dev/null +++ b/services/gafaelfawr/README.md.gotmpl @@ -0,0 +1,9 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/gafaelfawr/crds/service-token.yaml b/services/gafaelfawr/crds/service-token.yaml new file mode 100644 index 0000000000..8db2835515 --- /dev/null +++ b/services/gafaelfawr/crds/service-token.yaml 
@@ -0,0 +1,155 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: gafaelfawrservicetokens.gafaelfawr.lsst.io + labels: + app.kubernetes.io/name: gafaelfawr.lsst.io + app.kubernetes.io/part-of: gafaelfawr + annotations: + helm.sh/hook: crd-install +spec: + group: gafaelfawr.lsst.io + scope: Namespaced + names: + plural: gafaelfawrservicetokens + singular: gafaelfawrservicetoken + kind: GafaelfawrServiceToken + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - description: "Service for which to create a token" + jsonPath: ".spec.service" + name: "Service" + type: string + - description: "If the secret was created/updated successfully" + jsonPath: >- + .status.conditions[?(@.type=="SecretCreated")].status + name: "Succeeded" + type: string + - description: "Reason for the current status" + jsonPath: >- + .status.conditions[?(@.type=="SecretCreated")].reason + name: "Reason" + type: string + - description: "More information about the current status" + jsonPath: >- + .status.conditions[?(@.type=="SecretCreated")].message + name: "Message" + type: string + - description: "Time when the condition was last updated" + jsonPath: >- + .status.conditions[?(@.type=="SecretCreated")].lastTransitionTime + name: "Last Transition" + type: date + - description: "Time when the GafaelfawrServiceToken was created" + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + schema: + openAPIV3Schema: + description: >- + GafaelfawrServiceTokenSpec defines the desired state of the + GafaelfawrServiceToken. + type: object + properties: + spec: + type: object + description: "Specification of the token secret to create." + properties: + service: + type: string + description: "Username field of the service token." + scopes: + type: array + description: >- + Array of scopes that should be granted to the service + token. 
+ items: + type: string + pattern: "^[a-zA-Z0-9:._-]+$" + status: + type: object + description: >- + GafaelfawrServiceTokenStatus defines the observed state of the + GafaelfawrServiceToken. + properties: + conditions: + type: array + description: >- + Condition contains details for one aspect of the current + state of this API Resource. SecretCreated is the only + known .status.conditions.type value. + items: + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + type: string + format: date-time + description: > + lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field + changed is acceptable. + message: + type: string + description: > + message is a human readable message indicating + details about the transition. This may be an empty + string. + maxLength: 32768 + observedGeneration: + description: > + observedGeneration represents the + .metadata.generation that the condition was set + based upon. For instance, if .metadata.generation is + currently 12, but the + .status.conditions[x].observedGeneration is 9, the + condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + type: string + description: > + reason contains a programmatic identifier indicating + the reason for the condition's last + transition. Producers of specific condition types + may define expected values and meanings for this + field, and whether the values are considered a + guaranteed API. The value should be a CamelCase + string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + status: + type: string + description: > + status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - "Unknown" + type: + type: string + description: > + type of condition in CamelCase or in + foo.example.com/CamelCase. Many .condition.type + values are consistent across resources like + Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to + deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" diff --git a/services/gafaelfawr/templates/_helpers.tpl b/services/gafaelfawr/templates/_helpers.tpl new file mode 100644 index 0000000000..57265a82b9 --- /dev/null +++ b/services/gafaelfawr/templates/_helpers.tpl 
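Review bot: The `spec` schema lists `service` and `scopes` but declares neither as `required` and places no constraint on `service`, so a GafaelfawrServiceToken with a missing or empty service name is admitted by the API server and only fails (or yields a token with an empty username) inside the controller; add `required: ["service", "scopes"]` under `spec` and `minLength: 1` (plus whatever username pattern Gafaelfawr enforces) under `service`, mirroring the `pattern` already applied to each scope entry. The `helm.sh/hook: crd-install` annotation is a Helm 2 mechanism that Helm 3 ignores, and files under `crds/` are installed ahead of the templates regardless, so the annotation can be dropped rather than suggest it does something.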
@@ -0,0 +1,52 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "gafaelfawr.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gafaelfawr.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gafaelfawr.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "gafaelfawr.labels" -}} +helm.sh/chart: {{ include "gafaelfawr.chart" . }} +{{ include "gafaelfawr.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "gafaelfawr.selectorLabels" -}} +app.kubernetes.io/name: {{ include "gafaelfawr.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml new file mode 100644 index 0000000000..acc01f877f --- /dev/null +++ b/services/gafaelfawr/templates/configmap.yaml 
@@ -0,0 +1,140 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "gafaelfawr.fullname" . }}-config + labels: + {{- include "gafaelfawr.labels" . | nindent 4 }} +data: + gafaelfawr.yaml: | + realm: {{ required "globals.host must be set" .Values.globals.host | quote }} + loglevel: {{ .Values.config.loglevel | quote }} + session_secret_file: "/etc/gafaelfawr/secrets/session-secret" + database_url: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} + redis_url: "redis://{{ template "gafaelfawr.fullname" . }}-redis.{{ .Release.Namespace }}:6379/0" + redis_password_file: "/etc/gafaelfawr/secrets/redis-password" + {{- if .Values.config.proxies }} + proxies: + {{- range $netblock := .Values.config.proxies }} + - {{ $netblock | quote }} + {{- end }} + {{- end }} + after_logout_url: {{ required "globals.baseUrl must be set" .Values.globals.baseUrl }} + {{- if .Values.config.errorFooter }} + error_footer: {{ .Values.config.errorFooter | quote }} + {{- end }} + + issuer: + iss: "https://{{ .Values.globals.host }}" + key_id: "reissuer" + aud: "https://{{ .Values.globals.host }}" + key_file: "/etc/gafaelfawr/secrets/signing-key" + exp_minutes: {{ .Values.config.issuer.expMinutes }} + {{- if .Values.config.issuer.influxdb.enabled }} + influxdb_secret_file: "/etc/gafaelfawr/secrets/influxdb-secret" + {{- if .Values.config.issuer.influxdb.username }} + influxdb_username: {{ .Values.config.issuer.influxdb.username | quote }} + {{- end }} + {{- end }} + + {{- if .Values.config.github.clientId }} + + github: + client_id: {{ .Values.config.github.clientId | quote }} + client_secret_file: "/etc/gafaelfawr/secrets/github-client-secret" + + {{- else if .Values.config.cilogon.clientId }} + + oidc: + client_id: {{ .Values.config.cilogon.clientId | quote }} + client_secret_file: "/etc/gafaelfawr/secrets/cilogon-client-secret" + {{- if .Values.config.cilogon.test }} + login_url: "https://test.cilogon.org/authorize" + token_url: 
"https://test.cilogon.org/oauth2/token" + issuer: "https://test.cilogon.org" + {{- else }} + login_url: "https://cilogon.org/authorize" + token_url: "https://cilogon.org/oauth2/token" + issuer: "https://cilogon.org" + {{- end }} + {{- if .Values.config.cilogon.loginParams }} + login_params: + {{- range $key, $value := .Values.config.cilogon.loginParams }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- if .Values.config.cilogon.redirectUrl }} + redirect_url: {{ .Values.config.cilogon.redirectUrl | quote }} + {{- else }} + redirect_url: "{{ .Values.globals.baseUrl }}/login" + {{- end }} + scopes: + - "email" + - "org.cilogon.userinfo" + audience: {{ .Values.config.cilogon.clientId | quote }} + key_ids: + - "244B235F6B28E34108D101EAC7362C4E" + + {{- else if .Values.config.oidc.clientId }} + + oidc: + client_id: {{ .Values.config.oidc.clientId | quote }} + client_secret_file: "/etc/gafaelfawr/secrets/oidc-client-secret" + {{- if .Values.config.oidc.audience }} + audience: {{ .Values.config.oidc.audience | quote }} + {{- else }} + audience: {{ .Values.config.oidc.clientId | quote }} + {{- end }} + login_url: {{ required "config.oidc.loginUrl must be set" .Values.config.oidc.loginUrl | quote }} + token_url: {{ required "config.oidc.tokenUrl must be set" .Values.config.oidc.tokenUrl | quote }} + issuer: {{ required "config.oidc.issuer must be set" .Values.config.oidc.issuer | quote }} + {{- if .Values.config.oidc.redirectUrl }} + redirect_url: {{ .Values.config.oidc.redirectUrl | quote }} + {{- else }} + redirect_url: "{{ .Values.globals.baseUrl }}/login" + {{- end }} + scopes: + {{- with .Values.config.oidc.scopes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.config.oidc.loginParams }} + login_params: + {{- toYaml . 
| nindent 8 }} + {{- end }} + + {{- end }} + + {{- if .Values.config.ldap.url }} + ldap: + url: {{ .Values.config.ldap.url | quote }} + base_dn: {{ required "config.ldap.baseDn must be set" .Values.config.ldap.baseDn | quote }} + group_object_class: {{ .Values.config.ldap.groupObjectClass | quote }} + group_member_attr: {{ .Values.config.ldap.groupMemberAttr | quote }} + {{- if .Values.config.uidBaseDn }} + uid_base_dn: {{ .Values.config.uidBaseDn | quote }} + uid_attr: {{ .Values.config.uidAttr | quote }} + {{- end }} + {{- end }} + + {{- if .Values.config.oidcServer.enabled }} + oidc_server_secrets_file: "/etc/gafaelfawr/secrets/oidc-server-secrets" + {{- end }} + + known_scopes: + {{- range $key, $value := .Values.config.knownScopes }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + + group_mapping: + {{- range $key, $value := .Values.config.groupMapping }} + {{ $key | quote }}: + {{- range $group := $value }} + - {{ $group | quote }} + {{- end }} + {{- end }} + + {{- if .Values.config.initialAdmins }} + initial_admins: + {{- range $admin := .Values.config.initialAdmins }} + - {{ $admin | quote }} + {{- end }} + {{- end }} diff --git a/services/gafaelfawr/templates/deployment-tokens.yaml b/services/gafaelfawr/templates/deployment-tokens.yaml new file mode 100644 index 0000000000..85007c6c0f --- /dev/null +++ b/services/gafaelfawr/templates/deployment-tokens.yaml 
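Review bot: The LDAP block tests `.Values.config.uidBaseDn` and reads `.Values.config.uidAttr`, but this commit's README documents the keys as `config.ldap.uidBaseDn` and `config.ldap.uidAttr`, so the documented settings never render `uid_base_dn`/`uid_attr` and UID lookup silently stays disabled; the three lines should read `{{- if .Values.config.ldap.uidBaseDn }}`, `uid_base_dn: {{ .Values.config.ldap.uidBaseDn | quote }}` and `uid_attr: {{ .Values.config.ldap.uidAttr | quote }}`. Separately, `after_logout_url` is the only scalar in the file emitted without `| quote`; `after_logout_url: {{ required "globals.baseUrl must be set" .Values.globals.baseUrl | quote }}` matches the rest. `config.oidc.redirectUrl` is read in the generic OIDC branch but is absent from the README values table.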
@@ -0,0 +1,96 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "gafaelfawr.fullname" . }}-tokens + labels: + {{- include "gafaelfawr.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "tokens" + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.tokens.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gafaelfawr.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "tokens" + spec: + serviceAccountName: {{ include "gafaelfawr.fullname" . }}-tokens + containers: + {{- if .Values.cloudsql.enabled }} + - name: "cloud-sql-proxy" + command: + - "/cloud_sql_proxy" + - "-ip_address_types=PRIVATE" + - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" + image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + runAsUser: 65532 + runAsGroup: 65532 + {{- end }} + - name: "gafaelfawr-tokens" + command: + - "gafaelfawr" + - "kubernetes-controller" + env: + - name: "GAFAELFAWR_DATABASE_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "gafaelfawr.fullname" . 
}}-secret + key: "database-password" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- with .Values.resources }} + resources: + {{- toYaml .Values.tokens.resources | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + volumeMounts: + - name: "config" + mountPath: "/etc/gafaelfawr" + readOnly: true + - name: "secret" + mountPath: "/etc/gafaelfawr/secrets" + readOnly: true + imagePullSecrets: + - name: "pull-secret" + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + volumes: + - name: "config" + configMap: + name: {{ template "gafaelfawr.fullname" . }}-config + - name: "secret" + secret: + secretName: {{ template "gafaelfawr.fullname" . }}-secret + {{- with .Values.tokens.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tokens.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tokens.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/gafaelfawr/templates/deployment.yaml b/services/gafaelfawr/templates/deployment.yaml new file mode 100644 index 0000000000..83f03a8e77 --- /dev/null +++ b/services/gafaelfawr/templates/deployment.yaml 
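Review bot: The resources stanza is gated on `{{- with .Values.resources }}` (the frontend's value) and then reads `.Values.tokens.resources` inside the `with`, where the dot has been rebound to that resources map; as soon as anything sets `resources` the lookup dereferences a nil value and rendering fails, and while it is unset `tokens.resources` is never emitted at all. Use `{{- with .Values.tokens.resources }}` followed by `{{- toYaml . | nindent 12 }}`. deployment.yaml has the same shape (`with .Values.resources` then `toYaml .Values.resources`) and needs `toYaml .` for the same reason. The cloud-sql-proxy container here also omits the `runAsNonRoot: true` that the frontend's copy sets; the pod-level securityContext covers it, but keeping the two sidecar definitions identical avoids drift.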
@@ -0,0 +1,111 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "gafaelfawr.fullname" . }} + labels: + {{- include "gafaelfawr.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "frontend" + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gafaelfawr.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "frontend" + spec: + {{- if .Values.cloudsql.enabled }} + serviceAccountName: {{ include "gafaelfawr.fullname" . }} + {{- else }} + automountServiceAccountToken: false + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + - name: "cloud-sql-proxy" + command: + - "/cloud_sql_proxy" + - "-ip_address_types=PRIVATE" + - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" + image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + {{- end }} + - name: "gafaelfawr" + env: + - name: "GAFAELFAWR_BOOTSTRAP_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "gafaelfawr.fullname" . }}-secret + key: "bootstrap-token" + - name: "GAFAELFAWR_DATABASE_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "gafaelfawr.fullname" . 
}}-secret + key: "database-password" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + ports: + - containerPort: 8080 + name: "http" + protocol: "TCP" + readinessProbe: + httpGet: + path: "/" + port: "http" + {{- with .Values.resources }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + volumeMounts: + - name: "config" + mountPath: "/etc/gafaelfawr" + readOnly: true + - name: "secret" + mountPath: "/etc/gafaelfawr/secrets" + readOnly: true + imagePullSecrets: + - name: "pull-secret" + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + volumes: + - name: "config" + configMap: + name: {{ template "gafaelfawr.fullname" . }}-config + - name: "secret" + secret: + secretName: {{ template "gafaelfawr.fullname" . }}-secret + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/gafaelfawr/templates/ingress-rewrite.yaml b/services/gafaelfawr/templates/ingress-rewrite.yaml new file mode 100644 index 0000000000..0f39d1bc92 --- /dev/null +++ b/services/gafaelfawr/templates/ingress-rewrite.yaml 
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: "/auth/tokens/"
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ template "gafaelfawr.fullname" . }}-rewrite
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+spec:
+ rules:
+ - host: {{ required "globals.host must be set" .Values.globals.host | quote }}
+ http:
+ paths:
+ - path: "/auth/tokens/id/.*"
+ pathType: "ImplementationSpecific"
+ backend:
+ service:
+ name: {{ template "gafaelfawr.fullname" . }}
+ port:
+ number: 8080
diff --git a/services/gafaelfawr/templates/ingress.yaml b/services/gafaelfawr/templates/ingress.yaml
new file mode 100644
index 0000000000..9496464a38
--- /dev/null
+++ b/services/gafaelfawr/templates/ingress.yaml
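Review bot: `kubernetes.io/ingress.class: "nginx"` is the deprecated annotation form; with `networking.k8s.io/v1` the class belongs in the spec as `ingressClassName: "nginx"`, and ingress.yaml in this commit carries the same annotation. Because this object and the `/auth` Prefix rule in ingress.yaml share one host, ingress-nginx merges them into a single server block and, with `use-regex` enabled, its own location ordering decides which one serves `/auth/tokens/id/...`; that ordering is not visible in the chart, so a comment above `paths` stating that the regex location is expected to win over the `/auth` prefix, backed by a check of the rendered nginx.conf, would document the assumption.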
@@ -0,0 +1,60 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: "nginx" + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "gafaelfawr.fullname" . }} + labels: + {{- include "gafaelfawr.labels" . | nindent 4 }} +spec: + rules: + - host: {{ required "globals.host must be set" .Values.globals.host | quote }} + http: + paths: + - path: "/auth" + pathType: Prefix + backend: + service: + name: {{ template "gafaelfawr.fullname" . }} + port: + number: 8080 + - path: "/login" + pathType: Exact + backend: + service: + name: {{ template "gafaelfawr.fullname" . }} + port: + number: 8080 + - path: "/logout" + pathType: Exact + backend: + service: + name: {{ template "gafaelfawr.fullname" . }} + port: + number: 8080 + - path: "/oauth2/callback" + pathType: Exact + backend: + service: + name: {{ template "gafaelfawr.fullname" . }} + port: + number: 8080 + - path: "/.well-known/jwks.json" + pathType: Exact + backend: + service: + name: {{ template "gafaelfawr.fullname" . }} + port: + number: 8080 + {{- if .Values.config.oidcServer.enabled }} + - path: "/.well-known/openid-configuration" + pathType: Exact + backend: + service: + name: {{ template "gafaelfawr.fullname" . }} + port: + number: 8080 + {{- end }} diff --git a/services/gafaelfawr/templates/networkpolicy.yaml b/services/gafaelfawr/templates/networkpolicy.yaml new file mode 100644 index 0000000000..f5104e820d --- /dev/null +++ b/services/gafaelfawr/templates/networkpolicy.yaml 
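Review bot: `pathType: Prefix` and `pathType: Exact` are the only unquoted string scalars in this chart's templates; ingress-rewrite.yaml writes `pathType: "ImplementationSpecific"`, so quoting them (`pathType: "Prefix"`, `pathType: "Exact"`) keeps one convention across the chart. Gating `/.well-known/openid-configuration` on `config.oidcServer.enabled` while always exposing `/.well-known/jwks.json` looks intentional, but a one-line comment above the `if` saying why the JWKS path is unconditional would save the next reader from wondering whether it was meant to be gated too.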
@@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "gafaelfawr.fullname" . }} + labels: + {{- include "gafaelfawr.labels" . | nindent 4 }} +spec: + podSelector: + # This policy controls inbound access to the frontend component. + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "frontend" + policyTypes: + - Ingress + ingress: + # Allow inbound access to the frontend from pods (in any namespace) + # labeled gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 8080 diff --git a/services/gafaelfawr/templates/redis-networkpolicy.yaml b/services/gafaelfawr/templates/redis-networkpolicy.yaml new file mode 100644 index 0000000000..7423b2805b --- /dev/null +++ b/services/gafaelfawr/templates/redis-networkpolicy.yaml @@ -0,0 +1,30 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "gafaelfawr.fullname" . }}-redis + labels: + {{- include "gafaelfawr.labels" . | nindent 4 }} +spec: + podSelector: + # This policy controls inbound and outbound access to the Redis component. + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "redis" + policyTypes: + - Ingress + # Deny all outbound access; Redis doesn't need to talk to anything. + - Egress + ingress: + # Allow inbound access to Redis from all other components. + - from: + - podSelector: + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: "frontend" + - podSelector: + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: "tokens" + ports: + - protocol: "TCP" + port: 6379 
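Review bot: The frontend ingress rule pairs `namespaceSelector: {}` with a pod label, so any pod in any namespace whose owner can set `gafaelfawr.lsst.io/ingress: "true"` on it can reach the auth frontend on 8080; the policy is therefore only as strong as RBAC over pod labels cluster-wide. That is a defensible choice for an ingress controller running in another namespace, but the comment should say so explicitly, and where the controller's namespace is known a `namespaceSelector` with `matchLabels` on that namespace narrows the rule without changing the happy path. The policy also declares only `Ingress`, leaving the frontend's egress unrestricted, whereas the Redis policy in the next hunk denies egress outright; if that asymmetry is intended, a comment here stating it would help.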
diff --git a/services/gafaelfawr/templates/redis-service.yml b/services/gafaelfawr/templates/redis-service.yml
new file mode 100644
index 0000000000..8824f01e36
--- /dev/null
+++ b/services/gafaelfawr/templates/redis-service.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "gafaelfawr.fullname" . }}-redis
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6379
+ protocol: "TCP"
+ targetPort: 6379
+ selector:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "redis"
+ sessionAffinity: None
diff --git a/services/gafaelfawr/templates/redis-statefulset.yaml b/services/gafaelfawr/templates/redis-statefulset.yaml
new file mode 100644
index 0000000000..99fe2a841e
--- /dev/null
+++ b/services/gafaelfawr/templates/redis-statefulset.yaml
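Review bot: This is the only template in the chart named `.yml`; every sibling (redis-statefulset.yaml, redis-networkpolicy.yaml, service.yaml) uses `.yaml`, so renaming it to `redis-service.yaml` keeps one convention and ensures tooling that filters on the extension sees it. Helm renders both extensions, so nothing else changes.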
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ template "gafaelfawr.fullname" . }}-redis
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "redis"
+ serviceName: "redis"
+ template:
+ metadata:
+ {{- with .Values.redis.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: "redis"
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - name: "redis"
+ args:
+ - "redis-server"
+ - "--appendonly"
+ - "yes"
+ - "--requirepass"
+ - "$(REDIS_PASSWORD)"
+ env:
+ - name: "REDIS_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "gafaelfawr.fullname" . }}-secret
+ key: "redis-password"
+ image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}"
+ imagePullPolicy: {{ .Values.redis.image.pullPolicy | quote }}
+ livenessProbe:
+ exec:
+ command:
+ - "sh"
+ - "-c"
+ - "redis-cli -h $(hostname) incr health:counter"
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ ports:
+ - containerPort: 6379
+ resources:
+ limits:
+ cpu: "1"
+ requests:
+ cpu: "100m"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "all"
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: {{ template "gafaelfawr.fullname" . }}-redis-data
+ mountPath: "/data"
+ imagePullSecrets:
+ - name: "pull-secret"
+ securityContext:
+ fsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ runAsGroup: 999
+ {{- if (not .Values.redis.persistence.enabled) }}
+ volumes:
+ - name: {{ template "gafaelfawr.fullname" . }}-redis-data
+ emptyDir: {}
+ {{- else if .Values.redis.persistence.volumeClaimName }}
+ volumes:
+ - name: {{ template "gafaelfawr.fullname" . 
}}-redis-data
+ persistentVolumeClaim:
+ claimName: {{ .Values.redis.persistence.volumeClaimName | quote }}
+ {{- end }}
+ {{- with .Values.redis.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.redis.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.redis.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if (and .Values.redis.persistence.enabled (not .Values.redis.persistence.volumeClaimName)) }}
+ volumeClaimTemplates:
+ - metadata:
+ name: {{ template "gafaelfawr.fullname" . }}-redis-data
+ spec:
+ accessModes:
+ - {{ .Values.redis.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ .Values.redis.persistence.size | quote }}
+ {{- if .Values.redis.persistence.storageClass }}
+ storageClassName: {{ .Values.redis.persistence.storageClass | quote }}
+ {{- end }}
+ {{- end }}
diff --git a/services/gafaelfawr/templates/service.yaml b/services/gafaelfawr/templates/service.yaml
new file mode 100644
index 0000000000..27e6cdb0f0
--- /dev/null
+++ b/services/gafaelfawr/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "gafaelfawr.fullname" . }}
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - protocol: "TCP"
+ port: 8080
+ targetPort: "http"
+ selector:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "frontend"
+ sessionAffinity: None
diff --git a/services/gafaelfawr/templates/serviceaccount-tokens.yaml b/services/gafaelfawr/templates/serviceaccount-tokens.yaml
new file mode 100644
index 0000000000..70104dcbd9
--- /dev/null
+++ b/services/gafaelfawr/templates/serviceaccount-tokens.yaml
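Review bot: The liveness probe runs `redis-cli -h $(hostname) incr health:counter` with no credentials while the server is started with `--requirepass`, so the command receives a NOAUTH error reply; depending on the redis-cli version in the image that either fails the probe every period and restart-loops the pod or, if redis-cli exits 0 on an error reply, makes the probe vacuous — worth verifying against the image in use. Exporting the same secret as `REDISCLI_AUTH` (honoured by redis-cli since Redis 5) lets the probe authenticate without putting the password in the command string, and a `ping` avoids writing a counter key to the dataset on every probe. Relatedly, `--requirepass $(REDIS_PASSWORD)` exposes the password in the container's process arguments on the node; a `redis.conf` mounted from the secret would avoid that, though it is a larger change. `serviceName: "redis"` does not match the Service actually created in redis-service.yml (`{{ template "gafaelfawr.fullname" . }}-redis`), which only affects per-pod DNS with a single replica but is misleading. The pod-level `securityContext` would also benefit from `seccompProfile: {type: RuntimeDefault}`, and the capability drop is conventionally spelled `ALL`.

```yaml
        env:
          # … unchanged: REDIS_PASSWORD entry …
          # Lets redis-cli in the liveness probe authenticate without the
          # password appearing in the probe command line.
          - name: "REDISCLI_AUTH"
            valueFrom:
              secretKeyRef:
                name: {{ template "gafaelfawr.fullname" . }}-secret
                key: "redis-password"
        # … unchanged: image, imagePullPolicy …
        livenessProbe:
          exec:
            command:
              - "sh"
              - "-c"
              - "redis-cli -h $(hostname) ping"
        # … unchanged: initialDelaySeconds through imagePullSecrets …
      securityContext:
        fsGroup: 999
        runAsNonRoot: true
        runAsUser: 999
        runAsGroup: 999
        seccompProfile:
          type: "RuntimeDefault"
      # … unchanged: volumes and the rest of the template …
```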
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "gafaelfawr.fullname" . }}-tokens
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+ annotations:
+ {{- if .Values.cloudsql.enabled }}
+ iam.gke.io/gcp-service-account: {{ required "cloudsql.serviceAccount must be set to a valid Google service account" .Values.cloudsql.serviceAccount | quote }}
+ {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "gafaelfawr.fullname" . }}-tokens
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "patch", "update"]
+ - apiGroups: ["gafaelfawr.lsst.io"]
+ resources: ["gafaelfawrservicetokens", "gafaelfawrservicetokens/status"]
+ verbs: ["get", "list", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "gafaelfawr.fullname" . }}-tokens
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "gafaelfawr.fullname" . }}-tokens
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "gafaelfawr.fullname" . }}-tokens
+ apiGroup: rbac.authorization.k8s.io
diff --git a/services/gafaelfawr/templates/serviceaccount.yaml b/services/gafaelfawr/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..770808516a
--- /dev/null
+++ b/services/gafaelfawr/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.cloudsql.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "gafaelfawr.fullname" . }}
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+ annotations:
+ {{- if .Values.cloudsql.enabled }}
+ iam.gke.io/gcp-service-account: {{ required "cloudsql.serviceAccount must be set to a valid Google service account" .Values.cloudsql.serviceAccount | quote }}
+ {{- end }}
+{{- end }}
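Review bot: The ClusterRole grants `create`, `get`, `patch` and `update` on `secrets` in every namespace, which lets the tokens service account read any Secret in the cluster by name, not only the ones it writes for GafaelfawrServiceToken objects. If the operator only needs to manage Secrets in the namespaces where those CRs live, namespaced Role/RoleBinding pairs per consumer namespace would bound what a compromise of that service account's token can reach; if cluster scope is required because CRs may appear in any namespace, a comment above `rules:` saying so would save the next reviewer the question. The `gafaelfawrservicetokens` rule (`get`, `list`, `patch`, `watch` plus `/status`) looks right for a watch-based operator.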
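Review bot: In serviceaccount.yaml the inner `{{- if .Values.cloudsql.enabled }}` around the annotation is redundant, because the whole document is already wrapped in `{{- if .Values.cloudsql.enabled -}}`; dropping it and its `{{- end }}` makes it clear the annotation is unconditional here. This differs from serviceaccount-tokens.yaml, where the ServiceAccount is always rendered and the same guard is meaningful. Since the document is conditional, the frontend presumably runs under the namespace's default service account when cloudsql is disabled — confirm that is what the deployment template expects, as it is not in this hunk.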
diff --git a/services/gafaelfawr/templates/vault-secret.yaml b/services/gafaelfawr/templates/vault-secret.yaml
new file mode 100644
index 0000000000..ca5230200d
--- /dev/null
+++ b/services/gafaelfawr/templates/vault-secret.yaml
@@ -0,0 +1,19 @@
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: {{ template "gafaelfawr.fullname" . }}-secret
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+spec:
+ path: "{{ .Values.globals.vaultSecretsPath }}/gafaelfawr"
+ type: Opaque
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: "pull-secret"
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+spec:
+ path: "{{ .Values.globals.vaultSecretsPath }}/pull-secret"
+ type: "kubernetes.io/dockerconfigjson"
diff --git a/services/gafaelfawr/values-base.yaml b/services/gafaelfawr/values-base.yaml
index 641e1196a6..3b346f6505 100644
--- a/services/gafaelfawr/values-base.yaml
+++ b/services/gafaelfawr/values-base.yaml
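Review bot: The two VaultSecret objects quote `type` inconsistently — `type: Opaque` on the first and `type: "kubernetes.io/dockerconfigjson"` on the second; the rest of the chart quotes string scalars, so `type: "Opaque"` would match. The second object uses the fixed name `"pull-secret"` rather than a fullname-derived one, so it will collide with any other release in the same namespace that manages an object of that name; that is presumably intended since the values files in this commit drop their `pull-secret:` blocks, but a one-line comment above it stating that this replaces the former subchart would make the choice explicit.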
@@ -1,54 +1,42 @@ -gafaelfawr: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "base-lsp.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes/gafaelfawr" +# Reset token storage on every Redis restart for now. This should change to +# use persistent volumes once we can coordinate that. +redis: + persistence: + enabled: false - # Reset token storage on every Redis restart for now. This should change to - # use persistent volumes once we can coordinate that. - redis: - persistence: - enabled: false +config: + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - config: - host: "base-lsp.lsst.codes" - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + github: + clientId: "ec88b9b897f302b620d1" - github: - clientId: "ec88b9b897f302b620d1" + # Allow access by GitHub team. + groupMapping: + "admin:provision": + - "lsst-sqre-square" + "exec:admin": + - "lsst-sqre-square" + "exec:notebook": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-base-access" + - "rubin-summit-rsp-access" + "exec:portal": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-base-access" + - "rubin-summit-rsp-access" + "read:tap": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-base-access" + - "rubin-summit-rsp-access" - # Allow access by GitHub team. 
- groupMapping: - "admin:provision": - - "lsst-sqre-square" - "exec:admin": - - "lsst-sqre-square" - "exec:notebook": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" - "exec:portal": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" - "read:tap": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" - - initialAdmins: - - "afausti" - - "athornton" - - "cbanek" - - "frossie" - - "jonathansick" - - "rra" - - "simonkrughoff" - -pull-secret: - enabled: true - path: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" + initialAdmins: + - "afausti" + - "athornton" + - "cbanek" + - "frossie" + - "jonathansick" + - "rra" + - "simonkrughoff" diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index c67f1ee830..35b2b68594 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml 
@@ -1,64 +1,52 @@ -gafaelfawr: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-dev.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/gafaelfawr" +# Use the CSI storage class so that we can use snapshots. +redis: + persistence: + storageClass: "standard-rwo" - # Use the CSI storage class so that we can use snapshots. - redis: - persistence: - storageClass: "standard-rwo" +config: + databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" - config: - host: "data-dev.lsst.cloud" - databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" - - # Support OpenID Connect clients like Chronograf. - oidcServer: - enabled: true - - github: - clientId: "f46555b3f4c524e764ac" - - # Allow access by GitHub team. - groupMapping: - "admin:provision": - - "lsst-sqre-square" - "exec:admin": - - "lsst-sqre-square" - "exec:notebook": - - "lsst-sqre-square" - - "lsst-sqre-friends" - "exec:portal": - - "lsst-sqre-square" - - "lsst-sqre-friends" - "read:image": - - "lsst-sqre-square" - - "lsst-sqre-friends" - "read:tap": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - initialAdmins: - - "afausti" - - "athornton" - - "cbanek" - - "frossie" - - "jonathansick" - - "rra" - - "simonkrughoff" - - errorFooter: | - To report problems or ask for help, please open an issue in the - GitHub - rubin-dp0/Support project. - - cloudsql: + # Support OpenID Connect clients like Chronograf. + oidcServer: enabled: true - instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" - serviceAccount: "gafaelfawr@science-platform-dev-7696.iam.gserviceaccount.com" -pull-secret: + github: + clientId: "f46555b3f4c524e764ac" + + # Allow access by GitHub team. 
+ groupMapping: + "admin:provision": + - "lsst-sqre-square" + "exec:admin": + - "lsst-sqre-square" + "exec:notebook": + - "lsst-sqre-square" + - "lsst-sqre-friends" + "exec:portal": + - "lsst-sqre-square" + - "lsst-sqre-friends" + "read:image": + - "lsst-sqre-square" + - "lsst-sqre-friends" + "read:tap": + - "lsst-sqre-square" + - "lsst-sqre-friends" + + initialAdmins: + - "afausti" + - "athornton" + - "cbanek" + - "frossie" + - "jonathansick" + - "rra" + - "simonkrughoff" + + errorFooter: | + To report problems or ask for help, please open an issue in the + GitHub + rubin-dp0/Support project. + +cloudsql: enabled: true - path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" + instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" + serviceAccount: "gafaelfawr@science-platform-dev-7696.iam.gserviceaccount.com" diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index 175601c301..37216d2af2 100644 --- a/services/gafaelfawr/values-idfint.yaml +++ b/services/gafaelfawr/values-idfint.yaml 
@@ -1,68 +1,55 @@ -gafaelfawr: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-int.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/gafaelfawr" - - # Use the CSI storage class so that we can use snapshots. - redis: - persistence: - storageClass: "standard-rwo" - - config: - loglevel: "DEBUG" - host: "data-int.lsst.cloud" - databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" - - github: - clientId: "0c4cc7eaffc0f89b9ace" - - # Allow access by GitHub team. - groupMapping: - "admin:provision": - - "lsst-sqre-square" - "exec:admin": - - "lsst-sqre-square" - "exec:notebook": - - "lsst-ops-panda" - - "lsst-sqre-square" - - "lsst-sqre-friends" - "exec:portal": - - "lsst-ops-panda" - - "lsst-sqre-square" - - "lsst-sqre-friends" - "read:alertdb": - - "lsst-sqre-square" - - "lsst-sqre-friends" - "read:image": - - "lsst-ops-panda" - - "lsst-sqre-square" - - "lsst-sqre-friends" - "read:tap": - - "lsst-ops-panda" - - "lsst-sqre-square" - - "lsst-sqre-friends" - - initialAdmins: - - "afausti" - - "athornton" - - "cbanek" - - "frossie" - - "jonathansick" - - "rra" - - "simonkrughoff" - - errorFooter: | - To report problems or ask for help, please open an issue in the - GitHub - rubin-dp0/Support project. - - cloudsql: - enabled: true - instanceConnectionName: "science-platform-int-dc5d:us-central1:science-platform-int-8f439af2" - serviceAccount: "gafaelfawr@science-platform-int-dc5d.iam.gserviceaccount.com" - -pull-secret: +# Use the CSI storage class so that we can use snapshots. +redis: + persistence: + storageClass: "standard-rwo" + +config: + databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" + + github: + clientId: "0c4cc7eaffc0f89b9ace" + + # Allow access by GitHub team. 
+ groupMapping: + "admin:provision": + - "lsst-sqre-square" + "exec:admin": + - "lsst-sqre-square" + "exec:notebook": + - "lsst-ops-panda" + - "lsst-sqre-square" + - "lsst-sqre-friends" + "exec:portal": + - "lsst-ops-panda" + - "lsst-sqre-square" + - "lsst-sqre-friends" + "read:alertdb": + - "lsst-sqre-square" + - "lsst-sqre-friends" + "read:image": + - "lsst-ops-panda" + - "lsst-sqre-square" + - "lsst-sqre-friends" + "read:tap": + - "lsst-ops-panda" + - "lsst-sqre-square" + - "lsst-sqre-friends" + + initialAdmins: + - "afausti" + - "athornton" + - "cbanek" + - "frossie" + - "jonathansick" + - "rra" + - "simonkrughoff" + + errorFooter: | + To report problems or ask for help, please open an issue in the + GitHub + rubin-dp0/Support project. + +cloudsql: enabled: true - path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" + instanceConnectionName: "science-platform-int-dc5d:us-central1:science-platform-int-8f439af2" + serviceAccount: "gafaelfawr@science-platform-int-dc5d.iam.gserviceaccount.com" diff --git a/services/gafaelfawr/values-idfprod.yaml b/services/gafaelfawr/values-idfprod.yaml index ec443eb303..7284c8bf50 100644 --- a/services/gafaelfawr/values-idfprod.yaml +++ b/services/gafaelfawr/values-idfprod.yaml 
@@ -1,75 +1,62 @@ -gafaelfawr: - replicaCount: 2 - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/gafaelfawr" - - # Use the CSI storage class so that we can use snapshots. - redis: - persistence: - storageClass: "standard-rwo" - - config: - loglevel: "DEBUG" - host: "data.lsst.cloud" - databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" - - github: - clientId: "65b6333a066375091548" - - # Allow access by GitHub team. - groupMapping: - "admin:provision": - - "lsst-sqre-square" - "exec:admin": - - "lsst-sqre-square" - "exec:notebook": - - "lsst-sqre-square" - - "lsst-data-management" - - "lsst-ops" - - "rubin-dp0-delegates" - - "rubin-dp0-friends" - "exec:portal": - - "lsst-sqre-square" - - "lsst-data-management" - - "lsst-ops" - - "rubin-dp0-delegates" - - "rubin-dp0-friends" - "read:image": - - "lsst-sqre-square" - - "lsst-data-management" - - "lsst-ops" - - "rubin-dp0-delegates" - - "rubin-dp0-friends" - "read:tap": - - "lsst-sqre-square" - - "lsst-data-management" - - "lsst-ops" - - "rubin-dp0-delegates" - - "rubin-dp0-friends" - - initialAdmins: - - "afausti" - - "athornton" - - "cbanek" - - "frossie" - - "jonathansick" - - "rra" - - "simonkrughoff" - - errorFooter: | - To report problems or ask for help, please open an issue in the - GitHub - rubin-dp0/Support project. - - cloudsql: - enabled: true - instanceConnectionName: "science-platform-stable-6994:us-central1:science-platform-stable-0c29612b" - serviceAccount: "gafaelfawr@science-platform-stable-6994.iam.gserviceaccount.com" - -pull-secret: +replicaCount: 2 + +# Use the CSI storage class so that we can use snapshots. +redis: + persistence: + storageClass: "standard-rwo" + +config: + databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" + + github: + clientId: "65b6333a066375091548" + + # Allow access by GitHub team. 
+ groupMapping: + "admin:provision": + - "lsst-sqre-square" + "exec:admin": + - "lsst-sqre-square" + "exec:notebook": + - "lsst-sqre-square" + - "lsst-data-management" + - "lsst-ops" + - "rubin-dp0-delegates" + - "rubin-dp0-friends" + "exec:portal": + - "lsst-sqre-square" + - "lsst-data-management" + - "lsst-ops" + - "rubin-dp0-delegates" + - "rubin-dp0-friends" + "read:image": + - "lsst-sqre-square" + - "lsst-data-management" + - "lsst-ops" + - "rubin-dp0-delegates" + - "rubin-dp0-friends" + "read:tap": + - "lsst-sqre-square" + - "lsst-data-management" + - "lsst-ops" + - "rubin-dp0-delegates" + - "rubin-dp0-friends" + + initialAdmins: + - "afausti" + - "athornton" + - "cbanek" + - "frossie" + - "jonathansick" + - "rra" + - "simonkrughoff" + + errorFooter: | + To report problems or ask for help, please open an issue in the + GitHub + rubin-dp0/Support project. + +cloudsql: enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" + instanceConnectionName: "science-platform-stable-6994:us-central1:science-platform-stable-0c29612b" + serviceAccount: "gafaelfawr@science-platform-stable-6994.iam.gserviceaccount.com" diff --git a/services/gafaelfawr/values-int.yaml b/services/gafaelfawr/values-int.yaml index 16b7b8f33c..8fc35b6979 100644 --- a/services/gafaelfawr/values-int.yaml +++ b/services/gafaelfawr/values-int.yaml 
@@ -1,53 +1,41 @@ -gafaelfawr: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "lsst-lsp-int.ncsa.illinois.edu" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/gafaelfawr" - - # Use an existing, manually-managed PVC for Redis. - redis: - persistence: - volumeClaimName: "auth-int-volume-claim" - - config: - host: "lsst-lsp-int.ncsa.illinois.edu" - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - - # IP range used by the cluster, used to determine the true client IP for - # logging. - proxies: - - "141.142.181.0/24" - - # Support OpenID Connect clients like Chronograf. - oidcServer: - enabled: true - - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/6ca7b54ac075b65bccb9c885f9ba4a75" - redirectUrl: "https://lsst-lsp-int.ncsa.illinois.edu/oauth2/callback" - test: true - loginParams: - skin: "LSST" - - # Use NCSA groups to determine token scopes. - groupMapping: - "admin:provision": ["lsst_int_lsp_admin"] - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] - - initialAdmins: - - "afausti" - - "athornto" - - "cbanek" - - "frossie" - - "jsick" - - "krughoff" - - "rra" - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" +# Use an existing, manually-managed PVC for Redis. +redis: + persistence: + volumeClaimName: "auth-int-volume-claim" + +config: + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + + # IP range used by the cluster, used to determine the true client IP for + # logging. + proxies: + - "141.142.181.0/24" + + # Support OpenID Connect clients like Chronograf. + oidcServer: + enabled: true + + # Use CILogon authentication. 
+ cilogon: + clientId: "cilogon:/client_id/6ca7b54ac075b65bccb9c885f9ba4a75" + redirectUrl: "https://lsst-lsp-int.ncsa.illinois.edu/oauth2/callback" + test: true + loginParams: + skin: "LSST" + + # Use NCSA groups to determine token scopes. + groupMapping: + "admin:provision": ["lsst_int_lsp_admin"] + "exec:admin": ["lsst_int_lsp_admin"] + "exec:notebook": ["lsst_int_lspdev"] + "exec:portal": ["lsst_int_lspdev"] + "read:tap": ["lsst_int_lspdev"] + + initialAdmins: + - "afausti" + - "athornto" + - "cbanek" + - "frossie" + - "jsick" + - "krughoff" + - "rra" diff --git a/services/gafaelfawr/values-minikube.yaml b/services/gafaelfawr/values-minikube.yaml index 99a58a4cd4..502d9dec7f 100644 --- a/services/gafaelfawr/values-minikube.yaml +++ b/services/gafaelfawr/values-minikube.yaml 
@@ -1,47 +1,35 @@ -gafaelfawr: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "minikube.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/gafaelfawr" +# Reset token storage on every Redis restart. +redis: + persistence: + enabled: false - # Reset token storage on every Redis restart. - redis: - persistence: - enabled: false +config: + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - config: - host: "minikube.lsst.codes" - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + # Support OpenID Connect clients like Chronograf. + oidcServer: + enabled: true - # Support OpenID Connect clients like Chronograf. - oidcServer: - enabled: true + # Use CILogon authentication. + cilogon: + clientId: "cilogon:/client_id/74e865cd71a3a327096d36081166b739" + redirectUrl: "https://minikube.lsst.codes/login" + loginParams: + skin: "LSST" - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/74e865cd71a3a327096d36081166b739" - redirectUrl: "https://minikube.lsst.codes/login" - loginParams: - skin: "LSST" + # Use NCSA groups to determine token scopes. + groupMapping: + "exec:admin": ["lsst_int_lsp_admin"] + "exec:notebook": ["lsst_int_lspdev"] + "exec:portal": ["lsst_int_lspdev"] + "exec:user": ["lsst_int_lspdev"] + "read:tap": ["lsst_int_lspdev"] - # Use NCSA groups to determine token scopes. - groupMapping: - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "exec:user": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] - - initialAdmins: - - "afausti" - - "athornton" - - "cbanek" - - "frossie" - - "jonathansick" - - "rra" - - "simonkrughoff" - -pull-secret: - enabled: true - path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" + initialAdmins: + - "afausti" + - "athornton" + - "cbanek" + - "frossie" + - "jonathansick" + - "rra" + - "simonkrughoff" 
diff --git a/services/gafaelfawr/values-red-five.yaml b/services/gafaelfawr/values-red-five.yaml index 0cc981eace..5bee48208b 100644 --- a/services/gafaelfawr/values-red-five.yaml +++ b/services/gafaelfawr/values-red-five.yaml 
@@ -1,46 +1,30 @@ -gafaelfawr: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "red-five.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/gafaelfawr" +# Reset token storage on every Redis restart. +redis: + persistence: + enabled: false - # Reset token storage on every Redis restart. - redis: - persistence: - enabled: false +config: + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - config: - host: "red-five.lsst.codes" - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + # Use CILogon authentication. + cilogon: + clientId: "cilogon:/client_id/51ea95a5fac24d5a6f33e658d7d77d2a" + loginParams: + skin: "LSST" - # Disabled but kept so that the client ID is easily accessible. - # github: - # clientId: "a19e79298a352f3e5650" + # Use NCSA groups to determine token scopes. + groupMapping: + "admin:provision": ["lsst_int_lsp_admin"] + "exec:admin": ["lsst_int_lsp_admin"] + "exec:notebook": ["lsst_int_lspdev"] + "exec:portal": ["lsst_int_lspdev"] + "read:tap": ["lsst_int_lspdev"] - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/51ea95a5fac24d5a6f33e658d7d77d2a" - loginParams: - skin: "LSST" - - # Use NCSA groups to determine token scopes. - groupMapping: - "admin:provision": ["lsst_int_lsp_admin"] - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] - - initialAdmins: - - "afausti" - - "athornto" - - "cbanek" - - "frossie" - - "jsick" - - "krughoff" - - "rra" - -pull-secret: - enabled: true - path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" + initialAdmins: + - "afausti" + - "athornto" + - "cbanek" + - "frossie" + - "jsick" + - "krughoff" + - "rra" diff --git a/services/gafaelfawr/values-roe.yaml b/services/gafaelfawr/values-roe.yaml index c579149a4c..f7a607cbfe 100644 --- a/services/gafaelfawr/values-roe.yaml +++ b/services/gafaelfawr/values-roe.yaml 
@@ -1,47 +1,33 @@ -gafaelfawr: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "rsp.lsst.ac.uk" - vaultSecretsPath: "secret/k8s_operator/roe/gafaelfawr" +redis: + persistence: + enabled: false - redis: - persistence: - enabled: false +config: + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + github: + clientId: "10172b4db1b67ee31620" - config: - loglevel: "DEBUG" - host: "rsp.lsst.ac.uk" - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - github: - clientId: "10172b4db1b67ee31620" + # Allow access by GitHub team. + groupMapping: + "exec:admin": + - "lsp-uk-dev" + "exec:notebook": + - "lsp-uk-dev" + "read:workspace": + - "lsp-uk-dev" + "read:workspace/user": + - "lsp-uk-dev" + "write:workspace/user": + - "lsp-uk-dev" + "exec:portal": + - "lsp-uk-dev" + "exec:user": + - "lsp-uk-dev" + "read:tap": + - "lsp-uk-dev" + "read:image": + - "lsp-uk-dev" - # Allow access by GitHub team. - groupMapping: - "exec:admin": - - "lsp-uk-dev" - "exec:notebook": - - "lsp-uk-dev" - "read:workspace": - - "lsp-uk-dev" - "read:workspace/user": - - "lsp-uk-dev" - "write:workspace/user": - - "lsp-uk-dev" - "exec:portal": - - "lsp-uk-dev" - "exec:user": - - "lsp-uk-dev" - "read:tap": - - "lsp-uk-dev" - "read:image": - - "lsp-uk-dev" - - initialAdmins: - - "stvoutsin" - - -pull-secret: - enabled: true - path: secret/k8s_operator/roe/pull-secret + initialAdmins: + - "stvoutsin" diff --git a/services/gafaelfawr/values-squash-sandbox.yaml b/services/gafaelfawr/values-squash-sandbox.yaml index 05d37fec61..c7f9a65429 100644 --- a/services/gafaelfawr/values-squash-sandbox.yaml +++ b/services/gafaelfawr/values-squash-sandbox.yaml 
@@ -1,49 +1,43 @@ -gafaelfawr: - ingress: - host: "squash-sandbox.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/squash-sandbox/gafaelfawr" +# Reset token storage on every Redis restart. +redis: + persistence: + enabled: false - # Reset token storage on every Redis restart. - redis: - persistence: - enabled: false +config: + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - config: - host: "squash-sandbox.lsst.codes" - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - - # Whether to issue tokens for InfluxDB. If set to true, influxdb-secret - # must be set in the Gafaelfawr secret. - issuer: - influxdb: - enabled: true - username: "efdreader" - - # Whether to support OpenID Connect clients. If set to true, - # oidc-server-secrets must be set in the Gafaelfawr secret. - oidcServer: + # Whether to issue tokens for InfluxDB. If set to true, influxdb-secret + # must be set in the Gafaelfawr secret. + issuer: + influxdb: enabled: true + username: "efdreader" + + # Whether to support OpenID Connect clients. If set to true, + # oidc-server-secrets must be set in the Gafaelfawr secret. + oidcServer: + enabled: true - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/232eaabf026dab8b26f9c9770873cb7e" - redirectUrl: "https://squash-sandbox.lsst.codes/login" - loginParams: - skin: "LSST" + # Use CILogon authentication. + cilogon: + clientId: "cilogon:/client_id/232eaabf026dab8b26f9c9770873cb7e" + redirectUrl: "https://squash-sandbox.lsst.codes/login" + loginParams: + skin: "LSST" - # Use NCSA groups to determine token scopes. - groupMapping: - "admin:provision": ["lsst_int_lsp_admin"] - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] + # Use NCSA groups to determine token scopes. 
+ groupMapping: + "admin:provision": ["lsst_int_lsp_admin"] + "exec:admin": ["lsst_int_lsp_admin"] + "exec:notebook": ["lsst_int_lspdev"] + "exec:portal": ["lsst_int_lspdev"] + "read:tap": ["lsst_int_lspdev"] - initialAdmins: - - "afausti" - - "athornto" - - "cbanek" - - "frossie" - - "jsick" - - "krughoff" - - "rra" + initialAdmins: + - "afausti" + - "athornto" + - "cbanek" + - "frossie" + - "jsick" + - "krughoff" + - "rra" diff --git a/services/gafaelfawr/values-stable.yaml b/services/gafaelfawr/values-stable.yaml index 9eae1c8b91..b02eb57576 100644 --- a/services/gafaelfawr/values-stable.yaml +++ b/services/gafaelfawr/values-stable.yaml 
@@ -1,54 +1,42 @@ -gafaelfawr: - replicaCount: 2 - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "lsst-lsp-stable.ncsa.illinois.edu" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/gafaelfawr" - - # Use an existing, manually-managed PVC for Redis. - redis: - persistence: - volumeClaimName: "auth-redis-volume-claim" - - config: - host: "lsst-lsp-stable.ncsa.illinois.edu" - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - - # IP range used by the cluster, used to determine the true client IP for - # logging. - proxies: - - "41.142.182.128/26" - - # Support OpenID Connect clients like Chronograf. - oidcServer: - enabled: true - - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/7ae419868b97e81644ced9886ffbcec" - redirectUrl: "https://lsst-lsp-stable.ncsa.illinois.edu/oauth2/callback" - loginParams: - skin: "LSST" - - # Use NCSA groups to determine token scopes. - groupMapping: - "admin:provision": ["lsst_int_lsp_admin"] - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] - - initialAdmins: - - "afausti" - - "athornto" - - "cbanek" - - "frossie" - - "jsick" - - "krughoff" - - "rra" - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" +replicaCount: 2 + +# Use an existing, manually-managed PVC for Redis. +redis: + persistence: + volumeClaimName: "auth-redis-volume-claim" + +config: + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + + # IP range used by the cluster, used to determine the true client IP for + # logging. + proxies: + - "41.142.182.128/26" + + # Support OpenID Connect clients like Chronograf. + oidcServer: + enabled: true + + # Use CILogon authentication. 
+ cilogon: + clientId: "cilogon:/client_id/7ae419868b97e81644ced9886ffbcec" + redirectUrl: "https://lsst-lsp-stable.ncsa.illinois.edu/oauth2/callback" + loginParams: + skin: "LSST" + + # Use NCSA groups to determine token scopes. + groupMapping: + "admin:provision": ["lsst_int_lsp_admin"] + "exec:admin": ["lsst_int_lsp_admin"] + "exec:notebook": ["lsst_int_lspdev"] + "exec:portal": ["lsst_int_lspdev"] + "read:tap": ["lsst_int_lspdev"] + + initialAdmins: + - "afausti" + - "athornto" + - "cbanek" + - "frossie" + - "jsick" + - "krughoff" + - "rra" diff --git a/services/gafaelfawr/values-summit.yaml b/services/gafaelfawr/values-summit.yaml index 431adad2b3..11aa1823d7 100644 --- a/services/gafaelfawr/values-summit.yaml +++ b/services/gafaelfawr/values-summit.yaml 
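Review bot: The `proxies` entry `"41.142.182.128/26"` in values-stable.yaml looks like it may be missing a leading `1` — values-int.yaml for the same NCSA site uses `"141.142.181.0/24"`, and 41.142.0.0/16 is not in the same range. The value is carried over unchanged by this commit, but because it decides which upstream addresses are treated as proxies when deriving the client IP for logging, a wrong range silently degrades the logged addresses; confirm it against the cluster's actual node range.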
@@ -1,55 +1,43 @@ -gafaelfawr: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "summit-lsp.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes/gafaelfawr" +# Reset token storage on every Redis restart for now. This should change to +# use persistent volumes once we can coordinate that. +redis: + persistence: + enabled: false - # Reset token storage on every Redis restart for now. This should change to - # use persistent volumes once we can coordinate that. - redis: - persistence: - enabled: false +config: + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - config: - host: "summit-lsp.lsst.codes" - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + # Use GitHub authentication. + github: + clientId: "220d64cbf46f9d2b7873" - # Use GitHub authentication. - github: - clientId: "220d64cbf46f9d2b7873" + # Allow access by GitHub team. + groupMapping: + "admin:provision": + - "lsst-sqre-square" + "exec:admin": + - "lsst-sqre-square" + "exec:notebook": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-summit-access" + - "rubin-summit-rsp-access" + "exec:portal": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-summit-access" + - "rubin-summit-rsp-access" + "read:tap": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-summit-access" + - "rubin-summit-rsp-access" - # Allow access by GitHub team. 
- groupMapping: - "admin:provision": - - "lsst-sqre-square" - "exec:admin": - - "lsst-sqre-square" - "exec:notebook": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-summit-access" - - "rubin-summit-rsp-access" - "exec:portal": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-summit-access" - - "rubin-summit-rsp-access" - "read:tap": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-summit-access" - - "rubin-summit-rsp-access" - - initialAdmins: - - "afausti" - - "athornton" - - "cbanek" - - "frossie" - - "jonathansick" - - "rra" - - "simonkrughoff" - -pull-secret: - enabled: true - path: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" + initialAdmins: + - "afausti" + - "athornton" + - "cbanek" + - "frossie" + - "jonathansick" + - "rra" + - "simonkrughoff" diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index f919620bda..28f953753a 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml 
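Review bot: The new side keeps `redis.persistence.enabled: false` for summit (and for tucson-teststand in the next hunk), which the new defaults file in this same commit documents as "Only use this for a test deployment"; with it every Redis restart invalidates every issued token, including user tokens in notebooks. The existing comment says this "should change ... once we can coordinate that" but carries no owner or tracking reference, so it will silently outlive the reason it was written. Extend the comment with a pointer, e.g. `# Tracked in <TICKET-PLACEHOLDER>; revisit once a persistent volume class is available at the summit.` If these environments are intended to stay ephemeral, say so explicitly instead, so the "test deployment" caveat in values.yaml is visibly acknowledged.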
@@ -1,55 +1,43 @@ -gafaelfawr: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "tucson-teststand.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/tucson-teststand.lsst.codes/gafaelfawr" +# Reset token storage on every Redis restart for now. This should change to +# use persistent volumes once we can coordinate that. +redis: + persistence: + enabled: false - # Reset token storage on every Redis restart for now. This should change to - # use persistent volumes once we can coordinate that. - redis: - persistence: - enabled: false +config: + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - config: - host: "tucson-teststand.lsst.codes" - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + # Use GitHub authentication. + github: + clientId: "49533cbd8a8079730dcf" - # Use GitHub authentication. - github: - clientId: "49533cbd8a8079730dcf" + # Allow access by GitHub team. + groupMapping: + "admin:provision": + - "lsst-sqre-square" + "exec:admin": + - "lsst-sqre-square" + "exec:notebook": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-base-access" + - "rubin-summit-rsp-access" + "exec:portal": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-base-access" + - "rubin-summit-rsp-access" + "read:tap": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-base-access" + - "rubin-summit-rsp-access" - # Allow access by GitHub team. 
- groupMapping: - "admin:provision": - - "lsst-sqre-square" - "exec:admin": - - "lsst-sqre-square" - "exec:notebook": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" - "exec:portal": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" - "read:tap": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" - - initialAdmins: - - "afausti" - - "athornton" - - "cbanek" - - "frossie" - - "jonathansick" - - "rra" - - "simonkrughoff" - -pull-secret: - enabled: true - path: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" + initialAdmins: + - "afausti" + - "athornton" + - "cbanek" + - "frossie" + - "jonathansick" + - "rra" + - "simonkrughoff" diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml new file mode 100644 index 0000000000..74e8378f6a --- /dev/null +++ b/services/gafaelfawr/values.yaml 
@@ -0,0 +1,280 @@ +# Default values for Gafaelfawr. + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# -- Number of web frontend pods to start +replicaCount: 1 + +image: + # -- Gafaelfawr image to use + repository: "lsstsqre/gafaelfawr" + + # -- Pull policy for the Gafaelfawr image + pullPolicy: "IfNotPresent" + + # -- Tag of Gafaelfawr image to use + # @default -- The appVersion of the chart + tag: "" + +ingress: + # -- Additional annotations to add to the ingress + annotations: {} + +# -- Resource limits and requests for the Gafaelfawr frontend pod +resources: {} + +# -- Annotations for the Gafaelfawr frontend pod +podAnnotations: {} + +# -- Node selector rules for the Gafaelfawr frontend pod +nodeSelector: {} + +# -- Tolerations for the Gafaelfawr frontend pod +tolerations: [] + +# -- Affinity rules for the Gafaelfawr frontend pod +affinity: {} + +config: + # -- URL for the PostgreSQL database + # @default -- None, must be set + databaseUrl: "" + + # -- Choose from the text form of Python logging levels + loglevel: "INFO" + + # -- List of netblocks used for internal Kubernetes IP addresses, used to + # determine the true client IP for logging + # @default -- [`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`] + proxies: + - "10.0.0.0/8" + - "172.16.0.0/12" + - "192.168.0.0/16" + + cilogon: + # -- CILogon client ID. One and only one of this, + # `config.github.clientId`, or `config.oidc.clientId` must be set. + clientId: "" + + # -- Return URL given to CILogon (must match the CILogon configuration) + # @default -- `/login` at the value of config.host + redirectUrl: "" + + # -- Whether to use the test instance of CILogon + test: false + + # -- Additional parameters to add + loginParams: + skin: "LSST" + + github: + # -- GitHub client ID. One and only one of this, `config.cilogon.clientId`, + # or `config.oidc.clientId` must be set. 
+ clientId: "" + + oidc: + # -- Client ID for generic OpenID Connect support. One and only one of + # this, `config.cilogon.clientId`, or `config.github.clientId` must be set. + clientId: "" + + # -- Audience for the JWT token + # @default -- Value of `config.oidc.clientId` + audience: "" + + # -- URL to which to redirect the user for authorization + # @default -- None, must be set + loginUrl: "" + + # -- Additional parameters to add to the login request + loginParams: {} + + # -- URL from which to retrieve the token for the user + # @default -- None, must be set + tokenUrl: "" + + # -- Issuer for the JWT token + # @default -- None, must be set + issuer: "" + + # -- Scopes to request from the OpenID Connect provider + scopes: + - "openid" + + ldap: + # -- LDAP server URL from which to retrieve user group information + # @default -- Do not use LDAP + url: "" + + # -- Base DN for the LDAP search to find a user's groups + # @default -- None, must be set + baseDn: "" + + # -- Object class containing group information + groupObjectClass: "posixGroup" + + # -- Member attribute of the object class. Values must match the username + # returned in the token from the OpenID Connect authentication server. + groupMemberAttr: "member" + + # -- Base DN for the LDAP search to find a user's UID number + # @default -- Get the UID number from the upstream authentication provider + uidBaseDn: "" + + # -- Attribute containing the user's UID number (only used if uidBaseDn is + # set) + uidAttr: "uidNumber" + + issuer: + # -- Session length and token expiration (in minutes) + # @default -- `43200` (30 days) + expMinutes: 43200 + + influxdb: + # -- Whether to issue tokens for InfluxDB. If set to true, + # `influxdb-secret` must be set in the Gafaelfawr secret. 
+ enabled: false + + # -- If set, force all InfluxDB tokens to have that username instead of + # the authenticated identity of the user requesting a token + username: "" + + oidcServer: + # -- Whether to support OpenID Connect clients. If set to true, + # `oidc-server-secrets` must be set in the Gafaelfawr secret. + enabled: false + + # -- Names and descriptions of all scopes in use. This is used to populate + # the new token creation page. Only scopes listed here will be options when + # creating a new token. + # @default -- See the `values.yaml` file + knownScopes: + "admin:token": >- + Can create and modify tokens for any user + "admin:provision": >- + Can perform privileged user provisioning + "exec:admin": >- + Administrative access to all APIs + "exec:notebook": >- + Use the Notebook Aspect + "exec:portal": >- + Use the Portal Aspect + "read:alertdb": >- + Retrieve alert packets and schemas from the alert archive database + "read:image": >- + Retrieve images from project datasets + "read:tap": >- + Execute SELECT queries in the TAP interface on project datasets + "user:token": >- + Can create and modify user tokens + + # -- Defines a mapping of scopes to groups that provide that scope. Tokens + # from an OpenID Connect provider such as CILogon that include groups in an + # `isMemberOf` claim will be granted scopes based on this mapping. + groupMapping: {} + + # -- Usernames to add as administrators when initializing a new database. + # Used only if there are no administrators. + initialAdmins: [] + + # -- HTML footer to add to any login error page (inside a

tag). + errorFooter: "" + +cloudsql: + # -- Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases + # on Google Cloud + enabled: false + + image: + # -- Cloud SQL Auth Proxy image to use + repository: "gcr.io/cloudsql-docker/gce-proxy" + + # -- Cloud SQL Auth Proxy tag to use + tag: "1.29.0" + + # -- Pull policy for Cloud SQL Auth Proxy images + pullPolicy: "IfNotPresent" + + # -- Instance connection name for a CloudSQL PostgreSQL instance + instanceConnectionName: "" + + # -- The Google service account that has an IAM binding to the `gafaelfawr` + # and `gafaelfawr-tokens` Kubernetes service accounts and has the + # `cloudsql.client` role + serviceAccount: "" + +tokens: + # -- Resource limits and requests for the Gafaelfawr token management pod + resources: {} + + # -- Annotations for the token management pod + podAnnotations: {} + + # -- Node selection rules for the token management pod + nodeSelector: {} + + # -- Tolerations for the token management pod + tolerations: [] + + # -- Affinity rules for the token management pod + affinity: {} + +redis: + image: + # -- Redis image to use + repository: "redis" + + # -- Redis image tag to use + tag: "6.2.6" + + # -- Pull policy for the Redis image + pullPolicy: "IfNotPresent" + + persistence: + # -- Whether to persist Redis storage and thus tokens. Setting this to + # false will use `emptyDir` and reset all tokens on every restart. Only + # use this for a test deployment. + enabled: true + + # -- Amount of persistent storage to request + size: "1Gi" + + # -- Class of storage to request + storageClass: "" + + # -- Access mode of storage to request + accessMode: "ReadWriteOnce" + + # -- Use an existing PVC, not dynamic provisioning. If this is set, the + # size, storageClass, and accessMode settings are ignored. 
+ volumeClaimName: "" + + # -- Pod annotations for the Redis pod + podAnnotations: {} + + # -- Node selection rules for the Redis pod + nodeSelector: {} + + # -- Tolerations for the Redis pod + tolerations: [] + + # -- Affinity rules for the Redis pod + affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +globals: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From 44e787135b8786b15880a09e9f2f3ae36214eb7e Mon Sep 17 00:00:00 2001 
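Review bot: The doc comment on `config.cilogon.redirectUrl`, `# @default -- `/login` at the value of config.host`, refers to a key this file does not define; the only host key here is `globals.host`, documented as "Set by Argo CD", and the environment hunks earlier in this patch delete `config.host`. Presumably the default is now derived from `globals.host`, so the comment should say that, or name whatever the template actually reads. Two other defaults deserve a sentence because they are trust decisions rather than tuning: `config.proxies` is the set of source netblocks whose forwarded client-IP headers are believed (a request arriving from outside those ranges cannot spoof the logged client IP, one from inside can), and `config.errorFooter` is operator-supplied HTML inserted into the login error page, so it must only ever come from this values file and never from user-influenced input. Suggested wording for proxies: `# Only headers set by proxies in these netblocks are trusted for the logged client IP.` The 30-day `issuer.expMinutes` default would also benefit from a note that it bounds the lifetime of every session and user token.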
From: Russell Owen Date: Mon, 21 Mar 2022 10:46:55 -0700 Subject: [PATCH 0082/1479] Update exposurelog and narrativelog Update for new versions of both packages. Move chart and template files from the charts package to this package. --- services/exposurelog/Chart.yaml | 22 ++-- services/exposurelog/templates/_helpers.tpl | 51 ++++++++ .../exposurelog/templates/deployment.yaml | 110 ++++++++++++++++++ services/exposurelog/templates/hpa.yaml | 28 +++++ services/exposurelog/templates/ingress.yaml | 34 ++++++ services/exposurelog/templates/service.yaml | 15 +++ .../templates/tests/test-connection.yaml | 15 +++ services/exposurelog/values-base.yaml | 20 +--- services/exposurelog/values-roe.yaml | 20 +--- services/exposurelog/values-summit.yaml | 20 +--- .../exposurelog/values-tucson-teststand.yaml | 20 ++++ services/exposurelog/values.yaml | 92 +++++++++++++++ services/narrativelog/Chart.yaml | 22 ++-- services/narrativelog/templates/_helpers.tpl | 51 ++++++++ .../narrativelog/templates/deployment.yaml | 82 +++++++++++++ services/narrativelog/templates/hpa.yaml | 28 +++++ services/narrativelog/templates/ingress.yaml | 34 ++++++ .../narrativelog/templates/networkpolicy.yaml | 23 ++++ services/narrativelog/templates/service.yaml | 15 +++ .../templates/tests/test-connection.yaml | 15 +++ services/narrativelog/values.yaml | 75 ++++++++++++ 21 files changed, 731 insertions(+), 61 deletions(-) create mode 100644 services/exposurelog/templates/_helpers.tpl create mode 100644 services/exposurelog/templates/deployment.yaml create mode 100644 services/exposurelog/templates/hpa.yaml create mode 100644 services/exposurelog/templates/ingress.yaml create mode 100644 services/exposurelog/templates/service.yaml create mode 100644 services/exposurelog/templates/tests/test-connection.yaml create mode 100644 services/exposurelog/values-tucson-teststand.yaml create mode 100644 services/exposurelog/values.yaml create mode 100644 services/narrativelog/templates/_helpers.tpl create mode 
100644 services/narrativelog/templates/deployment.yaml create mode 100644 services/narrativelog/templates/hpa.yaml create mode 100644 services/narrativelog/templates/ingress.yaml create mode 100644 services/narrativelog/templates/networkpolicy.yaml create mode 100644 services/narrativelog/templates/service.yaml create mode 100644 services/narrativelog/templates/tests/test-connection.yaml create mode 100644 services/narrativelog/values.yaml diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml index ef1bd0ba94..d3c86bca6f 100644 --- a/services/exposurelog/Chart.yaml +++ b/services/exposurelog/Chart.yaml @@ -1,10 +1,16 @@ apiVersion: v2 name: exposurelog -version: 0.0.1 -dependencies: -- name: exposurelog - version: ">=0.1.0" - repository: https://lsst-sqre.github.io/charts/ -- name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ +description: Exposure log service +maintainers: + - name: r-owen +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.3.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: 0.9.0 diff --git a/services/exposurelog/templates/_helpers.tpl b/services/exposurelog/templates/_helpers.tpl new file mode 100644 index 0000000000..c8389c67db --- /dev/null +++ b/services/exposurelog/templates/_helpers.tpl 
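Review bot: Dropping the `pull-secret` dependency here (and in narrativelog's Chart.yaml later in this patch) removes the only thing in view that created the `pull-secret` Secret, yet the environment files in this same commit still carry `pull-secret: enabled: true, path: ...` stanzas and add `imagePullSecrets: - name: pull-secret` to the pod spec. Unless that Secret is provisioned by something outside this patch, the new deployments will reference a secret that no longer exists, and the `pull-secret:` blocks in values-base, values-roe, values-summit and values-tucson-teststand are dead configuration either way. Either keep the subchart or remove the stanzas and document where the Secret now comes from. Separately, Helm's chart docs recommend quoting `appVersion`; `appVersion: "0.9.0"` avoids any parser surprise if a future value happens to look numeric.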
@@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "exposurelog.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "exposurelog.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "exposurelog.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "exposurelog.labels" -}} +helm.sh/chart: {{ include "exposurelog.chart" . }} +{{ include "exposurelog.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "exposurelog.selectorLabels" -}} +app.kubernetes.io/name: {{ include "exposurelog.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml new file mode 100644 index 0000000000..2e5ea14c37 --- /dev/null +++ b/services/exposurelog/templates/deployment.yaml 
@@ -0,0 +1,110 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "exposurelog.fullname" . }} + labels: + {{- include "exposurelog.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "exposurelog.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "exposurelog.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: /exposurelog + port: http + readinessProbe: + httpGet: + path: /exposurelog + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + env: + - name: BUTLER_URI_1 + value: {{ .Values.butler_uri_1 | quote }} + - name: BUTLER_URI_2 + value: {{ .Values.butler_uri_2 | quote }} + - name: EXPOSURELOG_DB_USER + value: exposurelog + - name: EXPOSURELOG_DB_PASSWORD + valueFrom: + secretKeyRef: + name: postgres + key: exposurelog_password + - name: EXPOSURELOG_DB_HOST + value: postgres.postgres + - name: EXPOSURELOG_DB_PORT + value: "5432" + - name: EXPOSURELOG_DB_DATABSE + value: exposurelog + - name: SITE_ID + value: {{ .Values.site_id | quote }} + volumeMounts: + {{- if .Values.nfs_path_1 }} + - mountPath: /volume_1 + name: volume1 + {{- end }} + {{- if .Values.nfs_path_2 }} + - mountPath: /volume_2 + name: 
volume2 + {{- end }} + volumes: + {{- if .Values.nfs_path_1 }} + - name: volume1 + nfs: + path: {{ .Values.nfs_path_1 }} + readOnly: true + server: {{ .Values.nfs_server_1 }} + {{- end }} + {{- if .Values.nfs_path_2 }} + - name: volume2 + nfs: + path: {{ .Values.nfs_path_2 }} + readOnly: true + server: {{ .Values.nfs_server_2 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/exposurelog/templates/hpa.yaml b/services/exposurelog/templates/hpa.yaml new file mode 100644 index 0000000000..d7e30c1a63 --- /dev/null +++ b/services/exposurelog/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "exposurelog.fullname" . }} + labels: + {{- include "exposurelog.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "exposurelog.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/services/exposurelog/templates/ingress.yaml b/services/exposurelog/templates/ingress.yaml new file mode 100644 index 0000000000..bda7b27988 --- /dev/null +++ b/services/exposurelog/templates/ingress.yaml 
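Review bot: The environment name `EXPOSURELOG_DB_DATABSE` (and `NARRATIVELOG_DB_DATABSE` in the narrativelog deployment at the end of this patch) looks like a typo for `..._DB_DATABASE`; if the application reads the correctly spelled name, the database name silently falls back to the application's default, so confirm the spelling against the package's config loader before this ships. The NFS `path:` and `server:` values are interpolated unquoted while `site_id` and the butler URIs use `| quote`; make them consistent with `path: {{ .Values.nfs_path_1 | quote }}` and `server: {{ .Values.nfs_server_1 | quote }}`. The fixed pod and container `securityContext` (non-root UID 1000, no privilege escalation, all capabilities dropped, read-only root filesystem, read-only NFS mounts) is a good baseline; add a short comment above it saying the hardening is intentionally not configurable, since values.yaml still advertises `securityContext` keys that this template never reads. `drop: - all` works on the container runtimes I know of, but `ALL` is the spelling the Kubernetes documentation uses.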
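Review bot: `apiVersion: autoscaling/v2beta1` was removed from Kubernetes in 1.25, so this HorizontalPodAutoscaler will fail to apply on current clusters even though `autoscaling.enabled` defaults to false today. Move to `autoscaling/v2`, where the per-metric `targetAverageUtilization` field becomes a nested `target` block; narrativelog's hpa.yaml is listed in the diffstat but not in view and presumably needs the same change.
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
# … unchanged: metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```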
@@ -0,0 +1,34 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "exposurelog.fullname" . }} + labels: + {{- include "exposurelog.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- if .Values.ingress.gafaelfawrAuthQuery }} + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" + nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login" + nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + rules: + - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + http: + paths: + - path: {{ default "/exposurelog" .Values.ingress.path }} + pathType: {{ default "Prefix" .Values.ingress.pathType }} + backend: + service: + name: {{ include "exposurelog.fullname" . }} + port: + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/exposurelog/templates/service.yaml b/services/exposurelog/templates/service.yaml new file mode 100644 index 0000000000..d482f5c0fc --- /dev/null +++ b/services/exposurelog/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "exposurelog.fullname" . }} + labels: + {{- include "exposurelog.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "exposurelog.selectorLabels" . | nindent 4 }} 
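Review bot: The Gafaelfawr `auth-url`/`auth-signin` annotations are emitted only when `ingress.gafaelfawrAuthQuery` is non-empty, and nothing in this patch sets it: the new values.yaml does not declare the key and the base, roe, summit and tucson-teststand files set only `ingress.enabled` and `ingress.host`, so every environment that enables the ingress publishes `/exposurelog` without any authentication gate. If that is intended, say so with a comment on the `{{- if }}` line; if not, fail fast with `{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}` and give it a default in values.yaml. The `auth-response-headers` list forwards `X-Auth-Request-Token` to the backend, which hands each user's bearer token to exposurelog; that is fine if the service needs it for delegated calls, but it deserves a comment, and dropping it otherwise shrinks the blast radius of a compromised backend. Setting both the deprecated `kubernetes.io/ingress.class` annotation and `ingressClassName` can also make two controllers claim the object; prefer one.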
diff --git a/services/exposurelog/templates/tests/test-connection.yaml b/services/exposurelog/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..c8964e4f02 --- /dev/null +++ b/services/exposurelog/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "exposurelog.fullname" . }}-test-connection" + labels: + {{- include "exposurelog.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "exposurelog.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/services/exposurelog/values-base.yaml b/services/exposurelog/values-base.yaml index db15e4c24f..7569f71524 100644 --- a/services/exposurelog/values-base.yaml +++ b/services/exposurelog/values-base.yaml @@ -1,7 +1,11 @@ # WARNING: this is a "playground" deployment # using exposurelog's built-in test butler registries. exposurelog: - pull_secret: pull-secret + imagePullSecrets: + - name: pull-secret + ingress: + enabled: true + host: base-lsp.lsst.codes site_id: test # Use the test butler registries. @@ -9,20 +13,6 @@ exposurelog: butler_uri_1: LSSTCam butler_uri_2: LATISS - ingress: - enabled: true - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: base-lsp.lsst.codes - paths: - - /exposurelog - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - vault_path: secret/k8s_operator/base-lsp.lsst.codes/postgres pull-secret: diff --git a/services/exposurelog/values-roe.yaml b/services/exposurelog/values-roe.yaml index da905413c0..5fa1ee8f9c 100644 --- a/services/exposurelog/values-roe.yaml +++ b/services/exposurelog/values-roe.yaml 
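Review bot: The environment overrides here (and in values-roe, values-summit and the new values-tucson-teststand later in this patch) still nest everything under an `exposurelog:` top-level key, but with the chart's templates now living in this package the templates read `.Values.imagePullSecrets`, `.Values.ingress.host` and `.Values.site_id` at the top level, so unless something outside this patch re-maps them these overrides are ignored and each environment renders with the defaults from values.yaml, including `ingress.enabled: false` and `site_id: ""`. The gafaelfawr hunks in this same series made exactly this flattening when their chart moved inline, which is the change these files need: drop the `exposurelog:` line and dedent its children. `vault_path:` is likewise not read by any template in this commit, so either a consumer exists elsewhere or it is leftover from the old wrapper chart and should be removed or commented.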
@@ -1,7 +1,11 @@ # WARNING: this is a "playground" deployment # using exposurelog's built-in test butler registries. exposurelog: - pull_secret: pull-secret + imagePullSecrets: + - name: pull-secret + ingress: + enabled: true + host: rsp.lsst.ac.uk site_id: test # Use the test butler registries. @@ -9,20 +13,6 @@ exposurelog: butler_uri_1: LSSTCam butler_uri_2: LATISS - ingress: - enabled: true - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: rsp.lsst.ac.uk - paths: - - /exposurelog - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - vault_path: secret/k8s_operator/roe/postgres pull-secret: diff --git a/services/exposurelog/values-summit.yaml b/services/exposurelog/values-summit.yaml index d3f9f94552..299a094731 100644 --- a/services/exposurelog/values-summit.yaml +++ b/services/exposurelog/values-summit.yaml @@ -1,5 +1,9 @@ exposurelog: - pull_secret: pull-secret + imagePullSecrets: + - name: pull-secret + ingress: + enabled: true + host: summit-lsp.lsst.codes site_id: summit nfs_path_1: /repo/LSSTComCam # Mounted as /volume_1 @@ -10,20 +14,6 @@ exposurelog: nfs_server_2: atarchiver.cp.lsst.org butler_uri_2: /volume_2 - ingress: - enabled: true - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: summit-lsp.lsst.codes - paths: - - /exposurelog - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - vault_path: secret/k8s_operator/summit-lsp.lsst.codes/postgres pull-secret: diff --git a/services/exposurelog/values-tucson-teststand.yaml b/services/exposurelog/values-tucson-teststand.yaml new file mode 100644 index 0000000000..cefdbe8cd0 --- /dev/null +++ b/services/exposurelog/values-tucson-teststand.yaml 
@@ -0,0 +1,20 @@ +# WARNING: this is a "playground" deployment +# using exposurelog's built-in test butler registries. +exposurelog: + imagePullSecrets: + - name: pull-secret + ingress: + enabled: true + host: tucson-teststand.lsst.codes + + site_id: test + # Use the test butler registries. + # Note: exposurelog's Dockerfile copies the test repos to the top of the container + butler_uri_1: LSSTCam + butler_uri_2: LATISS + +vault_path: secret/k8s_operator/tucson-teststand.lsst.codes/postgres + +pull-secret: + enabled: true + path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret diff --git a/services/exposurelog/values.yaml b/services/exposurelog/values.yaml new file mode 100644 index 0000000000..995bc45e0a --- /dev/null +++ b/services/exposurelog/values.yaml 
@@ -0,0 +1,92 @@ +# Default values for exposurelog. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: lsstsqre/exposurelog + pullPolicy: Always + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +# If not blank then mount the specified NFS path as internal volume /volume_1 or /volume_2, respectively. +nfs_path_1: "" +nfs_path_2: "" + +# Name of the NFS server that exports nfs_path_1 or nfs_path_2, respectively. +nfs_server_1: "" +nfs_server_2: "" + +# URIs for butler registry 1 (required) and 2 (optional). Format: +# * For a volume mounted using `nfs_path_1` or `nfs_path_2` (see above): +# An absolute path starting with `/volume_1/` or /volume_2/`. +# * For a network URI: see the daf_butler documentation. +# The default for butler_uri_1 is a local toy registry, because *some* value is necessary. +# Always override that for production use. +butler_uri_1: /home/appuser/hsc_raw +butler_uri_2: "" + +# Site ID; a non-empty string of up to 16 characters. +# This must be different for each deployment, in order to support +# synchronization of records from one message database to another. +site_id: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 8080 + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: bleed.lsst.codes + paths: ["/exposurelog"] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. 
This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml index 3c96dd8481..28db5994d9 100644 --- a/services/narrativelog/Chart.yaml +++ b/services/narrativelog/Chart.yaml @@ -1,10 +1,16 @@ apiVersion: v2 name: narrativelog -version: 0.0.1 -dependencies: - - name: narrativelog - version: ">=0.0.1" - repository: https://lsst-sqre.github.io/charts/ - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ +description: Narrative log service +maintainers: + - name: r-owen +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.1 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: 0.2.0 diff --git a/services/narrativelog/templates/_helpers.tpl b/services/narrativelog/templates/_helpers.tpl new file mode 100644 index 0000000000..fdd165f0a6 --- /dev/null +++ b/services/narrativelog/templates/_helpers.tpl 
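Review bot: Several keys in this defaults file are not read by any template in the commit, while several keys the templates do read are not declared here, which makes `helm-docs`-style discovery and review of the security-relevant knobs unreliable. `podSecurityContext`, `securityContext` (with its commented hardening examples) and `ingress.hosts`/`ingress.tls` are never referenced; the deployment hard-codes its own securityContext and ingress.yaml reads `ingress.host`, `ingress.path`, `ingress.pathType`, `ingress.className` and `ingress.gafaelfawrAuthQuery`, none of which appear here. Replace the stale scaffold block with the keys the templates consume, e.g. `host: ""`, `path: "/exposurelog"`, `pathType: "Prefix"`, `className: ""`, `gafaelfawrAuthQuery: ""`, each with a one-line comment, and delete the unused `securityContext` blocks or note that hardening is fixed in the template. The default `bleed.lsst.codes` host is also leftover scaffold that no environment uses.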
@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "narrativelog.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "narrativelog.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "narrativelog.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "narrativelog.labels" -}}
+helm.sh/chart: {{ include "narrativelog.chart" . }}
+{{ include "narrativelog.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "narrativelog.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "narrativelog.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/services/narrativelog/templates/deployment.yaml b/services/narrativelog/templates/deployment.yaml
new file mode 100644
index 0000000000..5486f4d508
--- /dev/null
+++ b/services/narrativelog/templates/deployment.yaml
@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "narrativelog.fullname" . }}
+ labels:
+ {{- include "narrativelog.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "narrativelog.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "narrativelog.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /narrativelog
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /narrativelog
+ port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ - name: NARRATIVELOG_DB_USER
+ value: narrativelog
+ - name: NARRATIVELOG_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: narrativelog_password
+ - name: NARRATIVELOG_DB_HOST
+ value: postgres.postgres
+ - name: NARRATIVELOG_DB_PORT
+ value: "5432"
+ - name: NARRATIVELOG_DB_DATABSE
+ value: narrativelog
+ - name: SITE_ID
+ value: {{ .Values.site_id | quote }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
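Review bot: The env var name `NARRATIVELOG_DB_DATABSE` looks like a typo for `NARRATIVELOG_DB_DATABASE`; if the application reads the latter (its code is not in this change, so presumably), the value `narrativelog` never reaches it and whatever default database name the app has is used instead, so the line should read `- name: NARRATIVELOG_DB_DATABASE`. The container `securityContext` is otherwise good (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, pod-level `runAsNonRoot`), but spell the dropped capability `- ALL`: that is the form the Kubernetes docs and the Pod Security restricted profile use, and I would not rely on the runtime case-folding `all`. Adding `seccompProfile: {type: RuntimeDefault}` to the pod-level `securityContext` would complete the restricted profile. Note also that the `secretKeyRef` expects a pre-existing Secret `postgres` with key `narrativelog_password` in the release namespace and nothing in this chart creates it; a one-line comment in values.yaml naming that dependency would help the next deployer.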
diff --git a/services/narrativelog/templates/hpa.yaml b/services/narrativelog/templates/hpa.yaml
new file mode 100644
index 0000000000..f6f914dabb
--- /dev/null
+++ b/services/narrativelog/templates/hpa.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "narrativelog.fullname" . }}
+ labels:
+ {{- include "narrativelog.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "narrativelog.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/services/narrativelog/templates/ingress.yaml b/services/narrativelog/templates/ingress.yaml
new file mode 100644
index 0000000000..40639c348a
--- /dev/null
+++ b/services/narrativelog/templates/ingress.yaml
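Review bot: hpa.yaml targets `autoscaling/v2beta1`, an API removed in Kubernetes 1.25; for a brand-new chart use `autoscaling/v2`, which also changes the metric shape from `targetAverageUtilization` to a `target` block. Autoscaling is off by default (`autoscaling.enabled: false` in values.yaml), so nothing breaks today, but the template as written fails to apply on a current cluster the day someone turns it on. The rewritten metrics section below is the only part that changes besides the apiVersion.

```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
# … unchanged: metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```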
@@ -0,0 +1,34 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ template "narrativelog.fullname" . }}
+ labels:
+ {{- include "narrativelog.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ {{- if .Values.ingress.gafaelfawrAuthQuery }}
+ nginx.ingress.kubernetes.io/auth-method: "GET"
+ nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token"
+ nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login"
+ nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}"
+ {{- end }}
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.ingress.className }}
+ ingressClassName: {{ .Values.ingress.className }}
+ {{- end }}
+ rules:
+ - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }}
+ http:
+ paths:
+ - path: {{ default "/narrativelog" .Values.ingress.path }}
+ pathType: {{ default "Prefix" .Values.ingress.pathType }}
+ backend:
+ service:
+ name: {{ include "narrativelog.fullname" . }}
+ port:
+ number: {{ .Values.service.port }}
+{{- end }}
diff --git a/services/narrativelog/templates/networkpolicy.yaml b/services/narrativelog/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..99615234a1
--- /dev/null
+++ b/services/narrativelog/templates/networkpolicy.yaml
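Review bot: The Gafaelfawr `auth-url`/`auth-signin` annotations are only emitted when `.Values.ingress.gafaelfawrAuthQuery` is set, and the values.yaml added in this same commit does not declare that key (nor `ingress.host`, `path`, `pathType` or `className`; it carries the chart-scaffold `hosts`/`tls` lists the template never reads). So an operator who enables the ingress and supplies `ingress.host` (which `required` forces) but not `gafaelfawrAuthQuery` publishes the narrativelog API on `/narrativelog` with no authentication in front of it; the NetworkPolicy in this chart only limits which pods may reach it, not who is calling. I would fail the render instead: `{{- $authQuery := required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}` and use `$authQuery` unconditionally in `auth-url`. Declaring the real keys in values.yaml, each with a comment, would also make the documented inputs match what the template consumes.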
@@ -0,0 +1,23 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "narrativelog.fullname" . }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "narrativelog.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow inbound access from pods (in any namespace) labeled
+ # gafaelfawr.lsst.io/ingress: true.
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ gafaelfawr.lsst.io/ingress: "true"
+ ports:
+ - protocol: "TCP"
+ port: 8080
+{{- end }}
diff --git a/services/narrativelog/templates/service.yaml b/services/narrativelog/templates/service.yaml
new file mode 100644
index 0000000000..e8998542f0
--- /dev/null
+++ b/services/narrativelog/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "narrativelog.fullname" . }}
+ labels:
+ {{- include "narrativelog.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "narrativelog.selectorLabels" . | nindent 4 }}
diff --git a/services/narrativelog/templates/tests/test-connection.yaml b/services/narrativelog/templates/tests/test-connection.yaml
new file mode 100644
index 0000000000..4fa4b38980
--- /dev/null
+++ b/services/narrativelog/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "narrativelog.fullname" . }}-test-connection"
+ labels:
+ {{- include "narrativelog.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "narrativelog.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/services/narrativelog/values.yaml b/services/narrativelog/values.yaml
new file mode 100644
index 0000000000..051eb0df7c
--- /dev/null
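Review bot: The NetworkPolicy is wrapped in `{{- if .Values.ingress.enabled -}}`, which inverts the least-privilege default: with the ingress disabled there is no legitimate external caller, yet that is exactly when no policy is applied and any pod in the cluster (subject to the CNI default) can reach the service. Drop the condition, or gate it on its own value such as `networkPolicy.enabled: true`, so the gafaelfawr-ingress-only rule always applies. The port is also hardcoded as `port: 8080` instead of `port: {{ .Values.service.port }}` (the pod's `containerPort` is driven by that value), so changing `service.port` would leave the policy allowing a port nothing listens on and block the ingress.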
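Review bot: The helm test pod uses `image: busybox` with no tag or digest, i.e. a mutable `latest` from Docker Hub, and runs with no `securityContext` and no `imagePullSecrets`, unlike the main Deployment in this chart. For a pod that `helm test` creates inside the application namespace I would pin the image to a specific tag or digest, give it the same `runAsNonRoot`/`allowPrivilegeEscalation: false` settings as the application container, and pass `.Values.imagePullSecrets` through so the test does not fail on clusters that depend on them.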
+++ b/services/narrativelog/values.yaml
@@ -0,0 +1,75 @@
+# Default values for narrativelog.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: lsstsqre/narrativelog
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+# Site ID; a non-empty string of up to 16 characters.
+# This must be different for each deployment, in order to support
+# synchronization of records from one message database to another.
+site_id: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 8080
+
+ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: bleed.lsst.codes
+ paths: ["/narrativelog"]
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
From 0f91417e5fb43e796de20fc0c4d1e7118e0194a9 Mon Sep 17 00:00:00 2001
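Review bot: Several keys here are dead with respect to the templates added in the same commit: `podSecurityContext` and `securityContext` are never referenced by deployment.yaml (it hardcodes its own), and `ingress.hosts`, `ingress.tls` and the commented `kubernetes.io/ingress.class` annotation do not match what ingress.yaml reads (`ingress.host`, `ingress.path`, `ingress.pathType`, `ingress.className`, `ingress.gafaelfawrAuthQuery`). Declare the keys the templates consume — at minimum `host: ""`, `path: "/narrativelog"` and `gafaelfawrAuthQuery: ""` with a comment that the last one is what puts Gafaelfawr authentication in front of the service — and delete the scaffold leftovers, otherwise an operator filling in `tls`/`hosts` gets an unprotected ingress behind a misleading config. `site_id` is documented as required and non-empty but defaults to `""`; a `required` in deployment.yaml or a values.schema.json would turn a missing override into a render error instead of a deployment that cannot synchronize records.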
From: adam
Date: Wed, 9 Mar 2022 13:15:28 -0700
Subject: [PATCH 0083/1479] Break out telegraf service
---
 services/telegraf/Chart.yaml | 8 ++++
 services/telegraf/README.md | 25 +++++++++++
 services/telegraf/README.md.gotmpl | 9 ++++
 services/telegraf/templates/vault-secret.yaml | 16 +++++++
 services/telegraf/values-idfdev.yaml | 6 +++
 services/telegraf/values-minikube.yaml | 6 +++
 services/telegraf/values.yaml | 43 +++++++++++++++++++
 7 files changed, 113 insertions(+)
 create mode 100644 services/telegraf/Chart.yaml
 create mode 100644 services/telegraf/README.md
 create mode 100644 services/telegraf/README.md.gotmpl
 create mode 100644 services/telegraf/templates/vault-secret.yaml
 create mode 100644 services/telegraf/values-idfdev.yaml
 create mode 100644 services/telegraf/values-minikube.yaml
 create mode 100644 services/telegraf/values.yaml
diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml
new file mode 100644
index 0000000000..da41808597
--- /dev/null
+++ b/services/telegraf/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: telegraf
+version: 1.0.0
+description: SQuaRE telemetry collection service
+dependencies:
+ - name: telegraf
+ version: 1.8.14
+ repository: https://helm.influxdata.com/
diff --git a/services/telegraf/README.md b/services/telegraf/README.md
new file mode 100644
index 0000000000..8dedaf40d8
--- /dev/null
+++ b/services/telegraf/README.md
@@ -0,0 +1,25 @@
+# telegraf
+
+SQuaRE telemetry collection service
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://helm.influxdata.com/ | telegraf | 1.8.14 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| telegraf.config.global_tags.cluster | string | `""` | |
+| telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html |
+| telegraf.config.outputs | list | `[{"influxdb":{"database":"telegraf","password":"$TELEGRAF_PASSWORD","urls":["https://data-dev.lst.cloud/influxdb"],"username":"telegraf"}}]` | Telegraf default output destination. |
+| telegraf.config.processors | object | `{}` | Telegraf processor plugins. |
+| telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"telegraf"}}}` | Telegraf password. |
+| telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. |
+| telegraf.service.enabled | bool | `false` | Telegraf service. |
+| vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//telegraf`) |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/services/telegraf/README.md.gotmpl b/services/telegraf/README.md.gotmpl
new file mode 100644
index 0000000000..4531459bbb
--- /dev/null
+++ b/services/telegraf/README.md.gotmpl
@@ -0,0 +1,9 @@
+{{ template "chart.header" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}
diff --git a/services/telegraf/templates/vault-secret.yaml b/services/telegraf/templates/vault-secret.yaml
new file mode 100644
index 0000000000..b6c046ae26
--- /dev/null
+++ b/services/telegraf/templates/vault-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: telegraf
+ namespace: telegraf
+spec:
+ path: {{ .Values.vaultSecretsPath }}/telegraf
+ type: Opaque
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: pull-secret
+spec:
+ path: {{ .Values.vaultSecretsPath }}/pull-secret
+ type: kubernetes.io/dockerconfigjson
diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml
new file mode 100644
index 0000000000..3c98a4f098
--- /dev/null
+++ b/services/telegraf/values-idfdev.yaml
@@ -0,0 +1,6 @@
+telegraf:
+ config:
+ global_tags:
+ cluster: data-dev.lsst.cloud
+
+vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud
diff --git a/services/telegraf/values-minikube.yaml b/services/telegraf/values-minikube.yaml
new file mode 100644
index 0000000000..4f24c2bb3b
--- /dev/null
+++ b/services/telegraf/values-minikube.yaml
@@ -0,0 +1,6 @@
+telegraf:
+ config:
+ global_tags:
+ cluster: minikube.lsst.codes
+
+vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes
diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml
new file mode 100644
index 0000000000..41417aa7dc
--- /dev/null
+++ b/services/telegraf/values.yaml
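Review bot: The `telegraf` VaultSecret hardcodes `namespace: telegraf` while the `pull-secret` VaultSecret in the same file omits it, so installing this chart into any other namespace (Argo CD sets the destination namespace on the Application) lands the two Secrets in different places; drop the `namespace:` line and let the release namespace apply to both. `path: {{ .Values.vaultSecretsPath }}/telegraf` is rendered unquoted from a value that defaults to `""`, which yields the path `/telegraf` rather than an error — wrap it as `path: {{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath }}/telegraf`. A comment that the Vault entry must carry a `telegraf-password` key (what the `secretKeyRef` in values.yaml expects) would document the contract this file implies.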
@@ -0,0 +1,43 @@
+telegraf:
+ # -- Allow network access to JupyterHub pod.
+ podLabels:
+ hub.jupyter.org/network-access-hub: "true"
+ env:
+ # -- Telegraf password.
+ - name: TELEGRAF_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: telegraf
+ key: telegraf-password
+ service:
+ # -- Telegraf service.
+ enabled: false
+ config:
+ global_tags:
+ # -- Cluster name -- should be same as FQDN of RSP endpoint
+ # @default -- None, must be set
+ c
luster: ""
+ # -- Telegraf processor plugins.
+ processors: {}
+ # -- Telegraf input plugins.
+ # Collect JupyterHub Prometheus metrics by dedault.
+ # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html
+ inputs:
+ - prometheus:
+ urls:
+ - http://hub.nublado2:8081/nb/hub/metrics
+ # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/
+ metric_version: 2
+ # -- Telegraf default output destination.
+ outputs:
+ - influxdb:
+ urls:
+ # Eventually change for Roundtable
+ - "https://data-dev.lst.cloud/influxdb"
+ database: "telegraf"
+ username: "telegraf"
+ password: "$TELEGRAF_PASSWORD"
+
+# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`)
+# @default -- None, must be set
+vaultSecretsPath: ""
From 9c0248a3d474a7131b4aac11c6ec9e02e1f2f802 Mon Sep 17 00:00:00 2001
From: adam
Date: Wed, 9 Mar 2022 13:19:14 -0700
Subject: [PATCH 0084/1479] Remove telegraf from sasquatch
---
 services/sasquatch/Chart.yaml | 3 --
 services/sasquatch/README.md | 9 +----
 .../charts/kafka-connect-manager/README.md | 2 +-
 .../sasquatch/charts/strimzi-kafka/README.md | 2 +-
 services/sasquatch/values.yaml | 35 ------------------
 5 files changed, 3 insertions(+), 48 deletions(-)
diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml
index 94240a7674..34a4bc1107 100644
--- a/services/sasquatch/Chart.yaml
+++ b/services/sasquatch/Chart.yaml
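Review bot: The default InfluxDB output URL is `https://data-dev.lst.cloud/influxdb` — `lst.cloud`, not `lsst.cloud` as used everywhere else in this commit (values-idfdev.yaml sets `cluster: data-dev.lsst.cloud`). If that is a typo, every deployment that does not override `outputs` sends the `telegraf` username and the Vault-sourced `$TELEGRAF_PASSWORD`, plus the scraped JupyterHub metrics, to a domain the project does not control; fix it to `"https://data-dev.lsst.cloud/influxdb"`, and given the `# Eventually change for Roundtable` note, consider making the URL a per-environment value with no default so a credential is never sent to a baked-in host. This is the one hop that leaves the cluster, so a comment that the URL must remain `https://` is worth the line.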
@@ -19,6 +19,3 @@ dependencies:
 - name: kapacitor
 version: 1.4.4
 repository: https://helm.influxdata.com/
- - name: telegraf
- version: 1.8.14
- repository: https://helm.influxdata.com/
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md
index e8ecb0919e..d0bba03883 100644
--- a/services/sasquatch/README.md
+++ b/services/sasquatch/README.md
@@ -11,7 +11,6 @@ SQuaRE telemetry data service.
 | https://helm.influxdata.com/ | chronograf | 1.2.3 |
 | https://helm.influxdata.com/ | influxdb | 4.10.6 |
 | https://helm.influxdata.com/ | kapacitor | 1.4.3 |
-| https://helm.influxdata.com/ | telegraf | 1.8.14 |
 | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 1.2.0 |
 
 ## Values
@@ -36,13 +35,7 @@ SQuaRE telemetry data service.
 | kapacitor.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. |
 | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. |
 | strimzi-registry-operator | object | `{"clusterName":"sasquatch","operatorNamespace":"sasquatch","watchNamespace":"sasquatch"}` | strimzi-registry-operator configuration. |
-| telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html |
-| telegraf.config.outputs | list | `[{"influxdb":{"database":"telegraf","password":"$TELEGRAF_PASSWORD","urls":["http://sasquatch-influxdb.sasquatch:8086"],"username":"telegraf"}}]` | Telegraf default output destination. |
-| telegraf.config.processors | object | `{}` | Telegraf processor plugins. |
-| telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"sasquatch"}}}` | Telegraf password. |
-| telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. |
-| telegraf.service.enabled | bool | `false` | Telegraf service. |
 | vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//sasquatch`) |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md
index 41b0cfe86f..454e7fac0b 100644
--- a/services/sasquatch/charts/kafka-connect-manager/README.md
+++ b/services/sasquatch/charts/kafka-connect-manager/README.md
@@ -74,4 +74,4 @@ A sub chart to deploy the Kafka connectors used by Sasquatch.
 | s3Sink.topicsRegex | string | `".*"` | Regex to select topics from Kafka. |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md
index 84c2c604dd..bd80e77c10 100644
--- a/services/sasquatch/charts/strimzi-kafka/README.md
+++ b/services/sasquatch/charts/strimzi-kafka/README.md
@@ -23,4 +23,4 @@ A sub chart to deploy Strimzi Kafka components for Sasquatch.
 | zookeeper.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml
index 78def2482e..12e04b7eeb 100644
--- a/services/sasquatch/values.yaml
+++ b/services/sasquatch/values.yaml
@@ -99,41 +99,6 @@ kapacitor:
 envVars:
 KAPACITOR_SLACK_ENABLED: true
 
-telegraf:
- # -- Allow network access to JupyterHub pod.
- podLabels:
- hub.jupyter.org/network-access-hub: "true"
- env:
- # -- Telegraf password.
- - name: TELEGRAF_PASSWORD
- valueFrom:
- secretKeyRef:
- name: sasquatch
- key: telegraf-password
- service:
- # -- Telegraf service.
- enabled: false
- config:
- # -- Telegraf processor plugins.
- processors: {}
- # -- Telegraf input plugins.
- # Collect JupyterHub Prometheus metrics by dedault.
- # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html
- inputs:
- - prometheus:
- urls:
- - http://hub.nublado2:8081/nb/hub/metrics
- # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/
- metric_version: 2
- # -- Telegraf default output destination.
- outputs:
- - influxdb:
- urls:
- - "http://sasquatch-influxdb.sasquatch:8086"
- database: "telegraf"
- username: "telegraf"
- password: "$TELEGRAF_PASSWORD"
-
 # -- Path to the Vault secrets (`secret/k8s_operator//sasquatch`)
 # @default -- None, must be set
 vaultSecretsPath: ""
From d1bd5c55f0456a57819087a95e46af25f538705a Mon Sep 17 00:00:00 2001
From: adam
Date: Wed, 9 Mar 2022 13:27:08 -0700
Subject: [PATCH 0085/1479] Add telegraf application and enabling switch
---
 .../templates/telegraf-application.yaml | 29 +++++++++++++++++++
 science-platform/values-base.yaml | 2 ++
 science-platform/values-idfdev.yaml | 2 ++
 science-platform/values-idfint.yaml | 2 ++
 science-platform/values-idfprod.yaml | 2 ++
 science-platform/values-minikube.yaml | 2 ++
 science-platform/values-red-five.yaml | 2 ++
 science-platform/values-roe.yaml | 2 ++
 science-platform/values-squash-sandbox.yaml | 2 ++
 science-platform/values-stable.yaml | 2 ++
 science-platform/values-summit.yaml | 2 ++
 science-platform/values-tucson-teststand.yaml | 2 ++
 science-platform/values.yaml | 2 ++
 13 files changed, 53 insertions(+)
 create mode 100644 science-platform/templates/telegraf-application.yaml
diff --git a/science-platform/templates/telegraf-application.yaml b/science-platform/templates/telegraf-application.yaml
new file mode 100644
index 0000000000..77a4fcdb60
--- /dev/null
+++ b/science-platform/templates/telegraf-application.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.telegraf.enabled -}}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: telegraf
+spec:
+ finalizers:
+ - kubernetes
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: telegraf
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: telegraf
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: services/telegraf
+ repoURL: {{ .Values.repoURL }}
+ targetRevision: {{ .Values.revision }}
+ helm:
+ valueFiles:
+ - values-{{ .Values.environment }}.yaml
+{{- end -}}
diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml
index e204ece055..588f1ee24f 100644
--- a/science-platform/values-base.yaml
+++ b/science-platform/values-base.yaml
@@ -52,6 +52,8 @@ tap:
 enabled: false
 tap_schema:
 enabled: false
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml
index ffb0ec8dca..bc65d035af 100644
--- a/science-platform/values-idfdev.yaml
+++ b/science-platform/values-idfdev.yaml
@@ -54,6 +54,8 @@ tap:
 enabled: true
 tap_schema:
 enabled: true
+telegraf:
+ enabled: true
 times_square:
 enabled: true
 vault_secrets_operator:
diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml
index 0d12427e64..f88fee6371 100644
--- a/science-platform/values-idfint.yaml
+++ b/science-platform/values-idfint.yaml
@@ -54,6 +54,8 @@ tap:
 enabled: true
 tap_schema:
 enabled: true
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
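Review bot: `repoURL: {{ .Values.repoURL }}` and `targetRevision: {{ .Values.revision }}` are rendered unquoted; a revision such as `1.10` would be read as a number by Argo CD's YAML loader and an empty value becomes `null` rather than a render error. Quote them — `targetRevision: {{ .Values.revision | quote }}` — or wrap them in `required`. The Application is also placed in `project: default`, whose built-in AppProject permits any source repository, any destination and any resource kind; if the other science-platform Applications do the same this is at least consistent, but a dedicated AppProject scoped to this repoURL and the `telegraf` namespace is the least-privilege shape and is cheap to add now.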
diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml
index fad1db469f..6b78fc569f 100644
--- a/science-platform/values-idfprod.yaml
+++ b/science-platform/values-idfprod.yaml
@@ -54,6 +54,8 @@ tap:
 enabled: true
 tap_schema:
 enabled: true
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml
index b7c92edbc5..f9421c6471 100644
--- a/science-platform/values-minikube.yaml
+++ b/science-platform/values-minikube.yaml
@@ -54,6 +54,8 @@ tap:
 enabled: true
 tap_schema:
 enabled: true
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-red-five.yaml b/science-platform/values-red-five.yaml
index 5699d8dc8c..da41a5919e 100644
--- a/science-platform/values-red-five.yaml
+++ b/science-platform/values-red-five.yaml
@@ -52,6 +52,8 @@ tap:
 enabled: true
 tap_schema:
 enabled: true
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml
index 1079503b9b..fb3abae17a 100644
--- a/science-platform/values-roe.yaml
+++ b/science-platform/values-roe.yaml
@@ -50,6 +50,8 @@ tap:
 enabled: true
 tap_schema:
 enabled: true
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml
index 76b98979ca..030b2aa3a6 100644
--- a/science-platform/values-squash-sandbox.yaml
+++ b/science-platform/values-squash-sandbox.yaml
@@ -52,6 +52,8 @@ tap:
 enabled: false
 tap_schema:
 enabled: false
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml
index 5c6c120791..4d895e8b99 100644
--- a/science-platform/values-stable.yaml
+++ b/science-platform/values-stable.yaml
@@ -54,6 +54,8 @@ tap:
 enabled: true
 tap_schema:
 enabled: true
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml
index 2ed4bc4dc0..93f869d596 100644
--- a/science-platform/values-summit.yaml
+++ b/science-platform/values-summit.yaml
@@ -54,6 +54,8 @@ tap:
 enabled: false
 tap_schema:
 enabled: false
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml
index d7974e819e..3fca34e7dc 100644
--- a/science-platform/values-tucson-teststand.yaml
+++ b/science-platform/values-tucson-teststand.yaml
@@ -52,6 +52,8 @@ tap:
 enabled: false
 tap_schema:
 enabled: false
+telegraf:
+ enabled: false
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values.yaml b/science-platform/values.yaml
index 494bb56df0..94b9abf28c 100644
--- a/science-platform/values.yaml
+++ b/science-platform/values.yaml
@@ -34,6 +34,8 @@ postgres:
 enabled: false
 sasquatch:
 enabled: false
+telegraf:
+ enabled: false
 semaphore:
 enabled: false
 sherlock:
From 8e3dbe29ec5e4ba80db0520948024b601a835e06 Mon Sep 17 00:00:00 2001
From: adam
Date: Thu, 10 Mar 2022 13:21:24 -0700
Subject: [PATCH 0086/1479] Add influxdb2
---
 .../templates/influxdb2-application.yaml | 29 +++++++++++
 science-platform/values-base.yaml | 2 +
 science-platform/values-idfdev.yaml | 2 +
 science-platform/values-idfint.yaml | 2 +
 science-platform/values-idfprod.yaml | 2 +
 science-platform/values-int.yaml | 2 +
 science-platform/values-minikube.yaml | 2 +
 science-platform/values-red-five.yaml | 2 +
 science-platform/values-roe.yaml | 2 +
 science-platform/values-squash-sandbox.yaml | 2 +
 science-platform/values-stable.yaml | 2 +
 science-platform/values-summit.yaml | 2 +
 science-platform/values-tucson-teststand.yaml | 2 +
 science-platform/values.yaml | 2 +
 services/influxdb2/Chart.yaml | 8 ++++
 services/influxdb2/README.md | 23 +++++++++
 services/influxdb2/README.md.gotmpl | 9 ++++
 .../influxdb2/templates/vault-secret.yaml | 16 +++++++
 services/influxdb2/values-idfdev.yaml | 1 +
 services/influxdb2/values-minikube.yaml | 1 +
 services/influxdb2/values.yaml | 48 +++++++++++++++++++
 21 files changed, 161 insertions(+)
 create mode 100644 science-platform/templates/influxdb2-application.yaml
 create mode 100644 services/influxdb2/Chart.yaml
 create mode 100644 services/influxdb2/README.md
 create mode 100644 services/influxdb2/README.md.gotmpl
 create mode 100644 services/influxdb2/templates/vault-secret.yaml
 create mode 100644 services/influxdb2/values-idfdev.yaml
 create mode 100644 services/influxdb2/values-minikube.yaml
 create mode 100644 services/influxdb2/values.yaml
diff --git a/science-platform/templates/influxdb2-application.yaml b/science-platform/templates/influxdb2-application.yaml
new file mode 100644
index 0000000000..05ca1a7e10
--- /dev/null
+++ b/science-platform/templates/influxdb2-application.yaml
@@ -0,0 +1,29 @@ +{{- if .Values.influxdb2.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: influxdb2 +spec: + finalizers: + - kubernetes +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: influxdb2 + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: influxdb2 + server: https://kubernetes.default.svc + project: default + source: + path: services/influxdb2 + repoURL: {{ .Values.repoURL }} + targetRevision: {{ .Values.revision }} + helm: + valueFiles: + - values-{{ .Values.environment }}.yaml +{{- end -}} diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml index 588f1ee24f..8c09a33dc1 100644 --- a/science-platform/values-base.yaml +++ b/science-platform/values-base.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: true gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: false moneypenny: diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index bc65d035af..5809a500f2 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: false gafaelfawr: enabled: true +influxdb2: + enabled: true mobu: enabled: true moneypenny: diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index f88fee6371..7eea11a750 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: false gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index 6b78fc569f..b80747595b 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: false gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: true moneypenny: 
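Review bot: The Application in science-platform/templates/influxdb2-application.yaml is placed in `project: default`, which in Argo CD permits any source repository and any destination namespace, so the project contributes no restriction on what a change under services/influxdb2 can deploy. If the repository's other Application templates share the default project this is at least consistent with them, but a dedicated AppProject whose `sourceRepos` is limited to this repository and whose `destinations` is limited to the influxdb2 namespace would bound what a mistaken or compromised chart change can touch. The per-environment `influxdb2: enabled:` toggles in the same commit are fine as they are.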
diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index ffbb980640..0c9b8505cc 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: false gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index f9421c6471..a576162492 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: false gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-red-five.yaml b/science-platform/values-red-five.yaml index da41a5919e..89a3161f9c 100644 --- a/science-platform/values-red-five.yaml +++ b/science-platform/values-red-five.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: false gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: true ingress_nginx: diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml index fb3abae17a..b03bcb4dea 100644 --- a/science-platform/values-roe.yaml +++ b/science-platform/values-roe.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: false gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml index 030b2aa3a6..d1673ddee8 100644 --- a/science-platform/values-squash-sandbox.yaml +++ b/science-platform/values-squash-sandbox.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: false gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: false moneypenny: diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 4d895e8b99..3d58a62c6f 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml 
@@ -16,6 +16,8 @@ exposurelog: enabled: false gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index 93f869d596..7ad2e8a515 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: true gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: false moneypenny: diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index 3fca34e7dc..6f59366d25 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -16,6 +16,8 @@ exposurelog: enabled: true gafaelfawr: enabled: true +influxdb2: + enabled: false mobu: enabled: false moneypenny: diff --git a/science-platform/values.yaml b/science-platform/values.yaml index 94b9abf28c..1b4df7c45f 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml @@ -12,6 +12,8 @@ exposurelog: enabled: false gafaelfawr: enabled: false +influxdb2: + enabled: false ingress_nginx: enabled: false mobu: diff --git a/services/influxdb2/Chart.yaml b/services/influxdb2/Chart.yaml new file mode 100644 index 0000000000..cc1ae19d57 --- /dev/null +++ b/services/influxdb2/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +name: influxdb2 +version: 1.0.0 +description: SQuaRE packaging of InfluxDB2 time-series database +dependencies: + - name: influxdb2 + version: 2.0.9 + repository: https://helm.influxdata.com/ diff --git a/services/influxdb2/README.md b/services/influxdb2/README.md new file mode 100644 index 0000000000..5534e75cdd --- /dev/null +++ b/services/influxdb2/README.md 
@@ -0,0 +1,23 @@ +# influxdb2 + +SQuaRE packaging of InfluxDB2 time-series database + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://helm.influxdata.com/ | influxdb2 | 2.0.9 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| influxdb2.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"900s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | +| influxdb2.image | object | `{"tag":"2.0.9"}` | InfluxDB image tag. | +| influxdb2.ingress | object | disabled | InfluxDB ingress configuration. | +| influxdb2.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | +| influxdb2.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"influxdb2"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | +| vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//telegraf`) | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/influxdb2/README.md.gotmpl b/services/influxdb2/README.md.gotmpl new file mode 100644 index 0000000000..4531459bbb --- /dev/null +++ b/services/influxdb2/README.md.gotmpl 
@@ -0,0 +1,9 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/influxdb2/templates/vault-secret.yaml b/services/influxdb2/templates/vault-secret.yaml new file mode 100644 index 0000000000..b6c046ae26 --- /dev/null +++ b/services/influxdb2/templates/vault-secret.yaml @@ -0,0 +1,16 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: telegraf + namespace: telegraf +spec: + path: {{ .Values.vaultSecretsPath }}/telegraf + type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret +spec: + path: {{ .Values.vaultSecretsPath }}/pull-secret + type: kubernetes.io/dockerconfigjson diff --git a/services/influxdb2/values-idfdev.yaml b/services/influxdb2/values-idfdev.yaml new file mode 100644 index 0000000000..1cea9c026e --- /dev/null +++ b/services/influxdb2/values-idfdev.yaml @@ -0,0 +1 @@ +vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/influxdb2/values-minikube.yaml b/services/influxdb2/values-minikube.yaml new file mode 100644 index 0000000000..c7e771eda8 --- /dev/null +++ b/services/influxdb2/values-minikube.yaml @@ -0,0 +1 @@ +vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes diff --git a/services/influxdb2/values.yaml b/services/influxdb2/values.yaml new file mode 100644 index 0000000000..a80afd2586 --- /dev/null +++ b/services/influxdb2/values.yaml 
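Review bot: The VaultSecret in services/influxdb2/templates/vault-secret.yaml is named `telegraf`, pinned to `namespace: telegraf` and reads `{{ .Values.vaultSecretsPath }}/telegraf`, while the chart's values.yaml in this same commit points `setDefaultUser.user.existingSecret` at a secret called `influxdb2` and the Application deploys the chart into the influxdb2 namespace. As written the admin credentials would be materialised in the telegraf namespace under the telegraf name, and the `influxdb2` secret the chart is told to use would not exist. The three lines look carried over from the telegraf chart; they should read `name: influxdb2`, `namespace: influxdb2` (or no namespace at all, matching the pull-secret object below it) and `path: {{ .Values.vaultSecretsPath }}/influxdb2`, with the README's `vaultSecretsPath` description updated to match.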
@@ -0,0 +1,48 @@ +influxdb2: + # -- InfluxDB image tag. + image: + tag: "2.0.9" + # -- Default InfluxDB user, use influxb-user and influxdb-password keys from secret. + setDefaultUser: + enabled: true + user: + existingSecret: influxdb2 + # -- InfluxDB ingress configuration. + # @default -- disabled + ingress: + enabled: false + tls: false + hostname: "" + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + path: /influxdb2(/|$)(.*) + # -- Override InfluxDB configuration. + # See https://docs.influxdata.com/influxdb/v1.8/administration/config + config: + data: + cache-max-memory-size: 0 + wal-fsync-delay: "100ms" + trace-logging-enabled: true + http: + enabled: true + flux-enabled: true + auth-enabled: true + max-row-limit: 0 + coordinator: + write-timeout: "60s" + max-concurrent-queries: 10 + query-timeout: "900s" + log-queries-after: "15s" + continuous_queries: + enabled: false + # -- InfluxDB Custom initialization scripts. + initScripts: + enabled: true + scripts: + init.iql: |+ + CREATE DATABASE "telegraf" WITH DURATION 30d REPLICATION 1 NAME "rp_30d" + +# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) +# @default -- None, must be set +vaultSecretsPath: "" From 628974f0e308c750d53e8ff11fe7b41a08ec5941 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 10 Mar 2022 13:25:33 -0700 Subject: [PATCH 0087/1479] repoint telegraf to influxdb2 --- services/telegraf/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 41417aa7dc..352cb47a7d 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -33,7 +33,7 @@ telegraf: - influxdb: urls: # Eventually change for Roundtable - - "https://data-dev.lst.cloud/influxdb" + - "https://data-dev.lst.cloud/influxdb2" database: "telegraf" username: "telegraf" password: "$TELEGRAF_PASSWORD" 
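Review bot: The `config`, `setDefaultUser` and `initScripts` blocks in services/influxdb2/values.yaml are InfluxDB 1.x configuration — the comment itself links the v1.8 config reference and `init.iql` is InfluxQL — while Chart.yaml depends on the `influxdb2` chart, whose documented interface is an `adminUser` block with `existingSecret`, `organization`, `bucket` and `retention_policy`. If the influxdb2 chart does not read these keys, then `http.auth-enabled: true`, the default-user secret and the 30d retention policy are all silently ignored and the instance comes up with the chart's own defaults rather than the credentials in the `influxdb2` secret. Worth verifying every key against the influxdb2 chart's values before relying on `auth-enabled` for access control.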
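Review bot: The new output URL in services/telegraf/values.yaml keeps the host `data-dev.lst.cloud`, which looks like a typo of `data-dev.lsst.cloud` as used everywhere else in this series, so the commit changes the path while leaving the hostname wrong. Because this output carries `username: "telegraf"` and `password: "$TELEGRAF_PASSWORD"`, a mistyped domain is more than a dead endpoint: whoever controls that name receives the credential from every cluster that ships these defaults. Suggest `- "https://data-dev.lsst.cloud/influxdb2"` once the host is confirmed.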
From 121ed0d3fb5556964a076b1efa2a2e955863a25c Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 10 Mar 2022 13:32:38 -0700 Subject: [PATCH 0088/1479] Straighten out configuration and get newer versions. --- installer/generate_secrets.py | 13 ++++ services/influxdb2/Chart.yaml | 2 +- .../influxdb2/templates/vault-secret.yaml | 6 +- services/influxdb2/values-idfdev.yaml | 5 ++ services/influxdb2/values.yaml | 63 +++++++------------ services/telegraf/Chart.yaml | 2 +- services/telegraf/values-idfdev.yaml | 16 ++++- services/telegraf/values-minikube.yaml | 8 +++ services/telegraf/values.yaml | 22 +++---- 9 files changed, 81 insertions(+), 56 deletions(-) diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 236af4b522..f2db542904 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py @@ -52,6 +52,8 @@ def generate(self): self._argocd() self._portal() self._vo_cutouts() + self._influxdb2() + self._telegraf() self.input_field("cert-manager", "enabled", "Use cert-manager? (y/n):") use_cert_manager = self.secrets["cert-manager"]["enabled"] @@ -251,6 +253,17 @@ def _argocd(self): self._set_generated("argocd", "server.secretkey", secrets.token_hex(16)) + def _influxdb2(self): + set._set_generated("influxdb2", "admin-password", + secrets.token_hex(16)) + set._set_generated("influxdb2", "admin-token", secrets.token_hex(16)) + + def _telegraf(self): + # Note that this will be *wrong* but will give us the correct + # structure, anyway. Whoever is administering the central InfluxDB2 + # should make a token for each telegraf satellite. + self._set_generated("telegraf", "influx-token", secrets.token_hex(16)) + def _portal(self): pw = secrets.token_hex(32) self._set_generated("portal", "ADMIN_PASSWORD", pw) diff --git a/services/influxdb2/Chart.yaml b/services/influxdb2/Chart.yaml index cc1ae19d57..a9f790bb00 100644 --- a/services/influxdb2/Chart.yaml +++ b/services/influxdb2/Chart.yaml 
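Review bot: `_influxdb2` in installer/generate_secrets.py calls `set._set_generated(...)` on both of its lines — `set` is the Python builtin, so the method raises AttributeError the first time `generate()` reaches the new `self._influxdb2()` call and no influxdb2 secrets are written. Both lines should be `self._set_generated("influxdb2", "admin-password", secrets.token_hex(16))` and `self._set_generated("influxdb2", "admin-token", secrets.token_hex(16))`. Separately, `_telegraf` stores a random `influx-token` that its own comment says will be wrong; since this is a token issued by the central InfluxDB2 rather than a value the installer can mint, prompting for it with `self.input_field("telegraf", "influx-token", ...)` (the pattern the first hunk already uses for cert-manager) would avoid shipping a placeholder credential that is guaranteed to be rejected.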
@@ -4,5 +4,5 @@ version: 1.0.0 description: SQuaRE packaging of InfluxDB2 time-series database dependencies: - name: influxdb2 - version: 2.0.9 + version: 2.0.10 repository: https://helm.influxdata.com/ diff --git a/services/influxdb2/templates/vault-secret.yaml b/services/influxdb2/templates/vault-secret.yaml index b6c046ae26..e68c277cd2 100644 --- a/services/influxdb2/templates/vault-secret.yaml +++ b/services/influxdb2/templates/vault-secret.yaml @@ -1,10 +1,10 @@ apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: - name: telegraf - namespace: telegraf + name: influxdb2 + namespace: influxdb2 spec: - path: {{ .Values.vaultSecretsPath }}/telegraf + path: {{ .Values.vaultSecretsPath }}/influxdb2 type: Opaque --- apiVersion: ricoberger.de/v1alpha1 diff --git a/services/influxdb2/values-idfdev.yaml b/services/influxdb2/values-idfdev.yaml index 1cea9c026e..91bfa066f3 100644 --- a/services/influxdb2/values-idfdev.yaml +++ b/services/influxdb2/values-idfdev.yaml @@ -1 +1,6 @@ +influxdb2: + ingress: + enabled: true + hostname: data-dev-monitoring.lsst.cloud + vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/influxdb2/values.yaml b/services/influxdb2/values.yaml index a80afd2586..a43d4779c7 100644 --- a/services/influxdb2/values.yaml +++ b/services/influxdb2/values.yaml 
@@ -1,48 +1,33 @@ influxdb2: - # -- InfluxDB image tag. - image: - tag: "2.0.9" - # -- Default InfluxDB user, use influxb-user and influxdb-password keys from secret. - setDefaultUser: - enabled: true - user: - existingSecret: influxdb2 - # -- InfluxDB ingress configuration. - # @default -- disabled + # -- InfluxDB2 admin user; uses admin-password/admin-token keys from + # secret. + adminUser: + # Too silly? + organization: "lizard" + bucket: "telegraf" + retention_policy: "30d" + existingSecret: influxdb2 + # -- InfluxDB2 ingress configuration. ingress: + # @default -- False enabled: false - tls: false + tls: true + secretName: influxdb2-tls + # InfluxDB2 can't run behind a routed path--it must be on the root. + # @default -- None, must be set, must not be the same as RSP ingress. hostname: "" + # Note that this requires a CNAME + # from: _acme_challenge.. + # to: _acme_challenge.tls. + # cf https://phalanx.lsst.io/ops/cert-issuer/bootstrapping.html + ingressClassName: nginx annotations: kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/rewrite-target: /$2 - path: /influxdb2(/|$)(.*) - # -- Override InfluxDB configuration. - # See https://docs.influxdata.com/influxdb/v1.8/administration/config - config: - data: - cache-max-memory-size: 0 - wal-fsync-delay: "100ms" - trace-logging-enabled: true - http: - enabled: true - flux-enabled: true - auth-enabled: true - max-row-limit: 0 - coordinator: - write-timeout: "60s" - max-concurrent-queries: 10 - query-timeout: "900s" - log-queries-after: "15s" - continuous_queries: - enabled: false - # -- InfluxDB Custom initialization scripts. 
- initScripts: - enabled: true - scripts: - init.iql: |+ - CREATE DATABASE "telegraf" WITH DURATION 30d REPLICATION 1 NAME "rp_30d" + nginx.ingress.kubernetes.io/rewrite-target: / + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + path: / + pathType: Prefix -# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) +# -- Path to the Vault secrets (`secret/k8s_operator//influxdb2`) # @default -- None, must be set vaultSecretsPath: "" diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index da41808597..9583e3c3ee 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.0 description: SQuaRE telemetry collection service dependencies: - name: telegraf - version: 1.8.14 + version: 1.8.17 repository: https://helm.influxdata.com/ diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index 3c98a4f098..b3fc280244 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml @@ -2,5 +2,19 @@ telegraf: config: global_tags: cluster: data-dev.lsst.cloud - + outputs: + # ARGH Helm and YAML lists not merging. + - influxdb_v2: + urls: + - "https://data-dev-monitoring.lsst.cloud/" + bucket: "telegraf" + token: "$INFLUX_TOKEN" + organization: "lizard" + # Should be less silly, I guess. + inputs: + - prometheus: + urls: + - "https://data-dev.lsst.cloud/nb/hub/metrics" + metric_version: 2 + vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf/values-minikube.yaml b/services/telegraf/values-minikube.yaml index 4f24c2bb3b..af38aaffca 100644 --- a/services/telegraf/values-minikube.yaml +++ b/services/telegraf/values-minikube.yaml 
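Review bot: The ingress block in services/influxdb2/values.yaml keeps `nginx.ingress.kubernetes.io/rewrite-target: /` although `path` is now `/` and the comment says InfluxDB2 must sit on the root; on ingress-nginx releases that treat `path` as a regex for the rewrite (0.22 and later) a rewrite target of `/` with no capture group replaces the whole request URI, so `/api/v2/write` would arrive at the backend as `/`, and the annotation should simply be dropped. It also sets both `ingressClassName: nginx` and the deprecated `kubernetes.io/ingress.class: "nginx"` annotation, so one of the two is redundant. The `# @default -- False` helm-docs marker sits on `enabled` rather than on the `# --` description line for `ingress`, which is why the regenerated README later in this series dumps the entire object as the default instead of a short description.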
@@ -2,5 +2,13 @@ telegraf: config: global_tags: cluster: minikube.lsst.codes + outputs: + - influxdb_v2: + urls: + - "https://data-dev-monitoring.lsst.cloud/" + bucket: "telegraf" + token: "$INFLUX_TOKEN" + organization: "lizard" + # Should be less silly, I guess. vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 352cb47a7d..ad702af04f 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -3,12 +3,12 @@ telegraf: podLabels: hub.jupyter.org/network-access-hub: "true" env: - # -- Telegraf password. - - name: TELEGRAF_PASSWORD + # -- Token to communicate with Influx + - name: INFLUX_TOKEN valueFrom: secretKeyRef: name: telegraf - key: telegraf-password + key: influx-token service: # -- Telegraf service. enabled: false @@ -20,23 +20,23 @@ telegraf: # -- Telegraf processor plugins. processors: {} # -- Telegraf input plugins. - # Collect JupyterHub Prometheus metrics by dedault. + # Collect JupyterHub Prometheus metrics by default. # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html inputs: - prometheus: urls: - - http://hub.nublado2:8081/nb/hub/metrics + - https://${telegraf.config.global_tags.cluster}/nb/hub/metrics # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/ metric_version: 2 # -- Telegraf default output destination. outputs: - - influxdb: + - influxdb_v2: urls: - # Eventually change for Roundtable - - "https://data-dev.lst.cloud/influxdb2" - database: "telegraf" - username: "telegraf" - password: "$TELEGRAF_PASSWORD" + - "https://roundtable-monitoring.lsst.cloud" + bucket: "telegraf" + token: "$INFLUX_TOKEN" + organization: "lizard" + # Should be less silly, I guess. # -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) # @default -- None, must be set From 22001da14fe5e393d56c7fa4932fb259dadfab78 Mon Sep 17 00:00:00 2001 
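Review bot: The new default input URL `https://${telegraf.config.global_tags.cluster}/nb/hub/metrics` in services/telegraf/values.yaml is not a Helm expression — `${...}` is Telegraf's environment-variable substitution, and no variable of that name is set in the `env` block above — so the default scrape target is unusable, which is presumably why both environment files now re-declare the entire `inputs` list. Replacing the in-cluster `http://hub.nublado2:8081/nb/hub/metrics` with the public hostname also changes the trust path: the scrape only works if the hub's metrics endpoint is reachable unauthenticated through the ingress, and if it is protected the collector will receive 401s rather than metrics. Keeping the in-cluster service URL as the default — the `hub.jupyter.org/network-access-hub: "true"` pod label exists for exactly that — and overriding per environment only where needed would avoid both problems. The `TELEGRAF_PASSWORD` to `INFLUX_TOKEN` rename in the first hunk is fine.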
From: adam Date: Fri, 18 Mar 2022 13:06:40 -0700 Subject: [PATCH 0089/1479] freshen docs --- services/influxdb2/README.md | 11 ++++------- services/telegraf/README.md | 8 ++++---- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/services/influxdb2/README.md b/services/influxdb2/README.md index 5534e75cdd..2072c7b1d3 100644 --- a/services/influxdb2/README.md +++ b/services/influxdb2/README.md 
@@ -6,18 +6,15 @@ SQuaRE packaging of InfluxDB2 time-series database | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | influxdb2 | 2.0.9 | +| https://helm.influxdata.com/ | influxdb2 | 2.0.10 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| influxdb2.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"900s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | -| influxdb2.image | object | `{"tag":"2.0.9"}` | InfluxDB image tag. | -| influxdb2.ingress | object | disabled | InfluxDB ingress configuration. | -| influxdb2.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | -| influxdb2.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"influxdb2"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | -| vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//telegraf`) | +| influxdb2.adminUser | object | `{"bucket":"telegraf","existingSecret":"influxdb2","organization":"lizard","retention_policy":"30d"}` | InfluxDB2 admin user; uses admin-password/admin-token keys from secret. 
| +| influxdb2.ingress | object | `{"annotations":{"cert-manager.io/cluster-issuer":"cert-issuer-letsencrypt-dns","kubernetes.io/ingress.class":"nginx","nginx.ingress.kubernetes.io/rewrite-target":"/"},"enabled":false,"hostname":"","ingressClassName":"nginx","path":"/","pathType":"Prefix","secretName":"influxdb2-tls","tls":true}` | InfluxDB2 ingress configuration. | +| vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//influxdb2`) | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/telegraf/README.md b/services/telegraf/README.md index 8dedaf40d8..f6f9f88872 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md 
@@ -6,17 +6,17 @@ SQuaRE telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf | 1.8.14 | +| https://helm.influxdata.com/ | telegraf | 1.8.17 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | telegraf.config.global_tags.cluster | string | `""` | | -| telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html | -| telegraf.config.outputs | list | `[{"influxdb":{"database":"telegraf","password":"$TELEGRAF_PASSWORD","urls":["https://data-dev.lst.cloud/influxdb"],"username":"telegraf"}}]` | Telegraf default output destination. | +| telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["https://${telegraf.config.global_tags.cluster}/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by default. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html | +| telegraf.config.outputs | list | `[{"influxdb_v2":{"bucket":"telegraf","organization":"lizard","token":"$INFLUX_TOKEN","urls":["https://roundtable-monitoring.lsst.cloud"]}}]` | Telegraf default output destination. | | telegraf.config.processors | object | `{}` | Telegraf processor plugins. | -| telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"telegraf"}}}` | Telegraf password. | +| telegraf.env[0] | object | `{"name":"INFLUX_TOKEN","valueFrom":{"secretKeyRef":{"key":"influx-token","name":"telegraf"}}}` | Token to communicate with Influx | | telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. | | telegraf.service.enabled | bool | `false` | Telegraf service. 
| | vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//telegraf`) | From eb290d4c13a9b95f0b6a82dcb37e9a0bb23b1e1a Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 22 Mar 2022 10:58:36 -0700 Subject: [PATCH 0090/1479] Remove influxdb2 and reconfigure telegraf for shared monitoring --- services/influxdb2/Chart.yaml | 8 ----- services/influxdb2/README.md | 20 ----------- services/influxdb2/README.md.gotmpl | 9 ----- .../influxdb2/templates/vault-secret.yaml | 16 --------- services/influxdb2/values-idfdev.yaml | 6 ---- services/influxdb2/values-minikube.yaml | 1 - services/influxdb2/values.yaml | 33 ------------------- services/telegraf/values-idfdev.yaml | 10 +----- services/telegraf/values-minikube.yaml | 12 +++---- services/telegraf/values.yaml | 7 ++-- 10 files changed, 9 insertions(+), 113 deletions(-) delete mode 100644 services/influxdb2/Chart.yaml delete mode 100644 services/influxdb2/README.md delete mode 100644 services/influxdb2/README.md.gotmpl delete mode 100644 services/influxdb2/templates/vault-secret.yaml delete mode 100644 services/influxdb2/values-idfdev.yaml delete mode 100644 services/influxdb2/values-minikube.yaml delete mode 100644 services/influxdb2/values.yaml diff --git a/services/influxdb2/Chart.yaml b/services/influxdb2/Chart.yaml deleted file mode 100644 index a9f790bb00..0000000000 --- a/services/influxdb2/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -name: influxdb2 -version: 1.0.0 -description: SQuaRE packaging of InfluxDB2 time-series database -dependencies: - - name: influxdb2 - version: 2.0.10 - repository: https://helm.influxdata.com/ diff --git a/services/influxdb2/README.md b/services/influxdb2/README.md deleted file mode 100644 index 2072c7b1d3..0000000000 --- a/services/influxdb2/README.md +++ /dev/null 
@@ -1,20 +0,0 @@ -# influxdb2 - -SQuaRE packaging of InfluxDB2 time-series database - -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://helm.influxdata.com/ | influxdb2 | 2.0.10 | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| influxdb2.adminUser | object | `{"bucket":"telegraf","existingSecret":"influxdb2","organization":"lizard","retention_policy":"30d"}` | InfluxDB2 admin user; uses admin-password/admin-token keys from secret. | -| influxdb2.ingress | object | `{"annotations":{"cert-manager.io/cluster-issuer":"cert-issuer-letsencrypt-dns","kubernetes.io/ingress.class":"nginx","nginx.ingress.kubernetes.io/rewrite-target":"/"},"enabled":false,"hostname":"","ingressClassName":"nginx","path":"/","pathType":"Prefix","secretName":"influxdb2-tls","tls":true}` | InfluxDB2 ingress configuration. | -| vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//influxdb2`) | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/influxdb2/README.md.gotmpl b/services/influxdb2/README.md.gotmpl deleted file mode 100644 index 4531459bbb..0000000000 --- a/services/influxdb2/README.md.gotmpl +++ /dev/null @@ -1,9 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/services/influxdb2/templates/vault-secret.yaml b/services/influxdb2/templates/vault-secret.yaml deleted file mode 100644 index e68c277cd2..0000000000 --- a/services/influxdb2/templates/vault-secret.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: influxdb2 - namespace: influxdb2 -spec: - path: {{ .Values.vaultSecretsPath }}/influxdb2 - type: Opaque ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: pull-secret -spec: - path: {{ .Values.vaultSecretsPath }}/pull-secret - type: kubernetes.io/dockerconfigjson diff --git a/services/influxdb2/values-idfdev.yaml b/services/influxdb2/values-idfdev.yaml deleted file mode 100644 index 91bfa066f3..0000000000 --- a/services/influxdb2/values-idfdev.yaml +++ /dev/null @@ -1,6 +0,0 @@ -influxdb2: - ingress: - enabled: true - hostname: data-dev-monitoring.lsst.cloud - -vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/influxdb2/values-minikube.yaml b/services/influxdb2/values-minikube.yaml deleted file mode 100644 index c7e771eda8..0000000000 --- a/services/influxdb2/values-minikube.yaml +++ /dev/null @@ -1 +0,0 @@ -vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes diff --git a/services/influxdb2/values.yaml b/services/influxdb2/values.yaml deleted file mode 100644 index a43d4779c7..0000000000 --- a/services/influxdb2/values.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -influxdb2: - # -- InfluxDB2 admin user; uses admin-password/admin-token keys from - # secret. - adminUser: - # Too silly? - organization: "lizard" - bucket: "telegraf" - retention_policy: "30d" - existingSecret: influxdb2 - # -- InfluxDB2 ingress configuration. - ingress: - # @default -- False - enabled: false - tls: true - secretName: influxdb2-tls - # InfluxDB2 can't run behind a routed path--it must be on the root. - # @default -- None, must be set, must not be the same as RSP ingress. - hostname: "" - # Note that this requires a CNAME - # from: _acme_challenge.. - # to: _acme_challenge.tls. - # cf https://phalanx.lsst.io/ops/cert-issuer/bootstrapping.html - ingressClassName: nginx - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/rewrite-target: / - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - path: / - pathType: Prefix - -# -- Path to the Vault secrets (`secret/k8s_operator//influxdb2`) -# @default -- None, must be set -vaultSecretsPath: "" diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index b3fc280244..8244533ae2 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml @@ -2,17 +2,9 @@ telegraf: config: global_tags: cluster: data-dev.lsst.cloud - outputs: - # ARGH Helm and YAML lists not merging. - - influxdb_v2: - urls: - - "https://data-dev-monitoring.lsst.cloud/" - bucket: "telegraf" - token: "$INFLUX_TOKEN" - organization: "lizard" - # Should be less silly, I guess. inputs: - prometheus: + # Must specify metric_version too, because YAML lists don't merge urls: - "https://data-dev.lsst.cloud/nb/hub/metrics" metric_version: 2 diff --git a/services/telegraf/values-minikube.yaml b/services/telegraf/values-minikube.yaml index af38aaffca..946c9505bd 100644 --- a/services/telegraf/values-minikube.yaml +++ b/services/telegraf/values-minikube.yaml 
@@ -2,13 +2,11 @@ telegraf: config: global_tags: cluster: minikube.lsst.codes - outputs: - - influxdb_v2: + inputs: + - prometheus: + # Must specify metric_version too, because YAML lists don't merge urls: - - "https://data-dev-monitoring.lsst.cloud/" - bucket: "telegraf" - token: "$INFLUX_TOKEN" - organization: "lizard" - # Should be less silly, I guess. + - "https://minikube.lsst.codes/nb/hub/metrics" + metric_version: 2 vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index ad702af04f..092bb688a9 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -32,11 +32,10 @@ telegraf: outputs: - influxdb_v2: urls: - - "https://roundtable-monitoring.lsst.cloud" - bucket: "telegraf" + - "https://monitoring.lsst.codes" + bucket: "monitoring" token: "$INFLUX_TOKEN" - organization: "lizard" - # Should be less silly, I guess. + organization: "square" # -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) # @default -- None, must be set From 46130a46579c09c047d66f3de27d11197f3fdff9 Mon Sep 17 00:00:00 2001 
From: adam Date: Tue, 22 Mar 2022 11:10:49 -0700 Subject: [PATCH 0091/1479] Remove influxdb2 application --- installer/generate_secrets.py | 15 ++++------ .../templates/influxdb2-application.yaml | 29 ------------------- science-platform/values-base.yaml | 2 -- science-platform/values-idfdev.yaml | 2 -- science-platform/values-idfint.yaml | 2 -- science-platform/values-idfprod.yaml | 2 -- science-platform/values-int.yaml | 2 -- science-platform/values-minikube.yaml | 2 -- science-platform/values-red-five.yaml | 2 -- science-platform/values-roe.yaml | 2 -- science-platform/values-squash-sandbox.yaml | 2 -- science-platform/values-stable.yaml | 2 -- science-platform/values-summit.yaml | 2 -- science-platform/values-tucson-teststand.yaml | 2 -- science-platform/values.yaml | 2 -- 15 files changed, 5 insertions(+), 65 deletions(-) delete mode 100644 science-platform/templates/influxdb2-application.yaml diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index f2db542904..a5b74cc76b 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py @@ -52,7 +52,6 @@ def generate(self): self._argocd() self._portal() self._vo_cutouts() - self._influxdb2() self._telegraf() self.input_field("cert-manager", "enabled", "Use cert-manager? (y/n):") 
@@ -253,16 +252,12 @@ def _argocd(self): self._set_generated("argocd", "server.secretkey", secrets.token_hex(16)) - def _influxdb2(self): - set._set_generated("influxdb2", "admin-password", - secrets.token_hex(16)) - set._set_generated("influxdb2", "admin-token", secrets.token_hex(16)) - def _telegraf(self): - # Note that this will be *wrong* but will give us the correct - # structure, anyway. Whoever is administering the central InfluxDB2 - # should make a token for each telegraf satellite. - self._set_generated("telegraf", "influx-token", secrets.token_hex(16)) + self.input_field( + "telegraf", + "influx-token", + "Token for communicating with monitoring InfluxDB2 instance", + ) def _portal(self): pw = secrets.token_hex(32) diff --git a/science-platform/templates/influxdb2-application.yaml b/science-platform/templates/influxdb2-application.yaml deleted file mode 100644 index 05ca1a7e10..0000000000 --- a/science-platform/templates/influxdb2-application.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- if .Values.influxdb2.enabled -}} -apiVersion: v1 -kind: Namespace -metadata: - name: influxdb2 -spec: - finalizers: - - kubernetes ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: influxdb2 - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - destination: - namespace: influxdb2 - server: https://kubernetes.default.svc - project: default - source: - path: services/influxdb2 - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} - helm: - valueFiles: - - values-{{ .Values.environment }}.yaml -{{- end -}} diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml index 8c09a33dc1..588f1ee24f 100644 --- a/science-platform/values-base.yaml +++ b/science-platform/values-base.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: true gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: false moneypenny: 
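Review bot: `input_field` is now used to read the InfluxDB2 token interactively; if it is a plain `input()` wrapper the token is echoed and stays visible in terminal scrollback, so a secret prompt should read without echo (`getpass.getpass`), which is worth checking in `input_field` since its definition is outside this hunk. The prompt text also drops the guidance from the deleted comment about where the token comes from, and unlike the other prompt in this file (`"Use cert-manager? (y/n):"`) it has no trailing colon; `"Token for communicating with monitoring InfluxDB2 instance (obtain from the central InfluxDB2 administrator):"` would restore both. The removed `_influxdb2` called `set._set_generated`, a latent NameError, so its deletion is an improvement in itself.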
diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index 5809a500f2..bc65d035af 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: false gafaelfawr: enabled: true -influxdb2: - enabled: true mobu: enabled: true moneypenny: diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 7eea11a750..f88fee6371 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: false gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index b80747595b..6b78fc569f 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: false gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index 0c9b8505cc..ffbb980640 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: false gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index a576162492..f9421c6471 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: false gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-red-five.yaml b/science-platform/values-red-five.yaml index 89a3161f9c..da41a5919e 100644 --- a/science-platform/values-red-five.yaml +++ b/science-platform/values-red-five.yaml 
@@ -16,8 +16,6 @@ exposurelog: enabled: false gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: true ingress_nginx: diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml index b03bcb4dea..fb3abae17a 100644 --- a/science-platform/values-roe.yaml +++ b/science-platform/values-roe.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: false gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml index d1673ddee8..030b2aa3a6 100644 --- a/science-platform/values-squash-sandbox.yaml +++ b/science-platform/values-squash-sandbox.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: false gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: false moneypenny: diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 3d58a62c6f..4d895e8b99 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: false gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: true moneypenny: diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index 7ad2e8a515..93f869d596 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: true gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: false moneypenny: diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index 6f59366d25..3fca34e7dc 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -16,8 +16,6 @@ exposurelog: enabled: true gafaelfawr: enabled: true -influxdb2: - enabled: false mobu: enabled: false moneypenny: 
diff --git a/science-platform/values.yaml b/science-platform/values.yaml
index 1b4df7c45f..94b9abf28c 100644
--- a/science-platform/values.yaml
+++ b/science-platform/values.yaml
@@ -12,8 +12,6 @@ exposurelog:
 enabled: false
 gafaelfawr:
 enabled: false
-influxdb2:
- enabled: false
 ingress_nginx:
 enabled: false
 mobu:
From 71b3f62b8f01bd06fe31936a217e4f10c0eefecc Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 22 Mar 2022 11:23:57 -0700
Subject: [PATCH 0092/1479] Set org-id too in generate_secrets.py
---
installer/generate_secrets.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py
index a5b74cc76b..f9dff72b5b 100755
--- a/installer/generate_secrets.py
+++ b/installer/generate_secrets.py
@@ -258,6 +258,7 @@ def _telegraf(self):
 "influx-token",
 "Token for communicating with monitoring InfluxDB2 instance",
 )
+ self._set("telegraf", "org-id", "square")
 
 def _portal(self):
 pw = secrets.token_hex(32)
From 86724eec2edd5c8d93ba735d5d38c9875431a697 Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 22 Mar 2022 11:29:32 -0700
Subject: [PATCH 0093/1479] Restore original sasquatch
---
services/sasquatch/Chart.yaml | 3 ++
services/sasquatch/README.md | 9 ++++-
.../charts/kafka-connect-manager/README.md | 2 +-
.../sasquatch/charts/strimzi-kafka/README.md | 2 +-
services/sasquatch/values.yaml | 35 +++++++++++++++++++
5 files changed, 48 insertions(+), 3 deletions(-)
diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml
index 34a4bc1107..94240a7674 100644
--- a/services/sasquatch/Chart.yaml
+++ b/services/sasquatch/Chart.yaml
@@ -19,3 +19,6 @@ dependencies:
 - name: kapacitor
 version: 1.4.4
 repository: https://helm.influxdata.com/
+ - name: telegraf
+ version: 1.8.14
+ repository: https://helm.influxdata.com/
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md
index d0bba03883..e8ecb0919e 100644
--- a/services/sasquatch/README.md
+++ b/services/sasquatch/README.md
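Review bot: The hard-coded `"square"` duplicates the `organization: "square"` value set in the `services/telegraf/values.yaml` hunk earlier in this series, so the two copies can silently drift; a comment on the new line such as `# Must match telegraf.config.outputs influxdb_v2.organization in services/telegraf/values.yaml` ties them together, and sourcing one from the other would be better still. The org id is also not a secret, so routing it through the secrets generator rather than a values file is a choice worth a sentence of explanation. `_telegraf` starts outside the hunk.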
@@ -11,6 +11,7 @@ SQuaRE telemetry data service.
 | https://helm.influxdata.com/ | chronograf | 1.2.3 |
 | https://helm.influxdata.com/ | influxdb | 4.10.6 |
 | https://helm.influxdata.com/ | kapacitor | 1.4.3 |
+| https://helm.influxdata.com/ | telegraf | 1.8.14 |
 | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 1.2.0 |
 
 ## Values
@@ -35,7 +36,13 @@ SQuaRE telemetry data service.
 | kapacitor.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. |
 | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. |
 | strimzi-registry-operator | object | `{"clusterName":"sasquatch","operatorNamespace":"sasquatch","watchNamespace":"sasquatch"}` | strimzi-registry-operator configuration. |
+| telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html |
+| telegraf.config.outputs | list | `[{"influxdb":{"database":"telegraf","password":"$TELEGRAF_PASSWORD","urls":["http://sasquatch-influxdb.sasquatch:8086"],"username":"telegraf"}}]` | Telegraf default output destination. |
+| telegraf.config.processors | object | `{}` | Telegraf processor plugins. |
+| telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"sasquatch"}}}` | Telegraf password. |
+| telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. |
+| telegraf.service.enabled | bool | `false` | Telegraf service. |
 | vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//sasquatch`) |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
+Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)
diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md
index 454e7fac0b..41b0cfe86f 100644
--- a/services/sasquatch/charts/kafka-connect-manager/README.md
+++ b/services/sasquatch/charts/kafka-connect-manager/README.md
@@ -74,4 +74,4 @@ A sub chart to deploy the Kafka connectors used by Sasquatch.
 | s3Sink.topicsRegex | string | `".*"` | Regex to select topics from Kafka. |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
+Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)
diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md
index bd80e77c10..84c2c604dd 100644
--- a/services/sasquatch/charts/strimzi-kafka/README.md
+++ b/services/sasquatch/charts/strimzi-kafka/README.md
@@ -23,4 +23,4 @@ A sub chart to deploy Strimzi Kafka components for Sasquatch.
 | zookeeper.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
+Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)
diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml
index 12e04b7eeb..78def2482e 100644
--- a/services/sasquatch/values.yaml
+++ b/services/sasquatch/values.yaml
@@ -99,6 +99,41 @@ kapacitor:
 envVars:
 KAPACITOR_SLACK_ENABLED: true
 
+telegraf:
+ # -- Allow network access to JupyterHub pod.
+ podLabels:
+ hub.jupyter.org/network-access-hub: "true"
+ env:
+ # -- Telegraf password.
+ - name: TELEGRAF_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: sasquatch
+ key: telegraf-password
+ service:
+ # -- Telegraf service.
+ enabled: false
+ config:
+ # -- Telegraf processor plugins.
+ processors: {}
+ # -- Telegraf input plugins.
+ # Collect JupyterHub Prometheus metrics by dedault.
+ # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html
+ inputs:
+ - prometheus:
+ urls:
+ - http://hub.nublado2:8081/nb/hub/metrics
+ # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/
+ metric_version: 2
+ # -- Telegraf default output destination.
+ outputs:
+ - influxdb:
+ urls:
+ - "http://sasquatch-influxdb.sasquatch:8086"
+ database: "telegraf"
+ username: "telegraf"
+ password: "$TELEGRAF_PASSWORD"
+
 # -- Path to the Vault secrets (`secret/k8s_operator//sasquatch`)
 # @default -- None, must be set
 vaultSecretsPath: ""
From 5944d634e34989b51fcda0ff50e61f2ca1acf994 Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 22 Mar 2022 11:35:11 -0700
Subject: [PATCH 0094/1479] remove whitespace for YAML linting
---
services/telegraf/values-idfdev.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml
index 8244533ae2..e7eea0662e 100644
--- a/services/telegraf/values-idfdev.yaml
+++ b/services/telegraf/values-idfdev.yaml
@@ -8,5 +8,5 @@ telegraf:
 urls:
 - "https://data-dev.lsst.cloud/nb/hub/metrics"
 metric_version: 2
-
+
 vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud
From 93f8c7a748315b8a7172479739b6d34c39a06c23 Mon Sep 17 00:00:00 2001
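Review bot: The new comment `# Collect JupyterHub Prometheus metrics by dedault.` has a typo (`default`), and because the README table in the same commit is generated from this comment by helm-docs the typo is reproduced there too; fixing it here and regenerating clears both. Scalar quoting is mixed inside the block: `- http://hub.nublado2:8081/nb/hub/metrics` is unquoted while the influxdb `urls` entry is quoted, so quoting both URL entries keeps the style uniform. The `password: "$TELEGRAF_PASSWORD"` reference is resolved from the env var backed by the `sasquatch` secret, which keeps the credential out of the values file as intended.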
From: adam
Date: Tue, 22 Mar 2022 14:38:18 -0700
Subject: [PATCH 0095/1479] list top-level values.yaml file as well
---
science-platform/templates/telegraf-application.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/science-platform/templates/telegraf-application.yaml b/science-platform/templates/telegraf-application.yaml
index 77a4fcdb60..26d877e6c8 100644
--- a/science-platform/templates/telegraf-application.yaml
+++ b/science-platform/templates/telegraf-application.yaml
@@ -25,5 +25,6 @@ spec:
 targetRevision: {{ .Values.revision }}
 helm:
 valueFiles:
+ - values.yaml
 - values-{{ .Values.environment }}.yaml
 {{- end -}}
From 4e3f4c5fb42a2a9a5bd24e0d086c0bb1ae70936a Mon Sep 17 00:00:00 2001
From: Russell Owen
Date: Tue, 22 Mar 2022 12:25:20 -0700
Subject: [PATCH 0096/1479] Tweak exposurelog and narrativelog versions
---
services/exposurelog/Chart.yaml | 4 ++--
services/narrativelog/Chart.yaml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml
index d3c86bca6f..9a386ea0b2 100644
--- a/services/exposurelog/Chart.yaml
+++ b/services/exposurelog/Chart.yaml
@@ -8,9 +8,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.3.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.9.0
+appVersion: 0.9.1
diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml
index 28db5994d9..a395fbbb4c 100644
--- a/services/narrativelog/Chart.yaml
+++ b/services/narrativelog/Chart.yaml
@@ -8,9 +8,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.2.0 +appVersion: 0.2.1 From 3a996e1f30b8c6129e1328093a811d764ccaf711 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 23 Mar 2022 09:34:46 -0700 Subject: [PATCH 0097/1479] add syslog receiver and simplify hub metric collection --- services/telegraf/values-base.yaml | 6 ++++++ services/telegraf/values-idfdev.yaml | 6 ------ services/telegraf/values-idfint.yaml | 6 ++++++ services/telegraf/values-idfprod.yaml | 6 ++++++ services/telegraf/values-int.yaml | 6 ++++++ services/telegraf/values-minikube.yaml | 6 ------ services/telegraf/values-stable.yaml | 6 ++++++ services/telegraf/values-summit.yaml | 6 ++++++ services/telegraf/values-tucson-teststand.yaml | 6 ++++++ services/telegraf/values.yaml | 6 +++++- 10 files changed, 47 insertions(+), 13 deletions(-) create mode 100644 services/telegraf/values-base.yaml create mode 100644 services/telegraf/values-idfint.yaml create mode 100644 services/telegraf/values-idfprod.yaml create mode 100644 services/telegraf/values-int.yaml create mode 100644 services/telegraf/values-stable.yaml create mode 100644 services/telegraf/values-summit.yaml create mode 100644 services/telegraf/values-tucson-teststand.yaml diff --git a/services/telegraf/values-base.yaml b/services/telegraf/values-base.yaml new file mode 100644 index 0000000000..7f645ae14a --- /dev/null +++ b/services/telegraf/values-base.yaml 
@@ -0,0 +1,6 @@ +telegraf: + config: + global_tags: + cluster: base-lsp.lsst.codes + +vaultSecretsPath: secret/k8s_operator/base-lsp.lsst.codes diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index e7eea0662e..3c98a4f098 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml @@ -2,11 +2,5 @@ telegraf: config: global_tags: cluster: data-dev.lsst.cloud - inputs: - - prometheus: - # Must specify metric_version too, because YAML lists don't merge - urls: - - "https://data-dev.lsst.cloud/nb/hub/metrics" - metric_version: 2 vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf/values-idfint.yaml b/services/telegraf/values-idfint.yaml new file mode 100644 index 0000000000..6d5503ce40 --- /dev/null +++ b/services/telegraf/values-idfint.yaml @@ -0,0 +1,6 @@ +telegraf: + config: + global_tags: + cluster: data-int.lsst.cloud + +vaultSecretsPath: secret/k8s_operator/data-int.lsst.cloud diff --git a/services/telegraf/values-idfprod.yaml b/services/telegraf/values-idfprod.yaml new file mode 100644 index 0000000000..194d279a2e --- /dev/null +++ b/services/telegraf/values-idfprod.yaml @@ -0,0 +1,6 @@ +telegraf: + config: + global_tags: + cluster: data.lsst.cloud + +vaultSecretsPath: secret/k8s_operator/data.lsst.cloud diff --git a/services/telegraf/values-int.yaml b/services/telegraf/values-int.yaml new file mode 100644 index 0000000000..67125edb94 --- /dev/null +++ b/services/telegraf/values-int.yaml @@ -0,0 +1,6 @@ +telegraf: + config: + global_tags: + cluster: lsst-lsp-int.ncsa.illinois.edu + +vaultSecretsPath: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu diff --git a/services/telegraf/values-minikube.yaml b/services/telegraf/values-minikube.yaml index 946c9505bd..4f24c2bb3b 100644 --- a/services/telegraf/values-minikube.yaml +++ b/services/telegraf/values-minikube.yaml 
@@ -2,11 +2,5 @@ telegraf: config: global_tags: cluster: minikube.lsst.codes - inputs: - - prometheus: - # Must specify metric_version too, because YAML lists don't merge - urls: - - "https://minikube.lsst.codes/nb/hub/metrics" - metric_version: 2 vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes diff --git a/services/telegraf/values-stable.yaml b/services/telegraf/values-stable.yaml new file mode 100644 index 0000000000..ce3d3c3871 --- /dev/null +++ b/services/telegraf/values-stable.yaml @@ -0,0 +1,6 @@ +telegraf: + config: + global_tags: + cluster: lsst-lsp-stable.ncsa.illinois.edu + +vaultSecretsPath: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu diff --git a/services/telegraf/values-summit.yaml b/services/telegraf/values-summit.yaml new file mode 100644 index 0000000000..0f4b053b78 --- /dev/null +++ b/services/telegraf/values-summit.yaml @@ -0,0 +1,6 @@ +telegraf: + config: + global_tags: + cluster: summit-lsp.lsst.codes + +vaultSecretsPath: secret/k8s_operator/summit-lsp.lsst.codes diff --git a/services/telegraf/values-tucson-teststand.yaml b/services/telegraf/values-tucson-teststand.yaml new file mode 100644 index 0000000000..2f2f8d929b --- /dev/null +++ b/services/telegraf/values-tucson-teststand.yaml @@ -0,0 +1,6 @@ +telegraf: + config: + global_tags: + cluster: tucson-teststand.lsst.codes + +vaultSecretsPath: secret/k8s_operator/tucson-teststand.lsst.codes diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 092bb688a9..fe63d7433e 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -13,6 +13,8 @@ telegraf: # -- Telegraf service. enabled: false config: + agent: + omit_hostname: true global_tags: # -- Cluster name -- should be same as FQDN of RSP endpoint # @default -- None, must be set 
@@ -25,9 +27,11 @@ telegraf:
 inputs:
 - prometheus:
 urls:
- - https://${telegraf.config.global_tags.cluster}/nb/hub/metrics
+ - http://hub.nublado:8081/metrics
 # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/
 metric_version: 2
+ - syslog:
+ server: "tcp://:6514"
 # -- Telegraf default output destination.
 outputs:
 - influxdb_v2:
From 77a980739b77811b82f067bad3cf8a78bd13d3eb Mon Sep 17 00:00:00 2001
From: adam
Date: Wed, 23 Mar 2022 11:13:22 -0700
Subject: [PATCH 0098/1479] enable telegraf everywhere
---
science-platform/values-base.yaml | 2 +-
science-platform/values-idfint.yaml | 2 +-
science-platform/values-idfprod.yaml | 2 +-
science-platform/values-int.yaml | 2 ++
science-platform/values-minikube.yaml | 2 +-
science-platform/values-red-five.yaml | 2 +-
science-platform/values-roe.yaml | 2 +-
science-platform/values-squash-sandbox.yaml | 2 +-
science-platform/values-stable.yaml | 2 +-
science-platform/values-summit.yaml | 2 +-
science-platform/values-tucson-teststand.yaml | 2 +-
11 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml
index 588f1ee24f..12f4138016 100644
--- a/science-platform/values-base.yaml
+++ b/science-platform/values-base.yaml
@@ -53,7 +53,7 @@ tap:
 tap_schema:
 enabled: false
 telegraf:
- enabled: false
+ enabled: true
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml
index f88fee6371..625e2bb541 100644
--- a/science-platform/values-idfint.yaml
+++ b/science-platform/values-idfint.yaml
@@ -55,7 +55,7 @@ tap:
 tap_schema:
 enabled: true
 telegraf:
- enabled: false
+ enabled: true
 times_square:
 enabled: false
 vault_secrets_operator:
diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml
index 6b78fc569f..2090956bac 100644
--- a/science-platform/values-idfprod.yaml
+++ b/science-platform/values-idfprod.yaml
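Review bot: The new `syslog` input listens on `tcp://:6514`, the port conventionally reserved for syslog over TLS, but no `tls_cert`/`tls_key` is configured, so this is a plaintext TCP listener on the TLS port; either add the TLS settings or use a plain-syslog port and say so, e.g. `# Plain TCP syslog receiver (no TLS configured); only reachable from inside the cluster`. With `service.enabled: false` still in the context of the previous hunk, nothing outside the pod can reach the listener, so the receiver is inert until a Service is added, and that is the moment to decide on TLS and on any NetworkPolicy scoping. The hub URL is changed to `http://hub.nublado:8081/metrics` while the sasquatch chart in this same series uses `http://hub.nublado2:8081/nb/hub/metrics`; the namespace is corrected in a later commit, but the path (`/metrics` vs `/nb/hub/metrics`) still differs between the two charts and presumably only one of them is right.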
@@ -55,7 +55,7 @@ tap: tap_schema: enabled: true telegraf: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index ffbb980640..517b059c78 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -54,6 +54,8 @@ tap: enabled: true tap_schema: enabled: true +telegraf: + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index f9421c6471..9bf16e6946 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml @@ -55,7 +55,7 @@ tap: tap_schema: enabled: true telegraf: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-red-five.yaml b/science-platform/values-red-five.yaml index da41a5919e..9331dd9ca7 100644 --- a/science-platform/values-red-five.yaml +++ b/science-platform/values-red-five.yaml @@ -53,7 +53,7 @@ tap: tap_schema: enabled: true telegraf: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml index fb3abae17a..0fda1afb3a 100644 --- a/science-platform/values-roe.yaml +++ b/science-platform/values-roe.yaml @@ -51,7 +51,7 @@ tap: tap_schema: enabled: true telegraf: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml index 030b2aa3a6..6c2af52365 100644 --- a/science-platform/values-squash-sandbox.yaml +++ b/science-platform/values-squash-sandbox.yaml @@ -53,7 +53,7 @@ tap: tap_schema: enabled: false telegraf: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: 
diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 4d895e8b99..57caacf7db 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml @@ -55,7 +55,7 @@ tap: tap_schema: enabled: true telegraf: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index 93f869d596..1b218d569e 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -55,7 +55,7 @@ tap: tap_schema: enabled: false telegraf: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index 3fca34e7dc..adb7773d71 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -53,7 +53,7 @@ tap: tap_schema: enabled: false telegraf: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: From 4e3a757726f2e7ae4654e89fc36f6f1df0ac4188 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 23 Mar 2022 11:15:39 -0700 Subject: [PATCH 0099/1479] fix namespace name --- services/telegraf/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index fe63d7433e..6cfc61f6db 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -27,7 +27,7 @@ telegraf: inputs: - prometheus: urls: - - http://hub.nublado:8081/metrics + - http://hub.nublado2:8081/metrics # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/ metric_version: 2 - syslog: From a40b47fb06d8dbc77360e88109d54703345268d7 Mon Sep 17 00:00:00 2001 
From: Russell Owen
Date: Wed, 23 Mar 2022 11:20:39 -0700
Subject: [PATCH 0100/1479] exposurelog: add a writable /tmp dir and weak existing volumeMount entries to put the name first, for consistency with other deployments.
---
services/exposurelog/Chart.yaml | 2 +-
services/exposurelog/templates/deployment.yaml | 12 ++++++++----
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml
index 9a386ea0b2..eee0c7ca36 100644
--- a/services/exposurelog/Chart.yaml
+++ b/services/exposurelog/Chart.yaml
@@ -8,7 +8,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.3.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml
index 2e5ea14c37..b5863bb8ff 100644
--- a/services/exposurelog/templates/deployment.yaml
+++ b/services/exposurelog/templates/deployment.yaml
@@ -74,13 +74,15 @@ spec:
 value: {{ .Values.site_id | quote }}
 volumeMounts:
 {{- if .Values.nfs_path_1 }}
- - mountPath: /volume_1
- name: volume1
+ - name: volume1
+ mountPath: /volume_1
 {{- end }}
 {{- if .Values.nfs_path_2 }}
- - mountPath: /volume_2
- name: volume2
+ - name: volume2
+ mountPath: /volume_2
 {{- end }}
+ - name: tmp
+ mountPath: /tmp
 volumes:
 {{- if .Values.nfs_path_1 }}
 - name: volume1
@@ -96,6 +98,8 @@ spec:
 readOnly: true
 server: {{ .Values.nfs_server_2 }}
 {{- end }}
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
From a94d14f79395ed4d4549d944291d96f2b632b335 Mon Sep 17 00:00:00 2001
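Review bot: The new `tmp` volume is `emptyDir: {}` with no `sizeLimit`, so whatever the service writes to `/tmp` counts against the node's ephemeral storage with no cap; `emptyDir:` followed by `sizeLimit: 1Gi` (a constructed sample, size it for the service) bounds it and lets the kubelet evict the pod instead of starving the node. If the reason for a dedicated writable `/tmp` is to run the container with `readOnlyRootFilesystem: true`, that securityContext is not in this hunk and presumably still needs to be set for the change to pay off. The commit message says `weak existing volumeMount entries`, which reads as a typo for `tweak`.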
From: Russell Owen Date: Wed, 23 Mar 2022 11:25:52 -0700 Subject: [PATCH 0101/1479] Add README files for exposurelog and narrativelog --- services/exposurelog/README.md | 6 ++++++ services/narrativelog/README.md | 6 ++++++ 2 files changed, 12 insertions(+) create mode 100644 services/exposurelog/README.md create mode 100644 services/narrativelog/README.md diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md new file mode 100644 index 0000000000..2bf346d371 --- /dev/null +++ b/services/exposurelog/README.md @@ -0,0 +1,6 @@ +# exposurelog + +Deployment of the exposurelog service, which manages a database of log messages associated with exposures. +Similar to narrativelog, but narrativelog messages are not associated with exposures. + +exposurelog is developed at https://github.com/lsst-sqre/exposurelog and uses OpenAPI to document the API. diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md new file mode 100644 index 0000000000..a06f57f6ed --- /dev/null +++ b/services/narrativelog/README.md @@ -0,0 +1,6 @@ +# narrativelog + +Deployment of the narrativelog service, which manages a database of log messages. +Similar to exposurelog, but exposurelog messages are associated with exposures. + +narrativelog is developed at https://github.com/lsst-sqre/narrativelog and uses OpenAPI to document the API. From aeb50b3ac8972db9eda5b55253a7efb6dc0e87c3 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Wed, 16 Mar 2022 17:31:50 -0400 Subject: [PATCH 0102/1479] Migrate noteburst chart into phalanx This migrates the chart per RFC-830. This also takes advantage of Helm globals set on the Argo CD application to streamline the Vault and host/baseUrl settings. --- .../templates/noteburst-application.yaml | 32 +++-- services/noteburst/Chart.yaml | 20 ++- services/noteburst/README.md | 53 ++++++++ services/noteburst/README.md.gotmpl | 11 ++ services/noteburst/templates/NOTES.txt | 22 ++++ services/noteburst/templates/_helpers.tpl | 62 ++++++++++ services/noteburst/templates/configmap.yaml | 11 ++ services/noteburst/templates/deployment.yaml | 77 ++++++++++++ .../noteburst/templates/gafaelfawrtoken.yaml | 11 ++ services/noteburst/templates/hpa.yaml | 28 +++++ services/noteburst/templates/ingress.yaml | 31 +++++ services/noteburst/templates/service.yaml | 15 +++ .../noteburst/templates/serviceaccount.yaml | 12 ++ .../templates/tests/test-connection.yaml | 15 +++ services/noteburst/templates/vaultsecret.yaml | 9 ++ .../noteburst/templates/worker-configmap.yaml | 12 ++ .../templates/worker-deployment.yaml | 71 +++++++++++ .../worker-identities-configmap.yaml | 9 ++ services/noteburst/values-base.yaml | 17 --- services/noteburst/values-idfdev.yaml | 36 ++---- services/noteburst/values-idfint.yaml | 17 --- services/noteburst/values-idfprod.yaml | 17 --- services/noteburst/values-int.yaml | 17 --- services/noteburst/values-minikube.yaml | 27 ---- services/noteburst/values-red-five.yaml | 17 --- services/noteburst/values-stable.yaml | 17 --- services/noteburst/values-summit.yaml | 17 --- .../noteburst/values-tucson-teststand.yaml | 17 --- services/noteburst/values.yaml | 116 ++++++++++++++++++ 29 files changed, 609 insertions(+), 207 deletions(-) create mode 100644 services/noteburst/README.md create mode 100644 services/noteburst/README.md.gotmpl create mode 100644 services/noteburst/templates/NOTES.txt create mode 100644 
services/noteburst/templates/_helpers.tpl create mode 100644 services/noteburst/templates/configmap.yaml create mode 100644 services/noteburst/templates/deployment.yaml create mode 100644 services/noteburst/templates/gafaelfawrtoken.yaml create mode 100644 services/noteburst/templates/hpa.yaml create mode 100644 services/noteburst/templates/ingress.yaml create mode 100644 services/noteburst/templates/service.yaml create mode 100644 services/noteburst/templates/serviceaccount.yaml create mode 100644 services/noteburst/templates/tests/test-connection.yaml create mode 100644 services/noteburst/templates/vaultsecret.yaml create mode 100644 services/noteburst/templates/worker-configmap.yaml create mode 100644 services/noteburst/templates/worker-deployment.yaml create mode 100644 services/noteburst/templates/worker-identities-configmap.yaml delete mode 100644 services/noteburst/values-base.yaml delete mode 100644 services/noteburst/values-idfint.yaml delete mode 100644 services/noteburst/values-idfprod.yaml delete mode 100644 services/noteburst/values-int.yaml delete mode 100644 services/noteburst/values-minikube.yaml delete mode 100644 services/noteburst/values-red-five.yaml delete mode 100644 services/noteburst/values-stable.yaml delete mode 100644 services/noteburst/values-summit.yaml delete mode 100644 services/noteburst/values-tucson-teststand.yaml create mode 100644 services/noteburst/values.yaml diff --git a/science-platform/templates/noteburst-application.yaml b/science-platform/templates/noteburst-application.yaml index 479fbd5a86..b8322d4c15 100644 --- a/science-platform/templates/noteburst-application.yaml +++ b/science-platform/templates/noteburst-application.yaml 
@@ -2,28 +2,36 @@ apiVersion: v1 kind: Namespace metadata: - name: noteburst + name: "noteburst" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: noteburst - namespace: argocd + name: "noteburst" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: noteburst - server: https://kubernetes.default.svc - project: default + namespace: "noteburst" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/noteburst - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/noteburst" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: + parameters: + - name: "globals.host" + value: {{ .Values.fqdn | quote }} + - name: "globals.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "globals.vaultSecretsPathPrefix" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index fe22ca0114..76e44c1498 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml 
@@ -1,10 +1,18 @@ apiVersion: v2 name: noteburst version: 1.0.0 +appVersion: 0.2.0 +description: Noteburst is a notebook execution service for the Rubin Science Platform. +type: application +home: https://noteburst.lsst.io/ +sources: + - https://github.com/lsst-sqre/noteburst +maintainers: + - name: jonathansick + url: https://github.com/jonathansick + +# Additional charts that this chart uses dependencies: - - name: noteburst - version: 0.2.0-alpha.3 - repository: https://lsst-sqre.github.io/charts/ - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ + - name: redis + version: 16.5.3 + repository: https://charts.bitnami.com/bitnami diff --git a/services/noteburst/README.md b/services/noteburst/README.md new file mode 100644 index 0000000000..fa79d61ec3 --- /dev/null +++ b/services/noteburst/README.md 
@@ -0,0 +1,53 @@ +# noteburst + +Noteburst is a notebook execution service for the Rubin Science Platform. + +## Source Code + +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.bitnami.com/bitnami | redis | 16.5.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | +| config.worker.identities | list | `[]` | Science Platform user identities that workers can acquire. Each item is an object with username and uuid keys | +| config.worker.workerCount | int | `1` | Number of workers to run | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| globals.baseUrl | string | Set by Argo CD | Base URL for the environment | +| globals.host | string | Set by Argo CD | Host name for ingress | +| globals.vaultSecretsPathPrefix | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| image.repository | string | `"ghcr.io/lsst-sqre/noteburst"` | Noteburst image repository | +| image.tag | string | The appVersion of the chart | Tag of the image | +| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | +| ingress.enabled | bool | `true` | Enable ingress | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin&auth_type=basic"` | Gafaelfawr auth query string | +| ingress.path | string | `"/noteburst"` | Path prefix where noteburst is hosted | +| nameOverride | string | `""` | Override the base name for resources | 
+| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | Annotations for API and worker pods | +| redis.auth.enabled | bool | `false` | | +| replicaCount | int | `1` | Number of API pods to run | +| resources | object | `{}` | | +| service.port | int | `80` | Port of the service to create and map to the ingress | +| service.type | string | `"ClusterIP"` | Type of service to create | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `""` | | +| tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/noteburst/README.md.gotmpl b/services/noteburst/README.md.gotmpl new file mode 100644 index 0000000000..18ae54f339 --- /dev/null +++ b/services/noteburst/README.md.gotmpl @@ -0,0 +1,11 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/noteburst/templates/NOTES.txt b/services/noteburst/templates/NOTES.txt new file mode 100644 index 0000000000..4040d0b8b2 --- /dev/null +++ b/services/noteburst/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "noteburst.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "noteburst.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "noteburst.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "noteburst.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/services/noteburst/templates/_helpers.tpl b/services/noteburst/templates/_helpers.tpl new file mode 100644 index 0000000000..b4ce5c66f4 --- /dev/null +++ b/services/noteburst/templates/_helpers.tpl 
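Review bot: The ingress branch of these notes iterates `.Values.ingress.hosts` and tests `.Values.ingress.tls`, but the values.yaml added in this commit defines neither; the host comes from `globals.host` and the prefix from `ingress.path`, so with the default `ingress.enabled: true` the notes print no URL at all. Replacing the two `range` loops with a single line, `  https://{{ .Values.globals.host }}{{ .Values.ingress.path }}`, gives the operator the address the ingress.yaml template actually publishes. The NodePort/LoadBalancer/ClusterIP branches are chart-scaffold output; they render, but they describe service types this Argo CD-managed deployment does not use, so trimming them would keep the notes accurate.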
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "noteburst.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "noteburst.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "noteburst.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "noteburst.labels" -}} +helm.sh/chart: {{ include "noteburst.chart" . }} +{{ include "noteburst.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "noteburst.selectorLabels" -}} +app.kubernetes.io/name: {{ include "noteburst.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "noteburst.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "noteburst.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/services/noteburst/templates/configmap.yaml b/services/noteburst/templates/configmap.yaml new file mode 100644 index 0000000000..f0b054a563 --- /dev/null +++ b/services/noteburst/templates/configmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "noteburst.fullname" . }} + labels: + {{- include "noteburst.labels" . | nindent 4 }} +data: + SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} + NOTEBURST_PATH_PREFIX: {{ .Values.ingress.path | quote }} + NOTEBURST_ENVIRONMENT_URL: {{ .Values.globals.baseUrl | quote }} + NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" diff --git a/services/noteburst/templates/deployment.yaml b/services/noteburst/templates/deployment.yaml new file mode 100644 index 0000000000..de23bbeea3 --- /dev/null +++ b/services/noteburst/templates/deployment.yaml 
@@ -0,0 +1,77 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "noteburst.fullname" . }} + labels: + {{- include "noteburst.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "noteburst.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "noteburst.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "noteburst.serviceAccountName" . }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + envFrom: + - configMapRef: + name: {{ include "noteburst.fullname" . }} + env: + - name: "NOTEBURST_GAFAELFAWR_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "noteburst.fullname" . }}-gafaelfawr-token + key: "token" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
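Review bot: The pod-level `securityContext` sets `runAsNonRoot`, `runAsUser` and `runAsGroup` and the container drops all capabilities with a read-only root filesystem, but neither level sets a seccomp profile; adding `seccompProfile:` / `  type: RuntimeDefault` under the pod `securityContext:` completes the set of fields the Kubernetes restricted Pod Security Standard checks for. Note that with `readOnlyRootFilesystem: true` and no emptyDir volume the container has no writable scratch space at all; if noteburst writes to /tmp at runtime an `emptyDir` mount is needed here, which I cannot tell from the chart. The two probes hit `/` while `NOTEBURST_PATH_PREFIX` is set to `ingress.path` in configmap.yaml; worth confirming the app serves a health endpoint at the root and not only under the prefix.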
diff --git a/services/noteburst/templates/gafaelfawrtoken.yaml b/services/noteburst/templates/gafaelfawrtoken.yaml new file mode 100644 index 0000000000..7113fdc3e9 --- /dev/null +++ b/services/noteburst/templates/gafaelfawrtoken.yaml @@ -0,0 +1,11 @@ +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrServiceToken +metadata: + name: {{ include "noteburst.fullname" . }}-gafaelfawr-token + labels: + {{- include "noteburst.labels" . | nindent 4 }} +spec: + service: "noteburst" + scopes: + - "admin:token" + - "exec:admin" diff --git a/services/noteburst/templates/hpa.yaml b/services/noteburst/templates/hpa.yaml new file mode 100644 index 0000000000..6aa4c907a0 --- /dev/null +++ b/services/noteburst/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "noteburst.fullname" . }} + labels: + {{- include "noteburst.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "noteburst.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/services/noteburst/templates/ingress.yaml b/services/noteburst/templates/ingress.yaml new file mode 100644 index 0000000000..68020ae8b7 --- /dev/null +++ b/services/noteburst/templates/ingress.yaml 
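Review bot: The service token requests the `admin:token` and `exec:admin` scopes with no comment on what each is needed for, and the resulting secret is mounted as `NOTEBURST_GAFAELFAWR_TOKEN` into both the API pods and the worker pods in this commit, so every pod holds the full scope set. A short comment above `scopes:` naming the operation that needs each scope (for instance which one the worker uses to acquire the identities listed in `config.worker.identities`) would let a reviewer confirm least privilege and notice when a scope stops being needed.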
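Review bot: `apiVersion: autoscaling/v2beta1` is a deprecated HorizontalPodAutoscaler version that is removed in Kubernetes 1.25, and the `targetAverageUtilization` field in both metric entries belongs to that schema; since `autoscaling.enabled` defaults to false in values.yaml this is latent, but it will fail to apply the first time autoscaling is switched on against a current cluster. The `autoscaling/v2` schema expresses the same metric as a `target` block with `type: Utilization`, shown below for the cpu entry; the memory entry changes the same way.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, spec.scaleTargetRef, minReplicas, maxReplicas …
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
# … unchanged: the memory metric, with the same target block around targetMemoryUtilizationPercentage …
```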
@@ -0,0 +1,31 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "noteburst.fullname" . }} + labels: + {{- include "noteburst.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: nginx + {{- if .Values.ingress.gafaelfawrAuthQuery }} + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + rules: + - host: {{ required "globals.host must be set" .Values.globals.host | quote }} + http: + paths: + - path: {{ .Values.ingress.path }} + pathType: "Prefix" + backend: + service: + name: {{ template "noteburst.fullname" . }} + port: + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/noteburst/templates/service.yaml b/services/noteburst/templates/service.yaml new file mode 100644 index 0000000000..7a2c392379 --- /dev/null +++ b/services/noteburst/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "noteburst.fullname" . }} + labels: + {{- include "noteburst.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "noteburst.selectorLabels" . | nindent 4 }} diff --git a/services/noteburst/templates/serviceaccount.yaml b/services/noteburst/templates/serviceaccount.yaml new file mode 100644 index 0000000000..5035d4622b --- /dev/null +++ b/services/noteburst/templates/serviceaccount.yaml 
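Review bot: The Gafaelfawr `auth-url`/`auth-signin` annotations are only emitted inside `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, so an environment that overrides `ingress.gafaelfawrAuthQuery` to an empty string silently publishes an unauthenticated ingress, whereas `globals.host` a few lines down is guarded with `required`; the query deserves the same guard, e.g. `nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}"` with the surrounding `if` dropped, unless an unauthenticated mode is a deliberate, documented option. Separately, `kubernetes.io/ingress.class: nginx` is the deprecated annotation form for a `networking.k8s.io/v1` Ingress; `ingressClassName: nginx` under `spec:` is the current field. `path: {{ .Values.ingress.path }}` is the one unquoted templated value in the block; `| quote` would match the rest of the file.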
@@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "noteburst.serviceAccountName" . }} + labels: + {{- include "noteburst.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/services/noteburst/templates/tests/test-connection.yaml b/services/noteburst/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..c83e8c28ff --- /dev/null +++ b/services/noteburst/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "noteburst.fullname" . }}-test-connection" + labels: + {{- include "noteburst.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "noteburst.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/services/noteburst/templates/vaultsecret.yaml b/services/noteburst/templates/vaultsecret.yaml new file mode 100644 index 0000000000..4191ac2b8c --- /dev/null +++ b/services/noteburst/templates/vaultsecret.yaml @@ -0,0 +1,9 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ include "noteburst.fullname" . }} + labels: + {{- include "noteburst.labels" . | nindent 4 }} +spec: + path: "{{ .Values.globals.vaultSecretsPath }}/noteburst" + type: Opaque diff --git a/services/noteburst/templates/worker-configmap.yaml b/services/noteburst/templates/worker-configmap.yaml new file mode 100644 index 0000000000..9ff110cd97 --- /dev/null +++ b/services/noteburst/templates/worker-configmap.yaml 
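Review bot: `image: busybox` in the test pod carries no tag or digest, so every `helm test` run pulls whatever `latest` resolves to at that moment; pinning it (`image: busybox:<tag>` or an `@sha256:` digest) keeps the test reproducible and removes a floating third-party image from the release. The test pod also has no `securityContext`, unlike the API deployment in this commit; since it only runs `wget` against the Service, the same non-root, no-capabilities settings could be applied to it at no cost.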
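Review bot: `path: "{{ .Values.globals.vaultSecretsPath }}/noteburst"` reads a global this chart never defines: values.yaml declares `globals.vaultSecretsPathPrefix`, and the Argo CD Application template in this commit injects `globals.vaultSecretsPathPrefix`, so this renders as `path: "/noteburst"` and the VaultSecret points at the wrong Vault path. It should read `path: "{{ required "globals.vaultSecretsPathPrefix must be set" .Values.globals.vaultSecretsPathPrefix }}/noteburst"`, mirroring the `required` guard used for `globals.host` in ingress.yaml, so a missing prefix fails at render time instead of at runtime.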
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "noteburst.fullname" . }}-worker + labels: + {{- include "noteburst.labels" . | nindent 4 }} +data: + SAFIR_PROFILE: {{ .Values.config.profile | quote }} + SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} + NOTEBURST_ENVIRONMENT_URL: {{ .Values.globals.baseUrl | quote }} + NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" + NOTEBURST_WORKER_LOCK_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/1" diff --git a/services/noteburst/templates/worker-deployment.yaml b/services/noteburst/templates/worker-deployment.yaml new file mode 100644 index 0000000000..7e5611a687 --- /dev/null +++ b/services/noteburst/templates/worker-deployment.yaml 
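Review bot: `SAFIR_PROFILE: {{ .Values.config.profile | quote }}` reads `config.profile`, which the values.yaml in this commit does not declare, so the worker ConfigMap renders `SAFIR_PROFILE: ""`, while the API ConfigMap in configmap.yaml does not set the variable at all. Either add `profile` under `config:` in values.yaml with a documented default, or drop the line here, so the two ConfigMaps agree on what the application sees. The Redis host and port expression is also duplicated verbatim between this file and configmap.yaml; a small named template in _helpers.tpl would keep it in one place.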
@@ -0,0 +1,71 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "noteburst.fullname" . }}-worker + labels: + {{- include "noteburst.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.config.worker.workerCount }} + {{- end }} + selector: + matchLabels: + {{- include "noteburst.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/worker-configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "noteburst.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "noteburst.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["arq"] + args: ["noteburst.worker.main.WorkerSettings"] + resources: + {{- toYaml .Values.resources | nindent 12 }} + envFrom: + - configMapRef: + name: {{ include "noteburst.fullname" . }}-worker + env: + - name: "NOTEBURST_GAFAELFAWR_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "noteburst.fullname" . }}-gafaelfawr-token + key: "token" + - name: "NOTEBURST_WORKER_IDENTITIES_PATH" + value: "/etc/noteburst/identities.yaml" + volumeMounts: + - name: "identities" + mountPath: "/etc/noteburst" + readOnly: true + volumes: + - name: "identities" + configMap: + name: {{ include "noteburst.fullname" . }}-worker-identities + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/noteburst/templates/worker-identities-configmap.yaml b/services/noteburst/templates/worker-identities-configmap.yaml new file mode 100644 index 0000000000..cff6f95d8a --- /dev/null +++ b/services/noteburst/templates/worker-identities-configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "noteburst.fullname" . }}-worker-identities + labels: + {{- include "noteburst.labels" . | nindent 4 }} +data: + identities.yaml: | + {{- toYaml .Values.config.worker.identities | nindent 4 }} diff --git a/services/noteburst/values-base.yaml b/services/noteburst/values-base.yaml deleted file mode 100644 index 4257454135..0000000000 --- a/services/noteburst/values-base.yaml +++ /dev/null @@ -1,17 +0,0 @@ -noteburst: - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "base-lsp.lsst.codes" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes/noteburst" - -pull-secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret diff --git a/services/noteburst/values-idfdev.yaml b/services/noteburst/values-idfdev.yaml index 79aa8df89c..c88d8a3d2c 100644 --- a/services/noteburst/values-idfdev.yaml +++ b/services/noteburst/values-idfdev.yaml 
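Review bot: The worker Deployment's `matchLabels` and pod labels are the same `noteburst.selectorLabels` that the API Deployment and the Service in this commit use, so the Service selects worker pods as well; the workers run `arq`, declare no port and no readiness probe, so they count as Ready and will receive a share of the ingress traffic, which then fails. Both Deployments need a distinguishing label such as `app.kubernetes.io/component` in their selectors and pod labels, and service.yaml must select the API component — those two files are outside this hunk. Second, the pod and container `securityContext` are rendered from `.Values.podSecurityContext` and `.Values.securityContext`, neither of which values.yaml defines, so the worker runs with `securityContext: null` while the API pod hard-codes `runAsNonRoot`, dropped capabilities and a read-only root filesystem; the worker should carry the same settings (confirm the worker needs no writable filesystem before keeping `readOnlyRootFilesystem`). The rewritten lines below cover both points for this file.
```yaml
  selector:
    matchLabels:
      {{- include "noteburst.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: worker
  template:
    metadata:
      # … unchanged: annotations …
      labels:
        {{- include "noteburst.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: worker
    spec:
      # … unchanged: imagePullSecrets, serviceAccountName …
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          # … unchanged: image, command, args, resources, envFrom, env, volumeMounts …
```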
@@ -1,27 +1,11 @@ -noteburst: - image: - pullPolicy: Always - tag: tickets-DM-33025 - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "data-dev.lsst.cloud" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/noteburst" - config: - environmentUrl: "https://data-dev.lsst.cloud" - worker: - workerCount: 1 - identities: - - uuid: 90000 - username: "noteburst90000" +# Uncomment image to enable development builds +# image: +# pullPolicy: Always +# tag: tickets-DM-33025 -pull-secret: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret +config: + worker: + workerCount: 1 + identities: + - uuid: 90000 + username: "noteburst90000" diff --git a/services/noteburst/values-idfint.yaml b/services/noteburst/values-idfint.yaml deleted file mode 100644 index 74bd2e783a..0000000000 --- a/services/noteburst/values-idfint.yaml +++ /dev/null @@ -1,17 +0,0 @@ -noteburst: - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "data-int.lsst.cloud" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/noteburst" - -pull-secret: - enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/pull-secret diff --git a/services/noteburst/values-idfprod.yaml b/services/noteburst/values-idfprod.yaml deleted file mode 100644 index 4a705c588a..0000000000 --- a/services/noteburst/values-idfprod.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -noteburst: - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "data.lsst.cloud" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/noteburst" - -pull-secret: - enabled: true - path: secret/k8s_operator/data.lsst.cloud/pull-secret diff --git a/services/noteburst/values-int.yaml b/services/noteburst/values-int.yaml deleted file mode 100644 index 1186b1186f..0000000000 --- a/services/noteburst/values-int.yaml +++ /dev/null @@ -1,17 +0,0 @@ -noteburst: - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "lsst-lsp-int.ncsa.illinois.edu" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/noteburst" - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret diff --git a/services/noteburst/values-minikube.yaml b/services/noteburst/values-minikube.yaml deleted file mode 100644 index 4c309318e2..0000000000 --- a/services/noteburst/values-minikube.yaml +++ /dev/null @@ -1,27 +0,0 @@ -noteburst: - image: - pullPolicy: Always - tag: tickets-DM-33025 - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "minikube.lsst.codes" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/noteburst" - config: - environmentUrl: "https://minikube.lsst.cloud" - worker: - workerCount: 1 - identities: - - uuid: 90000 - username: "noteburst90000" - -pull-secret: - enabled: true - path: secret/k8s_operator/minikube.lsst.codes/pull-secret diff --git a/services/noteburst/values-red-five.yaml b/services/noteburst/values-red-five.yaml deleted file mode 100644 index 166bea6aad..0000000000 
--- a/services/noteburst/values-red-five.yaml +++ /dev/null @@ -1,17 +0,0 @@ -noteburst: - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "red-five.lsst.codes" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/noteburst" - -pull-secret: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret diff --git a/services/noteburst/values-stable.yaml b/services/noteburst/values-stable.yaml deleted file mode 100644 index 7ae818681c..0000000000 --- a/services/noteburst/values-stable.yaml +++ /dev/null @@ -1,17 +0,0 @@ -noteburst: - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "lsst-lsp-stable.ncsa.illinois.edu" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/noteburst" - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret diff --git a/services/noteburst/values-summit.yaml b/services/noteburst/values-summit.yaml deleted file mode 100644 index 5515a94d7f..0000000000 --- a/services/noteburst/values-summit.yaml +++ /dev/null @@ -1,17 +0,0 @@ -noteburst: - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "summit-lsp.lsst.codes" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes/noteburst" - -pull-secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret diff --git a/services/noteburst/values-tucson-teststand.yaml b/services/noteburst/values-tucson-teststand.yaml deleted file mode 100644 index b1322b5547..0000000000 --- a/services/noteburst/values-tucson-teststand.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -noteburst: - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "tucson-teststand.lsst.codes" - paths: - - path: "/noteburst" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/tucson-teststand.lsst.codes/noteburst" - -pull-secret: - enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml new file mode 100644 index 0000000000..4db6dec4ab --- /dev/null +++ b/services/noteburst/values.yaml 
@@ -0,0 +1,116 @@ +# Default values for noteburst. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +# +# Global parameters will be set by parameters injected by Argo CD and should +# not be set in the individual environment values files. +globals: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPathPrefix: "" + +# -- Number of API pods to run +replicaCount: 1 + +image: + # -- Noteburst image repository + repository: ghcr.io/lsst-sqre/noteburst + + # -- Image pull policy + pullPolicy: IfNotPresent + + # -- Tag of the image + # @default -- The appVersion of the chart + tag: "" + +# -- Secret names to use for all Docker pulls +imagePullSecrets: [] + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +serviceAccount: + # -- Specifies whether a service account should be created + create: true + + # -- Annotations to add to the service account + annotations: {} + + # The name of the service account to use. + # @default -- Generated using the fullname template + name: "" + +# -- Annotations for API and worker pods +podAnnotations: {} + +service: + # -- Type of service to create + type: ClusterIP + + # -- Port of the service to create and map to the ingress + port: 80 + +ingress: + # -- Enable ingress + enabled: true + + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=exec:admin&auth_type=basic" + + # -- Additional annotations to add to the ingress + annotations: {} + + # -- Path prefix where noteburst is hosted + path: "/noteburst" + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. 
This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +config: + # -- Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" + logLevel: "INFO" + + worker: + # -- Science Platform user identities that workers can acquire. Each item + # is an object with username and uuid keys + identities: [] + + # -- Number of workers to run + workerCount: 1 + +redis: + auth: + enabled: false From d952dbf1a4c2b6a357b7c4ebaaf71727044d3b86 Mon Sep 17 00:00:00 2001 
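Review bot: `redis.auth.enabled: false` at the end of this hunk deploys the Redis dependency without authentication, so any pod that can reach the Redis service can read or enqueue whatever noteburst stores there (presumably worker jobs, given the `config.worker` block), and no NetworkPolicy for Redis is visible in this commit. Prefer enabling auth with a password delivered through the chart's VaultSecret, or document which policy restricts access to the Redis pod. Separately, the `serviceAccount.name` comment is written as `# The name of the service account to use.` instead of with the `# --` prefix every other key uses, so helm-docs will leave it out of the README; change it to `# -- The name of the service account to use`.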
From: Jonathan Sick Date: Tue, 22 Mar 2022 17:58:57 -0400 Subject: [PATCH 0103/1479] Migrate times-square charts into phalanx The times-square and times-square-ui charts are now manually-maintained sub-charts within a top-level times-square chart. Also take advantage of Helm globals set on the argo cd Application for Vault and ingress host/baseUrl configurations. --- .../templates/times-square-application.yaml | 32 ++-- services/noteburst/templates/vaultsecret.yaml | 2 +- services/times-square/Chart.yaml | 15 +- services/times-square/README.md | 25 ++++ services/times-square/README.md.gotmpl | 11 ++ .../charts/times-square-ui/Chart.yaml | 18 +++ .../charts/times-square-ui/README.md | 42 ++++++ .../charts/times-square-ui/README.md.gotmpl | 11 ++ .../times-square-ui/templates/_helpers.tpl | 51 +++++++ .../times-square-ui/templates/configmap.yaml | 17 +++ .../times-square-ui/templates/deployment.yaml | 81 +++++++++++ .../charts/times-square-ui/templates/hpa.yaml | 28 ++++ .../times-square-ui/templates/ingress.yaml | 35 +++++ .../templates/networkpolicy.yaml | 23 +++ .../times-square-ui/templates/service.yaml | 15 ++ .../charts/times-square-ui/values.yaml | 91 ++++++++++++ .../charts/times-square/Chart.yaml | 22 +++ .../charts/times-square/README.md | 59 ++++++++ .../charts/times-square/README.md.gotmpl | 11 ++ .../times-square/templates/_helpers.tpl | 63 ++++++++ .../times-square/templates/configmap.yaml | 14 ++ .../times-square/templates/deployment.yaml | 104 +++++++++++++ .../templates/gafaelfawrtoken.yaml | 11 ++ .../charts/times-square/templates/hpa.yaml | 28 ++++ .../times-square/templates/ingress.yaml | 35 +++++ .../times-square/templates/networkpolicy.yaml | 23 +++ .../times-square/templates/service.yaml | 15 ++ .../templates/serviceaccount.yaml | 15 ++ .../times-square/templates/vault-secret.yaml | 9 ++ .../charts/times-square/values.yaml | 137 ++++++++++++++++++ services/times-square/values-idfdev.yaml | 14 +- services/times-square/values.yaml | 33 +++++ 32 
files changed, 1060 insertions(+), 30 deletions(-) create mode 100644 services/times-square/README.md create mode 100644 services/times-square/README.md.gotmpl create mode 100644 services/times-square/charts/times-square-ui/Chart.yaml create mode 100644 services/times-square/charts/times-square-ui/README.md create mode 100644 services/times-square/charts/times-square-ui/README.md.gotmpl create mode 100644 services/times-square/charts/times-square-ui/templates/_helpers.tpl create mode 100644 services/times-square/charts/times-square-ui/templates/configmap.yaml create mode 100644 services/times-square/charts/times-square-ui/templates/deployment.yaml create mode 100644 services/times-square/charts/times-square-ui/templates/hpa.yaml create mode 100644 services/times-square/charts/times-square-ui/templates/ingress.yaml create mode 100644 services/times-square/charts/times-square-ui/templates/networkpolicy.yaml create mode 100644 services/times-square/charts/times-square-ui/templates/service.yaml create mode 100644 services/times-square/charts/times-square-ui/values.yaml create mode 100644 services/times-square/charts/times-square/Chart.yaml create mode 100644 services/times-square/charts/times-square/README.md create mode 100644 services/times-square/charts/times-square/README.md.gotmpl create mode 100644 services/times-square/charts/times-square/templates/_helpers.tpl create mode 100644 services/times-square/charts/times-square/templates/configmap.yaml create mode 100644 services/times-square/charts/times-square/templates/deployment.yaml create mode 100644 services/times-square/charts/times-square/templates/gafaelfawrtoken.yaml create mode 100644 services/times-square/charts/times-square/templates/hpa.yaml create mode 100644 services/times-square/charts/times-square/templates/ingress.yaml create mode 100644 services/times-square/charts/times-square/templates/networkpolicy.yaml create mode 100644 services/times-square/charts/times-square/templates/service.yaml create 
mode 100644 services/times-square/charts/times-square/templates/serviceaccount.yaml create mode 100644 services/times-square/charts/times-square/templates/vault-secret.yaml create mode 100644 services/times-square/charts/times-square/values.yaml create mode 100644 services/times-square/values.yaml diff --git a/science-platform/templates/times-square-application.yaml b/science-platform/templates/times-square-application.yaml index a52868191a..5e8d94e211 100644 --- a/science-platform/templates/times-square-application.yaml +++ b/science-platform/templates/times-square-application.yaml @@ -2,28 +2,36 @@ apiVersion: v1 kind: Namespace metadata: - name: times-square + name: "times-square" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: times-square - namespace: argocd + name: "times-square" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: times-square - server: https://kubernetes.default.svc - project: default + namespace: "times-square" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/times-square - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/times-square" + repoURL: {{ .Values.repoURL |quote }} + targetRevision: {{ .Values.revision | quote }} helm: + parameters: + - name: "globals.host" + value: {{ .Values.fqdn | quote }} + - name: "globals.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "globals.vaultSecretsPathPrefix" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/noteburst/templates/vaultsecret.yaml b/services/noteburst/templates/vaultsecret.yaml index 4191ac2b8c..801c671071 100644 --- a/services/noteburst/templates/vaultsecret.yaml 
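Review bot: `repoURL: {{ .Values.repoURL |quote }}` is missing the space before the pipe target that the sibling `targetRevision: {{ .Values.revision | quote }}` line has; Go templates accept both, but the inconsistency reads as a typo, so write `repoURL: {{ .Values.repoURL | quote }}`. The closing `{{- end -}}` belongs to a conditional that starts outside the hunk.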
+++ b/services/noteburst/templates/vaultsecret.yaml @@ -5,5 +5,5 @@ metadata: labels: {{- include "noteburst.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPath }}/noteburst" + path: "{{ .Values.globals.vaultSecretsPathPrefix }}/noteburst" type: Opaque diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 4ce2d58427..7594bc7664 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -1,10 +1,11 @@ apiVersion: v2 name: times-square version: 1.0.0 -dependencies: - - name: times-square - version: 0.1.8 - repository: https://lsst-sqre.github.io/charts/ - - name: times-square-ui - version: 0.1.0-alpha.2 - repository: https://lsst-sqre.github.io/charts/ +description: | + A parameterized notebook web viewer for the Rubin Science Platform. + + See the embedded Helm sub-charts for additional configuration docs: + + - [`times-square` (API)](charts/times-square) + - [`times-square-ui` (Next.js / React front-end)](charts/times-square-ui) +type: application diff --git a/services/times-square/README.md b/services/times-square/README.md new file mode 100644 index 0000000000..17f21ffd6f --- /dev/null +++ b/services/times-square/README.md 
@@ -0,0 +1,25 @@ +# times-square + +A parameterized notebook web viewer for the Rubin Science Platform. + +See the embedded Helm sub-charts for additional configuration docs: + +- [`times-square` (API)](charts/times-square) +- [`times-square-ui` (Next.js / React front-end)](charts/times-square-ui) + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| globals.baseUrl | string | Set by times-square Argo CD Application | Base URL for the environment | +| globals.host | string | Set by times-square Argo CD Application | Host name for ingress | +| globals.vaultSecretsPathPrefix | string | Set by times-square Argo CD Application | Base path for Vault secrets | +| times-square-ui.fullnameOverride | string | `"times-square-ui"` | | +| times-square-ui.image.pullPolicy | string | `"IfNotPresent"` | | +| times-square-ui.image.tag | string | `"tickets-DM-34030"` | | +| times-square.fullnameOverride | string | `"times-square"` | | +| times-square.image.pullPolicy | string | `"IfNotPresent"` | | +| times-square.image.tag | string | `"tickets-DM-34030"` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/times-square/README.md.gotmpl b/services/times-square/README.md.gotmpl new file mode 100644 index 0000000000..18ae54f339 --- /dev/null +++ b/services/times-square/README.md.gotmpl @@ -0,0 +1,11 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/times-square/charts/times-square-ui/Chart.yaml b/services/times-square/charts/times-square-ui/Chart.yaml new file mode 100644 index 0000000000..ab34aa66fe --- /dev/null +++ b/services/times-square/charts/times-square-ui/Chart.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v2 +description: The front-end for Times Square, a parameterized notebook web viewer for the Rubin Science Platform +name: times-square-ui +type: application +sources: + - https://github.com/lsst-sqre/times-square-ui +maintainers: + - name: jonathansick + url: https://github.com/jonathansick + +# The chart version. This is not used in practice since the Helm chart is +# not published. +version: 1.0.0 + +# The app's version corresponding to the image tag. +# Use times-square-ui.image.tag to manage this from the top-level values +# instead. +appVersion: "1.0.0" diff --git a/services/times-square/charts/times-square-ui/README.md b/services/times-square/charts/times-square-ui/README.md new file mode 100644 index 0000000000..00c648d5e3 --- /dev/null +++ b/services/times-square/charts/times-square-ui/README.md 
@@ -0,0 +1,42 @@ +# times-square-ui + +The front-end for Times Square, a parameterized notebook web viewer for the Rubin Science Platform + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the times-square-ui deployment pod | +| autoscaling.enabled | bool | `false` | Enable autoscaling of times-square-ui deployment | +| autoscaling.maxReplicas | int | `100` | Maximum number of times-square-ui deployment pods | +| autoscaling.minReplicas | int | `1` | Minimum number of times-square-ui deployment pods | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of times-square-ui deployment pods | +| config.semaphorePath | string | `nil` | Semaphore API URL path (default is no Semaphore integration) | +| config.siteDescription | string | `"Times Square hosts Jupyter Notebooks that are rendered on the fly on the Rubin Science Platform."` | Description, used in HTML metadata | +| config.siteName | string | `"Times Square"` | Name, used in the HTML header | +| config.timesSquareApiPath | string | `"/times-square/api"` | Times Square API URL path | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| image.pullPolicy | string | `"Always"` | Pull policy for the times-square-ui image | +| image.repository | string | `"ghcr.io/lsst-sqre/times-square-ui"` | Image to use in the times-square-ui deployment | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. 
| +| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.enabled | bool | `true` | Create an ingress resource | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:notebook&auth_type=basic"` | Gafaelfawr auth query string | +| ingress.path | string | `"/times-square"` | URL path to dispatch to the times-square-ui deployment pod | +| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selection rules for the times-square-ui deployment pod | +| podAnnotations | object | `{}` | Annotations for the times-square-ui deployment pod | +| replicaCount | int | `1` | Number of web deployment pods to start | +| resources | object | `{}` | Resource limits and requests for the times-square-ui deployment pod | +| service.port | int | `8080` | Port of the service to create and map to the ingress | +| service.type | string | `"ClusterIP"` | Type of service to create | +| tolerations | list | `[]` | Tolerations for the times-square-ui deployment pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/times-square/charts/times-square-ui/README.md.gotmpl b/services/times-square/charts/times-square-ui/README.md.gotmpl new file mode 100644 index 0000000000..18ae54f339 --- /dev/null +++ b/services/times-square/charts/times-square-ui/README.md.gotmpl @@ -0,0 +1,11 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} 
diff --git a/services/times-square/charts/times-square-ui/templates/_helpers.tpl b/services/times-square/charts/times-square-ui/templates/_helpers.tpl
new file mode 100644
index 0000000000..bc266e59b8
--- /dev/null
+++ b/services/times-square/charts/times-square-ui/templates/_helpers.tpl
@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "times-square-ui.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "times-square-ui.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "times-square-ui.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "times-square-ui.labels" -}}
+helm.sh/chart: {{ include "times-square-ui.chart" . }}
+{{ include "times-square-ui.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "times-square-ui.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "times-square-ui.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/services/times-square/charts/times-square-ui/templates/configmap.yaml b/services/times-square/charts/times-square-ui/templates/configmap.yaml new file mode 100644 index 0000000000..7a7aa595c8 --- /dev/null +++ b/services/times-square/charts/times-square-ui/templates/configmap.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "times-square-ui.fullname" . }} + labels: + {{- include "times-square-ui.labels" . | nindent 4 }} +data: + times-square.config.yaml: | + siteName: {{ .Values.config.siteName | quote }} + siteDescription: | + {{ .Values.config.siteDescription }} + baseUrl: "{{ .Values.globals.baseUrl }}{{ .Values.ingress.path }}" + timesSquareApiUrl: "{{ .Values.globals.baseUrl }}{{ .Values.config.timesSquareApiPath }}" + {{- if .Values.config.semaphoreUrl }} + semaphoreUrl: "{{ .Values.globals.baseUrl }}{{ .Values.config.semaphorePath }}" + {{ .Values.config.semaphoreUrl }} + {{- end}} diff --git a/services/times-square/charts/times-square-ui/templates/deployment.yaml b/services/times-square/charts/times-square-ui/templates/deployment.yaml new file mode 100644 index 0000000000..f48c55f006 --- /dev/null +++ b/services/times-square/charts/times-square-ui/templates/deployment.yaml 
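Review bot: the ConfigMap's Semaphore block tests `{{- if .Values.config.semaphoreUrl }}` but the sub-chart's values file only defines `config.semaphorePath`, so the `semaphoreUrl` line is never rendered even when a path is configured, and the stray `{{ .Values.config.semaphoreUrl }}` line inside the block would inject a bare scalar into the embedded YAML if it ever did fire. Change the guard to `{{- if .Values.config.semaphorePath }}`, delete the stray expression line, and write the closer as `{{- end }}` to match the rest of the chart. The `siteDescription: |` block scalar also assumes the substituted text has no line indented less than the template's own indentation; passing the value through `nindent` at that depth, or `| quote` on a plain key, would make a multi-line description safe.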
@@ -0,0 +1,81 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "times-square-ui.fullname" . }} + labels: + {{- include "times-square-ui.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "times-square-ui.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "times-square-ui.selectorLabels" . | nindent 8 }} + spec: + automountServiceAccountToken: false + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 3000 + protocol: TCP + livenessProbe: + httpGet: + path: "{{ .Values.ingress.path }}/" + port: http + readinessProbe: + httpGet: + path: "{{ .Values.ingress.path }}/" + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + env: + - name: "TS_CONFIG_PATH" + value: "/etc/times-square/times-square.config.yaml" + volumeMounts: + - name: "config" + mountPath: "/etc/times-square" + - name: "next-image-cache" + mountPath: "/app/.next/cache/images" + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: "config" + configMap: + name: {{ include "times-square-ui.fullname" . 
}} + - name: "next-image-cache" + emptyDir: {} diff --git a/services/times-square/charts/times-square-ui/templates/hpa.yaml b/services/times-square/charts/times-square-ui/templates/hpa.yaml new file mode 100644 index 0000000000..0edfe0c0fe --- /dev/null +++ b/services/times-square/charts/times-square-ui/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "times-square-ui.fullname" . }} + labels: + {{- include "times-square-ui.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "times-square-ui.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/services/times-square/charts/times-square-ui/templates/ingress.yaml b/services/times-square/charts/times-square-ui/templates/ingress.yaml new file mode 100644 index 0000000000..319b607196 --- /dev/null +++ b/services/times-square/charts/times-square-ui/templates/ingress.yaml 
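Review bot: `drop: - all` under the container securityContext uses the lowercase spelling while the Kubernetes API documents the capability set as `ALL`; write `- ALL` so it matches the documented form. The pod-level securityContext is otherwise a good baseline (non-root, read-only root filesystem, no mounted service-account token); adding `seccompProfile:` / `type: RuntimeDefault` beneath it would complete the restricted profile. Both probes hit `{{ .Values.ingress.path }}/`, so the pod is reported unhealthy if the ingress path ever diverges from the path the Next.js app is built to serve — a comment stating that coupling would help the next maintainer.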
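Review bot: `apiVersion: autoscaling/v2beta1` is a deprecated HPA API that was removed in Kubernetes 1.25, and its `targetAverageUtilization` field does not exist in `autoscaling/v2`, so this template will stop rendering a valid object once the clusters upgrade. The diffstat lists a `times-square/templates/hpa.yaml` of the same size in this commit, which likely needs the same change.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```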
@@ -0,0 +1,35 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "times-square-ui.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "times-square-ui.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- if .Values.ingress.gafaelfawrAuthQuery }} + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + rules: + - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + http: + paths: + - path: {{ .Values.ingress.path }} + pathType: {{ default "Prefix" .Values.ingress.pathType }} + backend: + service: + name: {{ $fullName }} + port: + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/times-square/charts/times-square-ui/templates/networkpolicy.yaml b/services/times-square/charts/times-square-ui/templates/networkpolicy.yaml new file mode 100644 index 0000000000..f52e9ff245 --- /dev/null +++ b/services/times-square/charts/times-square-ui/templates/networkpolicy.yaml 
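Review bot: `host: {{ required "ingress.host must be set" .Values.ingress.host | quote }}` reads a key the sub-chart's values file never defines, while this same commit wires `globals.host` into the Application for exactly this purpose, so rendering fails with the `required` message unless an environment values file (not in this chunk) happens to set `ingress.host`; use `- host: {{ required "globals.host must be set" .Values.globals.host | quote }}`. `path: {{ .Values.ingress.path }}` is the one unquoted scalar in the rule — pass it through `| quote` like the annotation values. The `auth-response-headers` list forwards `X-Auth-Request-Token` to the front-end pod; if the UI only calls the API from the browser, dropping that header keeps the user's token out of a second service.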
@@ -0,0 +1,23 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "times-square-ui.fullname" . }} +spec: + podSelector: + matchLabels: + {{- include "times-square-ui.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 3000 +{{- end }} diff --git a/services/times-square/charts/times-square-ui/templates/service.yaml b/services/times-square/charts/times-square-ui/templates/service.yaml new file mode 100644 index 0000000000..4d126946f0 --- /dev/null +++ b/services/times-square/charts/times-square-ui/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "times-square-ui.fullname" . }} + labels: + {{- include "times-square-ui.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "times-square-ui.selectorLabels" . | nindent 4 }} diff --git a/services/times-square/charts/times-square-ui/values.yaml b/services/times-square/charts/times-square-ui/values.yaml new file mode 100644 index 0000000000..900107b89c --- /dev/null +++ b/services/times-square/charts/times-square-ui/values.yaml 
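Review bot: wrapping the NetworkPolicy in `{{- if .Values.ingress.enabled -}}` means that turning the ingress off also removes the only ingress restriction on the pod, leaving it reachable from any pod in the cluster under a default-allow namespace — the opposite of what disabling external access suggests. Render the policy unconditionally (drop the `{{- if` / `{{- end }}` pair), or render a policy with an empty `ingress:` list in the else branch so the pod stays closed. The times-square sub-chart's networkpolicy.yaml listed in the diffstat is not in this chunk and probably carries the same guard.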
@@ -0,0 +1,91 @@ +# Default values for times-square-ui. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of web deployment pods to start +replicaCount: 1 + +image: + # -- Image to use in the times-square-ui deployment + repository: ghcr.io/lsst-sqre/times-square-ui + + # -- Pull policy for the times-square-ui image + pullPolicy: Always + + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" + +# -- Secret names to use for all Docker pulls +imagePullSecrets: [] + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# -- Annotations for the times-square-ui deployment pod +podAnnotations: {} + +service: + # -- Type of service to create + type: ClusterIP + + # -- Port of the service to create and map to the ingress + port: 8080 + +ingress: + # -- Create an ingress resource + enabled: true + + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=exec:notebook&auth_type=basic" + + # -- Additional annotations for the ingress rule + annotations: {} + + # -- Path type for the ingress rule + pathType: ImplementationSpecific + + # -- URL path to dispatch to the times-square-ui deployment pod + path: "/times-square" + +# -- Resource limits and requests for the times-square-ui deployment pod +resources: {} + +autoscaling: + # -- Enable autoscaling of times-square-ui deployment + enabled: false + + # -- Minimum number of times-square-ui deployment pods + minReplicas: 1 + + # -- Maximum number of times-square-ui deployment pods + maxReplicas: 100 + + # -- Target CPU utilization of times-square-ui deployment pods + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- Node selection rules for the times-square-ui deployment pod +nodeSelector: {} + +# -- Tolerations for the times-square-ui deployment pod +tolerations: [] + +# -- Affinity rules for the 
times-square-ui deployment pod +affinity: {} + +# Configurations for the times-square-ui application +config: + # -- Name, used in the HTML header + siteName: "Times Square" + + # -- Description, used in HTML metadata + siteDescription: "Times Square hosts Jupyter Notebooks that are rendered on the fly on the Rubin Science Platform." + + # -- Semaphore API URL path (default is no Semaphore integration) + semaphorePath: null + + # -- Times Square API URL path + timesSquareApiPath: "/times-square/api" diff --git a/services/times-square/charts/times-square/Chart.yaml b/services/times-square/charts/times-square/Chart.yaml new file mode 100644 index 0000000000..8b8d9dec08 --- /dev/null +++ b/services/times-square/charts/times-square/Chart.yaml @@ -0,0 +1,22 @@ +description: A parameterized notebook web viewer for the Rubin Science Platform. +name: times-square +type: application +sources: + - https://github.com/lsst-sqre/times-square +maintainers: + - name: jonathansick + url: https://github.com/jonathansick + +# The chart version. +version: 1.0.0 + +# The app's version corresponding to the image tag. +# Use times-square.image.tag to manage this from the top-level values +# instead. +appVersion: "1.0.0" + +# Additional charts that this chart uses +dependencies: + - name: redis + version: 16.0.1 + repository: https://charts.bitnami.c diff --git a/services/times-square/charts/times-square/README.md b/services/times-square/charts/times-square/README.md new file mode 100644 index 0000000000..ea67b258e7 --- /dev/null +++ b/services/times-square/charts/times-square/README.md 
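Review bot: `charts/times-square/Chart.yaml` has no `apiVersion` line — the hunk header's 22 added lines are accounted for without one, and the sibling `times-square-ui/Chart.yaml` starts with `apiVersion: v2` — so Helm 3 will refuse to load the chart; add `apiVersion: v2` as the first line. The dependency's `repository: https://charts.bitnami.c` is also truncated (the generated README's Requirements table repeats the same value, so it is in the file rather than a rendering artifact); it should be the full Bitnami charts repository URL, presumably `https://charts.bitnami.com/bitnami`, or `helm dependency update` cannot resolve `redis` 16.0.1.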
@@ -0,0 +1,59 @@ +# times-square + +A parameterized notebook web viewer for the Rubin Science Platform. + +## Source Code + +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.bitnami.c | redis | 16.0.1 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the times-square deployment pod | +| autoscaling.enabled | bool | `false` | Enable autoscaling of times-square deployment | +| autoscaling.maxReplicas | int | `100` | Maximum number of times-square deployment pods | +| autoscaling.minReplicas | int | `1` | Minimum number of times-square deployment pods | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of times-square deployment pods | +| cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | +| cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | +| cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | +| cloudsql.image.tag | string | `"1.29.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | +| cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | +| config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | +| config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | +| config.name | string | `"times-square"` | Name of the service. 
| +| config.profile | string | `"production"` | Run profile: "production" or "development" | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| image.pullPolicy | string | `"Always"` | Pull policy for the times-square image | +| image.repository | string | `"ghcr.io/lsst-sqre/times-square"` | Image to use in the times-square deployment | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.enabled | bool | `true` | Create an ingress resource | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin&auth_type=basic"` | Gafaelfawr auth query string | +| ingress.path | string | `"/times-square/api"` | URL path to dispatch to the times-square deployment pod | +| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selection rules for the times-square deployment pod | +| podAnnotations | object | `{}` | Annotations for the times-square deployment pod | +| redis.auth.enabled | bool | `false` | | +| replicaCount | int | `1` | Number of web deployment pods to start | +| resources | object | `{}` | Resource limits and requests for the times-square deployment pod | +| service.port | int | `8080` | Port of the service to create and map to the ingress | +| service.type | string | `"ClusterIP"` | Type of service to create | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. If CloudSQL is in use, the annotation specifying the Google service account will also be added. | +| serviceAccount.create | bool | `false` | Force creation of a service account. Normally, no service account is used or mounted. 
If CloudSQL is enabled, a service account is always created regardless of this value. | +| serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | +| tolerations | list | `[]` | Tolerations for the times-square deployment pod | +| vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//times-square`, for example) | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/times-square/charts/times-square/README.md.gotmpl b/services/times-square/charts/times-square/README.md.gotmpl new file mode 100644 index 0000000000..18ae54f339 --- /dev/null +++ b/services/times-square/charts/times-square/README.md.gotmpl @@ -0,0 +1,11 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/times-square/charts/times-square/templates/_helpers.tpl b/services/times-square/charts/times-square/templates/_helpers.tpl new file mode 100644 index 0000000000..4fe2a60721 --- /dev/null +++ b/services/times-square/charts/times-square/templates/_helpers.tpl 
@@ -0,0 +1,63 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "times-square.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "times-square.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "times-square.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "times-square.labels" -}} +helm.sh/chart: {{ include "times-square.chart" . }} +{{ include "times-square.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "times-square.selectorLabels" -}} +app.kubernetes.io/name: {{ include "times-square.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "times-square.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.cloudsql.enabled }} +{{- default (include "times-square.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/services/times-square/charts/times-square/templates/configmap.yaml b/services/times-square/charts/times-square/templates/configmap.yaml new file mode 100644 index 0000000000..904426d029 --- /dev/null +++ b/services/times-square/charts/times-square/templates/configmap.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "times-square.fullname" . }} + labels: + {{- include "times-square.labels" . | nindent 4 }} +data: + SAFIR_NAME: {{ .Values.config.name | quote }} + SAFIR_PROFILE: {{ .Values.config.profile | quote }} + SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} + TS_ENVIRONMENT_URL: {{ .Values.globals.baseUrl | quote }} + TS_PATH_PREFIX: {{ .Values.ingress.path }} + TS_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} + TS_REDIS_URL: "redis://{{ include "times-square.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" diff --git a/services/times-square/charts/times-square/templates/deployment.yaml b/services/times-square/charts/times-square/templates/deployment.yaml new file mode 100644 index 0000000000..93754faf9b --- /dev/null +++ b/services/times-square/charts/times-square/templates/deployment.yaml 
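Review bot: `TS_PATH_PREFIX: {{ .Values.ingress.path }}` is the only entry in this ConfigMap rendered without `| quote`; a value starting with `/` is harmless today, but for consistency with the neighbouring keys and to avoid a bare-scalar surprise if the path is ever empty or starts with a YAML indicator, write `TS_PATH_PREFIX: {{ .Values.ingress.path | quote }}`. Separately, `TS_DATABASE_URL` lands in a ConfigMap, which is not a secret store: the deployment in this same commit injects the password through `TS_DATABASE_PASSWORD` from the Vault-backed Secret, so a comment on the values key should state that `config.databaseUrl` must not embed credentials (the idfdev value `postgresql://times-square@localhost/times-square` follows that rule, the template does not enforce it). The Redis URL is built without credentials and the chart defaults `redis.auth.enabled` to `false`; whether that is acceptable depends on what network policy covers the Redis pod, which is outside this chart's templates.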
@@ -0,0 +1,104 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "times-square.fullname" . }} + labels: + {{- include "times-square.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "times-square.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "times-square.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.serviceAccount.create .Values.cloudsql.enabled }} + serviceAccountName: {{ include "times-square.serviceAccountName" . }} + {{- else }} + automountServiceAccountToken: false + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + {{- if .Values.cloudsql.enabled }} + - name: "cloud-sql-proxy" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} + command: + - "/cloud_sql_proxy" + - "-ip_address_types=PRIVATE" + - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" + {{- end }} + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 
8080 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + envFrom: + - configMapRef: + name: {{ include "times-square.fullname" . }} + env: + - name: "TS_GAFAELFAWR_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-gafaelfawr-token + key: "token" + - name: "TS_DATABASE_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_DATABASE_PASSWORD" + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/times-square/charts/times-square/templates/gafaelfawrtoken.yaml b/services/times-square/charts/times-square/templates/gafaelfawrtoken.yaml new file mode 100644 index 0000000000..670ed49093 --- /dev/null +++ b/services/times-square/charts/times-square/templates/gafaelfawrtoken.yaml @@ -0,0 +1,11 @@ +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrServiceToken +metadata: + name: {{ include "times-square.fullname" . }}-gafaelfawr-token + labels: + {{- include "times-square.labels" . | nindent 4 }} +spec: + service: "times-square" + scopes: + - "admin:token" + - "exec:admin" diff --git a/services/times-square/charts/times-square/templates/hpa.yaml b/services/times-square/charts/times-square/templates/hpa.yaml new file mode 100644 index 0000000000..6989b5af1e --- /dev/null +++ b/services/times-square/charts/times-square/templates/hpa.yaml 
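Review bot: The pod-level `securityContext` sets `runAsNonRoot`, `runAsUser` and `runAsGroup` but no `seccompProfile`, so the pod does not meet the `restricted` Pod Security Standard even though both containers already drop all capabilities, disable privilege escalation and use a read-only root filesystem; add `seccompProfile:` / `  type: RuntimeDefault` under the pod `securityContext`. Two smaller points in the same hunk: `imagePullPolicy: {{ .Values.image.pullPolicy }}` is unquoted while the sidecar's is `| quote`d, and the `cloud-sql-proxy` sidecar has no `resources` stanza, which matters if the chart's HPA is enabled because a CPU-utilization target needs requests on every container in the pod. The liveness and readiness probes request `/` while the application is told its prefix is `TS_PATH_PREFIX`; I cannot tell from here whether `/` is served inside the container, so confirm against the image before relying on these probes.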
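Review bot: The service token requests `admin:token` in addition to `exec:admin`, while the ingress in this chart gates requests on `exec:admin` only, and nothing in the hunk says what the API does with the second scope. Scopes granted to a long-lived service token should be justified inline, so add a comment above `scopes:` such as `# exec:admin is required by the ingress auth query; admin:token is needed for <reason> — remove if unused`, or drop `admin:token` if the application does not need it. I am inferring the meaning of `admin:token` from its name; confirm against the Gafaelfawr configuration for this environment.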
@@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "times-square.fullname" . }} + labels: + {{- include "times-square.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "times-square.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/services/times-square/charts/times-square/templates/ingress.yaml b/services/times-square/charts/times-square/templates/ingress.yaml new file mode 100644 index 0000000000..d77eba0eb4 --- /dev/null +++ b/services/times-square/charts/times-square/templates/ingress.yaml 
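Review bot: The HPA uses `autoscaling/v2beta1`, which is deprecated and is removed in Kubernetes 1.25; the `autoscaling/v2` API (GA since 1.23) replaces `targetAverageUtilization` with a `target` block, so the metrics stanza has to be rewritten as below rather than only bumping the version string. Note also that with the chart's default `resources: {}` a CPU-utilization target cannot be evaluated, because the HPA needs CPU requests on every container in the pod (including the optional `cloud-sql-proxy` sidecar, which has none); either document that `resources.requests.cpu` is mandatory when `autoscaling.enabled` is true or guard it with `required`. `scaleTargetRef`, `minReplicas` and `maxReplicas` are unchanged by this proposal.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```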
@@ -0,0 +1,35 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "times-square.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "times-square.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- if .Values.ingress.gafaelfawrAuthQuery }} + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + rules: + - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + http: + paths: + - path: {{ .Values.ingress.path }} + pathType: {{ default "Prefix" .Values.ingress.pathType }} + backend: + service: + name: {{ $fullName }} + port: + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/times-square/charts/times-square/templates/networkpolicy.yaml b/services/times-square/charts/times-square/templates/networkpolicy.yaml new file mode 100644 index 0000000000..14637aa6bd --- /dev/null +++ b/services/times-square/charts/times-square/templates/networkpolicy.yaml 
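Review bot: `ingress.host` is marked `required` here but no values file in this commit sets it: the chart's `values.yaml` has no `host` under `ingress`, `values-idfdev.yaml` removes the one it had, and the umbrella chart passes the host as `globals.host`, so `helm template` fails with "ingress.host must be set" until the template and the injected parameter agree on one key. The template also emits the legacy `kubernetes.io/ingress.class: "nginx"` annotation unconditionally while optionally setting `spec.ingressClassName`; with `networking.k8s.io/v1` the annotation is deprecated and setting both is ambiguous, so gate it: `{{- if not .Values.ingress.className }}` / `kubernetes.io/ingress.class: "nginx"` / `{{- end }}`. Forwarding `X-Auth-Request-Token` to the backend is presumably intentional for delegated calls, but a one-line comment above `auth-response-headers` saying so would help the next reader.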
@@ -0,0 +1,23 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "times-square.fullname" . }} +spec: + podSelector: + matchLabels: + {{- include "times-square.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 8080 +{{- end }} diff --git a/services/times-square/charts/times-square/templates/service.yaml b/services/times-square/charts/times-square/templates/service.yaml new file mode 100644 index 0000000000..477632df17 --- /dev/null +++ b/services/times-square/charts/times-square/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "times-square.fullname" . }} + labels: + {{- include "times-square.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "times-square.selectorLabels" . | nindent 4 }} diff --git a/services/times-square/charts/times-square/templates/serviceaccount.yaml b/services/times-square/charts/times-square/templates/serviceaccount.yaml new file mode 100644 index 0000000000..bbc698585b --- /dev/null +++ b/services/times-square/charts/times-square/templates/serviceaccount.yaml 
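Review bot: The NetworkPolicy is wrapped in `{{- if .Values.ingress.enabled -}}`, which means a deployment with the ingress disabled gets no ingress restriction at all and any pod in the cluster can reach port 8080 — the opposite of what disabling external access should do. Drop the guard so the policy is always rendered; the `from` rule only admits pods labelled `gafaelfawr.lsst.io/ingress: "true"`, so it is correct in both configurations. The resource is also the only one in the chart without `labels: {{- include "times-square.labels" . | nindent 4 }}`, and it only selects the web pod, so the unauthenticated Redis instance this chart points `TS_REDIS_URL` at is not covered unless the redis subchart brings its own policy — worth confirming.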
@@ -0,0 +1,15 @@ +{{- if or .Values.serviceAccount.create .Values.cloudsql.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "times-square.serviceAccountName" . }} + labels: + {{- include "times-square.labels" . | nindent 4 }} + annotations: + {{- if .Values.cloudsql.enabled }} + iam.gke.io/gcp-service-account: {{ required "cloudsql.serviceAccount must be set to a valid Google service account" .Values.cloudsql.serviceAccount | quote }} + {{- end }} + {{- with .Values.serviceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/services/times-square/charts/times-square/templates/vault-secret.yaml b/services/times-square/charts/times-square/templates/vault-secret.yaml new file mode 100644 index 0000000000..aec617f5c3 --- /dev/null +++ b/services/times-square/charts/times-square/templates/vault-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ template "times-square.fullname" . }}-secret + labels: + {{- include "times-square.labels" . | nindent 4 }} +spec: + path: "{{ .Values.globals.vaultSecretsPathPrefix }}/times-square" + type: Opaque diff --git a/services/times-square/charts/times-square/values.yaml b/services/times-square/charts/times-square/values.yaml new file mode 100644 index 0000000000..01f3bb934f --- /dev/null +++ b/services/times-square/charts/times-square/values.yaml 
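Review bot: When `cloudsql.enabled` is true the deployment uses this ServiceAccount and skips its `automountServiceAccountToken: false` branch, so the Kubernetes SA token is mounted into both the application and the proxy container even though neither is shown to call the Kubernetes API; GKE Workload Identity authenticates through the metadata server rather than the projected token, as far as I can tell, so set `automountServiceAccountToken: false` on the ServiceAccount itself (`spec`-level, next to `metadata`) and confirm the proxy still starts. A smaller style point: `annotations:` is emitted even when both conditionals are empty, producing `annotations: null`; wrap the key in `{{- if or .Values.cloudsql.enabled .Values.serviceAccount.annotations }}` so the rendered manifest stays clean.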
@@ -0,0 +1,137 @@ +# Default values for times-square. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of web deployment pods to start +replicaCount: 1 + +image: + # -- Image to use in the times-square deployment + repository: ghcr.io/lsst-sqre/times-square + + # -- Pull policy for the times-square image + pullPolicy: Always + + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" + +# -- Secret names to use for all Docker pulls +imagePullSecrets: [] + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# -- Annotations for the times-square deployment pod +podAnnotations: {} + +serviceAccount: + # -- Force creation of a service account. Normally, no service account is + # used or mounted. If CloudSQL is enabled, a service account is always + # created regardless of this value. + create: false + + # -- Annotations to add to the service account. If CloudSQL is in use, the + # annotation specifying the Google service account will also be added. 
+ annotations: {} + + # -- Name of the service account to use + # @default -- Name based on the fullname template + name: "" + +service: + # -- Type of service to create + type: ClusterIP + + # -- Port of the service to create and map to the ingress + port: 8080 + +ingress: + # -- Create an ingress resource + enabled: true + + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=exec:admin&auth_type=basic" + + # -- Additional annotations for the ingress rule + annotations: {} + + # -- Path type for the ingress rule + pathType: ImplementationSpecific + + # -- URL path to dispatch to the times-square deployment pod + path: "/times-square/api" + +# -- Resource limits and requests for the times-square deployment pod +resources: {} + +autoscaling: + # -- Enable autoscaling of times-square deployment + enabled: false + + # -- Minimum number of times-square deployment pods + minReplicas: 1 + + # -- Maximum number of times-square deployment pods + maxReplicas: 100 + + # -- Target CPU utilization of times-square deployment pods + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- Node selection rules for the times-square deployment pod +nodeSelector: {} + +# -- Tolerations for the times-square deployment pod +tolerations: [] + +# -- Affinity rules for the times-square deployment pod +affinity: {} + +# -- Path to the Vault secret (`secret/k8s_operator//times-square`, for +# example) +# @default -- None, must be set +vaultSecretsPath: "" + +# Configurations for the times-square application. +config: + # -- Name of the service. 
+ name: "times-square" + + # -- Run profile: "production" or "development" + profile: "production" + + # -- Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" + logLevel: "INFO" + + # -- URL for the PostgreSQL database + # @default -- None, must be set + databaseUrl: "" + +cloudsql: + # -- Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases + # on Google Cloud + enabled: false + + image: + # -- Cloud SQL Auth Proxy image to use + repository: "gcr.io/cloudsql-docker/gce-proxy" + + # -- Cloud SQL Auth Proxy tag to use + tag: "1.29.0" + + # -- Pull policy for Cloud SQL Auth Proxy images + pullPolicy: "IfNotPresent" + + # -- Instance connection name for a CloudSQL PostgreSQL instance + instanceConnectionName: "" + + # -- The Google service account that has an IAM binding to the `times-square` + # Kubernetes service accounts and has the `cloudsql.client` role + serviceAccount: "" + +redis: + auth: + enabled: false diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 48f2dc0824..517a5d9285 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -1,12 +1,8 @@ times-square: image: - repository: ghcr.io/lsst-sqre/times-square - tag: tickets-DM-33627 - ingress: - host: "data-dev.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/times-square" + tag: "tickets-DM-34030" + pullPolicy: Always config: - environmentUrl: "https://data-dev.lsst.cloud" databaseUrl: "postgresql://times-square@localhost/times-square" cloudsql: enabled: true @@ -14,8 +10,6 @@ times-square: serviceAccount: "times-square@science-platform-dev-7696.iam.gserviceaccount.com" times-square-ui: - fullnameOverride: times-square-ui image: - tag: tickets-dm-33930 - ingress: - host: "data-dev.lsst.cloud" + tag: "tickets-dm-34030" + pullPolicy: Always 
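Review bot: `vaultSecretsPath` is documented here as "None, must be set" (and appears in the README table) but no template in this commit reads it — the VaultSecret builds its path from `globals.vaultSecretsPathPrefix` — so the key is dead and the comment actively misleads operators; remove it or replace the comment with `# Deprecated: unused, the path is derived from the global vaultSecretsPathPrefix`. Two defaults deserve a caveat in the same file: `autoscaling.maxReplicas: 100` is a very high ceiling for a service whose `resources` default to `{}`, and `redis.auth.enabled: false` runs Redis without authentication, so a comment should state that isolation relies on network policy. Finally `config.databaseUrl` should carry `# Must not embed credentials; the password is injected from the Vault secret as TS_DATABASE_PASSWORD`, since the URL is rendered into a ConfigMap.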
diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml new file mode 100644 index 0000000000..d1660952c8 --- /dev/null +++ b/services/times-square/values.yaml @@ -0,0 +1,33 @@ +times-square: + + fullnameOverride: times-square + + image: + tag: "tickets-DM-34030" + + pullPolicy: "IfNotPresent" + +times-square-ui: + + fullnameOverride: times-square-ui + + image: + tag: "tickets-DM-34030" + + pullPolicy: "IfNotPresent" + +# Global parameters will be set by parameters injected via the Argo CD +# Application resource and should not be set in the individual environment +# values files. +globals: + # -- Base URL for the environment + # @default -- Set by times-square Argo CD Application + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by times-square Argo CD Application + host: "" + + # -- Base path for Vault secrets + # @default -- Set by times-square Argo CD Application + vaultSecretsPathPrefix: "" From 2cc944d1bd12bb438247d5bbfc0d615050d3f1cf Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 22 Mar 2022 18:39:15 -0400 Subject: [PATCH 0104/1479] Use true Helm global in noteburst Helm global values are "global" not "globals" --- science-platform/templates/noteburst-application.yaml | 6 +++--- services/noteburst/README.md | 6 +++--- services/noteburst/templates/configmap.yaml | 2 +- services/noteburst/templates/ingress.yaml | 6 +++--- services/noteburst/templates/vaultsecret.yaml | 2 +- services/noteburst/templates/worker-configmap.yaml | 2 +- services/noteburst/values.yaml | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/science-platform/templates/noteburst-application.yaml b/science-platform/templates/noteburst-application.yaml index b8322d4c15..6193ad79e2 100644 --- a/science-platform/templates/noteburst-application.yaml +++ b/science-platform/templates/noteburst-application.yaml 
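Review bot: The umbrella defaults pin both images to the mutable branch tag `"tickets-DM-34030"` with `pullPolicy: "IfNotPresent"`, which is a poor baseline for every environment: the tag can be re-pushed at any time, and `IfNotPresent` means nodes keep whichever build they pulled first, so different replicas can run different code and a compromised or rebuilt tag is not noticed. Keep ticket tags in the per-environment dev values (as `values-idfdev.yaml` already does, with `Always`) and let the chart default fall back to `appVersion` or an immutable release tag or digest. Note too that Helm only propagates the reserved `global` key into subcharts, so the `globals.*` values declared here are not visible to the `times-square` and `times-square-ui` templates that read `.Values.globals.*`; they will render empty until the key is renamed.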
@@ -25,11 +25,11 @@ spec: targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "globals.host" + - name: "global.host" value: {{ .Values.fqdn | quote }} - - name: "globals.baseUrl" + - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" - - name: "globals.vaultSecretsPathPrefix" + - name: "global.vaultSecretsPathPrefix" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" diff --git a/services/noteburst/README.md b/services/noteburst/README.md index fa79d61ec3..0219d9d6b1 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -25,9 +25,9 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | config.worker.identities | list | `[]` | Science Platform user identities that workers can acquire. Each item is an object with username and uuid keys | | config.worker.workerCount | int | `1` | Number of workers to run | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| globals.baseUrl | string | Set by Argo CD | Base URL for the environment | -| globals.host | string | Set by Argo CD | Host name for ingress | -| globals.vaultSecretsPathPrefix | string | Set by Argo CD | Base path for Vault secrets | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPathPrefix | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | image.repository | string | `"ghcr.io/lsst-sqre/noteburst"` | Noteburst image repository | | image.tag | string | The appVersion of the chart | Tag of the image | diff --git a/services/noteburst/templates/configmap.yaml b/services/noteburst/templates/configmap.yaml index f0b054a563..1a1bdfc099 100644 --- a/services/noteburst/templates/configmap.yaml +++ b/services/noteburst/templates/configmap.yaml 
@@ -7,5 +7,5 @@ metadata: data: SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} NOTEBURST_PATH_PREFIX: {{ .Values.ingress.path | quote }} - NOTEBURST_ENVIRONMENT_URL: {{ .Values.globals.baseUrl | quote }} + NOTEBURST_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" diff --git a/services/noteburst/templates/ingress.yaml b/services/noteburst/templates/ingress.yaml index 68020ae8b7..c76210668a 100644 --- a/services/noteburst/templates/ingress.yaml +++ b/services/noteburst/templates/ingress.yaml @@ -10,15 +10,15 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: rules: - - host: {{ required "globals.host must be set" .Values.globals.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: {{ .Values.ingress.path }} diff --git a/services/noteburst/templates/vaultsecret.yaml b/services/noteburst/templates/vaultsecret.yaml index 801c671071..7d5f4a62bb 100644 --- a/services/noteburst/templates/vaultsecret.yaml +++ b/services/noteburst/templates/vaultsecret.yaml 
@@ -5,5 +5,5 @@ metadata: labels: {{- include "noteburst.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPathPrefix }}/noteburst" + path: "{{ .Values.global.vaultSecretsPathPrefix }}/noteburst" type: Opaque diff --git a/services/noteburst/templates/worker-configmap.yaml b/services/noteburst/templates/worker-configmap.yaml index 9ff110cd97..4f12afe972 100644 --- a/services/noteburst/templates/worker-configmap.yaml +++ b/services/noteburst/templates/worker-configmap.yaml @@ -7,6 +7,6 @@ metadata: data: SAFIR_PROFILE: {{ .Values.config.profile | quote }} SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} - NOTEBURST_ENVIRONMENT_URL: {{ .Values.globals.baseUrl | quote }} + NOTEBURST_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" NOTEBURST_WORKER_LOCK_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/1" diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index 4db6dec4ab..113207b7f0 100644 --- a/services/noteburst/values.yaml +++ b/services/noteburst/values.yaml @@ -4,7 +4,7 @@ # # Global parameters will be set by parameters injected by Argo CD and should # not be set in the individual environment values files. -globals: +global: # -- Base URL for the environment # @default -- Set by Argo CD baseUrl: "" From 650eaf4a97c23f3fdff359fd236e1e12c339ddb4 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Tue, 22 Mar 2022 18:43:02 -0400 Subject: [PATCH 0105/1479] Use "global" values in times-square True Helm global variables are "global" not "globals" --- science-platform/templates/times-square-application.yaml | 6 +++--- .../charts/times-square-ui/templates/configmap.yaml | 6 +++--- .../charts/times-square-ui/templates/ingress.yaml | 6 +++--- .../charts/times-square/templates/configmap.yaml | 2 +- .../times-square/charts/times-square/templates/ingress.yaml | 6 +++--- .../charts/times-square/templates/vault-secret.yaml | 2 +- services/times-square/values.yaml | 2 +- 7 files changed, 15 insertions(+), 15 deletions(-) diff --git a/science-platform/templates/times-square-application.yaml b/science-platform/templates/times-square-application.yaml index 5e8d94e211..f3056cf055 100644 --- a/science-platform/templates/times-square-application.yaml +++ b/science-platform/templates/times-square-application.yaml @@ -25,11 +25,11 @@ spec: targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "globals.host" + - name: "global.host" value: {{ .Values.fqdn | quote }} - - name: "globals.baseUrl" + - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" - - name: "globals.vaultSecretsPathPrefix" + - name: "global.vaultSecretsPathPrefix" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" diff --git a/services/times-square/charts/times-square-ui/templates/configmap.yaml b/services/times-square/charts/times-square-ui/templates/configmap.yaml index 7a7aa595c8..cefd23a44d 100644 --- a/services/times-square/charts/times-square-ui/templates/configmap.yaml +++ b/services/times-square/charts/times-square-ui/templates/configmap.yaml 
@@ -9,9 +9,9 @@ data: siteName: {{ .Values.config.siteName | quote }} siteDescription: | {{ .Values.config.siteDescription }} - baseUrl: "{{ .Values.globals.baseUrl }}{{ .Values.ingress.path }}" - timesSquareApiUrl: "{{ .Values.globals.baseUrl }}{{ .Values.config.timesSquareApiPath }}" + baseUrl: "{{ .Values.global.baseUrl }}{{ .Values.ingress.path }}" + timesSquareApiUrl: "{{ .Values.global.baseUrl }}{{ .Values.config.timesSquareApiPath }}" {{- if .Values.config.semaphoreUrl }} - semaphoreUrl: "{{ .Values.globals.baseUrl }}{{ .Values.config.semaphorePath }}" + semaphoreUrl: "{{ .Values.global.baseUrl }}{{ .Values.config.semaphorePath }}" {{ .Values.config.semaphoreUrl }} {{- end}} diff --git a/services/times-square/charts/times-square-ui/templates/ingress.yaml b/services/times-square/charts/times-square-ui/templates/ingress.yaml index 319b607196..25b7b5dd11 100644 --- a/services/times-square/charts/times-square-ui/templates/ingress.yaml +++ b/services/times-square/charts/times-square-ui/templates/ingress.yaml @@ -11,8 +11,8 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} 
@@ -22,7 +22,7 @@ spec: ingressClassName: {{ .Values.ingress.className }} {{- end }} rules: - - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: {{ .Values.ingress.path }} diff --git a/services/times-square/charts/times-square/templates/configmap.yaml b/services/times-square/charts/times-square/templates/configmap.yaml index 904426d029..c476e34a55 100644 --- a/services/times-square/charts/times-square/templates/configmap.yaml +++ b/services/times-square/charts/times-square/templates/configmap.yaml @@ -8,7 +8,7 @@ data: SAFIR_NAME: {{ .Values.config.name | quote }} SAFIR_PROFILE: {{ .Values.config.profile | quote }} SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} - TS_ENVIRONMENT_URL: {{ .Values.globals.baseUrl | quote }} + TS_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} TS_PATH_PREFIX: {{ .Values.ingress.path }} TS_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} TS_REDIS_URL: "redis://{{ include "times-square.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" diff --git a/services/times-square/charts/times-square/templates/ingress.yaml b/services/times-square/charts/times-square/templates/ingress.yaml index d77eba0eb4..6a784621c3 100644 --- a/services/times-square/charts/times-square/templates/ingress.yaml +++ b/services/times-square/charts/times-square/templates/ingress.yaml 
@@ -11,8 +11,8 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} @@ -22,7 +22,7 @@ spec: ingressClassName: {{ .Values.ingress.className }} {{- end }} rules: - - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: {{ .Values.ingress.path }} diff --git a/services/times-square/charts/times-square/templates/vault-secret.yaml b/services/times-square/charts/times-square/templates/vault-secret.yaml index aec617f5c3..a7960d8b21 100644 --- a/services/times-square/charts/times-square/templates/vault-secret.yaml +++ b/services/times-square/charts/times-square/templates/vault-secret.yaml @@ -5,5 +5,5 @@ metadata: labels: {{- include "times-square.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPathPrefix }}/times-square" + path: "{{ .Values.global.vaultSecretsPathPrefix }}/times-square" type: Opaque diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index d1660952c8..0135fb4bcf 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml 
@@ -19,7 +19,7 @@ times-square-ui: # Global parameters will be set by parameters injected via the Argo CD # Application resource and should not be set in the individual environment # values files. -globals: +global: # -- Base URL for the environment # @default -- Set by times-square Argo CD Application baseUrl: "" From cd84f85db2bca05045dd0facb1c06446f6aa8757 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 22 Mar 2022 19:05:18 -0400 Subject: [PATCH 0106/1479] Add dependencies info --- services/times-square/Chart.yaml | 6 ++++++ services/times-square/README.md | 13 ++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 7594bc7664..b3b51443f7 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -9,3 +9,9 @@ description: | - [`times-square` (API)](charts/times-square) - [`times-square-ui` (Next.js / React front-end)](charts/times-square-ui) type: application + +dependencies: + - name: times-square + version: 1.0.0 + - name: times-square-ui + version: 1.0.0 diff --git a/services/times-square/README.md b/services/times-square/README.md index 17f21ffd6f..3222e555a5 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -7,13 +7,20 @@ See the embedded Helm sub-charts for additional configuration docs: - [`times-square` (API)](charts/times-square) - [`times-square-ui` (Next.js / React front-end)](charts/times-square-ui) +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| | times-square | | +| | times-square-ui | | + ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| globals.baseUrl | string | Set by times-square Argo CD Application | Base URL for the environment | -| globals.host | string | Set by times-square Argo CD Application | Host name for ingress | -| globals.vaultSecretsPathPrefix | string | Set by times-square Argo CD Application | Base path for Vault secrets | +| global.baseUrl | string | Set by times-square Argo CD Application | Base URL for the environment | +| global.host | string | Set by times-square Argo CD Application | Host name for ingress | +| global.vaultSecretsPathPrefix | string | Set by times-square Argo CD Application | Base path for Vault secrets | | times-square-ui.fullnameOverride | string | `"times-square-ui"` | | | times-square-ui.image.pullPolicy | string | `"IfNotPresent"` | | | times-square-ui.image.tag | string | `"tickets-DM-34030"` | | From 01c7aa2d575201bf848eb0d8b956cd0848e1367d Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 23 Mar 2022 10:52:12 -0400 Subject: [PATCH 0107/1479] Add noteburst values for minikube environment --- services/noteburst/values-minikube.yaml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 services/noteburst/values-minikube.yaml diff --git a/services/noteburst/values-minikube.yaml b/services/noteburst/values-minikube.yaml new file mode 100644 index 0000000000..48a64212a7 --- /dev/null +++ b/services/noteburst/values-minikube.yaml @@ -0,0 +1,6 @@ +config: + worker: + workerCount: 1 + identities: + - uuid: 90000 + username: "noteburst90000" From 0e90863c9f30a52251447e65d4c597de62658507 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Wed, 23 Mar 2022 15:10:45 -0400 Subject: [PATCH 0108/1479] Drop SAFIR_PROFILE from working config The default set in the app is appropriate, so no need to reset it via the config map. --- services/noteburst/templates/worker-configmap.yaml | 1 - services/noteburst/values-idfdev.yaml | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/services/noteburst/templates/worker-configmap.yaml b/services/noteburst/templates/worker-configmap.yaml index 4f12afe972..aecb717ffe 100644 --- a/services/noteburst/templates/worker-configmap.yaml +++ b/services/noteburst/templates/worker-configmap.yaml @@ -5,7 +5,6 @@ metadata: labels: {{- include "noteburst.labels" . | nindent 4 }} data: - SAFIR_PROFILE: {{ .Values.config.profile | quote }} SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} NOTEBURST_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" diff --git a/services/noteburst/values-idfdev.yaml b/services/noteburst/values-idfdev.yaml index c88d8a3d2c..11853d1895 100644 --- a/services/noteburst/values-idfdev.yaml +++ b/services/noteburst/values-idfdev.yaml @@ -4,6 +4,7 @@ # tag: tickets-DM-33025 config: + logLevel: "DEBUG" worker: workerCount: 1 identities: From a1000dedce0396cb50dd185b22facf0cbfbf9318 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 23 Mar 2022 17:09:21 -0400 Subject: [PATCH 0109/1479] Noteburst: change uuid to uid --- services/noteburst/values-idfdev.yaml | 2 +- services/noteburst/values-minikube.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/values-idfdev.yaml b/services/noteburst/values-idfdev.yaml index 11853d1895..61e3309e84 100644 --- a/services/noteburst/values-idfdev.yaml +++ b/services/noteburst/values-idfdev.yaml 
@@ -8,5 +8,5 @@ config: worker: workerCount: 1 identities: - - uuid: 90000 + - uid: 90000 username: "noteburst90000" diff --git a/services/noteburst/values-minikube.yaml b/services/noteburst/values-minikube.yaml index 48a64212a7..0b427c0ee9 100644 --- a/services/noteburst/values-minikube.yaml +++ b/services/noteburst/values-minikube.yaml @@ -2,5 +2,5 @@ config: worker: workerCount: 1 identities: - - uuid: 90000 + - uid: 90000 username: "noteburst90000" From 4a77b1de3e9d0bb68f0d0e49331e76b37f11b136 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 23 Mar 2022 14:36:31 -0700 Subject: [PATCH 0110/1479] Update summit NFS server names --- services/nublado2/values-summit.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml index 9038db69df..67e3a88175 100644 --- a/services/nublado2/values-summit.yaml +++ b/services/nublado2/values-summit.yaml @@ -40,12 +40,12 @@ nublado2: - name: auxtel nfs: path: /lsstdata - server: atarchiver.cp.lsst.org + server: auxtel-archiver.cp.lsst.org readOnly: true - name: comcam nfs: path: /lsstdata - server: comcam-arctl01.cp.lsst.org + server: comcam-archiver.cp.lsst.org readOnly: true - name: other nfs: @@ -55,20 +55,20 @@ nublado2: - name: latiss nfs: path: /repo/LATISS - server: atarchiver.cp.lsst.org + server: auxtel-atarchiver.cp.lsst.org - name: base-auxtel nfs: path: /lsstdata/base/auxtel - server: atarchiver.cp.lsst.org + server: auxtel-atarchiver.cp.lsst.org readOnly: true - name: lsstcomcam nfs: path: /repo/LSSTComCam - server: comcam-arctl01.cp.lsst.org + server: comcam-archiver.cp.lsst.org - name: base-comcam nfs: path: /lsstdata/base/comcam - server: comcam-arctl01.cp.lsst.org + server: comcam-archiver.cp.lsst.org readOnly: true volume_mounts: - name: home From ba6e0c5dc6eeba7f286d656d087739d340c513f9 Mon Sep 17 00:00:00 2001 
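Review bot: In the second nublado2 hunk the `latiss` (`/repo/LATISS`) and `lsstcomcam` (`/repo/LSSTComCam`) NFS volumes carry no `readOnly: true`, unlike the sibling `auxtel`, `comcam`, `base-auxtel` and `base-comcam` entries; if these volumes are mounted into user notebook pods, the Butler repositories are writable from user sessions. Unless write access is intended, add `readOnly: true` to both entries, or leave a comment stating why they must be writable. The `auxtel-atarchiver.cp.lsst.org` names in this hunk also differ from the `auxtel-archiver.cp.lsst.org` used in the first hunk, which looks like a typo worth checking before merge.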
From: adam Date: Wed, 23 Mar 2022 14:42:37 -0700 Subject: [PATCH 0111/1479] remove stray 'at's from hostnames --- services/nublado2/values-summit.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml index 67e3a88175..2261761ef9 100644 --- a/services/nublado2/values-summit.yaml +++ b/services/nublado2/values-summit.yaml @@ -55,11 +55,11 @@ nublado2: - name: latiss nfs: path: /repo/LATISS - server: auxtel-atarchiver.cp.lsst.org + server: auxtel-archiver.cp.lsst.org - name: base-auxtel nfs: path: /lsstdata/base/auxtel - server: auxtel-atarchiver.cp.lsst.org + server: auxtel-archiver.cp.lsst.org readOnly: true - name: lsstcomcam nfs: From fe2a1f6f21a21b3b10947320b98753de119783e8 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 23 Mar 2022 17:51:13 -0400 Subject: [PATCH 0112/1479] DM-34090: Fix typo in redis dependency declaration --- services/times-square/charts/times-square/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/charts/times-square/Chart.yaml b/services/times-square/charts/times-square/Chart.yaml index 8b8d9dec08..9b6ff95898 100644 --- a/services/times-square/charts/times-square/Chart.yaml +++ b/services/times-square/charts/times-square/Chart.yaml @@ -19,4 +19,4 @@ appVersion: "1.0.0" dependencies: - name: redis version: 16.0.1 - repository: https://charts.bitnami.c + repository: https://charts.bitnami.com From a4fa3482faf121a7f1095083583e151fd41e40bf Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 23 Mar 2022 15:07:11 -0700 Subject: [PATCH 0113/1479] turn off telegraf at TTS --- science-platform/values-tucson-teststand.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index adb7773d71..e34a42581a 100644 --- a/science-platform/values-tucson-teststand.yaml 
+++ b/science-platform/values-tucson-teststand.yaml @@ -52,8 +52,9 @@ tap: enabled: false tap_schema: enabled: false +# EFD already provides telegraf namespace. Gotta work that out. telegraf: - enabled: true + enabled: false times_square: enabled: false vault_secrets_operator: From 7bb3411fb018dbd1d9022f54f74539a9711c7494 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 23 Mar 2022 20:50:51 -0400 Subject: [PATCH 0114/1479] Hard code redis port Helm / argo cd is having trouble resolving the pointer to the port; so we'll hard code it for now. --- .../times-square/charts/times-square/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/charts/times-square/templates/configmap.yaml b/services/times-square/charts/times-square/templates/configmap.yaml index c476e34a55..42e96a8746 100644 --- a/services/times-square/charts/times-square/templates/configmap.yaml +++ b/services/times-square/charts/times-square/templates/configmap.yaml @@ -11,4 +11,4 @@ data: TS_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} TS_PATH_PREFIX: {{ .Values.ingress.path }} TS_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} - TS_REDIS_URL: "redis://{{ include "times-square.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" + TS_REDIS_URL: "redis://{{ include "times-square.fullname" . }}-redis-master.{{ .Release.Namespace }}:6379/0" From 05e2457a9aeca018964690a2a31095849b295b01 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 23 Mar 2022 21:02:39 -0400 Subject: [PATCH 0115/1479] Restore api version in times square chart --- services/times-square/charts/times-square/Chart.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/times-square/charts/times-square/Chart.yaml b/services/times-square/charts/times-square/Chart.yaml index 9b6ff95898..5b94e0ce48 100644 --- a/services/times-square/charts/times-square/Chart.yaml 
+++ b/services/times-square/charts/times-square/Chart.yaml @@ -1,3 +1,4 @@ +apiVersion: v2 description: A parameterized notebook web viewer for the Rubin Science Platform. name: times-square type: application From d14beae2e91a72fbfbf0bb108c77533f21d979fc Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 23 Mar 2022 21:03:10 -0400 Subject: [PATCH 0116/1479] Use full URL for bitnami charts repo --- services/times-square/charts/times-square/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/charts/times-square/Chart.yaml b/services/times-square/charts/times-square/Chart.yaml index 5b94e0ce48..4c1a4cdbe6 100644 --- a/services/times-square/charts/times-square/Chart.yaml +++ b/services/times-square/charts/times-square/Chart.yaml @@ -20,4 +20,4 @@ appVersion: "1.0.0" dependencies: - name: redis version: 16.0.1 - repository: https://charts.bitnami.com + repository: https://charts.bitnami.com/bitnami From 556e2f998ba03596e023e02d584abddeacad1e16 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 23 Mar 2022 21:04:23 -0400 Subject: [PATCH 0117/1479] Restore dynamic redis port setting --- .../times-square/charts/times-square/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/charts/times-square/templates/configmap.yaml b/services/times-square/charts/times-square/templates/configmap.yaml index 42e96a8746..c476e34a55 100644 --- a/services/times-square/charts/times-square/templates/configmap.yaml +++ b/services/times-square/charts/times-square/templates/configmap.yaml 
@@ -11,4 +11,4 @@ data: TS_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} TS_PATH_PREFIX: {{ .Values.ingress.path }} TS_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} - TS_REDIS_URL: "redis://{{ include "times-square.fullname" . }}-redis-master.{{ .Release.Namespace }}:6379/0" + TS_REDIS_URL: "redis://{{ include "times-square.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" From d3c431cc8593fe21da81254803f84f70bd67a5da Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 23 Mar 2022 21:08:15 -0400 Subject: [PATCH 0118/1479] Times Square: cannot dynamically set redis port --- .../times-square/charts/times-square/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/charts/times-square/templates/configmap.yaml b/services/times-square/charts/times-square/templates/configmap.yaml index c476e34a55..42e96a8746 100644 --- a/services/times-square/charts/times-square/templates/configmap.yaml +++ b/services/times-square/charts/times-square/templates/configmap.yaml @@ -11,4 +11,4 @@ data: TS_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} TS_PATH_PREFIX: {{ .Values.ingress.path }} TS_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} - TS_REDIS_URL: "redis://{{ include "times-square.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" + TS_REDIS_URL: "redis://{{ include "times-square.fullname" . }}-redis-master.{{ .Release.Namespace }}:6379/0" From bf4d48e4faa1416e8783399cab1d28902b704808 Mon Sep 17 00:00:00 2001 
From: adam Date: Thu, 24 Mar 2022 07:43:45 -0700 Subject: [PATCH 0119/1479] Add Butler repository index at TTS, Summit, and NCSA --- services/nublado2/values-int.yaml | 1 + services/nublado2/values-stable.yaml | 1 + services/nublado2/values-summit.yaml | 1 + services/nublado2/values-tucson-teststand.yaml | 1 + 4 files changed, 4 insertions(+) diff --git a/services/nublado2/values-int.yaml b/services/nublado2/values-int.yaml index 2dd300ecd6..4404a48bd3 100644 --- a/services/nublado2/values-int.yaml +++ b/services/nublado2/values-int.yaml @@ -14,6 +14,7 @@ nublado2: AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" AUTO_REPO_BRANCH: "NCSA-prod" AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@NCSA-prod" + DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" pinned_images: - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended name: Recommended diff --git a/services/nublado2/values-stable.yaml b/services/nublado2/values-stable.yaml index 676ad84d35..bebeeaf375 100644 --- a/services/nublado2/values-stable.yaml +++ b/services/nublado2/values-stable.yaml @@ -14,6 +14,7 @@ nublado2: AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" AUTO_REPO_BRANCH: "NCSA-prod" AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@NCSA-prod" + DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" volumes: - name: datasets hostPath: diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml index 2261761ef9..75f157635d 100644 --- a/services/nublado2/values-summit.yaml +++ b/services/nublado2/values-summit.yaml @@ -22,6 +22,7 @@ nublado2: AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" AUTO_REPO_BRANCH: "prod" AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" LSST_DDS_INTERFACE: net1 LSST_DDS_PARTITION_PREFIX: summit volumes: 
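Review bot: `DAF_BUTLER_REPOSITORY_INDEX` points every user session at `/project/data-repos.yaml` (the same line is added to values-stable, values-summit and values-tucson-teststand); this index decides which Butler repositories, and so which registry databases, user code connects to, so its location should be a path users cannot write. Nothing in these hunks shows where `/project` comes from; if it is a shared volume writable from notebook pods, an edited index silently redirects other users to a different repository, so the file's ownership and permissions should be confirmed or it should live on a read-only mount. A comment beside the key such as `# Butler repository index; must live on a path not writable from user pods` would record that intent for the next editor.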
diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index 17423aeae8..88f0b9b9fb 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml @@ -22,6 +22,7 @@ nublado2: AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" AUTO_REPO_BRANCH: "prod" AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" LSST_DDS_INTERFACE: net1 LSST_DDS_PARTITION_PREFIX: tucson volumes: From 59fa2fa0d9bda17a0a8a02f7f4b02f77eb77920a Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 24 Mar 2022 12:06:13 -0400 Subject: [PATCH 0120/1479] Move redis dependency to top-level chart Helm was not showing the redis deployment when it was a sub-sub-chart (via the time-square subchart). Moving redis up to the top-level as a normal sub-chart should resolve this problem. It does mean that the redis URL now needs to be hard-coded, but this shouldn't be a difficulty since the redis deployment is fully under this Helm chart's control. --- services/times-square/Chart.yaml | 3 ++ .../charts/times-square/Chart.yaml | 6 --- .../times-square/templates/configmap.yaml | 2 +- .../charts/times-square/values.yaml | 4 ++ services/times-square/values.yaml | 39 ++++++++++++------- 5 files changed, 33 insertions(+), 21 deletions(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index b3b51443f7..31c398b4a1 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -15,3 +15,6 @@ dependencies: version: 1.0.0 - name: times-square-ui version: 1.0.0 + - name: redis + version: 16.0.1 + repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/charts/times-square/Chart.yaml b/services/times-square/charts/times-square/Chart.yaml index 4c1a4cdbe6..96f44209b9 100644 --- a/services/times-square/charts/times-square/Chart.yaml 
+++ b/services/times-square/charts/times-square/Chart.yaml @@ -15,9 +15,3 @@ version: 1.0.0 # Use times-square.image.tag to manage this from the top-level values # instead. appVersion: "1.0.0" - -# Additional charts that this chart uses -dependencies: - - name: redis - version: 16.0.1 - repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/charts/times-square/templates/configmap.yaml b/services/times-square/charts/times-square/templates/configmap.yaml index 42e96a8746..ed1f2c16c5 100644 --- a/services/times-square/charts/times-square/templates/configmap.yaml +++ b/services/times-square/charts/times-square/templates/configmap.yaml @@ -11,4 +11,4 @@ data: TS_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} TS_PATH_PREFIX: {{ .Values.ingress.path }} TS_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} - TS_REDIS_URL: "redis://{{ include "times-square.fullname" . }}-redis-master.{{ .Release.Namespace }}:6379/0" + TS_REDIS_URL: {{ required "config.redisUrl must be set" .Values.config.redusUrl | quote }} diff --git a/services/times-square/charts/times-square/values.yaml b/services/times-square/charts/times-square/values.yaml index 01f3bb934f..79f99e0751 100644 --- a/services/times-square/charts/times-square/values.yaml +++ b/services/times-square/charts/times-square/values.yaml @@ -110,6 +110,10 @@ config: # @default -- None, must be set databaseUrl: "" + # -- URL for the Redis cache + # @default -- None, must be set + redisUrl: "" + cloudsql: # -- Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases # on Google Cloud diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index 0135fb4bcf..7a7103073a 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml 
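Review bot: In the configmap.yaml hunk the new `TS_REDIS_URL` line reads `.Values.config.redusUrl`, a misspelling of the `redisUrl` key this same commit adds to the sub-chart values.yaml, so `required` always sees an empty value and every render fails with "config.redisUrl must be set". Change it to `TS_REDIS_URL: {{ required "config.redisUrl must be set" .Values.config.redisUrl | quote }}`.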
@@ -1,3 +1,19 @@ +# Global parameters will be set by parameters injected via the Argo CD +# Application resource and should not be set in the individual environment +# values files. +global: + # -- Base URL for the environment + # @default -- Set by times-square Argo CD Application + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by times-square Argo CD Application + host: "" + + # -- Base path for Vault secrets + # @default -- Set by times-square Argo CD Application + vaultSecretsPathPrefix: "" + times-square: fullnameOverride: times-square @@ -7,6 +23,11 @@ times-square: pullPolicy: "IfNotPresent" + config: + # -- Redis URL + # @default -- Points to embedded Redis + redisUrl: "redis://times-square-redis-master:6379/0" + times-square-ui: fullnameOverride: times-square-ui @@ -16,18 +37,8 @@ times-square-ui: pullPolicy: "IfNotPresent" -# Global parameters will be set by parameters injected via the Argo CD -# Application resource and should not be set in the individual environment -# values files. -global: - # -- Base URL for the environment - # @default -- Set by times-square Argo CD Application - baseUrl: "" +redis: + fullnameOverride: times-square-redis - # -- Host name for ingress - # @default -- Set by times-square Argo CD Application - host: "" - - # -- Base path for Vault secrets - # @default -- Set by times-square Argo CD Application - vaultSecretsPathPrefix: "" + auth: + enabled: false From 5da3946d6f480d621664ef7e8b50bf55bb2e41c6 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 24 Mar 2022 11:14:09 -0700 Subject: [PATCH 0121/1479] Fix Vault prefix for NCSA int --- science-platform/values-int.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index 517b059c78..35f16d6265 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml 
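Review bot: The new `redis:` stanza disables authentication (`auth: enabled: false`) and the default `config.redisUrl` connects over plain `redis://` with no credentials, so any workload that can reach `times-square-redis-master` in the namespace can read or modify the cache. Nothing in this change limits that reach (no NetworkPolicy is visible), so either enable Redis auth with a password sourced from the Vault secret the chart already provisions, or document the reliance on network isolation, e.g. `# Redis auth is disabled; access is bounded only by cluster networking — confirm a NetworkPolicy exists`. The default URL also hard-codes the `times-square-redis` name, so changing `redis.fullnameOverride` without updating `config.redisUrl` breaks the connection; a comment tying the two keys together would help.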
@@ -1,6 +1,6 @@ environment: int fqdn: lsst-lsp-int.ncsa.illinois.edu -vault_path_prefix: secret/k8s_operator/lsst-lsp-int.lsst.codes +vault_path_prefix: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu alert_stream_broker: enabled: false From 7aab850a26d0f70b8ca59cf5025df9140bd0505c Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Wed, 23 Mar 2022 16:04:10 -0700 Subject: [PATCH 0122/1479] exposurelog and narrativelog: fix value namespace Moving the charts from charts to this package broke value namespaces. Rather than move the some of the names up a level, I put application-specific values into namespace "config". I also removed some values from values.yaml, replacing them with comments, so that the site-specific file MUST override some values in order for deployment to work. This is to avoid the current situation where the service may run with incorrect default values. Finally, update the application files to load the values.yaml default files and update the chart versions to match SQuaRE standards. --- .../templates/exposurelog-application.yaml | 1 + .../templates/narrativelog-application.yaml | 1 + services/exposurelog/Chart.yaml | 8 +- .../exposurelog/templates/deployment.yaml | 22 ++--- services/exposurelog/values-base.yaml | 16 ++-- services/exposurelog/values-roe.yaml | 16 ++-- services/exposurelog/values-summit.yaml | 12 ++- .../exposurelog/values-tucson-teststand.yaml | 16 ++-- services/exposurelog/values.yaml | 81 ++++++++++--------- services/narrativelog/Chart.yaml | 6 +- .../narrativelog/templates/deployment.yaml | 2 +- services/narrativelog/values-base.yaml | 12 ++- services/narrativelog/values-summit.yaml | 12 ++- .../narrativelog/values-tucson-teststand.yaml | 12 ++- services/narrativelog/values.yaml | 44 +++++----- 15 files changed, 131 insertions(+), 130 deletions(-) diff --git a/science-platform/templates/exposurelog-application.yaml b/science-platform/templates/exposurelog-application.yaml index c3051b5546..76e3bc5bea 100644 
--- a/science-platform/templates/exposurelog-application.yaml +++ b/science-platform/templates/exposurelog-application.yaml @@ -22,5 +22,6 @@ spec: targetRevision: {{ .Values.revision }} helm: valueFiles: + - values.yaml - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/narrativelog-application.yaml b/science-platform/templates/narrativelog-application.yaml index d3d95cd80b..d12d0e3572 100644 --- a/science-platform/templates/narrativelog-application.yaml +++ b/science-platform/templates/narrativelog-application.yaml @@ -22,5 +22,6 @@ spec: targetRevision: {{ .Values.revision }} helm: valueFiles: + - values.yaml - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml index eee0c7ca36..445cfe3ddb 100644 --- a/services/exposurelog/Chart.yaml +++ b/services/exposurelog/Chart.yaml @@ -5,12 +5,10 @@ maintainers: - name: r-owen type: application -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.2 +# The chart version. SQuaRE convention is to use 1.0.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.9.1 +appVersion: 0.9.2 diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml index b5863bb8ff..d8be8904c9 100644 --- a/services/exposurelog/templates/deployment.yaml +++ b/services/exposurelog/templates/deployment.yaml 
@@ -54,9 +54,9 @@ spec: {{- toYaml .Values.resources | nindent 12 }} env: - name: BUTLER_URI_1 - value: {{ .Values.butler_uri_1 | quote }} + value: {{ .Values.config.butler_uri_1 | quote }} - name: BUTLER_URI_2 - value: {{ .Values.butler_uri_2 | quote }} + value: {{ .Values.config.butler_uri_2 | quote }} - name: EXPOSURELOG_DB_USER value: exposurelog - name: EXPOSURELOG_DB_PASSWORD @@ -71,32 +71,32 @@ spec: - name: EXPOSURELOG_DB_DATABSE value: exposurelog - name: SITE_ID - value: {{ .Values.site_id | quote }} + value: {{ .Values.config.site_id | quote }} volumeMounts: - {{- if .Values.nfs_path_1 }} + {{- if .Values.config.nfs_path_1 }} - name: volume1 mountPath: /volume_1 {{- end }} - {{- if .Values.nfs_path_2 }} + {{- if .Values.config.nfs_path_2 }} - name: volume2 mountPath: /volume_2 {{- end }} - name: tmp mountPath: /tmp volumes: - {{- if .Values.nfs_path_1 }} + {{- if .Values.config.nfs_path_1 }} - name: volume1 nfs: - path: {{ .Values.nfs_path_1 }} + path: {{ .Values.config.nfs_path_1 }} readOnly: true - server: {{ .Values.nfs_server_1 }} + server: {{ .Values.config.nfs_server_1 }} {{- end }} - {{- if .Values.nfs_path_2 }} + {{- if .Values.config.nfs_path_2 }} - name: volume2 nfs: - path: {{ .Values.nfs_path_2 }} + path: {{ .Values.config.nfs_path_2 }} readOnly: true - server: {{ .Values.nfs_server_2 }} + server: {{ .Values.config.nfs_server_2 }} {{- end }} - name: tmp emptyDir: {} diff --git a/services/exposurelog/values-base.yaml b/services/exposurelog/values-base.yaml index 7569f71524..0f98352715 100644 --- a/services/exposurelog/values-base.yaml +++ b/services/exposurelog/values-base.yaml 
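Review bot: In the second hunk the volume renders `server: {{ .Values.config.nfs_server_1 }}` whenever `config.nfs_path_1` is non-empty, but nothing checks that the server is also set; values.yaml only states the pairing in a comment, so a site file that sets the path alone yields an NFS volume with a null server and an unhelpful kubelet error. A `required` keeps the failure at render time: `server: {{ required "config.nfs_server_1 must be set when config.nfs_path_1 is set" .Values.config.nfs_server_1 }}`, and likewise for `nfs_server_2`. The same applies to `BUTLER_URI_1`, which the values.yaml comment calls required but the template passes through `quote` even when empty. The enclosing Deployment template starts before this hunk.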
@@ -1,18 +1,16 @@ -# WARNING: this is a "playground" deployment -# using exposurelog's built-in test butler registries. -exposurelog: - imagePullSecrets: - - name: pull-secret - ingress: - enabled: true - host: base-lsp.lsst.codes - +config: + # WARNING: this is a "playground" deployment + # using exposurelog's built-in test butler registries. site_id: test # Use the test butler registries. # Note: exposurelog's Dockerfile copies the test repos to the top of the container butler_uri_1: LSSTCam butler_uri_2: LATISS +ingress: + enabled: true + host: base-lsp.lsst.codes + vault_path: secret/k8s_operator/base-lsp.lsst.codes/postgres pull-secret: diff --git a/services/exposurelog/values-roe.yaml b/services/exposurelog/values-roe.yaml index 5fa1ee8f9c..373287d991 100644 --- a/services/exposurelog/values-roe.yaml +++ b/services/exposurelog/values-roe.yaml @@ -1,18 +1,16 @@ -# WARNING: this is a "playground" deployment -# using exposurelog's built-in test butler registries. -exposurelog: - imagePullSecrets: - - name: pull-secret - ingress: - enabled: true - host: rsp.lsst.ac.uk - +config: + # WARNING: this is a "playground" deployment + # using exposurelog's built-in test butler registries. site_id: test # Use the test butler registries. # Note: exposurelog's Dockerfile copies the test repos to the top of the container butler_uri_1: LSSTCam butler_uri_2: LATISS +ingress: + enabled: true + host: rsp.lsst.ac.uk + vault_path: secret/k8s_operator/roe/postgres pull-secret: diff --git a/services/exposurelog/values-summit.yaml b/services/exposurelog/values-summit.yaml index 299a094731..f8ff17e962 100644 --- a/services/exposurelog/values-summit.yaml +++ b/services/exposurelog/values-summit.yaml @@ -1,10 +1,4 @@ -exposurelog: - imagePullSecrets: - - name: pull-secret - ingress: - enabled: true - host: summit-lsp.lsst.codes - +config: site_id: summit nfs_path_1: /repo/LSSTComCam # Mounted as /volume_1 nfs_server_1: comcam-arctl01.cp.lsst.org 
@@ -14,6 +8,10 @@ exposurelog: nfs_server_2: atarchiver.cp.lsst.org butler_uri_2: /volume_2 +ingress: + enabled: true + host: summit-lsp.lsst.codes + vault_path: secret/k8s_operator/summit-lsp.lsst.codes/postgres pull-secret: diff --git a/services/exposurelog/values-tucson-teststand.yaml b/services/exposurelog/values-tucson-teststand.yaml index cefdbe8cd0..389d313319 100644 --- a/services/exposurelog/values-tucson-teststand.yaml +++ b/services/exposurelog/values-tucson-teststand.yaml @@ -1,18 +1,16 @@ -# WARNING: this is a "playground" deployment -# using exposurelog's built-in test butler registries. -exposurelog: - imagePullSecrets: - - name: pull-secret - ingress: - enabled: true - host: tucson-teststand.lsst.codes - +config: + # WARNING: this is a "playground" deployment + # using exposurelog's built-in test butler registries. site_id: test # Use the test butler registries. # Note: exposurelog's Dockerfile copies the test repos to the top of the container butler_uri_1: LSSTCam butler_uri_2: LATISS +ingress: + enabled: true + host: tucson-teststand.lsst.codes + vault_path: secret/k8s_operator/tucson-teststand.lsst.codes/postgres pull-secret: diff --git a/services/exposurelog/values.yaml b/services/exposurelog/values.yaml index 995bc45e0a..ebba6937eb 100644 --- a/services/exposurelog/values.yaml +++ b/services/exposurelog/values.yaml 
@@ -10,29 +10,51 @@ image: # Overrides the image tag whose default is the chart appVersion. tag: "" -# If not blank then mount the specified NFS path as internal volume /volume_1 or /volume_2, respectively. -nfs_path_1: "" -nfs_path_2: "" - -# Name of the NFS server that exports nfs_path_1 or nfs_path_2, respectively. -nfs_server_1: "" -nfs_server_2: "" - -# URIs for butler registry 1 (required) and 2 (optional). Format: -# * For a volume mounted using `nfs_path_1` or `nfs_path_2` (see above): -# An absolute path starting with `/volume_1/` or /volume_2/`. -# * For a network URI: see the daf_butler documentation. -# The default for butler_uri_1 is a local toy registry, because *some* value is necessary. -# Always override that for production use. -butler_uri_1: /home/appuser/hsc_raw -butler_uri_2: "" - -# Site ID; a non-empty string of up to 16 characters. -# This must be different for each deployment, in order to support -# synchronization of records from one message database to another. -site_id: "" - -imagePullSecrets: [] +# Application-specific configuration +config: + # NFS path to butler registry 1 and/or 2. + # Only specify a non-blank value if reading the registry from an NFS-mounted file. + # If not blank then mount the specified NFS path as internal volume /volume_1 or /volume_2, respectively. + nfs_path_1: "" + nfs_path_2: "" + + # Name of the NFS server that exports nfs_path_1 or nfs_path_2, respectively. + # Specify a non-blank value if and only if the corresponding nfs_path_1/2 is not blank. + nfs_server_1: "" + nfs_server_2: "" + + # URIs for butler registry 1 (required) and 2 (optional). Format: + # * For a volume mounted using `nfs_path_1` or `nfs_path_2` (see above): + # An absolute path starting with `/volume_1/` or `/volume_2/`. + # * For a network URI: see the daf_butler documentation. + # * For a sandbox deployment: specify `LSSTCam` for butler_uri_1 and `LATISS` for butler_uri_2. 
+ butler_uri_1: "" + butler_uri_2: "" + + # Site ID; a non-empty string of up to 16 characters. + # This should be different for each non-sandbox deployment. + # Sandboxes should use `test`. + site_id: "" + +# Site-specific values files should specify: +# +# ingress: +# enabled: true +# host: ... +# +# vault-path: secret/k8s_operator/.../postgres +# +# pull-secret: +# enabled: true +# path: secret/k8s_operator/.../pull-secret + +# This is needed for the CI job to run +ingress: + enabled: false + +imagePullSecrets: + - name: pull-secret + nameOverride: "" fullnameOverride: "" @@ -53,19 +75,6 @@ service: type: ClusterIP port: 8080 -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: bleed.lsst.codes - paths: ["/exposurelog"] - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml index a395fbbb4c..5a7a7da954 100644 --- a/services/narrativelog/Chart.yaml +++ b/services/narrativelog/Chart.yaml @@ -5,10 +5,8 @@ maintainers: - name: r-owen type: application -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.2 +# The chart version. SQuaRE convention is to use 1.0.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
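Review bot: The block comment telling site files what to set uses `vault-path:` while the site files in this commit (values-base, values-roe, values-summit, values-tucson-teststand) and the narrativelog values.yaml hunk use `vault_path:`; copying the comment as written would produce a key the chart never reads. Change the comment line to `# vault_path: secret/k8s_operator/.../postgres` here and in the narrativelog values.yaml. Since `butler_uri_1` now defaults to `""` while the comment still calls it required, consider also stating that the template does not enforce it, so a missing value surfaces only at runtime.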
diff --git a/services/narrativelog/templates/deployment.yaml b/services/narrativelog/templates/deployment.yaml index 5486f4d508..c05d88691c 100644 --- a/services/narrativelog/templates/deployment.yaml +++ b/services/narrativelog/templates/deployment.yaml @@ -67,7 +67,7 @@ spec: - name: NARRATIVELOG_DB_DATABSE value: narrativelog - name: SITE_ID - value: {{ .Values.site_id | quote }} + value: {{ .Values.config.site_id | quote }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/services/narrativelog/values-base.yaml b/services/narrativelog/values-base.yaml index 836cc179fa..63bfd5e4de 100644 --- a/services/narrativelog/values-base.yaml +++ b/services/narrativelog/values-base.yaml @@ -1,12 +1,10 @@ -narrativelog: - imagePullSecrets: - - name: pull-secret - ingress: - enabled: true - host: base-lsp.lsst.codes - +config: site_id: base +ingress: + enabled: true + host: base-lsp.lsst.codes + vault_path: secret/k8s_operator/base-lsp.lsst.codes/postgres pull-secret: diff --git a/services/narrativelog/values-summit.yaml b/services/narrativelog/values-summit.yaml index 6822c91375..9c385a5854 100644 --- a/services/narrativelog/values-summit.yaml +++ b/services/narrativelog/values-summit.yaml @@ -1,12 +1,10 @@ -narrativelog: - imagePullSecrets: - - name: pull-secret - ingress: - enabled: true - host: summit-lsp.lsst.codes - +config: site_id: summit +ingress: + enabled: true + host: summit-lsp.lsst.codes + vault_path: secret/k8s_operator/summit-lsp.lsst.codes/postgres pull-secret: diff --git a/services/narrativelog/values-tucson-teststand.yaml b/services/narrativelog/values-tucson-teststand.yaml index ede618f4cf..0d63534dd4 100644 --- a/services/narrativelog/values-tucson-teststand.yaml +++ b/services/narrativelog/values-tucson-teststand.yaml 
@@ -1,12 +1,10 @@ -narrativelog: - imagePullSecrets: - - name: pull-secret - ingress: - enabled: true - host: tucson-teststand.lsst.codes - +config: site_id: tucson +ingress: + enabled: true + host: tucson-teststand.lsst.codes + vault_path: secret/k8s_operator/tucson-teststand.lsst.codes/postgres pull-secret: diff --git a/services/narrativelog/values.yaml b/services/narrativelog/values.yaml index 051eb0df7c..846a7f05f5 100644 --- a/services/narrativelog/values.yaml +++ b/services/narrativelog/values.yaml @@ -10,12 +10,33 @@ image: # Overrides the image tag whose default is the chart appVersion. tag: "" -# Site ID; a non-empty string of up to 16 characters. -# This must be different for each deployment, in order to support -# synchronization of records from one message database to another. -site_id: "" +# Application-specific configuration +config: + # Site ID; a non-empty string of up to 16 characters. + # This should be different for each non-sandbox deployment. + # Sandboxes should use `test`. + site_id: "" + + +# Site-specific values files should specify: +# +# ingress: +# enabled: true +# host: ... +# +# vault-path: secret/k8s_operator/.../postgres +# +# pull-secret: +# enabled: true +# path: secret/k8s_operator/.../pull-secret + +# This is needed for the CI job to run +ingress: + enabled: false + +imagePullSecrets: + - name: pull-secret -imagePullSecrets: [] nameOverride: "" fullnameOverride: "" @@ -36,19 +57,6 @@ service: type: ClusterIP port: 8080 -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: bleed.lsst.codes - paths: ["/narrativelog"] - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
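Review bot: The guidance comment added to values.yaml spells the Vault key `vault-path:`, while all three site values files in this same commit (base, summit, tucson-teststand) set `vault_path:`; anyone copying the comment would produce a key the templates presumably never read, so it should say `# vault_path: secret/k8s_operator/.../postgres`. Separately, `config.site_id` defaults to `""` although the comment calls it non-empty and the deployment template now renders it straight into `SITE_ID`; consider `value: {{ required "config.site_id must be set" .Values.config.site_id | quote }}` so a missing site file fails at render time instead of running with an empty site ID. I cannot see which template consumes `vault_path`, so the first point is inferred from the naming in the site files.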
From 4a9285722502b7ab123b0bae4a375c1e18043279 Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Thu, 24 Mar 2022 11:45:16 -0700 Subject: [PATCH 0123/1479] exposurelog: update summit nfs_server_x to match the new names implemented today. --- services/exposurelog/values-summit.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/exposurelog/values-summit.yaml b/services/exposurelog/values-summit.yaml index f8ff17e962..3b11807de2 100644 --- a/services/exposurelog/values-summit.yaml +++ b/services/exposurelog/values-summit.yaml @@ -1,11 +1,11 @@ config: site_id: summit nfs_path_1: /repo/LSSTComCam # Mounted as /volume_1 - nfs_server_1: comcam-arctl01.cp.lsst.org + nfs_server_1: comcam-archiver.cp.lsst.org butler_uri_1: /volume_1 nfs_path_2: /repo/LATISS # Mounted as /volume_2 - nfs_server_2: atarchiver.cp.lsst.org + nfs_server_2: auxtel-archiver.cp.lsst.org butler_uri_2: /volume_2 ingress: From 827a37a841952644a60489a3336e885d6fd38b37 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 24 Mar 2022 15:18:15 -0400 Subject: [PATCH 0124/1479] Fix typo in times square config map --- .../times-square/charts/times-square/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/charts/times-square/templates/configmap.yaml b/services/times-square/charts/times-square/templates/configmap.yaml index ed1f2c16c5..74a1b79ade 100644 --- a/services/times-square/charts/times-square/templates/configmap.yaml +++ b/services/times-square/charts/times-square/templates/configmap.yaml @@ -11,4 +11,4 @@ data: TS_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} TS_PATH_PREFIX: {{ .Values.ingress.path }} TS_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} - TS_REDIS_URL: {{ required "config.redisUrl must be set" .Values.config.redusUrl | quote }} + TS_REDIS_URL: {{ required "config.redisUrl must be set" .Values.config.redisUrl | quote }} 
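Review bot: The corrected `TS_REDIS_URL` line (and `TS_DATABASE_URL` just above it) render connection URLs into a ConfigMap, and URLs of this shape commonly carry credentials in the userinfo part (`redis://:password@host/0`); if that is how `config.redisUrl` or `config.databaseUrl` is populated, the password becomes readable by anyone with ConfigMap read access in the namespace and shows up in Argo CD's rendered manifests. Either document in values.yaml that these URLs must not embed credentials, or move them into a Secret and inject them via `secretKeyRef`. I cannot see the times-square values files, so whether credentials are actually embedded is inferred, not observed.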
From 99d4a6fde85e27fe164582026821f3c7fe4b70d7 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 24 Mar 2022 15:26:25 -0500 Subject: [PATCH 0125/1479] values for idf dev culling --- services/nublado2/values-idfdev.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index a9395fa68a..3c2a5bd089 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -24,6 +24,12 @@ nublado2: AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks AUTO_REPO_BRANCH: prod AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod + NO_ACTIVITY_TIMEOUT: "300" + CULL_KERNEL_IDLE_TIMEOUT: "300" + CULL_KERNEL_CONNECTED: "True" + CULL_KERNEL_INTERVAL: "60" + CULL_TERMINAL_INACTIVE_TIMEOUT: "300" + CULL_TERMINAL_INTERVAL: "60" volumes: - name: home nfs: From 186d307f12dd653125ed9b598f565f55da565d75 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 24 Mar 2022 13:08:17 -0700 Subject: [PATCH 0126/1479] Move tap-schema chart into Phalanx Simplify the configuration and update the Helm resources to match our current standards. Update the documentation for how to push out a new TAP schema. --- docs/service-guide/update-tap-schema.rst | 7 +-- services/tap-schema/Chart.yaml | 10 +--- services/tap-schema/README.md.gotmpl | 9 +++ services/tap-schema/templates/_helpers.tpl | 51 +++++++++++++++++ .../templates/tap-schema-db-deployment.yaml | 55 +++++++++++++++++++ .../templates/tap-schema-db-service.yaml | 14 +++++ .../tap-schema/templates/vault-secrets.yaml | 9 +++ services/tap-schema/values-idfdev.yaml | 7 --- services/tap-schema/values-idfint.yaml | 9 +-- services/tap-schema/values-idfprod.yaml | 9 +-- services/tap-schema/values-int.yaml | 9 +-- services/tap-schema/values-minikube.yaml | 7 --- services/tap-schema/values-red-five.yaml | 7 --- services/tap-schema/values-roe.yaml | 7 --- services/tap-schema/values-stable.yaml | 9 +-- services/tap-schema/values.yaml | 48 ++++++++++++++++ 16 files changed, 200 insertions(+), 67 deletions(-) create mode 100644 services/tap-schema/README.md.gotmpl create mode 100644 services/tap-schema/templates/_helpers.tpl create mode 100644 services/tap-schema/templates/tap-schema-db-deployment.yaml create mode 100644 services/tap-schema/templates/tap-schema-db-service.yaml create mode 100644 services/tap-schema/templates/vault-secrets.yaml create mode 100644 services/tap-schema/values.yaml diff --git a/docs/service-guide/update-tap-schema.rst b/docs/service-guide/update-tap-schema.rst index 692f0139ab..5471b48087 100644 --- a/docs/service-guide/update-tap-schema.rst +++ b/docs/service-guide/update-tap-schema.rst 
@@ -5,10 +5,9 @@ The ``TAP_SCHEMA`` table stores information about the tables available in a give This table is kept in sync with the felis files using the following process: #. Make a PR to the `sdm_schemas repository `__ with a change to a felis YAML file. -#. After this is merged, make a GitHub release with a new version number. +#. After this is merged, make a GitHub release of sdm_schemas with a new semver version number. + (Ignore the weekly tags that are added by other processes.) This will create a tag and run a publishing pipeline GitHub Action. That publishing pipeline will run the Python felis library against the YAML files in the ``yml`` directory and make different Docker images for the different supported environments. It will then push the images to DockerHub. -#. Update the version of the `tap-schema chart `__ following the instructions in :doc:`upgrade`. - The ``appVersion`` in ``Chart.yaml`` should be updated to match the version of the new release, and the ``version`` of the chart increased following normal semver conventions. -#. Sync the ``tap-schema`` application in Argo CD in the relevant environment or environments (see :doc:`sync-argo-cd`). +#. Update the ``appVersion`` version to the version of the new release in the `tap-schema Phalanx service `__. diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index c5281a40fd..192ba2e2c3 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,10 +1,6 @@ apiVersion: v2 +appVersion: 1.1.7 +description: The TAP_SCHEMA database +home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema version: 1.0.0 -dependencies: -- name: tap-schema - version: ">=0.1.0" - repository: https://lsst-sqre.github.io/charts/ -- name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ diff --git a/services/tap-schema/README.md.gotmpl b/services/tap-schema/README.md.gotmpl new file mode 100644 index 0000000000..4531459bbb 
--- /dev/null +++ b/services/tap-schema/README.md.gotmpl @@ -0,0 +1,9 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/tap-schema/templates/_helpers.tpl b/services/tap-schema/templates/_helpers.tpl new file mode 100644 index 0000000000..02b4b76755 --- /dev/null +++ b/services/tap-schema/templates/_helpers.tpl 
@@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "tap-schema.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "tap-schema.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "tap-schema.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "tap-schema.labels" -}} +helm.sh/chart: {{ include "tap-schema.chart" . }} +{{ include "tap-schema.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "tap-schema.selectorLabels" -}} +app.kubernetes.io/name: {{ include "tap-schema.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/tap-schema/templates/tap-schema-db-deployment.yaml b/services/tap-schema/templates/tap-schema-db-deployment.yaml new file mode 100644 index 0000000000..6782db63b5 --- /dev/null +++ b/services/tap-schema/templates/tap-schema-db-deployment.yaml 
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "tap-schema.fullname" . }}-db
+  labels:
+    {{- include "tap-schema.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "tap-schema.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "tap-schema.selectorLabels" . | nindent 8 }}
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - name: {{ .Chart.Name }}
+          env:
+            - name: MYSQL_DATABASE
+              value: "TAP_SCHEMA"
+            - name: MYSQL_USER
+              value: "TAP_SCHEMA"
+            - name: MYSQL_PASSWORD
+              value: "TAP_SCHEMA"
+            - name: MYSQL_ROOT_HOST
+              value: "%"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          ports:
+            - containerPort: 3306
+              protocol: "TCP"
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      imagePullSecrets:
+        - name: "pull-secret"
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/services/tap-schema/templates/tap-schema-db-service.yaml b/services/tap-schema/templates/tap-schema-db-service.yaml
new file mode 100644
index 0000000000..523ef266f2
--- /dev/null
+++ b/services/tap-schema/templates/tap-schema-db-service.yaml
@@ -0,0 +1,14 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ template "tap-schema.fullname" . }}-db
+  labels:
+    {{- include "tap-schema.labels" . | nindent 4 }}
+spec:
+  type: "ClusterIP"
+  ports:
+    - protocol: "TCP"
+      port: 3306
+      targetPort: 3306
+  selector:
+    {{- include "tap-schema.selectorLabels" . | nindent 4 }}
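Review bot: The new Deployment hard-codes `MYSQL_PASSWORD: "TAP_SCHEMA"` and sets `MYSQL_ROOT_HOST: "%"` without any `MYSQL_ROOT_PASSWORD` or `MYSQL_RANDOM_ROOT_PASSWORD`, so the application user has a committed, well-known password and root is remotely reachable with whatever credential the image bakes in; that is only acceptable if this database holds nothing but a read-only mock schema, and the template should say so in a comment rather than leave it implicit. The chart already ships a VaultSecret template for `pull-secret`, so the same mechanism can supply the passwords: the env stanza would become the snippet below, backed by a second VaultSecret for a `tap-schema` secret (the consuming TAP service would need to read the same secret, which is outside this chart and not something I can confirm here). Also consider a `readinessProbe` with `tcpSocket: port: 3306` so the Service does not route queries before mysqld has finished loading the schema, and a NetworkPolicy limiting 3306 to the TAP service's namespace, since a ClusterIP Service is reachable from every namespace in the cluster.

```yaml
          env:
            - name: MYSQL_DATABASE
              value: "TAP_SCHEMA"
            - name: MYSQL_USER
              value: "TAP_SCHEMA"
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "tap-schema"
                  key: "password"
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "tap-schema"
                  key: "root-password"
            - name: MYSQL_ROOT_HOST
              value: "%"
          # … unchanged: image, imagePullPolicy, ports, resources …
```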
diff --git a/services/tap-schema/templates/vault-secrets.yaml b/services/tap-schema/templates/vault-secrets.yaml
new file mode 100644
index 0000000000..24b38cc3f1
--- /dev/null
+++ b/services/tap-schema/templates/vault-secrets.yaml
@@ -0,0 +1,9 @@
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: "pull-secret"
+  labels:
+    {{- include "tap-schema.labels" . | nindent 4 }}
+spec:
+  path: "{{ .Values.globals.vaultSecretsPath }}/pull-secret"
+  type: "kubernetes.io/dockerconfigjson"
diff --git a/services/tap-schema/values-idfdev.yaml b/services/tap-schema/values-idfdev.yaml
index 8dd89a7a3e..e69de29bb2 100644
--- a/services/tap-schema/values-idfdev.yaml
+++ b/services/tap-schema/values-idfdev.yaml
@@ -1,7 +0,0 @@
-tap-schema:
-  pull_secret: 'pull-secret'
-  image: lsstsqre/tap-schema-mock
-
-pull-secret:
-  enabled: true
-  path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret
diff --git a/services/tap-schema/values-idfint.yaml b/services/tap-schema/values-idfint.yaml
index 0affa75646..60572be44b 100644
--- a/services/tap-schema/values-idfint.yaml
+++ b/services/tap-schema/values-idfint.yaml
@@ -1,7 +1,2 @@
-tap-schema:
-  pull_secret: 'pull-secret'
-  image: lsstsqre/tap-schema-idfint
-
-pull-secret:
-  enabled: true
-  path: secret/k8s_operator/data-int.lsst.cloud/pull-secret
+image:
+  repository: "lsstsqre/tap-schema-idfint"
diff --git a/services/tap-schema/values-idfprod.yaml b/services/tap-schema/values-idfprod.yaml
index 082b482651..7dd2ec1bc8 100644
--- a/services/tap-schema/values-idfprod.yaml
+++ b/services/tap-schema/values-idfprod.yaml
@@ -1,7 +1,2 @@
-tap-schema:
-  pull_secret: 'pull-secret'
-  image: lsstsqre/tap-schema-idfprod
-
-pull-secret:
-  enabled: true
-  path: secret/k8s_operator/data.lsst.cloud/pull-secret
+image:
+  repository: "lsstsqre/tap-schema-idfprod"
diff --git a/services/tap-schema/values-int.yaml b/services/tap-schema/values-int.yaml
index eb81bf56e8..08ae0e92ed 100644
--- a/services/tap-schema/values-int.yaml
+++ b/services/tap-schema/values-int.yaml
@@ -1,7 +1,2 @@
-tap-schema:
-  pull_secret: 'pull-secret'
-  image: lsstsqre/tap-schema-int
-
-pull-secret:
-  enabled: true
-  path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret
+image:
+  repository: "lsstsqre/tap-schema-int"
diff --git a/services/tap-schema/values-minikube.yaml b/services/tap-schema/values-minikube.yaml
index 35acec1115..e69de29bb2 100644
--- a/services/tap-schema/values-minikube.yaml
+++ b/services/tap-schema/values-minikube.yaml
@@ -1,7 +0,0 @@
-tap-schema:
-  pull_secret: 'pull-secret'
-  image: lsstsqre/tap-schema-mock
-
-pull-secret:
-  enabled: true
-  path: secret/k8s_operator/minikube.lsst.codes/pull-secret
diff --git a/services/tap-schema/values-red-five.yaml b/services/tap-schema/values-red-five.yaml
index 57ec1f8e93..e69de29bb2 100644
--- a/services/tap-schema/values-red-five.yaml
+++ b/services/tap-schema/values-red-five.yaml
@@ -1,7 +0,0 @@
-tap-schema:
-  pull_secret: 'pull-secret'
-  image: lsstsqre/tap-schema-mock
-
-pull-secret:
-  enabled: true
-  path: secret/k8s_operator/red-five.lsst.codes/pull-secret
diff --git a/services/tap-schema/values-roe.yaml b/services/tap-schema/values-roe.yaml
index 1e2816fe6a..e69de29bb2 100644
--- a/services/tap-schema/values-roe.yaml
+++ b/services/tap-schema/values-roe.yaml
@@ -1,7 +0,0 @@
-tap-schema:
-  pull_secret: 'pull-secret'
-  image: lsstsqre/tap-schema-mock
-
-pull-secret:
-  enabled: true
-  path: secret/k8s_operator/roe/pull-secret
diff --git a/services/tap-schema/values-stable.yaml b/services/tap-schema/values-stable.yaml
index b5345a1133..1dc6425b00 100644
--- a/services/tap-schema/values-stable.yaml
+++ b/services/tap-schema/values-stable.yaml
@@ -1,7 +1,2 @@
-tap-schema:
-  pull_secret: 'pull-secret'
-  image: lsstsqre/tap-schema-stable
-
-pull-secret:
-  enabled: true
-  path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret
+image:
+  repository: "lsstsqre/tap-schema-stable"
diff --git a/services/tap-schema/values.yaml b/services/tap-schema/values.yaml
new file mode 100644
index 0000000000..0d6ecf5394
--- /dev/null
+++ b/services/tap-schema/values.yaml
@@ -0,0 +1,48 @@
+# Default values for tap-schema.
+
+# -- Override the base name for resources
+nameOverride: ""
+
+# -- Override the full name for resources (includes the release name)
+fullnameOverride: ""
+
+image:
+  # -- tap-schema image to use
+  repository: "lsstdax/tap-schema-mock"
+
+  # -- Pull policy for the tap-schema image
+  pullPolicy: "IfNotPresent"
+
+  # -- Tag of tap-schema image to use
+  # @default -- The appVersion of the chart
+  tag: ""
+
+# -- Resource limits and requests for the MySQL pod
+resources: {}
+
+# -- Annotations for the MySQL pod
+podAnnotations: {}
+
+# -- Node selector rules for the MySQL pod
+nodeSelector: {}
+
+# -- Tolerations for the MySQL pod
+tolerations: []
+
+# -- Affinity rules for the MySQL pod
+affinity: {}
+
+# The following will be set by parameters injected by Argo CD and should not
+# be set in the individual environment values files.
+globals:
+  # -- Base URL for the environment
+  # @default -- Set by Argo CD
+  baseUrl: ""
+
+  # -- Host name for ingress
+  # @default -- Set by Argo CD
+  host: ""
+
+  # -- Base path for Vault secrets
+  # @default -- Set by Argo CD
+  vaultSecretsPath: ""

From 5e008fcfcc773d233df67dd484b641dee8d1bebf Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 24 Mar 2022 13:41:41 -0700
Subject: [PATCH 0127/1479] Update tap-schema Application for new layout

---
 .../templates/tap-schema-application.yaml | 32 ++++++++++++-------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/science-platform/templates/tap-schema-application.yaml b/science-platform/templates/tap-schema-application.yaml
index debd3f4f86..2337ce84d2 100644
--- a/science-platform/templates/tap-schema-application.yaml
+++ b/science-platform/templates/tap-schema-application.yaml
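Review bot: `globals.baseUrl` and `globals.host` are declared and documented as injected by Argo CD, but none of the templates added in this commit reference them — only `globals.vaultSecretsPath` is used, by vault-secrets.yaml — so they are dead values unless an ingress is planned; either drop them or mark them with `# @default -- Set by Argo CD (not currently used by this chart)`. The file is also silent about the fact that the MySQL credentials are fixed in the Deployment template rather than being configurable here, which is where the next maintainer will look for a password value; a one-line note near the top such as `# MySQL credentials are fixed in templates/tap-schema-db-deployment.yaml and are not configurable here.` would save that search. `resources: {}` leaves the MySQL pod without requests or limits, which is fine for the mock image but should be overridden in the prod environment values files.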
@@ -2,28 +2,36 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: tap-schema
+  name: "tap-schema"
 spec:
   finalizers:
-    - kubernetes
+    - "kubernetes"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: tap-schema
-  namespace: argocd
+  name: "tap-schema"
+  namespace: "argocd"
   finalizers:
-    - resources-finalizer.argocd.argoproj.io
+    - "resources-finalizer.argocd.argoproj.io"
 spec:
   destination:
-    namespace: tap-schema
-    server: https://kubernetes.default.svc
-  project: default
+    namespace: "tap-schema"
+    server: "https://kubernetes.default.svc"
+  project: "default"
   source:
-    path: services/tap-schema
-    repoURL: {{ .Values.repoURL }}
-    targetRevision: {{ .Values.revision }}
+    path: "services/tap-schema"
+    repoURL: {{ .Values.repoURL | quote }}
+    targetRevision: {{ .Values.revision | quote }}
     helm:
+      parameters:
+        - name: "globals.host"
+          value: {{ .Values.fqdn | quote }}
+        - name: "globals.baseUrl"
+          value: "https://{{ .Values.fqdn }}"
+        - name: "globals.vaultSecretsPath"
+          value: {{ .Values.vault_path_prefix | quote }}
       valueFiles:
-        - values-{{ .Values.environment }}.yaml
+        - "values.yaml"
+        - "values-{{ .Values.environment }}.yaml"
 {{- end -}}

From 6212762c143e5c296806faf2b0100a2072c71d02 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 24 Mar 2022 14:00:21 -0700
Subject: [PATCH 0128/1479] Fix repository for tap-schema images

---
 services/tap-schema/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/tap-schema/values.yaml b/services/tap-schema/values.yaml
index 0d6ecf5394..4ae1572a98 100644
--- a/services/tap-schema/values.yaml
+++ b/services/tap-schema/values.yaml
@@ -8,7 +8,7 @@ fullnameOverride: ""
 
 image:
   # -- tap-schema image to use
-  repository: "lsstdax/tap-schema-mock"
+  repository: "lsstsqre/tap-schema-mock"
 
   # -- Pull policy for the tap-schema image
   pullPolicy: "IfNotPresent"

From 635b4d42eec195786adf498facf16b7f071157f4 Mon Sep 17 00:00:00 2001
From: adam Date: Thu, 24 Mar 2022 15:06:36 -0700 Subject: [PATCH 0129/1479] disable telegraf at NCSA stable --- science-platform/values-stable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 57caacf7db..4d895e8b99 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml @@ -55,7 +55,7 @@ tap: tap_schema: enabled: true telegraf: - enabled: true + enabled: false times_square: enabled: false vault_secrets_operator: From 480dfe44b5edc12049d5232bfa78dca707c7a786 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 22 Mar 2022 16:40:07 -0700 Subject: [PATCH 0130/1479] Remove key_ids config for Gafaelfawr We were pinning the key ID for CILogon in the Gafaelfawr configuration. Support for doing this sort of pinning has been dropped from Gafaelfawr since it adds complexity and prevents key rotation for dubious benefits. Remove the setting. --- services/gafaelfawr/templates/configmap.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index acc01f877f..d5572cbe44 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -71,8 +71,6 @@ data: - "email" - "org.cilogon.userinfo" audience: {{ .Values.config.cilogon.clientId | quote }} - key_ids: - - "244B235F6B28E34108D101EAC7362C4E" {{- else if .Values.config.oidc.clientId }} From 923cc94da9576903a131e758bd57360b54d074ef Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Tue, 22 Mar 2022 16:42:59 -0700 Subject: [PATCH 0131/1479] Update Gafaelfawr InfluxDB configuration Move the InfluxDB token issuer configuration to its own section and update the values.yaml files accordingly. --- services/gafaelfawr/README.md | 4 ++-- services/gafaelfawr/templates/configmap.yaml | 10 ++++++---- services/gafaelfawr/values-squash-sandbox.yaml | 7 +++---- services/gafaelfawr/values.yaml | 16 ++++++++-------- 4 files changed, 19 insertions(+), 18 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 159f5c607b..0091ab336e 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -21,10 +21,10 @@ Science Platform authentication and authorization system | config.errorFooter | string | `""` | HTML footer to add to any login error page (inside a

tag). | | config.github.clientId | string | `""` | GitHub client ID. One and only one of this, `config.cilogon.clientId`, or `config.oidc.clientId` must be set. | | config.groupMapping | object | `{}` | Defines a mapping of scopes to groups that provide that scope. Tokens from an OpenID Connect provider such as CILogon that include groups in an `isMemberOf` claim will be granted scopes based on this mapping. | +| config.influxdb.enabled | bool | `false` | Whether to issue tokens for InfluxDB. If set to true, `influxdb-secret` must be set in the Gafaelfawr secret. | +| config.influxdb.username | string | `""` | If set, force all InfluxDB tokens to have that username instead of the authenticated identity of the user requesting a token | | config.initialAdmins | list | `[]` | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. | | config.issuer.expMinutes | int | `43200` (30 days) | Session length and token expiration (in minutes) | -| config.issuer.influxdb.enabled | bool | `false` | Whether to issue tokens for InfluxDB. If set to true, `influxdb-secret` must be set in the Gafaelfawr secret. | -| config.issuer.influxdb.username | string | `""` | If set, force all InfluxDB tokens to have that username instead of the authenticated identity of the user requesting a token | | config.knownScopes | object | See the `values.yaml` file | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. | | config.ldap.baseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups | | config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. | 
diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index d5572cbe44..fb71883ea9 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -29,12 +29,14 @@ data: aud: "https://{{ .Values.globals.host }}" key_file: "/etc/gafaelfawr/secrets/signing-key" exp_minutes: {{ .Values.config.issuer.expMinutes }} - {{- if .Values.config.issuer.influxdb.enabled }} - influxdb_secret_file: "/etc/gafaelfawr/secrets/influxdb-secret" + + {{- if .Values.config.influxdb.enabled }} + influxdb: + secret_file: "/etc/gafaelfawr/secrets/influxdb-secret" {{- if .Values.config.issuer.influxdb.username }} - influxdb_username: {{ .Values.config.issuer.influxdb.username | quote }} - {{- end }} + username: {{ .Values.config.issuer.influxdb.username | quote }} {{- end }} + {{- end }} {{- if .Values.config.github.clientId }} diff --git a/services/gafaelfawr/values-squash-sandbox.yaml b/services/gafaelfawr/values-squash-sandbox.yaml index c7f9a65429..f937598ce7 100644 --- a/services/gafaelfawr/values-squash-sandbox.yaml +++ b/services/gafaelfawr/values-squash-sandbox.yaml @@ -8,10 +8,9 @@ config: # Whether to issue tokens for InfluxDB. If set to true, influxdb-secret # must be set in the Gafaelfawr secret. - issuer: - influxdb: - enabled: true - username: "efdreader" + influxdb: + enabled: true + username: "efdreader" # Whether to support OpenID Connect clients. If set to true, # oidc-server-secrets must be set in the Gafaelfawr secret. diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 74e8378f6a..74335dd67a 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
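Review bot: The new `influxdb:` block still reads `.Values.config.issuer.influxdb.username` on both the `{{- if }}` line and the `username:` line, while this same commit moves the setting to `config.influxdb.username` in values.yaml and values-squash-sandbox.yaml; once `config.influxdb.enabled` is true, `.Values.config.issuer.influxdb` no longer exists, so Helm will either abort the render with a nil-pointer error on `.username` or silently drop the squash-sandbox `efdreader` override, depending on how the missing map is evaluated. The two lines should be `{{- if .Values.config.influxdb.username }}` and `username: {{ .Values.config.influxdb.username | quote }}`. The `data:` mapping this block lives in starts before the hunk.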
@@ -133,14 +133,14 @@ config: # @default -- `43200` (30 days) expMinutes: 43200 - influxdb: - # -- Whether to issue tokens for InfluxDB. If set to true, - # `influxdb-secret` must be set in the Gafaelfawr secret. - enabled: false - - # -- If set, force all InfluxDB tokens to have that username instead of - # the authenticated identity of the user requesting a token - username: "" + influxdb: + # -- Whether to issue tokens for InfluxDB. If set to true, + # `influxdb-secret` must be set in the Gafaelfawr secret. + enabled: false + + # -- If set, force all InfluxDB tokens to have that username instead of + # the authenticated identity of the user requesting a token + username: "" oidcServer: # -- Whether to support OpenID Connect clients. If set to true, From b523fe635c25376a2210aa7b11a339115382ff74 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 22 Mar 2022 16:43:35 -0700 Subject: [PATCH 0132/1479] Bump Gafaelfawr app version to 4.0.0 --- services/gafaelfawr/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index e1bb651988..215cc6bdbe 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -3,4 +3,4 @@ name: gafaelfawr version: 1.0.0 description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ -appVersion: 3.6.0 +appVersion: 4.0.0 From 3e78fcb6ecbc4b5228aecf8d96bee331dc426e16 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 22 Mar 2022 17:20:12 -0700 Subject: [PATCH 0133/1479] Update Gafaelfawr lifetime configuration The Gafaelfawr token lifetime is now configured via a top-level tokenLifetimeMinutes configuration option, rather than something under issuer. --- services/gafaelfawr/README.md | 2 +- services/gafaelfawr/templates/configmap.yaml | 2 +- services/gafaelfawr/values.yaml | 9 ++++----- 3 files changed, 6 insertions(+), 7 deletions(-) 
diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 0091ab336e..17e76dd08b 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -24,7 +24,6 @@ Science Platform authentication and authorization system | config.influxdb.enabled | bool | `false` | Whether to issue tokens for InfluxDB. If set to true, `influxdb-secret` must be set in the Gafaelfawr secret. | | config.influxdb.username | string | `""` | If set, force all InfluxDB tokens to have that username instead of the authenticated identity of the user requesting a token | | config.initialAdmins | list | `[]` | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. | -| config.issuer.expMinutes | int | `43200` (30 days) | Session length and token expiration (in minutes) | | config.knownScopes | object | See the `values.yaml` file | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. | | config.ldap.baseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups | | config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. | 
@@ -42,6 +41,7 @@ Science Platform authentication and authorization system | config.oidc.tokenUrl | string | None, must be set | URL from which to retrieve the token for the user | | config.oidcServer.enabled | bool | `false` | Whether to support OpenID Connect clients. If set to true, `oidc-server-secrets` must be set in the Gafaelfawr secret. | | config.proxies | list | [`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`] | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging | +| config.tokenLifetimeMinutes | int | `43200` (30 days) | Session length and token expiration (in minutes) | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | globals.baseUrl | string | Set by Argo CD | Base URL for the environment | | globals.host | string | Set by Argo CD | Host name for ingress | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index fb71883ea9..255d7a7576 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -12,6 +12,7 @@ data: database_url: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} redis_url: "redis://{{ template "gafaelfawr.fullname" . }}-redis.{{ .Release.Namespace }}:6379/0" redis_password_file: "/etc/gafaelfawr/secrets/redis-password" + token_lifetime_minutes: {{ .Values.config.tokenLifetimeMinutes }} {{- if .Values.config.proxies }} proxies: {{- range $netblock := .Values.config.proxies }} @@ -28,7 +29,6 @@ data: key_id: "reissuer" aud: "https://{{ .Values.globals.host }}" key_file: "/etc/gafaelfawr/secrets/signing-key" - exp_minutes: {{ .Values.config.issuer.expMinutes }} {{- if .Values.config.influxdb.enabled }} influxdb: diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 74335dd67a..bc5922d2c1 100644 --- a/services/gafaelfawr/values.yaml 
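Review bot: In the `@@ -12,6 +12,7 @@` hunk of templates/configmap.yaml the new `token_lifetime_minutes` line renders the value bare, so an environment values file that sets `config.tokenLifetimeMinutes` to an empty value produces `token_lifetime_minutes:` (YAML null) instead of a template-time error, and the effective session length then comes from whatever the application defaults to rather than from the chart. The `database_url` line directly above already uses the `required` guard for this case. Suggested line: `token_lifetime_minutes: {{ required "config.tokenLifetimeMinutes must be set" .Values.config.tokenLifetimeMinutes }}`. Since this value presumably bounds how long every issued token stays valid, the `# --` comment added in the values.yaml `@@ -47,6 +47,10 @@` hunk could also say that per-environment overrides are to be reviewed as a security setting, not just a convenience one.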
+++ b/services/gafaelfawr/values.yaml @@ -47,6 +47,10 @@ config: # -- Choose from the text form of Python logging levels loglevel: "INFO" + # -- Session length and token expiration (in minutes) + # @default -- `43200` (30 days) + tokenLifetimeMinutes: 43200 + # -- List of netblocks used for internal Kubernetes IP addresses, used to # determine the true client IP for logging # @default -- [`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`] @@ -128,11 +132,6 @@ config: # set) uidAttr: "uidNumber" - issuer: - # -- Session length and token expiration (in minutes) - # @default -- `43200` (30 days) - expMinutes: 43200 - influxdb: # -- Whether to issue tokens for InfluxDB. If set to true, # `influxdb-secret` must be set in the Gafaelfawr secret. From fda3b3b016cc4334c58197b80e99786aba531229 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 23 Mar 2022 13:51:22 -0700 Subject: [PATCH 0134/1479] Update Gafaelfawr OIDC Server configuration The internal configuration parameters have changed structure. Update the ConfigMap accordingly. --- services/gafaelfawr/templates/configmap.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 255d7a7576..16a608e23a 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -24,12 +24,6 @@ data: error_footer: {{ .Values.config.errorFooter | quote }} {{- end }} - issuer: - iss: "https://{{ .Values.globals.host }}" - key_id: "reissuer" - aud: "https://{{ .Values.globals.host }}" - key_file: "/etc/gafaelfawr/secrets/signing-key" - {{- if .Values.config.influxdb.enabled }} influxdb: secret_file: "/etc/gafaelfawr/secrets/influxdb-secret" 
@@ -116,7 +110,12 @@ data: {{- end }} {{- if .Values.config.oidcServer.enabled }} - oidc_server_secrets_file: "/etc/gafaelfawr/secrets/oidc-server-secrets" + oidc_server: + iss: "https://{{ .Values.globals.host }}" + key_id: "gafaelfawr" + aud: "https://{{ .Values.globals.host }}" + key_file: "/etc/gafaelfawr/secrets/signing-key" + secrets_file: "/etc/gafaelfawr/secrets/oidc-server-secrets" {{- end }} known_scopes: From 1df685d2ec32fda67ff99a37e38ddace289d9257 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 25 Mar 2022 12:34:19 -0700 Subject: [PATCH 0135/1479] Remove Gafaelfawr ingress annotations configuration We aren't using this in any environments, so remove it to simplify the chart. We can always add it back in later if needed. --- services/gafaelfawr/README.md | 1 - services/gafaelfawr/templates/ingress-rewrite.yaml | 3 --- services/gafaelfawr/templates/ingress.yaml | 3 --- services/gafaelfawr/values.yaml | 4 ---- 4 files changed, 11 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 17e76dd08b..f645c69314 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -49,7 +49,6 @@ Science Platform authentication and authorization system | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Gafaelfawr image | | image.repository | string | `"lsstsqre/gafaelfawr"` | Gafaelfawr image to use | | image.tag | string | The appVersion of the chart | Tag of Gafaelfawr image to use | -| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Gafaelfawr frontend pod | | podAnnotations | object | `{}` | Annotations for the Gafaelfawr frontend pod | diff --git a/services/gafaelfawr/templates/ingress-rewrite.yaml b/services/gafaelfawr/templates/ingress-rewrite.yaml index 0f39d1bc92..9f36cb2f73 100644 
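Review bot: The new `oidc_server` block in the `@@ -116,7 +110,12 @@` hunk sets `key_id: "gafaelfawr"` while pointing `key_file` at the same `/etc/gafaelfawr/secrets/signing-key` that the `issuer` block removed in the previous hunk used under `key_id: "reissuer"`, and nothing in the template records that the kid was renamed on existing key material rather than a fresh key being provisioned. A template comment above `oidc_server:`, e.g. `{{/* Reuses the former issuer signing key under a new kid; rotate the secret if a distinct OIDC key is intended. */}}`, would make that decision explicit for whoever next rotates secrets. Whether any relying party caches keys by kid is not visible here, so this is a request for documentation, not a claim of breakage.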
--- a/services/gafaelfawr/templates/ingress-rewrite.yaml +++ b/services/gafaelfawr/templates/ingress-rewrite.yaml @@ -5,9 +5,6 @@ metadata: kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/rewrite-target: "/auth/tokens/" nginx.ingress.kubernetes.io/use-regex: "true" - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} name: {{ template "gafaelfawr.fullname" . }}-rewrite labels: {{- include "gafaelfawr.labels" . | nindent 4 }} diff --git a/services/gafaelfawr/templates/ingress.yaml b/services/gafaelfawr/templates/ingress.yaml index 9496464a38..b6af28bf75 100644 --- a/services/gafaelfawr/templates/ingress.yaml +++ b/services/gafaelfawr/templates/ingress.yaml @@ -3,9 +3,6 @@ kind: Ingress metadata: annotations: kubernetes.io/ingress.class: "nginx" - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} name: {{ template "gafaelfawr.fullname" . }} labels: {{- include "gafaelfawr.labels" . | nindent 4 }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index bc5922d2c1..8f0c603f8d 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -20,10 +20,6 @@ image: # @default -- The appVersion of the chart tag: "" -ingress: - # -- Additional annotations to add to the ingress - annotations: {} - # -- Resource limits and requests for the Gafaelfawr frontend pod resources: {} From d07175178e11dfe6ead6c98e31aa1b5350809237 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 25 Mar 2022 12:47:57 -0700 Subject: [PATCH 0136/1479] Deploy minikube and IDF dev from branch Test the upcoming new Gafaelfawr 4.0.0 release. --- services/gafaelfawr/values-idfdev.yaml | 3 +++ services/gafaelfawr/values-minikube.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 35b2b68594..9eaa9ede50 100644 --- a/services/gafaelfawr/values-idfdev.yaml 
+++ b/services/gafaelfawr/values-idfdev.yaml @@ -1,3 +1,6 @@ +image: + tag: "tickets-DM-34097" + # Use the CSI storage class so that we can use snapshots. redis: persistence: diff --git a/services/gafaelfawr/values-minikube.yaml b/services/gafaelfawr/values-minikube.yaml index 502d9dec7f..ea74a71307 100644 --- a/services/gafaelfawr/values-minikube.yaml +++ b/services/gafaelfawr/values-minikube.yaml @@ -1,3 +1,6 @@ +image: + tag: "tickets-DM-34097" + # Reset token storage on every Redis restart. redis: persistence: From 6867ed093384dca35cfd117968fa77c8b9ca3d8c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 25 Mar 2022 13:30:56 -0700 Subject: [PATCH 0137/1479] Fix Gafaelfawr OIDC server configuration settings Missed some renamings of parameters to the OIDC server. --- services/gafaelfawr/templates/configmap.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 16a608e23a..571bd7d645 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -111,9 +111,9 @@ data: {{- if .Values.config.oidcServer.enabled }} oidc_server: - iss: "https://{{ .Values.globals.host }}" + issuer: "https://{{ .Values.globals.host }}" key_id: "gafaelfawr" - aud: "https://{{ .Values.globals.host }}" + audience: "https://{{ .Values.globals.host }}" key_file: "/etc/gafaelfawr/secrets/signing-key" secrets_file: "/etc/gafaelfawr/secrets/oidc-server-secrets" {{- end }} From e3782230ca2a26be06692bb0978040ebc683fd04 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 25 Mar 2022 15:41:02 -0700 Subject: [PATCH 0138/1479] Always pull the image on IDF dev --- services/gafaelfawr/values-idfdev.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 9eaa9ede50..571b2c94ed 100644 --- a/services/gafaelfawr/values-idfdev.yaml 
+++ b/services/gafaelfawr/values-idfdev.yaml @@ -1,5 +1,6 @@ image: tag: "tickets-DM-34097" + pullPolicy: "Always" # Use the CSI storage class so that we can use snapshots. redis: From 53d8f441f4ccb72c48d060209394eba07ba21ff8 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 25 Mar 2022 16:00:13 -0700 Subject: [PATCH 0139/1479] Use 4.0.0 of Gafaelfawr everywhere The new release is out, so undo the image pinning used for testing. --- services/gafaelfawr/values-idfdev.yaml | 4 ---- services/gafaelfawr/values-minikube.yaml | 3 --- 2 files changed, 7 deletions(-) diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 571b2c94ed..35b2b68594 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -1,7 +1,3 @@ -image: - tag: "tickets-DM-34097" - pullPolicy: "Always" - # Use the CSI storage class so that we can use snapshots. redis: persistence: diff --git a/services/gafaelfawr/values-minikube.yaml b/services/gafaelfawr/values-minikube.yaml index ea74a71307..502d9dec7f 100644 --- a/services/gafaelfawr/values-minikube.yaml +++ b/services/gafaelfawr/values-minikube.yaml @@ -1,6 +1,3 @@ -image: - tag: "tickets-DM-34097" - # Reset token storage on every Redis restart. redis: persistence: From 1abd97379dd2c72fb0b5c18ccb90822685ff3652 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 25 Mar 2022 16:20:26 -0700 Subject: [PATCH 0140/1479] Move the mobu application to a different namespace --- science-platform/templates/mobu-application.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/templates/mobu-application.yaml b/science-platform/templates/mobu-application.yaml index 2dc600fdb8..92f52f9c0a 100644 --- a/science-platform/templates/mobu-application.yaml +++ b/science-platform/templates/mobu-application.yaml 
@@ -11,7 +11,7 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: "mobu" - namespace: "argocd" + namespace: "mobu" finalizers: - "resources-finalizer.argocd.argoproj.io" spec: From 8e33068524300aa3d7d336a75de5171383858248 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 25 Mar 2022 16:47:35 -0700 Subject: [PATCH 0141/1479] Revert "Move the mobu application to a different namespace" This reverts commit 1abd97379dd2c72fb0b5c18ccb90822685ff3652. Still not supported by Argo CD. --- science-platform/templates/mobu-application.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/templates/mobu-application.yaml b/science-platform/templates/mobu-application.yaml index 92f52f9c0a..2dc600fdb8 100644 --- a/science-platform/templates/mobu-application.yaml +++ b/science-platform/templates/mobu-application.yaml @@ -11,7 +11,7 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: "mobu" - namespace: "mobu" + namespace: "argocd" finalizers: - "resources-finalizer.argocd.argoproj.io" spec: From 99476f0ee83a27edf95d1f299f5120a9ce529dfe Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Fri, 25 Mar 2022 19:04:42 -0700 Subject: [PATCH 0142/1479] [DM-34074] Sherlock to 0.1.4, set publish urls --- services/sherlock/Chart.yaml | 2 +- services/sherlock/values-idfdev.yaml | 2 ++ services/sherlock/values-idfint.yaml | 2 ++ services/sherlock/values-idfprod.yaml | 2 ++ 4 files changed, 7 insertions(+), 1 deletion(-) diff --git a/services/sherlock/Chart.yaml b/services/sherlock/Chart.yaml index 12f1849cd1..27db512328 100644 --- a/services/sherlock/Chart.yaml +++ b/services/sherlock/Chart.yaml @@ -3,5 +3,5 @@ name: sherlock version: 1.0.0 dependencies: - name: sherlock - version: 0.1.6 + version: 0.1.7 repository: https://lsst-sqre.github.io/charts/ diff --git a/services/sherlock/values-idfdev.yaml b/services/sherlock/values-idfdev.yaml index df9043146a..de834ee79f 100644 --- a/services/sherlock/values-idfdev.yaml 
+++ b/services/sherlock/values-idfdev.yaml @@ -1,3 +1,5 @@ sherlock: ingress: host: "data-dev.lsst.cloud" + + publish_url: "https://status.lsst.codes/data-dev" diff --git a/services/sherlock/values-idfint.yaml b/services/sherlock/values-idfint.yaml index 35da44d596..b1f707df4c 100644 --- a/services/sherlock/values-idfint.yaml +++ b/services/sherlock/values-idfint.yaml @@ -1,3 +1,5 @@ sherlock: ingress: host: "data-int.lsst.cloud" + + publish_url: "https://status.lsst.codes/data-int" diff --git a/services/sherlock/values-idfprod.yaml b/services/sherlock/values-idfprod.yaml index d0ae11fa1b..ca41ed84d2 100644 --- a/services/sherlock/values-idfprod.yaml +++ b/services/sherlock/values-idfprod.yaml @@ -1,3 +1,5 @@ sherlock: ingress: host: "data.lsst.cloud" + + publish_url: "https://status.lsst.codes/data" From de638b51e3d2f62fd8780660e430519c714b816c Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Fri, 25 Mar 2022 19:50:06 -0700 Subject: [PATCH 0143/1479] [DM-34074] Fix sherlock publish url Oops forgot the /api part of the URL. --- services/sherlock/values-idfdev.yaml | 2 +- services/sherlock/values-idfint.yaml | 2 +- services/sherlock/values-idfprod.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/sherlock/values-idfdev.yaml b/services/sherlock/values-idfdev.yaml index de834ee79f..0ba6237ad6 100644 --- a/services/sherlock/values-idfdev.yaml +++ b/services/sherlock/values-idfdev.yaml @@ -2,4 +2,4 @@ sherlock: ingress: host: "data-dev.lsst.cloud" - publish_url: "https://status.lsst.codes/data-dev" + publish_url: "https://status.lsst.codes/api/data-dev" diff --git a/services/sherlock/values-idfint.yaml b/services/sherlock/values-idfint.yaml index b1f707df4c..85682c6e2e 100644 --- a/services/sherlock/values-idfint.yaml +++ b/services/sherlock/values-idfint.yaml @@ -2,4 +2,4 @@ sherlock: ingress: host: "data-int.lsst.cloud" - publish_url: "https://status.lsst.codes/data-int" + publish_url: "https://status.lsst.codes/api/data-int" 
diff --git a/services/sherlock/values-idfprod.yaml b/services/sherlock/values-idfprod.yaml index ca41ed84d2..9f7253d222 100644 --- a/services/sherlock/values-idfprod.yaml +++ b/services/sherlock/values-idfprod.yaml @@ -2,4 +2,4 @@ sherlock: ingress: host: "data.lsst.cloud" - publish_url: "https://status.lsst.codes/data" + publish_url: "https://status.lsst.codes/api/data" From b6a78c8b1a91eef94ccfac0d6140f5c94d15feb8 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 28 Mar 2022 14:34:20 +0000 Subject: [PATCH 0144/1479] Update Helm release argo-cd to v4.2.3 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index e41e310d9a..075c287b55 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.2.1 + version: 4.2.3 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From 48a088740c311321edb6517c2095902f5d3f088e Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 28 Mar 2022 16:53:52 +0000 Subject: [PATCH 0145/1479] Update Helm release cert-manager to v1.7.2 --- services/cert-manager/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml index 1744880ef8..b5ba8f8f11 100644 --- a/services/cert-manager/Chart.yaml +++ b/services/cert-manager/Chart.yaml @@ -3,7 +3,7 @@ name: cert-manager version: 1.0.0 dependencies: - name: cert-manager - version: v1.7.1 + version: v1.7.2 repository: https://charts.jetstack.io - name: pull-secret version: 0.1.2 From 35d690c3f88668d6787668aaded37bf711f56ba2 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 28 Mar 2022 15:18:59 -0700 Subject: [PATCH 0146/1479] Grant IDF Argo CD access to dspeck --- services/argocd/values-idfdev.yaml | 1 + services/argocd/values-idfint.yaml | 1 + services/argocd/values-idfprod.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index 8b94cfff84..c907107fc4 100644 --- a/services/argocd/values-idfdev.yaml +++ b/services/argocd/values-idfdev.yaml @@ -49,6 +49,7 @@ argo-cd: g, adam@lsst.cloud, role:admin g, afausti@lsst.cloud, role:admin g, christine@lsst.cloud, role:admin + g, dspeck@lsst.cloud, role:admin g, frossie@lsst.cloud, role:admin g, jsick@lsst.cloud, role:admin g, krughoff@lsst.cloud, role:admin diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml index 7d6e87e9a3..3328b4fab2 100644 --- a/services/argocd/values-idfint.yaml +++ b/services/argocd/values-idfint.yaml @@ -49,6 +49,7 @@ argo-cd: g, adam@lsst.cloud, role:admin g, afausti@lsst.cloud, role:admin g, christine@lsst.cloud, role:admin + g, dspeck@lsst.cloud, role:admin g, frossie@lsst.cloud, role:admin g, jsick@lsst.cloud, role:admin g, krughoff@lsst.cloud, role:admin diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml index ade495e7c6..eec769ee2f 100644 --- a/services/argocd/values-idfprod.yaml +++ b/services/argocd/values-idfprod.yaml @@ -49,6 +49,7 @@ argo-cd: g, adam@lsst.cloud, role:admin g, afausti@lsst.cloud, role:admin g, christine@lsst.cloud, role:admin + g, dspeck@lsst.cloud, role:admin g, frossie@lsst.cloud, role:admin g, jsick@lsst.cloud, role:admin g, krughoff@lsst.cloud, role:admin From d997d59537d218e46f6edc2b36085d911cc4ad26 Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Mon, 28 Mar 2022 17:51:30 -0700 Subject: [PATCH 0147/1479] TTS: Update cachemachine to cycle 25. --- services/cachemachine/values-tucson-teststand.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/cachemachine/values-tucson-teststand.yaml b/services/cachemachine/values-tucson-teststand.yaml index 8c0a7cc763..ce040e5713 100644 --- a/services/cachemachine/values-tucson-teststand.yaml +++ b/services/cachemachine/values-tucson-teststand.yaml @@ -22,7 +22,7 @@ cachemachine: "num_releases": 1, "num_weeklies": 3, "num_dailies": 2, - "cycle": 24, + "cycle": 25, "alias_tags": [ "latest", "latest_daily", From 6ad97a97fe3da6d19e8b5541eb7420dcaa097dac Mon Sep 17 00:00:00 2001 From: Frossie Date: Wed, 30 Mar 2022 11:48:25 -0700 Subject: [PATCH 0148/1479] Add lsst ops team to IDF-int Since it's now the DP0.2 staging environment --- services/gafaelfawr/values-idfint.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index 37216d2af2..e77a53c6fb 100644 --- a/services/gafaelfawr/values-idfint.yaml +++ b/services/gafaelfawr/values-idfint.yaml @@ -17,11 +17,13 @@ config: - "lsst-sqre-square" "exec:notebook": - "lsst-ops-panda" + - "lsst-ops" - "lsst-sqre-square" - "lsst-sqre-friends" "exec:portal": - "lsst-ops-panda" - "lsst-sqre-square" + - "lsst-ops" - "lsst-sqre-friends" "read:alertdb": - "lsst-sqre-square" @@ -29,10 +31,12 @@ config: "read:image": - "lsst-ops-panda" - "lsst-sqre-square" + - "lsst-ops" - "lsst-sqre-friends" "read:tap": - "lsst-ops-panda" - "lsst-sqre-square" + - "lsst-ops" - "lsst-sqre-friends" initialAdmins: From 3a32f8ba103b1dd061859ba36c7a39110c6f8776 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 30 Mar 2022 16:31:34 -0700 Subject: [PATCH 0149/1479] make TTS 'recommended' cycle-dependent --- services/cachemachine/values-tucson-teststand.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cachemachine/values-tucson-teststand.yaml b/services/cachemachine/values-tucson-teststand.yaml index ce040e5713..0b7141e52a 100644 --- a/services/cachemachine/values-tucson-teststand.yaml 
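Review bot: The `lsst-ops` group is inserted at a different position in each scope list of the `@@ -17,11 +17,13 @@` and `@@ -29,10 +31,12 @@` hunks of services/gafaelfawr/values-idfint.yaml — after `lsst-ops-panda` under `exec:notebook`, but after `lsst-sqre-square` under `exec:portal`, `read:image` and `read:tap` — which makes the per-group grant set harder to audit by eye in what is effectively the environment's authorization policy. Placing `- "lsst-ops"` directly after `- "lsst-ops-panda"` in all four lists keeps the ops groups adjacent and makes a later removal a uniform edit. The reason for the grant lives only in the commit message; a comment beside the first occurrence, e.g. `# lsst-ops: operations team, added while data-int is the DP0.2 staging environment`, would keep that rationale with the policy file itself.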
+++ b/services/cachemachine/values-tucson-teststand.yaml @@ -18,7 +18,7 @@ cachemachine: "type": "RubinRepoMan", "registry_url": "ts-dockerhub.lsst.org", "repo": "sal-sciplat-lab", - "recommended_tag": "recommended", + "recommended_tag": "recommended_c0025", "num_releases": 1, "num_weeklies": 3, "num_dailies": 2, From f23647f6e7832ada3c4acf906fae9ece8dea0757 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 25 Mar 2022 15:00:26 -0700 Subject: [PATCH 0150/1479] enable more metric collection --- services/argocd/values-idfdev.yaml | 16 ++++++++++ services/ingress-nginx/values-idfdev.yaml | 2 ++ services/telegraf/Chart.yaml | 5 ++- services/telegraf/README.md | 15 +++++++-- services/telegraf/values-idfdev.yaml | 5 +++ services/telegraf/values.yaml | 38 ++++++++++++++++++++--- 6 files changed, 72 insertions(+), 9 deletions(-) diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index c907107fc4..9e0ae8c310 100644 --- a/services/argocd/values-idfdev.yaml +++ b/services/argocd/values-idfdev.yaml @@ -1,8 +1,24 @@ argo-cd: redis: enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: enabled: true hosts: diff --git a/services/ingress-nginx/values-idfdev.yaml b/services/ingress-nginx/values-idfdev.yaml index 61568d9ad8..07e4381428 100644 --- a/services/ingress-nginx/values-idfdev.yaml +++ b/services/ingress-nginx/values-idfdev.yaml @@ -13,6 +13,8 @@ ingress-nginx: podLabels: gafaelfawr.lsst.io/ingress: "true" hub.jupyter.org/network-access-proxy-http: "true" + metrics: + enabled: true vault_certificate: enabled: false diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index 9583e3c3ee..b4e4487e7d 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml 
@@ -1,8 +1,11 @@ apiVersion: v2 name: telegraf -version: 1.0.0 +version: 1.0.1 description: SQuaRE telemetry collection service dependencies: - name: telegraf version: 1.8.17 repository: https://helm.influxdata.com/ +# - name: telegraf-ds +# version: 1.0.32 +# repository: https://helm.influxdata.com/ diff --git a/services/telegraf/README.md b/services/telegraf/README.md index f6f9f88872..14afab9924 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md 
@@ -12,13 +12,22 @@ SQuaRE telemetry collection service | Key | Type | Default | Description | |-----|------|---------|-------------| +| telegraf.config.agent.omit_hostname | bool | `true` | | | telegraf.config.global_tags.cluster | string | `""` | | -| telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["https://${telegraf.config.global_tags.cluster}/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by default. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html | -| telegraf.config.outputs | list | `[{"influxdb_v2":{"bucket":"telegraf","organization":"lizard","token":"$INFLUX_TOKEN","urls":["https://roundtable-monitoring.lsst.cloud"]}}]` | Telegraf default output destination. | -| telegraf.config.processors | object | `{}` | Telegraf processor plugins. | +| telegraf.config.inputs[0].prometheus.metric_version | int | `2` | | +| telegraf.config.inputs[0].prometheus.urls[0] | string | `"http://hub.nublado2:8081/metrics"` | | +| telegraf.config.inputs[0].prometheus.urls[1] | string | `"http://cert-manager.cert-manager:9402/metrics"` | | +| telegraf.config.inputs[0].prometheus.urls[2] | string | `"http://argocd-application-controller-metrics.argocd:8082/metrics"` | | +| telegraf.config.inputs[0].prometheus.urls[3] | string | `"http://argocd-notifications-controller-metrics.argocd:9001/metrics"` | | +| telegraf.config.inputs[0].prometheus.urls[4] | string | `"http://argocd-redis-metrics.argocd:9121/metrics"` | | +| telegraf.config.inputs[0].prometheus.urls[5] | string | `"http://argocd-repo-server-metrics.argocd:8084/metrics"` | | +| telegraf.config.inputs[0].prometheus.urls[6] | string | `"http://argocd-server-metrics.argocd:8083/metrics"` | | +| telegraf.config.inputs[0].prometheus.urls[7] | string | `"http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics"` | | +| telegraf.config.outputs | list | 
`[{"influxdb_v2":{"bucket":"monitoring","organization":"square","token":"$INFLUX_TOKEN","urls":["https://monitoring.lsst.codes"]}}]` | Telegraf default output destination. | | telegraf.env[0] | object | `{"name":"INFLUX_TOKEN","valueFrom":{"secretKeyRef":{"key":"influx-token","name":"telegraf"}}}` | Token to communicate with Influx | | telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. | | telegraf.service.enabled | bool | `false` | Telegraf service. | +| telegraf.tplVersion | int | `2` | | | vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//telegraf`) | ---------------------------------------------- diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index 3c98a4f098..3987f69439 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml @@ -3,4 +3,9 @@ telegraf: global_tags: cluster: data-dev.lsst.cloud +# telegraf-ds: +# config: +# global_tags: +# cluster: data-dev.lsst.cloud + vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 6cfc61f6db..ca9096ff6b 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml 
@@ -19,19 +19,21 @@ telegraf: # -- Cluster name -- should be same as FQDN of RSP endpoint # @default -- None, must be set cluster: "" - # -- Telegraf processor plugins. - processors: {} - # -- Telegraf input plugins. # Collect JupyterHub Prometheus metrics by default. # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html inputs: - prometheus: urls: - http://hub.nublado2:8081/metrics + - http://cert-manager.cert-manager:9402/metrics + - http://argocd-application-controller-metrics.argocd:8082/metrics + - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - http://argocd-redis-metrics.argocd:9121/metrics + - http://argocd-repo-server-metrics.argocd:8084/metrics + - http://argocd-server-metrics.argocd:8083/metrics + - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/ metric_version: 2 - - syslog: - server: "tcp://:6514" # -- Telegraf default output destination. outputs: - influxdb_v2: @@ -40,6 +42,32 @@ telegraf: bucket: "monitoring" token: "$INFLUX_TOKEN" organization: "square" + tplVersion: 2 + +# telegraf-ds: +# env: +# # -- Token to communicate with Influx +# - name: INFLUX_TOKEN +# valueFrom: +# secretKeyRef: +# name: telegraf +# key: influx-token +# config: +# global_tags: +# # -- Cluster name -- should be same as FQDN of RSP endpoint +# # @default -- None, must be set +# cluster: "" +# # -- Set for differentiation of Telegraf service from +# # Telegraf-daemonset +# daemonset: "true" +# processors: {} +# outputs: +# - influxdb_v2: +# urls: +# - "https://monitoring.lsst.codes" +# bucket: "monitoring" +# token: "$INFLUX_TOKEN" +# organization: "square" # -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) # @default -- None, must be set From 54fd19fa8e5534ac3bf1e2c56d97437a9b608da9 Mon Sep 17 00:00:00 2001 
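Review bot: The comment above `inputs:` in the `@@ -19,19 +19,21 @@` hunk still reads "Collect JupyterHub Prometheus metrics by default" with only the JupyterHub link, but the list now also scrapes cert-manager, five Argo CD components and the ingress-nginx controller, so the documentation no longer describes the default; a replacement such as `# -- Telegraf input plugins. By default scrape the Prometheus endpoints of JupyterHub, cert-manager, Argo CD and ingress-nginx over the cluster network.` would fix it. The same hunk also deletes the `syslog` input on `tcp://:6514` and the `processors: {}` key, neither of which the commit message ("enable more metric collection") mentions, so a reader cannot tell whether syslog collection was dropped deliberately. `tplVersion: 2` in the `@@ -40,6 +42,32 @@` hunk has no `# --` comment, which is why the regenerated README lists it with an empty description; something like `# -- Values template version expected by the upstream telegraf chart` (confirm against that chart's docs) would close the gap.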
From: adam Date: Mon, 28 Mar 2022 15:18:31 -0700 Subject: [PATCH 0151/1479] add Dan to argo admins at IDF Dev --- services/argocd/values-idfdev.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index 9e0ae8c310..829d584302 100644 --- a/services/argocd/values-idfdev.yaml +++ b/services/argocd/values-idfdev.yaml @@ -70,6 +70,7 @@ argo-cd: g, jsick@lsst.cloud, role:admin g, krughoff@lsst.cloud, role:admin g, rra@lsst.cloud, role:admin + g, dspeck@lsst.cloud, role:admin scopes: "[email]" configs: From a95973e23015d6ff802524a6f3112963d947f5a0 Mon Sep 17 00:00:00 2001 
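Review bot: The line added by this hunk, `g, dspeck@lsst.cloud, role:admin`, is already present in services/argocd/values-idfdev.yaml — the `@@ -49,6 +49,7 @@` hunk of "Grant IDF Argo CD access to dspeck" earlier in this series inserted it between `christine@lsst.cloud` and `frossie@lsst.cloud` — so after this commit the policy lists the same admin grant twice. It is also appended after `rra@lsst.cloud`, breaking the alphabetical order the rest of the list keeps, which is presumably how the duplicate slipped past. Dropping this line restores a single, ordered grant; a duplicated RBAC entry is presumably harmless to evaluation, but it makes a later revocation error-prone because removing one occurrence leaves the access in place.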
From: adam Date: Tue, 29 Mar 2022 09:19:51 -0700 Subject: [PATCH 0152/1479] break out telegraf-ds into own app and namespace, like EFD does it --- .../templates/telegraf-ds-application.yaml | 30 ++++++++++++++++++ science-platform/values-base.yaml | 2 ++ science-platform/values-idfdev.yaml | 2 ++ science-platform/values-idfint.yaml | 2 ++ science-platform/values-idfprod.yaml | 2 ++ science-platform/values-int.yaml | 2 ++ science-platform/values-minikube.yaml | 2 ++ science-platform/values-red-five.yaml | 2 ++ science-platform/values-roe.yaml | 2 ++ science-platform/values-squash-sandbox.yaml | 2 ++ science-platform/values-stable.yaml | 2 ++ science-platform/values-summit.yaml | 2 ++ science-platform/values-tucson-teststand.yaml | 2 ++ science-platform/values.yaml | 2 ++ services/telegraf-ds/Chart.yaml | 8 +++++ services/telegraf-ds/README.md.gotmpl | 9 ++++++ .../telegraf-ds/templates/vault-secret.yaml | 17 ++++++++++ services/telegraf-ds/values-base.yaml | 6 ++++ services/telegraf-ds/values-idfdev.yaml | 6 ++++ services/telegraf-ds/values-idfint.yaml | 6 ++++ services/telegraf-ds/values-idfprod.yaml | 6 ++++ services/telegraf-ds/values-int.yaml | 6 ++++ services/telegraf-ds/values-minikube.yaml | 6 ++++ services/telegraf-ds/values-stable.yaml | 6 ++++ services/telegraf-ds/values-summit.yaml | 6 ++++ .../telegraf-ds/values-tucson-teststand.yaml | 6 ++++ services/telegraf-ds/values.yaml | 31 +++++++++++++++++++ services/telegraf/Chart.yaml | 3 -- services/telegraf/values-idfdev.yaml | 5 --- 29 files changed, 175 insertions(+), 8 deletions(-) create mode 100644 science-platform/templates/telegraf-ds-application.yaml create mode 100644 services/telegraf-ds/Chart.yaml create mode 100644 services/telegraf-ds/README.md.gotmpl create mode 100644 services/telegraf-ds/templates/vault-secret.yaml create mode 100644 services/telegraf-ds/values-base.yaml create mode 100644 services/telegraf-ds/values-idfdev.yaml create mode 100644 services/telegraf-ds/values-idfint.yaml create 
mode 100644 services/telegraf-ds/values-idfprod.yaml create mode 100644 services/telegraf-ds/values-int.yaml create mode 100644 services/telegraf-ds/values-minikube.yaml create mode 100644 services/telegraf-ds/values-stable.yaml create mode 100644 services/telegraf-ds/values-summit.yaml create mode 100644 services/telegraf-ds/values-tucson-teststand.yaml create mode 100644 services/telegraf-ds/values.yaml diff --git a/science-platform/templates/telegraf-ds-application.yaml b/science-platform/templates/telegraf-ds-application.yaml new file mode 100644 index 0000000000..acf550e6dc --- /dev/null +++ b/science-platform/templates/telegraf-ds-application.yaml @@ -0,0 +1,30 @@ +{{- if .Values.telegraf.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: telegraf-ds +spec: + finalizers: + - kubernetes +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: telegraf-ds + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: telegraf-ds + server: https://kubernetes.default.svc + project: default + source: + path: services/telegraf-ds + repoURL: {{ .Values.repoURL }} + targetRevision: {{ .Values.revision }} + helm: + valueFiles: + - values.yaml + - values-{{ .Values.environment }}.yaml +{{- end -}} diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml index 12f4138016..d69e44b25e 100644 --- a/science-platform/values-base.yaml +++ b/science-platform/values-base.yaml @@ -54,6 +54,8 @@ tap_schema: enabled: false telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index bc65d035af..c18e0bea6f 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml 
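Review bot: The new Application template in the `@@ -0,0 +1,30 @@` hunk is wrapped in `{{- if .Values.telegraf.enabled -}}`, yet every values file in this commit adds a separate `telegraf-ds: enabled:` key (the values-base.yaml hunk here and the values-idfdev through values-tucson-teststand hunks that follow), which this template never reads; the new key is dead and telegraf-ds is deployed or withheld purely by the telegraf flag. The likely cause is that `.Values.telegraf-ds.enabled` cannot be written in a Go template (the hyphen parses as subtraction), and the sibling keys `tap_schema`, `times_square` and `vault_secrets_operator` are all snake_case presumably for that reason. Renaming the key to `telegraf_ds:` in each values file and changing the guard to `{{- if .Values.telegraf_ds.enabled -}}` makes the per-environment switch effective; if the hyphenated name must stay, `{{- if (index .Values "telegraf-ds" "enabled") -}}` reads it correctly.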
@@ -56,6 +56,8 @@ tap_schema: enabled: true telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: true vault_secrets_operator: diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 625e2bb541..9fa849bade 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -56,6 +56,8 @@ tap_schema: enabled: true telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index 2090956bac..3c50e65456 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -56,6 +56,8 @@ tap_schema: enabled: true telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index 35f16d6265..ca00ebfe5b 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -56,6 +56,8 @@ tap_schema: enabled: true telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index 9bf16e6946..2c09324996 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml @@ -56,6 +56,8 @@ tap_schema: enabled: true telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-red-five.yaml b/science-platform/values-red-five.yaml index 9331dd9ca7..8682b8ab4c 100644 --- a/science-platform/values-red-five.yaml +++ b/science-platform/values-red-five.yaml @@ -54,6 +54,8 @@ tap_schema: enabled: true telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: false vault_secrets_operator: 
diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml index 0fda1afb3a..1ac766f80a 100644 --- a/science-platform/values-roe.yaml +++ b/science-platform/values-roe.yaml @@ -52,6 +52,8 @@ tap_schema: enabled: true telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml index 6c2af52365..81de56f598 100644 --- a/science-platform/values-squash-sandbox.yaml +++ b/science-platform/values-squash-sandbox.yaml @@ -54,6 +54,8 @@ tap_schema: enabled: false telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 4d895e8b99..3cef7933e8 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml @@ -56,6 +56,8 @@ tap_schema: enabled: true telegraf: enabled: false +telegraf-ds: + enabled: false times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index 1b218d569e..0c50caec00 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -56,6 +56,8 @@ tap_schema: enabled: false telegraf: enabled: true +telegraf-ds: + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index e34a42581a..2bfb0a2425 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -55,6 +55,8 @@ tap_schema: # EFD already provides telegraf namespace. Gotta work that out. telegraf: enabled: false +telegraf-ds: + enabled: false times_square: enabled: false vault_secrets_operator: 
diff --git a/science-platform/values.yaml b/science-platform/values.yaml index 94b9abf28c..6c6b2326bc 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml @@ -36,6 +36,8 @@ sasquatch: enabled: false telegraf: enabled: false +telegraf-ds: + enabled: false semaphore: enabled: false sherlock: diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml new file mode 100644 index 0000000000..3d70f54e8e --- /dev/null +++ b/services/telegraf-ds/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +name: telegraf-ds +version: 1.0.0 +description: SQuaRE DaemonSet (K8s) telemetry collection service +dependencies: + - name: telegraf-ds + version: 1.0.32 + repository: https://helm.influxdata.com/ diff --git a/services/telegraf-ds/README.md.gotmpl b/services/telegraf-ds/README.md.gotmpl new file mode 100644 index 0000000000..4531459bbb --- /dev/null +++ b/services/telegraf-ds/README.md.gotmpl @@ -0,0 +1,9 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/telegraf-ds/templates/vault-secret.yaml b/services/telegraf-ds/templates/vault-secret.yaml new file mode 100644 index 0000000000..cd3ac2d7d9 --- /dev/null +++ b/services/telegraf-ds/templates/vault-secret.yaml @@ -0,0 +1,17 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: telegraf + namespace: telegraf-ds +spec: + # Use regular telegraf path--it's the same secret + path: {{ .Values.vaultSecretsPath }}/telegraf + type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret +spec: + path: {{ .Values.vaultSecretsPath }}/pull-secret + type: kubernetes.io/dockerconfigjson diff --git a/services/telegraf-ds/values-base.yaml b/services/telegraf-ds/values-base.yaml new file mode 100644 index 0000000000..886449ee01 --- /dev/null 
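Review bot: In vault-secret.yaml the first VaultSecret pins `namespace: telegraf-ds` in its metadata while the `pull-secret` VaultSecret below it carries no namespace and so lands in the release namespace; two resources in one template should agree, and the literal duplicates the destination namespace the Application already sets, so drop the line or use `namespace: {{ .Release.Namespace }}`. The comment `# Use regular telegraf path--it's the same secret` records that the DaemonSet reuses the other telegraf deployment's Influx token; extend it so the operational consequence is visible, e.g. `# Shared with the telegraf chart: rotating influx-token there also rotates it here.` The `pull-secret` Secret is created here, but nothing in the new telegraf-ds values references an image pull secret, so it may be unused — confirm against the upstream chart's values before keeping it.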
+++ b/services/telegraf-ds/values-base.yaml @@ -0,0 +1,6 @@ +telegraf-ds: + config: + global_tags: + cluster: base-lsp.lsst.codes + +vaultSecretsPath: secret/k8s_operator/base-lsp.lsst.codes diff --git a/services/telegraf-ds/values-idfdev.yaml b/services/telegraf-ds/values-idfdev.yaml new file mode 100644 index 0000000000..5251a34be3 --- /dev/null +++ b/services/telegraf-ds/values-idfdev.yaml @@ -0,0 +1,6 @@ +telegraf-ds: + config: + global_tags: + cluster: data-dev.lsst.cloud + +vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf-ds/values-idfint.yaml b/services/telegraf-ds/values-idfint.yaml new file mode 100644 index 0000000000..f9e088f19a --- /dev/null +++ b/services/telegraf-ds/values-idfint.yaml @@ -0,0 +1,6 @@ +telegraf-ds: + config: + global_tags: + cluster: data-int.lsst.cloud + +vaultSecretsPath: secret/k8s_operator/data-int.lsst.cloud diff --git a/services/telegraf-ds/values-idfprod.yaml b/services/telegraf-ds/values-idfprod.yaml new file mode 100644 index 0000000000..59d5804154 --- /dev/null +++ b/services/telegraf-ds/values-idfprod.yaml @@ -0,0 +1,6 @@ +telegraf-ds: + config: + global_tags: + cluster: data.lsst.cloud + +vaultSecretsPath: secret/k8s_operator/data.lsst.cloud diff --git a/services/telegraf-ds/values-int.yaml b/services/telegraf-ds/values-int.yaml new file mode 100644 index 0000000000..9e8d8c6234 --- /dev/null +++ b/services/telegraf-ds/values-int.yaml @@ -0,0 +1,6 @@ +telegraf-ds: + config: + global_tags: + cluster: lsst-lsp-int.ncsa.illinois.edu + +vaultSecretsPath: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu diff --git a/services/telegraf-ds/values-minikube.yaml b/services/telegraf-ds/values-minikube.yaml new file mode 100644 index 0000000000..7f7b78ada0 --- /dev/null +++ b/services/telegraf-ds/values-minikube.yaml @@ -0,0 +1,6 @@ +telegraf-ds: + config: + global_tags: + cluster: minikube.lsst.codes + +vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes 
diff --git a/services/telegraf-ds/values-stable.yaml b/services/telegraf-ds/values-stable.yaml new file mode 100644 index 0000000000..9df526ff0c --- /dev/null +++ b/services/telegraf-ds/values-stable.yaml @@ -0,0 +1,6 @@ +telegraf-ds: + config: + global_tags: + cluster: lsst-lsp-stable.ncsa.illinois.edu + +vaultSecretsPath: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu diff --git a/services/telegraf-ds/values-summit.yaml b/services/telegraf-ds/values-summit.yaml new file mode 100644 index 0000000000..6169dd9560 --- /dev/null +++ b/services/telegraf-ds/values-summit.yaml @@ -0,0 +1,6 @@ +telegraf-ds: + config: + global_tags: + cluster: summit-lsp.lsst.codes + +vaultSecretsPath: secret/k8s_operator/summit-lsp.lsst.codes diff --git a/services/telegraf-ds/values-tucson-teststand.yaml b/services/telegraf-ds/values-tucson-teststand.yaml new file mode 100644 index 0000000000..cb6dff6a4f --- /dev/null +++ b/services/telegraf-ds/values-tucson-teststand.yaml @@ -0,0 +1,6 @@ +telegraf-ds: + config: + global_tags: + cluster: tucson-teststand.lsst.codes + +vaultSecretsPath: secret/k8s_operator/tucson-teststand.lsst.codes diff --git a/services/telegraf-ds/values.yaml b/services/telegraf-ds/values.yaml new file mode 100644 index 0000000000..ac18e3b4bc --- /dev/null +++ b/services/telegraf-ds/values.yaml 
@@ -0,0 +1,31 @@ +telegraf-ds: + env: + # -- Token to communicate with Influx + - name: INFLUX_TOKEN + valueFrom: + secretKeyRef: + name: telegraf + key: influx-token + config: + global_tags: + # -- Cluster name -- should be same as FQDN of RSP endpoint + # @default -- None, must be set + cluster: "" + # -- Set for differentiation of Telegraf service from + # Telegraf-daemonset + telegraf_daemonset: "true" + agent: + hostname: "telegraf-$HOSTIP" + outputs: + - influxdb_v2: + urls: + - "https://monitoring.lsst.codes" + bucket: "monitoring" + token: "$INFLUX_TOKEN" + organization: "square" + docker_endpoint: "" + +# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) +# shared with telegraf (non-DaemonSet) +# @default -- None, must be set +vaultSecretsPath: "" diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index b4e4487e7d..fa5c63633c 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml @@ -6,6 +6,3 @@ dependencies: - name: telegraf version: 1.8.17 repository: https://helm.influxdata.com/ -# - name: telegraf-ds -# version: 1.0.32 -# repository: https://helm.influxdata.com/ diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index 3987f69439..3c98a4f098 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml @@ -3,9 +3,4 @@ telegraf: global_tags: cluster: data-dev.lsst.cloud -# telegraf-ds: -# config: -# global_tags: -# cluster: data-dev.lsst.cloud - vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud From 2a4eaf472bd33b89f98245813621bc68e75c8904 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 30 Mar 2022 17:29:02 -0700 Subject: [PATCH 0153/1479] Try adding app labels --- services/argocd/values-idfdev.yaml | 3 +++ services/telegraf-ds/values-idfdev.yaml | 2 +- services/telegraf/values.yaml | 25 ------------------------- 3 files changed, 4 insertions(+), 26 deletions(-) 
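Review bot: The helm-docs comment on `vaultSecretsPath` reads `(`secret/k8s_operator//telegraf`)` with an empty path segment, which looks like a lost placeholder; write it as `secret/k8s_operator/<cluster FQDN>/telegraf` so the generated docs match the per-environment files that set it. `docker_endpoint: ""` has no `# --` line, and whether an empty string disables the docker input or falls back to a default socket depends on the upstream chart, so state the intent in a comment. The `$INFLUX_TOKEN` reference in `outputs` is resolved from the `env` entry above it through a secretKeyRef rather than inlined in values, which is the right shape for the credential.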
diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index 829d584302..b4f919246b 100644 --- a/services/argocd/values-idfdev.yaml +++ b/services/argocd/values-idfdev.yaml @@ -7,6 +7,9 @@ argo-cd: controller: metrics: enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] repoServer: metrics: diff --git a/services/telegraf-ds/values-idfdev.yaml b/services/telegraf-ds/values-idfdev.yaml index 5251a34be3..2a3cbd110c 100644 --- a/services/telegraf-ds/values-idfdev.yaml +++ b/services/telegraf-ds/values-idfdev.yaml @@ -2,5 +2,5 @@ telegraf-ds: config: global_tags: cluster: data-dev.lsst.cloud - + vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index ca9096ff6b..f1a05dcdbf 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -44,31 +44,6 @@ telegraf: organization: "square" tplVersion: 2 -# telegraf-ds: -# env: -# # -- Token to communicate with Influx -# - name: INFLUX_TOKEN -# valueFrom: -# secretKeyRef: -# name: telegraf -# key: influx-token -# config: -# global_tags: -# # -- Cluster name -- should be same as FQDN of RSP endpoint -# # @default -- None, must be set -# cluster: "" -# # -- Set for differentiation of Telegraf service from -# # Telegraf-daemonset -# daemonset: "true" -# processors: {} -# outputs: -# - influxdb_v2: -# urls: -# - "https://monitoring.lsst.codes" -# bucket: "monitoring" -# token: "$INFLUX_TOKEN" -# organization: "square" - # -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) # @default -- None, must be set vaultSecretsPath: "" From 1963d912033e7161a48f2086513fb798746565a3 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 31 Mar 2022 10:20:10 -0500 Subject: [PATCH 0154/1479] deploying new cachemachine gar image to dev --- services/cachemachine/values-idfdev.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml index 98fe5b49e4..bf3e1a5da1 100644 --- a/services/cachemachine/values-idfdev.yaml +++ b/services/cachemachine/values-idfdev.yaml @@ -2,6 +2,11 @@ cachemachine: imagePullSecrets: - name: "cachemachine-secret" + image: + repository: lsstsqre/cachemachine + pullPolicy: IfNotPresent + tag: tickets-DM-33755 + ingress: enabled: true host: "data-dev.lsst.cloud" @@ -15,9 +20,12 @@ cachemachine: "labels": {}, "repomen": [ { - "type": "RubinRepoMan", + "type": "RubinRepoGar", "registry_url": "us-central1-docker.pkg.dev", "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", + "gar_repository": "sciplat", + "project_id": "rubin-shared-services-71ec", + "location": "us-central1", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, From 955fe60146498c9d02b81ba66cfbd850b185fab3 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 31 Mar 2022 13:06:35 -0500 Subject: [PATCH 0155/1479] removed repo as not used --- services/cachemachine/values-idfdev.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml index bf3e1a5da1..6d21998b47 100644 --- a/services/cachemachine/values-idfdev.yaml +++ b/services/cachemachine/values-idfdev.yaml @@ -22,7 +22,6 @@ cachemachine: { "type": "RubinRepoGar", "registry_url": "us-central1-docker.pkg.dev", - "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", "gar_repository": "sciplat", "project_id": "rubin-shared-services-71ec", "location": "us-central1", From d2bc6de917a3571b0223382dc0beeb246ddacba3 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 1 Apr 2022 17:31:57 +0000 Subject: [PATCH 0156/1479] Update Helm release chronograf to v1.2.5 --- services/sasquatch/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 94240a7674..374e2dfa4e 100644 
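Review bot: In the first hunk `pullPolicy: IfNotPresent` is paired with `tag: tickets-DM-33755`, a ticket-branch tag that is presumably republished as the branch moves, so a node that already holds an older build of that tag will keep running it after a redeploy; use `pullPolicy: Always` while a mutable tag is pinned and return to IfNotPresent once an immutable release tag is used. In the repomen hunk the `RubinRepoGar` entry keeps `registry_url` next to the new `gar_repository`/`project_id`/`location` fields, and the following commit removes `repo` as unused — confirm whether `registry_url` is read by the GAR code path or should go the same way. A comment above the `image:` block naming the ticket and saying the tag is temporary would make the intent clear to the next reader.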
--- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -14,7 +14,7 @@ dependencies: - name: kafka-connect-manager version: 1.0.0 - name: chronograf - version: 1.2.3 + version: 1.2.5 repository: https://helm.influxdata.com/ - name: kapacitor version: 1.4.4 From f246b3f3700734832cfa9577236dc8bde3b13fee Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 1 Apr 2022 21:06:22 +0000 Subject: [PATCH 0157/1479] Update Helm release kapacitor --- services/sasquatch/Chart.yaml | 2 +- services/sasquatch/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 374e2dfa4e..b04c22b779 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -17,7 +17,7 @@ dependencies: version: 1.2.5 repository: https://helm.influxdata.com/ - name: kapacitor - version: 1.4.4 + version: 1.4.6 repository: https://helm.influxdata.com/ - name: telegraf version: 1.8.14 diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 78def2482e..6e084f03fc 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -86,7 +86,7 @@ kapacitor: # -- Kapacitor image tag. image: repository: kapacitor - tag: 1.6.3 + tag: 1.6.4 # -- Chronograf data persistence configuration. persistence: enabled: true From ab6991baf4728c2bef4f12acda53b411cbe0479f Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 1 Apr 2022 21:17:14 +0000 Subject: [PATCH 0158/1479] Update Helm release telegraf to v1.8.18 --- services/sasquatch/Chart.yaml | 2 +- services/telegraf/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index b04c22b779..6cac7dfb0d 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml 
@@ -20,5 +20,5 @@ dependencies: version: 1.4.6 repository: https://helm.influxdata.com/ - name: telegraf - version: 1.8.14 + version: 1.8.18 repository: https://helm.influxdata.com/ diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index fa5c63633c..e6319163b8 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.1 description: SQuaRE telemetry collection service dependencies: - name: telegraf - version: 1.8.17 + version: 1.8.18 repository: https://helm.influxdata.com/ From c7279ca63fe8182344ac0d7ba37090f044636b25 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 1 Apr 2022 14:42:40 -0700 Subject: [PATCH 0159/1479] Add values for tucson-teststand - Use rook-ceph-block storageClass for the tucson-teststand environment --- .../sasquatch/values-tucson-teststand.yaml | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 services/sasquatch/values-tucson-teststand.yaml diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml new file mode 100644 index 0000000000..7d7979d0d1 --- /dev/null +++ b/services/sasquatch/values-tucson-teststand.yaml 
@@ -0,0 +1,43 @@ +strimzi-kafka: + kafka: + storage: + storageClassName: rook-ceph-block + zookeeper: + storage: + storageClassName: rook-ceph-block + +influxdb: + persistence: + storageClass: rook-ceph-block + ingress: + enabled: true + hostname: tucson-teststand.lsst.codes + +kafka-connect-manager: + influxdbSink: + influxdb-sink: + enabled: true + +chronograf: + persistence: + storageClass: rook-ceph-block + ingress: + enabled: true + hostname: tucson-teststand.lsst.codes + env: + GENERIC_NAME: "OIDC" + GENERIC_AUTH_URL: https://tucson-teststand.lsst.codes/auth/openid/login + GENERIC_TOKEN_URL: https://tucson-teststand.lsst.codes/auth/openid/token + USE_ID_TOKEN: 1 + JWKS_URL: https://tucson-teststand.lsst.codes/.well-known/jwks.json + GENERIC_API_URL: https://tucson-teststand.lsst.codes/auth/userinfo + GENERIC_SCOPES: openid + GENERIC_API_KEY: sub + PUBLIC_URL: https://tucson-teststand.lsst.codes + STATUS_FEED_URL: https://lsst-sqre.github.io/sasquatch/feeds/tucson-teststand.json + +kapacitor: + persistence: + storageClass: rook-ceph-block + +vaultSecretsPath: secret/k8s_operator/tucson-teststand.lsst.codes From 170682053ffa34ae754cb07e126d14b2e03d1b2a Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 1 Apr 2022 14:45:09 -0700 Subject: [PATCH 0160/1479] Enable OIDC server in Gafaelfawr - Enable OIDC server in Gafaelfawr to support Chronograf authentication via OIDC --- services/gafaelfawr/values-tucson-teststand.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index 28f953753a..e95005a5e6 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml 
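Review bot: `USE_ID_TOKEN: 1` under `chronograf.env` is an integer scalar while every neighbouring entry is a string; if the chart renders this map straight into container `env`, Kubernetes requires `value` to be a string and the apply fails, so write `USE_ID_TOKEN: "1"`. The influxdb and chronograf ingresses are both enabled on the public `tucson-teststand.lsst.codes` hostname and this file shows no authentication annotations on either; chronograf authenticates through the OIDC settings given here, but how the influxdb endpoint is protected is not visible in this hunk — confirm it in the chart's base values before syncing.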
@@ -7,6 +7,10 @@ redis: config: databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + # Support OpenID Connect clients like Chronograf. + oidcServer: + enabled: true + # Use GitHub authentication. github: clientId: "49533cbd8a8079730dcf" From 3b69e6fed4985ebf84413397026028f9c46a3696 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 1 Apr 2022 14:47:43 -0700 Subject: [PATCH 0161/1479] Enable strimzi and sasquatch services - Strimzi is the operator to deploy the Kafka cluster defined in sasquatch --- science-platform/values-tucson-teststand.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index 2bfb0a2425..b5d7f32f14 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -37,7 +37,7 @@ portal: postgres: enabled: true sasquatch: - enabled: false + enabled: true semaphore: enabled: false squareone: @@ -45,7 +45,7 @@ squareone: squash_api: enabled: false strimzi: - enabled: false + enabled: true strimzi_registry_operator: enabled: false tap: From 3825471b984a9f870ca897f3698b0d268df46500 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 1 Apr 2022 14:50:08 -0700 Subject: [PATCH 0162/1479] Add values for strimzi - Watch the sasquatch namespace - Enable debug logs on int for now --- services/strimzi/values-tucson-teststand.yaml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 services/strimzi/values-tucson-teststand.yaml diff --git a/services/strimzi/values-tucson-teststand.yaml b/services/strimzi/values-tucson-teststand.yaml new file mode 100644 index 0000000000..e4cd2e47e1 --- /dev/null +++ b/services/strimzi/values-tucson-teststand.yaml @@ -0,0 +1,4 @@ +strimzi-kafka-operator: + watchNamespaces: + - "sasquatch" + logLevel: "DEBUG" From 295f79b58a2912072e9e7be5079040ef1cc1ad26 Mon Sep 17 00:00:00 2001 
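Review bot: Turning on `oidcServer.enabled` makes Gafaelfawr an OpenID Connect provider, which presumably also needs the registered clients (Chronograf's client id and secret, matching the `GENERIC_*` settings added in the sasquatch values) provisioned in this environment's Vault secret; nothing in this commit adds that, so confirm the secret exists before the sync. The comment `# Support OpenID Connect clients like Chronograf.` could name where that client registration lives, so the next operator knows what else to update when a client is added or its secret rotated.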
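Review bot: `logLevel: "DEBUG"` in the new strimzi values-tucson-teststand.yaml is introduced with no in-file note, and the commit message says the debug logging is for int "for now" although the file is for tucson-teststand; record the reason and the intent to revert next to the setting, e.g. `# Temporary: debug logging while bringing up Kafka on tucson-teststand; revert to INFO once stable.` Operator debug output is verbose and can carry cluster configuration detail into the logs, which is a reason to keep the elevated level short-lived.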
From: Renovate Bot Date: Mon, 4 Apr 2022 01:04:12 +0000 Subject: [PATCH 0163/1479] Update Helm release ingress-nginx to v4.0.19 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 651df6c06e..d63f08490a 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -3,7 +3,7 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.0.18 + version: 4.0.19 repository: https://kubernetes.github.io/ingress-nginx - name: pull-secret version: ">=0.1.2" From 315beb5c926672828f4861683aba389dd67295bf Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 31 Mar 2022 09:22:02 -0700 Subject: [PATCH 0164/1479] Move nublado chart into phalanx; replace clear_local with reset_user_env; freshen JH --- .../templates/nublado2-application.yaml | 1 + services/nublado2/Chart.yaml | 18 +- services/nublado2/templates/_helpers.tpl | 56 ++ services/nublado2/templates/clusterrole.yml | 28 + .../nublado2/templates/clusterrolebinding.yml | 13 + .../nublado2/templates/gafaelfawr-token.yaml | 10 + services/nublado2/templates/netpol.yaml | 27 + .../nublado2/templates/nublado-config.yaml | 9 + .../templates/nublado2-vault-secret.yaml | 23 + services/nublado2/values-idfdev.yaml | 103 ++-- services/nublado2/values.yaml | 480 ++++++++++++++++++ 11 files changed, 712 insertions(+), 56 deletions(-) create mode 100644 services/nublado2/templates/_helpers.tpl create mode 100644 services/nublado2/templates/clusterrole.yml create mode 100644 services/nublado2/templates/clusterrolebinding.yml create mode 100644 services/nublado2/templates/gafaelfawr-token.yaml create mode 100644 services/nublado2/templates/netpol.yaml create mode 100644 services/nublado2/templates/nublado-config.yaml create mode 100644 services/nublado2/templates/nublado2-vault-secret.yaml create mode 100644 services/nublado2/values.yaml 
diff --git a/science-platform/templates/nublado2-application.yaml b/science-platform/templates/nublado2-application.yaml index 2f7a6c7778..4bc41c5d23 100644 --- a/science-platform/templates/nublado2-application.yaml +++ b/science-platform/templates/nublado2-application.yaml @@ -25,5 +25,6 @@ spec: targetRevision: {{ .Values.revision }} helm: valueFiles: + - values.yaml - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index 2f4e6170ca..caa8ca9182 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -1,10 +1,20 @@ apiVersion: v2 name: nublado2 -version: 1.0.0 +version: 1.1.0 +appVersion: "2.1.0" +description: Nublado2 JupyterHub installation +home: https://github.com/lsst-sqre/nublado2 +maintainers: + - name: cbanek +sources: + - https://github.com/lsst-sqre/nublado2 +# Match the jupyterhub Helm chart for kubeVersion +kubeVersion: ">=1.20.0-0" dependencies: - - name: nublado2 - version: 0.8.5 - repository: https://lsst-sqre.github.io/charts/ + - name: jupyterhub + # Change when there's an asyncio z2jh officially released + version: "1.1.3-n410.hd8ae7348" + repository: https://jupyterhub.github.io/helm-chart/ - name: pull-secret version: 0.1.2 repository: https://lsst-sqre.github.io/charts/ diff --git a/services/nublado2/templates/_helpers.tpl b/services/nublado2/templates/_helpers.tpl new file mode 100644 index 0000000000..7b318e97f0 --- /dev/null +++ b/services/nublado2/templates/_helpers.tpl 
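Review bot: In Chart.yaml the jupyterhub dependency is pinned to the pre-release build `1.1.3-n410.hd8ae7348`; the comment says to change it when an asyncio z2jh is officially released, but Renovate, which bumps the other charts in this series, will not move off a prerelease string on its own, so the pin needs a tracking reference. Extend the comment to `# TODO(<tracking ticket>): pre-release z2jh build; move to the first official release with the asyncio spawner.` The `kubeVersion: ">=1.20.0-0"` comment says it matches the jupyterhub chart, which is the right place to record the constraint.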
@@ -0,0 +1,56 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nublado2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nublado2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nublado2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "nublado2.labels" -}} +app.kubernetes.io/name: {{ include "nublado2.name" . }} +helm.sh/chart: {{ include "nublado2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "nublado2.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "nublado2.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/services/nublado2/templates/clusterrole.yml b/services/nublado2/templates/clusterrole.yml new file mode 100644 index 0000000000..cc8a8b5e99 --- /dev/null 
+++ b/services/nublado2/templates/clusterrole.yml @@ -0,0 +1,28 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "nublado2.fullname" . }}-hub +rules: +- apiGroups: [""] + resources: ["pods","events", "namespaces", "serviceaccounts", "services", + "persistentvolumeclaims", "persistentvolumes", "resourcequotas", + "configmaps", "pods/log", "pods/exec"] + verbs: ["get", "list", "create", "watch", "delete", "update", "patch"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create", "delete"] +- apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["create", "delete", "get", "list", "watch"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings"] + verbs: ["get", "list", "create", "delete"] +- apiGroups: ["argoproj.io"] + resources: ["workflows", "workflows/finalizers"] + verbs: ["get", "list", "create", "watch", "delete", "update", "patch"] +- apiGroups: ["argoproj.io"] + resources: ["workflowtemplates", "workflowtemplates/finalizers"] + verbs: ["get", "list", "watch"] +- apiGroups: ["ricoberger.de"] + resources: ["vaultsecrets"] + verbs: ["get", "create", "delete", "list"] diff --git a/services/nublado2/templates/clusterrolebinding.yml b/services/nublado2/templates/clusterrolebinding.yml new file mode 100644 index 0000000000..cdb0c5fd53 --- /dev/null +++ b/services/nublado2/templates/clusterrolebinding.yml @@ -0,0 +1,13 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "nublado2.fullname" . }}-hub +subjects: + # Note: this service account is created by the jupyterhub subchart + - kind: ServiceAccount + name: hub + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ template "nublado2.fullname" . }}-hub + apiGroup: rbac.authorization.k8s.io 
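Review bot: This ClusterRole gives the hub service account cluster-wide `pods/exec`, `secrets` get/create/delete, `namespaces` create/delete and `roles`/`rolebindings` create, which makes the hub pod a high-value target, and none of the rules say which provisioning step needs them; add one comment per rule (for example `# pods/exec and pods/log: needed for <lab provisioning step>` above the first rule, filled in with what the hub actually does) so the grant can be reviewed and pruned later. Unlike the other new templates (gafaelfawr-token, netpol, nublado-config) neither this ClusterRole nor the ClusterRoleBinding in the next hunk sets `labels: {{- include "nublado2.labels" . | nindent 4 }}`, which is a consistency gap. The rules also use flush sequences (`- apiGroups`) where the rest of the chart indents list items; pick one style per file.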
diff --git a/services/nublado2/templates/gafaelfawr-token.yaml b/services/nublado2/templates/gafaelfawr-token.yaml new file mode 100644 index 0000000000..2d65a218bc --- /dev/null +++ b/services/nublado2/templates/gafaelfawr-token.yaml @@ -0,0 +1,10 @@ +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrServiceToken +metadata: + name: "gafaelfawr-token" + labels: + {{- include "nublado2.labels" . | nindent 4 }} +spec: + service: "nublado2" + scopes: + - "admin:provision" diff --git a/services/nublado2/templates/netpol.yaml b/services/nublado2/templates/netpol.yaml new file mode 100644 index 0000000000..91da074252 --- /dev/null +++ b/services/nublado2/templates/netpol.yaml @@ -0,0 +1,27 @@ +{{- if .Values.network_policy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: hub + labels: + {{- include "nublado2.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: jupyterhub + component: hub + release: {{ .Release.Name }} + policyTypes: + - Ingress + + ingress: + # allowed pods (hub.jupyter.org/network-access-hub) --> hub + - ports: + - port: http + - port: 8081 + from: + - podSelector: + matchLabels: + hub.jupyter.org/network-access-hub: "true" + namespaceSelector: {} +{{- end }} diff --git a/services/nublado2/templates/nublado-config.yaml b/services/nublado2/templates/nublado-config.yaml new file mode 100644 index 0000000000..fbc234d394 --- /dev/null +++ b/services/nublado2/templates/nublado-config.yaml @@ -0,0 +1,9 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: nublado-config + labels: + {{- include "nublado2.labels" . | nindent 4 }} +data: + nublado_config.yaml: | + {{- toYaml .Values.config | nindent 4 }} diff --git a/services/nublado2/templates/nublado2-vault-secret.yaml b/services/nublado2/templates/nublado2-vault-secret.yaml new file mode 100644 index 0000000000..4a33833efb --- /dev/null +++ b/services/nublado2/templates/nublado2-vault-secret.yaml 
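Review bot: In netpol.yaml the single `from` entry combines `podSelector` on `hub.jupyter.org/network-access-hub: "true"` with `namespaceSelector: {}`, which admits any pod in any namespace that carries that label, so the policy is a label convention rather than a namespace boundary; if lab pods run in other namespaces that is intended, but it deserves a comment such as `# namespaceSelector {} is deliberate: pods in other namespaces reach the hub by label.` The line `# allowed pods (hub.jupyter.org/network-access-hub) --> hub` is the only documentation, and `policyTypes: [Ingress]` leaves egress from the hub unrestricted, which is worth stating next to it. The template is gated by `.Values.network_policy.enabled`, whose default lives in a values.yaml outside this view.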
@@ -0,0 +1,23 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ .Values.vault_secret_name }} +spec: + path: {{ .Values.vault_secret_path }} + type: Opaque + + templates: + {{- /* dump in values.yaml for jupyterhub, without changing it */}} + {{- /* this is copied from the zero-to-jupyterhub chart where it does this */}} + {{- $values := merge dict .Values.jupyterhub }} + {{- /* passthrough subset of Chart / Release */}} + {{- $_ := set $values "Chart" (dict "Name" .Chart.Name "Version" .Chart.Version) }} + {{- $_ := set $values "Release" (pick .Release "Name" "Namespace" "Service") }} + values.yaml: {{ $values | toYaml | quote }} + + {{- /* dump in the rest of the keys in this path and their values */}} + {{- /* this uses the templating provided by vault-secrets-operator */}} + hub.db.password: "{% .Secrets.hub_db_password %}" + hub.config.JupyterHub.cookie_secret: "{% .Secrets.crypto_key %}" + hub.config.CryptKeeper.keys: "{% .Secrets.cryptkeeper_key %}" + hub.config.ConfigurableHTTPProxy.auth_token: "{% .Secrets.proxy_token %}" diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index 3c2a5bd089..5bae607aad 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml 
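Review bot: `name: {{ .Values.vault_secret_name }}` and `path: {{ .Values.vault_secret_path }}` are unquoted templated scalars, so an empty or unset value renders as `null` and a value starting with a YAML indicator would mis-parse; write them as `name: {{ .Values.vault_secret_name | quote }}` and `path: {{ .Values.vault_secret_path | quote }}`. The template copies the whole `jupyterhub` values tree into the Secret's `values.yaml` key alongside the real credentials pulled from Vault; the inline comments say this mirrors zero-to-jupyterhub, and it would help to add that anything placed under `jupyterhub:` in a values file therefore ends up inside a Secret object and is read back from there.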
@@ -1,57 +1,56 @@ -nublado2: - jupyterhub: - hub: - resources: - requests: - cpu: "2" - memory: 3Gi - ingress: - hosts: ["data-dev.lsst.cloud"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.cloud/login" +jupyterhub: + hub: + resources: + requests: + cpu: "2" + memory: 3Gi + ingress: + hosts: ["data-dev.lsst.cloud"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.cloud/login" - config: - base_url: "https://data-dev.lsst.cloud" - butler_secret_path: "secret/k8s_operator/data-dev.lsst.cloud/butler-secret" - pull_secret_path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" - cachemachine_image_policy: "desired" - lab_environment: - PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" - AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" - S3_ENDPOINT_URL: "https://storage.googleapis.com" - GOOGLE_APPLICATION_CREDENTIALS: "/opt/lsst/software/jupyterlab/butler-secret/butler-gcs-idf-creds.json" - DAF_BUTLER_REPOSITORY_INDEX: "s3://butler-us-central1-repo-locations/data-int-repos.yaml" - AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks - AUTO_REPO_BRANCH: prod - AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod - NO_ACTIVITY_TIMEOUT: "300" - CULL_KERNEL_IDLE_TIMEOUT: "300" - CULL_KERNEL_CONNECTED: "True" - CULL_KERNEL_INTERVAL: "60" - CULL_TERMINAL_INACTIVE_TIMEOUT: "300" - CULL_TERMINAL_INTERVAL: "60" - volumes: - - name: home - nfs: - path: /share1/home - server: 10.87.86.26 - - name: project - nfs: - path: /share1/project - server: 10.87.86.26 - - name: scratch - nfs: - path: /share1/scratch - server: 10.87.86.26 - volume_mounts: - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch +config: + base_url: "https://data-dev.lsst.cloud" + 
butler_secret_path: "secret/k8s_operator/data-dev.lsst.cloud/butler-secret" + pull_secret_path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" + cachemachine_image_policy: "desired" + lab_environment: + PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" + AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" + S3_ENDPOINT_URL: "https://storage.googleapis.com" + GOOGLE_APPLICATION_CREDENTIALS: "/opt/lsst/software/jupyterlab/butler-secret/butler-gcs-idf-creds.json" + DAF_BUTLER_REPOSITORY_INDEX: "s3://butler-us-central1-repo-locations/data-int-repos.yaml" + AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks + AUTO_REPO_BRANCH: prod + AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod + NO_ACTIVITY_TIMEOUT: "300" + CULL_KERNEL_IDLE_TIMEOUT: "300" + CULL_KERNEL_CONNECTED: "True" + CULL_KERNEL_INTERVAL: "60" + CULL_TERMINAL_INACTIVE_TIMEOUT: "300" + CULL_TERMINAL_INTERVAL: "60" + volumes: + - name: home + nfs: + path: /share1/home + server: 10.87.86.26 + - name: project + nfs: + path: /share1/project + server: 10.87.86.26 + - name: scratch + nfs: + path: /share1/scratch + server: 10.87.86.26 + volume_mounts: + - name: home + mountPath: /home + - name: project + mountPath: /project + - name: scratch + mountPath: /scratch - vault_secret_path: "secret/k8s_operator/data-dev.lsst.cloud/nublado2" +vault_secret_path: "secret/k8s_operator/data-dev.lsst.cloud/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml new file mode 100644 index 0000000000..d866444b08 --- /dev/null +++ b/services/nublado2/values.yaml 
@@ -0,0 +1,480 @@ +# Default values for nublado2. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +jupyterhub: + hub: + authenticatePrometheus: false + image: + name: lsstsqre/nublado2 + tag: "2.1.0" + config: + Authenticator: + enable_auth_state: true + JupyterHub: + authenticator_class: nublado2.auth.GafaelfawrAuthenticator + ServerApp: + shutdown_no_activity_timeout: 604800 # one week + db: + # Password comes from the nublado2-secret. + type: "postgres" + password: "true" + url: "postgresql://jovyan@postgres.postgres/jupyterhub" + containerSecurityContext: + runAsUser: 768 + runAsGroup: 768 + allowPrivilegeEscalation: false + baseUrl: "/nb" + # Note: this has to match up with the kubernetes secret created by the + # vault secret, and since you can't put templating in a values file, I'm + # just setting the name here, as well as in vault_secret_name, which + # should match. + existingSecret: "nublado2-secret" + extraConfig: + nublado.py: | + import nublado2.hub_config + nublado2.hub_config.HubConfig().configure(c) + extraVolumes: + - name: nublado-config + configMap: + name: nublado-config + - name: nublado-gafaelfawr + secret: + secretName: gafaelfawr-token + extraVolumeMounts: + - name: nublado-config + mountPath: /etc/jupyterhub/nublado_config.yaml + subPath: nublado_config.yaml + - name: nublado-gafaelfawr + mountPath: /etc/keys/gafaelfawr-token + subPath: token + # We still have to use our own, enabled at the top level, which is + # similar but not identical. This one still doesn't work, even if + # you explicitly enable port 8081 so the labs can talk to the Hub. 
+ networkPolicy: + enabled: false + loadRoles: + self: + scopes: ['admin:servers!user', 'read:metrics'] + server: + scopes: ['inherit'] # Let server use API like user + + prePuller: + continuous: + enabled: false + hook: + enabled: false + + singleuser: + cloudMetadata: + blockWithIptables: false + cmd: "/opt/lsst/software/jupyterlab/runlab.sh" + defaultUrl: "/lab" + extraAnnotations: + argocd.argoproj.io/compare-options: 'IgnoreExtraneous' + argocd.argoproj.io/sync-options: 'Prune=false' + extraLabels: + hub.jupyter.org/network-access-hub: 'true' + argocd.argoproj.io/instance: 'nublado-users' + storage: + extraVolumes: + - name: dask + configMap: + name: dask + - name: idds-config + configMap: + name: idds-config + - name: tmp + emptyDir: {} + - name: butler-secret + secret: + secretName: butler-secret + - name: lab-environment + configMap: + defaultMode: 420 + name: lab-environment + - name: passwd + configMap: + defaultMode: 420 + name: passwd + - name: group + configMap: + defaultMode: 420 + name: group + - name: shadow + configMap: + defaultMode: 384 + name: shadow + - name: gshadow + configMap: + defaultMode: 384 + name: gshadow + extraVolumeMounts: + - name: dask + mountPath: /etc/dask + - name: idds-config + mountPath: /opt/lsst/software/jupyterlab/panda + - name: tmp + mountPath: /tmp + - name: butler-secret + mountPath: /opt/lsst/software/jupyterlab/butler-secret + - name: lab-environment + mountPath: /opt/lsst/software/jupyterlab/environment + - name: passwd + mountPath: /etc/passwd + readOnly: true + subPath: passwd + - name: group + mountPath: /etc/group + readOnly: true + subPath: group + - name: shadow + mountPath: /etc/shadow + readOnly: true + subPath: shadow + - name: gshadow + mountPath: /etc/gshadow + readOnly: true + subPath: gshadow + type: none + + proxy: + service: + type: ClusterIP + chp: + networkPolicy: + interNamespaceAccessLabels: accept + # This currently causes Minikube deployment in GH-actions to fail. 
+ # We want it sometime but it's not critical; it will help with + # scale-down + # pdb: + # enabled: true + # minAvailable: 1 + + # Any instantiation of this chart must also set ingress.hosts and add + # the nginx.ingress.kubernetes.io/auth-signin annotation pointing to the + # appropriate fully-qualified URLs for the Gafaelfawr /login route. + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Token" + nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true" + nginx.ingress.kubernetes.io/configuration-snippet: | + error_page 403 = "/auth/forbidden?scope=exec:notebook"; + pathSuffix: "*" + + cull: + enabled: true + timeout: 2592000 # 30 days -- shorten later + every: 600 # Check every ten minutes + users: true # log out user when we cull + removeNamedServers: true # Post-stop hook may already do this + maxAge: 5184000 # 60 days -- shorten later + + imagePullSecrets: + - name: pull-secret + + scheduling: + userScheduler: + enabled: false + userPlaceholder: + enabled: false + +config: + # base_url must be set in each instantiation of this chart to the URL of + # the primary ingress. It's used to construct API requests to the + # authentication service (which should go through the ingress). 
+ base_url: "" + # butler_secret_path must be set here, because it's passed through to + # the lab rather than being part of the Hub configuration + butler_secret_path: "" + # same with pull_secret_path; it specifies resource in the lab namespace + pull_secret_path: "" + pinned_images: [] + # One of "available" or "desired" + cachemachine_image_policy: "available" + sizes: + - name: Small + cpu: 1 + ram: 3072M + - name: Medium + cpu: 2 + ram: 6144M + - name: Large + cpu: 4 + ram: 12288M + volumes: [] + volume_mounts: [] + + # -- Environment variables to set in spawned lab containers. Each value will + # be expanded using Jinja 2 templating. + # @default -- See `values.yaml` + lab_environment: + EXTERNAL_INSTANCE_URL: "{{ base_url }}" + FIREFLY_ROUTE: /portal/app + HUB_ROUTE: "{{ nublado_base_url }}" + JS9_ROUTE: /js9 + API_ROUTE: /api + TAP_ROUTE: /api/tap + SODA_ROUTE: /api/image/soda + WORKFLOW_ROUTE: /wf + AUTO_REPO_URLS: https://github.com/lsst-sqre/notebook-demo + NO_SUDO: "TRUE" + EXTERNAL_GROUPS: "{{ external_groups }}" + EXTERNAL_UID: "{{ uid }}" + ACCESS_TOKEN: "{{ token }}" + IMAGE_DIGEST: "{{ options.image_info.digest }}" + IMAGE_DESCRIPTION: "{{ options.image_info.display_name }}" + RESET_USER_ENV: "{{ options.reset_user_env }}" + DEBUG: "{{ options.debug }}" + + # -- Templates for the user resources to create for each lab spawn. This is + # a string that can be templated and then loaded as YAML to generate a list + # of Kubernetes objects to create. 
+ # @default -- See `values.yaml` + user_resources_template: | + - apiVersion: v1 + kind: Namespace + metadata: + name: "{{ user_namespace }}" + - apiVersion: v1 + kind: ConfigMap + metadata: + name: group + namespace: "{{ user_namespace }}" + data: + group: | + root:x:0: + bin:x:1: + daemon:x:2: + sys:x:3: + adm:x:4: + tty:x:5: + disk:x:6: + lp:x:7: + mem:x:8: + kmem:x:9: + wheel:x:10: + cdrom:x:11: + mail:x:12: + man:x:15: + dialout:x:18: + floppy:x:19: + games:x:20: + tape:x:33: + video:x:39: + ftp:x:50: + lock:x:54: + audio:x:63: + nobody:x:99: + users:x:100: + utmp:x:22: + utempter:x:35: + input:x:999: + systemd-journal:x:190: + systemd-network:x:192: + dbus:x:81: + ssh_keys:x:998: + lsst_lcl:x:1000:{{ user }} + tss:x:59: + cgred:x:997: + screen:x:84: + jovyan:x:768:{{ user }} + provisionator:x:769: + {{user}}:x:{{uid}}:{% for group in groups %} + {{ group.name }}:x:{{ group.id }}:{{ user }}{% endfor %} + - apiVersion: v1 + kind: ConfigMap + metadata: + name: gshadow + namespace: "{{ user_namespace }}" + data: + gshadow: | + root:!:: + bin:!:: + daemon:!:: + sys:!:: + adm:!:: + tty:!:: + disk:!:: + lp:!:: + mem:!:: + kmem:!:: + wheel:!:: + cdrom:!:: + mail:!:: + man:!:: + dialout:!:: + floppy:!:: + games:!:: + tape:!:: + video:!:: + ftp:!:: + lock:!:: + audio:!:: + nobody:!:: + users:!:: + utmp:!:: + utempter:!:: + input:!:: + systemd-journal:!:: + systemd-network:!:: + dbus:!:: + ssh_keys:!:: + lsst_lcl:!::{{ user }} + tss:!:: + cgred:!:: + screen:!:: + jovyan:!::{{ user }} + provisionator:!:: + {{ user }}:!::{% for g in groups %} + {{ g.name }}:!::{{ user }}{% endfor %} + - apiVersion: v1 + kind: ConfigMap + metadata: + name: passwd + namespace: "{{ user_namespace }}" + data: + passwd: | + root:x:0:0:root:/root:/bin/bash + bin:x:1:1:bin:/bin:/sbin/nologin + daemon:x:2:2:daemon:/sbin:/sbin/nologin + adm:x:3:4:adm:/var/adm:/sbin/nologin + lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin + sync:x:5:0:sync:/sbin:/bin/sync + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + 
halt:x:7:0:halt:/sbin:/sbin/halt + mail:x:8:12:mail:/var/spool/mail:/sbin/nologin + operator:x:11:0:operator:/root:/sbin/nologin + games:x:12:100:games:/usr/games:/sbin/nologin + ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin + nobody:x:99:99:Nobody:/:/sbin/nologin + systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin + dbus:x:81:81:System message bus:/:/sbin/nologin + lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash + tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin + provisionator:x:769:769:Lab provisioning user:/home/provisionator:/bin/bash + {{ user }}:x:{{ uid }}:{{ uid }}::/home/{{ user }}:/bin/bash + - apiVersion: v1 + kind: ConfigMap + metadata: + name: shadow + namespace: "{{ user_namespace }}" + data: + shadow: | + root:*:18000:0:99999:7::: + bin:*:18000:0:99999:7::: + daemon:*:18000:0:99999:7::: + adm:*:18000:0:99999:7::: + lp:*:18000:0:99999:7::: + sync:*:18000:0:99999:7::: + shutdown:*:18000:0:99999:7::: + halt:*:18000:0:99999:7::: + mail:*:18000:0:99999:7::: + operator:*:18000:0:99999:7::: + games:*:18000:0:99999:7::: + ftp:*:18000:0:99999:7::: + nobody:*:18000:0:99999:7::: + systemd-network:*:18000:0:99999:7::: + dbus:*:18000:0:99999:7::: + lsst_lcl:*:18000:0:99999:7::: + tss:*:18000:0:99999:7::: + provisionator:*:18000:0:99999:7::: + {{user}}:*:18000:0:99999:7::: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: dask + namespace: "{{ user_namespace }}" + data: + dask_worker.yml: | + {{ dask_yaml | indent(6) }} + # When we break out the resources we should make this per-instance + # configurable. + - apiVersion: v1 + kind: ConfigMap + metadata: + name: idds-config + namespace: "{{ user_namespace }}" + data: + idds_cfg.client.template: | + # Licensed under the Apache License, Version 2.0 (the "License"); + # You may not use this file except in compliance with the License. 
+ # You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 + # + # Authors: + # - Wen Guan, , 2020 + [common] + # if logdir is configured, idds will write to idds.log in this directory. + # else idds will go to stdout/stderr. + # With supervisord, it's good to write to stdout/stderr, then supervisord can manage and rotate logs. + # logdir = /var/log/idds + loglevel = INFO + [rest] + host = https://iddsserver.cern.ch:443/idds + #url_prefix = /idds + #cacher_dir = /tmp + cacher_dir = /data/idds + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "{{ user }}-serviceaccount" + namespace: "{{ user_namespace }}" + imagePullSecrets: + - name: pull-secret + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "{{ user }}-role" + namespace: "{{ user_namespace }}" + rules: + # cf https://kubernetes.dask.org/en/latest/kubecluster.html + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list"] + - apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "{{ user }}-rolebinding" + namespace: "{{ user_namespace }}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ user }}-role" + subjects: + - kind: ServiceAccount + name: "{{ user }}-serviceaccount" + namespace: "{{ user_namespace }}" + - apiVersion: ricoberger.de/v1alpha1 + kind: VaultSecret + metadata: + name: butler-secret + namespace: "{{ user_namespace }}" + spec: + path: "{{ butler_secret_path }}" + type: Opaque + - apiVersion: ricoberger.de/v1alpha1 + kind: VaultSecret + metadata: + name: pull-secret + namespace: "{{ user_namespace }}" + spec: + path: "{{ pull_secret_path }}" + type: kubernetes.io/dockerconfigjson + +# Note: See note above about existingSecret. 
+vault_secret_name: "nublado2-secret" +vault_secret_path: "" + +# Built-in network policy doesn't quite work (Labs can't talk to Hub, +# even with port 8081 explicitly enabled), so let's use our own for now. +network_policy: + enabled: true From e80e0022f38623389cb7ca3e865f9cd0c6956862 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 31 Mar 2022 10:27:04 -0700 Subject: [PATCH 0165/1479] set CLEAR_DOTLOCAL as well --- services/nublado2/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index d866444b08..6f40171ab7 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -228,6 +228,9 @@ config: IMAGE_DIGEST: "{{ options.image_info.digest }}" IMAGE_DESCRIPTION: "{{ options.image_info.display_name }}" RESET_USER_ENV: "{{ options.reset_user_env }}" + # We need to set CLEAR_DOTLOCAL until all images that didn't know + # about RESET_USER_ENV have aged out (late 2022) + CLEAR_DOTLOCAL: "{{ options.reset_user_env }}" DEBUG: "{{ options.debug }}" # -- Templates for the user resources to create for each lab spawn. This is From 7a2a30499838ab11afbfad41c6a564b5ddf863b3 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 31 Mar 2022 14:57:06 -0700 Subject: [PATCH 0166/1479] fix indentation for all environments to reflect chart import --- services/nublado2/values-base.yaml | 89 ++- services/nublado2/values-idfint.yaml | 617 +++++++++--------- services/nublado2/values-idfprod.yaml | 577 ++++++++-------- services/nublado2/values-int.yaml | 83 ++- services/nublado2/values-minikube.yaml | 45 +- services/nublado2/values-red-five.yaml | 85 ++- services/nublado2/values-roe.yaml | 81 ++- services/nublado2/values-stable.yaml | 111 ++-- services/nublado2/values-summit.yaml | 185 +++--- .../nublado2/values-tucson-teststand.yaml | 155 +++-- 10 files changed, 1009 insertions(+), 1019 deletions(-) 
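Review bot: `singleuser.cloudMetadata.blockWithIptables: false` in the values.yaml hunk turns off zero-to-jupyterhub's block of the instance-metadata endpoint, so code running in a user lab can query the node's metadata service; on a cloud cluster that can expose node credentials unless the endpoint is concealed at the cluster level, which is not visible from this chart. If concealment is handled elsewhere, record it next to the setting, e.g. `# Metadata endpoint access is controlled at the cluster level; the z2jh iptables init container is not used.`; otherwise set it to `true`. The same hunk's per-user Role grants `create` on `pods` in the user namespace with no admission policy visible here, so a lab user can presumably launch arbitrary pod specs there (hostPath, privileged, and so on) — worth confirming that a PodSecurity or equivalent policy applies to spawned namespaces and noting that in the `user_resources_template` comment.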
diff --git a/services/nublado2/values-base.yaml b/services/nublado2/values-base.yaml index 14d95ee162..5f6a67d270 100644 --- a/services/nublado2/values-base.yaml +++ b/services/nublado2/values-base.yaml 
@@ -1,51 +1,50 @@ -nublado2: - jupyterhub: - ingress: - hosts: ["base-lsp.lsst.codes"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://base-lsp.lsst.codes/login" +jupyterhub: + ingress: + hosts: ["base-lsp.lsst.codes"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://base-lsp.lsst.codes/login" - singleuser: - extraAnnotations: - k8s.v1.cni.cncf.io/networks: "kube-system/macvlan-conf" - initContainers: - - name: "multus-init" - image: "lsstit/ddsnet4u:latest" - securityContext: - privileged: true + singleuser: + extraAnnotations: + k8s.v1.cni.cncf.io/networks: "kube-system/macvlan-conf" + initContainers: + - name: "multus-init" + image: "lsstit/ddsnet4u:latest" + securityContext: + privileged: true - config: - base_url: "https://base-lsp.lsst.codes" - butler_secret_path: "secret/k8s_operator/base-lsp.lsst.codes/butler-secret" - pull_secret_path: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" - LSST_DDS_INTERFACE: net1 - LSST_DDS_PARTITION_PREFIX: base - volumes: - - name: home - nfs: - path: /lsstdata/user/staff/jhome - server: ddn-nfs.ls.lsst.org - - name: project - nfs: - path: /lsstdata/user/staff/project - server: ddn-nfs.ls.lsst.org - - name: scratch - nfs: - path: /lsstdata/user/staff/scratch - server: ddn-nfs.ls.lsst.org - volume_mounts: - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch +config: + base_url: "https://base-lsp.lsst.codes" + butler_secret_path: "secret/k8s_operator/base-lsp.lsst.codes/butler-secret" + pull_secret_path: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" + lab_environment: + AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" + AUTO_REPO_BRANCH: "prod" + AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + LSST_DDS_INTERFACE: net1 
+ LSST_DDS_PARTITION_PREFIX: base + volumes: + - name: home + nfs: + path: /lsstdata/user/staff/jhome + server: ddn-nfs.ls.lsst.org + - name: project + nfs: + path: /lsstdata/user/staff/project + server: ddn-nfs.ls.lsst.org + - name: scratch + nfs: + path: /lsstdata/user/staff/scratch + server: ddn-nfs.ls.lsst.org + volume_mounts: + - name: home + mountPath: /home + - name: project + mountPath: /project + - name: scratch + mountPath: /scratch - vault_secret_path: "secret/k8s_operator/base-lsp.lsst.codes/nublado2" +vault_secret_path: "secret/k8s_operator/base-lsp.lsst.codes/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values-idfint.yaml b/services/nublado2/values-idfint.yaml index 7d10cbadea..27be78b054 100644 --- a/services/nublado2/values-idfint.yaml +++ b/services/nublado2/values-idfint.yaml 
@@ -1,315 +1,314 @@ -nublado2: - jupyterhub: - hub: - resources: - requests: - cpu: "2" - memory: 3Gi - ingress: - hosts: ["data-int.lsst.cloud"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://data-int.lsst.cloud/login" - config: - base_url: "https://data-int.lsst.cloud" - butler_secret_path: "secret/k8s_operator/data-int.lsst.cloud/butler-secret" - pull_secret_path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" - cachemachine_image_policy: "desired" - lab_environment: - PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" - AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" - S3_ENDPOINT_URL: "https://storage.googleapis.com" - GOOGLE_APPLICATION_CREDENTIALS: "/opt/lsst/software/jupyterlab/butler-secret/butler-gcs-idf-creds.json" - DAF_BUTLER_REPOSITORY_INDEX: "s3://butler-us-central1-repo-locations/data-int-repos.yaml" - AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks - AUTO_REPO_BRANCH: prod - AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod - PANDA_AUTH: oidc - PANDA_VERIFY_HOST: "off" - PANDA_AUTH_VO: Rubin - PANDA_URL_SSL: https://pandaserver-doma.cern.ch:25443/server/panda - PANDA_URL: http://pandaserver-doma.cern.ch:25080/server/panda - IDDS_CONFIG: /opt/lsst/software/jupyterlab/panda/idds.cfg.client.template - PANDA_CONFIG_ROOT: "~" - sizes: - - name: Small - cpu: 1 - ram: 3072M - - name: Medium - cpu: 2 - ram: 6144M - - name: Large - cpu: 4 - ram: 12288M - - name: Huge - cpu: 8 - ram: 24576M - volumes: - - name: home - nfs: - path: /share1/home - server: 10.22.240.130 - - name: project - nfs: - path: /share1/project - server: 10.22.240.130 - - name: scratch - nfs: - path: /share1/scratch - server: 10.22.240.130 - volume_mounts: - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: 
/scratch - # Workaround to impose resource quotas at IDF - user_resources_template: | - - apiVersion: v1 - kind: Namespace - metadata: - name: "{{ user_namespace }}" - - apiVersion: v1 - kind: ConfigMap - metadata: - name: group - namespace: "{{ user_namespace }}" - data: - group: | - root:x:0: - bin:x:1: - daemon:x:2: - sys:x:3: - adm:x:4: - tty:x:5: - disk:x:6: - lp:x:7: - mem:x:8: - kmem:x:9: - wheel:x:10: - cdrom:x:11: - mail:x:12: - man:x:15: - dialout:x:18: - floppy:x:19: - games:x:20: - tape:x:33: - video:x:39: - ftp:x:50: - lock:x:54: - audio:x:63: - nobody:x:99: - users:x:100: - utmp:x:22: - utempter:x:35: - input:x:999: - systemd-journal:x:190: - systemd-network:x:192: - dbus:x:81: - ssh_keys:x:998: - lsst_lcl:x:1000:{{ user }} - tss:x:59: - cgred:x:997: - screen:x:84: - jovyan:x:768:{{ user }} - provisionator:x:769: - {{user}}:x:{{uid}}:{% for group in groups %} - {{ group.name }}:x:{{ group.id }}:{{ user }}{% endfor %} - - apiVersion: v1 - kind: ConfigMap - metadata: - name: gshadow - namespace: "{{ user_namespace }}" - data: - gshadow: | - root:!:: - bin:!:: - daemon:!:: - sys:!:: - adm:!:: - tty:!:: - disk:!:: - lp:!:: - mem:!:: - kmem:!:: - wheel:!:: - cdrom:!:: - mail:!:: - man:!:: - dialout:!:: - floppy:!:: - games:!:: - tape:!:: - video:!:: - ftp:!:: - lock:!:: - audio:!:: - nobody:!:: - users:!:: - utmp:!:: - utempter:!:: - input:!:: - systemd-journal:!:: - systemd-network:!:: - dbus:!:: - ssh_keys:!:: - lsst_lcl:!::{{ user }} - tss:!:: - cgred:!:: - screen:!:: - jovyan:!::{{ user }} - provisionator:!:: - {{ user }}:!::{% for g in groups %} - {{ g.name }}:!::{{ user }}{% endfor %} - - apiVersion: v1 - kind: ConfigMap - metadata: - name: passwd - namespace: "{{ user_namespace }}" - data: - passwd: | - root:x:0:0:root:/root:/bin/bash - bin:x:1:1:bin:/bin:/sbin/nologin - daemon:x:2:2:daemon:/sbin:/sbin/nologin - adm:x:3:4:adm:/var/adm:/sbin/nologin - lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin - sync:x:5:0:sync:/sbin:/bin/sync - 
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown - halt:x:7:0:halt:/sbin:/sbin/halt - mail:x:8:12:mail:/var/spool/mail:/sbin/nologin - operator:x:11:0:operator:/root:/sbin/nologin - games:x:12:100:games:/usr/games:/sbin/nologin - ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin - nobody:x:99:99:Nobody:/:/sbin/nologin - systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin - dbus:x:81:81:System message bus:/:/sbin/nologin - lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash - tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - provisionator:x:769:769:Lab provisioning user:/home/provisionator:/bin/bash - {{ user }}:x:{{ uid }}:{{ uid }}::/home/{{ user }}:/bin/bash - - apiVersion: v1 - kind: ConfigMap - metadata: - name: shadow - namespace: "{{ user_namespace }}" - data: - shadow: | - root:*:18000:0:99999:7::: - bin:*:18000:0:99999:7::: - daemon:*:18000:0:99999:7::: - adm:*:18000:0:99999:7::: - lp:*:18000:0:99999:7::: - sync:*:18000:0:99999:7::: - shutdown:*:18000:0:99999:7::: - halt:*:18000:0:99999:7::: - mail:*:18000:0:99999:7::: - operator:*:18000:0:99999:7::: - games:*:18000:0:99999:7::: - ftp:*:18000:0:99999:7::: - nobody:*:18000:0:99999:7::: - systemd-network:*:18000:0:99999:7::: - dbus:*:18000:0:99999:7::: - lsst_lcl:*:18000:0:99999:7::: - tss:*:18000:0:99999:7::: - provisionator:*:18000:0:99999:7::: - {{user}}:*:18000:0:99999:7::: - - apiVersion: v1 - kind: ConfigMap - metadata: - name: dask - namespace: "{{ user_namespace }}" - data: - dask_worker.yml: | - {{ dask_yaml | indent(6) }} - # When we break out the resources we should make this per-instance - # configurable. - - apiVersion: v1 - kind: ConfigMap - metadata: - name: idds-config - namespace: "{{ user_namespace }}" - data: - idds.cfg.client.template: | - # Licensed under the Apache License, Version 2.0 (the "License"); - # You may not use this file except in compliance with the License. 
- # You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 - # - # Authors: - # - Wen Guan, , 2020 - [common] - # if logdir is configured, idds will write to idds.log in this directory. - # else idds will go to stdout/stderr. - # With supervisord, it's good to write to stdout/stderr, then supervisord can manage and rotate logs. - # logdir = /var/log/idds - loglevel = INFO - [rest] - host = https://iddsserver.cern.ch:443/idds - #url_prefix = /idds - #cacher_dir = /tmp - cacher_dir = /data/idds - - apiVersion: v1 - kind: ServiceAccount - metadata: - name: "{{ user }}-serviceaccount" - namespace: "{{ user_namespace }}" - imagePullSecrets: - - name: pull-secret - - apiVersion: rbac.authorization.k8s.io/v1 +jupyterhub: + hub: + resources: + requests: + cpu: "2" + memory: 3Gi + ingress: + hosts: ["data-int.lsst.cloud"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://data-int.lsst.cloud/login" +config: + base_url: "https://data-int.lsst.cloud" + butler_secret_path: "secret/k8s_operator/data-int.lsst.cloud/butler-secret" + pull_secret_path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" + cachemachine_image_policy: "desired" + lab_environment: + PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" + AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" + S3_ENDPOINT_URL: "https://storage.googleapis.com" + GOOGLE_APPLICATION_CREDENTIALS: "/opt/lsst/software/jupyterlab/butler-secret/butler-gcs-idf-creds.json" + DAF_BUTLER_REPOSITORY_INDEX: "s3://butler-us-central1-repo-locations/data-int-repos.yaml" + AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks + AUTO_REPO_BRANCH: prod + AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod + PANDA_AUTH: oidc + PANDA_VERIFY_HOST: "off" + PANDA_AUTH_VO: Rubin + PANDA_URL_SSL: 
https://pandaserver-doma.cern.ch:25443/server/panda + PANDA_URL: http://pandaserver-doma.cern.ch:25080/server/panda + IDDS_CONFIG: /opt/lsst/software/jupyterlab/panda/idds.cfg.client.template + PANDA_CONFIG_ROOT: "~" + sizes: + - name: Small + cpu: 1 + ram: 3072M + - name: Medium + cpu: 2 + ram: 6144M + - name: Large + cpu: 4 + ram: 12288M + - name: Huge + cpu: 8 + ram: 24576M + volumes: + - name: home + nfs: + path: /share1/home + server: 10.22.240.130 + - name: project + nfs: + path: /share1/project + server: 10.22.240.130 + - name: scratch + nfs: + path: /share1/scratch + server: 10.22.240.130 + volume_mounts: + - name: home + mountPath: /home + - name: project + mountPath: /project + - name: scratch + mountPath: /scratch + # Workaround to impose resource quotas at IDF + user_resources_template: | + - apiVersion: v1 + kind: Namespace + metadata: + name: "{{ user_namespace }}" + - apiVersion: v1 + kind: ConfigMap + metadata: + name: group + namespace: "{{ user_namespace }}" + data: + group: | + root:x:0: + bin:x:1: + daemon:x:2: + sys:x:3: + adm:x:4: + tty:x:5: + disk:x:6: + lp:x:7: + mem:x:8: + kmem:x:9: + wheel:x:10: + cdrom:x:11: + mail:x:12: + man:x:15: + dialout:x:18: + floppy:x:19: + games:x:20: + tape:x:33: + video:x:39: + ftp:x:50: + lock:x:54: + audio:x:63: + nobody:x:99: + users:x:100: + utmp:x:22: + utempter:x:35: + input:x:999: + systemd-journal:x:190: + systemd-network:x:192: + dbus:x:81: + ssh_keys:x:998: + lsst_lcl:x:1000:{{ user }} + tss:x:59: + cgred:x:997: + screen:x:84: + jovyan:x:768:{{ user }} + provisionator:x:769: + {{user}}:x:{{uid}}:{% for group in groups %} + {{ group.name }}:x:{{ group.id }}:{{ user }}{% endfor %} + - apiVersion: v1 + kind: ConfigMap + metadata: + name: gshadow + namespace: "{{ user_namespace }}" + data: + gshadow: | + root:!:: + bin:!:: + daemon:!:: + sys:!:: + adm:!:: + tty:!:: + disk:!:: + lp:!:: + mem:!:: + kmem:!:: + wheel:!:: + cdrom:!:: + mail:!:: + man:!:: + dialout:!:: + floppy:!:: + games:!:: + tape:!:: + 
video:!:: + ftp:!:: + lock:!:: + audio:!:: + nobody:!:: + users:!:: + utmp:!:: + utempter:!:: + input:!:: + systemd-journal:!:: + systemd-network:!:: + dbus:!:: + ssh_keys:!:: + lsst_lcl:!::{{ user }} + tss:!:: + cgred:!:: + screen:!:: + jovyan:!::{{ user }} + provisionator:!:: + {{ user }}:!::{% for g in groups %} + {{ g.name }}:!::{{ user }}{% endfor %} + - apiVersion: v1 + kind: ConfigMap + metadata: + name: passwd + namespace: "{{ user_namespace }}" + data: + passwd: | + root:x:0:0:root:/root:/bin/bash + bin:x:1:1:bin:/bin:/sbin/nologin + daemon:x:2:2:daemon:/sbin:/sbin/nologin + adm:x:3:4:adm:/var/adm:/sbin/nologin + lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin + sync:x:5:0:sync:/sbin:/bin/sync + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + halt:x:7:0:halt:/sbin:/sbin/halt + mail:x:8:12:mail:/var/spool/mail:/sbin/nologin + operator:x:11:0:operator:/root:/sbin/nologin + games:x:12:100:games:/usr/games:/sbin/nologin + ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin + nobody:x:99:99:Nobody:/:/sbin/nologin + systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin + dbus:x:81:81:System message bus:/:/sbin/nologin + lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash + tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin + provisionator:x:769:769:Lab provisioning user:/home/provisionator:/bin/bash + {{ user }}:x:{{ uid }}:{{ uid }}::/home/{{ user }}:/bin/bash + - apiVersion: v1 + kind: ConfigMap + metadata: + name: shadow + namespace: "{{ user_namespace }}" + data: + shadow: | + root:*:18000:0:99999:7::: + bin:*:18000:0:99999:7::: + daemon:*:18000:0:99999:7::: + adm:*:18000:0:99999:7::: + lp:*:18000:0:99999:7::: + sync:*:18000:0:99999:7::: + shutdown:*:18000:0:99999:7::: + halt:*:18000:0:99999:7::: + mail:*:18000:0:99999:7::: + operator:*:18000:0:99999:7::: + games:*:18000:0:99999:7::: + ftp:*:18000:0:99999:7::: + nobody:*:18000:0:99999:7::: + systemd-network:*:18000:0:99999:7::: + dbus:*:18000:0:99999:7::: + 
lsst_lcl:*:18000:0:99999:7::: + tss:*:18000:0:99999:7::: + provisionator:*:18000:0:99999:7::: + {{user}}:*:18000:0:99999:7::: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: dask + namespace: "{{ user_namespace }}" + data: + dask_worker.yml: | + {{ dask_yaml | indent(6) }} + # When we break out the resources we should make this per-instance + # configurable. + - apiVersion: v1 + kind: ConfigMap + metadata: + name: idds-config + namespace: "{{ user_namespace }}" + data: + idds.cfg.client.template: | + # Licensed under the Apache License, Version 2.0 (the "License"); + # You may not use this file except in compliance with the License. + # You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 + # + # Authors: + # - Wen Guan, , 2020 + [common] + # if logdir is configured, idds will write to idds.log in this directory. + # else idds will go to stdout/stderr. + # With supervisord, it's good to write to stdout/stderr, then supervisord can manage and rotate logs. 
+ # logdir = /var/log/idds + loglevel = INFO + [rest] + host = https://iddsserver.cern.ch:443/idds + #url_prefix = /idds + #cacher_dir = /tmp + cacher_dir = /data/idds + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "{{ user }}-serviceaccount" + namespace: "{{ user_namespace }}" + imagePullSecrets: + - name: pull-secret + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "{{ user }}-role" + namespace: "{{ user_namespace }}" + rules: + # cf https://kubernetes.dask.org/en/latest/kubecluster.html + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list"] + - apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "{{ user }}-rolebinding" + namespace: "{{ user_namespace }}" + roleRef: + apiGroup: rbac.authorization.k8s.io kind: Role - metadata: - name: "{{ user }}-role" - namespace: "{{ user_namespace }}" - rules: - # cf https://kubernetes.dask.org/en/latest/kubecluster.html - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["create", "delete", "get", "list", "watch"] - - apiGroups: [""] - resources: ["pods/log"] - verbs: ["get","list"] - - apiGroups: ["policy"] - resources: ["poddisruptionbudgets"] - verbs: ["create", "delete", "get", "list", "watch"] - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: "{{ user }}-rolebinding" - namespace: "{{ user_namespace }}" - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "{{ user }}-role" - subjects: - - kind: ServiceAccount - name: "{{ user }}-serviceaccount" - namespace: "{{ user_namespace }}" - - apiVersion: ricoberger.de/v1alpha1 - kind: VaultSecret - metadata: - name: butler-secret - namespace: "{{ user_namespace }}" - spec: - path: "{{ butler_secret_path }}" - 
type: Opaque - - apiVersion: ricoberger.de/v1alpha1 - kind: VaultSecret - metadata: - name: pull-secret - namespace: "{{ user_namespace }}" - spec: - path: "{{ pull_secret_path }}" - type: kubernetes.io/dockerconfigjson - - apiVersion: v1 - kind: ResourceQuota - metadata: - name: user-quota + name: "{{ user }}-role" + subjects: + - kind: ServiceAccount + name: "{{ user }}-serviceaccount" namespace: "{{ user_namespace }}" - spec: - hard: - limits.cpu: 9 - limits.memory: 27Gi + - apiVersion: ricoberger.de/v1alpha1 + kind: VaultSecret + metadata: + name: butler-secret + namespace: "{{ user_namespace }}" + spec: + path: "{{ butler_secret_path }}" + type: Opaque + - apiVersion: ricoberger.de/v1alpha1 + kind: VaultSecret + metadata: + name: pull-secret + namespace: "{{ user_namespace }}" + spec: + path: "{{ pull_secret_path }}" + type: kubernetes.io/dockerconfigjson + - apiVersion: v1 + kind: ResourceQuota + metadata: + name: user-quota + namespace: "{{ user_namespace }}" + spec: + hard: + limits.cpu: 9 + limits.memory: 27Gi - vault_secret_path: "secret/k8s_operator/data-int.lsst.cloud/nublado2" +vault_secret_path: "secret/k8s_operator/data-int.lsst.cloud/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index eaeb96eba4..9fec61e9f9 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml 
@@ -1,295 +1,294 @@ -nublado2: - jupyterhub: - hub: - resources: - requests: - cpu: "2" - memory: 3Gi - ingress: - hosts: ["data.lsst.cloud"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://data.lsst.cloud/login" - config: - base_url: "https://data.lsst.cloud" - butler_secret_path: "secret/k8s_operator/data.lsst.cloud/butler-secret" - pull_secret_path: "secret/k8s_operator/data.lsst.cloud/pull-secret" - cachemachine_image_policy: "desired" - lab_environment: - PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" - AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" - GOOGLE_APPLICATION_CREDENTIALS: "/opt/lsst/software/jupyterlab/butler-secret/butler-gcs-idf-creds.json" - DAF_BUTLER_REPOSITORY_INDEX: "s3://butler-us-central1-repo-locations/data-repos.yaml" - S3_ENDPOINT_URL: "https://storage.googleapis.com" - AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks - AUTO_REPO_BRANCH: prod - AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod - volumes: - - name: home - nfs: - path: /share1/home - server: 10.13.105.122 - - name: project - nfs: - path: /share1/project - server: 10.13.105.122 - - name: scratch - nfs: - path: /share1/scratch - server: 10.13.105.122 - volume_mounts: - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch - # Workaround to impose resource quotas at IDF - user_resources_template: | - - apiVersion: v1 - kind: Namespace - metadata: - name: "{{ user_namespace }}" - - apiVersion: v1 - kind: ConfigMap - metadata: - name: group - namespace: "{{ user_namespace }}" - data: - group: | - root:x:0: - bin:x:1: - daemon:x:2: - sys:x:3: - adm:x:4: - tty:x:5: - disk:x:6: - lp:x:7: - mem:x:8: - kmem:x:9: - wheel:x:10: - cdrom:x:11: - mail:x:12: - man:x:15: - dialout:x:18: - floppy:x:19: - 
games:x:20: - tape:x:33: - video:x:39: - ftp:x:50: - lock:x:54: - audio:x:63: - nobody:x:99: - users:x:100: - utmp:x:22: - utempter:x:35: - input:x:999: - systemd-journal:x:190: - systemd-network:x:192: - dbus:x:81: - ssh_keys:x:998: - lsst_lcl:x:1000:{{ user }} - tss:x:59: - cgred:x:997: - screen:x:84: - jovyan:x:768:{{ user }} - provisionator:x:769: - {{user}}:x:{{uid}}:{% for group in groups %} - {{ group.name }}:x:{{ group.id }}:{{ user }}{% endfor %} - - apiVersion: v1 - kind: ConfigMap - metadata: - name: gshadow - namespace: "{{ user_namespace }}" - data: - gshadow: | - root:!:: - bin:!:: - daemon:!:: - sys:!:: - adm:!:: - tty:!:: - disk:!:: - lp:!:: - mem:!:: - kmem:!:: - wheel:!:: - cdrom:!:: - mail:!:: - man:!:: - dialout:!:: - floppy:!:: - games:!:: - tape:!:: - video:!:: - ftp:!:: - lock:!:: - audio:!:: - nobody:!:: - users:!:: - utmp:!:: - utempter:!:: - input:!:: - systemd-journal:!:: - systemd-network:!:: - dbus:!:: - ssh_keys:!:: - lsst_lcl:!::{{ user }} - tss:!:: - cgred:!:: - screen:!:: - jovyan:!::{{ user }} - provisionator:!:: - {{ user }}:!::{% for g in groups %} - {{ g.name }}:!::{{ user }}{% endfor %} - - apiVersion: v1 - kind: ConfigMap - metadata: - name: passwd - namespace: "{{ user_namespace }}" - data: - passwd: | - root:x:0:0:root:/root:/bin/bash - bin:x:1:1:bin:/bin:/sbin/nologin - daemon:x:2:2:daemon:/sbin:/sbin/nologin - adm:x:3:4:adm:/var/adm:/sbin/nologin - lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin - sync:x:5:0:sync:/sbin:/bin/sync - shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown - halt:x:7:0:halt:/sbin:/sbin/halt - mail:x:8:12:mail:/var/spool/mail:/sbin/nologin - operator:x:11:0:operator:/root:/sbin/nologin - games:x:12:100:games:/usr/games:/sbin/nologin - ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin - nobody:x:99:99:Nobody:/:/sbin/nologin - systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin - dbus:x:81:81:System message bus:/:/sbin/nologin - lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash - tss:x:59:59:Account used 
by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - provisionator:x:769:769:Lab provisioning user:/home/provisionator:/bin/bash - {{ user }}:x:{{ uid }}:{{ uid }}::/home/{{ user }}:/bin/bash - - apiVersion: v1 - kind: ConfigMap - metadata: - name: shadow - namespace: "{{ user_namespace }}" - data: - shadow: | - root:*:18000:0:99999:7::: - bin:*:18000:0:99999:7::: - daemon:*:18000:0:99999:7::: - adm:*:18000:0:99999:7::: - lp:*:18000:0:99999:7::: - sync:*:18000:0:99999:7::: - shutdown:*:18000:0:99999:7::: - halt:*:18000:0:99999:7::: - mail:*:18000:0:99999:7::: - operator:*:18000:0:99999:7::: - games:*:18000:0:99999:7::: - ftp:*:18000:0:99999:7::: - nobody:*:18000:0:99999:7::: - systemd-network:*:18000:0:99999:7::: - dbus:*:18000:0:99999:7::: - lsst_lcl:*:18000:0:99999:7::: - tss:*:18000:0:99999:7::: - provisionator:*:18000:0:99999:7::: - {{user}}:*:18000:0:99999:7::: - - apiVersion: v1 - kind: ConfigMap - metadata: - name: dask - namespace: "{{ user_namespace }}" - data: - dask_worker.yml: | - {{ dask_yaml | indent(6) }} - # When we break out the resources we should make this per-instance - # configurable. - - apiVersion: v1 - kind: ConfigMap - metadata: - name: idds-config - namespace: "{{ user_namespace }}" - data: - idds_cfg.client.template: | - # Licensed under the Apache License, Version 2.0 (the "License"); - # You may not use this file except in compliance with the License. - # You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 - # - # Authors: - # - Wen Guan, , 2020 - [common] - # if logdir is configured, idds will write to idds.log in this directory. - # else idds will go to stdout/stderr. - # With supervisord, it's good to write to stdout/stderr, then supervisord can manage and rotate logs. 
- # logdir = /var/log/idds - loglevel = INFO - [rest] - host = https://iddsserver.cern.ch:443/idds - #url_prefix = /idds - #cacher_dir = /tmp - cacher_dir = /data/idds - - apiVersion: v1 - kind: ServiceAccount - metadata: - name: "{{ user }}-serviceaccount" - namespace: "{{ user_namespace }}" - imagePullSecrets: - - name: pull-secret - - apiVersion: rbac.authorization.k8s.io/v1 +jupyterhub: + hub: + resources: + requests: + cpu: "2" + memory: 3Gi + ingress: + hosts: ["data.lsst.cloud"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://data.lsst.cloud/login" +config: + base_url: "https://data.lsst.cloud" + butler_secret_path: "secret/k8s_operator/data.lsst.cloud/butler-secret" + pull_secret_path: "secret/k8s_operator/data.lsst.cloud/pull-secret" + cachemachine_image_policy: "desired" + lab_environment: + PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" + AWS_SHARED_CREDENTIALS_FILE: "/opt/lsst/software/jupyterlab/butler-secret/aws-credentials.ini" + GOOGLE_APPLICATION_CREDENTIALS: "/opt/lsst/software/jupyterlab/butler-secret/butler-gcs-idf-creds.json" + DAF_BUTLER_REPOSITORY_INDEX: "s3://butler-us-central1-repo-locations/data-repos.yaml" + S3_ENDPOINT_URL: "https://storage.googleapis.com" + AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks + AUTO_REPO_BRANCH: prod + AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod + volumes: + - name: home + nfs: + path: /share1/home + server: 10.13.105.122 + - name: project + nfs: + path: /share1/project + server: 10.13.105.122 + - name: scratch + nfs: + path: /share1/scratch + server: 10.13.105.122 + volume_mounts: + - name: home + mountPath: /home + - name: project + mountPath: /project + - name: scratch + mountPath: /scratch + # Workaround to impose resource quotas at IDF + user_resources_template: | + - apiVersion: v1 + kind: Namespace + metadata: + name: 
"{{ user_namespace }}" + - apiVersion: v1 + kind: ConfigMap + metadata: + name: group + namespace: "{{ user_namespace }}" + data: + group: | + root:x:0: + bin:x:1: + daemon:x:2: + sys:x:3: + adm:x:4: + tty:x:5: + disk:x:6: + lp:x:7: + mem:x:8: + kmem:x:9: + wheel:x:10: + cdrom:x:11: + mail:x:12: + man:x:15: + dialout:x:18: + floppy:x:19: + games:x:20: + tape:x:33: + video:x:39: + ftp:x:50: + lock:x:54: + audio:x:63: + nobody:x:99: + users:x:100: + utmp:x:22: + utempter:x:35: + input:x:999: + systemd-journal:x:190: + systemd-network:x:192: + dbus:x:81: + ssh_keys:x:998: + lsst_lcl:x:1000:{{ user }} + tss:x:59: + cgred:x:997: + screen:x:84: + jovyan:x:768:{{ user }} + provisionator:x:769: + {{user}}:x:{{uid}}:{% for group in groups %} + {{ group.name }}:x:{{ group.id }}:{{ user }}{% endfor %} + - apiVersion: v1 + kind: ConfigMap + metadata: + name: gshadow + namespace: "{{ user_namespace }}" + data: + gshadow: | + root:!:: + bin:!:: + daemon:!:: + sys:!:: + adm:!:: + tty:!:: + disk:!:: + lp:!:: + mem:!:: + kmem:!:: + wheel:!:: + cdrom:!:: + mail:!:: + man:!:: + dialout:!:: + floppy:!:: + games:!:: + tape:!:: + video:!:: + ftp:!:: + lock:!:: + audio:!:: + nobody:!:: + users:!:: + utmp:!:: + utempter:!:: + input:!:: + systemd-journal:!:: + systemd-network:!:: + dbus:!:: + ssh_keys:!:: + lsst_lcl:!::{{ user }} + tss:!:: + cgred:!:: + screen:!:: + jovyan:!::{{ user }} + provisionator:!:: + {{ user }}:!::{% for g in groups %} + {{ g.name }}:!::{{ user }}{% endfor %} + - apiVersion: v1 + kind: ConfigMap + metadata: + name: passwd + namespace: "{{ user_namespace }}" + data: + passwd: | + root:x:0:0:root:/root:/bin/bash + bin:x:1:1:bin:/bin:/sbin/nologin + daemon:x:2:2:daemon:/sbin:/sbin/nologin + adm:x:3:4:adm:/var/adm:/sbin/nologin + lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin + sync:x:5:0:sync:/sbin:/bin/sync + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + halt:x:7:0:halt:/sbin:/sbin/halt + mail:x:8:12:mail:/var/spool/mail:/sbin/nologin + 
operator:x:11:0:operator:/root:/sbin/nologin + games:x:12:100:games:/usr/games:/sbin/nologin + ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin + nobody:x:99:99:Nobody:/:/sbin/nologin + systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin + dbus:x:81:81:System message bus:/:/sbin/nologin + lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash + tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin + provisionator:x:769:769:Lab provisioning user:/home/provisionator:/bin/bash + {{ user }}:x:{{ uid }}:{{ uid }}::/home/{{ user }}:/bin/bash + - apiVersion: v1 + kind: ConfigMap + metadata: + name: shadow + namespace: "{{ user_namespace }}" + data: + shadow: | + root:*:18000:0:99999:7::: + bin:*:18000:0:99999:7::: + daemon:*:18000:0:99999:7::: + adm:*:18000:0:99999:7::: + lp:*:18000:0:99999:7::: + sync:*:18000:0:99999:7::: + shutdown:*:18000:0:99999:7::: + halt:*:18000:0:99999:7::: + mail:*:18000:0:99999:7::: + operator:*:18000:0:99999:7::: + games:*:18000:0:99999:7::: + ftp:*:18000:0:99999:7::: + nobody:*:18000:0:99999:7::: + systemd-network:*:18000:0:99999:7::: + dbus:*:18000:0:99999:7::: + lsst_lcl:*:18000:0:99999:7::: + tss:*:18000:0:99999:7::: + provisionator:*:18000:0:99999:7::: + {{user}}:*:18000:0:99999:7::: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: dask + namespace: "{{ user_namespace }}" + data: + dask_worker.yml: | + {{ dask_yaml | indent(6) }} + # When we break out the resources we should make this per-instance + # configurable. + - apiVersion: v1 + kind: ConfigMap + metadata: + name: idds-config + namespace: "{{ user_namespace }}" + data: + idds_cfg.client.template: | + # Licensed under the Apache License, Version 2.0 (the "License"); + # You may not use this file except in compliance with the License. 
+ # You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 + # + # Authors: + # - Wen Guan, , 2020 + [common] + # if logdir is configured, idds will write to idds.log in this directory. + # else idds will go to stdout/stderr. + # With supervisord, it's good to write to stdout/stderr, then supervisord can manage and rotate logs. + # logdir = /var/log/idds + loglevel = INFO + [rest] + host = https://iddsserver.cern.ch:443/idds + #url_prefix = /idds + #cacher_dir = /tmp + cacher_dir = /data/idds + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "{{ user }}-serviceaccount" + namespace: "{{ user_namespace }}" + imagePullSecrets: + - name: pull-secret + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "{{ user }}-role" + namespace: "{{ user_namespace }}" + rules: + # cf https://kubernetes.dask.org/en/latest/kubecluster.html + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list"] + - apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "{{ user }}-rolebinding" + namespace: "{{ user_namespace }}" + roleRef: + apiGroup: rbac.authorization.k8s.io kind: Role - metadata: - name: "{{ user }}-role" - namespace: "{{ user_namespace }}" - rules: - # cf https://kubernetes.dask.org/en/latest/kubecluster.html - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["create", "delete", "get", "list", "watch"] - - apiGroups: [""] - resources: ["pods/log"] - verbs: ["get","list"] - - apiGroups: ["policy"] - resources: ["poddisruptionbudgets"] - verbs: ["create", "delete", "get", "list", "watch"] - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: "{{ user }}-rolebinding" - namespace: "{{ user_namespace }}" - roleRef: - 
apiGroup: rbac.authorization.k8s.io - kind: Role - name: "{{ user }}-role" - subjects: - - kind: ServiceAccount - name: "{{ user }}-serviceaccount" - namespace: "{{ user_namespace }}" - - apiVersion: ricoberger.de/v1alpha1 - kind: VaultSecret - metadata: - name: butler-secret - namespace: "{{ user_namespace }}" - spec: - path: "{{ butler_secret_path }}" - type: Opaque - - apiVersion: ricoberger.de/v1alpha1 - kind: VaultSecret - metadata: - name: pull-secret - namespace: "{{ user_namespace }}" - spec: - path: "{{ pull_secret_path }}" - type: kubernetes.io/dockerconfigjson - - apiVersion: v1 - kind: ResourceQuota - metadata: - name: user-quota + name: "{{ user }}-role" + subjects: + - kind: ServiceAccount + name: "{{ user }}-serviceaccount" namespace: "{{ user_namespace }}" - spec: - hard: - limits.cpu: 9 - limits.memory: 27Gi + - apiVersion: ricoberger.de/v1alpha1 + kind: VaultSecret + metadata: + name: butler-secret + namespace: "{{ user_namespace }}" + spec: + path: "{{ butler_secret_path }}" + type: Opaque + - apiVersion: ricoberger.de/v1alpha1 + kind: VaultSecret + metadata: + name: pull-secret + namespace: "{{ user_namespace }}" + spec: + path: "{{ pull_secret_path }}" + type: kubernetes.io/dockerconfigjson + - apiVersion: v1 + kind: ResourceQuota + metadata: + name: user-quota + namespace: "{{ user_namespace }}" + spec: + hard: + limits.cpu: 9 + limits.memory: 27Gi - vault_secret_path: "secret/k8s_operator/data.lsst.cloud/nublado2" +vault_secret_path: "secret/k8s_operator/data.lsst.cloud/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values-int.yaml b/services/nublado2/values-int.yaml index 4404a48bd3..f98588d3a3 100644 --- a/services/nublado2/values-int.yaml +++ b/services/nublado2/values-int.yaml 
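Review bot: The per-user Role in `user_resources_template` grants `create` and `delete` on `pods` in `{{ user_namespace }}`, the same namespace where the `butler-secret` and `pull-secret` VaultSecret objects are materialized, and pod creation alone is enough to mount any Secret there or to request `hostPath`/`privileged` even though no `secrets` verb is granted, so this template is only as safe as an admission policy that is not visible in the hunk. I'd add a comment above the `rules:` list such as `# pods:create here lets the SA mount butler-secret/pull-secret and request hostPath; the cluster's pod security admission must restrict what dask workers may do` and confirm such a policy is in place. Separately, the idds ConfigMap key is `idds_cfg.client.template` in this file while the data-int values use `idds.cfg.client.template` and point `IDDS_CONFIG` at the dotted name; this file sets no `IDDS_CONFIG`, so the mismatch is probably inert today, but aligning the key would avoid a surprise if PanDA support is enabled here later.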
@@ -1,47 +1,46 @@ -nublado2: - jupyterhub: - ingress: - hosts: ["lsst-lsp-int.ncsa.illinois.edu"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://lsst-lsp-int.ncsa.illinois.edu/login" - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:notebook¬ebook=true" +jupyterhub: + ingress: + hosts: ["lsst-lsp-int.ncsa.illinois.edu"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://lsst-lsp-int.ncsa.illinois.edu/login" + nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:notebook¬ebook=true" - config: - base_url: "https://lsst-lsp-int.ncsa.illinois.edu" - butler_secret_path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/butler-secret" - pull_secret_path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "NCSA-prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@NCSA-prod" - DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" - pinned_images: - - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended - name: Recommended - volumes: - - name: datasets - hostPath: - path: /lsstdata/user/precursor_data/datasets - - name: home - hostPath: - path: /lsstdata/user/staff/jhome - - name: project - hostPath: - path: /lsstdata/user/staff/project - - name: scratch - hostPath: - path: /lsstdata/user/staff/scratch - volume_mounts: - - name: datasets - mountPath: /datasets - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch +config: + base_url: "https://lsst-lsp-int.ncsa.illinois.edu" + butler_secret_path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/butler-secret" + pull_secret_path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" + lab_environment: + AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" + AUTO_REPO_BRANCH: 
"NCSA-prod" + AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@NCSA-prod" + DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" + pinned_images: + - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended + name: Recommended + volumes: + - name: datasets + hostPath: + path: /lsstdata/user/precursor_data/datasets + - name: home + hostPath: + path: /lsstdata/user/staff/jhome + - name: project + hostPath: + path: /lsstdata/user/staff/project + - name: scratch + hostPath: + path: /lsstdata/user/staff/scratch + volume_mounts: + - name: datasets + mountPath: /datasets + - name: home + mountPath: /home + - name: project + mountPath: /project + - name: scratch + mountPath: /scratch - vault_secret_path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/nublado2" +vault_secret_path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values-minikube.yaml b/services/nublado2/values-minikube.yaml index a824676526..36582e3cec 100644 --- a/services/nublado2/values-minikube.yaml +++ b/services/nublado2/values-minikube.yaml 
@@ -1,27 +1,26 @@ -nublado2: - jupyterhub: - debug: - enabled: true - ingress: - hosts: ["minikube.lsst.codes"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://minikube.lsst.codes/login" - config: - base_url: "https://minikube.lsst.codes" - butler_secret_path: "secret/k8s_operator/minikube.lsst.codes/butler-secret" - pull_secret_path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" - volumes: - - name: home - emptyDir: {} - volume_mounts: - - name: home - mountPath: /home +jupyterhub: + debug: + enabled: true + ingress: + hosts: ["minikube.lsst.codes"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://minikube.lsst.codes/login" +config: + base_url: "https://minikube.lsst.codes" + butler_secret_path: "secret/k8s_operator/minikube.lsst.codes/butler-secret" + pull_secret_path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" + lab_environment: + AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" + AUTO_REPO_BRANCH: "prod" + AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + volumes: + - name: home + emptyDir: {} + volume_mounts: + - name: home + mountPath: /home - vault_secret_path: "secret/k8s_operator/minikube.lsst.codes/nublado2" +vault_secret_path: "secret/k8s_operator/minikube.lsst.codes/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values-red-five.yaml b/services/nublado2/values-red-five.yaml index b406f4eeff..4c2ec2b90e 100644 --- a/services/nublado2/values-red-five.yaml +++ b/services/nublado2/values-red-five.yaml 
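Review bot: `AUTO_REPO_SPECS` (and the older `AUTO_REPO_URLS`/`AUTO_REPO_BRANCH` pair) pin the auto-cloned notebooks to `https://github.com/lsst-sqre/system-test@prod`, a mutable branch, so whatever is pushed to `prod` lands in every new lab without any review step on this side; for a minikube development environment that is a reasonable trade-off, but it is worth saying so. I'd add a comment above `lab_environment:` such as `# AUTO_REPO_* track a branch, not a commit; acceptable for dev, pin a SHA for anything user-facing`. The `debug.enabled: true` under `jupyterhub` would benefit from the same kind of dev-only note so it is not copied into a production values file.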
@@ -1,49 +1,48 @@ -nublado2: - jupyterhub: - debug: - enabled: true +jupyterhub: + debug: + enabled: true - ingress: - hosts: ["red-five.lsst.codes"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://red-five.lsst.codes/login" + ingress: + hosts: ["red-five.lsst.codes"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://red-five.lsst.codes/login" - config: - base_url: "https://red-five.lsst.codes" - butler_secret_path: "secret/k8s_operator/red-five.lsst.codes/butler-secret" - pull_secret_path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" - volumes: - - name: home - nfs: - path: /exports/home - server: 10.128.0.49 - - name: datasets - nfs: - path: /exports/datasets - server: 10.128.0.49 - - name: project - nfs: - path: /exports/project - server: 10.128.0.49 - - name: scratch - nfs: - path: /exports/scratch - server: 10.128.0.49 - volume_mounts: - - name: home - mountPath: /home - - name: datasets - mountPath: /datasets - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch +config: + base_url: "https://red-five.lsst.codes" + butler_secret_path: "secret/k8s_operator/red-five.lsst.codes/butler-secret" + pull_secret_path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" + lab_environment: + AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" + AUTO_REPO_BRANCH: "prod" + AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + volumes: + - name: home + nfs: + path: /exports/home + server: 10.128.0.49 + - name: datasets + nfs: + path: /exports/datasets + server: 10.128.0.49 + - name: project + nfs: + path: /exports/project + server: 10.128.0.49 + - name: scratch + nfs: + path: /exports/scratch + server: 10.128.0.49 + volume_mounts: + - name: home + mountPath: /home + - name: datasets + mountPath: /datasets + - 
name: project + mountPath: /project + - name: scratch + mountPath: /scratch - vault_secret_path: "secret/k8s_operator/red-five.lsst.codes/nublado2" +vault_secret_path: "secret/k8s_operator/red-five.lsst.codes/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values-roe.yaml b/services/nublado2/values-roe.yaml index ce312639c7..919ad4f472 100644 --- a/services/nublado2/values-roe.yaml +++ b/services/nublado2/values-roe.yaml 
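Review bot: The `datasets` NFS export from `10.128.0.49` is mounted read-write at `/datasets`, unlike the archive-style shares in values-summit which carry `readOnly: true`; unless labs on this deployment are expected to write into the dataset tree, I'd add `readOnly: true` to the `datasets` entry in `volume_mounts` so a stray `rm` or a notebook bug in one user's lab cannot alter shared data. The NFS server is referenced only by a bare IP with no comment; a one-line comment naming the host (values-summit uses DNS names such as `nfs1.cp.lsst.org`) would make the address auditable when the network is renumbered.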
@@ -1,46 +1,45 @@ -nublado2: - jupyterhub: - ingress: - hosts: ["rsp.lsst.ac.uk"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://rsp.lsst.ac.uk/login" - nginx.ingress.kubernetes.io/auth-url: "https://rsp.lsst.ac.uk/auth?scope=exec:notebook¬ebook=true" +jupyterhub: + ingress: + hosts: ["rsp.lsst.ac.uk"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://rsp.lsst.ac.uk/login" + nginx.ingress.kubernetes.io/auth-url: "https://rsp.lsst.ac.uk/auth?scope=exec:notebook¬ebook=true" - config: - base_url: "https://rsp.lsst.ac.uk" - butler_secret_path: "secret/k8s_operator/roe/butler-secret" - pull_secret_path: "secret/k8s_operator/roe/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" - pinned_images: - - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended - name: Recommended - volumes: - - name: datasets - hostPath: - path: /lsstdata/user/precursor_data/datasets - - name: home - hostPath: - path: /lsstdata/user/staff/jhome - - name: project - hostPath: - path: /lsstdata/user/staff/project - - name: scratch - hostPath: - path: /lsstdata/user/staff/scratch - volume_mounts: - - name: datasets - mountPath: /datasets - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch +config: + base_url: "https://rsp.lsst.ac.uk" + butler_secret_path: "secret/k8s_operator/roe/butler-secret" + pull_secret_path: "secret/k8s_operator/roe/pull-secret" + lab_environment: + AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" + AUTO_REPO_BRANCH: "prod" + AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + pinned_images: + - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended + name: Recommended + volumes: + - name: datasets + hostPath: + path: /lsstdata/user/precursor_data/datasets + - name: home + hostPath: + path: 
/lsstdata/user/staff/jhome + - name: project + hostPath: + path: /lsstdata/user/staff/project + - name: scratch + hostPath: + path: /lsstdata/user/staff/scratch + volume_mounts: + - name: datasets + mountPath: /datasets + - name: home + mountPath: /home + - name: project + mountPath: /project + - name: scratch + mountPath: /scratch - vault_secret_path: "secret/k8s_operator/roe/nublado2" +vault_secret_path: "secret/k8s_operator/roe/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values-stable.yaml b/services/nublado2/values-stable.yaml index bebeeaf375..358deb4a31 100644 --- a/services/nublado2/values-stable.yaml +++ b/services/nublado2/values-stable.yaml 
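Review bot: The `auth-url` annotation on the new side reads `scope=exec:notebook¬ebook=true`; this is most likely the page rendering `&notebook=true` as the `¬` entity, but if the committed file really contains `¬ebook` the query string is malformed and the auth endpoint never receives `notebook=true`, so it is worth confirming the raw file shows `scope=exec:notebook&notebook=true`. Beyond that, all four `hostPath` volumes are mounted read-write into user labs, including `/lsstdata/user/precursor_data/datasets`; I'd add `readOnly: true` to the `datasets` entry in `volume_mounts` unless labs are known to write there, and note in a comment that hostPath mounts rely on the cluster forbidding user-created hostPath pods.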
@@ -1,61 +1,60 @@ -nublado2: - jupyterhub: - ingress: - hosts: ["lsst-lsp-stable.ncsa.illinois.edu"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://lsst-lsp-stable.ncsa.illinois.edu/login" - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:notebook¬ebook=true" +jupyterhub: + ingress: + hosts: ["lsst-lsp-stable.ncsa.illinois.edu"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://lsst-lsp-stable.ncsa.illinois.edu/login" + nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:notebook¬ebook=true" - config: - base_url: "https://lsst-lsp-stable.ncsa.illinois.edu" - butler_secret_path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/butler-secret" - pull_secret_path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "NCSA-prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@NCSA-prod" - DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" - volumes: - - name: datasets - hostPath: - path: /lsstdata/user/precursor_data/datasets - - name: home - hostPath: - path: /lsstdata/user/staff/jhome - - name: project - hostPath: - path: /lsstdata/user/staff/project - - name: scratch - hostPath: - path: /lsstdata/user/staff/scratch - - name: teststand - hostPath: - path: /lsstdata/offline/teststand - - name: instrument - hostPath: - path: /lsstdata/offline/instrument - - name: repo - hostPath: - path: /repo - volume_mounts: - - name: datasets - mountPath: /datasets - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch - - name: teststand - mountPath: /lsstdata/offline/teststand - readOnly: true - - name: instrument - mountPath: /lsstdata/offline/instrument - readOnly: true - - name: repo - mountPath: /repo +config: + base_url: 
"https://lsst-lsp-stable.ncsa.illinois.edu" + butler_secret_path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/butler-secret" + pull_secret_path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" + lab_environment: + AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" + AUTO_REPO_BRANCH: "NCSA-prod" + AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@NCSA-prod" + DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" + volumes: + - name: datasets + hostPath: + path: /lsstdata/user/precursor_data/datasets + - name: home + hostPath: + path: /lsstdata/user/staff/jhome + - name: project + hostPath: + path: /lsstdata/user/staff/project + - name: scratch + hostPath: + path: /lsstdata/user/staff/scratch + - name: teststand + hostPath: + path: /lsstdata/offline/teststand + - name: instrument + hostPath: + path: /lsstdata/offline/instrument + - name: repo + hostPath: + path: /repo + volume_mounts: + - name: datasets + mountPath: /datasets + - name: home + mountPath: /home + - name: project + mountPath: /project + - name: scratch + mountPath: /scratch + - name: teststand + mountPath: /lsstdata/offline/teststand + readOnly: true + - name: instrument + mountPath: /lsstdata/offline/instrument + readOnly: true + - name: repo + mountPath: /repo - vault_secret_path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/nublado2" +vault_secret_path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml index 75f157635d..61d159608f 100644 --- a/services/nublado2/values-summit.yaml +++ b/services/nublado2/values-summit.yaml 
@@ -1,104 +1,103 @@ -nublado2: - jupyterhub: - ingress: - hosts: ["summit-lsp.lsst.codes"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://summit-lsp.lsst.codes/login" +jupyterhub: + ingress: + hosts: ["summit-lsp.lsst.codes"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://summit-lsp.lsst.codes/login" - singleuser: - extraAnnotations: - k8s.v1.cni.cncf.io/networks: "kube-system/macvlan-conf" - initContainers: - - name: "multus-init" - image: "lsstit/ddsnet4u:latest" - securityContext: - privileged: true + singleuser: + extraAnnotations: + k8s.v1.cni.cncf.io/networks: "kube-system/macvlan-conf" + initContainers: + - name: "multus-init" + image: "lsstit/ddsnet4u:latest" + securityContext: + privileged: true - config: - base_url: "https://summit-lsp.lsst.codes" - butler_secret_path: "secret/k8s_operator/summit-lsp.lsst.codes/butler-secret" - pull_secret_path: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" - DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" - LSST_DDS_INTERFACE: net1 - LSST_DDS_PARTITION_PREFIX: summit - volumes: - - name: home - nfs: - path: /jhome - server: nfs1.cp.lsst.org - - name: project - nfs: - path: /project - server: nfs1.cp.lsst.org - - name: scratch - nfs: - path: /scratch - server: nfs1.cp.lsst.org - - name: auxtel - nfs: - path: /lsstdata - server: auxtel-archiver.cp.lsst.org - readOnly: true - - name: comcam - nfs: - path: /lsstdata - server: comcam-archiver.cp.lsst.org - readOnly: true - - name: other - nfs: - path: /lsstdata - server: nfs1.cp.lsst.org - readOnly: true - - name: latiss - nfs: - path: /repo/LATISS - server: auxtel-archiver.cp.lsst.org - - name: base-auxtel - nfs: - path: /lsstdata/base/auxtel - server: auxtel-archiver.cp.lsst.org - readOnly: true - - name: lsstcomcam - nfs: - path: 
/repo/LSSTComCam - server: comcam-archiver.cp.lsst.org - - name: base-comcam - nfs: - path: /lsstdata/base/comcam - server: comcam-archiver.cp.lsst.org - readOnly: true - volume_mounts: - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch - - name: auxtel - mountPath: /readonly/lsstdata/auxtel +config: + base_url: "https://summit-lsp.lsst.codes" + butler_secret_path: "secret/k8s_operator/summit-lsp.lsst.codes/butler-secret" + pull_secret_path: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" + lab_environment: + AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" + AUTO_REPO_BRANCH: "prod" + AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" + LSST_DDS_INTERFACE: net1 + LSST_DDS_PARTITION_PREFIX: summit + volumes: + - name: home + nfs: + path: /jhome + server: nfs1.cp.lsst.org + - name: project + nfs: + path: /project + server: nfs1.cp.lsst.org + - name: scratch + nfs: + path: /scratch + server: nfs1.cp.lsst.org + - name: auxtel + nfs: + path: /lsstdata + server: auxtel-archiver.cp.lsst.org readOnly: true - - name: comcam - mountPath: /readonly/lsstdata/comcam + - name: comcam + nfs: + path: /lsstdata + server: comcam-archiver.cp.lsst.org readOnly: true - - name: other - mountPath: /readonly/lsstdata/other + - name: other + nfs: + path: /lsstdata + server: nfs1.cp.lsst.org readOnly: true - - name: latiss - mountPath: /repo/LATISS - - name: base-auxtel - mountPath: /data/lsstdata/base/auxtel + - name: latiss + nfs: + path: /repo/LATISS + server: auxtel-archiver.cp.lsst.org + - name: base-auxtel + nfs: + path: /lsstdata/base/auxtel + server: auxtel-archiver.cp.lsst.org readOnly: true - - name: lsstcomcam - mountPath: /repo/LSSTComCam - - name: base-comcam - mountPath: /data/lsstdata/base/comcam + - name: lsstcomcam + nfs: + path: /repo/LSSTComCam + server: comcam-archiver.cp.lsst.org + - name: base-comcam + nfs: + path: 
/lsstdata/base/comcam + server: comcam-archiver.cp.lsst.org readOnly: true + volume_mounts: + - name: home + mountPath: /home + - name: project + mountPath: /project + - name: scratch + mountPath: /scratch + - name: auxtel + mountPath: /readonly/lsstdata/auxtel + readOnly: true + - name: comcam + mountPath: /readonly/lsstdata/comcam + readOnly: true + - name: other + mountPath: /readonly/lsstdata/other + readOnly: true + - name: latiss + mountPath: /repo/LATISS + - name: base-auxtel + mountPath: /data/lsstdata/base/auxtel + readOnly: true + - name: lsstcomcam + mountPath: /repo/LSSTComCam + - name: base-comcam + mountPath: /data/lsstdata/base/comcam + readOnly: true - vault_secret_path: "secret/k8s_operator/summit-lsp.lsst.codes/nublado2" +vault_secret_path: "secret/k8s_operator/summit-lsp.lsst.codes/nublado2" pull-secret: enabled: true diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index 88f0b9b9fb..d578228cbb 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml 
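Review bot: The `multus-init` init container under `singleuser:` keeps `privileged: true` paired with the floating tag `image: "lsstit/ddsnet4u:latest"`, so the code that runs with full privileges in each lab pod is whatever the registry serves at pull time and cannot be tied to a reviewed version; the values-tucson-teststand.yaml hunk carries the same two lines. Pinning the tag, e.g. `image: "lsstit/ddsnet4u:<pinned-tag>"` (placeholder; ideally an `@sha256:` digest), makes the privileged image reproducible and auditable. These lines are carried over from the old nesting rather than introduced here, but the restructuring is a natural point to pin them.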
@@ -1,86 +1,85 @@ -nublado2: - jupyterhub: - ingress: - hosts: ["tucson-teststand.lsst.codes"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://tucson-teststand.lsst.codes/login" +jupyterhub: + ingress: + hosts: ["tucson-teststand.lsst.codes"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://tucson-teststand.lsst.codes/login" - singleuser: - extraAnnotations: - k8s.v1.cni.cncf.io/networks: "kube-system/misc-dds" - initContainers: - - name: "multus-init" - image: "lsstit/ddsnet4u:latest" - securityContext: - privileged: true + singleuser: + extraAnnotations: + k8s.v1.cni.cncf.io/networks: "kube-system/misc-dds" + initContainers: + - name: "multus-init" + image: "lsstit/ddsnet4u:latest" + securityContext: + privileged: true - config: - base_url: "https://tucson-teststand.lsst.codes" - butler_secret_path: "secret/k8s_operator/tucson-teststand.lsst.codes/butler-secret" - pull_secret_path: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" - DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" - LSST_DDS_INTERFACE: net1 - LSST_DDS_PARTITION_PREFIX: tucson - volumes: - - name: home - nfs: - path: /jhome - server: nfs-jhome.tu.lsst.org - - name: project - nfs: - path: /project - server: nfs-project.tu.lsst.org - - name: scratch - nfs: - path: /scratch - server: nfs-scratch.tu.lsst.org - - name: datasets - nfs: - path: /lsstdata - server: nfs-lsstdata.tu.lsst.org - - name: auxtel-butler - nfs: - path: /repo/LATISS - server: auxtel-archiver.tu.lsst.org - - name: auxtel-oods - nfs: - path: /lsstdata/TTS/auxtel - server: auxtel-archiver.tu.lsst.org - readOnly: true - - name: comcam-butler - nfs: - path: /repo/LSSTComCam - server: comcam-archiver.tu.lsst.org - - name: comcam-oods - nfs: - path: /lsstdata/TTS/comcam - server: comcam-archiver.tu.lsst.org - 
readOnly: true - volume_mounts: - - name: home - mountPath: /home - - name: datasets - mountPath: /datasets - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch - - name: auxtel-butler - mountPath: /repo/LATISS - - name: auxtel-oods - mountPath: /data/lsstdata/TTS/auxtel +config: + base_url: "https://tucson-teststand.lsst.codes" + butler_secret_path: "secret/k8s_operator/tucson-teststand.lsst.codes/butler-secret" + pull_secret_path: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" + lab_environment: + AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" + AUTO_REPO_BRANCH: "prod" + AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" + LSST_DDS_INTERFACE: net1 + LSST_DDS_PARTITION_PREFIX: tucson + volumes: + - name: home + nfs: + path: /jhome + server: nfs-jhome.tu.lsst.org + - name: project + nfs: + path: /project + server: nfs-project.tu.lsst.org + - name: scratch + nfs: + path: /scratch + server: nfs-scratch.tu.lsst.org + - name: datasets + nfs: + path: /lsstdata + server: nfs-lsstdata.tu.lsst.org + - name: auxtel-butler + nfs: + path: /repo/LATISS + server: auxtel-archiver.tu.lsst.org + - name: auxtel-oods + nfs: + path: /lsstdata/TTS/auxtel + server: auxtel-archiver.tu.lsst.org readOnly: true - - name: comcam-butler - mountPath: /repo/LSSTComCam - - name: comcam-oods - mountPath: /data/lsstdata/TTS/comcam + - name: comcam-butler + nfs: + path: /repo/LSSTComCam + server: comcam-archiver.tu.lsst.org + - name: comcam-oods + nfs: + path: /lsstdata/TTS/comcam + server: comcam-archiver.tu.lsst.org readOnly: true + volume_mounts: + - name: home + mountPath: /home + - name: datasets + mountPath: /datasets + - name: project + mountPath: /project + - name: scratch + mountPath: /scratch + - name: auxtel-butler + mountPath: /repo/LATISS + - name: auxtel-oods + mountPath: /data/lsstdata/TTS/auxtel + readOnly: true + - name: comcam-butler + mountPath: 
/repo/LSSTComCam + - name: comcam-oods + mountPath: /data/lsstdata/TTS/comcam + readOnly: true - vault_secret_path: "secret/k8s_operator/tucson-teststand.lsst.codes/nublado2" +vault_secret_path: "secret/k8s_operator/tucson-teststand.lsst.codes/nublado2" pull-secret: enabled: true From e9a1f98f04f5f95b016d58ee59d45f2a03972c7f Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 4 Apr 2022 11:31:13 -0700 Subject: [PATCH 0167/1479] hardcode nublado2-secret secret name --- services/nublado2/templates/nublado2-vault-secret.yaml | 2 +- services/nublado2/values.yaml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/services/nublado2/templates/nublado2-vault-secret.yaml b/services/nublado2/templates/nublado2-vault-secret.yaml index 4a33833efb..66a143d2e3 100644 --- a/services/nublado2/templates/nublado2-vault-secret.yaml +++ b/services/nublado2/templates/nublado2-vault-secret.yaml @@ -1,7 +1,7 @@ apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: - name: {{ .Values.vault_secret_name }} + name: "nublado2-secret" spec: path: {{ .Values.vault_secret_path }} type: Opaque diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 6f40171ab7..33a8f74a93 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -27,8 +27,7 @@ jupyterhub: baseUrl: "/nb" # Note: this has to match up with the kubernetes secret created by the # vault secret, and since you can't put templating in a values file, I'm - # just setting the name here, as well as in vault_secret_name, which - # should match. + # just setting the name here. existingSecret: "nublado2-secret" extraConfig: nublado.py: | @@ -474,7 +473,6 @@ config: type: kubernetes.io/dockerconfigjson # Note: See note above about existingSecret. -vault_secret_name: "nublado2-secret" vault_secret_path: "" # Built-in network policy doesn't quite work (Labs can't talk to Hub, From a583a8847c8e6ec620416d68b421ff18ca41fdc4 Mon Sep 17 00:00:00 2001 
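Review bot: With `metadata.name` now fixed to `"nublado2-secret"`, the only templated field left in the nublado2-vault-secret.yaml hunk is `path: {{ .Values.vault_secret_path }}`, which is emitted unquoted while the values.yaml hunk in the same commit keeps the default `vault_secret_path: ""`; an environment that forgets to override it renders an empty `path:` (YAML null) and a VaultSecret that cannot resolve, instead of a render-time error. `path: {{ required "vault_secret_path must be set" .Values.vault_secret_path | quote }}` would fail at `helm template` time instead. The VaultSecret spec may continue past the end of the hunk.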
From: adam Date: Mon, 4 Apr 2022 11:50:59 -0700 Subject: [PATCH 0168/1479] update versions
---
 services/telegraf-ds/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml
index 3d70f54e8e..a105ea7262 100644
--- a/services/telegraf-ds/Chart.yaml
+++ b/services/telegraf-ds/Chart.yaml
@@ -4,5 +4,5 @@ version: 1.0.0
 description: SQuaRE DaemonSet (K8s) telemetry collection service
 dependencies:
 - name: telegraf-ds
- version: 1.0.32
+ version: 1.0.33
 repository: https://helm.influxdata.com/
From 8d5e4e5aa37292909d9f52b997ecd2ea02a79fce Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 4 Apr 2022 19:57:46 +0000 Subject: [PATCH 0169/1479] Update helm values quay.io/influxdb/chronograf to v1.9.4
---
 services/sasquatch/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml
index 6e084f03fc..10d247d78d 100644
--- a/services/sasquatch/values.yaml
+++ b/services/sasquatch/values.yaml
@@ -60,7 +60,7 @@ chronograf:
 # -- Chronograf image tag.
 image:
 repository: "quay.io/influxdb/chronograf"
- tag: 1.9.3
+ tag: 1.9.4
 # -- Chronograf data persistence configuration.
 persistence:
 enabled: true
From d50a019256eef9cdc09e931b673a531c21878f1a Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 4 Apr 2022 20:26:45 +0000 Subject: [PATCH 0170/1479] Update Helm release influxdb to v4.10.7
---
 services/sasquatch/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml
index 6cac7dfb0d..649cd33d05 100644
--- a/services/sasquatch/Chart.yaml
+++ b/services/sasquatch/Chart.yaml
@@ -9,7 +9,7 @@ dependencies:
 version: 1.2.0
 repository: https://lsst-sqre.github.io/charts/
 - name: influxdb
- version: 4.10.6
+ version: 4.10.7
 repository: https://helm.influxdata.com/
 - name: kafka-connect-manager
 version: 1.0.0
From 1986b2f96c412853b5748975748855f36881fdc6 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Tue, 5 Apr 2022 16:48:29 -0700 Subject: [PATCH 0171/1479] Move Portal chart into Phalanx Move the current Portal chart into Phalanx and move data that can be injected via the application into globals and out of values. Add unlimited communication between Portal pods to the NetworkPolicy. --- .../templates/portal-application.yaml | 30 +++-- services/portal/.helmignore | 22 +++ services/portal/Chart.yaml | 10 +- services/portal/README.md | 53 ++++++++ services/portal/README.md.gotmpl | 9 ++ services/portal/templates/_helpers.tpl | 51 +++++++ services/portal/templates/deployment.yaml | 105 +++++++++++++++ services/portal/templates/ingress.yaml | 44 ++++++ services/portal/templates/networkpolicy.yaml | 29 ++++ .../portal/templates/redis-deployment.yaml | 76 +++++++++++ .../portal/templates/redis-networkpolicy.yaml | 26 ++++ services/portal/templates/redis-service.yaml | 15 +++ services/portal/templates/service.yaml | 14 ++ services/portal/templates/vault-secret.yaml | 19 +++ services/portal/values-base.yaml | 19 +-- services/portal/values-idfdev.yaml | 19 +-- services/portal/values-idfint.yaml | 31 ++--- services/portal/values-idfprod.yaml | 31 ++--- services/portal/values-int.yaml | 49 +++---- services/portal/values-minikube.yaml | 21 +-- services/portal/values-red-five.yaml | 19 +-- services/portal/values-roe.yaml | 19 +-- services/portal/values-stable.yaml | 49 +++---- services/portal/values-summit.yaml | 19 +-- services/portal/values-tucson-teststand.yaml | 19 +-- services/portal/values.yaml | 125 ++++++++++++++++++ 26 files changed, 686 insertions(+), 237 deletions(-) create mode 100644 services/portal/.helmignore create mode 100644 services/portal/README.md create mode 100644 services/portal/README.md.gotmpl create mode 100644 services/portal/templates/_helpers.tpl create mode 100644 services/portal/templates/deployment.yaml create mode 100644 services/portal/templates/ingress.yaml create mode 100644 
services/portal/templates/networkpolicy.yaml
create mode 100644 services/portal/templates/redis-deployment.yaml
create mode 100644 services/portal/templates/redis-networkpolicy.yaml
create mode 100644 services/portal/templates/redis-service.yaml
create mode 100644 services/portal/templates/service.yaml
create mode 100644 services/portal/templates/vault-secret.yaml
create mode 100644 services/portal/values.yaml
diff --git a/science-platform/templates/portal-application.yaml b/science-platform/templates/portal-application.yaml
index 0ad1c88f50..dcee34ec82 100644
--- a/science-platform/templates/portal-application.yaml
+++ b/science-platform/templates/portal-application.yaml
@@ -2,25 +2,33 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: portal
+ name: "portal"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
- name: portal
- namespace: argocd
+ name: "portal"
+ namespace: "argocd"
 finalizers:
- - resources-finalizer.argocd.argoproj.io
+ - "resources-finalizer.argocd.argoproj.io"
 spec:
 destination:
- namespace: portal
- server: https://kubernetes.default.svc
- project: default
+ namespace: "portal"
+ server: "https://kubernetes.default.svc"
+ project: "default"
 source:
- path: services/portal
- repoURL: {{ .Values.repoURL }}
- targetRevision: {{ .Values.revision }}
+ path: "services/portal"
+ repoURL: {{ .Values.repoURL | quote }}
+ targetRevision: {{ .Values.revision | quote }}
 helm:
+ parameters:
+ - name: "globals.host"
+ value: {{ .Values.fqdn | quote }}
+ - name: "globals.baseUrl"
+ value: "https://{{ .Values.fqdn }}"
+ - name: "globals.vaultSecretsPath"
+ value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
- - values-{{ .Values.environment }}.yaml
+ - "values.yaml"
+ - "values-{{ .Values.environment }}.yaml"
 {{- end -}}
diff --git a/services/portal/.helmignore b/services/portal/.helmignore
new file mode 100644
index 0000000000..50af031725
--- /dev/null
+++ b/services/portal/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml
index 9ad890e5b3..7c08e8aa8f 100644
--- a/services/portal/Chart.yaml
+++ b/services/portal/Chart.yaml
@@ -1,10 +1,6 @@
 apiVersion: v2
 name: portal
 version: 1.0.0
-dependencies:
- - name: portal
- version: 0.4.1
- repository: https://lsst-sqre.github.io/charts/
- - name: pull-secret
- version: 0.1.2
- repository: https://lsst-sqre.github.io/charts/
+description: "Rubin Science Platform portal aspect"
+home: "https://github.com/lsst/suit"
+appVersion: "suit-233-7-dev"
diff --git a/services/portal/README.md b/services/portal/README.md
new file mode 100644
index 0000000000..1ff592a7c5
--- /dev/null
+++ b/services/portal/README.md
@@ -0,0 +1,53 @@
+# portal
+
+![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![AppVersion: suit-233-7-dev](https://img.shields.io/badge/AppVersion-suit--233--7--dev-informational?style=flat-square)
+
+Rubin Science Platform portal aspect
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| cbanek | | |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity rules for the Portal pod |
+| config.cleanupInterval | string | `"36h"` | How long results should be retained before being deleted |
+| config.debug | string | `"FALSE"` | Set to `TRUE` to enable service debugging |
+| config.visualizeFitsSearchPath | string | `"/datasets"` | Search path for FITS files |
+| config.volumes.configHostPath | string | Use an `emptyDir` | hostPath to mount as configuration. Set either this of `configNfs`, not both. |
+| config.volumes.configNfs | object | Use an `emptyDir` | NFS information for a configuration. If set, must have keys for path and server, Set either this of `configHostPath`, not both. |
+| config.volumes.workareaHostPath | string | Use an `emptyDir` | hostPath to mount as a shared work area. Set either this or `workareaNfs`, not both. |
+| config.volumes.workareaNfs | object | Use an `emptyDir` | NFS information for a shared work area. If set, must have keys for path and server. Set either this or `workareaHostPath`, not both. 
|
+| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) |
+| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Portal image |
+| image.repository | string | `"ipac/suit"` | Portal image to use |
+| image.tag | string | The appVersion of the chart | Tag of Portal image to use |
+| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls |
+| ingress.annotations | object | `{}` | Additional annotations to add to the ingress |
+| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=portal&delegate_scope=read:tap"` | Gafaelfawr auth query string |
+| ingress.host | string | None, must be set | Hostname for the ingress |
+| nameOverride | string | `""` | Override the base name for resources |
+| nodeSelector | object | `{}` | Node selector rules for the Portal pod |
+| podAnnotations | object | `{}` | Annotations for the Portal pod |
+| redis.affinity | object | `{}` | Affinity rules for the Redis pod |
+| redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image |
+| redis.image.repository | string | `"redis"` | Redis image to use |
+| redis.image.tag | string | `"6.2.6"` | Redis image tag to use |
+| redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod |
+| redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod |
+| redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests |
+| redis.tolerations | list | `[]` | Tolerations for the Redis pod |
+| replicaCount | int | `1` | Number of pods to start |
+| resources | object | `{"limits":{"cpu":2,"memory":"6Gi"}}` | Resource limits and requests. The Portal will use (by default) 93% of container RAM. This is a smallish Portal; tweak it as you need to in instance definitions in Phalanx. 
|
+| securityContext | object | `{}` | Security context for the Portal pod |
+| tolerations | list | `[]` | Tolerations for the Portal pod |
+| vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//portal`, for example) |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
diff --git a/services/portal/README.md.gotmpl b/services/portal/README.md.gotmpl
new file mode 100644
index 0000000000..4531459bbb
--- /dev/null
+++ b/services/portal/README.md.gotmpl
@@ -0,0 +1,9 @@
+{{ template "chart.header" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}
diff --git a/services/portal/templates/_helpers.tpl b/services/portal/templates/_helpers.tpl
new file mode 100644
index 0000000000..114b6681fe
--- /dev/null
+++ b/services/portal/templates/_helpers.tpl
@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "portal.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "portal.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "portal.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "portal.labels" -}}
+helm.sh/chart: {{ include "portal.chart" . }}
+{{ include "portal.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "portal.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "portal.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml
new file mode 100644
index 0000000000..faa44d8df6
--- /dev/null
+++ b/services/portal/templates/deployment.yaml
@@ -0,0 +1,105 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "portal.fullname" . }}
+ labels:
+ {{- include "portal.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "portal.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "firefly"
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "portal.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: "firefly"
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - name: "firefly"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: "MANAGER"
+ value: "TRUE"
+ - name: "ADMIN_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "portal.fullname" . }}-secret
+ key: "ADMIN_PASSWORD"
+ - name: "REDIS_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "portal.fullname" . }}-secret
+ key: "ADMIN_PASSWORD"
+ - name: "FIREFLY_OPTS"
+ value: "-Dredis.host={{ include "portal.fullname" . }}-redis -Dsso.req.auth.hosts={{ .Values.globals.host }}"
+ - name: "SERVER_CONFIG_DIR"
+ value: "/firefly/config"
+ - name: "CLEANUP_INTERVAL"
+ value: "{{ .Values.config.cleanupInterval }}"
+ - name: VISUALIZE_FITS_SEARCH_PATH
+ value: "{{ .Values.config.visualizeFitsSearchPath }}"
+ - name: DEBUG
+ value: "{{ .Values.config.debug }}"
+ ports:
+ - containerPort: 8080
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: "/firefly/shared-workarea"
+ name: "firefly-shared-workarea"
+ - mountPath: "/firefly/config"
+ name: "firefly-config"
+ readOnly: true
+ imagePullSecrets:
+ - name: "pull-secret"
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: "firefly-shared-workarea"
+ {{- if .Values.config.volumes.workareaHostPath }}
+ hostPath:
+ path: {{ .Values.config.volumes.workareaHostPath | quote }}
+ type: "Directory"
+ {{- else if .Values.config.volumes.workareaNfs }}
+ nfs:
+ path: {{ .Values.config.volumes.workareaNfs.path | quote }}
+ server: {{ .Values.config.volumes.workareaNfs.server | quote }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ - name: "firefly-config"
+ {{- if .Values.config.volumes.configHostPath }}
+ hostPath:
+ path: {{ .Values.config.volumes.configHostPath | quote }}
+ type: "Directory"
+ {{- else if .Values.config.volumes.configNfs }}
+ nfs:
+ path: {{ .Values.config.volumes.configNfs.path | quote }}
+ server: {{ .Values.config.volumes.configNfs.server | quote }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/services/portal/templates/ingress.yaml b/services/portal/templates/ingress.yaml
new file mode 100644
index 0000000000..1e550b2d3b
--- /dev/null
+++ b/services/portal/templates/ingress.yaml
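Review bot: `imagePullSecrets` is hardcoded to `- name: "pull-secret"` in the Portal pod spec, whereas the redis-deployment.yaml hunk renders it from `.Values.imagePullSecrets` and the README hunk documents that value (`imagePullSecrets | list | []`), so the Portal pod ignores the documented value and always references a secret named pull-secret. Using the same `{{- with .Values.imagePullSecrets }}` block as Redis keeps the two deployments consistent (rewrite below). Separately, `REDIS_PASSWORD` is read from the same `ADMIN_PASSWORD` key as the admin credential, so the Redis password and the Firefly admin password are necessarily identical and cannot be rotated independently; a distinct `REDIS_PASSWORD` key in the secret would decouple them. Two env entries (`- name: VISUALIZE_FITS_SEARCH_PATH`, `- name: DEBUG`) are also unquoted while every other `name:` in the list is quoted.
```yaml
      # … unchanged: containers / volumeMounts …
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # … unchanged: securityContext, volumes, scheduling …
```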
@@ -0,0 +1,44 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "portal.fullname" . }}
+ labels:
+ {{- include "portal.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/affinity: "cookie"
+ nginx.ingress.kubernetes.io/proxy-body-size: "0m"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "24k"
+ nginx.ingress.kubernetes.io/client-header-buffer-size: "24k"
+ nginx.ingress.kubernetes.io/rewrite-target: "/suit$1$2"
+ nginx.ingress.kubernetes.io/proxy-redirect-from: "/suit/"
+ nginx.ingress.kubernetes.io/proxy-redirect-to: "/portal/app/"
+ nginx.ingress.kubernetes.io/proxy-cookie-path: "/suit /portal/app"
+ nginx.ingress.kubernetes.io/session-cookie-path: "/portal/app"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header X-Forwarded-Path /firefly;
+ {{- if .Values.ingress.gafaelfawrAuthQuery }}
+ nginx.ingress.kubernetes.io/auth-method: "GET"
+ nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token"
+ nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login"
+ nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}"
+ {{- end }}
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ rules:
+ - host: {{ required "globals.host must be set" .Values.globals.host | quote }}
+ http:
+ paths:
+ - path: "/portal/app(/|$)(.*)"
+ pathType: "ImplementationSpecific"
+ backend:
+ service:
+ name: {{ include "portal.fullname" . }}
+ port:
+ number: 8080
diff --git a/services/portal/templates/networkpolicy.yaml b/services/portal/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..c0b85c662c
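Review bot: The Gafaelfawr `auth-url`/`auth-signin` annotations are wrapped in `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, so an environment that sets `ingress.gafaelfawrAuthQuery` to an empty string silently renders an Ingress for `/portal/app` with no authentication instead of failing. If an unauthenticated Portal is never intended, `{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}` in the `auth-url` line (and dropping the conditional) makes that explicit, mirroring the `required` already used for `globals.host`. `kubernetes.io/ingress.class: "nginx"` is the deprecated annotation form for a `networking.k8s.io/v1` Ingress; `spec.ingressClassName: "nginx"` is the current equivalent. `proxy-body-size: "0m"` also removes the request-body size cap for this path; if large uploads are needed, a finite, documented limit in values.yaml would bound the resource use per request.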
--- /dev/null
+++ b/services/portal/templates/networkpolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "portal.fullname" . }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "portal.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "firefly"
+ policyTypes:
+ - "Ingress"
+ ingress:
+ # Allow inbound access from pods (in any namespace) labeled
+ # gafaelfawr.lsst.io/ingress: true.
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ gafaelfawr.lsst.io/ingress: "true"
+ ports:
+ - protocol: "TCP"
+ port: 8080
+ # Allow all traffic between the Portal pods. They talk to each other on
+ # random ports to synchronize requests.
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "portal.selectorLabels" . | nindent 14 }}
+ app.kubernetes.io/component: "firefly"
diff --git a/services/portal/templates/redis-deployment.yaml b/services/portal/templates/redis-deployment.yaml
new file mode 100644
index 0000000000..2e8da8e6b4
--- /dev/null
+++ b/services/portal/templates/redis-deployment.yaml
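Review bot: The first ingress rule combines `namespaceSelector: {}` with a pod label match on `gafaelfawr.lsst.io/ingress: "true"`, so any pod in any namespace that carries that label can reach port 8080 directly, without passing through the Gafaelfawr-protected Ingress; whether that is acceptable depends on who may set labels in other namespaces, which is not visible here. If the Gafaelfawr-fronted ingress controller lives in a known namespace, narrowing `namespaceSelector` to that namespace by label would shrink the trust boundary to the intended hop. Unlike the other templates in this commit, this NetworkPolicy's `metadata` also omits `labels: {{- include "portal.labels" . | nindent 4 }}`, which redis-networkpolicy.yaml includes.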
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "portal.fullname" . }}-redis
+ labels:
+ {{- include "portal.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "portal.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "redis"
+ template:
+ metadata:
+ {{- with .Values.redis.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "portal.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: "redis"
+ spec:
+ automountServiceAccountToken: false
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ fsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ runAsGroup: 999
+ containers:
+ - name: "redis"
+ image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}"
+ imagePullPolicy: {{ .Values.redis.image.pullPolicy | quote }}
+ args:
+ - "redis-server"
+ - "--requirepass"
+ - "$(REDIS_PASSWORD)"
+ env:
+ - name: "REDIS_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "portal.fullname" . }}-secret
+ key: "ADMIN_PASSWORD"
+ ports:
+ - containerPort: 6379
+ {{- with .Values.redis.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "all"
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: "data"
+ mountPath: "/data"
+ volumes:
+ - name: "data"
+ emptyDir: {}
+ {{- with .Values.redis.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.redis.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.redis.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/services/portal/templates/redis-networkpolicy.yaml b/services/portal/templates/redis-networkpolicy.yaml
new file mode 100644
index 0000000000..56d8372d53
--- /dev/null
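Review bot: `args: - "redis-server" - "--requirepass" - "$(REDIS_PASSWORD)"` has the kubelet expand the Secret into the redis-server command line, so the plaintext password is readable from the container's process table and the node's `/proc/<pid>/cmdline`, which undercuts the effort of sourcing it from `secretKeyRef`. Keep the `REDIS_PASSWORD` env var but pass the directive as configuration instead: `redis-server -` reads its config from stdin, so a small wrapper that writes `requirepass $REDIS_PASSWORD` into it, or a config file projected from the same Secret, keeps the password out of argv. The rest of the pod spec is in good shape — `automountServiceAccountToken: false`, non-root `999` ids, `readOnlyRootFilesystem: true` with only `/data` writable, and `emptyDir` for data so nothing persists across restarts; a comment on the `volumes` entry noting that non-persistence is intentional would prevent someone "fixing" it with a PVC.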
+++ b/services/portal/templates/redis-networkpolicy.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "portal.fullname" . }}-redis
+ labels:
+ {{- include "portal.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ # This policy controls inbound and outbound access to the Redis component.
+ matchLabels:
+ {{- include "portal.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "redis"
+ policyTypes:
+ - Ingress
+ # Deny all outbound access; Redis doesn't need to talk to anything.
+ - Egress
+ ingress:
+ # Allow inbound access to Redis from all other components.
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "portal.selectorLabels" . | nindent 14 }}
+ app.kubernetes.io/component: "firefly"
+ ports:
+ - protocol: "TCP"
+ port: 6379
diff --git a/services/portal/templates/redis-service.yaml b/services/portal/templates/redis-service.yaml
new file mode 100644
index 0000000000..8a2d9113fd
--- /dev/null
+++ b/services/portal/templates/redis-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "portal.fullname" . }}-redis
+ labels:
+ {{- include "portal.labels" . | nindent 4 }}
+spec:
+ type: "ClusterIP"
+ ports:
+ - protocol: "TCP"
+ port: 6379
+ targetPort: 6379
+ selector:
+ {{- include "portal.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "redis"
diff --git a/services/portal/templates/service.yaml b/services/portal/templates/service.yaml
new file mode 100644
index 0000000000..c4ac3dedbf
--- /dev/null
+++ b/services/portal/templates/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "portal.fullname" . }}
+ labels:
+ {{- include "portal.labels" . | nindent 4 }}
+spec:
+ type: "ClusterIP"
+ ports:
+ - protocol: "TCP"
+ port: 8080
+ targetPort: 8080
+ selector:
+ {{- include "portal.selectorLabels" . | nindent 4 }}
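Review bot: The comment `# Allow inbound access to Redis from all other components.` overstates the rule under it, which only admits pods labelled `app.kubernetes.io/component: "firefly"`; rewrite it as `# Allow inbound access to Redis only from the Firefly pods.` so the comment matches the selector, since the narrower rule is the security property worth preserving. The `Egress` entry in `policyTypes` with no `egress` rules does deny all outbound traffic from Redis, including DNS, which is what the adjacent comment says is intended. Style: this template uses `template "portal.fullname"` and unquoted `- Ingress`/`- Egress`, while networkpolicy.yaml and the other templates in this commit use `include` and quoted `"Ingress"`; settling on one form keeps the chart consistent.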
diff --git a/services/portal/templates/vault-secret.yaml b/services/portal/templates/vault-secret.yaml new file mode 100644 index 0000000000..2263ca5c92 --- /dev/null +++ b/services/portal/templates/vault-secret.yaml @@ -0,0 +1,19 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ template "portal.fullname" . }}-secret + labels: + {{- include "portal.labels" . | nindent 4 }} +spec: + path: "{{ .Values.globals.vaultSecretsPath }}/portal" + type: "Opaque" +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: "pull-secret" + labels: + {{- include "portal.labels" . | nindent 4 }} +spec: + path: "{{ .Values.globals.vaultSecretsPath }}/pull-secret" + type: "kubernetes.io/dockerconfigjson" diff --git a/services/portal/values-base.yaml b/services/portal/values-base.yaml index f06de47899..30b83cac99 100644 --- a/services/portal/values-base.yaml +++ b/services/portal/values-base.yaml @@ -1,16 +1,3 @@ -portal: - imagePullSecrets: - - name: "pull-secret" - - ingress: - host: "base-lsp.lsst.codes" - - resources: - limits: - memory: "32Gi" - - vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes/portal" - -pull-secret: - enabled: true - path: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" +resources: + limits: + memory: "32Gi" diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index 036661e7ba..2451c233b2 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -1,16 +1,3 @@ -portal: - imagePullSecrets: - - name: "pull-secret" - - ingress: - host: "data-dev.lsst.cloud" - - resources: - limits: - memory: "8Gi" - - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/portal" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" +resources: + limits: + memory: "8Gi" diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 23b3b1f51e..bbff39a615 100644 
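Review bot: `path: "{{ .Values.globals.vaultSecretsPath }}/portal"` renders as `"/portal"` when `globals.vaultSecretsPath` is left at its empty default, so a missing Argo CD parameter yields a VaultSecret pointing at a wrong Vault path rather than a render failure, whereas ingress.yaml guards `globals.host` with `required`. Apply the same guard in both documents: `path: "{{ required "globals.vaultSecretsPath must be set" .Values.globals.vaultSecretsPath }}/portal"` and the matching `/pull-secret` line. The per-environment `pull-secret.path` and `vaultSecretsPath` values removed from values-base.yaml and values-idfdev.yaml in the following hunks were the only explicit settings of these paths, which is why the injected global now needs to be validated.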
--- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -1,24 +1,11 @@ -portal: - replicaCount: 4 +replicaCount: 4 - imagePullSecrets: - - name: "pull-secret" +config: + volumes: + workareaNfs: + path: "/share1/home/firefly/shared-workarea" + server: "10.22.240.130" - config: - volumes: - workareaNfs: - path: "/share1/home/firefly/shared-workarea" - server: "10.22.240.130" - - ingress: - host: "data-int.lsst.cloud" - - resources: - limits: - memory: "30Gi" - - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/portal" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" +resources: + limits: + memory: "30Gi" diff --git a/services/portal/values-idfprod.yaml b/services/portal/values-idfprod.yaml index 645ecdbb52..d3325ec38f 100644 --- a/services/portal/values-idfprod.yaml +++ b/services/portal/values-idfprod.yaml @@ -1,24 +1,11 @@ -portal: - replicaCount: 4 +replicaCount: 4 - imagePullSecrets: - - name: "pull-secret" +config: + volumes: + workareaNfs: + path: "/share1/home/firefly/shared-workarea" + server: "10.13.105.122" - config: - volumes: - workareaNfs: - path: "/share1/home/firefly/shared-workarea" - server: "10.13.105.122" - - ingress: - host: "data.lsst.cloud" - - resources: - limits: - memory: "30Gi" - - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/portal" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" +resources: + limits: + memory: "30Gi" diff --git a/services/portal/values-int.yaml b/services/portal/values-int.yaml index a26d7c64fa..5efe67737b 100644 --- a/services/portal/values-int.yaml +++ b/services/portal/values-int.yaml 
@@ -1,36 +1,23 @@ -portal: - replicaCount: 2 +replicaCount: 2 - imagePullSecrets: - - name: "pull-secret" +config: + volumes: + workareaHostPath: "/sui/firefly/workarea" + configHostPath: "/sui/firefly/config" - config: - volumes: - workareaHostPath: "/sui/firefly/workarea" - configHostPath: "/sui/firefly/config" +nodeSelector: + environment: "portal-int" - ingress: - host: "lsst-lsp-int.ncsa.illinois.edu" +tolerations: + - effect: "NoSchedule" + key: "dedicated" + operator: "Equal" + value: "portal" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/portal" +resources: + limits: + memory: "24Gi" - nodeSelector: - environment: "portal-int" - - tolerations: - - effect: "NoSchedule" - key: "dedicated" - operator: "Equal" - value: "portal" - - resources: - limits: - memory: "24Gi" - - securityContext: - runAsUser: 101 - runAsGroup: 102 - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" +securityContext: + runAsUser: 101 + runAsGroup: 102 diff --git a/services/portal/values-minikube.yaml b/services/portal/values-minikube.yaml index 6b99598f1f..2592098cb3 100644 --- a/services/portal/values-minikube.yaml +++ b/services/portal/values-minikube.yaml @@ -1,17 +1,4 @@ -portal: - imagePullSecrets: - - name: "pull-secret" - - ingress: - host: "minikube.lsst.codes" - - resources: - limits: - cpu: 0.3 - memory: "2Gi" - - vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/portal" - -pull-secret: - enabled: true - path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" +resources: + limits: + cpu: 0.3 + memory: "2Gi" diff --git a/services/portal/values-red-five.yaml b/services/portal/values-red-five.yaml index dafb966e71..2451c233b2 100644 --- a/services/portal/values-red-five.yaml +++ b/services/portal/values-red-five.yaml 
@@ -1,16 +1,3 @@ -portal: - imagePullSecrets: - - name: "pull-secret" - - ingress: - host: "red-five.lsst.codes" - - resources: - limits: - memory: "8Gi" - - vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/portal" - -pull-secret: - enabled: true - path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" +resources: + limits: + memory: "8Gi" diff --git a/services/portal/values-roe.yaml b/services/portal/values-roe.yaml index ffd2df4681..2451c233b2 100644 --- a/services/portal/values-roe.yaml +++ b/services/portal/values-roe.yaml @@ -1,16 +1,3 @@ -portal: - imagePullSecrets: - - name: "pull-secret" - - ingress: - host: "rsp.lsst.ac.uk" - - resources: - limits: - memory: "8Gi" - - vaultSecretsPath: "secret/k8s_operator/roe/portal" - -pull-secret: - enabled: true - path: "secret/k8s_operator/roe/pull-secret" +resources: + limits: + memory: "8Gi" diff --git a/services/portal/values-stable.yaml b/services/portal/values-stable.yaml index cdf40d791f..1b2a815b15 100644 --- a/services/portal/values-stable.yaml +++ b/services/portal/values-stable.yaml 
@@ -1,36 +1,23 @@ -portal: - replicaCount: 2 +replicaCount: 2 - imagePullSecrets: - - name: "pull-secret" +config: + volumes: + workareaHostPath: "/sui/firefly/workarea" + configHostPath: "/sui/firefly/config" - config: - volumes: - workareaHostPath: "/sui/firefly/workarea" - configHostPath: "/sui/firefly/config" +nodeSelector: + environment: "portal-stable" - ingress: - host: "lsst-lsp-stable.ncsa.illinois.edu" +tolerations: + - effect: "NoSchedule" + key: "dedicated" + operator: "Equal" + value: "portal" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/portal" +resources: + limits: + memory: "24Gi" - nodeSelector: - environment: "portal-stable" - - tolerations: - - effect: "NoSchedule" - key: "dedicated" - operator: "Equal" - value: "portal" - - resources: - limits: - memory: "24Gi" - - securityContext: - runAsUser: 101 - runAsGroup: 102 - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" +securityContext: + runAsUser: 101 + runAsGroup: 102 diff --git a/services/portal/values-summit.yaml b/services/portal/values-summit.yaml index 21c2c44c98..30b83cac99 100644 --- a/services/portal/values-summit.yaml +++ b/services/portal/values-summit.yaml @@ -1,16 +1,3 @@ -portal: - imagePullSecrets: - - name: "pull-secret" - - ingress: - host: "summit-lsp.lsst.codes" - - resources: - limits: - memory: "32Gi" - - vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes/portal" - -pull-secret: - enabled: true - path: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" +resources: + limits: + memory: "32Gi" diff --git a/services/portal/values-tucson-teststand.yaml b/services/portal/values-tucson-teststand.yaml index 8928375b56..30b83cac99 100644 --- a/services/portal/values-tucson-teststand.yaml +++ b/services/portal/values-tucson-teststand.yaml 
@@ -1,16 +1,3 @@ -portal: - imagePullSecrets: - - name: "pull-secret" - - ingress: - host: "tucson-teststand.lsst.codes" - - resources: - limits: - memory: "32Gi" - - vaultSecretsPath: "secret/k8s_operator/tucson-teststand.lsst.codes/portal" - -pull-secret: - enabled: true - path: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" +resources: + limits: + memory: "32Gi" diff --git a/services/portal/values.yaml b/services/portal/values.yaml new file mode 100644 index 0000000000..92d5ad41c7 --- /dev/null +++ b/services/portal/values.yaml 
@@ -0,0 +1,125 @@ +# Default values for the Portal Aspect. + +# -- Number of pods to start +replicaCount: 1 + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +image: + # -- Portal image to use + repository: "ipac/suit" + + # -- Pull policy for the Portal image + pullPolicy: "IfNotPresent" + + # -- Tag of Portal image to use + # @default -- The appVersion of the chart + tag: "" + +ingress: + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" + + # -- Additional annotations to add to the ingress + annotations: {} + +# -- Resource limits and requests. The Portal will use (by default) 93% of +# container RAM. This is a smallish Portal; tweak it as you need to in +# instance definitions in Phalanx. +resources: + limits: + cpu: 2.0 + memory: "6Gi" + +# -- Annotations for the Portal pod +podAnnotations: {} + +# -- Node selector rules for the Portal pod +nodeSelector: {} + +# -- Tolerations for the Portal pod +tolerations: [] + +# -- Affinity rules for the Portal pod +affinity: {} + +# -- Security context for the Portal pod +securityContext: {} + +config: + # -- Set to `TRUE` to enable service debugging + debug: "FALSE" + + # -- How long results should be retained before being deleted + cleanupInterval: "36h" + + # -- Search path for FITS files + visualizeFitsSearchPath: "/datasets" + + volumes: + # -- hostPath to mount as a shared work area. Set either this or + # `workareaNfs`, not both. + # @default -- Use an `emptyDir` + workareaHostPath: "" + + # -- NFS information for a shared work area. If set, must have keys for + # path and server. Set either this or `workareaHostPath`, not both. + # @default -- Use an `emptyDir` + workareaNfs: {} + + # -- hostPath to mount as configuration. Set either this of + # `configNfs`, not both. 
+ # @default -- Use an `emptyDir` + configHostPath: "" + + # -- NFS information for a configuration. If set, must have keys for path + # and server, Set either this of `configHostPath`, not both. + # @default -- Use an `emptyDir` + configNfs: {} + +redis: + image: + # -- Redis image to use + repository: "redis" + + # -- Redis image tag to use + tag: "6.2.6" + + # -- Pull policy for the Redis image + pullPolicy: "IfNotPresent" + + # -- Resource limits and requests + resources: + limits: + memory: "20Mi" + + # -- Pod annotations for the Redis pod + podAnnotations: {} + + # -- Node selection rules for the Redis pod + nodeSelector: {} + + # -- Tolerations for the Redis pod + tolerations: [] + + # -- Affinity rules for the Redis pod + affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +globals: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From 1fdc41c8756179bcf435fcb78329066ccbfbbe8d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 6 Apr 2022 00:41:15 +0000 Subject: [PATCH 0172/1479] Update Helm release telegraf-ds to v1.0.34 --- services/telegraf-ds/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml index a105ea7262..b94d21e69f 100644 --- a/services/telegraf-ds/Chart.yaml +++ b/services/telegraf-ds/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.0 description: SQuaRE DaemonSet (K8s) telemetry collection service dependencies: - name: telegraf-ds - version: 1.0.33 + version: 1.0.34 repository: https://helm.influxdata.com/ From 2e83d8f6a49116e49ff14027d14263ac12601b41 Mon Sep 17 00:00:00 2001 
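Review bot: Two wording defects in the `config.volumes` comments, which helm-docs copies verbatim into the README: `Set either this of \`configNfs\`` and `Set either this of \`configHostPath\`` should read `or`, and `must have keys for path and server, Set` needs a period rather than a comma. The continuation line `\`configNfs\`, not both.` shows no leading `#` in this view; if the file really reads that way values.yaml is not valid YAML, so please confirm the line starts with `#`. Separately, `redis.image.tag: "6.2.6"` pins a mutable tag; a comment stating how it is kept current (Renovate, as for the Helm dependencies elsewhere in this series, if that is the plan) or a digest pin would make the supply-chain posture explicit.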
From: Russ Allbery Date: Tue, 5 Apr 2022 16:48:29 -0700 Subject: [PATCH 0173/1479] Add pull-secret for Portal Redis This was accidentally dropped when moving the chart from charts. --- services/portal/templates/redis-deployment.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/services/portal/templates/redis-deployment.yaml b/services/portal/templates/redis-deployment.yaml index 2e8da8e6b4..75e94b0203 100644 --- a/services/portal/templates/redis-deployment.yaml +++ b/services/portal/templates/redis-deployment.yaml @@ -25,11 +25,6 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - securityContext: - fsGroup: 999 - runAsNonRoot: true - runAsUser: 999 - runAsGroup: 999 containers: - name: "redis" image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}" @@ -59,6 +54,13 @@ spec: volumeMounts: - name: "data" mountPath: "/data" + imagePullSecrets: + - name: "pull-secret" + securityContext: + fsGroup: 999 + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 volumes: - name: "data" emptyDir: {} From 12e8be8e3bef5e73a205e17030193d1e759b34fc Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 6 Apr 2022 09:24:15 -0700 Subject: [PATCH 0174/1479] Update Portal chart documentation --- services/portal/README.md | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/services/portal/README.md b/services/portal/README.md index 1ff592a7c5..b4932920c1 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -1,17 +1,7 @@ # portal -![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![AppVersion: suit-233-7-dev](https://img.shields.io/badge/AppVersion-suit--233--7--dev-informational?style=flat-square) - Rubin Science Platform portal aspect -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| cbanek | | | - ## Values | Key | Type | Default | Description | 
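Review bot: The new hard-coded `imagePullSecrets: - name: "pull-secret"` lands in the same pod spec as the existing `{{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }}` block (the context lines at the top of the first hunk), so any environment that sets `.Values.imagePullSecrets` renders two `imagePullSecrets` keys in one mapping — a duplicate key that parsers either reject or resolve last-wins. Since the README change in the following commit drops the `imagePullSecrets` row, the `with` block looks like dead code now and should be removed in the same change, or the fixed entry folded into it. The relocated pod `securityContext` (fsGroup/runAs* 999) is unchanged in content, but it now appears directly after `volumeMounts`, which are container-level keys; presumably the indentation puts it back at pod level, which the collapsed view cannot confirm.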
@@ -25,13 +15,14 @@ Rubin Science Platform portal aspect | config.volumes.workareaHostPath | string | Use an `emptyDir` | hostPath to mount as a shared work area. Set either this or `workareaNfs`, not both. | | config.volumes.workareaNfs | object | Use an `emptyDir` | NFS information for a shared work area. If set, must have keys for path and server. Set either this or `workareaHostPath`, not both. | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| globals.baseUrl | string | Set by Argo CD | Base URL for the environment | +| globals.host | string | Set by Argo CD | Host name for ingress | +| globals.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Portal image | | image.repository | string | `"ipac/suit"` | Portal image to use | | image.tag | string | The appVersion of the chart | Tag of Portal image to use | -| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=portal&delegate_scope=read:tap"` | Gafaelfawr auth query string | -| ingress.host | string | None, must be set | Hostname for the ingress | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Portal pod | | podAnnotations | object | `{}` | Annotations for the Portal pod | 
@@ -47,7 +38,6 @@ Rubin Science Platform portal aspect | resources | object | `{"limits":{"cpu":2,"memory":"6Gi"}}` | Resource limits and requests. The Portal will use (by default) 93% of container RAM. This is a smallish Portal; tweak it as you need to in instance definitions in Phalanx. | | securityContext | object | `{}` | Security context for the Portal pod | | tolerations | list | `[]` | Tolerations for the Portal pod | -| vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//portal`, for example) | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) From 54a723593f20a40e2451aaee11b4364096cc37c0 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Wed, 6 Apr 2022 12:16:11 -0400 Subject: [PATCH 0175/1479] Migrate squareone chart templates into Phalanx The source for these templates is https://github.com/lsst-sqre/charts and moved with minimal changes. Changed values file to correspond to the lack of a sub-chart for squareone, and added helm-docs comments. --- .../templates/squareone-application.yaml | 25 ++--- services/squareone/Chart.yaml | 14 ++- services/squareone/README.md | 58 ++++++++++ services/squareone/README.md.gotmpl | 15 +++ services/squareone/templates/NOTES.txt | 22 ++++ services/squareone/templates/_helpers.tpl | 62 +++++++++++ services/squareone/templates/configmap.yaml | 16 +++ services/squareone/templates/deployment.yaml | 76 +++++++++++++ services/squareone/templates/hpa.yaml | 28 +++++ services/squareone/templates/ingress.yaml | 37 +++++++ services/squareone/templates/service.yaml | 15 +++ .../squareone/templates/serviceaccount.yaml | 12 +++ .../templates/tests/test-connection.yaml | 15 +++ services/squareone/values-base.yaml | 25 +++-- services/squareone/values-idfdev.yaml | 30 +++--- services/squareone/values-idfint.yaml | 27 +++-- services/squareone/values-idfprod.yaml | 29 +++-- services/squareone/values-minikube.yaml | 13 ++- services/squareone/values-red-five.yaml | 25 +++-- services/squareone/values-roe.yaml | 15 ++- services/squareone/values-stable.yaml | 13 ++- services/squareone/values-summit.yaml | 25 +++-- .../squareone/values-tucson-teststand.yaml | 25 +++-- services/squareone/values.yaml | 102 ++++++++++++++++++ 24 files changed, 592 insertions(+), 132 deletions(-) create mode 100644 services/squareone/README.md create mode 100644 services/squareone/README.md.gotmpl create mode 100644 services/squareone/templates/NOTES.txt create mode 100644 services/squareone/templates/_helpers.tpl create mode 100644 services/squareone/templates/configmap.yaml create mode 100644 services/squareone/templates/deployment.yaml create mode 100644 
services/squareone/templates/hpa.yaml create mode 100644 services/squareone/templates/ingress.yaml create mode 100644 services/squareone/templates/service.yaml create mode 100644 services/squareone/templates/serviceaccount.yaml create mode 100644 services/squareone/templates/tests/test-connection.yaml create mode 100644 services/squareone/values.yaml diff --git a/science-platform/templates/squareone-application.yaml b/science-platform/templates/squareone-application.yaml index 8fa37f1892..625f3742a4 100644 --- a/science-platform/templates/squareone-application.yaml +++ b/science-platform/templates/squareone-application.yaml @@ -2,28 +2,29 @@ apiVersion: v1 kind: Namespace metadata: - name: squareone + name: "squareone" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: squareone - namespace: argocd + name: "squareone" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: squareone - server: https://kubernetes.default.svc - project: default + namespace: "squareone" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/squareone - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/squareone" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index c5c9508e19..3d1015cc54 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml 
@@ -1,10 +1,18 @@ apiVersion: v2 name: squareone version: 1.0.0 +description: Squareone is the homepage UI for the Rubin Science Platform. +home: https://squareone.lsst.io/ +sources: + - https://github.com/lsst-sqre/squareone +maintainers: + - name: jonathansick + url: https://github.com/jonathansick + +# The default version tag of the squareone docker image +appVersion: "0.4.0" + dependencies: - - name: squareone - version: 0.4.1 - repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 repository: https://lsst-sqre.github.io/charts/ diff --git a/services/squareone/README.md b/services/squareone/README.md new file mode 100644 index 0000000000..7708773504 --- /dev/null +++ b/services/squareone/README.md 
@@ -0,0 +1,58 @@ +# squareone + +![AppVersion: 0.4.0](https://img.shields.io/badge/AppVersion-0.4.0-informational?style=flat-square) + +Squareone is the homepage UI for the Rubin Science Platform. + +**Homepage:** + +## Source Code + +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| config.semaphoreUrl | string | `nil` | URL to the Semaphore (user notifications) API service. @default null disables the Semaphore integration | +| config.siteDescription | string | `"Access Rubin Observatory Legacy Survey of Space and Time data.\n"` | Site description, used in meta tags | +| config.siteName | string | `"Rubin Science Platform"` | Name of the site, used in the title and meta tags. | +| fullnameOverride | string | `""` | Overrides the full name for resources (includes the release name) | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy (tip: use Always for development) | +| image.repository | string | `"lsstsqre/squareone"` | Squareone Docker image repository | +| image.tag | string | Chart's appVersion | Overrides the image tag. 
| +| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | +| ingress.enabled | bool | `true` | Enable ingress | +| ingress.host | string | `"chart-example.local"` | | +| ingress.tls | list | `[]` | | +| nameOverride | string | `""` | Overrides the base name for resources | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | Annotations for squareone pods | +| podSecurityContext.runAsGroup | int | `1000` | | +| podSecurityContext.runAsNonRoot | bool | `true` | | +| podSecurityContext.runAsUser | int | `1000` | | +| replicaCount | int | `1` | Number of squareone pods to run in the deployment. | +| resources | object | `{}` | | +| securityContext.capabilities.drop[0] | string | `"all"` | | +| securityContext.readOnlyRootFilesystem | bool | `true` | | +| service.port | int | `80` | Port of the service to create and map to the ingress | +| service.type | string | `"ClusterIP"` | Type of service to create | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | Generated using the fullname template | The name of the service account to use. | +| tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/squareone/README.md.gotmpl b/services/squareone/README.md.gotmpl new file mode 100644 index 0000000000..e10cdfb560 --- /dev/null +++ b/services/squareone/README.md.gotmpl 
@@ -0,0 +1,15 @@ +{{ template "chart.header" . }} + +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/squareone/templates/NOTES.txt b/services/squareone/templates/NOTES.txt new file mode 100644 index 0000000000..61eaffa975 --- /dev/null +++ b/services/squareone/templates/NOTES.txt 
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "squareone.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "squareone.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "squareone.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "squareone.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
diff --git a/services/squareone/templates/_helpers.tpl b/services/squareone/templates/_helpers.tpl
new file mode 100644
index 0000000000..bfeabf8000
--- /dev/null
+++ b/services/squareone/templates/_helpers.tpl
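Review bot: The ingress branch ranges over `.Values.ingress.hosts` and `.paths`, but this chart's values (per the README added in this commit) define a single `ingress.host` string and `ingress.tls`, so with `ingress.enabled: true` the notes print the heading and no URL. Replace the two nested `range` blocks with one line built from the real key: `http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}`. The file otherwise reads as the unmodified `helm create` scaffold; the `.Values.service.type` and `.Values.service.port` references in the other branches do match the documented values.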
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "squareone.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "squareone.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "squareone.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "squareone.labels" -}} +helm.sh/chart: {{ include "squareone.chart" . }} +{{ include "squareone.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "squareone.selectorLabels" -}} +app.kubernetes.io/name: {{ include "squareone.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "squareone.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "squareone.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/services/squareone/templates/configmap.yaml b/services/squareone/templates/configmap.yaml new file mode 100644 index 0000000000..738e12a395 --- /dev/null +++ b/services/squareone/templates/configmap.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "squareone.fullname" . }} + labels: + {{- include "squareone.labels" . | nindent 4 }} +data: + squareone.config.yaml: | + siteName: {{ .Values.config.siteName | quote }} + baseUrl: https://{{ .Values.ingress.host | default "example.com" }} + siteDescription: | + {{ .Values.config.siteDescription }} + {{- if .Values.config.semaphoreUrl }} + semaphoreUrl: | + {{ .Values.config.semaphoreUrl }} + {{- end}} diff --git a/services/squareone/templates/deployment.yaml b/services/squareone/templates/deployment.yaml new file mode 100644 index 0000000000..cd581c2706 --- /dev/null +++ b/services/squareone/templates/deployment.yaml 
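Review bot: `siteDescription: |` is followed by a bare `{{ .Values.config.siteDescription }}`, so a multi-line value (the key is declared as a block scalar in values.yaml, so that shape is expected) has only its first line indented under the block scalar and the rest breaks the embedded squareone.config.yaml; piping through `nindent` at the block scalar's indentation, e.g. `{{- .Values.config.siteDescription | nindent 6 }}` (the exact width is not recoverable from the collapsed hunk), fixes that. Rendering the URL as `semaphoreUrl: |` also appends a trailing newline to the URL string that the application then has to strip; `semaphoreUrl: {{ .Values.config.semaphoreUrl | quote }}` is simpler and exact. Two smaller points: `baseUrl: https://{{ .Values.ingress.host | default "example.com" }}` is an unquoted composed scalar and would be safer `| quote`d, and `{{- end}}` should be `{{- end }}` to match the rest of the template.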
@@ -0,0 +1,76 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "squareone.fullname" . }} + labels: + {{- include "squareone.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "squareone.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "squareone.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "squareone.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 3000 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + env: + - name: "SQUAREONE_CONFIG_PATH" + value: "/etc/squareone/squareone.config.yaml" + volumeMounts: + - name: "config" + mountPath: "/etc/squareone" + - name: "next-image-cache" + mountPath: "/app/.next/cache/images" + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: "config" + configMap: + name: {{ include "squareone.fullname" . 
}} + - name: "next-image-cache" + emptyDir: {} diff --git a/services/squareone/templates/hpa.yaml b/services/squareone/templates/hpa.yaml new file mode 100644 index 0000000000..e0f0c7f7dd --- /dev/null +++ b/services/squareone/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "squareone.fullname" . }} + labels: + {{- include "squareone.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "squareone.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/services/squareone/templates/ingress.yaml b/services/squareone/templates/ingress.yaml new file mode 100644 index 0000000000..bd6e443b6e --- /dev/null +++ b/services/squareone/templates/ingress.yaml 
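Review bot: The pod spec sets `serviceAccountName` but never `automountServiceAccountToken: false`, so every squareone pod gets an API token mounted even though nothing in the chart suggests the app talks to the Kubernetes API. If that is the case, add `automountServiceAccountToken: false` next to `serviceAccountName: {{ include "squareone.serviceAccountName" . }}` (or drop the dedicated ServiceAccount and the helper that names it). The `checksum/config` annotation and the `next-image-cache` emptyDir paired with `readOnlyRootFilesystem` are the right shape for this app.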
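Review bot: `apiVersion: autoscaling/v2beta1` is deprecated and is removed in Kubernetes 1.25, together with the flat `targetAverageUtilization` field shape used in both metric entries; `autoscaling/v2` has been GA since 1.23. If the target clusters are on 1.23 or later, moving to `autoscaling/v2` with the `target: {type: Utilization, averageUtilization: ...}` form avoids a hard break at the next cluster upgrade. The `{{- if .Values.autoscaling.enabled }}` guard and the `scaleTargetRef` block can stay as they are.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```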
@@ -0,0 +1,37 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "squareone.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "squareone.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: nginx + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + - host: {{ .Values.ingress.host | quote }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- end }} diff --git a/services/squareone/templates/service.yaml b/services/squareone/templates/service.yaml new file mode 100644 index 0000000000..405401c513 --- /dev/null +++ b/services/squareone/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "squareone.fullname" . }} + labels: + {{- include "squareone.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "squareone.selectorLabels" . | nindent 4 }} diff --git a/services/squareone/templates/serviceaccount.yaml b/services/squareone/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a7ebaf566b --- /dev/null +++ b/services/squareone/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "squareone.serviceAccountName" . }} + labels: + {{- include "squareone.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} 
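Review bot: `kubernetes.io/ingress.class: nginx` is the deprecated annotation form; with `apiVersion: networking.k8s.io/v1` the class belongs in `spec.ingressClassName: nginx` (the annotation has been deprecated since Kubernetes 1.18 and controllers differ in which of the two they honour when both are present). Since the class is hard-coded rather than read from values, this is a one-line move from `annotations:` to `spec:`. Also `secretName: {{ .secretName }}` is unquoted while the sibling `hosts` entries go through `| quote`; quoting both keeps a secret name that happens to look like a number or boolean intact.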
diff --git a/services/squareone/templates/tests/test-connection.yaml b/services/squareone/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..7e57cf570e --- /dev/null +++ b/services/squareone/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "squareone.fullname" . }}-test-connection" + labels: + {{- include "squareone.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "squareone.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/services/squareone/values-base.yaml b/services/squareone/values-base.yaml index 54debdc61a..336baf2433 100644 --- a/services/squareone/values-base.yaml +++ b/services/squareone/values-base.yaml @@ -1,16 +1,15 @@ -squareone: - ingress: - host: "base-lsp.lsst.codes" - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "base-lsp.lsst.codes" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform @ Base" +ingress: + host: "base-lsp.lsst.codes" + annotations: + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + tls: + - secretName: squareone-tls + hosts: + - "base-lsp.lsst.codes" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform @ Base" pull-secret: enabled: true diff --git a/services/squareone/values-idfdev.yaml b/services/squareone/values-idfdev.yaml index 10460ecb2c..c36f33ebc2 100644 --- a/services/squareone/values-idfdev.yaml +++ b/services/squareone/values-idfdev.yaml 
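Review bot: `image: busybox` carries no tag or digest, so the test hook pulls whatever `latest` resolves to at run time, which makes the test non-reproducible and a floating dependency on a public registry; pin it as `image: "busybox:<pinned-tag>@sha256:<digest>"` (placeholders to be filled from the registry). The test pod also carries none of the securityContext the main deployment applies, so under a namespace enforcing the `restricted` Pod Security Standard the hook would be rejected while the app itself runs; copying the same `runAsNonRoot`/drop-`ALL` block onto this container keeps the two consistent. The `wget` against `{{ include "squareone.fullname" . }}:{{ .Values.service.port }}` is a reasonable smoke test as written.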
@@ -1,17 +1,19 @@ -squareone: - ingress: - host: "data-dev.lsst.cloud" - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "data-dev.lsst.cloud" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform @ data-dev" - semaphoreUrl: "https://data-dev.lsst.cloud/semaphore" +image: + pullPolicy: Always + +ingress: + host: "data-dev.lsst.cloud" + annotations: + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + tls: + - secretName: squareone-tls + hosts: + - "data-dev.lsst.cloud" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform @ data-dev" + semaphoreUrl: "https://data-dev.lsst.cloud/semaphore" pull-secret: enabled: true diff --git a/services/squareone/values-idfint.yaml b/services/squareone/values-idfint.yaml index 2de36d6ff2..79d6ed10a8 100644 --- a/services/squareone/values-idfint.yaml +++ b/services/squareone/values-idfint.yaml @@ -1,17 +1,16 @@ -squareone: - ingress: - host: "data-int.lsst.cloud" - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "data-int.lsst.cloud" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform @ data-int" - semaphoreUrl: "https://data-int.lsst.cloud/semaphore" +ingress: + host: "data-int.lsst.cloud" + annotations: + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + tls: + - secretName: squareone-tls + hosts: + - "data-int.lsst.cloud" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform @ data-int" + semaphoreUrl: "https://data-int.lsst.cloud/semaphore" pull-secret: enabled: true diff --git a/services/squareone/values-idfprod.yaml b/services/squareone/values-idfprod.yaml index a0d6cb08db..22f72b118f 100644 --- a/services/squareone/values-idfprod.yaml +++ b/services/squareone/values-idfprod.yaml 
@@ -1,18 +1,17 @@ -squareone: - replicaCount: 3 - ingress: - host: "data.lsst.cloud" - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "data.lsst.cloud" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform" - semaphoreUrl: "https://data.lsst.cloud/semaphore" +replicaCount: 3 +ingress: + host: "data.lsst.cloud" + annotations: + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + tls: + - secretName: squareone-tls + hosts: + - "data.lsst.cloud" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform" + semaphoreUrl: "https://data.lsst.cloud/semaphore" pull-secret: enabled: true diff --git a/services/squareone/values-minikube.yaml b/services/squareone/values-minikube.yaml index 379b8a6d32..8ccfc0523c 100644 --- a/services/squareone/values-minikube.yaml +++ b/services/squareone/values-minikube.yaml @@ -1,10 +1,9 @@ -squareone: - ingress: - host: "minikube.lsst.codes" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform @ minikube" +ingress: + host: "minikube.lsst.codes" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform @ minikube" pull-secret: enabled: true diff --git a/services/squareone/values-red-five.yaml b/services/squareone/values-red-five.yaml index 534ff624ce..e6a77b4305 100644 --- a/services/squareone/values-red-five.yaml +++ b/services/squareone/values-red-five.yaml 
@@ -1,16 +1,15 @@ -squareone: - ingress: - host: "red-five.lsst.codes" - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "red-five.lsst.codes" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform @ red-five" +ingress: + host: "red-five.lsst.codes" + annotations: + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + tls: + - secretName: squareone-tls + hosts: + - "red-five.lsst.codes" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform @ red-five" pull-secret: enabled: true diff --git a/services/squareone/values-roe.yaml b/services/squareone/values-roe.yaml index 1c4745709b..09a33a4457 100644 --- a/services/squareone/values-roe.yaml +++ b/services/squareone/values-roe.yaml @@ -1,11 +1,10 @@ -squareone: - ingress: - host: "rsp.lsst.ac.uk" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform" - semaphoreUrl: "https://rsp.lsst.ac.uk/semaphore" +ingress: + host: "rsp.lsst.ac.uk" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform" + semaphoreUrl: "https://rsp.lsst.ac.uk/semaphore" pull-secret: enabled: true diff --git a/services/squareone/values-stable.yaml b/services/squareone/values-stable.yaml index fe4d58d15e..631aef6227 100644 --- a/services/squareone/values-stable.yaml +++ b/services/squareone/values-stable.yaml @@ -1,10 +1,9 @@ -squareone: - ingress: - host: "lsst-lsp-stable.ncsa.illinois.edu" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform @ lsp-stable" +ingress: + host: "lsst-lsp-stable.ncsa.illinois.edu" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform @ lsp-stable" pull-secret: enabled: true diff --git a/services/squareone/values-summit.yaml b/services/squareone/values-summit.yaml index d3363a24c8..eaf7b3ea4b 100644 
--- a/services/squareone/values-summit.yaml +++ b/services/squareone/values-summit.yaml @@ -1,16 +1,15 @@ -squareone: - ingress: - host: "summit-lsp.lsst.codes" - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "summit-lsp.lsst.codes" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform @ Summit" +ingress: + host: "summit-lsp.lsst.codes" + annotations: + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + tls: + - secretName: squareone-tls + hosts: + - "summit-lsp.lsst.codes" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform @ Summit" pull-secret: enabled: true diff --git a/services/squareone/values-tucson-teststand.yaml b/services/squareone/values-tucson-teststand.yaml index cf13fd2a85..8f5ffa6a26 100644 --- a/services/squareone/values-tucson-teststand.yaml +++ b/services/squareone/values-tucson-teststand.yaml @@ -1,16 +1,15 @@ -squareone: - ingress: - host: "tucson-teststand.lsst.codes" - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "tucson-teststand.lsst.codes" - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform @ Tucson" +ingress: + host: "tucson-teststand.lsst.codes" + annotations: + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + tls: + - secretName: squareone-tls + hosts: + - "tucson-teststand.lsst.codes" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform @ Tucson" pull-secret: enabled: true diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml new file mode 100644 index 0000000000..ca92a73465 --- /dev/null +++ b/services/squareone/values.yaml 
@@ -0,0 +1,102 @@ +# Default values for squareone. + +# -- Number of squareone pods to run in the deployment. +replicaCount: 1 + +image: + # -- Squareone Docker image repository + repository: lsstsqre/squareone + + # -- Image pull policy (tip: use Always for development) + pullPolicy: IfNotPresent + + # -- Overrides the image tag. + # @default -- Chart's appVersion + tag: "" + +# -- Secret names to use for all Docker pulls +imagePullSecrets: [] + +# -- Overrides the base name for resources +nameOverride: "" + +# -- Overrides the full name for resources (includes the release name) +fullnameOverride: "" + +serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. + # @default -- Generated using the fullname template + name: "" + +# -- Annotations for squareone pods +podAnnotations: {} + +podSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + +securityContext: + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + +service: + # -- Type of service to create + type: ClusterIP + + # -- Port of the service to create and map to the ingress + port: 80 + +ingress: + # -- Enable ingress + enabled: true + + # -- Additional annotations to add to the ingress + annotations: {} + + host: "chart-example.local" + tls: [] + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# Squareone app configuration +config: + # -- Name of the site, used in the title and meta tags. + siteName: "Rubin Science Platform" + + # -- Site description, used in meta tags + siteDescription: | + Access Rubin Observatory Legacy Survey of Space and Time data. + + # -- URL to the Semaphore (user notifications) API service. + # @default null disables the Semaphore integration + semaphoreUrl: null From 2c8d3a8029d43d8f7a91a2eda83111110a5737f3 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 6 Apr 2022 13:38:33 -0400 Subject: [PATCH 0176/1479] Bake pod security into deployment To simplify the chart, remove this configuration since it should always be used. --- services/squareone/README.md | 5 ----- services/squareone/templates/deployment.yaml | 12 +++++++++--- services/squareone/values.yaml | 11 ----------- 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/services/squareone/README.md b/services/squareone/README.md index 7708773504..3fd3f66eb3 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md 
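Review bot: The container `securityContext` defaults drop all capabilities and make the root filesystem read-only but omit `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}`, both of which the `restricted` Pod Security Standard requires; a namespace enforcing that profile rejects the pod as configured. Adding the two keys under `securityContext:` (and `seccompProfile` may also go in `podSecurityContext`) closes the gap without changing anything the app can observe. Separately, `siteDescription: |` keeps a trailing newline that is copied verbatim into the rendered config; `|-` is the usual choice unless the newline is intended.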
@@ -40,13 +40,8 @@ Squareone is the homepage UI for the Rubin Science Platform. | nameOverride | string | `""` | Overrides the base name for resources | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | Annotations for squareone pods | -| podSecurityContext.runAsGroup | int | `1000` | | -| podSecurityContext.runAsNonRoot | bool | `true` | | -| podSecurityContext.runAsUser | int | `1000` | | | replicaCount | int | `1` | Number of squareone pods to run in the deployment. | | resources | object | `{}` | | -| securityContext.capabilities.drop[0] | string | `"all"` | | -| securityContext.readOnlyRootFilesystem | bool | `true` | | | service.port | int | `80` | Port of the service to create and map to the ingress | | service.type | string | `"ClusterIP"` | Type of service to create | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | diff --git a/services/squareone/templates/deployment.yaml b/services/squareone/templates/deployment.yaml index cd581c2706..88249b701e 100644 --- a/services/squareone/templates/deployment.yaml +++ b/services/squareone/templates/deployment.yaml @@ -27,13 +27,19 @@ spec: {{- end }} serviceAccountName: {{ include "squareone.serviceAccountName" . }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 containers: - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true ports: - name: http containerPort: 3000 diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index ca92a73465..09c349d5d5 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml 
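Review bot: Now that both security contexts are hard-coded in the template, nothing an environment values file sets can add what is still missing: neither the pod context nor the container context sets `seccompProfile`, so the pod still does not satisfy the `restricted` Pod Security Standard despite `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `drop: - ALL`. Adding `seccompProfile: {type: RuntimeDefault}` under the pod-level `securityContext:` next to `runAsGroup: 1000` completes the set. The enclosing Deployment `spec` runs outside the hunk on both sides.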
@@ -35,17 +35,6 @@ serviceAccount: # -- Annotations for squareone pods podAnnotations: {} -podSecurityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - -securityContext: - capabilities: - drop: - - "all" - readOnlyRootFilesystem: true - service: # -- Type of service to create type: ClusterIP From 8e5d71687c56ccdfa515d14f77190eec5e62fa0d Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 6 Apr 2022 14:05:27 -0400 Subject: [PATCH 0177/1479] Use Helm globals set by Application resource Use the environment's configurations for host, baseUrl, and vaultSecretsPathPrefix. Note that the host is still backed into environment values for TLS; not sure of the best way to move this up to the environment Argo CD application level. Also the pull secret still uses a backed in vault secrets path; this will get dropped soon when we move Squareone to the GitHub Container Registry. --- .../templates/squareone-application.yaml | 7 +++++++ services/squareone/README.md | 4 +++- services/squareone/templates/configmap.yaml | 2 +- services/squareone/templates/ingress.yaml | 2 +- services/squareone/values-base.yaml | 1 - services/squareone/values-idfdev.yaml | 1 - services/squareone/values-idfint.yaml | 1 - services/squareone/values-idfprod.yaml | 1 - services/squareone/values-int.yaml | 2 -- services/squareone/values-minikube.yaml | 2 -- services/squareone/values-red-five.yaml | 1 - services/squareone/values-roe.yaml | 2 -- services/squareone/values-stable.yaml | 2 -- services/squareone/values-summit.yaml | 1 - services/squareone/values-tucson-teststand.yaml | 1 - services/squareone/values.yaml | 16 +++++++++++++++- 16 files changed, 27 insertions(+), 19 deletions(-) diff --git a/science-platform/templates/squareone-application.yaml b/science-platform/templates/squareone-application.yaml index 625f3742a4..63dd926704 100644 --- a/science-platform/templates/squareone-application.yaml +++ b/science-platform/templates/squareone-application.yaml 
@@ -24,6 +24,13 @@ spec: repoURL: {{ .Values.repoURL | quote }} targetRevision: {{ .Values.revision | quote }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPathPrefix" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" - "values-{{ .Values.environment }}.yaml" diff --git a/services/squareone/README.md b/services/squareone/README.md index 3fd3f66eb3..3baf3d7823 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -29,13 +29,15 @@ Squareone is the homepage UI for the Rubin Science Platform. | config.siteDescription | string | `"Access Rubin Observatory Legacy Survey of Space and Time data.\n"` | Site description, used in meta tags | | config.siteName | string | `"Rubin Science Platform"` | Name of the site, used in the title and meta tags. | | fullnameOverride | string | `""` | Overrides the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD Application | Base URL for the environment | +| global.host | string | Set by Argo CD Application | Host name for ingress | +| global.vaultSecretsPathPrefix | string | Set by Argo CD Application | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy (tip: use Always for development) | | image.repository | string | `"lsstsqre/squareone"` | Squareone Docker image repository | | image.tag | string | Chart's appVersion | Overrides the image tag. | | imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.enabled | bool | `true` | Enable ingress | -| ingress.host | string | `"chart-example.local"` | | | ingress.tls | list | `[]` | | | nameOverride | string | `""` | Overrides the base name for resources | | nodeSelector | object | `{}` | | 
diff --git a/services/squareone/templates/configmap.yaml b/services/squareone/templates/configmap.yaml index 738e12a395..1193be4629 100644 --- a/services/squareone/templates/configmap.yaml +++ b/services/squareone/templates/configmap.yaml @@ -7,7 +7,7 @@ metadata: data: squareone.config.yaml: | siteName: {{ .Values.config.siteName | quote }} - baseUrl: https://{{ .Values.ingress.host | default "example.com" }} + baseUrl: {{ .Values.global.baseUrl | quote }} siteDescription: | {{ .Values.config.siteDescription }} {{- if .Values.config.semaphoreUrl }} diff --git a/services/squareone/templates/ingress.yaml b/services/squareone/templates/ingress.yaml index bd6e443b6e..dba684e18c 100644 --- a/services/squareone/templates/ingress.yaml +++ b/services/squareone/templates/ingress.yaml @@ -24,7 +24,7 @@ spec: {{- end }} {{- end }} rules: - - host: {{ .Values.ingress.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: / diff --git a/services/squareone/values-base.yaml b/services/squareone/values-base.yaml index 336baf2433..2af61cdb74 100644 --- a/services/squareone/values-base.yaml +++ b/services/squareone/values-base.yaml @@ -1,5 +1,4 @@ ingress: - host: "base-lsp.lsst.codes" annotations: cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns tls: diff --git a/services/squareone/values-idfdev.yaml b/services/squareone/values-idfdev.yaml index c36f33ebc2..7cb9f2c749 100644 --- a/services/squareone/values-idfdev.yaml +++ b/services/squareone/values-idfdev.yaml @@ -2,7 +2,6 @@ image: pullPolicy: Always ingress: - host: "data-dev.lsst.cloud" annotations: cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns tls: diff --git a/services/squareone/values-idfint.yaml b/services/squareone/values-idfint.yaml index 79d6ed10a8..528783c529 100644 --- a/services/squareone/values-idfint.yaml +++ b/services/squareone/values-idfint.yaml 
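Review bot: `baseUrl: {{ .Values.global.baseUrl | quote }}` silently renders `baseUrl: ""` when the Argo CD parameter is not injected (values.yaml in this commit defaults `global.baseUrl` to an empty string), whereas the ingress hunk in the same commit guards `global.host` with `required`. Applying the same guard here, `baseUrl: {{ required "global.baseUrl must be set" .Values.global.baseUrl | quote }}`, turns a mis-wired Application into a template error instead of a site that advertises an empty base URL. The rest of the ConfigMap data block is outside the hunk.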
@@ -1,5 +1,4 @@ ingress: - host: "data-int.lsst.cloud" annotations: cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns tls: diff --git a/services/squareone/values-idfprod.yaml b/services/squareone/values-idfprod.yaml index 22f72b118f..0105b4ef8a 100644 --- a/services/squareone/values-idfprod.yaml +++ b/services/squareone/values-idfprod.yaml @@ -1,6 +1,5 @@ replicaCount: 3 ingress: - host: "data.lsst.cloud" annotations: cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns tls: diff --git a/services/squareone/values-int.yaml b/services/squareone/values-int.yaml index b22e3d1d65..dcd3fa33d7 100644 --- a/services/squareone/values-int.yaml +++ b/services/squareone/values-int.yaml @@ -1,6 +1,4 @@ squareone: - ingress: - host: "lsst-lsp-int.ncsa.illinois.edu" imagePullSecrets: - name: "pull-secret" config: diff --git a/services/squareone/values-minikube.yaml b/services/squareone/values-minikube.yaml index 8ccfc0523c..75e35426d9 100644 --- a/services/squareone/values-minikube.yaml +++ b/services/squareone/values-minikube.yaml @@ -1,5 +1,3 @@ -ingress: - host: "minikube.lsst.codes" imagePullSecrets: - name: "pull-secret" config: diff --git a/services/squareone/values-red-five.yaml b/services/squareone/values-red-five.yaml index e6a77b4305..bfac137a16 100644 --- a/services/squareone/values-red-five.yaml +++ b/services/squareone/values-red-five.yaml @@ -1,5 +1,4 @@ ingress: - host: "red-five.lsst.codes" annotations: cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns tls: diff --git a/services/squareone/values-roe.yaml b/services/squareone/values-roe.yaml index 09a33a4457..42a5814858 100644 --- a/services/squareone/values-roe.yaml +++ b/services/squareone/values-roe.yaml @@ -1,5 +1,3 @@ -ingress: - host: "rsp.lsst.ac.uk" imagePullSecrets: - name: "pull-secret" config: diff --git a/services/squareone/values-stable.yaml b/services/squareone/values-stable.yaml index 631aef6227..69a16d4c43 100644 --- a/services/squareone/values-stable.yaml 
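Review bot: `values-int.yaml` still nests everything under a top-level `squareone:` key (the context line above the removed `ingress:`), unlike every other environment file in this series, which was flattened to top-level `imagePullSecrets:` and `config:` when the chart stopped being a subchart. With the flattened layout the templates read `.Values.imagePullSecrets` and `.Values.config`, so the values under `squareone:` in this file are presumably ignored and the `int` environment falls back to the chart defaults, including an empty `imagePullSecrets` list. Flattening this file the same way as `values-idfint.yaml` (remove the `squareone:` line and dedent the rest) fixes it; the remaining lines of the file are outside the hunk.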
+++ b/services/squareone/values-stable.yaml @@ -1,5 +1,3 @@ -ingress: - host: "lsst-lsp-stable.ncsa.illinois.edu" imagePullSecrets: - name: "pull-secret" config: diff --git a/services/squareone/values-summit.yaml b/services/squareone/values-summit.yaml index eaf7b3ea4b..1289b6e1ef 100644 --- a/services/squareone/values-summit.yaml +++ b/services/squareone/values-summit.yaml @@ -1,5 +1,4 @@ ingress: - host: "summit-lsp.lsst.codes" annotations: cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns tls: diff --git a/services/squareone/values-tucson-teststand.yaml b/services/squareone/values-tucson-teststand.yaml index 8f5ffa6a26..982840660e 100644 --- a/services/squareone/values-tucson-teststand.yaml +++ b/services/squareone/values-tucson-teststand.yaml @@ -1,5 +1,4 @@ ingress: - host: "tucson-teststand.lsst.codes" annotations: cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns tls: diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index 09c349d5d5..20f9719808 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml @@ -49,7 +49,6 @@ ingress: # -- Additional annotations to add to the ingress annotations: {} - host: "chart-example.local" tls: [] resources: {} @@ -89,3 +88,18 @@ config: # -- URL to the Semaphore (user notifications) API service. # @default null disables the Semaphore integration semaphoreUrl: null + +# Global parameters are set by parameters injected by the Argo CD Application +# and should not be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD Application + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD Application + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD Application + vaultSecretsPathPrefix: "" From 5dbfdf4d07003d817b9ec4ceafe4b72049cbb71d Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Thu, 7 Apr 2022 10:22:25 -0400 Subject: [PATCH 0178/1479] Drop NOTES.txt Unused by Argo CD. --- services/squareone/templates/NOTES.txt | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 services/squareone/templates/NOTES.txt diff --git a/services/squareone/templates/NOTES.txt b/services/squareone/templates/NOTES.txt deleted file mode 100644 index 61eaffa975..0000000000 --- a/services/squareone/templates/NOTES.txt +++ /dev/null 
@@ -1,22 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "squareone.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "squareone.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "squareone.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "squareone.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT -{{- end }} From 62d1809e83aa057bd6e03d0ac9fd9823ece3aabe Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Thu, 7 Apr 2022 10:32:05 -0400 Subject: [PATCH 0179/1479] Drop ServiceAccount for squareone Squareone doesn't need a service account, so we can drop this complication from the chart starter. --- services/squareone/README.md | 3 --- services/squareone/templates/_helpers.tpl | 11 ----------- services/squareone/templates/deployment.yaml | 2 +- services/squareone/templates/serviceaccount.yaml | 12 ------------ services/squareone/values.yaml | 9 --------- 5 files changed, 1 insertion(+), 36 deletions(-) delete mode 100644 services/squareone/templates/serviceaccount.yaml diff --git a/services/squareone/README.md b/services/squareone/README.md index 3baf3d7823..70d5356e12 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -46,9 +46,6 @@ Squareone is the homepage UI for the Rubin Science Platform. | resources | object | `{}` | | | service.port | int | `80` | Port of the service to create and map to the ingress | | service.type | string | `"ClusterIP"` | Type of service to create | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | Generated using the fullname template | The name of the service account to use. | | tolerations | list | `[]` | | ---------------------------------------------- diff --git a/services/squareone/templates/_helpers.tpl b/services/squareone/templates/_helpers.tpl index bfeabf8000..96acff7412 100644 --- a/services/squareone/templates/_helpers.tpl +++ b/services/squareone/templates/_helpers.tpl 
@@ -49,14 +49,3 @@ Selector labels app.kubernetes.io/name: {{ include "squareone.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "squareone.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "squareone.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} diff --git a/services/squareone/templates/deployment.yaml b/services/squareone/templates/deployment.yaml index 88249b701e..f8a30a7efe 100644 --- a/services/squareone/templates/deployment.yaml +++ b/services/squareone/templates/deployment.yaml @@ -20,12 +20,12 @@ spec: {{- end }} labels: {{- include "squareone.selectorLabels" . | nindent 8 }} + automountServiceAccountToken: false spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "squareone.serviceAccountName" . }} securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/services/squareone/templates/serviceaccount.yaml b/services/squareone/templates/serviceaccount.yaml deleted file mode 100644 index a7ebaf566b..0000000000 --- a/services/squareone/templates/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "squareone.serviceAccountName" . }} - labels: - {{- include "squareone.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index 20f9719808..d7e558bd8c 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml 
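Review bot: In the deployment.yaml hunk, `automountServiceAccountToken: false` is inserted between the pod template's `labels:` and its `spec:`, so as far as the collapsed indentation lets one tell it lands under `template.metadata` (or as a sibling of `template`) rather than inside the pod spec, where it is not a recognized field; strict API-server validation rejects it and lenient validation drops it silently, so the intended hardening does not take effect. Move the line into the pod spec next to `securityContext`, e.g. `spec:` / `  automountServiceAccountToken: false`. Since the commit also drops `serviceAccountName`, the pod now runs as the namespace's `default` ServiceAccount, and this opt-out is what keeps that account's token off the pod — worth a one-line comment such as `# No API access needed; keep the default SA token out of the pod`. The Deployment template continues outside the hunk.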
@@ -23,15 +23,6 @@ nameOverride: "" # -- Overrides the full name for resources (includes the release name) fullnameOverride: "" -serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # @default -- Generated using the fullname template - name: "" - # -- Annotations for squareone pods podAnnotations: {} From 6bbbfe156238b4b456094abe35c1b937079bfa55 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 7 Apr 2022 10:46:17 -0400 Subject: [PATCH 0180/1479] Hard-code the image pull secrets --- services/squareone/README.md | 1 - services/squareone/templates/deployment.yaml | 28 +++++++++----------- services/squareone/values.yaml | 3 --- 3 files changed, 13 insertions(+), 19 deletions(-) diff --git a/services/squareone/README.md b/services/squareone/README.md index 70d5356e12..c896ae2e74 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -35,7 +35,6 @@ Squareone is the homepage UI for the Rubin Science Platform. | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy (tip: use Always for development) | | image.repository | string | `"lsstsqre/squareone"` | Squareone Docker image repository | | image.tag | string | Chart's appVersion | Overrides the image tag. | -| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.enabled | bool | `true` | Enable ingress | | ingress.tls | list | `[]` | | diff --git a/services/squareone/templates/deployment.yaml b/services/squareone/templates/deployment.yaml index f8a30a7efe..541f5fe2b9 100644 --- a/services/squareone/templates/deployment.yaml +++ b/services/squareone/templates/deployment.yaml 
@@ -20,16 +20,7 @@ spec: {{- end }} labels: {{- include "squareone.selectorLabels" . | nindent 8 }} - automountServiceAccountToken: false spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -62,6 +53,19 @@ spec: mountPath: "/etc/squareone" - name: "next-image-cache" mountPath: "/app/.next/cache/images" + automountServiceAccountToken: false + imagePullSecrets: + - name: "pull-secret" + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + volumes: + - name: "config" + configMap: + name: {{ include "squareone.fullname" . }} + - name: "next-image-cache" + emptyDir: {} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -74,9 +78,3 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - volumes: - - name: "config" - configMap: - name: {{ include "squareone.fullname" . }} - - name: "next-image-cache" - emptyDir: {} diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index d7e558bd8c..e0d08294a1 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml @@ -14,9 +14,6 @@ image: # @default -- Chart's appVersion tag: "" -# -- Secret names to use for all Docker pulls -imagePullSecrets: [] - # -- Overrides the base name for resources nameOverride: "" From 578df904d12fbe1e61a85c592947a72c398fa464 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Thu, 7 Apr 2022 10:50:29 -0400 Subject: [PATCH 0181/1479] Hard-code the service port configuration --- services/squareone/README.md | 2 -- services/squareone/templates/ingress.yaml | 3 +-- services/squareone/templates/service.yaml | 4 ++-- services/squareone/templates/tests/test-connection.yaml | 2 +- services/squareone/values.yaml | 7 ------- 5 files changed, 4 insertions(+), 14 deletions(-) diff --git a/services/squareone/README.md b/services/squareone/README.md index c896ae2e74..26ad332b82 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -43,8 +43,6 @@ Squareone is the homepage UI for the Rubin Science Platform. | podAnnotations | object | `{}` | Annotations for squareone pods | | replicaCount | int | `1` | Number of squareone pods to run in the deployment. | | resources | object | `{}` | | -| service.port | int | `80` | Port of the service to create and map to the ingress | -| service.type | string | `"ClusterIP"` | Type of service to create | | tolerations | list | `[]` | | ---------------------------------------------- diff --git a/services/squareone/templates/ingress.yaml b/services/squareone/templates/ingress.yaml index dba684e18c..d3e8e7b716 100644 --- a/services/squareone/templates/ingress.yaml +++ b/services/squareone/templates/ingress.yaml @@ -1,6 +1,5 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "squareone.fullname" . -}} -{{- $svcPort := .Values.service.port -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -33,5 +32,5 @@ spec: service: name: {{ $fullName }} port: - number: {{ $svcPort }} + number: 80 {{- end }} diff --git a/services/squareone/templates/service.yaml b/services/squareone/templates/service.yaml index 405401c513..1acfffc8e8 100644 --- a/services/squareone/templates/service.yaml +++ b/services/squareone/templates/service.yaml 
@@ -5,9 +5,9 @@ metadata: labels: {{- include "squareone.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: ClusterIP ports: - - port: {{ .Values.service.port }} + - port: 80 targetPort: http protocol: TCP name: http diff --git a/services/squareone/templates/tests/test-connection.yaml b/services/squareone/templates/tests/test-connection.yaml index 7e57cf570e..78149a04f1 100644 --- a/services/squareone/templates/tests/test-connection.yaml +++ b/services/squareone/templates/tests/test-connection.yaml @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "squareone.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "squareone.fullname" . }}:80'] restartPolicy: Never diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index e0d08294a1..29b636506d 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml @@ -23,13 +23,6 @@ fullnameOverride: "" # -- Annotations for squareone pods podAnnotations: {} -service: - # -- Type of service to create - type: ClusterIP - - # -- Port of the service to create and map to the ingress - port: 80 - ingress: # -- Enable ingress enabled: true From 0100ab3466cd1e48263b7d53d5de3592ae0aff7a Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 7 Apr 2022 10:53:03 -0400 Subject: [PATCH 0182/1479] Improve config map formatting --- services/squareone/templates/configmap.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/services/squareone/templates/configmap.yaml b/services/squareone/templates/configmap.yaml index 1193be4629..bec6c0f18c 100644 --- a/services/squareone/templates/configmap.yaml +++ b/services/squareone/templates/configmap.yaml 
@@ -8,9 +8,7 @@ data: squareone.config.yaml: | siteName: {{ .Values.config.siteName | quote }} baseUrl: {{ .Values.global.baseUrl | quote }} - siteDescription: | - {{ .Values.config.siteDescription }} + siteDescription: {{ .Values.config.siteDescription | quote }} {{- if .Values.config.semaphoreUrl }} - semaphoreUrl: | - {{ .Values.config.semaphoreUrl }} + semaphoreUrl: {{ .Values.config.semaphoreUrl | quote }} {{- end}} From a24837aed6f7dde2141cb64f0cebc0188ffd570f Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 7 Apr 2022 11:10:08 -0400 Subject: [PATCH 0183/1479] Hard code TLS for Let's Encrypt use case ingress.tls is now a boolean (default true) that when true, inserts our common Let's Encrypt-based TLS set up. Environments that have a custom TLS set up can disable this by setting ingress.tls = false. --- services/squareone/README.md | 2 +- services/squareone/templates/ingress.yaml | 11 +++++------ services/squareone/values-base.yaml | 9 --------- services/squareone/values-idfdev.yaml | 9 --------- services/squareone/values-idfint.yaml | 9 --------- services/squareone/values-idfprod.yaml | 9 --------- services/squareone/values-int.yaml | 10 +++++----- services/squareone/values-minikube.yaml | 5 +++-- services/squareone/values-red-five.yaml | 9 --------- services/squareone/values-roe.yaml | 5 +++-- services/squareone/values-stable.yaml | 6 ++---- services/squareone/values-summit.yaml | 9 --------- services/squareone/values-tucson-teststand.yaml | 9 --------- services/squareone/values.yaml | 4 +++- 14 files changed, 22 insertions(+), 84 deletions(-) diff --git a/services/squareone/README.md b/services/squareone/README.md index 26ad332b82..ca2753eb0b 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md 
@@ -37,7 +37,7 @@ Squareone is the homepage UI for the Rubin Science Platform. | image.tag | string | Chart's appVersion | Overrides the image tag. | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.enabled | bool | `true` | Enable ingress | -| ingress.tls | list | `[]` | | +| ingress.tls | bool | `true` | Enable Let's Encrypt TLS management in this chart. This should be false if TLS is managed elsewhere, such as in an ingress-nginx app. | | nameOverride | string | `""` | Overrides the base name for resources | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | Annotations for squareone pods | diff --git a/services/squareone/templates/ingress.yaml b/services/squareone/templates/ingress.yaml index d3e8e7b716..dd3deb331e 100644 --- a/services/squareone/templates/ingress.yaml +++ b/services/squareone/templates/ingress.yaml @@ -8,19 +8,18 @@ metadata: {{- include "squareone.labels" . | nindent 4 }} annotations: kubernetes.io/ingress.class: nginx + {{- if .Values.ingress.tls }} + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: {{- if .Values.ingress.tls }} tls: - {{- range .Values.ingress.tls }} - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} + - {{ required "global.host must be set" .Values.global.host | quote }} + secretName: squareone-tls {{- end }} rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} diff --git a/services/squareone/values-base.yaml b/services/squareone/values-base.yaml index 2af61cdb74..9c1f83666a 100644 --- a/services/squareone/values-base.yaml +++ b/services/squareone/values-base.yaml 
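Review bot: In the ingress.yaml hunk the new `tls:` entry evaluates `required "global.host must be set" .Values.global.host` a second time, duplicating the same expression already used for `rules:` two lines below; if the message or lookup ever changes, the two copies drift. Hoist it once at the top of the template beside the existing `$fullName` variable, e.g. `{{- $host := required "global.host must be set" .Values.global.host -}}`, and use `{{ $host | quote }}` in both places. The rest of the ingress template is outside the hunk.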
@@ -1,12 +1,3 @@ -ingress: - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "base-lsp.lsst.codes" -imagePullSecrets: - - name: "pull-secret" config: siteName: "Rubin Science Platform @ Base" diff --git a/services/squareone/values-idfdev.yaml b/services/squareone/values-idfdev.yaml index 7cb9f2c749..fb48ae7878 100644 --- a/services/squareone/values-idfdev.yaml +++ b/services/squareone/values-idfdev.yaml @@ -1,15 +1,6 @@ image: pullPolicy: Always -ingress: - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "data-dev.lsst.cloud" -imagePullSecrets: - - name: "pull-secret" config: siteName: "Rubin Science Platform @ data-dev" semaphoreUrl: "https://data-dev.lsst.cloud/semaphore" diff --git a/services/squareone/values-idfint.yaml b/services/squareone/values-idfint.yaml index 528783c529..0386b784bf 100644 --- a/services/squareone/values-idfint.yaml +++ b/services/squareone/values-idfint.yaml @@ -1,12 +1,3 @@ -ingress: - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "data-int.lsst.cloud" -imagePullSecrets: - - name: "pull-secret" config: siteName: "Rubin Science Platform @ data-int" semaphoreUrl: "https://data-int.lsst.cloud/semaphore" diff --git a/services/squareone/values-idfprod.yaml b/services/squareone/values-idfprod.yaml index 0105b4ef8a..bc959aebf3 100644 --- a/services/squareone/values-idfprod.yaml +++ b/services/squareone/values-idfprod.yaml @@ -1,13 +1,4 @@ replicaCount: 3 -ingress: - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "data.lsst.cloud" -imagePullSecrets: - - name: "pull-secret" config: siteName: "Rubin Science Platform" semaphoreUrl: "https://data.lsst.cloud/semaphore" 
diff --git a/services/squareone/values-int.yaml b/services/squareone/values-int.yaml index dcd3fa33d7..677a7e23c1 100644 --- a/services/squareone/values-int.yaml +++ b/services/squareone/values-int.yaml @@ -1,8 +1,8 @@ -squareone: - imagePullSecrets: - - name: "pull-secret" - config: - siteName: "Rubin Science Platform @ lsp-int" +config: + siteName: "Rubin Science Platform @ lsp-int" + +ingress: + tls: false pull-secret: enabled: true diff --git a/services/squareone/values-minikube.yaml b/services/squareone/values-minikube.yaml index 75e35426d9..beed405067 100644 --- a/services/squareone/values-minikube.yaml +++ b/services/squareone/values-minikube.yaml @@ -1,8 +1,9 @@ -imagePullSecrets: - - name: "pull-secret" config: siteName: "Rubin Science Platform @ minikube" +ingress: + tls: false + pull-secret: enabled: true path: secret/k8s_operator/minikube.lsst.codes/pull-secret diff --git a/services/squareone/values-red-five.yaml b/services/squareone/values-red-five.yaml index bfac137a16..e4df9ea2fd 100644 --- a/services/squareone/values-red-five.yaml +++ b/services/squareone/values-red-five.yaml @@ -1,12 +1,3 @@ -ingress: - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "red-five.lsst.codes" -imagePullSecrets: - - name: "pull-secret" config: siteName: "Rubin Science Platform @ red-five" diff --git a/services/squareone/values-roe.yaml b/services/squareone/values-roe.yaml index 42a5814858..1a08f52bc0 100644 --- a/services/squareone/values-roe.yaml +++ b/services/squareone/values-roe.yaml @@ -1,9 +1,10 @@ -imagePullSecrets: - - name: "pull-secret" config: siteName: "Rubin Science Platform" semaphoreUrl: "https://rsp.lsst.ac.uk/semaphore" +ingress: + tls: false + pull-secret: enabled: true path: secret/k8s_operator/roe/pull-secret diff --git a/services/squareone/values-stable.yaml b/services/squareone/values-stable.yaml index 69a16d4c43..f4dfe4ea7f 100644 
--- a/services/squareone/values-stable.yaml +++ b/services/squareone/values-stable.yaml @@ -1,7 +1,5 @@ -imagePullSecrets: - - name: "pull-secret" -config: - siteName: "Rubin Science Platform @ lsp-stable" +ingress: + tls: false pull-secret: enabled: true diff --git a/services/squareone/values-summit.yaml b/services/squareone/values-summit.yaml index 1289b6e1ef..1c2db3348c 100644 --- a/services/squareone/values-summit.yaml +++ b/services/squareone/values-summit.yaml @@ -1,12 +1,3 @@ -ingress: - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "summit-lsp.lsst.codes" -imagePullSecrets: - - name: "pull-secret" config: siteName: "Rubin Science Platform @ Summit" diff --git a/services/squareone/values-tucson-teststand.yaml b/services/squareone/values-tucson-teststand.yaml index 982840660e..b5d54de851 100644 --- a/services/squareone/values-tucson-teststand.yaml +++ b/services/squareone/values-tucson-teststand.yaml @@ -1,12 +1,3 @@ -ingress: - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "tucson-teststand.lsst.codes" -imagePullSecrets: - - name: "pull-secret" config: siteName: "Rubin Science Platform @ Tucson" diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index 29b636506d..84de8a7078 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml @@ -30,7 +30,9 @@ ingress: # -- Additional annotations to add to the ingress annotations: {} - tls: [] + # -- Enable Let's Encrypt TLS management in this chart. This should be false + # if TLS is managed elsewhere, such as in an ingress-nginx app. + tls: true resources: {} # We usually recommend not to specify default resources and to leave this as a conscious From e03354acc003d1d235b5ab929d71e6f3b7f676ce Mon Sep 17 00:00:00 2001 
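Review bot: The values-stable.yaml hunk removes `config:` / `siteName: "Rubin Science Platform @ lsp-stable"` together with the `imagePullSecrets` block, so the stable environment now falls back to the chart's default `config.siteName`; the commit message only describes the TLS change, and every other environment file touched by this commit keeps its `config.siteName`. If that is unintended, keep `config:` / `  siteName: "Rubin Science Platform @ lsp-stable"` above the new `ingress:` block. The `ingress.tls: false` opt-out itself matches the values-int, values-minikube and values-roe hunks.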
From: Jonathan Sick Date: Thu, 7 Apr 2022 11:26:17 -0400 Subject: [PATCH 0184/1479] Upgrade to squareone 0.5.0 from ghcr.io --- services/squareone/Chart.yaml | 2 +- services/squareone/README.md | 4 ++-- services/squareone/values.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index 3d1015cc54..2c77bd8b39 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,7 +10,7 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "0.4.0" +appVersion: "0.5.0" dependencies: - name: pull-secret diff --git a/services/squareone/README.md b/services/squareone/README.md index ca2753eb0b..ed2cc8844c 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -1,6 +1,6 @@ # squareone -![AppVersion: 0.4.0](https://img.shields.io/badge/AppVersion-0.4.0-informational?style=flat-square) +![AppVersion: 0.5.0](https://img.shields.io/badge/AppVersion-0.5.0-informational?style=flat-square) Squareone is the homepage UI for the Rubin Science Platform. @@ -33,7 +33,7 @@ Squareone is the homepage UI for the Rubin Science Platform. | global.host | string | Set by Argo CD Application | Host name for ingress | | global.vaultSecretsPathPrefix | string | Set by Argo CD Application | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy (tip: use Always for development) | -| image.repository | string | `"lsstsqre/squareone"` | Squareone Docker image repository | +| image.repository | string | `"ghcr.io/lsst-sqre/squareone"` | Squareone Docker image repository | | image.tag | string | Chart's appVersion | Overrides the image tag. | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.enabled | bool | `true` | Enable ingress | 
diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index 84de8a7078..48ef2a8079 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml @@ -5,7 +5,7 @@ replicaCount: 1 image: # -- Squareone Docker image repository - repository: lsstsqre/squareone + repository: ghcr.io/lsst-sqre/squareone # -- Image pull policy (tip: use Always for development) pullPolicy: IfNotPresent From c2ac31f1d7a1f629516ba85e1c03d3806880b052 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 7 Apr 2022 08:34:13 -0700 Subject: [PATCH 0185/1479] update cachemachine --- services/cachemachine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cachemachine/Chart.yaml b/services/cachemachine/Chart.yaml index dfb4eae1d8..ebad8940f9 100644 --- a/services/cachemachine/Chart.yaml +++ b/services/cachemachine/Chart.yaml @@ -3,5 +3,5 @@ name: cachemachine version: 1.0.0 dependencies: - name: cachemachine - version: 1.2.4 + version: 1.2.5 repository: https://lsst-sqre.github.io/charts/ From cf641577162ce00b6c07fb3f8a87a09e0160fd11 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Tue, 5 Apr 2022 18:02:26 -0700 Subject: [PATCH 0186/1479] [DM-34317] Add sherlock secrets, fix vo-cutouts So the vocutouts thing had a keyerror exception when running it, because postgres was generating it one way, and then we tried pulling out the wrong key. So that's the vo-cutouts fix. Now that we have that working, add the sherlock generated secret for publishing. --- installer/generate_secrets.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index f9dff72b5b..123eb7caab 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py 
@@ -53,6 +53,7 @@ def generate(self):
 self._portal()
 self._vo_cutouts()
 self._telegraf()
+ self._sherlock()
 self.input_field("cert-manager", "enabled", "Use cert-manager? (y/n):")
 use_cert_manager = self.secrets["cert-manager"]["enabled"]
@@ -139,7 +140,7 @@ def _postgres(self):
 self._set_generated("postgres", "gafaelfawr_password", secrets.token_hex(32))
 self._set_generated("postgres", "jupyterhub_password", secrets.token_hex(32))
 self._set_generated("postgres", "root_password", secrets.token_hex(64))
- self._set_generated("postgres", "vo-cutouts_password", secrets.token_hex(32))
+ self._set_generated("postgres", "vo_cutouts_password", secrets.token_hex(32))
 self._set_generated("postgres", "narrativelog_password", secrets.token_hex(32))
 def _nublado2(self):
@@ -285,6 +286,11 @@ def _vo_cutouts(self):
 postgres = self.secrets["butler-secret"]["postgres-credentials.txt"]
 self._set("vo-cutouts", "postgres-credentials", postgres)
+ def _sherlock(self):
+ """This secret is for sherlock to push status to status.lsst.codes."""
+ publish_key = secrets.token_hex(32)
+ self._set_generated("sherlock", "publish_key", publish_key)
+
 class OnePasswordSecretGenerator(SecretGenerator):
 """A secret generator that syncs 1Password secrets into a secrets directory
From 4078676ff3e4e8d9bb47590e87a63f6ea9194fc0 Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Thu, 7 Apr 2022 14:32:19 -0700
Subject: [PATCH 0187/1479] [DM-34317] Sherlock chart to 0.1.9
---
 services/sherlock/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/sherlock/Chart.yaml b/services/sherlock/Chart.yaml
index 27db512328..687ec342ee 100644
--- a/services/sherlock/Chart.yaml
+++ b/services/sherlock/Chart.yaml
@@ -3,5 +3,5 @@ name: sherlock
 version: 1.0.0
 dependencies:
 - name: sherlock
- version: 0.1.7
+ version: 0.1.9
 repository: https://lsst-sqre.github.io/charts/
From 5aa02ecba2d2ae0c7bbe1ff2de1c15f0178285ec Mon Sep 17 00:00:00 2001
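Review bot: The new `_sherlock` docstring says what the secret is for but not what the method does or how the value is produced; suggest `"""Generate sherlock's publish key (random 32-byte hex) used to push status to status.lsst.codes."""` so the strength of the credential is documented at the point it is minted. Separately, the `_postgres` hunk renames the key `vo-cutouts_password` to `vo_cutouts_password` with no migration: a secrets directory generated before this change keeps the old key, and whether `_set_generated` preserves an existing value or mints a fresh one on the new key cannot be seen from the hunk — if it mints a fresh one, an already-initialized database will not know the new password, so this is worth confirming against `_set_generated`, which is outside the hunk.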
From: Christine Banek
Date: Thu, 7 Apr 2022 14:51:18 -0700
Subject: [PATCH 0188/1479] [DM-34317] Set sherlock secrets And use new chart version that gates the creation of the vault secret to having a publish URL.
---
 services/sherlock/Chart.yaml | 2 +-
 services/sherlock/values-idfdev.yaml | 1 +
 services/sherlock/values-idfint.yaml | 1 +
 services/sherlock/values-idfprod.yaml | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/services/sherlock/Chart.yaml b/services/sherlock/Chart.yaml
index 687ec342ee..31ec2b9fd6 100644
--- a/services/sherlock/Chart.yaml
+++ b/services/sherlock/Chart.yaml
@@ -3,5 +3,5 @@ name: sherlock
 version: 1.0.0
 dependencies:
 - name: sherlock
- version: 0.1.9
+ version: 0.1.10
 repository: https://lsst-sqre.github.io/charts/
diff --git a/services/sherlock/values-idfdev.yaml b/services/sherlock/values-idfdev.yaml
index 0ba6237ad6..705dffab2e 100644
--- a/services/sherlock/values-idfdev.yaml
+++ b/services/sherlock/values-idfdev.yaml
@@ -3,3 +3,4 @@ sherlock:
 host: "data-dev.lsst.cloud"
 publish_url: "https://status.lsst.codes/api/data-dev"
+ vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.codes/sherlock"
diff --git a/services/sherlock/values-idfint.yaml b/services/sherlock/values-idfint.yaml
index 85682c6e2e..0f5b349c59 100644
--- a/services/sherlock/values-idfint.yaml
+++ b/services/sherlock/values-idfint.yaml
@@ -3,3 +3,4 @@ sherlock:
 host: "data-int.lsst.cloud"
 publish_url: "https://status.lsst.codes/api/data-int"
+ vaultSecretsPath: "secret/k8s_operator/data-int.lsst.codes/sherlock"
diff --git a/services/sherlock/values-idfprod.yaml b/services/sherlock/values-idfprod.yaml
index 9f7253d222..ff04dfec07 100644
--- a/services/sherlock/values-idfprod.yaml
+++ b/services/sherlock/values-idfprod.yaml
@@ -3,3 +3,4 @@ sherlock:
 host: "data.lsst.cloud"
 publish_url: "https://status.lsst.codes/api/data"
+ vaultSecretsPath: "secret/k8s_operator/data.lsst.codes/sherlock"
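Review bot: In the values-idfdev.yaml hunk the new `vaultSecretsPath` is built on the domain `data-dev.lsst.codes`, while the `host` line two lines above is `data-dev.lsst.cloud`; elsewhere on this page Vault paths are keyed on the environment FQDN (`secret/k8s_operator/red-five.lsst.codes/...` for the `red-five.lsst.codes` environment), so this likely names a path the secrets operator will not find and the publish key will never be materialized. The values-idfint.yaml and values-idfprod.yaml hunks carry the same mismatch. Suggest `vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/sherlock"` here and the matching `.lsst.cloud` paths in the other two files.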
From 6295b1faa9072f3ce0ef2feac3d831627e110a0e Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Thu, 7 Apr 2022 15:08:13 -0700
Subject: [PATCH 0189/1479] [DM-34317] Fix secret name .codes -> .cloud
---
 services/sherlock/values-idfdev.yaml | 2 +-
 services/sherlock/values-idfint.yaml | 2 +-
 services/sherlock/values-idfprod.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/sherlock/values-idfdev.yaml b/services/sherlock/values-idfdev.yaml
index 705dffab2e..b597adcf9f 100644
--- a/services/sherlock/values-idfdev.yaml
+++ b/services/sherlock/values-idfdev.yaml
@@ -3,4 +3,4 @@ sherlock:
 host: "data-dev.lsst.cloud"
 publish_url: "https://status.lsst.codes/api/data-dev"
- vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.codes/sherlock"
+ vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/sherlock"
diff --git a/services/sherlock/values-idfint.yaml b/services/sherlock/values-idfint.yaml
index 0f5b349c59..07eb816022 100644
--- a/services/sherlock/values-idfint.yaml
+++ b/services/sherlock/values-idfint.yaml
@@ -3,4 +3,4 @@ sherlock:
 host: "data-int.lsst.cloud"
 publish_url: "https://status.lsst.codes/api/data-int"
- vaultSecretsPath: "secret/k8s_operator/data-int.lsst.codes/sherlock"
+ vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/sherlock"
diff --git a/services/sherlock/values-idfprod.yaml b/services/sherlock/values-idfprod.yaml
index ff04dfec07..40f7024786 100644
--- a/services/sherlock/values-idfprod.yaml
+++ b/services/sherlock/values-idfprod.yaml
@@ -3,4 +3,4 @@ sherlock:
 host: "data.lsst.cloud"
 publish_url: "https://status.lsst.codes/api/data"
- vaultSecretsPath: "secret/k8s_operator/data.lsst.codes/sherlock"
+ vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/sherlock"
From c356f9db6a92f270279034e8c2a15c43acbbe8eb Mon Sep 17 00:00:00 2001
From: Russ Allbery Date: Fri, 8 Apr 2022 12:39:04 -0700 Subject: [PATCH 0190/1479] Remove red-five environment We haven't used this in a while, using minikube and data-dev instead, so remove it to simplify the configuration. --- installer/update_all_secrets.sh | 1 - science-platform/values-red-five.yaml | 64 ------------------- services/argocd/values-red-five.yaml | 43 ------------- services/cert-issuer/values-red-five.yaml | 7 -- services/cert-manager/values-red-five.yaml | 9 --- services/datalinker/values-red-five.yaml | 8 --- services/gafaelfawr/values-red-five.yaml | 30 --------- services/ingress-nginx/values-red-five.yaml | 21 ------ services/mobu/values-red-five.yaml | 0 services/moneypenny/values-red-five.yaml | 9 --- services/nublado2/values-red-five.yaml | 49 -------------- services/obstap/values-red-five.yaml | 16 ----- services/portal/values-red-five.yaml | 3 - services/postgres/values-red-five.yaml | 17 ----- services/semaphore/values-red-five.yaml | 19 ------ services/squareone/values-red-five.yaml | 6 -- services/tap-schema/values-red-five.yaml | 0 services/tap/values-red-five.yaml | 16 ----- .../values-red-five.yaml | 15 ----- 19 files changed, 333 deletions(-) delete mode 100644 science-platform/values-red-five.yaml delete mode 100644 services/argocd/values-red-five.yaml delete mode 100644 services/cert-issuer/values-red-five.yaml delete mode 100644 services/cert-manager/values-red-five.yaml delete mode 100644 services/datalinker/values-red-five.yaml delete mode 100644 services/gafaelfawr/values-red-five.yaml delete mode 100644 services/ingress-nginx/values-red-five.yaml delete mode 100644 services/mobu/values-red-five.yaml delete mode 100644 services/moneypenny/values-red-five.yaml delete mode 100644 services/nublado2/values-red-five.yaml delete mode 100644 services/obstap/values-red-five.yaml delete mode 100644 services/portal/values-red-five.yaml delete mode 100644 services/postgres/values-red-five.yaml delete mode 100644 
services/semaphore/values-red-five.yaml delete mode 100644 services/squareone/values-red-five.yaml delete mode 100644 services/tap-schema/values-red-five.yaml delete mode 100644 services/tap/values-red-five.yaml delete mode 100644 services/vault-secrets-operator/values-red-five.yaml diff --git a/installer/update_all_secrets.sh b/installer/update_all_secrets.sh index 61a810aa60..5c4b5c064b 100755 --- a/installer/update_all_secrets.sh +++ b/installer/update_all_secrets.sh @@ -5,7 +5,6 @@ ./update_secrets.sh base-lsp.lsst.codes ./update_secrets.sh summit-lsp.lsst.codes ./update_secrets.sh tucson-teststand.lsst.codes -./update_secrets.sh red-five.lsst.codes ./update_secrets.sh data.lsst.cloud ./update_secrets.sh data-int.lsst.cloud ./update_secrets.sh data-dev.lsst.cloud diff --git a/science-platform/values-red-five.yaml b/science-platform/values-red-five.yaml deleted file mode 100644 index 8682b8ab4c..0000000000 --- a/science-platform/values-red-five.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -environment: red-five -fqdn: red-five.lsst.codes -vault_path_prefix: secret/k8s_operator/red-five.lsst.codes - -alert_stream_broker: - enabled: false -cachemachine: - enabled: true -cert_issuer: - enabled: true -cert_manager: - enabled: true -datalinker: - enabled: true -exposurelog: - enabled: false -gafaelfawr: - enabled: true -mobu: - enabled: true -ingress_nginx: - enabled: true -moneypenny: - enabled: true -narrativelog: - enabled: false -noteburst: - enabled: false -nublado2: - enabled: true -obstap: - enabled: true -plot_navigator: - enabled: false -portal: - enabled: true -postgres: - enabled: true -sasquatch: - enabled: false -semaphore: - enabled: false -squareone: - enabled: true -squash_api: - enabled: false -strimzi: - enabled: false -strimzi_registry_operator: - enabled: false -tap: - enabled: true -tap_schema: - enabled: true -telegraf: - enabled: true -telegraf-ds: - enabled: true -times_square: - enabled: false -vault_secrets_operator: - enabled: true -vo_cutouts: - enabled: false diff --git a/services/argocd/values-red-five.yaml b/services/argocd/values-red-five.yaml deleted file mode 100644 index 30691c666f..0000000000 --- a/services/argocd/values-red-five.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -argo-cd: - redis: - enabled: true - - server: - ingress: - enabled: true - hosts: - - "red-five.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - - config: - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi - - configs: - secret: - createSecret: false - -vault_secret: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret diff --git a/services/cert-issuer/values-red-five.yaml b/services/cert-issuer/values-red-five.yaml deleted file mode 100644 index a19ce460d3..0000000000 --- a/services/cert-issuer/values-red-five.yaml +++ /dev/null @@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "sqre-admin@lists.lsst.org" - route53: - awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB" - hostedZone: "Z06873202D7WVTZUFOQ42" - vaultSecretPath: "secret/k8s_operator/red-five.lsst.codes/cert-manager" diff --git a/services/cert-manager/values-red-five.yaml b/services/cert-manager/values-red-five.yaml deleted file mode 100644 index a3e61a2a8f..0000000000 --- a/services/cert-manager/values-red-five.yaml +++ /dev/null @@ -1,9 +0,0 @@ -cert-manager: - installCRDs: true - extraArgs: - - --dns01-recursive-nameservers-only - - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 - -pull-secret: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret diff --git a/services/datalinker/values-red-five.yaml b/services/datalinker/values-red-five.yaml deleted file mode 100644 index ea01b10a25..0000000000 
--- a/services/datalinker/values-red-five.yaml +++ /dev/null @@ -1,8 +0,0 @@ -datalinker: - ingress: - enabled: true - host: "red-five.lsst.codes" - -pull-secret: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret diff --git a/services/gafaelfawr/values-red-five.yaml b/services/gafaelfawr/values-red-five.yaml deleted file mode 100644 index 5bee48208b..0000000000 --- a/services/gafaelfawr/values-red-five.yaml +++ /dev/null @@ -1,30 +0,0 @@ -# Reset token storage on every Redis restart. -redis: - persistence: - enabled: false - -config: - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/51ea95a5fac24d5a6f33e658d7d77d2a" - loginParams: - skin: "LSST" - - # Use NCSA groups to determine token scopes. - groupMapping: - "admin:provision": ["lsst_int_lsp_admin"] - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] - - initialAdmins: - - "afausti" - - "athornto" - - "cbanek" - - "frossie" - - "jsick" - - "krughoff" - - "rra" diff --git a/services/ingress-nginx/values-red-five.yaml b/services/ingress-nginx/values-red-five.yaml deleted file mode 100644 index 87187b9389..0000000000 --- a/services/ingress-nginx/values-red-five.yaml +++ /dev/null @@ -1,21 +0,0 @@ -ingress-nginx: - controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" - service: - externalTrafficPolicy: Local - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - -vault_certificate: - enabled: false - -pull-secret: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret 
diff --git a/services/mobu/values-red-five.yaml b/services/mobu/values-red-five.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/services/moneypenny/values-red-five.yaml b/services/moneypenny/values-red-five.yaml deleted file mode 100644 index 491617f1c0..0000000000 --- a/services/moneypenny/values-red-five.yaml +++ /dev/null @@ -1,9 +0,0 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "red-five.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" diff --git a/services/nublado2/values-red-five.yaml b/services/nublado2/values-red-five.yaml deleted file mode 100644 index 4c2ec2b90e..0000000000 --- a/services/nublado2/values-red-five.yaml +++ /dev/null @@ -1,49 +0,0 @@ -jupyterhub: - debug: - enabled: true - - ingress: - hosts: ["red-five.lsst.codes"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://red-five.lsst.codes/login" - -config: - base_url: "https://red-five.lsst.codes" - butler_secret_path: "secret/k8s_operator/red-five.lsst.codes/butler-secret" - pull_secret_path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" - volumes: - - name: home - nfs: - path: /exports/home - server: 10.128.0.49 - - name: datasets - nfs: - path: /exports/datasets - server: 10.128.0.49 - - name: project - nfs: - path: /exports/project - server: 10.128.0.49 - - name: scratch - nfs: - path: /exports/scratch - server: 10.128.0.49 - volume_mounts: - - name: home - mountPath: /home - - name: datasets - mountPath: /datasets - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch - -vault_secret_path: "secret/k8s_operator/red-five.lsst.codes/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" 
diff --git a/services/obstap/values-red-five.yaml b/services/obstap/values-red-five.yaml deleted file mode 100644 index 37d6f5dbcf..0000000000 --- a/services/obstap/values-red-five.yaml +++ /dev/null @@ -1,16 +0,0 @@ -cadc-tap-postgres: - fullnameOverride: "obstap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "red-five.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" diff --git a/services/portal/values-red-five.yaml b/services/portal/values-red-five.yaml deleted file mode 100644 index 2451c233b2..0000000000 --- a/services/portal/values-red-five.yaml +++ /dev/null @@ -1,3 +0,0 @@ -resources: - limits: - memory: "8Gi" diff --git a/services/postgres/values-red-five.yaml b/services/postgres/values-red-five.yaml deleted file mode 100644 index dc712f1b48..0000000000 --- a/services/postgres/values-red-five.yaml +++ /dev/null @@ -1,17 +0,0 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/red-five.lsst.codes/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - image: - tag: '0.0.2' - -pull-secret: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret diff --git a/services/semaphore/values-red-five.yaml b/services/semaphore/values-red-five.yaml deleted file mode 100644 index 28164317b7..0000000000 --- a/services/semaphore/values-red-five.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -semaphore: - config: - phalanx_env: "red-five" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "red-five.lsst.codes" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/semaphore" - -pull-secret: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret diff --git a/services/squareone/values-red-five.yaml b/services/squareone/values-red-five.yaml deleted file mode 100644 index e4df9ea2fd..0000000000 --- a/services/squareone/values-red-five.yaml +++ /dev/null @@ -1,6 +0,0 @@ -config: - siteName: "Rubin Science Platform @ red-five" - -pull-secret: - enabled: true - path: secret/k8s_operator/red-five.lsst.codes/pull-secret diff --git a/services/tap-schema/values-red-five.yaml b/services/tap-schema/values-red-five.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/services/tap/values-red-five.yaml b/services/tap/values-red-five.yaml deleted file mode 100644 index b3e6d9ca9e..0000000000 --- a/services/tap/values-red-five.yaml +++ /dev/null @@ -1,16 +0,0 @@ -cadc-tap: - fullnameOverride: "cadc-tap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "red-five.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/red-five.lsst.codes/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/red-five.lsst.codes/pull-secret" diff --git a/services/vault-secrets-operator/values-red-five.yaml b/services/vault-secrets-operator/values-red-five.yaml deleted file mode 100644 index 51a1243b2d..0000000000 --- a/services/vault-secrets-operator/values-red-five.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 From 70a44f85513978d4c1bc7f4168f88237f9d14df0 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 8 Apr 2022 12:39:50 -0700 Subject: [PATCH 0191/1479] Remove add-pull-secrets We're no longer doing pull secrets this way, and this script is no longer useful. --- tools/addpullsecret/add-pull-secrets.bash | 158 ---------------------- 1 file changed, 158 deletions(-) delete mode 100755 tools/addpullsecret/add-pull-secrets.bash diff --git a/tools/addpullsecret/add-pull-secrets.bash b/tools/addpullsecret/add-pull-secrets.bash deleted file mode 100755 index 6eadf1393f..0000000000 --- a/tools/addpullsecret/add-pull-secrets.bash +++ /dev/null 
@@ -1,158 +0,0 @@ -#!/usr/bin/env bash - -# Requires Bash 4 because we use hashes; brew install bash if you're on -# OS X (it's a GPL3 thing) - -function usage() { - echo 1>&2 "Usage: $0 phalanx-directory" - exit 1 -} - -bv=$(echo ${BASH_VERSION} | cut -d '.' -f 1) -if [ ${bv} -lt 4 ]; then - echo 1>&2 "$0 requires at least bash version 4" - exit 2 -fi - -# Customize as necessary -topdir=$1 - -if [ -z "${topdir}" ]; then - usage -fi -if [ -n "$2" ]; then - usage -fi - -# This builds a list of services that have associated namespaces. -# For instance, cert-manager and cert-issuer share a namespace; we only -# inject a vault secret for pull once per namespace -svcs="argocd cert-manager exposurelog gafaelfawr influxdb kapacitor" -svcs="${svcs} landing-page mobu ingress-nginx narrativelog nublado obstap" -svcs="${svcs} portal postgres tap" - -# This is a list of environments. -envs="base bleed gold-leader idfdev idfint idfprod int kueyen minikube" -envs="${envs} red-five rogue-two stable summit tucson-teststand" - -# These are the services that we're going to add the pull-secret string to: -# Skip cachemachine and nublado2 for now. -# -# Cachemachine, it's called "cachemachine-secret" rather than "pull-secret", -# and counterintuitively, nublado2 doesn't need it--the pods it spawns do, -# and it handles that in the nublado2 resource template yaml. -add_pull="tap obstap exposurelog portal gafaelfawr influxdb kapacitor" -add_pull="${add_pull} landing-page mobu narrativelog nublado postgres" - -# This is what I have run it with so far. -#envs="nublado" - -IFS='' read -r -d '' addreq <<'EOF' -- name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ -EOF - -declare -A pull_secret -for e in ${envs}; do - np="${topdir}/services/nublado/values-${e}.yaml" - if ! [ -e ${np} ]; then - echo 1>&2 "No nublado to query for secret path in env ${e}!" 
- continue - fi - tops=$(grep "secret/k8s_operator" ${np} | head -1 | cut -d / -f 3 ) - if [ -z "${tops}" ] ;then - echo 1>&2 "Could not determine vault secret path for ${e}." - continue - fi - pull_secret[${e}]="secret/k8s_operator/${tops}/pull-secret" -done -for s in ${svcs}; do - svcdir="${topdir}/services/${s}" - for e in ${envs}; do - psp="${pull_secret[${e}]}" - if [ -z "${psp}" ]; then - echo 1>&2 "No vault secret path for ${e}." - continue - fi - IFS='' read -r -d '' addsec </dev/null - rc=$? - if [ ${rc} -eq 0 ] ; then - echo 1>&2 "${efile} already has pull-secret." - else - echo -n "${addsec}" >> ${efile} - fi - done - # Add pull-secret to requirements file. - # ingress-nginx has its dependencies right in Chart.yaml - rfile="${svcdir}/requirements.yaml" - if [ "${s}" == "ingress-nginx" ]; then - rfile="${svcdir}/Chart.yaml" - fi - grep -q "pull-secret" ${rfile} 2>/dev/null - rc=$? - if [ ${rc} -eq 0 ] ; then - echo 1>&2 "${rfile} already has pull-secret." - else - echo -n "${addreq}" >> ${rfile} - fi -done - -for ap in ${add_pull}; do - for e in ${envs}; do - chartname=${ap} - case ${ap} in - tap) - chartname="cadc-tap" - ;; - obstap) - chartname="cadc-tap-postgres" - ;; - portal) - chartname="firefly" - ;; - *) - ;; - esac - svcdir="${topdir}/services/${ap}" - efile="${svcdir}/values-${e}.yaml" - if [ ! -e ${efile} ]; then # Don't add it if it doesn't exist. - continue - fi - # We also need to check for pull_secret being defined in the - # top-level app: this is the glue to actually enable it. - grep -q '^ pull_secret:' ${efile} - rc=$? - if [ ${rc} -eq 0 ] ; then - echo 1>&2 "${efile} already has pull_secret." - else - # Do we have the first line of the values file equalling the - # key? If not, make it so. - head -n 1 ${efile} | grep -q "^${chartname}:" - rc=$? 
- # Sorry about the newlines; running on macOS and real BSD sed - if [ ${rc} -ne 0 ]; then - sed -i .init "0 a \\ -${chartname}: -" ${efile} - fi - sed -i .bak "1 a \\ - pull_secret: 'pull-secret' -" ${efile} - fi - done -done -exit 0 From cf21a928dd34c76446fe25c4a2350187f24957c3 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 8 Apr 2022 12:40:14 -0700 Subject: [PATCH 0192/1479] Add roe to installer/update_all_secrets.sh This is supposed to list all environments, so add that one in. --- installer/update_all_secrets.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/installer/update_all_secrets.sh b/installer/update_all_secrets.sh index 5c4b5c064b..66746ed231 100755 --- a/installer/update_all_secrets.sh +++ b/installer/update_all_secrets.sh @@ -8,3 +8,4 @@ ./update_secrets.sh data.lsst.cloud ./update_secrets.sh data-int.lsst.cloud ./update_secrets.sh data-dev.lsst.cloud +./update_secrets.sh roe From 5c73464e2b277390b5262203aa50fae3a8d083bc Mon Sep 17 00:00:00 2001 
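Review bot: The new `./update_secrets.sh roe` line is the only entry that is not a fully-qualified hostname, while every other line in the hunk passes a `*.lsst.codes` or `*.lsst.cloud` name, so it reads like a typo at first glance. The deleted red-five values files earlier on this page show the argument becoming the `secret/k8s_operator/<name>` Vault path component, and the removed values-roe.yaml in the next commit uses `secret/k8s_operator/roe/...`, so the bare name is presumably correct. A one-line comment above it, `# roe uses a bare environment name as its Vault path component`, would keep the next reader from "fixing" it.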
From: Russ Allbery Date: Fri, 8 Apr 2022 15:46:23 -0700 Subject: [PATCH 0193/1479] Merge cert-manager and cert-issuer Rather than separate cert-manager and cert-issuer applications, the latter using a separate chart from the charts repository, merge all three into a single Argo CD application that optionally creates a cluster issuer. Reduce a lot of repitition between different values files. Drop the dependency on pull-secret, which is pointless since all the containers come from quay.io, for which we don't have a pull secret. --- .../templates/cert-issuer-application.yaml | 21 -------- .../templates/cert-manager-application.yaml | 37 +++++++------ services/cert-issuer/Chart.yaml | 7 --- services/cert-issuer/README.md | 5 -- services/cert-issuer/values-base.yaml | 7 --- services/cert-issuer/values-idfdev.yaml | 7 --- services/cert-issuer/values-idfint.yaml | 7 --- services/cert-issuer/values-idfprod.yaml | 7 --- services/cert-issuer/values-minikube.yaml | 7 --- services/cert-issuer/values-roe.yaml | 7 --- .../cert-issuer/values-squash-sandbox.yaml | 7 --- services/cert-issuer/values-summit.yaml | 7 --- .../cert-issuer/values-tucson-teststand.yaml | 7 --- services/cert-manager/Chart.yaml | 10 ++-- services/cert-manager/README.md | 25 +++++++++ services/cert-manager/README.md.gotmpl | 9 ++++ services/cert-manager/templates/_helpers.tpl | 52 +++++++++++++++++++ .../templates/cluster-issuer.yaml | 24 +++++++++ .../cert-manager/templates/vault-secrets.yaml | 11 ++++ services/cert-manager/values-base.yaml | 13 ++--- services/cert-manager/values-idfdev.yaml | 13 ++--- services/cert-manager/values-idfint.yaml | 13 ++--- services/cert-manager/values-idfprod.yaml | 13 ++--- services/cert-manager/values-minikube.yaml | 11 +--- services/cert-manager/values-roe.yaml | 14 ++--- .../cert-manager/values-squash-sandbox.yaml | 4 ++ services/cert-manager/values-stable.yaml | 9 ---- services/cert-manager/values-summit.yaml | 13 ++--- .../cert-manager/values-tucson-teststand.yaml | 13 
++--- services/cert-manager/values.yaml | 38 +++++++++++++- 30 files changed, 218 insertions(+), 200 deletions(-) delete mode 100644 science-platform/templates/cert-issuer-application.yaml delete mode 100644 services/cert-issuer/Chart.yaml delete mode 100644 services/cert-issuer/README.md delete mode 100644 services/cert-issuer/values-base.yaml delete mode 100644 services/cert-issuer/values-idfdev.yaml delete mode 100644 services/cert-issuer/values-idfint.yaml delete mode 100644 services/cert-issuer/values-idfprod.yaml delete mode 100644 services/cert-issuer/values-minikube.yaml delete mode 100644 services/cert-issuer/values-roe.yaml delete mode 100644 services/cert-issuer/values-squash-sandbox.yaml delete mode 100644 services/cert-issuer/values-summit.yaml delete mode 100644 services/cert-issuer/values-tucson-teststand.yaml create mode 100644 services/cert-manager/README.md create mode 100644 services/cert-manager/README.md.gotmpl create mode 100644 services/cert-manager/templates/_helpers.tpl create mode 100644 services/cert-manager/templates/cluster-issuer.yaml create mode 100644 services/cert-manager/templates/vault-secrets.yaml create mode 100644 services/cert-manager/values-squash-sandbox.yaml delete mode 100644 services/cert-manager/values-stable.yaml diff --git a/science-platform/templates/cert-issuer-application.yaml b/science-platform/templates/cert-issuer-application.yaml deleted file mode 100644 index 40d20da92b..0000000000 --- a/science-platform/templates/cert-issuer-application.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- if .Values.cert_issuer.enabled -}} -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: cert-issuer - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - destination: - namespace: cert-manager - server: https://kubernetes.default.svc - project: default - source: - path: services/cert-issuer - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} - helm: - valueFiles: - - values-{{ .Values.environment }}.yaml -{{- end -}} diff --git a/science-platform/templates/cert-manager-application.yaml b/science-platform/templates/cert-manager-application.yaml index 2069b76dd4..6c6315f45e 100644 --- a/science-platform/templates/cert-manager-application.yaml +++ b/science-platform/templates/cert-manager-application.yaml 
@@ -2,34 +2,41 @@ apiVersion: v1 kind: Namespace metadata: - name: cert-manager + name: "cert-manager" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: cert-manager - namespace: argocd + name: "cert-manager" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: cert-manager - server: https://kubernetes.default.svc - project: default + namespace: "cert-manager" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/cert-manager - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/cert-manager" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} + helm: + parameters: + - name: "globals.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} + valueFiles: + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" ignoreDifferences: - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration + - group: "admissionregistration.k8s.io" + kind: "MutatingWebhookConfiguration" jsonPointers: - "/webhooks/0/clientConfig/caBundle" - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration + - group: "admissionregistration.k8s.io" + kind: "ValidatingWebhookConfiguration" jsonPointers: - "/webhooks/0/clientConfig/caBundle" {{- end -}} diff --git a/services/cert-issuer/Chart.yaml b/services/cert-issuer/Chart.yaml deleted file mode 100644 index f82895ba32..0000000000 --- a/services/cert-issuer/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: cert-issuer -version: 1.0.0 -dependencies: - - name: cert-issuer - version: 1.0.0 - repository: https://lsst-sqre.github.io/charts/ diff --git a/services/cert-issuer/README.md b/services/cert-issuer/README.md deleted file mode 100644 index 8e183b2b21..0000000000 
--- a/services/cert-issuer/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# cert-issuer - -Set up a cert-manager cluster issuer for a Science Platform environment. -Only used in environments where we control our own certificates. -The issuer is separate from the cert-manager application to support environments where someone else manages cert-manager. diff --git a/services/cert-issuer/values-base.yaml b/services/cert-issuer/values-base.yaml deleted file mode 100644 index ff5c31ee08..0000000000 --- a/services/cert-issuer/values-base.yaml +++ /dev/null @@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "sqre-admin@lists.lsst.org" - route53: - awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB" - hostedZone: "Z06873202D7WVTZUFOQ42" - vaultSecretPath: "secret/k8s_operator/base-lsp.lsst.codes/cert-manager" diff --git a/services/cert-issuer/values-idfdev.yaml b/services/cert-issuer/values-idfdev.yaml deleted file mode 100644 index 8acbacb82d..0000000000 --- a/services/cert-issuer/values-idfdev.yaml +++ /dev/null @@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "sqre-admin@lists.lsst.org" - route53: - awsAccessKeyId: "AKIAQSJOS2SFL5I4TYND" - hostedZone: "Z0567328105IEHEMIXLCO" - vaultSecretPath: "secret/k8s_operator/data-dev.lsst.cloud/cert-manager" diff --git a/services/cert-issuer/values-idfint.yaml b/services/cert-issuer/values-idfint.yaml deleted file mode 100644 index 19689bb194..0000000000 --- a/services/cert-issuer/values-idfint.yaml +++ /dev/null @@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "sqre-admin@lists.lsst.org" - route53: - awsAccessKeyId: "AKIAQSJOS2SFL5I4TYND" - hostedZone: "Z0567328105IEHEMIXLCO" - vaultSecretPath: "secret/k8s_operator/data-int.lsst.cloud/cert-manager" diff --git a/services/cert-issuer/values-idfprod.yaml b/services/cert-issuer/values-idfprod.yaml deleted file mode 100644 index 84a5d4a1f4..0000000000 --- a/services/cert-issuer/values-idfprod.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "sqre-admin@lists.lsst.org" - route53: - awsAccessKeyId: "AKIAQSJOS2SFL5I4TYND" - hostedZone: "Z0567328105IEHEMIXLCO" - vaultSecretPath: "secret/k8s_operator/data.lsst.cloud/cert-manager" diff --git a/services/cert-issuer/values-minikube.yaml b/services/cert-issuer/values-minikube.yaml deleted file mode 100644 index 5da7cbb959..0000000000 --- a/services/cert-issuer/values-minikube.yaml +++ /dev/null @@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "sqre-admin@lists.lsst.org" - route53: - awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB" - hostedZone: "Z06873202D7WVTZUFOQ42" - vaultSecretPath: "secret/k8s_operator/minikube.lsst.codes/cert-manager" diff --git a/services/cert-issuer/values-roe.yaml b/services/cert-issuer/values-roe.yaml deleted file mode 100644 index fe52807d9b..0000000000 --- a/services/cert-issuer/values-roe.yaml +++ /dev/null @@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "rsp@roe.ac.uk" - route53: - awsAccessKeyId: "AKIAQSJOS2SFL5I4TYND" - hostedZone: "Z0567328105IEHEMIXLCO" - vaultSecretPath: "secret/k8s_operator/roe/cert-manager" diff --git a/services/cert-issuer/values-squash-sandbox.yaml b/services/cert-issuer/values-squash-sandbox.yaml deleted file mode 100644 index 3939cfc204..0000000000 --- a/services/cert-issuer/values-squash-sandbox.yaml +++ /dev/null @@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "sqre-admin@lists.lsst.org" - route53: - awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB" - hostedZone: "Z06873202D7WVTZUFOQ42" - vaultSecretPath: "secret/k8s_operator/squash-sandbox.lsst.codes/cert-manager" diff --git a/services/cert-issuer/values-summit.yaml b/services/cert-issuer/values-summit.yaml deleted file mode 100644 index 579d9f243b..0000000000 --- a/services/cert-issuer/values-summit.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "sqre-admin@lists.lsst.org" - route53: - awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB" - hostedZone: "Z06873202D7WVTZUFOQ42" - vaultSecretPath: "secret/k8s_operator/summit-lsp.lsst.codes/cert-manager" diff --git a/services/cert-issuer/values-tucson-teststand.yaml b/services/cert-issuer/values-tucson-teststand.yaml deleted file mode 100644 index cf206b9d87..0000000000 --- a/services/cert-issuer/values-tucson-teststand.yaml +++ /dev/null @@ -1,7 +0,0 @@ -cert-issuer: - config: - email: "sqre-admin@lists.lsst.org" - route53: - awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB" - hostedZone: "Z06873202D7WVTZUFOQ42" - vaultSecretPath: "secret/k8s_operator/tucson-teststand.lsst.codes/cert-manager" diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml index b5ba8f8f11..6bcedf4bbe 100644 --- a/services/cert-manager/Chart.yaml +++ b/services/cert-manager/Chart.yaml @@ -1,10 +1,8 @@ apiVersion: v2 name: cert-manager version: 1.0.0 +description: "Let's Encrypt certificate management" dependencies: -- name: cert-manager - version: v1.7.2 - repository: https://charts.jetstack.io -- name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ + - name: cert-manager + version: v1.7.2 + repository: https://charts.jetstack.io diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md new file mode 100644 index 0000000000..a95ce2b7c1 --- /dev/null +++ b/services/cert-manager/README.md 
@@ -0,0 +1,25 @@ +# cert-manager + +Let's Encrypt certificate management + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.jetstack.io | cert-manager | v1.7.2 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cert-manager | object | Install CRDs, force use of Google and Cloudfront DNS servers | Configuration for upstream cert-manager chart | +| config.createIssuer | bool | `true` | Whether to create a Let's Encrypt DNS-based cluster issuer | +| config.email | string | sqre-admin | Contact email address registered with Let's Encrypt | +| config.route53.awsAccessKeyId | string | None, must be set if `createIssuer` is true | AWS access key ID for Route 53 (must match `aws-secret-access-key` in Vault secret referenced by `config.vaultSecretPath`) | +| config.route53.hostedZone | string | None, must be set if `createIssuer` is true | Route 53 hosted zone in which to create challenge records | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| globals.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| nameOverride | string | `""` | Override the base name for resources | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/cert-manager/README.md.gotmpl b/services/cert-manager/README.md.gotmpl new file mode 100644 index 0000000000..4531459bbb --- /dev/null +++ b/services/cert-manager/README.md.gotmpl @@ -0,0 +1,9 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} 
diff --git a/services/cert-manager/templates/_helpers.tpl b/services/cert-manager/templates/_helpers.tpl new file mode 100644 index 0000000000..8707bd4fcd --- /dev/null +++ b/services/cert-manager/templates/_helpers.tpl @@ -0,0 +1,52 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cert-manager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cert-manager.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cert-manager.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "cert-manager.labels" -}} +helm.sh/chart: {{ include "cert-manager.chart" . }} +{{ include "cert-manager.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "cert-manager.selectorLabels" -}} +app.kubernetes.io/name: {{ include "cert-manager.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} 
diff --git a/services/cert-manager/templates/cluster-issuer.yaml b/services/cert-manager/templates/cluster-issuer.yaml new file mode 100644 index 0000000000..4b18b7c3d1 --- /dev/null +++ b/services/cert-manager/templates/cluster-issuer.yaml @@ -0,0 +1,24 @@ +{{- if .Values.config.createIssuer -}} +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ include "cert-manager.fullname" . }}-letsencrypt-dns + labels: + {{- include "cert-manager.labels" . | nindent 4 }} +spec: + acme: + email: {{ required "config.email must be set" .Values.config.email | quote }} + server: "https://acme-v02.api.letsencrypt.org/directory" + privateKeySecretRef: + name: {{ include "cert-manager.fullname" . }}-letsencrypt + solvers: + - dns01: + cnameStrategy: "Follow" + route53: + region: "us-east-1" + accessKeyID: {{ required "config.route53.awsAccessKeyId must be set" .Values.config.route53.awsAccessKeyId | quote }} + hostedZoneID: {{ required "config.route53.hostedZone must be set" .Values.config.route53.hostedZone | quote }} + secretAccessKeySecretRef: + name: {{ include "cert-manager.fullname" . }} + key: "aws-secret-access-key" +{{- end }} diff --git a/services/cert-manager/templates/vault-secrets.yaml b/services/cert-manager/templates/vault-secrets.yaml new file mode 100644 index 0000000000..f700d1c3c6 --- /dev/null +++ b/services/cert-manager/templates/vault-secrets.yaml @@ -0,0 +1,11 @@ +{{- if .Values.config.createIssuer -}} +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ include "cert-manager.fullname" . }} + labels: + {{- include "cert-manager.labels" . | nindent 4 }} +spec: + path: "{{ required "globals.vaultSecretsPath must be set" .Values.globals.vaultSecretsPath }}/cert-manager" + type: Opaque +{{- end }} diff --git a/services/cert-manager/values-base.yaml b/services/cert-manager/values-base.yaml index f9df5cd28d..958b34c026 100644 --- a/services/cert-manager/values-base.yaml +++ b/services/cert-manager/values-base.yaml 
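Review bot: In cluster-issuer.yaml the `secretAccessKeySecretRef` names the Secret by `cert-manager.fullname` with no namespace, and because a ClusterIssuer is cluster-scoped, cert-manager (as far as I recall) resolves that reference in its cluster resource namespace rather than in the Helm release namespace; this only lines up with the VaultSecret created in vault-secrets.yaml because the Application template deploys this chart into the `cert-manager` namespace. That coupling is invisible from the template itself, so a comment such as `{{/* ClusterIssuer secret refs resolve in cert-manager's cluster resource namespace; this chart must be released there */}}` above `secretAccessKeySecretRef` would prevent a surprise if the destination namespace ever changes. The `required` guards on `config.email` and the Route 53 values are a good failure mode for a new environment that forgets its values file while `createIssuer` defaults to true; the README's "must be set if `createIssuer` is true" wording could say that rendering fails rather than the issuer silently not working.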
@@ -1,9 +1,4 @@
-cert-manager:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret
+config:
+ route53:
+ awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB"
+ hostedZone: "Z06873202D7WVTZUFOQ42"
diff --git a/services/cert-manager/values-idfdev.yaml b/services/cert-manager/values-idfdev.yaml
index b106943dd5..b1676a6375 100644
--- a/services/cert-manager/values-idfdev.yaml
+++ b/services/cert-manager/values-idfdev.yaml
@@ -1,9 +1,4 @@
-cert-manager:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret
+config:
+ route53:
+ awsAccessKeyId: "AKIAQSJOS2SFL5I4TYND"
+ hostedZone: "Z0567328105IEHEMIXLCO"
diff --git a/services/cert-manager/values-idfint.yaml b/services/cert-manager/values-idfint.yaml
index 708eb5566f..b1676a6375 100644
--- a/services/cert-manager/values-idfint.yaml
+++ b/services/cert-manager/values-idfint.yaml
@@ -1,9 +1,4 @@
-cert-manager:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/data-int.lsst.cloud/pull-secret
+config:
+ route53:
+ awsAccessKeyId: "AKIAQSJOS2SFL5I4TYND"
+ hostedZone: "Z0567328105IEHEMIXLCO"
diff --git a/services/cert-manager/values-idfprod.yaml b/services/cert-manager/values-idfprod.yaml
index c43fef53b1..b1676a6375 100644
--- a/services/cert-manager/values-idfprod.yaml
+++ b/services/cert-manager/values-idfprod.yaml
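Review bot: values-idfdev.yaml and values-idfint.yaml in this hunk, and values-idfprod.yaml and values-roe.yaml in the next one, configure the identical `awsAccessKeyId` and `hostedZone`, so the one Route 53 credential stored under each environment's Vault path carries write access to the zone that also serves production; a leaked copy of the dev or int secret therefore has production blast radius. If the IAM policy behind that key is not already restricted to challenge TXT records, a per-environment key (or at minimum a comment in values-idfprod.yaml recording that the credential is shared with dev, int and roe) would make the exposure visible to whoever rotates it. The same observation applies to the base/summit/tucson-teststand/squash-sandbox group, which share the other key. Dropping the `pull-secret` stanzas is fine only if the pull-secret subchart is no longer a dependency of this chart; Chart.yaml is outside this diff, so that cannot be confirmed here.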
@@ -1,9 +1,4 @@
-cert-manager:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/data.lsst.cloud/pull-secret
+config:
+ route53:
+ awsAccessKeyId: "AKIAQSJOS2SFL5I4TYND"
+ hostedZone: "Z0567328105IEHEMIXLCO"
diff --git a/services/cert-manager/values-minikube.yaml b/services/cert-manager/values-minikube.yaml
index 329b8ef770..a311844928 100644
--- a/services/cert-manager/values-minikube.yaml
+++ b/services/cert-manager/values-minikube.yaml
@@ -1,9 +1,2 @@
-cert-manager:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/minikube.lsst.codes/pull-secret
+config:
+ createIssuer: false
diff --git a/services/cert-manager/values-roe.yaml b/services/cert-manager/values-roe.yaml
index 113b9af27d..2c27644d49 100644
--- a/services/cert-manager/values-roe.yaml
+++ b/services/cert-manager/values-roe.yaml
@@ -1,9 +1,5 @@
-cert-manager:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/roe/pull-secret
+config:
+ email: "rsp@roe.ac.uk"
+ route53:
+ awsAccessKeyId: "AKIAQSJOS2SFL5I4TYND"
+ hostedZone: "Z0567328105IEHEMIXLCO"
diff --git a/services/cert-manager/values-squash-sandbox.yaml b/services/cert-manager/values-squash-sandbox.yaml
new file mode 100644
index 0000000000..958b34c026
--- /dev/null
+++ b/services/cert-manager/values-squash-sandbox.yaml
@@ -0,0 +1,4 @@
+config:
+ route53:
+ awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB"
+ hostedZone: "Z06873202D7WVTZUFOQ42"
diff --git a/services/cert-manager/values-stable.yaml b/services/cert-manager/values-stable.yaml
deleted file mode 100644
index 580d528f76..0000000000
--- a/services/cert-manager/values-stable.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-cert-manager:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret
diff --git a/services/cert-manager/values-summit.yaml b/services/cert-manager/values-summit.yaml
index 9368f1e2fe..958b34c026 100644
--- a/services/cert-manager/values-summit.yaml
+++ b/services/cert-manager/values-summit.yaml
@@ -1,9 +1,4 @@
-cert-manager:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret
+config:
+ route53:
+ awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB"
+ hostedZone: "Z06873202D7WVTZUFOQ42"
diff --git a/services/cert-manager/values-tucson-teststand.yaml b/services/cert-manager/values-tucson-teststand.yaml
index 2ee2048b5d..958b34c026 100644
--- a/services/cert-manager/values-tucson-teststand.yaml
+++ b/services/cert-manager/values-tucson-teststand.yaml
@@ -1,9 +1,4 @@
-cert-manager:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret
+config:
+ route53:
+ awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB"
+ hostedZone: "Z06873202D7WVTZUFOQ42"
diff --git a/services/cert-manager/values.yaml b/services/cert-manager/values.yaml
index bdbcf1edf0..7c82069d04 100644
--- a/services/cert-manager/values.yaml
+++ b/services/cert-manager/values.yaml
@@ -1,5 +1,39 @@ +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +config: + # -- Whether to create a Let's Encrypt DNS-based cluster issuer + createIssuer: true + + # -- Contact email address registered with Let's Encrypt + # @default -- sqre-admin + email: "sqre-admin@lists.lsst.org" + + # Currently, DNS with Route 53 is the only supported solver mechanism + route53: + # -- AWS access key ID for Route 53 (must match `aws-secret-access-key` in + # Vault secret referenced by `config.vaultSecretPath`) + # @default -- None, must be set if `createIssuer` is true + awsAccessKeyId: "" + + # -- Route 53 hosted zone in which to create challenge records + # @default -- None, must be set if `createIssuer` is true + hostedZone: "" + +# -- Configuration for upstream cert-manager chart +# @default -- Install CRDs, force use of Google and Cloudfront DNS servers cert-manager: installCRDs: true extraArgs: - - --dns01-recursive-nameservers-only - - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 + - "--dns01-recursive-nameservers-only" + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +globals: + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From 7e54a4ea714a5d56acf101a868ef38db6d279b7c Mon Sep 17 00:00:00 2001 
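Review bot: The helm-docs comment on `awsAccessKeyId` tells the reader to match the `aws-secret-access-key` key in "the Vault secret referenced by `config.vaultSecretPath`", but no value of that name exists in this file; the secret path is assembled in vault-secrets.yaml from `globals.vaultSecretsPath`, declared at the bottom of this hunk, plus a fixed `/cert-manager` suffix. "Must match" is also misleading, since the access key ID is paired with the secret key rather than equal to it. A comment such as `# -- AWS access key ID for Route 53 (its secret key must be stored under` / `# `aws-secret-access-key` in the Vault secret at `<globals.vaultSecretsPath>/cert-manager`)` states the real contract; the generated README in the later commit reproduces the wrong name, presumably from this comment, so fixing it here corrects both.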
From: Russ Allbery Date: Fri, 8 Apr 2022 15:56:44 -0700 Subject: [PATCH 0194/1479] Use global, not globals Helm's global variable space is global, not globals. We were using the latter accidentally for several applications. Fix that to use the correct variable. --- .../templates/cert-manager-application.yaml | 2 +- .../templates/gafaelfawr-application.yaml | 6 +++--- science-platform/templates/mobu-application.yaml | 6 +++--- science-platform/templates/portal-application.yaml | 6 +++--- .../templates/tap-schema-application.yaml | 6 +++--- services/cert-manager/README.md | 2 +- services/cert-manager/templates/vault-secrets.yaml | 2 +- services/cert-manager/values.yaml | 2 +- services/gafaelfawr/README.md | 6 +++--- services/gafaelfawr/templates/configmap.yaml | 12 ++++++------ services/gafaelfawr/templates/ingress-rewrite.yaml | 2 +- services/gafaelfawr/templates/ingress.yaml | 2 +- services/gafaelfawr/templates/vault-secret.yaml | 4 ++-- services/gafaelfawr/values.yaml | 2 +- services/mobu/README.md | 6 +++--- services/mobu/templates/deployment.yaml | 2 +- services/mobu/templates/ingress.yaml | 6 +++--- services/mobu/templates/vault-secret.yaml | 4 ++-- services/mobu/values.yaml | 2 +- services/portal/README.md | 6 +++--- services/portal/templates/deployment.yaml | 2 +- services/portal/templates/ingress.yaml | 6 +++--- services/portal/templates/vault-secret.yaml | 4 ++-- services/portal/values.yaml | 2 +- services/tap-schema/templates/vault-secrets.yaml | 2 +- services/tap-schema/values.yaml | 2 +- 26 files changed, 52 insertions(+), 52 deletions(-) diff --git a/science-platform/templates/cert-manager-application.yaml b/science-platform/templates/cert-manager-application.yaml index 6c6315f45e..5bb27033f6 100644 --- a/science-platform/templates/cert-manager-application.yaml +++ b/science-platform/templates/cert-manager-application.yaml 
@@ -25,7 +25,7 @@ spec: targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "globals.vaultSecretsPath" + - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" diff --git a/science-platform/templates/gafaelfawr-application.yaml b/science-platform/templates/gafaelfawr-application.yaml index 1b8dab545e..4eec7a8cb7 100644 --- a/science-platform/templates/gafaelfawr-application.yaml +++ b/science-platform/templates/gafaelfawr-application.yaml @@ -25,11 +25,11 @@ spec: targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "globals.host" + - name: "global.host" value: {{ .Values.fqdn | quote }} - - name: "globals.baseUrl" + - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" - - name: "globals.vaultSecretsPath" + - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" diff --git a/science-platform/templates/mobu-application.yaml b/science-platform/templates/mobu-application.yaml index 2dc600fdb8..135dc420da 100644 --- a/science-platform/templates/mobu-application.yaml +++ b/science-platform/templates/mobu-application.yaml @@ -25,11 +25,11 @@ spec: targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "globals.host" + - name: "global.host" value: {{ .Values.fqdn | quote }} - - name: "globals.baseUrl" + - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" - - name: "globals.vaultSecretsPath" + - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" diff --git a/science-platform/templates/portal-application.yaml b/science-platform/templates/portal-application.yaml index dcee34ec82..87861b1ae4 100644 --- a/science-platform/templates/portal-application.yaml +++ b/science-platform/templates/portal-application.yaml 
@@ -22,11 +22,11 @@ spec: targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "globals.host" + - name: "global.host" value: {{ .Values.fqdn | quote }} - - name: "globals.baseUrl" + - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" - - name: "globals.vaultSecretsPath" + - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" diff --git a/science-platform/templates/tap-schema-application.yaml b/science-platform/templates/tap-schema-application.yaml index 2337ce84d2..f3fa0673f8 100644 --- a/science-platform/templates/tap-schema-application.yaml +++ b/science-platform/templates/tap-schema-application.yaml @@ -25,11 +25,11 @@ spec: targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "globals.host" + - name: "global.host" value: {{ .Values.fqdn | quote }} - - name: "globals.baseUrl" + - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" - - name: "globals.vaultSecretsPath" + - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index a95ce2b7c1..1ff6b789b3 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md 
@@ -18,7 +18,7 @@ Let's Encrypt certificate management | config.route53.awsAccessKeyId | string | None, must be set if `createIssuer` is true | AWS access key ID for Route 53 (must match `aws-secret-access-key` in Vault secret referenced by `config.vaultSecretPath`) | | config.route53.hostedZone | string | None, must be set if `createIssuer` is true | Route 53 hosted zone in which to create challenge records | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| globals.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | nameOverride | string | `""` | Override the base name for resources | ---------------------------------------------- diff --git a/services/cert-manager/templates/vault-secrets.yaml b/services/cert-manager/templates/vault-secrets.yaml index f700d1c3c6..85cd69ef37 100644 --- a/services/cert-manager/templates/vault-secrets.yaml +++ b/services/cert-manager/templates/vault-secrets.yaml @@ -6,6 +6,6 @@ metadata: labels: {{- include "cert-manager.labels" . | nindent 4 }} spec: - path: "{{ required "globals.vaultSecretsPath must be set" .Values.globals.vaultSecretsPath }}/cert-manager" + path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/cert-manager" type: Opaque {{- end }} diff --git a/services/cert-manager/values.yaml b/services/cert-manager/values.yaml index 7c82069d04..760b83fe1e 100644 --- a/services/cert-manager/values.yaml +++ b/services/cert-manager/values.yaml @@ -33,7 +33,7 @@ cert-manager: # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. -globals: +global: # -- Base path for Vault secrets # @default -- Set by Argo CD vaultSecretsPath: "" diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index f645c69314..cfa7fd3496 100644 
--- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -43,9 +43,9 @@ Science Platform authentication and authorization system | config.proxies | list | [`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`] | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging | | config.tokenLifetimeMinutes | int | `43200` (30 days) | Session length and token expiration (in minutes) | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| globals.baseUrl | string | Set by Argo CD | Base URL for the environment | -| globals.host | string | Set by Argo CD | Host name for ingress | -| globals.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Gafaelfawr image | | image.repository | string | `"lsstsqre/gafaelfawr"` | Gafaelfawr image to use | | image.tag | string | The appVersion of the chart | Tag of Gafaelfawr image to use | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 571bd7d645..bc7da1a66f 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -6,7 +6,7 @@ metadata: {{- include "gafaelfawr.labels" . | nindent 4 }} data: gafaelfawr.yaml: | - realm: {{ required "globals.host must be set" .Values.globals.host | quote }} + realm: {{ required "global.host must be set" .Values.global.host | quote }} loglevel: {{ .Values.config.loglevel | quote }} session_secret_file: "/etc/gafaelfawr/secrets/session-secret" database_url: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} 
@@ -19,7 +19,7 @@ data: - {{ $netblock | quote }} {{- end }} {{- end }} - after_logout_url: {{ required "globals.baseUrl must be set" .Values.globals.baseUrl }} + after_logout_url: {{ required "global.baseUrl must be set" .Values.global.baseUrl }} {{- if .Values.config.errorFooter }} error_footer: {{ .Values.config.errorFooter | quote }} {{- end }} @@ -61,7 +61,7 @@ data: {{- if .Values.config.cilogon.redirectUrl }} redirect_url: {{ .Values.config.cilogon.redirectUrl | quote }} {{- else }} - redirect_url: "{{ .Values.globals.baseUrl }}/login" + redirect_url: "{{ .Values.global.baseUrl }}/login" {{- end }} scopes: - "email" @@ -84,7 +84,7 @@ data: {{- if .Values.config.oidc.redirectUrl }} redirect_url: {{ .Values.config.oidc.redirectUrl | quote }} {{- else }} - redirect_url: "{{ .Values.globals.baseUrl }}/login" + redirect_url: "{{ .Values.global.baseUrl }}/login" {{- end }} scopes: {{- with .Values.config.oidc.scopes }} @@ -111,9 +111,9 @@ data: {{- if .Values.config.oidcServer.enabled }} oidc_server: - issuer: "https://{{ .Values.globals.host }}" + issuer: "https://{{ .Values.global.host }}" key_id: "gafaelfawr" - audience: "https://{{ .Values.globals.host }}" + audience: "https://{{ .Values.global.host }}" key_file: "/etc/gafaelfawr/secrets/signing-key" secrets_file: "/etc/gafaelfawr/secrets/oidc-server-secrets" {{- end }} diff --git a/services/gafaelfawr/templates/ingress-rewrite.yaml b/services/gafaelfawr/templates/ingress-rewrite.yaml index 9f36cb2f73..30e399a298 100644 --- a/services/gafaelfawr/templates/ingress-rewrite.yaml +++ b/services/gafaelfawr/templates/ingress-rewrite.yaml @@ -10,7 +10,7 @@ metadata: {{- include "gafaelfawr.labels" . | nindent 4 }} spec: rules: - - host: {{ required "globals.host must be set" .Values.globals.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: "/auth/tokens/id/.*" 
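Review bot: The renamed `after_logout_url: {{ required "global.baseUrl must be set" .Values.global.baseUrl }}` emits the value unquoted, while `realm:` in the previous hunk and the `redirect_url` lines later in this file wrap the same kind of value in quotes; mobu's deployment.yaml has the same pattern with `value: {{ .Values.global.baseUrl }}`. A URL never parses as a non-string scalar, so this is a point of style rather than a defect, but `after_logout_url: {{ required "global.baseUrl must be set" .Values.global.baseUrl | quote }}` keeps the rendered config uniform and guards against any future value that starts with a YAML indicator. The `gafaelfawr.yaml: |` block scalar that contains this line begins outside the hunk.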
diff --git a/services/gafaelfawr/templates/ingress.yaml b/services/gafaelfawr/templates/ingress.yaml index b6af28bf75..8f7f27b24b 100644 --- a/services/gafaelfawr/templates/ingress.yaml +++ b/services/gafaelfawr/templates/ingress.yaml @@ -8,7 +8,7 @@ metadata: {{- include "gafaelfawr.labels" . | nindent 4 }} spec: rules: - - host: {{ required "globals.host must be set" .Values.globals.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: "/auth" diff --git a/services/gafaelfawr/templates/vault-secret.yaml b/services/gafaelfawr/templates/vault-secret.yaml index ca5230200d..701e9afaf7 100644 --- a/services/gafaelfawr/templates/vault-secret.yaml +++ b/services/gafaelfawr/templates/vault-secret.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "gafaelfawr.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPath }}/gafaelfawr" + path: "{{ .Values.global.vaultSecretsPath }}/gafaelfawr" type: Opaque --- apiVersion: ricoberger.de/v1alpha1 @@ -15,5 +15,5 @@ metadata: labels: {{- include "gafaelfawr.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPath }}/pull-secret" + path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" type: "kubernetes.io/dockerconfigjson" diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 8f0c603f8d..bb42dc6799 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -261,7 +261,7 @@ redis: # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. -globals: +global: # -- Base URL for the environment # @default -- Set by Argo CD baseUrl: "" diff --git a/services/mobu/README.md b/services/mobu/README.md index d66d2309b1..a5845bc133 100644 --- a/services/mobu/README.md +++ b/services/mobu/README.md 
@@ -10,9 +10,9 @@ Generate system load by pretending to be a random scientist | autostart | list | `[]` | Autostart specification. Must be a list of mobu flock specifications. Each flock listed will be automatically started when mobu is started. | | cachemachineImagePolicy | string | `"available"` | Cachemachine image policy. Must be one of `desired` or `available`. Determines whether cachemachine reports the images it has or the ones it wants. Should be `desired` in environments with image streaming enabled (e.g. IDF). | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| globals.baseUrl | string | Set by Argo CD | Base URL for the environment | -| globals.host | string | Set by Argo CD | Host name for ingress | -| globals.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the mobu image | | image.repository | string | `"ghcr.io/lsst-sqre/mobu"` | mobu image to use | | image.tag | string | The appVersion of the chart | Tag of mobu image to use | diff --git a/services/mobu/templates/deployment.yaml b/services/mobu/templates/deployment.yaml index 44b5cd8573..d77db21405 100644 --- a/services/mobu/templates/deployment.yaml +++ b/services/mobu/templates/deployment.yaml @@ -36,7 +36,7 @@ spec: - name: "CACHEMACHINE_IMAGE_POLICY" value: {{ .Values.cachemachineImagePolicy }} - name: "ENVIRONMENT_URL" - value: {{ .Values.globals.baseUrl }} + value: {{ .Values.global.baseUrl }} - name: "GAFAELFAWR_TOKEN" valueFrom: secretKeyRef: diff --git a/services/mobu/templates/ingress.yaml b/services/mobu/templates/ingress.yaml index 96f7e5d46b..224615154c 100644 --- a/services/mobu/templates/ingress.yaml 
+++ b/services/mobu/templates/ingress.yaml @@ -6,8 +6,8 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} @@ -17,7 +17,7 @@ metadata: {{- include "mobu.labels" . | nindent 4 }} spec: rules: - - host: {{ required "globals.host must be set" .Values.globals.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: "/mobu" diff --git a/services/mobu/templates/vault-secret.yaml b/services/mobu/templates/vault-secret.yaml index 66b29a3e56..ce08e483b4 100644 --- a/services/mobu/templates/vault-secret.yaml +++ b/services/mobu/templates/vault-secret.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "mobu.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPath }}/mobu" + path: "{{ .Values.global.vaultSecretsPath }}/mobu" type: "Opaque" --- apiVersion: ricoberger.de/v1alpha1 @@ -15,5 +15,5 @@ metadata: labels: {{- include "mobu.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPath }}/pull-secret" + path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" type: "kubernetes.io/dockerconfigjson" diff --git a/services/mobu/values.yaml b/services/mobu/values.yaml index 3f77c0eb11..1ec175569e 100644 --- a/services/mobu/values.yaml +++ b/services/mobu/values.yaml 
@@ -61,7 +61,7 @@ affinity: {} # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. -globals: +global: # -- Base URL for the environment # @default -- Set by Argo CD baseUrl: "" diff --git a/services/portal/README.md b/services/portal/README.md index b4932920c1..fc91c17a32 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -15,9 +15,9 @@ Rubin Science Platform portal aspect | config.volumes.workareaHostPath | string | Use an `emptyDir` | hostPath to mount as a shared work area. Set either this or `workareaNfs`, not both. | | config.volumes.workareaNfs | object | Use an `emptyDir` | NFS information for a shared work area. If set, must have keys for path and server. Set either this or `workareaHostPath`, not both. | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| globals.baseUrl | string | Set by Argo CD | Base URL for the environment | -| globals.host | string | Set by Argo CD | Host name for ingress | -| globals.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Portal image | | image.repository | string | `"ipac/suit"` | Portal image to use | | image.tag | string | The appVersion of the chart | Tag of Portal image to use | diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index faa44d8df6..c0e69caca8 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml 
@@ -39,7 +39,7 @@ spec: name: {{ include "portal.fullname" . }}-secret key: "ADMIN_PASSWORD" - name: "FIREFLY_OPTS" - value: "-Dredis.host={{ include "portal.fullname" . }}-redis -Dsso.req.auth.hosts={{ .Values.globals.host }}" + value: "-Dredis.host={{ include "portal.fullname" . }}-redis -Dsso.req.auth.hosts={{ .Values.global.host }}" - name: "SERVER_CONFIG_DIR" value: "/firefly/config" - name: "CLEANUP_INTERVAL" diff --git a/services/portal/templates/ingress.yaml b/services/portal/templates/ingress.yaml index 1e550b2d3b..74943d7d0e 100644 --- a/services/portal/templates/ingress.yaml +++ b/services/portal/templates/ingress.yaml @@ -24,15 +24,15 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.globals.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.globals.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: rules: - - host: {{ required "globals.host must be set" .Values.globals.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: "/portal/app(/|$)(.*)" diff --git a/services/portal/templates/vault-secret.yaml b/services/portal/templates/vault-secret.yaml index 2263ca5c92..c3bbbb8046 100644 --- a/services/portal/templates/vault-secret.yaml +++ b/services/portal/templates/vault-secret.yaml 
@@ -5,7 +5,7 @@ metadata: labels: {{- include "portal.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPath }}/portal" + path: "{{ .Values.global.vaultSecretsPath }}/portal" type: "Opaque" --- apiVersion: ricoberger.de/v1alpha1 @@ -15,5 +15,5 @@ metadata: labels: {{- include "portal.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPath }}/pull-secret" + path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" type: "kubernetes.io/dockerconfigjson" diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 92d5ad41c7..54f5fdd2cc 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -111,7 +111,7 @@ redis: # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. -globals: +global: # -- Base URL for the environment # @default -- Set by Argo CD baseUrl: "" diff --git a/services/tap-schema/templates/vault-secrets.yaml b/services/tap-schema/templates/vault-secrets.yaml index 24b38cc3f1..10a383ca63 100644 --- a/services/tap-schema/templates/vault-secrets.yaml +++ b/services/tap-schema/templates/vault-secrets.yaml @@ -5,5 +5,5 @@ metadata: labels: {{- include "tap-schema.labels" . | nindent 4 }} spec: - path: "{{ .Values.globals.vaultSecretsPath }}/pull-secret" + path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" type: "kubernetes.io/dockerconfigjson" diff --git a/services/tap-schema/values.yaml b/services/tap-schema/values.yaml index 4ae1572a98..3cef8a7833 100644 --- a/services/tap-schema/values.yaml +++ b/services/tap-schema/values.yaml @@ -34,7 +34,7 @@ affinity: {} # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. -globals: +global: # -- Base URL for the environment # @default -- Set by Argo CD baseUrl: "" From b18f78e23269227afddd8f88802476f5091cecb2 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 8 Apr 2022 16:23:01 -0700 Subject: [PATCH 0195/1479] Update cert-manager cluster issuer and docs Remove the cert-issuer docs and merge them with the cert-manager docs now that the services have been merged. Rename the cluster issuer to avoid both the cert-manager and cert-issuer prefix and just call it letsencrypt-issuer. Update the installer to stop trying to sync cert-issuer. Remove cert-issuer from the science-platform values files. --- docs/index.rst | 1 - docs/ops/bootstrapping.rst | 6 +-- docs/ops/cert-issuer/index.rst | 48 ------------------- .../bootstrapping.rst | 33 ++++++------- docs/ops/cert-manager/index.rst | 36 +++++++++++--- .../route53-setup.rst | 8 ++-- docs/ops/ingress-nginx/certificates.rst | 2 +- docs/ops/squash-api/index.rst | 1 - installer/install.sh | 8 ---- science-platform/values-base.yaml | 2 - science-platform/values-idfdev.yaml | 2 - science-platform/values-idfint.yaml | 2 - science-platform/values-idfprod.yaml | 2 - science-platform/values-int.yaml | 2 - science-platform/values-minikube.yaml | 2 - science-platform/values-roe.yaml | 2 - science-platform/values-squash-sandbox.yaml | 2 - science-platform/values-stable.yaml | 2 - science-platform/values-summit.yaml | 2 - science-platform/values-tucson-teststand.yaml | 2 - science-platform/values.yaml | 2 - .../templates/cluster-issuer.yaml | 2 +- services/squareone/templates/ingress.yaml | 4 +- .../squash-api/values-squash-sandbox.yaml | 4 +- 24 files changed, 58 insertions(+), 119 deletions(-) delete mode 100644 docs/ops/cert-issuer/index.rst rename docs/ops/{cert-issuer => cert-manager}/bootstrapping.rst (70%) rename docs/ops/{cert-issuer => cert-manager}/route53-setup.rst (93%) diff --git a/docs/index.rst b/docs/index.rst index 0126dd397c..51169c4054 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -62,7 +62,6 @@ Services ops/argo-cd/index ops/cachemachine/index - ops/cert-issuer/index ops/cert-manager/index ops/gafaelfawr/index ops/ingress-nginx/index 
diff --git a/docs/ops/bootstrapping.rst b/docs/ops/bootstrapping.rst index 50258ac671..89cc879eba 100644 --- a/docs/ops/bootstrapping.rst +++ b/docs/ops/bootstrapping.rst @@ -37,7 +37,7 @@ Checklist If you are using a cloud provider or something like minikube where the IP address is not yet known, then you will need to create that record once the top-level ingress is created and has an external IP address. The first time you set up the RSP for a given domain (note: *not* hostname, but *domain*, so if you were setting up ``dev.my-rsp.net`` and ``prod.my-rsp.net``, ``dev`` first, you would only need to do this when you created ``dev``), if you are using Let's Encrypt for certificate management (which we highly recommend), you will need to create glue records to enable Let's Encrypt to manage TLS for the domain. - See :doc:`cert-issuer/route53-setup` for more details. + See :doc:`cert-manager/route53-setup` for more details. #. For each enabled service, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__. Customization will vary from service to service, but the most common change required is to set the fully-qualified domain name of the environment to the one that will be used for your new deployment. @@ -74,7 +74,7 @@ There are supported two mechanisms to configure that TLS certificate: #. Configure Let's Encrypt to obtain a certificate via the DNS solver. Once this is configured, TLS will be handled automatically without further human intervention. However, this approach is far more complex to set up and has some significant prerequisites. - For more information, see :doc:`cert-issuer/bootstrapping`. + For more information, see :doc:`cert-manager/bootstrapping`. To use the second approach, you must have the following: 
@@ -179,7 +179,7 @@ This means adding something like the following to ``values-.yaml`` ingress: host: "rsp.example.com" annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + cert-manager.io/cluster-issuer: letsencrypt-dns tls: - secretName: squareone-tls hosts: diff --git a/docs/ops/cert-issuer/index.rst b/docs/ops/cert-issuer/index.rst deleted file mode 100644 index 5a1884575d..0000000000 --- a/docs/ops/cert-issuer/index.rst +++ /dev/null @@ -1,48 +0,0 @@ -########### -cert-issuer -########### - -.. list-table:: - :widths: 10,40 - - * - Edit on GitHub - - `/services/cert-issuer `__ - * - Type - - Helm_ - * - Namespace - - ``cert-issuer`` - -.. rubric:: Overview - -The ``cert-issuer`` service creates a cluster issuer for the use of the Rubin Science Platform. -It depends on `cert-manager `__. -The issuer is named ``cert-issuer-letsencrypt-dns``. - -On most clusters where the Rubin Science Platform manages certificates, this is also handled by the Rubin Science Platform Argo CD, but on the base and summit clusters, cert-manager is maintained by IT and installed outside of Argo CD. -NCSA clusters use NCSA certificates issued via an internal process. - -``cert-issuer`` should only be enabled in environments using Route 53 for DNS and using cert-manager with the DNS solver. -For more information, see :ref:`hostnames`. - -.. rubric:: Using cert-issuer - -To configure an ingress to use certificates issued by it, add a ``tls`` configuration to the ingress and the annotation: - -.. code-block:: yaml - - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - -This should be done on one and only one ingress for a deployment using ``cert-issuer``. -The RSP conventionally uses the ``landing-page`` service. - -.. rubric:: Guides - -.. toctree:: - - route53-setup - bootstrapping - -.. seealso:: - - * :doc:`../cert-manager/index` - * `cert-manager documentation for Route 53 `__. 
diff --git a/docs/ops/cert-issuer/bootstrapping.rst b/docs/ops/cert-manager/bootstrapping.rst similarity index 70% rename from docs/ops/cert-issuer/bootstrapping.rst rename to docs/ops/cert-manager/bootstrapping.rst index c639253908..46c5e2f4ed 100644 --- a/docs/ops/cert-issuer/bootstrapping.rst +++ b/docs/ops/cert-manager/bootstrapping.rst @@ -1,15 +1,15 @@ -######################### -Bootstrapping cert-issuer -######################### +########################## +Bootstrapping cert-manager +########################## -The issuer defined in the ``cert-issuer`` service uses the DNS solver. +The issuer defined in the ``cert-manager`` service uses the DNS solver. The advantage of the DNS solver is that it works behind firewalls and can provision certificates for environments not exposed to the Internet, such as the Tucson teststand. The DNS solver uses an AWS service user with write access to Route 53 to answer Let's Encrypt challenges. -In order to use ``cert-issuer``, you must be hosting the DNS for the external hostname of the Science Platform installation in AWS Route 53. +In order to use ``cert-manager``, you must be hosting the DNS for the external hostname of the Science Platform installation in AWS Route 53. See :ref:`hostnames` for more information. -First, ensure that ``cert-issuer`` is set up for the domain in which the cluster will be hosted. +First, ensure that ``cert-manager`` is set up for the domain in which the cluster will be hosted. If this is a new domain, follow the instructions in :doc:`route53-setup`. Then, in Route 53, create a CNAME from ``_acme-challenge.`` to ``_acme-challenge.tls.`` where ```` is the domain in which the cluster is located (such as ``lsst.codes`` or ``lsst.cloud``). 
@@ -23,13 +23,10 @@ Add the following to the ``values-*.yaml`` file for an environment: .. code-block:: yaml - solver: + config: route53: - aws-access-key-id: - hosted-zone: - vault-secret-path: "secret/k8s_operator//cert-manager" - -replacing ```` with the FQDN of the cluster, corresponding to the root of the Vault secrets for that cluster (see :doc:`../vault-secrets-operator/index`). + awsAccessKeyId: "" + hostedZone: "" ```` and ```` must correspond to the domain under which the cluster is hosted. The values for the two most common Rubin Science Platform domains are: @@ -37,11 +34,11 @@ The values for the two most common Rubin Science Platform domains are: .. code-block:: yaml lsst.codes: - aws-access-key-id: AKIAQSJOS2SFLUEVXZDB - hosted-zone: Z06873202D7WVTZUFOQ42 + awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB" + hostedZone: "Z06873202D7WVTZUFOQ42" lsst.cloud: - aws-access-key-id: AKIAQSJOS2SFKQBMDRGR - hosted-zone: Z0567328105IEHEMIXLCO + awsAccessKeyId: "AKIAQSJOS2SFKQBMDRGR" + hostedZone: "Z0567328105IEHEMIXLCO" This key ID is for an AWS service user that has write access to the ``tls`` subdomain of the domain in which the cluster is hosted, and therefore can answer challenges. @@ -51,8 +48,8 @@ The Vault secret should look something like this: .. code-block:: yaml data: - aws-access-key-id: - aws-secret-access-key: + aws-access-key-id: "" + aws-secret-access-key: "" The secrets for the SQuaRE-maintained Rubin Science Platform domains are stored in 1Password (search for ``cert-manager-lsst-codes`` or ``cert-manager-lsst-cloud``). If this cluster is in the same domain as another, working cluster, you can copy the secret from that cluster into the appropriate path for the new cluster. diff --git a/docs/ops/cert-manager/index.rst b/docs/ops/cert-manager/index.rst index 532b5bf953..719f3ac520 100644 --- a/docs/ops/cert-manager/index.rst +++ b/docs/ops/cert-manager/index.rst 
@@ -17,19 +17,43 @@ cert-manager The ``cert-manager`` service is an installation of `cert-manager `__ from its `Helm chart repository `__. It creates TLS certificates via `Let's Encrypt `__ and automatically renews them. -See the :doc:`cert-issuer service <../cert-issuer/index>` for how ``cert-manager`` is used. - This service is only deployed on clusters managed by SQuaRE. NCSA clusters use NCSA certificates issued via an internal process. -IT manages the cert-manager installation on the base and summit Rubin Science Platform clusters. + +``cert-manager`` creates a cluster issuer that uses the DNS solver and Route 53 for DNS by default. +Set ``config.createIssuer`` to ``false`` for environments where cert-manager should be installed but not use a Route 53 cluster issuer. +For more information, see :ref:`hostnames`. + +.. rubric:: Using cert-manager + +To configure an ingress to use certificates issued by it, add a ``tls`` configuration to the ingress and the annotation: + +.. code-block:: yaml + + cert-manager.io/cluster-issuer: "letsencrypt-dns" + +This should be done on one and only one ingress for a deployment using ``cert-manager``. +The RSP conventionally uses the ``squareone`` service. + +.. rubric:: Upgrading Upgrading cert-manager is generally painless. -The only custom configuration that we use is to tell the Helm chart to install the Custom Resource Definitions. -Watch for changes that require updating ``ClusterIssuer`` or ``Certificate`` resources; those will require corresponding changes to the resources defined in `/services/cert-issuer `__. +The only custom configuration that we use, beyond installing a cluster issuer, is to tell the Helm chart to install the Custom Resource Definitions. Normally, it's not necessary to explicitly test cert-manager after a routine upgrade. We will notice if the certificates expire, and have monitoring of the important ones. 
-However, if you want to be sure that cert-manager is still working after an upgrade, delete the TLS secret in the ``nublado`` namespace. +However, if you want to be sure that cert-manager is still working after an upgrade, delete the TLS secret in the ``squareone`` namespace. It should be recreated by cert-manager. (You may have to also delete the ``Certificate`` resource of the same name and let Argo CD re-create it to trigger this.) This may cause an outage for the Science Platform since it is using this certificate, so you may want to be prepared to port-forward to get to the Argo CD UI in case something goes wrong. + +.. rubric:: Guides + +.. toctree:: + + route53-setup + bootstrapping + +.. seealso:: + + * `cert-manager documentation for Route 53 `__. diff --git a/docs/ops/cert-issuer/route53-setup.rst b/docs/ops/cert-manager/route53-setup.rst similarity index 93% rename from docs/ops/cert-issuer/route53-setup.rst rename to docs/ops/cert-manager/route53-setup.rst index 3743b9d5b8..ca3f582fbc 100644 --- a/docs/ops/cert-issuer/route53-setup.rst +++ b/docs/ops/cert-manager/route53-setup.rst @@ -1,8 +1,8 @@ -################################### -Setting up Route 53 for cert-issuer -################################### +#################################### +Setting up Route 53 for cert-manager +#################################### -Each domain under which ``cert-issuer`` needs to issue certificates must be configured in AWS. +Each domain under which ``cert-manager`` needs to issue certificates must be configured in AWS. This involves creating a new hosted zone for the DNS challenges for that domain, creating an AWS service user with an appropriate IAM policy, and creating an access key for that user which will be used by ``cert-manager``. Normally, DNS challenges work by writing a text record to the ``_acme-challenge.`` record for the hostname for which one is obtaining a certificate. 
diff --git a/docs/ops/ingress-nginx/certificates.rst b/docs/ops/ingress-nginx/certificates.rst index f6d62034f6..ed7198dd73 100644 --- a/docs/ops/ingress-nginx/certificates.rst +++ b/docs/ops/ingress-nginx/certificates.rst @@ -6,7 +6,7 @@ The entire Science Platform uses the same external hostname and relies on NGINX As discussed in :ref:`hostnames`, TLS for the Science Platform can be configured with either a default certificate in ``ingress-nginx`` or through Let's Encrypt with the DNS solver. If an installation is using Let's Encrypt with the DNS solver, no further configuration of the NGINX ingresss is required. -See :doc:`../cert-issuer/bootstrapping` for setup information. +See :doc:`../cert-manager/bootstrapping` for setup information. When using a commercial certificate, that certificate should be configured in the ``values-*.yaml`` for ``ingress-nginx`` for that environment. Specifically, add the following under ``ingress-nginx.controller``: diff --git a/docs/ops/squash-api/index.rst b/docs/ops/squash-api/index.rst index fb44c8e1f2..227b6c8ab5 100644 --- a/docs/ops/squash-api/index.rst +++ b/docs/ops/squash-api/index.rst @@ -22,7 +22,6 @@ You can learn more about SQuaSH in SQR-009_. Currently, the ``squash-api`` is deployed using the ``squash-sandbox`` and ``squash-prod`` environments along with other services: - argo-cd -- cert-issuer - cert-manager - chronograf - gafaelfawr diff --git a/installer/install.sh b/installer/install.sh index 2d1fc0c504..1f1dc6afa7 100755 --- a/installer/install.sh +++ b/installer/install.sh @@ -95,14 +95,6 @@ then kubectl -n cert-manager rollout status deploy/cert-manager-webhook fi -if [ $(yq -r .cert_issuer.enabled ../science-platform/values-$ENVIRONMENT.yaml) == "true" ]; -then - echo "Syncing cert-issuer..." - argocd app sync cert-issuer \ - --port-forward \ - --port-forward-namespace argocd -fi - if [ $(yq -r .postgres.enabled ../science-platform/values-$ENVIRONMENT.yaml) == "true" ]; then echo "Syncing postgres..." 
diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml
index d69e44b25e..a74e7c6c4a 100644
--- a/science-platform/values-base.yaml
+++ b/science-platform/values-base.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: true
cert_manager:
enabled: true
datalinker:
diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml
index c18e0bea6f..c70f4c3cb1 100644
--- a/science-platform/values-idfdev.yaml
+++ b/science-platform/values-idfdev.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: true
cert_manager:
enabled: true
datalinker:
diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml
index 9fa849bade..7e831a870f 100644
--- a/science-platform/values-idfint.yaml
+++ b/science-platform/values-idfint.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: true
cert_manager:
enabled: true
datalinker:
diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml
index 3c50e65456..3d91dde6ca 100644
--- a/science-platform/values-idfprod.yaml
+++ b/science-platform/values-idfprod.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: true
cert_manager:
enabled: true
datalinker:
diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml
index ca00ebfe5b..90c994ee5c 100644
--- a/science-platform/values-int.yaml
+++ b/science-platform/values-int.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: false
cert_manager:
enabled: false
datalinker:
diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml
index 2c09324996..d62c9ba578 100644
--- a/science-platform/values-minikube.yaml
+++ b/science-platform/values-minikube.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: false
cert_manager:
enabled: true
datalinker:
diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml
index 1ac766f80a..3159a23554 100644
--- a/science-platform/values-roe.yaml
+++ b/science-platform/values-roe.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: true
cert_manager:
enabled: true
datalinker:
diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml
index 81de56f598..6f3f3c09d4 100644
--- a/science-platform/values-squash-sandbox.yaml
+++ b/science-platform/values-squash-sandbox.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: false
-cert_issuer:
- enabled: true
cert_manager:
enabled: true
datalinker:
diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml
index 3cef7933e8..8fcd45d336 100644
--- a/science-platform/values-stable.yaml
+++ b/science-platform/values-stable.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: false
cert_manager:
enabled: false
datalinker:
diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml
index 0c50caec00..8e57d2f693 100644
--- a/science-platform/values-summit.yaml
+++ b/science-platform/values-summit.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: true
cert_manager:
enabled: true
datalinker:
diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml
index b5d7f32f14..7d83d04092 100644
--- a/science-platform/values-tucson-teststand.yaml
+++ b/science-platform/values-tucson-teststand.yaml
@@ -6,8 +6,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: true
-cert_issuer:
- enabled: true
cert_manager:
enabled: true
datalinker:
diff --git a/science-platform/values.yaml b/science-platform/values.yaml
index 6c6b2326bc..97da6b3471 100644
--- a/science-platform/values.yaml
+++ b/science-platform/values.yaml
@@ -2,8 +2,6 @@ alert_stream_broker:
enabled: false
cachemachine:
enabled: false
-cert_issuer:
- enabled: false
cert_manager:
enabled: false
datalinker:
diff --git a/services/cert-manager/templates/cluster-issuer.yaml b/services/cert-manager/templates/cluster-issuer.yaml
index 4b18b7c3d1..f36dddfceb 100644
--- a/services/cert-manager/templates/cluster-issuer.yaml
+++ b/services/cert-manager/templates/cluster-issuer.yaml
@@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
- name: {{ include "cert-manager.fullname" . }}-letsencrypt-dns
+ name: "letsencrypt-dns"
labels:
{{- include "cert-manager.labels" . | nindent 4 }}
spec:
diff --git a/services/squareone/templates/ingress.yaml b/services/squareone/templates/ingress.yaml
index dd3deb331e..232bf01236 100644
--- a/services/squareone/templates/ingress.yaml
+++ b/services/squareone/templates/ingress.yaml
@@ -7,9 +7,9 @@ metadata:
labels:
{{- include "squareone.labels" . | nindent 4 }}
annotations:
- kubernetes.io/ingress.class: nginx
+ kubernetes.io/ingress.class: "nginx"
{{- if .Values.ingress.tls }}
- cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns
+ cert-manager.io/cluster-issuer: "letsencrypt-dns"
{{- end }}
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 4 }}
diff --git a/services/squash-api/values-squash-sandbox.yaml b/services/squash-api/values-squash-sandbox.yaml
index 67e1c0cc7b..248713888d 100644
--- a/services/squash-api/values-squash-sandbox.yaml
+++ b/services/squash-api/values-squash-sandbox.yaml
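Review bot: The hard-coded `name: "letsencrypt-dns"` in cluster-issuer.yaml does not match the commit message, which says the issuer is now called `letsencrypt-issuer`; the docs and ingress annotations changed in this same commit all reference `letsencrypt-dns`, so the message is presumably the stale one and should be corrected before merge. Because the name is no longer derived from the release, it has become a cross-chart contract: `docs/ops/bootstrapping.rst`, `services/squareone/templates/ingress.yaml` and `services/squash-api/values-squash-sandbox.yaml` each hard-code it, and a mismatch would leave an ingress without a certificate with no error at template time. A comment above `metadata:` would record that, e.g. `# Fixed name: referenced verbatim by cert-manager.io/cluster-issuer annotations in other charts; rename in lockstep.` The rest of the ClusterIssuer spec lies outside the hunk.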
@@ -27,8 +27,8 @@ squash-api:
enabled: true
annotations:
kubernetes.io/ingress.class: "nginx"
- nginx.ingress.kubernetes.io/rewrite-target: /
- cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns
+ nginx.ingress.kubernetes.io/rewrite-target: "/"
+ cert-manager.io/cluster-issuer: "letsencrypt-dns"
hosts:
- host: squash-sandbox.lsst.codes
paths: ["/"]
From e9d4c03d737f13c7731a8fc62163d8192b112756 Mon Sep 17 00:00:00 2001
From: adam
Date: Mon, 11 Apr 2022 09:48:02 -0700
Subject: [PATCH 0196/1479] add gar_image to phalanx
---
services/cachemachine/values-idfdev.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml
index 6d21998b47..cd43c02465 100644
--- a/services/cachemachine/values-idfdev.yaml
+++ b/services/cachemachine/values-idfdev.yaml
@@ -23,6 +23,7 @@ cachemachine:
"type": "RubinRepoGar",
"registry_url": "us-central1-docker.pkg.dev",
"gar_repository": "sciplat",
+ "gar_image": "sciplat-lab",
"project_id": "rubin-shared-services-71ec",
"location": "us-central1",
"recommended_tag": "recommended",
From 70559b67f2f77a35b5a852630f51757dc6c7e597 Mon Sep 17 00:00:00 2001
From: adam
Date: Mon, 11 Apr 2022 09:52:22 -0700
Subject: [PATCH 0197/1479] Update autostart to RubinRepoGar for int and prod IDF
---
services/cachemachine/values-idfint.yaml | 7 +++++--
services/cachemachine/values-idfprod.yaml | 7 +++++--
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml
index a2cf96433b..65f467c2be 100644
--- a/services/cachemachine/values-idfint.yaml
+++ b/services/cachemachine/values-idfint.yaml
@@ -15,9 +15,12 @@ cachemachine:
"labels": {},
"repomen": [
{
- "type": "RubinRepoMan",
+ "type": "RubinRepoGar",
"registry_url": "us-central1-docker.pkg.dev",
- "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab",
+ "gar_repository": "sciplat",
+ "gar_image": "sciplat-lab",
+ "project_id": "rubin-shared-services-71ec",
+ "location": "us-central1",
"recommended_tag": "recommended",
"num_releases": 1,
"num_weeklies": 2,
diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml
index 5d0c7c90ec..fea4dba53b 100644
--- a/services/cachemachine/values-idfprod.yaml
+++ b/services/cachemachine/values-idfprod.yaml
@@ -15,9 +15,12 @@ cachemachine:
"labels": {},
"repomen": [
{
- "type": "RubinRepoMan",
+ "type": "RubinRepoGar",
"registry_url": "us-central1-docker.pkg.dev",
- "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab",
+ "gar_repository": "sciplat",
+ "gar_image": "sciplat-lab",
+ "project_id": "rubin-shared-services-71ec",
+ "location": "us-central1",
"recommended_tag": "recommended",
"num_releases": 1,
"num_weeklies": 2,
From 5264b75ea7a909bd41088178f8d228db37cb4451 Mon Sep 17 00:00:00 2001
From: adam
Date: Mon, 11 Apr 2022 09:55:31 -0700
Subject: [PATCH 0198/1479] Revert "Update autostart to RubinRepoGar for int and prod IDF"
This reverts commit 70559b67f2f77a35b5a852630f51757dc6c7e597.
---
services/cachemachine/values-idfint.yaml | 7 ++-----
services/cachemachine/values-idfprod.yaml | 7 ++-----
2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml
index 65f467c2be..a2cf96433b 100644
--- a/services/cachemachine/values-idfint.yaml
+++ b/services/cachemachine/values-idfint.yaml
@@ -15,12 +15,9 @@ cachemachine:
"labels": {},
"repomen": [
{
- "type": "RubinRepoGar",
+ "type": "RubinRepoMan",
"registry_url": "us-central1-docker.pkg.dev",
- "gar_repository": "sciplat",
- "gar_image": "sciplat-lab",
- "project_id": "rubin-shared-services-71ec",
- "location": "us-central1",
+ "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab",
"recommended_tag": "recommended",
"num_releases": 1,
"num_weeklies": 2,
diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml
index fea4dba53b..5d0c7c90ec 100644
--- a/services/cachemachine/values-idfprod.yaml
+++ b/services/cachemachine/values-idfprod.yaml
@@ -15,12 +15,9 @@ cachemachine:
"labels": {},
"repomen": [
{
- "type": "RubinRepoGar",
+ "type": "RubinRepoMan",
"registry_url": "us-central1-docker.pkg.dev",
- "gar_repository": "sciplat",
- "gar_image": "sciplat-lab",
- "project_id": "rubin-shared-services-71ec",
- "location": "us-central1",
+ "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab",
"recommended_tag": "recommended",
"num_releases": 1,
"num_weeklies": 2,
From 900b53b255cf7a78304b17ea02805e74d765dc13 Mon Sep 17 00:00:00 2001
From: adam
Date: Fri, 1 Apr 2022 15:32:13 -0700
Subject: [PATCH 0199/1479] Split up prometheus inputs and outputs
---
services/telegraf/values.yaml | 49 ++++++++++++++++++++++++++++++++---
1 file changed, 46 insertions(+), 3 deletions(-)
diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml
index f1a05dcdbf..11458136d4 100644
--- a/services/telegraf/values.yaml
+++ b/services/telegraf/values.yaml
@@ -19,19 +19,36 @@ telegraf:
# -- Cluster name -- should be same as FQDN of RSP endpoint
# @default -- None, must be set
cluster: ""
- # Collect JupyterHub Prometheus metrics by default.
- # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html
inputs:
- prometheus:
+ # Collect JupyterHub Prometheus metrics by default.
+ # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html
urls:
- http://hub.nublado2:8081/metrics
+ tags:
+ - prometheus_app: "hub"
+ metric_version: 2
+ - prometheus:
+ urls:
- http://cert-manager.cert-manager:9402/metrics
+ tags:
+ - prometheus_app: "certmanager"
+ metric_version: 2
+ - prometheus:
+ urls:
- http://argocd-application-controller-metrics.argocd:8082/metrics
- http://argocd-notifications-controller-metrics.argocd:9001/metrics
- http://argocd-redis-metrics.argocd:9121/metrics
- http://argocd-repo-server-metrics.argocd:8084/metrics
- http://argocd-server-metrics.argocd:8083/metrics
+ tags:
+ - prometheus_app: "argocd"
+ metric_version: 2
+ - prometheus:
+ urls:
- http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics
+ tags:
+ - prometheus_app: "ingressnginx"
# See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/
metric_version: 2
# -- Telegraf default output destination.
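Review bot: The `tags:` values added under each new `prometheus` input are sequences of one-key mappings (`- prometheus_app: "hub"`), but Telegraf's `[inputs.prometheus.tags]` is a table, so the rendered TOML will not carry the tag that the new `tagpass` outputs filter on; the same list form is used for `tagpass` in the following hunk. Patches 0201 and 0202 further down this page rewrite both to mapping form (`prometheus_app: "hub"` for tags, `prometheus_app: ["hub"]` for tagpass), so the fix exists but is split across three commits and would be easier to review squashed into this one. Separately, the `# See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/` comment that explains `metric_version: 2` now sits only on the last input although all four set it; moving it above `inputs:` would cover them all.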
@@ -39,9 +56,35 @@ telegraf:
- influxdb_v2:
urls:
- "https://monitoring.lsst.codes"
- bucket: "monitoring"
+ bucket: "prometheus_argocd"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - prometheus_app: "argocd"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "prometheus_hub"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - prometheus_app: "hub"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "prometheus_certmanager"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - prometheus_app: "certmanager"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "prometheus_ingressnginx"
token: "$INFLUX_TOKEN"
organization: "square"
+ tagpass:
+ - prometheus_app: "ingressnginx"
tplVersion: 2
# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`)
From 780467f6434fdb9b89a428f059551b040261dfe7 Mon Sep 17 00:00:00 2001
From: adam
Date: Fri, 1 Apr 2022 16:00:37 -0700
Subject: [PATCH 0200/1479] split up inputs and outputs by app
---
services/telegraf-ds/values.yaml | 180 ++++++++++++++++++++++++++++++-
1 file changed, 179 insertions(+), 1 deletion(-)
diff --git a/services/telegraf-ds/values.yaml b/services/telegraf-ds/values.yaml
index ac18e3b4bc..d45d67879d 100644
--- a/services/telegraf-ds/values.yaml
+++ b/services/telegraf-ds/values.yaml
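Review bot: Replacing the single `monitoring` bucket with four `tagpass`-filtered outputs means any metric that lacks a matching `prometheus_app` tag is silently dropped, because no output accepts it any more; an input added later without the tag, or a tag value that is mistyped on one side, loses data with nothing in the Telegraf log to show it. Keeping one untagged catch-all `influxdb_v2` output (or one with `tagdrop` for the four known apps) would make such gaps visible in InfluxDB instead of invisible. The `urls`/`token`/`organization` triple is now repeated four times; a `# keep the four outputs' connection settings identical` comment above the first would at least flag the duplication for whoever edits one of them.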
@@ -20,9 +20,187 @@ telegraf-ds:
- influxdb_v2:
urls:
- "https://monitoring.lsst.codes"
- bucket: "monitoring"
+ bucket: "k8s_argocd"
token: "$INFLUX_TOKEN"
organization: "square"
+ tagpass:
+ - namespace: "argocd"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_cachemachine"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "cachemachine"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_certmanager"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "cert-manager"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_datalinker"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "datalinker"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_gafaelfawr"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "gafaelfawr"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_ingressnginx"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "ingress-nginx"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_mobu"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "mobu"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_moneypenny"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "moneypenny"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_noteburst"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "noteburst"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_obstap"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "obstap"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_portal"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "portal"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_postgres"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "postgres"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_sasquatch"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "sasquatch"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_semaphore"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "semaphore"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_sherlock"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "sherlock"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_squareone"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "squareone"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_strimzi"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "strimzi"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_tap"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "tap"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_tapschema"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "tap-schema"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_telegraf"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "telegraf"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_telegrafds"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "telegraf-ds"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_timessquare"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "times-square"
+ - influxdb_v2:
+ urls:
+ - "https://monitoring.lsst.codes"
+ bucket: "k8s_vaultsecretsoperator"
+ token: "$INFLUX_TOKEN"
+ organization: "square"
+ tagpass:
+ - namespace: "vault-secrets-operator"
docker_endpoint: ""
# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`)
From f0047dd533503557eda18ffc083c5eec012de48d Mon Sep 17 00:00:00 2001
From: adam
Date: Mon, 4 Apr 2022 16:09:05 -0700
Subject: [PATCH 0201/1479] YAML -> TOML syntax
---
services/telegraf/values.yaml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml
index 11458136d4..43cf9bf029 100644
--- a/services/telegraf/values.yaml
+++ b/services/telegraf/values.yaml
@@ -26,13 +26,13 @@ telegraf:
urls:
- http://hub.nublado2:8081/metrics
tags:
- - prometheus_app: "hub"
+ prometheus_app: "hub"
metric_version: 2
- prometheus:
urls:
- http://cert-manager.cert-manager:9402/metrics
tags:
- - prometheus_app: "certmanager"
+ prometheus_app: "certmanager"
metric_version: 2
- prometheus:
urls:
@@ -42,13 +42,13 @@ telegraf:
- http://argocd-repo-server-metrics.argocd:8084/metrics
- http://argocd-server-metrics.argocd:8083/metrics
tags:
- - prometheus_app: "argocd"
+ prometheus_app: "argocd"
metric_version: 2
- prometheus:
urls:
- http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics
tags:
- - prometheus_app: "ingressnginx"
+ prometheus_app: "ingressnginx"
# See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/
metric_version: 2
# -- Telegraf default output destination.
@@ -60,7 +60,7 @@ telegraf:
token: "$INFLUX_TOKEN"
organization: "square"
tagpass:
- - prometheus_app: "argocd"
+ prometheus_app: "argocd"
- influxdb_v2:
urls:
- "https://monitoring.lsst.codes"
@@ -68,7 +68,7 @@ telegraf:
token: "$INFLUX_TOKEN"
organization: "square"
tagpass:
- - prometheus_app: "hub"
+ prometheus_app: "hub"
- influxdb_v2:
urls:
- "https://monitoring.lsst.codes"
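Review bot: The twenty-three `tagpass:` blocks in telegraf-ds/values.yaml use the sequence-of-mappings form (`- namespace: "argocd"`), which is exactly what patch 0202 on this page later corrects to `prometheus_app: ["argocd"]` for telegraf/values.yaml; no equivalent fix for telegraf-ds appears here, so either the chart renders the two files differently or none of these filters will match. As with telegraf, the former catch-all `monitoring` bucket is gone, so metrics from any namespace not in this list (for example `nublado2`, whose hub is scraped in telegraf/values.yaml) are dropped silently rather than landing in a default bucket; a final `influxdb_v2` output without `tagpass` would make that visible. The namespace-to-bucket mapping (`cert-manager` → `k8s_certmanager`, `times-square` → `k8s_timessquare`) is hand-maintained, so a one-line comment above the first output stating the convention, `# one bucket per namespace: k8s_<namespace with hyphens removed>`, would help whoever adds the next service.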
@@ -76,7 +76,7 @@ telegraf: token: "$INFLUX_TOKEN" organization: "square" tagpass: - - prometheus_app: "certmanager" + prometheus_app: "certmanager" - influxdb_v2: urls: - "https://monitoring.lsst.codes" @@ -84,7 +84,7 @@ telegraf: token: "$INFLUX_TOKEN" organization: "square" tagpass: - - prometheus_app: "ingressnginx" + prometheus_app: "ingressnginx" tplVersion: 2 # -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) From a4e2b4b7f1dc6d9abbfdf2d4bcf1e880af1b2901 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 4 Apr 2022 16:15:24 -0700 Subject: [PATCH 0202/1479] More config syntax --- services/telegraf/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 43cf9bf029..1d302126f0 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -60,7 +60,7 @@ telegraf: token: "$INFLUX_TOKEN" organization: "square" tagpass: - prometheus_app: "argocd" + prometheus_app: ["argocd"] - influxdb_v2: urls: - "https://monitoring.lsst.codes" @@ -68,7 +68,7 @@ telegraf: token: "$INFLUX_TOKEN" organization: "square" tagpass: - prometheus_app: "hub" + prometheus_app: ["hub"] - influxdb_v2: urls: - "https://monitoring.lsst.codes" @@ -76,7 +76,7 @@ telegraf: token: "$INFLUX_TOKEN" organization: "square" tagpass: - prometheus_app: "certmanager" + prometheus_app: ["certmanager"] - influxdb_v2: urls: - "https://monitoring.lsst.codes" @@ -84,7 +84,7 @@ telegraf: token: "$INFLUX_TOKEN" organization: "square" tagpass: - prometheus_app: "ingressnginx" + prometheus_app: ["ingressnginx"] tplVersion: 2 # -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) From 3e91edc548fd4be897b801b32015b57402a75a22 Mon Sep 17 00:00:00 2001 
From: adam Date: Wed, 6 Apr 2022 10:05:37 -0700 Subject: [PATCH 0203/1479] Split argocd measurements with name_override --- services/telegraf/values.yaml | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 1d302126f0..ba9a765b8c 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -35,14 +35,43 @@ telegraf: prometheus_app: "certmanager" metric_version: 2 - prometheus: + # Get all the ArgoCD measurements, and put them into an "argocd" bucket + # but override the measurement names so each category gets its own + # measurements + name_override: "application_controller" + metric_version: 2 + tags: + prometheus_app: "argocd" urls: - http://argocd-application-controller-metrics.argocd:8082/metrics + - prometheus: + name_override: "notifications_controller" + metric_version: 2 + tags: + prometheus_app: "argocd" + urls: - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - prometheus: + name_override: "redis" + metric_version: 2 + tags: + prometheus_app: "argocd" + urls: - http://argocd-redis-metrics.argocd:9121/metrics + - prometheus: + name_override: "repo_server" + metric_version: 2 + tags: + prometheus_app: "argocd" + urls: - http://argocd-repo-server-metrics.argocd:8084/metrics - - http://argocd-server-metrics.argocd:8083/metrics + - prometheus: + name_override: "server" + metric_version: 2 tags: prometheus_app: "argocd" + urls: + - http://argocd-server-metrics.argocd:8083/metrics metric_version: 2 - prometheus: urls: From 6163114f0026e19fa7878113edd4cb5c043371b7 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 6 Apr 2022 10:05:51 -0700 Subject: [PATCH 0204/1479] Add RBAC for K8s input --- services/telegraf/values.yaml | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index ba9a765b8c..5fc605bd7d 100644 
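Review bot: The last `prometheus` entry in this hunk (`name_override: "server"`) ends up with `metric_version: 2` twice — once added above `tags:` and once as the surviving context line after the new `urls:` list that belonged to the old combined argocd input. Duplicate mapping keys are invalid YAML 1.2; some loaders reject the file and others silently keep the last value, and yamllint's `key-duplicates` will flag it either way. Since both values are `2` the fix is just to drop the added `metric_version: 2` from the `server` block (or delete the trailing context line), so that every split input carries the key exactly once.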
--- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -9,6 +9,42 @@ telegraf: secretKeyRef: name: telegraf key: influx-token + rbac: + enabled: true + clusterWide: true + # When using the prometheus input to scrape all pods you need extra + # rules set to the ClusterRole to be able to scan the pods for + # scraping labels. The following rules have been taken from: + # https://github.com/helm/charts/blob/master/stable/prometheus/templates/server-clusterrole.yaml#L8-L46 + rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get service: # -- Telegraf service. enabled: false From 325cb0c2b61acf57f576d6cf70edcd99e2c1e06c Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 6 Apr 2022 10:07:25 -0700 Subject: [PATCH 0205/1479] Add Commented-out Kubernetes input --- services/telegraf/values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 5fc605bd7d..24b142d8de 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -116,6 +116,10 @@ telegraf: prometheus_app: "ingressnginx" # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/ metric_version: 2 +# - kubernetes: +# bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" +# insecure_skip_verify = true +# url = "https://kubernetes.default.svc" # -- Telegraf default output destination. outputs: - influxdb_v2: From 0afe1afc0d447675328b23e5e7a95228c6da44d4 Mon Sep 17 00:00:00 2001 
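Review bot: The ClusterRole added here grants cluster-wide get/list/watch on `configmaps` and `nodes/proxy`, which the prometheus input's pod discovery does not obviously need; the comment says the rules were copied wholesale from the Prometheus server chart. `nodes/proxy` read access reaches the kubelet API through the API server and ConfigMaps routinely hold application configuration, so both widen what this service account can read beyond metrics scraping — I'd trim the first rule to `nodes`, `nodes/metrics`, `services`, `endpoints` and `pods` unless the Kubernetes discovery in Telegraf is confirmed to need more. The `ingresses` entry under the core `""` group is a no-op (Ingress is not in the core group), and the `extensions` ingress rule targets an API group that Kubernetes removed in 1.22; if ingress access is actually required it belongs under `networking.k8s.io`, otherwise both can go.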
From: adam Date: Wed, 6 Apr 2022 10:40:21 -0700 Subject: [PATCH 0206/1479] Add K8s pod monitoring --- services/telegraf/values.yaml | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 24b142d8de..1d7759e0ba 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -43,6 +43,7 @@ telegraf: - watch - nonResourceURLs: - "/metrics" + - "/stats" verbs: - get service: @@ -116,10 +117,13 @@ telegraf: prometheus_app: "ingressnginx" # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/ metric_version: 2 -# - kubernetes: -# bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" -# insecure_skip_verify = true -# url = "https://kubernetes.default.svc" + - kubernetes: + bearer_token: "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify: true + url: "https://kubernetes.default.svc" + # We only care about the applications; GKE does a good job + # with the overall cluster. + namepass: ["kubernetes_pod_container"] # -- Telegraf default output destination. outputs: - influxdb_v2: @@ -154,6 +158,16 @@ telegraf: organization: "square" tagpass: prometheus_app: ["ingressnginx"] + # Kubernetes: split by namespace + - influxdb_v2: + token: "$INFLUX_TOKEN" + urls: + - "https://monitoring.lsst.codes" + organization: "square" + bucket: "k8s_argocd" + namepass: ["kubernetes_pod_container"] + tagpass: + namespace: ["argocd"] tplVersion: 2 # -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) From 079a76e656d322505431a7402750c0cb801d2583 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 6 Apr 2022 10:51:16 -0700 Subject: [PATCH 0207/1479] Comment out k8s input again --- services/telegraf/values.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 1d7759e0ba..b9f2d2e122 100644 
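Review bot: The new `kubernetes` input sets `insecure_skip_verify: true` for `https://kubernetes.default.svc`, yet the pod already has the cluster CA mounted alongside the token it presents, so verification can be kept with `tls_ca: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"` instead of switched off. Separately, Telegraf's kubernetes input reads the kubelet stats endpoint — the DaemonSet configuration later on this page points it at `https://$HOSTIP:10250` — so a URL aimed at the API server service may not return the `kubernetes_pod_container` measurement that `namepass` filters for; worth confirming against the plugin before relying on the new `k8s_argocd` output in the third hunk. The `/stats` nonResourceURL added in the first hunk appears to rest on the same assumption.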
--- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -117,13 +117,13 @@ telegraf: prometheus_app: "ingressnginx" # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/ metric_version: 2 - - kubernetes: - bearer_token: "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify: true - url: "https://kubernetes.default.svc" - # We only care about the applications; GKE does a good job - # with the overall cluster. - namepass: ["kubernetes_pod_container"] +# - kubernetes: +# bearer_token: "/var/run/secrets/kubernetes.io/serviceaccount/token" +# insecure_skip_verify: true +# url: "https://kubernetes.default.svc" +# # We only care about the applications; GKE does a good job +# # with the overall cluster. +# namepass: ["kubernetes_pod_container"] # -- Telegraf default output destination. outputs: - influxdb_v2: From 15f15442c452bd7f558bdcd6e6d9b417b54525d5 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 6 Apr 2022 11:46:26 -0700 Subject: [PATCH 0208/1479] Use literal TOML --- services/telegraf-ds/scripts/generate_toml.py | 63 +++ services/telegraf-ds/values-idfdev.yaml | 183 ++++++++- services/telegraf-ds/values.yaml | 376 +++++++++--------- 3 files changed, 423 insertions(+), 199 deletions(-) create mode 100644 services/telegraf-ds/scripts/generate_toml.py diff --git a/services/telegraf-ds/scripts/generate_toml.py b/services/telegraf-ds/scripts/generate_toml.py new file mode 100644 index 0000000000..e86a786582 --- /dev/null +++ b/services/telegraf-ds/scripts/generate_toml.py 
@@ -0,0 +1,63 @@ +#!/usr/bin/env python3 + +# Run this with one argument: the cluster name that you want tagged in +# the database (e.g. "data-dev.lsst.cloud"). It will generate the +# override_config.toml field for the appropriate configuration, on stdout. + +import sys + +try: + c=sys.argv[1] +except: + c="" + +print( " override_config:") +print( " toml: |+") +print( " [ global_tags ]") +print(f" cluster = \"{c}\"") +print( +""" [ agent ] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]""") + +namespaces = ("argocd", + "cachemachine", + "cert-manager", + "datalinker", + "gafaelfawr", + "ingress-nginx", + "mobu", + "moneypenny", + "noteburst", + "nublado2", + "obstap", + "portal", + "postgres", + "sasquatch", + "semaphore", + "sherlock", + "squareone", + "strimzi", + "tap", + "tap-schema", + "telegraf", + "telegraf-ds", + "times-square", + "vault-secrets-operator") + +for n in namespaces: + print( + ''' [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square"''') + b=n.replace("-","_") + print(f" bucket = \"k8s_{b}\"") + print( " [outputs.influxdb_v2.tagpass]") + print(f" namespace = [\"{n}\"]") + diff --git a/services/telegraf-ds/values-idfdev.yaml b/services/telegraf-ds/values-idfdev.yaml index 2a3cbd110c..281edd3ab8 100644 --- a/services/telegraf-ds/values-idfdev.yaml +++ b/services/telegraf-ds/values-idfdev.yaml 
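Review bot: The bare `except:` around `c=sys.argv[1]` catches everything, including `SystemExit` and `KeyboardInterrupt`, just to fall back to an empty cluster name; `except IndexError:` states the intent and nothing more. The cluster name is then interpolated into the TOML unescaped in `print(f" cluster = \"{c}\"")`, so a value containing a double quote yields an invalid config — a small check or `c.replace('"', '\\"')` covers it. Finally the emitted header uses `toml: |+`, which preserves every trailing newline of the block; `|` is sufficient unless the chart relies on trailing blank lines.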
@@ -1,6 +1,183 @@ telegraf-ds: - config: - global_tags: - cluster: data-dev.lsst.cloud + override_config: + toml: |+ + [ global_tags ] + cluster = "data-dev.lsst.cloud" + [ agent ] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_argocd" + [outputs.influxdb_v2.tagpass] + namespace = ["argocd"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cachemachine" + [outputs.influxdb_v2.tagpass] + namespace = ["cachemachine"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cert_manager" + [outputs.influxdb_v2.tagpass] + namespace = ["cert-manager"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_datalinker" + [outputs.influxdb_v2.tagpass] + namespace = ["datalinker"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_gafaelfawr" + [outputs.influxdb_v2.tagpass] + namespace = ["gafaelfawr"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_ingress_nginx" + [outputs.influxdb_v2.tagpass] + namespace = ["ingress-nginx"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_mobu" + [outputs.influxdb_v2.tagpass] + namespace = ["mobu"] + [[outputs.influxdb_v2]] + urls = 
["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_moneypenny" + [outputs.influxdb_v2.tagpass] + namespace = ["moneypenny"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_noteburst" + [outputs.influxdb_v2.tagpass] + namespace = ["noteburst"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_nublado2" + [outputs.influxdb_v2.tagpass] + namespace = ["nublado2"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_obstap" + [outputs.influxdb_v2.tagpass] + namespace = ["obstap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_portal" + [outputs.influxdb_v2.tagpass] + namespace = ["portal"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_postgres" + [outputs.influxdb_v2.tagpass] + namespace = ["postgres"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_sasquatch" + [outputs.influxdb_v2.tagpass] + namespace = ["sasquatch"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_semaphore" + [outputs.influxdb_v2.tagpass] + namespace = ["semaphore"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_sherlock" + [outputs.influxdb_v2.tagpass] + namespace = ["sherlock"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_squareone" + 
[outputs.influxdb_v2.tagpass] + namespace = ["squareone"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_strimzi" + [outputs.influxdb_v2.tagpass] + namespace = ["strimzi"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_tap" + [outputs.influxdb_v2.tagpass] + namespace = ["tap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_tap_schema" + [outputs.influxdb_v2.tagpass] + namespace = ["tap-schema"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf_ds" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf-ds"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_times_square" + [outputs.influxdb_v2.tagpass] + namespace = ["times-square"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_vault_secrets_operator" + [outputs.influxdb_v2.tagpass] + namespace = ["vault-secrets-operator"] vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf-ds/values.yaml b/services/telegraf-ds/values.yaml index d45d67879d..8c9dfdcc8f 100644 --- a/services/telegraf-ds/values.yaml +++ b/services/telegraf-ds/values.yaml 
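Review bot: `insecure_skip_verify = true` in the `[[inputs.kubernetes]]` block means the service-account bearer token is presented to whatever answers on `$HOSTIP:10250` without the kubelet's certificate being checked; the `values.yaml` hunk of this commit contains the same block. Where the kubelet serving certificate is issued by the cluster CA, `tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"` keeps verification on; where it is not (self-signed kubelet certificates are common), the reason for skipping verification should be recorded in a comment next to that line so it is not mistaken for an oversight. Because this file is generated output, the comment is best added in the generator so it survives regeneration.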
@@ -6,202 +6,186 @@ telegraf-ds: secretKeyRef: name: telegraf key: influx-token - config: - global_tags: - # -- Cluster name -- should be same as FQDN of RSP endpoint - # @default -- None, must be set - cluster: "" - # -- Set for differentiation of Telegraf service from - # Telegraf-daemonset - telegraf_daemonset: "true" - agent: - hostname: "telegraf-$HOSTIP" - outputs: - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_argocd" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "argocd" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_cachemachine" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "cachemachine" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_certmanager" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "cert-manager" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_datalinker" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "datalinker" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_gafaelfawr" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "gafaelfawr" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_ingressnginx" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "ingress-nginx" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_mobu" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "mobu" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_moneypenny" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "moneypenny" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_noteburst" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "noteburst" - - influxdb_v2: - urls: - - 
"https://monitoring.lsst.codes" - bucket: "k8s_obstap" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "obstap" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_portal" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "portal" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_postgres" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "postgres" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_sasquatch" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "sasquatch" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_semaphore" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "semaphore" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_sherlock" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "sherlock" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_squareone" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "squareone" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_strimzi" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "strimzi" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_tap" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "tap" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_tapschema" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "tap-schema" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_telegraf" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "telegraf" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_telegrafds" - token: "$INFLUX_TOKEN" - organization: 
"square" - tagpass: - - namespace: "telegraf-ds" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_timessquare" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "times-square" - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "k8s_vaultsecretsoperator" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - - namespace: "vault-secrets-operator" - docker_endpoint: "" + override_config: + toml: |+ + [ global_tags ] + cluster = "" + [ agent ] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_argocd" + [outputs.influxdb_v2.tagpass] + namespace = ["argocd"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cachemachine" + [outputs.influxdb_v2.tagpass] + namespace = ["cachemachine"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cert_manager" + [outputs.influxdb_v2.tagpass] + namespace = ["cert-manager"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_datalinker" + [outputs.influxdb_v2.tagpass] + namespace = ["datalinker"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_gafaelfawr" + [outputs.influxdb_v2.tagpass] + namespace = ["gafaelfawr"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = 
"k8s_ingress_nginx" + [outputs.influxdb_v2.tagpass] + namespace = ["ingress-nginx"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_mobu" + [outputs.influxdb_v2.tagpass] + namespace = ["mobu"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_moneypenny" + [outputs.influxdb_v2.tagpass] + namespace = ["moneypenny"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_noteburst" + [outputs.influxdb_v2.tagpass] + namespace = ["noteburst"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_nublado2" + [outputs.influxdb_v2.tagpass] + namespace = ["nublado2"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_obstap" + [outputs.influxdb_v2.tagpass] + namespace = ["obstap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_portal" + [outputs.influxdb_v2.tagpass] + namespace = ["portal"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_postgres" + [outputs.influxdb_v2.tagpass] + namespace = ["postgres"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_sasquatch" + [outputs.influxdb_v2.tagpass] + namespace = ["sasquatch"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_semaphore" + [outputs.influxdb_v2.tagpass] + namespace = ["semaphore"] + [[outputs.influxdb_v2]] + urls = 
["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_sherlock" + [outputs.influxdb_v2.tagpass] + namespace = ["sherlock"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_squareone" + [outputs.influxdb_v2.tagpass] + namespace = ["squareone"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_strimzi" + [outputs.influxdb_v2.tagpass] + namespace = ["strimzi"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_tap" + [outputs.influxdb_v2.tagpass] + namespace = ["tap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_tap_schema" + [outputs.influxdb_v2.tagpass] + namespace = ["tap-schema"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf_ds" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf-ds"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_times_square" + [outputs.influxdb_v2.tagpass] + namespace = ["times-square"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_vault_secrets_operator" + [outputs.influxdb_v2.tagpass] + namespace = ["vault-secrets-operator"] # -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) # shared with telegraf (non-DaemonSet) 
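Review bot: Six output buckets are renamed in this hunk without mention in the commit message — `k8s_certmanager`, `k8s_ingressnginx`, `k8s_tapschema`, `k8s_telegrafds`, `k8s_timessquare` and `k8s_vaultsecretsoperator` on the removed side become `k8s_cert_manager`, `k8s_ingress_nginx`, `k8s_tap_schema`, `k8s_telegraf_ds`, `k8s_times_square` and `k8s_vault_secrets_operator`, and the `values-idfdev.yaml` hunk carries the same new names. As far as I know the influxdb_v2 output does not create buckets, so writes to names that do not yet exist in the `square` org will fail until someone creates them; either keep the old names or call out the rename and the required bucket setup. The removed `global_tags` also carried `telegraf_daemonset: "true"`, documented as distinguishing the DaemonSet from the Telegraf service, while the new `[ global_tags ]` has only `cluster`; if dashboards still key on that tag, add `telegraf_daemonset = "true"` under `[ global_tags ]`.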
From 737a818ec61c850376d135437cd02bf04c432932 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 7 Apr 2022 16:30:17 -0700 Subject: [PATCH 0209/1479] Add generated configuration to telegraf-ds --- science-platform/values.yaml | 8 +- services/telegraf-ds/README.md | 20 ++ services/telegraf-ds/scripts/generate-values | 219 ++++++++++++++++++ services/telegraf-ds/scripts/generate_toml.py | 63 ----- services/telegraf-ds/scripts/requirements.txt | 1 + services/telegraf-ds/values-base.yaml | 115 ++++++++- services/telegraf-ds/values-idfdev.yaml | 147 ++++++------ services/telegraf-ds/values-idfint.yaml | 164 ++++++++++++- services/telegraf-ds/values-idfprod.yaml | 157 ++++++++++++- services/telegraf-ds/values-int.yaml | 143 +++++++++++- services/telegraf-ds/values-minikube.yaml | 157 ++++++++++++- services/telegraf-ds/values-red-five.yaml | 132 +++++++++++ services/telegraf-ds/values-roe.yaml | 118 ++++++++++ .../telegraf-ds/values-squash-sandbox.yaml | 69 ++++++ services/telegraf-ds/values-stable.yaml | 129 ++++++++++- services/telegraf-ds/values-summit.yaml | 122 +++++++++- .../telegraf-ds/values-tucson-teststand.yaml | 115 ++++++++- services/telegraf-ds/values.yaml | 179 +------------- 18 files changed, 1699 insertions(+), 359 deletions(-) create mode 100644 services/telegraf-ds/README.md create mode 100755 services/telegraf-ds/scripts/generate-values delete mode 100644 services/telegraf-ds/scripts/generate_toml.py create mode 100644 services/telegraf-ds/scripts/requirements.txt create mode 100644 services/telegraf-ds/values-red-five.yaml create mode 100644 services/telegraf-ds/values-roe.yaml create mode 100644 services/telegraf-ds/values-squash-sandbox.yaml diff --git a/science-platform/values.yaml b/science-platform/values.yaml index 97da6b3471..f2a56f5336 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml 
@@ -32,10 +32,6 @@ postgres: enabled: false sasquatch: enabled: false -telegraf: - enabled: false -telegraf-ds: - enabled: false semaphore: enabled: false sherlock: @@ -52,6 +48,10 @@ tap: enabled: false tap_schema: enabled: false +telegraf: + enabled: false +telegraf-ds: + enabled: false times_square: enabled: false vault_secrets_operator: diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md new file mode 100644 index 0000000000..9cda49d1c5 --- /dev/null +++ b/services/telegraf-ds/README.md @@ -0,0 +1,20 @@ +# telegraf-ds + +SQuaRE DaemonSet (K8s) telemetry collection service + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://helm.influxdata.com/ | telegraf-ds | 1.0.34 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| telegraf-ds.env[0] | object | `{"name":"INFLUX_TOKEN","valueFrom":{"secretKeyRef":{"key":"influx-token","name":"telegraf"}}}` | Token to communicate with Influx | +| telegraf-ds.override_config.toml | string | `"[ global_tags ]\n cluster = \"no_endpoint\"\n[ agent ]\n hostname = \"telegraf-$HOSTIP\"\n[[inputs.kubernetes]]\n url = \"https://$HOSTIP:10250\"\n bearer_token = \"/var/run/secrets/kubernetes.io/serviceaccount/token\"\n insecure_skip_verify = true\n namepass = [\"kubernetes_pod_container\"]\n fieldpass = [\"cpu_usage_nanocores\", \"memory_usage_bytes\"]\n"` | | +| vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//telegraf`) shared with telegraf (non-DaemonSet) | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/telegraf-ds/scripts/generate-values b/services/telegraf-ds/scripts/generate-values new file mode 100755 index 0000000000..d9a8b2003d --- /dev/null +++ b/services/telegraf-ds/scripts/generate-values 
@@ -0,0 +1,219 @@ +#!/usr/bin/env python3 + +# Run this with no arguments. It will generate the values files in the +# directory above the one where this script lives. +# +# This is handy because, as long as we're specifying the Telegraf TOML +# directly, which we have to do because telegraf-ds hasn't been updated to +# template version 2, we can't do the input and output splitting we want to +# do. + +import glob +import json +import logging +import os +import re +import sys +import yaml + +from os.path import basename +from pathlib import Path +from typing import Any, Dict, Set, Tuple + +class TelegrafDSValuesWriter(object): + """ + The TelegrafDSValuesWriter uses its knowledge of where it lives (the + scripts directory in the telegraf-ds service) to parse the science-platform + configurations to determine for which environments it should create files, + and then to generate the files to write. + """ + def __init__(self, *args, **kwargs) -> None: + logging.basicConfig(encoding='utf-8', level=logging.DEBUG) + self.log = logging.getLogger() + self.template_re = re.compile('(\{\{.*?\}\})') + self.instances: Dict[str,Any] = {} + self.applications: Tuple(str) = tuple() + self.config: Dict[str,str] = {} + self.namespaces: Dict[str,Set[str]] = {} + + def load_config(self) -> None: + """Populate our instance attributes with data from our yaml.""" + self.instances = self.find_instances() + self.applications = self.find_applications() + self.namespaces = self.find_app_namespaces() + + def _get_science_platform_path(self) -> str: + """Convenience method to extract the science-platform root directory. 
+ """ + me = Path.resolve(Path(sys.argv[0])) + # ./..[telegraf-ds]/..[services]/science-platform + sp_path = str(me.parents[3]) + "/science-platform" + return sp_path + + def find_instances(self) -> Dict[str,Any]: + """Read the science-platform config to determine which instances + there are.""" + val_path = self._get_science_platform_path() + val_files = glob.glob(val_path + "/values-*yaml") + inst_settings = dict() + for v in val_files: + iname = v.split('-')[-1][:-5] + with open(v) as f: + inst_settings[iname] = yaml.safe_load(f) + return inst_settings + + def find_applications(self) -> Tuple[str]: + """Find all the defined applications from science-platform config.""" + val_path = self._get_science_platform_path() + val_file = val_path + "/values.yaml" + applications = tuple() + with open(val_file) as f: + apps=yaml.safe_load(f) + for app in apps: + # Skip the fields that are not apps + if app in ("repoURL", "revision", "onepassword_uuid"): + continue + applications += (app,) + return applications + + def find_app_namespaces(self) -> Dict[str,Set[str]]: + """From our list of applications, parse the application YAML for each + to determine whether it has namespaces, and create that mapping. + """ + apps = self.applications + ns = {} + for app in apps: + ns[app] = self.parse_app_template(app) + return ns + + def parse_app_template(self, app:str) -> Set[str]: + """Read the application definition to extract its namespace(s) if any. + """ + # In general, if there's a namespace defined for the app, there's + # only one and it's the app name with _ replaced by -, so all this + # is kind of superfluous. + val_path = self._get_science_platform_path() + namespaces = set() + if app == "vault_secrets_operator": + # The namespace is precreated so the read secret can be + # preinstalled. 
+ namespaces.add("vault-secrets-operator") + return namespaces + dashapp = app.replace('_', '-') + app_file = f"{val_path}/templates/{dashapp}-application.yaml" + detemplated_contents = self.strip_templates(app_file) + app_docs=yaml.safe_load_all(detemplated_contents) + for doc in app_docs: + kind = doc.get("kind","") + if kind != "Namespace": + continue + ns = doc["metadata"]["name"] + namespaces.add(ns) + return namespaces + + def strip_templates(self, app_file:str) -> str: + """The YAML is actually Helm-templated yaml. For what we're doing, + just stripping all the templates out works fine. + """ + contents = "" + with open(app_file) as f: + while True: + inp_l = f.readline() + if not inp_l: + break + outp_l = re.sub(self.template_re,'', inp_l) + contents += outp_l + return contents + + def build_telegraf_override_conf(self, instance: str) -> str: + """For each instance, generate the (literal) contents for + telegraf.conf""" + endpoint=self.instances.get(instance,{}).get("fqdn","no_endpoint") + tc = " override_config:\n" + tc += " toml: |+\n" + tc += " [ global_tags ]\n" + tc += f" cluster = \"{endpoint}\"\n" + tc += """ [ agent ] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] +""" + tc += self.build_outputs(instance) + return tc + + def build_outputs(self, instance: str) -> str: + """For each instance, generate the list of outputs for each metric. 
+ """ + outp = "" + i_obj = self.instances.get(instance, {}) + for app in self.applications: + if not i_obj.get(app,{}).get("enabled",False): + continue + namespace_set = self.namespaces.get(app, None) + if not namespace_set: + continue + for namespace in namespace_set: + outp +=''' [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" +''' + bucket = namespace.replace("-", "_") + outp += f" bucket = \"k8s_{bucket}\"\n" + outp += " [outputs.influxdb_v2.tagpass]\n" + outp += f" namespace = [\"{namespace}\"]\n" + return outp + + def build_yaml(self) -> None: + self.config["generic"] = self.build_generic_yaml() + for instance in self.instances: + self.config[instance]=self.build_instance_yaml(instance) + + def build_generic_yaml(self) -> None: + cf='''# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) +# shared with telegraf (non-DaemonSet) +# @default -- None, must be set +vaultSecretsPath: "" +telegraf-ds: + env: + # -- Token to communicate with Influx + - name: INFLUX_TOKEN + valueFrom: + secretKeyRef: + name: telegraf + key: influx-token +''' + cf += self.build_telegraf_override_conf("generic") + return cf + + def build_instance_yaml(self, instance:str) -> str: + secrets_path=self.instances[instance].get("fqdn","") + cf = f"vaultSecretsPath: \"{secrets_path}\"\n" + cf = "telegraf-ds:\n" + cf += self.build_telegraf_override_conf(instance) + return cf + + def write_yaml(self) -> None: + me = Path.resolve(Path(sys.argv[0])) + val_path = str(me.parents[1]) + for instance in self.config: + if instance == "generic": + val_file = f"{val_path}/values.yaml" + else: + env_name = self.instances[instance]["environment"] + val_file = f"{val_path}/values-{env_name}.yaml" + with open(val_file,"w") as f: + f.write(self.config[instance]) + +def main() -> None: + gen = TelegrafDSValuesWriter() + gen.load_config() + gen.build_yaml() + gen.write_yaml() + +if __name__ == "__main__": + main() 
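Review bot: `build_instance_yaml` assigns `cf` twice, so the `vaultSecretsPath` line built from `fqdn` is thrown away and every generated per-environment file omits the key — the values-base, values-idfdev, values-idfint, values-idfprod and values-int hunks below all delete the old `vaultSecretsPath: secret/k8s_operator/<fqdn>` line with nothing replacing it, while the README still documents the value as "None, must be set". Even without the overwrite the first line would emit the bare `fqdn` rather than the `secret/k8s_operator/` prefix the old files carried; `cf = f"vaultSecretsPath: \"secret/k8s_operator/{secrets_path}\"\n"` followed by `cf += "telegraf-ds:\n"` restores both, assuming that prefix is the convention the secret consumer expects. Two smaller points in the same file: `self.applications: Tuple(str) = tuple()` is never evaluated in function scope so it does not fail, but the intended annotation is `Tuple[str, ...]`, and `build_generic_yaml` is annotated `-> None` while returning a `str`. The emitted `[[inputs.kubernetes]]` block carries `insecure_skip_verify = true` forward for the kubelet connection; if a CA that signs the kubelet serving certificate is mounted in the pod, pointing the plugin's `tls_ca` at it would let verification be enabled — kubelet serving certs are often not cluster-CA signed, which is presumably why it is off.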
diff --git a/services/telegraf-ds/scripts/generate_toml.py b/services/telegraf-ds/scripts/generate_toml.py deleted file mode 100644 index e86a786582..0000000000 --- a/services/telegraf-ds/scripts/generate_toml.py +++ /dev/null @@ -1,63 +0,0 @@ -#!/usr/bin/env python3 - -# Run this with one argument: the cluster name that you want tagged in -# the database (e.g. "data-dev.lsst.cloud"). It will generate the -# override_config.toml field for the appropriate configuration, on stdout. - -import sys - -try: - c=sys.argv[1] -except: - c="" - -print( " override_config:") -print( " toml: |+") -print( " [ global_tags ]") -print(f" cluster = \"{c}\"") -print( -""" [ agent ] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]""") - -namespaces = ("argocd", - "cachemachine", - "cert-manager", - "datalinker", - "gafaelfawr", - "ingress-nginx", - "mobu", - "moneypenny", - "noteburst", - "nublado2", - "obstap", - "portal", - "postgres", - "sasquatch", - "semaphore", - "sherlock", - "squareone", - "strimzi", - "tap", - "tap-schema", - "telegraf", - "telegraf-ds", - "times-square", - "vault-secrets-operator") - -for n in namespaces: - print( - ''' [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square"''') - b=n.replace("-","_") - print(f" bucket = \"k8s_{b}\"") - print( " [outputs.influxdb_v2.tagpass]") - print(f" namespace = [\"{n}\"]") - diff --git a/services/telegraf-ds/scripts/requirements.txt b/services/telegraf-ds/scripts/requirements.txt new file mode 100644 index 0000000000..5500f007d0 --- /dev/null +++ b/services/telegraf-ds/scripts/requirements.txt @@ -0,0 +1 @@ +PyYAML 
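Review bot: `PyYAML` is added to requirements.txt unpinned, so each run of the generator installs whatever release the index serves that day and the tool run is not reproducible across operators' machines. Pinning it, e.g. `PyYAML==<pinned version>`, optionally with `--hash=` entries, keeps the generator's input deterministic; the script only calls `yaml.safe_load` and `yaml.safe_load_all`, so a pinned recent release should presumably suffice.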
diff --git a/services/telegraf-ds/values-base.yaml b/services/telegraf-ds/values-base.yaml
index 886449ee01..829333c176 100644
--- a/services/telegraf-ds/values-base.yaml
+++ b/services/telegraf-ds/values-base.yaml
@@ -1,6 +1,111 @@ telegraf-ds: - config: - global_tags: - cluster: base-lsp.lsst.codes - -vaultSecretsPath: secret/k8s_operator/base-lsp.lsst.codes + override_config: + toml: |+ + [ global_tags ] + cluster = "base-lsp.lsst.codes" + [ agent ] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cachemachine" + [outputs.influxdb_v2.tagpass] + namespace = ["cachemachine"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cert_manager" + [outputs.influxdb_v2.tagpass] + namespace = ["cert-manager"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_exposurelog" + [outputs.influxdb_v2.tagpass] + namespace = ["exposurelog"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_gafaelfawr" + [outputs.influxdb_v2.tagpass] + namespace = ["gafaelfawr"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_ingress_nginx" + [outputs.influxdb_v2.tagpass] + namespace = ["ingress-nginx"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_moneypenny" + [outputs.influxdb_v2.tagpass] + namespace = ["moneypenny"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_narrativelog" + [outputs.influxdb_v2.tagpass] + 
namespace = ["narrativelog"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_nublado2" + [outputs.influxdb_v2.tagpass] + namespace = ["nublado2"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_portal" + [outputs.influxdb_v2.tagpass] + namespace = ["portal"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_postgres" + [outputs.influxdb_v2.tagpass] + namespace = ["postgres"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_squareone" + [outputs.influxdb_v2.tagpass] + namespace = ["squareone"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf_ds" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf-ds"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_vault_secrets_operator" + [outputs.influxdb_v2.tagpass] + namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-idfdev.yaml b/services/telegraf-ds/values-idfdev.yaml index 281edd3ab8..97f140d1ed 100644 --- a/services/telegraf-ds/values-idfdev.yaml +++ b/services/telegraf-ds/values-idfdev.yaml 
@@ -12,172 +12,163 @@ telegraf-ds: namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_argocd" - [outputs.influxdb_v2.tagpass] - namespace = ["argocd"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + 
token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_noteburst" [outputs.influxdb_v2.tagpass] namespace = ["noteburst"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + 
urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_sasquatch" [outputs.influxdb_v2.tagpass] namespace = ["sasquatch"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_semaphore" [outputs.influxdb_v2.tagpass] namespace = ["semaphore"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_strimzi" [outputs.influxdb_v2.tagpass] namespace = ["strimzi"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - 
token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_telegraf" [outputs.influxdb_v2.tagpass] namespace = ["telegraf"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_telegraf_ds" [outputs.influxdb_v2.tagpass] namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_times_square" [outputs.influxdb_v2.tagpass] namespace = ["times-square"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "k8s_vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] - -vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf-ds/values-idfint.yaml b/services/telegraf-ds/values-idfint.yaml index f9e088f19a..7e5f90a00d 100644 --- a/services/telegraf-ds/values-idfint.yaml +++ b/services/telegraf-ds/values-idfint.yaml 
@@ -1,6 +1,160 @@ telegraf-ds: - config: - global_tags: - cluster: data-int.lsst.cloud - -vaultSecretsPath: secret/k8s_operator/data-int.lsst.cloud + override_config: + toml: |+ + [ global_tags ] + cluster = "data-int.lsst.cloud" + [ agent ] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cachemachine" + [outputs.influxdb_v2.tagpass] + namespace = ["cachemachine"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cert_manager" + [outputs.influxdb_v2.tagpass] + namespace = ["cert-manager"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_datalinker" + [outputs.influxdb_v2.tagpass] + namespace = ["datalinker"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_gafaelfawr" + [outputs.influxdb_v2.tagpass] + namespace = ["gafaelfawr"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_ingress_nginx" + [outputs.influxdb_v2.tagpass] + namespace = ["ingress-nginx"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_mobu" + [outputs.influxdb_v2.tagpass] + namespace = ["mobu"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_moneypenny" + [outputs.influxdb_v2.tagpass] + namespace = 
["moneypenny"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_nublado2" + [outputs.influxdb_v2.tagpass] + namespace = ["nublado2"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_obstap" + [outputs.influxdb_v2.tagpass] + namespace = ["obstap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_plot_navigator" + [outputs.influxdb_v2.tagpass] + namespace = ["plot-navigator"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_portal" + [outputs.influxdb_v2.tagpass] + namespace = ["portal"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_postgres" + [outputs.influxdb_v2.tagpass] + namespace = ["postgres"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_semaphore" + [outputs.influxdb_v2.tagpass] + namespace = ["semaphore"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_sherlock" + [outputs.influxdb_v2.tagpass] + namespace = ["sherlock"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_squareone" + [outputs.influxdb_v2.tagpass] + namespace = ["squareone"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_tap" + [outputs.influxdb_v2.tagpass] + namespace = ["tap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = 
"k8s_tap_schema" + [outputs.influxdb_v2.tagpass] + namespace = ["tap-schema"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf_ds" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf-ds"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_vault_secrets_operator" + [outputs.influxdb_v2.tagpass] + namespace = ["vault-secrets-operator"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_vo_cutouts" + [outputs.influxdb_v2.tagpass] + namespace = ["vo-cutouts"] diff --git a/services/telegraf-ds/values-idfprod.yaml b/services/telegraf-ds/values-idfprod.yaml index 59d5804154..096d98f6eb 100644 --- a/services/telegraf-ds/values-idfprod.yaml +++ b/services/telegraf-ds/values-idfprod.yaml 
@@ -1,6 +1,153 @@ telegraf-ds: - config: - global_tags: - cluster: data.lsst.cloud - -vaultSecretsPath: secret/k8s_operator/data.lsst.cloud + override_config: + toml: |+ + [ global_tags ] + cluster = "data.lsst.cloud" + [ agent ] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cachemachine" + [outputs.influxdb_v2.tagpass] + namespace = ["cachemachine"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_cert_manager" + [outputs.influxdb_v2.tagpass] + namespace = ["cert-manager"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_datalinker" + [outputs.influxdb_v2.tagpass] + namespace = ["datalinker"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_gafaelfawr" + [outputs.influxdb_v2.tagpass] + namespace = ["gafaelfawr"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_ingress_nginx" + [outputs.influxdb_v2.tagpass] + namespace = ["ingress-nginx"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_mobu" + [outputs.influxdb_v2.tagpass] + namespace = ["mobu"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_moneypenny" + [outputs.influxdb_v2.tagpass] + namespace = ["moneypenny"] + 
[[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_nublado2" + [outputs.influxdb_v2.tagpass] + namespace = ["nublado2"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_obstap" + [outputs.influxdb_v2.tagpass] + namespace = ["obstap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_portal" + [outputs.influxdb_v2.tagpass] + namespace = ["portal"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_postgres" + [outputs.influxdb_v2.tagpass] + namespace = ["postgres"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_semaphore" + [outputs.influxdb_v2.tagpass] + namespace = ["semaphore"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_sherlock" + [outputs.influxdb_v2.tagpass] + namespace = ["sherlock"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_squareone" + [outputs.influxdb_v2.tagpass] + namespace = ["squareone"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_tap" + [outputs.influxdb_v2.tagpass] + namespace = ["tap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_tap_schema" + [outputs.influxdb_v2.tagpass] + namespace = ["tap-schema"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf" + 
[outputs.influxdb_v2.tagpass] + namespace = ["telegraf"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_telegraf_ds" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf-ds"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_vault_secrets_operator" + [outputs.influxdb_v2.tagpass] + namespace = ["vault-secrets-operator"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "k8s_vo_cutouts" + [outputs.influxdb_v2.tagpass] + namespace = ["vo-cutouts"] diff --git a/services/telegraf-ds/values-int.yaml b/services/telegraf-ds/values-int.yaml index 9e8d8c6234..6aada9f0b6 100644 --- a/services/telegraf-ds/values-int.yaml +++ b/services/telegraf-ds/values-int.yaml 
@@ -1,6 +1,139 @@
 telegraf-ds:
- config:
- global_tags:
- cluster: lsst-lsp-int.ncsa.illinois.edu
-
-vaultSecretsPath: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu
+ override_config:
+ toml: |+
+ [ global_tags ]
+ cluster = "lsst-lsp-int.ncsa.illinois.edu"
+ [ agent ]
+ hostname = "telegraf-$HOSTIP"
+ [[inputs.kubernetes]]
+ url = "https://$HOSTIP:10250"
+ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ insecure_skip_verify = true
+ namepass = ["kubernetes_pod_container"]
+ fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cachemachine"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cachemachine"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_datalinker"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["datalinker"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_gafaelfawr"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["gafaelfawr"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_mobu"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["mobu"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_moneypenny"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["moneypenny"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_nublado2"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["nublado2"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_obstap"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["obstap"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_portal"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["portal"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_postgres"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["postgres"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_sasquatch"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["sasquatch"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_sherlock"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["sherlock"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_squareone"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["squareone"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_strimzi"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["strimzi"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap_schema"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap-schema"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf_ds"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf-ds"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_vault_secrets_operator"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["vault-secrets-operator"]
diff --git a/services/telegraf-ds/values-minikube.yaml b/services/telegraf-ds/values-minikube.yaml
index 7f7b78ada0..c8bbd70986 100644
--- a/services/telegraf-ds/values-minikube.yaml
+++ b/services/telegraf-ds/values-minikube.yaml
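Review bot: `insecure_skip_verify = true` in the `[[inputs.kubernetes]]` block turns off certificate verification for `url = "https://$HOSTIP:10250"` while the same request carries the pod's service-account token from `/var/run/secrets/kubernetes.io/serviceaccount/token`, so the token is presented to whatever answers on that port without the kubelet ever being authenticated. If the kubelets in this cluster serve certificates issued by the cluster CA (this varies by distribution), replace the flag with `tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"`; if they are self-signed, keep the flag but record the exception above it, e.g. `# kubelet serving certs are not issued by the cluster CA; verification disabled on purpose`, so it does not get copied into every cluster file as an unexplained default. The same twelve-line input block appears verbatim in each of the other per-cluster files in this commit.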
@@ -1,6 +1,153 @@
 telegraf-ds:
- config:
- global_tags:
- cluster: minikube.lsst.codes
-
-vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes
+ override_config:
+ toml: |+
+ [ global_tags ]
+ cluster = "minikube.lsst.codes"
+ [ agent ]
+ hostname = "telegraf-$HOSTIP"
+ [[inputs.kubernetes]]
+ url = "https://$HOSTIP:10250"
+ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ insecure_skip_verify = true
+ namepass = ["kubernetes_pod_container"]
+ fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cachemachine"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cachemachine"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cert_manager"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cert-manager"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_datalinker"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["datalinker"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_gafaelfawr"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["gafaelfawr"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_ingress_nginx"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["ingress-nginx"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_mobu"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["mobu"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_moneypenny"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["moneypenny"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_noteburst"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["noteburst"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_nublado2"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["nublado2"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_obstap"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["obstap"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_portal"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["portal"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_postgres"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["postgres"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_semaphore"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["semaphore"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_sherlock"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["sherlock"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_squareone"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["squareone"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap_schema"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap-schema"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf_ds"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf-ds"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_vault_secrets_operator"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["vault-secrets-operator"]
diff --git a/services/telegraf-ds/values-red-five.yaml b/services/telegraf-ds/values-red-five.yaml
new file mode 100644
index 0000000000..782c3421d9
--- /dev/null
+++ b/services/telegraf-ds/values-red-five.yaml
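Review bot: The twenty `[[outputs.influxdb_v2]]` tables repeat `urls`, `token = "$INFLUX_TOKEN"` and `organization = "square"` verbatim, and the same shape is duplicated in every sibling per-cluster file, so renaming the token variable or moving the endpoint becomes a multi-hundred-line edit spread over the repository. Since the override is one TOML block scalar it cannot be factored at the YAML level, but a header comment stating the rule, e.g. `# One output per monitored namespace; the bucket is k8s_<namespace> with dashes replaced by underscores`, would at least make the generator obvious, and rendering the list from a namespace array in a chart template would remove the duplication entirely. It is also worth confirming that the token behind `$INFLUX_TOKEN` is scoped to write-only on these `k8s_*` buckets, because the DaemonSet places it on every node.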
@@ -0,0 +1,132 @@
+telegraf-ds:
+ override_config:
+ toml: |+
+ [ global_tags ]
+ cluster = "red-five.lsst.codes"
+ [ agent ]
+ hostname = "telegraf-$HOSTIP"
+ [[inputs.kubernetes]]
+ url = "https://$HOSTIP:10250"
+ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ insecure_skip_verify = true
+ namepass = ["kubernetes_pod_container"]
+ fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cachemachine"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cachemachine"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cert_manager"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cert-manager"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_datalinker"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["datalinker"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_gafaelfawr"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["gafaelfawr"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_ingress_nginx"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["ingress-nginx"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_mobu"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["mobu"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_moneypenny"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["moneypenny"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_nublado2"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["nublado2"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_obstap"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["obstap"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_portal"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["portal"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_postgres"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["postgres"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_squareone"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["squareone"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap_schema"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap-schema"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf_ds"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf-ds"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_vault_secrets_operator"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["vault-secrets-operator"]
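Review bot: Nothing in this new file says that the list of `tagpass` namespaces has to track what is actually deployed on `red-five.lsst.codes`; a pod in a namespace with no matching output matches none of the `[outputs.influxdb_v2.tagpass]` filters and its `cpu_usage_nanocores`/`memory_usage_bytes` series are silently dropped. A one-line header above `override_config`, e.g. `# Add an output block for every namespace deployed on this cluster; unlisted namespaces are not written anywhere`, would make that maintenance rule explicit. The `insecure_skip_verify = true` on the kubelet input carries the same caveat as in the other per-cluster files.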
diff --git a/services/telegraf-ds/values-roe.yaml b/services/telegraf-ds/values-roe.yaml
new file mode 100644
index 0000000000..bc1e169b10
--- /dev/null
+++ b/services/telegraf-ds/values-roe.yaml
@@ -0,0 +1,118 @@
+telegraf-ds:
+ override_config:
+ toml: |+
+ [ global_tags ]
+ cluster = "rsp.lsst.ac.uk"
+ [ agent ]
+ hostname = "telegraf-$HOSTIP"
+ [[inputs.kubernetes]]
+ url = "https://$HOSTIP:10250"
+ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ insecure_skip_verify = true
+ namepass = ["kubernetes_pod_container"]
+ fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cachemachine"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cachemachine"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cert_manager"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cert-manager"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_gafaelfawr"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["gafaelfawr"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_ingress_nginx"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["ingress-nginx"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_mobu"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["mobu"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_moneypenny"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["moneypenny"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_nublado2"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["nublado2"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_portal"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["portal"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_postgres"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["postgres"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_squareone"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["squareone"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap_schema"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap-schema"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf_ds"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf-ds"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_vault_secrets_operator"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["vault-secrets-operator"]
diff --git a/services/telegraf-ds/values-squash-sandbox.yaml b/services/telegraf-ds/values-squash-sandbox.yaml
new file mode 100644
index 0000000000..95769f3391
--- /dev/null
+++ b/services/telegraf-ds/values-squash-sandbox.yaml
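Review bot: The `cluster` tag here is `"rsp.lsst.ac.uk"` while the file is `values-roe.yaml`, the only per-cluster file in this commit whose tag does not match the environment name, so someone reading a series tagged `cluster=rsp.lsst.ac.uk` in Influx cannot tell from the tag which values file produced it. A comment above `[ global_tags ]`, e.g. `# "roe" environment; the public hostname is used as the cluster tag`, would close that gap. The kubelet input's `insecure_skip_verify = true` carries the same caveat raised on the other per-cluster files: the service-account `bearer_token` is sent without the kubelet's certificate being verified.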
@@ -0,0 +1,69 @@
+telegraf-ds:
+ override_config:
+ toml: |+
+ [ global_tags ]
+ cluster = "squash-sandbox.lsst.codes"
+ [ agent ]
+ hostname = "telegraf-$HOSTIP"
+ [[inputs.kubernetes]]
+ url = "https://$HOSTIP:10250"
+ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ insecure_skip_verify = true
+ namepass = ["kubernetes_pod_container"]
+ fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cert_manager"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cert-manager"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_gafaelfawr"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["gafaelfawr"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_ingress_nginx"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["ingress-nginx"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_postgres"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["postgres"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_squash_api"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["squash-api"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf_ds"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf-ds"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_vault_secrets_operator"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["vault-secrets-operator"]
diff --git a/services/telegraf-ds/values-stable.yaml b/services/telegraf-ds/values-stable.yaml
index 9df526ff0c..896b6cd7f8 100644
--- a/services/telegraf-ds/values-stable.yaml
+++ b/services/telegraf-ds/values-stable.yaml
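Review bot: The kubelet input keeps `insecure_skip_verify = true` next to `bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"`, so on every node of this sandbox the service-account token is handed to whatever listens on `$HOSTIP:10250` without the peer being authenticated. Where the kubelet certificates chain to the cluster CA, `tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"` is the drop-in replacement; where they do not, a comment on the line explaining why verification is off would keep the exception from being copied without thought. This file monitors only eight namespaces, far fewer than the other clusters, and a note that the smaller set is intentional would stop a later reader from "completing" it.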
@@ -1,6 +1,125 @@
 telegraf-ds:
- config:
- global_tags:
- cluster: lsst-lsp-stable.ncsa.illinois.edu
-
-vaultSecretsPath: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu
+ override_config:
+ toml: |+
+ [ global_tags ]
+ cluster = "lsst-lsp-stable.ncsa.illinois.edu"
+ [ agent ]
+ hostname = "telegraf-$HOSTIP"
+ [[inputs.kubernetes]]
+ url = "https://$HOSTIP:10250"
+ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ insecure_skip_verify = true
+ namepass = ["kubernetes_pod_container"]
+ fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cachemachine"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cachemachine"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_datalinker"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["datalinker"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_gafaelfawr"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["gafaelfawr"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_mobu"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["mobu"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_moneypenny"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["moneypenny"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_nublado2"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["nublado2"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_obstap"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["obstap"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_portal"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["portal"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_postgres"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["postgres"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_sasquatch"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["sasquatch"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_sherlock"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["sherlock"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_squareone"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["squareone"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_strimzi"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["strimzi"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_tap_schema"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["tap-schema"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_vault_secrets_operator"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["vault-secrets-operator"]
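Review bot: Unlike `values-int.yaml`, this list has no output for the `telegraf` or `telegraf-ds` namespaces, so on `lsst-lsp-stable` the agent's own pods (presumably running in `telegraf-ds`) and the non-DaemonSet telegraf match no `tagpass` filter and their CPU/memory series are discarded. If that is deliberate, a comment above the first output such as `# telegraf / telegraf-ds intentionally not monitored on stable` would record it; otherwise add the two blocks with `bucket = "k8s_telegraf"` and `bucket = "k8s_telegraf_ds"` as the int file has. The `insecure_skip_verify = true` kubelet input carries the same caveat raised on the other per-cluster files.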
diff --git a/services/telegraf-ds/values-summit.yaml b/services/telegraf-ds/values-summit.yaml
index 6169dd9560..71a07660fa 100644
--- a/services/telegraf-ds/values-summit.yaml
+++ b/services/telegraf-ds/values-summit.yaml
@@ -1,6 +1,118 @@
 telegraf-ds:
- config:
- global_tags:
- cluster: summit-lsp.lsst.codes
-
-vaultSecretsPath: secret/k8s_operator/summit-lsp.lsst.codes
+ override_config:
+ toml: |+
+ [ global_tags ]
+ cluster = "summit-lsp.lsst.codes"
+ [ agent ]
+ hostname = "telegraf-$HOSTIP"
+ [[inputs.kubernetes]]
+ url = "https://$HOSTIP:10250"
+ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ insecure_skip_verify = true
+ namepass = ["kubernetes_pod_container"]
+ fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cachemachine"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cachemachine"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cert_manager"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cert-manager"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_exposurelog"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["exposurelog"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_gafaelfawr"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["gafaelfawr"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_ingress_nginx"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["ingress-nginx"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_moneypenny"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["moneypenny"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_narrativelog"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["narrativelog"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_nublado2"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["nublado2"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_portal"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["portal"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_postgres"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["postgres"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_sherlock"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["sherlock"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_squareone"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["squareone"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_telegraf_ds"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["telegraf-ds"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_vault_secrets_operator"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["vault-secrets-operator"]
diff --git a/services/telegraf-ds/values-tucson-teststand.yaml b/services/telegraf-ds/values-tucson-teststand.yaml
index cb6dff6a4f..9dfee715e0 100644
--- a/services/telegraf-ds/values-tucson-teststand.yaml
+++ b/services/telegraf-ds/values-tucson-teststand.yaml
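Review bot: The `tagpass` set here (`exposurelog`, `narrativelog`, no `tap`/`tap-schema`/`mobu`) differs from the science-platform clusters, but nothing in the file says that the difference is by design, so the next person reconciling these near-identical files has no way to tell intent from omission. A header comment above `override_config`, e.g. `# Summit deployment: observatory services (exposurelog, narrativelog) instead of the TAP/mobu stack`, would fix that. As in the other per-cluster files, `insecure_skip_verify = true` on the kubelet input should either become `tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"` (if the kubelet certs chain to the cluster CA) or be justified in a comment, since the service-account `bearer_token` is sent over that unverified connection.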
@@ -1,6 +1,111 @@
 telegraf-ds:
- config:
- global_tags:
- cluster: tucson-teststand.lsst.codes
-
-vaultSecretsPath: secret/k8s_operator/tucson-teststand.lsst.codes
+ override_config:
+ toml: |+
+ [ global_tags ]
+ cluster = "tucson-teststand.lsst.codes"
+ [ agent ]
+ hostname = "telegraf-$HOSTIP"
+ [[inputs.kubernetes]]
+ url = "https://$HOSTIP:10250"
+ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ insecure_skip_verify = true
+ namepass = ["kubernetes_pod_container"]
+ fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cachemachine"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cachemachine"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_cert_manager"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["cert-manager"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_exposurelog"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["exposurelog"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_gafaelfawr"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["gafaelfawr"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_ingress_nginx"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["ingress-nginx"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_moneypenny"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["moneypenny"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_narrativelog"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["narrativelog"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_nublado2"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["nublado2"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_portal"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["portal"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_postgres"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["postgres"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_sasquatch"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["sasquatch"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_squareone"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["squareone"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_strimzi"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["strimzi"]
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = "k8s_vault_secrets_operator"
+ [outputs.influxdb_v2.tagpass]
+ namespace = ["vault-secrets-operator"]
diff --git a/services/telegraf-ds/values.yaml b/services/telegraf-ds/values.yaml
index 8c9dfdcc8f..ebef14bfe4 100644
--- a/services/telegraf-ds/values.yaml
+++ b/services/telegraf-ds/values.yaml
@@ -1,3 +1,7 @@
+# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`)
+# shared with telegraf (non-DaemonSet)
+# @default -- None, must be set
+vaultSecretsPath: ""
 telegraf-ds:
 env:
 # -- Token to communicate with Influx
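Review bot: As with `values-stable.yaml`, this cluster's list omits `telegraf` and `telegraf-ds`, so metrics from the agent's own namespace (presumably `telegraf-ds`) match no `tagpass` filter and are dropped, while the otherwise similar `values-summit.yaml` in the same commit does include both. Either add the two output blocks (`bucket = "k8s_telegraf"` and `bucket = "k8s_telegraf_ds"`) or note the omission in a comment above the first output so the asymmetry is visibly intentional. The kubelet input's `insecure_skip_verify = true` carries the same caveat raised on the other per-cluster files.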
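Review bot: The new helm-docs-style comment gives the path as `secret/k8s_operator//telegraf`, with an empty segment where a cluster-hostname placeholder seems to have been lost; write it as `secret/k8s_operator/<cluster-hostname>/telegraf` (or whatever the real middle component is) so the generated documentation does not show a path that cannot exist. The default `vaultSecretsPath: ""` is annotated "must be set", and every per-cluster file in this commit drops its own `vaultSecretsPath:` line, so the value now has to arrive from outside these files; if the chart's VaultSecret template does not already guard it, `{{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath }}` would make a missing value fail at render time instead of producing a VaultSecret with an empty path.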
@@ -9,7 +13,7 @@ telegraf-ds:
 override_config:
 toml: |+
 [ global_tags ]
- cluster = ""
+ cluster = "no_endpoint"
 [ agent ]
 hostname = "telegraf-$HOSTIP"
 [[inputs.kubernetes]]
@@ -18,176 +22,3 @@ telegraf-ds: insecure_skip_verify = true namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_argocd" - [outputs.influxdb_v2.tagpass] - namespace = ["argocd"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_datalinker" - [outputs.influxdb_v2.tagpass] - namespace = ["datalinker"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_noteburst" - 
[outputs.influxdb_v2.tagpass] - namespace = ["noteburst"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_obstap" - [outputs.influxdb_v2.tagpass] - namespace = ["obstap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_sasquatch" - [outputs.influxdb_v2.tagpass] - namespace = ["sasquatch"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_semaphore" - [outputs.influxdb_v2.tagpass] - namespace = ["semaphore"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_strimzi" - [outputs.influxdb_v2.tagpass] - namespace = ["strimzi"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = 
"$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_times_square" - [outputs.influxdb_v2.tagpass] - namespace = ["times-square"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] - -# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) -# shared with telegraf (non-DaemonSet) -# @default -- None, must be set -vaultSecretsPath: "" From 6ef462eeac004bb9f113b63fe349414f5cfc6703 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 7 Apr 2022 21:19:09 -0700 Subject: [PATCH 0210/1479] Turn off telegraf and telegraf-ds at many sites --- science-platform/values-idfprod.yaml | 4 ++-- science-platform/values-minikube.yaml | 4 ++-- science-platform/values-roe.yaml | 4 ++-- science-platform/values-squash-sandbox.yaml | 4 ++-- science-platform/values-summit.yaml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index 3d91dde6ca..eded4c03be 100644 
--- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -53,9 +53,9 @@ tap: tap_schema: enabled: true telegraf: - enabled: true + enabled: false telegraf-ds: - enabled: true + enabled: false times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index d62c9ba578..e1cea28f05 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml @@ -53,9 +53,9 @@ tap: tap_schema: enabled: true telegraf: - enabled: true + enabled: false telegraf-ds: - enabled: true + enabled: false times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml index 3159a23554..dbf65da615 100644 --- a/science-platform/values-roe.yaml +++ b/science-platform/values-roe.yaml @@ -49,9 +49,9 @@ tap: tap_schema: enabled: true telegraf: - enabled: true + enabled: false telegraf-ds: - enabled: true + enabled: false times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml index 6f3f3c09d4..d3764685c5 100644 --- a/science-platform/values-squash-sandbox.yaml +++ b/science-platform/values-squash-sandbox.yaml @@ -51,9 +51,9 @@ tap: tap_schema: enabled: false telegraf: - enabled: true + enabled: false telegraf-ds: - enabled: true + enabled: false times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index 8e57d2f693..f1655d7280 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -53,9 +53,9 @@ tap: tap_schema: enabled: false telegraf: - enabled: true + enabled: false telegraf-ds: - enabled: true + enabled: false times_square: enabled: false vault_secrets_operator: From 3dfd311f663b057df45aae1330d005fff89210a7 Mon Sep 17 00:00:00 2001 
From: adam Date: Thu, 7 Apr 2022 21:32:00 -0700 Subject: [PATCH 0211/1479] remove superfluous metric_version --- services/telegraf/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index b9f2d2e122..7eb204c99f 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -109,7 +109,6 @@ telegraf: prometheus_app: "argocd" urls: - http://argocd-server-metrics.argocd:8083/metrics - metric_version: 2 - prometheus: urls: - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics From 0a8be9cddd2237386a6ce1cda2488ef3e8b4ceb6 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 8 Apr 2022 10:08:46 -0700 Subject: [PATCH 0212/1479] Add vaultSecretsPath back --- services/telegraf-ds/scripts/generate-values | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf-ds/scripts/generate-values b/services/telegraf-ds/scripts/generate-values index d9a8b2003d..0f11cb954a 100755 --- a/services/telegraf-ds/scripts/generate-values +++ b/services/telegraf-ds/scripts/generate-values @@ -193,7 +193,7 @@ telegraf-ds: def build_instance_yaml(self, instance:str) -> str: secrets_path=self.instances[instance].get("fqdn","") cf = f"vaultSecretsPath: \"{secrets_path}\"\n" - cf = "telegraf-ds:\n" + cf += "telegraf-ds:\n" cf += self.build_telegraf_override_conf(instance) return cf From bd0cbc6f691a33f7740175d6370d0d8c39ffb212 Mon Sep 17 00:00:00 2001 
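Review bot: `secrets_path` falls back to `""` when an instance has no `fqdn`, so a missing FQDN is silently written out as `vaultSecretsPath: ""` — the very value the generic values.yaml documents as "must be set" — and the broken Vault lookup only surfaces at deploy time. Logging it at generation time would catch that early, e.g. `if not secrets_path:` / `    self.log.warning(f"instance {instance} has no fqdn; vaultSecretsPath will be empty")`, assuming the class's `self.log` logger exists in this version as it does in the later refactor. The `+=` fix itself is correct; the rest of the class is outside the hunk.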
From: adam Date: Fri, 8 Apr 2022 10:09:19 -0700 Subject: [PATCH 0213/1479] Add vaultSecretsPath back, and regenerate to reflect where telegraf isn't running yet --- services/telegraf-ds/values-base.yaml | 1 + services/telegraf-ds/values-idfdev.yaml | 1 + services/telegraf-ds/values-idfint.yaml | 1 + services/telegraf-ds/values-idfprod.yaml | 15 +-------------- services/telegraf-ds/values-int.yaml | 1 + services/telegraf-ds/values-minikube.yaml | 15 +-------------- services/telegraf-ds/values-red-five.yaml | 15 +-------------- services/telegraf-ds/values-roe.yaml | 15 +-------------- services/telegraf-ds/values-squash-sandbox.yaml | 15 +-------------- services/telegraf-ds/values-stable.yaml | 1 + services/telegraf-ds/values-summit.yaml | 15 +-------------- services/telegraf-ds/values-tucson-teststand.yaml | 1 + 12 files changed, 12 insertions(+), 84 deletions(-) diff --git a/services/telegraf-ds/values-base.yaml b/services/telegraf-ds/values-base.yaml index 829333c176..6eff7f01d3 100644 --- a/services/telegraf-ds/values-base.yaml +++ b/services/telegraf-ds/values-base.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "base-lsp.lsst.codes" telegraf-ds: override_config: toml: |+ diff --git a/services/telegraf-ds/values-idfdev.yaml b/services/telegraf-ds/values-idfdev.yaml index 97f140d1ed..51c8f3d95f 100644 --- a/services/telegraf-ds/values-idfdev.yaml +++ b/services/telegraf-ds/values-idfdev.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "data-dev.lsst.cloud" telegraf-ds: override_config: toml: |+ diff --git a/services/telegraf-ds/values-idfint.yaml b/services/telegraf-ds/values-idfint.yaml index 7e5f90a00d..d1fa3aaa11 100644 --- a/services/telegraf-ds/values-idfint.yaml +++ b/services/telegraf-ds/values-idfint.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "data-int.lsst.cloud" telegraf-ds: override_config: toml: |+ diff --git a/services/telegraf-ds/values-idfprod.yaml b/services/telegraf-ds/values-idfprod.yaml index 096d98f6eb..fa24a01884 100644 
--- a/services/telegraf-ds/values-idfprod.yaml +++ b/services/telegraf-ds/values-idfprod.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "data.lsst.cloud" telegraf-ds: override_config: toml: |+ @@ -123,20 +124,6 @@ telegraf-ds: bucket = "k8s_tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" diff --git a/services/telegraf-ds/values-int.yaml b/services/telegraf-ds/values-int.yaml index 6aada9f0b6..7a9aee9e81 100644 --- a/services/telegraf-ds/values-int.yaml +++ b/services/telegraf-ds/values-int.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "lsst-lsp-int.ncsa.illinois.edu" telegraf-ds: override_config: toml: |+ diff --git a/services/telegraf-ds/values-minikube.yaml b/services/telegraf-ds/values-minikube.yaml index c8bbd70986..73268c720a 100644 --- a/services/telegraf-ds/values-minikube.yaml +++ b/services/telegraf-ds/values-minikube.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "minikube.lsst.codes" telegraf-ds: override_config: toml: |+ 
@@ -130,20 +131,6 @@ telegraf-ds: bucket = "k8s_tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" diff --git a/services/telegraf-ds/values-red-five.yaml b/services/telegraf-ds/values-red-five.yaml index 782c3421d9..9cb3bfffc6 100644 --- a/services/telegraf-ds/values-red-five.yaml +++ b/services/telegraf-ds/values-red-five.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "red-five.lsst.codes" telegraf-ds: override_config: toml: |+ @@ -109,20 +110,6 @@ telegraf-ds: bucket = "k8s_tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" diff --git a/services/telegraf-ds/values-roe.yaml b/services/telegraf-ds/values-roe.yaml index bc1e169b10..d1c97d5a39 100644 --- a/services/telegraf-ds/values-roe.yaml +++ b/services/telegraf-ds/values-roe.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "rsp.lsst.ac.uk" telegraf-ds: override_config: toml: |+ 
@@ -95,20 +96,6 @@ telegraf-ds: bucket = "k8s_tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" diff --git a/services/telegraf-ds/values-squash-sandbox.yaml b/services/telegraf-ds/values-squash-sandbox.yaml index 95769f3391..af0290a64f 100644 --- a/services/telegraf-ds/values-squash-sandbox.yaml +++ b/services/telegraf-ds/values-squash-sandbox.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "squash-sandbox.lsst.codes" telegraf-ds: override_config: toml: |+ @@ -46,20 +47,6 @@ telegraf-ds: bucket = "k8s_squash_api" [outputs.influxdb_v2.tagpass] namespace = ["squash-api"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" diff --git a/services/telegraf-ds/values-stable.yaml b/services/telegraf-ds/values-stable.yaml index 896b6cd7f8..41089ec5da 100644 --- a/services/telegraf-ds/values-stable.yaml +++ b/services/telegraf-ds/values-stable.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "lsst-lsp-stable.ncsa.illinois.edu" telegraf-ds: override_config: toml: |+ 
diff --git a/services/telegraf-ds/values-summit.yaml b/services/telegraf-ds/values-summit.yaml index 71a07660fa..d9d7955daa 100644 --- a/services/telegraf-ds/values-summit.yaml +++ b/services/telegraf-ds/values-summit.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "summit-lsp.lsst.codes" telegraf-ds: override_config: toml: |+ @@ -95,20 +96,6 @@ telegraf-ds: bucket = "k8s_squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "k8s_telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" diff --git a/services/telegraf-ds/values-tucson-teststand.yaml b/services/telegraf-ds/values-tucson-teststand.yaml index 9dfee715e0..5ef45c1c58 100644 --- a/services/telegraf-ds/values-tucson-teststand.yaml +++ b/services/telegraf-ds/values-tucson-teststand.yaml @@ -1,3 +1,4 @@ +vaultSecretsPath: "tucson-teststand.lsst.codes" telegraf-ds: override_config: toml: |+ From dec989cc3c0e5e0625f3e0a2dc9e04a3a1b94899 Mon Sep 17 00:00:00 2001 
From: adam Date: Fri, 8 Apr 2022 13:14:28 -0700 Subject: [PATCH 0214/1479] Refactor the config generator --- gen_config/gen_config/__init__.py | 0 gen_config/gen_config/cli_args.py | 14 ++ .../gen_config/phalanxconfiggenerator.py | 175 ++++++++---------- gen_config/gen_config/telegrafdsgenerator.py | 83 +++++++++ .../scripts => gen_config}/requirements.txt | 0 gen_config/telegraf-generator | 15 ++ services/telegraf-ds/values-base.yaml | 28 +-- services/telegraf-ds/values-idfdev.yaml | 46 ++--- services/telegraf-ds/values-idfint.yaml | 42 ++--- services/telegraf-ds/values-idfprod.yaml | 36 ++-- services/telegraf-ds/values-int.yaml | 36 ++-- services/telegraf-ds/values-minikube.yaml | 36 ++-- services/telegraf-ds/values-red-five.yaml | 30 +-- services/telegraf-ds/values-roe.yaml | 26 +-- .../telegraf-ds/values-squash-sandbox.yaml | 12 +- services/telegraf-ds/values-stable.yaml | 32 ++-- services/telegraf-ds/values-summit.yaml | 26 +-- .../telegraf-ds/values-tucson-teststand.yaml | 28 +-- 18 files changed, 376 insertions(+), 289 deletions(-) create mode 100644 gen_config/gen_config/__init__.py create mode 100644 gen_config/gen_config/cli_args.py rename services/telegraf-ds/scripts/generate-values => gen_config/gen_config/phalanxconfiggenerator.py (55%) mode change 100755 => 100644 create mode 100644 gen_config/gen_config/telegrafdsgenerator.py rename {services/telegraf-ds/scripts => gen_config}/requirements.txt (100%) create mode 100755 gen_config/telegraf-generator diff --git a/gen_config/gen_config/__init__.py b/gen_config/gen_config/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/gen_config/gen_config/cli_args.py b/gen_config/gen_config/cli_args.py new file mode 100644 index 0000000000..cc242a889e --- /dev/null +++ b/gen_config/gen_config/cli_args.py 
@@ -0,0 +1,14 @@ +import argparse + +def cli_args() -> argparse.Namespace: + parser = argparse.ArgumentParser(description="Phalanx Generator CLI") + parser.add_argument('--debug', '-d', action='store_true', + help="Enable debugging output") + parser.add_argument('--loglevel', '--log-level', '-l', default='info', + help="Log level (standard logging level names)") + parser.add_argument('--phalanx-root', '-r', + help="Path to root of phalanx directory") + parser.add_argument('--dry-run', '-x', action='store_true', + help="Dry run (output to stdout)") + return parser.parse_args() + diff --git a/services/telegraf-ds/scripts/generate-values b/gen_config/gen_config/phalanxconfiggenerator.py old mode 100755 new mode 100644 similarity index 55% rename from services/telegraf-ds/scripts/generate-values rename to gen_config/gen_config/phalanxconfiggenerator.py index 0f11cb954a..8b993f54bf --- a/services/telegraf-ds/scripts/generate-values +++ b/gen_config/gen_config/phalanxconfiggenerator.py 
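Review bot: `--loglevel` accepts any string and defaults to `'info'`, while the generator it feeds defaults to `"warning"` and, per the `LOGLEVEL.get(loglevel_str, 30)` lookup in phalanxconfiggenerator.py, silently maps an unrecognised name to WARNING, so a typo such as `-l debg` quietly suppresses output instead of failing. Constraining the option at parse time, e.g. `parser.add_argument('--loglevel', '--log-level', '-l', default='info', type=str.lower, choices=['critical', 'error', 'warning', 'info', 'debug'], help="Log level (standard logging level names)")`, rejects bad values before the generator runs. The two defaults (`'info'` here, `"warning"` in the class) should also agree, or the help text should say which one wins when the CLI is used.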
@@ -20,35 +20,69 @@ from pathlib import Path from typing import Any, Dict, Set, Tuple -class TelegrafDSValuesWriter(object): +LOGLEVEL = {"CRITICAL": 50, + "ERROR": 40, + "WARNING": 30, + "INFO": 20, + "DEBUG": 10, + "NOTSET": 0 + } + +class PhalanxConfigGenerator(object): """ - The TelegrafDSValuesWriter uses its knowledge of where it lives (the - scripts directory in the telegraf-ds service) to parse the science-platform - configurations to determine for which environments it should create files, - and then to generate the files to write. + The PhalanxConfigGenerator parses the science-platform configurations + to determine what services run in which environments. It should then be + subclassed for particular applications to generate configuration files to + write. + + A subclass (corresponding to a particular Phalanx application) must do the + following: set self.output_path (generally, + self.phalanx_root + "/services/") and provide + an implementation of the build_config() method to generate configuration + for each instance of the application. 
""" def __init__(self, *args, **kwargs) -> None: - logging.basicConfig(encoding='utf-8', level=logging.DEBUG) + loglevel_str=kwargs.get("loglevel","warning") + self.debug=kwargs.get("debug",False) + if self.debug: + loglevel_str="debug" + loglevel_str=loglevel_str.upper() + loglevel=LOGLEVEL.get(loglevel_str, 30) + logging.basicConfig(encoding='utf-8',level=loglevel) self.log = logging.getLogger() self.template_re = re.compile('(\{\{.*?\}\})') self.instances: Dict[str,Any] = {} self.applications: Tuple(str) = tuple() self.config: Dict[str,str] = {} self.namespaces: Dict[str,Set[str]] = {} - - def load_config(self) -> None: - """Populate our instance attributes with data from our yaml.""" - self.instances = self.find_instances() - self.applications = self.find_applications() - self.namespaces = self.find_app_namespaces() + self.phalanx_root: str = kwargs.get("phalanx_root","") + if not self.phalanx_root: + try: + me = Path.resolve(Path(__file__)) + # gen_config/gen_config + self.phalanx_root = str(me.parents[2]) + except NameError: + me = Path.resolve(Path(sys.argv[0])) + # gen_config + self.phalanx_root = str(me.parents[1]) + self.dry_run: bool = kwargs.get("dry_run", False) + self.load_phalanx() + self.log.debug(f"Phalanx root: {self.phalanx_root}") + self.log.debug(f"Applications: {self.applications}") def _get_science_platform_path(self) -> str: """Convenience method to extract the science-platform root directory. """ me = Path.resolve(Path(sys.argv[0])) # ./..[telegraf-ds]/..[services]/science-platform - sp_path = str(me.parents[3]) + "/science-platform" + sp_path = self.phalanx_root + "/science-platform" return sp_path + + def load_phalanx(self) -> None: + """Populate our instance attributes with data from our yaml.""" + self.instances = self.find_instances() + self.applications = self.find_applications() + self.namespaces = self.find_app_namespaces() def find_instances(self) -> Dict[str,Any]: """Read the science-platform config to determine which instances 
@@ -112,8 +146,8 @@ def parse_app_template(self, app:str) -> Set[str]: return namespaces def strip_templates(self, app_file:str) -> str: - """The YAML is actually Helm-templated yaml. For what we're doing, - just stripping all the templates out works fine. + """The config "YAML" is actually Helm-templated yaml. For our + purposes, just stripping all the templates out works fine. """ contents = "" with open(app_file) as f: 
@@ -125,95 +159,36 @@ def strip_templates(self, app_file:str) -> str: contents += outp_l return contents - def build_telegraf_override_conf(self, instance: str) -> str: - """For each instance, generate the (literal) contents for - telegraf.conf""" - endpoint=self.instances.get(instance,{}).get("fqdn","no_endpoint") - tc = " override_config:\n" - tc += " toml: |+\n" - tc += " [ global_tags ]\n" - tc += f" cluster = \"{endpoint}\"\n" - tc += """ [ agent ] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] -""" - tc += self.build_outputs(instance) - return tc - - def build_outputs(self, instance: str) -> str: - """For each instance, generate the list of outputs for each metric. + def build_config(self) -> None: + """This must be defined in a subclass to build the configuration for + the particular service. The configuration should be stored in + self.config, as a dict whose key is a string representing the + instance name, and whose value is a string holding the yaml for + that instance's config. Use "generic" for the top-level values.yaml. 
""" - outp = "" - i_obj = self.instances.get(instance, {}) - for app in self.applications: - if not i_obj.get(app,{}).get("enabled",False): - continue - namespace_set = self.namespaces.get(app, None) - if not namespace_set: - continue - for namespace in namespace_set: - outp +=''' [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" -''' - bucket = namespace.replace("-", "_") - outp += f" bucket = \"k8s_{bucket}\"\n" - outp += " [outputs.influxdb_v2.tagpass]\n" - outp += f" namespace = [\"{namespace}\"]\n" - return outp - - def build_yaml(self) -> None: - self.config["generic"] = self.build_generic_yaml() - for instance in self.instances: - self.config[instance]=self.build_instance_yaml(instance) - - def build_generic_yaml(self) -> None: - cf='''# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) -# shared with telegraf (non-DaemonSet) -# @default -- None, must be set -vaultSecretsPath: "" -telegraf-ds: - env: - # -- Token to communicate with Influx - - name: INFLUX_TOKEN - valueFrom: - secretKeyRef: - name: telegraf - key: influx-token -''' - cf += self.build_telegraf_override_conf("generic") - return cf - - def build_instance_yaml(self, instance:str) -> str: - secrets_path=self.instances[instance].get("fqdn","") - cf = f"vaultSecretsPath: \"{secrets_path}\"\n" - cf += "telegraf-ds:\n" - cf += self.build_telegraf_override_conf(instance) - return cf - - def write_yaml(self) -> None: - me = Path.resolve(Path(sys.argv[0])) - val_path = str(me.parents[1]) + raise NotImplementedError() + + def write_config(self) -> None: + """Write the configuration files, unless self.dry_run is set, in which + case, just print their contents to stdout.""" + if self.dry_run: + val_path = "DRY-RUN" + else: + if not self.output_path: + raise RuntimeError( + "self.output_path must be defined in order to write config") + val_path = self.output_path for instance in self.config: if instance == "generic": val_file 
= f"{val_path}/values.yaml" else: env_name = self.instances[instance]["environment"] val_file = f"{val_path}/values-{env_name}.yaml" - with open(val_file,"w") as f: - f.write(self.config[instance]) - -def main() -> None: - gen = TelegrafDSValuesWriter() - gen.load_config() - gen.build_yaml() - gen.write_yaml() - -if __name__ == "__main__": - main() + if self.dry_run: + print(f"---- begin {val_file} ----") + print(self.config[instance]) + print(f"------ end {val_file} ----") + else: + with open(val_file,"w") as f: + f.write(self.config[instance]) + diff --git a/gen_config/gen_config/telegrafdsgenerator.py b/gen_config/gen_config/telegrafdsgenerator.py new file mode 100644 index 0000000000..f564045273 --- /dev/null +++ b/gen_config/gen_config/telegrafdsgenerator.py 
@@ -0,0 +1,83 @@ +from .phalanxconfiggenerator import PhalanxConfigGenerator + +class TelegrafDSGenerator(PhalanxConfigGenerator): + """ + TelegrafDSGenerator generates configuration files for the telegraf-ds + application. + """ + def __init__(self, *args, **kwargs) -> None: + super().__init__(*args, **kwargs) + self.output_path = self.phalanx_root + "/services/telegraf-ds" + + def build_config(self) -> None: + self.config["generic"] = self.build_generic_yaml() + for instance in self.instances: + self.config[instance]=self.build_instance_yaml(instance) + + def build_generic_yaml(self) -> None: + cf='''# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) +# shared with telegraf (non-DaemonSet) +# @default -- None, must be set +vaultSecretsPath: "" +telegraf-ds: + env: + # -- Token to communicate with Influx + - name: INFLUX_TOKEN + valueFrom: + secretKeyRef: + name: telegraf + key: influx-token +''' + cf += self.build_telegraf_override_conf("generic") + return cf + + def build_instance_yaml(self, instance:str) -> str: + secrets_path=self.instances[instance].get("fqdn","") + cf = f"vaultSecretsPath: \"{secrets_path}\"\n" + cf += "telegraf-ds:\n" + cf += self.build_telegraf_override_conf(instance) + return cf + + def build_telegraf_override_conf(self, instance: str) -> str: + """For each instance, generate the (literal) contents for + telegraf.conf""" + endpoint=self.instances.get(instance,{}).get("fqdn","no_endpoint") + tc = " override_config:\n" + tc += " toml: |+\n" + tc += " [ global_tags ]\n" + tc += f" cluster = \"{endpoint}\"\n" + tc += """ [ agent ] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] +""" + tc += self.build_outputs(instance) + return tc + + def build_outputs(self, instance: str) -> str: + """For 
each instance, generate the list of outputs, one for each + enabled service. + """ + outp = "" + i_obj = self.instances.get(instance, {}) + for app in self.applications: + if not i_obj.get(app,{}).get("enabled",False): + continue + namespace_set = self.namespaces.get(app, None) + if not namespace_set: + continue + for namespace in namespace_set: + outp +=''' [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" +''' + bucket = namespace.replace("-", "_") + outp += f" bucket = \"{bucket}\"\n" + outp += " [outputs.influxdb_v2.tagpass]\n" + outp += f" namespace = [\"{namespace}\"]\n" + return outp diff --git a/services/telegraf-ds/scripts/requirements.txt b/gen_config/requirements.txt similarity index 100% rename from services/telegraf-ds/scripts/requirements.txt rename to gen_config/requirements.txt diff --git a/gen_config/telegraf-generator b/gen_config/telegraf-generator new file mode 100755 index 0000000000..4450fbca75 --- /dev/null +++ b/gen_config/telegraf-generator @@ -0,0 +1,15 @@ +#!/usr/bin/env python3 +from gen_config.cli_args import cli_args +from gen_config.telegrafdsgenerator import TelegrafDSGenerator + +def main() -> None: + args = cli_args() + gen = TelegrafDSGenerator(debug=args.debug, + dry_run=args.dry_run, + loglevel=args.loglevel, + phalanx_root=args.phalanx_root) + gen.build_config() + gen.write_config() + +if __name__ == "__main__": + main() diff --git a/services/telegraf-ds/values-base.yaml b/services/telegraf-ds/values-base.yaml index 6eff7f01d3..1e52d50c1c 100644 --- a/services/telegraf-ds/values-base.yaml +++ b/services/telegraf-ds/values-base.yaml 
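Review bot: `build_outputs` now emits `bucket = "{bucket}"` where the code it replaces (removed from phalanxconfiggenerator.py in this commit) emitted `bucket = "k8s_{bucket}"`, and the regenerated values files in this commit rename every bucket accordingly; that is a behaviour change hidden in a commit described as a refactor and should be stated in the message, since the InfluxDB buckets must exist under the new names for writes to succeed. `build_generic_yaml` is annotated `-> None` but returns a string; it should be `-> str`, as `build_instance_yaml` already is. The generated `[[inputs.kubernetes]]` block sends the service-account bearer token to `https://$HOSTIP:10250` with `insecure_skip_verify = true`, so the kubelet's identity is never verified; if the kubelet serving certificates are signed by a CA available to the pod, setting Telegraf's `tls_ca` and dropping `insecure_skip_verify` would close that gap, otherwise a comment explaining why verification is off would help the next reader. `endpoint` and `secrets_path` are interpolated into double-quoted TOML/YAML strings without escaping, which is fine for FQDNs but worth a one-line comment so nobody later feeds arbitrary text through the same path.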
@@ -16,97 +16,97 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_exposurelog" + bucket = "exposurelog" [outputs.influxdb_v2.tagpass] namespace = ["exposurelog"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_narrativelog" + bucket = "narrativelog" [outputs.influxdb_v2.tagpass] namespace = ["narrativelog"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] 
namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_telegraf" + bucket = "telegraf" [outputs.influxdb_v2.tagpass] namespace = ["telegraf"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_telegraf_ds" + bucket = "telegraf_ds" [outputs.influxdb_v2.tagpass] namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-idfdev.yaml b/services/telegraf-ds/values-idfdev.yaml index 51c8f3d95f..0153697bb7 100644 --- a/services/telegraf-ds/values-idfdev.yaml +++ b/services/telegraf-ds/values-idfdev.yaml 
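Review bot: Every `bucket = "k8s_…"` line here is renamed to the bare namespace form, matching what the new generator emits, and the same rename is repeated in the hunks for values-idfdev.yaml, values-idfint.yaml, values-idfprod.yaml, values-int.yaml, values-minikube.yaml, values-red-five.yaml, values-roe.yaml, values-squash-sandbox.yaml and values-stable.yaml, yet nothing in the change provisions the new buckets or adjusts the token. InfluxDB 2 API tokens are scoped per bucket, so unless the token behind `$INFLUX_TOKEN` already has write access to `cachemachine`, `cert_manager` and the rest, these outputs will fail to write after rollout while the old `k8s_*` buckets go quiet at the same time. A sentence in the commit message on how the bucket and token migration was handled, plus a check of the Telegraf logs for `influxdb_v2` write errors on the first environment synced, would close that gap.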
@@ -16,160 +16,160 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_datalinker" + bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_mobu" + bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_noteburst" + bucket = "noteburst" [outputs.influxdb_v2.tagpass] namespace = ["noteburst"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = 
["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_obstap" + bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sasquatch" + bucket = "sasquatch" [outputs.influxdb_v2.tagpass] namespace = ["sasquatch"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_semaphore" + bucket = "semaphore" [outputs.influxdb_v2.tagpass] namespace = ["semaphore"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sherlock" + bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_strimzi" + bucket = "strimzi" [outputs.influxdb_v2.tagpass] namespace = ["strimzi"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap" + bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] urls = 
["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap_schema" + bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_telegraf" + bucket = "telegraf" [outputs.influxdb_v2.tagpass] namespace = ["telegraf"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_telegraf_ds" + bucket = "telegraf_ds" [outputs.influxdb_v2.tagpass] namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_times_square" + bucket = "times_square" [outputs.influxdb_v2.tagpass] namespace = ["times-square"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-idfint.yaml b/services/telegraf-ds/values-idfint.yaml index d1fa3aaa11..9b048b9f3d 100644 --- a/services/telegraf-ds/values-idfint.yaml +++ b/services/telegraf-ds/values-idfint.yaml 
@@ -16,146 +16,146 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_datalinker" + bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_mobu" + bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_obstap" + bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] 
[[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_plot_navigator" + bucket = "plot_navigator" [outputs.influxdb_v2.tagpass] namespace = ["plot-navigator"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_semaphore" + bucket = "semaphore" [outputs.influxdb_v2.tagpass] namespace = ["semaphore"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sherlock" + bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap" + bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap_schema" + bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_telegraf" + bucket = "telegraf" [outputs.influxdb_v2.tagpass] namespace = ["telegraf"] [[outputs.influxdb_v2]] urls = 
["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_telegraf_ds" + bucket = "telegraf_ds" [outputs.influxdb_v2.tagpass] namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vo_cutouts" + bucket = "vo_cutouts" [outputs.influxdb_v2.tagpass] namespace = ["vo-cutouts"] diff --git a/services/telegraf-ds/values-idfprod.yaml b/services/telegraf-ds/values-idfprod.yaml index fa24a01884..37101cfc32 100644 --- a/services/telegraf-ds/values-idfprod.yaml +++ b/services/telegraf-ds/values-idfprod.yaml 
@@ -16,125 +16,125 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_datalinker" + bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_mobu" + bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_obstap" + bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] 
[[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_semaphore" + bucket = "semaphore" [outputs.influxdb_v2.tagpass] namespace = ["semaphore"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sherlock" + bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap" + bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap_schema" + bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vo_cutouts" + bucket = "vo_cutouts" [outputs.influxdb_v2.tagpass] namespace = ["vo-cutouts"] 
diff --git a/services/telegraf-ds/values-int.yaml b/services/telegraf-ds/values-int.yaml index 7a9aee9e81..82f48bcbc6 100644 --- a/services/telegraf-ds/values-int.yaml +++ b/services/telegraf-ds/values-int.yaml 
@@ -16,125 +16,125 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_datalinker" + bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_mobu" + bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_obstap" + bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = 
["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sasquatch" + bucket = "sasquatch" [outputs.influxdb_v2.tagpass] namespace = ["sasquatch"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sherlock" + bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_strimzi" + bucket = "strimzi" [outputs.influxdb_v2.tagpass] namespace = ["strimzi"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap" + bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap_schema" + bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_telegraf" + bucket = "telegraf" [outputs.influxdb_v2.tagpass] namespace = ["telegraf"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_telegraf_ds" + bucket = "telegraf_ds" [outputs.influxdb_v2.tagpass] namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] 
diff --git a/services/telegraf-ds/values-minikube.yaml b/services/telegraf-ds/values-minikube.yaml index 73268c720a..704c51f614 100644 --- a/services/telegraf-ds/values-minikube.yaml +++ b/services/telegraf-ds/values-minikube.yaml 
@@ -16,125 +16,125 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_datalinker" + bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_mobu" + bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_noteburst" + bucket = "noteburst" [outputs.influxdb_v2.tagpass] namespace = ["noteburst"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = 
["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_obstap" + bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_semaphore" + bucket = "semaphore" [outputs.influxdb_v2.tagpass] namespace = ["semaphore"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sherlock" + bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap" + bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap_schema" + bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] 
diff --git a/services/telegraf-ds/values-red-five.yaml b/services/telegraf-ds/values-red-five.yaml index 9cb3bfffc6..f5ab0ed587 100644 --- a/services/telegraf-ds/values-red-five.yaml +++ b/services/telegraf-ds/values-red-five.yaml 
@@ -16,104 +16,104 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_datalinker" + bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_mobu" + bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_obstap" + bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] 
[[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap" + bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap_schema" + bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-roe.yaml b/services/telegraf-ds/values-roe.yaml index d1c97d5a39..e1899326c9 100644 --- a/services/telegraf-ds/values-roe.yaml +++ b/services/telegraf-ds/values-roe.yaml 
@@ -16,90 +16,90 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_mobu" + bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] 
[[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap" + bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap_schema" + bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-squash-sandbox.yaml b/services/telegraf-ds/values-squash-sandbox.yaml index af0290a64f..e38b5e4026 100644 --- a/services/telegraf-ds/values-squash-sandbox.yaml +++ b/services/telegraf-ds/values-squash-sandbox.yaml 
@@ -16,41 +16,41 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squash_api" + bucket = "squash_api" [outputs.influxdb_v2.tagpass] namespace = ["squash-api"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-stable.yaml b/services/telegraf-ds/values-stable.yaml index 41089ec5da..cb3a3b1d69 100644 --- a/services/telegraf-ds/values-stable.yaml +++ b/services/telegraf-ds/values-stable.yaml 
@@ -16,111 +16,111 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_datalinker" + bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_mobu" + bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_obstap" + bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = 
["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sasquatch" + bucket = "sasquatch" [outputs.influxdb_v2.tagpass] namespace = ["sasquatch"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sherlock" + bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_strimzi" + bucket = "strimzi" [outputs.influxdb_v2.tagpass] namespace = ["strimzi"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap" + bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_tap_schema" + bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-summit.yaml b/services/telegraf-ds/values-summit.yaml index d9d7955daa..faa6579d23 100644 --- a/services/telegraf-ds/values-summit.yaml +++ b/services/telegraf-ds/values-summit.yaml 
@@ -16,90 +16,90 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_exposurelog" + bucket = "exposurelog" [outputs.influxdb_v2.tagpass] namespace = ["exposurelog"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_narrativelog" + bucket = "narrativelog" [outputs.influxdb_v2.tagpass] namespace = ["narrativelog"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] 
namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sherlock" + bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-tucson-teststand.yaml b/services/telegraf-ds/values-tucson-teststand.yaml index 5ef45c1c58..47046b25fe 100644 --- a/services/telegraf-ds/values-tucson-teststand.yaml +++ b/services/telegraf-ds/values-tucson-teststand.yaml 
@@ -16,97 +16,97 @@ telegraf-ds: urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cachemachine" + bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_cert_manager" + bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_exposurelog" + bucket = "exposurelog" [outputs.influxdb_v2.tagpass] namespace = ["exposurelog"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_gafaelfawr" + bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_ingress_nginx" + bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_moneypenny" + bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_narrativelog" + bucket = "narrativelog" [outputs.influxdb_v2.tagpass] namespace = ["narrativelog"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_nublado2" + bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_portal" + bucket = "portal" [outputs.influxdb_v2.tagpass] 
namespace = ["portal"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_postgres" + bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_sasquatch" + bucket = "sasquatch" [outputs.influxdb_v2.tagpass] namespace = ["sasquatch"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_squareone" + bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_strimzi" + bucket = "strimzi" [outputs.influxdb_v2.tagpass] namespace = ["strimzi"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" organization = "square" - bucket = "k8s_vault_secrets_operator" + bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] From ac5ea4fe65b08fdcdf560e6c412a20c44b508c53 Mon Sep 17 00:00:00 2001 
From: adam Date: Fri, 8 Apr 2022 16:30:29 -0700 Subject: [PATCH 0215/1479] generate telegraf and telegraf-ds config programatically --- .../gen_config/phalanxconfiggenerator.py | 11 +- gen_config/gen_config/telegrafdsgenerator.py | 15 +- gen_config/telegraf-generator | 16 +- services/telegraf-ds/values-base.yaml | 90 ++++----- services/telegraf-ds/values-idfdev.yaml | 144 +++++++------- services/telegraf-ds/values-idfint.yaml | 132 ++++++------- services/telegraf-ds/values-idfprod.yaml | 140 -------------- services/telegraf-ds/values-int.yaml | 114 +++++------ services/telegraf-ds/values-minikube.yaml | 140 -------------- services/telegraf-ds/values-red-five.yaml | 119 ------------ services/telegraf-ds/values-roe.yaml | 105 ---------- .../telegraf-ds/values-squash-sandbox.yaml | 56 ------ services/telegraf-ds/values-stable.yaml | 126 ------------ services/telegraf-ds/values-summit.yaml | 105 ---------- .../telegraf-ds/values-tucson-teststand.yaml | 112 ----------- services/telegraf-ds/values.yaml | 4 +- services/telegraf/values-base.yaml | 19 +- services/telegraf/values-idfdev.yaml | 19 +- services/telegraf/values-idfint.yaml | 19 +- services/telegraf/values-idfprod.yaml | 6 - services/telegraf/values-int.yaml | 19 +- services/telegraf/values-minikube.yaml | 6 - services/telegraf/values-stable.yaml | 6 - services/telegraf/values-summit.yaml | 6 - .../telegraf/values-tucson-teststand.yaml | 6 - services/telegraf/values.yaml | 180 ++---------------- 26 files changed, 353 insertions(+), 1362 deletions(-) delete mode 100644 services/telegraf-ds/values-idfprod.yaml delete mode 100644 services/telegraf-ds/values-minikube.yaml delete mode 100644 services/telegraf-ds/values-red-five.yaml delete mode 100644 services/telegraf-ds/values-roe.yaml delete mode 100644 services/telegraf-ds/values-squash-sandbox.yaml delete mode 100644 services/telegraf-ds/values-stable.yaml delete mode 100644 services/telegraf-ds/values-summit.yaml delete mode 100644 
services/telegraf-ds/values-tucson-teststand.yaml delete mode 100644 services/telegraf/values-idfprod.yaml delete mode 100644 services/telegraf/values-minikube.yaml delete mode 100644 services/telegraf/values-stable.yaml delete mode 100644 services/telegraf/values-summit.yaml delete mode 100644 services/telegraf/values-tucson-teststand.yaml diff --git a/gen_config/gen_config/phalanxconfiggenerator.py b/gen_config/gen_config/phalanxconfiggenerator.py index 8b993f54bf..7559a35970 100644 --- a/gen_config/gen_config/phalanxconfiggenerator.py +++ b/gen_config/gen_config/phalanxconfiggenerator.py @@ -189,6 +189,11 @@ def write_config(self) -> None: print(self.config[instance]) print(f"------ end {val_file} ----") else: - with open(val_file,"w") as f: - f.write(self.config[instance]) - + # Don't write if there's no config to write + if self.config[instance]: + with open(val_file,"w") as f: + f.write(self.config[instance]) + + def run(self) -> None: + self.build_config() + self.write_config() diff --git a/gen_config/gen_config/telegrafdsgenerator.py b/gen_config/gen_config/telegrafdsgenerator.py index f564045273..7da253a1ba 100644 --- a/gen_config/gen_config/telegrafdsgenerator.py +++ b/gen_config/gen_config/telegrafdsgenerator.py @@ -32,7 +32,10 @@ def build_generic_yaml(self) -> None: return cf def build_instance_yaml(self, instance:str) -> str: - secrets_path=self.instances[instance].get("fqdn","") + inst_obj = self.instances.get(instance, {}) + if not inst_obj.get("telegraf-ds",{}).get("enabled",""): + return "" + secrets_path=self.instances[instance].get("vault_path_prefix","") cf = f"vaultSecretsPath: \"{secrets_path}\"\n" cf += "telegraf-ds:\n" cf += self.build_telegraf_override_conf(instance) 
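Review bot: The new `if self.config[instance]:` guard in `write_config` skips the write when the generated config is empty but leaves any existing `val_file` on disk, so an instance whose config later becomes empty keeps a stale generated values file that would still be deployed; the thirteen values files this commit deletes by hand look like the same gap handled manually. An inner `else` that removes the stale file, or at least logs that `val_file` was left untouched, would keep the generated tree in sync, e.g. `else: Path(val_file).unlink(missing_ok=True)` (whichever of `os`/`pathlib` the module already imports; I cannot see its import block). The dry-run branch just above the hunk still prints empty configs, so it probably wants the same guard. `write_config` begins outside the hunk.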
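Review bot: `secrets_path=self.instances[instance].get("vault_path_prefix","")` falls back to an empty string, so an instance with `telegraf-ds.enabled` set but no `vault_path_prefix` gets `vaultSecretsPath: ""` written into its values file — a silently broken Vault reference that only surfaces when the secret fails to resolve in the cluster. Since `inst_obj` is already the instance mapping, fail at generation time instead: `secrets_path = inst_obj["vault_path_prefix"]`, or an explicit `raise ValueError(f"{instance}: vault_path_prefix missing")`. The enabled check would also read better with a boolean default, `.get("enabled", False)`, rather than `""`. Given that these values files are now generated output, emitting a leading `# Generated by gen_config/telegraf-generator; do not edit by hand` line at the top of `cf` would stop manual edits from being silently overwritten on the next run. `build_instance_yaml` continues past the hunk.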
@@ -44,9 +47,9 @@ def build_telegraf_override_conf(self, instance: str) -> str: endpoint=self.instances.get(instance,{}).get("fqdn","no_endpoint") tc = " override_config:\n" tc += " toml: |+\n" - tc += " [ global_tags ]\n" + tc += " [global_tags]\n" tc += f" cluster = \"{endpoint}\"\n" - tc += """ [ agent ] + tc += """ [agent] hostname = "telegraf-$HOSTIP" [[inputs.kubernetes]] url = "https://$HOSTIP:10250" @@ -72,9 +75,9 @@ def build_outputs(self, instance: str) -> str: continue for namespace in namespace_set: outp +=''' [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" ''' bucket = namespace.replace("-", "_") outp += f" bucket = \"{bucket}\"\n" diff --git a/gen_config/telegraf-generator b/gen_config/telegraf-generator index 4450fbca75..7e0087e099 100755 --- a/gen_config/telegraf-generator +++ b/gen_config/telegraf-generator @@ -1,15 +1,19 @@ #!/usr/bin/env python3 from gen_config.cli_args import cli_args +from gen_config.telegrafgenerator import TelegrafGenerator from gen_config.telegrafdsgenerator import TelegrafDSGenerator def main() -> None: args = cli_args() - gen = TelegrafDSGenerator(debug=args.debug, - dry_run=args.dry_run, - loglevel=args.loglevel, - phalanx_root=args.phalanx_root) - gen.build_config() - gen.write_config() + TelegrafDSGenerator(debug=args.debug, + dry_run=args.dry_run, + loglevel=args.loglevel, + phalanx_root=args.phalanx_root).run() + TelegrafGenerator(debug=args.debug, + dry_run=args.dry_run, + loglevel=args.loglevel, + phalanx_root=args.phalanx_root).run() + if __name__ == "__main__": main() diff --git a/services/telegraf-ds/values-base.yaml b/services/telegraf-ds/values-base.yaml index 1e52d50c1c..6e814f945d 100644 --- a/services/telegraf-ds/values-base.yaml +++ b/services/telegraf-ds/values-base.yaml 
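Review bot: The re-indented `token = "$INFLUX_TOKEN"` line is emitted once per namespace in `build_outputs`, so a single token has to carry write permission on every generated bucket of an instance, and nothing in the generator says so; a comment above the loop such as `# every output shares $INFLUX_TOKEN: that token needs write scope on each bucket generated below, and the buckets must exist before rollout` would save the next operator a failed deploy. `bucket = namespace.replace("-", "_")` is interpolated into a TOML quoted string without escaping; that is fine for DNS-label namespaces, but a stray `"` or `\` in the instance config would produce a TOML file Telegraf rejects instead of a generator error, so a cheap format check on `namespace` would be defensible. `build_outputs` begins outside the hunk.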
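Review bot: The two generator constructions in `main` repeat the same four keyword arguments verbatim; `for cls in (TelegrafDSGenerator, TelegrafGenerator): cls(debug=args.debug, dry_run=args.dry_run, loglevel=args.loglevel, phalanx_root=args.phalanx_root).run()` says the same thing once. It also makes visible that an exception in the first generator prevents the second from running at all, which may or may not be intended; if the two outputs are meant to be independent, each `run()` should be isolated so one failure does not suppress the other.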
@@ -1,10 +1,10 @@
-vaultSecretsPath: "base-lsp.lsst.codes"
+vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes"
 telegraf-ds:
 override_config:
 toml: |+
- [ global_tags ]
+ [global_tags]
 cluster = "base-lsp.lsst.codes"
- [ agent ]
+ [agent]
 hostname = "telegraf-$HOSTIP"
 [[inputs.kubernetes]]
 url = "https://$HOSTIP:10250"
@@ -13,100 +13,100 @@ telegraf-ds: namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "exposurelog" [outputs.influxdb_v2.tagpass] namespace = ["exposurelog"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" 
- organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "narrativelog" [outputs.influxdb_v2.tagpass] namespace = ["narrativelog"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "telegraf" [outputs.influxdb_v2.tagpass] namespace = ["telegraf"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "telegraf_ds" [outputs.influxdb_v2.tagpass] namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] - urls = 
["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-idfdev.yaml b/services/telegraf-ds/values-idfdev.yaml index 0153697bb7..41cc95a353 100644 --- a/services/telegraf-ds/values-idfdev.yaml +++ b/services/telegraf-ds/values-idfdev.yaml @@ -1,10 +1,10 @@ -vaultSecretsPath: "data-dev.lsst.cloud" +vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud" telegraf-ds: override_config: toml: |+ - [ global_tags ] + [global_tags] cluster = "data-dev.lsst.cloud" - [ agent ] + [agent] hostname = "telegraf-$HOSTIP" [[inputs.kubernetes]] url = "https://$HOSTIP:10250" 
@@ -13,163 +13,163 @@ telegraf-ds: namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - 
organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "noteburst" [outputs.influxdb_v2.tagpass] namespace = ["noteburst"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "sasquatch" [outputs.influxdb_v2.tagpass] namespace = ["sasquatch"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - 
token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "semaphore" [outputs.influxdb_v2.tagpass] namespace = ["semaphore"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "strimzi" [outputs.influxdb_v2.tagpass] namespace = ["strimzi"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "telegraf" [outputs.influxdb_v2.tagpass] namespace = ["telegraf"] [[outputs.influxdb_v2]] - urls = 
["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "telegraf_ds" [outputs.influxdb_v2.tagpass] namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "times_square" [outputs.influxdb_v2.tagpass] namespace = ["times-square"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-idfint.yaml b/services/telegraf-ds/values-idfint.yaml index 9b048b9f3d..f651193203 100644 --- a/services/telegraf-ds/values-idfint.yaml +++ b/services/telegraf-ds/values-idfint.yaml @@ -1,10 +1,10 @@ -vaultSecretsPath: "data-int.lsst.cloud" +vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud" telegraf-ds: override_config: toml: |+ - [ global_tags ] + [global_tags] cluster = "data-int.lsst.cloud" - [ agent ] + [agent] hostname = "telegraf-$HOSTIP" [[inputs.kubernetes]] url = "https://$HOSTIP:10250" 
@@ -13,149 +13,149 @@ telegraf-ds: namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "cert_manager" [outputs.influxdb_v2.tagpass] namespace = ["cert-manager"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "ingress_nginx" [outputs.influxdb_v2.tagpass] namespace = ["ingress-nginx"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - 
organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "plot_navigator" [outputs.influxdb_v2.tagpass] namespace = ["plot-navigator"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "semaphore" [outputs.influxdb_v2.tagpass] namespace = ["semaphore"] [[outputs.influxdb_v2]] - urls = 
["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "telegraf" [outputs.influxdb_v2.tagpass] namespace = ["telegraf"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "telegraf_ds" [outputs.influxdb_v2.tagpass] namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = 
["vault-secrets-operator"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "vo_cutouts" [outputs.influxdb_v2.tagpass] namespace = ["vo-cutouts"] diff --git a/services/telegraf-ds/values-idfprod.yaml b/services/telegraf-ds/values-idfprod.yaml deleted file mode 100644 index 37101cfc32..0000000000 --- a/services/telegraf-ds/values-idfprod.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ -vaultSecretsPath: "data.lsst.cloud" -telegraf-ds: - override_config: - toml: |+ - [ global_tags ] - cluster = "data.lsst.cloud" - [ agent ] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "datalinker" - [outputs.influxdb_v2.tagpass] - namespace = ["datalinker"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - 
organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "obstap" - [outputs.influxdb_v2.tagpass] - namespace = ["obstap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "semaphore" - [outputs.influxdb_v2.tagpass] - namespace = ["semaphore"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] - [[outputs.influxdb_v2]] - urls = 
["https://monitoring.lsst.codes"]
- token = "$INFLUX_TOKEN"
- organization = "square"
- bucket = "vo_cutouts"
- [outputs.influxdb_v2.tagpass]
- namespace = ["vo-cutouts"]
diff --git a/services/telegraf-ds/values-int.yaml b/services/telegraf-ds/values-int.yaml
index 82f48bcbc6..6438d52c4a 100644
--- a/services/telegraf-ds/values-int.yaml
+++ b/services/telegraf-ds/values-int.yaml
@@ -1,10 +1,10 @@
-vaultSecretsPath: "lsst-lsp-int.ncsa.illinois.edu"
+vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu"
telegraf-ds:
override_config:
toml: |+
- [ global_tags ]
+ [global_tags]
cluster = "lsst-lsp-int.ncsa.illinois.edu"
- [ agent ]
+ [agent]
hostname = "telegraf-$HOSTIP"
[[inputs.kubernetes]]
url = "https://$HOSTIP:10250"
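Review bot: The `vaultSecretsPath` rewritten here now names a per-cluster secret, but every `[[outputs.influxdb_v2]]` stanza further down this file (outside the hunk) writes with the same `$INFLUX_TOKEN`, so the scope of that one token decides the blast radius of a compromised telegraf pod on this cluster. Nothing in the file says whether the token at `secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu` is a write-only token limited to the buckets listed here or an org-wide one; if it is the latter, a pod on this cluster could overwrite every other cluster's metrics. A comment above `vaultSecretsPath` stating the expected scope, e.g. `# INFLUX_TOKEN: per-cluster, write-only, limited to the buckets below`, would make that reviewable, and it is worth checking the token in Vault matches. The outputs stanzas start below the end of this hunk.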
@@ -13,128 +13,128 @@ telegraf-ds: namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "cachemachine" [outputs.influxdb_v2.tagpass] namespace = ["cachemachine"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "datalinker" [outputs.influxdb_v2.tagpass] namespace = ["datalinker"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "gafaelfawr" [outputs.influxdb_v2.tagpass] namespace = ["gafaelfawr"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "mobu" [outputs.influxdb_v2.tagpass] namespace = ["mobu"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "moneypenny" [outputs.influxdb_v2.tagpass] namespace = ["moneypenny"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "nublado2" [outputs.influxdb_v2.tagpass] namespace = ["nublado2"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + 
urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "obstap" [outputs.influxdb_v2.tagpass] namespace = ["obstap"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "portal" [outputs.influxdb_v2.tagpass] namespace = ["portal"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "postgres" [outputs.influxdb_v2.tagpass] namespace = ["postgres"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "sasquatch" [outputs.influxdb_v2.tagpass] namespace = ["sasquatch"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "sherlock" [outputs.influxdb_v2.tagpass] namespace = ["sherlock"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "squareone" [outputs.influxdb_v2.tagpass] namespace = ["squareone"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "strimzi" [outputs.influxdb_v2.tagpass] namespace = ["strimzi"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - 
organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "tap" [outputs.influxdb_v2.tagpass] namespace = ["tap"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "tap_schema" [outputs.influxdb_v2.tagpass] namespace = ["tap-schema"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "telegraf" [outputs.influxdb_v2.tagpass] namespace = ["telegraf"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "telegraf_ds" [outputs.influxdb_v2.tagpass] namespace = ["telegraf-ds"] [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" bucket = "vault_secrets_operator" [outputs.influxdb_v2.tagpass] namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-minikube.yaml b/services/telegraf-ds/values-minikube.yaml deleted file mode 100644 index 704c51f614..0000000000 --- a/services/telegraf-ds/values-minikube.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ -vaultSecretsPath: "minikube.lsst.codes" -telegraf-ds: - override_config: - toml: |+ - [ global_tags ] - cluster = "minikube.lsst.codes" - [ agent ] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "datalinker" - [outputs.influxdb_v2.tagpass] - namespace = ["datalinker"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - 
organization = "square" - bucket = "noteburst" - [outputs.influxdb_v2.tagpass] - namespace = ["noteburst"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "obstap" - [outputs.influxdb_v2.tagpass] - namespace = ["obstap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "semaphore" - [outputs.influxdb_v2.tagpass] - namespace = ["semaphore"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = 
"$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-red-five.yaml b/services/telegraf-ds/values-red-five.yaml deleted file mode 100644 index f5ab0ed587..0000000000 --- a/services/telegraf-ds/values-red-five.yaml +++ /dev/null 
@@ -1,119 +0,0 @@ -vaultSecretsPath: "red-five.lsst.codes" -telegraf-ds: - override_config: - toml: |+ - [ global_tags ] - cluster = "red-five.lsst.codes" - [ agent ] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "datalinker" - [outputs.influxdb_v2.tagpass] - namespace = ["datalinker"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - 
organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "obstap" - [outputs.influxdb_v2.tagpass] - namespace = ["obstap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-roe.yaml b/services/telegraf-ds/values-roe.yaml deleted file mode 100644 index e1899326c9..0000000000 --- a/services/telegraf-ds/values-roe.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -vaultSecretsPath: "rsp.lsst.ac.uk" -telegraf-ds: - override_config: - toml: |+ - [ global_tags ] - cluster = "rsp.lsst.ac.uk" - [ agent ] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = 
"square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-squash-sandbox.yaml b/services/telegraf-ds/values-squash-sandbox.yaml deleted file mode 100644 index e38b5e4026..0000000000 --- a/services/telegraf-ds/values-squash-sandbox.yaml +++ /dev/null 
@@ -1,56 +0,0 @@
-vaultSecretsPath: "squash-sandbox.lsst.codes"
-telegraf-ds:
- override_config:
- toml: |+
- [ global_tags ]
- cluster = "squash-sandbox.lsst.codes"
- [ agent ]
- hostname = "telegraf-$HOSTIP"
- [[inputs.kubernetes]]
- url = "https://$HOSTIP:10250"
- bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
- insecure_skip_verify = true
- namepass = ["kubernetes_pod_container"]
- fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
- [[outputs.influxdb_v2]]
- urls = ["https://monitoring.lsst.codes"]
- token = "$INFLUX_TOKEN"
- organization = "square"
- bucket = "cert_manager"
- [outputs.influxdb_v2.tagpass]
- namespace = ["cert-manager"]
- [[outputs.influxdb_v2]]
- urls = ["https://monitoring.lsst.codes"]
- token = "$INFLUX_TOKEN"
- organization = "square"
- bucket = "gafaelfawr"
- [outputs.influxdb_v2.tagpass]
- namespace = ["gafaelfawr"]
- [[outputs.influxdb_v2]]
- urls = ["https://monitoring.lsst.codes"]
- token = "$INFLUX_TOKEN"
- organization = "square"
- bucket = "ingress_nginx"
- [outputs.influxdb_v2.tagpass]
- namespace = ["ingress-nginx"]
- [[outputs.influxdb_v2]]
- urls = ["https://monitoring.lsst.codes"]
- token = "$INFLUX_TOKEN"
- organization = "square"
- bucket = "postgres"
- [outputs.influxdb_v2.tagpass]
- namespace = ["postgres"]
- [[outputs.influxdb_v2]]
- urls = ["https://monitoring.lsst.codes"]
- token = "$INFLUX_TOKEN"
- organization = "square"
- bucket = "squash_api"
- [outputs.influxdb_v2.tagpass]
- namespace = ["squash-api"]
- [[outputs.influxdb_v2]]
- urls = ["https://monitoring.lsst.codes"]
- token = "$INFLUX_TOKEN"
- organization = "square"
- bucket = "vault_secrets_operator"
- [outputs.influxdb_v2.tagpass]
- namespace = ["vault-secrets-operator"]
diff --git a/services/telegraf-ds/values-stable.yaml b/services/telegraf-ds/values-stable.yaml
deleted file mode 100644
index cb3a3b1d69..0000000000
--- a/services/telegraf-ds/values-stable.yaml
+++ /dev/null
@@ -1,126 +0,0 @@ -vaultSecretsPath: "lsst-lsp-stable.ncsa.illinois.edu" -telegraf-ds: - override_config: - toml: |+ - [ global_tags ] - cluster = "lsst-lsp-stable.ncsa.illinois.edu" - [ agent ] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "datalinker" - [outputs.influxdb_v2.tagpass] - namespace = ["datalinker"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "obstap" - [outputs.influxdb_v2.tagpass] - namespace = ["obstap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = 
"$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sasquatch" - [outputs.influxdb_v2.tagpass] - namespace = ["sasquatch"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "strimzi" - [outputs.influxdb_v2.tagpass] - namespace = ["strimzi"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-summit.yaml b/services/telegraf-ds/values-summit.yaml deleted file mode 100644 index faa6579d23..0000000000 --- a/services/telegraf-ds/values-summit.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -vaultSecretsPath: "summit-lsp.lsst.codes" -telegraf-ds: - override_config: - toml: |+ - [ global_tags ] - cluster = "summit-lsp.lsst.codes" - [ agent ] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "exposurelog" - [outputs.influxdb_v2.tagpass] - namespace = ["exposurelog"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "narrativelog" - [outputs.influxdb_v2.tagpass] - namespace = ["narrativelog"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - 
token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-tucson-teststand.yaml b/services/telegraf-ds/values-tucson-teststand.yaml deleted file mode 100644 index 47046b25fe..0000000000 --- a/services/telegraf-ds/values-tucson-teststand.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -vaultSecretsPath: "tucson-teststand.lsst.codes" -telegraf-ds: - override_config: - toml: |+ - [ global_tags ] - cluster = "tucson-teststand.lsst.codes" - [ agent ] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "exposurelog" - [outputs.influxdb_v2.tagpass] - namespace = ["exposurelog"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "narrativelog" - [outputs.influxdb_v2.tagpass] - namespace = ["narrativelog"] - [[outputs.influxdb_v2]] - urls = 
["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sasquatch" - [outputs.influxdb_v2.tagpass] - namespace = ["sasquatch"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "strimzi" - [outputs.influxdb_v2.tagpass] - namespace = ["strimzi"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values.yaml b/services/telegraf-ds/values.yaml index ebef14bfe4..2ffb19b347 100644 --- a/services/telegraf-ds/values.yaml +++ b/services/telegraf-ds/values.yaml @@ -12,9 +12,9 @@ telegraf-ds: key: influx-token override_config: toml: |+ - [ global_tags ] + [global_tags] cluster = "no_endpoint" - [ agent ] + [agent] hostname = "telegraf-$HOSTIP" [[inputs.kubernetes]] url = "https://$HOSTIP:10250" diff --git a/services/telegraf/values-base.yaml b/services/telegraf/values-base.yaml index 7f645ae14a..9670836a04 100644 --- a/services/telegraf/values-base.yaml 
+++ b/services/telegraf/values-base.yaml @@ -2,5 +2,22 @@ telegraf: config: global_tags: cluster: base-lsp.lsst.codes - + inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_hub + tags: + prometheus_app: nublado2 + urls: + - http://hub.nublado2:8081/metrics + outputs: + - influxdb_v2: + bucket: nublado2 + organization: square + tagpass: + prometheus_app: + - nublado2 + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes vaultSecretsPath: secret/k8s_operator/base-lsp.lsst.codes diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index 3c98a4f098..f152305df5 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml @@ -2,5 +2,22 @@ telegraf: config: global_tags: cluster: data-dev.lsst.cloud - + inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_hub + tags: + prometheus_app: nublado2 + urls: + - http://hub.nublado2:8081/metrics + outputs: + - influxdb_v2: + bucket: nublado2 + organization: square + tagpass: + prometheus_app: + - nublado2 + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf/values-idfint.yaml b/services/telegraf/values-idfint.yaml index 6d5503ce40..d055df519d 100644 --- a/services/telegraf/values-idfint.yaml +++ b/services/telegraf/values-idfint.yaml @@ -2,5 +2,22 @@ telegraf: config: global_tags: cluster: data-int.lsst.cloud - + inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_hub + tags: + prometheus_app: nublado2 + urls: + - http://hub.nublado2:8081/metrics + outputs: + - influxdb_v2: + bucket: nublado2 + organization: square + tagpass: + prometheus_app: + - nublado2 + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes vaultSecretsPath: secret/k8s_operator/data-int.lsst.cloud 
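Review bot: Nothing in the new stanza says where it came from, yet the alphabetised keys and the fact that values-base, values-idfdev and values-idfint (all on this line) differ only in `cluster:` strongly suggest it is tool-generated; if so, add `# Generated file -- edit the generator, not this file` as the first line of each so a hand edit is not silently overwritten on the next run. The `token: $INFLUX_TOKEN` plain scalar is a placeholder that Telegraf expands from the `INFLUX_TOKEN` environment variable (fed from the `telegraf` secret via `secretKeyRef` in the chart's values.yaml), not a literal credential; a one-line comment `# expanded by Telegraf from the INFLUX_TOKEN env var, not a literal` above it keeps a reader from treating it as a leaked or missing secret. Every `influxdb_v2` output only passes points tagged `prometheus_app: nublado2`, so any input added later without that tag is dropped silently; worth one comment above `outputs:` saying that each bucket is gated by `tagpass`.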
diff --git a/services/telegraf/values-idfprod.yaml b/services/telegraf/values-idfprod.yaml deleted file mode 100644 index 194d279a2e..0000000000 --- a/services/telegraf/values-idfprod.yaml +++ /dev/null @@ -1,6 +0,0 @@ -telegraf: - config: - global_tags: - cluster: data.lsst.cloud - -vaultSecretsPath: secret/k8s_operator/data.lsst.cloud diff --git a/services/telegraf/values-int.yaml b/services/telegraf/values-int.yaml index 67125edb94..d6282a4852 100644 --- a/services/telegraf/values-int.yaml +++ b/services/telegraf/values-int.yaml @@ -2,5 +2,22 @@ telegraf: config: global_tags: cluster: lsst-lsp-int.ncsa.illinois.edu - + inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_hub + tags: + prometheus_app: nublado2 + urls: + - http://hub.nublado2:8081/metrics + outputs: + - influxdb_v2: + bucket: nublado2 + organization: square + tagpass: + prometheus_app: + - nublado2 + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes vaultSecretsPath: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu diff --git a/services/telegraf/values-minikube.yaml b/services/telegraf/values-minikube.yaml deleted file mode 100644 index 4f24c2bb3b..0000000000 --- a/services/telegraf/values-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -telegraf: - config: - global_tags: - cluster: minikube.lsst.codes - -vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes diff --git a/services/telegraf/values-stable.yaml b/services/telegraf/values-stable.yaml deleted file mode 100644 index ce3d3c3871..0000000000 --- a/services/telegraf/values-stable.yaml +++ /dev/null @@ -1,6 +0,0 @@ -telegraf: - config: - global_tags: - cluster: lsst-lsp-stable.ncsa.illinois.edu - -vaultSecretsPath: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu diff --git a/services/telegraf/values-summit.yaml b/services/telegraf/values-summit.yaml deleted file mode 100644 index 0f4b053b78..0000000000 --- a/services/telegraf/values-summit.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -telegraf: - config: - global_tags: - cluster: summit-lsp.lsst.codes - -vaultSecretsPath: secret/k8s_operator/summit-lsp.lsst.codes diff --git a/services/telegraf/values-tucson-teststand.yaml b/services/telegraf/values-tucson-teststand.yaml deleted file mode 100644 index 2f2f8d929b..0000000000 --- a/services/telegraf/values-tucson-teststand.yaml +++ /dev/null @@ -1,6 +0,0 @@ -telegraf: - config: - global_tags: - cluster: tucson-teststand.lsst.codes - -vaultSecretsPath: secret/k8s_operator/tucson-teststand.lsst.codes diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 7eb204c99f..3551adfb60 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml 
@@ -1,174 +1,18 @@ telegraf: - # -- Allow network access to JupyterHub pod. - podLabels: - hub.jupyter.org/network-access-hub: "true" - env: - # -- Token to communicate with Influx - - name: INFLUX_TOKEN - valueFrom: - secretKeyRef: - name: telegraf - key: influx-token - rbac: - enabled: true - clusterWide: true - # When using the prometheus input to scrape all pods you need extra - # rules set to the ClusterRole to be able to scan the pods for - # scraping labels. The following rules have been taken from: - # https://github.com/helm/charts/blob/master/stable/prometheus/templates/server-clusterrole.yaml#L8-L46 - rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/metrics - - services - - endpoints - - pods - - ingresses - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - resources: - - ingresses/status - - ingresses - verbs: - - get - - list - - watch - - nonResourceURLs: - - "/metrics" - - "/stats" - verbs: - - get - service: - # -- Telegraf service. - enabled: false config: agent: omit_hostname: true global_tags: - # -- Cluster name -- should be same as FQDN of RSP endpoint - # @default -- None, must be set - cluster: "" - inputs: - - prometheus: - # Collect JupyterHub Prometheus metrics by default. 
- # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html - urls: - - http://hub.nublado2:8081/metrics - tags: - prometheus_app: "hub" - metric_version: 2 - - prometheus: - urls: - - http://cert-manager.cert-manager:9402/metrics - tags: - prometheus_app: "certmanager" - metric_version: 2 - - prometheus: - # Get all the ArgoCD measurements, and put them into an "argocd" bucket - # but override the measurement names so each category gets its own - # measurements - name_override: "application_controller" - metric_version: 2 - tags: - prometheus_app: "argocd" - urls: - - http://argocd-application-controller-metrics.argocd:8082/metrics - - prometheus: - name_override: "notifications_controller" - metric_version: 2 - tags: - prometheus_app: "argocd" - urls: - - http://argocd-notifications-controller-metrics.argocd:9001/metrics - - prometheus: - name_override: "redis" - metric_version: 2 - tags: - prometheus_app: "argocd" - urls: - - http://argocd-redis-metrics.argocd:9121/metrics - - prometheus: - name_override: "repo_server" - metric_version: 2 - tags: - prometheus_app: "argocd" - urls: - - http://argocd-repo-server-metrics.argocd:8084/metrics - - prometheus: - name_override: "server" - metric_version: 2 - tags: - prometheus_app: "argocd" - urls: - - http://argocd-server-metrics.argocd:8083/metrics - - prometheus: - urls: - - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics - tags: - prometheus_app: "ingressnginx" - # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/ - metric_version: 2 -# - kubernetes: -# bearer_token: "/var/run/secrets/kubernetes.io/serviceaccount/token" -# insecure_skip_verify: true -# url: "https://kubernetes.default.svc" -# # We only care about the applications; GKE does a good job -# # with the overall cluster. -# namepass: ["kubernetes_pod_container"] - # -- Telegraf default output destination. 
- outputs: - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "prometheus_argocd" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - prometheus_app: ["argocd"] - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "prometheus_hub" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - prometheus_app: ["hub"] - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "prometheus_certmanager" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - prometheus_app: ["certmanager"] - - influxdb_v2: - urls: - - "https://monitoring.lsst.codes" - bucket: "prometheus_ingressnginx" - token: "$INFLUX_TOKEN" - organization: "square" - tagpass: - prometheus_app: ["ingressnginx"] - # Kubernetes: split by namespace - - influxdb_v2: - token: "$INFLUX_TOKEN" - urls: - - "https://monitoring.lsst.codes" - organization: "square" - bucket: "k8s_argocd" - namepass: ["kubernetes_pod_container"] - tagpass: - namespace: ["argocd"] + cluster: '' + env: + - name: INFLUX_TOKEN + valueFrom: + secretKeyRef: + key: influx-token + name: telegraf + podLabels: + hub.jupyter.org/network-access-hub: true + service: + enabled: false tplVersion: 2 - -# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) -# @default -- None, must be set -vaultSecretsPath: "" +vaultSecretsPath: '' From f7bdcf4b28b0b82b2b570f3fe2630dafe06531c7 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 8 Apr 2022 16:44:31 -0700 Subject: [PATCH 0216/1479] Labels must be strings, not bools --- services/telegraf/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 3551adfb60..756f4a3a94 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -1,7 +1,7 @@ telegraf: config: agent: - omit_hostname: true + omit_hostname: 'true' global_tags: cluster: '' env: 
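Review bot: The rewrite drops every helm-docs annotation the file had (`# -- Cluster name -- should be same as FQDN of RSP endpoint` and `# @default -- None, must be set` above `cluster`, and the matching pair above `vaultSecretsPath`), so a README generated from those markers would presumably lose both entries; restore the two comment pairs above `cluster: ''` and `vaultSecretsPath: ''`. Removing the `rbac` block with its cluster-wide `get`/`list`/`watch` on nodes, pods, services, endpoints and configmaps is a genuine least-privilege reduction and is consistent with the inputs now being static per-instance URLs rather than pod discovery, but it is a permission change the chart documentation should state explicitly so that a later discovery-based input is not added without the rules it needs. The single-quoted `''` values and alphabetised keys suggest the file was regenerated by a tool; if so, a header comment naming the owning tool would prevent the next manual edit from being lost.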
@@ -11,8 +11,8 @@ telegraf:
 key: influx-token
 name: telegraf
 podLabels:
- hub.jupyter.org/network-access-hub: true
+ hub.jupyter.org/network-access-hub: 'true'
 service:
- enabled: false
+ enabled: 'false'
 tplVersion: 2
 vaultSecretsPath: ''
From 6dfe4ed9488d6e7ff8379202c03ea5678123a702 Mon Sep 17 00:00:00 2001
From: adam
Date: Fri, 8 Apr 2022 16:46:56 -0700
Subject: [PATCH 0217/1479] but bools must stay bools
---
 gen_config/gen_config/prometheus.py | 16 ++++++++++++++++
 services/telegraf/values.yaml | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 gen_config/gen_config/prometheus.py
diff --git a/gen_config/gen_config/prometheus.py b/gen_config/gen_config/prometheus.py
new file mode 100644
index 0000000000..13dcc9fdc8
--- /dev/null
+++ b/gen_config/gen_config/prometheus.py
@@ -0,0 +1,16 @@
+prometheus_config = {
+ "argocd": {
+ "application_controller": "http://argocd-application-controller-metrics.argocd:8082/metrics",
+ "notifications_controller": "http://argocd-notifications-controller-metrics.argocd:9001/metrics",
+ "redis": "http://argocd-redis-metrics.argocd:9121/metrics",
+ "repo_server": "http://argocd-repo-server-metrics.argocd:8084/metrics",
+ "server": "http://argocd-server-metrics.argocd:8083/metrics",
+ },
+ "nublado2": {
+ "hub": "http://hub.nublado2:8081/metrics",
+ },
+ "ingress-nginx": {
+ "controller": "http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics",
+ },
+}
+
diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml
index 756f4a3a94..4afe9a0f6f 100644
--- a/services/telegraf/values.yaml
+++ b/services/telegraf/values.yaml
@@ -1,7 +1,7 @@ telegraf:
 config:
 agent:
- omit_hostname: 'true'
+ omit_hostname: true
 global_tags:
 cluster: ''
 env:
From 479d1a9ea3df93d60dce50ffc734e532efbe117b Mon Sep 17 00:00:00 2001
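Review bot: `enabled: 'false'` under `service:` is no longer a boolean, and if the chart template gates the Service on `.Values.service.enabled` (likely given the key name, though the template is not on this page) a non-empty string is truthy in Go templates, so the Service would be rendered despite the value. Only the pod label needs quoting, because Kubernetes label values are strings; keep `enabled: false`. The same applies to `omit_hostname: 'true'` in this commit's first hunk on the previous line, which Telegraf reads as a boolean agent setting rather than a label.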
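Review bot: The module has no docstring, so the shape of `prometheus_config` (outer keys are Phalanx application names, inner keys a service label, values the in-cluster metrics URL) has to be reverse-engineered by every caller; add a module docstring stating that, and say whether the outer keys are required to match the application keys used in the per-instance values files, since that coupling is not visible here and should be confirmed. All five argocd URLs exceed the usual 79/88-column limit; wrap them with implicit string concatenation or mark them `# noqa: E501`. The endpoints are plain `http://` service URLs inside the cluster, which is the normal pod-to-pod scraping setup, and a one-line comment saying they are cluster-internal and never exposed would make that intent explicit.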
From: adam
Date: Fri, 8 Apr 2022 16:49:05 -0700
Subject: [PATCH 0218/1479] more str->bool
---
 gen_config/gen_config/telegrafgenerator.py | 129 +++++++++++++++++++++
 services/telegraf/values.yaml | 2 +-
 2 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 gen_config/gen_config/telegrafgenerator.py
diff --git a/gen_config/gen_config/telegrafgenerator.py b/gen_config/gen_config/telegrafgenerator.py
new file mode 100644
index 0000000000..fa8a4df762
--- /dev/null
+++ b/gen_config/gen_config/telegrafgenerator.py
@@ -0,0 +1,129 @@
+import yaml
+
+from .phalanxconfiggenerator import PhalanxConfigGenerator
+from .prometheus import prometheus_config
+
+from typing import Any, Dict
+
+class TelegrafGenerator(PhalanxConfigGenerator):
+ """
+ TelegrafGenerator generates configuration files for the telegraf
+ application.
+ """
+ def __init__(self, *args, **kwargs) -> None:
+ super().__init__(*args, **kwargs)
+ self.output_path = self.phalanx_root + "/services/telegraf"
+
+ def build_config(self) -> None:
+ self.config["generic"] = self.build_generic_yaml()
+ for instance in self.instances:
+ self.config[instance]=self.build_instance_yaml(instance)
+
+ def build_generic_yaml(self) -> None:
+ obj = {
+ "telegraf": {
+ # -- Allow network access to JupyterHub pod.
+ "podLabels": {
+ "hub.jupyter.org/network-access-hub": "true",
+ },
+ "env": [
+ {
+ # -- Token to communicate with InfluxDB_v2
+ "name": "INFLUX_TOKEN",
+ "valueFrom": {
+ "secretKeyRef": {
+ "name": "telegraf",
+ "key": "influx-token",
+ },
+ },
+ },
+ ],
+ "service": {
+ # -- Telegraf service.
+ "enabled": False,
+ },
+ "config": {
+ "agent": {
+ "omit_hostname": True,
+ },
+ "global_tags": {
+ # -- Cluster name -- should be FQDN of RSP endpoint
+ # @default -- None: must be set
+ "cluster": "",
+ },
+ },
+ "tplVersion": 2,
+ },
+ # -- Path to the Vault secrets
+ # -- (`secret/k8s_operator/`)
+ # @default -- None: must be set
+ "vaultSecretsPath": "",
+ }
+ return yaml.dump(obj)
+
+ def build_instance_yaml(self, instance:str) -> str:
+ inst_obj = self.instances.get(instance, {})
+ if not inst_obj:
+ return ""
+ # If telegraf isn't enabled for the site, don't write anything.
+ if not inst_obj.get("telegraf", {}).get("enabled", ""):
+ return ""
+ secrets_path=inst_obj.get("vault_path_prefix","")
+ cluster = inst_obj.get("fqdn","")
+ obj = { "vaultSecretsPath": secrets_path,
+ "telegraf": {
+ "config": {
+ "global_tags": {
+ "cluster": cluster,
+ },
+ "outputs": [],
+ "inputs": [],
+ },
+ },
+ }
+ for app in prometheus_config:
+ if not inst_obj.get(app,{}).get("enabled",False):
+ continue
+ # The app is enabled, so we should monitor it.
+ for service in prometheus_config[app]:
+ # Construct the outputs (bucket-separated)
+ out_obj = self.make_output_object(app, service)
+ obj["telegraf"]["config"]["outputs"].append(out_obj)
+ # Construct the inputs (Prometheus metric endpoints)
+ inp_obj = self.make_input_object(app, service)
+ obj["telegraf"]["config"]["inputs"].append(inp_obj)
+ return yaml.dump(obj)
+
+
+ def make_input_object(self, app: str, service: str) -> Dict[str, Any]:
+ obj={
+ "prometheus": {
+ "urls": [
+ prometheus_config[app][service],
+ ],
+ "tags": {
+ "prometheus_app": app,
+ },
+ "name_override": f"prometheus_{service}",
+ "metric_version": 2,
+ },
+ }
+ return obj
+
+ def make_output_object(self, app: str, service: str) -> Dict[str, Any]:
+ obj = {
+ "influxdb_v2": {
+ "urls": [
+ "https://monitoring.lsst.codes",
+ ],
+ "bucket": app.replace("-","_"),
+ "token": "$INFLUX_TOKEN",
+ "organization": "square",
+ "tagpass": {
+ "prometheus_app": [
+ app,
+ ],
+ },
+ },
+ }
+ return obj
diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml
index 4afe9a0f6f..8e487a477e 100644
--- a/services/telegraf/values.yaml
+++ b/services/telegraf/values.yaml
@@ -13,6 +13,6 @@ telegraf:
 podLabels:
 hub.jupyter.org/network-access-hub: 'true'
 service:
- enabled: 'false'
+ enabled: false
 tplVersion: 2
 vaultSecretsPath: ''
From 05b4304ad3a32f6e898ce145733aba0329d163c4 Mon Sep 17 00:00:00 2001
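Review bot: `make_output_object` is called inside the per-service loop in `build_instance_yaml`, so an app with N services (argocd has five in `prometheus_config`) gets N identical `influxdb_v2` outputs with the same bucket and `tagpass`, and Telegraf delivers every matching point to each output, i.e. five writes of the same data; the values-base.yaml and values-idfdev.yaml hunks in the following commit (two lines further down this page) show exactly that. Build the output once per app and drop the unused `service` argument, as sketched below. `build_generic_yaml` is annotated `-> None` but returns `yaml.dump(obj)`; change it to `-> str`. The `# --` helm-docs annotations inside `obj` are Python comments and never reach the emitted values.yaml, so the generated chart file loses all of its documentation; either render them through a template or state in the class docstring that helm-docs comments cannot come from this generator.
```python
        for app in prometheus_config:
            if not inst_obj.get(app, {}).get("enabled", False):
                continue
            # One bucket per app, so emit the output once, not once per service.
            out_obj = self.make_output_object(app)
            obj["telegraf"]["config"]["outputs"].append(out_obj)
            # Construct the inputs (Prometheus metric endpoints)
            for service in prometheus_config[app]:
                inp_obj = self.make_input_object(app, service)
                obj["telegraf"]["config"]["inputs"].append(inp_obj)
        return yaml.dump(obj)

    # … unchanged: make_input_object …

    def make_output_object(self, app: str) -> Dict[str, Any]:
        # … unchanged: body …
```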
From: adam
Date: Fri, 8 Apr 2022 17:01:57 -0700
Subject: [PATCH 0219/1479] Include (implicit) ArgoCD
---
 .../gen_config/phalanxconfiggenerator.py | 9 +++
 services/telegraf-ds/values-base.yaml | 7 ++
 services/telegraf-ds/values-idfdev.yaml | 7 ++
 services/telegraf-ds/values-idfint.yaml | 7 ++
 services/telegraf-ds/values-int.yaml | 7 ++
 services/telegraf/values-base.yaml | 80 +++++++++++++++++++
 services/telegraf/values-idfdev.yaml | 80 +++++++++++++++++++
 services/telegraf/values-idfint.yaml | 80 +++++++++++++++++++
 services/telegraf/values-int.yaml | 80 +++++++++++++++++++
 9 files changed, 357 insertions(+)
diff --git a/gen_config/gen_config/phalanxconfiggenerator.py b/gen_config/gen_config/phalanxconfiggenerator.py
index 7559a35970..b53f02b2f5 100644
--- a/gen_config/gen_config/phalanxconfiggenerator.py
+++ b/gen_config/gen_config/phalanxconfiggenerator.py
@@ -94,6 +94,9 @@ def find_instances(self) -> Dict[str,Any]:
 iname = v.split('-')[-1][:-5]
 with open(v) as f:
 inst_settings[iname] = yaml.safe_load(f)
+ # ArgoCD is not specified but implicitly present everywhere.
+ for inst in inst_settings:
+ inst_settings[inst]["argocd"] = { "enabled": True }
 return inst_settings
 def find_applications(self) -> Tuple[str]:
@@ -101,6 +104,8 @@ def find_applications(self) -> Tuple[str]:
 val_path = self._get_science_platform_path()
 val_file = val_path + "/values.yaml"
 applications = tuple()
+ # ArgoCD is implicitly present everwhere
+ applications += ("argocd",)
 with open(val_file) as f:
 apps=yaml.safe_load(f)
 for app in apps:
@@ -133,6 +138,10 @@ def parse_app_template(self, app:str) -> Set[str]:
 # preinstalled.
 namespaces.add("vault-secrets-operator")
 return namespaces
+ if app == "argocd":
+ # Implicitly present at all deployments, not specified.
+ namespaces.add("argocd")
+ return namespaces
 dashapp = app.replace('_', '-')
 app_file = f"{val_path}/templates/{dashapp}-application.yaml"
 detemplated_contents = self.strip_templates(app_file)
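Review bot: In the first hunk, `inst_settings[inst]["argocd"] = { "enabled": True }` unconditionally overwrites whatever an instance file already says about argocd, so an explicit `argocd: {enabled: false}` or any other argocd setting in a values file is silently discarded; `inst_settings[inst].setdefault("argocd", {"enabled": True})` keeps the implicit default without clobbering explicit configuration. `find_instances` starts outside the hunk. The comment in the second hunk reads `everwhere`; it should be `# ArgoCD is implicitly present everywhere`. In the third hunk the new `argocd` short-circuit mirrors the `vault-secrets-operator` one directly above it; one comment over both, saying these are preinstalled and have no application template to parse, would explain why they bypass `strip_templates`.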
diff --git a/services/telegraf-ds/values-base.yaml b/services/telegraf-ds/values-base.yaml index 6e814f945d..c727d1cd09 100644 --- a/services/telegraf-ds/values-base.yaml +++ b/services/telegraf-ds/values-base.yaml @@ -12,6 +12,13 @@ telegraf-ds: insecure_skip_verify = true namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "argocd" + [outputs.influxdb_v2.tagpass] + namespace = ["argocd"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" diff --git a/services/telegraf-ds/values-idfdev.yaml b/services/telegraf-ds/values-idfdev.yaml index 41cc95a353..5fbe246a2b 100644 --- a/services/telegraf-ds/values-idfdev.yaml +++ b/services/telegraf-ds/values-idfdev.yaml @@ -12,6 +12,13 @@ telegraf-ds: insecure_skip_verify = true namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "argocd" + [outputs.influxdb_v2.tagpass] + namespace = ["argocd"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" diff --git a/services/telegraf-ds/values-idfint.yaml b/services/telegraf-ds/values-idfint.yaml index f651193203..4b6029926f 100644 --- a/services/telegraf-ds/values-idfint.yaml +++ b/services/telegraf-ds/values-idfint.yaml @@ -12,6 +12,13 @@ telegraf-ds: insecure_skip_verify = true namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "argocd" + [outputs.influxdb_v2.tagpass] + namespace = ["argocd"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" 
diff --git a/services/telegraf-ds/values-int.yaml b/services/telegraf-ds/values-int.yaml index 6438d52c4a..3dae0bcab2 100644 --- a/services/telegraf-ds/values-int.yaml +++ b/services/telegraf-ds/values-int.yaml @@ -12,6 +12,13 @@ telegraf-ds: insecure_skip_verify = true namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "argocd" + [outputs.influxdb_v2.tagpass] + namespace = ["argocd"] [[outputs.influxdb_v2]] urls = ["https://monitoring.lsst.codes"] token = "$INFLUX_TOKEN" diff --git a/services/telegraf/values-base.yaml b/services/telegraf/values-base.yaml index 9670836a04..a1fc7485b5 100644 --- a/services/telegraf/values-base.yaml +++ b/services/telegraf/values-base.yaml @@ -3,6 +3,41 @@ telegraf: global_tags: cluster: base-lsp.lsst.codes inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_application_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-application-controller-metrics.argocd:8082/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_notifications_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_redis + tags: + prometheus_app: argocd + urls: + - http://argocd-redis-metrics.argocd:9121/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_repo_server + tags: + prometheus_app: argocd + urls: + - http://argocd-repo-server-metrics.argocd:8084/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_server + tags: + prometheus_app: argocd + urls: + - http://argocd-server-metrics.argocd:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub 
@@ -11,6 +46,51 @@ telegraf: urls: - http://hub.nublado2:8081/metrics outputs: + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes - influxdb_v2: bucket: nublado2 organization: square diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index f152305df5..c4c4fbd9a4 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml 
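Review bot: The outputs hunk adds five byte-identical `influxdb_v2` outputs (same `bucket: argocd`, `organization`, `tagpass` on `prometheus_app: argocd`, token and URL), so every metric tagged `prometheus_app=argocd` is handed to five outputs and pushed to the same bucket five times. Telegraf fans each metric out to every output whose filter matches, so a single output block is sufficient; the telegraf-ds hunks in this same commit (L688–L689) add exactly one output per file, which is the shape wanted here. The same five-fold block appears in values-idfdev.yaml (L691), values-idfint.yaml (L693) and values-int.yaml (L694). If these files are produced by gen_config, the generator appears to emit one output per prometheus input rather than one per bucket, and that is where the fix belongs.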
@@ -3,6 +3,41 @@ telegraf: global_tags: cluster: data-dev.lsst.cloud inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_application_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-application-controller-metrics.argocd:8082/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_notifications_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_redis + tags: + prometheus_app: argocd + urls: + - http://argocd-redis-metrics.argocd:9121/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_repo_server + tags: + prometheus_app: argocd + urls: + - http://argocd-repo-server-metrics.argocd:8084/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_server + tags: + prometheus_app: argocd + urls: + - http://argocd-server-metrics.argocd:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub @@ -11,6 +46,51 @@ telegraf: urls: - http://hub.nublado2:8081/metrics outputs: + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes - influxdb_v2: bucket: nublado2 organization: square 
diff --git a/services/telegraf/values-idfint.yaml b/services/telegraf/values-idfint.yaml index d055df519d..26d55b82f8 100644 --- a/services/telegraf/values-idfint.yaml +++ b/services/telegraf/values-idfint.yaml @@ -3,6 +3,41 @@ telegraf: global_tags: cluster: data-int.lsst.cloud inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_application_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-application-controller-metrics.argocd:8082/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_notifications_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_redis + tags: + prometheus_app: argocd + urls: + - http://argocd-redis-metrics.argocd:9121/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_repo_server + tags: + prometheus_app: argocd + urls: + - http://argocd-repo-server-metrics.argocd:8084/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_server + tags: + prometheus_app: argocd + urls: + - http://argocd-server-metrics.argocd:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub 
@@ -11,6 +46,51 @@ telegraf: urls: - http://hub.nublado2:8081/metrics outputs: + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes - influxdb_v2: bucket: nublado2 organization: square diff --git a/services/telegraf/values-int.yaml b/services/telegraf/values-int.yaml index d6282a4852..91687373f1 100644 --- a/services/telegraf/values-int.yaml +++ b/services/telegraf/values-int.yaml 
@@ -3,6 +3,41 @@ telegraf: global_tags: cluster: lsst-lsp-int.ncsa.illinois.edu inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_application_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-application-controller-metrics.argocd:8082/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_notifications_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_redis + tags: + prometheus_app: argocd + urls: + - http://argocd-redis-metrics.argocd:9121/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_repo_server + tags: + prometheus_app: argocd + urls: + - http://argocd-repo-server-metrics.argocd:8084/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_server + tags: + prometheus_app: argocd + urls: + - http://argocd-server-metrics.argocd:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub @@ -11,6 +46,51 @@ telegraf: urls: - http://hub.nublado2:8081/metrics outputs: + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes - influxdb_v2: bucket: nublado2 organization: square 
From 7c74ddcf725c63bc1bd2506b8f0cfdd1ca197bdb Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 8 Apr 2022 18:11:26 -0700 Subject: [PATCH 0220/1479] add __pycache__/ to .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 80d17d262b..30f71890ea 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /services-expanded/ .DS_Store **/Chart.lock +__pycache__/ From 30b9c4500d3919fda09354e2193247441bca3d81 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 11 Apr 2022 13:30:38 -0700 Subject: [PATCH 0221/1479] increase timeout for helm installer --- .github/workflows/ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b5560c7c99..571491a805 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -96,6 +96,7 @@ jobs: sudo pip install -r installer/requirements.txt - name: Run installer + timeout-minutes: 30 if: steps.filter.outputs.minikube == 'true' run: | cd installer From c196f608420d59d29349f477d5972797bd0c1fa9 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 11 Apr 2022 13:45:36 -0700 Subject: [PATCH 0222/1479] better app detection --- gen_config/gen_config/phalanxconfiggenerator.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/gen_config/gen_config/phalanxconfiggenerator.py b/gen_config/gen_config/phalanxconfiggenerator.py index b53f02b2f5..c31b755aca 100644 --- a/gen_config/gen_config/phalanxconfiggenerator.py +++ b/gen_config/gen_config/phalanxconfiggenerator.py @@ -109,8 +109,7 @@ def find_applications(self) -> Tuple[str]: with open(val_file) as f: apps=yaml.safe_load(f) for app in apps: - # Skip the fields that are not apps - if app in ("repoURL", "revision", "onepassword_uuid"): + if "enabled" not in apps[app]: continue applications += (app,) return applications From 6867ed58c49e031ad0e262c749deeb0caa5ebbc6 Mon Sep 17 00:00:00 2001 
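Review bot: `if "enabled" not in apps[app]:` is a substring test whenever the value is a string, so the non-application keys the removed line skipped by name (`repoURL`, `revision`, `onepassword_uuid`) are now skipped only because their string values happen not to contain the text "enabled", and a value that is `None` or a number raises `TypeError` instead of being skipped. Guard on the type rather than the contents: `if not isinstance(apps[app], dict) or "enabled" not in apps[app]:`. The enclosing `find_applications` starts before the hunk; its declared return type `Tuple[str]` (a one-element tuple) also disagrees with `applications += (app,)` and should read `Tuple[str, ...]`.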
From: adam Date: Mon, 11 Apr 2022 14:52:24 -0700 Subject: [PATCH 0223/1479] Fix prometheus endpoints for telegraf+ds --- gen_config/gen_config/prometheus.py | 10 +++++----- services/telegraf/values-base.yaml | 10 +++++----- services/telegraf/values-idfdev.yaml | 10 +++++----- services/telegraf/values-idfint.yaml | 10 +++++----- services/telegraf/values-int.yaml | 10 +++++----- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/gen_config/gen_config/prometheus.py b/gen_config/gen_config/prometheus.py index 13dcc9fdc8..941ca2eb76 100644 --- a/gen_config/gen_config/prometheus.py +++ b/gen_config/gen_config/prometheus.py @@ -1,10 +1,10 @@ prometheus_config = { "argocd": { - "application_controller": "http://argocd-application-controller-metrics.argocd:8082/metrics", - "notifications_controller": "http://argocd-notifications-controller-metrics.argocd:9001/metrics", - "redis": "http://argocd-redis-metrics.argocd:9121/metrics", - "repo_server": "http://argocd-repo-server-metrics.argocd:8084/metrics", - "server": "http://argocd-server-metrics.argocd:8083/metrics", + "application_controller": "http://argocd-application-controller.argocd.svc:8082/metrics", + "notifications_controller": "http://argocd-notifications-controller.argocd.svc:9001/metrics", + "redis": "http://argocd-redis.argocd.svc:9121/metrics", + "repo_server": "http://argocd-repo-server.argocd.svc:8084/metrics", + "server": "http://argocd-server.argocd.svc:8083/metrics", }, "nublado2": { "hub": "http://hub.nublado2:8081/metrics", diff --git a/services/telegraf/values-base.yaml b/services/telegraf/values-base.yaml index a1fc7485b5..28e799528a 100644 --- a/services/telegraf/values-base.yaml +++ b/services/telegraf/values-base.yaml 
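Review bot: The new URLs drop the `-metrics` suffix from the argocd Service names while keeping the metrics ports, and [PATCH 0226] further down (L702) restores the suffix, which suggests these names were not checked against the Services the argo-cd chart creates once `metrics.enabled` is set (L701). A comment above the `"argocd"` entry recording where the names come from, e.g. `# Service names of the *-metrics Services the argo-cd chart creates when <component>.metrics.enabled is true; check the chart before renaming`, would stop the next edit from repeating this round trip. The telegraf values hunks that follow (L697–L700) appear to mirror this dict verbatim and inherit whatever names are chosen here.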
@@ -9,35 +9,35 @@ telegraf: tags: prometheus_app: argocd urls: - - http://argocd-application-controller-metrics.argocd:8082/metrics + - http://argocd-application-controller.argocd.svc:8082/metrics - prometheus: metric_version: 2 name_override: prometheus_notifications_controller tags: prometheus_app: argocd urls: - - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - http://argocd-notifications-controller.argocd.svc:9001/metrics - prometheus: metric_version: 2 name_override: prometheus_redis tags: prometheus_app: argocd urls: - - http://argocd-redis-metrics.argocd:9121/metrics + - http://argocd-redis.argocd.svc:9121/metrics - prometheus: metric_version: 2 name_override: prometheus_repo_server tags: prometheus_app: argocd urls: - - http://argocd-repo-server-metrics.argocd:8084/metrics + - http://argocd-repo-server.argocd.svc:8084/metrics - prometheus: metric_version: 2 name_override: prometheus_server tags: prometheus_app: argocd urls: - - http://argocd-server-metrics.argocd:8083/metrics + - http://argocd-server.argocd.svc:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index c4c4fbd9a4..1ea95c701d 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml 
@@ -9,35 +9,35 @@ telegraf: tags: prometheus_app: argocd urls: - - http://argocd-application-controller-metrics.argocd:8082/metrics + - http://argocd-application-controller.argocd.svc:8082/metrics - prometheus: metric_version: 2 name_override: prometheus_notifications_controller tags: prometheus_app: argocd urls: - - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - http://argocd-notifications-controller.argocd.svc:9001/metrics - prometheus: metric_version: 2 name_override: prometheus_redis tags: prometheus_app: argocd urls: - - http://argocd-redis-metrics.argocd:9121/metrics + - http://argocd-redis.argocd.svc:9121/metrics - prometheus: metric_version: 2 name_override: prometheus_repo_server tags: prometheus_app: argocd urls: - - http://argocd-repo-server-metrics.argocd:8084/metrics + - http://argocd-repo-server.argocd.svc:8084/metrics - prometheus: metric_version: 2 name_override: prometheus_server tags: prometheus_app: argocd urls: - - http://argocd-server-metrics.argocd:8083/metrics + - http://argocd-server.argocd.svc:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub diff --git a/services/telegraf/values-idfint.yaml b/services/telegraf/values-idfint.yaml index 26d55b82f8..6f3b9f2beb 100644 --- a/services/telegraf/values-idfint.yaml +++ b/services/telegraf/values-idfint.yaml 
@@ -9,35 +9,35 @@ telegraf: tags: prometheus_app: argocd urls: - - http://argocd-application-controller-metrics.argocd:8082/metrics + - http://argocd-application-controller.argocd.svc:8082/metrics - prometheus: metric_version: 2 name_override: prometheus_notifications_controller tags: prometheus_app: argocd urls: - - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - http://argocd-notifications-controller.argocd.svc:9001/metrics - prometheus: metric_version: 2 name_override: prometheus_redis tags: prometheus_app: argocd urls: - - http://argocd-redis-metrics.argocd:9121/metrics + - http://argocd-redis.argocd.svc:9121/metrics - prometheus: metric_version: 2 name_override: prometheus_repo_server tags: prometheus_app: argocd urls: - - http://argocd-repo-server-metrics.argocd:8084/metrics + - http://argocd-repo-server.argocd.svc:8084/metrics - prometheus: metric_version: 2 name_override: prometheus_server tags: prometheus_app: argocd urls: - - http://argocd-server-metrics.argocd:8083/metrics + - http://argocd-server.argocd.svc:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub diff --git a/services/telegraf/values-int.yaml b/services/telegraf/values-int.yaml index 91687373f1..063b84026d 100644 --- a/services/telegraf/values-int.yaml +++ b/services/telegraf/values-int.yaml 
@@ -9,35 +9,35 @@ telegraf: tags: prometheus_app: argocd urls: - - http://argocd-application-controller-metrics.argocd:8082/metrics + - http://argocd-application-controller.argocd.svc:8082/metrics - prometheus: metric_version: 2 name_override: prometheus_notifications_controller tags: prometheus_app: argocd urls: - - http://argocd-notifications-controller-metrics.argocd:9001/metrics + - http://argocd-notifications-controller.argocd.svc:9001/metrics - prometheus: metric_version: 2 name_override: prometheus_redis tags: prometheus_app: argocd urls: - - http://argocd-redis-metrics.argocd:9121/metrics + - http://argocd-redis.argocd.svc:9121/metrics - prometheus: metric_version: 2 name_override: prometheus_repo_server tags: prometheus_app: argocd urls: - - http://argocd-repo-server-metrics.argocd:8084/metrics + - http://argocd-repo-server.argocd.svc:8084/metrics - prometheus: metric_version: 2 name_override: prometheus_server tags: prometheus_app: argocd urls: - - http://argocd-server-metrics.argocd:8083/metrics + - http://argocd-server.argocd.svc:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub From 831951e2d4cf9b5d8b844732f3f97e9e88b5bbc8 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 11 Apr 2022 15:05:29 -0700 Subject: [PATCH 0224/1479] Turn on metrics for argocd/ingress-nginx in idf-int and base --- services/argocd/values-base.yaml | 20 ++++++++++++++++++++ services/argocd/values-idfint.yaml | 19 +++++++++++++++++++ services/ingress-nginx/values-base.yaml | 2 ++ services/ingress-nginx/values-idfint.yaml | 2 ++ 4 files changed, 43 insertions(+) diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml index b1a580136e..12749eb03a 100644 --- a/services/argocd/values-base.yaml +++ b/services/argocd/values-base.yaml 
@@ -1,8 +1,28 @@ argo-cd: redis: enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: enabled: true hosts: diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml index 3328b4fab2..8a8effb6b9 100644 --- a/services/argocd/values-idfint.yaml +++ b/services/argocd/values-idfint.yaml @@ -1,8 +1,27 @@ argo-cd: redis: enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: enabled: true hosts: diff --git a/services/ingress-nginx/values-base.yaml b/services/ingress-nginx/values-base.yaml index 4e1e66cb7f..184cf9a5d6 100644 --- a/services/ingress-nginx/values-base.yaml +++ b/services/ingress-nginx/values-base.yaml @@ -13,6 +13,8 @@ ingress-nginx: podLabels: gafaelfawr.lsst.io/ingress: "true" hub.jupyter.org/network-access-proxy-http: "true" + metrics: + enabled: true vault_certificate: enabled: false diff --git a/services/ingress-nginx/values-idfint.yaml b/services/ingress-nginx/values-idfint.yaml index 9030d9fd6a..4f834a666d 100644 --- a/services/ingress-nginx/values-idfint.yaml +++ b/services/ingress-nginx/values-idfint.yaml @@ -13,6 +13,8 @@ ingress-nginx: podLabels: gafaelfawr.lsst.io/ingress: "true" hub.jupyter.org/network-access-proxy-http: "true" + metrics: + enabled: true vault_certificate: enabled: false From 222cebdf57af9ca248dad9381b3cbd1edbddee3d Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 11 Apr 2022 15:07:16 -0700 Subject: [PATCH 0225/1479] fix trailing whitespace --- services/argocd/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
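Review bot: Metrics are enabled here only in values-base.yaml and values-idfint.yaml (values-int.yaml follows in [PATCH 0228], L706), yet the telegraf inputs added earlier also scrape the `argocd-*-metrics.argocd` endpoints in data-dev (services/telegraf/values-idfdev.yaml, L691); unless argocd metrics are switched on for that environment elsewhere, those scrapes will fail on every interval and fill the telegraf log. Either add the same `metrics: enabled: true` stanzas to services/argocd/values-idfdev.yaml or drop the argocd prometheus inputs from the idfdev telegraf config. The five `metrics:` stanzas are otherwise pasted verbatim per environment; if the argocd Application template can load a shared values.yaml the way cachemachine-application.yaml does at L709, they belong there once.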
diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml index 8a8effb6b9..58626b4ba4 100644 --- a/services/argocd/values-idfint.yaml +++ b/services/argocd/values-idfint.yaml @@ -18,7 +18,7 @@ argo-cd: notifications: metrics: enabled: true - + server: metrics: enabled: true From fe52c2ea07dfc1b73a398565665498f9f66a8357 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 11 Apr 2022 15:16:12 -0700 Subject: [PATCH 0226/1479] change metrics endpoints back --- gen_config/gen_config/prometheus.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/gen_config/gen_config/prometheus.py b/gen_config/gen_config/prometheus.py index 941ca2eb76..e66aeae4ed 100644 --- a/gen_config/gen_config/prometheus.py +++ b/gen_config/gen_config/prometheus.py @@ -1,10 +1,10 @@ prometheus_config = { "argocd": { - "application_controller": "http://argocd-application-controller.argocd.svc:8082/metrics", - "notifications_controller": "http://argocd-notifications-controller.argocd.svc:9001/metrics", - "redis": "http://argocd-redis.argocd.svc:9121/metrics", - "repo_server": "http://argocd-repo-server.argocd.svc:8084/metrics", - "server": "http://argocd-server.argocd.svc:8083/metrics", + "application_controller": "http://argocd-application-controller-metrics.argocd.svc:8082/metrics", + "notifications_controller": "http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics", + "redis": "http://argocd-redis-metrics.argocd.svc:9121/metrics", + "repo_server": "http://argocd-repo-server-metrics.argocd.svc:8084/metrics", + "server": "http://argocd-server-metrics.argocd.svc:8083/metrics", }, "nublado2": { "hub": "http://hub.nublado2:8081/metrics", From db39cb8cdf6f76ab312307aa84d732d58fb8a2f6 Mon Sep 17 00:00:00 2001 
From: adam Date: Mon, 11 Apr 2022 15:24:01 -0700 Subject: [PATCH 0227/1479] Re-update telegraf config --- services/telegraf/values-base.yaml | 10 +++++----- services/telegraf/values-idfdev.yaml | 10 +++++----- services/telegraf/values-idfint.yaml | 10 +++++----- services/telegraf/values-int.yaml | 10 +++++----- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/services/telegraf/values-base.yaml b/services/telegraf/values-base.yaml index 28e799528a..6140009f9a 100644 --- a/services/telegraf/values-base.yaml +++ b/services/telegraf/values-base.yaml @@ -9,35 +9,35 @@ telegraf: tags: prometheus_app: argocd urls: - - http://argocd-application-controller.argocd.svc:8082/metrics + - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - prometheus: metric_version: 2 name_override: prometheus_notifications_controller tags: prometheus_app: argocd urls: - - http://argocd-notifications-controller.argocd.svc:9001/metrics + - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - prometheus: metric_version: 2 name_override: prometheus_redis tags: prometheus_app: argocd urls: - - http://argocd-redis.argocd.svc:9121/metrics + - http://argocd-redis-metrics.argocd.svc:9121/metrics - prometheus: metric_version: 2 name_override: prometheus_repo_server tags: prometheus_app: argocd urls: - - http://argocd-repo-server.argocd.svc:8084/metrics + - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - prometheus: metric_version: 2 name_override: prometheus_server tags: prometheus_app: argocd urls: - - http://argocd-server.argocd.svc:8083/metrics + - http://argocd-server-metrics.argocd.svc:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index 1ea95c701d..526e520a08 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml 
@@ -9,35 +9,35 @@ telegraf: tags: prometheus_app: argocd urls: - - http://argocd-application-controller.argocd.svc:8082/metrics + - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - prometheus: metric_version: 2 name_override: prometheus_notifications_controller tags: prometheus_app: argocd urls: - - http://argocd-notifications-controller.argocd.svc:9001/metrics + - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - prometheus: metric_version: 2 name_override: prometheus_redis tags: prometheus_app: argocd urls: - - http://argocd-redis.argocd.svc:9121/metrics + - http://argocd-redis-metrics.argocd.svc:9121/metrics - prometheus: metric_version: 2 name_override: prometheus_repo_server tags: prometheus_app: argocd urls: - - http://argocd-repo-server.argocd.svc:8084/metrics + - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - prometheus: metric_version: 2 name_override: prometheus_server tags: prometheus_app: argocd urls: - - http://argocd-server.argocd.svc:8083/metrics + - http://argocd-server-metrics.argocd.svc:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub diff --git a/services/telegraf/values-idfint.yaml b/services/telegraf/values-idfint.yaml index 6f3b9f2beb..d6b9be243d 100644 --- a/services/telegraf/values-idfint.yaml +++ b/services/telegraf/values-idfint.yaml 
@@ -9,35 +9,35 @@ telegraf: tags: prometheus_app: argocd urls: - - http://argocd-application-controller.argocd.svc:8082/metrics + - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - prometheus: metric_version: 2 name_override: prometheus_notifications_controller tags: prometheus_app: argocd urls: - - http://argocd-notifications-controller.argocd.svc:9001/metrics + - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - prometheus: metric_version: 2 name_override: prometheus_redis tags: prometheus_app: argocd urls: - - http://argocd-redis.argocd.svc:9121/metrics + - http://argocd-redis-metrics.argocd.svc:9121/metrics - prometheus: metric_version: 2 name_override: prometheus_repo_server tags: prometheus_app: argocd urls: - - http://argocd-repo-server.argocd.svc:8084/metrics + - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - prometheus: metric_version: 2 name_override: prometheus_server tags: prometheus_app: argocd urls: - - http://argocd-server.argocd.svc:8083/metrics + - http://argocd-server-metrics.argocd.svc:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub diff --git a/services/telegraf/values-int.yaml b/services/telegraf/values-int.yaml index 063b84026d..35df82cf86 100644 --- a/services/telegraf/values-int.yaml +++ b/services/telegraf/values-int.yaml 
@@ -9,35 +9,35 @@ telegraf: tags: prometheus_app: argocd urls: - - http://argocd-application-controller.argocd.svc:8082/metrics + - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - prometheus: metric_version: 2 name_override: prometheus_notifications_controller tags: prometheus_app: argocd urls: - - http://argocd-notifications-controller.argocd.svc:9001/metrics + - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - prometheus: metric_version: 2 name_override: prometheus_redis tags: prometheus_app: argocd urls: - - http://argocd-redis.argocd.svc:9121/metrics + - http://argocd-redis-metrics.argocd.svc:9121/metrics - prometheus: metric_version: 2 name_override: prometheus_repo_server tags: prometheus_app: argocd urls: - - http://argocd-repo-server.argocd.svc:8084/metrics + - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - prometheus: metric_version: 2 name_override: prometheus_server tags: prometheus_app: argocd urls: - - http://argocd-server.argocd.svc:8083/metrics + - http://argocd-server-metrics.argocd.svc:8083/metrics - prometheus: metric_version: 2 name_override: prometheus_hub From 8796fd11cc16ccbf8fd6974d584d66447fb504d7 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 11 Apr 2022 15:30:59 -0700 Subject: [PATCH 0228/1479] enable argocd metrics at NCSA int --- services/argocd/values-int.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/services/argocd/values-int.yaml b/services/argocd/values-int.yaml index 63b27711d9..e27a97f19b 100644 --- a/services/argocd/values-int.yaml +++ b/services/argocd/values-int.yaml @@ -1,8 +1,26 @@ argo-cd: redis: enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: enabled: true hosts: 
From eeb1135d4e99b37c583753e782797042cf9cd67a Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Mon, 11 Apr 2022 21:18:35 -0700 Subject: [PATCH 0229/1479] [DM-34317] Sherlock to 0.1.6 --- services/sherlock/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sherlock/Chart.yaml b/services/sherlock/Chart.yaml index 31ec2b9fd6..b3f06efd69 100644 --- a/services/sherlock/Chart.yaml +++ b/services/sherlock/Chart.yaml @@ -3,5 +3,5 @@ name: sherlock version: 1.0.0 dependencies: - name: sherlock - version: 0.1.10 + version: 0.1.11 repository: https://lsst-sqre.github.io/charts/ From 2b6171b8f98fc2a95b924d0a3231b2a33fc797d4 Mon Sep 17 00:00:00 2001 
From: adam Date: Mon, 11 Apr 2022 13:01:51 -0700 Subject: [PATCH 0230/1479] move cachemachine chart into phalanx --- .../templates/cachemachine-application.yaml | 1 + services/cachemachine/Chart.yaml | 9 +- services/cachemachine/templates/_helpers.tpl | 60 ++++++++++++ .../cachemachine/templates/configmap.yaml | 8 ++ .../cachemachine/templates/deployment.yaml | 98 +++++++++++++++++++ .../templates/ingress-anonymous.yaml | 33 +++++++ services/cachemachine/templates/ingress.yaml | 41 ++++++++ .../templates/networkpolicy-pull.yaml | 15 +++ .../cachemachine/templates/networkpolicy.yaml | 23 +++++ services/cachemachine/templates/service.yaml | 14 +++ .../templates/serviceaccount.yaml | 65 ++++++++++++ .../templates/tests/test-connection.yaml | 16 +++ .../cachemachine/templates/vault-secret.yaml | 9 ++ services/cachemachine/values-base.yaml | 62 ++++++------ services/cachemachine/values-idfdev.yaml | 75 +++++++------- services/cachemachine/values-idfint.yaml | 64 ++++++------ services/cachemachine/values-idfprod.yaml | 64 ++++++------ services/cachemachine/values-int.yaml | 70 +++++++------ services/cachemachine/values-minikube.yaml | 46 ++++----- services/cachemachine/values-roe.yaml | 46 ++++----- services/cachemachine/values-stable.yaml | 70 +++++++------ services/cachemachine/values-summit.yaml | 62 ++++++------ .../cachemachine/values-tucson-teststand.yaml | 58 +++++------ services/cachemachine/values.yaml | 82 ++++++++++++++++ 24 files changed, 756 insertions(+), 335 deletions(-) create mode 100644 services/cachemachine/templates/_helpers.tpl create mode 100644 services/cachemachine/templates/configmap.yaml create mode 100644 services/cachemachine/templates/deployment.yaml create mode 100644 services/cachemachine/templates/ingress-anonymous.yaml create mode 100644 services/cachemachine/templates/ingress.yaml create mode 100644 services/cachemachine/templates/networkpolicy-pull.yaml create mode 100644 services/cachemachine/templates/networkpolicy.yaml create mode 
100644 services/cachemachine/templates/service.yaml create mode 100644 services/cachemachine/templates/serviceaccount.yaml create mode 100644 services/cachemachine/templates/tests/test-connection.yaml create mode 100644 services/cachemachine/templates/vault-secret.yaml create mode 100644 services/cachemachine/values.yaml diff --git a/science-platform/templates/cachemachine-application.yaml b/science-platform/templates/cachemachine-application.yaml index 0dc359a4de..ddb6c3b188 100644 --- a/science-platform/templates/cachemachine-application.yaml +++ b/science-platform/templates/cachemachine-application.yaml @@ -25,5 +25,6 @@ spec: targetRevision: {{ .Values.revision }} helm: valueFiles: + - values.yaml - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/services/cachemachine/Chart.yaml b/services/cachemachine/Chart.yaml index ebad8940f9..1b51c7f316 100644 --- a/services/cachemachine/Chart.yaml +++ b/services/cachemachine/Chart.yaml @@ -1,7 +1,8 @@ apiVersion: v2 name: cachemachine version: 1.0.0 -dependencies: - - name: cachemachine - version: 1.2.5 - repository: https://lsst-sqre.github.io/charts/ +appVersion: 1.2.0 +description: Service to prepull Docker images for the Science Platform +maintainers: + - name: cbanek + - name: athornton diff --git a/services/cachemachine/templates/_helpers.tpl b/services/cachemachine/templates/_helpers.tpl new file mode 100644 index 0000000000..6599ed07b6 --- /dev/null +++ b/services/cachemachine/templates/_helpers.tpl 
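Review bot: `appVersion: 1.2.0` in the Chart.yaml hunk is left as a plain scalar; three-component values parse as strings, but a future two-component value such as `1.3` would silently become a float, so write `appVersion: "1.2.0"` and keep it quoted as the value Helm treats as a string anyway. The `- values.yaml` entry added to `valueFiles` in cachemachine-application.yaml is correctly listed before `values-{{ .Values.environment }}.yaml`, so per-environment files still override the defaults. The diffstat shows `version: 1.0.0` unchanged even though the chart's contents move from a dependency to in-tree templates; bumping it would let consumers notice the change.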
@@ -0,0 +1,60 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cachemachine.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cachemachine.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cachemachine.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "cachemachine.labels" -}} +app.kubernetes.io/name: {{ include "cachemachine.name" . }} +helm.sh/chart: {{ include "cachemachine.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "cachemachine.selectorLabels" -}} +app.kubernetes.io/name: {{ include "cachemachine.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cachemachine.serviceAccountName" -}} +{{ default (include "cachemachine.fullname" .) .Values.serviceAccount.name }} +{{- end -}} 
diff --git a/services/cachemachine/templates/configmap.yaml b/services/cachemachine/templates/configmap.yaml new file mode 100644 index 0000000000..013ff04860 --- /dev/null +++ b/services/cachemachine/templates/configmap.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "cachemachine.fullname" . }}-autostart + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +data: + {{- toYaml .Values.autostart | nindent 2 }} diff --git a/services/cachemachine/templates/deployment.yaml b/services/cachemachine/templates/deployment.yaml new file mode 100644 index 0000000000..2d408aa29e --- /dev/null +++ b/services/cachemachine/templates/deployment.yaml 
@@ -0,0 +1,98 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cachemachine.fullname" . }} + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "cachemachine.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cachemachine.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "cachemachine.serviceAccountName" . }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + - name: DOCKER_SECRET_NAME + value: {{ template "cachemachine.fullname" . }}-secret + ports: + - name: "http" + containerPort: 8080 + protocol: "TCP" + readinessProbe: + httpGet: + path: "/" + port: "http" + {{- with .Values.resources }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: "docker-creds" + mountPath: "/etc/secrets" + readOnly: true + - name: autostart + mountPath: "/etc/cachemachine" + readOnly: true + - name: podinfo + mountPath: /etc/podinfo + volumes: + - name: docker-creds + secret: + secretName: {{ template "cachemachine.fullname" . }}-secret + - name: autostart + configMap: + name: {{ include "cachemachine.fullname" . 
}}-autostart + - name: podinfo + downwardAPI: + items: + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "name" + fieldRef: + fieldPath: metadata.name + - path: "uid" + fieldRef: + fieldPath: metadata.uid + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/cachemachine/templates/ingress-anonymous.yaml b/services/cachemachine/templates/ingress-anonymous.yaml new file mode 100644 index 0000000000..6cd269b446 --- /dev/null +++ b/services/cachemachine/templates/ingress-anonymous.yaml @@ -0,0 +1,33 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/use-regex: "true" + {{- with .Values.ingress.anonymousAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "cachemachine.fullname" . }}-anonymous + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +spec: + rules: + - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + http: + paths: + - path: "/cachemachine/.*/available" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ template "cachemachine.fullname" . }} + port: + number: {{ .Values.service.port }} + - path: "/cachemachine/.*/desired" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ template "cachemachine.fullname" . }} + port: + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/cachemachine/templates/ingress.yaml b/services/cachemachine/templates/ingress.yaml new file mode 100644 index 0000000000..12fdc87a73 --- /dev/null +++ b/services/cachemachine/templates/ingress.yaml 
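Review bot: The pod securityContext in deployment.yaml sets runAsNonRoot/runAsUser/runAsGroup and the container drops all capabilities with a read-only root filesystem, but no seccomp profile is set; adding `seccompProfile: {type: RuntimeDefault}` under the pod securityContext would bring the pod in line with the restricted Pod Security Standard. Two smaller points: inside `{{- with .Values.resources }}` the body uses `toYaml .Values.resources` where `toYaml .` is the idiom for the same value, and the `podinfo` mount is the only one of the three without `readOnly: true`, so the explicit flag would keep them consistent.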
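Review bot: The anonymous paths in ingress-anonymous.yaml are regexes that are not end-anchored and use `.*`, which also matches across `/`, so with `use-regex` any request whose path merely begins with `/cachemachine/<anything>/available` (including a path that continues after `available`) is routed through this Ingress without the auth annotations that ingress.yaml applies to the `/cachemachine` prefix. Whether the backend serves anything sensitive at such paths is not visible from the chart, but tightening the patterns to `"/cachemachine/[^/]+/available$"` and `"/cachemachine/[^/]+/desired$"` limits the unauthenticated surface to exactly the two endpoints. As far as I recall, ingress-nginx also applies regex matching to every path for a host once any Ingress on that host enables use-regex, so the Prefix rule in ingress.yaml is affected as well; worth confirming the precedence on a rendered controller config.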
@@ -0,0 +1,41 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: "nginx" + {{- if .Values.ingress.gafaelfawrAuthQuery }} + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" + nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login" + nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "cachemachine.fullname" . }} + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +spec: + rules: + - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + http: + paths: + - path: "/cachemachine" + pathType: "Prefix" + backend: + service: + name: {{ template "cachemachine.fullname" . }} + port: + number: {{ .Values.service.port }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} +{{- end }} diff --git a/services/cachemachine/templates/networkpolicy-pull.yaml b/services/cachemachine/templates/networkpolicy-pull.yaml new file mode 100644 index 0000000000..de3104385d --- /dev/null +++ b/services/cachemachine/templates/networkpolicy-pull.yaml @@ -0,0 +1,15 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "cachemachine.fullname" . }}-pull + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +spec: + # Reject all inbound and outbound connections to the pods that exist solely + # to pull Docker images. + podSelector: + matchLabels: + cachemachine: "pull" + policyTypes: + - Ingress + - Egress 
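Review bot: The auth-url/auth-signin/auth-method annotations in ingress.yaml are wrapped in `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, so an environment that sets `gafaelfawrAuthQuery: ""` (or a values-layering mistake that blanks it) silently renders the `/cachemachine` Prefix rule with no authentication at all. A fail-closed form would be `{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}`, or at least a comment in values.yaml stating that an empty value disables auth. Also `secretName: {{ .secretName }}` in the tls loop is the one unquoted templated scalar in this file; `{{ .secretName | quote }}` matches the host handling above it.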
diff --git a/services/cachemachine/templates/networkpolicy.yaml b/services/cachemachine/templates/networkpolicy.yaml new file mode 100644 index 0000000000..142947e745 --- /dev/null +++ b/services/cachemachine/templates/networkpolicy.yaml @@ -0,0 +1,23 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "cachemachine.fullname" . }} +spec: + podSelector: + matchLabels: + {{- include "cachemachine.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 8080 +{{- end }} diff --git a/services/cachemachine/templates/service.yaml b/services/cachemachine/templates/service.yaml new file mode 100644 index 0000000000..05e31e77c0 --- /dev/null +++ b/services/cachemachine/templates/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "cachemachine.fullname" . }} + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: "http" + protocol: "TCP" + selector: + {{- include "cachemachine.selectorLabels" . | nindent 4 }} diff --git a/services/cachemachine/templates/serviceaccount.yaml b/services/cachemachine/templates/serviceaccount.yaml new file mode 100644 index 0000000000..81a80ff760 --- /dev/null +++ b/services/cachemachine/templates/serviceaccount.yaml 
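Review bot: networkpolicy.yaml is wrapped in `{{- if .Values.ingress.enabled -}}`, so when the ingress is disabled the frontend pod gets no NetworkPolicy at all and, absent a namespace default-deny, accepts traffic from any pod rather than only from the Gafaelfawr-labelled ingress pods. The allow rule is harmless with the ingress off and the restriction is still useful, so rendering the policy unconditionally is the safer default; if the conditional is deliberate, a comment saying why would help the next reader. The policy is also the only resource in the chart whose metadata lacks the `cachemachine.labels` include.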
@@ -0,0 +1,65 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "cachemachine.serviceAccountName" . }} + labels: + {{- include "cachemachine.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cachemachine.serviceAccountName" . }} + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cachemachine.serviceAccountName" . }} + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "cachemachine.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ template "cachemachine.serviceAccountName" . }} + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cachemachine.serviceAccountName" . }} + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["create", "delete"] + - apiGroups: ["apps"] + resources: ["daemonsets/status"] + verbs: ["get"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cachemachine.serviceAccountName" . }} + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "cachemachine.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ template "cachemachine.serviceAccountName" . }} + apiGroup: rbac.authorization.k8s.io 
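Review bot: The ClusterRole and ClusterRoleBinding in serviceaccount.yaml are named with `cachemachine.serviceAccountName`, which has no namespace component, so a second release of this chart in another namespace (or any chart reusing the name) would collide on the same cluster-scoped objects — Helm 3 refuses to adopt a resource owned by another release, and the binding's `subjects` can only name one namespace. Including `.Release.Namespace` in those two names, e.g. `name: {{ .Release.Namespace }}-{{ template "cachemachine.serviceAccountName" . }}`, avoids that. Splitting `nodes: list` into a ClusterRole and the daemonset `create`/`delete` into a namespaced Role is a good least-privilege shape; whether the application also needs `get`/`list`/`watch` on daemonsets is not visible from the chart.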
diff --git a/services/cachemachine/templates/tests/test-connection.yaml b/services/cachemachine/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..35c987cdcc --- /dev/null +++ b/services/cachemachine/templates/tests/test-connection.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "cachemachine.fullname" . }}-test-connection + annotations: + "helm.sh/hook": "test-success" + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +spec: + containers: + - name: "wget" + image: "busybox" + command: ['wget'] + args: + - '{{ include "cachemachine.fullname" . }}:8080' + restartPolicy: Never diff --git a/services/cachemachine/templates/vault-secret.yaml b/services/cachemachine/templates/vault-secret.yaml new file mode 100644 index 0000000000..34f24f8778 --- /dev/null +++ b/services/cachemachine/templates/vault-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ template "cachemachine.fullname" . }}-secret + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +spec: + path: {{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath | quote }} + type: kubernetes.io/dockerconfigjson diff --git a/services/cachemachine/values-base.yaml b/services/cachemachine/values-base.yaml index d0cd8faa4a..64ef9cc641 100644 --- a/services/cachemachine/values-base.yaml +++ b/services/cachemachine/values-base.yaml 
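Review bot: The Helm test in tests/test-connection.yaml runs `wget <fullname>:8080`, but service.yaml exposes `.Values.service.port` (80 in values.yaml) and maps it to the `http` target port, so the test connects to a port the Service does not expose; `'{{ include "cachemachine.fullname" . }}:{{ .Values.service.port }}'` follows the Service. When the ingress is enabled, networkpolicy.yaml also admits only pods labelled `gafaelfawr.lsst.io/ingress: "true"`, so the test pod would be blocked unless it carries that label. Separately, `image: "busybox"` is an unpinned tag; pinning a version or digest keeps the test reproducible.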
@@ -1,35 +1,31 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "base-lsp.lsst.codes" - ingress: - enabled: true - host: "base-lsp.lsst.codes" +vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" - vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": { - "jupyterlab": "ok" - }, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstts/sal-sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 0, - "num_weeklies": 3, - "num_dailies": 2, - "cycle": 20, - "alias_tags": [ - "latest", - "latest_daily", - "latest_weekly" - ] - } - ] - } +autostart: + jupyter: | + { + "name": "jupyter", + "labels": { + "jupyterlab": "ok" + }, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "registry.hub.docker.com", + "repo": "lsstts/sal-sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 0, + "num_weeklies": 3, + "num_dailies": 2, + "cycle": 20, + "alias_tags": [ + "latest", + "latest_daily", + "latest_weekly" + ] + } + ] + } diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml index cd43c02465..c4d7c716ba 100644 --- a/services/cachemachine/values-idfdev.yaml +++ b/services/cachemachine/values-idfdev.yaml 
@@ -1,44 +1,35 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "data-dev.lsst.cloud" - image: - repository: lsstsqre/cachemachine - pullPolicy: IfNotPresent - tag: tickets-DM-33755 +vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" - ingress: - enabled: true - host: "data-dev.lsst.cloud" - - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": {}, - "repomen": [ - { - "type": "RubinRepoGar", - "registry_url": "us-central1-docker.pkg.dev", - "gar_repository": "sciplat", - "gar_image": "sciplat-lab", - "project_id": "rubin-shared-services-71ec", - "location": "us-central1", - "recommended_tag": "recommended", - "num_releases": 1, - "num_weeklies": 2, - "num_dailies": 3 - }, - { - "type": "SimpleRepoMan", - "images": [ - { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", - "name": "Weekly 2021_49" - } - ] - } - ] - } +autostart: + jupyter: | + { + "name": "jupyter", + "labels": {}, + "repomen": [ + { + "type": "RubinRepoGar", + "registry_url": "us-central1-docker.pkg.dev", + "gar_repository": "sciplat", + "gar_image": "sciplat-lab", + "project_id": "rubin-shared-services-71ec", + "location": "us-central1", + "recommended_tag": "recommended", + "num_releases": 1, + "num_weeklies": 2, + "num_dailies": 3 + }, + { + "type": "SimpleRepoMan", + "images": [ + { + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", + "name": "Weekly 2021_49" + } + ] + } + ] + } diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml index a2cf96433b..c0ddacb84d 100644 --- a/services/cachemachine/values-idfint.yaml +++ b/services/cachemachine/values-idfint.yaml 
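Review bot: The data-dev overrides drop the `image.tag: tickets-DM-33755` pin, so that environment now falls back to the chart appVersion through `image.tag | default .Chart.AppVersion` in deployment.yaml; that is a behavioural change for data-dev rather than a pure move of the chart, and worth stating in the commit message if intended. Leaving ticket-branch tags out of environment values is the better default, since such tags are mutable and not tied to a release.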
@@ -1,36 +1,32 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "data-int.lsst.cloud" - ingress: - enabled: true - host: "data-int.lsst.cloud" +vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": {}, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "us-central1-docker.pkg.dev", - "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 1, - "num_weeklies": 2, - "num_dailies": 3 - }, - { - "type": "SimpleRepoMan", - "images": [ - { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", - "name": "Weekly 2021_49" - } - ] - } - ] - } +autostart: + jupyter: | + { + "name": "jupyter", + "labels": {}, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "us-central1-docker.pkg.dev", + "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 1, + "num_weeklies": 2, + "num_dailies": 3 + }, + { + "type": "SimpleRepoMan", + "images": [ + { + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", + "name": "Weekly 2021_49" + } + ] + } + ] + } diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml index 5d0c7c90ec..48018ccc39 100644 --- a/services/cachemachine/values-idfprod.yaml +++ b/services/cachemachine/values-idfprod.yaml 
@@ -1,36 +1,32 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "data.lsst.cloud" - ingress: - enabled: true - host: "data.lsst.cloud" +vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/pull-secret" - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": {}, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "us-central1-docker.pkg.dev", - "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 1, - "num_weeklies": 2, - "num_dailies": 3 - }, - { - "type": "SimpleRepoMan", - "images": [ - { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", - "name": "Weekly 2021_49" - } - ] - } - ] - } +autostart: + jupyter: | + { + "name": "jupyter", + "labels": {}, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "us-central1-docker.pkg.dev", + "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 1, + "num_weeklies": 2, + "num_dailies": 3 + }, + { + "type": "SimpleRepoMan", + "images": [ + { + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49", + "name": "Weekly 2021_49" + } + ] + } + ] + } diff --git a/services/cachemachine/values-int.yaml b/services/cachemachine/values-int.yaml index 2454bc8628..e8ee5dd4f2 100644 --- a/services/cachemachine/values-int.yaml +++ b/services/cachemachine/values-int.yaml 
@@ -1,40 +1,36 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "lsst-lsp-int.ncsa.illinois.edu" + annotations: + nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:admin" - ingress: - enabled: true - host: "lsst-lsp-int.ncsa.illinois.edu" - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:admin" +vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": { - "jupyterlab": "ok" +autostart: + jupyter: | + { + "name": "jupyter", + "labels": { + "jupyterlab": "ok" + }, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "registry.hub.docker.com", + "repo": "lsstsqre/sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 1, + "num_weeklies": 2, + "num_dailies": 3 }, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 1, - "num_weeklies": 2, - "num_dailies": 3 - }, - { - "type": "SimpleRepoMan", - "images": [ - { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", - "name": "Weekly 2021_49" - } - ] - } - ] - } + { + "type": "SimpleRepoMan", + "images": [ + { + "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", + "name": "Weekly 2021_49" + } + ] + } + ] + } diff --git a/services/cachemachine/values-minikube.yaml b/services/cachemachine/values-minikube.yaml index 47696d94c9..b4ac07beca 100644 --- a/services/cachemachine/values-minikube.yaml +++ b/services/cachemachine/values-minikube.yaml 
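Review bot: In values-int.yaml the environment-level `ingress.annotations` sets `nginx.ingress.kubernetes.io/auth-url`, but ingress.yaml already emits that same annotation from `gafaelfawrAuthQuery` (default `scope=exec:admin`), so the rendered metadata.annotations contains the key twice. The two values are identical today, but if they ever diverge which one wins depends on the YAML consumer (most take the last, here the environment value) and duplicate-key checks will flag the manifest. Dropping the override from the environment file, or setting `gafaelfawrAuthQuery` instead, keeps a single source of truth; values-stable.yaml has the same duplication.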
@@ -1,27 +1,23 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "minikube.lsst.codes" - ingress: - enabled: true - host: "minikube.lsst.codes" +vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/pull-secret" - vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": {}, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 0, - "num_weeklies": 0, - "num_dailies": 0 - } - ] - } +autostart: + jupyter: | + { + "name": "jupyter", + "labels": {}, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "registry.hub.docker.com", + "repo": "lsstsqre/sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 0, + "num_weeklies": 0, + "num_dailies": 0 + } + ] + } diff --git a/services/cachemachine/values-roe.yaml b/services/cachemachine/values-roe.yaml index 17b21ba571..ddda54f36d 100644 --- a/services/cachemachine/values-roe.yaml +++ b/services/cachemachine/values-roe.yaml 
@@ -1,28 +1,24 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "rsp.lsst.ac.uk" - ingress: - enabled: true - host: "rsp.lsst.ac.uk" +vaultSecretsPath: "secret/k8s_operator/roe/pull-secret" - vaultSecretsPath: "secret/k8s_operator/roe/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": {}, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 1, - "num_weeklies": 2, - "num_dailies": 3 - } - ] - } +autostart: + jupyter: | + { + "name": "jupyter", + "labels": {}, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "registry.hub.docker.com", + "repo": "lsstsqre/sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 1, + "num_weeklies": 2, + "num_dailies": 3 + } + ] + } diff --git a/services/cachemachine/values-stable.yaml b/services/cachemachine/values-stable.yaml index 3c0597044f..482a59aeeb 100644 --- a/services/cachemachine/values-stable.yaml +++ b/services/cachemachine/values-stable.yaml 
@@ -1,40 +1,36 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "lsst-lsp-stable.ncsa.illinois.edu" + annotations: + nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:admin" - ingress: - enabled: true - host: "lsst-lsp-stable.ncsa.illinois.edu" - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:admin" +vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": { - "jupyterlab": "ok" +autostart: + jupyter: | + { + "name": "jupyter", + "labels": { + "jupyterlab": "ok" + }, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "registry.hub.docker.com", + "repo": "lsstsqre/sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 1, + "num_weeklies": 2, + "num_dailies": 3 }, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 1, - "num_weeklies": 2, - "num_dailies": 3 - }, - { - "type": "SimpleRepoMan", - "images": [ - { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", - "name": "Weekly 2021_49" - } - ] - } - ] - } + { + "type": "SimpleRepoMan", + "images": [ + { + "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49", + "name": "Weekly 2021_49" + } + ] + } + ] + } diff --git a/services/cachemachine/values-summit.yaml b/services/cachemachine/values-summit.yaml index 8e57f44424..e97c4a53d3 100644 --- a/services/cachemachine/values-summit.yaml +++ b/services/cachemachine/values-summit.yaml 
@@ -1,35 +1,31 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "summit-lsp.lsst.codes" - ingress: - enabled: true - host: "summit-lsp.lsst.codes" +vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" - vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": { - "jupyterlab": "ok" - }, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "ts-dockerhub.lsst.org", - "repo": "sal-sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 0, - "num_weeklies": 3, - "num_dailies": 2, - "cycle": 24, - "alias_tags": [ - "latest", - "latest_daily", - "latest_weekly" - ] - } - ] - } +autostart: + jupyter: | + { + "name": "jupyter", + "labels": { + "jupyterlab": "ok" + }, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "ts-dockerhub.lsst.org", + "repo": "sal-sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 0, + "num_weeklies": 3, + "num_dailies": 2, + "cycle": 24, + "alias_tags": [ + "latest", + "latest_daily", + "latest_weekly" + ] + } + ] + } diff --git a/services/cachemachine/values-tucson-teststand.yaml b/services/cachemachine/values-tucson-teststand.yaml index 0b7141e52a..fcb2c78311 100644 --- a/services/cachemachine/values-tucson-teststand.yaml +++ b/services/cachemachine/values-tucson-teststand.yaml 
@@ -1,33 +1,29 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +ingress: + enabled: true + host: "tucson-teststand.lsst.codes" - ingress: - enabled: true - host: "tucson-teststand.lsst.codes" +vaultSecretsPath: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" - vaultSecretsPath: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" - - autostart: - jupyter: | - { - "name": "jupyter", - "labels": {}, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "ts-dockerhub.lsst.org", - "repo": "sal-sciplat-lab", - "recommended_tag": "recommended_c0025", - "num_releases": 1, - "num_weeklies": 3, - "num_dailies": 2, - "cycle": 25, - "alias_tags": [ - "latest", - "latest_daily", - "latest_weekly" - ] - } - ] - } +autostart: + jupyter: | + { + "name": "jupyter", + "labels": {}, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "ts-dockerhub.lsst.org", + "repo": "sal-sciplat-lab", + "recommended_tag": "recommended_c0025", + "num_releases": 1, + "num_weeklies": 3, + "num_dailies": 2, + "cycle": 25, + "alias_tags": [ + "latest", + "latest_daily", + "latest_weekly" + ] + } + ] + } diff --git a/services/cachemachine/values.yaml b/services/cachemachine/values.yaml new file mode 100644 index 0000000000..0e2ace353c --- /dev/null +++ b/services/cachemachine/values.yaml 
@@ -0,0 +1,82 @@ +# Default values for cachemachine. + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +image: + # -- cachemachine image to use + repository: lsstsqre/cachemachine + + # -- Pull policy for the cachemachine image + pullPolicy: IfNotPresent + + # -- Tag of cachemachine image to use + # @default -- The appVersion of the chart + tag: "" + +# -- Secret names to use for all Docker pulls +imagePullSecrets: + - name: "cachemachine-secret" +serviceAccount: + # -- Name of the service account to use + # @default -- Name based on the fullname template + name: "" + + # -- Annotations to add to the service account + annotations: {} + +service: + # -- Type of service to create + type: "ClusterIP" + + # -- Port of the service to create and map to the ingress + port: 80 + +ingress: + # -- Whether to create an ingress + enabled: true + + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=exec:admin" + + # -- Hostname for the ingress + # @default -- None, must be set if the ingress is enabled + host: "" + + # -- Additional annotations to add for endpoints that are authenticated. + annotations: {} + + # -- Additional annotations to add for endpoints that allow anonymous + # access, such as `/*/available`. + anonymousAnnotations: {} + + # -- Configures TLS for the ingress if needed. If multiple ingresses share + # the same hostname, only one of them needs a TLS configuration. 
+ tls: [] + +# -- Resource limits and requests for the cachemachine frontend pod +resources: {} + +# -- Annotations for the cachemachine frontend pod +podAnnotations: {} + +# -- Node selector rules for the cachemachine frontend pod +nodeSelector: {} + +# -- Tolerations for the cachemachine frontend pod +tolerations: [] + +# -- Affinity rules for the cachemachine frontend pod +affinity: {} + +# -- Path to the Vault secret containing the Docker credentials +# @default -- None, must be set +vaultSecretsPath: "" + +# -- Autostart configuration. Each key is the name of a class of images to +# pull, and the value is the JSON specification for which and how many images +# to pull. +autostart: {} From 96765f65f106d487b3908202af9efc8a13aa47be Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Tue, 12 Apr 2022 17:36:40 -0700 Subject: [PATCH 0231/1479] [DM-34433] Add resource limits for Sherlock --- services/sherlock/values-base.yaml | 8 ++++++++ services/sherlock/values-idfdev.yaml | 8 ++++++++ services/sherlock/values-idfint.yaml | 8 ++++++++ services/sherlock/values-idfprod.yaml | 8 ++++++++ services/sherlock/values-int.yaml | 8 ++++++++ services/sherlock/values-roe.yaml | 8 ++++++++ services/sherlock/values-stable.yaml | 8 ++++++++ services/sherlock/values-summit.yaml | 8 ++++++++ services/sherlock/values-tucson-teststand.yaml | 8 ++++++++ 9 files changed, 72 insertions(+) diff --git a/services/sherlock/values-base.yaml b/services/sherlock/values-base.yaml index 8b60acde58..ff21948a36 100644 --- a/services/sherlock/values-base.yaml +++ b/services/sherlock/values-base.yaml @@ -1,3 +1,11 @@ sherlock: ingress: host: "base-lsp.lsst.codes" + + resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" diff --git a/services/sherlock/values-idfdev.yaml b/services/sherlock/values-idfdev.yaml index b597adcf9f..45aa372f96 100644 --- a/services/sherlock/values-idfdev.yaml +++ b/services/sherlock/values-idfdev.yaml 
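Review bot: `imagePullSecrets` in values.yaml defaults to the literal name `cachemachine-secret`, while vault-secret.yaml creates the secret as `{{ template "cachemachine.fullname" . }}-secret` and deployment.yaml mounts it under that computed name; the two only agree while the fullname is exactly `cachemachine`, so a `nameOverride`/`fullnameOverride` would leave the pods referencing a pull secret that does not exist. Emitting the pull-secret entry in deployment.yaml from the fullname, and keeping `imagePullSecrets` for additional entries only, removes the coupling. Also, `resources: {}` leaves the frontend pod with no requests or limits by default, which may be intended for a small service but deserves a comment.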
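Review bot: The memory values in the new sherlock `resources` stanza use the decimal SI suffix (`"2G"`/`"4G"`, i.e. 2·10⁹ and 4·10⁹ bytes) rather than the binary `Gi` that is the usual intent for container memory; if 2 GiB / 4 GiB were meant, `memory: "2Gi"` and `memory: "4Gi"` are the values (about 7% larger than the SI ones). `cpu: 2.0` as an unquoted float is accepted by the quantity parser, though `cpu: 2` reads more conventionally. The stanza is repeated unchanged in every sherlock values-*.yaml file in this commit, so the remark applies to all of them.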
@@ -2,5 +2,13 @@ sherlock: ingress: host: "data-dev.lsst.cloud" + resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" + publish_url: "https://status.lsst.codes/api/data-dev" vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/sherlock" diff --git a/services/sherlock/values-idfint.yaml b/services/sherlock/values-idfint.yaml index 07eb816022..4675dd56b1 100644 --- a/services/sherlock/values-idfint.yaml +++ b/services/sherlock/values-idfint.yaml @@ -2,5 +2,13 @@ sherlock: ingress: host: "data-int.lsst.cloud" + resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" + publish_url: "https://status.lsst.codes/api/data-int" vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/sherlock" diff --git a/services/sherlock/values-idfprod.yaml b/services/sherlock/values-idfprod.yaml index 40f7024786..09c0bca64d 100644 --- a/services/sherlock/values-idfprod.yaml +++ b/services/sherlock/values-idfprod.yaml @@ -2,5 +2,13 @@ sherlock: ingress: host: "data.lsst.cloud" + resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" + publish_url: "https://status.lsst.codes/api/data" vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/sherlock" diff --git a/services/sherlock/values-int.yaml b/services/sherlock/values-int.yaml index 74c2defc68..d8cfc4df71 100644 --- a/services/sherlock/values-int.yaml +++ b/services/sherlock/values-int.yaml @@ -1,3 +1,11 @@ sherlock: ingress: host: "lsst-lsp-int.ncsa.illinois.edu" + + resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" diff --git a/services/sherlock/values-roe.yaml b/services/sherlock/values-roe.yaml index 52f1920c23..a9cc9c58a5 100644 --- a/services/sherlock/values-roe.yaml +++ b/services/sherlock/values-roe.yaml @@ -1,3 +1,11 @@ sherlock: ingress: host: "rsp.lsst.ac.uk" + + resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" 
diff --git a/services/sherlock/values-stable.yaml b/services/sherlock/values-stable.yaml index 391e74d55b..402531550a 100644 --- a/services/sherlock/values-stable.yaml +++ b/services/sherlock/values-stable.yaml @@ -1,3 +1,11 @@ sherlock: ingress: host: "lsst-lsp-stable.ncsa.illinois.edu" + + resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" diff --git a/services/sherlock/values-summit.yaml b/services/sherlock/values-summit.yaml index 2afdfd57f8..cd1123d53d 100644 --- a/services/sherlock/values-summit.yaml +++ b/services/sherlock/values-summit.yaml @@ -1,3 +1,11 @@ sherlock: ingress: host: "summit-lsp.lsst.codes" + + resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" diff --git a/services/sherlock/values-tucson-teststand.yaml b/services/sherlock/values-tucson-teststand.yaml index fcf6d9a9f2..15d9aea1ca 100644 --- a/services/sherlock/values-tucson-teststand.yaml +++ b/services/sherlock/values-tucson-teststand.yaml @@ -1,3 +1,11 @@ sherlock: ingress: host: "tucson-teststand.lsst.codes" + + resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" From 6b3f5b4e04ac496bda18e64e95408835803fa196 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 13 Apr 2022 01:31:08 -0700 Subject: [PATCH 0232/1479] [DM-34433] Use sherlock chart 0.1.13 --- services/sherlock/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sherlock/Chart.yaml b/services/sherlock/Chart.yaml index b3f06efd69..1721c7485d 100644 --- a/services/sherlock/Chart.yaml +++ b/services/sherlock/Chart.yaml @@ -3,5 +3,5 @@ name: sherlock version: 1.0.0 dependencies: - name: sherlock - version: 0.1.11 + version: 0.1.13 repository: https://lsst-sqre.github.io/charts/ From 806663e6dde86173f10352c8e624dff00591027f Mon Sep 17 00:00:00 2001 
From: dspeck1 Date: Wed, 13 Apr 2022 10:18:25 -0500 Subject: [PATCH 0233/1479] added annotation for workload identity to authenticate with gar --- services/cachemachine/values-idfdev.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml index c4d7c716ba..cb14ba3bfa 100644 --- a/services/cachemachine/values-idfdev.yaml +++ b/services/cachemachine/values-idfdev.yaml @@ -4,6 +4,11 @@ ingress: vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" +serviceAccount: + annotations: { + iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-dev-7696.iam.gserviceaccount.com + } + autostart: jupyter: | { From 8b525fe8c6d1483e19aed6b2c4522563312e8eb4 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Wed, 13 Apr 2022 11:29:20 -0500 Subject: [PATCH 0234/1479] Deploying repo gar and annotation for workload identity --- services/cachemachine/values-idfint.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml index c0ddacb84d..8cea89ea76 100644 --- a/services/cachemachine/values-idfint.yaml +++ b/services/cachemachine/values-idfint.yaml @@ -4,6 +4,11 @@ ingress: vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" +serviceAccount: + annotations: { + iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-int-dc5d.iam.gserviceaccount.com + } + autostart: jupyter: | { @@ -11,9 +16,12 @@ autostart: "labels": {}, "repomen": [ { - "type": "RubinRepoMan", + "type": "RubinRepoGar", "registry_url": "us-central1-docker.pkg.dev", - "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", + "gar_repository": "sciplat", + "gar_image": "sciplat-lab", + "project_id": "rubin-shared-services-71ec", + "location": "us-central1", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, 
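Review bot: The `serviceAccount.annotations` value is written as a multi-line flow mapping with an unquoted address-style scalar; block style with the value quoted matches the rest of the file and avoids flow-mapping parsing edge cases: `serviceAccount:` / `  annotations:` / `    iam.gke.io/gcp-service-account: "cachemachine-wi@science-platform-dev-7696.iam.gserviceaccount.com"`. The same form appears in the values-idfint hunk of the next commit and in the values-idfprod hunk of the later "Deploy cachemachine gar to idf prod" commit. The annotation alone grants nothing: Workload Identity also needs the `roles/iam.workloadIdentityUser` binding from this namespace's Kubernetes service account to the GSA on the GCP side, and that binding is not in this repo, so a comment naming where it is managed and that the GSA presumably needs only Artifact Registry read access would document the trust relationship. Since the chart's `serviceAccount.name` defaults to the fullname template, the binding must reference that generated name.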
From 016a9a29dee048965a361b53a9de9754c79cb2df Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 13 Apr 2022 10:49:07 -0700 Subject: [PATCH 0235/1479] enable metrics everywhere --- services/ingress-nginx/values-idfprod.yaml | 2 ++ services/ingress-nginx/values-roe.yaml | 2 ++ .../ingress-nginx/values-squash-sandbox.yaml | 17 ----------------- services/ingress-nginx/values-summit.yaml | 2 ++ .../ingress-nginx/values-tucson-teststand.yaml | 2 ++ 5 files changed, 8 insertions(+), 17 deletions(-) delete mode 100644 services/ingress-nginx/values-squash-sandbox.yaml diff --git a/services/ingress-nginx/values-idfprod.yaml b/services/ingress-nginx/values-idfprod.yaml index 4ef58c27fc..b2d341bc9c 100644 --- a/services/ingress-nginx/values-idfprod.yaml +++ b/services/ingress-nginx/values-idfprod.yaml @@ -13,6 +13,8 @@ ingress-nginx: podLabels: gafaelfawr.lsst.io/ingress: "true" hub.jupyter.org/network-access-proxy-http: "true" + metrics: + enabled: true vault_certificate: enabled: false diff --git a/services/ingress-nginx/values-roe.yaml b/services/ingress-nginx/values-roe.yaml index 6dda2488f7..3a1887a23c 100644 --- a/services/ingress-nginx/values-roe.yaml +++ b/services/ingress-nginx/values-roe.yaml @@ -7,6 +7,8 @@ ingress-nginx: proxy-buffer-size: "64k" ssl-redirect: "true" use-forwarded-headers: "true" + metrics: + enabled: true service: type: ClusterIP dnsPolicy: ClusterFirstWithHostNet diff --git a/services/ingress-nginx/values-squash-sandbox.yaml b/services/ingress-nginx/values-squash-sandbox.yaml deleted file mode 100644 index 35d6c67e93..0000000000 --- a/services/ingress-nginx/values-squash-sandbox.yaml +++ /dev/null 
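Review bot: `metrics.enabled: true` has the ingress-nginx chart expose the controller's Prometheus endpoint through an unauthenticated in-cluster service (the telegraf config later in this series scrapes `http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics`), so any pod in the cluster can read per-ingress request statistics; if NetworkPolicies are used in these clusters, restricting that port to the telegraf namespace would be the matching control. The same two-line addition is made in the values-roe, values-summit and values-tucson-teststand hunks. A short comment above the key, `# Scraped by telegraf; metrics port is cluster-internal only`, would record why this is on in production.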
@@ -1,17 +0,0 @@ -ingress-nginx: - controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" - service: - externalTrafficPolicy: Local - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - -vault_certificate: - enabled: false diff --git a/services/ingress-nginx/values-summit.yaml b/services/ingress-nginx/values-summit.yaml index 403af54254..c7973914de 100644 --- a/services/ingress-nginx/values-summit.yaml +++ b/services/ingress-nginx/values-summit.yaml @@ -13,6 +13,8 @@ ingress-nginx: podLabels: gafaelfawr.lsst.io/ingress: "true" hub.jupyter.org/network-access-proxy-http: "true" + metrics: + enabled: true vault_certificate: enabled: false diff --git a/services/ingress-nginx/values-tucson-teststand.yaml b/services/ingress-nginx/values-tucson-teststand.yaml index e94cb0eb8f..c1e1734ba3 100644 --- a/services/ingress-nginx/values-tucson-teststand.yaml +++ b/services/ingress-nginx/values-tucson-teststand.yaml @@ -13,6 +13,8 @@ ingress-nginx: podLabels: gafaelfawr.lsst.io/ingress: "true" hub.jupyter.org/network-access-proxy-http: "true" + metrics: + enabled: true vault_certificate: enabled: false From 5c24706dde2c8cf8b1649e9ef3822b114e0d625e Mon Sep 17 00:00:00 2001 
From: adam Date: Wed, 13 Apr 2022 10:45:33 -0700 Subject: [PATCH 0236/1479] Enable argocd metrics everywhere --- services/argocd/values-base.yaml | 1 - services/argocd/values-idfprod.yaml | 19 +++++++++++ services/argocd/values-minikube.yaml | 17 ++++++++++ services/argocd/values-roe.yaml | 19 +++++++++++ services/argocd/values-squash-sandbox.yaml | 34 -------------------- services/argocd/values-stable.yaml | 19 +++++++++++ services/argocd/values-summit.yaml | 19 +++++++++++ services/argocd/values-tucson-teststand.yaml | 19 +++++++++++ 8 files changed, 112 insertions(+), 35 deletions(-) delete mode 100644 services/argocd/values-squash-sandbox.yaml diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml index 12749eb03a..33cabea149 100644 --- a/services/argocd/values-base.yaml +++ b/services/argocd/values-base.yaml @@ -19,7 +19,6 @@ argo-cd: metrics: enabled: true - server: metrics: enabled: true diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml index eec769ee2f..dfda8a9d21 100644 --- a/services/argocd/values-idfprod.yaml +++ b/services/argocd/values-idfprod.yaml @@ -1,8 +1,27 @@ argo-cd: redis: enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: enabled: true hosts: diff --git a/services/argocd/values-minikube.yaml b/services/argocd/values-minikube.yaml index 1de5014008..d5340f0bf2 100644 --- a/services/argocd/values-minikube.yaml +++ b/services/argocd/values-minikube.yaml 
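Review bot: The same twenty-line metrics block is added to values-idfprod here and to the values-minikube, values-roe, values-stable, values-summit and values-tucson-teststand hunks that follow; since every environment gets identical settings, a shared values file layered under the per-environment file would keep them from drifting, assuming the argocd Application template accepts several `valueFiles` entries as the semaphore one later in this series does. `applicationLabels.enabled: true` with `labels: ["name", "instance"]` makes the controller copy those two Application labels onto every metric series; harmless for these names, but a comment noting that adding a high-cardinality label here multiplies series would save someone later. The values-base hunk removes only a blank line and needs nothing.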
@@ -2,11 +2,28 @@ argo-cd: controller: args: repoServerTimeoutSeconds: "180" + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] redis: enabled: true + metrics: + enabled: true + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: enabled: true hosts: diff --git a/services/argocd/values-roe.yaml b/services/argocd/values-roe.yaml index f35ff0781a..06ad8a8272 100644 --- a/services/argocd/values-roe.yaml +++ b/services/argocd/values-roe.yaml @@ -1,8 +1,27 @@ argo-cd: redis: enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: enabled: true hosts: diff --git a/services/argocd/values-squash-sandbox.yaml b/services/argocd/values-squash-sandbox.yaml deleted file mode 100644 index 5b5a9ca319..0000000000 --- a/services/argocd/values-squash-sandbox.yaml +++ /dev/null @@ -1,34 +0,0 @@ -argo-cd: - redis: - enabled: true - - server: - ingress: - enabled: true - hosts: - - "squash-sandbox.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - - config: - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi - -vault_secret: - enabled: false diff --git a/services/argocd/values-stable.yaml b/services/argocd/values-stable.yaml index d1b3435b29..6ac6dfc7d6 100644 --- a/services/argocd/values-stable.yaml 
+++ b/services/argocd/values-stable.yaml @@ -1,8 +1,27 @@ argo-cd: redis: enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: enabled: true hosts: diff --git a/services/argocd/values-summit.yaml b/services/argocd/values-summit.yaml index 5680f76fda..837c1918ec 100644 --- a/services/argocd/values-summit.yaml +++ b/services/argocd/values-summit.yaml @@ -1,8 +1,27 @@ argo-cd: redis: enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: enabled: true hosts: diff --git a/services/argocd/values-tucson-teststand.yaml b/services/argocd/values-tucson-teststand.yaml index baee8b0cfa..d467e06f8f 100644 --- a/services/argocd/values-tucson-teststand.yaml +++ b/services/argocd/values-tucson-teststand.yaml @@ -1,8 +1,27 @@ argo-cd: redis: enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: enabled: true hosts: From b67033839d8740a50ee9a9fbc3d64b9eafc34132 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 13 Apr 2022 12:37:54 -0700 Subject: [PATCH 0237/1479] Enable ingress-nginx metric collection --- gen_config/gen_config/telegrafgenerator.py | 3 ++- services/telegraf/values-base.yaml | 16 ++++++++++++++++ services/telegraf/values-idfdev.yaml | 16 ++++++++++++++++ services/telegraf/values-idfint.yaml | 16 ++++++++++++++++ 4 files changed, 50 insertions(+), 1 deletion(-) 
diff --git a/gen_config/gen_config/telegrafgenerator.py b/gen_config/gen_config/telegrafgenerator.py index fa8a4df762..0334ed8c85 100644 --- a/gen_config/gen_config/telegrafgenerator.py +++ b/gen_config/gen_config/telegrafgenerator.py @@ -82,7 +82,8 @@ def build_instance_yaml(self, instance:str) -> str: }, } for app in prometheus_config: - if not inst_obj.get(app,{}).get("enabled",False): + if not inst_obj.get(app.replace('-','_'), + {}).get("enabled",False): continue # The app is enabled, so we should monitor it. for service in prometheus_config[app]: diff --git a/services/telegraf/values-base.yaml b/services/telegraf/values-base.yaml index 6140009f9a..d65cfcb87c 100644 --- a/services/telegraf/values-base.yaml +++ b/services/telegraf/values-base.yaml @@ -45,6 +45,13 @@ telegraf: prometheus_app: nublado2 urls: - http://hub.nublado2:8081/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_controller + tags: + prometheus_app: ingress-nginx + urls: + - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics outputs: - influxdb_v2: bucket: argocd @@ -100,4 +107,13 @@ telegraf: token: $INFLUX_TOKEN urls: - https://monitoring.lsst.codes + - influxdb_v2: + bucket: ingress_nginx + organization: square + tagpass: + prometheus_app: + - ingress-nginx + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes vaultSecretsPath: secret/k8s_operator/base-lsp.lsst.codes diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index 526e520a08..683bde1539 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml @@ -45,6 +45,13 @@ telegraf: prometheus_app: nublado2 urls: - http://hub.nublado2:8081/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_controller + tags: + prometheus_app: ingress-nginx + urls: + - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics outputs: - influxdb_v2: bucket: argocd 
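Review bot: The new lookup assumes every per-application key in the science-platform values files is spelled with underscores, but `telegraf-ds:` in science-platform/values-summit.yaml (touched in this same series) uses a hyphen, so an app keyed that way would be looked up as `telegraf_ds`, found missing, and silently skipped; whether any entry of `prometheus_config` is affected cannot be seen from this hunk. The conversion is repeated in `make_input_object` and `make_output_object` in the following commit; a single helper, `def _values_key(app: str) -> str: return app.replace("-", "_")`, with a docstring saying it maps chart names to values-file keys, would keep the three call sites in step. As written, the call split across two lines with `'-','_'` unspaced is hard to read; `key = app.replace("-", "_")` on its own line followed by `if not inst_obj.get(key, {}).get("enabled", False):` is clearer. `build_instance_yaml` starts and ends outside the hunk.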
@@ -100,4 +107,13 @@ telegraf: token: $INFLUX_TOKEN urls: - https://monitoring.lsst.codes + - influxdb_v2: + bucket: ingress_nginx + organization: square + tagpass: + prometheus_app: + - ingress-nginx + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf/values-idfint.yaml b/services/telegraf/values-idfint.yaml index d6b9be243d..ad83199a59 100644 --- a/services/telegraf/values-idfint.yaml +++ b/services/telegraf/values-idfint.yaml @@ -45,6 +45,13 @@ telegraf: prometheus_app: nublado2 urls: - http://hub.nublado2:8081/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_controller + tags: + prometheus_app: ingress-nginx + urls: + - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics outputs: - influxdb_v2: bucket: argocd @@ -100,4 +107,13 @@ telegraf: token: $INFLUX_TOKEN urls: - https://monitoring.lsst.codes + - influxdb_v2: + bucket: ingress_nginx + organization: square + tagpass: + prometheus_app: + - ingress-nginx + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes vaultSecretsPath: secret/k8s_operator/data-int.lsst.cloud From 5da2944ff0f2cee54b421451d4a0c38f2de1fe10 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 13 Apr 2022 12:41:58 -0700 Subject: [PATCH 0238/1479] change - to _ in prometheus_app name --- gen_config/gen_config/telegrafgenerator.py | 4 ++-- services/telegraf/values-base.yaml | 4 ++-- services/telegraf/values-idfdev.yaml | 4 ++-- services/telegraf/values-idfint.yaml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/gen_config/gen_config/telegrafgenerator.py b/gen_config/gen_config/telegrafgenerator.py index 0334ed8c85..f5440547a2 100644 --- a/gen_config/gen_config/telegrafgenerator.py +++ b/gen_config/gen_config/telegrafgenerator.py 
@@ -103,7 +103,7 @@ def make_input_object(self, app: str, service: str) -> Dict[str, Any]: prometheus_config[app][service], ], "tags": { - "prometheus_app": app, + "prometheus_app": app.replace("-","_"), }, "name_override": f"prometheus_{service}", "metric_version": 2, @@ -122,7 +122,7 @@ def make_output_object(self, app: str, service: str) -> Dict[str, Any]: "organization": "square", "tagpass": { "prometheus_app": [ - app, + app.replace("-","_"), ], }, }, diff --git a/services/telegraf/values-base.yaml b/services/telegraf/values-base.yaml index d65cfcb87c..344f8af839 100644 --- a/services/telegraf/values-base.yaml +++ b/services/telegraf/values-base.yaml @@ -49,7 +49,7 @@ telegraf: metric_version: 2 name_override: prometheus_controller tags: - prometheus_app: ingress-nginx + prometheus_app: ingress_nginx urls: - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics outputs: @@ -112,7 +112,7 @@ telegraf: organization: square tagpass: prometheus_app: - - ingress-nginx + - ingress_nginx token: $INFLUX_TOKEN urls: - https://monitoring.lsst.codes diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index 683bde1539..afb57b370d 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml @@ -49,7 +49,7 @@ telegraf: metric_version: 2 name_override: prometheus_controller tags: - prometheus_app: ingress-nginx + prometheus_app: ingress_nginx urls: - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics outputs: @@ -112,7 +112,7 @@ telegraf: organization: square tagpass: prometheus_app: - - ingress-nginx + - ingress_nginx token: $INFLUX_TOKEN urls: - https://monitoring.lsst.codes diff --git a/services/telegraf/values-idfint.yaml b/services/telegraf/values-idfint.yaml index ad83199a59..fb6dd53080 100644 --- a/services/telegraf/values-idfint.yaml +++ b/services/telegraf/values-idfint.yaml 
@@ -49,7 +49,7 @@ telegraf: metric_version: 2 name_override: prometheus_controller tags: - prometheus_app: ingress-nginx + prometheus_app: ingress_nginx urls: - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics outputs: @@ -112,7 +112,7 @@ telegraf: organization: square tagpass: prometheus_app: - - ingress-nginx + - ingress_nginx token: $INFLUX_TOKEN urls: - https://monitoring.lsst.codes From 5c551ddb737c51cd0b04cbb4df53366e1210aa10 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 13 Apr 2022 12:34:13 -0700 Subject: [PATCH 0239/1479] enable summit monitoring --- science-platform/values-summit.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index f1655d7280..8e57d2f693 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -53,9 +53,9 @@ tap: tap_schema: enabled: false telegraf: - enabled: false + enabled: true telegraf-ds: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: From d2432cb116dd49e7810fa72076a4010b85669295 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 13 Apr 2022 14:29:43 -0700 Subject: [PATCH 0240/1479] Add summit telegraf/ds config --- services/telegraf-ds/values-summit.yaml | 126 ++++++++++++++++++++++++ services/telegraf/values-summit.yaml | 119 ++++++++++++++++++++++ 2 files changed, 245 insertions(+) create mode 100644 services/telegraf-ds/values-summit.yaml create mode 100644 services/telegraf/values-summit.yaml diff --git a/services/telegraf-ds/values-summit.yaml b/services/telegraf-ds/values-summit.yaml new file mode 100644 index 0000000000..d2fb7ef7ae --- /dev/null +++ b/services/telegraf-ds/values-summit.yaml 
@@ -0,0 +1,126 @@ +vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes" +telegraf-ds: + override_config: + toml: |+ + [global_tags] + cluster = "summit-lsp.lsst.codes" + [agent] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "argocd" + [outputs.influxdb_v2.tagpass] + namespace = ["argocd"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "cachemachine" + [outputs.influxdb_v2.tagpass] + namespace = ["cachemachine"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "cert_manager" + [outputs.influxdb_v2.tagpass] + namespace = ["cert-manager"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "exposurelog" + [outputs.influxdb_v2.tagpass] + namespace = ["exposurelog"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "gafaelfawr" + [outputs.influxdb_v2.tagpass] + namespace = ["gafaelfawr"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "ingress_nginx" + [outputs.influxdb_v2.tagpass] + namespace = ["ingress-nginx"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "moneypenny" + [outputs.influxdb_v2.tagpass] + namespace = ["moneypenny"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + 
token = "$INFLUX_TOKEN" + organization = "square" + bucket = "narrativelog" + [outputs.influxdb_v2.tagpass] + namespace = ["narrativelog"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "nublado2" + [outputs.influxdb_v2.tagpass] + namespace = ["nublado2"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "portal" + [outputs.influxdb_v2.tagpass] + namespace = ["portal"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "postgres" + [outputs.influxdb_v2.tagpass] + namespace = ["postgres"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "sherlock" + [outputs.influxdb_v2.tagpass] + namespace = ["sherlock"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "squareone" + [outputs.influxdb_v2.tagpass] + namespace = ["squareone"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "telegraf" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "telegraf_ds" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf-ds"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "vault_secrets_operator" + [outputs.influxdb_v2.tagpass] + namespace = ["vault-secrets-operator"] diff --git a/services/telegraf/values-summit.yaml b/services/telegraf/values-summit.yaml new file mode 100644 index 0000000000..dcca9bf146 --- /dev/null +++ b/services/telegraf/values-summit.yaml 
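Review bot: `insecure_skip_verify = true` on the `inputs.kubernetes` block disables certificate checking for the kubelet endpoint at `https://$HOSTIP:10250` while the same request carries the pod's service-account bearer token, so the token is presented to whatever answers on that address without proof that it is the kubelet. If kubelet serving certificates in this cluster are issued by the cluster CA, `tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"` with `insecure_skip_verify = false` lets the check stay on; if they are self-signed, a comment recording that and why verification is off should sit above the line. The `toml: |+` header also keeps every trailing blank line in the rendered config; `|` or `|-` is the usual choice unless those newlines are wanted.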
@@ -0,0 +1,119 @@ +telegraf: + config: + global_tags: + cluster: summit-lsp.lsst.codes + inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_application_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-application-controller-metrics.argocd.svc:8082/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_notifications_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_redis + tags: + prometheus_app: argocd + urls: + - http://argocd-redis-metrics.argocd.svc:9121/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_repo_server + tags: + prometheus_app: argocd + urls: + - http://argocd-repo-server-metrics.argocd.svc:8084/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_server + tags: + prometheus_app: argocd + urls: + - http://argocd-server-metrics.argocd.svc:8083/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_hub + tags: + prometheus_app: nublado2 + urls: + - http://hub.nublado2:8081/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_controller + tags: + prometheus_app: ingress_nginx + urls: + - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics + outputs: + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - 
https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: nublado2 + organization: square + tagpass: + prometheus_app: + - nublado2 + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: ingress_nginx + organization: square + tagpass: + prometheus_app: + - ingress_nginx + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes +vaultSecretsPath: secret/k8s_operator/summit-lsp.lsst.codes From 4ea8402d1317539acd6dda05ff76f7a1ac4a768e Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 14 Apr 2022 08:07:40 -0500 Subject: [PATCH 0241/1479] Deploy cachemachine gar to idf prod --- services/cachemachine/values-idfprod.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml index 48018ccc39..658ac083a2 100644 --- a/services/cachemachine/values-idfprod.yaml +++ b/services/cachemachine/values-idfprod.yaml @@ -4,6 +4,11 @@ ingress: vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/pull-secret" +serviceAccount: + annotations: { + iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-stable-6994.iam.gserviceaccount.com + } + autostart: jupyter: | { @@ -11,9 +16,12 @@ autostart: "labels": {}, "repomen": [ { - "type": "RubinRepoMan", + "type": "RubinRepoGar", "registry_url": "us-central1-docker.pkg.dev", - "repo": "rubin-shared-services-71ec/sciplat/sciplat-lab", + "gar_repository": "sciplat", + "gar_image": "sciplat-lab", + "project_id": "rubin-shared-services-71ec", + "location": "us-central1", "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, From 868f0128bcde6d5dc1c7391ffdf25e768a3127ad Mon Sep 17 00:00:00 2001 
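Review bot: The first five `influxdb_v2` outputs are byte-identical (bucket `argocd`, tagpass `prometheus_app: [argocd]`), presumably one per argocd input, but the tagpass filter only looks at `prometheus_app`, so every argocd point is written five times to the same bucket and the extra writes add only load; one output per bucket is enough. If this file is produced by the `gen_config` generator changed earlier in the series, the deduplication belongs there, keyed on bucket plus tagpass, and a header comment `# Generated by gen_config; do not edit by hand` would stop hand edits from being overwritten. `vaultSecretsPath` is unquoted here and quoted in the telegraf-ds file of the same commit; either works, but pick one.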
From: Jonathan Sick Date: Wed, 13 Apr 2022 14:52:06 -0400 Subject: [PATCH 0242/1479] Migrate semaphore chart into phalanx services This migration is per RFC-830. While doing this, we're also hard-coding a number of configurations around the security contexts, service, and ingress, which reduces the complexity of the templates and values files. We're also taking advantage of global values set by the Argo CD application resource. --- .../templates/semaphore-application.yaml | 32 ++++-- services/semaphore/Chart.yaml | 12 +- services/semaphore/README.md | 55 +++++++++ services/semaphore/README.md.gotmpl | 13 +++ services/semaphore/templates/_helpers.tpl | 62 +++++++++++ services/semaphore/templates/configmap.yaml | 14 +++ services/semaphore/templates/deployment.yaml | 80 +++++++++++++ services/semaphore/templates/hpa.yaml | 28 +++++ services/semaphore/templates/ingress.yaml | 25 +++++ services/semaphore/templates/service.yaml | 15 +++ .../semaphore/templates/serviceaccount.yaml | 12 ++ services/semaphore/templates/vaultsecret.yaml | 9 ++ services/semaphore/values-base.yaml | 17 +-- services/semaphore/values-idfdev.yaml | 27 ++--- services/semaphore/values-idfint.yaml | 21 +--- services/semaphore/values-idfprod.yaml | 21 +--- services/semaphore/values-int.yaml | 17 +-- services/semaphore/values-minikube.yaml | 17 +-- services/semaphore/values-roe.yaml | 27 ++--- services/semaphore/values-stable.yaml | 17 +-- services/semaphore/values-summit.yaml | 17 +-- .../semaphore/values-tucson-teststand.yaml | 17 +-- services/semaphore/values.yaml | 105 ++++++++++++++++++ 23 files changed, 481 insertions(+), 179 deletions(-) create mode 100644 services/semaphore/README.md create mode 100644 services/semaphore/README.md.gotmpl create mode 100644 services/semaphore/templates/_helpers.tpl create mode 100644 services/semaphore/templates/configmap.yaml create mode 100644 services/semaphore/templates/deployment.yaml create mode 100644 services/semaphore/templates/hpa.yaml create mode 
100644 services/semaphore/templates/ingress.yaml create mode 100644 services/semaphore/templates/service.yaml create mode 100644 services/semaphore/templates/serviceaccount.yaml create mode 100644 services/semaphore/templates/vaultsecret.yaml create mode 100644 services/semaphore/values.yaml diff --git a/science-platform/templates/semaphore-application.yaml b/science-platform/templates/semaphore-application.yaml index 4039b32c36..99a1e0a3f4 100644 --- a/science-platform/templates/semaphore-application.yaml +++ b/science-platform/templates/semaphore-application.yaml @@ -2,28 +2,36 @@ apiVersion: v1 kind: Namespace metadata: - name: semaphore + name: "semaphore" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: semaphore - namespace: argocd + name: "semaphore" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: semaphore - server: https://kubernetes.default.svc - project: default + namespace: "semaphore" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/semaphore - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/semaphore" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPathPrefix" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/semaphore/Chart.yaml b/services/semaphore/Chart.yaml index 4608561d2c..a66b6168ce 100644 --- a/services/semaphore/Chart.yaml +++ b/services/semaphore/Chart.yaml 
@@ -1,10 +1,16 @@ apiVersion: v2 name: semaphore version: 1.0.0 +appVersion: "tickets-DM-34344" +type: application +description: Semaphore is the user notification and messaging service for the Rubin Science Platform. +sources: + - https://github.com/lsst-sqre/semaphore +maintainers: + - name: jonathansick + url: https://github.com/jonathansick + dependencies: - - name: semaphore - version: 0.2.2 - repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 repository: https://lsst-sqre.github.io/charts/ diff --git a/services/semaphore/README.md b/services/semaphore/README.md new file mode 100644 index 0000000000..7fe7913e7e --- /dev/null +++ b/services/semaphore/README.md 
@@ -0,0 +1,55 @@ +# semaphore + +![AppVersion: tickets-DM-34344](https://img.shields.io/badge/AppVersion-tickets--DM--34344-informational?style=flat-square) + +Semaphore is the user notification and messaging service for the Rubin Science Platform. + +## Source Code + +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| config.enable_github_app | string | `"False"` | Toggle to enable the GitHub App functionality | +| config.github_app_id | string | `""` | GitHub application ID | +| config.log_level | string | `"INFO"` | | +| config.logger_name | string | `"semaphore"` | Logger name | +| config.name | string | `"semaphore"` | Name of the service, and path where the external API is hosted. | +| config.phalanx_env | string | `""` | Name of the Phalanx environment where the application is installed TODO can this be set by a global? 
| +| config.profile | string | `"production"` | | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD Application | Base URL for the environment | +| global.host | string | Set by Argo CD Application | Host name for ingress | +| global.vaultSecretsPathPrefix | string | Set by Argo CD Application | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| image.repository | string | `"ghcr.io/lsst-sqre/semaphore"` | Semaphore image repository | +| image.tag | string | The appVersion of the chart | Tag of the image | +| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | +| ingress.enabled | bool | `true` | Enable ingress | +| ingress.path | string | `"/semaphore"` | URL path prefix where the Semaphore API is hosted | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | Annotations for pods | +| replicaCount | int | `1` | Number of Semaphore pods to run | +| resources | object | `{}` | | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `false` | Specifies whether a service account should be created. | +| serviceAccount.name | string | `""` | | +| tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/semaphore/README.md.gotmpl b/services/semaphore/README.md.gotmpl new file mode 100644 index 0000000000..12e81c78e0 --- /dev/null +++ b/services/semaphore/README.md.gotmpl 
@@ -0,0 +1,13 @@ +{{ template "chart.header" . }} + +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/semaphore/templates/_helpers.tpl b/services/semaphore/templates/_helpers.tpl new file mode 100644 index 0000000000..564691e8b7 --- /dev/null +++ b/services/semaphore/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "semaphore.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "semaphore.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "semaphore.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "semaphore.labels" -}} +helm.sh/chart: {{ include "semaphore.chart" . }} +{{ include "semaphore.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "semaphore.selectorLabels" -}} +app.kubernetes.io/name: {{ include "semaphore.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "semaphore.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "semaphore.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/services/semaphore/templates/configmap.yaml b/services/semaphore/templates/configmap.yaml
new file mode 100644
index 0000000000..a150586752
--- /dev/null
+++ b/services/semaphore/templates/configmap.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "semaphore.fullname" . }}
+ labels:
+ {{- include "semaphore.labels" . | nindent 4 }}
+data:
+ SAFIR_NAME: {{ .Values.config.name | quote }}
+ SAFIR_PROFILE: {{ .Values.config.profile | quote }}
+ SAFIR_LOG_LEVEL: {{ .Values.config.log_level | quote }}
+ SAFIR_LOGGER: {{ .Values.config.logger_name | quote }}
+ SEMAPHORE_GITHUB_APP_ID: {{ .Values.config.github_app_id | quote }}
+ SEMAPHORE_ENABLE_GITHUB_APP: {{ .Values.config.enable_github_app | quote }}
+ SEMAPHORE_PHALANX_ENV: {{ .Values.config.phalanx_env | quote }}
diff --git a/services/semaphore/templates/deployment.yaml b/services/semaphore/templates/deployment.yaml
new file mode 100644
index 0000000000..e007921ff5
--- /dev/null
+++ b/services/semaphore/templates/deployment.yaml
@@ -0,0 +1,80 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "semaphore.fullname" . }} + labels: + {{- include "semaphore.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "semaphore.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "semaphore.selectorLabels" . | nindent 8 }} + spec: + imagePullSecrets: + - name: "pull-secret" + serviceAccountName: {{ include "semaphore.serviceAccountName" . }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + envFrom: + - configMapRef: + name: {{ include "semaphore.fullname" . }} + env: + - name: SEMAPHORE_GITHUB_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + name: {{ include "semaphore.fullname" . }} + key: SEMAPHORE_GITHUB_WEBHOOK_SECRET + - name: SEMAPHORE_GITHUB_APP_PRIVATE_KEY + valueFrom: + secretKeyRef: + name: {{ include "semaphore.fullname" . }} + key: SEMAPHORE_GITHUB_APP_PRIVATE_KEY + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/semaphore/templates/hpa.yaml b/services/semaphore/templates/hpa.yaml new file mode 100644 index 0000000000..d6f2c1fd7b --- /dev/null +++ b/services/semaphore/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "semaphore.fullname" . }} + labels: + {{- include "semaphore.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "semaphore.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/services/semaphore/templates/ingress.yaml b/services/semaphore/templates/ingress.yaml new file mode 100644 index 0000000000..2f632bf09d --- /dev/null +++ b/services/semaphore/templates/ingress.yaml 
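Review bot: The pod spec in deployment.yaml leaves `automountServiceAccountToken` at its default, so the token of whatever `semaphore.serviceAccountName` resolves to (the `default` account when `serviceAccount.create` is false) is mounted into a container whose only declared inputs are the ConfigMap and the Secret; unless Semaphore calls the Kubernetes API, `automountServiceAccountToken: false` under the pod `spec:` removes a credential the workload does not need. Separately, `drop: - "all"` uses the lowercase spelling; as far as I know the Pod Security Standards restricted profile looks for the literal `ALL`, so `- "ALL"` is the safer form, and the same profile expects a `seccompProfile` (`seccompProfile: {type: RuntimeDefault}` in the pod securityContext) which this hunk does not set. The hpa.yaml hunk on the same line targets `autoscaling/v2beta1`, which is fine for the clusters of this date but is scheduled for removal; worth a comment noting the migration to `autoscaling/v2`.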
@@ -0,0 +1,25 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ template "semaphore.fullname" . }}
+ labels:
+ {{- include "semaphore.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ rules:
+ - host: {{ required "global.host must be set" .Values.global.host | quote }}
+ http:
+ paths:
+ - path: {{ .Values.ingress.path }}
+ pathType: "Prefix"
+ backend:
+ service:
+ name: {{ template "semaphore.fullname" . }}
+ port:
+ number: 80
+{{- end }}
diff --git a/services/semaphore/templates/service.yaml b/services/semaphore/templates/service.yaml
new file mode 100644
index 0000000000..fd84bb90b4
--- /dev/null
+++ b/services/semaphore/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "semaphore.fullname" . }}
+ labels:
+ {{- include "semaphore.labels" . | nindent 4 }}
+spec:
+ type: "ClusterIP"
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "semaphore.selectorLabels" . | nindent 4 }}
diff --git a/services/semaphore/templates/serviceaccount.yaml b/services/semaphore/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..a2aeac7b66
--- /dev/null
+++ b/services/semaphore/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "semaphore.serviceAccountName" . }}
+ labels:
+ {{- include "semaphore.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/services/semaphore/templates/vaultsecret.yaml b/services/semaphore/templates/vaultsecret.yaml
new file mode 100644
index 0000000000..5c71f7c51a
--- /dev/null
+++ b/services/semaphore/templates/vaultsecret.yaml
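Review bot: `path: {{ .Values.ingress.path }}` in ingress.yaml is emitted unquoted while `host` on the line above goes through `| quote`; a value starting with `/` is safe today, but `path: {{ .Values.ingress.path | quote }}` keeps the two consistent and protects against a future override that YAML would re-type. The controller is selected through the `kubernetes.io/ingress.class: nginx` annotation; on clusters where the controller registers an IngressClass, `ingressClassName: "nginx"` under `spec:` is the networking.k8s.io/v1 form, though the annotation still works, so at least a comment saying which one the cluster honours would help the next maintainer.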
@@ -0,0 +1,9 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ include "semaphore.fullname" . }} + labels: + {{- include "semaphore.labels" . | nindent 4 }} +spec: + path: "{{ .Values.global.vaultSecretsPathPrefix }}/noteburst" + type: Opaque diff --git a/services/semaphore/values-base.yaml b/services/semaphore/values-base.yaml index e5eab01758..56d9a0e30d 100644 --- a/services/semaphore/values-base.yaml +++ b/services/semaphore/values-base.yaml @@ -1,18 +1,5 @@ -semaphore: - config: - phalanx_env: "base" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "base-lsp.lsst.codes" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes/semaphore" +config: + phalanx_env: "base" pull-secret: enabled: true diff --git a/services/semaphore/values-idfdev.yaml b/services/semaphore/values-idfdev.yaml index f89ae44569..b2dde8b667 100644 --- a/services/semaphore/values-idfdev.yaml +++ b/services/semaphore/values-idfdev.yaml @@ -1,23 +1,10 @@ -semaphore: - image: - pullPolicy: Always - config: - github_app_id: "127943" - enable_github_app: "True" - phalanx_env: "idfdev" - log_level: "DEBUG" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "data-dev.lsst.cloud" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/semaphore" +image: + pullPolicy: Always +config: + github_app_id: "127943" + enable_github_app: "True" + phalanx_env: "idfdev" + log_level: "DEBUG" pull-secret: enabled: true diff --git a/services/semaphore/values-idfint.yaml b/services/semaphore/values-idfint.yaml index 0f75e7d7de..7213ca7711 100644 --- a/services/semaphore/values-idfint.yaml +++ b/services/semaphore/values-idfint.yaml 
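Review bot: The Vault path in vaultsecret.yaml is built as `{{ .Values.global.vaultSecretsPathPrefix }}/noteburst`, which looks copied from another chart: every per-environment `vaultSecretsPath` removed in this commit ended in `/semaphore`, and the Deployment reads `SEMAPHORE_GITHUB_WEBHOOK_SECRET` and `SEMAPHORE_GITHUB_APP_PRIVATE_KEY` from the Secret this resource produces. Depending on what lives at that path, the operator either materialises another service's secret material under semaphore's name or produces a Secret without the expected keys, and the pods fail to start. The line should read `path: "{{ .Values.global.vaultSecretsPathPrefix }}/semaphore"`.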
@@ -1,20 +1,7 @@ -semaphore: - config: - phalanx_env: "idfint" - github_app_id: "131457" - enable_github_app: "True" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "data-int.lsst.cloud" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/semaphore" +config: + phalanx_env: "idfint" + github_app_id: "131457" + enable_github_app: "True" pull-secret: enabled: true diff --git a/services/semaphore/values-idfprod.yaml b/services/semaphore/values-idfprod.yaml index 4c114cfdbf..99f41bc0bc 100644 --- a/services/semaphore/values-idfprod.yaml +++ b/services/semaphore/values-idfprod.yaml @@ -1,20 +1,7 @@ -semaphore: - config: - phalanx_env: "idfprod" - github_app_id: "131502" - enable_github_app: "True" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "data.lsst.cloud" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/semaphore" +config: + phalanx_env: "idfprod" + github_app_id: "131502" + enable_github_app: "True" pull-secret: enabled: true diff --git a/services/semaphore/values-int.yaml b/services/semaphore/values-int.yaml index b6f3db3959..1dae94dd8e 100644 --- a/services/semaphore/values-int.yaml +++ b/services/semaphore/values-int.yaml @@ -1,18 +1,5 @@ -semaphore: - config: - phalanx_env: "int" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "lsst-lsp-int.ncsa.illinois.edu" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/semaphore" +config: + phalanx_env: "int" pull-secret: enabled: true 
diff --git a/services/semaphore/values-minikube.yaml b/services/semaphore/values-minikube.yaml index 7dfbb96285..8e214230f2 100644 --- a/services/semaphore/values-minikube.yaml +++ b/services/semaphore/values-minikube.yaml @@ -1,18 +1,5 @@ -semaphore: - config: - phalanx_env: "minikube" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "minikube.lsst.codes" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/semaphore" +config: + phalanx_env: "minikube" pull-secret: enabled: true diff --git a/services/semaphore/values-roe.yaml b/services/semaphore/values-roe.yaml index 4c502b3629..16f883b9ed 100644 --- a/services/semaphore/values-roe.yaml +++ b/services/semaphore/values-roe.yaml @@ -1,23 +1,10 @@ -semaphore: - image: - pullPolicy: Always - config: - github_app_id: "1452049" - enable_github_app: "True" - phalanx_env: "roe" - log_level: "DEBUG" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "rsp.lsst.ac.uk" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/roe/semaphore" +image: + pullPolicy: Always +config: + github_app_id: "1452049" + enable_github_app: "True" + phalanx_env: "roe" + log_level: "DEBUG" pull-secret: enabled: true diff --git a/services/semaphore/values-stable.yaml b/services/semaphore/values-stable.yaml index 945a969c10..4747a2b373 100644 --- a/services/semaphore/values-stable.yaml +++ b/services/semaphore/values-stable.yaml 
@@ -1,18 +1,5 @@ -semaphore: - config: - phalanx_env: "stable" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "lsst-lsp-stable.ncsa.illinois.edu" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/semaphore" +config: + phalanx_env: "stable" pull-secret: enabled: true diff --git a/services/semaphore/values-summit.yaml b/services/semaphore/values-summit.yaml index e8ae0694a0..8d3df5674b 100644 --- a/services/semaphore/values-summit.yaml +++ b/services/semaphore/values-summit.yaml @@ -1,18 +1,5 @@ -semaphore: - config: - phalanx_env: "summit" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "summit-lsp.lsst.codes" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes/semaphore" +config: + phalanx_env: "summit" pull-secret: enabled: true diff --git a/services/semaphore/values-tucson-teststand.yaml b/services/semaphore/values-tucson-teststand.yaml index 9f023ef0f5..36baad3083 100644 --- a/services/semaphore/values-tucson-teststand.yaml +++ b/services/semaphore/values-tucson-teststand.yaml @@ -1,18 +1,5 @@ -semaphore: - config: - phalanx_env: "tucson-teststand" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: "tucson-teststand.lsst.codes" - paths: - - path: "/semaphore" - pathType: Prefix - imagePullSecrets: - - name: "pull-secret" - vaultSecretsPath: "secret/k8s_operator/tucson-teststand.lsst.codes/semaphore" +config: + phalanx_env: "tucson-teststand" pull-secret: enabled: true diff --git a/services/semaphore/values.yaml b/services/semaphore/values.yaml new file mode 100644 index 0000000000..614ed49253 --- /dev/null +++ b/services/semaphore/values.yaml 
@@ -0,0 +1,105 @@ +# Default values for semaphore. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of Semaphore pods to run +replicaCount: 1 + +image: + # -- Semaphore image repository + repository: ghcr.io/lsst-sqre/semaphore + + # -- Image pull policy + pullPolicy: IfNotPresent + + # -- Tag of the image + # @default -- The appVersion of the chart + tag: "" + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +serviceAccount: + # -- Specifies whether a service account should be created. + create: false + + # -- Annotations to add to the service account + annotations: {} + + # The name of the service account to use. + # @default -- Generated using the fullname template + name: "" + +# -- Annotations for pods +podAnnotations: {} + +ingress: + # -- Enable ingress + enabled: true + + # -- URL path prefix where the Semaphore API is hosted + path: "/semaphore" + + # -- Additional annotations to add to the ingress + annotations: {} + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# Semaphore app configurations. +config: + # -- Name of the service, and path where the external API is hosted. 
+ name: "semaphore" + # -- Name of the Phalanx environment where the application is installed + # TODO can this be set by a global? + phalanx_env: "" + # Run profile: "production" or "development" + profile: "production" + # Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" + log_level: "INFO" + # -- Logger name + logger_name: "semaphore" + # -- GitHub application ID + github_app_id: "" + # -- Toggle to enable the GitHub App functionality + enable_github_app: "False" + +# Global parameters will be set by parameters injected by Argo CD and should +# not be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD Application + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD Application + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD Application + vaultSecretsPathPrefix: "" From 09402be3abbfd18ece44c6d31520130caa473553 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 14 Apr 2022 14:56:40 -0400 Subject: [PATCH 0243/1479] Update Semaphore to 0.3.0 This release supports the new broadcast message "category" field. https://github.com/lsst-sqre/semaphore/releases/tag/0.3.0 --- services/semaphore/Chart.yaml | 2 +- services/semaphore/README.md | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/services/semaphore/Chart.yaml b/services/semaphore/Chart.yaml index a66b6168ce..4ded2547f9 100644 --- a/services/semaphore/Chart.yaml +++ b/services/semaphore/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: semaphore version: 1.0.0 -appVersion: "tickets-DM-34344" +appVersion: "0.3.0" type: application description: Semaphore is the user notification and messaging service for the Rubin Science Platform. sources: diff --git a/services/semaphore/README.md b/services/semaphore/README.md index 7fe7913e7e..cf10693740 100644 --- a/services/semaphore/README.md +++ b/services/semaphore/README.md 
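Review bot: Several comments in values.yaml lack the `# --` helm-docs marker, so the generated README in this same commit shows empty Description cells for `config.profile`, `config.log_level` and `serviceAccount.name`: change them to `# -- Run profile: "production" or "development"`, `# -- Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"` and `# -- The name of the service account to use.`. Conversely, the `# TODO can this be set by a global?` line under `phalanx_env` is picked up as part of that key's description and leaks into the README table; move it above the `# --` line or drop it. The `global:` block comment says these values are injected by Argo CD, which matches the `helm.parameters` added to the Application resource earlier in the commit, so that part is fine.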
@@ -1,6 +1,6 @@ # semaphore -![AppVersion: tickets-DM-34344](https://img.shields.io/badge/AppVersion-tickets--DM--34344-informational?style=flat-square) +![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square) Semaphore is the user notification and messaging service for the Rubin Science Platform. @@ -37,7 +37,6 @@ Semaphore is the user notification and messaging service for the Rubin Science P | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | image.repository | string | `"ghcr.io/lsst-sqre/semaphore"` | Semaphore image repository | | image.tag | string | The appVersion of the chart | Tag of the image | -| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.enabled | bool | `true` | Enable ingress | | ingress.path | string | `"/semaphore"` | URL path prefix where the Semaphore API is hosted | From 8ad0ec1374eeab3451f32c877af43406d36eeb0f Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 14 Apr 2022 20:52:58 +0000 Subject: [PATCH 0244/1479] Update Helm release redis to v16.8.5 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 76e44c1498..4dc4ff6f8d 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.5.3 + version: 16.8.5 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 31c398b4a1..d703d1ff7a 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml 
@@ -16,5 +16,5 @@ dependencies: - name: times-square-ui version: 1.0.0 - name: redis - version: 16.0.1 + version: 16.8.5 repository: https://charts.bitnami.com/bitnami From 5c97454c4bbeb2491b107d9651af0c2c4d6a4f97 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 14 Apr 2022 18:03:27 -0400 Subject: [PATCH 0245/1479] Update Squareone to 0.6.0 This release includes handling for info banners and auto refreshing of broadcast message data. --- services/squareone/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index 2c77bd8b39..bf5293cb27 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,7 +10,7 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "0.5.0" +appVersion: "0.6.0" dependencies: - name: pull-secret From ecfe43476db89bab290ce5a5f7289271f3a92280 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 14 Apr 2022 15:16:40 -0700 Subject: [PATCH 0246/1479] Enable telegraf/ds at IDF stable --- science-platform/values-idfprod.yaml | 4 +- services/telegraf-ds/values-idfprod.yaml | 161 +++++++++++++++++++++++ services/telegraf/values-idfprod.yaml | 119 +++++++++++++++++ 3 files changed, 282 insertions(+), 2 deletions(-) create mode 100644 services/telegraf-ds/values-idfprod.yaml create mode 100644 services/telegraf/values-idfprod.yaml diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index eded4c03be..3d91dde6ca 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -53,9 +53,9 @@ tap: tap_schema: enabled: true telegraf: - enabled: false + enabled: true telegraf-ds: - enabled: false + enabled: true times_square: enabled: false vault_secrets_operator: diff --git a/services/telegraf-ds/values-idfprod.yaml b/services/telegraf-ds/values-idfprod.yaml new file mode 100644 index 0000000000..88e60eb1a5 
--- /dev/null +++ b/services/telegraf-ds/values-idfprod.yaml 
@@ -0,0 +1,161 @@ +vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud" +telegraf-ds: + override_config: + toml: |+ + [global_tags] + cluster = "data.lsst.cloud" + [agent] + hostname = "telegraf-$HOSTIP" + [[inputs.kubernetes]] + url = "https://$HOSTIP:10250" + bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" + insecure_skip_verify = true + namepass = ["kubernetes_pod_container"] + fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "argocd" + [outputs.influxdb_v2.tagpass] + namespace = ["argocd"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "cachemachine" + [outputs.influxdb_v2.tagpass] + namespace = ["cachemachine"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "cert_manager" + [outputs.influxdb_v2.tagpass] + namespace = ["cert-manager"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "datalinker" + [outputs.influxdb_v2.tagpass] + namespace = ["datalinker"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "gafaelfawr" + [outputs.influxdb_v2.tagpass] + namespace = ["gafaelfawr"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "ingress_nginx" + [outputs.influxdb_v2.tagpass] + namespace = ["ingress-nginx"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "mobu" + [outputs.influxdb_v2.tagpass] + namespace = ["mobu"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + 
organization = "square" + bucket = "moneypenny" + [outputs.influxdb_v2.tagpass] + namespace = ["moneypenny"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "nublado2" + [outputs.influxdb_v2.tagpass] + namespace = ["nublado2"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "obstap" + [outputs.influxdb_v2.tagpass] + namespace = ["obstap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "portal" + [outputs.influxdb_v2.tagpass] + namespace = ["portal"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "postgres" + [outputs.influxdb_v2.tagpass] + namespace = ["postgres"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "semaphore" + [outputs.influxdb_v2.tagpass] + namespace = ["semaphore"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "sherlock" + [outputs.influxdb_v2.tagpass] + namespace = ["sherlock"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "squareone" + [outputs.influxdb_v2.tagpass] + namespace = ["squareone"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "tap" + [outputs.influxdb_v2.tagpass] + namespace = ["tap"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "tap_schema" + [outputs.influxdb_v2.tagpass] + namespace = ["tap-schema"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = 
"$INFLUX_TOKEN" + organization = "square" + bucket = "telegraf" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "telegraf_ds" + [outputs.influxdb_v2.tagpass] + namespace = ["telegraf-ds"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "vault_secrets_operator" + [outputs.influxdb_v2.tagpass] + namespace = ["vault-secrets-operator"] + [[outputs.influxdb_v2]] + urls = ["https://monitoring.lsst.codes"] + token = "$INFLUX_TOKEN" + organization = "square" + bucket = "vo_cutouts" + [outputs.influxdb_v2.tagpass] + namespace = ["vo-cutouts"] diff --git a/services/telegraf/values-idfprod.yaml b/services/telegraf/values-idfprod.yaml new file mode 100644 index 0000000000..ef408821a8 --- /dev/null +++ b/services/telegraf/values-idfprod.yaml 
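Review bot: `insecure_skip_verify = true` in the `[[inputs.kubernetes]]` block disables certificate verification for the kubelet endpoint at `https://$HOSTIP:10250`, so the DaemonSet presents its service-account bearer token to whatever answers on that address. If the kubelet serving certificates on this cluster are signed by the cluster CA, `tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"` in place of the skip flag verifies them with no other change; if they are self-signed, a one-line TOML comment recording that is why verification is off would keep the setting from looking accidental. The `|+` block indicator also preserves every trailing blank line in the rendered TOML, where plain `|` is the usual choice.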
@@ -0,0 +1,119 @@ +telegraf: + config: + global_tags: + cluster: data.lsst.cloud + inputs: + - prometheus: + metric_version: 2 + name_override: prometheus_application_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-application-controller-metrics.argocd.svc:8082/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_notifications_controller + tags: + prometheus_app: argocd + urls: + - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_redis + tags: + prometheus_app: argocd + urls: + - http://argocd-redis-metrics.argocd.svc:9121/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_repo_server + tags: + prometheus_app: argocd + urls: + - http://argocd-repo-server-metrics.argocd.svc:8084/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_server + tags: + prometheus_app: argocd + urls: + - http://argocd-server-metrics.argocd.svc:8083/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_hub + tags: + prometheus_app: nublado2 + urls: + - http://hub.nublado2:8081/metrics + - prometheus: + metric_version: 2 + name_override: prometheus_controller + tags: + prometheus_app: ingress_nginx + urls: + - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics + outputs: + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - 
https://monitoring.lsst.codes + - influxdb_v2: + bucket: argocd + organization: square + tagpass: + prometheus_app: + - argocd + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: nublado2 + organization: square + tagpass: + prometheus_app: + - nublado2 + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes + - influxdb_v2: + bucket: ingress_nginx + organization: square + tagpass: + prometheus_app: + - ingress_nginx + token: $INFLUX_TOKEN + urls: + - https://monitoring.lsst.codes +vaultSecretsPath: secret/k8s_operator/data.lsst.cloud From f7b7b2c4367aa4da955295bf082c6251fb662337 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 15 Apr 2022 12:13:20 +0200 Subject: [PATCH 0247/1479] ccin2p3 --- science-platform/values-ccin2p3.yaml | 46 ++++++++++++++++ services/argocd/values-ccin2p3.yaml | 64 ++++++++++++++++++++++ services/cert-manager/values-ccin2p3.yaml | 9 +++ services/gafaelfawr/values-ccin2p3.yaml | 55 +++++++++++++++++++ services/ingress-nginx/values-ccin2p3.yaml | 37 +++++++++++++ services/moneypenny/values-ccin2p3.yaml | 37 +++++++++++++ 6 files changed, 248 insertions(+) create mode 100644 science-platform/values-ccin2p3.yaml create mode 100644 services/argocd/values-ccin2p3.yaml create mode 100644 services/cert-manager/values-ccin2p3.yaml create mode 100644 services/gafaelfawr/values-ccin2p3.yaml create mode 100644 services/ingress-nginx/values-ccin2p3.yaml create mode 100644 services/moneypenny/values-ccin2p3.yaml diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml new file mode 100644 index 0000000000..c88754088a --- /dev/null +++ b/science-platform/values-ccin2p3.yaml 
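Review bot: The `outputs` list repeats the `influxdb_v2` entry for `bucket: argocd` with the identical `tagpass: prometheus_app: [argocd]` five times, so every argocd metric point is sent to the same bucket five times; one entry is enough, because the selection is done by the `prometheus_app` tag and not by input. The five argocd `inputs` are distinct scrape targets and should stay, only the outputs need deduplicating. A comment above `outputs:` such as `# one output per bucket; inputs are routed by the prometheus_app tag` would make the intended shape clear.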
@@ -0,0 +1,46 @@ +environment: ccin2p3dev +fqdn: data-dev.lsst.eu +vault_path_prefix: secret/k8s_operator/rsp-cc + +argo: + enabled: true +cert_issuer: + enabled: false +cert_manager: + enabled: false +chronograf: + enabled: false +exposurelog: + enabled: false +gafaelfawr: + enabled: true +influxdb: + enabled: false +kapacitor: + enabled: false +landing_page: + enabled: true +logging: + enabled: false +mobu: + enabled: false +moneypenny: + enabled: true +ingress_nginx: + enabled: true +nublado: + enabled: true +obstap: + enabled: false +portal: + enabled: true +postgres: + enabled: true +rancher_external_ip_webhook: + enabled: false +squash_api: + enabled: false +tap: + enabled: true +vault_secrets_operator: + enabled: true \ No newline at end of file diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml new file mode 100644 index 0000000000..729e0b7d3f --- /dev/null +++ b/services/argocd/values-ccin2p3.yaml 
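Review bot: `environment: ccin2p3dev` does not match the file name `values-ccin2p3.yaml` nor the `values-ccin2p3.yaml` files added for every service in this commit; if the science-platform chart uses this key to pick `values-<environment>.yaml` per service (the installer does the same with `values-$ENVIRONMENT.yaml`), the per-service files will not be found, so the value should presumably be `ccin2p3`. `cert_manager` and `cert_issuer` are both `enabled: false` while `services/cert-manager/values-ccin2p3.yaml` is added in the same commit, so that file is currently unused; a comment like `# cert-manager disabled: the ingress certificate is supplied through vault_certificate in ingress-nginx` would record the intent. `science-platform/values-ccin2p3test.yaml` in [PATCH 0249] is a byte-identical copy (index c88754088a) and inherits the first point until [PATCH 0251] changes it. All the new files in this series also end with `\ No newline at end of file`.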
@@ -0,0 +1,64 @@ +argo-cd: + redis: + enabled: true + + ingress: + enabled: true + hosts: + - "data-dev.lsst.eu" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + + config: + url: https://data-dev.lsst.eu/argo-cd + dex.config: | + connectors: + # Auth using GitHub. + # See https://dexidp.io/docs/connectors/github/ + - type: github + id: github + name: GitHub + config: + clientID: ae314e45a6af43ea910a + # Reference to key in argo-secret Kubernetes resource + clientSecret: $dex.clientSecret + orgs: + - name: in2p3-dp0 + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + resource.customizations: | + networking.k8s.io/Ingress: + health.lua: | + hs = {} + hs.status = "Healthy" + return hs + + rbacConfig: + policy.csv: | + g, in2p3-dp0:admin, role:admin + + configs: + secret: + createSecret: true + +vault_secret: + enabled: true + path: secret/k8s_operator/rsp-cc/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/cert-manager/values-ccin2p3.yaml b/services/cert-manager/values-ccin2p3.yaml new file mode 100644 index 0000000000..92f6992fb8 --- /dev/null +++ b/services/cert-manager/values-ccin2p3.yaml @@ -0,0 +1,9 @@ +cert-manager: + installCRDs: true + extraArgs: + - --dns01-recursive-nameservers-only + - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml new file mode 100644 index 0000000000..6682b3165b 
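Review bot: `configs.secret.createSecret: true` is set together with `vault_secret.enabled: true`, so the chart-rendered `argocd-secret` and the Vault-synced secret may both claim the same object; if the VaultSecret in this chart writes `argocd-secret` (where `$dex.clientSecret` is resolved from), one of the two should be turned off, presumably `createSecret: false` — confirm against the chart's `vault_secret` template. `--insecure=true` makes argocd-server listen in plaintext and relies entirely on ingress-nginx terminating HTTPS; a comment `# TLS terminates at ingress-nginx; argocd-server itself is plaintext behind it` next to `extraArgs` would make that dependency explicit. The same applies to `services/argocd/values-ccin2p3test.yaml` in [PATCH 0249], which is the same blob (729e0b7d3f).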
--- /dev/null +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -0,0 +1,55 @@ +gafaelfawr: + + pull_secret: 'pull-secret' + ingress: + host: data-dev.lsst.eu + vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" + + redis: + persistence: + enabled: false + + config: + host: data-dev.lsst.eu + + # Do not specify ingress.host because we're using the wildcard virtual host. + + # Session length and token expiration (in minutes). + issuer: + exp_minutes: 43200 # 30 days + + github: + clientId: ae314e45a6af43ea910a + + # Allow access by GitHub team. + groupMapping: + "exec:admin": + - "in2p3-dp0-admin" + "exec:user": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "read:workspace": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "read:workspace/user": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "write:workspace/user": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "exec:portal": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "exec:notebook": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "read:tap": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "read:image": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/ingress-nginx/values-ccin2p3.yaml b/services/ingress-nginx/values-ccin2p3.yaml new file mode 100644 index 0000000000..c30e4964c2 --- /dev/null +++ b/services/ingress-nginx/values-ccin2p3.yaml 
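Review bot: The comment `# Do not specify ingress.host because we're using the wildcard virtual host.` contradicts `ingress.host: data-dev.lsst.eu` set a few lines above it; one of the two should be removed. `redis.persistence.enabled: false` combined with `exp_minutes: 43200` means tokens are issued for 30 days but every session is invalidated whenever the Redis pod restarts; if that is acceptable for a dev instance, say so in a comment, otherwise enable persistence. The GitHub `clientId` here is the same value as the Dex `clientID` in `services/argocd/values-ccin2p3.yaml`, so one OAuth app serves two relying parties on the same host; that only works if its registered callback covers both paths, so confirm it is deliberate. `services/gafaelfawr/values-ccin2p3test.yaml` in [PATCH 0249] is the same blob (6682b3165b) and carries all three points.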
@@ -0,0 +1,37 @@ +ingress-nginx: + controller: + nodeSelector: + kubernetes.io/hostname: "ccqserv202" + + tolerations: + - key: "dedicated" + operator: "Equal" + value: "qserv" + effect: "NoSchedule" + + config: + compute-full-forwarded-for: "true" + large-client-header-buffers: "4 64k" + proxy-body-size: "100m" + proxy-buffer-size: "64k" + ssl-redirect: "true" + use-forwarded-headers: "true" + service: + externalTrafficPolicy: Local + externalIPs: + - 134.158.237.2 + type: NodePort + admissionWebhooks: + enabled: false + extraArgs: + default-ssl-certificate: ingress-nginx/ingress-certificate + podLabels: + hub.jupyter.org/network-access-proxy-http: "true" + +vault_certificate: + enabled: true + path: secret/k8s_operator/rsp-cc/ingress-nginx + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml new file mode 100644 index 0000000000..69e6fe6695 --- /dev/null +++ b/services/moneypenny/values-ccin2p3.yaml @@ -0,0 +1,37 @@ +moneypenny: + host: "data-dev.lsst.eu" + + ingress: + enabled: true + hosts: + - host: data-dev.lsst.eu + paths: ["/moneypenny"] + annotations: + nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:admin" + + vault_secrets: + enabled: true + path: "secret/k8s_operator/rsp-lapp/pull-secret" + + orders: | + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: + - mountPath: /home + name: home + retire: + - name: farthing + image: lsstsqre/farthing + securityContext: + runAsUser: 1000 + runAsNonRootUser: true + allowPrivilegeEscalation: false + volumes: + - name: home + hostPath: + path: /data/rsp/home + type: Directory \ No newline at end of file From 7d9473802c6de89852f2f4c3365a75f255ba7647 Mon Sep 17 00:00:00 2001 
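Review bot: `use-forwarded-headers: "true"` together with `compute-full-forwarded-for: "true"` makes the controller trust `X-Forwarded-For` and `X-Forwarded-Proto` from whoever connects, and this Service is reached directly through `externalIPs: 134.158.237.2` with `externalTrafficPolicy: Local` rather than behind an upstream proxy; unless a trusted L7 proxy sits in front of that address, leave both at their defaults or restrict the trusted sources with `proxy-real-ip-cidr`, so the client address seen by Gafaelfawr and in access logs is the real peer. `admissionWebhooks.enabled: false` also disables validation of Ingress annotations such as the `configuration-snippet` the portal values in [PATCH 0248] rely on. `services/ingress-nginx/values-ccin2p3test.yaml` in [PATCH 0249] is the same blob (c30e4964c2).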
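Review bot: `vault_secrets.path: "secret/k8s_operator/rsp-lapp/pull-secret"` is the only path in this commit under `rsp-lapp`; every other file uses the `rsp-cc` prefix declared in `science-platform/values-ccin2p3.yaml`, so this looks like a leftover from the values file it was copied from and should presumably read `secret/k8s_operator/rsp-cc/pull-secret`. The `initcommission` container runs with `runAsUser: 0` against the `hostPath` `/data/rsp/home` mounted at `/home`; that is the established inituserhome pattern, but a one-line comment on why root is required there would help the next reader. `services/moneypenny/values-ccin2p3test.yaml` in [PATCH 0249] is the same blob (69e6fe6695), and the host rename in [PATCH 0251] leaves this path untouched.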
From: Gabriele Mainetti Date: Fri, 15 Apr 2022 15:02:09 +0200 Subject: [PATCH 0248/1479] Added remaining ccin2p3 config --- services/portal/values-ccin2p3.yaml | 40 +++++++++++++++++++ services/postgres/values-ccin2p3.yaml | 16 ++++++++ services/tap/values-ccin2p3.yaml | 21 ++++++++++ .../values-ccin2p3.yaml | 14 +++++++ 4 files changed, 91 insertions(+) create mode 100644 services/portal/values-ccin2p3.yaml create mode 100644 services/postgres/values-ccin2p3.yaml create mode 100644 services/tap/values-ccin2p3.yaml create mode 100644 services/vault-secrets-operator/values-ccin2p3.yaml diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml new file mode 100644 index 0000000000..06a245dfab --- /dev/null +++ b/services/portal/values-ccin2p3.yaml @@ -0,0 +1,40 @@ +firefly: + pull_secret: 'pull-secret' + replicaCount: 2 + image: + tag: "2.1.1-3" + + ingress: + host: 'data-dev.lsst.eu' + annotations: + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token + nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" + nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:portal" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Forwarded-Path /portal/app; + + secrets: + enabled: true + + vault_secrets: + enabled: true + path: 'secret/k8s_operator/rsp-cc/portal' + + max_jvm_size: "23G" + + redis: + resources: + limits: + memory: 20Mi + + resources: + limits: + memory: 24Gi + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/postgres/values-ccin2p3.yaml b/services/postgres/values-ccin2p3.yaml new file mode 100644 index 0000000000..8bee359d14 --- /dev/null 
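Review bot: `secrets.enabled: true` is set alongside `vault_secrets.enabled: true`, whereas `services/tap/values-ccin2p3.yaml` in the same commit pairs `vault_secrets.enabled: true` with `secrets.enabled: false`; if `secrets.enabled` makes the firefly chart render its own Secret, the two sources compete for the same object, so confirm what the chart expects and align it with tap. `redis.resources.limits.memory: 20Mi` is unusually small for a Redis pod next to a 24Gi limit for firefly; verify it is not a dropped zero. `services/portal/values-ccin2p3test.yaml` in [PATCH 0249] is the same blob (06a245dfab).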
+++ b/services/postgres/values-ccin2p3.yaml @@ -0,0 +1,16 @@ +postgres: + pull_secret: 'pull-secret' + vault_secrets: + path: 'secret/k8s_operator/rsp-cc/postgres' + debug: 'true' + jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' + postgres_storage_class: 'rsp-local-storage' + volume_name: 'postgres-data-rsp-ccqserv219' + image: + tag: '0.0.3' + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml new file mode 100644 index 0000000000..052f73f3c4 --- /dev/null +++ b/services/tap/values-ccin2p3.yaml @@ -0,0 +1,21 @@ +cadc-tap: + pull_secret: 'pull-secret' + tag: "1.0.16" + use_mock_qserv: false + qserv_host: "ccqserv201.in2p3.fr:30040" + + host: "data-dev.lsst.eu" + + secrets: + enabled: false + + vault_secrets: + enabled: true + path: 'secret/k8s_operator/rsp-cc/tap' + +# gcs_bucket: 'async-results.lsst.codes' +# gcs_bucket_url: 'http://async-results.lsst.codes' + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/vault-secrets-operator/values-ccin2p3.yaml b/services/vault-secrets-operator/values-ccin2p3.yaml new file mode 100644 index 0000000000..93d8160181 --- /dev/null +++ b/services/vault-secrets-operator/values-ccin2p3.yaml @@ -0,0 +1,14 @@ +vault-secrets-operator: + environmentVars: + - name: VAULT_TOKEN + valueFrom: + secretKeyRef: + name: vault-secrets-operator + key: VAULT_TOKEN + - name: VAULT_TOKEN_LEASE_DURATION + valueFrom: + secretKeyRef: + name: vault-secrets-operator + key: VAULT_TOKEN_LEASE_DURATION + vault: + address: "https://vault.lsst.codes" \ No newline at end of file From 18d5d71f949e265b01e7fa114b9931b4f189bb46 Mon Sep 17 00:00:00 2001 
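Review bot: `debug: 'true'` is enabled on an instance that holds the JupyterHub database on a persistent local volume (`postgres-data-rsp-ccqserv219`); if this flag turns on statement logging in the chart, query contents end up in pod logs, so either set it to `'false'` or add `# debug logging on for initial bring-up; disable before users are onboarded`. The booleans in this file are quoted strings while the rest of the series uses bare `true`/`false`; keep whichever form the chart's values actually expect. `services/postgres/values-ccin2p3test.yaml` in [PATCH 0249] is the same blob (8bee359d14).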
From: Gabriele Mainetti Date: Fri, 15 Apr 2022 15:23:13 +0200 Subject: [PATCH 0249/1479] Add test-config --- science-platform/values-ccin2p3test.yaml | 46 +++++++++++++ services/argocd/values-ccin2p3test.yaml | 64 +++++++++++++++++++ services/cert-manager/values-ccin2p3test.yaml | 9 +++ services/gafaelfawr/values-ccin2p3test.yaml | 55 ++++++++++++++++ .../ingress-nginx/values-ccin2p3test.yaml | 37 +++++++++++ services/moneypenny/values-ccin2p3test.yaml | 37 +++++++++++ services/portal/values-ccin2p3test.yaml | 40 ++++++++++++ services/postgres/values-ccin2p3test.yaml | 16 +++++ services/tap/values-ccin2p3test.yaml | 21 ++++++ .../values-ccin2p3test.yaml | 14 ++++ 10 files changed, 339 insertions(+) create mode 100644 science-platform/values-ccin2p3test.yaml create mode 100644 services/argocd/values-ccin2p3test.yaml create mode 100644 services/cert-manager/values-ccin2p3test.yaml create mode 100644 services/gafaelfawr/values-ccin2p3test.yaml create mode 100644 services/ingress-nginx/values-ccin2p3test.yaml create mode 100644 services/moneypenny/values-ccin2p3test.yaml create mode 100644 services/portal/values-ccin2p3test.yaml create mode 100644 services/postgres/values-ccin2p3test.yaml create mode 100644 services/tap/values-ccin2p3test.yaml create mode 100644 services/vault-secrets-operator/values-ccin2p3test.yaml diff --git a/science-platform/values-ccin2p3test.yaml b/science-platform/values-ccin2p3test.yaml new file mode 100644 index 0000000000..c88754088a --- /dev/null +++ b/science-platform/values-ccin2p3test.yaml 
@@ -0,0 +1,46 @@ +environment: ccin2p3dev +fqdn: data-dev.lsst.eu +vault_path_prefix: secret/k8s_operator/rsp-cc + +argo: + enabled: true +cert_issuer: + enabled: false +cert_manager: + enabled: false +chronograf: + enabled: false +exposurelog: + enabled: false +gafaelfawr: + enabled: true +influxdb: + enabled: false +kapacitor: + enabled: false +landing_page: + enabled: true +logging: + enabled: false +mobu: + enabled: false +moneypenny: + enabled: true +ingress_nginx: + enabled: true +nublado: + enabled: true +obstap: + enabled: false +portal: + enabled: true +postgres: + enabled: true +rancher_external_ip_webhook: + enabled: false +squash_api: + enabled: false +tap: + enabled: true +vault_secrets_operator: + enabled: true \ No newline at end of file diff --git a/services/argocd/values-ccin2p3test.yaml b/services/argocd/values-ccin2p3test.yaml new file mode 100644 index 0000000000..729e0b7d3f --- /dev/null +++ b/services/argocd/values-ccin2p3test.yaml 
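Review bot: The test environment keeps `vault_path_prefix: secret/k8s_operator/rsp-cc`, the same prefix as `science-platform/values-ccin2p3.yaml`, so both clusters read one Vault tree — including the argocd admin password and the pull secret the installer fetches from `$VAULT_PATH_PREFIX/installer` and `$VAULT_PATH_PREFIX/pull-secret`. [PATCH 0251] changes `environment` and `fqdn` but leaves this line, so a rotation or exposure in one environment affects the other; a distinct prefix for the test instance (for example `secret/k8s_operator/rsp-cc-test`, to be created) would isolate them.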
@@ -0,0 +1,64 @@ +argo-cd: + redis: + enabled: true + + ingress: + enabled: true + hosts: + - "data-dev.lsst.eu" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + + config: + url: https://data-dev.lsst.eu/argo-cd + dex.config: | + connectors: + # Auth using GitHub. + # See https://dexidp.io/docs/connectors/github/ + - type: github + id: github + name: GitHub + config: + clientID: ae314e45a6af43ea910a + # Reference to key in argo-secret Kubernetes resource + clientSecret: $dex.clientSecret + orgs: + - name: in2p3-dp0 + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + resource.customizations: | + networking.k8s.io/Ingress: + health.lua: | + hs = {} + hs.status = "Healthy" + return hs + + rbacConfig: + policy.csv: | + g, in2p3-dp0:admin, role:admin + + configs: + secret: + createSecret: true + +vault_secret: + enabled: true + path: secret/k8s_operator/rsp-cc/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/cert-manager/values-ccin2p3test.yaml b/services/cert-manager/values-ccin2p3test.yaml new file mode 100644 index 0000000000..92f6992fb8 --- /dev/null +++ b/services/cert-manager/values-ccin2p3test.yaml @@ -0,0 +1,9 @@ +cert-manager: + installCRDs: true + extraArgs: + - --dns01-recursive-nameservers-only + - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file 
diff --git a/services/gafaelfawr/values-ccin2p3test.yaml b/services/gafaelfawr/values-ccin2p3test.yaml new file mode 100644 index 0000000000..6682b3165b --- /dev/null +++ b/services/gafaelfawr/values-ccin2p3test.yaml @@ -0,0 +1,55 @@ +gafaelfawr: + + pull_secret: 'pull-secret' + ingress: + host: data-dev.lsst.eu + vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" + + redis: + persistence: + enabled: false + + config: + host: data-dev.lsst.eu + + # Do not specify ingress.host because we're using the wildcard virtual host. + + # Session length and token expiration (in minutes). + issuer: + exp_minutes: 43200 # 30 days + + github: + clientId: ae314e45a6af43ea910a + + # Allow access by GitHub team. + groupMapping: + "exec:admin": + - "in2p3-dp0-admin" + "exec:user": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "read:workspace": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "read:workspace/user": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "write:workspace/user": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "exec:portal": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "exec:notebook": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "read:tap": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + "read:image": + - "in2p3-dp0-admin" + - "in2p3-dp0-user" + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/ingress-nginx/values-ccin2p3test.yaml b/services/ingress-nginx/values-ccin2p3test.yaml new file mode 100644 index 0000000000..c30e4964c2 --- /dev/null +++ b/services/ingress-nginx/values-ccin2p3test.yaml 
@@ -0,0 +1,37 @@ +ingress-nginx: + controller: + nodeSelector: + kubernetes.io/hostname: "ccqserv202" + + tolerations: + - key: "dedicated" + operator: "Equal" + value: "qserv" + effect: "NoSchedule" + + config: + compute-full-forwarded-for: "true" + large-client-header-buffers: "4 64k" + proxy-body-size: "100m" + proxy-buffer-size: "64k" + ssl-redirect: "true" + use-forwarded-headers: "true" + service: + externalTrafficPolicy: Local + externalIPs: + - 134.158.237.2 + type: NodePort + admissionWebhooks: + enabled: false + extraArgs: + default-ssl-certificate: ingress-nginx/ingress-certificate + podLabels: + hub.jupyter.org/network-access-proxy-http: "true" + +vault_certificate: + enabled: true + path: secret/k8s_operator/rsp-cc/ingress-nginx + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/moneypenny/values-ccin2p3test.yaml b/services/moneypenny/values-ccin2p3test.yaml new file mode 100644 index 0000000000..69e6fe6695 --- /dev/null +++ b/services/moneypenny/values-ccin2p3test.yaml @@ -0,0 +1,37 @@ +moneypenny: + host: "data-dev.lsst.eu" + + ingress: + enabled: true + hosts: + - host: data-dev.lsst.eu + paths: ["/moneypenny"] + annotations: + nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:admin" + + vault_secrets: + enabled: true + path: "secret/k8s_operator/rsp-lapp/pull-secret" + + orders: | + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: + - mountPath: /home + name: home + retire: + - name: farthing + image: lsstsqre/farthing + securityContext: + runAsUser: 1000 + runAsNonRootUser: true + allowPrivilegeEscalation: false + volumes: + - name: home + hostPath: + path: /data/rsp/home + type: Directory \ No newline at end of file 
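Review bot: This test copy pins the controller to the same node (`kubernetes.io/hostname: "ccqserv202"`) and advertises the same `externalIPs` entry `134.158.237.2` as `services/ingress-nginx/values-ccin2p3.yaml`; if both environments land on one cluster, two Services claiming the same external IP on ports 80/443 collide, and on separate clusters the address can be routed to only one of them. The blob is otherwise identical (c30e4964c2), so the test instance needs its own node selector and external IP before it can run next to dev.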
diff --git a/services/portal/values-ccin2p3test.yaml b/services/portal/values-ccin2p3test.yaml new file mode 100644 index 0000000000..06a245dfab --- /dev/null +++ b/services/portal/values-ccin2p3test.yaml @@ -0,0 +1,40 @@ +firefly: + pull_secret: 'pull-secret' + replicaCount: 2 + image: + tag: "2.1.1-3" + + ingress: + host: 'data-dev.lsst.eu' + annotations: + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token + nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" + nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:portal" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Forwarded-Path /portal/app; + + secrets: + enabled: true + + vault_secrets: + enabled: true + path: 'secret/k8s_operator/rsp-cc/portal' + + max_jvm_size: "23G" + + redis: + resources: + limits: + memory: 20Mi + + resources: + limits: + memory: 24Gi + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/postgres/values-ccin2p3test.yaml b/services/postgres/values-ccin2p3test.yaml new file mode 100644 index 0000000000..8bee359d14 --- /dev/null +++ b/services/postgres/values-ccin2p3test.yaml @@ -0,0 +1,16 @@ +postgres: + pull_secret: 'pull-secret' + vault_secrets: + path: 'secret/k8s_operator/rsp-cc/postgres' + debug: 'true' + jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' + postgres_storage_class: 'rsp-local-storage' + volume_name: 'postgres-data-rsp-ccqserv219' + image: + tag: '0.0.3' + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/tap/values-ccin2p3test.yaml b/services/tap/values-ccin2p3test.yaml new file mode 100644 index 0000000000..052f73f3c4 
--- /dev/null +++ b/services/tap/values-ccin2p3test.yaml @@ -0,0 +1,21 @@ +cadc-tap: + pull_secret: 'pull-secret' + tag: "1.0.16" + use_mock_qserv: false + qserv_host: "ccqserv201.in2p3.fr:30040" + + host: "data-dev.lsst.eu" + + secrets: + enabled: false + + vault_secrets: + enabled: true + path: 'secret/k8s_operator/rsp-cc/tap' + +# gcs_bucket: 'async-results.lsst.codes' +# gcs_bucket_url: 'http://async-results.lsst.codes' + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/vault-secrets-operator/values-ccin2p3test.yaml b/services/vault-secrets-operator/values-ccin2p3test.yaml new file mode 100644 index 0000000000..93d8160181 --- /dev/null +++ b/services/vault-secrets-operator/values-ccin2p3test.yaml @@ -0,0 +1,14 @@ +vault-secrets-operator: + environmentVars: + - name: VAULT_TOKEN + valueFrom: + secretKeyRef: + name: vault-secrets-operator + key: VAULT_TOKEN + - name: VAULT_TOKEN_LEASE_DURATION + valueFrom: + secretKeyRef: + name: vault-secrets-operator + key: VAULT_TOKEN_LEASE_DURATION + vault: + address: "https://vault.lsst.codes" \ No newline at end of file From 265ae75eb3c052e25fd8158cc70dad81cb3e374e Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 15 Apr 2022 15:23:57 +0200 Subject: [PATCH 0250/1479] updated insatller to use right git url --- installer/install.sh | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/installer/install.sh b/installer/install.sh index 1f1dc6afa7..7a49de128a 100755 --- a/installer/install.sh +++ b/installer/install.sh 
@@ -6,11 +6,13 @@ export VAULT_ADDR=https://vault.lsst.codes VAULT_PATH_PREFIX=`yq -r .vault_path_prefix ../science-platform/values-$ENVIRONMENT.yaml` ARGOCD_PASSWORD=`vault kv get --field=argocd.admin.plaintext_password $VAULT_PATH_PREFIX/installer` -GIT_URL=`git config --get remote.origin.url` +#GIT_URL=`git config --get remote.origin.url` +GIT_URL="https://github.com/gabrimaine/phalanx.git" # Github runs in a detached head state, but sets GITHUB_REF, # extract the branch from it. If we're there, use that branch. # git branch --show-current will return empty in deatached head. -GIT_BRANCH=${GITHUB_HEAD_REF:-`git branch --show-current`} +#GIT_BRANCH=${GITHUB_HEAD_REF:-`git branch --show-current`} +GIT_BRANCH=ccin2p3 echo "Set VAULT_TOKEN in a secret for vault-secrets-operator..." # The namespace may not exist already, but don't error if it does. @@ -19,14 +21,14 @@ kubectl create secret generic vault-secrets-operator \ --namespace vault-secrets-operator \ --from-literal=VAULT_TOKEN=$VAULT_TOKEN \ --from-literal=VAULT_TOKEN_LEASE_DURATION=31536000 \ - --dry-run=client -o yaml | kubectl apply -f - + --dry-run -o yaml | kubectl apply -f - echo "Set up docker pull secret for vault-secrets-operator..." vault kv get --field=.dockerconfigjson $VAULT_PATH_PREFIX/pull-secret > docker-creds kubectl create secret generic pull-secret -n vault-secrets-operator \ --from-file=.dockerconfigjson=docker-creds \ --type=kubernetes.io/dockerconfigjson \ - --dry-run=client -o yaml | kubectl apply -f - + --dry-run -o yaml | kubectl apply -f - echo "Update / install vault-secrets-operator..." 
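Review bot: `GIT_URL="https://github.com/gabrimaine/phalanx.git"` and `GIT_BRANCH=ccin2p3` replace the repo-derived values for every environment this shared installer bootstraps, so the top-level Argo CD application in any cluster would track a personal fork and a feature branch instead of the repository the script was run from, and deployments then depend on whoever controls that fork. Keep the original derivation and make the override opt-in, e.g. `GIT_URL=${GIT_URL:-$(git config --get remote.origin.url)}` and `GIT_BRANCH=${GIT_BRANCH:-${GITHUB_HEAD_REF:-$(git branch --show-current)}}`, or read both from `values-$ENVIRONMENT.yaml` the way `vault_path_prefix` is. The second hunk in this file turns `--dry-run=client` back into bare `--dry-run`, which is deprecated in current kubectl; if an older kubectl on the install host is the reason, a comment saying so would stop it being changed back.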
@@ -51,17 +53,17 @@ helm upgrade argocd ../services/argocd \ --wait echo "Login to argocd..." -argocd login \ - --plaintext \ - --port-forward \ - --port-forward-namespace argocd \ - --username admin \ - --password $ARGOCD_PASSWORD +#argocd login --insecure --grpc-web 10.110.57.13 \ +# --plaintext \ +# --port-forward \ +# --port-forward-namespace argocd \ +# --username admin \ +# --password $ARGOCD_PASSWORD echo "Creating top level application" argocd app create science-platform \ --repo $GIT_URL \ - --path science-platform --dest-namespace default \ + --path science-platform --dest-namespace rsp-dev \ --dest-server https://kubernetes.default.svc \ --upsert \ --revision $GIT_BRANCH \ @@ -95,6 +97,14 @@ then kubectl -n cert-manager rollout status deploy/cert-manager-webhook fi +if [ $(yq -r .cert_issuer.enabled ../science-platform/values-$ENVIRONMENT.yaml) == "true" ]; +then + echo "Syncing cert-issuer..." + argocd app sync cert-issuer \ + --port-forward \ + --port-forward-namespace argocd +fi + if [ $(yq -r .postgres.enabled ../science-platform/values-$ENVIRONMENT.yaml) == "true" ]; then echo "Syncing postgres..." From a89f63379c2edbcf38ca277bc857bcd37cff6a82 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 15 Apr 2022 15:36:43 +0200 Subject: [PATCH 0251/1479] Add test instance --- science-platform/values-ccin2p3test.yaml | 4 ++-- services/argocd/values-ccin2p3test.yaml | 4 ++-- services/gafaelfawr/values-ccin2p3test.yaml | 4 ++-- services/moneypenny/values-ccin2p3test.yaml | 6 +++--- services/portal/values-ccin2p3test.yaml | 6 +++--- services/tap/values-ccin2p3test.yaml | 2 +- 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/science-platform/values-ccin2p3test.yaml b/science-platform/values-ccin2p3test.yaml index c88754088a..8dca3b6a5b 100644 --- a/science-platform/values-ccin2p3test.yaml +++ b/science-platform/values-ccin2p3test.yaml 
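Review bot: Commenting out the `argocd login` block leaves the following `argocd app create science-platform` and every `argocd app sync` — including the cert-issuer block added in the next hunk — without an authenticated session, so the script only works if someone logs in out of band; if the port-forward login does not work in this environment, the alternative kept in the comment (`--insecure --grpc-web 10.110.57.13`) should be selected per environment rather than the login removed for everyone. `--dest-namespace rsp-dev` likewise changes the destination namespace for all environments, not just ccin2p3, and would be safer read from the environment values file. The new cert-issuer block itself mirrors the existing cert-manager one and needs no change beyond that.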
@@ -1,5 +1,5 @@ -environment: ccin2p3dev -fqdn: data-dev.lsst.eu +environment: ccin2p3test +fqdn: minikube.lsst.codes vault_path_prefix: secret/k8s_operator/rsp-cc argo: diff --git a/services/argocd/values-ccin2p3test.yaml b/services/argocd/values-ccin2p3test.yaml index 729e0b7d3f..49d3d9e4f7 100644 --- a/services/argocd/values-ccin2p3test.yaml +++ b/services/argocd/values-ccin2p3test.yaml @@ -5,7 +5,7 @@ argo-cd: ingress: enabled: true hosts: - - "data-dev.lsst.eu" + - "minikube.lsst.codes" annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/rewrite-target: "/$2" @@ -17,7 +17,7 @@ argo-cd: - "--insecure=true" config: - url: https://data-dev.lsst.eu/argo-cd + url: https://minikube.lsst.codes/argo-cd dex.config: | connectors: # Auth using GitHub. diff --git a/services/gafaelfawr/values-ccin2p3test.yaml b/services/gafaelfawr/values-ccin2p3test.yaml index 6682b3165b..72b7990fc0 100644 --- a/services/gafaelfawr/values-ccin2p3test.yaml +++ b/services/gafaelfawr/values-ccin2p3test.yaml @@ -2,7 +2,7 @@ gafaelfawr: pull_secret: 'pull-secret' ingress: - host: data-dev.lsst.eu + host: minikube.lsst.codes vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" redis: @@ -10,7 +10,7 @@ gafaelfawr: enabled: false config: - host: data-dev.lsst.eu + host: minikube.lsst.codes # Do not specify ingress.host because we're using the wildcard virtual host. diff --git a/services/moneypenny/values-ccin2p3test.yaml b/services/moneypenny/values-ccin2p3test.yaml index 69e6fe6695..5b491a6df3 100644 --- a/services/moneypenny/values-ccin2p3test.yaml +++ b/services/moneypenny/values-ccin2p3test.yaml 
@@ -1,13 +1,13 @@ moneypenny: - host: "data-dev.lsst.eu" + host: "minikube.lsst.codes" ingress: enabled: true hosts: - - host: data-dev.lsst.eu + - host: minikube.lsst.codes paths: ["/moneypenny"] annotations: - nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:admin" + nginx.ingress.kubernetes.io/auth-url: "https://minikube.lsst.codes/auth?scope=exec:admin" vault_secrets: enabled: true diff --git a/services/portal/values-ccin2p3test.yaml b/services/portal/values-ccin2p3test.yaml index 06a245dfab..896ef95fc0 100644 --- a/services/portal/values-ccin2p3test.yaml +++ b/services/portal/values-ccin2p3test.yaml @@ -5,12 +5,12 @@ firefly: tag: "2.1.1-3" ingress: - host: 'data-dev.lsst.eu' + host: 'minikube.lsst.codes' annotations: nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" - nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:portal" + nginx.ingress.kubernetes.io/auth-signin: "https://minikube.lsst.codes/login" + nginx.ingress.kubernetes.io/auth-url: "https://minikube.lsst.codes/auth?scope=exec:portal" nginx.ingress.kubernetes.io/configuration-snippet: | proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Forwarded-Proto https; diff --git a/services/tap/values-ccin2p3test.yaml b/services/tap/values-ccin2p3test.yaml index 052f73f3c4..c269bc7b7c 100644 --- a/services/tap/values-ccin2p3test.yaml +++ b/services/tap/values-ccin2p3test.yaml @@ -4,7 +4,7 @@ cadc-tap: use_mock_qserv: false qserv_host: "ccqserv201.in2p3.fr:30040" - host: "data-dev.lsst.eu" + host: "minikube.lsst.codes" secrets: enabled: false From 28530eb0c0943e4dc52a3e68a8a68b82a54b8aa5 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Fri, 15 Apr 2022 15:50:57 +0200 Subject: [PATCH 0252/1479] changed rubin-lsst for github auth --- services/argocd/values-ccin2p3.yaml | 4 +-- services/argocd/values-ccin2p3test.yaml | 4 +-- services/gafaelfawr/values-ccin2p3.yaml | 34 ++++++++++----------- services/gafaelfawr/values-ccin2p3test.yaml | 34 ++++++++++----------- 4 files changed, 38 insertions(+), 38 deletions(-) diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml index 729e0b7d3f..d0e264cecd 100644 --- a/services/argocd/values-ccin2p3.yaml +++ b/services/argocd/values-ccin2p3.yaml @@ -30,7 +30,7 @@ argo-cd: # Reference to key in argo-secret Kubernetes resource clientSecret: $dex.clientSecret orgs: - - name: in2p3-dp0 + - name: rubin-lsst helm.repositories: | - url: https://lsst-sqre.github.io/charts/ name: lsst-sqre @@ -49,7 +49,7 @@ argo-cd: rbacConfig: policy.csv: | - g, in2p3-dp0:admin, role:admin + g, rubin-lsst:admin, role:admin configs: secret: diff --git a/services/argocd/values-ccin2p3test.yaml b/services/argocd/values-ccin2p3test.yaml index 49d3d9e4f7..4ac3eb8a0c 100644 --- a/services/argocd/values-ccin2p3test.yaml +++ b/services/argocd/values-ccin2p3test.yaml @@ -30,7 +30,7 @@ argo-cd: # Reference to key in argo-secret Kubernetes resource clientSecret: $dex.clientSecret orgs: - - name: in2p3-dp0 + - name: rubin-in2p3 helm.repositories: | - url: https://lsst-sqre.github.io/charts/ name: lsst-sqre @@ -49,7 +49,7 @@ argo-cd: rbacConfig: policy.csv: | - g, in2p3-dp0:admin, role:admin + g, rubin-in2p3:admin, role:admin configs: secret: diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 6682b3165b..f05d4a0b2c 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml 
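Review bot: The two files in this commit disagree on the GitHub org: `values-ccin2p3.yaml` switches to `rubin-lsst`, while `values-ccin2p3test.yaml` switches to `rubin-in2p3` in both its `orgs` entry and the `policy.csv` line (`g, rubin-in2p3:admin, role:admin`), and the gafaelfawr test values in the same commit map `rubin-lsst-admin`/`rubin-lsst-user` teams. Unless a separate `rubin-in2p3` org exists, the test instance's Argo CD login will be gated on an org that does not match the rest of its configuration; if `rubin-lsst` was intended, change the two test-file lines to `- name: rubin-lsst` and `g, rubin-lsst:admin, role:admin`. Note also that an `orgs` entry without a `teams` list admits every member of that org to Argo CD, with `policy.csv` then deciding who is admin; a comment stating the intended default role for non-admin members would make the access model explicit.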
@@ -24,31 +24,31 @@ gafaelfawr: # Allow access by GitHub team. groupMapping: "exec:admin": - - "in2p3-dp0-admin" + - "rubin-lsst-admin" "exec:user": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "read:workspace": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "read:workspace/user": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "write:workspace/user": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "exec:portal": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "exec:notebook": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "read:tap": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "read:image": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" pull-secret: enabled: true diff --git a/services/gafaelfawr/values-ccin2p3test.yaml b/services/gafaelfawr/values-ccin2p3test.yaml index 72b7990fc0..2aeecd63b4 100644 --- a/services/gafaelfawr/values-ccin2p3test.yaml +++ b/services/gafaelfawr/values-ccin2p3test.yaml 
@@ -24,31 +24,31 @@ gafaelfawr: # Allow access by GitHub team. groupMapping: "exec:admin": - - "in2p3-dp0-admin" + - "rubin-lsst-admin" "exec:user": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "read:workspace": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "read:workspace/user": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "write:workspace/user": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "exec:portal": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "exec:notebook": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "read:tap": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" "read:image": - - "in2p3-dp0-admin" - - "in2p3-dp0-user" + - "rubin-lsst-admin" + - "rubin-lsst-user" pull-secret: enabled: true From 180b1244ea227a92de30550960d4ae53f8114460 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 15 Apr 2022 16:26:43 +0200 Subject: [PATCH 0253/1479] Test minikube-cc --- .../ingress-nginx/values-ccin2p3test.yaml | 54 ++++++++++++++----- services/tap/values-ccin2p3test.yaml | 6 +-- 2 files changed, 43 insertions(+), 17 deletions(-) diff --git a/services/ingress-nginx/values-ccin2p3test.yaml b/services/ingress-nginx/values-ccin2p3test.yaml index c30e4964c2..57a2e32b55 100644 --- a/services/ingress-nginx/values-ccin2p3test.yaml +++ b/services/ingress-nginx/values-ccin2p3test.yaml 
@@ -1,14 +1,34 @@ -ingress-nginx: - controller: - nodeSelector: - kubernetes.io/hostname: "ccqserv202" +# ingress-nginx: +# controller: +# nodeSelector: +# kubernetes.io/hostname: "ccqserv202" - tolerations: - - key: "dedicated" - operator: "Equal" - value: "qserv" - effect: "NoSchedule" +# tolerations: +# - key: "dedicated" +# operator: "Equal" +# value: "qserv" +# effect: "NoSchedule" +# config: +# compute-full-forwarded-for: "true" +# large-client-header-buffers: "4 64k" +# proxy-body-size: "100m" +# proxy-buffer-size: "64k" +# ssl-redirect: "true" +# use-forwarded-headers: "true" +# service: +# externalTrafficPolicy: Local +# externalIPs: +# - 134.158.237.2 +# type: NodePort +# admissionWebhooks: +# enabled: false +# extraArgs: +# default-ssl-certificate: ingress-nginx/ingress-certificate +# podLabels: +# hub.jupyter.org/network-access-proxy-http: "true" +ingress-nginx: + controller: config: compute-full-forwarded-for: "true" large-client-header-buffers: "4 64k" @@ -17,17 +37,23 @@ ingress-nginx: ssl-redirect: "true" use-forwarded-headers: "true" service: - externalTrafficPolicy: Local - externalIPs: - - 134.158.237.2 - type: NodePort + type: ClusterIP + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet admissionWebhooks: enabled: false extraArgs: default-ssl-certificate: ingress-nginx/ingress-certificate podLabels: + gafaelfawr.lsst.io/ingress: "true" hub.jupyter.org/network-access-proxy-http: "true" - + metrics: + enabled: true + service: + annotations: + prometheus.io/port: "10254" + prometheus.io/scrape: "true" + vault_certificate: enabled: true path: secret/k8s_operator/rsp-cc/ingress-nginx diff --git a/services/tap/values-ccin2p3test.yaml b/services/tap/values-ccin2p3test.yaml index c269bc7b7c..0874983207 100644 --- a/services/tap/values-ccin2p3test.yaml +++ b/services/tap/values-ccin2p3test.yaml 
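Review bot: In the second hunk the controller is switched to `hostNetwork: true` with the Service reduced to `type: ClusterIP`, which gives the controller pod the node's network interfaces and lets it bind ports there directly; that is a common minikube workaround, but it is a wider exposure than the NodePort/externalIPs setup it replaces and deserves a comment such as `# hostNetwork: minikube test instance only; do not copy to a real cluster`. The first hunk keeps the entire superseded configuration as roughly thirty commented-out lines above the live block; since it remains in git history, delete it rather than leave two near-identical copies of the same keys to drift. `admissionWebhooks.enabled: false` is unchanged, so the new configuration is also applied without ingress validation, which is worth stating in the same comment.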
@@ -1,8 +1,8 @@ cadc-tap: pull_secret: 'pull-secret' - tag: "1.0.16" - use_mock_qserv: false - qserv_host: "ccqserv201.in2p3.fr:30040" + #tag: "1.0.16" + #use_mock_qserv: false + #qserv_host: "ccqserv201.in2p3.fr:30040" host: "minikube.lsst.codes" From 9a0bc30ce2b0484dcb7a786e1d34ca36f4a81d05 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 15 Apr 2022 23:13:22 +0200 Subject: [PATCH 0254/1479] test2 --- services/argocd/values-ccin2p3.yaml | 1 + services/argocd/values-ccin2p3test.yaml | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml index d0e264cecd..4438d74c38 100644 --- a/services/argocd/values-ccin2p3.yaml +++ b/services/argocd/values-ccin2p3.yaml @@ -1,4 +1,5 @@ argo-cd: + redis: enabled: true diff --git a/services/argocd/values-ccin2p3test.yaml b/services/argocd/values-ccin2p3test.yaml index 4ac3eb8a0c..4999076ab9 100644 --- a/services/argocd/values-ccin2p3test.yaml +++ b/services/argocd/values-ccin2p3test.yaml @@ -1,4 +1,12 @@ -argo-cd: +argo-cdi: + controller: + args: + repoServerTimeoutSeconds: "180" + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] redis: enabled: true From e4a08c48c2374b41d11be99a29bf51f4dfefc4d9 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 18 Apr 2022 00:02:32 +0000 Subject: [PATCH 0255/1479] Update helm values gcr.io/cloudsql-docker/gce-proxy to v1.30.0 --- services/gafaelfawr/values.yaml | 2 +- services/times-square/charts/times-square/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index bb42dc6799..26623e7166 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
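Review bot: Commenting out `tag`, `use_mock_qserv` and `qserv_host` does not unset them; the values file now silently falls back to whatever the cadc-tap subchart defines for those keys, which cannot be determined from this hunk. If the intent is to use the chart defaults, delete the three lines; if the intent is a placeholder for the test instance, replace them with explicit values and a comment such as `# No qserv backend on the minikube test instance` so the next reader does not have to guess. The `host: "minikube.lsst.codes"` line is consistent with the other test-instance changes.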
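Review bot: The top-level key in `values-ccin2p3test.yaml` is renamed from `argo-cd` to `argo-cdi`, but the subchart is named `argo-cd` (`dependencies: - name: argo-cd` in `services/argocd/Chart.yaml` further down this page), so Helm will no longer pass any of this block — ingress, dex config, rbac policy and the new controller settings — to the subchart, and the test instance will deploy with the chart's defaults. This looks like a typo; restore `argo-cd:` as the key. The `labels: ["name", "instance"]` flow list is fine for a short leaf value, and the blank-line-only change to `values-ccin2p3.yaml` in the same commit is noise that could be dropped.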
@@ -188,7 +188,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.29.0" + tag: "1.30.0" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/times-square/charts/times-square/values.yaml b/services/times-square/charts/times-square/values.yaml index 79f99e0751..7b30b83a95 100644 --- a/services/times-square/charts/times-square/values.yaml +++ b/services/times-square/charts/times-square/values.yaml @@ -124,7 +124,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.29.0" + tag: "1.30.0" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" From 7c9203f3ccaad9c50a37a7b468abf2eeb6f45044 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 18 Apr 2022 16:05:09 +0000 Subject: [PATCH 0256/1479] Update Helm release argo-cd to v4.5.3 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 075c287b55..af4f7d3e69 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.2.3 + version: 4.5.3 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From eecf24b6c8fa936cd5bcca8add3b6ff836f8cac4 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 18 Apr 2022 16:14:36 +0000 Subject: [PATCH 0257/1479] Update Helm release vault-secrets-operator to v1.17.0 --- services/vault-secrets-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml index 5a5d34b03c..9d61f3aaf4 100644 --- a/services/vault-secrets-operator/Chart.yaml +++ b/services/vault-secrets-operator/Chart.yaml 
@@ -3,5 +3,5 @@ name: vault-secrets-operator version: 1.0.0 dependencies: - name: vault-secrets-operator - version: 1.16.5 + version: 1.17.0 repository: https://ricoberger.github.io/helm-charts/ From 7719707a2aae7a07041c1188cf0cc9b2ea26642a Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 18 Apr 2022 16:24:55 +0000 Subject: [PATCH 0258/1479] Update Helm release cert-manager to v1.8.0 --- services/cert-manager/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml index 6bcedf4bbe..9a2f2653ee 100644 --- a/services/cert-manager/Chart.yaml +++ b/services/cert-manager/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.0 description: "Let's Encrypt certificate management" dependencies: - name: cert-manager - version: v1.7.2 + version: v1.8.0 repository: https://charts.jetstack.io From 60728131296e1a04a2c1d4d312c41e19fcdca8f2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 8 Apr 2022 16:58:25 -0700 Subject: [PATCH 0259/1479] Standardize on vault-secrets naming Since these files contain a pull-secret definition as well, use the plural for consistency. --- .../templates/{vault-secret.yaml => vault-secrets.yaml} | 0 services/mobu/templates/{vault-secret.yaml => vault-secrets.yaml} | 0 .../portal/templates/{vault-secret.yaml => vault-secrets.yaml} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename services/gafaelfawr/templates/{vault-secret.yaml => vault-secrets.yaml} (100%) rename services/mobu/templates/{vault-secret.yaml => vault-secrets.yaml} (100%) rename services/portal/templates/{vault-secret.yaml => vault-secrets.yaml} (100%) diff --git a/services/gafaelfawr/templates/vault-secret.yaml b/services/gafaelfawr/templates/vault-secrets.yaml similarity index 100% rename from services/gafaelfawr/templates/vault-secret.yaml rename to services/gafaelfawr/templates/vault-secrets.yaml 
diff --git a/services/mobu/templates/vault-secret.yaml b/services/mobu/templates/vault-secrets.yaml similarity index 100% rename from services/mobu/templates/vault-secret.yaml rename to services/mobu/templates/vault-secrets.yaml diff --git a/services/portal/templates/vault-secret.yaml b/services/portal/templates/vault-secrets.yaml similarity index 100% rename from services/portal/templates/vault-secret.yaml rename to services/portal/templates/vault-secrets.yaml From 10fe9ee24316ee0ca4bd6efa9219ad12340c8e0f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 8 Apr 2022 17:01:26 -0700 Subject: [PATCH 0260/1479] Further simplify mobu chart Remove the unused imagePullSecrets values setting. Remove the service configuration and hard-code the service type and port. Use port 8080 like our other applications instead of port 80. --- services/mobu/README.md | 3 --- services/mobu/templates/ingress.yaml | 2 +- services/mobu/templates/service.yaml | 4 ++-- services/mobu/values.yaml | 10 ---------- 4 files changed, 3 insertions(+), 16 deletions(-) diff --git a/services/mobu/README.md b/services/mobu/README.md index a5845bc133..be6196fc67 100644 --- a/services/mobu/README.md +++ b/services/mobu/README.md 
@@ -16,15 +16,12 @@ Generate system load by pretending to be a random scientist | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the mobu image | | image.repository | string | `"ghcr.io/lsst-sqre/mobu"` | mobu image to use | | image.tag | string | The appVersion of the chart | Tag of mobu image to use | -| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the mobu frontend pod | | podAnnotations | object | `{}` | Annotations for the mobu frontend pod | | resources | object | `{}` | Resource limits and requests for the mobu frontend pod | -| service.port | int | `80` | Port of the service to create and map to the ingress | -| service.type | string | `"ClusterIP"` | Type of service to create | | tolerations | list | `[]` | Tolerations for the mobu frontend pod | ---------------------------------------------- diff --git a/services/mobu/templates/ingress.yaml b/services/mobu/templates/ingress.yaml index 224615154c..8a3894eb31 100644 --- a/services/mobu/templates/ingress.yaml +++ b/services/mobu/templates/ingress.yaml @@ -26,4 +26,4 @@ spec: service: name: {{ template "mobu.fullname" . }} port: - number: {{ .Values.service.port }} + number: 8080 diff --git a/services/mobu/templates/service.yaml b/services/mobu/templates/service.yaml index 5ff81d982a..7402fd5a95 100644 --- a/services/mobu/templates/service.yaml +++ b/services/mobu/templates/service.yaml @@ -5,9 +5,9 @@ metadata: labels: {{- include "mobu.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: "ClusterIP" ports: - - port: {{ .Values.service.port }} + - port: 8080 targetPort: "http" protocol: "TCP" selector: 
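Review bot: The port number 8080 is now hard-coded in two places, `number: 8080` in `ingress.yaml` and `port: 8080` in `service.yaml`, so a future change must be made in both or the ingress silently routes to a port the Service does not expose. Since the Service already names its target port `"http"`, give the Service port a name as well, `- name: "http"` above `port: 8080`, and have the Ingress reference it by name (`name: "http"` instead of `number: 8080`) so the number lives only in the Service. The `type: "ClusterIP"` literal matches the previous default, so there is no behaviour change there.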
diff --git a/services/mobu/values.yaml b/services/mobu/values.yaml index 1ec175569e..b31295cd3f 100644 --- a/services/mobu/values.yaml +++ b/services/mobu/values.yaml @@ -27,16 +27,6 @@ image: # @default -- The appVersion of the chart tag: "" -# -- Secret names to use for all Docker pulls -imagePullSecrets: [] - -service: - # -- Type of service to create - type: "ClusterIP" - - # -- Port of the service to create and map to the ingress - port: 80 - ingress: # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "scope=exec:admin" From b94f4c29f01689690b1a4bc7832b45e726430737 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 18 Apr 2022 10:10:05 -0700 Subject: [PATCH 0261/1479] Ignore nublado2 secret differences nublado2 does automatic secret rotation, which means that it always shows as out of date. Configure Argo CD to ignore the secret changes and the associated checksum changes on the deployment objects. --- .../templates/nublado2-application.yaml | 38 ++++++++++++------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/science-platform/templates/nublado2-application.yaml b/science-platform/templates/nublado2-application.yaml index 4bc41c5d23..e6dae13b3f 100644 --- a/science-platform/templates/nublado2-application.yaml +++ b/science-platform/templates/nublado2-application.yaml 
@@ -2,29 +2,41 @@ apiVersion: v1 kind: Namespace metadata: - name: nublado2 + name: "nublado2" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: nublado2 - namespace: argocd + name: "nublado2" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: nublado2 - server: https://kubernetes.default.svc - project: default + namespace: "nublado2" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/nublado2 - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/nublado2" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" + ignoreDifferences: + - group: "" + kind: "Secret" + jsonPointers: + - "/data/hub.config.ConfigurableHTTPProxy.auth_token" + - "/data/hub.config.CryptKeeper.keys" + - "/data/hub.config.JupyterHub.cookie_secret" + - group: "apps" + kind: "Deployment" + jsonPointers: + - "/spec/template/metadata/annotations/checksum~1secret" + - "/spec/template/metadata/annotations/checksum~1auth-token" {{- end -}} From ecf6ce771f306d752a930e6d68ad6f835be6ec84 Mon Sep 17 00:00:00 2001 
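Review bot: The new `ignoreDifferences` entries stop Argo CD from reporting the rotated Secret keys and checksum annotations as out of sync, but on their own they only affect the diff; a sync (manual or automated) still applies the rendered manifest values unless the Application also sets `syncOptions: - RespectIgnoreDifferences=true` under `spec.syncPolicy`, which means a sync would overwrite the rotated `auth_token`, `CryptKeeper.keys` and `cookie_secret` with whatever the chart renders. If that is acceptable here, for instance because the chart generates fresh values on every render anyway, a comment saying so would help; otherwise add the sync option. The jsonPointer `/spec/template/metadata/annotations/checksum~1secret` correctly escapes the `/` in `checksum/secret` as `~1`.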
From: Russ Allbery Date: Mon, 18 Apr 2022 10:40:42 -0700 Subject: [PATCH 0262/1479] Move the vo-cutouts chart into Phalanx Move the chart from charts, add the global variable settings in the Argo CD application configuration, and simplify the chart to make use of them. Update the version of the GCE Proxy to match the other applications in Phalanx. --- .../templates/vo-cutouts-application.yaml | 32 +-- services/vo-cutouts/Chart.yaml | 10 +- services/vo-cutouts/README.md | 67 ++++++ services/vo-cutouts/README.md.gotmpl | 9 + services/vo-cutouts/templates/_helpers.tpl | 52 +++++ services/vo-cutouts/templates/configmap.yaml | 17 ++ .../templates/db-worker-deployment.yaml | 107 +++++++++ .../templates/db-worker-networkpolicy.yaml | 15 ++ services/vo-cutouts/templates/deployment.yaml | 108 ++++++++++ services/vo-cutouts/templates/ingress.yaml | 29 +++ .../vo-cutouts/templates/networkpolicy.yaml | 25 +++ .../templates/redis-networkpolicy.yaml | 34 +++ .../vo-cutouts/templates/redis-service.yml | 16 ++ .../templates/redis-statefulset.yaml | 107 +++++++++ services/vo-cutouts/templates/service.yaml | 16 ++ .../vo-cutouts/templates/serviceaccount.yaml | 10 + .../vo-cutouts/templates/vault-secrets.yaml | 19 ++ .../templates/worker-deployment.yaml | 123 +++++++++++ .../templates/worker-networkpolicy.yaml | 15 ++ services/vo-cutouts/values-idfdev.yaml | 32 +-- services/vo-cutouts/values-idfint.yaml | 25 +-- services/vo-cutouts/values-idfprod.yaml | 25 +-- services/vo-cutouts/values.yaml | 203 ++++++++++++++++++ 23 files changed, 1019 insertions(+), 77 deletions(-) create mode 100644 services/vo-cutouts/README.md create mode 100644 services/vo-cutouts/README.md.gotmpl create mode 100644 services/vo-cutouts/templates/_helpers.tpl create mode 100644 services/vo-cutouts/templates/configmap.yaml create mode 100644 services/vo-cutouts/templates/db-worker-deployment.yaml create mode 100644 services/vo-cutouts/templates/db-worker-networkpolicy.yaml create mode 100644 
services/vo-cutouts/templates/deployment.yaml create mode 100644 services/vo-cutouts/templates/ingress.yaml create mode 100644 services/vo-cutouts/templates/networkpolicy.yaml create mode 100644 services/vo-cutouts/templates/redis-networkpolicy.yaml create mode 100644 services/vo-cutouts/templates/redis-service.yml create mode 100644 services/vo-cutouts/templates/redis-statefulset.yaml create mode 100644 services/vo-cutouts/templates/service.yaml create mode 100644 services/vo-cutouts/templates/serviceaccount.yaml create mode 100644 services/vo-cutouts/templates/vault-secrets.yaml create mode 100644 services/vo-cutouts/templates/worker-deployment.yaml create mode 100644 services/vo-cutouts/templates/worker-networkpolicy.yaml create mode 100644 services/vo-cutouts/values.yaml diff --git a/science-platform/templates/vo-cutouts-application.yaml b/science-platform/templates/vo-cutouts-application.yaml index ed2195b1c5..7fcee0a917 100644 --- a/science-platform/templates/vo-cutouts-application.yaml +++ b/science-platform/templates/vo-cutouts-application.yaml 
@@ -2,28 +2,36 @@ apiVersion: v1 kind: Namespace metadata: - name: vo-cutouts + name: "vo-cutouts" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: vo-cutouts - namespace: argocd + name: "vo-cutouts" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: vo-cutouts - server: https://kubernetes.default.svc - project: default + namespace: "vo-cutouts" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/vo-cutouts - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/vo-cutouts" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index 1eb1a6249d..1ede718ff2 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml @@ -1,10 +1,6 @@ apiVersion: v2 name: vo-cutouts version: 1.0.0 -dependencies: - - name: vo-cutouts - version: 0.3.3 - repository: https://lsst-sqre.github.io/charts/ - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ +description: "Image cutout service complying with IVOA SODA" +home: "https://github.com/lsst-sqre/vo-cutouts" +appVersion: 0.3.0 diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md new file mode 100644 index 0000000000..dc996b15a9 --- /dev/null +++ b/services/vo-cutouts/README.md 
@@ -0,0 +1,67 @@ +# vo-cutouts + +Image cutout service complying with IVOA SODA + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the vo-cutouts frontend pod | +| cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | +| cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | +| cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | +| cloudsql.image.tag | string | `"1.30.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | +| cloudsql.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to the GCS bucket, and ability to sign URLs as itself | +| config.butlerRepository | string | None, must be set | Configuration for the Butler repository to use | +| config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | +| config.gcsBucketUrl | string | None, must be set | URL for the GCS bucket into which to store cutouts (must start with `s3`) | +| config.lifetime | string | 2592000 (30 days) | Lifetime of job results in seconds (quote so that Helm doesn't turn it into a floating point number) | +| config.loglevel | string | `"INFO"` | Choose from the text form of Python logging levels | +| config.syncTimeout | int | 60 (1 minute) | Timeout for results from a sync cutout in seconds | +| config.timeout | int | 600 (10 minutes) | Timeout for a single cutout job in seconds | +| cutoutWorker.affinity | object | `{}` | Affinity rules for the cutout worker pod | +| cutoutWorker.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for cutout workers | +| 
cutoutWorker.image.repository | string | `"lsstsqre/vo-cutouts-worker"` | Stack image to use for cutouts | +| cutoutWorker.image.tag | string | The appVersion of the chart | Tag of vo-cutouts worker image to use | +| cutoutWorker.nodeSelector | object | `{}` | Node selection rules for the cutout worker pod | +| cutoutWorker.podAnnotations | object | `{}` | Annotations for the cutout worker pod | +| cutoutWorker.replicaCount | int | `2` | Number of cutout worker pods to start | +| cutoutWorker.resources | object | `{}` | Resource limits and requests for the cutout worker pod | +| cutoutWorker.tolerations | list | `[]` | Tolerations for the cutout worker pod | +| databaseWorker.affinity | object | `{}` | Affinity rules for the database worker pod | +| databaseWorker.nodeSelector | object | `{}` | Node selection rules for the database worker pod | +| databaseWorker.podAnnotations | object | `{}` | Annotations for the database worker pod | +| databaseWorker.replicaCount | int | `1` | Number of database worker pods to start | +| databaseWorker.resources | object | `{}` | Resource limits and requests for the database worker pod | +| databaseWorker.tolerations | list | `[]` | Tolerations for the database worker pod | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the vo-cutouts image | +| image.repository | string | `"lsstsqre/vo-cutouts"` | vo-cutouts image to use | +| image.tag | string | The appVersion of the chart | Tag of vo-cutouts image to use | +| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | +| ingress.gafaelfawrAuthQuery | string | `"scope=read:image"` | Gafaelfawr auth query 
string | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the vo-cutouts frontend pod | +| podAnnotations | object | `{}` | Annotations for the vo-cutouts frontend pod | +| redis.affinity | object | `{}` | Affinity rules for the Redis pod | +| redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | +| redis.image.repository | string | `"redis"` | Redis image to use | +| redis.image.tag | string | `"6.2.6"` | Redis image tag to use | +| redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | +| redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | +| redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | +| redis.persistence.size | string | `"100Mi"` | Amount of persistent storage to request | +| redis.persistence.storageClass | string | `""` | Class of storage to request | +| redis.persistence.volumeClaimName | string | `""` | Use an existing PVC, not dynamic provisioning. If this is set, the size, storageClass, and accessMode settings are ignored. | +| redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | +| redis.tolerations | list | `[]` | Tolerations for the Redis pod | +| replicaCount | int | `1` | Number of web frontend pods to start | +| resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod | +| tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/vo-cutouts/README.md.gotmpl b/services/vo-cutouts/README.md.gotmpl new file mode 100644 index 0000000000..4531459bbb 
--- /dev/null +++ b/services/vo-cutouts/README.md.gotmpl @@ -0,0 +1,9 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/vo-cutouts/templates/_helpers.tpl b/services/vo-cutouts/templates/_helpers.tpl new file mode 100644 index 0000000000..0fec75cb0a --- /dev/null +++ b/services/vo-cutouts/templates/_helpers.tpl 
@@ -0,0 +1,52 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "vo-cutouts.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "vo-cutouts.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "vo-cutouts.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "vo-cutouts.labels" -}} +helm.sh/chart: {{ include "vo-cutouts.chart" . }} +{{ include "vo-cutouts.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "vo-cutouts.selectorLabels" -}} +app.kubernetes.io/name: {{ include "vo-cutouts.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/vo-cutouts/templates/configmap.yaml b/services/vo-cutouts/templates/configmap.yaml new file mode 100644 index 0000000000..f1130d1f23 --- /dev/null +++ b/services/vo-cutouts/templates/configmap.yaml 
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}-config
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+data:
+ CUTOUT_BUTLER_REPOSITORY: {{ required "config.butlerRepository must be set" .Values.config.butlerRepository | quote }}
+ CUTOUT_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }}
+ CUTOUT_SERVICE_ACCOUNT: {{ required "cloudsql.serviceAccount must be set" .Values.cloudsql.serviceAccount | quote }}
+ CUTOUT_STORAGE_URL: {{ required "config.gcsBucketUrl must be set" .Values.config.gcsBucketUrl | quote }}
+ CUTOUT_TIMEOUT: {{ .Values.config.timeout | quote }}
+ CUTOUT_LIFETIME: {{ .Values.config.lifetime | quote }}
+ CUTOUT_REDIS_HOST: "{{ template "vo-cutouts.fullname" . }}-redis.{{ .Release.Namespace }}"
+ CUTOUT_SYNC_TIMEOUT: {{ .Values.config.syncTimeout | quote }}
+ SAFIR_LOG_LEVEL: {{ .Values.config.loglevel | quote }}
+ SAFIR_PROFILE: "production"
diff --git a/services/vo-cutouts/templates/db-worker-deployment.yaml b/services/vo-cutouts/templates/db-worker-deployment.yaml
new file mode 100644
index 0000000000..db3ccff4c0
--- /dev/null
+++ b/services/vo-cutouts/templates/db-worker-deployment.yaml
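Review bot: `CUTOUT_SERVICE_ACCOUNT` is rendered with `required "cloudsql.serviceAccount must be set"` unconditionally, while `cloudsql.enabled` defaults to false in values.yaml, so the chart cannot render without a Cloud SQL service account even when the proxy sidecar is disabled. If the service account is genuinely needed regardless of Cloud SQL (the values comment mentions bucket access and URL signing, which suggests it is), the key belongs outside the `cloudsql` section or its doc comment should say that it is required even with `cloudsql.enabled: false`; otherwise wrap the line in `{{- if .Values.cloudsql.enabled }}` … `{{- end }}`. Either way the intent is not visible from this template alone.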
@@ -0,0 +1,107 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "vo-cutouts.fullname" . }}-db-worker + labels: + {{- include "vo-cutouts.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.databaseWorker.replicaCount }} + selector: + matchLabels: + {{- include "vo-cutouts.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "db-worker" + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.databaseWorker.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "vo-cutouts.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "db-worker" + spec: + {{- if .Values.cloudsql.enabled }} + serviceAccountName: {{ include "vo-cutouts.fullname" . }} + {{- else }} + automountServiceAccountToken: false + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + - name: "cloud-sql-proxy" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} + command: + - "/cloud_sql_proxy" + - "-ip_address_types=PRIVATE" + - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" + {{- end }} + - name: "db-worker" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + command: + - "dramatiq" + - "vocutouts.actors" + - "-Q" + - "uws" + - "-p" + - "1" + env: + - name: "CUTOUT_DATABASE_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "vo-cutouts.fullname" . 
}}-secret
+ key: "database-password"
+ - name: "CUTOUT_REDIS_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "vo-cutouts.fullname" . }}-secret
+ key: "redis-password"
+ envFrom:
+ - configMapRef:
+ name: {{ template "vo-cutouts.fullname" . }}-config
+ {{- with .Values.databaseWorker.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: "tmp"
+ mountPath: "/tmp"
+ imagePullSecrets:
+ - name: "pull-secret"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ volumes:
+ # Dramatiq enables its Prometheus middleware by default, which
+ # requires writable /tmp.
+ - name: "tmp"
+ emptyDir: {}
+ {{- with .Values.databaseWorker.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.databaseWorker.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.databaseWorker.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/services/vo-cutouts/templates/db-worker-networkpolicy.yaml b/services/vo-cutouts/templates/db-worker-networkpolicy.yaml
new file mode 100644
index 0000000000..7e6f6b961e
--- /dev/null
+++ b/services/vo-cutouts/templates/db-worker-networkpolicy.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}-db-worker
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ # This policy controls inbound and outbound access to the database workers.
+ matchLabels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "db-worker"
+ policyTypes:
+ # Block all inbound access.
+ - Ingress
diff --git a/services/vo-cutouts/templates/deployment.yaml b/services/vo-cutouts/templates/deployment.yaml
new file mode 100644
index 0000000000..f7fb7f9fa1
--- /dev/null
+++ b/services/vo-cutouts/templates/deployment.yaml
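Review bot: The comment in db-worker-networkpolicy.yaml says the policy "controls inbound and outbound access", but `policyTypes` lists only `Ingress`, so egress from the db-worker pods is left unrestricted; either add `- Egress` with explicit rules for the database, Redis and DNS, or make the comment match what is enforced: `# This policy controls inbound access to the database workers.` worker-networkpolicy.yaml (later in this commit) has the same mismatch between its comment and `policyTypes`, and its comment additionally says "database workers" although it selects `app.kubernetes.io/component: "worker"`, the cutout workers. Redis is the only component here whose policy actually denies egress.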
@@ -0,0 +1,108 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "vo-cutouts.fullname" . }} + labels: + {{- include "vo-cutouts.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "vo-cutouts.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "frontend" + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "vo-cutouts.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "frontend" + spec: + {{- if .Values.cloudsql.enabled }} + serviceAccountName: {{ include "vo-cutouts.fullname" . }} + {{- else }} + automountServiceAccountToken: false + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + {{- if .Values.cloudsql.enabled }} + - name: "cloud-sql-proxy" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} + command: + - "/cloud_sql_proxy" + - "-ip_address_types=PRIVATE" + - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" + {{- end }} + - name: "vo-cutouts" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + ports: + - containerPort: 8080 + name: "http" + protocol: "TCP" + env: + - name: "CUTOUT_DATABASE_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template 
"vo-cutouts.fullname" . }}-secret + key: "database-password" + - name: "CUTOUT_REDIS_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "vo-cutouts.fullname" . }}-secret + key: "redis-password" + envFrom: + - configMapRef: + name: {{ template "vo-cutouts.fullname" . }}-config + readinessProbe: + httpGet: + path: "/api/cutout/availability" + port: "http" + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: "tmp" + mountPath: "/tmp" + imagePullSecrets: + - name: "pull-secret" + volumes: + # Dramatiq enables its Prometheus middleware by default, which + # requires writable /tmp. + - name: "tmp" + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/vo-cutouts/templates/ingress.yaml b/services/vo-cutouts/templates/ingress.yaml new file mode 100644 index 0000000000..26a2dc8185 --- /dev/null +++ b/services/vo-cutouts/templates/ingress.yaml 
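Review bot: The pod-level `securityContext` is placed before `containers` in this Deployment but after `imagePullSecrets` in db-worker-deployment.yaml and worker-deployment.yaml; the three Deployments share most of their structure, so one field order would make them diff cleanly against each other. The frontend container also has only a `readinessProbe` on `/api/cutout/availability`; a `livenessProbe` on the same path would let the kubelet restart a wedged process instead of merely removing it from the Service endpoints. Whether that endpoint is cheap enough to poll for liveness is not visible from this hunk.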
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ {{- if .Values.ingress.gafaelfawrAuthQuery }}
+ nginx.ingress.kubernetes.io/auth-method: "GET"
+ nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User
+ nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login"
+ nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}"
+ {{- end }}
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ template "vo-cutouts.fullname" . }}
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ rules:
+ - host: {{ required "global.host must be set" .Values.global.host | quote }}
+ http:
+ paths:
+ - path: "/api/cutout"
+ pathType: "Prefix"
+ backend:
+ service:
+ name: {{ template "vo-cutouts.fullname" . }}
+ port:
+ number: 8080
diff --git a/services/vo-cutouts/templates/networkpolicy.yaml b/services/vo-cutouts/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..61ff694572
--- /dev/null
+++ b/services/vo-cutouts/templates/networkpolicy.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ # This policy controls inbound access to the frontend component.
+ matchLabels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "frontend"
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow inbound access from pods (in any namespace) labeled
+ # gafaelfawr.lsst.io/ingress: true.
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ gafaelfawr.lsst.io/ingress: "true"
+ ports:
+ - protocol: "TCP"
+ port: 8080
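Review bot: Authentication is emitted only inside `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, so an operator who sets that value to an empty string silently publishes `/api/cutout` with no `auth-url` annotation at all; since nothing in this chart suggests an unauthenticated mode is intended, the query should be mandatory, e.g. `nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}"` with the `if` removed, or an explicit enable flag should gate it. The `kubernetes.io/ingress.class` annotation has been deprecated since Kubernetes 1.18 in favour of `spec.ingressClassName: "nginx"` on `networking.k8s.io/v1` objects; ingress-nginx still honours the annotation, so this is a forward-compatibility point rather than a breakage.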
diff --git a/services/vo-cutouts/templates/redis-networkpolicy.yaml b/services/vo-cutouts/templates/redis-networkpolicy.yaml
new file mode 100644
index 0000000000..9fed7d7780
--- /dev/null
+++ b/services/vo-cutouts/templates/redis-networkpolicy.yaml
@@ -0,0 +1,34 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}-redis
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ # This policy controls inbound and outbound access to the Redis component.
+ matchLabels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "redis"
+ policyTypes:
+ - Ingress
+ # Deny all outbound access; Redis doesn't need to talk to anything.
+ - Egress
+ ingress:
+ # Allow inbound access to Redis from all other components.
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 14 }}
+ app.kubernetes.io/component: "frontend"
+ - podSelector:
+ matchLabels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 14 }}
+ app.kubernetes.io/component: "worker"
+ - podSelector:
+ matchLabels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 14 }}
+ app.kubernetes.io/component: "db-worker"
+ ports:
+ - protocol: "TCP"
+ port: 6379
diff --git a/services/vo-cutouts/templates/redis-service.yml b/services/vo-cutouts/templates/redis-service.yml
new file mode 100644
index 0000000000..4e8a6e9c8f
--- /dev/null
+++ b/services/vo-cutouts/templates/redis-service.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}-redis
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6379
+ protocol: "TCP"
+ targetPort: 6379
+ selector:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "redis"
+ sessionAffinity: None
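Review bot: This template is named `redis-service.yml` while every other file under `templates/` in this commit uses the `.yaml` extension; Helm renders both, but tooling that globs `*.yaml` (linters, kustomize-style post-processing) will skip it, so it should be renamed to `redis-service.yaml`. The port entry is also ordered `port`/`protocol`/`targetPort` here but `protocol`/`port`/`targetPort` in service.yaml; the two Services are otherwise parallel and would be easier to compare with the same key order.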
diff --git a/services/vo-cutouts/templates/redis-statefulset.yaml b/services/vo-cutouts/templates/redis-statefulset.yaml new file mode 100644 index 0000000000..503bcb21eb --- /dev/null +++ b/services/vo-cutouts/templates/redis-statefulset.yaml 
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}-redis
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "redis"
+ serviceName: "redis"
+ template:
+ metadata:
+ {{- with .Values.redis.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: "redis"
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - name: "redis"
+ image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}"
+ imagePullPolicy: {{ .Values.redis.image.pullPolicy | quote }}
+ args:
+ - "redis-server"
+ - "--appendonly"
+ - "yes"
+ - "--requirepass"
+ - "$(REDIS_PASSWORD)"
+ env:
+ - name: "REDIS_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "vo-cutouts.fullname" . }}-secret
+ key: "redis-password"
+ livenessProbe:
+ exec:
+ command:
+ - "sh"
+ - "-c"
+ - "redis-cli -h $(hostname) incr health:counter"
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ ports:
+ - containerPort: 6379
+ resources:
+ limits:
+ cpu: "1"
+ requests:
+ cpu: "100m"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "all"
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: {{ template "vo-cutouts.fullname" . }}-redis-data
+ mountPath: "/data"
+ imagePullSecrets:
+ - name: "pull-secret"
+ securityContext:
+ fsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ runAsGroup: 999
+ {{- if (not .Values.redis.persistence.enabled) }}
+ volumes:
+ - name: {{ template "vo-cutouts.fullname" . }}-redis-data
+ emptyDir: {}
+ {{- else if .Values.redis.persistence.volumeClaimName }}
+ volumes:
+ - name: {{ template "vo-cutouts.fullname" .
}}-redis-data
+ persistentVolumeClaim:
+ claimName: {{ .Values.redis.persistence.volumeClaimName | quote }}
+ {{- end }}
+ {{- with .Values.redis.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.redis.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.redis.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if (and .Values.redis.persistence.enabled (not .Values.redis.persistence.volumeClaimName)) }}
+ volumeClaimTemplates:
+ - metadata:
+ name: {{ template "vo-cutouts.fullname" . }}-redis-data
+ spec:
+ accessModes:
+ - {{ .Values.redis.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ .Values.redis.persistence.size | quote }}
+ {{- if .Values.redis.persistence.storageClass }}
+ storageClassName: {{ .Values.redis.persistence.storageClass | quote }}
+ {{- end }}
+ {{- end }}
diff --git a/services/vo-cutouts/templates/service.yaml b/services/vo-cutouts/templates/service.yaml
new file mode 100644
index 0000000000..ca11dd650e
--- /dev/null
+++ b/services/vo-cutouts/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - protocol: "TCP"
+ port: 8080
+ targetPort: "http"
+ selector:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "frontend"
+ sessionAffinity: None
diff --git a/services/vo-cutouts/templates/serviceaccount.yaml b/services/vo-cutouts/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..e77c1f4a6c
--- /dev/null
+++ b/services/vo-cutouts/templates/serviceaccount.yaml
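Review bot: The liveness probe runs `redis-cli -h $(hostname) incr health:counter` with no credentials while the server is started with `--requirepass`, so the command gets a NOAUTH reply; whether that fails the probe depends on redis-cli's exit status for error replies, which should be verified, and the probe should authenticate explicitly anyway, e.g. by adding a `REDISCLI_AUTH` entry to the container `env` that reads the same `redis-password` key. Passing the password as `--requirepass "$(REDIS_PASSWORD)"` also leaves it visible in the process command line inside the container; Redis can take `requirepass` from a mounted config file instead. Separately, `serviceName: "redis"` names a Service this chart does not create (the Service is `{{ template "vo-cutouts.fullname" . }}-redis`), so the StatefulSet's per-pod DNS names will not resolve; harmless while clients use the ClusterIP name from the ConfigMap, but misleading.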
@@ -0,0 +1,10 @@
+{{- if .Values.cloudsql.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "vo-cutouts.fullname" . }}
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+ annotations:
+ iam.gke.io/gcp-service-account: {{ required "cloudsql.serviceAccount must be set to a valid Google service account" .Values.cloudsql.serviceAccount | quote }}
+{{- end }}
diff --git a/services/vo-cutouts/templates/vault-secrets.yaml b/services/vo-cutouts/templates/vault-secrets.yaml
new file mode 100644
index 0000000000..0cdb663f4a
--- /dev/null
+++ b/services/vo-cutouts/templates/vault-secrets.yaml
@@ -0,0 +1,19 @@
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}-secret
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ path: "{{ .Values.global.vaultSecretsPath }}/vo-cutouts"
+ type: Opaque
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: "pull-secret"
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ path: "{{ .Values.global.vaultSecretsPath }}/pull-secret"
+ type: "kubernetes.io/dockerconfigjson"
diff --git a/services/vo-cutouts/templates/worker-deployment.yaml b/services/vo-cutouts/templates/worker-deployment.yaml
new file mode 100644
index 0000000000..245297541e
--- /dev/null
+++ b/services/vo-cutouts/templates/worker-deployment.yaml
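Review bot: When `cloudsql.enabled` is true the frontend and db-worker pod specs switch from `automountServiceAccountToken: false` to `serviceAccountName`, so the projected Kubernetes token is mounted into every container in those pods, including the application containers that have no use for it. If the Cloud SQL proxy's Workload Identity path only needs the `iam.gke.io/gcp-service-account` binding on this ServiceAccount and not the mounted token — worth confirming against the proxy version in use — add `automountServiceAccountToken: false` to this ServiceAccount (or keep it in the pod specs alongside `serviceAccountName`) so the token is not exposed to the app containers.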
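Review bot: `type: Opaque` on the first VaultSecret is an unquoted plain scalar while the second object writes `type: "kubernetes.io/dockerconfigjson"`, and every other string value in these templates is quoted; write `type: "Opaque"` for consistency. The pull-secret object also uses the fixed `name: "pull-secret"` rather than a release-derived name, which is fine while the chart is the only thing creating that object in its namespace but will collide with any other release that does the same.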
@@ -0,0 +1,123 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}-worker
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.databaseWorker.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "worker"
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- with .Values.databaseWorker.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: "worker"
+ spec:
+ automountServiceAccountToken: false
+
+ # Butler uses a pgpass file to authenticate to its database, and
+ # PostgreSQL unfortunately requires its pgpass file be owned by the
+ # current user and mode 0600, but Kubernetes has no way of controlling
+ # the ownership of a mounted secret. We therefore use a privileged init
+ # container to copy the secrets into a shared emptyDir and change their
+ # ownership and permissions.
+ initContainers:
+ - name: "fix-secret-permissions"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ command:
+ - "/bin/bash"
+ - "-c"
+ - |
+ cp -RL /etc/vo-cutouts/secrets-raw/* /etc/vo-cutouts/secrets
+ chmod 0400 /etc/vo-cutouts/secrets/*
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "all"
+ volumeMounts:
+ - name: "secrets"
+ mountPath: "/etc/vo-cutouts/secrets"
+ - name: "secrets-raw"
+ mountPath: "/etc/vo-cutouts/secrets-raw"
+ readOnly: true
+ containers:
+ - name: "worker"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "all"
+ image: "{{ .Values.cutoutWorker.image.repository }}:{{ .Values.cutoutWorker.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.cutoutWorker.image.pullPolicy | quote }}
+ env:
+ # The following are used by Butler to retrieve its configuration
+ # and authenticate to its database.
+ - name: "AWS_SHARED_CREDENTIALS_FILE"
+ value: "/etc/vo-cutouts/secrets/aws-credentials"
+ - name: "PGPASSFILE"
+ value: "/etc/vo-cutouts/secrets/postgres-credentials"
+ - name: "S3_ENDPOINT_URL"
+ value: "https://storage.googleapis.com"
+
+ # Authentication to the Redis queue for Dramatiq.
+ - name: "CUTOUT_REDIS_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "vo-cutouts.fullname" . }}-secret
+ key: "redis-password"
+
+ # URL of the bucket into which to store the cutouts.
+ - name: "CUTOUT_STORAGE_URL"
+ value: {{ required "config.gcsBucketUrl must be set" .Values.config.gcsBucketUrl | quote }}
+
+ # Temporary directory into which to stage cutouts before uploading.
+ - name: "CUTOUT_TMPDIR"
+ value: "/tmp/cutouts"
+ envFrom:
+ - configMapRef:
+ name: {{ template "vo-cutouts.fullname" . }}-config
+ {{- with .Values.cutoutWorker.resources }}
+ resources:
+ {{- toYaml .
| nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: "secrets"
+ mountPath: "/etc/vo-cutouts/secrets"
+ - name: "tmp"
+ mountPath: "/tmp"
+ imagePullSecrets:
+ - name: "pull-secret"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ volumes:
+ - name: "secrets"
+ emptyDir: {}
+ - name: "secrets-raw"
+ secret:
+ secretName: {{ template "vo-cutouts.fullname" . }}-secret
+ - name: "tmp"
+ emptyDir: {}
+ {{- with .Values.cutoutWorker.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.cutoutWorker.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.cutoutWorker.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/services/vo-cutouts/templates/worker-networkpolicy.yaml b/services/vo-cutouts/templates/worker-networkpolicy.yaml
new file mode 100644
index 0000000000..4263747825
--- /dev/null
+++ b/services/vo-cutouts/templates/worker-networkpolicy.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "vo-cutouts.fullname" . }}-worker
+ labels:
+ {{- include "vo-cutouts.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ # This policy controls inbound and outbound access to the database workers.
+ matchLabels:
+ {{- include "vo-cutouts.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "worker"
+ policyTypes:
+ # Block all inbound access.
+ - Ingress
diff --git a/services/vo-cutouts/values-idfdev.yaml b/services/vo-cutouts/values-idfdev.yaml
index ef77c098a3..441da96254 100644
--- a/services/vo-cutouts/values-idfdev.yaml
+++ b/services/vo-cutouts/values-idfdev.yaml
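Review bot: `replicas: {{ .Values.databaseWorker.replicaCount }}` and the `podAnnotations` block read `databaseWorker` values while the rest of this Deployment (`resources`, `nodeSelector`, `affinity`, `tolerations`) reads `cutoutWorker`, so the `cutoutWorker.replicaCount: 2` default in values.yaml is never applied; both should be `.Values.cutoutWorker.replicaCount` and `.Values.cutoutWorker.podAnnotations`. The comment above `initContainers` calls the init container privileged, but it drops all capabilities and runs under the pod-level uid 1000 like the main container, which is exactly why the chmod'd copies are readable by the worker; suggested rewording of the last two comment lines: `# container, running as the same uid as the worker, to copy the secrets` / `# into a shared emptyDir and set their permissions.` Separately, `cp -RL /etc/vo-cutouts/secrets-raw/*` copies every key of the release secret, including `redis-password` and `database-password`, into the shared emptyDir although the worker only reads `aws-credentials` and `postgres-credentials` from that directory (key names inferred from the file paths in `env`); projecting only those two keys into the `secrets-raw` volume, as below, keeps the other credentials out of it. The worker container is also the only one in this chart without `readOnlyRootFilesystem: true`; if the stack image needs a writable root, that deserves a comment.
```yaml
      volumes:
        - name: "secrets"
          emptyDir: {}
        - name: "secrets-raw"
          secret:
            secretName: {{ template "vo-cutouts.fullname" . }}-secret
            # Project only the files Butler reads so the Redis and database
            # passwords never land in the shared emptyDir.
            items:
              - key: "aws-credentials"
                path: "aws-credentials"
              - key: "postgres-credentials"
                path: "postgres-credentials"
        # … unchanged: tmp volume, nodeSelector/affinity/tolerations …
```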
@@ -1,24 +1,12 @@ -vo-cutouts: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-dev.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/vo-cutouts" +config: + # There is currently no working Butler in data-dev, so this configuration + # won't work. Leaving it here anyway since it has the correct configuration + # otherwise should we later get a Butler for that environment. + butlerRepository: "TBD" + databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" + gcsBucketUrl: "s3://rubin-cutouts-dev-us-central1-output/" - config: - # There is currently no working Butler in data-dev, so this configuration - # won't work. Leaving it here anyway since it has the correct - # configuration otherwise should we later get a Butler for that - # environment. - butlerRepository: "TBD" - databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" - gcsBucketUrl: "s3://rubin-cutouts-dev-us-central1-output/" - - cloudsql: - enabled: true - instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" - serviceAccount: "vo-cutouts@science-platform-dev-7696.iam.gserviceaccount.com" - -pull-secret: +cloudsql: enabled: true - path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" + instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" + serviceAccount: "vo-cutouts@science-platform-dev-7696.iam.gserviceaccount.com" diff --git a/services/vo-cutouts/values-idfint.yaml b/services/vo-cutouts/values-idfint.yaml index 84943c2d6b..bd88a21358 100644 --- a/services/vo-cutouts/values-idfint.yaml +++ b/services/vo-cutouts/values-idfint.yaml 
@@ -1,20 +1,9 @@ -vo-cutouts: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-int.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/vo-cutouts" +config: + butlerRepository: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" + databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" + gcsBucketUrl: "s3://rubin-cutouts-int-us-central1-output/" - config: - butlerRepository: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" - databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" - gcsBucketUrl: "s3://rubin-cutouts-int-us-central1-output/" - - cloudsql: - enabled: true - instanceConnectionName: "science-platform-int-dc5d:us-central1:science-platform-int-8f439af2" - serviceAccount: "vo-cutouts@science-platform-int-dc5d.iam.gserviceaccount.com" - -pull-secret: +cloudsql: enabled: true - path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" + instanceConnectionName: "science-platform-int-dc5d:us-central1:science-platform-int-8f439af2" + serviceAccount: "vo-cutouts@science-platform-int-dc5d.iam.gserviceaccount.com" diff --git a/services/vo-cutouts/values-idfprod.yaml b/services/vo-cutouts/values-idfprod.yaml index 2fd39a400d..f84d8d73eb 100644 --- a/services/vo-cutouts/values-idfprod.yaml +++ b/services/vo-cutouts/values-idfprod.yaml 
@@ -1,20 +1,9 @@ -vo-cutouts: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/vo-cutouts" +config: + butlerRepository: "s3://butler-us-central1-dp01" + databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" + gcsBucketUrl: "s3://rubin-cutouts-stable-us-central1-output/" - config: - butlerRepository: "s3://butler-us-central1-dp01" - databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" - gcsBucketUrl: "s3://rubin-cutouts-stable-us-central1-output/" - - cloudsql: - enabled: true - instanceConnectionName: "science-platform-stable-6994:us-central1:science-platform-stable-0c29612b" - serviceAccount: "vo-cutouts@science-platform-stable-6994.iam.gserviceaccount.com" - -pull-secret: +cloudsql: enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" + instanceConnectionName: "science-platform-stable-6994:us-central1:science-platform-stable-0c29612b" + serviceAccount: "vo-cutouts@science-platform-stable-6994.iam.gserviceaccount.com" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml new file mode 100644 index 0000000000..ed9767a4ae --- /dev/null +++ b/services/vo-cutouts/values.yaml 
@@ -0,0 +1,203 @@
+# Default values for vo-cutouts.
+
+# -- Number of web frontend pods to start
+replicaCount: 1
+
+# -- Override the base name for resources
+nameOverride: ""
+
+# -- Override the full name for resources (includes the release name)
+fullnameOverride: ""
+
+image:
+ # -- vo-cutouts image to use
+ repository: "lsstsqre/vo-cutouts"
+
+ # -- Pull policy for the vo-cutouts image
+ pullPolicy: "IfNotPresent"
+
+ # -- Tag of vo-cutouts image to use
+ # @default -- The appVersion of the chart
+ tag: ""
+
+ingress:
+ # -- Gafaelfawr auth query string
+ gafaelfawrAuthQuery: "scope=read:image"
+
+ # -- Additional annotations to add to the ingress
+ annotations: {}
+
+# -- Resource limits and requests for the vo-cutouts frontend pod
+resources: {}
+
+# -- Annotations for the vo-cutouts frontend pod
+podAnnotations: {}
+
+# -- Node selector rules for the vo-cutouts frontend pod
+nodeSelector: {}
+
+# -- Tolerations for the vo-cutouts frontend pod
+tolerations: []
+
+# -- Affinity rules for the vo-cutouts frontend pod
+affinity: {}
+
+config:
+ # -- Choose from the text form of Python logging levels
+ loglevel: "INFO"
+
+ # -- Configuration for the Butler repository to use
+ # @default -- None, must be set
+ butlerRepository: ""
+
+ # -- URL for the PostgreSQL database
+ # @default -- None, must be set
+ databaseUrl: ""
+
+ # -- URL for the GCS bucket into which to store cutouts (must start with
+ `s3`)
+ # @default -- None, must be set
+ gcsBucketUrl: ""
+
+ # -- Timeout for a single cutout job in seconds
+ # @default -- 600 (10 minutes)
+ timeout: 600
+
+ # -- Lifetime of job results in seconds (quote so that Helm doesn't turn it
+ # into a floating point number)
+ # @default -- 2592000 (30 days)
+ lifetime: "2592000"
+
+ # -- Timeout for results from a sync cutout in seconds
+ # @default -- 60 (1 minute)
+ syncTimeout: 60
+
+cloudsql:
+ # -- Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases
+ # on Google Cloud
+ enabled: false
+
+ image:
+ # -- Cloud SQL Auth Proxy image to use
+ repository: "gcr.io/cloudsql-docker/gce-proxy"
+
+ # -- Cloud SQL Auth Proxy tag to use
+ tag: "1.30.0"
+
+ # -- Pull policy for Cloud SQL Auth Proxy images
+ pullPolicy: "IfNotPresent"
+
+ # -- Instance connection name for a CloudSQL PostgreSQL instance
+ instanceConnectionName: ""
+
+ # -- The Google service account that has an IAM binding to the `vo-cutouts`
+ # Kubernetes service accounts and has the `cloudsql.client` role, access
+ # to the GCS bucket, and ability to sign URLs as itself
+ # @default -- None, must be set
+ serviceAccount: ""
+
+cutoutWorker:
+ # -- Number of cutout worker pods to start
+ replicaCount: 2
+
+ image:
+ # -- Stack image to use for cutouts
+ repository: "lsstsqre/vo-cutouts-worker"
+
+ # -- Tag of vo-cutouts worker image to use
+ # @default -- The appVersion of the chart
+ tag: ""
+
+ # -- Pull policy for cutout workers
+ pullPolicy: "IfNotPresent"
+
+ # -- Resource limits and requests for the cutout worker pod
+ resources: {}
+
+ # -- Annotations for the cutout worker pod
+ podAnnotations: {}
+
+ # -- Node selection rules for the cutout worker pod
+ nodeSelector: {}
+
+ # -- Tolerations for the cutout worker pod
+ tolerations: []
+
+ # -- Affinity rules for the cutout worker pod
+ affinity: {}
+
+databaseWorker:
+ # -- Number of database worker pods to start
+ replicaCount: 1
+
+ # -- Resource limits and requests for the database worker pod
+ resources: {}
+
+ # -- Annotations for the database worker pod
+ podAnnotations: {}
+
+ # -- Node selection rules for the database worker pod
+ nodeSelector: {}
+
+ # -- Tolerations for the database worker pod
+ tolerations: []
+
+ # -- Affinity rules for the database worker pod
+ affinity: {}
+
+redis:
+ image:
+ # -- Redis image to use
+ repository: "redis"
+
+ # -- Redis image tag to use
+ tag: "6.2.6"
+
+ # -- Pull policy for the Redis image
+ pullPolicy: "IfNotPresent"
+
+ persistence:
+ # -- Whether to persist Redis storage and thus tokens. Setting this to
+ # false will use `emptyDir` and reset all tokens on every restart. Only
+ # use this for a test deployment.
+ enabled: true
+
+ # -- Amount of persistent storage to request
+ size: "100Mi"
+
+ # -- Class of storage to request
+ storageClass: ""
+
+ # -- Access mode of storage to request
+ accessMode: "ReadWriteOnce"
+
+ # -- Use an existing PVC, not dynamic provisioning. If this is set, the
+ # size, storageClass, and accessMode settings are ignored.
+ volumeClaimName: ""
+
+ # -- Pod annotations for the Redis pod
+ podAnnotations: {}
+
+ # -- Node selection rules for the Redis pod
+ nodeSelector: {}
+
+ # -- Tolerations for the Redis pod
+ tolerations: []
+
+ # -- Affinity rules for the Redis pod
+ affinity: {}
+
+# The following will be set by parameters injected by Argo CD and should not
+# be set in the individual environment values files.
+global:
+ # -- Base URL for the environment
+ # @default -- Set by Argo CD
+ baseUrl: ""
+
+ # -- Host name for ingress
+ # @default -- Set by Argo CD
+ host: ""
+
+ # -- Base path for Vault secrets
+ # @default -- Set by Argo CD
+ vaultSecretsPath: ""
From 0dd10ad32b1c81f6456c7dc7fed0ebd6b9f5e776 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 18 Apr 2022 10:47:52 -0700
Subject: [PATCH 0263/1479] Don't run minikube unless Helm lint succeeds
No point in running the really expensive check if the chart won't even compile.
---
.github/workflows/ci.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 571491a805..6bd4874aa1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -52,6 +52,7 @@ jobs:
 minikube:
 name: Test deploy
 runs-on: ubuntu-latest
+ needs: [helm]

 steps:
 - name: Checkout
From 667e92b12ed33bfe63ba74bdf6c730f88ffdf68e Mon Sep 17 00:00:00 2001
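Review bot: The `redis.persistence.enabled` comment talks about persisting and resetting "tokens", but nothing else in this values file concerns tokens — every other key is about cutout jobs, the Butler repository, the database and the GCS bucket — so the text reads as copied from another chart and will mislead whoever sizes or disables this volume. Reword it to what this Redis actually holds, e.g. `# -- Whether to persist Redis storage. Setting this to false will use emptyDir and lose whatever job state Redis holds on every restart. Only use this for a test deployment.` (confirm the "job state" wording against the chart templates, which are not on this page). Separately, `cloudsql.image.tag: "1.30.0"` and `redis.image.tag: "6.2.6"` are mutable-tag pins for a credential-holding sidecar and a data store; whether the Renovate bot that bumps Chart.yaml versions elsewhere on this page also tracks these image tags is not visible here, and a digest pin or an explicit Renovate rule is the usual control.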
From: Russ Allbery
Date: Mon, 18 Apr 2022 10:55:37 -0700
Subject: [PATCH 0264/1479] Bump the version of tools used by minikube
Use the latest minikube, Kubernetes 1.22, Vault 1.9, and Argo CD versions.
---
.github/workflows/ci.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6bd4874aa1..147af5c788 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -77,8 +77,8 @@ jobs:
 if: steps.filter.outputs.minikube == 'true'
 uses: manusa/actions-setup-minikube@v2.4.3
 with:
- minikube version: 'v1.24.0'
- kubernetes version: 'v1.22.5'
+ minikube version: 'v1.25.2'
+ kubernetes version: 'v1.22.8'

 - name: Test interaction with the cluster
 if: steps.filter.outputs.minikube == 'true'
@@ -87,11 +87,11 @@ jobs:
 - name: Download installer dependencies
 if: steps.filter.outputs.minikube == 'true'
 run: |
- curl -sSL -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.9.1/vault_1.9.1_linux_amd64.zip
+ curl -sSL -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_amd64.zip
 unzip /tmp/vault.zip
 sudo mv vault /usr/local/bin/vault
 sudo chmod +x /usr/local/bin/vault
- sudo curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.1.7/argocd-linux-amd64
+ sudo curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.3.3/argocd-linux-amd64
 sudo chmod +x /usr/local/bin/argocd
 sudo apt-get install socat
 sudo pip install -r installer/requirements.txt
From 8eb40a3fefafe5727db7275b15a017eb18c3ae4d Mon Sep 17 00:00:00 2001
From: Frossie
Date: Mon, 18 Apr 2022 14:49:23 -0700
Subject: [PATCH 0265/1479] Update values-idfdev.yaml
---
services/portal/values-idfdev.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index 2451c233b2..80a80bcc51 100644
--- a/services/portal/values-idfdev.yaml
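Review bot: The second hunk still installs Vault and the Argo CD CLI from bare curl downloads with no checksum verification, so the job runs whatever the release endpoint (or anything able to tamper with the response) hands back, and a version bump is the natural moment to add the check. HashiCorp publishes a `vault_1.9.4_SHA256SUMS` file alongside the zip that `sha256sum --check --ignore-missing` can verify, and the Argo CD binary can be compared against the digest published with the release (placeholder below). In the first hunk, `manusa/actions-setup-minikube@v2.4.3` is pinned to a mutable tag; pinning the action to its commit SHA is the same class of fix. The enclosing job starts outside both hunks.
```yaml
run: |
  curl -sSL -o /tmp/vault_1.9.4_linux_amd64.zip https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_amd64.zip
  curl -sSL -o /tmp/vault_1.9.4_SHA256SUMS https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_SHA256SUMS
  (cd /tmp && sha256sum --check --ignore-missing vault_1.9.4_SHA256SUMS)
  unzip /tmp/vault_1.9.4_linux_amd64.zip
  # … unchanged: mv and chmod of vault …
  sudo curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.3.3/argocd-linux-amd64
  echo "<EXPECTED_ARGOCD_SHA256>  /usr/local/bin/argocd" | sha256sum --check
  # … unchanged: chmod of argocd, socat, pip install …
```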
+++ b/services/portal/values-idfdev.yaml
@@ -1,3 +1,6 @@
 resources:
 limits:
 memory: "8Gi"
+image:
+ tag: "suit-2.4.0"
+
From ecdb74fa771b7bfd775fb91869a9c658c39bff28 Mon Sep 17 00:00:00 2001
From: Frossie
Date: Mon, 18 Apr 2022 14:51:23 -0700
Subject: [PATCH 0266/1479] Update values-idfdev.yaml
---
services/portal/values-idfdev.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index 80a80bcc51..8a0bc38db2 100644
--- a/services/portal/values-idfdev.yaml
+++ b/services/portal/values-idfdev.yaml
@@ -3,4 +3,3 @@ resources:
 memory: "8Gi"
 image:
 tag: "suit-2.4.0"
-
From 4a6239fe8b7f655df2cb1dd725d67fe4677c3671 Mon Sep 17 00:00:00 2001
From: Frossie Economou
Date: Mon, 18 Apr 2022 21:26:20 -0700
Subject: [PATCH 0267/1479] Admin list update
---
services/argocd/values-idfdev.yaml | 4 +++-
services/argocd/values-idfint.yaml | 3 ++-
services/argocd/values-idfprod.yaml | 3 +++
3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml
index b4f919246b..f91c296f4a 100644
--- a/services/argocd/values-idfdev.yaml
+++ b/services/argocd/values-idfdev.yaml
@@ -73,7 +73,9 @@ argo-cd:
 g, jsick@lsst.cloud, role:admin
 g, krughoff@lsst.cloud, role:admin
 g, rra@lsst.cloud, role:admin
- g, dspeck@lsst.cloud, role:admin
+ g, gpdf@lsst.cloud, role:admin
+ g, loi@lsst.cloud, role:admin
+ g, roby@lsst.cloud, role:admin
 scopes: "[email]"

 configs:
diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml
index 58626b4ba4..1440a6832a 100644
--- a/services/argocd/values-idfint.yaml
+++ b/services/argocd/values-idfint.yaml
@@ -74,8 +74,9 @@ argo-cd:
 g, krughoff@lsst.cloud, role:admin
 g, rra@lsst.cloud, role:admin
 g, ctslater@lsst.cloud, role:admin
- g, swnelson@lsst.cloud, role:admin
 g, gpdf@lsst.cloud, role:admin
+ g, loi@lsst.cloud, role:admin
+ g, roby@lsst.cloud, role:admin
 scopes: "[email]"

 configs:
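Review bot: The `g, <user>, role:admin` policy lines are hand-maintained per environment, and after this commit the copies still disagree: the idfdev hunk removes dspeck, the idfint hunk removes swnelson and shows ctslater, and the idfprod hunk (next file section) only adds, so whether it still lists dspeck or swnelson cannot be seen here. `role:admin` in Argo CD is full control over every Application, so a stale entry that survives in one environment is exactly the drift a per-file diff hides from the reviewer. Keeping the admin list in one shared values file, or binding `role:admin` to a single group identity rather than individual emails, would make additions and removals atomic across environments; I cannot tell from this page whether values-base.yaml is layered under these files, so treat that as a suggestion to check. The enclosing `policy.csv` block starts outside each hunk.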
diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml
index dfda8a9d21..d5f4af6e30 100644
--- a/services/argocd/values-idfprod.yaml
+++ b/services/argocd/values-idfprod.yaml
@@ -73,6 +73,9 @@ argo-cd:
 g, jsick@lsst.cloud, role:admin
 g, krughoff@lsst.cloud, role:admin
 g, rra@lsst.cloud, role:admin
+ g, gpdf@lsst.cloud, role:admin
+ g, loi@lsst.cloud, role:admin
+ g, roby@lsst.cloud, role:admin
 scopes: "[email]"

 configs:
From 095116c7504c37098205907b033cc8628c9ec021 Mon Sep 17 00:00:00 2001
From: Gabriele Mainetti
Date: Wed, 20 Apr 2022 10:23:14 +0200
Subject: [PATCH 0268/1479] Deatcivate moenypenny
---
science-platform/values-ccin2p3test.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/science-platform/values-ccin2p3test.yaml b/science-platform/values-ccin2p3test.yaml
index 8dca3b6a5b..a42f6a2ef6 100644
--- a/science-platform/values-ccin2p3test.yaml
+++ b/science-platform/values-ccin2p3test.yaml
@@ -25,7 +25,7 @@ logging:
 mobu:
 enabled: false
 moneypenny:
- enabled: true
+ enabled: false
 ingress_nginx:
 enabled: true
 nublado:
From ba170229514e42df45c9a837908a8e4f6de21a5a Mon Sep 17 00:00:00 2001
From: roby
Date: Wed, 20 Apr 2022 09:25:57 -0600
Subject: [PATCH 0269/1479] dm-34469: up SUIT to version 2022.1
- update on both dev and int
- allows for extended testing time before ops
---
services/portal/values-idfdev.yaml | 2 +-
services/portal/values-int.yaml | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index 8a0bc38db2..c7d22c9b08 100644
--- a/services/portal/values-idfdev.yaml
+++ b/services/portal/values-idfdev.yaml
@@ -2,4 +2,4 @@ resources:
 limits:
 memory: "8Gi"
 image:
- tag: "suit-2.4.0"
+ tag: "suit-2022.1"
diff --git a/services/portal/values-int.yaml b/services/portal/values-int.yaml
index 5efe67737b..6f0d3074ee 100644
--- a/services/portal/values-int.yaml
+++ b/services/portal/values-int.yaml
@@ -18,6 +18,9 @@ resources:
 limits:
 memory: "24Gi"
+image:
+ tag: "suit-2022.1"
+

 securityContext:
 runAsUser: 101
 runAsGroup: 102
From 955d5e56a1d7d1b9425a7fa62c1cf4a53388af57 Mon Sep 17 00:00:00 2001
From: roby
Date: Wed, 20 Apr 2022 10:16:13 -0600
Subject: [PATCH 0270/1479] dm-34469: update int to suit version 2022.1, based on firefly version 2022.1.1
---
services/portal/values-idfdev.yaml | 1 +
services/portal/values-idfint.yaml | 3 +++
2 files changed, 4 insertions(+)
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index c7d22c9b08..57ddd52a40 100644
--- a/services/portal/values-idfdev.yaml
+++ b/services/portal/values-idfdev.yaml
@@ -1,5 +1,6 @@
 resources:
 limits:
 memory: "8Gi"
+
 image:
 tag: "suit-2022.1"
diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml
index bbff39a615..16d3019641 100644
--- a/services/portal/values-idfint.yaml
+++ b/services/portal/values-idfint.yaml
@@ -9,3 +9,6 @@ config:
 resources:
 limits:
 memory: "30Gi"
+
+image:
+ tag: "suit-2022.1"
From 1fb23bbdba266a4c323110d37de7f95fb31ab377 Mon Sep 17 00:00:00 2001
From: Michael Reuter
Date: Wed, 20 Apr 2022 10:40:32 -0700
Subject: [PATCH 0271/1479] Update summit cachemachine to cycle 25.
---
services/cachemachine/values-summit.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/cachemachine/values-summit.yaml b/services/cachemachine/values-summit.yaml
index e97c4a53d3..e02a3c4483 100644
--- a/services/cachemachine/values-summit.yaml
+++ b/services/cachemachine/values-summit.yaml
@@ -20,7 +20,7 @@ autostart:
 "num_releases": 0,
 "num_weeklies": 3,
 "num_dailies": 2,
- "cycle": 24,
+ "cycle": 25,
 "alias_tags": [
 "latest",
 "latest_daily",
From afc4be278f26c391b860936a36c5cacae1822663 Mon Sep 17 00:00:00 2001
From: adam
Date: Thu, 21 Apr 2022 08:43:47 -0700
Subject: [PATCH 0272/1479] Update summit recommended tag
---
services/cachemachine/values-summit.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/cachemachine/values-summit.yaml b/services/cachemachine/values-summit.yaml
index e02a3c4483..124abd2026 100644
--- a/services/cachemachine/values-summit.yaml
+++ b/services/cachemachine/values-summit.yaml
@@ -16,7 +16,7 @@ autostart:
 "type": "RubinRepoMan",
 "registry_url": "ts-dockerhub.lsst.org",
 "repo": "sal-sciplat-lab",
- "recommended_tag": "recommended",
+ "recommended_tag": "recommended_c0025",
 "num_releases": 0,
 "num_weeklies": 3,
 "num_dailies": 2,
From 9750407773966c3fb4b77b49d796b7e66f13ae70 Mon Sep 17 00:00:00 2001
From: Frossie
Date: Thu, 21 Apr 2022 13:18:01 -0700
Subject: [PATCH 0273/1479] Update values-idfint.yaml
---
services/argocd/values-idfint.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml
index 1440a6832a..622a846e56 100644
--- a/services/argocd/values-idfint.yaml
+++ b/services/argocd/values-idfint.yaml
@@ -77,6 +77,7 @@ argo-cd:
 g, gpdf@lsst.cloud, role:admin
 g, loi@lsst.cloud, role:admin
 g, roby@lsst.cloud, role:admin
+ g, fritzm@lsst.cloud, role:admin
 scopes: "[email]"

 configs:
From fa86b78eb55dd36dbd09d870c46867737eb369d4 Mon Sep 17 00:00:00 2001
From: adam
Date: Thu, 21 Apr 2022 11:34:53 -0700
Subject: [PATCH 0274/1479] cachemachine Recommended image -> w_2022_12
---
services/cachemachine/values-idfdev.yaml | 4 ++--
services/cachemachine/values-idfint.yaml | 4 ++--
services/cachemachine/values-idfprod.yaml | 4 ++--
services/cachemachine/values-int.yaml | 4 ++--
services/cachemachine/values-stable.yaml | 4 ++--
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml
index cb14ba3bfa..81eac0fc60 100644
--- a/services/cachemachine/values-idfdev.yaml
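Review bot: This grants `fritzm@lsst.cloud` `role:admin` in values-idfint.yaml only, while the matching lists in values-idfdev.yaml and values-idfprod.yaml are untouched, so the per-environment admin sets diverge further and the commit message ("Update values-idfint.yaml") gives no reason. If int-only access is intended, a comment above the line such as `# int-only admin; not granted in dev/prod on purpose` stops the next editor from "fixing" the asymmetry; if not, the same line belongs in the other two files. The enclosing `policy.csv` block starts outside the hunk.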
+++ b/services/cachemachine/values-idfdev.yaml
@@ -31,8 +31,8 @@ autostart:
 "type": "SimpleRepoMan",
 "images": [
 {
- "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49",
- "name": "Weekly 2021_49"
+ "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_12",
+ "name": "Weekly 2022_12"
 }
 ]
 }
diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml
index 8cea89ea76..e4685a1ef7 100644
--- a/services/cachemachine/values-idfint.yaml
+++ b/services/cachemachine/values-idfint.yaml
@@ -31,8 +31,8 @@ autostart:
 "type": "SimpleRepoMan",
 "images": [
 {
- "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49",
- "name": "Weekly 2021_49"
+ "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_12",
+ "name": "Weekly 2022_12"
 }
 ]
 }
diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml
index 658ac083a2..6488321f86 100644
--- a/services/cachemachine/values-idfprod.yaml
+++ b/services/cachemachine/values-idfprod.yaml
@@ -31,8 +31,8 @@ autostart:
 "type": "SimpleRepoMan",
 "images": [
 {
- "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2021_49",
- "name": "Weekly 2021_49"
+ "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_12",
+ "name": "Weekly 2022_12"
 }
 ]
 }
diff --git a/services/cachemachine/values-int.yaml b/services/cachemachine/values-int.yaml
index e8ee5dd4f2..8d567690cc 100644
--- a/services/cachemachine/values-int.yaml
+++ b/services/cachemachine/values-int.yaml
@@ -27,8 +27,8 @@ autostart:
 "type": "SimpleRepoMan",
 "images": [
 {
- "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49",
- "name": "Weekly 2021_49"
+ "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2022_12",
+ "name": "Weekly 2022_12"
 }
 ]
 }
diff --git a/services/cachemachine/values-stable.yaml b/services/cachemachine/values-stable.yaml
index 482a59aeeb..ba07d1c2ec 100644
--- a/services/cachemachine/values-stable.yaml
+++ b/services/cachemachine/values-stable.yaml
@@ -27,8 +27,8 @@ autostart:
 "type": "SimpleRepoMan",
 "images": [
 {
- "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_49",
- "name": "Weekly 2021_49"
+ "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2022_12",
+ "name": "Weekly 2022_12"
 }
 ]
 }
From d4b1fba4e6908e5c4ce9f3bcfd5401d6e9368c21 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 21 Apr 2022 15:37:17 -0700
Subject: [PATCH 0275/1479] Fix repository for Argo CD redis-exporter
Work around https://github.com/argoproj/argo-helm/issues/1234.
---
services/argocd/values-minikube.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/services/argocd/values-minikube.yaml b/services/argocd/values-minikube.yaml
index d5340f0bf2..2de8257e78 100644
--- a/services/argocd/values-minikube.yaml
+++ b/services/argocd/values-minikube.yaml
@@ -12,6 +12,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 repoServer:
 metrics:
From bf3547642eef4ae976468ee53ce1e3a0b8bc1ae5 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 21 Apr 2022 15:49:16 -0700
Subject: [PATCH 0276/1479] Fix Argo CD Redis metrics container
Push out the change tested on minikube to all other environments.
---
services/argocd/values-base.yaml | 2 ++
services/argocd/values-idfdev.yaml | 2 ++
services/argocd/values-idfint.yaml | 2 ++
services/argocd/values-idfprod.yaml | 2 ++
services/argocd/values-int.yaml | 2 ++
services/argocd/values-roe.yaml | 2 ++
services/argocd/values-stable.yaml | 2 ++
services/argocd/values-summit.yaml | 2 ++
services/argocd/values-tucson-teststand.yaml | 2 ++
9 files changed, 18 insertions(+)
diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml
index 33cabea149..33d3b4c417 100644
--- a/services/argocd/values-base.yaml
+++ b/services/argocd/values-base.yaml
@@ -3,6 +3,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml
index f91c296f4a..30432510f0 100644
--- a/services/argocd/values-idfdev.yaml
+++ b/services/argocd/values-idfdev.yaml
@@ -3,6 +3,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml
index 622a846e56..6b5078ead2 100644
--- a/services/argocd/values-idfint.yaml
+++ b/services/argocd/values-idfint.yaml
@@ -3,6 +3,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml
index d5f4af6e30..4d092259c7 100644
--- a/services/argocd/values-idfprod.yaml
+++ b/services/argocd/values-idfprod.yaml
@@ -3,6 +3,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-int.yaml b/services/argocd/values-int.yaml
index e27a97f19b..1cf2ecd20c 100644
--- a/services/argocd/values-int.yaml
+++ b/services/argocd/values-int.yaml
@@ -3,6 +3,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-roe.yaml b/services/argocd/values-roe.yaml
index 06ad8a8272..dbb25cb886 100644
--- a/services/argocd/values-roe.yaml
+++ b/services/argocd/values-roe.yaml
@@ -3,6 +3,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-stable.yaml b/services/argocd/values-stable.yaml
index 6ac6dfc7d6..468e958bd5 100644
--- a/services/argocd/values-stable.yaml
+++ b/services/argocd/values-stable.yaml
@@ -3,6 +3,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-summit.yaml b/services/argocd/values-summit.yaml
index 837c1918ec..b31ea2f514 100644
--- a/services/argocd/values-summit.yaml
+++ b/services/argocd/values-summit.yaml
@@ -3,6 +3,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-tucson-teststand.yaml b/services/argocd/values-tucson-teststand.yaml
index d467e06f8f..f3d5752c75 100644
--- a/services/argocd/values-tucson-teststand.yaml
+++ b/services/argocd/values-tucson-teststand.yaml
@@ -3,6 +3,8 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
+ image:
+ repository: "bitnami/redis-exporter"

 controller:
 metrics:
From a748ca17643f02acc121397d28293479add98b26 Mon Sep 17 00:00:00 2001
From: roby
Date: Wed, 20 Apr 2022 18:03:09 -0600
Subject: [PATCH 0277/1479] Added a new suit deployment, fixed the proxy in ingress.yaml
- suit-2022.1
---
services/portal/templates/ingress.yaml | 2 +-
services/portal/values-idfdev.yaml | 1 -
services/portal/values-idfint.yaml | 1 -
3 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/services/portal/templates/ingress.yaml b/services/portal/templates/ingress.yaml
index 74943d7d0e..337344a115 100644
--- a/services/portal/templates/ingress.yaml
+++ b/services/portal/templates/ingress.yaml
@@ -20,7 +20,7 @@ metadata:
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Forwarded-Port 443;
- proxy_set_header X-Forwarded-Path /firefly;
+ proxy_set_header X-Forwarded-Path /portal/app;
 {{- if .Values.ingress.gafaelfawrAuthQuery }}
 nginx.ingress.kubernetes.io/auth-method: "GET"
 nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token"
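Review bot: `X-Forwarded-Path /portal/app` is a bare literal inside what is presumably an nginx configuration-snippet annotation, so it must be kept in sync by hand with the path rule the Ingress actually serves; that rule is outside the hunk and nothing in the commit says why `/firefly` became `/portal/app`. A one-line comment above it, e.g. `# must match the ingress path rule below; the portal uses it to build its own URLs`, or templating the value from the same chart value the path rule uses, would remove the second place this path has to be edited. The enclosing annotations block starts outside the hunk.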
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index 57ddd52a40..c7d22c9b08 100644
--- a/services/portal/values-idfdev.yaml
+++ b/services/portal/values-idfdev.yaml
@@ -1,6 +1,5 @@
 resources:
 limits:
 memory: "8Gi"
-
 image:
 tag: "suit-2022.1"
diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml
index 16d3019641..3af08e6a08 100644
--- a/services/portal/values-idfint.yaml
+++ b/services/portal/values-idfint.yaml
@@ -9,6 +9,5 @@ config:
 resources:
 limits:
 memory: "30Gi"
-
 image:
 tag: "suit-2022.1"
From 8f369e9720db2eab44915244711de1efc45d6e39 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Fri, 22 Apr 2022 11:43:15 +0000
Subject: [PATCH 0278/1479] Update Helm release argo-cd to v4.5.7
---
services/argocd/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml
index af4f7d3e69..0fc86dd09d 100644
--- a/services/argocd/Chart.yaml
+++ b/services/argocd/Chart.yaml
@@ -3,7 +3,7 @@ name: argo-cd
 version: 1.0.0
 dependencies:
 - name: argo-cd
- version: 4.5.3
+ version: 4.5.7
 repository: https://argoproj.github.io/argo-helm
 - name: pull-secret
 version: 0.1.2
From 3d8682fccca81a7cc7b34ddd7497182cb05ff7b3 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 22 Apr 2022 09:30:52 -0700
Subject: [PATCH 0279/1479] Revert "Fix Argo CD Redis metrics container"
This reverts commit bf3547642eef4ae976468ee53ce1e3a0b8bc1ae5.
This has now been fixed by a subsequent Argo CD chart release.
---
services/argocd/values-base.yaml | 2 --
services/argocd/values-idfdev.yaml | 2 --
services/argocd/values-idfint.yaml | 2 --
services/argocd/values-idfprod.yaml | 2 --
services/argocd/values-int.yaml | 2 --
services/argocd/values-minikube.yaml | 2 --
services/argocd/values-roe.yaml | 2 --
services/argocd/values-stable.yaml | 2 --
services/argocd/values-summit.yaml | 2 --
services/argocd/values-tucson-teststand.yaml | 2 --
10 files changed, 20 deletions(-)
diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml
index 33d3b4c417..33cabea149 100644
--- a/services/argocd/values-base.yaml
+++ b/services/argocd/values-base.yaml
@@ -3,8 +3,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml
index 30432510f0..f91c296f4a 100644
--- a/services/argocd/values-idfdev.yaml
+++ b/services/argocd/values-idfdev.yaml
@@ -3,8 +3,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml
index 6b5078ead2..622a846e56 100644
--- a/services/argocd/values-idfint.yaml
+++ b/services/argocd/values-idfint.yaml
@@ -3,8 +3,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml
index 4d092259c7..d5f4af6e30 100644
--- a/services/argocd/values-idfprod.yaml
+++ b/services/argocd/values-idfprod.yaml
@@ -3,8 +3,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-int.yaml b/services/argocd/values-int.yaml
index 1cf2ecd20c..e27a97f19b 100644
--- a/services/argocd/values-int.yaml
+++ b/services/argocd/values-int.yaml
@@ -3,8 +3,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-minikube.yaml b/services/argocd/values-minikube.yaml
index 2de8257e78..d5340f0bf2 100644
--- a/services/argocd/values-minikube.yaml
+++ b/services/argocd/values-minikube.yaml
@@ -12,8 +12,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 repoServer:
 metrics:
diff --git a/services/argocd/values-roe.yaml b/services/argocd/values-roe.yaml
index dbb25cb886..06ad8a8272 100644
--- a/services/argocd/values-roe.yaml
+++ b/services/argocd/values-roe.yaml
@@ -3,8 +3,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-stable.yaml b/services/argocd/values-stable.yaml
index 468e958bd5..6ac6dfc7d6 100644
--- a/services/argocd/values-stable.yaml
+++ b/services/argocd/values-stable.yaml
@@ -3,8 +3,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-summit.yaml b/services/argocd/values-summit.yaml
index b31ea2f514..837c1918ec 100644
--- a/services/argocd/values-summit.yaml
+++ b/services/argocd/values-summit.yaml
@@ -3,8 +3,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 controller:
 metrics:
diff --git a/services/argocd/values-tucson-teststand.yaml b/services/argocd/values-tucson-teststand.yaml
index f3d5752c75..d467e06f8f 100644
--- a/services/argocd/values-tucson-teststand.yaml
+++ b/services/argocd/values-tucson-teststand.yaml
@@ -3,8 +3,6 @@ argo-cd:
 enabled: true
 metrics:
 enabled: true
- image:
- repository: "bitnami/redis-exporter"

 controller:
 metrics:
From dce06ff11ae4f61e6f4840c6ef315a6720f58c70 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Fri, 22 Apr 2022 17:28:18 +0000
Subject: [PATCH 0280/1479] Update Helm release ingress-nginx to v4.1.0
---
services/ingress-nginx/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml
index d63f08490a..83c662b2d6 100644
--- a/services/ingress-nginx/Chart.yaml
+++ b/services/ingress-nginx/Chart.yaml
@@ -3,7 +3,7 @@ name: ingress-nginx
 version: 1.0.0
 dependencies:
 - name: ingress-nginx
- version: 4.0.19
+ version: 4.1.0
 repository: https://kubernetes.github.io/ingress-nginx
 - name: pull-secret
 version: ">=0.1.2"
From c345d7a341df9e3f218f05246c6c09d19f564e58 Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 26 Apr 2022 11:21:56 -0700
Subject: [PATCH 0281/1479] Send list of enabled services to telegraf/ds
---
science-platform/templates/_helpers.tpl | 13 +++++++++++++
.../templates/telegraf-application.yaml | 4 ++++
.../templates/telegraf-ds-application.yaml | 3 +++
3 files changed, 20 insertions(+)
create mode 100644 science-platform/templates/_helpers.tpl
diff --git a/science-platform/templates/_helpers.tpl b/science-platform/templates/_helpers.tpl
new file mode 100644
index 0000000000..b8c4c8371c
--- /dev/null
+++ b/science-platform/templates/_helpers.tpl
@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{- define "enabled_services" -}}
+['argocd'
+ {{- range $okey, $oval := .Values }}
+ {{- $otype := typeOf $oval -}}
+ {{- if eq $otype "map[string]interface {}" }}
+ {{- if hasKey $oval "enabled" }}
+{{- if $oval.enabled }},'{{- $okey }}'{{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end -}}
+ ]
+{{- end }}
diff --git a/science-platform/templates/telegraf-application.yaml b/science-platform/templates/telegraf-application.yaml
index 26d877e6c8..60812c920d 100644
--- a/science-platform/templates/telegraf-application.yaml
+++ b/science-platform/templates/telegraf-application.yaml
@@ -24,7 +24,11 @@ spec:
 repoURL: {{ .Values.repoURL }}
 targetRevision: {{ .Values.revision }}
 helm:
+ parameters:
+ - name: "global.enabled_services"
+ value: {{ include "enabled_services" . | quote }}
 valueFiles:
 - values.yaml
 - values-{{ .Values.environment }}.yaml
 {{- end -}}
+enab
diff --git a/science-platform/templates/telegraf-ds-application.yaml b/science-platform/templates/telegraf-ds-application.yaml
index acf550e6dc..ae98af5e1f 100644
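Review bot: In the new `_helpers.tpl`, `eq $otype "map[string]interface {}"` keys the whole helper on the exact Go type name Helm happens to use for nested maps; if that spelling ever differs the comparison fails silently and every service disappears from the list with no error. Sprig's `kindIs` expresses the intent without the string match: drop the `$otype` line and write `{{- if kindIs "map" $oval }}` in place of the `eq` line. It is also worth a leading comment in the define saying the result is consumed as a string (`{{/* Renders a Python-style list literal of enabled service names; passed to telegraf as a string parameter */}}`), since the bracket-and-quote layout is otherwise easy to mistake for YAML.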
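Review bot: The trailing `+enab` in telegraf-application.yaml is stray text that Helm renders verbatim; because `{{- end -}}` trims the following newline it ends up glued onto the last `valueFiles` entry when telegraf is enabled, and is emitted on its own when it is not, so the rendered Application is wrong either way. Delete the line. The enclosing Application template starts outside the hunk.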
--- a/science-platform/templates/telegraf-ds-application.yaml
+++ b/science-platform/templates/telegraf-ds-application.yaml
@@ -24,6 +24,9 @@ spec:
 repoURL: {{ .Values.repoURL }}
 targetRevision: {{ .Values.revision }}
 helm:
+ parameters:
+ - name: "global.enabled_services"
+ value: {{ include "enabled_services" . | quote }}
 valueFiles:
 - values.yaml
 - values-{{ .Values.environment }}.yaml
From 2bed0b178da4fec375c65a0a6d7f5ca1f1beb14e Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 26 Apr 2022 12:57:46 -0700
Subject: [PATCH 0282/1479] make enabled services a bare comma-sep string
---
science-platform/templates/_helpers.tpl | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/science-platform/templates/_helpers.tpl b/science-platform/templates/_helpers.tpl
index b8c4c8371c..5a12dfac5b 100644
--- a/science-platform/templates/_helpers.tpl
+++ b/science-platform/templates/_helpers.tpl
@@ -1,13 +1,12 @@
 {{/* vim: set filetype=mustache: */}}
 {{- define "enabled_services" -}}
-['argocd'
+argocd
 {{- range $okey, $oval := .Values }}
 {{- $otype := typeOf $oval -}}
 {{- if eq $otype "map[string]interface {}" }}
 {{- if hasKey $oval "enabled" }}
-{{- if $oval.enabled }},'{{- $okey }}'{{- end }}
+{{- if $oval.enabled }},{{- $okey }}{{- end }}
 {{- end }}
 {{- end }}
- {{- end -}}
- ]
+ {{- end }}
 {{- end }}
From 4579168966415ce70492ff91433fc29107cbdf57 Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 26 Apr 2022 13:24:21 -0700
Subject: [PATCH 0283/1479] remove junk text from end of application definition
---
science-platform/templates/telegraf-application.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/science-platform/templates/telegraf-application.yaml b/science-platform/templates/telegraf-application.yaml
index 60812c920d..fc926e958f 100644
--- a/science-platform/templates/telegraf-application.yaml
+++ b/science-platform/templates/telegraf-application.yaml
@@ -31,4 +31,4 @@ spec:
 - values.yaml
 - values-{{ .Values.environment }}.yaml
 {{- end -}}
-enab
+
From 01f78f1f1ea36930dccc0e1301b39406e16f6f7b Mon Sep 17 00:00:00 2001
From: adam Date: Tue, 26 Apr 2022 13:24:30 -0700 Subject: [PATCH 0284/1479] Revert "make enabled services a bare comma-sep string" This reverts commit 2bed0b178da4fec375c65a0a6d7f5ca1f1beb14e. --- science-platform/templates/_helpers.tpl | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/science-platform/templates/_helpers.tpl b/science-platform/templates/_helpers.tpl
index 5a12dfac5b..b8c4c8371c 100644
--- a/science-platform/templates/_helpers.tpl
+++ b/science-platform/templates/_helpers.tpl
@@ -1,12 +1,13 @@
 {{/* vim: set filetype=mustache: */}}
 {{- define "enabled_services" -}}
-argocd
+['argocd'
 {{- range $okey, $oval := .Values }}
 {{- $otype := typeOf $oval -}}
 {{- if eq $otype "map[string]interface {}" }}
 {{- if hasKey $oval "enabled" }}
-{{- if $oval.enabled }},{{- $okey }}{{- end }}
+{{- if $oval.enabled }},'{{- $okey }}'{{- end }}
 {{- end }}
 {{- end }}
- {{- end }}
+ {{- end -}}
+ ]
 {{- end }}
From b8c3df18c905b54ff30fb6e4ecb0b85d1f701cf3 Mon Sep 17 00:00:00 2001
From: adam Date: Tue, 26 Apr 2022 15:23:16 -0700 Subject: [PATCH 0285/1479] rewrite passed-apps string --- science-platform/templates/_helpers.tpl | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/science-platform/templates/_helpers.tpl b/science-platform/templates/_helpers.tpl
index b8c4c8371c..565b7bf3e3 100644
--- a/science-platform/templates/_helpers.tpl
+++ b/science-platform/templates/_helpers.tpl
@@ -1,13 +1,12 @@
 {{/* vim: set filetype=mustache: */}}
 {{- define "enabled_services" -}}
-['argocd'
+argocd
 {{- range $okey, $oval := .Values }}
 {{- $otype := typeOf $oval -}}
 {{- if eq $otype "map[string]interface {}" }}
 {{- if hasKey $oval "enabled" }}
-{{- if $oval.enabled }},'{{- $okey }}'{{- end }}
+{{- if $oval.enabled }}@{{- $okey }}{{- end }}
 {{- end }}
 {{- end }}
- {{- end -}}
- ]
+ {{- end }}
 {{- end }}
From 62e9b5df3d7eb78e07bb69b1751910a2d4bdc874 Mon Sep 17 00:00:00 2001
From: adam Date: Tue, 26 Apr 2022 15:25:36 -0700 Subject: [PATCH 0286/1479] add other global variables to telegraf --- science-platform/templates/telegraf-application.yaml | 5 +++++ science-platform/templates/telegraf-ds-application.yaml | 4 ++++ 2 files changed, 9 insertions(+)
diff --git a/science-platform/templates/telegraf-application.yaml b/science-platform/templates/telegraf-application.yaml
index fc926e958f..d973ed5c84 100644
--- a/science-platform/templates/telegraf-application.yaml
+++ b/science-platform/templates/telegraf-application.yaml
@@ -1,3 +1,4 @@
+
 {{- if .Values.telegraf.enabled -}}
 apiVersion: v1
 kind: Namespace
@@ -27,6 +28,10 @@ spec:
 parameters:
 - name: "global.enabled_services"
 value: {{ include "enabled_services" . | quote }}
+ - name: "global.host"
+ value: {{ .Values.fqdn | quote }}
+ - name: "global.vaultSecretsPath"
+ value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
 - values.yaml
 - values-{{ .Values.environment }}.yaml
diff --git a/science-platform/templates/telegraf-ds-application.yaml b/science-platform/templates/telegraf-ds-application.yaml
index ae98af5e1f..330e461e38 100644
--- a/science-platform/templates/telegraf-ds-application.yaml
+++ b/science-platform/templates/telegraf-ds-application.yaml
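Review bot: Nothing in the hunk records why the services are now joined with `@` instead of a comma, or that the first element is the hard-coded `argocd`, yet every consumer of `global.enabled_services` has to split on exactly that character. A template comment before the `define` would fix the contract in place, e.g. `{{/* Enabled services for this environment as one "@"-separated string (Helm --set splits values on ","). argocd is always present and listed first. */}}`. It would also be worth saying there that any top-level `.Values` map with an `enabled` key is reported, since that is what the `hasKey $oval "enabled"` test selects.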
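Review bot: The empty line added as line 1 of telegraf-application.yaml, before `{{- if .Values.telegraf.enabled -}}`, looks accidental; the `{{-` trims it so the output does not change, but the file now starts with a blank line unlike telegraf-ds-application.yaml in the next section, so drop the `+` line. In the `@@ -27,6 +28,10 @@` hunk, `value: {{ .Values.fqdn | quote }}` and `value: {{ .Values.vault_path_prefix | quote }}` render nothing for a missing value as far as I recall sprig's `quote` (it skips nil), leaving `value:` as a YAML null; if both are mandatory for every environment, wrapping them in `required` would turn that into a render error rather than an empty parameter.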
@@ -27,6 +27,10 @@ spec:
 parameters:
 - name: "global.enabled_services"
 value: {{ include "enabled_services" . | quote }}
+ - name: "global.host"
+ value: {{ .Values.fqdn | quote }}
+ - name: "global.vaultSecretsPath"
+ value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
 - values.yaml
 - values-{{ .Values.environment }}.yaml
From 82957d1231b3f3dd457d2193566776296fc97e4b Mon Sep 17 00:00:00 2001
From: Renovate Bot Date: Wed, 27 Apr 2022 01:23:04 +0000 Subject: [PATCH 0287/1479] Update Helm release redis to v16.8.7 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml
index 4dc4ff6f8d..112bed56ac 100644
--- a/services/noteburst/Chart.yaml
+++ b/services/noteburst/Chart.yaml
@@ -14,5 +14,5 @@ maintainers:
 # Additional charts that this chart uses
 dependencies:
 - name: redis
- version: 16.8.5
+ version: 16.8.7
 repository: https://charts.bitnami.com/bitnami
diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml
index d703d1ff7a..c381c398a1 100644
--- a/services/times-square/Chart.yaml
+++ b/services/times-square/Chart.yaml
@@ -16,5 +16,5 @@ dependencies:
 - name: times-square-ui
 version: 1.0.0
 - name: redis
- version: 16.8.5
+ version: 16.8.7
 repository: https://charts.bitnami.com/bitnami
From e3ee2f11c99892b6e2ed8df26e50d63ae4a6bf85 Mon Sep 17 00:00:00 2001
From: adam Date: Tue, 26 Apr 2022 15:21:47 -0700 Subject: [PATCH 0288/1479] Generate configuration with Helm, not externally. --- gen_config/gen_config/__init__.py | 0 gen_config/gen_config/cli_args.py | 14 -- .../gen_config/phalanxconfiggenerator.py | 207 ------------------ gen_config/gen_config/prometheus.py | 16 -- gen_config/gen_config/telegrafdsgenerator.py | 86 -------- gen_config/gen_config/telegrafgenerator.py | 130 ----------- gen_config/requirements.txt | 1 - gen_config/telegraf-generator | 19 -- services/telegraf-ds/templates/configmap.yaml | 28 +++ .../telegraf-ds/templates/vault-secret.yaml | 4 +- services/telegraf-ds/values-base.yaml | 119 ---------- services/telegraf-ds/values-idfdev.yaml | 182 --------------- services/telegraf-ds/values-idfint.yaml | 168 -------------- services/telegraf-ds/values-idfprod.yaml | 161 -------------- services/telegraf-ds/values-int.yaml | 147 ------------- services/telegraf-ds/values-summit.yaml | 126 ----------- services/telegraf-ds/values.yaml | 56 +++-- services/telegraf/templates/configmap.yaml | 67 ++++++ services/telegraf/templates/vault-secret.yaml | 4 +- services/telegraf/values-base.yaml | 119 ---------- services/telegraf/values-idfdev.yaml | 119 ---------- services/telegraf/values-idfint.yaml | 119 ---------- services/telegraf/values-idfprod.yaml | 119 ---------- services/telegraf/values-int.yaml | 103 --------- services/telegraf/values-summit.yaml | 119 ---------- services/telegraf/values.yaml | 52 ++++- 26 files changed, 184 insertions(+), 2101 deletions(-) delete mode 100644 gen_config/gen_config/__init__.py delete mode 100644 gen_config/gen_config/cli_args.py delete mode 100644 gen_config/gen_config/phalanxconfiggenerator.py delete mode 100644 gen_config/gen_config/prometheus.py delete mode 100644 gen_config/gen_config/telegrafdsgenerator.py delete mode 100644 gen_config/gen_config/telegrafgenerator.py delete mode 100644 gen_config/requirements.txt delete mode 100755 gen_config/telegraf-generator create 
mode 100644 services/telegraf-ds/templates/configmap.yaml create mode 100644 services/telegraf/templates/configmap.yaml
diff --git a/gen_config/gen_config/__init__.py b/gen_config/gen_config/__init__.py
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/gen_config/gen_config/cli_args.py b/gen_config/gen_config/cli_args.py
deleted file mode 100644
index cc242a889e..0000000000
--- a/gen_config/gen_config/cli_args.py
+++ /dev/null
@@ -1,14 +0,0 @@
-import argparse
-
-def cli_args() -> argparse.Namespace:
- parser = argparse.ArgumentParser(description="Phalanx Generator CLI")
- parser.add_argument('--debug', '-d', action='store_true',
- help="Enable debugging output")
- parser.add_argument('--loglevel', '--log-level', '-l', default='info',
- help="Log level (standard logging level names)")
- parser.add_argument('--phalanx-root', '-r',
- help="Path to root of phalanx directory")
- parser.add_argument('--dry-run', '-x', action='store_true',
- help="Dry run (output to stdout)")
- return parser.parse_args()
-
diff --git a/gen_config/gen_config/phalanxconfiggenerator.py b/gen_config/gen_config/phalanxconfiggenerator.py
deleted file mode 100644
index c31b755aca..0000000000
--- a/gen_config/gen_config/phalanxconfiggenerator.py
+++ /dev/null
@@ -1,207 +0,0 @@
-#!/usr/bin/env python3
-
-# Run this with no arguments. It will generate the values files in the
-# directory above the one where this script lives.
-#
-# This is handy because, as long as we're specifying the Telegraf TOML
-# directly, which we have to do because telegraf-ds hasn't been updated to
-# template version 2, we can't do the input and output splitting we want to
-# do.
-
-import glob
-import json
-import logging
-import os
-import re
-import sys
-import yaml
-
-from os.path import basename
-from pathlib import Path
-from typing import Any, Dict, Set, Tuple
-
-LOGLEVEL = {"CRITICAL": 50,
- "ERROR": 40,
- "WARNING": 30,
- "INFO": 20,
- "DEBUG": 10,
- "NOTSET": 0
- }
-
-class PhalanxConfigGenerator(object):
- """
- The PhalanxConfigGenerator parses the science-platform configurations
- to determine what services run in which environments. It should then be
- subclassed for particular applications to generate configuration files to
- write.
-
- A subclass (corresponding to a particular Phalanx application) must do the
- following: set self.output_path (generally,
- self.phalanx_root + "/services/") and provide
- an implementation of the build_config() method to generate configuration
- for each instance of the application.
- """
- def __init__(self, *args, **kwargs) -> None:
- loglevel_str=kwargs.get("loglevel","warning")
- self.debug=kwargs.get("debug",False)
- if self.debug:
- loglevel_str="debug"
- loglevel_str=loglevel_str.upper()
- loglevel=LOGLEVEL.get(loglevel_str, 30)
- logging.basicConfig(encoding='utf-8',level=loglevel)
- self.log = logging.getLogger()
- self.template_re = re.compile('(\{\{.*?\}\})')
- self.instances: Dict[str,Any] = {}
- self.applications: Tuple(str) = tuple()
- self.config: Dict[str,str] = {}
- self.namespaces: Dict[str,Set[str]] = {}
- self.phalanx_root: str = kwargs.get("phalanx_root","")
- if not self.phalanx_root:
- try:
- me = Path.resolve(Path(__file__))
- # gen_config/gen_config
- self.phalanx_root = str(me.parents[2])
- except NameError:
- me = Path.resolve(Path(sys.argv[0]))
- # gen_config
- self.phalanx_root = str(me.parents[1])
- self.dry_run: bool = kwargs.get("dry_run", False)
- self.load_phalanx()
- self.log.debug(f"Phalanx root: {self.phalanx_root}")
- self.log.debug(f"Applications: {self.applications}")
-
- def _get_science_platform_path(self) -> str:
- """Convenience method to extract the science-platform root directory.
- """
- me = Path.resolve(Path(sys.argv[0]))
- # ./..[telegraf-ds]/..[services]/science-platform
- sp_path = self.phalanx_root + "/science-platform"
- return sp_path
-
- def load_phalanx(self) -> None:
- """Populate our instance attributes with data from our yaml."""
- self.instances = self.find_instances()
- self.applications = self.find_applications()
- self.namespaces = self.find_app_namespaces()
-
- def find_instances(self) -> Dict[str,Any]:
- """Read the science-platform config to determine which instances
- there are."""
- val_path = self._get_science_platform_path()
- val_files = glob.glob(val_path + "/values-*yaml")
- inst_settings = dict()
- for v in val_files:
- iname = v.split('-')[-1][:-5]
- with open(v) as f:
- inst_settings[iname] = yaml.safe_load(f)
- # ArgoCD is not specified but implicitly present everywhere.
- for inst in inst_settings:
- inst_settings[inst]["argocd"] = { "enabled": True }
- return inst_settings
-
- def find_applications(self) -> Tuple[str]:
- """Find all the defined applications from science-platform config."""
- val_path = self._get_science_platform_path()
- val_file = val_path + "/values.yaml"
- applications = tuple()
- # ArgoCD is implicitly present everwhere
- applications += ("argocd",)
- with open(val_file) as f:
- apps=yaml.safe_load(f)
- for app in apps:
- if "enabled" not in apps[app]:
- continue
- applications += (app,)
- return applications
-
- def find_app_namespaces(self) -> Dict[str,Set[str]]:
- """From our list of applications, parse the application YAML for each
- to determine whether it has namespaces, and create that mapping.
- """
- apps = self.applications
- ns = {}
- for app in apps:
- ns[app] = self.parse_app_template(app)
- return ns
-
- def parse_app_template(self, app:str) -> Set[str]:
- """Read the application definition to extract its namespace(s) if any.
- """
- # In general, if there's a namespace defined for the app, there's
- # only one and it's the app name with _ replaced by -, so all this
- # is kind of superfluous.
- val_path = self._get_science_platform_path()
- namespaces = set()
- if app == "vault_secrets_operator":
- # The namespace is precreated so the read secret can be
- # preinstalled.
- namespaces.add("vault-secrets-operator")
- return namespaces
- if app == "argocd":
- # Implicitly present at all deployments, not specified.
- namespaces.add("argocd")
- return namespaces
- dashapp = app.replace('_', '-')
- app_file = f"{val_path}/templates/{dashapp}-application.yaml"
- detemplated_contents = self.strip_templates(app_file)
- app_docs=yaml.safe_load_all(detemplated_contents)
- for doc in app_docs:
- kind = doc.get("kind","")
- if kind != "Namespace":
- continue
- ns = doc["metadata"]["name"]
- namespaces.add(ns)
- return namespaces
-
- def strip_templates(self, app_file:str) -> str:
- """The config "YAML" is actually Helm-templated yaml. For our
- purposes, just stripping all the templates out works fine.
- """
- contents = ""
- with open(app_file) as f:
- while True:
- inp_l = f.readline()
- if not inp_l:
- break
- outp_l = re.sub(self.template_re,'', inp_l)
- contents += outp_l
- return contents
-
- def build_config(self) -> None:
- """This must be defined in a subclass to build the configuration for
- the particular service. The configuration should be stored in
- self.config, as a dict whose key is a string representing the
- instance name, and whose value is a string holding the yaml for
- that instance's config. Use "generic" for the top-level values.yaml.
- """
- raise NotImplementedError()
-
- def write_config(self) -> None:
- """Write the configuration files, unless self.dry_run is set, in which
- case, just print their contents to stdout."""
- if self.dry_run:
- val_path = "DRY-RUN"
- else:
- if not self.output_path:
- raise RuntimeError(
- "self.output_path must be defined in order to write config")
- val_path = self.output_path
- for instance in self.config:
- if instance == "generic":
- val_file = f"{val_path}/values.yaml"
- else:
- env_name = self.instances[instance]["environment"]
- val_file = f"{val_path}/values-{env_name}.yaml"
- if self.dry_run:
- print(f"---- begin {val_file} ----")
- print(self.config[instance])
- print(f"------ end {val_file} ----")
- else:
- # Don't write if there's no config to write
- if self.config[instance]:
- with open(val_file,"w") as f:
- f.write(self.config[instance])
-
- def run(self) -> None:
- self.build_config()
- self.write_config()
diff --git a/gen_config/gen_config/prometheus.py b/gen_config/gen_config/prometheus.py
deleted file mode 100644
index e66aeae4ed..0000000000
--- a/gen_config/gen_config/prometheus.py
+++ /dev/null
@@ -1,16 +0,0 @@
-prometheus_config = {
- "argocd": {
- "application_controller": "http://argocd-application-controller-metrics.argocd.svc:8082/metrics",
- "notifications_controller": "http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics",
- "redis": "http://argocd-redis-metrics.argocd.svc:9121/metrics",
- "repo_server": "http://argocd-repo-server-metrics.argocd.svc:8084/metrics",
- "server": "http://argocd-server-metrics.argocd.svc:8083/metrics",
- },
- "nublado2": {
- "hub": "http://hub.nublado2:8081/metrics",
- },
- "ingress-nginx": {
- "controller": "http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics",
- },
-}
-
diff --git a/gen_config/gen_config/telegrafdsgenerator.py b/gen_config/gen_config/telegrafdsgenerator.py
deleted file mode 100644
index 7da253a1ba..0000000000
--- a/gen_config/gen_config/telegrafdsgenerator.py
+++ /dev/null
@@ -1,86 +0,0 @@
-from .phalanxconfiggenerator import PhalanxConfigGenerator
-
-class TelegrafDSGenerator(PhalanxConfigGenerator):
- """
- TelegrafDSGenerator generates configuration files for the telegraf-ds
- application.
- """
- def __init__(self, *args, **kwargs) -> None:
- super().__init__(*args, **kwargs)
- self.output_path = self.phalanx_root + "/services/telegraf-ds"
-
- def build_config(self) -> None:
- self.config["generic"] = self.build_generic_yaml()
- for instance in self.instances:
- self.config[instance]=self.build_instance_yaml(instance)
-
- def build_generic_yaml(self) -> None:
- cf='''# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`)
-# shared with telegraf (non-DaemonSet)
-# @default -- None, must be set
-vaultSecretsPath: ""
-telegraf-ds:
- env:
- # -- Token to communicate with Influx
- - name: INFLUX_TOKEN
- valueFrom:
- secretKeyRef:
- name: telegraf
- key: influx-token
-'''
- cf += self.build_telegraf_override_conf("generic")
- return cf
-
- def build_instance_yaml(self, instance:str) -> str:
- inst_obj = self.instances.get(instance, {})
- if not inst_obj.get("telegraf-ds",{}).get("enabled",""):
- return ""
- secrets_path=self.instances[instance].get("vault_path_prefix","")
- cf = f"vaultSecretsPath: \"{secrets_path}\"\n"
- cf += "telegraf-ds:\n"
- cf += self.build_telegraf_override_conf(instance)
- return cf
-
- def build_telegraf_override_conf(self, instance: str) -> str:
- """For each instance, generate the (literal) contents for
- telegraf.conf"""
- endpoint=self.instances.get(instance,{}).get("fqdn","no_endpoint")
- tc = " override_config:\n"
- tc += " toml: |+\n"
- tc += " [global_tags]\n"
- tc += f" cluster = \"{endpoint}\"\n"
- tc += """ [agent]
- hostname = "telegraf-$HOSTIP"
- [[inputs.kubernetes]]
- url = "https://$HOSTIP:10250"
- bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
- insecure_skip_verify = true
- namepass = ["kubernetes_pod_container"]
- fieldpass = ["cpu_usage_nanocores",
"memory_usage_bytes"]
-"""
- tc += self.build_outputs(instance)
- return tc
-
- def build_outputs(self, instance: str) -> str:
- """For each instance, generate the list of outputs, one for each
- enabled service.
- """
- outp = ""
- i_obj = self.instances.get(instance, {})
- for app in self.applications:
- if not i_obj.get(app,{}).get("enabled",False):
- continue
- namespace_set = self.namespaces.get(app, None)
- if not namespace_set:
- continue
- for namespace in namespace_set:
- outp +=''' [[outputs.influxdb_v2]]
- urls = ["https://monitoring.lsst.codes"]
- token = "$INFLUX_TOKEN"
- organization = "square"
-'''
- bucket = namespace.replace("-", "_")
- outp += f" bucket = \"{bucket}\"\n"
- outp += " [outputs.influxdb_v2.tagpass]\n"
- outp += f" namespace = [\"{namespace}\"]\n"
- return outp
diff --git a/gen_config/gen_config/telegrafgenerator.py b/gen_config/gen_config/telegrafgenerator.py
deleted file mode 100644
index f5440547a2..0000000000
--- a/gen_config/gen_config/telegrafgenerator.py
+++ /dev/null
@@ -1,130 +0,0 @@
-import yaml
-
-from .phalanxconfiggenerator import PhalanxConfigGenerator
-from .prometheus import prometheus_config
-
-from typing import Any, Dict
-
-class TelegrafGenerator(PhalanxConfigGenerator):
- """
- TelegrafGenerator generates configuration files for the telegraf
- application.
- """
- def __init__(self, *args, **kwargs) -> None:
- super().__init__(*args, **kwargs)
- self.output_path = self.phalanx_root + "/services/telegraf"
-
- def build_config(self) -> None:
- self.config["generic"] = self.build_generic_yaml()
- for instance in self.instances:
- self.config[instance]=self.build_instance_yaml(instance)
-
- def build_generic_yaml(self) -> None:
- obj = {
- "telegraf": {
- # -- Allow network access to JupyterHub pod.
- "podLabels": {
- "hub.jupyter.org/network-access-hub": "true",
- },
- "env": [
- {
- # -- Token to communicate with InfluxDB_v2
- "name": "INFLUX_TOKEN",
- "valueFrom": {
- "secretKeyRef": {
- "name": "telegraf",
- "key": "influx-token",
- },
- },
- },
- ],
- "service": {
- # -- Telegraf service.
- "enabled": False,
- },
- "config": {
- "agent": {
- "omit_hostname": True,
- },
- "global_tags": {
- # -- Cluster name -- should be FQDN of RSP endpoint
- # @default -- None: must be set
- "cluster": "",
- },
- },
- "tplVersion": 2,
- },
- # -- Path to the Vault secrets
- # -- (`secret/k8s_operator/`)
- # @default -- None: must be set
- "vaultSecretsPath": "",
- }
- return yaml.dump(obj)
-
- def build_instance_yaml(self, instance:str) -> str:
- inst_obj = self.instances.get(instance, {})
- if not inst_obj:
- return ""
- # If telegraf isn't enabled for the site, don't write anything.
- if not inst_obj.get("telegraf", {}).get("enabled", ""):
- return ""
- secrets_path=inst_obj.get("vault_path_prefix","")
- cluster = inst_obj.get("fqdn","")
- obj = { "vaultSecretsPath": secrets_path,
- "telegraf": {
- "config": {
- "global_tags": {
- "cluster": cluster,
- },
- "outputs": [],
- "inputs": [],
- },
- },
- }
- for app in prometheus_config:
- if not inst_obj.get(app.replace('-','_'),
- {}).get("enabled",False):
- continue
- # The app is enabled, so we should monitor it.
- for service in prometheus_config[app]:
- # Construct the outputs (bucket-separated)
- out_obj = self.make_output_object(app, service)
- obj["telegraf"]["config"]["outputs"].append(out_obj)
- # Construct the inputs (Prometheus metric endpoints)
- inp_obj = self.make_input_object(app, service)
- obj["telegraf"]["config"]["inputs"].append(inp_obj)
- return yaml.dump(obj)
-
-
- def make_input_object(self, app: str, service: str) -> Dict[str, Any]:
- obj={
- "prometheus": {
- "urls": [
- prometheus_config[app][service],
- ],
- "tags": {
- "prometheus_app": app.replace("-","_"),
- },
- "name_override": f"prometheus_{service}",
- "metric_version": 2,
- },
- }
- return obj
-
- def make_output_object(self, app: str, service: str) -> Dict[str, Any]:
- obj = {
- "influxdb_v2": {
- "urls": [
- "https://monitoring.lsst.codes",
- ],
- "bucket": app.replace("-","_"),
- "token": "$INFLUX_TOKEN",
- "organization": "square",
- "tagpass": {
- "prometheus_app": [
- app.replace("-","_"),
- ],
- },
- },
- }
- return obj
diff --git a/gen_config/requirements.txt b/gen_config/requirements.txt
deleted file mode 100644
index 5500f007d0..0000000000
--- a/gen_config/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-PyYAML
diff --git a/gen_config/telegraf-generator b/gen_config/telegraf-generator
deleted file mode 100755
index 7e0087e099..0000000000
--- a/gen_config/telegraf-generator
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/env python3
-from gen_config.cli_args import cli_args
-from gen_config.telegrafgenerator import TelegrafGenerator
-from gen_config.telegrafdsgenerator import TelegrafDSGenerator
-
-def main() -> None:
- args = cli_args()
- TelegrafDSGenerator(debug=args.debug,
- dry_run=args.dry_run,
- loglevel=args.loglevel,
- phalanx_root=args.phalanx_root).run()
- TelegrafGenerator(debug=args.debug,
- dry_run=args.dry_run,
- loglevel=args.loglevel,
- phalanx_root=args.phalanx_root).run()
-
-
-if __name__ == "__main__":
- main()
diff --git a/services/telegraf-ds/templates/configmap.yaml b/services/telegraf-ds/templates/configmap.yaml
new file mode 100644
index 0000000000..d10725e357
--- /dev/null
+++ b/services/telegraf-ds/templates/configmap.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: telegraf-generated-config
+data:
+ telegraf-generated.conf: |+
+ [global_tags]
+ cluster = {{- .Values.global.host | quote }}
+ [agent]
+ hostname = "telegraf-$HOSTIP"
+
+ [[inputs.kubernetes]]
+ url = "https://$HOSTIP:10250"
+ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ insecure_skip_verify = true
+ namepass = ["kubernetes_pod_container"]
+ fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"]
+ {{ range $app := splitList "@" .Values.global.enabled_services }}
+ {{- $bucket := replace "-" "_" $app }}
+ {{- $namespace := replace "_" "-" $app }}
+ [[outputs.influxdb_v2]]
+ urls = ["https://monitoring.lsst.codes"]
+ token = "$INFLUX_TOKEN"
+ organization = "square"
+ bucket = {{ $bucket | quote }}
+ [outputs.influxdb_v2.tagpass]
+ namespace = [{{ $namespace | quote }}]
+ {{ end }}
diff --git a/services/telegraf-ds/templates/vault-secret.yaml b/services/telegraf-ds/templates/vault-secret.yaml
index cd3ac2d7d9..643487069f 100644
--- a/services/telegraf-ds/templates/vault-secret.yaml
+++ b/services/telegraf-ds/templates/vault-secret.yaml
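Review bot: `cluster = {{- .Values.global.host | quote }}` in the new configmap.yaml renders as `cluster =` with no value when `global.host` is not passed in (sprig's `quote` emits nothing for nil, as far as I recall), which Telegraf only rejects when the DaemonSet starts; `cluster = {{ required "global.host must be set" .Values.global.host | quote }}` fails the render instead, and `splitList "@" .Values.global.enabled_services` deserves the same guard since it errors on a nil value. The `{{-` also trims the space before the quoted value (`cluster ="..."`), unlike `bucket = {{ $bucket | quote }}` further down, so the dash is better dropped for consistency. `insecure_skip_verify = true` on the kubelet input is carried over verbatim from the generated TOML that this commit deletes; now that the config is a template it is worth turning into a value with a comment on why the kubelet serving certificate cannot be verified, so environments whose kubelet certificate chains to a CA the pod can mount (for example via Telegraf's `tls_ca`) can turn it off. The values.yaml changes in this commit are not in view, so defaults there may already cover the first point.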
@@ -5,7 +5,7 @@ metadata:
 namespace: telegraf-ds
 spec:
 # Use regular telegraf path--it's the same secret
- path: {{ .Values.vaultSecretsPath }}/telegraf
+ path: {{ .Values.global.vaultSecretsPath }}/telegraf
 type: Opaque
 ---
 apiVersion: ricoberger.de/v1alpha1
@@ -13,5 +13,5 @@ kind: VaultSecret
 metadata:
 name: pull-secret
 spec:
- path: {{ .Values.vaultSecretsPath }}/pull-secret
+ path: {{ .Values.global.vaultSecretsPath }}/pull-secret
 type: kubernetes.io/dockerconfigjson
diff --git a/services/telegraf-ds/values-base.yaml b/services/telegraf-ds/values-base.yaml
index c727d1cd09..e69de29bb2 100644
--- a/services/telegraf-ds/values-base.yaml
+++ b/services/telegraf-ds/values-base.yaml
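Review bot: `path: {{ .Values.global.vaultSecretsPath }}/telegraf` silently becomes `path: /telegraf` when the global is not passed in, and the `@@ -13,5 +13,5 @@` hunk for pull-secret has the same shape, so a misconfigured environment would ask the operator for a non-existent Vault path rather than failing the render; `path: {{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/telegraf` makes the failure explicit at sync time. The values.yaml changes in this commit are not in view, so a default there may already cover this.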
@@ -1,119 +0,0 @@ -vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes" -telegraf-ds: - override_config: - toml: |+ - [global_tags] - cluster = "base-lsp.lsst.codes" - [agent] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "argocd" - [outputs.influxdb_v2.tagpass] - namespace = ["argocd"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "exposurelog" - [outputs.influxdb_v2.tagpass] - namespace = ["exposurelog"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - 
token = "$INFLUX_TOKEN" - organization = "square" - bucket = "narrativelog" - [outputs.influxdb_v2.tagpass] - namespace = ["narrativelog"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-idfdev.yaml b/services/telegraf-ds/values-idfdev.yaml index 5fbe246a2b..e69de29bb2 100644 --- a/services/telegraf-ds/values-idfdev.yaml +++ b/services/telegraf-ds/values-idfdev.yaml 
@@ -1,182 +0,0 @@ -vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud" -telegraf-ds: - override_config: - toml: |+ - [global_tags] - cluster = "data-dev.lsst.cloud" - [agent] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "argocd" - [outputs.influxdb_v2.tagpass] - namespace = ["argocd"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "datalinker" - [outputs.influxdb_v2.tagpass] - namespace = ["datalinker"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = 
"$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "noteburst" - [outputs.influxdb_v2.tagpass] - namespace = ["noteburst"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "obstap" - [outputs.influxdb_v2.tagpass] - namespace = ["obstap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sasquatch" - [outputs.influxdb_v2.tagpass] - namespace = ["sasquatch"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "semaphore" - [outputs.influxdb_v2.tagpass] - namespace = ["semaphore"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = 
["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "strimzi" - [outputs.influxdb_v2.tagpass] - namespace = ["strimzi"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "times_square" - [outputs.influxdb_v2.tagpass] - namespace = ["times-square"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-idfint.yaml b/services/telegraf-ds/values-idfint.yaml index 4b6029926f..e69de29bb2 100644 --- a/services/telegraf-ds/values-idfint.yaml +++ b/services/telegraf-ds/values-idfint.yaml 
@@ -1,168 +0,0 @@ -vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud" -telegraf-ds: - override_config: - toml: |+ - [global_tags] - cluster = "data-int.lsst.cloud" - [agent] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "argocd" - [outputs.influxdb_v2.tagpass] - namespace = ["argocd"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "datalinker" - [outputs.influxdb_v2.tagpass] - namespace = ["datalinker"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = 
"$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "obstap" - [outputs.influxdb_v2.tagpass] - namespace = ["obstap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "plot_navigator" - [outputs.influxdb_v2.tagpass] - namespace = ["plot-navigator"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "semaphore" - [outputs.influxdb_v2.tagpass] - namespace = ["semaphore"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = 
["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vo_cutouts" - [outputs.influxdb_v2.tagpass] - namespace = ["vo-cutouts"] diff --git a/services/telegraf-ds/values-idfprod.yaml b/services/telegraf-ds/values-idfprod.yaml index 88e60eb1a5..e69de29bb2 100644 --- a/services/telegraf-ds/values-idfprod.yaml +++ b/services/telegraf-ds/values-idfprod.yaml 
@@ -1,161 +0,0 @@ -vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud" -telegraf-ds: - override_config: - toml: |+ - [global_tags] - cluster = "data.lsst.cloud" - [agent] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "argocd" - [outputs.influxdb_v2.tagpass] - namespace = ["argocd"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "datalinker" - [outputs.influxdb_v2.tagpass] - namespace = ["datalinker"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - 
organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "obstap" - [outputs.influxdb_v2.tagpass] - namespace = ["obstap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "semaphore" - [outputs.influxdb_v2.tagpass] - namespace = ["semaphore"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = 
"$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vo_cutouts" - [outputs.influxdb_v2.tagpass] - namespace = ["vo-cutouts"] diff --git a/services/telegraf-ds/values-int.yaml b/services/telegraf-ds/values-int.yaml index 3dae0bcab2..e69de29bb2 100644 --- a/services/telegraf-ds/values-int.yaml +++ b/services/telegraf-ds/values-int.yaml 
@@ -1,147 +0,0 @@ -vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu" -telegraf-ds: - override_config: - toml: |+ - [global_tags] - cluster = "lsst-lsp-int.ncsa.illinois.edu" - [agent] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "argocd" - [outputs.influxdb_v2.tagpass] - namespace = ["argocd"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "datalinker" - [outputs.influxdb_v2.tagpass] - namespace = ["datalinker"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "mobu" - [outputs.influxdb_v2.tagpass] - namespace = ["mobu"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = 
"$INFLUX_TOKEN" - organization = "square" - bucket = "obstap" - [outputs.influxdb_v2.tagpass] - namespace = ["obstap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sasquatch" - [outputs.influxdb_v2.tagpass] - namespace = ["sasquatch"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "strimzi" - [outputs.influxdb_v2.tagpass] - namespace = ["strimzi"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap" - [outputs.influxdb_v2.tagpass] - namespace = ["tap"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "tap_schema" - [outputs.influxdb_v2.tagpass] - namespace = ["tap-schema"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - 
token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values-summit.yaml b/services/telegraf-ds/values-summit.yaml index d2fb7ef7ae..e69de29bb2 100644 --- a/services/telegraf-ds/values-summit.yaml +++ b/services/telegraf-ds/values-summit.yaml 
@@ -1,126 +0,0 @@ -vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes" -telegraf-ds: - override_config: - toml: |+ - [global_tags] - cluster = "summit-lsp.lsst.codes" - [agent] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "argocd" - [outputs.influxdb_v2.tagpass] - namespace = ["argocd"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cachemachine" - [outputs.influxdb_v2.tagpass] - namespace = ["cachemachine"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "cert_manager" - [outputs.influxdb_v2.tagpass] - namespace = ["cert-manager"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "exposurelog" - [outputs.influxdb_v2.tagpass] - namespace = ["exposurelog"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "gafaelfawr" - [outputs.influxdb_v2.tagpass] - namespace = ["gafaelfawr"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "ingress_nginx" - [outputs.influxdb_v2.tagpass] - namespace = ["ingress-nginx"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "moneypenny" - [outputs.influxdb_v2.tagpass] - namespace = ["moneypenny"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - 
token = "$INFLUX_TOKEN" - organization = "square" - bucket = "narrativelog" - [outputs.influxdb_v2.tagpass] - namespace = ["narrativelog"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "nublado2" - [outputs.influxdb_v2.tagpass] - namespace = ["nublado2"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "portal" - [outputs.influxdb_v2.tagpass] - namespace = ["portal"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "postgres" - [outputs.influxdb_v2.tagpass] - namespace = ["postgres"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "sherlock" - [outputs.influxdb_v2.tagpass] - namespace = ["sherlock"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "squareone" - [outputs.influxdb_v2.tagpass] - namespace = ["squareone"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "telegraf_ds" - [outputs.influxdb_v2.tagpass] - namespace = ["telegraf-ds"] - [[outputs.influxdb_v2]] - urls = ["https://monitoring.lsst.codes"] - token = "$INFLUX_TOKEN" - organization = "square" - bucket = "vault_secrets_operator" - [outputs.influxdb_v2.tagpass] - namespace = ["vault-secrets-operator"] diff --git a/services/telegraf-ds/values.yaml b/services/telegraf-ds/values.yaml index 2ffb19b347..b797e12a96 100644 --- a/services/telegraf-ds/values.yaml +++ b/services/telegraf-ds/values.yaml 
@@ -1,24 +1,44 @@ -# -- Path to the Vault secrets (`secret/k8s_operator//telegraf`) -# shared with telegraf (non-DaemonSet) -# @default -- None, must be set -vaultSecretsPath: "" telegraf-ds: + args: + - "--config" + - "/etc/telegraf-generated/telegraf-generated.conf" env: # -- Token to communicate with Influx - - name: INFLUX_TOKEN - valueFrom: - secretKeyRef: - name: telegraf - key: influx-token + - name: INFLUX_TOKEN + valueFrom: + secretKeyRef: + name: telegraf + key: influx-token + rbac: + create: true + + serviceAccount: + name: telegraf-ds + + # Set to effectively empty and just use generated config instead. override_config: toml: |+ - [global_tags] - cluster = "no_endpoint" [agent] - hostname = "telegraf-$HOSTIP" - [[inputs.kubernetes]] - url = "https://$HOSTIP:10250" - bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" - insecure_skip_verify = true - namepass = ["kubernetes_pod_container"] - fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + logfile="" + volumes: + - name: telegraf-generated-config + configMap: + name: "telegraf-generated-config" + mountPoints: + - name: telegraf-generated-config + mountPath: /etc/telegraf-generated + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- services enabled in this RSP instance + # @default -- Set by Argo CD + enabled_services: "" + + # -- Host name for instance identification + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/telegraf/templates/configmap.yaml b/services/telegraf/templates/configmap.yaml new file mode 100644 index 0000000000..7b1bf94d7b --- /dev/null +++ b/services/telegraf/templates/configmap.yaml 
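Review bot: The two-line stub left in `override_config.toml` writes `logfile=""` without the spaces around `=` that every other TOML line in this commit uses (the generated config has `logfile = ""`), so `logfile = ""` would keep the two files reading as the same dialect. The new `global.enabled_services` key is documented only as "services enabled in this RSP instance"; if it is consumed the way services/telegraf/templates/configmap.yaml consumes its copy (`splitList "@"`), the encoding belongs in the comment, e.g. `# -- services enabled in this RSP instance, as an "@"-separated list of names`. The ConfigMap name is quoted in `configMap.name` but bare in `volumes[].name` and `mountPoints[].name`; one form for all three would be cleaner.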
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: telegraf-generated-config
+data:
+ telegraf-generated.conf: |
+ {{- $enabled_apps := splitList "@" .Values.global.enabled_services }}
+ [global_tags]
+ cluster = {{- .Values.global.host | quote }}
+ [agent]
+ hostname = "$HOSTNAME"
+ omit_hostname = true
+ interval = "10s"
+ flush_interval = "10s"
+ logfile = ""
+ metric_batch_size = 1000
+ metric_buffer_limit = 10000
+
+ [[processors.enum]]
+ [[processors.enum.mapping]]
+ dest = "status_code"
+ field = "status"
+ [processors.enum.mapping.value_mappings]
+ healthy = 1
+ problem = 2
+ critical = 3
+
+ [[inputs.internal]]
+ collect_memstats = false
+
+
+ {{- range $raw_app_name, $defn := .Values.prometheus_config }}
+ {{- $app_name := replace "-" "_" $raw_app_name }}
+ {{- if has $app_name $enabled_apps }}
+ {{- range $component, $endpoint := $defn }}
+
+ [[inputs.prometheus]]
+ metric_version = 2
+ name_override = "prometheus_{{ $component }}"
+ urls = [
+ {{ $endpoint | quote }}
+ ]
+ [inputs.prometheus.tags]
+ prometheus_app = {{ $app_name | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{- range $raw_app_name, $defn := .Values.prometheus_config }}
+ {{- $app_name := replace "-" "_" $raw_app_name }}
+ {{- if has $app_name $enabled_apps }}
+ {{- range $component, $endpoint := $defn }}
+
+ [[outputs.influxdb_v2]]
+ bucket = {{ $app_name | quote }}
+ organization = "square"
+ token = "$INFLUX_TOKEN"
+ urls = [
+ "https://monitoring.lsst.codes"
+ ]
+ [outputs.influxdb_v2.tagpass]
+ prometheus_app = [
+ {{ $app_name | quote }}
+ ]
+ {{- end }}
+ {{- end }}
+ {{- end }}
diff --git a/services/telegraf/templates/vault-secret.yaml b/services/telegraf/templates/vault-secret.yaml
index b6c046ae26..8370543c85 100644
--- a/services/telegraf/templates/vault-secret.yaml
+++ b/services/telegraf/templates/vault-secret.yaml
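Review bot: The outputs loop at the end of the template ranges over `$component, $endpoint := $defn` just like the inputs loop, but nothing inside it depends on the component, so an app with several scraped endpoints (argocd has five in the values files this commit deletes) gets that many identical `[[outputs.influxdb_v2]]` sections with the same bucket and the same `tagpass`, and every metric for that app is written to Influx once per section. The deleted values-base.yaml shows the same duplication, so this may be carried over rather than intended; dropping the inner `{{- range $component, $endpoint := $defn }}` and its matching `{{- end }}` from the second loop leaves one output per enabled app. Separately, `cluster = {{- .Values.global.host | quote }}` trims the space before the value at render time (`cluster ="…"`), which TOML accepts but reads oddly next to the other assignments; `cluster = {{ .Values.global.host | quote }}` without the dash renders cleanly.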
@@ -4,7 +4,7 @@ metadata: name: telegraf namespace: telegraf spec: - path: {{ .Values.vaultSecretsPath }}/telegraf + path: {{ .Values.global.vaultSecretsPath }}/telegraf type: Opaque --- apiVersion: ricoberger.de/v1alpha1 @@ -12,5 +12,5 @@ kind: VaultSecret metadata: name: pull-secret spec: - path: {{ .Values.vaultSecretsPath }}/pull-secret + path: {{ .Values.global.vaultSecretsPath }}/pull-secret type: kubernetes.io/dockerconfigjson diff --git a/services/telegraf/values-base.yaml b/services/telegraf/values-base.yaml index 344f8af839..e69de29bb2 100644 --- a/services/telegraf/values-base.yaml +++ b/services/telegraf/values-base.yaml 
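Review bot: Both hunks in this file render `{{ .Values.global.vaultSecretsPath }}` unguarded, and the telegraf-ds values.yaml in this same commit defaults the same key to `""` (the telegraf chart's own default is not in view), so a chart rendered without the Argo CD parameter silently produces `path: /telegraf` and `path: /pull-secret` instead of failing. Wrapping the value, e.g. `path: {{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/telegraf` and the same for the pull-secret hunk, turns a missing parameter into a template error rather than a VaultSecret pointing at the wrong path.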
@@ -1,119 +0,0 @@ -telegraf: - config: - global_tags: - cluster: base-lsp.lsst.codes - inputs: - - prometheus: - metric_version: 2 - name_override: prometheus_application_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_notifications_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_redis - tags: - prometheus_app: argocd - urls: - - http://argocd-redis-metrics.argocd.svc:9121/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_repo_server - tags: - prometheus_app: argocd - urls: - - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_server - tags: - prometheus_app: argocd - urls: - - http://argocd-server-metrics.argocd.svc:8083/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_hub - tags: - prometheus_app: nublado2 - urls: - - http://hub.nublado2:8081/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_controller - tags: - prometheus_app: ingress_nginx - urls: - - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics - outputs: - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - 
https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: nublado2 - organization: square - tagpass: - prometheus_app: - - nublado2 - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: ingress_nginx - organization: square - tagpass: - prometheus_app: - - ingress_nginx - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes -vaultSecretsPath: secret/k8s_operator/base-lsp.lsst.codes diff --git a/services/telegraf/values-idfdev.yaml b/services/telegraf/values-idfdev.yaml index afb57b370d..e69de29bb2 100644 --- a/services/telegraf/values-idfdev.yaml +++ b/services/telegraf/values-idfdev.yaml 
@@ -1,119 +0,0 @@ -telegraf: - config: - global_tags: - cluster: data-dev.lsst.cloud - inputs: - - prometheus: - metric_version: 2 - name_override: prometheus_application_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_notifications_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_redis - tags: - prometheus_app: argocd - urls: - - http://argocd-redis-metrics.argocd.svc:9121/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_repo_server - tags: - prometheus_app: argocd - urls: - - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_server - tags: - prometheus_app: argocd - urls: - - http://argocd-server-metrics.argocd.svc:8083/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_hub - tags: - prometheus_app: nublado2 - urls: - - http://hub.nublado2:8081/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_controller - tags: - prometheus_app: ingress_nginx - urls: - - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics - outputs: - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - 
https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: nublado2 - organization: square - tagpass: - prometheus_app: - - nublado2 - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: ingress_nginx - organization: square - tagpass: - prometheus_app: - - ingress_nginx - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes -vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/telegraf/values-idfint.yaml b/services/telegraf/values-idfint.yaml index fb6dd53080..e69de29bb2 100644 --- a/services/telegraf/values-idfint.yaml +++ b/services/telegraf/values-idfint.yaml 
@@ -1,119 +0,0 @@ -telegraf: - config: - global_tags: - cluster: data-int.lsst.cloud - inputs: - - prometheus: - metric_version: 2 - name_override: prometheus_application_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_notifications_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_redis - tags: - prometheus_app: argocd - urls: - - http://argocd-redis-metrics.argocd.svc:9121/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_repo_server - tags: - prometheus_app: argocd - urls: - - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_server - tags: - prometheus_app: argocd - urls: - - http://argocd-server-metrics.argocd.svc:8083/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_hub - tags: - prometheus_app: nublado2 - urls: - - http://hub.nublado2:8081/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_controller - tags: - prometheus_app: ingress_nginx - urls: - - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics - outputs: - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - 
https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: nublado2 - organization: square - tagpass: - prometheus_app: - - nublado2 - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: ingress_nginx - organization: square - tagpass: - prometheus_app: - - ingress_nginx - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes -vaultSecretsPath: secret/k8s_operator/data-int.lsst.cloud diff --git a/services/telegraf/values-idfprod.yaml b/services/telegraf/values-idfprod.yaml index ef408821a8..e69de29bb2 100644 --- a/services/telegraf/values-idfprod.yaml +++ b/services/telegraf/values-idfprod.yaml 
@@ -1,119 +0,0 @@ -telegraf: - config: - global_tags: - cluster: data.lsst.cloud - inputs: - - prometheus: - metric_version: 2 - name_override: prometheus_application_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_notifications_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_redis - tags: - prometheus_app: argocd - urls: - - http://argocd-redis-metrics.argocd.svc:9121/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_repo_server - tags: - prometheus_app: argocd - urls: - - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_server - tags: - prometheus_app: argocd - urls: - - http://argocd-server-metrics.argocd.svc:8083/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_hub - tags: - prometheus_app: nublado2 - urls: - - http://hub.nublado2:8081/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_controller - tags: - prometheus_app: ingress_nginx - urls: - - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics - outputs: - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - 
https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: nublado2 - organization: square - tagpass: - prometheus_app: - - nublado2 - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: ingress_nginx - organization: square - tagpass: - prometheus_app: - - ingress_nginx - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes -vaultSecretsPath: secret/k8s_operator/data.lsst.cloud diff --git a/services/telegraf/values-int.yaml b/services/telegraf/values-int.yaml index 35df82cf86..e69de29bb2 100644 --- a/services/telegraf/values-int.yaml +++ b/services/telegraf/values-int.yaml 
@@ -1,103 +0,0 @@ -telegraf: - config: - global_tags: - cluster: lsst-lsp-int.ncsa.illinois.edu - inputs: - - prometheus: - metric_version: 2 - name_override: prometheus_application_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_notifications_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_redis - tags: - prometheus_app: argocd - urls: - - http://argocd-redis-metrics.argocd.svc:9121/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_repo_server - tags: - prometheus_app: argocd - urls: - - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_server - tags: - prometheus_app: argocd - urls: - - http://argocd-server-metrics.argocd.svc:8083/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_hub - tags: - prometheus_app: nublado2 - urls: - - http://hub.nublado2:8081/metrics - outputs: - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - 
influxdb_v2: - bucket: nublado2 - organization: square - tagpass: - prometheus_app: - - nublado2 - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes -vaultSecretsPath: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu diff --git a/services/telegraf/values-summit.yaml b/services/telegraf/values-summit.yaml index dcca9bf146..e69de29bb2 100644 --- a/services/telegraf/values-summit.yaml +++ b/services/telegraf/values-summit.yaml 
@@ -1,119 +0,0 @@ -telegraf: - config: - global_tags: - cluster: summit-lsp.lsst.codes - inputs: - - prometheus: - metric_version: 2 - name_override: prometheus_application_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-application-controller-metrics.argocd.svc:8082/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_notifications_controller - tags: - prometheus_app: argocd - urls: - - http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_redis - tags: - prometheus_app: argocd - urls: - - http://argocd-redis-metrics.argocd.svc:9121/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_repo_server - tags: - prometheus_app: argocd - urls: - - http://argocd-repo-server-metrics.argocd.svc:8084/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_server - tags: - prometheus_app: argocd - urls: - - http://argocd-server-metrics.argocd.svc:8083/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_hub - tags: - prometheus_app: nublado2 - urls: - - http://hub.nublado2:8081/metrics - - prometheus: - metric_version: 2 - name_override: prometheus_controller - tags: - prometheus_app: ingress_nginx - urls: - - http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics - outputs: - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - 
https://monitoring.lsst.codes - - influxdb_v2: - bucket: argocd - organization: square - tagpass: - prometheus_app: - - argocd - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: nublado2 - organization: square - tagpass: - prometheus_app: - - nublado2 - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes - - influxdb_v2: - bucket: ingress_nginx - organization: square - tagpass: - prometheus_app: - - ingress_nginx - token: $INFLUX_TOKEN - urls: - - https://monitoring.lsst.codes -vaultSecretsPath: secret/k8s_operator/summit-lsp.lsst.codes diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml index 8e487a477e..e151cd2c27 100644 --- a/services/telegraf/values.yaml +++ b/services/telegraf/values.yaml @@ -1,9 +1,15 @@ telegraf: + # Remove processors, inputs and outputs: use generated config instead. config: - agent: - omit_hostname: true - global_tags: - cluster: '' + processors: [] + inputs: [] + outputs: [] + args: + - "--config" + - "/etc/telegraf-generated/telegraf-generated.conf" + # We need the additional rules for prometheus scraping. + rbac: + clusterWide: true env: - name: INFLUX_TOKEN valueFrom: 
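Review bot: `rbac.clusterWide: true` grants Telegraf a cluster-wide role, but the only scrape targets this commit configures are the fixed URLs listed under `prometheus_config` in the next hunk, and the inline comment does not say which Kubernetes API calls need the wider grant. If the generated config only polls those URLs and does not use the prometheus input's Kubernetes service discovery, the cluster-wide ClusterRole can be dropped in favour of the chart's namespaced default; if discovery is planned, say so, e.g. `# Cluster-wide RBAC is required for the prometheus input's pod/service discovery; the static URL scrape alone does not need it.`. The generated ConfigMap that `--config` points at is not part of this hunk, so I cannot confirm which case applies.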
@@ -15,4 +21,40 @@ telegraf: service: enabled: false tplVersion: 2 -vaultSecretsPath: '' + volumes: + - name: telegraf-generated-config + configMap: + name: telegraf-generated-config + mountPoints: + - name: telegraf-generated-config + mountPath: /etc/telegraf-generated + +# -- Use prometheus_config to specify all the services in the RSP that +# expose prometheus endpoints. A better option, eventually, will be to +# use telegraf-operator and capture these as pod annotations. +prometheus_config: + argocd: + application_controller: "http://argocd-application-controller-metrics.argocd.svc:8082/metrics" + notifications_controller: "http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics" + redis: "http://argocd-redis-metrics.argocd.svc:9121/metrics" + repo_server: "http://argocd-repo-server-metrics.argocd.svc:8084/metrics" + server: "http://argocd-server-metrics.argocd.svc:8083/metrics" + nublado2: + hub: "http://hub.nublado2:8081/metrics" + ingress-nginx: + controller: "http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics" + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- services enabled in this RSP instance + # @default -- Set by Argo CD + enabled_services: "" + + # -- Host name for instance identification + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From 1388c2e4da018827e919d2d8018e7d947dff5cb2 Mon Sep 17 00:00:00 2001 
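Review bot: `ingress-nginx` under `prometheus_config` is the only kebab-case key among snake_case siblings (`argocd`, `nublado2`), and the per-environment files deleted earlier in this commit used `ingress_nginx` for both the InfluxDB bucket and the `prometheus_app` tag. If the generator derives bucket or tag names from these keys, the hyphen will silently change the bucket written to; `ingress_nginx:` keeps the old name. The ConfigMap `telegraf-generated-config` referenced by the new volume is created outside this hunk, so I cannot check how the keys are consumed.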
From: Colin Slater Date: Thu, 3 Feb 2022 11:12:37 -0800 Subject: [PATCH 0289/1479] Add production-tools. --- .../production-tools-application.yaml | 26 +++++++++++++++++++ science-platform/values-base.yaml | 2 ++ science-platform/values-idfdev.yaml | 2 ++ science-platform/values-idfint.yaml | 2 ++ science-platform/values-idfprod.yaml | 2 ++ science-platform/values-int.yaml | 2 ++ science-platform/values-minikube.yaml | 2 ++ science-platform/values-roe.yaml | 2 ++ science-platform/values-squash-sandbox.yaml | 2 ++ science-platform/values-stable.yaml | 2 ++ science-platform/values-summit.yaml | 2 ++ science-platform/values-tucson-teststand.yaml | 2 ++ science-platform/values.yaml | 2 ++ services/production-tools/Chart.yaml | 7 +++++ services/production-tools/values-idfint.yaml | 13 ++++++++++ 15 files changed, 70 insertions(+) create mode 100644 science-platform/templates/production-tools-application.yaml create mode 100644 services/production-tools/Chart.yaml create mode 100644 services/production-tools/values-idfint.yaml diff --git a/science-platform/templates/production-tools-application.yaml b/science-platform/templates/production-tools-application.yaml new file mode 100644 index 0000000000..48ff5122d7 --- /dev/null +++ b/science-platform/templates/production-tools-application.yaml @@ -0,0 +1,26 @@ +{{- if .Values.production_tools.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: production-tools +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: production-tools + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: production-tools + server: https://kubernetes.default.svc + project: default + source: + path: services/production-tools + repoURL: {{ .Values.repoURL }} + targetRevision: {{ .Values.revision }} + helm: + valueFiles: + - values-{{ .Values.environment }}.yaml +{{- end -}} 
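Review bot: `repoURL: {{ .Values.repoURL }}` and `targetRevision: {{ .Values.revision }}` render as plain scalars, so a revision such as `1.10` or a branch named `true` would be retyped by the YAML parser before Argo CD sees it; `targetRevision: {{ .Values.revision | quote }}` (and the same for `repoURL`) avoids this. The Application is also placed in `project: default`, which in Argo CD permits any source repository and destination; a dedicated AppProject with `sourceRepos` limited to this repository would bound what this Application can deploy. Both patterns are probably shared with the sibling `*-application.yaml` templates, which are not in this hunk, so any fix belongs in all of them.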
diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml index a74e7c6c4a..faa326d7df 100644 --- a/science-platform/values-base.yaml +++ b/science-platform/values-base.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: false +production_tools: + enabled: false semaphore: enabled: false squareone: diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index c70f4c3cb1..218abe11d6 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: true +production_tools: + enabled: false semaphore: enabled: true sherlock: diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 7e831a870f..7cba6f23c3 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: false +production_tools: + enabled: true semaphore: enabled: true sherlock: diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index 3d91dde6ca..04ffff1215 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: false +production_tools: + enabled: false semaphore: enabled: true sherlock: diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index 90c994ee5c..d23ff32fca 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: true +production_tools: + enabled: false semaphore: enabled: false sherlock: diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index e1cea28f05..9a2416ef43 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml 
@@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: false +production_tools: + enabled: false semaphore: enabled: true sherlock: diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml index dbf65da615..f26fd0e4bb 100644 --- a/science-platform/values-roe.yaml +++ b/science-platform/values-roe.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: false +production_tools: + enabled: false semaphore: enabled: false squareone: diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml index d3764685c5..4aa7865d74 100644 --- a/science-platform/values-squash-sandbox.yaml +++ b/science-platform/values-squash-sandbox.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: false +production_tools: + enabled: false semaphore: enabled: false squareone: diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 8fcd45d336..76e1097694 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: true +production_tools: + enabled: false semaphore: enabled: false sherlock: diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index 8e57d2f693..9f6d21fcc3 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: false +production_tools: + enabled: false semaphore: enabled: false sherlock: diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index 7d83d04092..9da9f55c8b 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -36,6 +36,8 @@ postgres: enabled: true sasquatch: enabled: true +production_tools: + enabled: false semaphore: enabled: false squareone: 
diff --git a/science-platform/values.yaml b/science-platform/values.yaml index f2a56f5336..0d4c2bef5b 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml @@ -32,6 +32,8 @@ postgres: enabled: false sasquatch: enabled: false +production_tools: + enabled: false semaphore: enabled: false sherlock: diff --git a/services/production-tools/Chart.yaml b/services/production-tools/Chart.yaml new file mode 100644 index 0000000000..2b88a4f1cb --- /dev/null +++ b/services/production-tools/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: production-tools +version: 1.0.0 +dependencies: +- name: production-tools + version: "=0.1.0" + repository: https://lsst-sqre.github.io/charts/ diff --git a/services/production-tools/values-idfint.yaml b/services/production-tools/values-idfint.yaml new file mode 100644 index 0000000000..6dca6e2229 --- /dev/null +++ b/services/production-tools/values-idfint.yaml @@ -0,0 +1,13 @@ +production-tools: + butler_secret_path: "secret/k8s_operator/data-int.lsst.cloud/butler-secret" + environment: + BUTLER_URI: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" + PGPASSFILE: "/home/worker/.lsst/postgres-credentials.txt" + AWS_SHARED_CREDENTIALS_FILE: "/home/worker/.lsst/aws-credentials.ini" + S3_ENDPOINT_URL: "https://storage.googleapis.com" + LOG_BUCKET: "drp-us-central1-logging" + LOG_PREFIX: "Panda-RubinLog" + ingress: + host: "data-int.lsst.cloud" + path: "/production-tools" + gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=productiontools" From 23618443820e8bae94cbcf4035182497f53b053c Mon Sep 17 00:00:00 2001 
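Review bot: `gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=productiontools"` gates production-tools on the Portal's `exec:portal` scope and asks Gafaelfawr for a delegated token, but no `delegate_scope` is given; as I read Gafaelfawr's `/auth` parameters, an internal token requested without `delegate_scope` carries no scopes, so it only serves to identify the user, not to call other services. If production-tools calls TAP or Butler on the user's behalf, add `&delegate_scope=...` with the minimum scope it needs; if it does not, drop `delegate_to` so no delegated token is minted. A one-line comment above this value naming the intended scope would help whoever writes the next environment file.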
From: Colin Slater Date: Tue, 19 Apr 2022 13:38:39 -0700 Subject: [PATCH 0290/1479] Move chart from separate repo into phalanx. --- services/production-tools/Chart.yaml | 5 +- .../production-tools/templates/_helpers.tpl | 51 ++++++++ .../templates/deployment.yaml | 112 ++++++++++++++++++ services/production-tools/templates/hpa.yaml | 28 +++++ .../production-tools/templates/ingress.yaml | 35 ++++++ .../templates/networkpolicy.yaml | 23 ++++ .../production-tools/templates/secrets.yaml | 8 ++ .../production-tools/templates/service.yaml | 15 +++ services/production-tools/values.yaml | 87 ++++++++++++++ 9 files changed, 361 insertions(+), 3 deletions(-) create mode 100644 services/production-tools/templates/_helpers.tpl create mode 100644 services/production-tools/templates/deployment.yaml create mode 100644 services/production-tools/templates/hpa.yaml create mode 100644 services/production-tools/templates/ingress.yaml create mode 100644 services/production-tools/templates/networkpolicy.yaml create mode 100644 services/production-tools/templates/secrets.yaml create mode 100644 services/production-tools/templates/service.yaml create mode 100644 services/production-tools/values.yaml diff --git a/services/production-tools/Chart.yaml b/services/production-tools/Chart.yaml index 2b88a4f1cb..3aa8425abe 100644 --- a/services/production-tools/Chart.yaml +++ b/services/production-tools/Chart.yaml @@ -2,6 +2,5 @@ apiVersion: v2 name: production-tools version: 1.0.0 dependencies: -- name: production-tools - version: "=0.1.0" - repository: https://lsst-sqre.github.io/charts/ +home: "https://github.com/lsst-sqre/production-tools" +appVersion: 0.0.4 diff --git a/services/production-tools/templates/_helpers.tpl b/services/production-tools/templates/_helpers.tpl new file mode 100644 index 0000000000..43cdb33e8c --- /dev/null +++ b/services/production-tools/templates/_helpers.tpl 
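Review bot: The hunk removes the only entry under `dependencies:` but keeps the key, leaving a bare `dependencies:` that parses as null; delete the line (or write `dependencies: []`). The same bare key is still present after the 0292 Chart.yaml hunk, which adds `description:` directly below it. `appVersion: 0.0.4` is also unquoted; Helm's chart guidance is to quote `appVersion` because values like `1.10` would otherwise be read as floats, so `appVersion: "0.0.4"`.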
@@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "production-tools.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "production-tools.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "production-tools.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "production-tools.labels" -}} +helm.sh/chart: {{ include "production-tools.chart" . }} +{{ include "production-tools.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "production-tools.selectorLabels" -}} +app.kubernetes.io/name: {{ include "production-tools.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/production-tools/templates/deployment.yaml b/services/production-tools/templates/deployment.yaml new file mode 100644 index 0000000000..c7b0bb8942 --- /dev/null +++ b/services/production-tools/templates/deployment.yaml 
@@ -0,0 +1,112 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "production-tools.fullname" . }} + labels: + {{- include "production-tools.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "production-tools.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "production-tools.selectorLabels" . | nindent 8 }} + spec: + automountServiceAccountToken: false + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + volumes: + # butler-secrets-raw is the secrets we get from vault + - name: "butler-secrets-raw" + secret: + secretName: "butler-secret" + # butler-secrets are the copied and chmoded versions + - name: "butler-secrets" + emptyDir: {} + - name: "cache-dir" + emptyDir: {} + # Have to fix permissions on the pgpass file. + # init container pattern borrowed from vo-cutouts. 
+ initContainers: + - name: fix-secret-permissions + image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: Always + command: + - "/bin/bash" + - "-c" + - | + cp -RL /home/worker/secrets-raw/* /home/worker/.lsst/ + chown worker:worker /home/worker/.lsst/* + chmod 0400 /home/worker/.lsst/* + securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + volumeMounts: + - name: "butler-secrets" + mountPath: "/home/worker/.lsst/" + - name: "butler-secrets-raw" + mountPath: "/home/worker/secrets-raw/" + readOnly: true + containers: + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: butler-secrets + mountPath: "/home/worker/.lsst/" + - name: "cache-dir" + mountPath: "/home/worker/cache" + env: + - name: "LOG_CACHE_DIR" + value: "/home/worker/cache" +{{- range $key, $value := .Values.environment }} + - name: {{ $key | quote }} + value: {{ $value | quote }} +{{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/production-tools/templates/hpa.yaml b/services/production-tools/templates/hpa.yaml new file mode 100644 index 0000000000..11439968e2 --- /dev/null +++ b/services/production-tools/templates/hpa.yaml 
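Review bot: The `fix-secret-permissions` init container runs as uid 0 with the runtime's full default capability set and without `allowPrivilegeEscalation: false`, while the main container in the same hunk drops every capability; the three commands it runs need only `CHOWN` (for `chown worker:worker`) and `FOWNER` (for the `chmod` on files now owned by `worker`), so the reduced securityContext below keeps the root requirement but nothing else. Separately, `chown worker:worker` relies on the image defining a `worker` user whose uid is the 1000 set in the pod-level `runAsUser`; if that mapping is not guaranteed by the image, `chown 1000:1000` makes the dependency explicit. The init container's `image:` line is also unquoted where the main container's is quoted; quoting both keeps the two consistent.
```yaml
      initContainers:
        - name: fix-secret-permissions
          # … unchanged: image, command, volumeMounts …
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
              add:
                - CHOWN
                - FOWNER
```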
@@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "production-tools.fullname" . }} + labels: + {{- include "production-tools.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "production-tools.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/services/production-tools/templates/ingress.yaml b/services/production-tools/templates/ingress.yaml new file mode 100644 index 0000000000..1a344d08f0 --- /dev/null +++ b/services/production-tools/templates/ingress.yaml 
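Review bot: The HorizontalPodAutoscaler uses `autoscaling/v2beta1`, which Kubernetes has deprecated and since removed, and its `targetAverageUtilization` field does not exist in the replacement. Under `autoscaling/v2` each metric is written as `target: {type: Utilization, averageUtilization: N}`. Because `autoscaling.enabled` defaults to false in this commit's values.yaml, the template is never rendered by default and the stale API version would only surface when someone turns autoscaling on.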
@@ -0,0 +1,35 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "production-tools.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "production-tools.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- if .Values.ingress.gafaelfawrAuthQuery }} + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" + nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login" + nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + rules: + - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + http: + paths: + - path: {{ .Values.ingress.path }} + pathType: {{ default "Prefix" .Values.ingress.pathType }} + backend: + service: + name: {{ $fullName }} + port: + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/production-tools/templates/networkpolicy.yaml b/services/production-tools/templates/networkpolicy.yaml new file mode 100644 index 0000000000..6bdfc4eb6e --- /dev/null +++ b/services/production-tools/templates/networkpolicy.yaml 
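Review bot: The Gafaelfawr auth annotations are wrapped in `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, so an empty or unset value renders an Ingress with no `auth-url` at all and publishes the service unauthenticated; the chart default in this commit's values.yaml hunk is `gafaelfawrAuthQuery: ""`, labelled there "(default, unauthenticated)". Unless unauthenticated exposure is an intended mode, failing the render is safer: `{{- $authQuery := required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}` with the `if` removed, or at minimum a restrictive default scope in values.yaml. Also, `path: {{ .Values.ingress.path }}` is the one templated scalar here rendered unquoted; `| quote` would match the `host` line above it.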
@@ -0,0 +1,23 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "production-tools.fullname" . }} +spec: + podSelector: + matchLabels: + {{- include "production-tools.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 8080 +{{- end }} diff --git a/services/production-tools/templates/secrets.yaml b/services/production-tools/templates/secrets.yaml new file mode 100644 index 0000000000..257f9176b0 --- /dev/null +++ b/services/production-tools/templates/secrets.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: butler-secret +spec: + path: {{ .Values.butler_secret_path }} + type: Opaque diff --git a/services/production-tools/templates/service.yaml b/services/production-tools/templates/service.yaml new file mode 100644 index 0000000000..42704af443 --- /dev/null +++ b/services/production-tools/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "production-tools.fullname" . }} + labels: + {{- include "production-tools.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "production-tools.selectorLabels" . | nindent 4 }} diff --git a/services/production-tools/values.yaml b/services/production-tools/values.yaml new file mode 100644 index 0000000000..c82253755a --- /dev/null +++ b/services/production-tools/values.yaml 
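Review bot: The NetworkPolicy is wrapped in `{{- if .Values.ingress.enabled -}}`, so disabling the ingress also removes the only policy on the pod and leaves port 8080 reachable from any pod in the cluster that is not otherwise restricted. The rule constrains the pod, not the Ingress object, so rendering it unconditionally (or under its own `networkPolicy.enabled` flag) keeps the restriction in place either way. If the intent is that nothing should reach the pod when there is no ingress, a policy with `policyTypes: [Ingress]` and no `ingress` rules expresses that as an explicit deny-all.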
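Review bot: In secrets.yaml, `path: {{ .Values.butler_secret_path }}` renders unquoted, and with the chart default `butler_secret_path: ""` from the values.yaml hunk later in this commit it becomes a bare `path:`, i.e. null, which the VaultSecret operator will reject or misread at apply time rather than at render time. `path: {{ required "butler_secret_path must be set" .Values.butler_secret_path | quote }}` fails early with a clear message. The leading `---` is also the only document-start marker among these templates; harmless, but inconsistent with the siblings.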
@@ -0,0 +1,87 @@ +# Default values for production-tools. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of web deployment pods to start +replicaCount: 1 + +image: + # -- Image to use in the production-tools deployment + repository: lsstdm/production_tools + + # -- Pull policy for the production-tools image + pullPolicy: Always + + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" + +# -- Secret names to use for all Docker pulls +imagePullSecrets: [] + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# -- Annotations for the production-tools deployment pod +podAnnotations: {} + +# Path to the vault secret. +butler_secret_path: "" + +# Environment variables passed to container +environment: {} + +service: + # -- Type of service to create + type: ClusterIP + + # -- Port of the service to create and map to the ingress + port: 8080 + +ingress: + # -- Create an ingress resource + enabled: true + + # -- Hostname of the deployment to run behind + host: "" + + # -- Gafaelfawr Auth Query string (default, unauthenticated) + # gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" + gafaelfawrAuthQuery: "" + + # -- Additional annotations for the ingress rule + annotations: {} + + # -- Path type for the ingress rule + pathType: ImplementationSpecific + + # -- URL path to dispatch to the production-tools deployment pod + path: "/production-tools" + +# -- Resource limits and requests for the production-tools deployment pod +resources: {} + +autoscaling: + # -- Enable autoscaling of production-tools deployment + enabled: false + + # -- Minimum number of production-tools deployment pods + minReplicas: 1 + + # -- Maximum number of production-tools deployment pods + maxReplicas: 100 + + # -- Target CPU utilization of production-tools deployment pods + 
targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- Node selection rules for the production-tools deployment pod +nodeSelector: {} + +# -- Tolerations for the production-tools deployment pod +tolerations: [] + +# -- Affinity rules for the production-tools deployment pod +affinity: {} From 055b78aed9b50ca2c4f1ec27f8d26180f51c4571 Mon Sep 17 00:00:00 2001 From: Colin Slater Date: Tue, 19 Apr 2022 13:48:10 -0700 Subject: [PATCH 0291/1479] Lint fix. --- services/production-tools/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/production-tools/values-idfint.yaml b/services/production-tools/values-idfint.yaml index 6dca6e2229..6264aefd66 100644 --- a/services/production-tools/values-idfint.yaml +++ b/services/production-tools/values-idfint.yaml @@ -10,4 +10,4 @@ production-tools: ingress: host: "data-int.lsst.cloud" path: "/production-tools" - gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=productiontools" + gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=productiontools" From cf59e6c5dd595d6371c6c6de543e444c1a0ce65f Mon Sep 17 00:00:00 2001 
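Review bot: `butler_secret_path` and `environment` are documented with plain `# ` comments while every other key uses the helm-docs `# --` marker, so they come out with an empty Description column; the README added in 0292 further down this page lists `environment` with no description for exactly this reason. Change them to `# -- Path in Vault of the secret mounted as butler-secret` and `# -- Extra environment variables set on the production-tools container`. The `gafaelfawrAuthQuery: ""` comment could likewise state outright that an empty value removes the auth annotations from the ingress, so the consequence of leaving it blank is visible where the value is set.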
From: Colin Slater Date: Mon, 25 Apr 2022 10:57:57 -0700 Subject: [PATCH 0292/1479] Remove a lot of boilerplate, per review. Add helm-doc README. --- .../production-tools-application.yaml | 1 + services/production-tools/Chart.yaml | 1 + services/production-tools/README.md | 29 ++++++++++ services/production-tools/README.md.gotmpl | 9 +++ .../templates/deployment.yaml | 20 +++---- services/production-tools/templates/hpa.yaml | 28 --------- .../production-tools/templates/ingress.yaml | 19 +++--- .../templates/networkpolicy.yaml | 2 - .../production-tools/templates/secrets.yaml | 8 --- .../production-tools/templates/service.yaml | 4 +- .../templates/vault-secrets.yaml | 18 ++++++ services/production-tools/values-idfint.yaml | 17 ++---- services/production-tools/values.yaml | 58 ++++++------------- 13 files changed, 98 insertions(+), 116 deletions(-) create mode 100644 services/production-tools/README.md create mode 100644 services/production-tools/README.md.gotmpl delete mode 100644 services/production-tools/templates/hpa.yaml delete mode 100644 services/production-tools/templates/secrets.yaml create mode 100644 services/production-tools/templates/vault-secrets.yaml diff --git a/science-platform/templates/production-tools-application.yaml b/science-platform/templates/production-tools-application.yaml index 48ff5122d7..23d0d9b9f0 100644 --- a/science-platform/templates/production-tools-application.yaml +++ b/science-platform/templates/production-tools-application.yaml @@ -22,5 +22,6 @@ spec: targetRevision: {{ .Values.revision }} helm: valueFiles: + - values.yaml - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/services/production-tools/Chart.yaml b/services/production-tools/Chart.yaml index 3aa8425abe..bd5148628f 100644 --- a/services/production-tools/Chart.yaml +++ b/services/production-tools/Chart.yaml 
@@ -2,5 +2,6 @@ apiVersion: v2 name: production-tools version: 1.0.0 dependencies: +description: A collection of utility pages for monitoring data processing. home: "https://github.com/lsst-sqre/production-tools" appVersion: 0.0.4 diff --git a/services/production-tools/README.md b/services/production-tools/README.md new file mode 100644 index 0000000000..972971c2ea --- /dev/null +++ b/services/production-tools/README.md 
@@ -0,0 +1,29 @@ +# production-tools + +A collection of utility pages for monitoring data processing. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the production-tools deployment pod | +| environment | object | `{}` | | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the production-tools image | +| image.repository | string | `"lsstdm/production_tools"` | Image to use in the production-tools deployment | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal"` | Gafaelfawr Auth Query string (default, unauthenticated) | +| ingress.pathType | string | `"Prefix"` | Path type for the ingress rule | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selection rules for the production-tools deployment pod | +| podAnnotations | object | `{}` | Annotations for the production-tools deployment pod | +| replicaCount | int | `1` | Number of web deployment pods to start | +| resources | object | `{}` | Resource limits and requests for the production-tools deployment pod | +| tolerations | list | `[]` | Tolerations for the production-tools deployment pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) 
diff --git a/services/production-tools/README.md.gotmpl b/services/production-tools/README.md.gotmpl new file mode 100644 index 0000000000..4531459bbb --- /dev/null +++ b/services/production-tools/README.md.gotmpl @@ -0,0 +1,9 @@ +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/services/production-tools/templates/deployment.yaml b/services/production-tools/templates/deployment.yaml index c7b0bb8942..1bfb3dda82 100644 --- a/services/production-tools/templates/deployment.yaml +++ b/services/production-tools/templates/deployment.yaml @@ -5,9 +5,7 @@ metadata: labels: {{- include "production-tools.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} - {{- end }} selector: matchLabels: {{- include "production-tools.selectorLabels" . | nindent 6 }} @@ -21,10 +19,8 @@ spec: {{- include "production-tools.selectorLabels" . | nindent 8 }} spec: automountServiceAccountToken: false - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + - "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 @@ -58,9 +54,9 @@ spec: runAsGroup: 0 volumeMounts: - name: "butler-secrets" - mountPath: "/home/worker/.lsst/" + mountPath: "/home/worker/.lsst" - name: "butler-secrets-raw" - mountPath: "/home/worker/secrets-raw/" + mountPath: "/home/worker/secrets-raw" readOnly: true containers: - name: {{ .Chart.Name }} @@ -76,10 +72,6 @@ spec: - name: http containerPort: 8080 protocol: TCP - livenessProbe: - httpGet: - path: / - port: http readinessProbe: httpGet: path: / 
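Review bot: In deployment.yaml's second hunk the hard-coded `imagePullSecrets` entry is a bare string, `- "pull-secret"`, but that field is a list of object references, so the rendered Deployment would be rejected at apply time with an unmarshal error; it should read `- name: "pull-secret"`, matching the `pull-secret` VaultSecret this commit creates and the `imagePullSecrets[0].name` form the other charts in this series use. Since the hunk also removes the `.Values.imagePullSecrets` passthrough, nothing else supplies the `name` key. The enclosing Deployment spec continues outside the hunk.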
@@ -94,6 +86,12 @@ spec: env: - name: "LOG_CACHE_DIR" value: "/home/worker/cache" + - name: "PGPASSFILE" + value: "/home/worker/.lsst/postgres-credentials.txt" + - name: "AWS_SHARED_CREDENTIALS_FILE" + value: "/home/worker/.lsst/aws-credentials.ini" + - name: "S3_ENDPOINT_URL" + value: "https://storage.googleapis.com" {{- range $key, $value := .Values.environment }} - name: {{ $key | quote }} value: {{ $value | quote }} diff --git a/services/production-tools/templates/hpa.yaml b/services/production-tools/templates/hpa.yaml deleted file mode 100644 index 11439968e2..0000000000 --- a/services/production-tools/templates/hpa.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "production-tools.fullname" . }} - labels: - {{- include "production-tools.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "production-tools.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/services/production-tools/templates/ingress.yaml b/services/production-tools/templates/ingress.yaml index 1a344d08f0..67f7c93321 100644 --- a/services/production-tools/templates/ingress.yaml +++ b/services/production-tools/templates/ingress.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} {{- $fullName := include "production-tools.fullname" . -}} apiVersion: networking.k8s.io/v1 kind: Ingress 
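Review bot: `S3_ENDPOINT_URL` is now hard-coded to `https://storage.googleapis.com` in the chart template, while the other site-specific settings it was moved with (`BUTLER_URI`, `LOG_BUCKET`, `LOG_PREFIX`) stay in values-idfint.yaml's `environment` map; an environment backed by a different object store would have to shadow it through `environment`, producing a second `S3_ENDPOINT_URL` entry in the same container, whose precedence I would not rely on. `PGPASSFILE` and `AWS_SHARED_CREDENTIALS_FILE` are genuinely tied to the init container's `/home/worker/.lsst` mount and do belong here. Consider leaving `S3_ENDPOINT_URL` in the per-environment `environment` map, or giving it a dedicated value with this as its default and a `# --` comment so helm-docs documents it. The container spec continues outside the hunk.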
@@ -11,25 +10,21 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login" - nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} rules: - - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + - host: {{ required ".Values.global.host must be set" .Values.global.host | quote }} http: paths: - - path: {{ .Values.ingress.path }} - pathType: {{ default "Prefix" .Values.ingress.pathType }} + - path: "/production-tools" + pathType: "Prefix" backend: service: - name: {{ $fullName }} + name: {{ template "production-tools.fullname" . }} port: - number: {{ .Values.service.port }} -{{- end }} + number: 8080 diff --git a/services/production-tools/templates/networkpolicy.yaml b/services/production-tools/templates/networkpolicy.yaml index 6bdfc4eb6e..f96da8d5f9 100644 --- a/services/production-tools/templates/networkpolicy.yaml +++ b/services/production-tools/templates/networkpolicy.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -20,4 +19,3 @@ spec: ports: - protocol: "TCP" port: 8080 -{{- end }} diff --git a/services/production-tools/templates/secrets.yaml b/services/production-tools/templates/secrets.yaml deleted file mode 100644 index 257f9176b0..0000000000 
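Review bot: The new `auth-signin` and `auth-url` annotations prepend `https://` to `.Values.global.baseUrl`, but a base URL conventionally already carries the scheme, and the Argo CD parameter added two commits later in this series (`global.baseUrl` = `"https://{{ .Values.fqdn }}"` in production-tools-application.yaml) does exactly that, which would render `https://https://<host>/login`. Either drop the prefix here, `nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login"` (and likewise for `auth-url`), or build these from `.Values.global.host` as the `rules` entry below already does. Whichever is chosen, the values.yaml comment for `global.baseUrl` should state whether the scheme is included. The same point applies to the parameters hunk in patch 0293.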
--- a/services/production-tools/templates/secrets.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: butler-secret -spec: - path: {{ .Values.butler_secret_path }} - type: Opaque diff --git a/services/production-tools/templates/service.yaml b/services/production-tools/templates/service.yaml index 42704af443..fb56f55e0e 100644 --- a/services/production-tools/templates/service.yaml +++ b/services/production-tools/templates/service.yaml @@ -5,9 +5,9 @@ metadata: labels: {{- include "production-tools.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: ClusterIP ports: - - port: {{ .Values.service.port }} + - port: 8080 targetPort: http protocol: TCP name: http diff --git a/services/production-tools/templates/vault-secrets.yaml b/services/production-tools/templates/vault-secrets.yaml new file mode 100644 index 0000000000..5fdcb310ae --- /dev/null +++ b/services/production-tools/templates/vault-secrets.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: butler-secret +spec: + path: "{{ .Values.global.vaultSecretsPath }}/butler-secret" + type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: "pull-secret" + labels: + {{- include "production-tools.labels" . | nindent 4 }} +spec: + path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" + type: "kubernetes.io/dockerconfigjson" diff --git a/services/production-tools/values-idfint.yaml b/services/production-tools/values-idfint.yaml index 6264aefd66..80f6c3cfdf 100644 --- a/services/production-tools/values-idfint.yaml +++ b/services/production-tools/values-idfint.yaml 
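Review bot: In the new vault-secrets.yaml both `path` values are built from `.Values.global.vaultSecretsPath`, whose default in values.yaml is `""`, so a render without the Argo CD parameter silently produces `path: "/butler-secret"` rather than failing; ingress.yaml in the same commit guards `global.host` with `required`, and the same guard fits here, `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/butler-secret"` (and likewise for `pull-secret`). Minor style point: the first document writes `name: butler-secret` unquoted while the second quotes `"pull-secret"`; pick one form for the file.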
@@ -1,13 +1,4 @@ -production-tools: - butler_secret_path: "secret/k8s_operator/data-int.lsst.cloud/butler-secret" - environment: - BUTLER_URI: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" - PGPASSFILE: "/home/worker/.lsst/postgres-credentials.txt" - AWS_SHARED_CREDENTIALS_FILE: "/home/worker/.lsst/aws-credentials.ini" - S3_ENDPOINT_URL: "https://storage.googleapis.com" - LOG_BUCKET: "drp-us-central1-logging" - LOG_PREFIX: "Panda-RubinLog" - ingress: - host: "data-int.lsst.cloud" - path: "/production-tools" - gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=productiontools" +environment: + BUTLER_URI: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" + LOG_BUCKET: "drp-us-central1-logging" + LOG_PREFIX: "Panda-RubinLog" diff --git a/services/production-tools/values.yaml b/services/production-tools/values.yaml index c82253755a..7c9ae8d70f 100644 --- a/services/production-tools/values.yaml +++ b/services/production-tools/values.yaml @@ -10,14 +10,11 @@ image: repository: lsstdm/production_tools # -- Pull policy for the production-tools image - pullPolicy: Always + pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. tag: "" -# -- Secret names to use for all Docker pulls -imagePullSecrets: [] - # -- Override the base name for resources nameOverride: "" 
@@ -27,56 +24,22 @@ fullnameOverride: "" # -- Annotations for the production-tools deployment pod podAnnotations: {} -# Path to the vault secret. -butler_secret_path: "" - # Environment variables passed to container environment: {} -service: - # -- Type of service to create - type: ClusterIP - - # -- Port of the service to create and map to the ingress - port: 8080 - ingress: - # -- Create an ingress resource - enabled: true - - # -- Hostname of the deployment to run behind - host: "" - # -- Gafaelfawr Auth Query string (default, unauthenticated) - # gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - gafaelfawrAuthQuery: "" + gafaelfawrAuthQuery: "scope=exec:portal" # -- Additional annotations for the ingress rule annotations: {} # -- Path type for the ingress rule - pathType: ImplementationSpecific - - # -- URL path to dispatch to the production-tools deployment pod - path: "/production-tools" + pathType: Prefix # -- Resource limits and requests for the production-tools deployment pod resources: {} -autoscaling: - # -- Enable autoscaling of production-tools deployment - enabled: false - - # -- Minimum number of production-tools deployment pods - minReplicas: 1 - - # -- Maximum number of production-tools deployment pods - maxReplicas: 100 - - # -- Target CPU utilization of production-tools deployment pods - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - # -- Node selection rules for the production-tools deployment pod nodeSelector: {} 
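Review bot: `ingress.pathType: Prefix` is kept (and documented in the generated README) but is no longer read: the rewritten ingress.yaml in this commit hard-codes `pathType: "Prefix"` and `path: "/production-tools"`, so changing the value has no effect. Either remove it from values.yaml or restore `pathType: {{ .Values.ingress.pathType }}` in the template. The comment above the new default `gafaelfawrAuthQuery: "scope=exec:portal"` still says "(default, unauthenticated)", which was true of the old `""` default (the template only emits the auth annotations when the value is non-empty) but not of a query that requires the `exec:portal` scope; `# -- Gafaelfawr auth query string; leave empty to disable authentication on the ingress` describes the new behaviour. Separately, the `environment:` key's comment lacks the helm-docs `# --` marker, which is why the new README lists `environment` with an empty description; `# -- Environment variables passed to the container` would fill it in.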
@@ -85,3 +48,18 @@ tolerations: [] # -- Affinity rules for the production-tools deployment pod affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From 566399365dd68d2b67aad10b60ca7b003b997c51 Mon Sep 17 00:00:00 2001 From: Colin Slater Date: Wed, 27 Apr 2022 15:31:13 -0700 Subject: [PATCH 0293/1479] Drop init container privileges, additional fixes as per review #2. --- .../templates/production-tools-application.yaml | 7 +++++++ services/production-tools/templates/deployment.yaml | 8 ++++---- services/production-tools/templates/vault-secrets.yaml | 2 ++ 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/science-platform/templates/production-tools-application.yaml b/science-platform/templates/production-tools-application.yaml index 23d0d9b9f0..096be8ce2d 100644 --- a/science-platform/templates/production-tools-application.yaml +++ b/science-platform/templates/production-tools-application.yaml @@ -21,6 +21,13 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - values.yaml - values-{{ .Values.environment }}.yaml diff --git a/services/production-tools/templates/deployment.yaml b/services/production-tools/templates/deployment.yaml index 1bfb3dda82..dfab4731fe 100644 --- a/services/production-tools/templates/deployment.yaml +++ b/services/production-tools/templates/deployment.yaml 
@@ -46,12 +46,12 @@ spec: - "-c" - | cp -RL /home/worker/secrets-raw/* /home/worker/.lsst/ - chown worker:worker /home/worker/.lsst/* chmod 0400 /home/worker/.lsst/* securityContext: - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 0 + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" volumeMounts: - name: "butler-secrets" mountPath: "/home/worker/.lsst" diff --git a/services/production-tools/templates/vault-secrets.yaml b/services/production-tools/templates/vault-secrets.yaml index 5fdcb310ae..0b90cc3b7a 100644 --- a/services/production-tools/templates/vault-secrets.yaml +++ b/services/production-tools/templates/vault-secrets.yaml @@ -3,6 +3,8 @@ apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: name: butler-secret + labels: + {{- include "production-tools.labels" . | nindent 4 }} spec: path: "{{ .Values.global.vaultSecretsPath }}/butler-secret" type: Opaque From fb9c7c730675044cbfca9e8fad782f834c9ad2d6 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 28 Apr 2022 16:26:12 +0000 Subject: [PATCH 0294/1479] Update Helm release influxdb to v4.11.0 --- services/sasquatch/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 649cd33d05..b7dbb0383f 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -9,7 +9,7 @@ dependencies: version: 1.2.0 repository: https://lsst-sqre.github.io/charts/ - name: influxdb - version: 4.10.7 + version: 4.11.0 repository: https://helm.influxdata.com/ - name: kafka-connect-manager version: 1.0.0 From 75dd657ebd2e1f692521fe6c98347c7ddd51cb16 Mon Sep 17 00:00:00 2001 
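Review bot: The dropped capability is spelled `- "all"`; Kubernetes documents it as `ALL`, and to my recollection Pod Security Admission's restricted profile matches that string exactly, so the lowercase form may run fine at the container runtime yet not count as "drop ALL" under a policy check — `- "ALL"` avoids the ambiguity. With `runAsUser: 0` gone the init container inherits the pod-level `runAsNonRoot: true` / `runAsUser: 1000`, which is what makes removing the `chown` safe; a one-line comment above `securityContext`, such as `# Runs as the pod's non-root UID, so the copied files are already owned by the worker`, would spare the next reader that inference. The init container definition starts outside the hunk.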
From: Jonathan Sick Date: Thu, 28 Apr 2022 15:08:48 -0400 Subject: [PATCH 0295/1479] Add pre-commit support The "make init" is our standard way of setting up a dev environment for a project, including installing pre-commit. --- .pre-commit-config.yaml | 5 +++++ Makefile | 9 +++++++++ 2 files changed, 14 insertions(+) create mode 100644 .pre-commit-config.yaml create mode 100644 Makefile diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000000..5a319833f3 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,5 @@ +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.2.0 + hooks: + - id: trailing-whitespace diff --git a/Makefile b/Makefile new file mode 100644 index 0000000000..76c7436057 --- /dev/null +++ b/Makefile @@ -0,0 +1,9 @@ +.PHONY: +help: + @echo "Make targets for Phalanx:" + @echo "make init - Set up dev environment (install pre-commit hooks)" + +.PHONY: +init: + pip install --upgrade pre-commit + pre-commit install From 31f058a46977ad893eebae748db90d412e8a842a Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 28 Apr 2022 15:11:18 -0400 Subject: [PATCH 0296/1479] Apply trailing-whitespace linter changes --- docs/ops/infrastructure/filestore/privileged-access.rst | 2 +- docs/ops/nublado2/database.rst | 6 +++--- docs/ops/postgres/add-database.rst | 2 +- docs/service-guide/chart-changes.rst | 2 +- services/exposurelog/templates/deployment.yaml | 2 +- services/telegraf/templates/configmap.yaml | 6 +++--- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/ops/infrastructure/filestore/privileged-access.rst b/docs/ops/infrastructure/filestore/privileged-access.rst index 8050456134..9831beedeb 100644 --- a/docs/ops/infrastructure/filestore/privileged-access.rst +++ b/docs/ops/infrastructure/filestore/privileged-access.rst 
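Review bot: `rev: v4.2.0` pins the hook repository to a tag, which upstream can move or delete; pre-commit also accepts a full commit SHA in `rev`, which makes the fetched hook content immutable. Pin the SHA and keep the tag in a trailing comment, e.g. `rev: <commit-sha-of-v4.2.0>  # v4.2.0` (placeholder, look up the actual commit).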
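Review bot: Both `.PHONY:` lines in the new Makefile are empty declarations and mark nothing; they should name their targets, `.PHONY: help` and `.PHONY: init` (or one `.PHONY: help init` at the top), otherwise a file named `help` or `init` in the repository root would make `make init` report nothing to be done. `pip install --upgrade pre-commit` also installs into whatever Python is first on PATH, so the `help` text could say that a virtualenv is expected to be active.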
@@ -56,7 +56,7 @@ privileged pod: **Examples:** * Get usage data by username, sorted by usage, largest at the bottom:: - + du -s -BM /mnt/home/* \ | sed -e 's/\s\+/,/' \ | sed -e 's|/mnt/home/||' \ diff --git a/docs/ops/nublado2/database.rst b/docs/ops/nublado2/database.rst index 9946d41909..fe32eb8b0c 100644 --- a/docs/ops/nublado2/database.rst +++ b/docs/ops/nublado2/database.rst @@ -8,15 +8,15 @@ The typical symptom of this is that spawns for that user fail with an error sayi Recovery may require manually clearing the user's entry in the session database as follows: #. Remove the user's lab namespace, if it exists. - + #. Remove the user from the session database. Connect to the database with: - + .. code-block:: shell pod=$(kubectl get pods -n postgres | grep postgres | awk '{print $1}') kubectl exec -it -n postgres ${pod} -- psql -U jovyan jupyterhub - + and then, at the PostgreSQL prompt, run: .. code-block:: sql diff --git a/docs/ops/postgres/add-database.rst b/docs/ops/postgres/add-database.rst index 88f289959f..933fda347b 100644 --- a/docs/ops/postgres/add-database.rst +++ b/docs/ops/postgres/add-database.rst @@ -67,7 +67,7 @@ Postgres users already look like that, so copying an existing line and changing the name to reflect your service is usually correct: .. code-block:: python - + self._set_generated("postgres", "exposurelog_password", secrets.token_hex(32)) Make the Phalanx ``services/postgres/Chart.yaml`` entry depend on the diff --git a/docs/service-guide/chart-changes.rst b/docs/service-guide/chart-changes.rst index 3562b6555c..86b0282f6b 100644 --- a/docs/service-guide/chart-changes.rst +++ b/docs/service-guide/chart-changes.rst 
@@ -11,7 +11,7 @@ If the charts changes are low-risk--perhaps they just add new objects or setting This section, however, is about the times when it's risky to do that. -The bad news is, you can't do this via ArgoCD. The good news is, it's pretty easy to do anyway, but you do need ``kubectl`` access to whatever cluster you're working on. Ideally this is a local ``minikube`` cluster, but if you're, say, using an Apple Silicon Mac, or you need access to real data, maybe you're doing it in ``data-dev`` or ``data-int``. +The bad news is, you can't do this via ArgoCD. The good news is, it's pretty easy to do anyway, but you do need ``kubectl`` access to whatever cluster you're working on. Ideally this is a local ``minikube`` cluster, but if you're, say, using an Apple Silicon Mac, or you need access to real data, maybe you're doing it in ``data-dev`` or ``data-int``. #. Make your changes to both charts and phalanx. diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml index d8be8904c9..6fd1c3b784 100644 --- a/services/exposurelog/templates/deployment.yaml +++ b/services/exposurelog/templates/deployment.yaml @@ -89,7 +89,7 @@ spec: nfs: path: {{ .Values.config.nfs_path_1 }} readOnly: true - server: {{ .Values.config.nfs_server_1 }} + server: {{ .Values.config.nfs_server_1 }} {{- end }} {{- if .Values.config.nfs_path_2 }} - name: volume2 diff --git a/services/telegraf/templates/configmap.yaml b/services/telegraf/templates/configmap.yaml index 7b1bf94d7b..8831840512 100644 --- a/services/telegraf/templates/configmap.yaml +++ b/services/telegraf/templates/configmap.yaml @@ -40,7 +40,7 @@ data: urls = [ {{ $endpoint | quote }} ] - [inputs.prometheus.tags] + [inputs.prometheus.tags] prometheus_app = {{ $app_name | quote }} {{- end }} {{- end }} 
@@ -51,14 +51,14 @@ data: {{- if has $app_name $enabled_apps }} {{- range $component, $endpoint := $defn }} - [[outputs.influxdb_v2]] + [[outputs.influxdb_v2]] bucket = {{ $app_name | quote }} organization = "square" token = "$INFLUX_TOKEN" urls = [ "https://monitoring.lsst.codes" ] - [outputs.influxdb_v2.tagpass] + [outputs.influxdb_v2.tagpass] prometheus_app = [ {{ $app_name | quote }} ] From 4b863a0971935949aeb669aaeac17b69358e9f1b Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 28 Apr 2022 15:21:50 -0400 Subject: [PATCH 0297/1479] Add helm-docs pre-commit hook + default template This sets up helm-docs to run for all charts with pre-commit. Note it needs helm-docs to be separately installed. (see https://github.com/norwoodj/helm-docs) helm-docs is configured to use a default template at helm-docs.md.tmpl. --- .pre-commit-config.yaml | 9 +++++++++ helm-docs.md.gotmpl | 15 +++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 helm-docs.md.gotmpl diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5a319833f3..5686dd6e82 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -3,3 +3,12 @@ repos: rev: v4.2.0 hooks: - id: trailing-whitespace + + - repo: https://github.com/norwoodj/helm-docs + rev: v1.2.0 + hooks: + - id: helm-docs + args: + - "--chart-search-root=." + # The `./` makes it relative to the chart-search-root set above + - "--template-files=./helm-docs.md.gotmpl" diff --git a/helm-docs.md.gotmpl b/helm-docs.md.gotmpl new file mode 100644 index 0000000000..a950f083fd --- /dev/null +++ b/helm-docs.md.gotmpl @@ -0,0 +1,15 @@ +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.header" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} 
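Review bot: Passing `--template-files=./helm-docs.md.gotmpl` alone appears to make the root template the only one helm-docs renders, so the per-chart `services/production-tools/README.md.gotmpl` added earlier in this series is presumably ignored (the following commit regenerates that README with the badge and homepage lines from the root template). If per-chart overrides are meant to work, also list the default chart-relative name, `- "--template-files=README.md.gotmpl"`, after the root entry so chart-local templates can override named blocks — please verify the ordering rule against the helm-docs version in use. Note also that `rev: v1.2.0` pins only the hook definition; the hook runs the locally installed `helm-docs`, so the version footer (v1.8.1 in the regenerated READMEs) will drift across contributors unless the expected binary version is recorded, e.g. in the Makefile `init` target or the comment here.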
From 7f921655c2225ef8e479aa0a69a738fe1420c349 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 28 Apr 2022 15:38:57 -0400 Subject: [PATCH 0298/1479] Update all helm-docs via pre-commit hook --- science-platform/README.md | 45 +++++ services/alert-stream-broker/README.md | 15 ++ services/cachemachine/README.md | 36 ++++ services/cert-manager/README.md | 6 +- services/exposurelog/README.md | 41 ++++- services/gafaelfawr/README.md | 8 +- services/mobu/README.md | 6 +- services/narrativelog/README.md | 35 +++- services/noteburst/README.md | 8 +- services/nublado2/README.md | 154 ++++++++++++++++++ services/portal/README.md | 6 +- services/production-tools/README.md | 4 + services/sasquatch/README.md | 16 +- .../charts/kafka-connect-manager/README.md | 4 +- .../sasquatch/charts/strimzi-kafka/README.md | 5 +- services/semaphore/README.md | 4 +- services/squareone/README.md | 4 +- services/tap-schema/README.md | 28 ++++ services/telegraf-ds/README.md | 18 +- services/telegraf/README.md | 41 +++-- services/times-square/README.md | 12 +- .../charts/times-square-ui/README.md | 4 +- .../charts/times-square/README.md | 13 +- services/vo-cutouts/README.md | 6 +- 24 files changed, 458 insertions(+), 61 deletions(-) create mode 100644 science-platform/README.md create mode 100644 services/alert-stream-broker/README.md create mode 100644 services/cachemachine/README.md create mode 100644 services/nublado2/README.md create mode 100644 services/tap-schema/README.md diff --git a/science-platform/README.md b/science-platform/README.md new file mode 100644 index 0000000000..3052510495 --- /dev/null +++ b/science-platform/README.md 
@@ -0,0 +1,45 @@ + + +# science-platform + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| alert_stream_broker.enabled | bool | `false` | | +| cachemachine.enabled | bool | `false` | | +| cert_manager.enabled | bool | `false` | | +| datalinker.enabled | bool | `false` | | +| exposurelog.enabled | bool | `false` | | +| gafaelfawr.enabled | bool | `false` | | +| ingress_nginx.enabled | bool | `false` | | +| mobu.enabled | bool | `false` | | +| moneypenny.enabled | bool | `false` | | +| narrativelog.enabled | bool | `false` | | +| noteburst.enabled | bool | `false` | | +| nublado2.enabled | bool | `false` | | +| obstap.enabled | bool | `false` | | +| onepassword_uuid | string | `"dg5afgiadsffeklfr6jykqymeu"` | | +| plot_navigator.enabled | bool | `false` | | +| portal.enabled | bool | `false` | | +| postgres.enabled | bool | `false` | | +| production_tools.enabled | bool | `false` | | +| repoURL | string | `"https://github.com/lsst-sqre/phalanx.git"` | | +| revision | string | `"HEAD"` | | +| sasquatch.enabled | bool | `false` | | +| semaphore.enabled | bool | `false` | | +| sherlock.enabled | bool | `false` | | +| squareone.enabled | bool | `false` | | +| squash_api.enabled | bool | `false` | | +| strimzi.enabled | bool | `false` | | +| strimzi_registry_operator.enabled | bool | `false` | | +| tap.enabled | bool | `false` | | +| tap_schema.enabled | bool | `false` | | +| telegraf-ds.enabled | bool | `false` | | +| telegraf.enabled | bool | `false` | | +| times_square.enabled | bool | `false` | | +| vault_secrets_operator.enabled | bool | `false` | | +| vo_cutouts.enabled | bool | `false` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md new file mode 100644 index 0000000000..fd38042efd --- /dev/null 
+++ b/services/alert-stream-broker/README.md @@ -0,0 +1,15 @@ + + +# alert-stream-broker + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://lsst-sqre.github.io/charts/ | alert-database | 2.1.0 | +| https://lsst-sqre.github.io/charts/ | alert-stream-broker | 2.5.1 | +| https://lsst-sqre.github.io/charts/ | alert-stream-schema-registry | 2.1.0 | +| https://lsst-sqre.github.io/charts/ | alert-stream-simulator | 1.6.2 | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md new file mode 100644 index 0000000000..b023abaa49 --- /dev/null +++ b/services/cachemachine/README.md 
@@ -0,0 +1,36 @@ +![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square) + +# cachemachine + +Service to prepull Docker images for the Science Platform + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the cachemachine frontend pod | +| autostart | object | `{}` | Autostart configuration. Each key is the name of a class of images to pull, and the value is the JSON specification for which and how many images to pull. | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the cachemachine image | +| image.repository | string | `"lsstsqre/cachemachine"` | cachemachine image to use | +| image.tag | string | The appVersion of the chart | Tag of cachemachine image to use | +| imagePullSecrets | list | `[{"name":"cachemachine-secret"}]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations to add for endpoints that are authenticated. | +| ingress.anonymousAnnotations | object | `{}` | Additional annotations to add for endpoints that allow anonymous access, such as `/*/available`. | +| ingress.enabled | bool | `true` | Whether to create an ingress | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string | +| ingress.host | string | None, must be set if the ingress is enabled | Hostname for the ingress | +| ingress.tls | list | `[]` | Configures TLS for the ingress if needed. If multiple ingresses share the same hostname, only one of them needs a TLS configuration. 
| +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the cachemachine frontend pod | +| podAnnotations | object | `{}` | Annotations for the cachemachine frontend pod | +| resources | object | `{}` | Resource limits and requests for the cachemachine frontend pod | +| service.port | int | `80` | Port of the service to create and map to the ingress | +| service.type | string | `"ClusterIP"` | Type of service to create | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | +| tolerations | list | `[]` | Tolerations for the cachemachine frontend pod | +| vaultSecretsPath | string | None, must be set | Path to the Vault secret containing the Docker credentials | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index 1ff6b789b3..999afee625 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md @@ -1,3 +1,5 @@ + + # cert-manager Let's Encrypt certificate management @@ -6,7 +8,7 @@ Let's Encrypt certificate management | Repository | Name | Version | |------------|------|---------| -| https://charts.jetstack.io | cert-manager | v1.7.2 | +| https://charts.jetstack.io | cert-manager | v1.8.0 | ## Values @@ -22,4 +24,4 @@ Let's Encrypt certificate management | nameOverride | string | `""` | Override the base name for resources | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) 
diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index 2bf346d371..ce19dd70b9 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md 
@@ -1,6 +1,41 @@ +![AppVersion: 0.9.2](https://img.shields.io/badge/AppVersion-0.9.2-informational?style=flat-square) + # exposurelog -Deployment of the exposurelog service, which manages a database of log messages associated with exposures. -Similar to narrativelog, but narrativelog messages are not associated with exposures. +Exposure log service + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| config.butler_uri_1 | string | `""` | | +| config.butler_uri_2 | string | `""` | | +| config.nfs_path_1 | string | `""` | | +| config.nfs_path_2 | string | `""` | | +| config.nfs_server_1 | string | `""` | | +| config.nfs_server_2 | string | `""` | | +| config.site_id | string | `""` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"Always"` | | +| image.repository | string | `"lsstsqre/exposurelog"` | | +| image.tag | string | `""` | | +| imagePullSecrets[0].name | string | `"pull-secret"` | | +| ingress.enabled | bool | `false` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `8080` | | +| service.type | string | `"ClusterIP"` | | +| tolerations | list | `[]` | | -exposurelog is developed at https://github.com/lsst-sqre/exposurelog and uses OpenAPI to document the API. +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index cfa7fd3496..3bfdb7b89a 100644 
--- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -1,7 +1,11 @@ +![AppVersion: 4.0.0](https://img.shields.io/badge/AppVersion-4.0.0-informational?style=flat-square) + # gafaelfawr Science Platform authentication and authorization system +**Homepage:** + ## Values | Key | Type | Default | Description | @@ -10,7 +14,7 @@ Science Platform authentication and authorization system | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.29.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.30.0"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `gafaelfawr` and `gafaelfawr-tokens` Kubernetes service accounts and has the `cloudsql.client` role | | config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. | @@ -74,4 +78,4 @@ Science Platform authentication and authorization system | tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/mobu/README.md b/services/mobu/README.md index be6196fc67..34e675d06a 100644 --- a/services/mobu/README.md +++ b/services/mobu/README.md 
@@ -1,7 +1,11 @@ +![AppVersion: 4.2.0](https://img.shields.io/badge/AppVersion-4.2.0-informational?style=flat-square) + # mobu Generate system load by pretending to be a random scientist +**Homepage:** + ## Values | Key | Type | Default | Description | @@ -25,4 +29,4 @@ Generate system load by pretending to be a random scientist | tolerations | list | `[]` | Tolerations for the mobu frontend pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index a06f57f6ed..a9744fc34d 100644 --- a/services/narrativelog/README.md +++ b/services/narrativelog/README.md 
@@ -1,6 +1,35 @@ +![AppVersion: 0.2.1](https://img.shields.io/badge/AppVersion-0.2.1-informational?style=flat-square) + # narrativelog -Deployment of the narrativelog service, which manages a database of log messages. -Similar to exposurelog, but exposurelog messages are associated with exposures. +Narrative log service + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| config.site_id | string | `""` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"Always"` | | +| image.repository | string | `"lsstsqre/narrativelog"` | | +| image.tag | string | `""` | | +| imagePullSecrets[0].name | string | `"pull-secret"` | | +| ingress.enabled | bool | `false` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `8080` | | +| service.type | string | `"ClusterIP"` | | +| tolerations | list | `[]` | | -narrativelog is developed at https://github.com/lsst-sqre/narrativelog and uses OpenAPI to document the API. +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 0219d9d6b1..8e3907d057 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md 
@@ -1,7 +1,11 @@ +![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square) + # noteburst Noteburst is a notebook execution service for the Rubin Science Platform. +**Homepage:** + ## Source Code * @@ -10,7 +14,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.5.3 | +| https://charts.bitnami.com/bitnami | redis | 16.8.7 | ## Values @@ -50,4 +54,4 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | tolerations | list | `[]` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/nublado2/README.md b/services/nublado2/README.md new file mode 100644 index 0000000000..e12d99bb1c --- /dev/null +++ b/services/nublado2/README.md 
@@ -0,0 +1,154 @@ +![AppVersion: 2.1.0](https://img.shields.io/badge/AppVersion-2.1.0-informational?style=flat-square) + +# nublado2 + +Nublado2 JupyterHub installation + +**Homepage:** + +## Source Code + +* + +## Requirements + +Kubernetes: `>=1.20.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| https://jupyterhub.github.io/helm-chart/ | jupyterhub | 1.1.3-n410.hd8ae7348 | +| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config.base_url | string | `""` | | +| config.butler_secret_path | string | `""` | | +| config.cachemachine_image_policy | string | `"available"` | | +| config.lab_environment | object | See `values.yaml` | Environment variables to set in spawned lab containers. Each value will be expanded using Jinja 2 templating. | +| config.pinned_images | list | `[]` | | +| config.pull_secret_path | string | `""` | | +| config.sizes[0].cpu | int | `1` | | +| config.sizes[0].name | string | `"Small"` | | +| config.sizes[0].ram | string | `"3072M"` | | +| config.sizes[1].cpu | int | `2` | | +| config.sizes[1].name | string | `"Medium"` | | +| config.sizes[1].ram | string | `"6144M"` | | +| config.sizes[2].cpu | int | `4` | | +| config.sizes[2].name | string | `"Large"` | | +| config.sizes[2].ram | string | `"12288M"` | | +| config.user_resources_template | string | See `values.yaml` | Templates for the user resources to create for each lab spawn. This is a string that can be templated and then loaded as YAML to generate a list of Kubernetes objects to create. 
| +| config.volume_mounts | list | `[]` | | +| config.volumes | list | `[]` | | +| jupyterhub.cull.enabled | bool | `true` | | +| jupyterhub.cull.every | int | `600` | | +| jupyterhub.cull.maxAge | int | `5184000` | | +| jupyterhub.cull.removeNamedServers | bool | `true` | | +| jupyterhub.cull.timeout | int | `2592000` | | +| jupyterhub.cull.users | bool | `true` | | +| jupyterhub.hub.authenticatePrometheus | bool | `false` | | +| jupyterhub.hub.baseUrl | string | `"/nb"` | | +| jupyterhub.hub.config.Authenticator.enable_auth_state | bool | `true` | | +| jupyterhub.hub.config.JupyterHub.authenticator_class | string | `"nublado2.auth.GafaelfawrAuthenticator"` | | +| jupyterhub.hub.config.ServerApp.shutdown_no_activity_timeout | int | `604800` | | +| jupyterhub.hub.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| jupyterhub.hub.containerSecurityContext.runAsGroup | int | `768` | | +| jupyterhub.hub.containerSecurityContext.runAsUser | int | `768` | | +| jupyterhub.hub.db.password | string | `"true"` | | +| jupyterhub.hub.db.type | string | `"postgres"` | | +| jupyterhub.hub.db.url | string | `"postgresql://jovyan@postgres.postgres/jupyterhub"` | | +| jupyterhub.hub.existingSecret | string | `"nublado2-secret"` | | +| jupyterhub.hub.extraConfig."nublado.py" | string | `"import nublado2.hub_config\nnublado2.hub_config.HubConfig().configure(c)\n"` | | +| jupyterhub.hub.extraVolumeMounts[0].mountPath | string | `"/etc/jupyterhub/nublado_config.yaml"` | | +| jupyterhub.hub.extraVolumeMounts[0].name | string | `"nublado-config"` | | +| jupyterhub.hub.extraVolumeMounts[0].subPath | string | `"nublado_config.yaml"` | | +| jupyterhub.hub.extraVolumeMounts[1].mountPath | string | `"/etc/keys/gafaelfawr-token"` | | +| jupyterhub.hub.extraVolumeMounts[1].name | string | `"nublado-gafaelfawr"` | | +| jupyterhub.hub.extraVolumeMounts[1].subPath | string | `"token"` | | +| jupyterhub.hub.extraVolumes[0].configMap.name | string | `"nublado-config"` | | +| 
jupyterhub.hub.extraVolumes[0].name | string | `"nublado-config"` | | +| jupyterhub.hub.extraVolumes[1].name | string | `"nublado-gafaelfawr"` | | +| jupyterhub.hub.extraVolumes[1].secret.secretName | string | `"gafaelfawr-token"` | | +| jupyterhub.hub.image.name | string | `"lsstsqre/nublado2"` | | +| jupyterhub.hub.image.tag | string | `"2.1.0"` | | +| jupyterhub.hub.loadRoles.self.scopes[0] | string | `"admin:servers!user"` | | +| jupyterhub.hub.loadRoles.self.scopes[1] | string | `"read:metrics"` | | +| jupyterhub.hub.loadRoles.server.scopes[0] | string | `"inherit"` | | +| jupyterhub.hub.networkPolicy.enabled | bool | `false` | | +| jupyterhub.imagePullSecrets[0].name | string | `"pull-secret"` | | +| jupyterhub.ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` | | +| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-method" | string | `"GET"` | | +| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-response-headers" | string | `"X-Auth-Request-Token"` | | +| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-url" | string | `"http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true"` | | +| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/configuration-snippet" | string | `"error_page 403 = \"/auth/forbidden?scope=exec:notebook\";\n"` | | +| jupyterhub.ingress.enabled | bool | `true` | | +| jupyterhub.ingress.pathSuffix | string | `"*"` | | +| jupyterhub.prePuller.continuous.enabled | bool | `false` | | +| jupyterhub.prePuller.hook.enabled | bool | `false` | | +| jupyterhub.proxy.chp.networkPolicy.interNamespaceAccessLabels | string | `"accept"` | | +| jupyterhub.proxy.service.type | string | `"ClusterIP"` | | +| jupyterhub.scheduling.userPlaceholder.enabled | bool | `false` | | +| jupyterhub.scheduling.userScheduler.enabled | bool | `false` | | +| jupyterhub.singleuser.cloudMetadata.blockWithIptables | bool | `false` | | +| jupyterhub.singleuser.cmd | 
string | `"/opt/lsst/software/jupyterlab/runlab.sh"` | | +| jupyterhub.singleuser.defaultUrl | string | `"/lab"` | | +| jupyterhub.singleuser.extraAnnotations."argocd.argoproj.io/compare-options" | string | `"IgnoreExtraneous"` | | +| jupyterhub.singleuser.extraAnnotations."argocd.argoproj.io/sync-options" | string | `"Prune=false"` | | +| jupyterhub.singleuser.extraLabels."argocd.argoproj.io/instance" | string | `"nublado-users"` | | +| jupyterhub.singleuser.extraLabels."hub.jupyter.org/network-access-hub" | string | `"true"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[0].mountPath | string | `"/etc/dask"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[0].name | string | `"dask"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[1].mountPath | string | `"/opt/lsst/software/jupyterlab/panda"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[1].name | string | `"idds-config"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[2].mountPath | string | `"/tmp"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[2].name | string | `"tmp"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[3].mountPath | string | `"/opt/lsst/software/jupyterlab/butler-secret"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[3].name | string | `"butler-secret"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[4].mountPath | string | `"/opt/lsst/software/jupyterlab/environment"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[4].name | string | `"lab-environment"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[5].mountPath | string | `"/etc/passwd"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[5].name | string | `"passwd"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[5].readOnly | bool | `true` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[5].subPath | string | `"passwd"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[6].mountPath | string | `"/etc/group"` | | +| 
jupyterhub.singleuser.storage.extraVolumeMounts[6].name | string | `"group"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[6].readOnly | bool | `true` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[6].subPath | string | `"group"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[7].mountPath | string | `"/etc/shadow"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[7].name | string | `"shadow"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[7].readOnly | bool | `true` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[7].subPath | string | `"shadow"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[8].mountPath | string | `"/etc/gshadow"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[8].name | string | `"gshadow"` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[8].readOnly | bool | `true` | | +| jupyterhub.singleuser.storage.extraVolumeMounts[8].subPath | string | `"gshadow"` | | +| jupyterhub.singleuser.storage.extraVolumes[0].configMap.name | string | `"dask"` | | +| jupyterhub.singleuser.storage.extraVolumes[0].name | string | `"dask"` | | +| jupyterhub.singleuser.storage.extraVolumes[1].configMap.name | string | `"idds-config"` | | +| jupyterhub.singleuser.storage.extraVolumes[1].name | string | `"idds-config"` | | +| jupyterhub.singleuser.storage.extraVolumes[2].emptyDir | object | `{}` | | +| jupyterhub.singleuser.storage.extraVolumes[2].name | string | `"tmp"` | | +| jupyterhub.singleuser.storage.extraVolumes[3].name | string | `"butler-secret"` | | +| jupyterhub.singleuser.storage.extraVolumes[3].secret.secretName | string | `"butler-secret"` | | +| jupyterhub.singleuser.storage.extraVolumes[4].configMap.defaultMode | int | `420` | | +| jupyterhub.singleuser.storage.extraVolumes[4].configMap.name | string | `"lab-environment"` | | +| jupyterhub.singleuser.storage.extraVolumes[4].name | string | `"lab-environment"` | | +| jupyterhub.singleuser.storage.extraVolumes[5].configMap.defaultMode | int | 
`420` | | +| jupyterhub.singleuser.storage.extraVolumes[5].configMap.name | string | `"passwd"` | | +| jupyterhub.singleuser.storage.extraVolumes[5].name | string | `"passwd"` | | +| jupyterhub.singleuser.storage.extraVolumes[6].configMap.defaultMode | int | `420` | | +| jupyterhub.singleuser.storage.extraVolumes[6].configMap.name | string | `"group"` | | +| jupyterhub.singleuser.storage.extraVolumes[6].name | string | `"group"` | | +| jupyterhub.singleuser.storage.extraVolumes[7].configMap.defaultMode | int | `384` | | +| jupyterhub.singleuser.storage.extraVolumes[7].configMap.name | string | `"shadow"` | | +| jupyterhub.singleuser.storage.extraVolumes[7].name | string | `"shadow"` | | +| jupyterhub.singleuser.storage.extraVolumes[8].configMap.defaultMode | int | `384` | | +| jupyterhub.singleuser.storage.extraVolumes[8].configMap.name | string | `"gshadow"` | | +| jupyterhub.singleuser.storage.extraVolumes[8].name | string | `"gshadow"` | | +| jupyterhub.singleuser.storage.type | string | `"none"` | | +| network_policy.enabled | bool | `true` | | +| vault_secret_path | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/portal/README.md b/services/portal/README.md index fc91c17a32..ff17ff9ed7 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -1,7 +1,11 @@ +![AppVersion: suit-233-7-dev](https://img.shields.io/badge/AppVersion-suit--233--7--dev-informational?style=flat-square) + # portal Rubin Science Platform portal aspect +**Homepage:** + ## Values | Key | Type | Default | Description | 
@@ -40,4 +44,4 @@ Rubin Science Platform portal aspect | tolerations | list | `[]` | Tolerations for the Portal pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/production-tools/README.md b/services/production-tools/README.md index 972971c2ea..0468f59008 100644 --- a/services/production-tools/README.md +++ b/services/production-tools/README.md @@ -1,7 +1,11 @@ +![AppVersion: 0.0.4](https://img.shields.io/badge/AppVersion-0.0.4-informational?style=flat-square) + # production-tools A collection of utility pages for monitoring data processing. +**Homepage:** + ## Values | Key | Type | Default | Description | diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index e8ecb0919e..d0157c2ea3 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -1,3 +1,5 @@ + + # sasquatch SQuaRE telemetry data service. @@ -8,10 +10,10 @@ SQuaRE telemetry data service. |------------|------|---------| | | kafka-connect-manager | 1.0.0 | | | strimzi-kafka | 1.0.0 | -| https://helm.influxdata.com/ | chronograf | 1.2.3 | -| https://helm.influxdata.com/ | influxdb | 4.10.6 | -| https://helm.influxdata.com/ | kapacitor | 1.4.3 | -| https://helm.influxdata.com/ | telegraf | 1.8.14 | +| https://helm.influxdata.com/ | chronograf | 1.2.5 | +| https://helm.influxdata.com/ | influxdb | 4.11.0 | +| https://helm.influxdata.com/ | kapacitor | 1.4.6 | +| https://helm.influxdata.com/ | telegraf | 1.8.18 | | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 1.2.0 | ## Values 
@@ -20,7 +22,7 @@ SQuaRE telemetry data service. |-----|------|---------|-------------| | chronograf.env | object | `{"BASE_PATH":"/chronograf","CUSTOM_AUTO_REFRESH":"1s=1000","HOST_PAGE_DISABLED":true}` | Chronograf environment variables. | | chronograf.envFromSecret | string | `"sasquatch"` | Chronograf secrets, expected keys generic_client_id, generic_client_secret and token_secret. | -| chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.3"}` | Chronograf image tag. | +| chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.4"}` | Chronograf image tag. | | chronograf.ingress | object | disabled | Chronograf ingress configuration. | | chronograf.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | | influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"900s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | 
@@ -31,7 +33,7 @@ SQuaRE telemetry data service. | kafka-connect-manager | object | `{}` | Override strimzi-kafka configuration. | | kapacitor.envVars | object | `{"KAPACITOR_SLACK_ENABLED":true}` | Kapacitor environment variables. | | kapacitor.existingSecret | string | `"sasquatch"` | InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. | -| kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.3"}` | Kapacitor image tag. | +| kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.4"}` | Kapacitor image tag. | | kapacitor.influxURL | string | `"http://sasquatch.influxdb:8086"` | InfluxDB connection URL. | | kapacitor.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | @@ -45,4 +47,4 @@ SQuaRE telemetry data service. | vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//sasquatch`) | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 41b0cfe86f..553d50bc4d 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -1,3 +1,5 @@ + + # kafka-connect-manager A sub chart to deploy the Kafka connectors used by Sasquatch. 
@@ -74,4 +76,4 @@ A sub chart to deploy the Kafka connectors used by Sasquatch. | s3Sink.topicsRegex | string | `".*"` | Regex to select topics from Kafka. | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 84c2c604dd..e0aaa5345c 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md @@ -1,3 +1,5 @@ + + # strimzi-kafka A sub chart to deploy Strimzi Kafka components for Sasquatch. @@ -7,6 +9,7 @@ A sub chart to deploy Strimzi Kafka components for Sasquatch. | Key | Type | Default | Description | |-----|------|---------|-------------| | cluster.name | string | `"sasquatch"` | Name used for the Kafka cluster, and used by Strimzi for many annotations. | +| connect.image | string | `"lsstsqre/strimzi-0.27.1-kafka-3.0.0:master"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | | connect.replicas | int | `1` | Number of Kafka Connect replicas to run. | | kafka.config | object | `{"log.retention.bytes":"644245094400","log.retention.hours":168,"offsets.retention.minutes":10080}` | Configuration overrides for the Kafka server. | | kafka.config."log.retention.bytes" | string | `"644245094400"` | Maximum retained number of bytes for a topic's data. | 
@@ -23,4 +26,4 @@ A sub chart to deploy Strimzi Kafka components for Sasquatch. | zookeeper.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/semaphore/README.md b/services/semaphore/README.md index cf10693740..d5b9598d74 100644 --- a/services/semaphore/README.md +++ b/services/semaphore/README.md @@ -1,7 +1,7 @@ -# semaphore - ![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square) +# semaphore + Semaphore is the user notification and messaging service for the Rubin Science Platform. ## Source Code diff --git a/services/squareone/README.md b/services/squareone/README.md index ed2cc8844c..c353a57559 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -1,6 +1,6 @@ -# squareone +![AppVersion: 0.6.0](https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square) -![AppVersion: 0.5.0](https://img.shields.io/badge/AppVersion-0.5.0-informational?style=flat-square) +# squareone Squareone is the homepage UI for the Rubin Science Platform. diff --git a/services/tap-schema/README.md b/services/tap-schema/README.md new file mode 100644 index 0000000000..057d0d8510 --- /dev/null +++ b/services/tap-schema/README.md 
@@ -0,0 +1,28 @@ +![AppVersion: 1.1.7](https://img.shields.io/badge/AppVersion-1.1.7-informational?style=flat-square) + +# tap-schema + +The TAP_SCHEMA database + +**Homepage:** + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the MySQL pod | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tap-schema image | +| image.repository | string | `"lsstsqre/tap-schema-mock"` | tap-schema image to use | +| image.tag | string | The appVersion of the chart | Tag of tap-schema image to use | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the MySQL pod | +| podAnnotations | object | `{}` | Annotations for the MySQL pod | +| resources | object | `{}` | Resource limits and requests for the MySQL pod | +| tolerations | list | `[]` | Tolerations for the MySQL pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index 9cda49d1c5..01662e10bf 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md @@ -1,3 +1,5 @@ + + # telegraf-ds SQuaRE DaemonSet (K8s) telemetry collection service 
@@ -12,9 +14,19 @@ SQuaRE DaemonSet (K8s) telemetry collection service | Key | Type | Default | Description | |-----|------|---------|-------------| +| global.enabled_services | string | Set by Argo CD | services enabled in this RSP instance | +| global.host | string | Set by Argo CD | Host name for instance identification | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| telegraf-ds.args[0] | string | `"--config"` | | +| telegraf-ds.args[1] | string | `"/etc/telegraf-generated/telegraf-generated.conf"` | | | telegraf-ds.env[0] | object | `{"name":"INFLUX_TOKEN","valueFrom":{"secretKeyRef":{"key":"influx-token","name":"telegraf"}}}` | Token to communicate with Influx | -| telegraf-ds.override_config.toml | string | `"[ global_tags ]\n cluster = \"no_endpoint\"\n[ agent ]\n hostname = \"telegraf-$HOSTIP\"\n[[inputs.kubernetes]]\n url = \"https://$HOSTIP:10250\"\n bearer_token = \"/var/run/secrets/kubernetes.io/serviceaccount/token\"\n insecure_skip_verify = true\n namepass = [\"kubernetes_pod_container\"]\n fieldpass = [\"cpu_usage_nanocores\", \"memory_usage_bytes\"]\n"` | | -| vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//telegraf`) shared with telegraf (non-DaemonSet) | +| telegraf-ds.mountPoints[0].mountPath | string | `"/etc/telegraf-generated"` | | +| telegraf-ds.mountPoints[0].name | string | `"telegraf-generated-config"` | | +| telegraf-ds.override_config.toml | string | `"[agent]\n logfile=\"\"\n"` | | +| telegraf-ds.rbac.create | bool | `true` | | +| telegraf-ds.serviceAccount.name | string | `"telegraf-ds"` | | +| telegraf-ds.volumes[0].configMap.name | string | `"telegraf-generated-config"` | | +| telegraf-ds.volumes[0].name | string | `"telegraf-generated-config"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) +Autogenerated from chart metadata 
using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/telegraf/README.md b/services/telegraf/README.md index 14afab9924..7a69345ce6 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -1,3 +1,5 @@ + + # telegraf SQuaRE telemetry collection service 
@@ -6,29 +8,32 @@ SQuaRE telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf | 1.8.17 | +| https://helm.influxdata.com/ | telegraf | 1.8.18 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| telegraf.config.agent.omit_hostname | bool | `true` | | -| telegraf.config.global_tags.cluster | string | `""` | | -| telegraf.config.inputs[0].prometheus.metric_version | int | `2` | | -| telegraf.config.inputs[0].prometheus.urls[0] | string | `"http://hub.nublado2:8081/metrics"` | | -| telegraf.config.inputs[0].prometheus.urls[1] | string | `"http://cert-manager.cert-manager:9402/metrics"` | | -| telegraf.config.inputs[0].prometheus.urls[2] | string | `"http://argocd-application-controller-metrics.argocd:8082/metrics"` | | -| telegraf.config.inputs[0].prometheus.urls[3] | string | `"http://argocd-notifications-controller-metrics.argocd:9001/metrics"` | | -| telegraf.config.inputs[0].prometheus.urls[4] | string | `"http://argocd-redis-metrics.argocd:9121/metrics"` | | -| telegraf.config.inputs[0].prometheus.urls[5] | string | `"http://argocd-repo-server-metrics.argocd:8084/metrics"` | | -| telegraf.config.inputs[0].prometheus.urls[6] | string | `"http://argocd-server-metrics.argocd:8083/metrics"` | | -| telegraf.config.inputs[0].prometheus.urls[7] | string | `"http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics"` | | -| telegraf.config.outputs | list | `[{"influxdb_v2":{"bucket":"monitoring","organization":"square","token":"$INFLUX_TOKEN","urls":["https://monitoring.lsst.codes"]}}]` | Telegraf default output destination. | -| telegraf.env[0] | object | `{"name":"INFLUX_TOKEN","valueFrom":{"secretKeyRef":{"key":"influx-token","name":"telegraf"}}}` | Token to communicate with Influx | -| telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. 
| -| telegraf.service.enabled | bool | `false` | Telegraf service. | +| global.enabled_services | string | Set by Argo CD | services enabled in this RSP instance | +| global.host | string | Set by Argo CD | Host name for instance identification | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| prometheus_config | object | `{"argocd":{"application_controller":"http://argocd-application-controller-metrics.argocd.svc:8082/metrics","notifications_controller":"http://argocd-notifications-controller-metrics.argocd.svc:9001/metrics","redis":"http://argocd-redis-metrics.argocd.svc:9121/metrics","repo_server":"http://argocd-repo-server-metrics.argocd.svc:8084/metrics","server":"http://argocd-server-metrics.argocd.svc:8083/metrics"},"ingress-nginx":{"controller":"http://ingress-nginx-controller-metrics.ingress-nginx:10254/metrics"},"nublado2":{"hub":"http://hub.nublado2:8081/metrics"}}` | Use prometheus_config to specify all the services in the RSP that expose prometheus endpoints. A better option, eventually, will be to use telegraf-operator and capture these as pod annotations. 
| +| telegraf.args[0] | string | `"--config"` | | +| telegraf.args[1] | string | `"/etc/telegraf-generated/telegraf-generated.conf"` | | +| telegraf.config.inputs | list | `[]` | | +| telegraf.config.outputs | list | `[]` | | +| telegraf.config.processors | list | `[]` | | +| telegraf.env[0].name | string | `"INFLUX_TOKEN"` | | +| telegraf.env[0].valueFrom.secretKeyRef.key | string | `"influx-token"` | | +| telegraf.env[0].valueFrom.secretKeyRef.name | string | `"telegraf"` | | +| telegraf.mountPoints[0].mountPath | string | `"/etc/telegraf-generated"` | | +| telegraf.mountPoints[0].name | string | `"telegraf-generated-config"` | | +| telegraf.podLabels."hub.jupyter.org/network-access-hub" | string | `"true"` | | +| telegraf.rbac.clusterWide | bool | `true` | | +| telegraf.service.enabled | bool | `false` | | | telegraf.tplVersion | int | `2` | | -| vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//telegraf`) | +| telegraf.volumes[0].configMap.name | string | `"telegraf-generated-config"` | | +| telegraf.volumes[0].name | string | `"telegraf-generated-config"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/times-square/README.md b/services/times-square/README.md index 3222e555a5..ed50440a42 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -1,3 +1,5 @@ + + # times-square A parameterized notebook web viewer for the Rubin Science Platform. 
@@ -11,8 +13,9 @@ See the embedded Helm sub-charts for additional configuration docs: | Repository | Name | Version | |------------|------|---------| -| | times-square | | -| | times-square-ui | | +| | times-square | 1.0.0 | +| | times-square-ui | 1.0.0 | +| https://charts.bitnami.com/bitnami | redis | 16.8.7 | ## Values @@ -21,12 +24,15 @@ See the embedded Helm sub-charts for additional configuration docs: | global.baseUrl | string | Set by times-square Argo CD Application | Base URL for the environment | | global.host | string | Set by times-square Argo CD Application | Host name for ingress | | global.vaultSecretsPathPrefix | string | Set by times-square Argo CD Application | Base path for Vault secrets | +| redis.auth.enabled | bool | `false` | | +| redis.fullnameOverride | string | `"times-square-redis"` | | | times-square-ui.fullnameOverride | string | `"times-square-ui"` | | | times-square-ui.image.pullPolicy | string | `"IfNotPresent"` | | | times-square-ui.image.tag | string | `"tickets-DM-34030"` | | +| times-square.config.redisUrl | string | Points to embedded Redis | Redis URL | | times-square.fullnameOverride | string | `"times-square"` | | | times-square.image.pullPolicy | string | `"IfNotPresent"` | | | times-square.image.tag | string | `"tickets-DM-34030"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/times-square/charts/times-square-ui/README.md b/services/times-square/charts/times-square-ui/README.md index 00c648d5e3..aa807da1f6 100644 --- a/services/times-square/charts/times-square-ui/README.md +++ b/services/times-square/charts/times-square-ui/README.md 
@@ -1,3 +1,5 @@ +![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + # times-square-ui The front-end for Times Square, a parameterized notebook web viewer for the Rubin Science Platform @@ -39,4 +41,4 @@ The front-end for Times Square, a parameterized notebook web viewer for the Rubi | tolerations | list | `[]` | Tolerations for the times-square-ui deployment pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/times-square/charts/times-square/README.md b/services/times-square/charts/times-square/README.md index ea67b258e7..ab5b6b41a0 100644 --- a/services/times-square/charts/times-square/README.md +++ b/services/times-square/charts/times-square/README.md @@ -1,3 +1,5 @@ +![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + # times-square A parameterized notebook web viewer for the Rubin Science Platform. @@ -6,12 +8,6 @@ A parameterized notebook web viewer for the Rubin Science Platform. * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://charts.bitnami.c | redis | 16.0.1 | - ## Values | Key | Type | Default | Description | 
@@ -24,13 +20,14 @@ A parameterized notebook web viewer for the Rubin Science Platform. | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.29.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.30.0"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | | config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | | config.name | string | `"times-square"` | Name of the service. | | config.profile | string | `"production"` | Run profile: "production" or "development" | +| config.redisUrl | string | None, must be set | URL for the Redis cache | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | image.pullPolicy | string | `"Always"` | Pull policy for the times-square image | | image.repository | string | `"ghcr.io/lsst-sqre/times-square"` | Image to use in the times-square deployment | 
@@ -56,4 +53,4 @@ A parameterized notebook web viewer for the Rubin Science Platform. | vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//times-square`, for example) | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index dc996b15a9..40f70e13f5 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -1,7 +1,11 @@ +![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square) + # vo-cutouts Image cutout service complying with IVOA SODA +**Homepage:** + ## Values | Key | Type | Default | Description | @@ -64,4 +68,4 @@ Image cutout service complying with IVOA SODA | tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) From f137226f82e295d5a284e774201fd90649a39f01 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 28 Apr 2022 15:55:04 -0400 Subject: [PATCH 0299/1479] Add yamllint pre-commit step This adds a pre-commit hook that uses yamllint, https://github.com/adrienverge/yamllint Note this is the yaml linting tool we've already been using from GitHub Actions and Phalanx includes a yamllint configuration file. --- .pre-commit-config.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5686dd6e82..34564cafe6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -4,6 +4,13 @@ repos:
 hooks:
 - id: trailing-whitespace
+ - repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.26.3
+ hooks:
+ - id: yamllint
+ args:
+ - "-c=.yamllint.yml"
+
 - repo: https://github.com/norwoodj/helm-docs
 rev: v1.2.0
 hooks:
From d5b1db85dbd66553ebddba4c19912baba5162656 Mon Sep 17 00:00:00 2001
From: Jonathan Sick
Date: Thu, 28 Apr 2022 16:15:39 -0400
Subject: [PATCH 0300/1479] Add black and flake8 pre-commit hooks
Configuration files are .flake8 and pyproject.toml (black and isort don't use other types of config files; and though we normally use setup.cfg for flake8, it doesn't make sense to add a setup.cfg file here)
---
 .flake8 | 5 +++++
 .pre-commit-config.yaml | 24 ++++++++++++++++++++++++
 pyproject.toml | 23 +++++++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 .flake8
 create mode 100644 pyproject.toml
diff --git a/.flake8 b/.flake8
new file mode 100644
index 0000000000..63e7cad58a
--- /dev/null
+++ b/.flake8
@@ -0,0 +1,5 @@
+[flake8]
+max-line-length = 79
+# E203: whitespace before :, flake8 disagrees with PEP-8
+# W503: line break after binary operator, flake8 disagrees with PEP-8
+ignore = E203, W503
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 34564cafe6..bcc0ac9e78 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -3,6 +3,7 @@ repos:
 rev: v4.2.0
 hooks:
 - id: trailing-whitespace
+ - id: check-toml
 - repo: https://github.com/adrienverge/yamllint.git
 rev: v1.26.3
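Review bot: The `args: - "-c=.yamllint.yml"` entry added to the yamllint hook uses the `-c=value` spelling, which only works because argparse happens to split short options on `=`; the documented form is two list items, `args: ["-c", ".yamllint.yml"]`. yamllint also discovers a `.yamllint.yml` in the working directory on its own, and pre-commit runs hooks from the repository root, so the `args` block can probably be dropped altogether. Separately, both hook repos visible here are pinned by tag (`rev: v1.26.3`, `rev: v1.2.0`); tags are mutable, so if this file is meant to control what code runs on developer machines and in CI, pinning `rev` to the tag's commit SHA is the stronger choice.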
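Review bot: `ignore = E203, W503` in the new `.flake8` replaces flake8's default ignore list instead of adding to it, so codes that are ignored by default (E121, E123, E126, E226, E24, E704, W504) become active; to keep the defaults and add these two, use `extend-ignore = E203, W503`. The two comments above the line already explain why E203 and W503 are suppressed, so only the key needs to change.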
@@ -19,3 +20,26 @@ repos:
 - "--chart-search-root=."
 # The `./` makes it relative to the chart-search-root set above
 - "--template-files=./helm-docs.md.gotmpl"
+
+ - repo: https://github.com/pycqa/isort
+ rev: 5.10.1
+ hooks:
+ - id: isort
+ additional_dependencies:
+ - toml
+
+ - repo: https://github.com/psf/black
+ rev: 22.3.0
+ hooks:
+ - id: black
+
+ - repo: https://github.com/asottile/blacken-docs
+ rev: v1.12.1
+ hooks:
+ - id: blacken-docs
+ additional_dependencies: [black==22.3.0]
+
+ - repo: https://gitlab.com/pycqa/flake8
+ rev: 4.0.1
+ hooks:
+ - id: flake8
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 0000000000..df2f642492
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,23 @@
+[tool.black]
+line-length = 79
+target-version = ['py38']
+exclude = '''
+/(
+ \.eggs
+ | \.git
+ | \.mypy_cache
+ | \.tox
+ | \.venv
+ | _build
+ | build
+ | dist
+)/
+'''
+# Use single-quoted strings so TOML treats the string like a Python r-string
+# Multi-line strings are implicitly treated by black as regular expressions
+
+[tool.isort]
+include_trailing_comma = true
+multi_line_output = 3
+known_first_party = []
+skip = ["docs/conf.py"]
From 6bd3cac2784988a763198e77efabdfaf89d387a4 Mon Sep 17 00:00:00 2001
From: Jonathan Sick
Date: Thu, 28 Apr 2022 16:17:17 -0400
Subject: [PATCH 0301/1479] Reformat code with black
---
 docs/_static/notebook-tap.py | 10 +--
 docs/_static/portal-tap.py | 10 +--
 docs/conf.py | 65 +++++++-------
 installer/generate_secrets.py | 161 +++++++++++++++++++++++-----------
 installer/vault_key.py | 13 ++-
 5 files changed, 163 insertions(+), 96 deletions(-)
diff --git a/docs/_static/notebook-tap.py b/docs/_static/notebook-tap.py
index 71604f4242..e04ac1bc99 100644
--- a/docs/_static/notebook-tap.py
+++ b/docs/_static/notebook-tap.py
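Review bot: `additional_dependencies: - toml` under the isort hook is unpinned, while the blacken-docs stanza a few lines later pins `black==22.3.0`; pre-commit builds each hook environment from these specs, so an unpinned extra dependency makes the environment non-reproducible and silently installs whichever `toml` release is current. Pin it the same way, e.g. `additional_dependencies: ["toml==<tested-version>"]` (placeholder for the version you verified against). As with the hooks added in the previous commit, every `rev` here is a mutable tag; a commit SHA is the stronger pin if this file is meant to be a control on what CI executes.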
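Review bot: `exclude = '''...'''` under `[tool.black]` replaces black's built-in default exclusion pattern rather than extending it, and the directories listed are a subset of that default, so the net effect is to drop exclusions (for example `venv`, `.hg`, `.nox`) rather than add any; `extend-exclude` is the key that adds to the defaults, and if nothing beyond the defaults is wanted the block can simply be removed. The two explanatory comments sit below the value they describe; placing them above `exclude` reads more naturally, and the second would be more precise as `# Multi-line exclude strings are treated by black as verbose regular expressions`.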
@@ -2,17 +2,17 @@ from diagrams import Cluster, Diagram, Edge from diagrams.gcp.compute import KubernetesEngine -from diagrams.gcp.database import Datastore, Memorystore, SQL +from diagrams.gcp.database import SQL, Datastore, Memorystore from diagrams.gcp.network import LoadBalancing from diagrams.onprem.client import User os.chdir(os.path.dirname(__file__)) with Diagram( - "Notebook to TAP", - show=False, - filename="notebook-tap", - outformat="png", + "Notebook to TAP", + show=False, + filename="notebook-tap", + outformat="png", ): user = User("End User") diff --git a/docs/_static/portal-tap.py b/docs/_static/portal-tap.py index 0afbf5f454..3c09ecfdbf 100644 --- a/docs/_static/portal-tap.py +++ b/docs/_static/portal-tap.py @@ -2,17 +2,17 @@ from diagrams import Cluster, Diagram, Edge from diagrams.gcp.compute import KubernetesEngine -from diagrams.gcp.database import Datastore, Memorystore, SQL +from diagrams.gcp.database import SQL, Datastore, Memorystore from diagrams.gcp.network import LoadBalancing from diagrams.onprem.client import User os.chdir(os.path.dirname(__file__)) with Diagram( - "Portal to TAP", - show=False, - filename="portal-tap", - outformat="png", + "Portal to TAP", + show=False, + filename="portal-tap", + outformat="png", ): user = User("End User") diff --git a/docs/conf.py b/docs/conf.py index d68e7ca5fb..bf7cbdd8f5 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -17,37 +17,39 @@ # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ - 'sphinx.ext.autodoc', - 'sphinx.ext.intersphinx', - 'sphinx.ext.todo', - 'sphinx.ext.ifconfig', - 'documenteer.sphinxext' + "sphinx.ext.autodoc", + "sphinx.ext.intersphinx", + "sphinx.ext.todo", + "sphinx.ext.ifconfig", + "documenteer.sphinxext", ] # The suffix(es) of source filenames. # You can specify multiple suffix as a list of string: # source_suffix = ['.rst', '.md'] -source_suffix = '.rst' +source_suffix = ".rst" # The master toctree document. -master_doc = 'index' +master_doc = "index" # General information about the project. -project = 'Phalanx' -copyright = '2020, Association of Universities for Research in Astronomy, Inc. (AURA)' -author = 'LSST SQuaRE' +project = "Phalanx" +copyright = ( + "2020, Association of Universities for Research in Astronomy, Inc. (AURA)" +) +author = "LSST SQuaRE" # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. -github_ref = os.getenv('GITHUB_REF', default='refs/heads/master') -ref_match = re.match(r'refs/(heads|tags|pull)/(?P.+)', github_ref) +github_ref = os.getenv("GITHUB_REF", default="refs/heads/master") +ref_match = re.match(r"refs/(heads|tags|pull)/(?P.+)", github_ref) if ref_match is None: - version = 'Current' -elif ref_match['ref'] == 'master': - version = 'Current' + version = "Current" +elif ref_match["ref"] == "master": + version = "Current" else: - version = ref_match['ref'] + version = ref_match["ref"] release = version html_title = f"{project} ({version}) documentation" 
@@ -67,16 +69,13 @@ # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. -exclude_patterns = [ - '_build', - 'README.rst' -] +exclude_patterns = ["_build", "README.rst"] # The name of the Pygments (syntax highlighting) style to use. -pygments_style = 'sphinx' +pygments_style = "sphinx" # The reST default role cross-links Python (used for this markup: `text`) -default_role = 'py:obj' +default_role = "py:obj" # Intersphinx 
@@ -96,38 +95,38 @@ linkcheck_retries = 2 linkcheck_timeout = 5 # seconds linkcheck_ignore = [ - r'^http://localhost', - r'^http(s)*://ls.st', + r"^http://localhost", + r"^http(s)*://ls.st", ] # -- Options for HTML output ---------------------------------------------- templates_path = [ - '_templates', - lsst_sphinx_bootstrap_theme.get_html_templates_path() + "_templates", + lsst_sphinx_bootstrap_theme.get_html_templates_path(), ] -html_theme = 'lsst_sphinx_bootstrap_theme' +html_theme = "lsst_sphinx_bootstrap_theme" html_theme_path = [lsst_sphinx_bootstrap_theme.get_html_theme_path()] html_context = { # Enable "Edit in GitHub" link - 'display_github': True, + "display_github": True, # https://{{ github_host|default("github.com") }}/{{ github_user }}/ # {{ github_repo }}/blob/ # {{ github_version }}{{ conf_py_path }}{{ pagename }}{{ suffix }} - 'github_user': 'lsst-sqre', - 'github_repo': 'phalanx', - 'conf_py_path': 'docs/', + "github_user": "lsst-sqre", + "github_repo": "phalanx", + "conf_py_path": "docs/", # TRAVIS_BRANCH is available in CI, but master is a safe default - 'github_version': os.getenv('TRAVIS_BRANCH', default='master') + '/' + "github_version": os.getenv("TRAVIS_BRANCH", default="master") + "/", } # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the # documentation. -html_theme_options = {'logotext': project} +html_theme_options = {"logotext": project} # The name for this set of Sphinx documents. If None, it defaults to # " v documentation". diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 123eb7caab..765b139f28 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py 
@@ -1,20 +1,19 @@ #!/usr/bin/env python3 import argparse import base64 -import bcrypt -from collections import defaultdict -from cryptography.fernet import Fernet -from cryptography.hazmat.primitives.asymmetric import rsa -from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives import serialization -from datetime import datetime, timezone import json import logging import os -from pathlib import Path import secrets -import yaml +from collections import defaultdict +from datetime import datetime, timezone +from pathlib import Path +import bcrypt +from cryptography.fernet import Fernet +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives.asymmetric import rsa from onepassword import OnePassword @@ -62,7 +61,9 @@ def generate(self): elif use_cert_manager == "n": self._ingress_nginx() else: - raise Exception(f"Invalid cert manager enabled value {use_cert_manager}") + raise Exception( + f"Invalid cert manager enabled value {use_cert_manager}" + ) def load(self): """Load the secrets files for each RSP component from the @@ -89,7 +90,9 @@ def save(self): def input_field(self, component, name, description): default = self.secrets[component].get(name, "") - prompt_string = f"[{component} {name}] ({description}): [current: {default}] " + prompt_string = ( + f"[{component} {name}] ({description}): [current: {default}] " + ) input_string = input(prompt_string) if input_string: @@ -99,7 +102,7 @@ def input_file(self, component, name, description): current = self.secrets.get(component, {}).get(name, "") print(f"[{component} {name}] ({description})") print(f"Current contents:\n{current}") - prompt_string = f"New filename with contents (empty to not change): " + prompt_string = "New filename with contents (empty to not change): " fname = input(prompt_string) if fname: 
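Review bot: The import hunk removes `import yaml` outright, which is not something black or isort does, so a commit titled as a reformat is also changing what the module imports. If no `yaml.` reference survives elsewhere in generate_secrets.py (the rest of the file is outside this hunk) the removal is fine but deserves a sentence in the commit message; if one does survive, this hunk turns it into a `NameError` at runtime. The same applies to the removed `import pprint` in installer/vault_key.py further down.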
@@ -122,7 +125,7 @@ def _set(self, component, name, new_value): self.secrets[component][name] = new_value def _exists(self, component, name): - return (component in self.secrets and name in self.secrets[component]) + return component in self.secrets and name in self.secrets[component] def _set_generated(self, component, name, new_value): if not self._exists(component, name) or self.regenerate: 
@@ -136,27 +139,42 @@ def _tap(self): ) def _postgres(self): - self._set_generated("postgres", "exposurelog_password", secrets.token_hex(32)) - self._set_generated("postgres", "gafaelfawr_password", secrets.token_hex(32)) - self._set_generated("postgres", "jupyterhub_password", secrets.token_hex(32)) + self._set_generated( + "postgres", "exposurelog_password", secrets.token_hex(32) + ) + self._set_generated( + "postgres", "gafaelfawr_password", secrets.token_hex(32) + ) + self._set_generated( + "postgres", "jupyterhub_password", secrets.token_hex(32) + ) self._set_generated("postgres", "root_password", secrets.token_hex(64)) - self._set_generated("postgres", "vo_cutouts_password", secrets.token_hex(32)) - self._set_generated("postgres", "narrativelog_password", secrets.token_hex(32)) + self._set_generated( + "postgres", "vo_cutouts_password", secrets.token_hex(32) + ) + self._set_generated( + "postgres", "narrativelog_password", secrets.token_hex(32) + ) def _nublado2(self): crypto_key = secrets.token_hex(32) self._set_generated("nublado2", "crypto_key", crypto_key) self._set_generated("nublado2", "proxy_token", secrets.token_hex(32)) - self._set_generated("nublado2", "cryptkeeper_key", secrets.token_hex(32)) + self._set_generated( + "nublado2", "cryptkeeper_key", secrets.token_hex(32) + ) # Pluck the password out of the postgres portion. - self.secrets["nublado2"]["hub_db_password"] = self.secrets["postgres"]["jupyterhub_password"] + self.secrets["nublado2"]["hub_db_password"] = self.secrets["postgres"][ + "jupyterhub_password" + ] def _mobu(self): self.input_field( "mobu", "ALERT_HOOK", - "Slack webhook for reporting mobu alerts. Or use None for no alerting.", + "Slack webhook for reporting mobu alerts. " + "Or use None for no alerting.", ) def _cert_manager(self): 
@@ -180,7 +198,9 @@ def _gafaelfawr(self): self._set_generated( "gafaelfawr", "bootstrap-token", self._generate_gafaelfawr_token() ) - self._set_generated("gafaelfawr", "redis-password", os.urandom(32).hex()) + self._set_generated( + "gafaelfawr", "redis-password", os.urandom(32).hex() + ) self._set_generated( "gafaelfawr", "session-secret", Fernet.generate_key().decode() ) @@ -189,13 +209,17 @@ def _gafaelfawr(self): self.input_field("gafaelfawr", "cloudsql", "Use CloudSQL? (y/n):") use_cloudsql = self.secrets["gafaelfawr"]["cloudsql"] if use_cloudsql == "y": - self.input_field("gafaelfawr", "database-password", "Database password") + self.input_field( + "gafaelfawr", "database-password", "Database password" + ) elif use_cloudsql == "n": # Pluck the password out of the postgres portion. db_pass = self.secrets["postgres"]["gafaelfawr_password"] self._set("gafaelfawr", "database-password", db_pass) else: - raise Exception(f"Invalid gafaelfawr cloudsql value {use_cloudsql}") + raise Exception( + f"Invalid gafaelfawr cloudsql value {use_cloudsql}" + ) self.input_field("gafaelfawr", "auth_type", "Use cilogon or github?") auth_type = self.secrets["gafaelfawr"]["auth_type"] 
@@ -212,35 +236,51 @@ def _gafaelfawr(self): def _pull_secret(self): self.input_file( - "pull-secret", ".dockerconfigjson", ".docker/config.json to pull images" + "pull-secret", + ".dockerconfigjson", + ".docker/config.json to pull images", ) def _butler_secret(self): self.input_file( - "butler-secret", "aws-credentials.ini", "AWS credentials for butler" - ) + "butler-secret", + "aws-credentials.ini", + "AWS credentials for butler", + ) self.input_file( - "butler-secret", "butler-gcs-idf-creds.json", "Google credentials for butler" - ) + "butler-secret", + "butler-gcs-idf-creds.json", + "Google credentials for butler", + ) self.input_file( - "butler-secret", "postgres-credentials.txt", "Postgres credentials for butler" - ) + "butler-secret", + "postgres-credentials.txt", + "Postgres credentials for butler", + ) def _ingress_nginx(self): self.input_file("ingress-nginx", "tls.key", "Certificate private key") self.input_file("ingress-nginx", "tls.crt", "Certificate chain") def _argocd(self): - current_pw = self._get_current("installer", "argocd.admin.plaintext_password") + current_pw = self._get_current( + "installer", "argocd.admin.plaintext_password" + ) self.input_field( - "installer", "argocd.admin.plaintext_password", "Admin password for ArgoCD?" + "installer", + "argocd.admin.plaintext_password", + "Admin password for ArgoCD?", ) new_pw = self.secrets["installer"]["argocd.admin.plaintext_password"] if current_pw != new_pw or self.regenerate: - h = bcrypt.hashpw(new_pw.encode("ascii"), bcrypt.gensalt(rounds=15)).decode("ascii") - now_time = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + h = bcrypt.hashpw( + new_pw.encode("ascii"), bcrypt.gensalt(rounds=15) + ).decode("ascii") + now_time = datetime.now(timezone.utc).strftime( + "%Y-%m-%dT%H:%M:%SZ" + ) self._set("argocd", "admin.password", h) self._set("argocd", "admin.passwordMtime", now_time) 
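Review bot: `new_pw.encode("ascii")` in the re-wrapped `bcrypt.hashpw` call in `_argocd` raises `UnicodeEncodeError` for any admin password containing a non-ASCII character, so an operator who types one gets a traceback instead of a hash; `new_pw.encode("utf-8")` accepts any input and bcrypt only sees bytes either way. Confirm that the consumer of `admin.password` compares against the UTF-8 bytes of the entered password before changing the encoding; `_argocd` continues past the end of this hunk.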
@@ -248,10 +288,12 @@ def _argocd(self): self.input_field( "argocd", "dex.clientSecret", - "OAuth client secret for ArgoCD (either GitHub or Google)?" + "OAuth client secret for ArgoCD (either GitHub or Google)?", ) - self._set_generated("argocd", "server.secretkey", secrets.token_hex(16)) + self._set_generated( + "argocd", "server.secretkey", secrets.token_hex(16) + ) def _telegraf(self): self.input_field( @@ -266,18 +308,24 @@ def _portal(self): self._set_generated("portal", "ADMIN_PASSWORD", pw) def _vo_cutouts(self): - self._set_generated("vo-cutouts", "redis-password", os.urandom(32).hex()) + self._set_generated( + "vo-cutouts", "redis-password", os.urandom(32).hex() + ) self.input_field("vo-cutouts", "cloudsql", "Use CloudSQL? (y/n):") use_cloudsql = self.secrets["vo-cutouts"]["cloudsql"] if use_cloudsql == "y": - self.input_field("vo-cutouts", "database-password", "Database password") + self.input_field( + "vo-cutouts", "database-password", "Database password" + ) elif use_cloudsql == "n": # Pluck the password out of the postgres portion. db_pass = self.secrets["postgres"]["vo_cutouts_password"] self._set("vo-cutouts", "database-password", db_pass) else: - raise Exception(f"Invalid vo-cutouts cloudsql value {use_cloudsql}") + raise Exception( + f"Invalid vo-cutouts cloudsql value {use_cloudsql}" + ) aws = self.secrets["butler-secret"]["aws-credentials.ini"] self._set("vo-cutouts", "aws-credentials", aws) 
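Review bot: `os.urandom(32).hex()` in `_vo_cutouts` (and in `_gafaelfawr` in the earlier hunk) generates the Redis password while `_postgres` and `_argocd` use `secrets.token_hex(32)` for the same kind of value; both read the OS CSPRNG and produce 64 hex characters, so this is a consistency point only, but using `secrets.token_hex(32)` everywhere (the module is already imported) makes the intent uniform and easier to audit. `_vo_cutouts` may continue past the end of this hunk.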
@@ -339,16 +387,17 @@ def parse_vault(self): if key is None: key = field["v"] else: - raise Exception("Found two generate_secrets_keys for {key}") + raise Exception( + "Found two generate_secrets_keys for {key}" + ) elif field["t"] == "environment": environments.append(field["v"]) - # If we don't find a generate_secrets_key somewhere, then we shouldn't - # bother with this document in the vault. + # If we don't find a generate_secrets_key somewhere, then we + # shouldn't bother with this document in the vault. if not key: logging.debug( - f"Skipping because of no generate_secrets_key, %s", - uuid + "Skipping because of no generate_secrets_key, %s", uuid ) continue @@ -413,15 +462,29 @@ def generate(self): if item_component in {"ingress-nginx", "cert-manager"}: continue - logging.debug("Updating component: %s/%s", item_component, item_name) + logging.debug( + "Updating component: %s/%s", item_component, item_name + ) self.input_field(item_component, item_name, "") if __name__ == "__main__": parser = argparse.ArgumentParser(description="generate_secrets") - parser.add_argument("--op", default=False, action="store_true", help="Load secrets from 1Password") - parser.add_argument("--verbose", default=False, action="store_true", help="Verbose logging") - parser.add_argument("--regenerate", default=False, action="store_true", help="Regenerate random secrets") + parser.add_argument( + "--op", + default=False, + action="store_true", + help="Load secrets from 1Password", + ) + parser.add_argument( + "--verbose", default=False, action="store_true", help="Verbose logging" + ) + parser.add_argument( + "--regenerate", + default=False, + action="store_true", + help="Regenerate random secrets", + ) parser.add_argument("environment", help="Environment to generate") args = parser.parse_args() diff --git a/installer/vault_key.py b/installer/vault_key.py index 50c175ea96..f90e4933e8 100755 --- a/installer/vault_key.py +++ b/installer/vault_key.py 
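Review bot: `raise Exception("Found two generate_secrets_keys for {key}")` in the re-wrapped `parse_vault` branch is missing the `f` prefix, so the message is emitted with a literal `{key}` rather than the colliding key; the reformat preserved the defect, and the fix is `f"Found two generate_secrets_keys for {key}"`. The `logging.debug` change just below, from an f-string to a `%s` argument, is the right direction. `parse_vault` starts before and ends after this hunk.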
@@ -2,7 +2,6 @@ import argparse import json import os -import pprint from onepassword import OnePassword @@ -22,9 +21,15 @@ def retrieve_key(self, environment, key_type): if __name__ == "__main__": - parser = argparse.ArgumentParser(description="fetch the vault key for an environment") - parser.add_argument("environment", help="Environment name to retrieve key for") - parser.add_argument("key_type", choices=["read", "write"], help="Which key to retrieve") + parser = argparse.ArgumentParser( + description="fetch the vault key for an environment" + ) + parser.add_argument( + "environment", help="Environment name to retrieve key for" + ) + parser.add_argument( + "key_type", choices=["read", "write"], help="Which key to retrieve" + ) args = parser.parse_args() vkr = VaultKeyRetriever() From 748f69b346895bd0faedb2b326982c0ada1e468f Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 28 Apr 2022 16:21:17 -0400 Subject: [PATCH 0302/1479] Run pre-commit in GitHub Actions This replaces the yamllint step since yamllint is now run as part of the pre-commit suite of linters. Note we need to install helm-docs separate from setting up pre-commit; We do this by installing from source per the helm-docs docs: https://github.com/norwoodj/helm-docs#installation --- .github/workflows/ci.yaml | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 147af5c788..8ef8147694 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -6,17 +6,26 @@ name: CI - "master" jobs: - yamllint: + lint: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v3 + - uses: actions/checkout@v3 + + - name: Set up go + uses: actions/setup-go@v3 + + - name: Install helm-docs + run: | + go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest - - name: yaml-lint - uses: ibiqlik/action-yamllint@master + - name: Set up Python + uses: actions/setup-python@v3 with: - config_file: ".yamllint.yml" + python-version: "3.10" + + - name: Run pre-commit + uses: pre-commit/action@v2.0.3 helm: runs-on: ubuntu-latest From f6cd8a4ecd89a754789ed73f4ec22bf8b908bcee Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 28 Apr 2022 16:42:59 -0400 Subject: [PATCH 0303/1479] Install helm-docs from homebrew instead It seems that installing from go doesn't get the path for pre-commit set correctly; trying this as a more elegant solution. --- .github/workflows/ci.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8ef8147694..dfe922ad52 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -12,12 +12,8 @@ jobs: steps: - uses: actions/checkout@v3 - - name: Set up go - uses: actions/setup-go@v3 - - name: Install helm-docs - run: | - go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest + run: brew install norwoodj/tap/helm-docs - name: Set up Python uses: actions/setup-python@v3 From 3b9397f08d36e7bd9982c93432525b0d46bce720 Mon Sep 17 00:00:00 2001 
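Review bot: Every action in the new `lint` job is referenced by a mutable tag (`actions/checkout@v3`, `actions/setup-go@v3`, `actions/setup-python@v3`, `pre-commit/action@v2.0.3`) and helm-docs is built with `go install …@latest`, so a job that gates merges can change behaviour, or run different code, without any commit to this repository. Replacing `ibiqlik/action-yamllint@master` is an improvement, but a `v3` tag has the same supply-chain shape as `@master`, only slower-moving; pin third-party actions to a full commit SHA with the tag as a trailing comment, e.g. `uses: pre-commit/action@<commit-sha> # v2.0.3`, and pin helm-docs to the version the pre-commit hook expects rather than `@latest`. The `setup-go` step also declares no `go-version`, so the toolchain that builds helm-docs is whatever the runner image ships that week; adding `with: go-version: "1.18"` (or whatever the project standardises on) makes the build reproducible.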
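Review bot: `brew install norwoodj/tap/helm-docs` installs whatever the tap currently ships, so CI runs a different helm-docs version than contributors' machines whenever the tap moves, and because helm-docs rewrites the chart READMEs inside pre-commit, any output change between versions surfaces as a lint failure unrelated to the pull request. The following commit in this series, which strips the helm-docs version footer from every README, appears to be working around exactly that drift. Pin the version instead, e.g. `brew install norwoodj/tap/helm-docs@<version>` if the tap publishes versioned formulae, or download a specific release archive and check its published checksum, and keep it aligned with the version the pre-commit hook runs locally.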
From: Jonathan Sick Date: Thu, 28 Apr 2022 16:46:50 -0400 Subject: [PATCH 0304/1479] Don't include helm-docs.versionFooter If the helm-docs version changes, then we'll get unnecessary pre-commit errors indicating the READMEs are out of date. --- helm-docs.md.gotmpl | 2 -- science-platform/README.md | 3 --- services/alert-stream-broker/README.md | 2 -- services/cachemachine/README.md | 3 --- services/cert-manager/README.md | 3 --- services/exposurelog/README.md | 3 --- services/gafaelfawr/README.md | 3 --- services/mobu/README.md | 3 --- services/narrativelog/README.md | 3 --- services/noteburst/README.md | 3 --- services/nublado2/README.md | 3 --- services/portal/README.md | 3 --- services/production-tools/README.md | 3 --- services/sasquatch/README.md | 3 --- services/sasquatch/charts/kafka-connect-manager/README.md | 3 --- services/sasquatch/charts/strimzi-kafka/README.md | 3 --- services/semaphore/README.md | 3 --- services/squareone/README.md | 3 --- services/tap-schema/README.md | 3 --- services/telegraf-ds/README.md | 3 --- services/telegraf/README.md | 3 --- services/times-square/README.md | 3 --- services/times-square/charts/times-square-ui/README.md | 3 --- services/times-square/charts/times-square/README.md | 3 --- services/vo-cutouts/README.md | 3 --- 25 files changed, 73 deletions(-) diff --git a/helm-docs.md.gotmpl b/helm-docs.md.gotmpl index a950f083fd..2914dc708a 100644 --- a/helm-docs.md.gotmpl +++ b/helm-docs.md.gotmpl @@ -11,5 +11,3 @@ {{ template "chart.requirementsSection" . }} {{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/science-platform/README.md b/science-platform/README.md index 3052510495..853c9bfead 100644 --- a/science-platform/README.md +++ b/science-platform/README.md 
@@ -40,6 +40,3 @@ | times_square.enabled | bool | `false` | | | vault_secrets_operator.enabled | bool | `false` | | | vo_cutouts.enabled | bool | `false` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index fd38042efd..e931c11b5e 100644 --- a/services/alert-stream-broker/README.md +++ b/services/alert-stream-broker/README.md @@ -11,5 +11,3 @@ | https://lsst-sqre.github.io/charts/ | alert-stream-schema-registry | 2.1.0 | | https://lsst-sqre.github.io/charts/ | alert-stream-simulator | 1.6.2 | ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md index b023abaa49..dd65af14f0 100644 --- a/services/cachemachine/README.md +++ b/services/cachemachine/README.md @@ -31,6 +31,3 @@ Service to prepull Docker images for the Science Platform | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the cachemachine frontend pod | | vaultSecretsPath | string | None, must be set | Path to the Vault secret containing the Docker credentials | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index 999afee625..f5caad956b 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md 
@@ -22,6 +22,3 @@ Let's Encrypt certificate management | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | nameOverride | string | `""` | Override the base name for resources | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index ce19dd70b9..e045fc6dfa 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -36,6 +36,3 @@ Exposure log service | service.port | int | `8080` | | | service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 3bfdb7b89a..e8f526c96f 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -76,6 +76,3 @@ Science Platform authentication and authorization system | tokens.resources | object | `{}` | Resource limits and requests for the Gafaelfawr token management pod | | tokens.tolerations | list | `[]` | Tolerations for the token management pod | | tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/mobu/README.md b/services/mobu/README.md index 34e675d06a..3e93071d92 100644 --- a/services/mobu/README.md +++ b/services/mobu/README.md 
@@ -27,6 +27,3 @@ Generate system load by pretending to be a random scientist | podAnnotations | object | `{}` | Annotations for the mobu frontend pod | | resources | object | `{}` | Resource limits and requests for the mobu frontend pod | | tolerations | list | `[]` | Tolerations for the mobu frontend pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index a9744fc34d..d0cb495aea 100644 --- a/services/narrativelog/README.md +++ b/services/narrativelog/README.md @@ -30,6 +30,3 @@ Narrative log service | service.port | int | `8080` | | | service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 8e3907d057..f64539e6af 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -52,6 +52,3 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index e12d99bb1c..82e6c615d0 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md 
@@ -149,6 +149,3 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.singleuser.storage.type | string | `"none"` | | | network_policy.enabled | bool | `true` | | | vault_secret_path | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/portal/README.md b/services/portal/README.md index ff17ff9ed7..24de75d137 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -42,6 +42,3 @@ Rubin Science Platform portal aspect | resources | object | `{"limits":{"cpu":2,"memory":"6Gi"}}` | Resource limits and requests. The Portal will use (by default) 93% of container RAM. This is a smallish Portal; tweak it as you need to in instance definitions in Phalanx. | | securityContext | object | `{}` | Security context for the Portal pod | | tolerations | list | `[]` | Tolerations for the Portal pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/production-tools/README.md b/services/production-tools/README.md index 0468f59008..a28ed983d2 100644 --- a/services/production-tools/README.md +++ b/services/production-tools/README.md @@ -28,6 +28,3 @@ A collection of utility pages for monitoring data processing. | replicaCount | int | `1` | Number of web deployment pods to start | | resources | object | `{}` | Resource limits and requests for the production-tools deployment pod | | tolerations | list | `[]` | Tolerations for the production-tools deployment pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index d0157c2ea3..5beed01c32 100644 --- a/services/sasquatch/README.md 
+++ b/services/sasquatch/README.md @@ -45,6 +45,3 @@ SQuaRE telemetry data service. | telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. | | telegraf.service.enabled | bool | `false` | Telegraf service. | | vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//sasquatch`) | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 553d50bc4d..8fbd60ee69 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -74,6 +74,3 @@ A sub chart to deploy the Kafka connectors used by Sasquatch. | s3Sink.timezone | string | `"UTC"` | The timezone to use when partitioning with TimeBasedPartitioner. | | s3Sink.topicsDir | string | `"topics"` | Top level directory to store the data ingested from Kafka. | | s3Sink.topicsRegex | string | `".*"` | Regex to select topics from Kafka. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index e0aaa5345c..863dad6a67 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md 
@@ -24,6 +24,3 @@ A sub chart to deploy Strimzi Kafka components for Sasquatch. | zookeeper.replicas | int | `3` | Number of Zookeeper replicas to run. | | zookeeper.storage.size | string | `"100Gi"` | Size of the backing storage disk for each of the Zookeeper instances. | | zookeeper.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/semaphore/README.md b/services/semaphore/README.md index d5b9598d74..b80d72dabd 100644 --- a/services/semaphore/README.md +++ b/services/semaphore/README.md @@ -49,6 +49,3 @@ Semaphore is the user notification and messaging service for the Rubin Science P | serviceAccount.create | bool | `false` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/squareone/README.md b/services/squareone/README.md index c353a57559..a8457ad67f 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -44,6 +44,3 @@ Squareone is the homepage UI for the Rubin Science Platform. | replicaCount | int | `1` | Number of squareone pods to run in the deployment. | | resources | object | `{}` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/tap-schema/README.md b/services/tap-schema/README.md index 057d0d8510..1ffdb3bd0a 100644 --- a/services/tap-schema/README.md +++ b/services/tap-schema/README.md 
@@ -23,6 +23,3 @@ The TAP_SCHEMA database | podAnnotations | object | `{}` | Annotations for the MySQL pod | | resources | object | `{}` | Resource limits and requests for the MySQL pod | | tolerations | list | `[]` | Tolerations for the MySQL pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index 01662e10bf..c2466e0c78 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md @@ -27,6 +27,3 @@ SQuaRE DaemonSet (K8s) telemetry collection service | telegraf-ds.serviceAccount.name | string | `"telegraf-ds"` | | | telegraf-ds.volumes[0].configMap.name | string | `"telegraf-generated-config"` | | | telegraf-ds.volumes[0].name | string | `"telegraf-generated-config"` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/telegraf/README.md b/services/telegraf/README.md index 7a69345ce6..fe1db176c0 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -34,6 +34,3 @@ SQuaRE telemetry collection service | telegraf.tplVersion | int | `2` | | | telegraf.volumes[0].configMap.name | string | `"telegraf-generated-config"` | | | telegraf.volumes[0].name | string | `"telegraf-generated-config"` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/times-square/README.md b/services/times-square/README.md index ed50440a42..acc3671f88 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -33,6 +33,3 @@ See the embedded Helm sub-charts for additional configuration docs: | times-square.fullnameOverride | string | `"times-square"` | | | times-square.image.pullPolicy | string | `"IfNotPresent"` | | | times-square.image.tag | string | `"tickets-DM-34030"` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/times-square/charts/times-square-ui/README.md b/services/times-square/charts/times-square-ui/README.md index aa807da1f6..3bae0cdb59 100644 --- a/services/times-square/charts/times-square-ui/README.md +++ b/services/times-square/charts/times-square-ui/README.md @@ -39,6 +39,3 @@ The front-end for Times Square, a parameterized notebook web viewer for the Rubi | service.port | int | `8080` | Port of the service to create and map to the ingress | | service.type | string | `"ClusterIP"` | Type of service to create | | tolerations | list | `[]` | Tolerations for the times-square-ui deployment pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/times-square/charts/times-square/README.md b/services/times-square/charts/times-square/README.md index ab5b6b41a0..c65941ac52 100644 --- a/services/times-square/charts/times-square/README.md +++ b/services/times-square/charts/times-square/README.md 
@@ -51,6 +51,3 @@ A parameterized notebook web viewer for the Rubin Science Platform. | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the times-square deployment pod | | vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//times-square`, for example) | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index 40f70e13f5..c19760d146 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -66,6 +66,3 @@ Image cutout service complying with IVOA SODA | replicaCount | int | `1` | Number of web frontend pods to start | | resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod | | tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) From 6d7deab3646f1f0b12698a6ad8a4a910330bec41 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 28 Apr 2022 15:04:18 -0700 Subject: [PATCH 0305/1479] Update Portal version to 2022.1 --- services/portal/Chart.yaml | 2 +- services/portal/README.md | 2 +- services/portal/values-idfdev.yaml | 2 -- services/portal/values-idfint.yaml | 2 -- 4 files changed, 2 insertions(+), 6 deletions(-) diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml index 7c08e8aa8f..a6aa5e53da 100644 --- a/services/portal/Chart.yaml +++ b/services/portal/Chart.yaml @@ -3,4 +3,4 @@ name: portal version: 1.0.0 description: "Rubin Science Platform portal aspect" home: "https://github.com/lsst/suit" -appVersion: "suit-233-7-dev" +appVersion: "suit-2022.1" 
diff --git a/services/portal/README.md b/services/portal/README.md index 24de75d137..954f5af74d 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -1,4 +1,4 @@ -![AppVersion: suit-233-7-dev](https://img.shields.io/badge/AppVersion-suit--233--7--dev-informational?style=flat-square) +![AppVersion: suit-2022.1](https://img.shields.io/badge/AppVersion-suit--2022.1-informational?style=flat-square) # portal diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index c7d22c9b08..2451c233b2 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -1,5 +1,3 @@ resources: limits: memory: "8Gi" -image: - tag: "suit-2022.1" diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 3af08e6a08..bbff39a615 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -9,5 +9,3 @@ config: resources: limits: memory: "30Gi" -image: - tag: "suit-2022.1" From 38d00a1536d181d7836bec47abb2b83ee007fcb7 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 28 Apr 2022 16:27:03 -0700 Subject: [PATCH 0306/1479] Run one portal node on IDF prod See if this clears up our problems integrating the portal with Nublado notebooks. --- services/portal/values-idfprod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-idfprod.yaml b/services/portal/values-idfprod.yaml index d3325ec38f..d4187887ce 100644 --- a/services/portal/values-idfprod.yaml +++ b/services/portal/values-idfprod.yaml @@ -1,4 +1,4 @@ -replicaCount: 4 +replicaCount: 1 config: volumes: From 6b0a49cae305d378d03156c58d374dd8f09b8d63 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 28 Apr 2022 16:42:20 -0700 Subject: [PATCH 0307/1479] Go back to four Portal nodes on IDF prod Continuing to track Portal issues. --- services/portal/values-idfprod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/portal/values-idfprod.yaml b/services/portal/values-idfprod.yaml index d4187887ce..d3325ec38f 100644 --- a/services/portal/values-idfprod.yaml +++ b/services/portal/values-idfprod.yaml @@ -1,4 +1,4 @@ -replicaCount: 1 +replicaCount: 4 config: volumes: From e74ad39a17b9ee149c9069c2b3fad2663e51e7d6 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 28 Apr 2022 17:01:44 -0700 Subject: [PATCH 0308/1479] Go back to one Portal node on IDF prod --- services/portal/values-idfprod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-idfprod.yaml b/services/portal/values-idfprod.yaml index d3325ec38f..d4187887ce 100644 --- a/services/portal/values-idfprod.yaml +++ b/services/portal/values-idfprod.yaml @@ -1,4 +1,4 @@ -replicaCount: 4 +replicaCount: 1 config: volumes: From 5c2bdfbe0fb595026f0a0e8725a9ab5dfc3697bc Mon Sep 17 00:00:00 2001 From: Colin Slater Date: Thu, 28 Apr 2022 10:22:48 -0700 Subject: [PATCH 0309/1479] Tell flask to expect a url prefix. Also fixes errors in auth urls and readiness probe. Add empty tmp dir mount. Bump container version. --- services/production-tools/Chart.yaml | 2 +- services/production-tools/README.md | 2 +- services/production-tools/templates/deployment.yaml | 10 ++++++++-- services/production-tools/templates/ingress.yaml | 6 +++--- 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/services/production-tools/Chart.yaml b/services/production-tools/Chart.yaml index bd5148628f..9aba525fbf 100644 --- a/services/production-tools/Chart.yaml +++ b/services/production-tools/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 dependencies: description: A collection of utility pages for monitoring data processing. home: "https://github.com/lsst-sqre/production-tools" -appVersion: 0.0.4 +appVersion: 0.0.9 diff --git a/services/production-tools/README.md b/services/production-tools/README.md index a28ed983d2..31d7410867 100644 --- a/services/production-tools/README.md 
+++ b/services/production-tools/README.md @@ -1,4 +1,4 @@ -![AppVersion: 0.0.4](https://img.shields.io/badge/AppVersion-0.0.4-informational?style=flat-square) +![AppVersion: 0.0.9](https://img.shields.io/badge/AppVersion-0.0.9-informational?style=flat-square) # production-tools diff --git a/services/production-tools/templates/deployment.yaml b/services/production-tools/templates/deployment.yaml index dfab4731fe..af46c2995e 100644 --- a/services/production-tools/templates/deployment.yaml +++ b/services/production-tools/templates/deployment.yaml @@ -20,7 +20,7 @@ spec: spec: automountServiceAccountToken: false imagePullSecrets: - - "pull-secret" + - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 @@ -35,6 +35,8 @@ spec: emptyDir: {} - name: "cache-dir" emptyDir: {} + - name: "tmp" + emptyDir: {} # Have to fix permissions on the pgpass file. # init container pattern borrowed from vo-cutouts. initContainers: @@ -74,7 +76,7 @@ spec: protocol: TCP readinessProbe: httpGet: - path: / + path: /production-tools port: http resources: {{- toYaml .Values.resources | nindent 12 }} @@ -83,6 +85,8 @@ spec: mountPath: "/home/worker/.lsst/" - name: "cache-dir" mountPath: "/home/worker/cache" + - name: "tmp" + mountPath: "/tmp" env: - name: "LOG_CACHE_DIR" value: "/home/worker/cache" @@ -92,6 +96,8 @@ spec: value: "/home/worker/.lsst/aws-credentials.ini" - name: "S3_ENDPOINT_URL" value: "https://storage.googleapis.com" + - name: "SCRIPT_NAME" + value: "/production-tools" {{- range $key, $value := .Values.environment }} - name: {{ $key | quote }} value: {{ $value | quote }} diff --git a/services/production-tools/templates/ingress.yaml b/services/production-tools/templates/ingress.yaml index 67f7c93321..c9375c9067 100644 --- a/services/production-tools/templates/ingress.yaml +++ b/services/production-tools/templates/ingress.yaml 
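Review bot: The new `tmp` volume is declared as `emptyDir: {}` with no `sizeLimit`, so anything the service writes under `/tmp` is bounded only by the node's ephemeral storage; the existing `cache-dir` volume has the same gap, and with `automountServiceAccountToken: false` and `runAsNonRoot: true` already in place this is the one resource boundary still missing from the pod spec. Give it a bound sized to what the app actually needs, e.g. `- name: "tmp"`, `  emptyDir:`, `    sizeLimit: "1Gi"`, so a runaway write evicts only this pod rather than starving its neighbours. Separately, the `/production-tools` prefix is now hard-coded in both the readiness probe `path` and the `SCRIPT_NAME` env var, and presumably again in the ingress path outside this file; a single chart value feeding all three would keep them from drifting. The Deployment spec starts before these hunks and continues after them.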
@@ -9,9 +9,9 @@ metadata: kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} From a7a35f464da415868dd6005dfb274442f9a1454a Mon Sep 17 00:00:00 2001 From: Colin Slater Date: Thu, 28 Apr 2022 16:54:37 -0700 Subject: [PATCH 0310/1479] Remove README.md.gotmpl. --- services/production-tools/README.md.gotmpl | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 services/production-tools/README.md.gotmpl diff --git a/services/production-tools/README.md.gotmpl b/services/production-tools/README.md.gotmpl deleted file mode 100644 index 4531459bbb..0000000000 --- a/services/production-tools/README.md.gotmpl +++ /dev/null @@ -1,9 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} From 4b0bf8f27dcbe3d494ee2155d9ceaafa9253ed6f Mon Sep 17 00:00:00 2001 
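Review bot: The Gafaelfawr annotations stay wrapped in `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, so an environment that leaves that value unset gets an ingress with no `auth-url` at all and production-tools is served unauthenticated; for a chart whose changes here are about fixing auth, consider failing closed, e.g. `{{- $q := required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}`, or at minimum a values.yaml comment stating that an empty value disables authentication entirely. Dropping the `https://` prefix from `auth-signin` and `auth-url` is only correct if `global.baseUrl` always carries the scheme, which this hunk cannot show; a one-line comment above the annotations such as `# global.baseUrl is expected to be a full URL including scheme` would keep the next reader from re-adding it. Narrowing `auth-response-headers` to `X-Auth-Request-User` is a good change, since the token and email no longer reach the backend. The Ingress metadata block starts before this hunk.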
From: Jonathan Sick Date: Thu, 28 Apr 2022 19:44:32 -0400 Subject: [PATCH 0311/1479] Add docs for the pre-commit setup --- docs/conf.py | 2 + docs/index.rst | 1 + docs/service-guide/linting-and-helm-docs.rst | 66 ++++++++++++++++++++ 3 files changed, 69 insertions(+) create mode 100644 docs/service-guide/linting-and-helm-docs.rst diff --git a/docs/conf.py b/docs/conf.py index bf7cbdd8f5..88675d9bc4 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -88,6 +88,8 @@ .. _Helm: https://helm.sh .. _IVOA: https://ivoa.net/documents/ .. _semantic versioning: https://semver.org/ +.. _helm-docs: https://github.com/norwoodj/helm-docs +.. _pre-commit: https://pre-commit.com """ # -- Options for linkcheck builder ---------------------------------------- diff --git a/docs/index.rst b/docs/index.rst index 51169c4054..043104391f 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -32,6 +32,7 @@ General development and operations .. toctree:: :maxdepth: 2 + service-guide/linting-and-helm-docs service-guide/create-service service-guide/add-a-onepassword-secret service-guide/update-a-onepassword-secret diff --git a/docs/service-guide/linting-and-helm-docs.rst b/docs/service-guide/linting-and-helm-docs.rst new file mode 100644 index 0000000000..f75291c0a1 --- /dev/null +++ b/docs/service-guide/linting-and-helm-docs.rst 
@@ -0,0 +1,66 @@ +.. _pre-commit-howto: + +########################################################## +Setting up pre-commit and linting and helm-docs generation +########################################################## + +The Phalanx repository uses `pre-commit`_ to lint source files and generate Helm chart documentation with `helm-docs`_. +If you're contributing to Phalanx, you should enable pre-commit locally to ensure your work is clean and Helm chart docs are up to date. + +.. important:: + + Pre-commit also runs in GitHub Actions to ensure that contributions conform to the linters. + If your pull request's "lint" step fails, it's likely because pre-commit wasn't enabled locally. + This page shows you how to fix that. + + +.. _pre-commit-install: + +Install pre-commit and helm-docs locally +======================================== + +In your clone of Phalanx, run: + +.. code-block:: sh + + make init + +This command uses Python to install pre-commit and enable it in your Phalanx clone. + +**You will also need to install helm-docs separately.** +See the `helm-docs installation guide `__ for details. + +What to expect when developing in Phalanx with pre-commit +========================================================= + +Once installed, your Git commits in Phalanx are checked by the linters. +If a linter "fails" the commit, you'll need to make the necessary changes and re-try the Git commit. + +Many linters make the required changes when "failing." +For example, helm-docs updates the README files for Helm charts and black reformats Python files. +For these cases, you only need to ``git add`` the updated files for ``git commit`` to be successful. + +Other linters, such as flake8, only point out issues. +You'll need to manually resolve those issues before re-adding and committing. + +Running all files +================= + +Pre-commit normally runs only on changed files. +To check all files (similar to how we run pre-commit in GitHub Actions): + +.. 
code-block:: sh + + pre-commit run --all-files + +By-passing pre-commit +===================== + +In an emergency situation, it's possible to by-pass pre-commit when making git commits: + +.. code-block:: sh + + git commit --no-verify + +Keep in mind that the pre-commit linters always run on GitHub Actions. +Merging to Phalanx's default branch while the linters "fail" the repo needs a repository admin's action. From f1e828f3ffef5cfc7d4d0a7f0ea41ef6a4b6300e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 7 Apr 2022 10:29:07 -0700 Subject: [PATCH 0312/1479] Add installer support for generic OIDC The installer only supported using GitHub or CILogon for the upstream authentication provider. Add support for generic OpenID Connect as the "oidc" auth type, and prompt or retrieve the OpenID Connect client secret in that case. --- installer/generate_secrets.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 765b139f28..59b1f715ee 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py @@ -231,6 +231,12 @@ def _gafaelfawr(self): self.input_field( "gafaelfawr", "github-client-secret", "GitHub client secret" ) + elif auth_type == "oidc": + self.input_field( + "gafaelfawr", + "oidc-client-secret", + "OpenID Connect client secret", + ) else: raise Exception(f"Invalid auth provider {auth_type}") From 41f74aff1cf306ebbaf829ebc8683afb548f6099 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 7 Apr 2022 10:46:29 -0700 Subject: [PATCH 0313/1479] Fix Gafaelfawr support for getting UID from LDAP The ConfigMap template was using the wrong variables without the .ldap level of nesting. --- services/gafaelfawr/templates/configmap.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index bc7da1a66f..383cdc234b 100644 --- a/services/gafaelfawr/templates/configmap.yaml 
+++ b/services/gafaelfawr/templates/configmap.yaml @@ -103,9 +103,9 @@ data: base_dn: {{ required "config.ldap.baseDn must be set" .Values.config.ldap.baseDn | quote }} group_object_class: {{ .Values.config.ldap.groupObjectClass | quote }} group_member_attr: {{ .Values.config.ldap.groupMemberAttr | quote }} - {{- if .Values.config.uidBaseDn }} - uid_base_dn: {{ .Values.config.uidBaseDn | quote }} - uid_attr: {{ .Values.config.uidAttr | quote }} + {{- if .Values.config.ldap.uidBaseDn }} + uid_base_dn: {{ .Values.config.ldap.uidBaseDn | quote }} + uid_attr: {{ .Values.config.ldap.uidAttr | quote }} {{- end }} {{- end }} From 0ea41251180104e122d7ad1bdd2f05c47049b14f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 7 Apr 2022 10:47:21 -0700 Subject: [PATCH 0314/1479] Switch Gafaelfawr image to GitHub Container Registry We're moving all of our internal services to use GitHub Container Registery instead of Docker Hub. --- services/gafaelfawr/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 26623e7166..a192ba425e 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -11,7 +11,7 @@ replicaCount: 1 image: # -- Gafaelfawr image to use - repository: "lsstsqre/gafaelfawr" + repository: "ghcr.io/lsst-sqre/gafaelfawr" # -- Pull policy for the Gafaelfawr image pullPolicy: "IfNotPresent" From 5be2fffe4f9faf1cd268716b16810503f2befa2d Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 7 Apr 2022 10:53:31 -0700 Subject: [PATCH 0315/1479] Update for Gafaelfawr 4.1.0 Add support for determining the username from LDAP and for LDAP simple bind authentication. --- installer/generate_secrets.py | 9 +++++++++ services/gafaelfawr/Chart.yaml | 2 +- services/gafaelfawr/templates/configmap.yaml | 7 +++++++ services/gafaelfawr/templates/deployment.yaml | 7 +++++++ services/gafaelfawr/values.yaml | 13 +++++++++++++ 5 files changed, 37 insertions(+), 1 deletion(-) diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 59b1f715ee..da8e05b42f 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py @@ -227,6 +227,11 @@ def _gafaelfawr(self): self.input_field( "gafaelfawr", "cilogon-client-secret", "CILogon client secret" ) + use_ldap = self.secrets["gafaelfawr"]["ldap"] + if use_ldap == "y": + self.input_field( + "gafaelfawr", "ldap-secret", "LDAP simple bind password" + ) elif auth_type == "github": self.input_field( "gafaelfawr", "github-client-secret", "GitHub client secret" @@ -237,6 +242,10 @@ def _gafaelfawr(self): "oidc-client-secret", "OpenID Connect client secret", ) + if use_ldap == "y": + self.input_field( + "gafaelfawr", "ldap-secret", "LDAP simple bind password" + ) else: raise Exception(f"Invalid auth provider {auth_type}") diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 215cc6bdbe..211f86a758 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -3,4 +3,4 @@ name: gafaelfawr version: 1.0.0 description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ -appVersion: 4.0.0 +appVersion: 4.1.0 diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 383cdc234b..cb70516bba 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml 
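Review bot: `use_ldap` is assigned inside the `cilogon` branch in the first hunk but read inside the `oidc` branch in the second hunk (`@@ -237,6 +242,10 @@`), so with `auth_type == "oidc"` the name is unbound and the installer raises `UnboundLocalError` — unless it is already set earlier in `_gafaelfawr`, which starts before the hunk. Hoist the lookup above the `if auth_type == ...` chain, `use_ldap = self.secrets["gafaelfawr"]["ldap"]`, and drop the copy in the `cilogon` branch. Separately, both hunks appear to store the LDAP bind password under the key `ldap-secret` (and the values.yaml comment in this commit says `ldap-secret`), while the deployment template in the same commit reads `secretKeyRef` key `ldap-password` and the later configmap change uses `password_file: "/etc/gafaelfawr/secrets/ldap-password"`; the key names need to agree or the pod cannot start once `userDn` is set.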
@@ -101,8 +101,15 @@ data: ldap: url: {{ .Values.config.ldap.url | quote }} base_dn: {{ required "config.ldap.baseDn must be set" .Values.config.ldap.baseDn | quote }} + {{- if .Values.config.ldap.userDn }} + user_dn: {{ .Values.config.ldap.userDn | quote }} + {{- end }} group_object_class: {{ .Values.config.ldap.groupObjectClass | quote }} group_member_attr: {{ .Values.config.ldap.groupMemberAttr | quote }} + {{- if .Values.config.ldap.usernameBaseDn }} + username_base_dn: {{ .Values.config.ldap.usernameBaseDn | quote }} + username_search_attr: {{ .Values.config.ldap.usernameSearchAttr | quote }} + {{- end }} {{- if .Values.config.ldap.uidBaseDn }} uid_base_dn: {{ .Values.config.ldap.uidBaseDn | quote }} uid_attr: {{ .Values.config.ldap.uidAttr | quote }} diff --git a/services/gafaelfawr/templates/deployment.yaml b/services/gafaelfawr/templates/deployment.yaml index 83f03a8e77..9c5475902d 100644 --- a/services/gafaelfawr/templates/deployment.yaml +++ b/services/gafaelfawr/templates/deployment.yaml @@ -57,6 +57,13 @@ spec: secretKeyRef: name: {{ template "gafaelfawr.fullname" . }}-secret key: "database-password" + {{- if .Values.config.ldap.userDn }} + - name: "GAFAELFAWR_LDAP_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "gafaelfawr.fullname" . }}-secret + key: "ldap-password" + {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy | quote }} ports: diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index a192ba425e..cbcf3b2e78 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -113,6 +113,11 @@ config: # @default -- None, must be set baseDn: "" + # -- Bind DN for simple bind authentication. If set, `ldap-secret` must be + # set in the Gafaelfawr secret + # @default -- Use anonymous binds + userDn: "" + # -- Object class containing group information groupObjectClass: "posixGroup" 
@@ -120,6 +125,14 @@ config: # returned in the token from the OpenID Connect authentication server. groupMemberAttr: "member" + # -- Base DN for the LDAP search to find a user's username + # @default -- Get the username from the upstream authentication provider + usernameBaseDn: "" + + # -- Attribute matching the `sub` claim of a token to find the record + # containing the username + usernameSearchAttr: "voPersonSoRID" + # -- Base DN for the LDAP search to find a user's UID number # @default -- Get the UID number from the upstream authentication provider uidBaseDn: "" From f111cad4630508208dfd4da5779567ce7a8cc74d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 28 Apr 2022 10:20:56 -0700 Subject: [PATCH 0316/1479] Add Gafaelfawr chart support for Firestore Add the new configuration parameter to enable Firestore UID/GID assignment and regenerate the chart documentation. --- services/gafaelfawr/README.md | 6 +++++- services/gafaelfawr/templates/configmap.yaml | 5 +++++ services/gafaelfawr/values.yaml | 7 +++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index e8f526c96f..9f1f9c409b 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -23,6 +23,7 @@ Science Platform authentication and authorization system | config.cilogon.test | bool | `false` | Whether to use the test instance of CILogon | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | | config.errorFooter | string | `""` | HTML footer to add to any login error page (inside a

tag). | +| config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. | | config.github.clientId | string | `""` | GitHub client ID. One and only one of this, `config.cilogon.clientId`, or `config.oidc.clientId` must be set. | | config.groupMapping | object | `{}` | Defines a mapping of scopes to groups that provide that scope. Tokens from an OpenID Connect provider such as CILogon that include groups in an `isMemberOf` claim will be granted scopes based on this mapping. | | config.influxdb.enabled | bool | `false` | Whether to issue tokens for InfluxDB. If set to true, `influxdb-secret` must be set in the Gafaelfawr secret. | 
@@ -35,6 +36,9 @@ Science Platform authentication and authorization system | config.ldap.uidAttr | string | `"uidNumber"` | Attribute containing the user's UID number (only used if uidBaseDn is set) | | config.ldap.uidBaseDn | string | Get the UID number from the upstream authentication provider | Base DN for the LDAP search to find a user's UID number | | config.ldap.url | string | Do not use LDAP | LDAP server URL from which to retrieve user group information | +| config.ldap.userDn | string | Use anonymous binds | Bind DN for simple bind authentication. If set, `ldap-secret` must be set in the Gafaelfawr secret | +| config.ldap.usernameBaseDn | string | Get the username from the upstream authentication provider | Base DN for the LDAP search to find a user's username | +| config.ldap.usernameSearchAttr | string | `"voPersonSoRID"` | Attribute matching the `sub` claim of a token to find the record containing the username | | config.loglevel | string | `"INFO"` | Choose from the text form of Python logging levels | | config.oidc.audience | string | Value of `config.oidc.clientId` | Audience for the JWT token | | config.oidc.clientId | string | `""` | Client ID for generic OpenID Connect support. One and only one of this, `config.cilogon.clientId`, or `config.github.clientId` must be set. | 
@@ -51,7 +55,7 @@ Science Platform authentication and authorization system | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Gafaelfawr image | -| image.repository | string | `"lsstsqre/gafaelfawr"` | Gafaelfawr image to use | +| image.repository | string | `"ghcr.io/lsst-sqre/gafaelfawr"` | Gafaelfawr image to use | | image.tag | string | The appVersion of the chart | Tag of Gafaelfawr image to use | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Gafaelfawr frontend pod | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index cb70516bba..a18f966f12 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -97,6 +97,11 @@ data: {{- end }} + {{- if .Values.config.firestore.project }} + firestore: + project: {{ .Values.config.firestore.project | quote }} + {{- end }} + {{- if .Values.config.ldap.url }} ldap: url: {{ .Values.config.ldap.url | quote }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index cbcf3b2e78..ae1839cb6d 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -71,6 +71,13 @@ config: loginParams: skin: "LSST" + firestore: + # -- If set, assign UIDs and GIDs using Google Firestore in the given + # project. Cloud SQL must be enabled and the Cloud SQL service account + # must have read/write access to that Firestore instance. + # @default -- Firestore support is disabled + project: "" + github: # -- GitHub client ID. One and only one of this, `config.cilogon.clientId`, # or `config.oidc.clientId` must be set. From 85f72313fbaa5e451c6e6eba7e10d7521c7859c0 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 28 Apr 2022 15:33:00 -0700 Subject: [PATCH 0317/1479] Add support for Gafaelfawr enrollmentUrl This will be where to send the user if their username could not be found in LDAP. --- services/gafaelfawr/README.md | 4 +++- services/gafaelfawr/README.md.gotmpl | 9 --------- services/gafaelfawr/templates/configmap.yaml | 6 ++++++ services/gafaelfawr/values.yaml | 8 ++++++++ 4 files changed, 17 insertions(+), 10 deletions(-) delete mode 100644 services/gafaelfawr/README.md.gotmpl diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 9f1f9c409b..a8d4264ba1 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -1,4 +1,4 @@ -![AppVersion: 4.0.0](https://img.shields.io/badge/AppVersion-4.0.0-informational?style=flat-square) +![AppVersion: 4.1.0](https://img.shields.io/badge/AppVersion-4.1.0-informational?style=flat-square) # gafaelfawr @@ -18,6 +18,7 @@ Science Platform authentication and authorization system | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `gafaelfawr` and `gafaelfawr-tokens` Kubernetes service accounts and has the `cloudsql.client` role | | config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. | +| config.cilogon.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP | | config.cilogon.loginParams | object | `{"skin":"LSST"}` | Additional parameters to add | | config.cilogon.redirectUrl | string | `/login` at the value of config.host | Return URL given to CILogon (must match the CILogon configuration) | | config.cilogon.test | bool | `false` | Whether to use the test instance of CILogon | 
@@ -42,6 +43,7 @@ Science Platform authentication and authorization system | config.loglevel | string | `"INFO"` | Choose from the text form of Python logging levels | | config.oidc.audience | string | Value of `config.oidc.clientId` | Audience for the JWT token | | config.oidc.clientId | string | `""` | Client ID for generic OpenID Connect support. One and only one of this, `config.cilogon.clientId`, or `config.github.clientId` must be set. | +| config.oidc.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP | | config.oidc.issuer | string | None, must be set | Issuer for the JWT token | | config.oidc.loginParams | object | `{}` | Additional parameters to add to the login request | | config.oidc.loginUrl | string | None, must be set | URL to which to redirect the user for authorization | diff --git a/services/gafaelfawr/README.md.gotmpl b/services/gafaelfawr/README.md.gotmpl deleted file mode 100644 index 4531459bbb..0000000000 --- a/services/gafaelfawr/README.md.gotmpl +++ /dev/null @@ -1,9 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index a18f966f12..51f54dbc63 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -50,6 +50,9 @@ data: {{- else }} login_url: "https://cilogon.org/authorize" token_url: "https://cilogon.org/oauth2/token" + {{- if .Values.config.cilogon.enrollmentUrl }} + enrollment_url: {{ .Values.config.cilogon.enrollmentUrl | quote }} + {{- end }} issuer: "https://cilogon.org" {{- end }} {{- if .Values.config.cilogon.loginParams }} 
@@ -80,6 +83,9 @@ data: {{- end }} login_url: {{ required "config.oidc.loginUrl must be set" .Values.config.oidc.loginUrl | quote }} token_url: {{ required "config.oidc.tokenUrl must be set" .Values.config.oidc.tokenUrl | quote }} + {{- if .Values.config.cilogon.enrollmentUrl }} + enrollment_url: {{ .Values.config.cilogon.enrollmentUrl | quote }} + {{- end }} issuer: {{ required "config.oidc.issuer must be set" .Values.config.oidc.issuer | quote }} {{- if .Values.config.oidc.redirectUrl }} redirect_url: {{ .Values.config.oidc.redirectUrl | quote }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index ae1839cb6d..e6a11765d9 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -64,6 +64,10 @@ config: # @default -- `/login` at the value of config.host redirectUrl: "" + # -- Where to send the user if their username cannot be found in LDAP + # @default -- Login fails with an error + enrollmentUrl: "" + # -- Whether to use the test instance of CILogon test: false @@ -103,6 +107,10 @@ config: # @default -- None, must be set tokenUrl: "" + # -- Where to send the user if their username cannot be found in LDAP + # @default -- Login fails with an error + enrollmentUrl: "" + # -- Issuer for the JWT token # @default -- None, must be set issuer: "" From 686f4b2fd2f4d422d59ce50b2488a8330308c3a4 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 29 Apr 2022 12:41:33 -0700 Subject: [PATCH 0318/1479] Temporarily poing IDF dev Gafaelfawr at a branch Test the new release before it's official to catch any regressions. --- services/gafaelfawr/values-idfdev.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 35b2b68594..6cde106dda 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml 
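Review bot: The second configmap hunk (`@@ -80,6 +83,9 @@`) sits in the generic OIDC block — its neighbours render `config.oidc.loginUrl` and `config.oidc.tokenUrl` — but conditions on and renders `.Values.config.cilogon.enrollmentUrl`, so the `config.oidc.enrollmentUrl` value this commit adds to values.yaml is never emitted and a CILogon-specific URL leaks into the OIDC configuration. Change both new lines to `{{- if .Values.config.oidc.enrollmentUrl }}` and `enrollment_url: {{ .Values.config.oidc.enrollmentUrl | quote }}`. The first configmap hunk in this commit is correct for the CILogon block.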
@@ -1,3 +1,6 @@ +image: + tag: "tickets-DM-34335" + # Use the CSI storage class so that we can use snapshots. redis: persistence: From 2dcf9a980bb31c42ab1e9421a2bc6a0fa09bb28a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 29 Apr 2022 12:42:14 -0700 Subject: [PATCH 0319/1479] Drop the pull-secret from Gafaelfawr Gafaelfawr now uses GitHub Container Registry, which doesn't require a pull secret. --- services/gafaelfawr/templates/vault-secrets.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/services/gafaelfawr/templates/vault-secrets.yaml b/services/gafaelfawr/templates/vault-secrets.yaml index 701e9afaf7..e0b12539b7 100644 --- a/services/gafaelfawr/templates/vault-secrets.yaml +++ b/services/gafaelfawr/templates/vault-secrets.yaml @@ -7,13 +7,3 @@ metadata: spec: path: "{{ .Values.global.vaultSecretsPath }}/gafaelfawr" type: Opaque ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: "pull-secret" - labels: - {{- include "gafaelfawr.labels" . | nindent 4 }} -spec: - path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" - type: "kubernetes.io/dockerconfigjson" From 5a404e8496d959da30baec3534eb6ff08af2f0c0 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 29 Apr 2022 13:16:30 -0700 Subject: [PATCH 0320/1479] Add source link for Gafaelfawr --- services/gafaelfawr/Chart.yaml | 2 ++ services/gafaelfawr/README.md | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 211f86a758..89f4249b68 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -3,4 +3,6 @@ name: gafaelfawr version: 1.0.0 description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ +sources: + - https://github.com/lsst-sqre/gafaelfawr appVersion: 4.1.0 diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index a8d4264ba1..0fe4932e04 100644 --- a/services/gafaelfawr/README.md 
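Review bot: The `image.tag` override pins IDF dev to a ticket-branch tag, which is mutable and will change whenever that branch is pushed, so the deployed code is no longer tied to a reviewed release; the commit message calls this temporary, but nothing in the file says so. Add a comment next to it naming the exit condition, e.g. `# Temporary: remove once the chart's appVersion (4.1.0) is released`, so the override is not forgotten. The minikube override added in a later commit on this page has the same issue.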
+++ b/services/gafaelfawr/README.md @@ -6,6 +6,10 @@ Science Platform authentication and authorization system **Homepage:** +## Source Code + +* + ## Values | Key | Type | Default | Description | From 80e3f2b6bbd9af5977665ea345d57b2a9c71478d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 29 Apr 2022 13:22:02 -0700 Subject: [PATCH 0321/1479] Use the pending new release for minikube Similar to IDF dev, use the pending new release since 4.1.0 hasn't been tagged and released yet. --- services/gafaelfawr/values-minikube.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/gafaelfawr/values-minikube.yaml b/services/gafaelfawr/values-minikube.yaml index 502d9dec7f..1a5413844c 100644 --- a/services/gafaelfawr/values-minikube.yaml +++ b/services/gafaelfawr/values-minikube.yaml @@ -1,3 +1,6 @@ +image: + tag: "tickets-DM-34335" + # Reset token storage on every Redis restart. redis: persistence: From 09173d5f6bfbac48f8ae0d9a712d3b90b948a0d3 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 29 Apr 2022 13:53:17 -0700 Subject: [PATCH 0322/1479] Delete imagePullSecrets from Gafaelfawr These are no longer needed now that we're using GitHub Container Registry. --- services/gafaelfawr/templates/deployment-tokens.yaml | 2 -- services/gafaelfawr/templates/deployment.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/services/gafaelfawr/templates/deployment-tokens.yaml b/services/gafaelfawr/templates/deployment-tokens.yaml index 85007c6c0f..a27a6cd187 100644 --- a/services/gafaelfawr/templates/deployment-tokens.yaml +++ b/services/gafaelfawr/templates/deployment-tokens.yaml @@ -69,8 +69,6 @@ spec: - name: "secret" mountPath: "/etc/gafaelfawr/secrets" readOnly: true - imagePullSecrets: - - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/services/gafaelfawr/templates/deployment.yaml b/services/gafaelfawr/templates/deployment.yaml index 9c5475902d..171e3b4f77 100644 --- a/services/gafaelfawr/templates/deployment.yaml 
+++ b/services/gafaelfawr/templates/deployment.yaml @@ -91,8 +91,6 @@ spec: - name: "secret" mountPath: "/etc/gafaelfawr/secrets" readOnly: true - imagePullSecrets: - - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 From 02efc5ff08b20fb3b700d41b1c456d646449e47f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 29 Apr 2022 13:56:23 -0700 Subject: [PATCH 0323/1479] Move Gafaelfawr secrets to files The new version of Gafaelfawr no longer supports environment variables for secrets. Move all the secrets that were passed that way into references to files mounted from the Gafaelfawr secret. --- services/gafaelfawr/templates/configmap.yaml | 3 +++ .../templates/deployment-tokens.yaml | 6 ------ services/gafaelfawr/templates/deployment.yaml | 18 ------------------ 3 files changed, 3 insertions(+), 24 deletions(-) diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 51f54dbc63..a86f728f4c 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -9,7 +9,9 @@ data: realm: {{ required "global.host must be set" .Values.global.host | quote }} loglevel: {{ .Values.config.loglevel | quote }} session_secret_file: "/etc/gafaelfawr/secrets/session-secret" + bootstrap_token_file: "/etc/gafaelfawr/secrets/bootstrap-token" database_url: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} + database_password_file: "/etc/gafaelfawr/secrets/database-password" redis_url: "redis://{{ template "gafaelfawr.fullname" . }}-redis.{{ .Release.Namespace }}:6379/0" redis_password_file: "/etc/gafaelfawr/secrets/redis-password" token_lifetime_minutes: {{ .Values.config.tokenLifetimeMinutes }} 
@@ -114,6 +116,7 @@ data: base_dn: {{ required "config.ldap.baseDn must be set" .Values.config.ldap.baseDn | quote }} {{- if .Values.config.ldap.userDn }} user_dn: {{ .Values.config.ldap.userDn | quote }} + password_file: "/etc/gafaelfawr/secrets/ldap-password" {{- end }} group_object_class: {{ .Values.config.ldap.groupObjectClass | quote }} group_member_attr: {{ .Values.config.ldap.groupMemberAttr | quote }} diff --git a/services/gafaelfawr/templates/deployment-tokens.yaml b/services/gafaelfawr/templates/deployment-tokens.yaml index a27a6cd187..c35eb1ba1a 100644 --- a/services/gafaelfawr/templates/deployment-tokens.yaml +++ b/services/gafaelfawr/templates/deployment-tokens.yaml @@ -44,12 +44,6 @@ spec: command: - "gafaelfawr" - "kubernetes-controller" - env: - - name: "GAFAELFAWR_DATABASE_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "gafaelfawr.fullname" . }}-secret - key: "database-password" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- with .Values.resources }} diff --git a/services/gafaelfawr/templates/deployment.yaml b/services/gafaelfawr/templates/deployment.yaml index 171e3b4f77..a4660c9ba3 100644 --- a/services/gafaelfawr/templates/deployment.yaml +++ b/services/gafaelfawr/templates/deployment.yaml 
@@ -46,24 +46,6 @@ spec: runAsGroup: 65532 {{- end }} - name: "gafaelfawr" - env: - - name: "GAFAELFAWR_BOOTSTRAP_TOKEN" - valueFrom: - secretKeyRef: - name: {{ template "gafaelfawr.fullname" . }}-secret - key: "bootstrap-token" - - name: "GAFAELFAWR_DATABASE_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "gafaelfawr.fullname" . }}-secret - key: "database-password" - {{- if .Values.config.ldap.userDn }} - - name: "GAFAELFAWR_LDAP_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "gafaelfawr.fullname" . }}-secret - key: "ldap-password" - {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy | quote }} ports: From aaa8ce2106450ea0a3eb5d45bb0a0200a21274c7 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 20 Apr 2022 11:59:05 -0700 Subject: [PATCH 0324/1479] Add test-csc and kafka producer - Adds the test-csc and kafka-producer Helm charts as dependencies to sasquatch - The kafka-producer is configured to produce messages to sasquatch from the Test csc - It sets OSPL_URI to a single process configuration file inside the container --- services/sasquatch/Chart.yaml | 6 ++ .../sasquatch/templates/vault-secret.yaml | 9 +++ services/sasquatch/values.yaml | 71 +++++++++++++++++++ 3 files changed, 86 insertions(+) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index b7dbb0383f..0881dd6c8f 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -22,3 +22,9 @@ dependencies: - name: telegraf version: 1.8.18 repository: https://helm.influxdata.com/ + - name: csc + version: 0.9.2 + repository: https://lsst-ts.github.io/charts/ + - name: kafka-producers + version: 0.10.1 + repository: https://lsst-ts.github.io/charts/ diff --git a/services/sasquatch/templates/vault-secret.yaml b/services/sasquatch/templates/vault-secret.yaml index 8660d0610a..9bee7ebd45 100644 
--- a/services/sasquatch/templates/vault-secret.yaml +++ b/services/sasquatch/templates/vault-secret.yaml @@ -14,3 +14,12 @@ metadata: spec: path: {{ .Values.vaultSecretsPath }}/pull-secret type: kubernetes.io/dockerconfigjson +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: sasquatch-nexus3-docker + namespace: sasquatch +spec: + path: {{ .Values.vaultSecretsPath }}/pull-secret + type: kubernetes.io/dockerconfigjson diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 10d247d78d..599ab9cc3c 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml 
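Review bot: The new `sasquatch-nexus3-docker` VaultSecret hard-codes `namespace: sasquatch` and points at the same Vault path as the existing pull-secret, `{{ .Values.vaultSecretsPath }}/pull-secret`, so it is a second copy of that dockerconfigjson under another name rather than credentials for the `ts-dockerhub.lsst.org` registry the new `csc` and `kafka-producers` images come from; unless that secret already holds credentials for that registry, the path should be a distinct Vault key. Use `{{ .Release.Namespace }}` instead of the literal namespace so the chart stays relocatable. It is not visible here whether the `csc` chart's `nexus3: nexus3-docker` value expects the secret to be named `sasquatch-nexus3-docker` or `nexus3-docker`; confirm against that chart.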
@@ -134,6 +134,77 @@ telegraf: username: "telegraf" password: "$TELEGRAF_PASSWORD" +csc: + image: + # -- The Docker registry name of the container image to use for the CSC + repository: ts-dockerhub.lsst.org/test + # -- The tag of the container image to use for the CSC + tag: c0025 + # -- The tag name for the Nexus3 Docker repository secrets if private images need to be pulled. + nexus3: nexus3-docker + # -- Enviroment variables to run the Test CSC. + env: + LSST_DDS_PARTITION_PREFIX: test + LSST_SITE: test + OSPL_INFOFILE: /tmp/ospl-info-test.log + OSPL_ERRORFILE: /tmp/ospl-error-test.log + # -- Use a single process configuration for DDS OpenSplice. + OSPL_URI: file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml + # -- Wether to use an external configuration for DDS OpenSplice. + useExternalConfig: false + # -- DDS OpenSplice version. + osplVersion: V6.10.4 + # -- Namespace where the Test CSC is deployed. + namespace: sasquatch + +kafka-producers: + image: + # -- The Docker registry name of the container image to use for the producers. + repository: ts-dockerhub.lsst.org/salkafka + # -- The tag of the container image to use for the producers. + tag: c0025 + # -- The tag name for the Nexus3 Docker repository secrets if private images need to be pulled. + nexus3: nexus3-docker + env: + # -- The LSST_DDS_PARTITION_PREFIX name applied to all producer containers. + lsstDdsPartitionPrefix: test + # -- The URI for the Sasquatch Kafka broker. + brokerIp: sasquatch-kafka-bootstrap.sasquatch + # -- The port for the Sasquatch Kafka listener. + brokerPort: 9092 + # -- The Sasquatch Schema Registry URL. + registryAddr: http://sasquatch-schema-registry.sasquatch:8081 + # -- The topic replication factor (should be the same as the number of Kafka broker in Sasquatch) + replication: 3 + # -- Logging level for the Kafka producers + logLevel: 20 + extras: + # -- Use a single process configuration for DDS OpenSplice. 
+ OSPL_URI: file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml + LSST_DDS_RESPONSIVENESS_TIMEOUT: 15s + OSPL_INFOFILE: /tmp/ospl-info-kafka-producers.log + OSPL_ERRORFILE: /tmp/ospl-error-kafka-producers.log + # -- Wether to use an external configuration for DDS OpenSplice. + useExternalConfig: false + # -- DDS OpenSplice version. + osplVersion: V6.10.4 + startupProbe: + # -- Whether to use the startup probe + use: true + # -- The number of times the startup probe is allowed to fail before failing the probe + failureThreshold: 15 + # -- The initial delay in seconds before the first check is made + initialDelay: 20 + # -- The time in seconds between subsequent checks + period: 10 + # -- List of producers and CSCs to get DDS samples from. + producers: + test: + cscs: >- + Test + # -- Namespace where the Test CSC is deployed. + namespace: sasquatch + # -- Path to the Vault secrets (`secret/k8s_operator//sasquatch`) # @default -- None, must be set vaultSecretsPath: "" From 0133bde71a0cac1b3c0906b5744b166ac2a057ba Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 29 Apr 2022 15:28:40 -0700 Subject: [PATCH 0325/1479] Conditionally deploy csc and kafka-producers - Enable them at TTS only --- services/sasquatch/Chart.yaml | 2 ++ services/sasquatch/values-tucson-teststand.yaml | 6 ++++++ services/sasquatch/values.yaml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 0881dd6c8f..a952987b42 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -25,6 +25,8 @@ dependencies: - name: csc version: 0.9.2 repository: https://lsst-ts.github.io/charts/ + condition: csc.enabled - name: kafka-producers version: 0.10.1 repository: https://lsst-ts.github.io/charts/ + condition: kafka-producers.enabled diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 7d7979d0d1..92e52631f1 100644 
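Review bot: The kafka-producers block points the producers at the broker on `brokerPort: 9092` and at `registryAddr: http://sasquatch-schema-registry.sasquatch:8081`, i.e. plaintext, credential-less connections; if the Strimzi listener on 9092 is the plain listener without authentication (not visible in this diff), anything in the cluster that can reach that Service can publish to the telemetry topics, so the intended trust boundary should be stated in a comment next to `brokerIp`. The images from `ts-dockerhub.lsst.org` are pinned by tag only (`tag: c0025`) with no digest, so consider recording the digest or noting in the `# -- The tag of the container image` comment that the cycle tag is immutable. The helm-docs comments `# -- Wether to use an external configuration` and `# -- Enviroment variables to run the Test CSC.` are misspelled and are copied verbatim into the generated README; `# -- Whether` and `# -- Environment`.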
--- a/services/sasquatch/values-tucson-teststand.yaml
+++ b/services/sasquatch/values-tucson-teststand.yaml
@@ -40,4 +40,10 @@ kapacitor:
   persistence:
     storageClass: rook-ceph-block
 
+csc:
+  enabled: true
+
+kafka-producers:
+  enabled: true
+
 vaultSecretsPath: secret/k8s_operator/tucson-teststand.lsst.codes
diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml
index 599ab9cc3c..88bbcba4a6 100644
--- a/services/sasquatch/values.yaml
+++ b/services/sasquatch/values.yaml
@@ -135,6 +135,8 @@ telegraf:
     password: "$TELEGRAF_PASSWORD"
 
 csc:
+  # -- Whether the test csc is deployed.
+  enabled: false
   image:
     # -- The Docker registry name of the container image to use for the CSC
     repository: ts-dockerhub.lsst.org/test
@@ -158,6 +160,8 @@ csc:
   namespace: sasquatch
 
 kafka-producers:
+  # -- Whether the kafka-producer for the test csc is deployed.
+  enabled: false
   image:
     # -- The Docker registry name of the container image to use for the producers.
     repository: ts-dockerhub.lsst.org/salkafka
From d8fecbb7d41de1c66c98ff21c9e49def6c6f1814 Mon Sep 17 00:00:00 2001
From: Angelo Fausti Date: Fri, 29 Apr 2022 15:57:02 -0700 Subject: [PATCH 0326/1479] Run helm-docs - Fix up chart metadata - Remove old helm-doc templates in favor of the new template configure by the pre-commit hook --- services/sasquatch/Chart.yaml | 5 ++- services/sasquatch/README.md | 37 ++++++++++++++++++- services/sasquatch/README.md.gotmpl | 9 ----- .../charts/kafka-connect-manager/Chart.yaml | 3 +- .../charts/kafka-connect-manager/README.md | 6 +-- .../kafka-connect-manager/README.md.gotmpl | 7 ---- .../charts/kafka-connect-manager/values.yaml | 2 +- .../sasquatch/charts/strimzi-kafka/Chart.yaml | 3 +- .../sasquatch/charts/strimzi-kafka/README.md | 4 +- .../charts/strimzi-kafka/README.md.gotmpl | 7 ---- 10 files changed, 48 insertions(+), 35 deletions(-) delete mode 100644 services/sasquatch/README.md.gotmpl delete mode 100644 services/sasquatch/charts/kafka-connect-manager/README.md.gotmpl delete mode 100644 services/sasquatch/charts/strimzi-kafka/README.md.gotmpl diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index a952987b42..ed486b2191 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -1,9 +1,10 @@ apiVersion: v2 name: sasquatch version: 1.0.0 -description: SQuaRE telemetry data service. +description: Rubin Observatory's telemetry service. +appVersion: 0.1.0 dependencies: - - name: "strimzi-kafka" + - name: strimzi-kafka version: 1.0.0 - name: strimzi-registry-operator version: 1.2.0 diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 5beed01c32..0a8fb82794 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -1,8 +1,8 @@ - +![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) # sasquatch -SQuaRE telemetry data service. +Rubin Observatory's telemetry service. ## Requirements 
@@ -15,6 +15,8 @@ SQuaRE telemetry data service. | https://helm.influxdata.com/ | kapacitor | 1.4.6 | | https://helm.influxdata.com/ | telegraf | 1.8.18 | | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 1.2.0 | +| https://lsst-ts.github.io/charts/ | csc | 0.9.2 | +| https://lsst-ts.github.io/charts/ | kafka-producers | 0.10.1 | ## Values 
@@ -25,12 +27,43 @@ SQuaRE telemetry data service. | chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.4"}` | Chronograf image tag. | | chronograf.ingress | object | disabled | Chronograf ingress configuration. | | chronograf.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | +| csc.enabled | bool | `false` | Whether the test csc is deployed. | +| csc.env | object | `{"LSST_DDS_PARTITION_PREFIX":"test","LSST_SITE":"test","OSPL_ERRORFILE":"/tmp/ospl-error-test.log","OSPL_INFOFILE":"/tmp/ospl-info-test.log","OSPL_URI":"file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml"}` | Enviroment variables to run the Test CSC. | +| csc.env.OSPL_URI | string | `"file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml"` | Use a single process configuration for DDS OpenSplice. | +| csc.image.nexus3 | string | `"nexus3-docker"` | The tag name for the Nexus3 Docker repository secrets if private images need to be pulled. | +| csc.image.repository | string | `"ts-dockerhub.lsst.org/test"` | The Docker registry name of the container image to use for the CSC | +| csc.image.tag | string | `"c0025"` | The tag of the container image to use for the CSC | +| csc.namespace | string | `"sasquatch"` | Namespace where the Test CSC is deployed. | +| csc.osplVersion | string | `"V6.10.4"` | DDS OpenSplice version. | +| csc.useExternalConfig | bool | `false` | Wether to use an external configuration for DDS OpenSplice. | | influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"900s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0}}` | Override InfluxDB configuration. 
See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | | influxdb.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | | influxdb.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"sasquatch"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | | kafka-connect-manager | object | `{}` | Override strimzi-kafka configuration. | +| kafka-producers.enabled | bool | `false` | Whether the kafka-producer for the test csc is deployed. | +| kafka-producers.env.brokerIp | string | `"sasquatch-kafka-bootstrap.sasquatch"` | The URI for the Sasquatch Kafka broker. | +| kafka-producers.env.brokerPort | int | `9092` | The port for the Sasquatch Kafka listener. | +| kafka-producers.env.extras.LSST_DDS_RESPONSIVENESS_TIMEOUT | string | `"15s"` | | +| kafka-producers.env.extras.OSPL_ERRORFILE | string | `"/tmp/ospl-error-kafka-producers.log"` | | +| kafka-producers.env.extras.OSPL_INFOFILE | string | `"/tmp/ospl-info-kafka-producers.log"` | | +| kafka-producers.env.extras.OSPL_URI | string | `"file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml"` | Use a single process configuration for DDS OpenSplice. | +| kafka-producers.env.logLevel | int | `20` | Logging level for the Kafka producers | +| kafka-producers.env.lsstDdsPartitionPrefix | string | `"test"` | The LSST_DDS_PARTITION_PREFIX name applied to all producer containers. | +| kafka-producers.env.registryAddr | string | `"http://sasquatch-schema-registry.sasquatch:8081"` | The Sasquatch Schema Registry URL. 
| +| kafka-producers.env.replication | int | `3` | The topic replication factor (should be the same as the number of Kafka broker in Sasquatch) | +| kafka-producers.image.nexus3 | string | `"nexus3-docker"` | The tag name for the Nexus3 Docker repository secrets if private images need to be pulled. | +| kafka-producers.image.repository | string | `"ts-dockerhub.lsst.org/salkafka"` | The Docker registry name of the container image to use for the producers. | +| kafka-producers.image.tag | string | `"c0025"` | The tag of the container image to use for the producers. | +| kafka-producers.namespace | string | `"sasquatch"` | Namespace where the Test CSC is deployed. | +| kafka-producers.osplVersion | string | `"V6.10.4"` | DDS OpenSplice version. | +| kafka-producers.producers | object | `{"test":{"cscs":"Test"}}` | List of producers and CSCs to get DDS samples from. | +| kafka-producers.startupProbe.failureThreshold | int | `15` | The number of times the startup probe is allowed to fail before failing the probe | +| kafka-producers.startupProbe.initialDelay | int | `20` | The initial delay in seconds before the first check is made | +| kafka-producers.startupProbe.period | int | `10` | The time in seconds between subsequent checks | +| kafka-producers.startupProbe.use | bool | `true` | Whether to use the startup probe | +| kafka-producers.useExternalConfig | bool | `false` | Wether to use an external configuration for DDS OpenSplice. | | kapacitor.envVars | object | `{"KAPACITOR_SLACK_ENABLED":true}` | Kapacitor environment variables. | | kapacitor.existingSecret | string | `"sasquatch"` | InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. | | kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.4"}` | Kapacitor image tag. | diff --git a/services/sasquatch/README.md.gotmpl b/services/sasquatch/README.md.gotmpl deleted file mode 100644 index 4531459bbb..0000000000 --- a/services/sasquatch/README.md.gotmpl +++ /dev/null 
@@ -1,9 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/services/sasquatch/charts/kafka-connect-manager/Chart.yaml b/services/sasquatch/charts/kafka-connect-manager/Chart.yaml index 93cbc20ede..a81ef857bc 100644 --- a/services/sasquatch/charts/kafka-connect-manager/Chart.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/Chart.yaml @@ -1,4 +1,5 @@ apiVersion: v2 name: kafka-connect-manager version: 1.0.0 -description: A sub chart to deploy the Kafka connectors used by Sasquatch. +description: A subchart to deploy the Kafka connectors used by Sasquatch. +appVersion: 0.9.3 diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 8fbd60ee69..c45ef952d8 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -1,8 +1,8 @@ - +![AppVersion: 0.9.3](https://img.shields.io/badge/AppVersion-0.9.3-informational?style=flat-square) # kafka-connect-manager -A sub chart to deploy the Kafka connectors used by Sasquatch. +A subchart to deploy the Kafka connectors used by Sasquatch. ## Values @@ -10,7 +10,7 @@ A sub chart to deploy the Kafka connectors used by Sasquatch. |-----|------|---------|-------------| | env.kafkaBrokerUrl | string | `"sasquatch-kafka-bootstrap.sasquatch:9092"` | Kafka broker URL. | | env.kafkaConnectUrl | string | `"http://sasquatch-connect-api.sasquatch:8083"` | Kafka connnect URL. | -| image.pullPolicy | string | `"Always"` | | +| image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"lsstsqre/kafkaconnect"` | | | image.tag | string | `"0.9.3"` | | | influxdbSink.influxdb-sink.autoUpdate | bool | `true` | If autoUpdate is enabled, check for new kafka topics. | 
diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md.gotmpl b/services/sasquatch/charts/kafka-connect-manager/README.md.gotmpl deleted file mode 100644 index 0d310b45a2..0000000000 --- a/services/sasquatch/charts/kafka-connect-manager/README.md.gotmpl +++ /dev/null @@ -1,7 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index 5719a51034..783677d17c 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml @@ -3,7 +3,7 @@ image: repository: lsstsqre/kafkaconnect tag: 0.9.3 - pullPolicy: Always + pullPolicy: IfNotPresent influxdbSink: # Repeat this block to create multiple instances of this connector. diff --git a/services/sasquatch/charts/strimzi-kafka/Chart.yaml b/services/sasquatch/charts/strimzi-kafka/Chart.yaml index 8659e1a0b1..f587b16083 100644 --- a/services/sasquatch/charts/strimzi-kafka/Chart.yaml +++ b/services/sasquatch/charts/strimzi-kafka/Chart.yaml @@ -1,4 +1,5 @@ apiVersion: v2 name: strimzi-kafka version: 1.0.0 -description: A sub chart to deploy Strimzi Kafka components for Sasquatch. +description: A subchart to deploy Strimzi Kafka components for Sasquatch. +appVersion: 3.0.0 diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 863dad6a67..b5f851ec85 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md @@ -1,8 +1,8 @@ - +![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) # strimzi-kafka -A sub chart to deploy Strimzi Kafka components for Sasquatch. +A subchart to deploy Strimzi Kafka components for Sasquatch. ## Values 
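Review bot: The `pullPolicy: Always` to `IfNotPresent` change in kafka-connect-manager/values.yaml is a runtime behaviour change in a commit whose message only mentions running helm-docs and fixing chart metadata; it deserves its own line in the message. With `IfNotPresent` the image is only as immutable as the `0.9.3` tag: a node that has cached that tag will keep running it even if the registry copy is retagged, which may be the intent but is also how stale code runs silently. Pinning `repository`/`tag` to a digest (`lsstsqre/kafkaconnect@sha256:…`) would keep the no-repull behaviour and add an integrity guarantee; failing that, a comment such as `# 0.9.3 is an immutable release tag; IfNotPresent avoids a registry round-trip on every restart` documents the assumption.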
diff --git a/services/sasquatch/charts/strimzi-kafka/README.md.gotmpl b/services/sasquatch/charts/strimzi-kafka/README.md.gotmpl deleted file mode 100644 index 0d310b45a2..0000000000 --- a/services/sasquatch/charts/strimzi-kafka/README.md.gotmpl +++ /dev/null @@ -1,7 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} From 5b7bccb2107f17fc63b71ba26c37036511a092e1 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 2 May 2022 10:51:27 -0400 Subject: [PATCH 0327/1479] Fix title for pre-commit doc page --- docs/service-guide/linting-and-helm-docs.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/service-guide/linting-and-helm-docs.rst b/docs/service-guide/linting-and-helm-docs.rst index f75291c0a1..f80b6e4a3f 100644 --- a/docs/service-guide/linting-and-helm-docs.rst +++ b/docs/service-guide/linting-and-helm-docs.rst @@ -1,8 +1,8 @@ .. _pre-commit-howto: -########################################################## -Setting up pre-commit and linting and helm-docs generation -########################################################## +###################################################### +Setting up pre-commit linting and helm-docs generation +###################################################### The Phalanx repository uses `pre-commit`_ to lint source files and generate Helm chart documentation with `helm-docs`_. If you're contributing to Phalanx, you should enable pre-commit locally to ensure your work is clean and Helm chart docs are up to date. From 7ca367e96f2f05cd92d7d46bdf89f3dcd7d82faa Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 2 May 2022 16:05:30 +0000 Subject: [PATCH 0328/1479] Update Helm release vault-secrets-operator to v1.18.0 --- services/vault-secrets-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml index 9d61f3aaf4..d9d6c9a182 100644 --- a/services/vault-secrets-operator/Chart.yaml +++ b/services/vault-secrets-operator/Chart.yaml @@ -3,5 +3,5 @@ name: vault-secrets-operator version: 1.0.0 dependencies: - name: vault-secrets-operator - version: 1.17.0 + version: 1.18.0 repository: https://ricoberger.github.io/helm-charts/ From 8819fe06eabc8d2535890719958740f54fd97496 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 2 May 2022 16:34:11 +0000 Subject: [PATCH 0329/1479] Update Helm release argo-cd to v4.5.8 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 0fc86dd09d..e68e9ab27a 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.5.7 + version: 4.5.8 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From 0678abfe60bdbb629a9e791996b5bac4728b41a3 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 2 May 2022 16:45:31 +0000 Subject: [PATCH 0330/1479] Update helm values redis to v6.2.7 --- services/gafaelfawr/values.yaml | 2 +- services/portal/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index e6a11765d9..f6f0eedde6 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -251,7 +251,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "6.2.6" + tag: "6.2.7" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 54f5fdd2cc..15a7fb7bc5 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml 
@@ -87,7 +87,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "6.2.6" + tag: "6.2.7" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index ed9767a4ae..cc4bc9bf1d 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -151,7 +151,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "6.2.6" + tag: "6.2.7" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" From 0b0c3c3c67099fec18cd0233dfac26e05f88e53c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 2 May 2022 09:48:28 -0700 Subject: [PATCH 0331/1479] Regenerate chart documentation --- services/gafaelfawr/README.md | 2 +- services/portal/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 0fe4932e04..96f0c95375 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -69,7 +69,7 @@ Science Platform authentication and authorization system | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"6.2.6"` | Redis image tag to use | +| redis.image.tag | string | `"6.2.7"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | diff --git a/services/portal/README.md b/services/portal/README.md index 954f5af74d..ac63dda9aa 100644 
--- a/services/portal/README.md +++ b/services/portal/README.md @@ -33,7 +33,7 @@ Rubin Science Platform portal aspect | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"6.2.6"` | Redis image tag to use | +| redis.image.tag | string | `"6.2.7"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | | redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index c19760d146..d0940a42ca 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -54,7 +54,7 @@ Image cutout service complying with IVOA SODA | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"6.2.6"` | Redis image tag to use | +| redis.image.tag | string | `"6.2.7"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | From d316cf23da302fbe392e3dcbffc50d05b0ccf969 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Mon, 2 May 2022 16:50:59 +0000 Subject: [PATCH 0332/1479] Update Helm release redis to v16.8.9 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 112bed56ac..a9e2862d31 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.8.7 + version: 16.8.9 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index c381c398a1..5896380f9e 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -16,5 +16,5 @@ dependencies: - name: times-square-ui version: 1.0.0 - name: redis - version: 16.8.7 + version: 16.8.9 repository: https://charts.bitnami.com/bitnami From 74ce19c100ad2d0f4ff77829905b95495b6abaf6 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 2 May 2022 10:30:13 -0700 Subject: [PATCH 0333/1479] Regenerate chart documentation --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index f64539e6af..9cb284d245 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -14,7 +14,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.8.7 | +| https://charts.bitnami.com/bitnami | redis | 16.8.9 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index acc3671f88..6c233dd0e1 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -15,7 +15,7 @@ See the embedded Helm sub-charts for additional configuration docs: |------------|------|---------| | | times-square | 1.0.0 | | | times-square-ui | 1.0.0 | -| https://charts.bitnami.com/bitnami | redis | 16.8.7 | +| https://charts.bitnami.com/bitnami | redis | 16.8.9 | ## Values From de4db4ef06a45a607b17222e039e944c8b722ad7 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 3 May 2022 13:04:17 -0400 Subject: [PATCH 0334/1479] Delete unnecessary helm docs templates Now we're using the centralized template --- services/times-square/README.md.gotmpl | 11 ----------- .../charts/times-square-ui/README.md.gotmpl | 11 ----------- .../times-square/charts/times-square/README.md.gotmpl | 11 ----------- 3 files changed, 33 deletions(-) delete mode 100644 services/times-square/README.md.gotmpl delete mode 100644 services/times-square/charts/times-square-ui/README.md.gotmpl delete mode 100644 services/times-square/charts/times-square/README.md.gotmpl diff --git a/services/times-square/README.md.gotmpl b/services/times-square/README.md.gotmpl deleted file mode 100644 index 18ae54f339..0000000000 --- a/services/times-square/README.md.gotmpl +++ /dev/null @@ -1,11 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/services/times-square/charts/times-square-ui/README.md.gotmpl b/services/times-square/charts/times-square-ui/README.md.gotmpl deleted file mode 100644 index 18ae54f339..0000000000 --- a/services/times-square/charts/times-square-ui/README.md.gotmpl +++ /dev/null @@ -1,11 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} 
diff --git a/services/times-square/charts/times-square/README.md.gotmpl b/services/times-square/charts/times-square/README.md.gotmpl deleted file mode 100644 index 18ae54f339..0000000000 --- a/services/times-square/charts/times-square/README.md.gotmpl +++ /dev/null @@ -1,11 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} From bfec7105ea6289ae31793f95c1de57ce32891278 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 3 May 2022 14:31:21 -0400 Subject: [PATCH 0335/1479] Update times-square for GitHub app and arq - times-square now has GitHub app configurations - times-square runs a second Deployment called times-square-worker, which is a pool of nodes that runs jobs from the arq (redis) queue. --- services/times-square/README.md | 7 +- .../charts/times-square/README.md | 10 +- .../times-square/templates/configmap.yaml | 5 +- .../times-square/templates/deployment.yaml | 17 ++- .../templates/worker-deployment.yaml | 114 ++++++++++++++++++ .../charts/times-square/values.yaml | 24 +++- services/times-square/values-idfdev.yaml | 9 +- services/times-square/values.yaml | 10 +- 8 files changed, 174 insertions(+), 22 deletions(-) create mode 100644 services/times-square/charts/times-square/templates/worker-deployment.yaml diff --git a/services/times-square/README.md b/services/times-square/README.md index 6c233dd0e1..a3566d0407 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -28,8 +28,9 @@ See the embedded Helm sub-charts for additional configuration docs: | redis.fullnameOverride | string | `"times-square-redis"` | | | times-square-ui.fullnameOverride | string | `"times-square-ui"` | | | times-square-ui.image.pullPolicy | string | `"IfNotPresent"` | | -| times-square-ui.image.tag | string | `"tickets-DM-34030"` | | -| times-square.config.redisUrl | string | Points to embedded Redis | Redis URL | +| times-square-ui.image.tag | string | `"0.2.0"` | | +| times-square.config.queueRedisUrl | string | Points to embedded Redis | URL for Redis arq queue database | +| times-square.config.redisUrl | string | Points to embedded Redis | URL for Redis html / noteburst job cache database | | times-square.fullnameOverride | string | `"times-square"` | | | times-square.image.pullPolicy | string | `"IfNotPresent"` | | -| times-square.image.tag | string | `"tickets-DM-34030"` | | +| times-square.image.tag | string | `"tickets-DM-34458"` | | diff --git a/services/times-square/charts/times-square/README.md b/services/times-square/charts/times-square/README.md index c65941ac52..5eb3bf14e5 100644 --- a/services/times-square/charts/times-square/README.md +++ b/services/times-square/charts/times-square/README.md 
@@ -24,12 +24,15 @@ A parameterized notebook web viewer for the Rubin Science Platform. | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | +| config.enableGitHubApp | string | `"False"` | Toggle to enable the GitHub App functionality | +| config.githubAppId | string | `""` | GitHub application ID | | config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | | config.name | string | `"times-square"` | Name of the service. | | config.profile | string | `"production"` | Run profile: "production" or "development" | -| config.redisUrl | string | None, must be set | URL for the Redis cache | +| config.queueRedisUrl | string | None, must be set | URL for Redis arq queue database | +| config.redisCacheUrl | string | None, must be set | URL for Redis html / noteburst job cache database | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| image.pullPolicy | string | `"Always"` | Pull policy for the times-square image | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the times-square image | | image.repository | string | `"ghcr.io/lsst-sqre/times-square"` | Image to use in the times-square deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | 
@@ -42,7 +45,8 @@ A parameterized notebook web viewer for the Rubin Science Platform. | nodeSelector | object | `{}` | Node selection rules for the times-square deployment pod | | podAnnotations | object | `{}` | Annotations for the times-square deployment pod | | redis.auth.enabled | bool | `false` | | -| replicaCount | int | `1` | Number of web deployment pods to start | +| replicaCount.api | int | `1` | Number of API deployment pods to start | +| replicaCount.worker | int | `1` | Number of worker deployment pods to start | | resources | object | `{}` | Resource limits and requests for the times-square deployment pod | | service.port | int | `8080` | Port of the service to create and map to the ingress | | service.type | string | `"ClusterIP"` | Type of service to create | diff --git a/services/times-square/charts/times-square/templates/configmap.yaml b/services/times-square/charts/times-square/templates/configmap.yaml index 74a1b79ade..4ee03962d6 100644 --- a/services/times-square/charts/times-square/templates/configmap.yaml +++ b/services/times-square/charts/times-square/templates/configmap.yaml @@ -11,4 +11,7 @@ data: TS_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} TS_PATH_PREFIX: {{ .Values.ingress.path }} TS_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} - TS_REDIS_URL: {{ required "config.redisUrl must be set" .Values.config.redisUrl | quote }} + TS_REDIS_URL: {{ required "config.redisCacheUrl must be set" .Values.config.redisCacheUrl | quote }} + TS_REDIS_QUEUE_URL: {{ required "config.redisQueueUrl must be set" .Values.config.redisQueueUrl | quote }} + TS_ENABLE_GITHUB_APP: {{ .Values.config.enableGitHubApp | quote }} + TS_GITHUB_APP_ID: {{ .Values.config.githubAppId | quote }} diff --git a/services/times-square/charts/times-square/templates/deployment.yaml b/services/times-square/charts/times-square/templates/deployment.yaml index 93754faf9b..27fedfed56 100644 
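Review bot: The new `TS_REDIS_QUEUE_URL` line reads `.Values.config.redisQueueUrl`, but the chart's values.yaml in this same commit defines the key as `queueRedisUrl` (and the README documents `config.queueRedisUrl`), so the `required` guard fails and the chart will not render until the names agree. Pick one spelling — `redisQueueUrl` is consistent with the sibling `redisCacheUrl` — and use it in values.yaml, the README and the `required` message. `TS_ENABLE_GITHUB_APP` is rendered from the quoted string default `"False"`, so an environment override written as a YAML bool (`true`) arrives as `"true"`; a comment in values.yaml stating which spellings the application accepts would prevent a silent no-op.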
--- a/services/times-square/charts/times-square/templates/deployment.yaml +++ b/services/times-square/charts/times-square/templates/deployment.yaml @@ -6,7 +6,7 @@ metadata: {{- include "times-square.labels" . | nindent 4 }} spec: {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + replicas: {{ .Values.replicaCount.api }} {{- end }} selector: matchLabels: @@ -90,6 +90,21 @@ spec: secretKeyRef: name: {{ template "times-square.fullname" . }}-secret key: "TS_DATABASE_PASSWORD" + - name: "TS_GITHUB_WEBHOOK_SECRET" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_GITHUB_WEBHOOK_SECRET" + - name: "TS_GITHUB_WEBHOOK_SECRET" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_GITHUB_WEBHOOK_SECRET" + - name: "TS_GITHUB_APP_PRIVATE_KEY" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_GITHUB_APP_PRIVATE_KEY" {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/services/times-square/charts/times-square/templates/worker-deployment.yaml b/services/times-square/charts/times-square/templates/worker-deployment.yaml new file mode 100644 index 0000000000..80ff02d353 --- /dev/null +++ b/services/times-square/charts/times-square/templates/worker-deployment.yaml 
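Review bot: `TS_GITHUB_WEBHOOK_SECRET` is declared twice in the added env block; Kubernetes keeps the last entry, so it is harmless today, but it is a copy-paste slip that newer clusters flag as a duplicate — drop the second copy. Both new `secretKeyRef` entries are unconditional, so every environment now needs `TS_GITHUB_WEBHOOK_SECRET` and `TS_GITHUB_APP_PRIVATE_KEY` in `times-square-secret` even when `config.enableGitHubApp` is `"False"` (the chart default); a missing key leaves the pod in CreateContainerConfigError. Either wrap the two entries in `{{- if eq (toString .Values.config.enableGitHubApp) "True" }}` or add `optional: true` to the refs. The container spec continues outside the hunk.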
@@ -0,0 +1,114 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "times-square.fullname" . }}-worker + labels: + {{- include "times-square.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount.worker }} + {{- end }} + selector: + matchLabels: + {{- include "times-square.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "times-square.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.serviceAccount.create .Values.cloudsql.enabled }} + serviceAccountName: {{ include "times-square.serviceAccountName" . }} + {{- else }} + automountServiceAccountToken: false + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + {{- if .Values.cloudsql.enabled }} + - name: "cloud-sql-proxy" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} + command: + - "/cloud_sql_proxy" + - "-ip_address_types=PRIVATE" + - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" + {{- end }} + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + 
containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + envFrom: + - configMapRef: + name: {{ include "times-square.fullname" . }} + env: + - name: "TS_GAFAELFAWR_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-gafaelfawr-token + key: "token" + - name: "TS_DATABASE_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_DATABASE_PASSWORD" + - name: "TS_GITHUB_WEBHOOK_SECRET" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_GITHUB_WEBHOOK_SECRET" + - name: "TS_GITHUB_APP_PRIVATE_KEY" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_GITHUB_APP_PRIVATE_KEY" + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/times-square/charts/times-square/values.yaml b/services/times-square/charts/times-square/values.yaml index 7b30b83a95..97289a47cd 100644 --- a/services/times-square/charts/times-square/values.yaml +++ b/services/times-square/charts/times-square/values.yaml 
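Review bot: The worker Deployment's `selector.matchLabels` and pod labels are the same `times-square.selectorLabels` the API Deployment uses, so the two Deployments claim overlapping pod sets and any Service selecting on those labels will send API traffic to worker pods, which this template also advertises on port 8080. Give the worker a distinguishing label, e.g. `app.kubernetes.io/component: worker` in both `matchLabels` and the template labels, and put a matching `component: api` on the API Deployment and the Service selector so only API pods receive traffic; the Service template is not on this page, so confirm its selector. The worker also receives `TS_GITHUB_WEBHOOK_SECRET`; if the worker never verifies webhook signatures, leave that secret out of its env to narrow exposure — confirm against the worker code.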
@@ -2,15 +2,19 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -# -- Number of web deployment pods to start -replicaCount: 1 +replicaCount: + # -- Number of API deployment pods to start + api: 1 + + # -- Number of worker deployment pods to start + worker: 1 image: # -- Image to use in the times-square deployment repository: ghcr.io/lsst-sqre/times-square # -- Pull policy for the times-square image - pullPolicy: Always + pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. tag: "" @@ -110,9 +114,19 @@ config: # @default -- None, must be set databaseUrl: "" - # -- URL for the Redis cache + # -- URL for Redis html / noteburst job cache database + # @default -- None, must be set + redisCacheUrl: "" + + # -- URL for Redis arq queue database # @default -- None, must be set - redisUrl: "" + queueRedisUrl: "" + + # -- GitHub application ID + githubAppId: "" + + # -- Toggle to enable the GitHub App functionality + enableGitHubApp: "False" cloudsql: # -- Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 517a5d9285..fd9f088053 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -1,15 +1,12 @@ times-square: image: - tag: "tickets-DM-34030" + tag: "tickets-DM-34458" pullPolicy: Always config: databaseUrl: "postgresql://times-square@localhost/times-square" + github_app_id: "196798" + enable_github_app: "True" cloudsql: enabled: true instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" serviceAccount: "times-square@science-platform-dev-7696.iam.gserviceaccount.com" - -times-square-ui: - image: - tag: "tickets-dm-34030" - pullPolicy: Always diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index 7a7103073a..03989b6854 100644 
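Review bot: In `values-idfdev.yaml` the new keys `github_app_id` and `enable_github_app` are snake_case, but the subchart reads `config.githubAppId` and `config.enableGitHubApp` (camelCase, as defined in the chart's values.yaml in this commit), so the GitHub App stays disabled in idfdev and the app id is silently ignored. Change the two lines to `githubAppId: "196798"` and `enableGitHubApp: "True"`. Helm does not warn about unknown values keys, so a `values.schema.json` for the subchart (or at least a comment above `config:` listing the accepted keys) would catch this class of typo.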
--- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml @@ -19,21 +19,25 @@ times-square: fullnameOverride: times-square image: - tag: "tickets-DM-34030" + tag: "tickets-DM-34458" pullPolicy: "IfNotPresent" config: - # -- Redis URL + # -- URL for Redis html / noteburst job cache database # @default -- Points to embedded Redis redisUrl: "redis://times-square-redis-master:6379/0" + # -- URL for Redis arq queue database + # @default -- Points to embedded Redis + queueRedisUrl: "redis://times-square-redis-master:6379/1" + times-square-ui: fullnameOverride: times-square-ui image: - tag: "tickets-DM-34030" + tag: "0.2.0" pullPolicy: "IfNotPresent" From 7dcfe62a7fc3aca189fdc61224cd2a956285589f Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 2 May 2022 15:19:32 -0700 Subject: [PATCH 0336/1479] Enable scram-sha-512 authentication - Enable scram-sha-512 authentication for the plain listener used by clients inside the Kubernetes cluster --- .../sasquatch/charts/strimzi-kafka/templates/kafka.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml index 34b220d49c..98038f8c18 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml @@ -8,11 +8,17 @@ spec: version: {{ .Values.kafka.version | quote }} replicas: {{ .Values.kafka.replicas }} listeners: + # plain listener without tls encryption and with scram-sha-512 authentication + # used by clients inside the Kubernetes cluster - name: plain port: 9092 type: internal tls: false - - name: tls # Used by the schema registry; it has a fixed name it expects + authentication: + type: scram-sha-512 + # tls listener with tls encryption and mutual tls authentication + # used by the schema registry and kafka connect clients + - name: tls port: 9093 type: internal tls: true 
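Review bot: `config.redisUrl` is still the key set here, but the subchart's configmap now requires `config.redisCacheUrl` (and `config.redisQueueUrl`), so these defaults no longer satisfy the `required` checks and leave a dead key; rename to `redisCacheUrl` / `redisQueueUrl` to match. Both URLs point at the embedded Redis with no credentials, and the subchart README shows `redis.auth.enabled` defaulting to `false`; since the arq queue on db 1 drives what the worker executes, anything in the cluster that can reach `times-square-redis-master:6379` can enqueue work. Consider enabling Redis auth or a NetworkPolicy limiting the Redis pod to the times-square pods, and until then add a comment on `queueRedisUrl` such as `# unauthenticated in-cluster Redis: the queue is writable by any pod that can reach it`.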
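Review bot: Adding `authentication: scram-sha-512` to the `plain` listener authenticates clients but does not by itself enforce the ACLs attached to KafkaUsers — those apply only when `spec.kafka.authorization` (e.g. `type: simple`) is set on the Kafka resource, which is not visible in this hunk; check it is present, otherwise every authenticated user keeps full access. SCRAM over `tls: false` protects the password exchange but not the session, so an in-cluster client with network reach can still read or inject records on the wire; say so in the comment, e.g. `# SCRAM protects the credential, not the data: restrict with NetworkPolicy or move clients to the tls listener`. Existing clients on 9092 that do not send SASL credentials will be rejected once this is applied, so client configuration has to be rolled out first. The listeners list continues outside the hunk.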
From af0b00b557accf51b5f50f45fdc7847fed8830db Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 2 May 2022 15:21:25 -0700 Subject: [PATCH 0337/1479] Add ts-salkafka KafkaUser - This user represents the ts_salkafka client in sasquatch - It uses the plain listener with scram-sha-512 authentication internal to the cluster - It restricts operations on topics produced by ts_salkafka which are prefixed by lsst.sal.* --- .../templates/ts-salkafka-user.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml diff --git a/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml new file mode 100644 index 0000000000..718448951d --- /dev/null +++ b/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml @@ -0,0 +1,19 @@ +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: ts-salkafka + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + authorization: + type: simple + acls: + - resource: + type: topic + name: "lsst.sal.*" + patternType: literal + type: allow + host: "*" + operation: All From c3414f0d6a858d917db71bbd9f65e5b1b3e11437 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Tue, 3 May 2022 15:07:30 -0700 Subject: [PATCH 0338/1479] Add a chart test for sasl authentication - It needs a mechanism to set the password created by Strimzi for the test user, setting it manually for now. --- .../tests/test-sasl-authentication.yaml | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 services/sasquatch/charts/strimzi-kafka/templates/tests/test-sasl-authentication.yaml 
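Review bot: The ACL `name: "lsst.sal.*"` with `patternType: literal` matches only a topic literally named `lsst.sal.*` — in Kafka ACLs the asterisk is not a glob, and the only wildcard resource is the bare `*` — so ts-salkafka gets no access to the `lsst.sal.<subsystem>` topics the commit message describes. To express the prefix, use `name: "lsst.sal."` with `patternType: prefix`. `operation: All` also grants Delete and Alter, which a producer does not need; `Write`, `Describe` and (if topics are auto-created) `Create` are the usual minimum, so list those explicitly.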
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/tests/test-sasl-authentication.yaml b/services/sasquatch/charts/strimzi-kafka/templates/tests/test-sasl-authentication.yaml new file mode 100644 index 0000000000..413614d17e --- /dev/null +++ b/services/sasquatch/charts/strimzi-kafka/templates/tests/test-sasl-authentication.yaml 
@@ -0,0 +1,77 @@ +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: sasquatch-test + labels: + strimzi.io/cluster: sasquatch +spec: + authentication: + type: scram-sha-512 + authorization: + type: simple + acls: + - resource: + type: topic + name: sasquatch-test + patternType: literal + type: allow + host: "*" + operation: All +--- +apiVersion: kafka.strimzi.io/v1beta1 +kind: KafkaTopic +metadata: + name: sasquatch-test + labels: + strimzi.io/cluster: sasquatch +spec: + replicas: 3 + partitions: 12 +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app: sasquatch + name: sasquatch-test-producer + annotations: + "helm.sh/hook": test +spec: + backoffLimit: 0 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: sasquatch + job-name: sasquatch-test-producer + name: sasquatch-test-producer + namespace: sasquatch + spec: + containers: + - env: + - name: BOOTSTRAP_SERVERS + value: sasquatch-kafka-bootstrap.sasquatch:9092 + - name: DELAY_MS + value: "1000" + - name: TOPIC + value: sasquatch-test + - name: MESSAGE_COUNT + value: "100" + - name: MESSAGE + value: Hello-world + - name: PRODUCER_ACKS + value: all + - name: LOG_LEVEL + value: DEBUG + # Set here the password created by Strimzi for the + # sasquatch-test user, see the sasquatch-test secret. + - name: ADDITIONAL_CONFIG + value: | + sasl.mechanism=SCRAM-SHA-512 + security.protocol=SASL_PLAINTEXT + sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="sasquatch-test" password=""; + image: quay.io/strimzi-test-clients/test-client-kafka-producer:latest-kafka-3.0.0 + imagePullPolicy: IfNotPresent + name: kafka-producer-client + restartPolicy: "Never" From 660d59e130d88cadc76b8688439b889b151c133d Mon Sep 17 00:00:00 2001 
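Review bot: `ADDITIONAL_CONFIG` embeds the SCRAM password as a literal (`password=""`) that the commit message says is to be filled in by hand, which invites committing a real credential into the chart. The User Operator writes the generated password to a Secret named after the KafkaUser (`sasquatch-test`, which the comment already points at), so reference it with `secretKeyRef` (key `password` — confirm against the secret) and expand it with `$(…)` inside the JAAS line, as below. Two smaller things: the KafkaTopic uses `kafka.strimzi.io/v1beta1` while the KafkaUser uses `v1beta2`, and neither carries the `helm.sh/hook: test` annotation, so they are installed as ordinary release resources rather than only for the test. The `latest-kafka-3.0.0` image tag is floating; pin a digest so the test is reproducible.
```yaml
      - env:
        # … unchanged: BOOTSTRAP_SERVERS through LOG_LEVEL …
        - name: SASL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: sasquatch-test
              key: password
        - name: ADDITIONAL_CONFIG
          value: |
            sasl.mechanism=SCRAM-SHA-512
            security.protocol=SASL_PLAINTEXT
            sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="sasquatch-test" password="$(SASL_PASSWORD)";
```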
From: Angelo Fausti Date: Tue, 3 May 2022 15:46:28 -0700 Subject: [PATCH 0339/1479] Add ts-salkafka secret - This secret is used by the User Operator to set the password for the ts-salkafka user --- services/sasquatch/templates/vault-secret.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/services/sasquatch/templates/vault-secret.yaml b/services/sasquatch/templates/vault-secret.yaml index 9bee7ebd45..076ab85b37 100644 --- a/services/sasquatch/templates/vault-secret.yaml +++ b/services/sasquatch/templates/vault-secret.yaml @@ -9,6 +9,17 @@ spec: --- apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret +metadata: + name: ts-salkafka + namespace: sasquatch +spec: + keys: + - ts-salkafka-password + path: {{ .Values.vaultSecretsPath }}/sasquatch + type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret metadata: name: pull-secret spec: From 3eeaebc6bf79cf0be8e5dd91bf444ee746283ca8 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 4 May 2022 15:00:22 -0700 Subject: [PATCH 0340/1479] Support usernameClaim and uidClaim in Gafaelfawr This was previously supported in an earlier iteration of the chart but was lost. uidClaim is used at SLAC. Allow these to be set for the generic OIDC provider and plumb them through to the ConfigMap. --- services/gafaelfawr/README.md | 2 ++ services/gafaelfawr/templates/configmap.yaml | 6 ++++++ services/gafaelfawr/values.yaml | 10 ++++++++++ 3 files changed, 18 insertions(+) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 96f0c95375..adc5a74ae9 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
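Review bot: The commit message says this VaultSecret supplies the password the User Operator should set for `ts-salkafka`, but the `ts-salkafka` KafkaUser on this page only declares `authentication: type: scram-sha-512` and never references a secret; without `authentication.password.valueFrom.secretKeyRef` (`name: ts-salkafka`, `key: ts-salkafka-password`) on the KafkaUser, Strimzi generates its own password and the Vault-sourced one is never used — check that the deployed Strimzi version supports the `password` field. This VaultSecret also sets `namespace: sasquatch` explicitly, unlike the neighbouring `pull-secret` entry; drop it or template it from `.Release.Namespace` for consistency.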
@@ -53,6 +53,8 @@ Science Platform authentication and authorization system | config.oidc.loginUrl | string | None, must be set | URL to which to redirect the user for authorization | | config.oidc.scopes | list | `["openid"]` | Scopes to request from the OpenID Connect provider | | config.oidc.tokenUrl | string | None, must be set | URL from which to retrieve the token for the user | +| config.oidc.uidClaim | string | `"uidNumber"` | Claim from which to get the numeric UID (only used if not retrieved from LDAP) | +| config.oidc.usernameClaim | string | `"sub"` | Claim from which to get the username (only used if not retrieved from LDAP) | | config.oidcServer.enabled | bool | `false` | Whether to support OpenID Connect clients. If set to true, `oidc-server-secrets` must be set in the Gafaelfawr secret. | | config.proxies | list | [`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`] | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging | | config.tokenLifetimeMinutes | int | `43200` (30 days) | Session length and token expiration (in minutes) | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index a86f728f4c..c0b1adb28f 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -102,6 +102,12 @@ data: login_params: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.config.oidc.usernameClaim }} + username_claim: {{ .Values.config.oidc.usernameClaim | quote }} + {{- end }} + {{- if .Values.config.oidc.uidClaim }} + uid_claim: {{ .Values.config.oidc.uidClaim | quote }} + {{- end }} {{- end }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index f6f0eedde6..f5c8a8f292 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
@@ -119,6 +119,16 @@ config: scopes: - "openid" + # -- Claim from which to get the username (only used if not retrieved from + # LDAP) + # @default -- `"sub"` + usernameClaim: "" + + # -- Claim from which to get the numeric UID (only used if not retrieved + # from LDAP) + # @default -- `"uidNumber"` + uidClaim: "" + ldap: # -- LDAP server URL from which to retrieve user group information # @default -- Do not use LDAP From 4ca2d71c6f3abc464768bd7bbf71de6d7028744a Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 5 May 2022 16:58:12 -0400 Subject: [PATCH 0341/1479] Drop appVersionBadge from template We decided to take out the version badge in order to make it easier for version bumps from edit-on-GitHub workflows (i.e., bumping the version does not trigger a change in the README now). --- helm-docs.md.gotmpl | 2 -- 1 file changed, 2 deletions(-) diff --git a/helm-docs.md.gotmpl b/helm-docs.md.gotmpl index 2914dc708a..bc12ee4a20 100644 --- a/helm-docs.md.gotmpl +++ b/helm-docs.md.gotmpl @@ -1,5 +1,3 @@ -{{ template "chart.appVersionBadge" . }} - {{ template "chart.header" . }} {{ template "chart.description" . }} From f02de9e7ead5304ef3898631277e4ac551d8f8d9 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Thu, 5 May 2022 16:59:45 -0400 Subject: [PATCH 0342/1479] Update chart docs to remove app version badges This change is corresponding to the change in ./helm-docs.md.gotmpl. --- science-platform/README.md | 2 -- services/alert-stream-broker/README.md | 2 -- services/cachemachine/README.md | 2 -- services/cert-manager/README.md | 2 -- services/exposurelog/README.md | 2 -- services/gafaelfawr/README.md | 2 -- services/mobu/README.md | 2 -- services/narrativelog/README.md | 2 -- services/noteburst/README.md | 2 -- services/nublado2/README.md | 2 -- services/portal/README.md | 2 -- services/production-tools/README.md | 2 -- services/sasquatch/README.md | 2 -- services/sasquatch/charts/kafka-connect-manager/README.md | 2 -- services/sasquatch/charts/strimzi-kafka/README.md | 2 -- services/semaphore/README.md | 2 -- services/squareone/README.md | 2 -- services/tap-schema/README.md | 2 -- services/telegraf-ds/README.md | 2 -- services/telegraf/README.md | 2 -- services/times-square/README.md | 2 -- services/times-square/charts/times-square-ui/README.md | 2 -- services/times-square/charts/times-square/README.md | 2 -- services/vo-cutouts/README.md | 2 -- 24 files changed, 48 deletions(-) diff --git a/science-platform/README.md b/science-platform/README.md index 853c9bfead..f9c95e1be8 100644 --- a/science-platform/README.md +++ b/science-platform/README.md @@ -1,5 +1,3 @@ - - # science-platform ## Values diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index e931c11b5e..b34b80c738 100644 --- a/services/alert-stream-broker/README.md +++ b/services/alert-stream-broker/README.md @@ -1,5 +1,3 @@ - - # alert-stream-broker ## Requirements diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md index dd65af14f0..79063f7541 100644 --- a/services/cachemachine/README.md +++ b/services/cachemachine/README.md 
@@ -1,5 +1,3 @@ -![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square) - # cachemachine Service to prepull Docker images for the Science Platform diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index f5caad956b..2fdc08a311 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md @@ -1,5 +1,3 @@ - - # cert-manager Let's Encrypt certificate management diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index e045fc6dfa..57fb6d63ff 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -1,5 +1,3 @@ -![AppVersion: 0.9.2](https://img.shields.io/badge/AppVersion-0.9.2-informational?style=flat-square) - # exposurelog Exposure log service diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index adc5a74ae9..9f8c7f96c6 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -1,5 +1,3 @@ -![AppVersion: 4.1.0](https://img.shields.io/badge/AppVersion-4.1.0-informational?style=flat-square) - # gafaelfawr Science Platform authentication and authorization system diff --git a/services/mobu/README.md b/services/mobu/README.md index 3e93071d92..587148f45f 100644 --- a/services/mobu/README.md +++ b/services/mobu/README.md @@ -1,5 +1,3 @@ -![AppVersion: 4.2.0](https://img.shields.io/badge/AppVersion-4.2.0-informational?style=flat-square) - # mobu Generate system load by pretending to be a random scientist diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index d0cb495aea..4b5e9de385 100644 --- a/services/narrativelog/README.md +++ b/services/narrativelog/README.md @@ -1,5 +1,3 @@ -![AppVersion: 0.2.1](https://img.shields.io/badge/AppVersion-0.2.1-informational?style=flat-square) - # narrativelog Narrative log service diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 9cb284d245..52105dec81 100644 
--- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -1,5 +1,3 @@ -![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square) - # noteburst Noteburst is a notebook execution service for the Rubin Science Platform. diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 82e6c615d0..6869d05e60 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -1,5 +1,3 @@ -![AppVersion: 2.1.0](https://img.shields.io/badge/AppVersion-2.1.0-informational?style=flat-square) - # nublado2 Nublado2 JupyterHub installation diff --git a/services/portal/README.md b/services/portal/README.md index ac63dda9aa..7319b94887 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -1,5 +1,3 @@ -![AppVersion: suit-2022.1](https://img.shields.io/badge/AppVersion-suit--2022.1-informational?style=flat-square) - # portal Rubin Science Platform portal aspect diff --git a/services/production-tools/README.md b/services/production-tools/README.md index 31d7410867..fe7ae5fce9 100644 --- a/services/production-tools/README.md +++ b/services/production-tools/README.md @@ -1,5 +1,3 @@ -![AppVersion: 0.0.9](https://img.shields.io/badge/AppVersion-0.0.9-informational?style=flat-square) - # production-tools A collection of utility pages for monitoring data processing. diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 0a8fb82794..c250a4e1ac 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -1,5 +1,3 @@ -![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) - # sasquatch Rubin Observatory's telemetry service. diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index c45ef952d8..9ad0b08e0b 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md 
+++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -1,5 +1,3 @@ -![AppVersion: 0.9.3](https://img.shields.io/badge/AppVersion-0.9.3-informational?style=flat-square) - # kafka-connect-manager A subchart to deploy the Kafka connectors used by Sasquatch. diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index b5f851ec85..709e6b4f55 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md @@ -1,5 +1,3 @@ -![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) - # strimzi-kafka A subchart to deploy Strimzi Kafka components for Sasquatch. diff --git a/services/semaphore/README.md b/services/semaphore/README.md index b80d72dabd..9ed939c52a 100644 --- a/services/semaphore/README.md +++ b/services/semaphore/README.md @@ -1,5 +1,3 @@ -![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square) - # semaphore Semaphore is the user notification and messaging service for the Rubin Science Platform. diff --git a/services/squareone/README.md b/services/squareone/README.md index a8457ad67f..377f07eb35 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -1,5 +1,3 @@ -![AppVersion: 0.6.0](https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square) - # squareone Squareone is the homepage UI for the Rubin Science Platform. diff --git a/services/tap-schema/README.md b/services/tap-schema/README.md index 1ffdb3bd0a..4565a19acd 100644 --- a/services/tap-schema/README.md +++ b/services/tap-schema/README.md @@ -1,5 +1,3 @@ -![AppVersion: 1.1.7](https://img.shields.io/badge/AppVersion-1.1.7-informational?style=flat-square) - # tap-schema The TAP_SCHEMA database diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index c2466e0c78..6469c5619c 100644 --- a/services/telegraf-ds/README.md 
+++ b/services/telegraf-ds/README.md @@ -1,5 +1,3 @@ - - # telegraf-ds SQuaRE DaemonSet (K8s) telemetry collection service diff --git a/services/telegraf/README.md b/services/telegraf/README.md index fe1db176c0..a3dbb31800 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -1,5 +1,3 @@ - - # telegraf SQuaRE telemetry collection service diff --git a/services/times-square/README.md b/services/times-square/README.md index a3566d0407..588dff15b4 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -1,5 +1,3 @@ - - # times-square A parameterized notebook web viewer for the Rubin Science Platform. diff --git a/services/times-square/charts/times-square-ui/README.md b/services/times-square/charts/times-square-ui/README.md index 3bae0cdb59..0d77372491 100644 --- a/services/times-square/charts/times-square-ui/README.md +++ b/services/times-square/charts/times-square-ui/README.md @@ -1,5 +1,3 @@ -![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - # times-square-ui The front-end for Times Square, a parameterized notebook web viewer for the Rubin Science Platform diff --git a/services/times-square/charts/times-square/README.md b/services/times-square/charts/times-square/README.md index 5eb3bf14e5..e618c98cf1 100644 --- a/services/times-square/charts/times-square/README.md +++ b/services/times-square/charts/times-square/README.md @@ -1,5 +1,3 @@ -![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - # times-square A parameterized notebook web viewer for the Rubin Science Platform. diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index d0940a42ca..f469563328 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -1,5 +1,3 @@ -![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square) - # vo-cutouts Image cutout service complying with IVOA SODA From eb0932628d19789334c818c8beb7336489062e3b Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 4 May 2022 14:37:57 -0700 Subject: [PATCH 0343/1479] Increase telegraf/telegraf-ds polling interval - Also increased metric_batch_size and metric_buffer_limit --- services/telegraf-ds/templates/configmap.yaml | 4 ++++ services/telegraf/templates/configmap.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/services/telegraf-ds/templates/configmap.yaml b/services/telegraf-ds/templates/configmap.yaml index d10725e357..0113b68f69 100644 --- a/services/telegraf-ds/templates/configmap.yaml +++ b/services/telegraf-ds/templates/configmap.yaml @@ -8,6 +8,10 @@ data: cluster = {{- .Values.global.host | quote }} [agent] hostname = "telegraf-$HOSTIP" + interval = "60s" + flush_interval = "60s" + metric_batch_size = 10000 + metric_buffer_limit = 100000 [[inputs.kubernetes]] url = "https://$HOSTIP:10250" diff --git a/services/telegraf/templates/configmap.yaml b/services/telegraf/templates/configmap.yaml index 8831840512..99cdca6dbc 100644 --- a/services/telegraf/templates/configmap.yaml +++ b/services/telegraf/templates/configmap.yaml @@ -10,11 +10,11 @@ data: [agent] hostname = "$HOSTNAME" omit_hostname = true - interval = "10s" - flush_interval = "10s" + interval = "60s" + flush_interval = "60s" logfile = "" - metric_batch_size = 1000 - metric_buffer_limit = 10000 + metric_batch_size = 10000 + metric_buffer_limit = 100000 [[processors.enum]] [[processors.enum.mapping]] From 80937f816a069d1535eca90d1ca09241f55258e5 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Tue, 3 May 2022 14:46:09 -0400 Subject: [PATCH 0344/1479] Set values for the redis URLs --- services/times-square/charts/times-square/README.md | 2 +- services/times-square/charts/times-square/values.yaml | 2 +- services/times-square/values-idfdev.yaml | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/services/times-square/charts/times-square/README.md b/services/times-square/charts/times-square/README.md index e618c98cf1..99fab1f396 100644 --- a/services/times-square/charts/times-square/README.md +++ b/services/times-square/charts/times-square/README.md @@ -27,8 +27,8 @@ A parameterized notebook web viewer for the Rubin Science Platform. | config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | | config.name | string | `"times-square"` | Name of the service. | | config.profile | string | `"production"` | Run profile: "production" or "development" | -| config.queueRedisUrl | string | None, must be set | URL for Redis arq queue database | | config.redisCacheUrl | string | None, must be set | URL for Redis html / noteburst job cache database | +| config.redisQueueUrl | string | None, must be set | URL for Redis arq queue database | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the times-square image | | image.repository | string | `"ghcr.io/lsst-sqre/times-square"` | Image to use in the times-square deployment | diff --git a/services/times-square/charts/times-square/values.yaml b/services/times-square/charts/times-square/values.yaml index 97289a47cd..c42b5a7275 100644 --- a/services/times-square/charts/times-square/values.yaml +++ b/services/times-square/charts/times-square/values.yaml 
@@ -120,7 +120,7 @@ config: # -- URL for Redis arq queue database # @default -- None, must be set - queueRedisUrl: "" + redisQueueUrl: "" # -- GitHub application ID githubAppId: "" diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index fd9f088053..1d98c4a081 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -6,6 +6,8 @@ times-square: databaseUrl: "postgresql://times-square@localhost/times-square" github_app_id: "196798" enable_github_app: "True" + redisCacheUrl: "redis://times-square-redis-master:6379/0" + redisQueueUrl: "redis://times-square-redis-master:6379/1" cloudsql: enabled: true instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" From c265b545434b8eecc6878bd9e4c8c881f61421b2 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 3 May 2022 14:55:52 -0400 Subject: [PATCH 0345/1479] Add arq command for worker pods This makes workers run arq rather than the FastAPI/uvicorn app --- .../charts/times-square/templates/worker-deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/times-square/charts/times-square/templates/worker-deployment.yaml b/services/times-square/charts/times-square/templates/worker-deployment.yaml index 80ff02d353..8d272b0bc8 100644 --- a/services/times-square/charts/times-square/templates/worker-deployment.yaml +++ b/services/times-square/charts/times-square/templates/worker-deployment.yaml @@ -62,6 +62,8 @@ spec: readOnlyRootFilesystem: true image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["arq"] + args: ["timessquare.worker.main.WorkerSettings"] ports: - name: http containerPort: 8080 From 194ad1ebf4779e776e35aa254846abc59f78fe23 Mon Sep 17 00:00:00 2001 
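Review bot: The two Redis URLs added to values-idfdev.yaml (`redis://times-square-redis-master:6379/0` and `/1`) carry no credential component, while `times-square-redis-master` is the Bitnami redis subchart this chart depends on (its Chart.yaml appears later in this series). If that subchart runs with authentication enabled the workers will fail to connect; if it is deployed with authentication disabled, the cache and queue databases are reachable by any pod that can resolve the service, so which of the two is intended should be confirmed. If a password is required, it belongs in a secret-backed environment variable rather than embedded in this committed values file. A one-line comment above the two keys saying where the password comes from, or that the in-cluster Redis deliberately runs without one, would make the choice auditable.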
From: Jonathan Sick Date: Tue, 3 May 2022 15:29:07 -0400 Subject: [PATCH 0346/1479] Use arq --check for liveness probe --- .../times-square/templates/worker-deployment.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/services/times-square/charts/times-square/templates/worker-deployment.yaml b/services/times-square/charts/times-square/templates/worker-deployment.yaml index 8d272b0bc8..ec33792f56 100644 --- a/services/times-square/charts/times-square/templates/worker-deployment.yaml +++ b/services/times-square/charts/times-square/templates/worker-deployment.yaml @@ -69,13 +69,13 @@ spec: containerPort: 8080 protocol: TCP livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http + exec: + command: + - "arq" + - "--check" + - "timessquare.worker.main.WorkerSettings" + initialDelaySeconds: 5 + periodSeconds: 5 resources: {{- toYaml .Values.resources | nindent 12 }} envFrom: From d3c76bfa037d12f334a8f43cae35d34cca8332d4 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 3 May 2022 15:35:34 -0400 Subject: [PATCH 0347/1479] Drop port from times-square-worker The worker doesn't need an open http port --- .../charts/times-square/templates/worker-deployment.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/services/times-square/charts/times-square/templates/worker-deployment.yaml b/services/times-square/charts/times-square/templates/worker-deployment.yaml index ec33792f56..2da0382978 100644 --- a/services/times-square/charts/times-square/templates/worker-deployment.yaml +++ b/services/times-square/charts/times-square/templates/worker-deployment.yaml @@ -64,10 +64,6 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["arq"] args: ["timessquare.worker.main.WorkerSettings"] - ports: - - name: http - containerPort: 8080 - protocol: TCP livenessProbe: exec: command: From 463737bc861ccab141492f32d42044d037b63c2b Mon Sep 17 00:00:00 2001 
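Review bot: The new exec liveness probe sets `periodSeconds: 5` but no `timeoutSeconds`, so Kubernetes applies its default of 1 second; `arq --check` starts a Python interpreter, imports `timessquare.worker.main.WorkerSettings` and connects to Redis, which can plausibly take longer than that on a cold or loaded node, and repeated timeouts would restart a healthy worker. Give the check more room and run it less often, for example `periodSeconds: 30` and `timeoutSeconds: 10`, and consider an explicit `failureThreshold`. The same probe shape is added to `services/noteburst/templates/worker-deployment.yaml` in the following commit and should get the same settings. Dropping the readinessProbe is consistent with the worker serving no traffic, which the next commit confirms by removing its container port.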
From: Jonathan Sick Date: Tue, 3 May 2022 15:41:04 -0400 Subject: [PATCH 0348/1479] Add an arq liveness probe to noteburst --- services/noteburst/templates/worker-deployment.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/services/noteburst/templates/worker-deployment.yaml b/services/noteburst/templates/worker-deployment.yaml index 7e5611a687..e557f6970a 100644 --- a/services/noteburst/templates/worker-deployment.yaml +++ b/services/noteburst/templates/worker-deployment.yaml @@ -36,6 +36,14 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["arq"] args: ["noteburst.worker.main.WorkerSettings"] + livenessProbe: + exec: + command: + - "arq" + - "--check" + - "noteburst.worker.main.WorkerSettings" + initialDelaySeconds: 5 + periodSeconds: 5 resources: {{- toYaml .Values.resources | nindent 12 }} envFrom: From cf92edd31d18a00e766d1d07a87d344abce16436 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 3 May 2022 15:49:42 -0400 Subject: [PATCH 0349/1479] Add open ingress for github webhooks --- .../templates/ingress-webhooks.yaml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 services/times-square/charts/times-square/templates/ingress-webhooks.yaml diff --git a/services/times-square/charts/times-square/templates/ingress-webhooks.yaml b/services/times-square/charts/times-square/templates/ingress-webhooks.yaml new file mode 100644 index 0000000000..1cbd642812 --- /dev/null +++ b/services/times-square/charts/times-square/templates/ingress-webhooks.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "times-square.fullname" . }}-github-webhook + labels: + {{- include "times-square.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: {{ .Values.ingress.path }}/github + pathType: {{ default "Prefix" .Values.ingress.pathType }} + backend: + service: + name: {{ include "times-square.fullname" . }} + port: + number: {{ .Values.service.port }} +{{- end }} From d71fc93461fb27cd9673224182a735ff4abdbc79 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 3 May 2022 16:27:39 -0400 Subject: [PATCH 0350/1479] Fix settings names for the GitHub app --- services/times-square/values-idfdev.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 1d98c4a081..b2f47adf4a 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -4,8 +4,8 @@ times-square: pullPolicy: Always config: databaseUrl: "postgresql://times-square@localhost/times-square" - github_app_id: "196798" - enable_github_app: "True" + githubAppId: "196798" + enableGitHubApp: "True" redisCacheUrl: "redis://times-square-redis-master:6379/0" redisQueueUrl: "redis://times-square-redis-master:6379/1" cloudsql: From 9b430c00e128a3c73024dd642d063b180eb76109 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 6 May 2022 16:25:31 -0400 Subject: [PATCH 0351/1479] Use DEBUG logging for TS on idfdev --- services/times-square/values-idfdev.yaml | 1 + 1 file changed, 1 insertion(+) 
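Review bot: This Ingress publishes `{{ .Values.ingress.path }}/github` on the public host without the `nginx.ingress.kubernetes.io/auth-url` annotation that the moneypenny values elsewhere in this series rely on, so the route reaches times-square without Gafaelfawr checking a token; that is necessary for GitHub deliveries, but the template does not say so. Add a comment above `annotations:` such as `# Intentionally unauthenticated: GitHub webhook deliveries cannot carry a Gafaelfawr token, so the application must verify the X-Hub-Signature-256 header against the webhook secret before acting on a payload.` Because `pathType` defaults to `Prefix`, every route under `/github` is exposed; if the receiver is a single endpoint, `pathType: Exact` on that path keeps the unauthenticated surface to one URL. Whether the application actually validates the signature cannot be seen from this chart and should be confirmed against the times-square code.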
diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index b2f47adf4a..1cd7b1191e 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -3,6 +3,7 @@ times-square: tag: "tickets-DM-34458" pullPolicy: Always config: + logLevel: "DEBUG" databaseUrl: "postgresql://times-square@localhost/times-square" githubAppId: "196798" enableGitHubApp: "True" From a3606f9bd2b8309a2e384879278cc6e71acc27fe Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 6 May 2022 16:26:00 -0400 Subject: [PATCH 0352/1479] Update to times-square 0.4.0b1 --- services/times-square/README.md | 2 +- services/times-square/values-idfdev.yaml | 6 +++--- services/times-square/values.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/services/times-square/README.md b/services/times-square/README.md index 588dff15b4..6726982261 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -31,4 +31,4 @@ See the embedded Helm sub-charts for additional configuration docs: | times-square.config.redisUrl | string | Points to embedded Redis | URL for Redis html / noteburst job cache database | | times-square.fullnameOverride | string | `"times-square"` | | | times-square.image.pullPolicy | string | `"IfNotPresent"` | | -| times-square.image.tag | string | `"tickets-DM-34458"` | | +| times-square.image.tag | string | `"0.4.0b1"` | | diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 1cd7b1191e..b947bf68d7 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -1,7 +1,7 @@ times-square: - image: - tag: "tickets-DM-34458" - pullPolicy: Always + # image: + # tag: "tickets-DM-34458" + # pullPolicy: Always config: logLevel: "DEBUG" databaseUrl: "postgresql://times-square@localhost/times-square" 
diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index 03989b6854..30d74d08c1 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml @@ -19,7 +19,7 @@ times-square: fullnameOverride: times-square image: - tag: "tickets-DM-34458" + tag: "0.4.0b1" pullPolicy: "IfNotPresent" From d25d4bbb5caa84e58b8cb1c3e4fdb609551cab71 Mon Sep 17 00:00:00 2001 From: Frossie Date: Fri, 6 May 2022 15:51:00 -0700 Subject: [PATCH 0353/1479] test 2 replicas for portal --- services/portal/values-idfdev.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index 2451c233b2..c4ad1a7846 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -1,3 +1,5 @@ +replicaCount: 2 + resources: limits: memory: "8Gi" From 6e5e09fb4f84f7b77d922ca8a3b72e77f5a7270d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 9 May 2022 12:30:47 +0000 Subject: [PATCH 0354/1479] Update manusa/actions-setup-minikube action to v2.6.0 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index dfe922ad52..88e8c019f2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -80,7 +80,7 @@ jobs: - name: Setup Minikube if: steps.filter.outputs.minikube == 'true' - uses: manusa/actions-setup-minikube@v2.4.3 + uses: manusa/actions-setup-minikube@v2.6.0 with: minikube version: 'v1.25.2' kubernetes version: 'v1.22.8' From 160c4eae541723598a85a3b1a83367d121a6a9c1 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 9 May 2022 00:45:22 +0000 Subject: [PATCH 0355/1479] Update helm values gcr.io/cloudsql-docker/gce-proxy to v1.30.1 --- services/gafaelfawr/values.yaml | 2 +- services/times-square/charts/times-square/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index f5c8a8f292..f58163f58e 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -226,7 +226,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.30.0" + tag: "1.30.1" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/times-square/charts/times-square/values.yaml b/services/times-square/charts/times-square/values.yaml index c42b5a7275..8572fe2cdc 100644 --- a/services/times-square/charts/times-square/values.yaml +++ b/services/times-square/charts/times-square/values.yaml @@ -138,7 +138,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.30.0" + tag: "1.30.1" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index cc4bc9bf1d..9cdac13788 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -82,7 +82,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.30.0" + tag: "1.30.1" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" From fd342e62ec95d5240f57cd030fc4843d17d4aa5a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 9 May 2022 15:27:18 -0700 Subject: [PATCH 0356/1479] Update Helm chart documentation --- services/gafaelfawr/README.md | 2 +- services/times-square/charts/times-square/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 9f8c7f96c6..2f07c0d5fa 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -16,7 +16,7 @@ Science Platform authentication and authorization system | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.30.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.30.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `gafaelfawr` and `gafaelfawr-tokens` Kubernetes service accounts and has the `cloudsql.client` role | | config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. | diff --git a/services/times-square/charts/times-square/README.md b/services/times-square/charts/times-square/README.md index 99fab1f396..74920a9801 100644 --- a/services/times-square/charts/times-square/README.md +++ b/services/times-square/charts/times-square/README.md 
@@ -18,7 +18,7 @@ A parameterized notebook web viewer for the Rubin Science Platform. | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.30.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.30.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index f469563328..e642be2102 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -12,7 +12,7 @@ Image cutout service complying with IVOA SODA | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.30.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.30.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to the GCS bucket, and ability to sign URLs as itself | | config.butlerRepository | string | None, must be set | Configuration for the Butler repository to use | From 80b5cfd92c1d59a443b06b510f7f6cfb1807c4da Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 9 May 2022 22:29:51 +0000 Subject: [PATCH 0357/1479] Update Helm release argo-cd to v4.5.12 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index e68e9ab27a..e2bfe9a7d0 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.5.8 + version: 4.5.12 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From bc93cf2fef12cb1143ccb5964707502863629fb5 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Mon, 9 May 2022 22:29:57 +0000 Subject: [PATCH 0358/1479] Update Helm release redis to v16.9.1 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index a9e2862d31..13067b764a 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.8.9 + version: 16.9.1 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 5896380f9e..9828b4b436 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -16,5 +16,5 @@ dependencies: - name: times-square-ui version: 1.0.0 - name: redis - version: 16.8.9 + version: 16.9.1 repository: https://charts.bitnami.com/bitnami From 218a7049f295540189755b87efca0fff59cb1613 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 9 May 2022 15:40:37 -0700 Subject: [PATCH 0359/1479] Regenerate Helm chart documentation --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 52105dec81..fc1b99cf29 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.8.9 | +| https://charts.bitnami.com/bitnami | redis | 16.9.1 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 6726982261..fe696ecfc4 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -13,7 +13,7 @@ See the embedded Helm sub-charts for additional configuration docs: |------------|------|---------| | | times-square | 1.0.0 | | | times-square-ui | 1.0.0 | -| https://charts.bitnami.com/bitnami | redis | 16.8.9 | +| https://charts.bitnami.com/bitnami | redis | 16.9.1 | ## Values From a61640d5e00ca96c8bc1ef507ef3d38b609f2fb8 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 10 May 2022 12:38:43 +0200 Subject: [PATCH 0360/1479] last update before the migration --- services/ingress-nginx/values-ccin2p3test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/ingress-nginx/values-ccin2p3test.yaml b/services/ingress-nginx/values-ccin2p3test.yaml index 57a2e32b55..33605df90c 100644 --- a/services/ingress-nginx/values-ccin2p3test.yaml +++ b/services/ingress-nginx/values-ccin2p3test.yaml @@ -1,4 +1,4 @@ -# ingress-nginx: + # ingress-nginx: # controller: # nodeSelector: # kubernetes.io/hostname: "ccqserv202" @@ -53,7 +53,7 @@ ingress-nginx: annotations: prometheus.io/port: "10254" prometheus.io/scrape: "true" - + vault_certificate: enabled: true path: secret/k8s_operator/rsp-cc/ingress-nginx From f26c9a2dfcd3ff1d9fd160e7ea41c6c20b2e6a4f Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 10 May 2022 13:43:01 +0200 Subject: [PATCH 0361/1479] update argocd version --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 075c287b55..e2bfe9a7d0 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.2.3 + version: 4.5.12 repository: https://argoproj.github.io/argo-helm - name: pull-secret version: 0.1.2 From fe09d916ad50089652205339e7d852f8371d5dd2 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Tue, 10 May 2022 13:55:38 +0200 Subject: [PATCH 0362/1479] Fixed redis config --- services/argocd/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml index 4438d74c38..4085399723 100644 --- a/services/argocd/values-ccin2p3.yaml +++ b/services/argocd/values-ccin2p3.yaml @@ -2,7 +2,7 @@ argo-cd: redis: enabled: true - + server: ingress: enabled: true hosts: From d83b517677db2ae2452e275f876af241ebc7e159 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 10 May 2022 16:13:24 +0200 Subject: [PATCH 0363/1479] Fix error in environment --- science-platform/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index c88754088a..528cfd41e5 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -1,4 +1,4 @@ -environment: ccin2p3dev +environment: ccin2p3 fqdn: data-dev.lsst.eu vault_path_prefix: secret/k8s_operator/rsp-cc From b48b7187af716726b9189bb10d57b8e78c4537e2 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 10 May 2022 16:33:47 +0200 Subject: [PATCH 0364/1479] fix databaseUrl --- services/gafaelfawr/values-ccin2p3.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index f05d4a0b2c..d39c09eedd 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -11,6 +11,7 @@ gafaelfawr: config: host: data-dev.lsst.eu + databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" # Do not specify ingress.host because we're using the wildcard virtual host. From 8030c3cd5cc95a492cd47f2fc36fb1be447340a3 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Tue, 10 May 2022 16:49:32 +0200 Subject: [PATCH 0365/1479] add gafaelfawr_db --- services/postgres/values-ccin2p3.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/services/postgres/values-ccin2p3.yaml b/services/postgres/values-ccin2p3.yaml index 8bee359d14..eb739e45ca 100644 --- a/services/postgres/values-ccin2p3.yaml +++ b/services/postgres/values-ccin2p3.yaml @@ -6,10 +6,13 @@ postgres: jupyterhub_db: user: 'jovyan' db: 'jupyterhub' + gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' postgres_storage_class: 'rsp-local-storage' volume_name: 'postgres-data-rsp-ccqserv219' image: - tag: '0.0.3' + tag: '0.0.5' pull-secret: enabled: true From ee09be40f83c57c7da4abbe52288feb36ceec656 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 11 May 2022 11:36:57 +0200 Subject: [PATCH 0366/1479] Try to fix gafael error --- science-platform/templates/gafaelfawr-application.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/science-platform/templates/gafaelfawr-application.yaml b/science-platform/templates/gafaelfawr-application.yaml index 4eec7a8cb7..9658bb9b68 100644 --- a/science-platform/templates/gafaelfawr-application.yaml +++ b/science-platform/templates/gafaelfawr-application.yaml @@ -29,6 +29,8 @@ spec: value: {{ .Values.fqdn | quote }} - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" + - name: "global.databaseUrl" + value: {{ .Values.fqdn | quote}} - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: From a96ed31488378345db6e579310bcd573e2eeda89 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 11 May 2022 11:48:52 +0200 Subject: [PATCH 0367/1479] Try to fix gafael --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index d39c09eedd..118e776f9c 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml 
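Review bot: The new `global.databaseUrl` parameter is given `{{ .Values.fqdn | quote}}`, which is the cluster hostname and not a PostgreSQL connection URL; it reads as a copy of the `global.baseUrl` entry directly above it. The Gafaelfawr values file for this environment already sets `config.databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr"` in an earlier commit of this series, so depending on how the chart reads globals this parameter is either ignored or overrides a correct value with a wrong one. Either drop the two added lines or source the value from a dedicated environment value rather than `fqdn`. The missing space in `quote}}` is harmless to Helm but inconsistent with the neighbouring lines.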
+++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -10,7 +10,7 @@ gafaelfawr: enabled: false config: - host: data-dev.lsst.eu + host: "data-dev.lsst.eu" databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" # Do not specify ingress.host because we're using the wildcard virtual host. From da7125f5a3c613fcaa034031c5bf8f997fe4fd6e Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 11 May 2022 12:00:26 +0200 Subject: [PATCH 0368/1479] fixed "" --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 118e776f9c..b3bd65c4bc 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -10,7 +10,7 @@ gafaelfawr: enabled: false config: - host: "data-dev.lsst.eu" + host: data-dev.lsst.eu databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" # Do not specify ingress.host because we're using the wildcard virtual host. From 3abc69e107ee047321fdda74585c533a81b9f7c8 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 11 May 2022 12:17:01 +0200 Subject: [PATCH 0369/1479] FIx values gafaelfawr --- services/gafaelfawr/values-ccin2p3.yaml | 106 ++++++++++++------------ 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index b3bd65c4bc..d221098833 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml 
@@ -1,56 +1,56 @@ -gafaelfawr: - - pull_secret: 'pull-secret' - ingress: - host: data-dev.lsst.eu - vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" - - redis: - persistence: - enabled: false - - config: - host: data-dev.lsst.eu - databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" - - # Do not specify ingress.host because we're using the wildcard virtual host. - - # Session length and token expiration (in minutes). - issuer: - exp_minutes: 43200 # 30 days - - github: - clientId: ae314e45a6af43ea910a - - # Allow access by GitHub team. - groupMapping: - "exec:admin": - - "rubin-lsst-admin" - "exec:user": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:workspace": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:workspace/user": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "write:workspace/user": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "exec:portal": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "exec:notebook": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:tap": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:image": - - "rubin-lsst-admin" - - "rubin-lsst-user" +replicaCount: 2 + +pull_secret: 'pull-secret' +ingress: + host: data-dev.lsst.eu +vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" + +redis: + persistence: + enabled: false + +config: + host: data-dev.lsst.eu + databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" + +# Do not specify ingress.host because we're using the wildcard virtual host. + +# Session length and token expiration (in minutes). + issuer: + exp_minutes: 43200 # 30 days + + github: + clientId: ae314e45a6af43ea910a + +# Allow access by GitHub team. 
+ groupMapping: + "exec:admin": + - "rubin-lsst-admin" + "exec:user": + - "rubin-lsst-admin" + - "rubin-lsst-user" + "read:workspace": + - "rubin-lsst-admin" + - "rubin-lsst-user" + "read:workspace/user": + - "rubin-lsst-admin" + - "rubin-lsst-user" + "write:workspace/user": + - "rubin-lsst-admin" + - "rubin-lsst-user" + "exec:portal": + - "rubin-lsst-admin" + - "rubin-lsst-user" + "exec:notebook": + - "rubin-lsst-admin" + - "rubin-lsst-user" + "read:tap": + - "rubin-lsst-admin" + - "rubin-lsst-user" + "read:image": + - "rubin-lsst-admin" + - "rubin-lsst-user" pull-secret: enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file + path: secret/k8s_operator/rsp-cc/pull-secret From a770853cf475c4e47f0f41410ccc616a984e9b57 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 11 May 2022 12:23:39 +0200 Subject: [PATCH 0370/1479] Fixed moneypenny --- services/moneypenny/values-ccin2p3.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 69e6fe6695..89ef1615a0 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -3,11 +3,11 @@ moneypenny: ingress: enabled: true - hosts: - - host: data-dev.lsst.eu - paths: ["/moneypenny"] - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:admin" + host: "data-dev.lsst.eu" + # - host: data-dev.lsst.eu + # paths: ["/moneypenny"] + #annotations: + # nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:admin" vault_secrets: enabled: true From c579e673a28f584ccd0e28ccb513b34f070d8fb4 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 11 May 2022 12:29:51 +0200 Subject: [PATCH 0371/1479] tap fix --- services/tap/values-ccin2p3.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
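Review bot: The comment `# Do not specify ingress.host because we're using the wildcard virtual host.` survives on the new side directly after a block that does set `ingress: host: data-dev.lsst.eu`, so the file now documents the opposite of what it configures; remove the comment or the `ingress.host` setting, whichever the chart actually needs. Removing the top-level `gafaelfawr:` wrapper and dedenting the rest (53 lines for 53) is the right shape if this file is handed to the gafaelfawr chart directly, but with the diff collapsed here I cannot confirm that `issuer`, `github` and `groupMapping` still sit under `config:` at the same depth as `host` and `databaseUrl`; a `helm template` render of this environment would settle it. The `pull-secret:` block at the bottom stays at top level, which only works if that key is still a subchart of whatever chart receives this file.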
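Review bot: In the moneypenny values hunk the `nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:admin"` annotation is commented out rather than carried over to the new `ingress.host` form, so unless the moneypenny chart's ingress template emits that annotation itself (not visible here), `/moneypenny` on this host is served without the `exec:admin` authorization check it had before. Confirm what the chart renders for this environment and, if the annotation is not produced by the template, restore it under the new `ingress` block. The commented-out `hosts`, `paths` and `annotations` lines should be deleted rather than kept as dead configuration; git history preserves the old form.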
diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 052f73f3c4..52540d27a0 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -4,7 +4,11 @@ cadc-tap: use_mock_qserv: false qserv_host: "ccqserv201.in2p3.fr:30040" - host: "data-dev.lsst.eu" + imagePullSecrets: + - name: "pull-secret" + ingress: + host: "data-dev.lsst.eu" + vaultSecretsPath: "secret/k8s_operator/rsp-cc/tap" secrets: enabled: false @@ -13,9 +17,6 @@ cadc-tap: enabled: true path: 'secret/k8s_operator/rsp-cc/tap' -# gcs_bucket: 'async-results.lsst.codes' -# gcs_bucket_url: 'http://async-results.lsst.codes' - pull-secret: enabled: true path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file From 915a01e86859a07c17f8258c6f875cf8d2efac8d Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 11 May 2022 12:46:04 +0200 Subject: [PATCH 0372/1479] InitaliAdmins --- services/gafaelfawr/values-ccin2p3.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index d221098833..3b42738ddf 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -50,6 +50,8 @@ config: "read:image": - "rubin-lsst-admin" - "rubin-lsst-user" + initialAdmins: + - "gabrimaine" pull-secret: enabled: true From 2c5ead3d6ebd7bd10e0c1b42f70cbb85d3021720 Mon Sep 17 00:00:00 2001 
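Review bot: The first hunk adds `vaultSecretsPath: "secret/k8s_operator/rsp-cc/tap"` under `cadc-tap` while the context of the second hunk shows the same path still configured as `path: 'secret/k8s_operator/rsp-cc/tap'` in a separate block, so the Vault path is now declared twice and presumably only one of them is read by the chart. Keep whichever key the current cadc-tap chart consumes and remove the other so a later path change cannot silently diverge. The `secrets: enabled: false` context line next to the new key looks like a chart-level toggle that may need to agree with it; a `helm template` check for this environment would confirm which setting wins.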
From: Russ Allbery Date: Wed, 11 May 2022 13:49:50 -0700 Subject: [PATCH 0373/1479] Remove obsolete README.md.gotmpl files We now use a global template, so we don't need all these copies. --- services/cert-manager/README.md.gotmpl | 9 --------- services/mobu/README.md.gotmpl | 9 --------- services/noteburst/README.md.gotmpl | 11 ----------- services/portal/README.md.gotmpl | 9 --------- services/semaphore/README.md.gotmpl | 13 ------------- services/squareone/README.md.gotmpl | 15 --------------- services/tap-schema/README.md.gotmpl | 9 --------- services/telegraf-ds/README.md.gotmpl | 9 --------- services/telegraf/README.md.gotmpl | 9 --------- services/vo-cutouts/README.md.gotmpl | 9 --------- 10 files changed, 102 deletions(-) delete mode 100644 services/cert-manager/README.md.gotmpl delete mode 100644 services/mobu/README.md.gotmpl delete mode 100644 services/noteburst/README.md.gotmpl delete mode 100644 services/portal/README.md.gotmpl delete mode 100644 services/semaphore/README.md.gotmpl delete mode 100644 services/squareone/README.md.gotmpl delete mode 100644 services/tap-schema/README.md.gotmpl delete mode 100644 services/telegraf-ds/README.md.gotmpl delete mode 100644 services/telegraf/README.md.gotmpl delete mode 100644 services/vo-cutouts/README.md.gotmpl diff --git a/services/cert-manager/README.md.gotmpl b/services/cert-manager/README.md.gotmpl deleted file mode 100644 index 4531459bbb..0000000000 --- a/services/cert-manager/README.md.gotmpl +++ /dev/null @@ -1,9 +0,0 @@ -{{ template "chart.header" . }} - -{{ template "chart.description" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/services/mobu/README.md.gotmpl b/services/mobu/README.md.gotmpl deleted file mode 100644 index 4531459bbb..0000000000 --- a/services/mobu/README.md.gotmpl +++ /dev/null 
@@ -1,9 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
diff --git a/services/noteburst/README.md.gotmpl b/services/noteburst/README.md.gotmpl
deleted file mode 100644
index 18ae54f339..0000000000
--- a/services/noteburst/README.md.gotmpl
+++ /dev/null
@@ -1,11 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.sourcesSection" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
diff --git a/services/portal/README.md.gotmpl b/services/portal/README.md.gotmpl
deleted file mode 100644
index 4531459bbb..0000000000
--- a/services/portal/README.md.gotmpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
diff --git a/services/semaphore/README.md.gotmpl b/services/semaphore/README.md.gotmpl
deleted file mode 100644
index 12e81c78e0..0000000000
--- a/services/semaphore/README.md.gotmpl
+++ /dev/null
@@ -1,13 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.appVersionBadge" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.sourcesSection" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
diff --git a/services/squareone/README.md.gotmpl b/services/squareone/README.md.gotmpl
deleted file mode 100644
index e10cdfb560..0000000000
--- a/services/squareone/README.md.gotmpl
+++ /dev/null
@@ -1,15 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.appVersionBadge" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.homepageLine" . }}
-
-{{ template "chart.sourcesSection" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
diff --git a/services/tap-schema/README.md.gotmpl b/services/tap-schema/README.md.gotmpl
deleted file mode 100644
index 4531459bbb..0000000000
--- a/services/tap-schema/README.md.gotmpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
diff --git a/services/telegraf-ds/README.md.gotmpl b/services/telegraf-ds/README.md.gotmpl
deleted file mode 100644
index 4531459bbb..0000000000
--- a/services/telegraf-ds/README.md.gotmpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
diff --git a/services/telegraf/README.md.gotmpl b/services/telegraf/README.md.gotmpl
deleted file mode 100644
index 4531459bbb..0000000000
--- a/services/telegraf/README.md.gotmpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
diff --git a/services/vo-cutouts/README.md.gotmpl b/services/vo-cutouts/README.md.gotmpl
deleted file mode 100644
index 4531459bbb..0000000000
--- a/services/vo-cutouts/README.md.gotmpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
From 82c997820ef1a19fb251c12df5cb02f92d3a5c66 Mon Sep 17 00:00:00 2001
From: Jonathan Sick Date: Wed, 11 May 2022 15:00:32 -0400 Subject: [PATCH 0374/1479] Migrate times-square-ui to Squareone Times Square's UI is now part of Squareone. This change allows us to drop the chart-of-charts approach for times-square so that the times-square chart is only for the API service. --- services/squareone/Chart.yaml | 2 +- services/squareone/README.md | 1 + services/squareone/templates/configmap.yaml | 3 + services/squareone/values-idfdev.yaml | 2 + services/squareone/values.yaml | 4 + services/times-square/Chart.yaml | 15 +- services/times-square/README.md | 58 ++++-- .../charts/times-square-ui/Chart.yaml | 18 -- .../charts/times-square-ui/README.md | 39 ---- .../times-square-ui/templates/_helpers.tpl | 51 ------ .../times-square-ui/templates/configmap.yaml | 17 -- .../times-square-ui/templates/deployment.yaml | 81 --------- .../charts/times-square-ui/templates/hpa.yaml | 28 --- .../times-square-ui/templates/ingress.yaml | 35 ---- .../templates/networkpolicy.yaml | 23 --- .../times-square-ui/templates/service.yaml | 15 -- .../charts/times-square-ui/values.yaml | 91 ---------- .../charts/times-square/Chart.yaml | 17 -- .../charts/times-square/README.md | 55 ------ .../charts/times-square/values.yaml | 155 ---------------- .../times-square => }/templates/_helpers.tpl | 0 .../templates/configmap.yaml | 0 .../templates/deployment.yaml | 0 .../templates/gafaelfawrtoken.yaml | 0 .../times-square => }/templates/hpa.yaml | 0 .../templates/ingress-webhooks.yaml | 0 .../times-square => }/templates/ingress.yaml | 0 .../templates/networkpolicy.yaml | 0 .../times-square => }/templates/service.yaml | 0 .../templates/serviceaccount.yaml | 0 .../templates/vault-secret.yaml | 0 .../templates/worker-deployment.yaml | 0 services/times-square/values-idfdev.yaml | 29 ++- services/times-square/values.yaml | 166 +++++++++++++++--- 34 files changed, 214 insertions(+), 691 deletions(-) delete mode 100644 services/times-square/charts/times-square-ui/Chart.yaml delete mode 
100644 services/times-square/charts/times-square-ui/README.md delete mode 100644 services/times-square/charts/times-square-ui/templates/_helpers.tpl delete mode 100644 services/times-square/charts/times-square-ui/templates/configmap.yaml delete mode 100644 services/times-square/charts/times-square-ui/templates/deployment.yaml delete mode 100644 services/times-square/charts/times-square-ui/templates/hpa.yaml delete mode 100644 services/times-square/charts/times-square-ui/templates/ingress.yaml delete mode 100644 services/times-square/charts/times-square-ui/templates/networkpolicy.yaml delete mode 100644 services/times-square/charts/times-square-ui/templates/service.yaml delete mode 100644 services/times-square/charts/times-square-ui/values.yaml delete mode 100644 services/times-square/charts/times-square/Chart.yaml delete mode 100644 services/times-square/charts/times-square/README.md delete mode 100644 services/times-square/charts/times-square/values.yaml rename services/times-square/{charts/times-square => }/templates/_helpers.tpl (100%) rename services/times-square/{charts/times-square => }/templates/configmap.yaml (100%) rename services/times-square/{charts/times-square => }/templates/deployment.yaml (100%) rename services/times-square/{charts/times-square => }/templates/gafaelfawrtoken.yaml (100%) rename services/times-square/{charts/times-square => }/templates/hpa.yaml (100%) rename services/times-square/{charts/times-square => }/templates/ingress-webhooks.yaml (100%) rename services/times-square/{charts/times-square => }/templates/ingress.yaml (100%) rename services/times-square/{charts/times-square => }/templates/networkpolicy.yaml (100%) rename services/times-square/{charts/times-square => }/templates/service.yaml (100%) rename services/times-square/{charts/times-square => }/templates/serviceaccount.yaml (100%) rename services/times-square/{charts/times-square => }/templates/vault-secret.yaml (100%) rename services/times-square/{charts/times-square => 
}/templates/worker-deployment.yaml (100%) diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index bf5293cb27..c2b0a84de8 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,7 +10,7 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "0.6.0" +appVersion: "0.7.0b1" dependencies: - name: pull-secret diff --git a/services/squareone/README.md b/services/squareone/README.md index 377f07eb35..4c2e76d6c7 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -26,6 +26,7 @@ Squareone is the homepage UI for the Rubin Science Platform. | config.semaphoreUrl | string | `nil` | URL to the Semaphore (user notifications) API service. @default null disables the Semaphore integration | | config.siteDescription | string | `"Access Rubin Observatory Legacy Survey of Space and Time data.\n"` | Site description, used in meta tags | | config.siteName | string | `"Rubin Science Platform"` | Name of the site, used in the title and meta tags. | +| config.timesSquareUrl | string | `nil` | URL to the Times Square (parameterized notebooks) API service. @default null disables the Times Square integration | | fullnameOverride | string | `""` | Overrides the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD Application | Base URL for the environment | | global.host | string | Set by Argo CD Application | Host name for ingress | diff --git a/services/squareone/templates/configmap.yaml b/services/squareone/templates/configmap.yaml index bec6c0f18c..66cc40b565 100644 --- a/services/squareone/templates/configmap.yaml +++ b/services/squareone/templates/configmap.yaml 
@@ -12,3 +12,6 @@ data: {{- if .Values.config.semaphoreUrl }} semaphoreUrl: {{ .Values.config.semaphoreUrl | quote }} {{- end}} + {{- if .Values.config.timesSquareUrl }} + timesSquareUrl: {{ .Values.config.timesSquareUrl | quote }} + {{- end}} diff --git a/services/squareone/values-idfdev.yaml b/services/squareone/values-idfdev.yaml index fb48ae7878..36f15d50f4 100644 --- a/services/squareone/values-idfdev.yaml +++ b/services/squareone/values-idfdev.yaml @@ -1,9 +1,11 @@ image: pullPolicy: Always + # tag: tickets-DM-34723 config: siteName: "Rubin Science Platform @ data-dev" semaphoreUrl: "https://data-dev.lsst.cloud/semaphore" + timesSquareUrl: "https://data-dev.lsst.cloud/times-square/api" pull-secret: enabled: true diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index 48ef2a8079..c82dac869a 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml @@ -72,6 +72,10 @@ config: # @default null disables the Semaphore integration semaphoreUrl: null + # -- URL to the Times Square (parameterized notebooks) API service. + # @default null disables the Times Square integration + timesSquareUrl: null + # Global parameters are set by parameters injected by the Argo CD Application # and should not be set in the individual environment values files. global: diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 9828b4b436..f12e912a6f 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml 
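Review bot: The added `# tag: tickets-DM-34723` in squareone/values-idfdev.yaml is a commented-out image tag with no explanation, which reads as a leftover from local testing; either drop it or say what it is for, e.g. `# tag: tickets-DM-34723  # uncomment to deploy the DM-34723 branch build`. The new `timesSquareUrl` value hard-codes the `data-dev.lsst.cloud` host the same way the existing `semaphoreUrl` line does, so it is consistent with the file, and the configmap and values.yaml hunks on this line mirror the existing semaphoreUrl handling without raising anything further.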
@@ -2,19 +2,14 @@ apiVersion: v2 name: times-square version: 1.0.0 description: | - A parameterized notebook web viewer for the Rubin Science Platform. - - See the embedded Helm sub-charts for additional configuration docs: - - - [`times-square` (API)](charts/times-square) - - [`times-square-ui` (Next.js / React front-end)](charts/times-square-ui) + An API service for managing and rendering parameterized Jupyter notebooks. +home: https://github.com/lsst-sqre/times-square type: application +# The default version tag of the times-square docker image +appVersion: 0.4.0b1 + dependencies: - - name: times-square - version: 1.0.0 - - name: times-square-ui - version: 1.0.0 - name: redis version: 16.9.1 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/README.md b/services/times-square/README.md index fe696ecfc4..0551e7c5b1 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
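Review bot: `appVersion: 0.4.0b1` is added unquoted, whereas the squareone Chart.yaml in this same commit writes `appVersion: "0.7.0b1"` and the deleted sub-chart wrote `appVersion: "1.0.0"`; the value is a string either way because of the `b1` suffix, but quoting it keeps the charts consistent and protects the next bump, where a plain `0.4` or `1.0` would parse as a float. Write it as `appVersion: "0.4.0b1"`. Both charts now default every environment to a pre-release image tag: for times-square this matches the `times-square.image.tag` default of `"0.4.0b1"` that the removed README table documented, while for squareone the default moves from `0.6.0` to `0.7.0b1` for any environment that does not override `image.tag`, which deserves a sentence in the commit message.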
@@ -1,34 +1,62 @@ # times-square -A parameterized notebook web viewer for the Rubin Science Platform. +An API service for managing and rendering parameterized Jupyter notebooks. -See the embedded Helm sub-charts for additional configuration docs: - -- [`times-square` (API)](charts/times-square) -- [`times-square-ui` (Next.js / React front-end)](charts/times-square-ui) +**Homepage:** ## Requirements | Repository | Name | Version | |------------|------|---------| -| | times-square | 1.0.0 | -| | times-square-ui | 1.0.0 | | https://charts.bitnami.com/bitnami | redis | 16.9.1 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the times-square deployment pod | +| autoscaling.enabled | bool | `false` | Enable autoscaling of times-square deployment | +| autoscaling.maxReplicas | int | `100` | Maximum number of times-square deployment pods | +| autoscaling.minReplicas | int | `1` | Minimum number of times-square deployment pods | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of times-square deployment pods | +| cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | +| cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | +| cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | +| cloudsql.image.tag | string | `"1.30.1"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | +| cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | +| config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | +| config.enableGitHubApp | string | 
`"False"` | Toggle to enable the GitHub App functionality | +| config.githubAppId | string | `""` | GitHub application ID | +| config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | +| config.name | string | `"times-square"` | Name of the service. | +| config.profile | string | `"production"` | Run profile: "production" or "development" | +| config.queueRedisUrl | string | Points to embedded Redis | URL for Redis arq queue database | +| config.redisUrl | string | Points to embedded Redis | URL for Redis html / noteburst job cache database | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by times-square Argo CD Application | Base URL for the environment | | global.host | string | Set by times-square Argo CD Application | Host name for ingress | | global.vaultSecretsPathPrefix | string | Set by times-square Argo CD Application | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the times-square image | +| image.repository | string | `"ghcr.io/lsst-sqre/times-square"` | Image to use in the times-square deployment | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. 
| +| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.enabled | bool | `true` | Create an ingress resource | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin&auth_type=basic"` | Gafaelfawr auth query string | +| ingress.path | string | `"/times-square/api"` | Root URL path prefix for times-square API | +| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selection rules for the times-square deployment pod | +| podAnnotations | object | `{}` | Annotations for the times-square deployment pod | | redis.auth.enabled | bool | `false` | | | redis.fullnameOverride | string | `"times-square-redis"` | | -| times-square-ui.fullnameOverride | string | `"times-square-ui"` | | -| times-square-ui.image.pullPolicy | string | `"IfNotPresent"` | | -| times-square-ui.image.tag | string | `"0.2.0"` | | -| times-square.config.queueRedisUrl | string | Points to embedded Redis | URL for Redis arq queue database | -| times-square.config.redisUrl | string | Points to embedded Redis | URL for Redis html / noteburst job cache database | -| times-square.fullnameOverride | string | `"times-square"` | | -| times-square.image.pullPolicy | string | `"IfNotPresent"` | | -| times-square.image.tag | string | `"0.4.0b1"` | | +| replicaCount.api | int | `1` | Number of API deployment pods to start | +| replicaCount.worker | int | `1` | Number of worker deployment pods to start | +| resources | object | `{}` | Resource limits and requests for the times-square deployment pod | +| service.port | int | `8080` | Port of the service to create and map to the ingress | +| service.type | string | `"ClusterIP"` | Type of service to create | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service 
account. If CloudSQL is in use, the annotation specifying the Google service account will also be added. | +| serviceAccount.create | bool | `false` | Force creation of a service account. Normally, no service account is used or mounted. If CloudSQL is enabled, a service account is always created regardless of this value. | +| serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | +| tolerations | list | `[]` | Tolerations for the times-square deployment pod | diff --git a/services/times-square/charts/times-square-ui/Chart.yaml b/services/times-square/charts/times-square-ui/Chart.yaml deleted file mode 100644 index ab34aa66fe..0000000000 --- a/services/times-square/charts/times-square-ui/Chart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v2 -description: The front-end for Times Square, a parameterized notebook web viewer for the Rubin Science Platform -name: times-square-ui -type: application -sources: - - https://github.com/lsst-sqre/times-square-ui -maintainers: - - name: jonathansick - url: https://github.com/jonathansick - -# The chart version. This is not used in practice since the Helm chart is -# not published. -version: 1.0.0 - -# The app's version corresponding to the image tag. -# Use times-square-ui.image.tag to manage this from the top-level values -# instead. -appVersion: "1.0.0" diff --git a/services/times-square/charts/times-square-ui/README.md b/services/times-square/charts/times-square-ui/README.md deleted file mode 100644 index 0d77372491..0000000000 --- a/services/times-square/charts/times-square-ui/README.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# times-square-ui - -The front-end for Times Square, a parameterized notebook web viewer for the Rubin Science Platform - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | Affinity rules for the times-square-ui deployment pod | -| autoscaling.enabled | bool | `false` | Enable autoscaling of times-square-ui deployment | -| autoscaling.maxReplicas | int | `100` | Maximum number of times-square-ui deployment pods | -| autoscaling.minReplicas | int | `1` | Minimum number of times-square-ui deployment pods | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of times-square-ui deployment pods | -| config.semaphorePath | string | `nil` | Semaphore API URL path (default is no Semaphore integration) | -| config.siteDescription | string | `"Times Square hosts Jupyter Notebooks that are rendered on the fly on the Rubin Science Platform."` | Description, used in HTML metadata | -| config.siteName | string | `"Times Square"` | Name, used in the HTML header | -| config.timesSquareApiPath | string | `"/times-square/api"` | Times Square API URL path | -| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| image.pullPolicy | string | `"Always"` | Pull policy for the times-square-ui image | -| image.repository | string | `"ghcr.io/lsst-sqre/times-square-ui"` | Image to use in the times-square-ui deployment | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. 
| -| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | -| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| ingress.enabled | bool | `true` | Create an ingress resource | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:notebook&auth_type=basic"` | Gafaelfawr auth query string | -| ingress.path | string | `"/times-square"` | URL path to dispatch to the times-square-ui deployment pod | -| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule | -| nameOverride | string | `""` | Override the base name for resources | -| nodeSelector | object | `{}` | Node selection rules for the times-square-ui deployment pod | -| podAnnotations | object | `{}` | Annotations for the times-square-ui deployment pod | -| replicaCount | int | `1` | Number of web deployment pods to start | -| resources | object | `{}` | Resource limits and requests for the times-square-ui deployment pod | -| service.port | int | `8080` | Port of the service to create and map to the ingress | -| service.type | string | `"ClusterIP"` | Type of service to create | -| tolerations | list | `[]` | Tolerations for the times-square-ui deployment pod | diff --git a/services/times-square/charts/times-square-ui/templates/_helpers.tpl b/services/times-square/charts/times-square-ui/templates/_helpers.tpl deleted file mode 100644 index bc266e59b8..0000000000 --- a/services/times-square/charts/times-square-ui/templates/_helpers.tpl +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "times-square-ui.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "times-square-ui.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "times-square-ui.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "times-square-ui.labels" -}} -helm.sh/chart: {{ include "times-square-ui.chart" . }} -{{ include "times-square-ui.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "times-square-ui.selectorLabels" -}} -app.kubernetes.io/name: {{ include "times-square-ui.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} diff --git a/services/times-square/charts/times-square-ui/templates/configmap.yaml b/services/times-square/charts/times-square-ui/templates/configmap.yaml deleted file mode 100644 index cefd23a44d..0000000000 --- a/services/times-square/charts/times-square-ui/templates/configmap.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "times-square-ui.fullname" . }} - labels: - {{- include "times-square-ui.labels" . | nindent 4 }} -data: - times-square.config.yaml: | - siteName: {{ .Values.config.siteName | quote }} - siteDescription: | - {{ .Values.config.siteDescription }} - baseUrl: "{{ .Values.global.baseUrl }}{{ .Values.ingress.path }}" - timesSquareApiUrl: "{{ .Values.global.baseUrl }}{{ .Values.config.timesSquareApiPath }}" - {{- if .Values.config.semaphoreUrl }} - semaphoreUrl: "{{ .Values.global.baseUrl }}{{ .Values.config.semaphorePath }}" - {{ .Values.config.semaphoreUrl }} - {{- end}} diff --git a/services/times-square/charts/times-square-ui/templates/deployment.yaml b/services/times-square/charts/times-square-ui/templates/deployment.yaml deleted file mode 100644 index f48c55f006..0000000000 --- a/services/times-square/charts/times-square-ui/templates/deployment.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "times-square-ui.fullname" . }} - labels: - {{- include "times-square-ui.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "times-square-ui.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "times-square-ui.selectorLabels" . | nindent 8 }} - spec: - automountServiceAccountToken: false - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - containers: - - name: {{ .Chart.Name }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 3000 - protocol: TCP - livenessProbe: - httpGet: - path: "{{ .Values.ingress.path }}/" - port: http - readinessProbe: - httpGet: - path: "{{ .Values.ingress.path }}/" - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - env: - - name: "TS_CONFIG_PATH" - value: "/etc/times-square/times-square.config.yaml" - volumeMounts: - - name: "config" - mountPath: "/etc/times-square" - - name: "next-image-cache" - mountPath: "/app/.next/cache/images" - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: "config" - configMap: - name: {{ include "times-square-ui.fullname" . 
}} - - name: "next-image-cache" - emptyDir: {} diff --git a/services/times-square/charts/times-square-ui/templates/hpa.yaml b/services/times-square/charts/times-square-ui/templates/hpa.yaml deleted file mode 100644 index 0edfe0c0fe..0000000000 --- a/services/times-square/charts/times-square-ui/templates/hpa.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "times-square-ui.fullname" . }} - labels: - {{- include "times-square-ui.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "times-square-ui.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/services/times-square/charts/times-square-ui/templates/ingress.yaml b/services/times-square/charts/times-square-ui/templates/ingress.yaml deleted file mode 100644 index 25b7b5dd11..0000000000 --- a/services/times-square/charts/times-square-ui/templates/ingress.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "times-square-ui.fullname" . -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "times-square-ui.labels" . | nindent 4 }} - annotations: - kubernetes.io/ingress.class: "nginx" - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: {{ .Values.ingress.path }} - pathType: {{ default "Prefix" .Values.ingress.pathType }} - backend: - service: - name: {{ $fullName }} - port: - number: {{ .Values.service.port }} -{{- end }} diff --git a/services/times-square/charts/times-square-ui/templates/networkpolicy.yaml b/services/times-square/charts/times-square-ui/templates/networkpolicy.yaml deleted file mode 100644 index f52e9ff245..0000000000 --- a/services/times-square/charts/times-square-ui/templates/networkpolicy.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{{- if .Values.ingress.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "times-square-ui.fullname" . }} -spec: - podSelector: - matchLabels: - {{- include "times-square-ui.selectorLabels" . | nindent 6 }} - policyTypes: - - Ingress - ingress: - # Allow inbound access from pods (in any namespace) labeled - # gafaelfawr.lsst.io/ingress: true. - - from: - - namespaceSelector: {} - podSelector: - matchLabels: - gafaelfawr.lsst.io/ingress: "true" - ports: - - protocol: "TCP" - port: 3000 -{{- end }} diff --git a/services/times-square/charts/times-square-ui/templates/service.yaml b/services/times-square/charts/times-square-ui/templates/service.yaml deleted file mode 100644 index 4d126946f0..0000000000 --- a/services/times-square/charts/times-square-ui/templates/service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "times-square-ui.fullname" . }} - labels: - {{- include "times-square-ui.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "times-square-ui.selectorLabels" . | nindent 4 }} diff --git a/services/times-square/charts/times-square-ui/values.yaml b/services/times-square/charts/times-square-ui/values.yaml deleted file mode 100644 index 900107b89c..0000000000 --- a/services/times-square/charts/times-square-ui/values.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -# Default values for times-square-ui. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- Number of web deployment pods to start -replicaCount: 1 - -image: - # -- Image to use in the times-square-ui deployment - repository: ghcr.io/lsst-sqre/times-square-ui - - # -- Pull policy for the times-square-ui image - pullPolicy: Always - - # -- Overrides the image tag whose default is the chart appVersion. - tag: "" - -# -- Secret names to use for all Docker pulls -imagePullSecrets: [] - -# -- Override the base name for resources -nameOverride: "" - -# -- Override the full name for resources (includes the release name) -fullnameOverride: "" - -# -- Annotations for the times-square-ui deployment pod -podAnnotations: {} - -service: - # -- Type of service to create - type: ClusterIP - - # -- Port of the service to create and map to the ingress - port: 8080 - -ingress: - # -- Create an ingress resource - enabled: true - - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=exec:notebook&auth_type=basic" - - # -- Additional annotations for the ingress rule - annotations: {} - - # -- Path type for the ingress rule - pathType: ImplementationSpecific - - # -- URL path to dispatch to the times-square-ui deployment pod - path: "/times-square" - -# -- Resource limits and requests for the times-square-ui deployment pod -resources: {} - -autoscaling: - # -- Enable autoscaling of times-square-ui deployment - enabled: false - - # -- Minimum number of times-square-ui deployment pods - minReplicas: 1 - - # -- Maximum number of times-square-ui deployment pods - maxReplicas: 100 - - # -- Target CPU utilization of times-square-ui deployment pods - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -# -- Node selection rules for the times-square-ui deployment pod -nodeSelector: {} - -# -- Tolerations for the times-square-ui deployment pod -tolerations: [] - -# -- Affinity rules for the 
times-square-ui deployment pod -affinity: {} - -# Configurations for the times-square-ui application -config: - # -- Name, used in the HTML header - siteName: "Times Square" - - # -- Description, used in HTML metadata - siteDescription: "Times Square hosts Jupyter Notebooks that are rendered on the fly on the Rubin Science Platform." - - # -- Semaphore API URL path (default is no Semaphore integration) - semaphorePath: null - - # -- Times Square API URL path - timesSquareApiPath: "/times-square/api" diff --git a/services/times-square/charts/times-square/Chart.yaml b/services/times-square/charts/times-square/Chart.yaml deleted file mode 100644 index 96f44209b9..0000000000 --- a/services/times-square/charts/times-square/Chart.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v2 -description: A parameterized notebook web viewer for the Rubin Science Platform. -name: times-square -type: application -sources: - - https://github.com/lsst-sqre/times-square -maintainers: - - name: jonathansick - url: https://github.com/jonathansick - -# The chart version. -version: 1.0.0 - -# The app's version corresponding to the image tag. -# Use times-square.image.tag to manage this from the top-level values -# instead. -appVersion: "1.0.0" diff --git a/services/times-square/charts/times-square/README.md b/services/times-square/charts/times-square/README.md deleted file mode 100644 index 74920a9801..0000000000 --- a/services/times-square/charts/times-square/README.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# times-square - -A parameterized notebook web viewer for the Rubin Science Platform. - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | Affinity rules for the times-square deployment pod | -| autoscaling.enabled | bool | `false` | Enable autoscaling of times-square deployment | -| autoscaling.maxReplicas | int | `100` | Maximum number of times-square deployment pods | -| autoscaling.minReplicas | int | `1` | Minimum number of times-square deployment pods | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of times-square deployment pods | -| cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | -| cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | -| cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.30.1"` | Cloud SQL Auth Proxy tag to use | -| cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | -| cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | -| config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | -| config.enableGitHubApp | string | `"False"` | Toggle to enable the GitHub App functionality | -| config.githubAppId | string | `""` | GitHub application ID | -| config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | -| config.name | string | `"times-square"` | Name of the service. 
| -| config.profile | string | `"production"` | Run profile: "production" or "development" | -| config.redisCacheUrl | string | None, must be set | URL for Redis html / noteburst job cache database | -| config.redisQueueUrl | string | None, must be set | URL for Redis arq queue database | -| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the times-square image | -| image.repository | string | `"ghcr.io/lsst-sqre/times-square"` | Image to use in the times-square deployment | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | -| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | -| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| ingress.enabled | bool | `true` | Create an ingress resource | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin&auth_type=basic"` | Gafaelfawr auth query string | -| ingress.path | string | `"/times-square/api"` | URL path to dispatch to the times-square deployment pod | -| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule | -| nameOverride | string | `""` | Override the base name for resources | -| nodeSelector | object | `{}` | Node selection rules for the times-square deployment pod | -| podAnnotations | object | `{}` | Annotations for the times-square deployment pod | -| redis.auth.enabled | bool | `false` | | -| replicaCount.api | int | `1` | Number of API deployment pods to start | -| replicaCount.worker | int | `1` | Number of worker deployment pods to start | -| resources | object | `{}` | Resource limits and requests for the times-square deployment pod | -| service.port | int | `8080` | Port of the service to create and map to the ingress | -| service.type | string | `"ClusterIP"` | Type of service to create | -| serviceAccount.annotations | object | `{}` | 
Annotations to add to the service account. If CloudSQL is in use, the annotation specifying the Google service account will also be added. | -| serviceAccount.create | bool | `false` | Force creation of a service account. Normally, no service account is used or mounted. If CloudSQL is enabled, a service account is always created regardless of this value. | -| serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | -| tolerations | list | `[]` | Tolerations for the times-square deployment pod | -| vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//times-square`, for example) | diff --git a/services/times-square/charts/times-square/values.yaml b/services/times-square/charts/times-square/values.yaml deleted file mode 100644 index 8572fe2cdc..0000000000 --- a/services/times-square/charts/times-square/values.yaml +++ /dev/null 
@@ -1,155 +0,0 @@ -# Default values for times-square. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: - # -- Number of API deployment pods to start - api: 1 - - # -- Number of worker deployment pods to start - worker: 1 - -image: - # -- Image to use in the times-square deployment - repository: ghcr.io/lsst-sqre/times-square - - # -- Pull policy for the times-square image - pullPolicy: IfNotPresent - - # -- Overrides the image tag whose default is the chart appVersion. - tag: "" - -# -- Secret names to use for all Docker pulls -imagePullSecrets: [] - -# -- Override the base name for resources -nameOverride: "" - -# -- Override the full name for resources (includes the release name) -fullnameOverride: "" - -# -- Annotations for the times-square deployment pod -podAnnotations: {} - -serviceAccount: - # -- Force creation of a service account. Normally, no service account is - # used or mounted. If CloudSQL is enabled, a service account is always - # created regardless of this value. - create: false - - # -- Annotations to add to the service account. If CloudSQL is in use, the - # annotation specifying the Google service account will also be added. 
- annotations: {} - - # -- Name of the service account to use - # @default -- Name based on the fullname template - name: "" - -service: - # -- Type of service to create - type: ClusterIP - - # -- Port of the service to create and map to the ingress - port: 8080 - -ingress: - # -- Create an ingress resource - enabled: true - - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=exec:admin&auth_type=basic" - - # -- Additional annotations for the ingress rule - annotations: {} - - # -- Path type for the ingress rule - pathType: ImplementationSpecific - - # -- URL path to dispatch to the times-square deployment pod - path: "/times-square/api" - -# -- Resource limits and requests for the times-square deployment pod -resources: {} - -autoscaling: - # -- Enable autoscaling of times-square deployment - enabled: false - - # -- Minimum number of times-square deployment pods - minReplicas: 1 - - # -- Maximum number of times-square deployment pods - maxReplicas: 100 - - # -- Target CPU utilization of times-square deployment pods - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -# -- Node selection rules for the times-square deployment pod -nodeSelector: {} - -# -- Tolerations for the times-square deployment pod -tolerations: [] - -# -- Affinity rules for the times-square deployment pod -affinity: {} - -# -- Path to the Vault secret (`secret/k8s_operator//times-square`, for -# example) -# @default -- None, must be set -vaultSecretsPath: "" - -# Configurations for the times-square application. -config: - # -- Name of the service. 
- name: "times-square" - - # -- Run profile: "production" or "development" - profile: "production" - - # -- Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" - logLevel: "INFO" - - # -- URL for the PostgreSQL database - # @default -- None, must be set - databaseUrl: "" - - # -- URL for Redis html / noteburst job cache database - # @default -- None, must be set - redisCacheUrl: "" - - # -- URL for Redis arq queue database - # @default -- None, must be set - redisQueueUrl: "" - - # -- GitHub application ID - githubAppId: "" - - # -- Toggle to enable the GitHub App functionality - enableGitHubApp: "False" - -cloudsql: - # -- Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases - # on Google Cloud - enabled: false - - image: - # -- Cloud SQL Auth Proxy image to use - repository: "gcr.io/cloudsql-docker/gce-proxy" - - # -- Cloud SQL Auth Proxy tag to use - tag: "1.30.1" - - # -- Pull policy for Cloud SQL Auth Proxy images - pullPolicy: "IfNotPresent" - - # -- Instance connection name for a CloudSQL PostgreSQL instance - instanceConnectionName: "" - - # -- The Google service account that has an IAM binding to the `times-square` - # Kubernetes service accounts and has the `cloudsql.client` role - serviceAccount: "" - -redis: - auth: - enabled: false diff --git a/services/times-square/charts/times-square/templates/_helpers.tpl b/services/times-square/templates/_helpers.tpl similarity index 100% rename from services/times-square/charts/times-square/templates/_helpers.tpl rename to services/times-square/templates/_helpers.tpl diff --git a/services/times-square/charts/times-square/templates/configmap.yaml b/services/times-square/templates/configmap.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/configmap.yaml rename to services/times-square/templates/configmap.yaml 
diff --git a/services/times-square/charts/times-square/templates/deployment.yaml b/services/times-square/templates/deployment.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/deployment.yaml rename to services/times-square/templates/deployment.yaml diff --git a/services/times-square/charts/times-square/templates/gafaelfawrtoken.yaml b/services/times-square/templates/gafaelfawrtoken.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/gafaelfawrtoken.yaml rename to services/times-square/templates/gafaelfawrtoken.yaml diff --git a/services/times-square/charts/times-square/templates/hpa.yaml b/services/times-square/templates/hpa.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/hpa.yaml rename to services/times-square/templates/hpa.yaml diff --git a/services/times-square/charts/times-square/templates/ingress-webhooks.yaml b/services/times-square/templates/ingress-webhooks.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/ingress-webhooks.yaml rename to services/times-square/templates/ingress-webhooks.yaml diff --git a/services/times-square/charts/times-square/templates/ingress.yaml b/services/times-square/templates/ingress.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/ingress.yaml rename to services/times-square/templates/ingress.yaml diff --git a/services/times-square/charts/times-square/templates/networkpolicy.yaml b/services/times-square/templates/networkpolicy.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/networkpolicy.yaml rename to services/times-square/templates/networkpolicy.yaml 
diff --git a/services/times-square/charts/times-square/templates/service.yaml b/services/times-square/templates/service.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/service.yaml rename to services/times-square/templates/service.yaml diff --git a/services/times-square/charts/times-square/templates/serviceaccount.yaml b/services/times-square/templates/serviceaccount.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/serviceaccount.yaml rename to services/times-square/templates/serviceaccount.yaml diff --git a/services/times-square/charts/times-square/templates/vault-secret.yaml b/services/times-square/templates/vault-secret.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/vault-secret.yaml rename to services/times-square/templates/vault-secret.yaml diff --git a/services/times-square/charts/times-square/templates/worker-deployment.yaml b/services/times-square/templates/worker-deployment.yaml similarity index 100% rename from services/times-square/charts/times-square/templates/worker-deployment.yaml rename to services/times-square/templates/worker-deployment.yaml diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index b947bf68d7..13a9492a25 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml 
@@ -1,15 +1,14 @@ -times-square: - # image: - # tag: "tickets-DM-34458" - # pullPolicy: Always - config: - logLevel: "DEBUG" - databaseUrl: "postgresql://times-square@localhost/times-square" - githubAppId: "196798" - enableGitHubApp: "True" - redisCacheUrl: "redis://times-square-redis-master:6379/0" - redisQueueUrl: "redis://times-square-redis-master:6379/1" - cloudsql: - enabled: true - instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" - serviceAccount: "times-square@science-platform-dev-7696.iam.gserviceaccount.com" +# image: +# tag: "tickets-DM-34458" +# pullPolicy: Always +config: + logLevel: "DEBUG" + databaseUrl: "postgresql://times-square@localhost/times-square" + githubAppId: "196798" + enableGitHubApp: "True" + redisCacheUrl: "redis://times-square-redis-master:6379/0" + redisQueueUrl: "redis://times-square-redis-master:6379/1" +cloudsql: + enabled: true + instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" + serviceAccount: "times-square@science-platform-dev-7696.iam.gserviceaccount.com" diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index 30d74d08c1..a5799762ea 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml 
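Review bot: The override keys `redisCacheUrl` and `redisQueueUrl` under `config:` on the new side do not match the keys the merged top-level values.yaml in this same commit declares, which are `config.redisUrl` and `config.queueRedisUrl` (see the values.yaml hunk that follows). Unless the renamed configmap template, which is not shown here, still reads the old subchart names, these two idfdev overrides are silently ignored and the embedded-Redis defaults are used instead. Either rename them here to `redisUrl:` / `queueRedisUrl:` or align values.yaml with the names this override was written against; unknown values keys are not flagged by Helm, so this will not surface until the pods fail to reach the intended Redis.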
@@ -1,48 +1,164 @@ # Global parameters will be set by parameters injected via the Argo CD # Application resource and should not be set in the individual environment # values files. -global: - # -- Base URL for the environment - # @default -- Set by times-square Argo CD Application - baseUrl: "" - # -- Host name for ingress - # @default -- Set by times-square Argo CD Application - host: "" +replicaCount: + # -- Number of API deployment pods to start + api: 1 - # -- Base path for Vault secrets - # @default -- Set by times-square Argo CD Application - vaultSecretsPathPrefix: "" + # -- Number of worker deployment pods to start + worker: 1 -times-square: +image: + # -- Image to use in the times-square deployment + repository: ghcr.io/lsst-sqre/times-square - fullnameOverride: times-square + # -- Pull policy for the times-square image + pullPolicy: IfNotPresent - image: - tag: "0.4.0b1" + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" - pullPolicy: "IfNotPresent" +# -- Secret names to use for all Docker pulls +imagePullSecrets: [] + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# -- Annotations for the times-square deployment pod +podAnnotations: {} + +serviceAccount: + # -- Force creation of a service account. Normally, no service account is + # used or mounted. If CloudSQL is enabled, a service account is always + # created regardless of this value. + create: false + + # -- Annotations to add to the service account. If CloudSQL is in use, the + # annotation specifying the Google service account will also be added. 
+ annotations: {} + + # -- Name of the service account to use + # @default -- Name based on the fullname template + name: "" + +service: + # -- Type of service to create + type: ClusterIP + + # -- Port of the service to create and map to the ingress + port: 8080 + +ingress: + # -- Create an ingress resource + enabled: true + + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=exec:admin&auth_type=basic" + + # -- Additional annotations for the ingress rule + annotations: {} + + # -- Path type for the ingress rule + pathType: ImplementationSpecific + + # -- Root URL path prefix for times-square API + path: "/times-square/api" + +# -- Resource limits and requests for the times-square deployment pod +resources: {} + +autoscaling: + # -- Enable autoscaling of times-square deployment + enabled: false - config: - # -- URL for Redis html / noteburst job cache database - # @default -- Points to embedded Redis - redisUrl: "redis://times-square-redis-master:6379/0" + # -- Minimum number of times-square deployment pods + minReplicas: 1 - # -- URL for Redis arq queue database - # @default -- Points to embedded Redis - queueRedisUrl: "redis://times-square-redis-master:6379/1" + # -- Maximum number of times-square deployment pods + maxReplicas: 100 -times-square-ui: + # -- Target CPU utilization of times-square deployment pods + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 - fullnameOverride: times-square-ui +# -- Node selection rules for the times-square deployment pod +nodeSelector: {} + +# -- Tolerations for the times-square deployment pod +tolerations: [] + +# -- Affinity rules for the times-square deployment pod +affinity: {} + +config: + # -- Name of the service. 
+ name: "times-square" + + # -- Run profile: "production" or "development" + profile: "production" + + # -- Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" + logLevel: "INFO" + + # -- URL for the PostgreSQL database + # @default -- None, must be set + databaseUrl: "" + + # -- URL for Redis html / noteburst job cache database + # @default -- Points to embedded Redis + redisUrl: "redis://times-square-redis-master:6379/0" + + # -- URL for Redis arq queue database + # @default -- Points to embedded Redis + queueRedisUrl: "redis://times-square-redis-master:6379/1" + + # -- GitHub application ID + githubAppId: "" + + # -- Toggle to enable the GitHub App functionality + enableGitHubApp: "False" + +cloudsql: + # -- Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases + # on Google Cloud + enabled: false image: - tag: "0.2.0" + # -- Cloud SQL Auth Proxy image to use + repository: "gcr.io/cloudsql-docker/gce-proxy" + # -- Cloud SQL Auth Proxy tag to use + tag: "1.30.1" + + # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" + # -- Instance connection name for a CloudSQL PostgreSQL instance + instanceConnectionName: "" + + # -- The Google service account that has an IAM binding to the `times-square` + # Kubernetes service accounts and has the `cloudsql.client` role + serviceAccount: "" + redis: fullnameOverride: times-square-redis auth: enabled: false + +global: + # -- Base URL for the environment + # @default -- Set by times-square Argo CD Application + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by times-square Argo CD Application + host: "" + + # -- Base path for Vault secrets + # @default -- Set by times-square Argo CD Application + vaultSecretsPathPrefix: "" From f75766da731085132af3ac2f03ad94b1e52a9425 Mon Sep 17 00:00:00 2001 
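Review bot: The three-line header comment that opens the hunk still says it describes global parameters injected by the Argo CD Application, but the `global:` block it introduced has been moved to the end of the file, so the comment now sits above `replicaCount:` and describes nothing near it. Move the comment down to sit directly above `global:` on the new side, or leave `global:` at the top as before. Separately, the new top-level `enableGitHubApp: "False"` remains a quoted string rather than a YAML boolean, as in the deleted subchart default; if that is deliberate, a short comment such as `# Intentionally a string, not a YAML bool` would stop a later reader from "fixing" it into `false`.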
From: Gabriele Mainetti Date: Thu, 12 May 2022 11:03:09 +0200 Subject: [PATCH 0375/1479] Fixed gafaekfawr group --- services/gafaelfawr/values-ccin2p3.yaml | 35 +++++++++---------------- 1 file changed, 12 insertions(+), 23 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 3b42738ddf..b9dadaf28e 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -23,33 +23,22 @@ config: clientId: ae314e45a6af43ea910a # Allow access by GitHub team. + # Allow access by GitHub team. groupMapping: + "admin:provision": + - "rubin-in2p3-admin" "exec:admin": - - "rubin-lsst-admin" - "exec:user": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:workspace": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:workspace/user": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "write:workspace/user": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "exec:portal": - - "rubin-lsst-admin" - - "rubin-lsst-user" + - "rubin-in2p3-admin" "exec:notebook": - - "rubin-lsst-admin" - - "rubin-lsst-user" + - "rubin-in2p3-admin" + - "rubin-in2p3-user" + "exec:portal": + - "rubin-in2p3-admin" + - "rubin-in2p3-user" "read:tap": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:image": - - "rubin-lsst-admin" - - "rubin-lsst-user" + - "rubin-in2p3-admin" + - "rubin-in2p3-user" + initialAdmins: - "gabrimaine" From feb1313cc7ef4fca2957918a4bae8bb8d9739b4d Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 12 May 2022 13:58:24 +0200 Subject: [PATCH 0376/1479] try to fix gafaelfawr --- services/gafaelfawr/values-ccin2p3.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index b9dadaf28e..f1f0cb82cc 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml 
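Review bot: The added `# Allow access by GitHub team.` line duplicates the identical context comment immediately above it, so the new side carries the comment twice; drop the added copy. Beyond that, the remap drops `exec:user`, `read:workspace`, `read:workspace/user`, `write:workspace/user` and `read:image` from `groupMapping` altogether instead of pointing them at the new `rubin-in2p3-*` teams, so as far as this mapping goes no GitHub team at this site is granted those scopes any more. If that narrowing is intentional it deserves a one-line comment saying so; if not, add the entries back mapped to `rubin-in2p3-admin` and `rubin-in2p3-user`.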
@@ -1,9 +1,9 @@ replicaCount: 2 -pull_secret: 'pull-secret' -ingress: - host: data-dev.lsst.eu -vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" +# pull_secret: 'pull-secret' +# ingress: +# host: data-dev.lsst.eu +# vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" redis: persistence: From 9c243dde1076523dbfa7c708f7a436ab656dd383 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 12 May 2022 14:33:33 +0200 Subject: [PATCH 0377/1479] reverted config --- services/gafaelfawr/values-ccin2p3.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index f1f0cb82cc..b9dadaf28e 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -1,9 +1,9 @@ replicaCount: 2 -# pull_secret: 'pull-secret' -# ingress: -# host: data-dev.lsst.eu -# vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" +pull_secret: 'pull-secret' +ingress: + host: data-dev.lsst.eu +vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" redis: persistence: From 557364f5e11d7c9e2e87012bebd151e31799d8c8 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 12 May 2022 18:49:01 +0200 Subject: [PATCH 0378/1479] Removed replicas --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index b9dadaf28e..16b6bcc4f0 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -1,4 +1,4 @@ -replicaCount: 2 +#replicaCount: 2 pull_secret: 'pull-secret' ingress: From 384af11ad5d9754fcd9880f6173e08552e178447 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 12 May 2022 20:17:26 +0200 Subject: [PATCH 0379/1479] fixed postgres url --- services/gafaelfawr/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 16b6bcc4f0..b82fbfa8b7 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -1,4 +1,4 @@ -#replicaCount: 2 +replicaCount: 2 pull_secret: 'pull-secret' ingress: @@ -11,7 +11,7 @@ redis: config: host: data-dev.lsst.eu - databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" + databaseUrl: "postgresql://gafaelfawr@postgres/gafaelfawr" # Do not specify ingress.host because we're using the wildcard virtual host. From 878bb9a98b49c3446335c11637588dc1c987f5fc Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 12 May 2022 20:22:50 +0200 Subject: [PATCH 0380/1479] fixed postgres url --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index b82fbfa8b7..66f663e946 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -11,7 +11,7 @@ redis: config: host: data-dev.lsst.eu - databaseUrl: "postgresql://gafaelfawr@postgres/gafaelfawr" + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" # Do not specify ingress.host because we're using the wildcard virtual host. From 7d4b0f977b3ca76c64fb4002ed38eadf5cdba238 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 12 May 2022 11:25:25 -0700 Subject: [PATCH 0381/1479] Fix up Kapacitor InfluxDB connection URL --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index c250a4e1ac..5a92544b0e 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
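Review bot: The `ingress:` / `host: data-dev.lsst.eu` pair kept as context at the top of the file contradicts the comment `# Do not specify ingress.host because we're using the wildcard virtual host.` that closes the second hunk, so one of the two is stale. Since `config.host` already carries the same name, either drop `ingress.host` and keep the comment, or rewrite the comment to say why both are set. The follow-up change of `databaseUrl` to `postgres.postgres` in the next commit reads as found by trial; a comment above it such as `# Postgres service in the "postgres" namespace (presumed from the host form — confirm)` would record the reason for the next maintainer.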
@@ -65,7 +65,7 @@ Rubin Observatory's telemetry service. | kapacitor.envVars | object | `{"KAPACITOR_SLACK_ENABLED":true}` | Kapacitor environment variables. | | kapacitor.existingSecret | string | `"sasquatch"` | InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. | | kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.4"}` | Kapacitor image tag. | -| kapacitor.influxURL | string | `"http://sasquatch.influxdb:8086"` | InfluxDB connection URL. | +| kapacitor.influxURL | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB connection URL. | | kapacitor.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","operatorNamespace":"sasquatch","watchNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 88bbcba4a6..5eaa7322e4 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -92,7 +92,7 @@ kapacitor: enabled: true size: 16Gi # -- InfluxDB connection URL. - influxURL: http://sasquatch.influxdb:8086 + influxURL: http://sasquatch-influxdb.sasquatch:8086 # -- InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. existingSecret: sasquatch # -- Kapacitor environment variables. From d93f7d876c473857d1a25b8a2d38563da58035c9 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 12 May 2022 20:27:50 +0200 Subject: [PATCH 0382/1479] nublando2 --- science-platform/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index 528cfd41e5..55fef48451 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml 
@@ -28,7 +28,7 @@ moneypenny: enabled: true ingress_nginx: enabled: true -nublado: +nublado2: enabled: true obstap: enabled: false From 000a2c8229ffc6833037feb60f44b97854e4e964 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 12 May 2022 12:16:30 -0700 Subject: [PATCH 0383/1479] Update versions --- services/nublado2/Chart.yaml | 6 +++--- services/nublado2/README.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index caa8ca9182..a7a1b64e12 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: nublado2 version: 1.1.0 -appVersion: "2.1.0" +appVersion: "2.3.0" description: Nublado2 JupyterHub installation home: https://github.com/lsst-sqre/nublado2 maintainers: @@ -12,8 +12,8 @@ sources: kubeVersion: ">=1.20.0-0" dependencies: - name: jupyterhub - # Change when there's an asyncio z2jh officially released - version: "1.1.3-n410.hd8ae7348" + # There hasn't been a stable release in a very long time. + version: "1.1.3-n474.h8d0a7616" repository: https://jupyterhub.github.io/helm-chart/ - name: pull-secret version: 0.1.2 diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 6869d05e60..c22ff11597 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -14,7 +14,7 @@ Kubernetes: `>=1.20.0-0` | Repository | Name | Version | |------------|------|---------| -| https://jupyterhub.github.io/helm-chart/ | jupyterhub | 1.1.3-n410.hd8ae7348 | +| https://jupyterhub.github.io/helm-chart/ | jupyterhub | 1.1.3-n474.h8d0a7616 | | https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | ## Values From 8db16725bc9b264c9a01c81ef52c433dd166cf69 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 12 May 2022 22:13:54 +0200 Subject: [PATCH 0384/1479] NUBLADO2 OFF --- science-platform/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
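Review bot: The replacement comment `# There hasn't been a stable release in a very long time.` drops the condition the old one carried (`# Change when there's an asyncio z2jh officially released`), so a reader no longer knows when the `1.1.3-n474.h8d0a7616` pre-release pin can be retired. Suggest keeping both halves, e.g. `# Pre-release build: no stable z2jh release in a long time. Move to the next stable release once it ships.`. A dependency pinned to a build-hash pre-release may also be invisible to the automated version bumps seen elsewhere in this history, so it is worth tracking by hand.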
diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index 55fef48451..c17e309d91 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -29,7 +29,7 @@ moneypenny: ingress_nginx: enabled: true nublado2: - enabled: true + enabled: false obstap: enabled: false portal: From 2b9734a582a00970de9bf704a62980f22f5d132b Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 12 May 2022 13:11:52 -0700 Subject: [PATCH 0385/1479] bump version in nublado2 idf-dev values.yaml --- services/nublado2/values-idfdev.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index 5bae607aad..55c2be0476 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -1,5 +1,7 @@ jupyterhub: hub: + image: + tag: "2.3.0" resources: requests: cpu: "2" From 8fb09c3c977216510e8d0d8c0493e3e10e1816ad Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 12 May 2022 14:36:45 -0700 Subject: [PATCH 0386/1479] Delete the Portal ingress cookie on failure See if this helps with our 504 issues after restarting the Portal. --- services/portal/templates/ingress.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/portal/templates/ingress.yaml b/services/portal/templates/ingress.yaml index 337344a115..11cb1388ea 100644 --- a/services/portal/templates/ingress.yaml +++ b/services/portal/templates/ingress.yaml @@ -8,6 +8,7 @@ metadata: kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/affinity: "cookie" + nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true" nginx.ingress.kubernetes.io/proxy-body-size: "0m" nginx.ingress.kubernetes.io/proxy-buffer-size: "24k" nginx.ingress.kubernetes.io/client-header-buffer-size: "24k" From 31b1aeedb56e7688106e9e14d814081bd38c7453 Mon Sep 17 00:00:00 2001 
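Review bot: `nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true"` only re-pins the affinity cookie when nginx classifies the attempt as a failed upstream try, so whether it helps the post-restart 504s depends on how those 504s arise (an nginx-side timeout should count; a 504 produced by a live pod may not). The commit message calls this an experiment, but the template does not, so suggest a line above the annotation: `# Re-issue the affinity cookie after an upstream failure so clients are not stuck on a restarted pod (experiment, May 2022).` That makes it safe to remove later if it turns out not to help.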
From: adam Date: Thu, 12 May 2022 14:50:19 -0700 Subject: [PATCH 0387/1479] shrink FF containers and add shared workarea --- services/portal/values-idfdev.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index c4ad1a7846..81bc35d85e 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -2,4 +2,10 @@ replicaCount: 2 resources: limits: - memory: "8Gi" + memory: "2Gi" + +config: + volumes: + workareaNfs: + path: "/share1/home/firefly/shared-workarea" + server: "10.87.86.26" From 166a39eac28cd3ca15276d11eb2f3a66762d2468 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 12 May 2022 15:07:07 -0700 Subject: [PATCH 0388/1479] Bump app version --- services/portal/Chart.yaml | 2 +- services/sasquatch/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml index a6aa5e53da..cd0b6cb4ac 100644 --- a/services/portal/Chart.yaml +++ b/services/portal/Chart.yaml @@ -3,4 +3,4 @@ name: portal version: 1.0.0 description: "Rubin Science Platform portal aspect" home: "https://github.com/lsst/suit" -appVersion: "suit-2022.1" +appVersion: "suit-2022.2" diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 5a92544b0e..6add3194d8 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
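Review bot: `server: "10.87.86.26"` hard-codes an NFS server address with no comment on what host it is or who controls the export, and NFS access control is purely network-based, so anything able to reach that address can mount `/share1/home/firefly/shared-workarea`. Suggest a comment above `workareaNfs:` naming the share's owner and stating that it is expected to be reachable only from this cluster's network. The limit drop from `memory: "8Gi"` to `memory: "2Gi"` has no request change visible here; worth confirming the Firefly containers stay under 2Gi under load, since an OOM kill would defeat the point of the shared workarea.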
@@ -67,7 +67,7 @@ Rubin Observatory's telemetry service. | kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.4"}` | Kapacitor image tag. | | kapacitor.influxURL | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB connection URL. | | kapacitor.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | -| strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | +| strimzi-kafka | object | `{}` | | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","operatorNamespace":"sasquatch","watchNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | | telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html | | telegraf.config.outputs | list | `[{"influxdb":{"database":"telegraf","password":"$TELEGRAF_PASSWORD","urls":["http://sasquatch-influxdb.sasquatch:8086"],"username":"telegraf"}}]` | Telegraf default output destination. | From c93ae31f05ac6437a8be511db928f2dcc7e414a5 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 12 May 2022 15:08:24 -0700 Subject: [PATCH 0389/1479] Regen doc --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 6add3194d8..5a92544b0e 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -67,7 +67,7 @@ Rubin Observatory's telemetry service. | kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.4"}` | Kapacitor image tag. | | kapacitor.influxURL | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB connection URL. | | kapacitor.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | -| strimzi-kafka | object | `{}` | | +| strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","operatorNamespace":"sasquatch","watchNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | | telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html | | telegraf.config.outputs | list | `[{"influxdb":{"database":"telegraf","password":"$TELEGRAF_PASSWORD","urls":["http://sasquatch-influxdb.sasquatch:8086"],"username":"telegraf"}}]` | Telegraf default output destination. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 5eaa7322e4..a41fbf01df 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -1,4 +1,5 @@ # Default values for Sasquatch. + # -- Override strimzi-kafka configuration. strimzi-kafka: {} From 929b9573282f1f249f1d3b20bb36d7bee91ff8d9 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 12 May 2022 15:23:42 -0700 Subject: [PATCH 0390/1479] Bump JH version globally --- services/nublado2/README.md | 2 +- services/nublado2/values-idfdev.yaml | 2 -- services/nublado2/values.yaml | 2 +- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index c22ff11597..5de714c4f2 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md 
@@ -69,7 +69,7 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.hub.extraVolumes[1].name | string | `"nublado-gafaelfawr"` | | | jupyterhub.hub.extraVolumes[1].secret.secretName | string | `"gafaelfawr-token"` | | | jupyterhub.hub.image.name | string | `"lsstsqre/nublado2"` | | -| jupyterhub.hub.image.tag | string | `"2.1.0"` | | +| jupyterhub.hub.image.tag | string | `"2.3.0"` | | | jupyterhub.hub.loadRoles.self.scopes[0] | string | `"admin:servers!user"` | | | jupyterhub.hub.loadRoles.self.scopes[1] | string | `"read:metrics"` | | | jupyterhub.hub.loadRoles.server.scopes[0] | string | `"inherit"` | | diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index 55c2be0476..5bae607aad 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -1,7 +1,5 @@ jupyterhub: hub: - image: - tag: "2.3.0" resources: requests: cpu: "2" diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 33a8f74a93..9485bfdb56 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -7,7 +7,7 @@ jupyterhub: authenticatePrometheus: false image: name: lsstsqre/nublado2 - tag: "2.1.0" + tag: "2.3.0" config: Authenticator: enable_auth_state: true From a443b641e42b05c72dd096ccfc28fd425a71da01 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 12 May 2022 15:42:43 -0700 Subject: [PATCH 0391/1479] Go back to 4 portal pods on IDF prod --- services/portal/values-idfprod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-idfprod.yaml b/services/portal/values-idfprod.yaml index d4187887ce..d3325ec38f 100644 --- a/services/portal/values-idfprod.yaml +++ b/services/portal/values-idfprod.yaml @@ -1,4 +1,4 @@ -replicaCount: 1 +replicaCount: 4 config: volumes: From f5a9bf24cbb32280fdc252073052a2f5ebd51d92 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 12 May 2022 16:06:07 -0700 Subject: [PATCH 0392/1479] Unpin Portal version on NCSA int --- services/portal/values-int.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/services/portal/values-int.yaml b/services/portal/values-int.yaml index 6f0d3074ee..5efe67737b 100644 --- a/services/portal/values-int.yaml +++ b/services/portal/values-int.yaml @@ -18,9 +18,6 @@ resources: limits: memory: "24Gi" -image: - tag: "suit-2022.1" - securityContext: runAsUser: 101 runAsGroup: 102 From dffa6746625f77a26a4d0e218e2f05edef0baec7 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 May 2022 22:30:43 -0700 Subject: [PATCH 0393/1479] [DM-34737] Use new datalinker chart --- services/datalinker/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index c31c766d03..ddc7f67819 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -3,7 +3,7 @@ name: datalinker version: 1.0.0 dependencies: - name: datalinker - version: 0.1.6 + version: 0.1.7 repository: https://lsst-sqre.github.io/charts/ - name: pull-secret version: 0.1.2 From c36998ab3f49d194594ed5eceee6b5291fb0c590 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 May 2022 23:08:24 -0700 Subject: [PATCH 0394/1479] [DM-34737] Enable globals for datalinker --- science-platform/templates/datalinker-application.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/science-platform/templates/datalinker-application.yaml b/science-platform/templates/datalinker-application.yaml index f089e27bf7..05115cb3ba 100644 --- a/science-platform/templates/datalinker-application.yaml +++ b/science-platform/templates/datalinker-application.yaml 
@@ -24,6 +24,13 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - values-{{ .Values.environment }}.yaml {{- end -}} From 5f2cb1bf049e14a36dcfb1cab1413ce2af6cd29a Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 18 Apr 2022 12:08:18 -0700 Subject: [PATCH 0395/1479] Add global helm variables to all applications --- .../templates/alert-stream-broker-application.yaml | 10 +++++++++- science-platform/templates/argocd-application.yaml | 10 +++++++++- .../templates/cachemachine-application.yaml | 11 +++++++++-- .../templates/datalinker-application.yaml | 3 ++- .../templates/exposurelog-application.yaml | 11 +++++++++-- .../templates/ingress-nginx-application.yaml | 10 +++++++++- .../templates/moneypenny-application.yaml | 10 +++++++++- .../templates/narrativelog-application.yaml | 11 +++++++++-- science-platform/templates/nublado2-application.yaml | 7 +++++++ science-platform/templates/obstap-application.yaml | 10 +++++++++- .../templates/plot-navigator-application.yaml | 10 +++++++++- science-platform/templates/postgres-application.yaml | 10 +++++++++- science-platform/templates/sasquatch-application.yaml | 11 +++++++++-- science-platform/templates/sherlock-application.yaml | 10 +++++++++- .../templates/squash-api-application.yaml | 10 +++++++++- science-platform/templates/strimzi-application.yaml | 10 +++++++++- .../strimzi-registry-operator-application.yaml | 10 +++++++++- science-platform/templates/tap-application.yaml | 10 +++++++++- science-platform/templates/telegraf-application.yaml | 4 ++-- .../templates/telegraf-ds-application.yaml | 4 ++-- .../templates/vault-secrets-operator-application.yaml | 10 +++++++++- 21 files changed, 166 insertions(+), 26 deletions(-) 
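Review bot: `value: "https://{{ .Values.fqdn }}"` builds the `global.baseUrl` parameter with hand-written quotes while its siblings use `| quote`, so a fqdn containing `"` or `\` would render invalid YAML here yet be escaped correctly for `global.host`. A consistent form is `value: {{ printf "https://%s" .Values.fqdn | quote }}`. The `valueFiles` entry `- values-{{ .Values.environment }}.yaml` is likewise unquoted, which the next commit takes care of for all templates.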
diff --git a/science-platform/templates/alert-stream-broker-application.yaml b/science-platform/templates/alert-stream-broker-application.yaml index b72ce4d286..865c70a1f3 100644 --- a/science-platform/templates/alert-stream-broker-application.yaml +++ b/science-platform/templates/alert-stream-broker-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/argocd-application.yaml b/science-platform/templates/argocd-application.yaml index ea9379a8f9..a49eaf3efb 100644 --- a/science-platform/templates/argocd-application.yaml +++ b/science-platform/templates/argocd-application.yaml @@ -15,5 +15,13 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" diff --git a/science-platform/templates/cachemachine-application.yaml b/science-platform/templates/cachemachine-application.yaml index ddb6c3b188..3216ca518f 100644 --- a/science-platform/templates/cachemachine-application.yaml +++ b/science-platform/templates/cachemachine-application.yaml 
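Review bot: Adding `- "values.yaml"` to `valueFiles` in alert-stream-broker-application.yaml (and, in the following hunks, the argocd, ingress-nginx, moneypenny, obstap, plot-navigator, postgres, sherlock, squash-api, strimzi, strimzi-registry-operator, tap and vault-secrets-operator templates) makes each of those Argo CD Applications fail to render if the service chart has no `values.yaml`, because a listed values file that is missing is an error unless `spec.source.helm.ignoreMissingValueFiles: true` is set. The diffstat shows only the Application templates changing, so either every one of those charts already ships a `values.yaml` or the next sync breaks; worth checking before merge. Every hunk of this commit also assembles `global.baseUrl` as `value: "https://{{ .Values.fqdn }}"` rather than `value: {{ printf "https://%s" .Values.fqdn | quote }}` like the two parameters around it.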
@@ -24,7 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/datalinker-application.yaml b/science-platform/templates/datalinker-application.yaml index 05115cb3ba..c1177c4a67 100644 --- a/science-platform/templates/datalinker-application.yaml +++ b/science-platform/templates/datalinker-application.yaml @@ -32,5 +32,6 @@ spec: - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/exposurelog-application.yaml b/science-platform/templates/exposurelog-application.yaml index 76e3bc5bea..3e06116112 100644 --- a/science-platform/templates/exposurelog-application.yaml +++ b/science-platform/templates/exposurelog-application.yaml @@ -21,7 +21,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/ingress-nginx-application.yaml b/science-platform/templates/ingress-nginx-application.yaml index e720da8484..7a34477e13 100644 --- a/science-platform/templates/ingress-nginx-application.yaml 
+++ b/science-platform/templates/ingress-nginx-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/moneypenny-application.yaml b/science-platform/templates/moneypenny-application.yaml index c6dea1081e..17d8518649 100644 --- a/science-platform/templates/moneypenny-application.yaml +++ b/science-platform/templates/moneypenny-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/narrativelog-application.yaml b/science-platform/templates/narrativelog-application.yaml index d12d0e3572..3b903ba92d 100644 --- a/science-platform/templates/narrativelog-application.yaml +++ b/science-platform/templates/narrativelog-application.yaml 
@@ -21,7 +21,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/nublado2-application.yaml b/science-platform/templates/nublado2-application.yaml index e6dae13b3f..6ec05a1abd 100644 --- a/science-platform/templates/nublado2-application.yaml +++ b/science-platform/templates/nublado2-application.yaml @@ -24,6 +24,13 @@ spec: repoURL: {{ .Values.repoURL | quote }} targetRevision: {{ .Values.revision | quote }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" - "values-{{ .Values.environment }}.yaml" diff --git a/science-platform/templates/obstap-application.yaml b/science-platform/templates/obstap-application.yaml index e1a5656445..5abc556119 100644 --- a/science-platform/templates/obstap-application.yaml +++ b/science-platform/templates/obstap-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} 
diff --git a/science-platform/templates/plot-navigator-application.yaml b/science-platform/templates/plot-navigator-application.yaml index 25235b6de0..7277904dda 100644 --- a/science-platform/templates/plot-navigator-application.yaml +++ b/science-platform/templates/plot-navigator-application.yaml @@ -21,6 +21,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/postgres-application.yaml b/science-platform/templates/postgres-application.yaml index 03d0b0c3d8..6d8e11e97e 100644 --- a/science-platform/templates/postgres-application.yaml +++ b/science-platform/templates/postgres-application.yaml @@ -21,6 +21,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/sasquatch-application.yaml b/science-platform/templates/sasquatch-application.yaml index da996432b0..976de21e7f 100644 --- a/science-platform/templates/sasquatch-application.yaml +++ b/science-platform/templates/sasquatch-application.yaml 
@@ -24,7 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/sherlock-application.yaml b/science-platform/templates/sherlock-application.yaml index 73463b63f9..9c032cd1d5 100644 --- a/science-platform/templates/sherlock-application.yaml +++ b/science-platform/templates/sherlock-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/squash-api-application.yaml b/science-platform/templates/squash-api-application.yaml index 4c326dc1e5..f04026ded0 100644 --- a/science-platform/templates/squash-api-application.yaml +++ b/science-platform/templates/squash-api-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} 
diff --git a/science-platform/templates/strimzi-application.yaml b/science-platform/templates/strimzi-application.yaml index d6aff0963b..f455ae0399 100644 --- a/science-platform/templates/strimzi-application.yaml +++ b/science-platform/templates/strimzi-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/strimzi-registry-operator-application.yaml b/science-platform/templates/strimzi-registry-operator-application.yaml index 967f6aec12..79f2be8d14 100644 --- a/science-platform/templates/strimzi-registry-operator-application.yaml +++ b/science-platform/templates/strimzi-registry-operator-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/tap-application.yaml b/science-platform/templates/tap-application.yaml index 5f570f0717..c3419dca62 100644 --- a/science-platform/templates/tap-application.yaml +++ b/science-platform/templates/tap-application.yaml 
@@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/telegraf-application.yaml b/science-platform/templates/telegraf-application.yaml index d973ed5c84..c0dd9eae80 100644 --- a/science-platform/templates/telegraf-application.yaml +++ b/science-platform/templates/telegraf-application.yaml @@ -33,7 +33,7 @@ spec: - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/telegraf-ds-application.yaml b/science-platform/templates/telegraf-ds-application.yaml index 330e461e38..b942c0c8f8 100644 --- a/science-platform/templates/telegraf-ds-application.yaml +++ b/science-platform/templates/telegraf-ds-application.yaml @@ -32,6 +32,6 @@ spec: - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/vault-secrets-operator-application.yaml b/science-platform/templates/vault-secrets-operator-application.yaml index 3eb50571bb..a25a0142f9 100644 --- a/science-platform/templates/vault-secrets-operator-application.yaml +++ b/science-platform/templates/vault-secrets-operator-application.yaml 
@@ -16,6 +16,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} From 79b5bcb9b9c4f0f3b2bf0aabc21418c1dcb96b5a Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 18 Apr 2022 12:34:53 -0700 Subject: [PATCH 0396/1479] DRY out argocd --- services/argocd/templates/vault-secret.yaml | 2 +- services/argocd/values.yaml | 63 +++++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 services/argocd/values.yaml diff --git a/services/argocd/templates/vault-secret.yaml b/services/argocd/templates/vault-secret.yaml index 598154025d..382c13db75 100644 --- a/services/argocd/templates/vault-secret.yaml +++ b/services/argocd/templates/vault-secret.yaml @@ -4,6 +4,6 @@ kind: VaultSecret metadata: name: argocd-secret spec: - path: {{ .Values.vault_secret.path }} + path: "{{ .Values.global.vaultSecretspath }}/argocd" type: Opaque {{ end }} diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml new file mode 100644 index 0000000000..4ed2559f80 --- /dev/null +++ b/services/argocd/values.yaml 
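Review bot: `path: "{{ .Values.global.vaultSecretspath }}/argocd"` misspells the key that the new values.yaml defines as `vaultSecretsPath` (capital P), so Helm renders an empty string and the VaultSecret reads from `/argocd` instead of the environment's Vault prefix, silently pointing `argocd-secret` at the wrong path. The line should read `path: "{{ .Values.global.vaultSecretsPath }}/argocd"`; wrapping the value as `{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}` would turn any future mismatch into a render error rather than an empty path. The next commit reverts this change wholesale, so the fix matters for whenever it is re-landed.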
@@ -0,0 +1,63 @@ +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" + +argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + + server: + metrics: + enabled: true + ingress: + enabled: true + hosts: + - {{ required "global.host must be set" .Values.global.host | quote }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + + config: + url: "{{ .Values.global.baseUrl }}/argo-cd" + + configs: + secret: + createSecret: false + +pull-secret: + enabled: true + path: "{{ .global.vaultSecretsPath }}/pull-secret" From d73cb4ba910d9befdad922cbc04326086dbdb98f Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 18 Apr 2022 15:51:35 -0700 Subject: [PATCH 0397/1479] Revert "DRY out argocd" This reverts commit 439babea9c2a819bb55ee9785135239b647819de. --- services/argocd/templates/vault-secret.yaml | 2 +- services/argocd/values.yaml | 63 --------------------- 2 files changed, 1 insertion(+), 64 deletions(-) delete mode 100644 services/argocd/values.yaml diff --git a/services/argocd/templates/vault-secret.yaml b/services/argocd/templates/vault-secret.yaml index 382c13db75..598154025d 100644 --- a/services/argocd/templates/vault-secret.yaml +++ b/services/argocd/templates/vault-secret.yaml 
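Review bot: Helm does not template a chart's `values.yaml`, so `- {{ required "global.host must be set" .Values.global.host | quote }}` under `hosts:` is never evaluated; worse, an unquoted value starting with `{{` is read by the YAML parser as a flow mapping, so the file fails to load at all, and the quoted `url: "{{ .Values.global.baseUrl }}/argo-cd"` and `path: "{{ .global.vaultSecretsPath }}/pull-secret"` would reach the subcharts as literal strings. Those three values need to come in another way, for example as additional Argo CD `helm.parameters` in the Application template, with plain placeholder values left here. Separately, `- "--insecure=true"` runs argocd-server without TLS and `createSecret: false` relies on the VaultSecret to provide `argocd-secret`; a one-line comment on each (`# TLS is terminated at the ingress` and `# argocd-secret is populated by templates/vault-secret.yaml`) would keep those deliberate choices from being "fixed" later.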
@@ -4,6 +4,6 @@ kind: VaultSecret metadata: name: argocd-secret spec: - path: "{{ .Values.global.vaultSecretspath }}/argocd" + path: {{ .Values.vault_secret.path }} type: Opaque {{ end }} diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml deleted file mode 100644 index 4ed2559f80..0000000000 --- a/services/argocd/values.yaml +++ /dev/null @@ -1,63 +0,0 @@ -# The following will be set by parameters injected by Argo CD and should not -# be set in the individual environment values files. -global: - # -- Base URL for the environment - # @default -- Set by Argo CD - baseUrl: "" - - # -- Host name for ingress - # @default -- Set by Argo CD - host: "" - - # -- Base path for Vault secrets - # @default -- Set by Argo CD - vaultSecretsPath: "" - -argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - - server: - metrics: - enabled: true - ingress: - enabled: true - hosts: - - {{ required "global.host must be set" .Values.global.host | quote }} - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - - config: - url: "{{ .Values.global.baseUrl }}/argo-cd" - - configs: - secret: - createSecret: false - -pull-secret: - enabled: true - path: "{{ .global.vaultSecretsPath }}/pull-secret" From dd354ac09e59569f7372c6f02892c8cedb46dd10 Mon Sep 17 00:00:00 2001 
From: adam Date: Mon, 18 Apr 2022 16:07:35 -0700 Subject: [PATCH 0398/1479] DRY out cachemachine --- services/cachemachine/templates/deployment.yaml | 4 ++-- services/cachemachine/templates/ingress-anonymous.yaml | 2 +- services/cachemachine/templates/ingress.yaml | 6 +++--- .../{vault-secret.yaml => vault-pull-secret.yaml} | 4 ++-- services/cachemachine/values-base.yaml | 6 ------ services/cachemachine/values-idfdev.yaml | 6 ------ services/cachemachine/values-idfint.yaml | 6 ------ services/cachemachine/values-idfprod.yaml | 6 ------ services/cachemachine/values-int.yaml | 8 -------- services/cachemachine/values-minikube.yaml | 6 ------ services/cachemachine/values-roe.yaml | 7 ------- services/cachemachine/values-stable.yaml | 8 -------- services/cachemachine/values-summit.yaml | 6 ------ services/cachemachine/values-tucson-teststand.yaml | 6 ------ services/cachemachine/values.yaml | 2 +- 15 files changed, 9 insertions(+), 74 deletions(-) rename services/cachemachine/templates/{vault-secret.yaml => vault-pull-secret.yaml} (54%) diff --git a/services/cachemachine/templates/deployment.yaml b/services/cachemachine/templates/deployment.yaml index 2d408aa29e..a6c8f5ca2c 100644 --- a/services/cachemachine/templates/deployment.yaml +++ b/services/cachemachine/templates/deployment.yaml @@ -40,7 +40,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy | quote }} env: - name: DOCKER_SECRET_NAME - value: {{ template "cachemachine.fullname" . }}-secret + value: pull-secret ports: - name: "http" containerPort: 8080 @@ -65,7 +65,7 @@ spec: volumes: - name: docker-creds secret: - secretName: {{ template "cachemachine.fullname" . }}-secret + secretName: pull-secret - name: autostart configMap: name: {{ include "cachemachine.fullname" . }}-autostart diff --git a/services/cachemachine/templates/ingress-anonymous.yaml b/services/cachemachine/templates/ingress-anonymous.yaml index 6cd269b446..c2bd124cfe 100644 --- a/services/cachemachine/templates/ingress-anonymous.yaml 
+++ b/services/cachemachine/templates/ingress-anonymous.yaml @@ -13,7 +13,7 @@ metadata: {{- include "cachemachine.labels" . | nindent 4 }} spec: rules: - - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: "/cachemachine/.*/available" diff --git a/services/cachemachine/templates/ingress.yaml b/services/cachemachine/templates/ingress.yaml index 12fdc87a73..f7f5c119ca 100644 --- a/services/cachemachine/templates/ingress.yaml +++ b/services/cachemachine/templates/ingress.yaml @@ -7,8 +7,8 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login" - nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.global.host }}/login" + nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} @@ -18,7 +18,7 @@ metadata: {{- include "cachemachine.labels" . | nindent 4 }} spec: rules: - - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + - host: {{ required "ingress.host must be set" .Values.global.host | quote }} http: paths: - path: "/cachemachine" diff --git a/services/cachemachine/templates/vault-secret.yaml b/services/cachemachine/templates/vault-pull-secret.yaml similarity index 54% rename from services/cachemachine/templates/vault-secret.yaml rename to services/cachemachine/templates/vault-pull-secret.yaml index 34f24f8778..6f813c9b7d 100644 --- a/services/cachemachine/templates/vault-secret.yaml 
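Review bot: The second ingress.yaml hunk switches the checked value to `.Values.global.host` but keeps the message `"ingress.host must be set"`, so a missing `global.host` now fails with an error naming a key the template no longer reads; ingress-anonymous.yaml in this same commit already uses the right message. Change it to `- host: {{ required "global.host must be set" .Values.global.host | quote }}`. The same stale message appears in the new services/datalinker/templates/ingress.yaml in the following commit.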
+++ b/services/cachemachine/templates/vault-pull-secret.yaml @@ -1,9 +1,9 @@ apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: - name: {{ template "cachemachine.fullname" . }}-secret + name: pull-secret labels: {{- include "cachemachine.labels" . | nindent 4 }} spec: - path: {{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath | quote }} + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" type: kubernetes.io/dockerconfigjson diff --git a/services/cachemachine/values-base.yaml b/services/cachemachine/values-base.yaml index 64ef9cc641..72eff31977 100644 --- a/services/cachemachine/values-base.yaml +++ b/services/cachemachine/values-base.yaml @@ -1,9 +1,3 @@ -ingress: - enabled: true - host: "base-lsp.lsst.codes" - -vaultSecretsPath: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" - autostart: jupyter: | { diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml index 81eac0fc60..43f9d9adda 100644 --- a/services/cachemachine/values-idfdev.yaml +++ b/services/cachemachine/values-idfdev.yaml @@ -1,9 +1,3 @@ -ingress: - enabled: true - host: "data-dev.lsst.cloud" - -vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" - serviceAccount: annotations: { iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-dev-7696.iam.gserviceaccount.com diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml index e4685a1ef7..11169980c8 100644 --- a/services/cachemachine/values-idfint.yaml +++ b/services/cachemachine/values-idfint.yaml @@ -1,9 +1,3 @@ -ingress: - enabled: true - host: "data-int.lsst.cloud" - -vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" - serviceAccount: annotations: { iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-int-dc5d.iam.gserviceaccount.com 
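Review bot: `path: "{{- .Values.global.vaultSecretsPath }}/pull-secret"` drops the `required` guard that the replaced `vaultSecretsPath` line had, so if the parent Application does not inject `global.vaultSecretsPath` the VaultSecret renders as `path: "/pull-secret"` and the failure only surfaces later in the vault-secrets-operator instead of at render time; the `{{-` inside a quoted scalar trims nothing useful and can go. Suggest `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/pull-secret"`. The identical line is added in services/datalinker/templates/vault-pull-secret.yaml in the following commit.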
diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml index 6488321f86..4f34d9b02b 100644 --- a/services/cachemachine/values-idfprod.yaml +++ b/services/cachemachine/values-idfprod.yaml @@ -1,9 +1,3 @@ -ingress: - enabled: true - host: "data.lsst.cloud" - -vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/pull-secret" - serviceAccount: annotations: { iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-stable-6994.iam.gserviceaccount.com diff --git a/services/cachemachine/values-int.yaml b/services/cachemachine/values-int.yaml index 8d567690cc..35fc61ee7c 100644 --- a/services/cachemachine/values-int.yaml +++ b/services/cachemachine/values-int.yaml @@ -1,11 +1,3 @@ -ingress: - enabled: true - host: "lsst-lsp-int.ncsa.illinois.edu" - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:admin" - -vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" - autostart: jupyter: | { diff --git a/services/cachemachine/values-minikube.yaml b/services/cachemachine/values-minikube.yaml index b4ac07beca..4369a6be97 100644 --- a/services/cachemachine/values-minikube.yaml +++ b/services/cachemachine/values-minikube.yaml @@ -1,9 +1,3 @@ -ingress: - enabled: true - host: "minikube.lsst.codes" - -vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/pull-secret" - autostart: jupyter: | { diff --git a/services/cachemachine/values-roe.yaml b/services/cachemachine/values-roe.yaml index ddda54f36d..a5b8e8aef5 100644 --- a/services/cachemachine/values-roe.yaml +++ b/services/cachemachine/values-roe.yaml @@ -1,10 +1,3 @@ -ingress: - enabled: true - host: "rsp.lsst.ac.uk" - -vaultSecretsPath: "secret/k8s_operator/roe/pull-secret" - - autostart: jupyter: | { diff --git a/services/cachemachine/values-stable.yaml b/services/cachemachine/values-stable.yaml index ba07d1c2ec..35fc61ee7c 100644 --- a/services/cachemachine/values-stable.yaml 
+++ b/services/cachemachine/values-stable.yaml @@ -1,11 +1,3 @@ -ingress: - enabled: true - host: "lsst-lsp-stable.ncsa.illinois.edu" - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:admin" - -vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" - autostart: jupyter: | { diff --git a/services/cachemachine/values-summit.yaml b/services/cachemachine/values-summit.yaml index 124abd2026..5852f13696 100644 --- a/services/cachemachine/values-summit.yaml +++ b/services/cachemachine/values-summit.yaml @@ -1,9 +1,3 @@ -ingress: - enabled: true - host: "summit-lsp.lsst.codes" - -vaultSecretsPath: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" - autostart: jupyter: | { diff --git a/services/cachemachine/values-tucson-teststand.yaml b/services/cachemachine/values-tucson-teststand.yaml index fcb2c78311..3b960c522d 100644 --- a/services/cachemachine/values-tucson-teststand.yaml +++ b/services/cachemachine/values-tucson-teststand.yaml @@ -1,9 +1,3 @@ -ingress: - enabled: true - host: "tucson-teststand.lsst.codes" - -vaultSecretsPath: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" - autostart: jupyter: | { diff --git a/services/cachemachine/values.yaml b/services/cachemachine/values.yaml index 0e2ace353c..d8b70a92de 100644 --- a/services/cachemachine/values.yaml +++ b/services/cachemachine/values.yaml @@ -19,7 +19,7 @@ image: # -- Secret names to use for all Docker pulls imagePullSecrets: - - name: "cachemachine-secret" + - name: "pull-secret" serviceAccount: # -- Name of the service account to use # @default -- Name based on the fullname template From e706766593971a7fe86f6387f940f755532ac40e Mon Sep 17 00:00:00 2001 
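Review bot: values-int.yaml and values-stable.yaml used `ingress.annotations` to set `nginx.ingress.kubernetes.io/auth-url: "https://…/auth?scope=exec:admin"`, and this commit deletes those blocks while the visible values.yaml hunk only renames the pull secret, so unless the part of values.yaml outside this hunk sets `ingress.gafaelfawrAuthQuery` to an equivalent `scope=exec:admin` query, the cachemachine ingress in those two environments is now created without any auth-url annotation, i.e. unauthenticated at the ingress. Every environment file also dropped `ingress.enabled: true`; confirm values.yaml defaults it to true or the ingresses disappear. If admin scope is intended everywhere, `gafaelfawrAuthQuery: "scope=exec:admin"` in values.yaml is the DRY replacement; otherwise the annotation should be restored in the two environment files.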
From: adam Date: Tue, 19 Apr 2022 09:40:08 -0700 Subject: [PATCH 0399/1479] Move datalinker into phalanx and DRY out config --- services/datalinker/Chart.yaml | 14 ++-- services/datalinker/templates/NOTES.txt | 22 +++++ services/datalinker/templates/_helpers.tpl | 51 ++++++++++++ services/datalinker/templates/deployment.yaml | 67 +++++++++++++++ services/datalinker/templates/hpa.yaml | 28 +++++++ services/datalinker/templates/ingress.yaml | 35 ++++++++ .../datalinker/templates/networkpolicy.yaml | 23 ++++++ services/datalinker/templates/service.yaml | 15 ++++ .../templates/vault-pull-secret.yaml | 9 +++ services/datalinker/values-idfdev.yaml | 9 +-- services/datalinker/values-idfint.yaml | 9 +-- services/datalinker/values-idfprod.yaml | 9 +-- services/datalinker/values-int.yaml | 9 +-- services/datalinker/values-minikube.yaml | 9 +-- services/datalinker/values-stable.yaml | 9 +-- services/datalinker/values.yaml | 81 +++++++++++++++++++ 16 files changed, 343 insertions(+), 56 deletions(-) create mode 100644 services/datalinker/templates/NOTES.txt create mode 100644 services/datalinker/templates/_helpers.tpl create mode 100644 services/datalinker/templates/deployment.yaml create mode 100644 services/datalinker/templates/hpa.yaml create mode 100644 services/datalinker/templates/ingress.yaml create mode 100644 services/datalinker/templates/networkpolicy.yaml create mode 100644 services/datalinker/templates/service.yaml create mode 100644 services/datalinker/templates/vault-pull-secret.yaml create mode 100644 services/datalinker/values.yaml diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index ddc7f67819..02e2f5f841 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml 
@@ -1,10 +1,8 @@
 apiVersion: v2
+appVersion: 1.0.0
+description: A Helm chart for Kubernetes
 name: datalinker
-version: 1.0.0
-dependencies:
- - name: datalinker
- version: 0.1.7
- repository: https://lsst-sqre.github.io/charts/
- - name: pull-secret
- version: 0.1.2
- repository: https://lsst-sqre.github.io/charts/
+type: application
+version: 0.1.7
+maintainers:
+ - name: cbanek
diff --git a/services/datalinker/templates/NOTES.txt b/services/datalinker/templates/NOTES.txt
new file mode 100644
index 0000000000..87627d7740
--- /dev/null
+++ b/services/datalinker/templates/NOTES.txt
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "datalinker.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "datalinker.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "datalinker.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "datalinker.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/services/datalinker/templates/_helpers.tpl b/services/datalinker/templates/_helpers.tpl new file mode 100644 index 0000000000..eb7efad489 --- /dev/null +++ b/services/datalinker/templates/_helpers.tpl 
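Review bot: The generated NOTES.txt iterates `.Values.ingress.hosts` and tests `.Values.ingress.tls`, but this chart's values.yaml defines `ingress.host` and `ingress.path` and the templates read `global.host`, so the ingress branch renders nothing and the remaining branches describe NodePort, LoadBalancer and port-forward setups the chart does not use. Either drop the file or replace its body with a single line such as `The datalinker API is served at https://{{ .Values.global.host }}{{ .Values.ingress.path }}`.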
@@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "datalinker.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "datalinker.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "datalinker.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "datalinker.labels" -}} +helm.sh/chart: {{ include "datalinker.chart" . }} +{{ include "datalinker.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "datalinker.selectorLabels" -}} +app.kubernetes.io/name: {{ include "datalinker.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/datalinker/templates/deployment.yaml b/services/datalinker/templates/deployment.yaml new file mode 100644 index 0000000000..ddc9a4ba3a --- /dev/null +++ b/services/datalinker/templates/deployment.yaml 
@@ -0,0 +1,67 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "datalinker.fullname" . }} + labels: + {{- include "datalinker.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "datalinker.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "datalinker.selectorLabels" . | nindent 8 }} + spec: + automountServiceAccountToken: false + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/datalinker/templates/hpa.yaml b/services/datalinker/templates/hpa.yaml new file mode 100644 index 0000000000..0df24ad67a --- /dev/null +++ b/services/datalinker/templates/hpa.yaml 
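Review bot: `imagePullPolicy: {{ .Values.image.pullPolicy }}` is the one templated scalar in this Deployment emitted without `| quote`, whereas the cachemachine deployment touched in the previous commit quotes it; the default `Always` renders fine, but quoting keeps the manifest valid if a value with YAML-significant characters is ever set and keeps the two charts consistent. Use `imagePullPolicy: {{ .Values.image.pullPolicy | quote }}`. The pod and container security contexts (non-root UID, no privilege escalation, all capabilities dropped, read-only root filesystem, no mounted service account token) are a sound baseline.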
@@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "datalinker.fullname" . }} + labels: + {{- include "datalinker.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "datalinker.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml new file mode 100644 index 0000000000..c1933b76a4 --- /dev/null +++ b/services/datalinker/templates/ingress.yaml 
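Review bot: The new HPA uses `apiVersion: autoscaling/v2beta1`, which is deprecated and was removed in Kubernetes 1.25, so on current clusters the rendered object is rejected the moment `autoscaling.enabled` is turned on; the per-metric shape also changed in `autoscaling/v2`, where `targetAverageUtilization` becomes a `target` block. Since autoscaling defaults to false the template is inert today, but it should be moved to `autoscaling/v2` before anyone enables it. The rewritten metrics block below is the only part that changes besides the apiVersion line.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```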
@@ -0,0 +1,35 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "datalinker.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "datalinker.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- if .Values.ingress.gafaelfawrAuthQuery -}} + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token + nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.global.host }}/login" + nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + rules: + - host: {{ required "ingress.host must be set" .Values.global.host | quote }} + http: + paths: + - path: {{ .Values.ingress.path }} + pathType: {{ default "Prefix" .Values.ingress.pathType }} + backend: + service: + name: {{ $fullName }} + port: + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/datalinker/templates/networkpolicy.yaml b/services/datalinker/templates/networkpolicy.yaml new file mode 100644 index 0000000000..6b228b58a6 --- /dev/null +++ b/services/datalinker/templates/networkpolicy.yaml 
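Review bot: The `kubernetes.io/ingress.class` and Gafaelfawr auth annotations sit inside `{{- with .Values.ingress.annotations }}`, so with the default `annotations: {}` the whole block is skipped and the Ingress renders with no class and no `auth-url`, while with a non-empty map `.` is rebound to that map and `.Values.ingress.gafaelfawrAuthQuery` / `.Values.global.host` fail with a nil-pointer render error; either way the auth annotations never reach the object. `{{- if .Values.ingress.gafaelfawrAuthQuery -}}` additionally trims the newline before `auth-method`, gluing it onto the `ingress.class` line. Move the fixed annotations out of the `with`, drop the trailing `-`, and use `$`-free root access as the cachemachine ingress.yaml in the previous commit does; the host rule's `required` message should name `global.host`, the key actually checked.
```yaml
# … unchanged: {{- if .Values.ingress.enabled -}}, $fullName, apiVersion, kind, metadata name and labels …
  annotations:
    kubernetes.io/ingress.class: "nginx"
    {{- if .Values.ingress.gafaelfawrAuthQuery }}
    nginx.ingress.kubernetes.io/auth-method: GET
    nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token
    nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.global.host }}/login"
    nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}"
    {{- end }}
    {{- with .Values.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
# … unchanged: spec, ingressClassName …
  rules:
    - host: {{ required "global.host must be set" .Values.global.host | quote }}
# … unchanged: http paths and backend …
```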
@@ -0,0 +1,23 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "datalinker.fullname" . }} +spec: + podSelector: + matchLabels: + {{- include "datalinker.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 8080 +{{- end }} diff --git a/services/datalinker/templates/service.yaml b/services/datalinker/templates/service.yaml new file mode 100644 index 0000000000..b24cc11a8b --- /dev/null +++ b/services/datalinker/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "datalinker.fullname" . }} + labels: + {{- include "datalinker.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "datalinker.selectorLabels" . | nindent 4 }} diff --git a/services/datalinker/templates/vault-pull-secret.yaml b/services/datalinker/templates/vault-pull-secret.yaml new file mode 100644 index 0000000000..214d3cd565 --- /dev/null +++ b/services/datalinker/templates/vault-pull-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "datalinker.labels" . | nindent 4 }} +spec: + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + type: kubernetes.io/dockerconfigjson diff --git a/services/datalinker/values-idfdev.yaml b/services/datalinker/values-idfdev.yaml index 6c4087ba4e..548f8dffd2 100644 --- a/services/datalinker/values-idfdev.yaml +++ b/services/datalinker/values-idfdev.yaml 
@@ -1,8 +1 @@
-datalinker:
- ingress:
- enabled: true
- host: "data-dev.lsst.cloud"
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret
+# idfdev
diff --git a/services/datalinker/values-idfint.yaml b/services/datalinker/values-idfint.yaml
index 68e40deab8..37cd8a5ecf 100644
--- a/services/datalinker/values-idfint.yaml
+++ b/services/datalinker/values-idfint.yaml
@@ -1,8 +1 @@
-datalinker:
- ingress:
- enabled: true
- host: "data-int.lsst.cloud"
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/data-int.lsst.cloud/pull-secret
+# idfint
diff --git a/services/datalinker/values-idfprod.yaml b/services/datalinker/values-idfprod.yaml
index e49b8e90bc..40d46707e4 100644
--- a/services/datalinker/values-idfprod.yaml
+++ b/services/datalinker/values-idfprod.yaml
@@ -1,8 +1 @@
-datalinker:
- ingress:
- enabled: true
- host: "data.lsst.cloud"
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/data.lsst.cloud/pull-secret
+# idfprod
diff --git a/services/datalinker/values-int.yaml b/services/datalinker/values-int.yaml
index f40119de59..a7ad11d22e 100644
--- a/services/datalinker/values-int.yaml
+++ b/services/datalinker/values-int.yaml
@@ -1,8 +1 @@
-datalinker:
- ingress:
- enabled: true
- host: "lsst-lsp-int.ncsa.illinois.edu"
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret
+# int
diff --git a/services/datalinker/values-minikube.yaml b/services/datalinker/values-minikube.yaml
index 0ddc95f5a5..6b974f9237 100644
--- a/services/datalinker/values-minikube.yaml
+++ b/services/datalinker/values-minikube.yaml
@@ -1,8 +1 @@
-datalinker:
- ingress:
- enabled: true
- host: "minikube.lsst.cloud"
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/minikube.lsst.codes/pull-secret
+# minikube
diff --git a/services/datalinker/values-stable.yaml b/services/datalinker/values-stable.yaml
index eadcb995c2..ae6951bc3b 100644
--- a/services/datalinker/values-stable.yaml
+++ b/services/datalinker/values-stable.yaml
@@ -1,8 +1 @@
-datalinker:
- ingress:
- enabled: true
- host: "lsst-lsp-stable.ncsa.illinois.edu"
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret
+# stable
diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml
new file mode 100644
index 0000000000..78a19a8537
--- /dev/null
+++ b/services/datalinker/values.yaml
@@ -0,0 +1,81 @@ +# Default values for datalinker. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of web deployment pods to start +replicaCount: 1 + +image: + # -- Image to use in the datalinker deployment + repository: lsstsqre/datalinker + + # -- Pull policy for the datalinker image + pullPolicy: Always + + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" + +# -- Secret names to use for all Docker pulls +imagePullSecrets: + - name: "pull-secret" + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# -- Annotations for the datalinker deployment pod +podAnnotations: {} + +service: + # -- Type of service to create + type: ClusterIP + + # -- Port of the service to create and map to the ingress + port: 8080 + +ingress: + # -- Create an ingress resource + enabled: true + + # -- Hostname of the deployment to run behind + host: "" + + # -- Gafaelfawr auth query string (default, unauthenticated) + gafaelfawrAuthQuery: "" + + # -- Additional annotations for the ingress rule + annotations: {} + + # -- Path type for the ingress rule + pathType: ImplementationSpecific + + # -- URL path to dispatch to the datalinker deployment pod + path: "/api/datalink" + +# -- Resource limits and requests for the datalinker deployment pod +resources: {} + +autoscaling: + # -- Enable autoscaling of datalinker deployment + enabled: false + + # -- Minimum number of datalinker deployment pods + minReplicas: 1 + + # -- Maximum number of datalinker deployment pods + maxReplicas: 100 + + # -- Target CPU utilization of datalinker deployment pods + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- Node selection rules for the datalinker deployment pod +nodeSelector: {} + +# -- Tolerations for the datalinker deployment pod +tolerations: [] + +# -- Affinity rules for the 
datalinker deployment pod +affinity: {} From 8878274275e036ccc2b40f79ebda6087f025ed13 Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 19 Apr 2022 09:49:45 -0700 Subject: [PATCH 0400/1479] Revert changes for not-yet-migrated-apps --- .../templates/alert-stream-broker-application.yaml | 10 +--------- science-platform/templates/argocd-application.yaml | 10 +--------- .../templates/exposurelog-application.yaml | 11 ++--------- .../templates/ingress-nginx-application.yaml | 10 +--------- .../templates/moneypenny-application.yaml | 10 +--------- .../templates/narrativelog-application.yaml | 11 ++--------- science-platform/templates/nublado2-application.yaml | 7 ------- science-platform/templates/obstap-application.yaml | 10 +--------- .../templates/plot-navigator-application.yaml | 10 +--------- science-platform/templates/postgres-application.yaml | 10 +--------- science-platform/templates/sasquatch-application.yaml | 11 ++--------- science-platform/templates/sherlock-application.yaml | 10 +--------- .../templates/squash-api-application.yaml | 10 +--------- science-platform/templates/strimzi-application.yaml | 10 +--------- .../strimzi-registry-operator-application.yaml | 10 +--------- science-platform/templates/tap-application.yaml | 10 +--------- science-platform/templates/telegraf-application.yaml | 4 ++-- .../templates/telegraf-ds-application.yaml | 4 ++-- .../templates/vault-secrets-operator-application.yaml | 10 +--------- 19 files changed, 23 insertions(+), 155 deletions(-) diff --git a/science-platform/templates/alert-stream-broker-application.yaml b/science-platform/templates/alert-stream-broker-application.yaml index 865c70a1f3..b72ce4d286 100644 --- a/science-platform/templates/alert-stream-broker-application.yaml +++ b/science-platform/templates/alert-stream-broker-application.yaml 
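Review bot: `ingress.host: ""` is documented as the hostname to run behind, but none of the new templates read it — ingress.yaml uses `.Values.global.host` — so it is dead configuration an operator could set with no effect, while the `global.host` and `global.vaultSecretsPath` keys the templates do depend on are neither declared nor documented in this values.yaml. Drop `host` and add a documented `global:` stanza, e.g. `global:` / `  # -- Hostname for the ingress and auth redirects; injected by Argo CD` / `  host: ""`, with the same for `vaultSecretsPath`. The `gafaelfawrAuthQuery: ""` default leaves `/api/datalink` without Gafaelfawr protection; that matches the per-environment values this commit removes, which set no auth annotation, but the comment should say so explicitly so it reads as a deliberate choice rather than an omission.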
@@ -24,14 +24,6 @@ spec:
 repoURL: {{ .Values.repoURL }}
 targetRevision: {{ .Values.revision }}
 helm:
- parameters:
- - name: "global.host"
- value: {{ .Values.fqdn | quote }}
- - name: "global.baseUrl"
- value: "https://{{ .Values.fqdn }}"
- - name: "global.vaultSecretsPath"
- value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
- - "values.yaml"
- - "values-{{ .Values.environment }}.yaml"
+ - values-{{ .Values.environment }}.yaml
 {{- end -}}
diff --git a/science-platform/templates/argocd-application.yaml b/science-platform/templates/argocd-application.yaml
index a49eaf3efb..ea9379a8f9 100644
--- a/science-platform/templates/argocd-application.yaml
+++ b/science-platform/templates/argocd-application.yaml
@@ -15,13 +15,5 @@ spec:
 repoURL: {{ .Values.repoURL }}
 targetRevision: {{ .Values.revision }}
 helm:
- parameters:
- - name: "global.host"
- value: {{ .Values.fqdn | quote }}
- - name: "global.baseUrl"
- value: "https://{{ .Values.fqdn }}"
- - name: "global.vaultSecretsPath"
- value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
- - "values.yaml"
- - "values-{{ .Values.environment }}.yaml"
+ - values-{{ .Values.environment }}.yaml
diff --git a/science-platform/templates/exposurelog-application.yaml b/science-platform/templates/exposurelog-application.yaml
index 3e06116112..76e3bc5bea 100644
--- a/science-platform/templates/exposurelog-application.yaml
+++ b/science-platform/templates/exposurelog-application.yaml
@@ -21,14 +21,7 @@ spec:
 repoURL: {{ .Values.repoURL }}
 targetRevision: {{ .Values.revision }}
 helm:
- parameters:
- - name: "global.host"
- value: {{ .Values.fqdn | quote }}
- - name: "global.baseUrl"
- value: "https://{{ .Values.fqdn }}"
- - name: "global.vaultSecretsPath"
- value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
- - "values.yaml"
- - "values-{{ .Values.environment }}.yaml"
+ - values.yaml
+ - values-{{ .Values.environment }}.yaml
 {{- end -}}
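Review bot: In the exposurelog hunk the retained valueFiles entries change from `- "values.yaml"` to the bare `- values.yaml` and `- values-{{ .Values.environment }}.yaml`, while the nublado2 hunk in this same commit keeps them quoted; the plain form is harmless for these names but leaves the Application templates in two styles (narrativelog makes the same change). Keep `- "values.yaml"` and `- "values-{{ .Values.environment }}.yaml"` quoted so a templated scalar never starts a value unquoted.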
diff --git a/science-platform/templates/ingress-nginx-application.yaml b/science-platform/templates/ingress-nginx-application.yaml
index 7a34477e13..e720da8484 100644
--- a/science-platform/templates/ingress-nginx-application.yaml
+++ b/science-platform/templates/ingress-nginx-application.yaml
@@ -24,14 +24,6 @@ spec:
 repoURL: {{ .Values.repoURL }}
 targetRevision: {{ .Values.revision }}
 helm:
- parameters:
- - name: "global.host"
- value: {{ .Values.fqdn | quote }}
- - name: "global.baseUrl"
- value: "https://{{ .Values.fqdn }}"
- - name: "global.vaultSecretsPath"
- value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
- - "values.yaml"
- - "values-{{ .Values.environment }}.yaml"
+ - values-{{ .Values.environment }}.yaml
 {{- end -}}
diff --git a/science-platform/templates/moneypenny-application.yaml b/science-platform/templates/moneypenny-application.yaml
index 17d8518649..c6dea1081e 100644
--- a/science-platform/templates/moneypenny-application.yaml
+++ b/science-platform/templates/moneypenny-application.yaml
@@ -24,14 +24,6 @@ spec:
 repoURL: {{ .Values.repoURL }}
 targetRevision: {{ .Values.revision }}
 helm:
- parameters:
- - name: "global.host"
- value: {{ .Values.fqdn | quote }}
- - name: "global.baseUrl"
- value: "https://{{ .Values.fqdn }}"
- - name: "global.vaultSecretsPath"
- value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
- - "values.yaml"
- - "values-{{ .Values.environment }}.yaml"
+ - values-{{ .Values.environment }}.yaml
 {{- end -}}
diff --git a/science-platform/templates/narrativelog-application.yaml b/science-platform/templates/narrativelog-application.yaml
index 3b903ba92d..d12d0e3572 100644
--- a/science-platform/templates/narrativelog-application.yaml
+++ b/science-platform/templates/narrativelog-application.yaml
@@ -21,14 +21,7 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values.yaml + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/nublado2-application.yaml b/science-platform/templates/nublado2-application.yaml index 6ec05a1abd..e6dae13b3f 100644 --- a/science-platform/templates/nublado2-application.yaml +++ b/science-platform/templates/nublado2-application.yaml @@ -24,13 +24,6 @@ spec: repoURL: {{ .Values.repoURL | quote }} targetRevision: {{ .Values.revision | quote }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" - "values-{{ .Values.environment }}.yaml" diff --git a/science-platform/templates/obstap-application.yaml b/science-platform/templates/obstap-application.yaml index 5abc556119..e1a5656445 100644 --- a/science-platform/templates/obstap-application.yaml +++ b/science-platform/templates/obstap-application.yaml @@ -24,14 +24,6 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} 
diff --git a/science-platform/templates/plot-navigator-application.yaml b/science-platform/templates/plot-navigator-application.yaml index 7277904dda..25235b6de0 100644 --- a/science-platform/templates/plot-navigator-application.yaml +++ b/science-platform/templates/plot-navigator-application.yaml @@ -21,14 +21,6 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/postgres-application.yaml b/science-platform/templates/postgres-application.yaml index 6d8e11e97e..03d0b0c3d8 100644 --- a/science-platform/templates/postgres-application.yaml +++ b/science-platform/templates/postgres-application.yaml @@ -21,14 +21,6 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/sasquatch-application.yaml b/science-platform/templates/sasquatch-application.yaml index 976de21e7f..da996432b0 100644 --- a/science-platform/templates/sasquatch-application.yaml +++ b/science-platform/templates/sasquatch-application.yaml 
@@ -24,14 +24,7 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values.yaml + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/sherlock-application.yaml b/science-platform/templates/sherlock-application.yaml index 9c032cd1d5..73463b63f9 100644 --- a/science-platform/templates/sherlock-application.yaml +++ b/science-platform/templates/sherlock-application.yaml @@ -24,14 +24,6 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/squash-api-application.yaml b/science-platform/templates/squash-api-application.yaml index f04026ded0..4c326dc1e5 100644 --- a/science-platform/templates/squash-api-application.yaml +++ b/science-platform/templates/squash-api-application.yaml @@ -24,14 +24,6 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} 
diff --git a/science-platform/templates/strimzi-application.yaml b/science-platform/templates/strimzi-application.yaml index f455ae0399..d6aff0963b 100644 --- a/science-platform/templates/strimzi-application.yaml +++ b/science-platform/templates/strimzi-application.yaml @@ -24,14 +24,6 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/strimzi-registry-operator-application.yaml b/science-platform/templates/strimzi-registry-operator-application.yaml index 79f2be8d14..967f6aec12 100644 --- a/science-platform/templates/strimzi-registry-operator-application.yaml +++ b/science-platform/templates/strimzi-registry-operator-application.yaml @@ -24,14 +24,6 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/tap-application.yaml b/science-platform/templates/tap-application.yaml index c3419dca62..5f570f0717 100644 --- a/science-platform/templates/tap-application.yaml +++ b/science-platform/templates/tap-application.yaml 
@@ -24,14 +24,6 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/telegraf-application.yaml b/science-platform/templates/telegraf-application.yaml index c0dd9eae80..d973ed5c84 100644 --- a/science-platform/templates/telegraf-application.yaml +++ b/science-platform/templates/telegraf-application.yaml @@ -33,7 +33,7 @@ spec: - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values.yaml + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/telegraf-ds-application.yaml b/science-platform/templates/telegraf-ds-application.yaml index b942c0c8f8..330e461e38 100644 --- a/science-platform/templates/telegraf-ds-application.yaml +++ b/science-platform/templates/telegraf-ds-application.yaml @@ -32,6 +32,6 @@ spec: - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values.yaml + - values-{{ .Values.environment }}.yaml {{- end -}} diff --git a/science-platform/templates/vault-secrets-operator-application.yaml b/science-platform/templates/vault-secrets-operator-application.yaml index a25a0142f9..3eb50571bb 100644 --- a/science-platform/templates/vault-secrets-operator-application.yaml +++ b/science-platform/templates/vault-secrets-operator-application.yaml 
@@ -16,14 +16,6 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} From 1435a38287b870b839aaf6d63c5b94b66231d163 Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 19 Apr 2022 09:59:59 -0700 Subject: [PATCH 0401/1479] Address RRA commentary --- services/cachemachine/Chart.yaml | 3 -- .../cachemachine/templates/deployment.yaml | 4 +-- services/cachemachine/templates/ingress.yaml | 6 ++-- ...lt-pull-secret.yaml => vault-secrets.yaml} | 0 services/cachemachine/values.yaml | 6 ---- services/datalinker/templates/NOTES.txt | 22 ------------ services/datalinker/templates/deployment.yaml | 4 +-- services/datalinker/templates/ingress.yaml | 27 ++++++-------- .../datalinker/templates/networkpolicy.yaml | 2 -- services/datalinker/templates/service.yaml | 4 +-- ...lt-pull-secret.yaml => vault-secrets.yaml} | 0 services/datalinker/values-idfdev.yaml | 1 - services/datalinker/values-idfint.yaml | 1 - services/datalinker/values-idfprod.yaml | 1 - services/datalinker/values-int.yaml | 1 - services/datalinker/values-minikube.yaml | 1 - services/datalinker/values-stable.yaml | 1 - services/datalinker/values.yaml | 35 ++++--------------- 18 files changed, 23 insertions(+), 96 deletions(-) rename services/cachemachine/templates/{vault-pull-secret.yaml => vault-secrets.yaml} (100%) delete mode 100644 services/datalinker/templates/NOTES.txt rename services/datalinker/templates/{vault-pull-secret.yaml => vault-secrets.yaml} (100%) diff --git a/services/cachemachine/Chart.yaml b/services/cachemachine/Chart.yaml index 1b51c7f316..389c9d25fe 100644 --- a/services/cachemachine/Chart.yaml 
+++ b/services/cachemachine/Chart.yaml @@ -3,6 +3,3 @@ name: cachemachine version: 1.0.0 appVersion: 1.2.0 description: Service to prepull Docker images for the Science Platform -maintainers: - - name: cbanek - - name: athornton diff --git a/services/cachemachine/templates/deployment.yaml b/services/cachemachine/templates/deployment.yaml index a6c8f5ca2c..91344b8df5 100644 --- a/services/cachemachine/templates/deployment.yaml +++ b/services/cachemachine/templates/deployment.yaml @@ -19,10 +19,8 @@ spec: labels: {{- include "cachemachine.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + - name: pull-secret serviceAccountName: {{ template "cachemachine.serviceAccountName" . }} securityContext: runAsNonRoot: true diff --git a/services/cachemachine/templates/ingress.yaml b/services/cachemachine/templates/ingress.yaml index f7f5c119ca..3c122e4417 100644 --- a/services/cachemachine/templates/ingress.yaml +++ b/services/cachemachine/templates/ingress.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -7,8 +6,8 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.global.host }}/login" - nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} @@ -38,4 +37,3 @@ spec: secretName: {{ .secretName }} {{- end }} {{- end }} -{{- end }} 
diff --git a/services/cachemachine/templates/vault-pull-secret.yaml b/services/cachemachine/templates/vault-secrets.yaml similarity index 100% rename from services/cachemachine/templates/vault-pull-secret.yaml rename to services/cachemachine/templates/vault-secrets.yaml diff --git a/services/cachemachine/values.yaml b/services/cachemachine/values.yaml index d8b70a92de..cc40a1efdd 100644 --- a/services/cachemachine/values.yaml +++ b/services/cachemachine/values.yaml @@ -18,8 +18,6 @@ image: tag: "" # -- Secret names to use for all Docker pulls -imagePullSecrets: - - name: "pull-secret" serviceAccount: # -- Name of the service account to use # @default -- Name based on the fullname template @@ -72,10 +70,6 @@ tolerations: [] # -- Affinity rules for the cachemachine frontend pod affinity: {} -# -- Path to the Vault secret containing the Docker credentials -# @default -- None, must be set -vaultSecretsPath: "" - # -- Autostart configuration. Each key is the name of a class of images to # pull, and the value is the JSON specification for which and how many images # to pull. diff --git a/services/datalinker/templates/NOTES.txt b/services/datalinker/templates/NOTES.txt deleted file mode 100644 index 87627d7740..0000000000 --- a/services/datalinker/templates/NOTES.txt +++ /dev/null 
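Review bot: The cachemachine values.yaml hunk removes `vaultSecretsPath` (documented as the Vault path for the Docker credentials), but the template that consumed it, `vault-pull-secret.yaml`, is only renamed to `vault-secrets.yaml` at 100% similarity, i.e. unchanged. If that template still references `.Values.vaultSecretsPath`, the VaultSecret path now renders with an empty prefix and the pull secret is never populated; confirm it already reads `.Values.global.vaultSecretsPath`, and consider `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/pull-secret"` so a missing prefix fails at render time instead of producing a wrong Vault lookup. The template body itself is outside this diff.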
@@ -1,22 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "datalinker.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "datalinker.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "datalinker.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "datalinker.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT -{{- end }} diff --git a/services/datalinker/templates/deployment.yaml b/services/datalinker/templates/deployment.yaml index ddc9a4ba3a..b5c5d22a6d 100644 --- a/services/datalinker/templates/deployment.yaml 
+++ b/services/datalinker/templates/deployment.yaml @@ -21,10 +21,8 @@ spec: {{- include "datalinker.selectorLabels" . | nindent 8 }} spec: automountServiceAccountToken: false - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + - name: pull-secret securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml index c1933b76a4..37c6d78fa1 100644 --- a/services/datalinker/templates/ingress.yaml +++ b/services/datalinker/templates/ingress.yaml 
@@ -1,35 +1,30 @@ -{{- if .Values.ingress.enabled -}} {{- $fullName := include "datalinker.fullname" . -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $fullName }} - labels: - {{- include "datalinker.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} annotations: kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery -}} nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.global.host }}/login" - nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} - {{- toYaml . | nindent 4 }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + name: {{ $fullName }} + labels: + {{- include "datalinker.labels" . | nindent 4 }} spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} rules: - - host: {{ required "ingress.host must be set" .Values.global.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: {{ .Values.ingress.path }} - pathType: {{ default "Prefix" .Values.ingress.pathType }} + - path: "/api/datalink" + pathType: ImplementationSpecific backend: service: name: {{ $fullName }} port: - number: {{ .Values.service.port }} -{{- end }} + number: 8080 diff --git a/services/datalinker/templates/networkpolicy.yaml b/services/datalinker/templates/networkpolicy.yaml index 6b228b58a6..0bcf4940a4 100644 --- a/services/datalinker/templates/networkpolicy.yaml +++ b/services/datalinker/templates/networkpolicy.yaml 
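Review bot: The `{{- if .Values.ingress.gafaelfawrAuthQuery -}}` line in datalinker's ingress.yaml (unchanged context, but now the only render path since the `ingress.enabled` gate is gone) trims the newline after the action, so whenever an auth query is set `nginx.ingress.kubernetes.io/auth-method: GET` is glued onto the `kubernetes.io/ingress.class: "nginx"` line and the rendered manifest is invalid YAML; drop the trailing dash as exposurelog's template does: `{{- if .Values.ingress.gafaelfawrAuthQuery }}`. Separately, the Ingress is now always created and `gafaelfawrAuthQuery` defaults to `""` (unauthenticated) while every per-environment values file in this commit is emptied, so the datalink API appears to be exposed without Gafaelfawr in all environments. If that is intended for a public VO endpoint, say so in the comment on the `gafaelfawrAuthQuery` default; otherwise set the scope query in the environment files.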
@@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -20,4 +19,3 @@ spec: ports: - protocol: "TCP" port: 8080 -{{- end }} diff --git a/services/datalinker/templates/service.yaml b/services/datalinker/templates/service.yaml index b24cc11a8b..9f0673808b 100644 --- a/services/datalinker/templates/service.yaml +++ b/services/datalinker/templates/service.yaml @@ -5,9 +5,9 @@ metadata: labels: {{- include "datalinker.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: ClusterIP ports: - - port: {{ .Values.service.port }} + - port: 8080 targetPort: http protocol: TCP name: http diff --git a/services/datalinker/templates/vault-pull-secret.yaml b/services/datalinker/templates/vault-secrets.yaml similarity index 100% rename from services/datalinker/templates/vault-pull-secret.yaml rename to services/datalinker/templates/vault-secrets.yaml diff --git a/services/datalinker/values-idfdev.yaml b/services/datalinker/values-idfdev.yaml index 548f8dffd2..e69de29bb2 100644 --- a/services/datalinker/values-idfdev.yaml +++ b/services/datalinker/values-idfdev.yaml @@ -1 +0,0 @@ -# idfdev diff --git a/services/datalinker/values-idfint.yaml b/services/datalinker/values-idfint.yaml index 37cd8a5ecf..e69de29bb2 100644 --- a/services/datalinker/values-idfint.yaml +++ b/services/datalinker/values-idfint.yaml @@ -1 +0,0 @@ -# idfint diff --git a/services/datalinker/values-idfprod.yaml b/services/datalinker/values-idfprod.yaml index 40d46707e4..e69de29bb2 100644 --- a/services/datalinker/values-idfprod.yaml +++ b/services/datalinker/values-idfprod.yaml @@ -1 +0,0 @@ -# idfprod diff --git a/services/datalinker/values-int.yaml b/services/datalinker/values-int.yaml index a7ad11d22e..e69de29bb2 100644 --- a/services/datalinker/values-int.yaml +++ b/services/datalinker/values-int.yaml @@ -1 +0,0 @@ -# int 
diff --git a/services/datalinker/values-minikube.yaml b/services/datalinker/values-minikube.yaml index 6b974f9237..e69de29bb2 100644 --- a/services/datalinker/values-minikube.yaml +++ b/services/datalinker/values-minikube.yaml @@ -1 +0,0 @@ -# minikube diff --git a/services/datalinker/values-stable.yaml b/services/datalinker/values-stable.yaml index ae6951bc3b..e69de29bb2 100644 --- a/services/datalinker/values-stable.yaml +++ b/services/datalinker/values-stable.yaml @@ -1 +0,0 @@ -# stable diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml index 78a19a8537..50837c6341 100644 --- a/services/datalinker/values.yaml +++ b/services/datalinker/values.yaml @@ -2,6 +2,12 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + # -- Number of web deployment pods to start replicaCount: 1 
@@ -15,45 +21,16 @@ image: # -- Overrides the image tag whose default is the chart appVersion. tag: "" -# -- Secret names to use for all Docker pulls -imagePullSecrets: - - name: "pull-secret" - -# -- Override the base name for resources -nameOverride: "" - -# -- Override the full name for resources (includes the release name) -fullnameOverride: "" - # -- Annotations for the datalinker deployment pod podAnnotations: {} -service: - # -- Type of service to create - type: ClusterIP - - # -- Port of the service to create and map to the ingress - port: 8080 - ingress: - # -- Create an ingress resource - enabled: true - - # -- Hostname of the deployment to run behind - host: "" - # -- Gafaelfawr auth query string (default, unauthenticated) gafaelfawrAuthQuery: "" # -- Additional annotations for the ingress rule annotations: {} - # -- Path type for the ingress rule - pathType: ImplementationSpecific - - # -- URL path to dispatch to the datalinker deployment pod - path: "/api/datalink" - # -- Resource limits and requests for the datalinker deployment pod resources: {} From 6b39e2fd40f645c5738c6e908521d861e2ec0990 Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 19 Apr 2022 10:49:15 -0700 Subject: [PATCH 0402/1479] DRY out exposurelog --- .../templates/exposurelog-application.yaml | 11 ++++++-- .../exposurelog/templates/deployment.yaml | 4 +-- services/exposurelog/templates/ingress.yaml | 18 +++++------- services/exposurelog/templates/service.yaml | 4 +-- .../exposurelog/templates/vault-secrets.yaml | 12 +++++++- services/exposurelog/values-base.yaml | 10 ------- services/exposurelog/values-roe.yaml | 10 ------- services/exposurelog/values-summit.yaml | 10 ------- .../exposurelog/values-tucson-teststand.yaml | 9 ------ services/exposurelog/values.yaml | 28 ++----------------- 10 files changed, 32 insertions(+), 84 deletions(-) 
diff --git a/science-platform/templates/exposurelog-application.yaml b/science-platform/templates/exposurelog-application.yaml index 76e3bc5bea..3e06116112 100644 --- a/science-platform/templates/exposurelog-application.yaml +++ b/science-platform/templates/exposurelog-application.yaml @@ -21,7 +21,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml index 6fd1c3b784..0c97d224d5 100644 --- a/services/exposurelog/templates/deployment.yaml +++ b/services/exposurelog/templates/deployment.yaml @@ -20,10 +20,8 @@ spec: labels: {{- include "exposurelog.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + name: pull-secret securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/services/exposurelog/templates/ingress.yaml b/services/exposurelog/templates/ingress.yaml index bda7b27988..6b7dde57f2 100644 --- a/services/exposurelog/templates/ingress.yaml +++ b/services/exposurelog/templates/ingress.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
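Review bot: The added `imagePullSecrets` entry in exposurelog's deployment.yaml is missing the sequence dash: the new side reads `imagePullSecrets:` followed by `name: pull-secret`, which renders a mapping where PodSpec expects a list of LocalObjectReference, so the API server should reject the Deployment. The cachemachine and datalinker hunks in PATCH 0401 write `- name: pull-secret` for the same change. Whitespace is collapsed in this view, so confirm against the file, but the absent `-` is visible; change it to `imagePullSecrets:` / `  - name: pull-secret`. The surrounding pod spec continues outside the hunk.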
@@ -10,25 +9,22 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login" - nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} rules: - - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: {{ default "/exposurelog" .Values.ingress.path }} - pathType: {{ default "Prefix" .Values.ingress.pathType }} + - path: "/exposurelog" + pathType: "Prefix" backend: service: name: {{ include "exposurelog.fullname" . }} port: - number: {{ .Values.service.port }} -{{- end }} + number: 8080 + diff --git a/services/exposurelog/templates/service.yaml b/services/exposurelog/templates/service.yaml index d482f5c0fc..fcef7a178c 100644 --- a/services/exposurelog/templates/service.yaml +++ b/services/exposurelog/templates/service.yaml @@ -5,9 +5,9 @@ metadata: labels: {{- include "exposurelog.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: ClusterIP ports: - - port: {{ .Values.service.port }} + - port: 8080 targetPort: http protocol: TCP name: http diff --git a/services/exposurelog/templates/vault-secrets.yaml b/services/exposurelog/templates/vault-secrets.yaml index 997bfec204..161d7cf3fa 100644 
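Review bot: In exposurelog's ingress.yaml the rule host is guarded with `required "global.host must be set"`, but the auth annotations interpolate `.Values.global.baseUrl` unguarded; an unset baseUrl renders `auth-url: "/auth?..."`, a relative URL that ingress-nginx cannot usefully call, so the failure surfaces on requests rather than at render time. Guard it the same way: `nginx.ingress.kubernetes.io/auth-signin: "{{ required "global.baseUrl must be set" .Values.global.baseUrl }}/login"`, and likewise for `auth-url`. The new side also appends an empty line after `number: 8080`, which yamllint will flag as trailing blank space.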
--- a/services/exposurelog/templates/vault-secrets.yaml +++ b/services/exposurelog/templates/vault-secrets.yaml @@ -4,5 +4,15 @@ metadata: name: postgres namespace: exposurelog spec: - path: {{ .Values.vault_path }} + path: "{{- .Values.global.vaultSecretsPath }}/postgres" type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "exposurelog.labels" . | nindent 4 }} +spec: + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + type: kubernetes.io/dockerconfigjson diff --git a/services/exposurelog/values-base.yaml b/services/exposurelog/values-base.yaml index 0f98352715..d003906f49 100644 --- a/services/exposurelog/values-base.yaml +++ b/services/exposurelog/values-base.yaml @@ -6,13 +6,3 @@ config: # Note: exposurelog's Dockerfile copies the test repos to the top of the container butler_uri_1: LSSTCam butler_uri_2: LATISS - -ingress: - enabled: true - host: base-lsp.lsst.codes - -vault_path: secret/k8s_operator/base-lsp.lsst.codes/postgres - -pull-secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret diff --git a/services/exposurelog/values-roe.yaml b/services/exposurelog/values-roe.yaml index 373287d991..d003906f49 100644 --- a/services/exposurelog/values-roe.yaml +++ b/services/exposurelog/values-roe.yaml @@ -6,13 +6,3 @@ config: # Note: exposurelog's Dockerfile copies the test repos to the top of the container butler_uri_1: LSSTCam butler_uri_2: LATISS - -ingress: - enabled: true - host: rsp.lsst.ac.uk - -vault_path: secret/k8s_operator/roe/postgres - -pull-secret: - enabled: true - path: secret/k8s_operator/roe/pull-secret diff --git a/services/exposurelog/values-summit.yaml b/services/exposurelog/values-summit.yaml index 3b11807de2..f11baa0cbf 100644 --- a/services/exposurelog/values-summit.yaml +++ b/services/exposurelog/values-summit.yaml 
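Review bot: The two VaultSecrets in this hunk are placed differently: the existing `postgres` secret hardcodes `namespace: exposurelog` while the new `pull-secret` has no namespace and lands in the release namespace, so deploying to any other namespace splits them and the Deployment's `pull-secret` reference would not resolve. Drop the hardcoded namespace, or set both from `.Release.Namespace`. The `{{-` inside the quoted path trims nothing because `"` precedes it; `path: "{{ .Values.global.vaultSecretsPath }}/postgres"` is clearer. Since the per-site files no longer pin `secret/k8s_operator/<site>/postgres`, verify that each site's `vault_path_prefix` resolves to the same prefix, otherwise the secret silently points at a different Vault path.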
@@ -7,13 +7,3 @@ config: nfs_path_2: /repo/LATISS # Mounted as /volume_2 nfs_server_2: auxtel-archiver.cp.lsst.org butler_uri_2: /volume_2 - -ingress: - enabled: true - host: summit-lsp.lsst.codes - -vault_path: secret/k8s_operator/summit-lsp.lsst.codes/postgres - -pull-secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret diff --git a/services/exposurelog/values-tucson-teststand.yaml b/services/exposurelog/values-tucson-teststand.yaml index 389d313319..c0c9e0ef1f 100644 --- a/services/exposurelog/values-tucson-teststand.yaml +++ b/services/exposurelog/values-tucson-teststand.yaml @@ -7,12 +7,3 @@ config: butler_uri_1: LSSTCam butler_uri_2: LATISS -ingress: - enabled: true - host: tucson-teststand.lsst.codes - -vault_path: secret/k8s_operator/tucson-teststand.lsst.codes/postgres - -pull-secret: - enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret diff --git a/services/exposurelog/values.yaml b/services/exposurelog/values.yaml index ebba6937eb..4615d58a4e 100644 --- a/services/exposurelog/values.yaml +++ b/services/exposurelog/values.yaml @@ -1,6 +1,8 @@ # Default values for exposurelog. # This is a YAML-formatted file. # Declare variables to be passed into your templates. +nameOverride: "" +fullnameOverride: "" replicaCount: 1 @@ -36,28 +38,6 @@ config: # Sandboxes should use `test`. site_id: "" -# Site-specific values files should specify: -# -# ingress: -# enabled: true -# host: ... -# -# vault-path: secret/k8s_operator/.../postgres -# -# pull-secret: -# enabled: true -# path: secret/k8s_operator/.../pull-secret - -# This is needed for the CI job to run -ingress: - enabled: false - -imagePullSecrets: - - name: pull-secret - -nameOverride: "" -fullnameOverride: "" - podAnnotations: {} podSecurityContext: {} 
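Review bot: Removing the `ingress:` block from exposurelog's values.yaml leaves no default for `.Values.ingress`, while templates/ingress.yaml still evaluates `.Values.ingress.gafaelfawrAuthQuery` and `.Values.ingress.annotations`; with the key absent Helm aborts with a nil-pointer evaluation error, and the per-site files in this commit drop their `ingress:` keys as well. Unless `ingress:` is defined elsewhere in values.yaml outside this hunk, restore a default, e.g. `ingress:` / `  gafaelfawrAuthQuery: ""` / `  annotations: {}`, as datalinker's values.yaml keeps. The removed `enabled: false` was commented as needed for CI; with the `enabled` gate gone from the template, CI renders will also need `global.host` set to satisfy the `required` guard.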
@@ -71,10 +51,6 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 -service: - type: ClusterIP - port: 8080 - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little From 5be85ff528dd416fd98c3859a352749b20f5ebcb Mon Sep 17 00:00:00 2001 
From: adam Date: Tue, 19 Apr 2022 11:04:12 -0700 Subject: [PATCH 0403/1479] DRY out Moneypenny --- .../templates/moneypenny-application.yaml | 10 +- services/datalinker/README.md | 43 +++++++ services/exposurelog/Chart.yaml | 2 - services/exposurelog/README.md | 9 +- services/moneypenny/Chart.yaml | 11 +- services/moneypenny/README.md | 38 +++++++ services/moneypenny/templates/_helpers.tpl | 60 ++++++++++ .../moneypenny/templates/cm-m-config.yaml | 9 ++ services/moneypenny/templates/cm-quips.yaml | 9 ++ services/moneypenny/templates/configmap.yaml | 12 ++ services/moneypenny/templates/deployment.yaml | 96 ++++++++++++++++ services/moneypenny/templates/ingress.yaml | 36 ++++++ .../moneypenny/templates/networkpolicy.yaml | 23 ++++ services/moneypenny/templates/role.yaml | 21 ++++ .../moneypenny/templates/rolebinding.yaml | 13 +++ services/moneypenny/templates/service.yaml | 15 +++ .../moneypenny/templates/serviceaccount.yaml | 8 ++ .../moneypenny/templates/vault-secrets.yaml | 9 ++ services/moneypenny/values-base.yaml | 40 +++---- services/moneypenny/values-idfdev.yaml | 40 +++---- services/moneypenny/values-idfint.yaml | 40 +++---- services/moneypenny/values-idfprod.yaml | 40 +++---- services/moneypenny/values-int.yaml | 11 -- services/moneypenny/values-minikube.yaml | 9 -- services/moneypenny/values-roe.yaml | 30 ++--- services/moneypenny/values-stable.yaml | 11 -- services/moneypenny/values-summit.yaml | 40 +++---- .../moneypenny/values-tucson-teststand.yaml | 40 +++---- services/moneypenny/values.yaml | 107 ++++++++++++++++++ 29 files changed, 616 insertions(+), 216 deletions(-) create mode 100644 services/datalinker/README.md create mode 100644 services/moneypenny/README.md create mode 100644 services/moneypenny/templates/_helpers.tpl create mode 100644 services/moneypenny/templates/cm-m-config.yaml create mode 100644 services/moneypenny/templates/cm-quips.yaml create mode 100644 services/moneypenny/templates/configmap.yaml create mode 100644 
services/moneypenny/templates/deployment.yaml create mode 100644 services/moneypenny/templates/ingress.yaml create mode 100644 services/moneypenny/templates/networkpolicy.yaml create mode 100644 services/moneypenny/templates/role.yaml create mode 100644 services/moneypenny/templates/rolebinding.yaml create mode 100644 services/moneypenny/templates/service.yaml create mode 100644 services/moneypenny/templates/serviceaccount.yaml create mode 100644 services/moneypenny/templates/vault-secrets.yaml create mode 100644 services/moneypenny/values.yaml diff --git a/science-platform/templates/moneypenny-application.yaml b/science-platform/templates/moneypenny-application.yaml index c6dea1081e..17d8518649 100644 --- a/science-platform/templates/moneypenny-application.yaml +++ b/science-platform/templates/moneypenny-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/datalinker/README.md b/services/datalinker/README.md new file mode 100644 index 0000000000..b437479c17 --- /dev/null +++ b/services/datalinker/README.md 
@@ -0,0 +1,43 @@ +# datalinker + +![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +A Helm chart for Kubernetes + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| cbanek | | | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the datalinker deployment pod | +| autoscaling.enabled | bool | `false` | Enable autoscaling of datalinker deployment | +| autoscaling.maxReplicas | int | `100` | Maximum number of datalinker deployment pods | +| autoscaling.minReplicas | int | `1` | Minimum number of datalinker deployment pods | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of datalinker deployment pods | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| image.pullPolicy | string | `"Always"` | Pull policy for the datalinker image | +| image.repository | string | `"lsstsqre/datalinker"` | Image to use in the datalinker deployment | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. 
| +| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.enabled | bool | `true` | Create an ingress resource | +| ingress.gafaelfawrAuthQuery | string | `""` | Gafaelfawr Auth Query string (default, unauthenticated) gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" | +| ingress.host | string | `""` | Hostname of the deployment to run behind | +| ingress.path | string | `"/api/datalink"` | URL path to dispatch to the datalinker deployment pod | +| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selection rules for the datalinker deployment pod | +| podAnnotations | object | `{}` | Annotations for the datalinker deployment pod | +| replicaCount | int | `1` | Number of web deployment pods to start | +| resources | object | `{}` | Resource limits and requests for the datalinker deployment pod | +| service.port | int | `8080` | Port of the service to create and map to the ingress | +| service.type | string | `"ClusterIP"` | Type of service to create | +| tolerations | list | `[]` | Tolerations for the datalinker deployment pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml index 445cfe3ddb..6aead4253c 100644 --- a/services/exposurelog/Chart.yaml +++ b/services/exposurelog/Chart.yaml @@ -1,8 +1,6 @@ apiVersion: v2 name: exposurelog description: Exposure log service -maintainers: - - name: r-owen type: application # The chart version. SQuaRE convention is to use 1.0.0 
diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index 57fb6d63ff..a22c611efb 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -1,5 +1,7 @@ # exposurelog +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.9.2](https://img.shields.io/badge/AppVersion-0.9.2-informational?style=flat-square) + Exposure log service ## Values @@ -22,8 +24,6 @@ Exposure log service | image.pullPolicy | string | `"Always"` | | | image.repository | string | `"lsstsqre/exposurelog"` | | | image.tag | string | `""` | | -| imagePullSecrets[0].name | string | `"pull-secret"` | | -| ingress.enabled | bool | `false` | | | nameOverride | string | `""` | | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | @@ -31,6 +31,7 @@ Exposure log service | replicaCount | int | `1` | | | resources | object | `{}` | | | securityContext | object | `{}` | | -| service.port | int | `8080` | | -| service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/moneypenny/Chart.yaml b/services/moneypenny/Chart.yaml index 4838f807ed..87ac28939a 100644 --- a/services/moneypenny/Chart.yaml +++ b/services/moneypenny/Chart.yaml @@ -1,10 +1,5 @@ apiVersion: v2 +appVersion: "1.0.0" +description: User provisioning actions for the Science Platform name: moneypenny -version: 1.0.0 -dependencies: - - name: moneypenny - version: 1.0.2 - repository: https://lsst-sqre.github.io/charts/ - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ +version: 1.0.2 
diff --git a/services/moneypenny/README.md b/services/moneypenny/README.md new file mode 100644 index 0000000000..3c1df24aa6 --- /dev/null +++ b/services/moneypenny/README.md 
@@ -0,0 +1,38 @@ +# moneypenny + +![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +User provisioning actions for the Science Platform + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| athornton | | | +| rra | | | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the vo-cutouts frontend pod | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the moneypenny image | +| image.repository | string | `"lsstsqre/moneypenny"` | moneypenny image to use | +| image.tag | string | The appVersion of the chart | Tag of moneypenny image to use | +| ingress.gafaelfawrAuthQuery | string | `"scope=admin:provision"` | Gafaelfawr auth query string | +| ingress.tls | list | `[]` | Configure TLS for the ingress if needed. If multiple ingresses share the same hostname, only one of them needs a TLS configuration. | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the vo-cutouts frontend pod | +| orders.commission | list | `[{"image":"lsstsqre/farthing","name":"farthing","securityContext":{"allowPrivilegeEscalation":false,"runAsNonRootUser":true,"runAsUser":1000}}]` | List of specifications for containers to run to commission a new user. Each member of the list should set a container `name`, `image`, and `securityContext` and may contain `volumeMounts`. | +| orders.retire | list | `[{"image":"lsstsqre/farthing","name":"farthing","securityContext":{"allowPrivilegeEscalation":false,"runAsNonRootUser":true,"runAsUser":1000}}]` | List of specifications for containers to run to retire a user. 
Each member of the list should set a container `name`, `image`, and `securityContext` and may contain `volumeMounts`. | +| orders.volumes | list | `[]` | Additional volumes to mount when commissioning or retiring users. | +| podAnnotations | object | `{}` | Annotations for the vo-cutouts frontend pod | +| quips | string | A small selection | Moneypenny quotes | +| replicaCount | int | `1` | Number of pods to start | +| resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod | +| serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | +| tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/moneypenny/templates/_helpers.tpl b/services/moneypenny/templates/_helpers.tpl new file mode 100644 index 0000000000..ff1f0f98a7 --- /dev/null +++ b/services/moneypenny/templates/_helpers.tpl 
@@ -0,0 +1,60 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "moneypenny.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "moneypenny.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "moneypenny.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "moneypenny.labels" -}} +app.kubernetes.io/name: {{ include "moneypenny.name" . }} +helm.sh/chart: {{ include "moneypenny.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "moneypenny.selectorLabels" -}} +app.kubernetes.io/name: {{ include "moneypenny.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "moneypenny.serviceAccountName" -}} +{{ default (include "moneypenny.fullname" .) .Values.serviceAccount.name }} +{{- end -}} 
diff --git a/services/moneypenny/templates/cm-m-config.yaml b/services/moneypenny/templates/cm-m-config.yaml new file mode 100644 index 0000000000..5dedc2a46d --- /dev/null +++ b/services/moneypenny/templates/cm-m-config.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "moneypenny.fullname" . }}-m-config + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +data: + m.yaml: | + {{- toYaml .Values.orders | nindent 4 }} diff --git a/services/moneypenny/templates/cm-quips.yaml b/services/moneypenny/templates/cm-quips.yaml new file mode 100644 index 0000000000..a0e9f928ba --- /dev/null +++ b/services/moneypenny/templates/cm-quips.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "moneypenny.fullname" . }}-quips + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +data: + quips.txt: | + {{- .Values.quips | nindent 4 }} diff --git a/services/moneypenny/templates/configmap.yaml b/services/moneypenny/templates/configmap.yaml new file mode 100644 index 0000000000..646d1c8042 --- /dev/null +++ b/services/moneypenny/templates/configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "moneypenny.fullname" .}} + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +data: + SAFIR_NAME: "moneypenny" + SAFIR_PROFILE: "production" + SAFIR_LOGGER: "moneypenny" + SAFIR_LOG_LEVEL: "INFO" + DOCKER_SECRET_NAME: "pull-secret" diff --git a/services/moneypenny/templates/deployment.yaml b/services/moneypenny/templates/deployment.yaml new file mode 100644 index 0000000000..2684cf8eea --- /dev/null +++ b/services/moneypenny/templates/deployment.yaml 
@@ -0,0 +1,96 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "moneypenny.fullname" . }} + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "moneypenny.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/config-m: {{ include (print $.Template.BasePath "/cm-m-config.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "moneypenny.selectorLabels" . | nindent 8 }} + spec: + imagePullSecrets: + - name: "pull-secret" + serviceAccountName: {{ include "moneypenny.serviceAccountName" . }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: "moneypenny" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + envFrom: + - configMapRef: + name: {{ template "moneypenny.fullname" . }} + ports: + - name: "http" + containerPort: 8080 + protocol: "TCP" + livenessProbe: + httpGet: + path: "/" + port: "http" + readinessProbe: + httpGet: + path: "/" + port: "http" + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: "m-config" + mountPath: "/opt/lsst/software/moneypenny/config/M" + readOnly: true + - name: "quips" + mountPath: "/opt/lsst/software/moneypenny/config/quips" + readOnly: true + - name: "podinfo" + mountPath: "/etc/podinfo" + readOnly: true + volumes: + - name: "m-config" + configMap: + name: {{ template "moneypenny.fullname" . }}-m-config + - name: "quips" + configMap: + name: {{ template "moneypenny.fullname" . 
}}-quips + - name: "podinfo" + downwardAPI: + items: + - path: "name" + fieldRef: + fieldPath: "metadata.name" + - path: "uid" + fieldRef: + fieldPath: "metadata.uid" + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/moneypenny/templates/ingress.yaml b/services/moneypenny/templates/ingress.yaml new file mode 100644 index 0000000000..96e59738ff --- /dev/null +++ b/services/moneypenny/templates/ingress.yaml @@ -0,0 +1,36 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/proxy-read-timeout: "310" + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "moneypenny.fullname" . }} + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/moneypenny" + pathType: Prefix + backend: + service: + name: {{ include "moneypenny.fullname" . }} + port: + number: 8080 + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} diff --git a/services/moneypenny/templates/networkpolicy.yaml b/services/moneypenny/templates/networkpolicy.yaml new file mode 100644 index 0000000000..850f72ad2a --- /dev/null +++ b/services/moneypenny/templates/networkpolicy.yaml 
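Review bot: The pod's checksum annotations cover configmap.yaml and cm-m-config.yaml but not cm-quips.yaml, so editing `quips` updates that ConfigMap without rolling the pod that mounts it. Adding `checksum/config-quips: {{ include (print $.Template.BasePath "/cm-quips.yaml") . | sha256sum }}` beside the other two keeps all three mounted ConfigMaps on the same footing. The template also mixes `{{ include "moneypenny.fullname" . }}` and `{{ template "moneypenny.fullname" . }}` for the same helper within one file; every other new template in this commit uses `include`, so using it throughout reads more uniformly.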
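Review bot: The ingress selects its controller with the `kubernetes.io/ingress.class` annotation, which Kubernetes deprecated in favour of `spec.ingressClassName` for `networking.k8s.io/v1` resources; unless the cluster's nginx controller is known to honour only the annotation, `ingressClassName: "nginx"` under `spec` is the supported form. Quoting is inconsistent within the hunk as well: `pathType: Prefix` and `secretName: {{ .secretName }}` are bare while every other scalar is quoted, and a secret name that happens to look like a number or boolean would be retyped by the YAML parser. `pathType: "Prefix"` and `secretName: {{ .secretName | quote }}` match the rest of the template.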
@@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "moneypenny.fullname" . }} + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "moneypenny.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 8080 diff --git a/services/moneypenny/templates/role.yaml b/services/moneypenny/templates/role.yaml new file mode 100644 index 0000000000..0e730dd5fa --- /dev/null +++ b/services/moneypenny/templates/role.yaml @@ -0,0 +1,21 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "moneypenny.serviceAccountName" . }} + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: + - "pods" + verbs: + - "create" + - "delete" + - "get" + - "list" + - "watch" + - apiGroups: [""] + resources: ["configmaps"] + verbs: + - "create" + - "delete" diff --git a/services/moneypenny/templates/rolebinding.yaml b/services/moneypenny/templates/rolebinding.yaml new file mode 100644 index 0000000000..169978eeaf --- /dev/null +++ b/services/moneypenny/templates/rolebinding.yaml @@ -0,0 +1,13 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "moneypenny.serviceAccountName" . }} + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "moneypenny.serviceAccountName" . }} +roleRef: + kind: Role + name: {{ include "moneypenny.serviceAccountName" . }} + apiGroup: rbac.authorization.k8s.io diff --git a/services/moneypenny/templates/service.yaml b/services/moneypenny/templates/service.yaml new file mode 100644 index 0000000000..2b7d9b8da7 --- /dev/null 
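Review bot: The policy admits traffic from any pod in any namespace carrying `gafaelfawr.lsst.io/ingress: "true"`, because `namespaceSelector: {}` matches every namespace; the guard is the label alone, so a pod created with that label anywhere in the cluster reaches port 8080 directly and skips the auth-url check that only the ingress enforces. If the ingress controller lives in a known namespace, restricting the `namespaceSelector` to it (by label) narrows the trust to the intended peer; if the bare label is a deliberate platform-wide convention, a comment saying so would help the next reader. Only `Ingress` is listed under `policyTypes`, so egress from the pod is unrestricted, which is presumably intended since Moneypenny talks to the API server.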
+++ b/services/moneypenny/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "moneypenny.fullname" . }} + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +spec: + type: "ClusterIP" + ports: + - name: "http" + protocol: "TCP" + port: 8080 + targetPort: "http" + selector: + {{- include "moneypenny.selectorLabels" . | nindent 4 }} diff --git a/services/moneypenny/templates/serviceaccount.yaml b/services/moneypenny/templates/serviceaccount.yaml new file mode 100644 index 0000000000..de1cee6e73 --- /dev/null +++ b/services/moneypenny/templates/serviceaccount.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "moneypenny.serviceAccountName" . }} + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +imagePullSecrets: + - name: "pull-secret" diff --git a/services/moneypenny/templates/vault-secrets.yaml b/services/moneypenny/templates/vault-secrets.yaml new file mode 100644 index 0000000000..3be6ea057e --- /dev/null +++ b/services/moneypenny/templates/vault-secrets.yaml @@ -0,0 +1,9 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "moneypenny.labels" . | nindent 4 }} +spec: + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + type: kubernetes.io/dockerconfigjson diff --git a/services/moneypenny/values-base.yaml b/services/moneypenny/values-base.yaml index b400c84e39..3f44c7f597 100644 --- a/services/moneypenny/values-base.yaml +++ b/services/moneypenny/values-base.yaml 
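Review bot: `global.vaultSecretsPath` is interpolated into `spec.path` of the VaultSecret without a `required` guard, so an environment that does not pass the parameter renders `path: "/pull-secret"` and would presumably fail at reconciliation rather than at template time. The sibling ingress template guards `global.host` with `required`; `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/pull-secret"` gives the same early failure here (the `{{-` trim marker does nothing useful inside the quoted string). `name: pull-secret` and `type: kubernetes.io/dockerconfigjson` are the only bare scalars among the new templates; quoting them matches the rest.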
@@ -1,25 +1,15 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "base-lsp.lsst.codes" - - orders: - commission: - - name: initcommission - image: lsstsqre/inituserhome - securityContext: - runAsUser: 0 - runAsNonRootUser: false - volumeMounts: - - mountPath: /homedirs - name: homedirs - volumes: - - name: homedirs - nfs: - server: ddn-nfs.ls.lsst.org - path: /lsstdata/user/staff/jhome - -pull-secret: - enabled: true - path: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" +orders: + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: + - mountPath: /homedirs + name: homedirs + volumes: + - name: homedirs + nfs: + server: ddn-nfs.ls.lsst.org + path: /lsstdata/user/staff/jhome diff --git a/services/moneypenny/values-idfdev.yaml b/services/moneypenny/values-idfdev.yaml index f01b6aa93b..77b96cbe69 100644 --- a/services/moneypenny/values-idfdev.yaml +++ b/services/moneypenny/values-idfdev.yaml @@ -1,25 +1,15 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-dev.lsst.cloud" - - orders: - commission: - - name: initcommission - image: lsstsqre/inituserhome - securityContext: - runAsUser: 0 - runAsNonRootUser: false - volumeMounts: - - mountPath: /homedirs - name: homedirs - volumes: - - name: homedirs - nfs: - server: 10.87.86.26 - path: /share1/home - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" +orders: + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: + - mountPath: /homedirs + name: homedirs + volumes: + - name: homedirs + nfs: + server: 10.87.86.26 + path: /share1/home diff --git a/services/moneypenny/values-idfint.yaml b/services/moneypenny/values-idfint.yaml index 3836d840e3..bf3fa84444 100644 --- a/services/moneypenny/values-idfint.yaml 
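Review bot: The environment-specific `initcommission` container runs as root (`runAsUser: 0`, `runAsNonRootUser: false`) from an untagged image (`lsstsqre/inituserhome`, which pulls `latest`), and unlike the chart default in values.yaml it omits `allowPrivilegeEscalation: false`; the root UID is presumably needed to create home directories on the NFS export, but the override need not also drop the escalation guard or leave the tag floating. Adding `allowPrivilegeEscalation: false` under `securityContext` and an explicit tag (or digest) on `image` keeps the privileged step at least as constrained as the default. Since Helm replaces lists rather than merging them, this override also discards the default `farthing` commission container — unchanged behaviour from before the commit, but worth a one-line comment in the file. The `securityContext` keys here are consumed by Moneypenny through the `m.yaml` ConfigMap rather than by Kubernetes directly, so `runAsNonRootUser` is presumably Moneypenny's own field. The same points apply to the values-idfdev, values-idfint, values-idfprod, values-roe, values-summit and values-tucson-teststand hunks.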
+++ b/services/moneypenny/values-idfint.yaml @@ -1,25 +1,15 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-int.lsst.cloud" - - orders: - commission: - - name: initcommission - image: lsstsqre/inituserhome - securityContext: - runAsUser: 0 - runAsNonRootUser: false - volumeMounts: - - mountPath: /homedirs - name: homedirs - volumes: - - name: homedirs - nfs: - server: 10.22.240.130 - path: /share1/home - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" +orders: + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: + - mountPath: /homedirs + name: homedirs + volumes: + - name: homedirs + nfs: + server: 10.22.240.130 + path: /share1/home diff --git a/services/moneypenny/values-idfprod.yaml b/services/moneypenny/values-idfprod.yaml index 2115b65fa8..e8821fa71b 100644 --- a/services/moneypenny/values-idfprod.yaml +++ b/services/moneypenny/values-idfprod.yaml @@ -1,25 +1,15 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data.lsst.cloud" - - orders: - commission: - - name: initcommission - image: lsstsqre/inituserhome - securityContext: - runAsUser: 0 - runAsNonRootUser: false - volumeMounts: - - mountPath: /homedirs - name: homedirs - volumes: - - name: homedirs - nfs: - server: 10.13.105.122 - path: /share1/home - -pull-secret: - enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" +orders: + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: + - mountPath: /homedirs + name: homedirs + volumes: + - name: homedirs + nfs: + server: 10.13.105.122 + path: /share1/home diff --git a/services/moneypenny/values-int.yaml b/services/moneypenny/values-int.yaml index 82000daa5e..e69de29bb2 100644 --- a/services/moneypenny/values-int.yaml 
+++ b/services/moneypenny/values-int.yaml @@ -1,11 +0,0 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "lsst-lsp-int.ncsa.illinois.edu" - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=admin:provision" - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" diff --git a/services/moneypenny/values-minikube.yaml b/services/moneypenny/values-minikube.yaml index 86ff8d7412..e69de29bb2 100644 --- a/services/moneypenny/values-minikube.yaml +++ b/services/moneypenny/values-minikube.yaml @@ -1,9 +0,0 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "minikube.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" diff --git a/services/moneypenny/values-roe.yaml b/services/moneypenny/values-roe.yaml index e540bb7797..3952d48484 100644 --- a/services/moneypenny/values-roe.yaml +++ b/services/moneypenny/values-roe.yaml @@ -1,20 +1,10 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "rsp.lsst.ac.uk" - - orders: - commission: - - name: initcommission - image: lsstsqre/inituserhome - securityContext: - runAsUser: 0 - runAsNonRootUser: false - volumeMounts: - - mountPath: /homedirs - name: homedirs - -pull-secret: - enabled: true - path: "secret/k8s_operator/roe/pull-secret" +orders: + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: + - mountPath: /homedirs + name: homedirs diff --git a/services/moneypenny/values-stable.yaml b/services/moneypenny/values-stable.yaml index 3f0d6a0bf1..e69de29bb2 100644 --- a/services/moneypenny/values-stable.yaml +++ b/services/moneypenny/values-stable.yaml 
@@ -1,11 +0,0 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "lsst-lsp-stable.ncsa.illinois.edu" - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=admin:provision" - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" diff --git a/services/moneypenny/values-summit.yaml b/services/moneypenny/values-summit.yaml index 1a2b978e0d..1436234dbd 100644 --- a/services/moneypenny/values-summit.yaml +++ b/services/moneypenny/values-summit.yaml @@ -1,25 +1,15 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "summit-lsp.lsst.codes" - - orders: - commission: - - name: initcommission - image: lsstsqre/inituserhome - securityContext: - runAsUser: 0 - runAsNonRootUser: false - volumeMounts: - - mountPath: /homedirs - name: homedirs - volumes: - - name: homedirs - nfs: - server: nfs1.cp.lsst.org - path: /jhome - -pull-secret: - enabled: true - path: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" +orders: + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: + - mountPath: /homedirs + name: homedirs + volumes: + - name: homedirs + nfs: + server: nfs1.cp.lsst.org + path: /jhome diff --git a/services/moneypenny/values-tucson-teststand.yaml b/services/moneypenny/values-tucson-teststand.yaml index e6860d48be..845233c931 100644 --- a/services/moneypenny/values-tucson-teststand.yaml +++ b/services/moneypenny/values-tucson-teststand.yaml 
@@ -1,25 +1,15 @@ -moneypenny: - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "tucson-teststand.lsst.codes" - - orders: - commission: - - name: initcommission - image: lsstsqre/inituserhome - securityContext: - runAsUser: 0 - runAsNonRootUser: false - volumeMounts: - - mountPath: /homedirs - name: homedirs - volumes: - - name: homedirs - nfs: - server: nfs-jhome.tu.lsst.org - path: /jhome - -pull-secret: - enabled: true - path: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" +orders: + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: + - mountPath: /homedirs + name: homedirs + volumes: + - name: homedirs + nfs: + server: nfs-jhome.tu.lsst.org + path: /jhome diff --git a/services/moneypenny/values.yaml b/services/moneypenny/values.yaml new file mode 100644 index 0000000000..bbf019a4ad --- /dev/null +++ b/services/moneypenny/values.yaml 
@@ -0,0 +1,107 @@ +# Default values for moneypenny. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# -- Number of pods to start +replicaCount: 1 + +image: + # -- moneypenny image to use + repository: "lsstsqre/moneypenny" + + # -- Pull policy for the moneypenny image + pullPolicy: "IfNotPresent" + + # -- Tag of moneypenny image to use + # @default -- The appVersion of the chart + tag: "" + +serviceAccount: + # -- Name of the service account to use + # @default -- Name based on the fullname template + name: "" + +ingress: + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=admin:provision" + + # -- Configure TLS for the ingress if needed. If multiple ingresses share + # the same hostname, only one of them needs a TLS configuration. + tls: [] + +orders: + # -- List of specifications for containers to run to commission a new user. + # Each member of the list should set a container `name`, `image`, and + # `securityContext` and may contain `volumeMounts`. + commission: + - name: farthing + image: lsstsqre/farthing + securityContext: + runAsUser: 1000 + runAsNonRootUser: true + allowPrivilegeEscalation: false + + # -- List of specifications for containers to run to retire a user. Each + # member of the list should set a container `name`, `image`, and + # `securityContext` and may contain `volumeMounts`. + retire: + - name: farthing + image: lsstsqre/farthing + securityContext: + runAsUser: 1000 + runAsNonRootUser: true + allowPrivilegeEscalation: false + + # -- Additional volumes to mount when commissioning or retiring users. 
+ volumes: [] + +# -- Resource limits and requests for the vo-cutouts frontend pod +resources: {} + +# -- Annotations for the vo-cutouts frontend pod +podAnnotations: {} + +# -- Node selector rules for the vo-cutouts frontend pod +nodeSelector: {} + +# -- Tolerations for the vo-cutouts frontend pod +tolerations: [] + +# -- Affinity rules for the vo-cutouts frontend pod +affinity: {} + +# -- Moneypenny quotes +# @default -- A small selection +quips: | + Flattery will get you nowhere... but don't stop trying. + % + You never take me to dinner looking like this, James. You never take me to dinner, period. + % + M: (on intercom) Miss Moneypenny, give 007 the password we've agreed + with Japanese SIS. + Moneypenny: Yes, Sir. We tried to think of something that you wouldn't + forget. + Bond: Yes? + Moneypenny: I... love... you. Repeat it please, to make sure you get it. + Bond: Don't worry, I get it. Sayonara. + % + My problem is, James, you never do anything with me. + % + I didn't know you were a music lover. Any time you want to come over and hear my Barry Manilow collection... + % + Someday you'll have to make good on your innuendos. + % + You always were a cunning linguist, James. + % + Bond: (about getting shot) In your defense, a moving target is harder to hit. + Moneypenny: Then you'd better keep moving. + % + Moneypenny: Cut-throat razor. How very traditional. + Bond: Well, I like to do some things the old-fashioned way. + Moneypenny: Sometimes the old ways are best. From 35193050c3fe95acc412a72d8af955d4841a949d Mon Sep 17 00:00:00 2001 
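Review bot: The comments on `resources`, `podAnnotations`, `nodeSelector`, `tolerations` and `affinity` describe "the vo-cutouts frontend pod", a copy-paste leftover that helm-docs has already carried into the README in this commit; `# -- Resource limits and requests for the moneypenny pod` (and likewise for the other four) fixes both places. The `orders.*` entries are documented as container specs, but cm-m-config.yaml serialises `.Values.orders` into Moneypenny's `m.yaml`, so `runAsNonRootUser` is presumably Moneypenny's own schema rather than the Kubernetes `runAsNonRoot` field; one sentence in the `commission` comment saying the list is interpreted by Moneypenny, not applied verbatim as a pod spec, would spare the next reader a schema hunt.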
From: adam Date: Tue, 19 Apr 2022 12:13:03 -0700 Subject: [PATCH 0404/1479] exposurelog/narrativelog DRY --- services/exposurelog/README.md | 1 + .../exposurelog/templates/deployment.yaml | 2 +- .../templates/tests/test-connection.yaml | 2 +- services/exposurelog/values-minikube.yaml | 3 ++ services/exposurelog/values.yaml | 4 +++ services/narrativelog/README.md | 16 ++++++--- .../narrativelog/templates/deployment.yaml | 6 ++-- services/narrativelog/templates/ingress.yaml | 17 ++++------ .../narrativelog/templates/networkpolicy.yaml | 2 -- services/narrativelog/templates/service.yaml | 4 +-- .../templates/tests/test-connection.yaml | 2 +- .../narrativelog/templates/vault-secrets.yaml | 12 ++++++- services/narrativelog/values-base.yaml | 10 ------ services/narrativelog/values-minikube.yaml | 2 ++ services/narrativelog/values-summit.yaml | 10 ------ .../narrativelog/values-tucson-teststand.yaml | 10 ------ services/narrativelog/values.yaml | 33 ++++--------------- 17 files changed, 52 insertions(+), 84 deletions(-) create mode 100644 services/exposurelog/values-minikube.yaml create mode 100644 services/narrativelog/values-minikube.yaml diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index a22c611efb..eb661fbd1d 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -24,6 +24,7 @@ Exposure log service | image.pullPolicy | string | `"Always"` | | | image.repository | string | `"lsstsqre/exposurelog"` | | | image.tag | string | `""` | | +| ingress.gafaelfawrAuthQuery | string | `""` | | | nameOverride | string | `""` | | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml index 0c97d224d5..16c3717edd 100644 --- a/services/exposurelog/templates/deployment.yaml +++ b/services/exposurelog/templates/deployment.yaml 
@@ -38,7 +38,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: {{ .Values.service.port }} + containerPort: 8080 protocol: TCP livenessProbe: httpGet: diff --git a/services/exposurelog/templates/tests/test-connection.yaml b/services/exposurelog/templates/tests/test-connection.yaml index c8964e4f02..a910c41e41 100644 --- a/services/exposurelog/templates/tests/test-connection.yaml +++ b/services/exposurelog/templates/tests/test-connection.yaml @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "exposurelog.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "exposurelog.fullname" . }}:8080'] restartPolicy: Never diff --git a/services/exposurelog/values-minikube.yaml b/services/exposurelog/values-minikube.yaml new file mode 100644 index 0000000000..70ee5f98f4 --- /dev/null +++ b/services/exposurelog/values-minikube.yaml @@ -0,0 +1,3 @@ +config: + site_id: minikube + diff --git a/services/exposurelog/values.yaml b/services/exposurelog/values.yaml index 4615d58a4e..5a1fd0f02d 100644 --- a/services/exposurelog/values.yaml +++ b/services/exposurelog/values.yaml @@ -12,6 +12,10 @@ image: # Overrides the image tag whose default is the chart appVersion. tag: "" +ingress: + # Allow specification of auth scope + gafaelfawrAuthQuery: "" + # Application-specific configuration config: # NFS path to butler registry 1 and/or 2. diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index 4b5e9de385..35bf52283b 100644 --- a/services/narrativelog/README.md +++ b/services/narrativelog/README.md 
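Review bot: The new `ingress.gafaelfawrAuthQuery: ""` default in exposurelog's values.yaml is described only as "Allow specification of auth scope", which does not say what an empty value does. Exposurelog's ingress template is not part of this commit, but the sibling narrativelog ingress in the same change omits every Gafaelfawr annotation when the query is empty, so the default here is presumably an unauthenticated ingress unless a site overrides it — worth confirming against exposurelog's template. Make the consequence explicit next to the key, e.g. `# Gafaelfawr auth query string (e.g. "scope=read:tap"). Leave empty only if the ingress is meant to be reachable without authentication.` The new values-minikube.yaml also ends with a stray blank line.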
@@ -1,7 +1,15 @@ # narrativelog +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.1](https://img.shields.io/badge/AppVersion-0.2.1-informational?style=flat-square) + Narrative log service +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| r-owen | | | + ## Values | Key | Type | Default | Description | @@ -16,8 +24,7 @@ Narrative log service | image.pullPolicy | string | `"Always"` | | | image.repository | string | `"lsstsqre/narrativelog"` | | | image.tag | string | `""` | | -| imagePullSecrets[0].name | string | `"pull-secret"` | | -| ingress.enabled | bool | `false` | | +| ingress.gafaelfawrAuthQuery | string | `""` | | | nameOverride | string | `""` | | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | @@ -25,6 +32,7 @@ Narrative log service | replicaCount | int | `1` | | | resources | object | `{}` | | | securityContext | object | `{}` | | -| service.port | int | `8080` | | -| service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/narrativelog/templates/deployment.yaml b/services/narrativelog/templates/deployment.yaml index c05d88691c..7b65173217 100644 --- a/services/narrativelog/templates/deployment.yaml +++ b/services/narrativelog/templates/deployment.yaml @@ -20,10 +20,8 @@ spec: labels: {{- include "narrativelog.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 
@@ -40,7 +38,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: {{ .Values.service.port }} + containerPort: 8080 protocol: TCP livenessProbe: httpGet: diff --git a/services/narrativelog/templates/ingress.yaml b/services/narrativelog/templates/ingress.yaml index 40639c348a..5948b03790 100644 --- a/services/narrativelog/templates/ingress.yaml +++ b/services/narrativelog/templates/ingress.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -10,25 +9,21 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login" - nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.ingress.host }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} rules: - - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: {{ default "/narrativelog" .Values.ingress.path }} - pathType: {{ default "Prefix" .Values.ingress.pathType }} + - path: /narrativelog + pathType: Prefix backend: service: name: {{ include "narrativelog.fullname" . }} port: - number: {{ .Values.service.port }} -{{- end }} + number: 8080 
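Review bot: The two Gafaelfawr annotations disagree on whether `global.baseUrl` already carries a scheme: `auth-signin` renders `"{{ .Values.global.baseUrl }}/login"` while `auth-url` renders `"https://{{ .Values.global.baseUrl }}/auth?…"`. Other charts in this repository (the obstap ingress, for one) use the bare value for both, which suggests `baseUrl` includes `https://` and the auth-url here becomes `https://https://…`, breaking the auth subrequest for every protected route; change it to `nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}"`. Separately, the `ingress.enabled` gate is gone so the Ingress is now always rendered, yet the auth annotations remain conditional on a non-empty `gafaelfawrAuthQuery`; any environment that keeps the default `""` publishes `/narrativelog` with no authentication, which deserves an explicit comment or a non-empty default scope.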
diff --git a/services/narrativelog/templates/networkpolicy.yaml b/services/narrativelog/templates/networkpolicy.yaml index 99615234a1..7afc9f8f78 100644 --- a/services/narrativelog/templates/networkpolicy.yaml +++ b/services/narrativelog/templates/networkpolicy.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -20,4 +19,3 @@ spec: ports: - protocol: "TCP" port: 8080 -{{- end }} diff --git a/services/narrativelog/templates/service.yaml b/services/narrativelog/templates/service.yaml index e8998542f0..b955aaad6b 100644 --- a/services/narrativelog/templates/service.yaml +++ b/services/narrativelog/templates/service.yaml @@ -5,9 +5,9 @@ metadata: labels: {{- include "narrativelog.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: "ClusterIP" ports: - - port: {{ .Values.service.port }} + - port: 8080 targetPort: http protocol: TCP name: http diff --git a/services/narrativelog/templates/tests/test-connection.yaml b/services/narrativelog/templates/tests/test-connection.yaml index 4fa4b38980..770b0e6aa4 100644 --- a/services/narrativelog/templates/tests/test-connection.yaml +++ b/services/narrativelog/templates/tests/test-connection.yaml @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "narrativelog.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "narrativelog.fullname" . }}:8080'] restartPolicy: Never diff --git a/services/narrativelog/templates/vault-secrets.yaml b/services/narrativelog/templates/vault-secrets.yaml index 52f0d5d817..1a204ff75d 100644 --- a/services/narrativelog/templates/vault-secrets.yaml +++ b/services/narrativelog/templates/vault-secrets.yaml 
@@ -4,5 +4,15 @@ metadata: name: postgres namespace: narrativelog spec: - path: {{ .Values.vault_path }} + path: "{{- .Values.global.vaultSecretsPath }}/postgres" type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "narrativelog.labels" . | nindent 4 }} +spec: + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + type: kubernetes.io/dockerconfigjson diff --git a/services/narrativelog/values-base.yaml b/services/narrativelog/values-base.yaml index 63bfd5e4de..36f59a4d75 100644 --- a/services/narrativelog/values-base.yaml +++ b/services/narrativelog/values-base.yaml @@ -1,12 +1,2 @@ config: site_id: base - -ingress: - enabled: true - host: base-lsp.lsst.codes - -vault_path: secret/k8s_operator/base-lsp.lsst.codes/postgres - -pull-secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret diff --git a/services/narrativelog/values-minikube.yaml b/services/narrativelog/values-minikube.yaml new file mode 100644 index 0000000000..45d77ff9ce --- /dev/null +++ b/services/narrativelog/values-minikube.yaml @@ -0,0 +1,2 @@ +config: + site_id: minikube diff --git a/services/narrativelog/values-summit.yaml b/services/narrativelog/values-summit.yaml index 9c385a5854..704dae40b7 100644 --- a/services/narrativelog/values-summit.yaml +++ b/services/narrativelog/values-summit.yaml @@ -1,12 +1,2 @@ config: site_id: summit - -ingress: - enabled: true - host: summit-lsp.lsst.codes - -vault_path: secret/k8s_operator/summit-lsp.lsst.codes/postgres - -pull-secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret diff --git a/services/narrativelog/values-tucson-teststand.yaml b/services/narrativelog/values-tucson-teststand.yaml index 0d63534dd4..71d6b32dce 100644 --- a/services/narrativelog/values-tucson-teststand.yaml +++ b/services/narrativelog/values-tucson-teststand.yaml 
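Review bot: The new `pull-secret` VaultSecret has no `namespace:` while the `postgres` VaultSecret directly above it hard-codes `namespace: narrativelog`; both are consumed by the same Deployment (which now references `pull-secret` by name), so if the release is ever installed into another namespace the two secrets land in different places. Either drop the hard-coded namespace from `postgres` so both follow the release namespace, or add `namespace: narrativelog` to the new one as well. The `{{-` in `path: "{{- .Values.global.vaultSecretsPath }}/postgres"` trims nothing useful inside a quoted scalar and can be the plain `{{ .Values.global.vaultSecretsPath }}` used elsewhere in this commit.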
@@ -1,12 +1,2 @@ config: site_id: tucson - -ingress: - enabled: true - host: tucson-teststand.lsst.codes - -vault_path: secret/k8s_operator/tucson-teststand.lsst.codes/postgres - -pull-secret: - enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret diff --git a/services/narrativelog/values.yaml b/services/narrativelog/values.yaml index 846a7f05f5..cdcba93366 100644 --- a/services/narrativelog/values.yaml +++ b/services/narrativelog/values.yaml @@ -1,6 +1,8 @@ # Default values for narrativelog. # This is a YAML-formatted file. # Declare variables to be passed into your templates. +nameOverride: "" +fullnameOverride: "" replicaCount: 1 @@ -10,6 +12,10 @@ image: # Overrides the image tag whose default is the chart appVersion. tag: "" +ingress: + # Allow specification of auth scope + gafaelfawrAuthQuery: "" + # Application-specific configuration config: # Site ID; a non-empty string of up to 16 characters. @@ -17,29 +23,6 @@ config: # Sandboxes should use `test`. site_id: "" - -# Site-specific values files should specify: -# -# ingress: -# enabled: true -# host: ... -# -# vault-path: secret/k8s_operator/.../postgres -# -# pull-secret: -# enabled: true -# path: secret/k8s_operator/.../pull-secret - -# This is needed for the CI job to run -ingress: - enabled: false - -imagePullSecrets: - - name: pull-secret - -nameOverride: "" -fullnameOverride: "" - podAnnotations: {} podSecurityContext: {} @@ -53,10 +36,6 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 -service: - type: ClusterIP - port: 8080 - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little From 6b7ad6da2866e358c9d7dea887b54d597764e332 Mon Sep 17 00:00:00 2001 
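Review bot: values.yaml drops the comment that told site operators what their values file must supply, but the templates now `required`-fail on `global.host` and silently read `global.baseUrl` and `global.vaultSecretsPath`, and none of those prerequisites is documented here any more. Restore a short header comment listing the three `global` keys the chart expects (presumably provided by the parent chart — to be confirmed). The new `# Allow specification of auth scope` also understates `gafaelfawrAuthQuery`: in the ingress template an empty value omits the Gafaelfawr annotations altogether, so the default `""` exposes `/narrativelog` anonymously; suggest `# Gafaelfawr auth query string (e.g. "scope=read:tap"). When empty, the ingress is rendered without any auth annotations.`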
From: adam Date: Tue, 19 Apr 2022 12:49:12 -0700 Subject: [PATCH 0405/1479] DRY out obstap --- services/obstap/Chart.yaml | 16 +-- services/obstap/README.md | 47 +++++++ services/obstap/templates/_helpers.tpl | 51 ++++++++ .../obstap/templates/tap-db-deployment.yaml | 49 ++++++++ .../templates/tap-db-networkpolicy.yaml | 23 ++++ services/obstap/templates/tap-db-service.yaml | 14 +++ services/obstap/templates/tap-deployment.yaml | 78 ++++++++++++ .../templates/tap-ingress-anonymous.yaml | 45 +++++++ .../templates/tap-ingress-authenticated.yaml | 37 ++++++ .../obstap/templates/tap-networkpolicy.yaml | 22 ++++ services/obstap/templates/tap-service.yaml | 15 +++ .../obstap/templates/uws-db-deployment.yaml | 53 ++++++++ .../templates/uws-db-networkpolicy.yaml | 23 ++++ services/obstap/templates/uws-db-service.yaml | 14 +++ services/obstap/templates/vault-secrets.yaml | 19 +++ services/obstap/values-idfdev.yaml | 19 +-- services/obstap/values-idfint.yaml | 19 +-- services/obstap/values-idfprod.yaml | 19 +-- services/obstap/values-int.yaml | 59 ++++----- services/obstap/values-minikube.yaml | 19 +-- services/obstap/values-roe.yaml | 12 -- services/obstap/values-stable.yaml | 59 ++++----- services/obstap/values.yaml | 115 ++++++++++++++++++ 23 files changed, 669 insertions(+), 158 deletions(-) create mode 100644 services/obstap/README.md create mode 100644 services/obstap/templates/_helpers.tpl create mode 100644 services/obstap/templates/tap-db-deployment.yaml create mode 100644 services/obstap/templates/tap-db-networkpolicy.yaml create mode 100644 services/obstap/templates/tap-db-service.yaml create mode 100644 services/obstap/templates/tap-deployment.yaml create mode 100644 services/obstap/templates/tap-ingress-anonymous.yaml create mode 100644 services/obstap/templates/tap-ingress-authenticated.yaml create mode 100644 services/obstap/templates/tap-networkpolicy.yaml create mode 100644 services/obstap/templates/tap-service.yaml create mode 100644 
services/obstap/templates/uws-db-deployment.yaml create mode 100644 services/obstap/templates/uws-db-networkpolicy.yaml create mode 100644 services/obstap/templates/uws-db-service.yaml create mode 100644 services/obstap/templates/vault-secrets.yaml create mode 100644 services/obstap/values.yaml diff --git a/services/obstap/Chart.yaml b/services/obstap/Chart.yaml index 107ca0f4c3..adc5f9a369 100644 --- a/services/obstap/Chart.yaml +++ b/services/obstap/Chart.yaml @@ -1,10 +1,6 @@ -apiVersion: v2 -name: obstap -version: 1.0.0 -dependencies: -- name: cadc-tap-postgres - version: 0.2.2 - repository: https://lsst-sqre.github.io/charts/ -- name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ +apiVersion: v1 +appVersion: "1.1" +description: CADC TAP PostgresSQL service, used for ObsTAP +home: https://github.com/lsst-sqre/tap-postgres +name: cadc-tap-postgres +version: 0.2.2 diff --git a/services/obstap/README.md b/services/obstap/README.md new file mode 100644 index 0000000000..0c89e6dfb6 --- /dev/null +++ b/services/obstap/README.md 
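Review bot: The inlined Chart.yaml drops to `apiVersion: v1`, the Helm 2 chart format, whereas the file it replaces was `apiVersion: v2` like the other charts under services/; Helm 3 still accepts v1, but `apiVersion: v2` keeps the repository consistent and avoids the legacy format. The chart is also renamed from `obstap` to `cadc-tap-postgres` with version `0.2.2`, and the site values files in this same commit remove `fullnameOverride: "obstap"`; since the new `fullname` helper derives names from the release and chart names, the Deployment, Service, NetworkPolicy and VaultSecret names may all change on the next sync — worth checking the release name or keeping the override. The description also carries a typo: `PostgresSQL` should be `PostgreSQL`.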
@@ -0,0 +1,47 @@ +# cadc-tap-postgres + +![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![AppVersion: 1.1](https://img.shields.io/badge/AppVersion-1.1-informational?style=flat-square) + +CADC TAP PostgresSQL service, used for ObsTAP + +**Homepage:** + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the cadc-tap-postgres pod | +| config.gcsBucket | string | None, must be set | Name of GCS bucket in which to store results | +| config.gcsBucketUrl | string | None, must be set | Base URL for results stored in GCS bucket | +| db.affinity | object | `{}` | Affinity rules for the database pod | +| db.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the database image | +| db.image.repository | string | `"lsstdax/tap-postgres-db"` | Database image to use | +| db.image.tag | string | The appVersion of the chart | Tag of database image to use | +| db.nodeSelector | object | `{}` | Node selection rules for the database pod | +| db.podAnnotations | object | `{}` | Annotations for the databse pod | +| db.resources | object | `{}` | Resource limits and requests for the database pod | +| db.tolerations | list | `[]` | Tolerations for the database pod | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tap image | +| image.repository | string | `"lsstdax/tap-postgres-server"` | tap-postgres image to use | +| image.tag | string | The appVersion of the chart | Tag of tap image to use | +| ingress.anonymousAnnotations | object | `{}` | Additional annotations to use for endpoints that allow anonymous access, such as `/capabilities` and `/availability` | +| ingress.authenticatedAnnotations | object | `{}` | Additional annotations to use for endpoints that are authenticated, such as `/sync`, `/async`, and 
`/tables` | +| ingress.gafaelfawrAuthQuery | string | `"scope=read:tap"` | Gafaelfawr auth query string | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the cadc-tap-postgres pod | +| podAnnotations | object | `{}` | Annotations for the cadc-tap-postgres pod | +| replicaCount | int | `1` | Number of pods to start | +| resources | object | `{}` | Resource limits and requests for the cadc-tap-postgres pod | +| tolerations | list | `[]` | Tolerations for the cadc-tap-postgres pod | +| uws.affinity | object | `{}` | Affinity rules for the UWS database pod | +| uws.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the UWS database image | +| uws.image.repository | string | `"lsstdax/tap-postgres-uws"` | UWS database image to use | +| uws.image.tag | string | The appVersion of the chart | Tag of UWS database image to use | +| uws.nodeSelector | object | `{}` | Node selection rules for the UWS database pod | +| uws.podAnnotations | object | `{}` | Annotations for the UWS databse pod | +| uws.resources | object | `{}` | Resource limits and requests for the UWS database pod | +| uws.tolerations | list | `[]` | Tolerations for the UWS database pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/obstap/templates/_helpers.tpl b/services/obstap/templates/_helpers.tpl new file mode 100644 index 0000000000..8c67eaa741 --- /dev/null +++ b/services/obstap/templates/_helpers.tpl 
@@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "cadc-tap-postgres.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cadc-tap-postgres.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cadc-tap-postgres.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "cadc-tap-postgres.labels" -}} +helm.sh/chart: {{ include "cadc-tap-postgres.chart" . }} +{{ include "cadc-tap-postgres.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "cadc-tap-postgres.selectorLabels" -}} +app.kubernetes.io/name: {{ include "cadc-tap-postgres.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/obstap/templates/tap-db-deployment.yaml b/services/obstap/templates/tap-db-deployment.yaml new file mode 100644 index 0000000000..96a7251a6f --- /dev/null +++ b/services/obstap/templates/tap-db-deployment.yaml 
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "cadc-tap-postgres.fullname" . }}-tap-db
+ labels:
+ {{- include "cadc-tap-postgres.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "tap-db"
+ template:
+ metadata:
+ {{- with .Values.db.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "cadc-tap-postgres.labels" . | nindent 8 }}
+ app.kubernetes.io/component: "tap-db"
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ automountServiceAccountToken: false
+ containers:
+ - name: "tap-db"
+ image: "{{ .Values.db.image.repository }}:{{ .Values.db.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.db.imagePullPolicy | quote }}
+ ports:
+ - containerPort: 5432
+ {{- with .Values.db.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.db.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.db.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.db.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/services/obstap/templates/tap-db-networkpolicy.yaml b/services/obstap/templates/tap-db-networkpolicy.yaml
new file mode 100644
index 0000000000..9fa0cb9038
--- /dev/null
+++ b/services/obstap/templates/tap-db-networkpolicy.yaml
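Review bot: `imagePullPolicy: {{ .Values.db.imagePullPolicy | quote }}` reads a key the chart does not define — the README in this commit documents `db.image.pullPolicy` — so it renders `imagePullPolicy: ""` and the configured policy is silently replaced by the Kubernetes default; use `imagePullPolicy: {{ .Values.db.image.pullPolicy | quote }}`. The pod also takes its pull secrets from `.Values.imagePullSecrets`, which the site values files in this same commit stop setting, while the uws-db Deployment hard-codes `pull-secret`; the three Deployments should agree on one mechanism, or the tap-db image will be pulled without credentials. Unlike the narrativelog Deployment touched in the previous commit, this pod has no `securityContext` (`runAsNonRoot: true`); consider adding one if the database image supports running unprivileged.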
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "cadc-tap-postgres.fullname" . }}-tap-db
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "tap-db"
+ policyTypes:
+ - Ingress
+ # Deny all outbound access; PostgreSQL doesn't need to talk to anything.
+ - Egress
+ ingress:
+ # Allow inbound access to TAP database from the server.
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 14 }}
+ app.kubernetes.io/component: "server"
+ ports:
+ - protocol: "TCP"
+ port: 5432
diff --git a/services/obstap/templates/tap-db-service.yaml b/services/obstap/templates/tap-db-service.yaml
new file mode 100644
index 0000000000..16821e8161
--- /dev/null
+++ b/services/obstap/templates/tap-db-service.yaml
@@ -0,0 +1,14 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: {{ template "cadc-tap-postgres.fullname" . }}-tap-db
+ labels:
+ {{- include "cadc-tap-postgres.labels" . | nindent 4 }}
+spec:
+ ports:
+ - protocol: "TCP"
+ port: 5432
+ targetPort: 5432
+ selector:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "tap-db"
diff --git a/services/obstap/templates/tap-deployment.yaml b/services/obstap/templates/tap-deployment.yaml
new file mode 100644
index 0000000000..854dd967ab
--- /dev/null
+++ b/services/obstap/templates/tap-deployment.yaml
@@ -0,0 +1,78 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "cadc-tap-postgres.fullname" . }} + labels: + {{- include "cadc-tap-postgres.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "server" + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cadc-tap-postgres.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "server" + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: false + containers: + - name: "tap-server" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + env: + - name: "CATALINA_OPTS" + value: >- + -Dtap.username=tap_schema + -Dtap.password=pw-tapschema + -Dtap.url=jdbc:postgresql://{{ template "cadc-tap-postgres.fullname" . }}-tap-db:5432/tap_schema + -Dtap.maxActive=1 + -Dca.nrc.cadc.reg.client.RegistryClient.local=true + -Duws.username=postgres + -Duws.maxActive=2 + -Duws.jdbc.driverClassName=org.postgresql.Driver + -Duws.url=jdbc:postgresql://{{ template "cadc-tap-postgres.fullname" . }}-uws-db/ + -Dgcs_bucket={{ .Values.config.gcsBucket }} + -Dgcs_bucket_url={{ .Values.config.gcsBucketUrl }} + -Dca.nrc.cadc.util.PropertiesReader.dir=/etc/creds/ + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: "/etc/creds/google_creds.json" + ports: + - containerPort: 8080 + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: "google-creds" + mountPath: "/etc/creds" + readOnly: true + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "google-creds" + secret: + secretName: {{ template "cadc-tap-postgres.fullname" . 
}}-secret + - name: "tmp" + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/obstap/templates/tap-ingress-anonymous.yaml b/services/obstap/templates/tap-ingress-anonymous.yaml new file mode 100644 index 0000000000..0aa273307c --- /dev/null +++ b/services/obstap/templates/tap-ingress-anonymous.yaml 
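Review bot: The TAP database credentials are embedded in clear text in the pod spec (`-Dtap.username=tap_schema -Dtap.password=pw-tapschema` inside `CATALINA_OPTS`), so the password is readable by anyone with `get` on Deployments or Pods in the namespace and cannot be rotated without a chart change; `-Duws.username=postgres` is likewise passed with no password at all. Inject the password from the existing `…-secret` via `valueFrom.secretKeyRef` and reference it with Kubernetes `$(VAR)` expansion, as sketched below — the key has to be added to the Vault `tap` secret and the db image must accept a configured password rather than a baked-in one, both to be confirmed. Separately, `imagePullPolicy: {{ .Values.imagePullPolicy | quote }}` reads a key the README does not define (it documents `image.pullPolicy`), so it renders `""` and the setting is ignored; use `{{ .Values.image.pullPolicy | quote }}`.
```yaml
          env:
            - name: "TAP_DB_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "cadc-tap-postgres.fullname" . }}-secret
                  key: "tap-password"  # new key; must be added to the Vault "tap" secret
            - name: "CATALINA_OPTS"
              value: >-
                -Dtap.username=tap_schema
                -Dtap.password=$(TAP_DB_PASSWORD)
                -Dtap.url=jdbc:postgresql://{{ template "cadc-tap-postgres.fullname" . }}-tap-db:5432/tap_schema
            # … unchanged: remaining -D options of CATALINA_OPTS, GOOGLE_APPLICATION_CREDENTIALS, ports, volumeMounts, volumes …
```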
@@ -0,0 +1,45 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ template "cadc-tap-postgres.fullname" . }}-anonymous
+ labels:
+ {{- include "cadc-tap-postgres.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "900"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
+ nginx.ingress.kubernetes.io/rewrite-target: "/tap/$1"
+ nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/"
+ nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/obstap/"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ {{- with .Values.ingress.anonymousAnnotations }}
+ {{ toYaml . | indent 4}}
+ {{- end }}
+spec:
+ rules:
+ - host: {{ required "global.host must be set" .Values.global.host | quote }}
+ http:
+ paths:
+ - path: "/api/obstap/(availability)"
+ pathType: "ImplementationSpecific"
+ backend:
+ service:
+ name: {{ template "cadc-tap-postgres.fullname" . }}
+ port:
+ number: 8080
+ - path: "/api/obstap/(capabilities)"
+ pathType: "ImplementationSpecific"
+ backend:
+ service:
+ name: {{ template "cadc-tap-postgres.fullname" . }}
+ port:
+ number: 8080
+ - path: "/api/obstap/(swagger-ui.*)"
+ pathType: "ImplementationSpecific"
+ backend:
+ service:
+ name: {{ template "cadc-tap-postgres.fullname" . }}
+ port:
+ number: 8080
diff --git a/services/obstap/templates/tap-ingress-authenticated.yaml b/services/obstap/templates/tap-ingress-authenticated.yaml
new file mode 100644
index 0000000000..55aad30af1
--- /dev/null
+++ b/services/obstap/templates/tap-ingress-authenticated.yaml
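Review bot: `{{ toYaml . | indent 4}}` under `{{- with .Values.ingress.anonymousAnnotations }}` will most likely render broken YAML as soon as anyone sets that value: `indent` prefixes every line with four spaces, and if the template line is itself indented under `annotations:` like its neighbours, the extra annotations come out at column 8 beneath a completed `use-regex: "true"` scalar, which the YAML parser rejects. Every other template in this chart uses the `{{- toYaml . | nindent N }}` form; change this line to `{{- toYaml . | nindent 4 }}` (and the same construct in the authenticated ingress). `kubernetes.io/ingress.class` is the deprecated annotation form; with `networking.k8s.io/v1` the class belongs in `spec.ingressClassName: "nginx"`. The three regexes are unanchored (`/api/obstap/(availability)` also matches `/api/obstap/availabilityX`), which is harmless for rewriting but worth a `$` for clarity.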
@@ -0,0 +1,37 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ template "cadc-tap-postgres.fullname" . }}-authenticated
+ labels:
+ {{- include "cadc-tap-postgres.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Uid, X-Auth-Request-Token"
+ nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login"
+ nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ auth_request_set $auth_token $upstream_http_x_auth_request_token;
+ proxy_set_header Authorization "Bearer $auth_token";
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "900"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
+ nginx.ingress.kubernetes.io/rewrite-target: "/tap/$2"
+ nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/"
+ nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/obstap/"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ {{- with .Values.ingress.authenticatedAnnotations }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+spec:
+ rules:
+ - host: {{ required "global.host must be set" .Values.global.host | quote }}
+ http:
+ paths:
+ - path: "/api/obstap(/|$)(.*)"
+ pathType: "ImplementationSpecific"
+ backend:
+ service:
+ name: {{ template "cadc-tap-postgres.fullname" . }}
+ port:
+ number: 8080
diff --git a/services/obstap/templates/tap-networkpolicy.yaml b/services/obstap/templates/tap-networkpolicy.yaml
new file mode 100644
index 0000000000..827888bd90
--- /dev/null
+++ b/services/obstap/templates/tap-networkpolicy.yaml
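Review bot: The bearer token only reaches Tomcat through the `configuration-snippet` annotation (`auth_request_set` + `proxy_set_header Authorization`), and snippet annotations are a privileged feature that an ingress-nginx controller may disable via `allow-snippet-annotations`; on such a controller this Ingress is rejected or the snippet dropped, leaving the backend without a token. Record that dependency in a comment above the snippet, e.g. `# Requires allow-snippet-annotations on the ingress-nginx controller; without it the token is not forwarded.` The `{{ toYaml . | indent 4 }}` under `authenticatedAnnotations` has the same over-indentation problem as in the anonymous ingress and should be `{{- toYaml . | nindent 4 }}` like the rest of the chart. Since this catch-all `/api/obstap(/|$)(.*)` also matches the three anonymous paths, it is worth confirming the controller's regex-location ordering actually gives the anonymous Ingress precedence rather than relying on it.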
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "cadc-tap-postgres.fullname" . }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "server"
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow inbound access from pods (in any namespace) labeled
+ # gafaelfawr.lsst.io/ingress: true.
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ gafaelfawr.lsst.io/ingress: "true"
+ ports:
+ - protocol: "TCP"
+ port: 8080
diff --git a/services/obstap/templates/tap-service.yaml b/services/obstap/templates/tap-service.yaml
new file mode 100644
index 0000000000..8cc5081ddc
--- /dev/null
+++ b/services/obstap/templates/tap-service.yaml
@@ -0,0 +1,15 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: {{ template "cadc-tap-postgres.fullname" . }}
+ labels:
+ {{- include "cadc-tap-postgres.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - protocol: "TCP"
+ port: 8080
+ targetPort: 8080
+ selector:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "server"
diff --git a/services/obstap/templates/uws-db-deployment.yaml b/services/obstap/templates/uws-db-deployment.yaml
new file mode 100644
index 0000000000..af2a25115b
--- /dev/null
+++ b/services/obstap/templates/uws-db-deployment.yaml
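Review bot: The server NetworkPolicy admits any pod in any namespace carrying `gafaelfawr.lsst.io/ingress: "true"` (`namespaceSelector: {}`), so that label alone is the trust boundary: a workload in an unrelated namespace that sets it can reach the TAP server on 8080 directly, bypassing the ingress auth subrequest that injects the bearer token. If the label is only ever applied to the ingress-nginx controller pods, narrowing the rule with a `namespaceSelector` on that namespace's `kubernetes.io/metadata.name` closes the gap; this looks like a repository-wide convention, so it may be an accepted trade-off, in which case the comment should say so. The two NetworkPolicies in this chart also omit `labels:` in metadata, unlike every Service and Deployment next to them.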
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "cadc-tap-postgres.fullname" . }}-uws-db
+ labels:
+ {{- include "cadc-tap-postgres.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "uws-db"
+ template:
+ metadata:
+ {{- with .Values.uws.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "cadc-tap-postgres.labels" . | nindent 8 }}
+ app.kubernetes.io/component: "uws-db"
+ spec:
+ imagePullSecrets:
+ - name: "pull-secret"
+ automountServiceAccountToken: false
+ containers:
+ - name: "postgresql"
+ image: "{{ .Values.uws.image.repository }}:{{ .Values.uws.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.uws.imagePullPolicy | quote }}
+ ports:
+ - containerPort: 5432
+ {{- with .Values.uws.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: "data"
+ mountPath: "/var/lib/postgresql/data"
+ volumes:
+ - name: "data"
+ emptyDir: {}
+ {{- with .Values.uws.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.uws.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.uws.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/services/obstap/templates/uws-db-networkpolicy.yaml b/services/obstap/templates/uws-db-networkpolicy.yaml
new file mode 100644
index 0000000000..6de9259b5a
--- /dev/null
+++ b/services/obstap/templates/uws-db-networkpolicy.yaml
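Review bot: `imagePullPolicy: {{ .Values.uws.imagePullPolicy | quote }}` reads a key the chart does not define — the README documents `uws.image.pullPolicy` — so it renders `""` and the configured policy is silently dropped; it should be `imagePullPolicy: {{ .Values.uws.image.pullPolicy | quote }}`. This Deployment hard-codes `imagePullSecrets: - name: "pull-secret"` while the tap and tap-db Deployments read `.Values.imagePullSecrets`, which the site values in this commit no longer set; pick one form for all three. `/var/lib/postgresql/data` is an `emptyDir`, so every UWS job record is lost on a pod restart — acceptable only if that is intended, in which case a comment such as `# emptyDir: UWS job state is deliberately ephemeral` would stop the next reader from treating it as a bug.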
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "cadc-tap-postgres.fullname" . }}-uws-db
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "uws-db"
+ policyTypes:
+ - Ingress
+ # Deny all outbound access; PostgreSQL doesn't need to talk to anything.
+ - Egress
+ ingress:
+ # Allow inbound access to UWS database from the server.
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 14 }}
+ app.kubernetes.io/component: "server"
+ ports:
+ - protocol: "TCP"
+ port: 5432
diff --git a/services/obstap/templates/uws-db-service.yaml b/services/obstap/templates/uws-db-service.yaml
new file mode 100644
index 0000000000..33fcd54fac
--- /dev/null
+++ b/services/obstap/templates/uws-db-service.yaml
@@ -0,0 +1,14 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: {{ template "cadc-tap-postgres.fullname" . }}-uws-db
+ labels:
+ {{- include "cadc-tap-postgres.labels" . | nindent 4 }}
+spec:
+ ports:
+ - protocol: "TCP"
+ port: 5432
+ targetPort: 5432
+ selector:
+ {{- include "cadc-tap-postgres.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "uws-db"
diff --git a/services/obstap/templates/vault-secrets.yaml b/services/obstap/templates/vault-secrets.yaml
new file mode 100644
index 0000000000..bc386a5286
--- /dev/null
+++ b/services/obstap/templates/vault-secrets.yaml
@@ -0,0 +1,19 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ template "cadc-tap-postgres.fullname" . }}-secret + labels: + {{- include "cadc-tap-postgres.labels" . | nindent 4 }} +spec: + path: "{{ .Values.global.vaultSecretsPath }}/tap" + type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "cadc-tap-postgres.labels" . | nindent 4 }} +spec: + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + type: kubernetes.io/dockerconfigjson diff --git a/services/obstap/values-idfdev.yaml b/services/obstap/values-idfdev.yaml index 40870bf137..6e3f1aca1e 100644 --- a/services/obstap/values-idfdev.yaml +++ b/services/obstap/values-idfdev.yaml @@ -1,16 +1,3 @@ -cadc-tap-postgres: - fullnameOverride: "obstap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-dev.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/obstap/values-idfint.yaml b/services/obstap/values-idfint.yaml index 6ea91a0766..6e3f1aca1e 100644 --- a/services/obstap/values-idfint.yaml +++ b/services/obstap/values-idfint.yaml @@ -1,16 +1,3 @@ -cadc-tap-postgres: - fullnameOverride: "obstap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-int.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" 
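Review bot: The second VaultSecret's `path` uses the trimming form `"{{- .Values.global.vaultSecretsPath }}/pull-secret"` while the first uses `"{{ .Values.global.vaultSecretsPath }}/tap"`; the `-` trims nothing inside a quoted string, so use the plain form in both. The first secret is named from the chart fullname (`obstap-secret` with the default `fullnameOverride`) but `pull-secret` is a bare fixed name, so two releases of this chart in one namespace would contend for it — presumably each release gets its own namespace, and a one-line comment stating that assumption would help.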
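Review bot: After this change `values-idfdev.yaml`, `values-idfint.yaml`, `values-idfprod.yaml` and `values-minikube.yaml` are byte-identical (all land on blob `6e3f1aca1e`) and the int and stable hunks below carry the same `config` block; since the series is about DRYing the charts, the `config` block could become the default in `values.yaml` (which currently documents `gcsBucket` as "None, must be set") and the per-environment files shrink to genuine overrides. Separately, `gcsBucketUrl: "http://async-results.lsst.codes"` hands users a plain-HTTP URL for their result files; if the bucket endpoint serves TLS, prefer `https://` — the value predates this commit, but it is now what every environment inherits.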
diff --git a/services/obstap/values-idfprod.yaml b/services/obstap/values-idfprod.yaml index 8713c4abf4..6e3f1aca1e 100644 --- a/services/obstap/values-idfprod.yaml +++ b/services/obstap/values-idfprod.yaml @@ -1,16 +1,3 @@ -cadc-tap-postgres: - fullnameOverride: "obstap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/obstap/values-int.yaml b/services/obstap/values-int.yaml index 09984dc612..80e884587f 100644 --- a/services/obstap/values-int.yaml +++ b/services/obstap/values-int.yaml @@ -1,42 +1,29 @@ -cadc-tap-postgres: - fullnameOverride: "obstap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "lsst-lsp-int.ncsa.illinois.edu" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/tap" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 8.0 + memory: "16G" +db: resources: requests: - cpu: 2.0 - memory: "2G" + cpu: 0.25 + memory: "1G" limits: - cpu: 8.0 - memory: "16G" - - db: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" - - uws: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" + cpu: 2.0 + memory: "4G" - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" +uws: + resources: + requests: + cpu: 0.25 + memory: "1G" + limits: + cpu: 2.0 + memory: "4G" -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" 
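Review bot: In the `values-int.yaml` hunk `cpu: 2.0`, `cpu: 8.0` and `cpu: 0.25` are YAML floats rather than Kubernetes quantity strings; `toYaml` in the deployment templates re-emits them (as `2`, `8`, `0.25`), which the API server accepts, but quoting them as quantities (`cpu: "2"`, `cpu: "250m"`) avoids the float round-trip and reads as intent. The same applies to the identical `values-stable.yaml` hunk below.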
diff --git a/services/obstap/values-minikube.yaml b/services/obstap/values-minikube.yaml index fff2b57958..6e3f1aca1e 100644 --- a/services/obstap/values-minikube.yaml +++ b/services/obstap/values-minikube.yaml @@ -1,16 +1,3 @@ -cadc-tap-postgres: - fullnameOverride: "obstap" - - imagePullSecret: - - name: "pull-secret" - ingress: - host: "minikube.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/obstap/values-roe.yaml b/services/obstap/values-roe.yaml index 16f1c99e69..e69de29bb2 100644 --- a/services/obstap/values-roe.yaml +++ b/services/obstap/values-roe.yaml @@ -1,12 +0,0 @@ -cadc-tap-postgres: - fullnameOverride: "obstap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "rsp.lsst.ac.uk" - vaultSecretsPath: "secret/k8s_operator/roe/tap" - -pull-secret: - enabled: true - path: "secret/k8s_operator/roe/pull-secret" diff --git a/services/obstap/values-stable.yaml b/services/obstap/values-stable.yaml index 702d3f3f85..80e884587f 100644 --- a/services/obstap/values-stable.yaml +++ b/services/obstap/values-stable.yaml 
@@ -1,42 +1,29 @@ -cadc-tap-postgres: - fullnameOverride: "obstap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "lsst-lsp-stable.ncsa.illinois.edu" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/tap" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 8.0 + memory: "16G" +db: resources: requests: - cpu: 2.0 - memory: "2G" + cpu: 0.25 + memory: "1G" limits: - cpu: 8.0 - memory: "16G" - - db: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" - - uws: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" + cpu: 2.0 + memory: "4G" - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" +uws: + resources: + requests: + cpu: 0.25 + memory: "1G" + limits: + cpu: 2.0 + memory: "4G" -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/obstap/values.yaml b/services/obstap/values.yaml new file mode 100644 index 0000000000..f3f27895af --- /dev/null +++ b/services/obstap/values.yaml 
@@ -0,0 +1,115 @@ +# Default values for cadc-tap. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "obstap" + +# -- Number of pods to start +replicaCount: 1 + +image: + # -- tap-postgres image to use + repository: "lsstdax/tap-postgres-server" + + # -- Pull policy for the tap image + pullPolicy: "IfNotPresent" + + # -- Tag of tap image to use + # @default -- The appVersion of the chart + tag: "" + + +# Settings for the ingress rules. +ingress: + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=read:tap" + + # -- Additional annotations to use for endpoints that allow anonymous + # access, such as `/capabilities` and `/availability` + anonymousAnnotations: {} + + # -- Additional annotations to use for endpoints that are authenticated, + # such as `/sync`, `/async`, and `/tables` + authenticatedAnnotations: {} + +# -- Resource limits and requests for the cadc-tap-postgres pod +resources: {} + +# -- Annotations for the cadc-tap-postgres pod +podAnnotations: {} + +# -- Node selector rules for the cadc-tap-postgres pod +nodeSelector: {} + +# -- Tolerations for the cadc-tap-postgres pod +tolerations: [] + +# -- Affinity rules for the cadc-tap-postgres pod +affinity: {} + +config: + # -- Name of GCS bucket in which to store results + # @default -- None, must be set + gcsBucket: "" + + # -- Base URL for results stored in GCS bucket + # @default -- None, must be set + gcsBucketUrl: "" + +db: + image: + # -- Database image to use + repository: "lsstdax/tap-postgres-db" + + # -- Pull policy for the database image + pullPolicy: "IfNotPresent" + + # -- Tag of database image to use + # @default -- The appVersion of the chart + tag: "" + + # -- Resource limits and requests for the database pod + resources: {} + + # -- Annotations for the databse pod + podAnnotations: {} + + 
# -- Node selection rules for the database pod + nodeSelector: {} + + # -- Tolerations for the database pod + tolerations: [] + + # -- Affinity rules for the database pod + affinity: {} + +uws: + image: + # -- UWS database image to use + repository: "lsstdax/tap-postgres-uws" + + # -- Pull policy for the UWS database image + pullPolicy: "IfNotPresent" + + # -- Tag of UWS database image to use + # @default -- The appVersion of the chart + tag: "" + + # -- Resource limits and requests for the UWS database pod + resources: {} + + # -- Annotations for the UWS databse pod + podAnnotations: {} + + # -- Node selection rules for the UWS database pod + nodeSelector: {} + + # -- Tolerations for the UWS database pod + tolerations: [] + + # -- Affinity rules for the UWS database pod + affinity: {} From 95a5d24298023b46f8c3c756a1fd06c0d03c69e1 Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 19 Apr 2022 12:51:30 -0700 Subject: [PATCH 0406/1479] DRY cachemachine further --- services/cachemachine/templates/deployment.yaml | 4 ++-- .../cachemachine/templates/ingress-anonymous.yaml | 6 ++---- services/cachemachine/templates/ingress.yaml | 2 +- services/cachemachine/templates/networkpolicy.yaml | 2 -- services/cachemachine/templates/service.yaml | 4 ++-- services/cachemachine/values.yaml | 14 -------------- 6 files changed, 7 insertions(+), 25 deletions(-) diff --git a/services/cachemachine/templates/deployment.yaml b/services/cachemachine/templates/deployment.yaml index 91344b8df5..b8105098c2 100644 --- a/services/cachemachine/templates/deployment.yaml +++ b/services/cachemachine/templates/deployment.yaml @@ -20,7 +20,7 @@ spec: {{- include "cachemachine.selectorLabels" . | nindent 8 }} spec: imagePullSecrets: - - name: pull-secret + - name: "pull-secret" serviceAccountName: {{ template "cachemachine.serviceAccountName" . }} securityContext: runAsNonRoot: true 
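Review bot: The templates in this commit read `.Values.global.vaultSecretsPath` (vault-secrets.yaml), and the Argo CD Application also passes `global.host` and `global.baseUrl`, but `values.yaml` declares no `global:` stanza, so `helm template`/`helm lint` run outside Argo CD silently renders the secret path as `/tap` and helm-docs never lists the keys; add a documented block, e.g. `global:` with `# -- Base path for Vault secrets` / `# @default -- Set by Argo CD` / `vaultSecretsPath: ""` and the same for `host` and `baseUrl`. The new plot-navigator `values.yaml` later in this series has the same omission. Also `databse` is misspelled in two comments (`Annotations for the databse pod`, `Annotations for the UWS databse pod`), and the typo is already propagated into the generated README.md.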
@@ -38,7 +38,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy | quote }} env: - name: DOCKER_SECRET_NAME - value: pull-secret + value: "pull-secret" ports: - name: "http" containerPort: 8080 diff --git a/services/cachemachine/templates/ingress-anonymous.yaml b/services/cachemachine/templates/ingress-anonymous.yaml index c2bd124cfe..f6023cee1c 100644 --- a/services/cachemachine/templates/ingress-anonymous.yaml +++ b/services/cachemachine/templates/ingress-anonymous.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -22,12 +21,11 @@ spec: service: name: {{ template "cachemachine.fullname" . }} port: - number: {{ .Values.service.port }} + number: 80 - path: "/cachemachine/.*/desired" pathType: "ImplementationSpecific" backend: service: name: {{ template "cachemachine.fullname" . }} port: - number: {{ .Values.service.port }} -{{- end }} + number: 80 diff --git a/services/cachemachine/templates/ingress.yaml b/services/cachemachine/templates/ingress.yaml index 3c122e4417..2afc9c46b5 100644 --- a/services/cachemachine/templates/ingress.yaml +++ b/services/cachemachine/templates/ingress.yaml @@ -26,7 +26,7 @@ spec: service: name: {{ template "cachemachine.fullname" . }} port: - number: {{ .Values.service.port }} + number: 80 {{- if .Values.ingress.tls }} tls: {{- range .Values.ingress.tls }} diff --git a/services/cachemachine/templates/networkpolicy.yaml b/services/cachemachine/templates/networkpolicy.yaml index 142947e745..2741f62d58 100644 --- a/services/cachemachine/templates/networkpolicy.yaml +++ b/services/cachemachine/templates/networkpolicy.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -20,4 +19,3 @@ spec: ports: - protocol: "TCP" port: 8080 -{{- end }} diff --git a/services/cachemachine/templates/service.yaml b/services/cachemachine/templates/service.yaml index 05e31e77c0..63ccbc2ed1 100644 
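Review bot: The literal `number: 80` now appears three times across `ingress-anonymous.yaml` and `ingress.yaml` and must stay in step with `port: 80` in `service.yaml`; the Service already refers to its target port by name (`targetPort: "http"`), so giving the Service port a name too (`- name: "http"`) and referencing it from the ingresses as `port: name: "http"` would keep the value in one place. Removing the `{{- if .Values.ingress.enabled -}}` guard from `networkpolicy.yaml` means the policy is now applied unconditionally, which is the right behaviour and deserves a one-line comment so nobody re-adds the guard.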
--- a/services/cachemachine/templates/service.yaml +++ b/services/cachemachine/templates/service.yaml @@ -5,9 +5,9 @@ metadata: labels: {{- include "cachemachine.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: ClusterIP ports: - - port: {{ .Values.service.port }} + - port: 80 targetPort: "http" protocol: "TCP" selector: diff --git a/services/cachemachine/values.yaml b/services/cachemachine/values.yaml index cc40a1efdd..13d871cb72 100644 --- a/services/cachemachine/values.yaml +++ b/services/cachemachine/values.yaml @@ -26,24 +26,10 @@ serviceAccount: # -- Annotations to add to the service account annotations: {} -service: - # -- Type of service to create - type: "ClusterIP" - - # -- Port of the service to create and map to the ingress - port: 80 - ingress: - # -- Whether to create an ingress - enabled: true - # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "scope=exec:admin" - # -- Hostname for the ingress - # @default -- None, must be set if the ingress is enabled - host: "" - # -- Additional annotations to add for endpoints that are authenticated. annotations: {} From 0e019bb58647f6fdea0e8d716e9c582133e437bd Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 19 Apr 2022 12:57:07 -0700 Subject: [PATCH 0407/1479] update app defs for narrativelog/obstap --- .../templates/narrativelog-application.yaml | 11 +++++++++-- science-platform/templates/obstap-application.yaml | 10 +++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/science-platform/templates/narrativelog-application.yaml b/science-platform/templates/narrativelog-application.yaml index d12d0e3572..3b903ba92d 100644 --- a/science-platform/templates/narrativelog-application.yaml +++ b/science-platform/templates/narrativelog-application.yaml 
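Review bot: `ingress.host` and `ingress.enabled` are removed from `values.yaml`, yet the diffstat shows `ingress.yaml` changing only its port line, so if that template still reads `.Values.ingress.host` (or `.Values.ingress.enabled`) it now renders an empty host with no error; please confirm it reads `.Values.global.host`, ideally as `host: {{ required "global.host must be set" .Values.global.host | quote }}` the way the plot-navigator ingress later in this series does. The surviving `{{- if .Values.ingress.tls }}` in `ingress.yaml` should likewise have a documented `tls` key; none is visible in this hunk.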
@@ -21,7 +21,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/templates/obstap-application.yaml b/science-platform/templates/obstap-application.yaml index e1a5656445..5abc556119 100644 --- a/science-platform/templates/obstap-application.yaml +++ b/science-platform/templates/obstap-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} From c7d8ce9a3d411323f5067ec187c1ff4aab8a4486 Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 19 Apr 2022 13:00:41 -0700 Subject: [PATCH 0408/1479] touch up obstap --- services/obstap/README.md | 2 +- services/obstap/templates/tap-db-deployment.yaml | 4 +--- services/obstap/templates/tap-deployment.yaml | 4 +--- services/obstap/templates/tap-ingress-anonymous.yaml | 6 +++--- services/obstap/templates/tap-ingress-authenticated.yaml | 2 +- services/obstap/templates/tap-service.yaml | 2 +- 6 files changed, 8 insertions(+), 12 deletions(-) diff --git a/services/obstap/README.md b/services/obstap/README.md index 0c89e6dfb6..a57162074a 100644 --- a/services/obstap/README.md +++ b/services/obstap/README.md 
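Review bot: The `helm.parameters` block (`global.host`, `global.baseUrl`, `global.vaultSecretsPath`) is pasted verbatim into both Application templates here and again into the plot-navigator and postgres Application templates later in this series; a named template in the science-platform chart, e.g. `{{- include "science-platform.helmParameters" . | nindent 6 }}`, would keep the four copies from drifting. `global.baseUrl` is built as `"https://{{ .Values.fqdn }}"` without `| quote`, unlike its neighbours; a comment noting that `fqdn` is a bare hostname would explain why that is safe.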
@@ -21,7 +21,7 @@ CADC TAP PostgresSQL service, used for ObsTAP | db.podAnnotations | object | `{}` | Annotations for the databse pod | | db.resources | object | `{}` | Resource limits and requests for the database pod | | db.tolerations | list | `[]` | Tolerations for the database pod | -| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| fullnameOverride | string | `"obstap"` | Override the full name for resources (includes the release name) | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tap image | | image.repository | string | `"lsstdax/tap-postgres-server"` | tap-postgres image to use | | image.tag | string | The appVersion of the chart | Tag of tap image to use | diff --git a/services/obstap/templates/tap-db-deployment.yaml b/services/obstap/templates/tap-db-deployment.yaml index 96a7251a6f..5fbfb4c325 100644 --- a/services/obstap/templates/tap-db-deployment.yaml +++ b/services/obstap/templates/tap-db-deployment.yaml @@ -20,10 +20,8 @@ spec: {{- include "cadc-tap-postgres.labels" . | nindent 8 }} app.kubernetes.io/component: "tap-db" spec: - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + - name: "pull-secret" automountServiceAccountToken: false containers: - name: "tap-db" diff --git a/services/obstap/templates/tap-deployment.yaml b/services/obstap/templates/tap-deployment.yaml index 854dd967ab..df0ee54952 100644 --- a/services/obstap/templates/tap-deployment.yaml +++ b/services/obstap/templates/tap-deployment.yaml @@ -20,10 +20,8 @@ spec: {{- include "cadc-tap-postgres.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: "server" spec: - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + - name: "pull-secret" automountServiceAccountToken: false containers: - name: "tap-server" 
diff --git a/services/obstap/templates/tap-ingress-anonymous.yaml b/services/obstap/templates/tap-ingress-anonymous.yaml index 0aa273307c..f8a4c65fd5 100644 --- a/services/obstap/templates/tap-ingress-anonymous.yaml +++ b/services/obstap/templates/tap-ingress-anonymous.yaml @@ -28,18 +28,18 @@ spec: service: name: {{ template "cadc-tap-postgres.fullname" . }} port: - number: 8080 + number: 80 - path: "/api/obstap/(capabilities)" pathType: "ImplementationSpecific" backend: service: name: {{ template "cadc-tap-postgres.fullname" . }} port: - number: 8080 + number: 80 - path: "/api/obstap/(swagger-ui.*)" pathType: "ImplementationSpecific" backend: service: name: {{ template "cadc-tap-postgres.fullname" . }} port: - number: 8080 + number: 80 diff --git a/services/obstap/templates/tap-ingress-authenticated.yaml b/services/obstap/templates/tap-ingress-authenticated.yaml index 55aad30af1..717e034919 100644 --- a/services/obstap/templates/tap-ingress-authenticated.yaml +++ b/services/obstap/templates/tap-ingress-authenticated.yaml @@ -34,4 +34,4 @@ spec: service: name: {{ template "cadc-tap-postgres.fullname" . }} port: - number: 8080 + number: 80 diff --git a/services/obstap/templates/tap-service.yaml b/services/obstap/templates/tap-service.yaml index 8cc5081ddc..a2894fa550 100644 --- a/services/obstap/templates/tap-service.yaml +++ b/services/obstap/templates/tap-service.yaml @@ -8,7 +8,7 @@ spec: type: ClusterIP ports: - protocol: "TCP" - port: 8080 + port: 80 targetPort: 8080 selector: {{- include "cadc-tap-postgres.selectorLabels" . | nindent 4 }} From 72ffbfc11c81ee0fda377b86949bcc4e0a353cd2 Mon Sep 17 00:00:00 2001 
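Review bot: Changing the Service port from 8080 to 80 (with `targetPort: 8080` unchanged) is applied consistently across the three ingress templates, but any in-cluster client that addressed the Service on 8080 directly — none is visible in this series — would break silently; a comment on the Service port, `# Port 80 on the Service, 8080 in the container`, would make the mapping deliberate and catch that case in review.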
From: adam Date: Tue, 19 Apr 2022 13:24:59 -0700 Subject: [PATCH 0409/1479] DRY plot-navigator --- .../templates/plot-navigator-application.yaml | 10 ++- services/plot-navigator/Chart.yaml | 8 +-- services/plot-navigator/README.md | 18 +++++ .../plot-navigator/templates/_helpers.tpl | 51 ++++++++++++++ .../plot-navigator/templates/deployment.yaml | 66 +++++++++++++++++++ .../plot-navigator/templates/ingress.yaml | 30 +++++++++ .../plot-navigator/templates/service.yaml | 13 ++++ .../templates/vault-secrets.yaml | 20 ++++++ services/plot-navigator/values-idfint.yaml | 21 ++---- services/plot-navigator/values.yaml | 11 ++++ 10 files changed, 226 insertions(+), 22 deletions(-) create mode 100644 services/plot-navigator/README.md create mode 100644 services/plot-navigator/templates/_helpers.tpl create mode 100644 services/plot-navigator/templates/deployment.yaml create mode 100644 services/plot-navigator/templates/ingress.yaml create mode 100644 services/plot-navigator/templates/service.yaml create mode 100644 services/plot-navigator/templates/vault-secrets.yaml create mode 100644 services/plot-navigator/values.yaml diff --git a/science-platform/templates/plot-navigator-application.yaml b/science-platform/templates/plot-navigator-application.yaml index 25235b6de0..7277904dda 100644 --- a/science-platform/templates/plot-navigator-application.yaml +++ b/science-platform/templates/plot-navigator-application.yaml @@ -21,6 +21,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} 
diff --git a/services/plot-navigator/Chart.yaml b/services/plot-navigator/Chart.yaml index eee10bee88..c56cd08ec9 100644 --- a/services/plot-navigator/Chart.yaml +++ b/services/plot-navigator/Chart.yaml @@ -1,7 +1,5 @@ apiVersion: v2 name: plot-navigator -version: 1.0.0 -dependencies: -- name: plot-navigator - version: "=1.6.1" - repository: https://lsst-sqre.github.io/charts/ +description: Panel-based plot viewer. +version: 1.6.1 +appVersion: 0.6.1 diff --git a/services/plot-navigator/README.md b/services/plot-navigator/README.md new file mode 100644 index 0000000000..7d63b0eaa1 --- /dev/null +++ b/services/plot-navigator/README.md @@ -0,0 +1,18 @@ +# plot-navigator + +![Version: 1.6.1](https://img.shields.io/badge/Version-1.6.1-informational?style=flat-square) ![AppVersion: 0.6.1](https://img.shields.io/badge/AppVersion-0.6.1-informational?style=flat-square) + +Panel-based plot viewer. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| environment | object | `{}` | | +| image.repository | string | `"lsstdm/pipetask-plot-navigator"` | | +| image.tag | string | `""` | | +| ingress.annotations | object | `{}` | | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=plotnavigator"` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/plot-navigator/templates/_helpers.tpl b/services/plot-navigator/templates/_helpers.tpl new file mode 100644 index 0000000000..7a48c59875 --- /dev/null +++ b/services/plot-navigator/templates/_helpers.tpl 
@@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "plot-navigator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "plot-navigator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "plot-navigator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "plot-navigator.labels" -}} +helm.sh/chart: {{ include "plot-navigator.chart" . }} +{{ include "plot-navigator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "plot-navigator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "plot-navigator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/plot-navigator/templates/deployment.yaml b/services/plot-navigator/templates/deployment.yaml new file mode 100644 index 0000000000..3b241afa0e --- /dev/null +++ b/services/plot-navigator/templates/deployment.yaml 
@@ -0,0 +1,66 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: plot-navigator + labels: + {{- include "plot-navigator.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + app: plot-navigator + template: + metadata: + labels: + app: plot-navigator + spec: + imagePullSecrets: + name: pull-secret + volumes: + # butler-secrets-raw is the secrets we get from vault + - name: "butler-secrets-raw" + secret: + secretName: "butler-secret" + # butler-secrets are the copied and chmoded versions + - name: "butler-secrets" + emptyDir: {} + # Have to fix permissions on the pgpass file. + # init container pattern borrowed from vo-cutouts. + initContainers: + - name: fix-secret-permissions + image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: Always + command: + - "/bin/bash" + - "-c" + - | + cp -RL /home/worker/secrets-raw/* /home/worker/.lsst/ + chown worker:worker /home/worker/.lsst/* + chmod 0400 /home/worker/.lsst/* + securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + volumeMounts: + - name: "butler-secrets" + mountPath: "/home/worker/.lsst/" + - name: "butler-secrets-raw" + mountPath: "/home/worker/secrets-raw/" + readOnly: true + containers: + - name: plot-navigator + image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion}} + imagePullPolicy: Always + env: +{{- range $key, $value := .Values.environment }} + - name: {{ $key | quote }} + value: {{ $value | quote }} +{{- end }} + volumeMounts: + - name: butler-secrets + mountPath: "/home/worker/.lsst/" + command: + - /bin/bash + - -c + - panel serve dashboard_gen3.py --port 8080 --prefix {{ .Values.basePath }} --allow-websocket-origin {{ .Values.hostname }} --static-dirs assets=./assets diff --git a/services/plot-navigator/templates/ingress.yaml b/services/plot-navigator/templates/ingress.yaml new file mode 100644 index 0000000000..673b45d962 --- /dev/null 
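Review bot: The `panel serve` command interpolates `{{ .Values.basePath }}` and `{{ .Values.hostname }}`, but this commit removes `basePath` and `hostname` from `values-idfint.yaml` and the new `values.yaml` does not define them, so both render empty and `--prefix` and `--allow-websocket-origin` are left without arguments; since the ingress hard-codes `/plot-navigator` and reads `.Values.global.host`, use the same sources here: `--prefix /plot-navigator --allow-websocket-origin {{ required "global.host must be set" .Values.global.host }}` (and `--allow-websocket-origin` is the server's origin allow-list for websocket connections, so it must be the real external host). `imagePullSecrets:` is followed by `name: pull-secret` as a mapping, but the field is a list; write `- name: "pull-secret"` or the API server rejects the Deployment. The pod template and selector use `app: plot-navigator` instead of the `plot-navigator.selectorLabels` helper defined in `_helpers.tpl` (the Service selector does the same), and the main container has no `securityContext` even though the init container deliberately hands the secrets to `worker` — add at least `runAsNonRoot: true` there.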
+++ b/services/plot-navigator/templates/ingress.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: plot-navigator + labels: + {{- include "plot-navigator.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- if .Values.ingress.gafaelfawrAuthQuery }} + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/plot-navigator" + pathType: ImplementationSpecific + backend: + service: + name: plot-navigator + port: + number: 80 diff --git a/services/plot-navigator/templates/service.yaml b/services/plot-navigator/templates/service.yaml new file mode 100644 index 0000000000..dc02189b57 --- /dev/null +++ b/services/plot-navigator/templates/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: plot-navigator + labels: + {{- include "plot-navigator.labels" . | nindent 4 }} +spec: + selector: + app: plot-navigator + ports: + - port: 80 + protocol: TCP + targetPort: 8080 diff --git a/services/plot-navigator/templates/vault-secrets.yaml b/services/plot-navigator/templates/vault-secrets.yaml new file mode 100644 index 0000000000..c189eb29c7 --- /dev/null +++ b/services/plot-navigator/templates/vault-secrets.yaml 
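Review bot: The Gafaelfawr auth annotations are wrapped in `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, so an environment that overrides `gafaelfawrAuthQuery` to `""` gets an ingress with no authentication in front of the Butler-backed dashboard — a fail-open default. Unless anonymous access is a supported mode, make the value mandatory, e.g. `nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}"`, or document in `values.yaml` that an empty value disables authentication. `kubernetes.io/ingress.class` is the deprecated annotation form; `spec.ingressClassName: "nginx"` is the current field, though other charts in the repo may still use the annotation and consistency may win here.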
@@ -0,0 +1,20 @@ +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: butler-secret + labels: + {{- include "plot-navigator.labels" . | nindent 4 }} +spec: + path: "{{ .Values.global.vaultSecretsPath }}/butler-secret" + type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "plot-navigator.labels" . | nindent 4 }} +spec: + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + type: kubernetes.io/dockerconfigjson diff --git a/services/plot-navigator/values-idfint.yaml b/services/plot-navigator/values-idfint.yaml index 8e8b09f2dc..4dc30dc478 100644 --- a/services/plot-navigator/values-idfint.yaml +++ b/services/plot-navigator/values-idfint.yaml @@ -1,16 +1,5 @@ -plot-navigator: - hostname: "data-int.lsst.cloud" - basePath: "/plot-navigator" - butler_secret_path: "secret/k8s_operator/data-int.lsst.cloud/butler-secret" - environment: - BUTLER_URI: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" - PGPASSFILE: "/home/worker/.lsst/postgres-credentials.txt" - AWS_SHARED_CREDENTIALS_FILE: "/home/worker/.lsst/aws-credentials.ini" - S3_ENDPOINT_URL: "https://storage.googleapis.com" - ingress: - host: "data-int.lsst.cloud" - path: "/plot-navigator" - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-signin: "https://data-int.lsst.cloud/login" - nginx.ingress.kubernetes.io/auth-url: "https://data-int.lsst.cloud/auth?scope=exec:portal&delegate_to=plotnavigator" +environment: + BUTLER_URI: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" + PGPASSFILE: "/home/worker/.lsst/postgres-credentials.txt" + AWS_SHARED_CREDENTIALS_FILE: "/home/worker/.lsst/aws-credentials.ini" + S3_ENDPOINT_URL: "https://storage.googleapis.com" diff --git a/services/plot-navigator/values.yaml b/services/plot-navigator/values.yaml new file mode 100644 index 0000000000..f928496c32 --- /dev/null +++ b/services/plot-navigator/values.yaml 
@@ -0,0 +1,11 @@
+image:
+ repository: lsstdm/pipetask-plot-navigator
+ tag: ""
+
+# Environment variables to be passed to panel.
+# e.g. butler configuration and auth params.
+environment: {}
+
+ingress:
+ gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=plotnavigator"
+ annotations: {}
From c04d66277beac25252f41bf00310a4c64ac12915 Mon Sep 17 00:00:00 2001
From: adam Date: Tue, 19 Apr 2022 13:43:03 -0700 Subject: [PATCH 0410/1479] remove squash-sandbox; DRY out postgres --- .../templates/postgres-application.yaml | 10 +- science-platform/values-squash-sandbox.yaml | 64 ------------- .../cert-manager/values-squash-sandbox.yaml | 4 - .../gafaelfawr/values-squash-sandbox.yaml | 42 -------- services/postgres/.helmignore | 22 +++++ services/postgres/Chart.yaml | 12 +-- services/postgres/README.md | 21 ++++ services/postgres/templates/_helpers.tpl | 56 +++++++++++ services/postgres/templates/deployment.yaml | 95 +++++++++++++++++++ services/postgres/templates/physpvc.yaml | 16 ++++ services/postgres/templates/service.yaml | 10 ++ services/postgres/templates/storageclass.yaml | 9 ++ .../postgres/templates/vault-secrets.yaml | 20 ++++ services/postgres/values-base.yaml | 41 ++++---- services/postgres/values-idfdev.yaml | 17 +--- services/postgres/values-idfint.yaml | 16 +--- services/postgres/values-idfprod.yaml | 16 +--- services/postgres/values-int.yaml | 29 ++---- services/postgres/values-minikube.yaml | 38 +++----- services/postgres/values-roe.yaml | 27 ++---- services/postgres/values-squash-sandbox.yaml | 12 --- services/postgres/values-stable.yaml | 29 ++---- services/postgres/values-summit.yaml | 35 +++---- .../postgres/values-tucson-teststand.yaml | 35 +++---- services/postgres/values.yaml | 18 ++++ .../squash-api/values-squash-sandbox.yaml | 41 -------- .../values-squash-sandbox.yaml | 15 --- 27 files changed, 378 insertions(+), 372 deletions(-) delete mode 100644 science-platform/values-squash-sandbox.yaml delete mode 100644 services/cert-manager/values-squash-sandbox.yaml delete mode 100644 services/gafaelfawr/values-squash-sandbox.yaml create mode 100644 services/postgres/.helmignore create mode 100644 services/postgres/README.md create mode 100644 services/postgres/templates/_helpers.tpl create mode 100644 services/postgres/templates/deployment.yaml create mode 100644 services/postgres/templates/physpvc.yaml 
create mode 100644 services/postgres/templates/service.yaml create mode 100644 services/postgres/templates/storageclass.yaml create mode 100644 services/postgres/templates/vault-secrets.yaml delete mode 100644 services/postgres/values-squash-sandbox.yaml create mode 100644 services/postgres/values.yaml delete mode 100644 services/squash-api/values-squash-sandbox.yaml delete mode 100644 services/vault-secrets-operator/values-squash-sandbox.yaml diff --git a/science-platform/templates/postgres-application.yaml b/science-platform/templates/postgres-application.yaml index 03d0b0c3d8..6d8e11e97e 100644 --- a/science-platform/templates/postgres-application.yaml +++ b/science-platform/templates/postgres-application.yaml @@ -21,6 +21,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/science-platform/values-squash-sandbox.yaml b/science-platform/values-squash-sandbox.yaml deleted file mode 100644 index 4aa7865d74..0000000000 --- a/science-platform/values-squash-sandbox.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -environment: squash-sandbox -fqdn: squash-sandbox.lsst.codes -vault_path_prefix: secret/k8s_operator/squash-sandbox.lsst.codes - -alert_stream_broker: - enabled: false -cachemachine: - enabled: false -cert_manager: - enabled: true -datalinker: - enabled: false -exposurelog: - enabled: false -gafaelfawr: - enabled: true -mobu: - enabled: false -moneypenny: - enabled: false -ingress_nginx: - enabled: true -narrativelog: - enabled: false -noteburst: - enabled: false -nublado2: - enabled: false -obstap: - enabled: false -plot_navigator: - enabled: false -portal: - enabled: false -postgres: - enabled: true -sasquatch: - enabled: false -production_tools: - enabled: false -semaphore: - enabled: false -squareone: - enabled: false -squash_api: - enabled: true -strimzi: - enabled: false -strimzi_registry_operator: - enabled: false -tap: - enabled: false -tap_schema: - enabled: false -telegraf: - enabled: false -telegraf-ds: - enabled: false -times_square: - enabled: false -vault_secrets_operator: - enabled: true -vo_cutouts: - enabled: false diff --git a/services/cert-manager/values-squash-sandbox.yaml b/services/cert-manager/values-squash-sandbox.yaml deleted file mode 100644 index 958b34c026..0000000000 --- a/services/cert-manager/values-squash-sandbox.yaml +++ /dev/null @@ -1,4 +0,0 @@ -config: - route53: - awsAccessKeyId: "AKIAQSJOS2SFLUEVXZDB" - hostedZone: "Z06873202D7WVTZUFOQ42" diff --git a/services/gafaelfawr/values-squash-sandbox.yaml b/services/gafaelfawr/values-squash-sandbox.yaml deleted file mode 100644 index f937598ce7..0000000000 --- a/services/gafaelfawr/values-squash-sandbox.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Reset token storage on every Redis restart. -redis: - persistence: - enabled: false - -config: - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - - # Whether to issue tokens for InfluxDB. If set to true, influxdb-secret - # must be set in the Gafaelfawr secret. - influxdb: - enabled: true - username: "efdreader" - - # Whether to support OpenID Connect clients. If set to true, - # oidc-server-secrets must be set in the Gafaelfawr secret. - oidcServer: - enabled: true - - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/232eaabf026dab8b26f9c9770873cb7e" - redirectUrl: "https://squash-sandbox.lsst.codes/login" - loginParams: - skin: "LSST" - - # Use NCSA groups to determine token scopes. - groupMapping: - "admin:provision": ["lsst_int_lsp_admin"] - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] - - initialAdmins: - - "afausti" - - "athornto" - - "cbanek" - - "frossie" - - "jsick" - - "krughoff" - - "rra" diff --git a/services/postgres/.helmignore b/services/postgres/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/services/postgres/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/services/postgres/Chart.yaml b/services/postgres/Chart.yaml index a23d84f815..d235de0d1e 100644 --- a/services/postgres/Chart.yaml +++ b/services/postgres/Chart.yaml 
@@ -1,10 +1,6 @@ apiVersion: v2 +appVersion: "1.0" +description: Postgres RDBMS for LSP +home: https://hub.docker.com/r/lsstsqre/lsp-postgres name: postgres -version: 1.0.0 -dependencies: -- name: postgres - version: ">=0.1.1" - repository: https://lsst-sqre.github.io/charts/ -- name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ +version: 0.1.1 diff --git a/services/postgres/README.md b/services/postgres/README.md new file mode 100644 index 0000000000..1a2f69abd8 --- /dev/null +++ b/services/postgres/README.md @@ -0,0 +1,21 @@ +# postgres + +![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square) + +Postgres RDBMS for LSP + +**Homepage:** + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| debug | string | `""` | | +| image.repository | string | `"lsstsqre/lsp-postgres"` | | +| image.tag | string | `"latest"` | | +| postgres_storage_class | string | `"fast"` | | +| postgres_volume_size | string | `"1Gi"` | | +| volume_name | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/postgres/templates/_helpers.tpl b/services/postgres/templates/_helpers.tpl new file mode 100644 index 0000000000..cad60fd269 --- /dev/null +++ b/services/postgres/templates/_helpers.tpl 
@@ -0,0 +1,56 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "postgres.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "postgres.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "postgres.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "postgres.labels" -}}
+app.kubernetes.io/name: {{ include "postgres.name" . }}
+helm.sh/chart: {{ include "postgres.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "postgres.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "postgres.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/services/postgres/templates/deployment.yaml b/services/postgres/templates/deployment.yaml
new file mode 100644
index 0000000000..7af7b4b63d
--- /dev/null
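Review bot: `postgres.serviceAccountName`, the last define in this hunk, reads `.Values.serviceAccount.create`, but the chart's new values.yaml in this same patch declares no `serviceAccount` key, so any template that ever includes the helper will fail at render time with a nil-pointer error. None of the templates added in this commit appear to include it, so it is dead code today; either drop the define or declare `serviceAccount:` / `  create: false` / `  name: ""` in values.yaml so the helper is safe to call. The `postgres.labels` helper is used by vault-secrets.yaml but not by the Deployment, whose selector relies on an ad-hoc `name:` label instead; using the common labels in both places would keep the resources consistent.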
+++ b/services/postgres/templates/deployment.yaml 
@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "postgres.fullname" . }}
+ labels:
+ app: {{ template "postgres.fullname" . }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: {{ template "postgres.fullname" . }}
+ template:
+ metadata:
+ labels:
+ name: {{ template "postgres.fullname" . }}
+ spec:
+ containers:
+ - name: {{ template "postgres.fullname" . }}
+ imagePullPolicy: "Always"
+ image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+ ports:
+ - name: postgres
+ containerPort: 5432
+ volumeMounts:
+ - name: storage
+ mountPath: /var/lib/postgresql
+ env:
+ - name: DEBUG
+ value: '{{ .Values.debug }}'
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "postgres.fullname" . }}
+ key: root_password
+ {{- with .Values.jupyterhub_db }}
+ - name: VRO_DB_JUPYTERHUB_USER
+ value: {{ .user }}
+ - name: VRO_DB_JUPYTERHUB_DB
+ value: {{ .db }}
+ - name: VRO_DB_JUPYTERHUB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: jupyterhub_password
+ {{- end }}
+ {{- with .Values.lovelog_db }}
+ - name: VRO_DB_LOVELOG_USER
+ value: {{ .user }}
+ - name: VRO_DB_LOVELOG_DB
+ value: {{ .db }}
+ - name: VRO_DB_LOVELOG_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: lovelog_password
+ {{- end }}
+ {{- with .Values.narrativelog_db }}
+ - name: VRO_DB_NARRATIVELOG_USER
+ value: {{ .user }}
+ - name: VRO_DB_NARRATIVELOG_DB
+ value: {{ .db }}
+ - name: VRO_DB_NARRATIVELOG_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: narrativelog_password
+ {{- end }}
+ {{- with .Values.exposurelog_db }}
+ - name: VRO_DB_EXPOSURELOG_USER
+ value: {{ .user }}
+ - name: VRO_DB_EXPOSURELOG_DB
+ value: {{ .db }}
+ - name: VRO_DB_EXPOSURELOG_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: exposurelog_password
+ {{- end }}
+ {{- with .Values.gafaelfawr_db }}
+ - name: VRO_DB_GAFAELFAWR_USER
+ value: {{ .user }}
+ - name: VRO_DB_GAFAELFAWR_DB
+ value: {{ .db }}
+ - name: 
VRO_DB_GAFAELFAWR_PASSWORD + valueFrom: + secretKeyRef: + name: postgres + key: gafaelfawr_password + {{- end }} + imagePullSecrets: + - name: "pull-secret" + volumes: + - name: storage + persistentVolumeClaim: + claimName: {{ template "postgres.fullname" . }}-physpvc diff --git a/services/postgres/templates/physpvc.yaml b/services/postgres/templates/physpvc.yaml new file mode 100644 index 0000000000..c17a2b3bb3 --- /dev/null +++ b/services/postgres/templates/physpvc.yaml @@ -0,0 +1,16 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "postgres.fullname" . }}-physpvc +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: {{.Values.postgres_volume_size}} + storageClassName: {{.Values.postgres_storage_class}} +{{ if .Values.volume_name }} + volumeName: {{ .Values.volume_name }} +{{ end }} + + diff --git a/services/postgres/templates/service.yaml b/services/postgres/templates/service.yaml new file mode 100644 index 0000000000..9c73f94bf3 --- /dev/null +++ b/services/postgres/templates/service.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgres.fullname" . }} +spec: + ports: + - name: postgres + port: 5432 + selector: + name: {{ template "postgres.fullname" . }} diff --git a/services/postgres/templates/storageclass.yaml b/services/postgres/templates/storageclass.yaml new file mode 100644 index 0000000000..2bcc9cc14d --- /dev/null +++ b/services/postgres/templates/storageclass.yaml @@ -0,0 +1,9 @@ +{{- if eq .Values.postgres_storage_class "fast" }} +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: fast +provisioner: kubernetes.io/gce-pd +parameters: + type: pd-ssd +{{- end }} diff --git a/services/postgres/templates/vault-secrets.yaml b/services/postgres/templates/vault-secrets.yaml new file mode 100644 index 0000000000..5d1a67dfc5 --- /dev/null +++ b/services/postgres/templates/vault-secrets.yaml 
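Review bot: The Deployment leaves the rollout strategy at the default RollingUpdate while its only volume is a ReadWriteOnce PVC (physpvc.yaml in this same commit), so any pod-spec change starts a second pod that cannot attach the volume and the rollout stalls; add `strategy:` / `  type: Recreate` under `spec:`. The `POSTGRES_PASSWORD` secretKeyRef points at `{{ template "postgres.fullname" . }}` while the VaultSecret that materialises it is hard-coded as `postgres` and the five per-database password refs already use `name: postgres`; the root password should reference the same secret, `name: postgres`, or the VaultSecret should be named with the fullname too. `imagePullPolicy: "Always"` combined with the values.yaml default `image.tag: 'latest'` means environments that pin no tag (values-base, -summit, -idfprod here) redeploy whatever `lsstsqre/lsp-postgres` last pushed on every pod restart; pin a tag per environment, or at least document in values.yaml that `latest` is not meant for production. The `value: {{ .user }}` and `value: {{ .db }}` scalars should be `| quote`d so a value that looks like a boolean or number is not retyped by the YAML parser.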
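Review bot: storageclass.yaml creates a cluster-scoped StorageClass named `fast` with the GCE `pd-ssd` provisioner from inside an application chart whenever `postgres_storage_class` happens to be `fast`. A StorageClass is cluster-wide, so another chart rendering the same object would fight this Application over ownership in Argo CD, and pruning the postgres Application would delete a class other workloads may be bound to; it would be safer to manage the class in a cluster-level chart and keep only `storageClassName` here. If it must stay, gate it on an explicit flag such as `{{- if .Values.createStorageClass }}` rather than on the class name, so the intent is visible in the environment values file.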
@@ -0,0 +1,20 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: postgres + labels: + app: {{ template "postgres.fullname" . }} +{{ include "postgres.labels" . | indent 4 }} +spec: + path: "{{ .Values.global.vaultSecretsPath }}/postgres" + type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "postgres.labels" . | nindent 4 }} +spec: + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + type: kubernetes.io/dockerconfigjson diff --git a/services/postgres/values-base.yaml b/services/postgres/values-base.yaml index 10aa88f953..ef3170ff25 100644 --- a/services/postgres/values-base.yaml +++ b/services/postgres/values-base.yaml @@ -1,25 +1,16 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/base-lsp.lsst.codes/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - lovelog_db: - user: 'lovelog' - db: 'lovelog' - exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - narrativelog_db: - user: 'narrativelog' - db: 'narrativelog' - postgres_storage_class: 'rook-ceph-block' - -pull-secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' +lovelog_db: + user: 'lovelog' + db: 'lovelog' +exposurelog_db: + user: 'exposurelog' + db: 'exposurelog' +gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' +narrativelog_db: + user: 'narrativelog' + db: 'narrativelog' +postgres_storage_class: 'rook-ceph-block' diff --git a/services/postgres/values-idfdev.yaml b/services/postgres/values-idfdev.yaml index d62df2fb11..4bf87c20e3 100644 --- a/services/postgres/values-idfdev.yaml +++ b/services/postgres/values-idfdev.yaml 
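Review bot: Both VaultSecret paths interpolate `.Values.global.vaultSecretsPath` unguarded, and the chart's values.yaml does not declare `global` at all, so rendering outside Argo CD (a local `helm template`, or an Application that omits the parameter) silently produces `path: "/postgres"` and `path: "/pull-secret"` instead of failing. Use `required` so a missing path is a render error: `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/postgres"`, and the same for pull-secret. The two resources also attach the common labels differently — `{{ include "postgres.labels" . | indent 4 }}` on its own line for `postgres`, `{{- include "postgres.labels" . | nindent 4 }}` for `pull-secret`; use the `nindent` form for both.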
@@ -1,12 +1,5 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/data-dev.lsst.cloud/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - -pull-secret: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret +postgres_storage_class: 'fast' +debug: 'true' +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' diff --git a/services/postgres/values-idfint.yaml b/services/postgres/values-idfint.yaml index 4cc83a5042..e3e4732f12 100644 --- a/services/postgres/values-idfint.yaml +++ b/services/postgres/values-idfint.yaml @@ -1,12 +1,4 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/data-int.lsst.cloud/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - -pull-secret: - enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/pull-secret +postgres_storage_class: 'fast' +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' diff --git a/services/postgres/values-idfprod.yaml b/services/postgres/values-idfprod.yaml index a78ee0fa44..e3e4732f12 100644 --- a/services/postgres/values-idfprod.yaml +++ b/services/postgres/values-idfprod.yaml @@ -1,12 +1,4 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/data.lsst.cloud/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - -pull-secret: - enabled: true - path: secret/k8s_operator/data.lsst.cloud/pull-secret +postgres_storage_class: 'fast' +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' diff --git a/services/postgres/values-int.yaml b/services/postgres/values-int.yaml index fcd7931499..3065409373 100644 --- a/services/postgres/values-int.yaml +++ b/services/postgres/values-int.yaml 
@@ -1,19 +1,10 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - postgres_storage_class: 'manual' - volume_name: 'postgres-data-volume' - image: - tag: '0.0.3' - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' +gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' +postgres_storage_class: 'manual' +volume_name: 'postgres-data-volume' +image: + tag: '0.0.3' diff --git a/services/postgres/values-minikube.yaml b/services/postgres/values-minikube.yaml index 425df8c97b..937caa059e 100644 --- a/services/postgres/values-minikube.yaml +++ b/services/postgres/values-minikube.yaml @@ -1,24 +1,14 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/minikube.lsst.codes/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - narrativelog_db: - user: 'narrativelog' - db: 'narrativelog' - image: - tag: '0.0.2' - postgres_storage_class: 'standard' - -pull-secret: - enabled: true - path: secret/k8s_operator/minikube.lsst.codes/pull-secret +debug: 'true' +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' +exposurelog_db: + user: 'exposurelog' + db: 'exposurelog' +gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' +narrativelog_db: + user: 'narrativelog' + db: 'narrativelog' +postgres_storage_class: 'standard' diff --git a/services/postgres/values-roe.yaml b/services/postgres/values-roe.yaml index efdbab6e34..686177dbf5 100644 --- a/services/postgres/values-roe.yaml +++ b/services/postgres/values-roe.yaml 
@@ -1,18 +1,9 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/roe/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - image: - tag: '0.0.5' - postgres_storage_class: 'standard' - -pull-secret: - enabled: true - path: secret/k8s_operator/roe/pull-secret +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' +gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' +image: + tag: '0.0.5' +postgres_storage_class: 'standard' diff --git a/services/postgres/values-squash-sandbox.yaml b/services/postgres/values-squash-sandbox.yaml deleted file mode 100644 index b5bc8486a4..0000000000 --- a/services/postgres/values-squash-sandbox.yaml +++ /dev/null @@ -1,12 +0,0 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/squash-sandbox.lsst.codes/postgres' - debug: 'true' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - -pull-secret: - enabled: true - path: secret/k8s_operator/squash-sandbox.lsst.codes/pull-secret diff --git a/services/postgres/values-stable.yaml b/services/postgres/values-stable.yaml index 8b57a2246e..3065409373 100644 --- a/services/postgres/values-stable.yaml +++ b/services/postgres/values-stable.yaml @@ -1,19 +1,10 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - postgres_storage_class: 'manual' - volume_name: 'postgres-data-volume' - image: - tag: '0.0.3' - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' +gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' +postgres_storage_class: 'manual' +volume_name: 'postgres-data-volume' +image: + tag: '0.0.3' 
diff --git a/services/postgres/values-summit.yaml b/services/postgres/values-summit.yaml index b79bc3c378..6095095bc5 100644 --- a/services/postgres/values-summit.yaml +++ b/services/postgres/values-summit.yaml @@ -1,22 +1,13 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/summit-lsp.lsst.codes/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - narrativelog_db: - user: 'narrativelog' - db: 'narrativelog' - postgres_storage_class: 'rook-ceph-block' - -pull-secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' +exposurelog_db: + user: 'exposurelog' + db: 'exposurelog' +gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' +narrativelog_db: + user: 'narrativelog' + db: 'narrativelog' +postgres_storage_class: 'rook-ceph-block' diff --git a/services/postgres/values-tucson-teststand.yaml b/services/postgres/values-tucson-teststand.yaml index 5e09cccdda..6095095bc5 100644 --- a/services/postgres/values-tucson-teststand.yaml +++ b/services/postgres/values-tucson-teststand.yaml 
@@ -1,22 +1,13 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/tucson-teststand.lsst.codes/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - narrativelog_db: - user: 'narrativelog' - db: 'narrativelog' - postgres_storage_class: 'rook-ceph-block' - -pull-secret: - enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' +exposurelog_db: + user: 'exposurelog' + db: 'exposurelog' +gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' +narrativelog_db: + user: 'narrativelog' + db: 'narrativelog' +postgres_storage_class: 'rook-ceph-block' diff --git a/services/postgres/values.yaml b/services/postgres/values.yaml new file mode 100644 index 0000000000..9ff2396571 --- /dev/null +++ b/services/postgres/values.yaml @@ -0,0 +1,18 @@ +# Default values for fileserver. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Set to non-empty to enable debugging output +debug: '' + +image: + repository: 'lsstsqre/lsp-postgres' + tag: 'latest' + +# The volume can generally be very small +postgres_volume_size: '1Gi' +# Set to appropriate value for your deployment: at GKE, 'fast', on Rubin +# Observatory Rancher, 'rook-ceph-block', at NCSA, 'manual', +# elsewhere 'standard' ... +postgres_storage_class: 'standard' +volume_name: '' diff --git a/services/squash-api/values-squash-sandbox.yaml b/services/squash-api/values-squash-sandbox.yaml deleted file mode 100644 index 248713888d..0000000000 --- a/services/squash-api/values-squash-sandbox.yaml +++ /dev/null 
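Review bot: The header comment of the new values.yaml reads `# Default values for fileserver.`, a copy-paste leftover; it should be `# Default values for postgres.`. The file also omits the `global` block that the templates depend on, so helm-docs leaves `global.vaultSecretsPath` out of the README table added in this patch and a reader of the chart cannot see that it is required; add `global:` / `  vaultSecretsPath: ""` with a comment noting that Argo CD supplies it. `image.tag: 'latest'` deserves a comment that it is a floating tag and that environments should pin one, since values-int, -stable and -roe do while values-idfprod does not.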
@@ -1,41 +0,0 @@ -squash-api: - - # SQuaSH Cloud SQL instance connection name - instanceConnectionName: "squash-db-sandbox-3" - - # Credentials for the SQuaSH Cloud SQL service account - cloudSQLInstanceSecret: "cloudsql-instance-credentials" - - # SQuaSH API secret name - squashAPISecret: "squash-api" - - # If "True", job datetime is obtained from the job metadata instead of using - # current time. Use this option to restore existing jobs to SQuaSH. - squashETLMode: "" - - # S3 Bucket to upload verification jobs - s3BucketName: "squash-sandbox" - - # InfluxDB URL - influxUrl: "http://influxdb.influxdb:8086" - influxDb: "squash-sandbox" - - # InfluxDB credentials - influxSecret: "influxdb-auth" - - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/rewrite-target: "/" - cert-manager.io/cluster-issuer: "letsencrypt-dns" - hosts: - - host: squash-sandbox.lsst.codes - paths: ["/"] - tls: - - secretName: "tls-certs" - hosts: - - squash-sandbox.lsst.codes - -## Base path for squash-api secrets in Vault -vaultSecretsBasePath: secret/k8s_operator/squash-sandbox.lsst.codes diff --git a/services/vault-secrets-operator/values-squash-sandbox.yaml b/services/vault-secrets-operator/values-squash-sandbox.yaml deleted file mode 100644 index 51a1243b2d..0000000000 --- a/services/vault-secrets-operator/values-squash-sandbox.yaml +++ /dev/null @@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 From 146d297fcc1e84d154d8db677aa7f8ac1e49e730 Mon Sep 17 00:00:00 2001 
From: adam Date: Tue, 19 Apr 2022 14:02:15 -0700 Subject: [PATCH 0411/1479] update vault-secrets to global for sasquatch --- science-platform/templates/sasquatch-application.yaml | 7 +++++-- services/plot-navigator/values-minikube.yaml | 0 .../templates/{vault-secret.yaml => vault-secrets.yaml} | 4 ++-- services/sasquatch/values-idfdev.yaml | 2 -- services/sasquatch/values-int.yaml | 2 -- services/sasquatch/values-minikube.yaml | 2 -- services/sasquatch/values-stable.yaml | 2 -- services/sasquatch/values-tucson-teststand.yaml | 3 --- services/sasquatch/values.yaml | 5 ----- 9 files changed, 7 insertions(+), 20 deletions(-) create mode 100644 services/plot-navigator/values-minikube.yaml rename services/sasquatch/templates/{vault-secret.yaml => vault-secrets.yaml} (85%) diff --git a/science-platform/templates/sasquatch-application.yaml b/science-platform/templates/sasquatch-application.yaml index da996432b0..847ba227e8 100644 --- a/science-platform/templates/sasquatch-application.yaml +++ b/science-platform/templates/sasquatch-application.yaml @@ -24,7 +24,10 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/plot-navigator/values-minikube.yaml b/services/plot-navigator/values-minikube.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/services/sasquatch/templates/vault-secret.yaml b/services/sasquatch/templates/vault-secrets.yaml similarity index 85% rename from services/sasquatch/templates/vault-secret.yaml rename to services/sasquatch/templates/vault-secrets.yaml index 076ab85b37..4383756330 100644 --- a/services/sasquatch/templates/vault-secret.yaml +++ b/services/sasquatch/templates/vault-secrets.yaml 
@@ -4,7 +4,7 @@ metadata: name: sasquatch namespace: sasquatch spec: - path: {{ .Values.vaultSecretsPath }}/sasquatch + path: "{{ .Values.global.vaultSecretsPath }}/sasquatch" type: Opaque --- apiVersion: ricoberger.de/v1alpha1 @@ -23,7 +23,7 @@ kind: VaultSecret metadata: name: pull-secret spec: - path: {{ .Values.vaultSecretsPath }}/pull-secret + path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" type: kubernetes.io/dockerconfigjson --- apiVersion: ricoberger.de/v1alpha1 diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index 3888b959ae..a532dedffb 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -26,5 +26,3 @@ chronograf: GENERIC_API_KEY: sub PUBLIC_URL: https://data-dev.lsst.cloud/ STATUS_FEED_URL: "https://lsst-sqre.github.io/sasquatch/feeds/idfdev.json" - -vaultSecretsPath: secret/k8s_operator/data-dev.lsst.cloud diff --git a/services/sasquatch/values-int.yaml b/services/sasquatch/values-int.yaml index 32d19e1293..bffec64dac 100644 --- a/services/sasquatch/values-int.yaml +++ b/services/sasquatch/values-int.yaml @@ -39,5 +39,3 @@ chronograf: kapacitor: persistence: storageClass: local-path - -vaultSecretsPath: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu diff --git a/services/sasquatch/values-minikube.yaml b/services/sasquatch/values-minikube.yaml index 4bb276e70d..ebdbf7e47e 100644 --- a/services/sasquatch/values-minikube.yaml +++ b/services/sasquatch/values-minikube.yaml @@ -26,5 +26,3 @@ chronograf: GENERIC_API_KEY: sub PUBLIC_URL: https://minikube.lsst.codes STATUS_FEED_URL: "https://lsst-sqre.github.io/sasquatch/feeds/minikube.json" - -vaultSecretsPath: secret/k8s_operator/minikube.lsst.codes diff --git a/services/sasquatch/values-stable.yaml b/services/sasquatch/values-stable.yaml index 7f7a49250b..d9f2715fed 100644 --- a/services/sasquatch/values-stable.yaml +++ b/services/sasquatch/values-stable.yaml 
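Review bot: Switching to `.Values.global.vaultSecretsPath` removes the only guard the chart had: values.yaml, later in this patch, deletes the `vaultSecretsPath: ""` default whose comment said it must be set, and nothing replaces it, so a render without the Argo CD parameter yields `path: "/sasquatch"` and `path: "/pull-secret"` without error. Wrap both lookups in `required`, e.g. `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/sasquatch"`. Quoting the rendered path is a good change in itself, since an empty expansion would otherwise be read as null rather than as a string.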
@@ -39,5 +39,3 @@ chronograf: kapacitor: persistence: storageClass: local-path - -vaultSecretsPath: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 92e52631f1..41f0f08720 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -39,11 +39,8 @@ chronograf: kapacitor: persistence: storageClass: rook-ceph-block - csc: enabled: true kafka-producers: enabled: true - -vaultSecretsPath: secret/k8s_operator/tucson-teststand.lsst.codes diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index a41fbf01df..2ec8e7a5b0 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -134,7 +134,6 @@ telegraf: database: "telegraf" username: "telegraf" password: "$TELEGRAF_PASSWORD" - csc: # -- Whether the test csc is deployed. enabled: false @@ -209,7 +208,3 @@ kafka-producers: Test # -- Namespace where the Test CSC is deployed. namespace: sasquatch - -# -- Path to the Vault secrets (`secret/k8s_operator//sasquatch`) -# @default -- None, must be set -vaultSecretsPath: "" From c3ded9b48315d7abc66236f35276b5d1469cedaa Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 19 Apr 2022 14:10:12 -0700 Subject: [PATCH 0412/1479] update narrativelog chart --- services/narrativelog/Chart.yaml | 2 -- services/sherlock/Chart.yaml | 9 ++++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml index 5a7a7da954..26189668d8 100644 --- a/services/narrativelog/Chart.yaml +++ b/services/narrativelog/Chart.yaml @@ -1,8 +1,6 @@ apiVersion: v2 name: narrativelog description: Narrative log service -maintainers: - - name: r-owen type: application # The chart version. SQuaRE convention is to use 1.0.0 
diff --git a/services/sherlock/Chart.yaml b/services/sherlock/Chart.yaml index 1721c7485d..96e0639fb3 100644 --- a/services/sherlock/Chart.yaml +++ b/services/sherlock/Chart.yaml @@ -1,7 +1,6 @@ apiVersion: v2 +appVersion: 0.1.7 +description: A Helm chart for Kubernetes name: sherlock -version: 1.0.0 -dependencies: - - name: sherlock - version: 0.1.13 - repository: https://lsst-sqre.github.io/charts/ +type: application +version: 0.1.13 From 4a4f0c4459f56a0c380a6074aadaf808391fab7e Mon Sep 17 00:00:00 2001 
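Review bot: `description: A Helm chart for Kubernetes` is the `helm create` placeholder and becomes the headline of the generated README in the next patch; replace it with a one-line description of what sherlock does, in the style of `description: Postgres RDBMS for LSP` used for the postgres chart in this series. `appVersion: 0.1.7` is left unquoted while the postgres Chart.yaml quotes its appVersion; quote it as `appVersion: "0.1.7"` so version-like scalars are consistently strings across the repo.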
From: adam Date: Tue, 19 Apr 2022 14:35:54 -0700 Subject: [PATCH 0413/1479] DRY out sherlock --- .../templates/sherlock-application.yaml | 10 ++- .../templates/serviceaccount.yaml | 2 + services/sherlock/README.md | 33 ++++++++ services/sherlock/templates/_helpers.tpl | 58 ++++++++++++++ services/sherlock/templates/deployment.yaml | 76 +++++++++++++++++++ services/sherlock/templates/hpa.yaml | 28 +++++++ services/sherlock/templates/ingress.yaml | 32 ++++++++ .../sherlock/templates/networkpolicy.yaml | 21 +++++ services/sherlock/templates/service.yaml | 15 ++++ .../sherlock/templates/serviceaccount.yaml | 38 ++++++++++ .../sherlock/templates/vault-secrets.yaml | 21 +++++ services/sherlock/values-base.yaml | 18 ++--- services/sherlock/values-idfdev.yaml | 21 ++--- services/sherlock/values-idfint.yaml | 22 ++---- services/sherlock/values-idfprod.yaml | 22 ++---- services/sherlock/values-int.yaml | 18 ++--- services/sherlock/values-minikube.yaml | 3 - services/sherlock/values-roe.yaml | 18 ++--- services/sherlock/values-stable.yaml | 18 ++--- services/sherlock/values-summit.yaml | 18 ++--- .../sherlock/values-tucson-teststand.yaml | 18 ++--- services/sherlock/values.yaml | 67 ++++++++++++++++ 22 files changed, 466 insertions(+), 111 deletions(-) create mode 100644 services/sherlock/README.md create mode 100644 services/sherlock/templates/_helpers.tpl create mode 100644 services/sherlock/templates/deployment.yaml create mode 100644 services/sherlock/templates/hpa.yaml create mode 100644 services/sherlock/templates/ingress.yaml create mode 100644 services/sherlock/templates/networkpolicy.yaml create mode 100644 services/sherlock/templates/service.yaml create mode 100644 services/sherlock/templates/serviceaccount.yaml create mode 100644 services/sherlock/templates/vault-secrets.yaml create mode 100644 services/sherlock/values.yaml 
diff --git a/science-platform/templates/sherlock-application.yaml b/science-platform/templates/sherlock-application.yaml index 73463b63f9..9c032cd1d5 100644 --- a/science-platform/templates/sherlock-application.yaml +++ b/science-platform/templates/sherlock-application.yaml @@ -24,6 +24,14 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/cachemachine/templates/serviceaccount.yaml b/services/cachemachine/templates/serviceaccount.yaml index 81a80ff760..6ca6bc58dd 100644 --- a/services/cachemachine/templates/serviceaccount.yaml +++ b/services/cachemachine/templates/serviceaccount.yaml @@ -8,6 +8,8 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} +imagePullSecrets: + - name: "pull-secret" --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 diff --git a/services/sherlock/README.md b/services/sherlock/README.md new file mode 100644 index 0000000000..7ff2cb0513 --- /dev/null +++ b/services/sherlock/README.md 
@@ -0,0 +1,33 @@ +# sherlock + +![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.7](https://img.shields.io/badge/AppVersion-0.1.7-informational?style=flat-square) + +A Helm chart for Kubernetes + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the sherlock deployment pod | +| autoscaling.enabled | bool | `false` | Enable autoscaling of sherlock deployment | +| autoscaling.maxReplicas | int | `100` | Maximum number of sherlock deployment pods | +| autoscaling.minReplicas | int | `1` | Minimum number of sherlock deployment pods | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of sherlock deployment pods | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| image.pullPolicy | string | `"Always"` | Pull policy for the sherlock image | +| image.repository | string | `"lsstsqre/sherlock"` | Image to use in the sherlock deployment | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | +| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string (default, unauthenticated) | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selection rules for the sherlock deployment pod | +| podAnnotations | object | `{}` | Annotations for the sherlock deployment pod | +| publish_url | string | `""` | URL to push status to via HTTP PUTs. 
| +| replicaCount | int | `1` | Number of web deployment pods to start | +| resources | object | `{}` | Resource limits and requests for the sherlock deployment pod | +| serviceAccount.name | string | `""` | | +| tolerations | list | `[]` | Tolerations for the sherlock deployment pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/sherlock/templates/_helpers.tpl b/services/sherlock/templates/_helpers.tpl new file mode 100644 index 0000000000..542ea5a3e9 --- /dev/null +++ b/services/sherlock/templates/_helpers.tpl 
@@ -0,0 +1,58 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "sherlock.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "sherlock.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "sherlock.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "sherlock.labels" -}} +helm.sh/chart: {{ include "sherlock.chart" . }} +{{ include "sherlock.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "sherlock.selectorLabels" -}} +app.kubernetes.io/name: {{ include "sherlock.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "sherlock.serviceAccountName" -}} +{{ default (include "sherlock.fullname" .) .Values.serviceAccount.name }} +{{- end -}} diff --git a/services/sherlock/templates/deployment.yaml b/services/sherlock/templates/deployment.yaml new file mode 100644 index 0000000000..1aabe10130 --- /dev/null +++ b/services/sherlock/templates/deployment.yaml 
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "sherlock.fullname" . }}
+  labels:
+    {{- include "sherlock.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "sherlock.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "sherlock.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ template "sherlock.serviceAccountName" . }}
+      automountServiceAccountToken: true
+      imagePullSecrets:
+        - name: "pull-secret"
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - all
+            readOnlyRootFilesystem: true
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: "PUBLISH_URL"
+              value: {{ .Values.publish_url }}
+            {{- if .Values.publish_url }}
+            - name: "PUBLISH_KEY"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "sherlock.fullname" . }}-secret
+                  key: "publish_key"
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/services/sherlock/templates/hpa.yaml b/services/sherlock/templates/hpa.yaml
new file mode 100644
index 0000000000..e9452350c4
--- /dev/null
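Review bot: `value: {{ .Values.publish_url }}` under the `PUBLISH_URL` env entry renders the chart default `publish_url: ""` as a bare `value:` (YAML null rather than an empty string), so the manifest relies on the API server treating a missing value as empty and any URL with YAML-significant characters would mis-render; `value: {{ .Values.publish_url | quote }}` makes the intent explicit. `capabilities.drop: [all]` is conventionally written `ALL` in Kubernetes manifests and the API does not validate the name, so confirm that the container runtime in use treats the lowercase spelling as drop-all rather than as an unknown capability. The hard-coded `imagePullSecrets: - name: "pull-secret"` means the `imagePullSecrets` value declared in values.yaml is never consumed; either template it from `.Values.imagePullSecrets` or drop the value.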
+++ b/services/sherlock/templates/hpa.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "sherlock.fullname" . }}
+  labels:
+    {{- include "sherlock.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "sherlock.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
diff --git a/services/sherlock/templates/ingress.yaml b/services/sherlock/templates/ingress.yaml
new file mode 100644
index 0000000000..fef33cd3b6
--- /dev/null
+++ b/services/sherlock/templates/ingress.yaml
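Review bot: `apiVersion: autoscaling/v2beta1` is the deprecated HPA API that is no longer served from Kubernetes 1.25 on, so the template will stop applying once `autoscaling.enabled` is turned on against a current cluster. `autoscaling/v2` has been stable since 1.23 and only changes the metric target shape (`targetAverageUtilization` becomes `target.type: Utilization` / `target.averageUtilization`); the rewritten CPU metric is below and the memory metric follows the same pattern.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    # … unchanged pattern for the memory metric, with the same target block …
```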
@@ -0,0 +1,32 @@
+{{- $fullName := include "sherlock.fullname" . -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "sherlock.labels" . | nindent 4 }}
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    {{- if .Values.ingress.gafaelfawrAuthQuery }}
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token
+    nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login"
+    nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}"
+    nginx.ingress.kubernetes.io/cors-allow-methods: "GET"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    {{- end }}
+    {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  rules:
+    - host: {{ required "global.host must be set" .Values.global.host | quote }}
+      http:
+        paths:
+          - path: "/sherlock"
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: 8080
diff --git a/services/sherlock/templates/networkpolicy.yaml b/services/sherlock/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..3c165006dd
--- /dev/null
+++ b/services/sherlock/templates/networkpolicy.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "sherlock.fullname" . }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "sherlock.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow inbound access from pods (in any namespace) labeled
+    # gafaelfawr.lsst.io/ingress: true.
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              gafaelfawr.lsst.io/ingress: "true"
+      ports:
+        - protocol: "TCP"
+          port: 8080
diff --git a/services/sherlock/templates/service.yaml b/services/sherlock/templates/service.yaml
new file mode 100644
index 0000000000..4516057f2f
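Review bot: The whole Gafaelfawr annotation block sits under `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, so an environment that overrides the query with an empty string publishes `/sherlock` with no `auth-url` at all, in front of a pod whose service account holds cluster-wide pod-log read (serviceaccount.yaml in this same commit). If an unauthenticated deployment is never intended, fail the render instead with `{{- $query := required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}`; if it is intended, a comment above the `if` saying so stops the next reader from treating the guard as accidental. `auth-response-headers` also forwards `X-Auth-Request-Token` to the backend; if sherlock does not consume the delegated token, removing it from that list keeps a user token out of a pod that does not need it.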
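Review bot: The NetworkPolicy is the only template in this chart whose `metadata` omits the `sherlock.labels` include, so it will not carry the chart/instance labels every other resource is tagged with; adding `labels:` followed by `{{- include "sherlock.labels" . | nindent 4 }}` under `metadata:` keeps it consistent. The `podSelector` and `port: 8080` match the Deployment's selector labels and `containerPort`, so the policy itself reads correctly.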
--- /dev/null
+++ b/services/sherlock/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "sherlock.fullname" . }}
+  labels:
+    {{- include "sherlock.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "sherlock.selectorLabels" . | nindent 4 }}
diff --git a/services/sherlock/templates/serviceaccount.yaml b/services/sherlock/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..a6c30dfba1
--- /dev/null
+++ b/services/sherlock/templates/serviceaccount.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "sherlock.serviceAccountName" . }}
+  labels:
+    {{- include "sherlock.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+imagePullSecrets:
+  - name: "pull-secret"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "sherlock.serviceAccountName" . }}
+  labels:
+    {{- include "sherlock.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/log"]
+    verbs: ["get", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "sherlock.serviceAccountName" . }}
+  labels:
+    {{- include "sherlock.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "sherlock.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "sherlock.serviceAccountName" . }}
+  apiGroup: rbac.authorization.k8s.io
diff --git a/services/sherlock/templates/vault-secrets.yaml b/services/sherlock/templates/vault-secrets.yaml
new file mode 100644
index 0000000000..89c6e8e37c
--- /dev/null
+++ b/services/sherlock/templates/vault-secrets.yaml
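Review bot: The ClusterRole grants `get`/`list` on `pods` and `pods/log` in every namespace, and deployment.yaml mounts this account's token (`automountServiceAccountToken: true`), so any code-execution flaw in sherlock yields read access to every pod log on the cluster, and logs routinely leak credentials. If sherlock only inspects known namespaces, a `Role`/`RoleBinding` per namespace is the least-privilege shape; if cluster scope is genuinely required, say why above `rules:`, e.g. `# Cluster-wide read: sherlock reports on pods in every namespace.` (adjusted to the real reason). The `{{- with .Values.serviceAccount.annotations }}` block reads a key values.yaml does not declare, so `serviceAccount.annotations` should be added there for helm-docs to pick it up.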
@@ -0,0 +1,21 @@
+{{- if .Values.publish_url }}
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: {{ include "sherlock.fullname" . }}-secret
+  labels:
+    {{- include "sherlock.labels" . | nindent 4 }}
+spec:
+  path: "{{ .Values.global.vaultSecretsPath }}/sherlock"
+  type: Opaque
+{{- end }}
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: pull-secret
+  labels:
+    {{- include "sherlock.labels" . | nindent 4 }}
+spec:
+  path: "{{- .Values.global.vaultSecretsPath }}/pull-secret"
+  type: kubernetes.io/dockerconfigjson
diff --git a/services/sherlock/values-base.yaml b/services/sherlock/values-base.yaml
index ff21948a36..de35ed5941 100644
--- a/services/sherlock/values-base.yaml
+++ b/services/sherlock/values-base.yaml
@@ -1,11 +1,7 @@
-sherlock:
-  ingress:
-    host: "base-lsp.lsst.codes"
-
-  resources:
-    requests:
-      cpu: 2.0
-      memory: "2G"
-    limits:
-      cpu: 4.0
-      memory: "4G"
+resources:
+  requests:
+    cpu: 2.0
+    memory: "2G"
+  limits:
+    cpu: 4.0
+    memory: "4G"
diff --git a/services/sherlock/values-idfdev.yaml b/services/sherlock/values-idfdev.yaml
index 45aa372f96..0ca88e01f0 100644
--- a/services/sherlock/values-idfdev.yaml
+++ b/services/sherlock/values-idfdev.yaml
@@ -1,14 +1,9 @@
-sherlock:
-  ingress:
-    host: "data-dev.lsst.cloud"
+resources:
+  requests:
+    cpu: 2.0
+    memory: "2G"
+  limits:
+    cpu: 4.0
+    memory: "4G"
 
-  resources:
-    requests:
-      cpu: 2.0
-      memory: "2G"
-    limits:
-      cpu: 4.0
-      memory: "4G"
-
-  publish_url: "https://status.lsst.codes/api/data-dev"
-  vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/sherlock"
+publish_url: "https://status.lsst.codes/api/data-dev"
diff --git a/services/sherlock/values-idfint.yaml b/services/sherlock/values-idfint.yaml
index 4675dd56b1..8719164381 100644
--- a/services/sherlock/values-idfint.yaml
+++ b/services/sherlock/values-idfint.yaml
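Review bot: The `pull-secret` VaultSecret path is written `{{- .Values.global.vaultSecretsPath }}` while the sherlock secret two stanzas above uses `{{ .Values.global.vaultSecretsPath }}`; the trim marker has nothing to trim inside the quoted scalar and reads like a typo, so align it to `path: "{{ .Values.global.vaultSecretsPath }}/pull-secret"`. The sherlock secret is only created when `publish_url` is set and deployment.yaml then reads key `publish_key` from it, but neither values.yaml nor the README states that the Vault entry under `<vaultSecretsPath>/sherlock` must contain a `publish_key` field; a one-line comment above `{{- if .Values.publish_url }}` saying so would spare operators a pod that fails to start on a missing secret key.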
@@ -1,14 +1,8 @@ -sherlock: - ingress: - host: "data-int.lsst.cloud" - - resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 4.0 - memory: "4G" - - publish_url: "https://status.lsst.codes/api/data-int" - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/sherlock" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" +publish_url: "https://status.lsst.codes/api/data-int" diff --git a/services/sherlock/values-idfprod.yaml b/services/sherlock/values-idfprod.yaml index 09c0bca64d..3f3efbd3bf 100644 --- a/services/sherlock/values-idfprod.yaml +++ b/services/sherlock/values-idfprod.yaml @@ -1,14 +1,8 @@ -sherlock: - ingress: - host: "data.lsst.cloud" - - resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 4.0 - memory: "4G" - - publish_url: "https://status.lsst.codes/api/data" - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/sherlock" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" +publish_url: "https://status.lsst.codes/api/data" diff --git a/services/sherlock/values-int.yaml b/services/sherlock/values-int.yaml index d8cfc4df71..de35ed5941 100644 --- a/services/sherlock/values-int.yaml +++ b/services/sherlock/values-int.yaml @@ -1,11 +1,7 @@ -sherlock: - ingress: - host: "lsst-lsp-int.ncsa.illinois.edu" - - resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 4.0 - memory: "4G" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" diff --git a/services/sherlock/values-minikube.yaml b/services/sherlock/values-minikube.yaml index 2af4d6dc4e..e69de29bb2 100644 --- a/services/sherlock/values-minikube.yaml +++ b/services/sherlock/values-minikube.yaml @@ -1,3 +0,0 @@ -sherlock: - ingress: - host: "minikube.lsst.codes" diff --git a/services/sherlock/values-roe.yaml b/services/sherlock/values-roe.yaml index a9cc9c58a5..de35ed5941 100644 --- a/services/sherlock/values-roe.yaml +++ b/services/sherlock/values-roe.yaml 
@@ -1,11 +1,7 @@ -sherlock: - ingress: - host: "rsp.lsst.ac.uk" - - resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 4.0 - memory: "4G" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" diff --git a/services/sherlock/values-stable.yaml b/services/sherlock/values-stable.yaml index 402531550a..de35ed5941 100644 --- a/services/sherlock/values-stable.yaml +++ b/services/sherlock/values-stable.yaml @@ -1,11 +1,7 @@ -sherlock: - ingress: - host: "lsst-lsp-stable.ncsa.illinois.edu" - - resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 4.0 - memory: "4G" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" diff --git a/services/sherlock/values-summit.yaml b/services/sherlock/values-summit.yaml index cd1123d53d..de35ed5941 100644 --- a/services/sherlock/values-summit.yaml +++ b/services/sherlock/values-summit.yaml @@ -1,11 +1,7 @@ -sherlock: - ingress: - host: "summit-lsp.lsst.codes" - - resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 4.0 - memory: "4G" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" diff --git a/services/sherlock/values-tucson-teststand.yaml b/services/sherlock/values-tucson-teststand.yaml index 15d9aea1ca..de35ed5941 100644 --- a/services/sherlock/values-tucson-teststand.yaml +++ b/services/sherlock/values-tucson-teststand.yaml @@ -1,11 +1,7 @@ -sherlock: - ingress: - host: "tucson-teststand.lsst.codes" - - resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 4.0 - memory: "4G" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 4.0 + memory: "4G" diff --git a/services/sherlock/values.yaml b/services/sherlock/values.yaml new file mode 100644 index 0000000000..52fd7e3451 --- /dev/null +++ b/services/sherlock/values.yaml 
@@ -0,0 +1,67 @@
+# Default values for sherlock.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# -- Number of web deployment pods to start
+replicaCount: 1
+
+image:
+  # -- Image to use in the sherlock deployment
+  repository: lsstsqre/sherlock
+
+  # -- Pull policy for the sherlock image
+  pullPolicy: Always
+
+  # -- Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+# -- Secret names to use for all Docker pulls
+imagePullSecrets: []
+
+# -- Override the base name for resources
+nameOverride: ""
+
+# -- Override the full name for resources (includes the release name)
+fullnameOverride: ""
+
+# -- Annotations for the sherlock deployment pod
+podAnnotations: {}
+
+ingress:
+  # -- Gafaelfawr auth query string (default, unauthenticated)
+  gafaelfawrAuthQuery: "scope=exec:admin"
+
+  # -- Additional annotations for the ingress rule
+  annotations: {}
+
+# -- Resource limits and requests for the sherlock deployment pod
+resources: {}
+
+autoscaling:
+  # -- Enable autoscaling of sherlock deployment
+  enabled: false
+
+  # -- Minimum number of sherlock deployment pods
+  minReplicas: 1
+
+  # -- Maximum number of sherlock deployment pods
+  maxReplicas: 100
+
+  # -- Target CPU utilization of sherlock deployment pods
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+# -- Node selection rules for the sherlock deployment pod
+nodeSelector: {}
+
+# -- Tolerations for the sherlock deployment pod
+tolerations: []
+
+# -- Affinity rules for the sherlock deployment pod
+affinity: {}
+
+serviceAccount:
+  name: ""
+
+# -- URL to push status to via HTTP PUTs.
+publish_url: ""
From a82aca6511c9b0a77fa95876acbb711c572e70fc Mon Sep 17 00:00:00 2001
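Review bot: The comment on `gafaelfawrAuthQuery` says `(default, unauthenticated)`, but the default `scope=exec:admin` requires an authenticated user holding the admin scope, and this comment is what helm-docs copies into the README in this same commit; reword it to `# -- Gafaelfawr auth query string (default requires the exec:admin scope)`. `imagePullSecrets: []` is declared but deployment.yaml hard-codes `pull-secret`, so the value is dead as written. `serviceAccount.name` has no `# --` description and `serviceAccount.annotations`, which serviceaccount.yaml reads, is not declared at all; adding both keeps the generated values table complete.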
From: adam Date: Tue, 19 Apr 2022 14:48:47 -0700 Subject: [PATCH 0414/1479] Migrate strimzi-registry-operator from charts to phalanx --- services/squash-api/Chart.yaml | 15 +++--- services/strimzi-registry-operator/Chart.yaml | 8 ++- services/strimzi-registry-operator/README.md | 19 +++++++ .../crds/registry.yaml | 41 ++++++++++++++ .../templates/deployment.yaml | 28 ++++++++++ .../templates/rbac.yaml | 54 +++++++++++++++++++ .../values-minikube.yaml | 0 .../strimzi-registry-operator/values.yaml | 11 ++++ 8 files changed, 165 insertions(+), 11 deletions(-) create mode 100644 services/strimzi-registry-operator/README.md create mode 100644 services/strimzi-registry-operator/crds/registry.yaml create mode 100644 services/strimzi-registry-operator/templates/deployment.yaml create mode 100644 services/strimzi-registry-operator/templates/rbac.yaml create mode 100644 services/strimzi-registry-operator/values-minikube.yaml create mode 100644 services/strimzi-registry-operator/values.yaml diff --git a/services/squash-api/Chart.yaml b/services/squash-api/Chart.yaml index e03abc7614..8fc47bdfbb 100644 --- a/services/squash-api/Chart.yaml +++ b/services/squash-api/Chart.yaml @@ -1,7 +1,10 @@ -apiVersion: v2 +apiVersion: v1 name: squash-api -version: 0.1.0 -dependencies: - - name: squash-api - version: 0.1.6 - repository: https://lsst-sqre.github.io/charts/ +version: 0.1.6 +description: A Helm chart to deploy the SQuaSH API +keywords: + - SQuaSH, Metrics, InfluxDB, Chronograf, S3 +home: https://squash.lsst.io/ +sources: + - https://github.com/lsst-sqre/squash-api/ +appVersion: 0.5.3 diff --git a/services/strimzi-registry-operator/Chart.yaml b/services/strimzi-registry-operator/Chart.yaml index dd0580fbc8..108c76d586 100644 --- a/services/strimzi-registry-operator/Chart.yaml +++ b/services/strimzi-registry-operator/Chart.yaml 
@@ -1,7 +1,5 @@ apiVersion: v2 name: strimzi-registry-operator -version: 1.1.0 -dependencies: - - name: strimzi-registry-operator - version: 1.2.0 - repository: https://lsst-sqre.github.io/charts/ +version: 1.2.0 +description: Operator to create and manage Schema Registry on Strimzi +appVersion: 0.4.1 diff --git a/services/strimzi-registry-operator/README.md b/services/strimzi-registry-operator/README.md new file mode 100644 index 0000000000..102d0e9aa3 --- /dev/null +++ b/services/strimzi-registry-operator/README.md @@ -0,0 +1,19 @@ +# strimzi-registry-operator + +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Operator to create and manage Schema Registry on Strimzi + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| swnelson | | | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.repository | string | `"lsstsqre/strimzi-registry-operator"` | The repository for the container with the operator application | +| image.tag | string | `"build"` | The tag of the operator container to deploy | + diff --git a/services/strimzi-registry-operator/crds/registry.yaml b/services/strimzi-registry-operator/crds/registry.yaml new file mode 100644 index 0000000000..6e2ce758a3 --- /dev/null +++ b/services/strimzi-registry-operator/crds/registry.yaml 
@@ -0,0 +1,41 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: strimzischemaregistries.roundtable.lsst.codes
+spec:
+  scope: Namespaced
+  group: roundtable.lsst.codes
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          description: >-
+            StrimziSchemaRegistry represents a desired Schema Registry instance
+          type: object
+          properties:
+            spec:
+              type: object
+              description: >-
+                The specification of the Schema Registry instance.
+              properties:
+                strimzi-version:
+                  type: string
+                  default: "v1beta2"
+                  description: >-
+                    The version of the Strimzi Custom Resource API to use. The
+                    correct value depends on the deployed version of Strimzi.
+                listener:
+                  type: string
+                  default: "internal"
+                  description: >-
+                    The name of the Kafka listener to use to connect.
+
+  names:
+    kind: StrimziSchemaRegistry
+    plural: strimzischemaregistries
+    singular: strimzischemaregistry
+    shortNames:
+      - ssrs
+      - ssr
diff --git a/services/strimzi-registry-operator/templates/deployment.yaml b/services/strimzi-registry-operator/templates/deployment.yaml
new file mode 100644
index 0000000000..d91eb17328
--- /dev/null
+++ b/services/strimzi-registry-operator/templates/deployment.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: strimzi-registry-operator
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: strimzi-registry-operator
+  template:
+    metadata:
+      labels:
+        app: strimzi-registry-operator
+    spec:
+      serviceAccountName: strimzi-registry-operator
+      containers:
+        - name: operator
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: Always
+          env:
+            - name: SSR_CLUSTER_NAME
+              value: "{{ .Values.clusterName }}"
+            - name: SSR_NAMESPACE
+              value: "{{ .Values.watchNamespace }}"
+          command: ["kopf"]
+          args: ["run", "--standalone", "-m", "strimziregistryoperator.handlers", "--namespace", "{{ .Values.watchNamespace }}", "--verbose"]
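Review bot: The operator container has no `securityContext` and no `resources`, unlike the sherlock Deployment introduced earlier in this series, and an operator whose service account can create and patch Secrets (rbac.yaml in this commit) is exactly where dropping capabilities and forbidding privilege escalation matters most. The `--namespace {{ .Values.watchNamespace }}` argument and the `SSR_NAMESPACE` env var carry the same value, which is fine but deserves a comment so they are not changed independently. A minimal hardening block follows; `readOnlyRootFilesystem` assumes the image writes nothing to its filesystem at runtime, which should be confirmed before enabling it.
```yaml
      containers:
        - name: operator
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
          # … unchanged: image, imagePullPolicy, env, command, args …
```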
diff --git a/services/strimzi-registry-operator/templates/rbac.yaml b/services/strimzi-registry-operator/templates/rbac.yaml
new file mode 100644
index 0000000000..ae67365f87
--- /dev/null
+++ b/services/strimzi-registry-operator/templates/rbac.yaml
@@ -0,0 +1,54 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: strimzi-registry-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: strimzi-registry-operator
+rules:
+  - apiGroups: [apiextensions.k8s.io]
+    resources: [customresourcedefinitions]
+    verbs: [list, get]
+
+  # Kopf: posting the events about the handlers progress/errors.
+  - apiGroups: [events.k8s.io]
+    resources: [events]
+    verbs: [create]
+  - apiGroups: [""]
+    resources: [events]
+    verbs: [create]
+
+  # Application: watching & handling for the custom resource we declare.
+  - apiGroups: [roundtable.lsst.codes]
+    resources: [strimzischemaregistries]
+    verbs: [get, list, watch, patch]
+
+  # Access to the built-in resources the operator manages
+  - apiGroups: [""]
+    resources: [secrets, configmaps, services]
+    verbs: [get, list, watch, patch, create]
+
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: [get, list, watch, patch, create]
+
+  # Access to the KafkaUser resource
+  - apiGroups: [kafka.strimzi.io]
+    resources: [kafkausers, kafkas]
+    verbs: [list, get]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: strimzi-registry-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: strimzi-registry-operator
+subjects:
+  - kind: ServiceAccount
+    name: strimzi-registry-operator
+    namespace: {{ .Values.operatorNamespace }}
diff --git a/services/strimzi-registry-operator/values-minikube.yaml b/services/strimzi-registry-operator/values-minikube.yaml
new file mode 100644
index 0000000000..e69de29bb2
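Review bot: The ClusterRole grants `get/list/watch/patch/create` on `secrets`, `configmaps`, `services` and `deployments` in every namespace, yet deployment.yaml starts the operator with `--namespace {{ .Values.watchNamespace }}`; moving those two rules into a `Role`/`RoleBinding` in `watchNamespace` and keeping only the CRD, events and `kafka.strimzi.io` rules cluster-scoped removes cluster-wide Secret read from this service account without changing what the operator can do where it runs. The ClusterRoleBinding subject uses `namespace: {{ .Values.operatorNamespace }}` while the ServiceAccount at the top of the file carries no namespace and therefore lands in the release namespace; if the two ever differ the binding silently references a non-existent account, so `namespace: {{ .Release.Namespace }}` is the safer form. `verbs` carry no `update` or `delete` on the managed resources, which is worth a comment confirming the operator never needs to remove what it creates.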
diff --git a/services/strimzi-registry-operator/values.yaml b/services/strimzi-registry-operator/values.yaml
new file mode 100644
index 0000000000..22ba3f5799
--- /dev/null
+++ b/services/strimzi-registry-operator/values.yaml
@@ -0,0 +1,11 @@
+image:
+  # -- The repository for the container with the operator application
+  repository: lsstsqre/strimzi-registry-operator
+  # -- The tag of the operator container to deploy
+  tag: 0.4.1
+
+clusterName: alert-broker
+
+watchNamespace: strimzi
+
+operatorNamespace: strimzi-registry-operator
From 5af82fccc08459b31174296af015f680d2824649 Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 19 Apr 2022 15:00:58 -0700
Subject: [PATCH 0415/1479] remove squash-api
---
 .../templates/squash-api-application.yaml | 29 -------------------
 services/squash-api/Chart.yaml | 10 -------
 .../squash-api/templates/vault-secrets.yaml | 26 -----------------
 3 files changed, 65 deletions(-)
 delete mode 100644 science-platform/templates/squash-api-application.yaml
 delete mode 100644 services/squash-api/Chart.yaml
 delete mode 100644 services/squash-api/templates/vault-secrets.yaml
diff --git a/science-platform/templates/squash-api-application.yaml b/science-platform/templates/squash-api-application.yaml
deleted file mode 100644
index 4c326dc1e5..0000000000
--- a/science-platform/templates/squash-api-application.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if .Values.squash_api.enabled -}}
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: squash-api
-spec:
-  finalizers:
-    - kubernetes
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: squash-api
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  destination:
-    namespace: squash-api
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: services/squash-api
-    repoURL: {{ .Values.repoURL }}
-    targetRevision: {{ .Values.revision }}
-    helm:
-      valueFiles:
-        - values-{{ .Values.environment }}.yaml
-{{- end -}}
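Review bot: `clusterName`, `watchNamespace` and `operatorNamespace` carry no `# --` descriptions, so helm-docs leaves them out of the README generated in this same commit even though deployment.yaml and rbac.yaml depend on all three; a one-line comment on each, e.g. `# -- Namespace the operator is installed in; must match the release namespace or the ClusterRoleBinding targets a non-existent ServiceAccount`, closes that gap. `tag: 0.4.1` happens to parse as a string, but a two-component tag such as `1.0` would become a float, so quote it as `tag: "0.4.1"` to match the chart convention for version-like values.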
diff --git a/services/squash-api/Chart.yaml b/services/squash-api/Chart.yaml deleted file mode 100644 index 8fc47bdfbb..0000000000 --- a/services/squash-api/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -name: squash-api -version: 0.1.6 -description: A Helm chart to deploy the SQuaSH API -keywords: - - SQuaSH, Metrics, InfluxDB, Chronograf, S3 -home: https://squash.lsst.io/ -sources: - - https://github.com/lsst-sqre/squash-api/ -appVersion: 0.5.3 diff --git a/services/squash-api/templates/vault-secrets.yaml b/services/squash-api/templates/vault-secrets.yaml deleted file mode 100644 index 8fdc1c91d8..0000000000 --- a/services/squash-api/templates/vault-secrets.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: cloudsql-instance-credentials - namespace: squash-api -spec: - path: {{ .Values.vaultSecretsBasePath }}/cloudsql-instance-credentials - type: Opaque ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: squash-api - namespace: squash-api -spec: - path: {{ .Values.vaultSecretsBasePath }}/squash-api - type: Opaque ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: influxdb-auth - namespace: squash-api -spec: - path: {{ .Values.vaultSecretsBasePath }}/influxdb-auth - type: Opaque From 231d6a6b93e02f3f50c7eb9253353126fbe2d034 Mon Sep 17 00:00:00 2001 
From: adam Date: Tue, 19 Apr 2022 15:16:15 -0700 Subject: [PATCH 0416/1479] DRY out tap --- .../templates/tap-application.yaml | 10 +- services/tap/Chart.yaml | 16 +- services/tap/README.md | 54 +++++++ services/tap/templates/_helpers.tpl | 52 +++++++ .../tap/templates/mock-qserv-deployment.yaml | 49 ++++++ .../templates/mock-qserv-networkpolicy.yaml | 23 +++ .../tap/templates/mock-qserv-service.yaml | 17 +++ services/tap/templates/tap-deployment.yaml | 85 +++++++++++ .../tap/templates/tap-ingress-anonymous.yaml | 31 ++++ .../templates/tap-ingress-authenticated.yaml | 37 +++++ services/tap/templates/tap-networkpolicy.yaml | 22 +++ services/tap/templates/tap-service.yaml | 15 ++ services/tap/templates/uws-db-deployment.yaml | 53 +++++++ .../tap/templates/uws-db-networkpolicy.yaml | 23 +++ services/tap/templates/uws-db-service.yaml | 14 ++ services/tap/templates/vault-secrets.yaml | 19 +++ services/tap/values-idfdev.yaml | 19 +-- services/tap/values-idfint.yaml | 29 +--- services/tap/values-idfprod.yaml | 55 +++---- services/tap/values-int.yaml | 55 +++---- services/tap/values-minikube.yaml | 19 +-- services/tap/values-roe.yaml | 12 -- services/tap/values-stable.yaml | 55 +++---- services/tap/values.yaml | 141 ++++++++++++++++++ 24 files changed, 727 insertions(+), 178 deletions(-) create mode 100644 services/tap/README.md create mode 100644 services/tap/templates/_helpers.tpl create mode 100644 services/tap/templates/mock-qserv-deployment.yaml create mode 100644 services/tap/templates/mock-qserv-networkpolicy.yaml create mode 100644 services/tap/templates/mock-qserv-service.yaml create mode 100644 services/tap/templates/tap-deployment.yaml create mode 100644 services/tap/templates/tap-ingress-anonymous.yaml create mode 100644 services/tap/templates/tap-ingress-authenticated.yaml create mode 100644 services/tap/templates/tap-networkpolicy.yaml create mode 100644 services/tap/templates/tap-service.yaml create mode 100644 services/tap/templates/uws-db-deployment.yaml 
 create mode 100644 services/tap/templates/uws-db-networkpolicy.yaml
 create mode 100644 services/tap/templates/uws-db-service.yaml
 create mode 100644 services/tap/templates/vault-secrets.yaml
 create mode 100644 services/tap/values.yaml
diff --git a/science-platform/templates/tap-application.yaml b/science-platform/templates/tap-application.yaml
index 5f570f0717..c3419dca62 100644
--- a/science-platform/templates/tap-application.yaml
+++ b/science-platform/templates/tap-application.yaml
@@ -24,6 +24,14 @@ spec:
     repoURL: {{ .Values.repoURL }}
     targetRevision: {{ .Values.revision }}
     helm:
+      parameters:
+        - name: "global.host"
+          value: {{ .Values.fqdn | quote }}
+        - name: "global.baseUrl"
+          value: "https://{{ .Values.fqdn }}"
+        - name: "global.vaultSecretsPath"
+          value: {{ .Values.vault_path_prefix | quote }}
       valueFiles:
-        - values-{{ .Values.environment }}.yaml
+        - "values.yaml"
+        - "values-{{ .Values.environment }}.yaml"
 {{- end -}}
diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml
index 44759cd33f..56e1b45506 100644
--- a/services/tap/Chart.yaml
+++ b/services/tap/Chart.yaml
@@ -1,10 +1,6 @@
-apiVersion: v2
-name: tap
-version: 1.0.0
-dependencies:
-  - name: cadc-tap
-    version: 1.0.6
-    repository: https://lsst-sqre.github.io/charts/
-  - name: pull-secret
-    version: 0.1.2
-    repository: https://lsst-sqre.github.io/charts/
+apiVersion: v1
+appVersion: "1.1.2"
+description: A Helm chart for the CADC TAP service
+home: https://github.com/lsst-sqre/lsst-tap-service
+name: cadc-tap
+version: 1.0.6
diff --git a/services/tap/README.md b/services/tap/README.md
new file mode 100644
index 0000000000..687012ffc6
--- /dev/null
+++ b/services/tap/README.md
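Review bot: `apiVersion: v1` in services/tap/Chart.yaml moves the chart back to the Helm 2 chart format, while the strimzi-registry-operator chart converted in the previous commit keeps `apiVersion: v2`; Helm 3 still accepts `v1`, but the two in-repo charts should agree, and `v2` is where `dependencies:` and `type:` live if the chart ever needs them again. The chart `name` also changes from `tap` to `cadc-tap` while the directory stays `services/tap`; the Argo Application references the path so this renders, but a line in the new README noting that the chart name differs from the directory would save the next reader a lookup.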
@@ -0,0 +1,54 @@
+# cadc-tap
+
+![Version: 1.0.6](https://img.shields.io/badge/Version-1.0.6-informational?style=flat-square) ![AppVersion: 1.1.2](https://img.shields.io/badge/AppVersion-1.1.2-informational?style=flat-square)
+
+A Helm chart for the CADC TAP service
+
+**Homepage:** 
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity rules for the Gafaelfawr frontend pod |
+| config.datalinkPayloadUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.1.4/datalink-snippets.zip"` | Datalink payload URL |
+| config.gafaelfawrHost | string | Value of `ingress.host` | Gafaelfawr hostname to get user information from a token |
+| config.gcsBucket | string | None, must be set | Name of GCS bucket in which to store results |
+| config.gcsBucketUrl | string | None, must be set | Base URL for results stored in GCS bucket |
+| config.jvmMaxHeapSize | string | `"4G"` | Java heap size, which will set the maximum size of the heap. Otherwise Java would determine it based on how much memory is available and black maths. |
+| config.tapSchemaAddress | string | `"tap-schema-db.tap-schema.svc.cluster.local:3306"` | Address to a MySQL database containing TAP schema data |
+| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) |
+| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tap image |
+| image.repository | string | `"lsstdax/lsst-tap-service"` | tap image to use |
+| image.tag | string | The appVersion of the chart | Tag of tap image to use |
+| ingress.anonymousAnnotations | object | `{}` | Additional annotations to use for endpoints that allow anonymous access, such as `/capabilities` and `/availability` |
+| ingress.authenticatedAnnotations | object | `{}` | Additional annotations to use for endpoints that are authenticated, such as `/sync`, `/async`, and `/tables` |
+| ingress.gafaelfawrAuthQuery | string | `"scope=read:tap&auth_type=basic&delegate_to=tap"` | Gafaelfawr auth query string |
+| nameOverride | string | `""` | Override the base name for resources |
+| nodeSelector | object | `{}` | Node selector rules for the Gafaelfawr frontend pod |
+| podAnnotations | object | `{}` | Annotations for the Gafaelfawr frontend pod |
+| qserv.host | string | `"mock-qserv:3306"` (the mock QServ) | QServ hostname:port to connect to |
+| qserv.mock.affinity | object | `{}` | Affinity rules for the mock QServ pod |
+| qserv.mock.enabled | bool | `true` | Spin up a container to pretend to be QServ. |
+| qserv.mock.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the mock QServ image |
+| qserv.mock.image.repository | string | `"lsstdax/mock-qserv"` | Mock QServ image to use |
+| qserv.mock.image.tag | string | The appVersion of the chart | Tag of mock QServ image to use |
+| qserv.mock.nodeSelector | object | `{}` | Node selection rules for the mock QServ pod |
+| qserv.mock.podAnnotations | object | `{}` | Annotations for the mock QServ pod |
+| qserv.mock.resources | object | `{}` | Resource limits and requests for the mock QServ pod |
+| qserv.mock.tolerations | list | `[]` | Tolerations for the mock QServ pod |
+| replicaCount | int | `1` | Number of pods to start |
+| resources | object | `{}` | Resource limits and requests for the Gafaelfawr frontend pod |
+| tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod |
+| uws.affinity | object | `{}` | Affinity rules for the UWS database pod |
+| uws.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the UWS database image |
+| uws.image.repository | string | `"lsstdax/uws-db"` | UWS database image to use |
+| uws.image.tag | string | The appVersion of the chart | Tag of UWS database image to use |
+| uws.nodeSelector | object | `{}` | Node selection rules for the UWS database pod |
+| uws.podAnnotations | object | `{}` | Annotations for the UWS databse pod |
+| uws.resources | object | `{}` | Resource limits and requests for the UWS database pod |
+| uws.tolerations | list | `[]` | Tolerations for the UWS database pod |
+| vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//tap`, for example) |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/services/tap/templates/_helpers.tpl b/services/tap/templates/_helpers.tpl
new file mode 100644
index 0000000000..cfb4a4a120
--- /dev/null
+++ b/services/tap/templates/_helpers.tpl
@@ -0,0 +1,52 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cadc-tap.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cadc-tap.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cadc-tap.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "cadc-tap.labels" -}}
+app.kubernetes.io/name: {{ include "cadc-tap.name" . }}
+helm.sh/chart: {{ include "cadc-tap.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cadc-tap.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cadc-tap.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/services/tap/templates/mock-qserv-deployment.yaml b/services/tap/templates/mock-qserv-deployment.yaml
new file mode 100644
index 0000000000..44ed8d0f1d
--- /dev/null
+++ b/services/tap/templates/mock-qserv-deployment.yaml
@@ -0,0 +1,49 @@ +{{ if .Values.qserv.mock.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "cadc-tap.fullname" . }}-mock-qserv + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "cadc-tap.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "mock-qserv" + template: + metadata: + {{- with .Values.qserv.mock.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cadc-tap.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "mock-qserv" + spec: + imagePullSecrets: + - name: "pull-secret" + automountServiceAccountToken: false + containers: + - name: "mock-qserv" + image: "{{ .Values.qserv.mock.image.repository }}:{{ .Values.qserv.mock.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.qserv.mock.image.pullPolicy | quote }} + ports: + - containerPort: 3306 + {{- with .Values.qserv.mock.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.qserv.mock.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.qserv.mock.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.qserv.mock.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/services/tap/templates/mock-qserv-networkpolicy.yaml b/services/tap/templates/mock-qserv-networkpolicy.yaml new file mode 100644 index 0000000000..361c8a6ecf --- /dev/null +++ b/services/tap/templates/mock-qserv-networkpolicy.yaml 
@@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "cadc-tap.fullname" . }}-mock-qserv +spec: + podSelector: + matchLabels: + {{- include "cadc-tap.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "mock-qserv" + policyTypes: + - Ingress + # Deny all outbound access; MySQL doesn't need to talk to anything. + - Egress + ingress: + # Allow inbound access to mock Qserv from the server. + - from: + - podSelector: + matchLabels: + {{- include "cadc-tap.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: "server" + ports: + - protocol: "TCP" + port: 3306 diff --git a/services/tap/templates/mock-qserv-service.yaml b/services/tap/templates/mock-qserv-service.yaml new file mode 100644 index 0000000000..208080d6cc --- /dev/null +++ b/services/tap/templates/mock-qserv-service.yaml @@ -0,0 +1,17 @@ +{{ if .Values.qserv.mock.enabled -}} +kind: Service +apiVersion: v1 +metadata: + name: "mock-qserv" + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - protocol: "TCP" + port: 3306 + targetPort: 3306 + selector: + {{- include "cadc-tap.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: "mock-qserv" +{{- end }} diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml new file mode 100644 index 0000000000..145f2f630f --- /dev/null +++ b/services/tap/templates/tap-deployment.yaml 
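Review bot: `mock-qserv-networkpolicy.yaml` is rendered unconditionally, while the mock-qserv Deployment and Service added in the same commit are wrapped in `{{ if .Values.qserv.mock.enabled -}}` … `{{- end }}`; the environments that set `qserv.mock.enabled: false` (values-idfint, values-idfprod, values-int, values-stable) will therefore get an orphan NetworkPolicy that selects no pods. Wrap this template in the same guard so the three mock resources come and go together. Separately, none of the three NetworkPolicies in this commit (this one, `tap-networkpolicy.yaml`, `uws-db-networkpolicy.yaml`) carry the `{{- include "cadc-tap.labels" . | nindent 4 }}` block under `metadata.labels` that every other resource in the chart has, which makes them harder to find with label selectors.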
@@ -0,0 +1,85 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "cadc-tap.fullname" . }} + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "cadc-tap.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "server" + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cadc-tap.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "server" + spec: + imagePullSecrets: + - name: "pull-secret" + automountServiceAccountToken: false + containers: + - name: "tap-server" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + - name: CATALINA_OPTS + value: >- + -Dqservuser.jdbc.username=qsmaster + -Dqservuser.jdbc.password= + -Dqservuser.jdbc.driverClassName=com.mysql.cj.jdbc.Driver + -Dqservuser.jdbc.url=jdbc:mysql://{{ .Values.qserv.host }}/ + -Dtapuser.jdbc.username=TAP_SCHEMA + -Dtapuser.jdbc.password=TAP_SCHEMA + -Dtapuser.jdbc.driverClassName=com.mysql.cj.jdbc.Driver + -Dtapuser.jdbc.url=jdbc:mysql://{{ .Values.config.tapSchemaAddress }}/ + -Dca.nrc.cadc.reg.client.RegistryClient.local=true + -Duws.jdbc.username=postgres + -Duws.jdbc.driverClassName=org.postgresql.Driver + -Duws.jdbc.url=jdbc:postgresql://{{ template "cadc-tap.fullname" . 
}}-uws-db/ + -Dca.nrc.cadc.auth.Authenticator=org.opencadc.tap.impl.AuthenticatorImpl + -Dgafaelfawr_url={{ .Values.global.baseUrl }}/auth/api/v1/user-info + -Dgcs_bucket={{ .Values.config.gcsBucket }} + -Dgcs_bucket_url={{ .Values.config.gcsBucketUrl }} + -Dbase_url={{ .Values.global.baseUrl }} + -Dca.nrc.cadc.util.PropertiesReader.dir=/etc/creds/ + -Xmx{{ .Values.config.jvmMaxHeapSize }} + - name: GOOGLE_APPLICATION_CREDENTIALS + value: "/etc/creds/google_creds.json" + - name: DATALINK_PAYLOAD_URL + value: "{{ .Values.config.datalinkPayloadUrl }}" + ports: + - containerPort: 8080 + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: "google-creds" + mountPath: "/etc/creds" + readOnly: true + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "google-creds" + secret: + secretName: {{ template "cadc-tap.fullname" . }}-secret + - name: "tmp" + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/tap/templates/tap-ingress-anonymous.yaml b/services/tap/templates/tap-ingress-anonymous.yaml new file mode 100644 index 0000000000..55e6c91455 --- /dev/null +++ b/services/tap/templates/tap-ingress-anonymous.yaml 
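Review bot: The JDBC credentials for all three databases are literal JVM system properties inside the `CATALINA_OPTS` env value (`-Dtapuser.jdbc.password=TAP_SCHEMA`, an empty `-Dqservuser.jdbc.password=`, and `-Duws.jdbc.username=postgres` with no password property at all), so they are readable by anyone who can view the pod spec or the container's process list. Since `-Dca.nrc.cadc.util.PropertiesReader.dir=/etc/creds/` already points the server at the directory where the `{{ template "cadc-tap.fullname" . }}-secret` VaultSecret is mounted, anything that is a real credential could presumably live there (or come in via `valueFrom.secretKeyRef`) instead; a comment on the env block stating which of these are deliberate non-secret defaults for the in-cluster databases would settle it either way. Also, `.Values.global.baseUrl` is used unguarded here although the ingress templates use `required` for `global.host`; an unset value renders `-Dgafaelfawr_url=/auth/api/v1/user-info` silently.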
@@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "cadc-tap.fullname" . }}-anonymous + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "900" + nginx.ingress.kubernetes.io/proxy-send-timeout: "900" + nginx.ingress.kubernetes.io/proxy-read-timeout: "900" + nginx.ingress.kubernetes.io/rewrite-target: "/tap/$1" + nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/" + nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/tap/" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/use-regex: "true" + {{- with .Values.ingress.anonymousAnnotations }} + {{- toYaml . | indent 4}} + {{- end }} +spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/tap/(availability|capabilities|swagger-ui.*)" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ template "cadc-tap.fullname" . }} + port: + number: 80 diff --git a/services/tap/templates/tap-ingress-authenticated.yaml b/services/tap/templates/tap-ingress-authenticated.yaml new file mode 100644 index 0000000000..fe168f1b4e --- /dev/null +++ b/services/tap/templates/tap-ingress-authenticated.yaml 
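Review bot: The annotation override block `{{- with .Values.ingress.anonymousAnnotations }} {{- toYaml . | indent 4}} {{- end }}` cannot render valid YAML once the value is non-empty: the `{{-` on the `toYaml` line trims the preceding newline, and `indent` (unlike `nindent`) does not add one back, so the first user annotation is appended to the end of the `use-regex: "true"` line. Every other `toYaml` in this chart uses `nindent`; change this line to `{{- toYaml . | nindent 4 }}`. The same construct appears in `tap-ingress-authenticated.yaml` with `authenticatedAnnotations`. The `{}` defaults mean no environment in this commit triggers it, which is why the templates currently render.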
@@ -0,0 +1,37 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "cadc-tap.fullname" . }}-authenticated + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Uid, X-Auth-Request-Token" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + nginx.ingress.kubernetes.io/configuration-snippet: | + auth_request_set $auth_token $upstream_http_x_auth_request_token; + proxy_set_header Authorization "Bearer $auth_token"; + nginx.ingress.kubernetes.io/proxy-connect-timeout: "900" + nginx.ingress.kubernetes.io/proxy-send-timeout: "900" + nginx.ingress.kubernetes.io/proxy-read-timeout: "900" + nginx.ingress.kubernetes.io/rewrite-target: "/tap/$2" + nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/" + nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/tap/" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/use-regex: "true" + {{- with .Values.ingress.authenticatedAnnotations }} + {{- toYaml . | indent 4}} + {{- end }} +spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/tap(/|$)(.*)" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ template "cadc-tap.fullname" . }} + port: + number: 80 diff --git a/services/tap/templates/tap-networkpolicy.yaml b/services/tap/templates/tap-networkpolicy.yaml new file mode 100644 index 0000000000..9612ba8cfc --- /dev/null +++ b/services/tap/templates/tap-networkpolicy.yaml 
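Review bot: The `configuration-snippet` annotation that copies the delegated token into `Authorization: Bearer …` is the only thing that gets a credential to the TAP server, but nothing in the chart records that this depends on the ingress-nginx controller allowing snippet annotations (`allow-snippet-annotations` in the controller ConfigMap). If a controller upgrade or hardening turns that off, the authenticated paths presumably reach the server with no Authorization header and fail in the application rather than visibly at the edge. A comment above the annotation would make the dependency discoverable: `# Needs allow-snippet-annotations on the ingress-nginx controller; without it no Bearer token reaches the server.` The `kubernetes.io/ingress.class` annotation here and in `tap-ingress-anonymous.yaml` is the deprecated form; with `networking.k8s.io/v1` the same thing is `spec.ingressClassName: "nginx"`.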
@@ -0,0 +1,22 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "cadc-tap.fullname" . }} +spec: + podSelector: + matchLabels: + {{- include "cadc-tap.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "server" + policyTypes: + - Ingress + ingress: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 8080 diff --git a/services/tap/templates/tap-service.yaml b/services/tap/templates/tap-service.yaml new file mode 100644 index 0000000000..8f387364b1 --- /dev/null +++ b/services/tap/templates/tap-service.yaml @@ -0,0 +1,15 @@ +kind: Service +apiVersion: v1 +metadata: + name: {{ template "cadc-tap.fullname" . }} + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - protocol: "TCP" + port: 80 + targetPort: 8080 + selector: + {{- include "cadc-tap.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: "server" diff --git a/services/tap/templates/uws-db-deployment.yaml b/services/tap/templates/uws-db-deployment.yaml new file mode 100644 index 0000000000..14cc7dc0f9 --- /dev/null +++ b/services/tap/templates/uws-db-deployment.yaml 
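Review bot: The ingress rule in `tap-networkpolicy.yaml` combines `namespaceSelector: {}` with a `podSelector` on `gafaelfawr.lsst.io/ingress: "true"`, so any pod in any namespace that carries that label may reach port 8080, and the label is not something the policy can verify. That is acceptable when every namespace in the cluster is operator-controlled; if other parties can run workloads in the cluster, narrowing the `namespaceSelector` to the ingress controller's namespace (for example a `matchLabels` on `kubernetes.io/metadata.name`) would stop a labelled pod elsewhere from bypassing the Gafaelfawr-authenticated ingress. Either way a one-line comment recording which assumption was made would help the next reader.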
@@ -0,0 +1,53 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "cadc-tap.fullname" . }}-uws-db + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "cadc-tap.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "uws-db" + template: + metadata: + {{- with .Values.uws.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cadc-tap.labels" . | nindent 8 }} + app.kubernetes.io/component: "uws-db" + spec: + imagePullSecrets: + - name: "pull-secret" + automountServiceAccountToken: false + containers: + - name: "postgresql" + image: "{{ .Values.uws.image.repository }}:{{ .Values.uws.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.uws.image.pullPolicy | quote }} + ports: + - containerPort: 5432 + {{- with .Values.uws.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: "data" + mountPath: "/var/lib/postgresql/data" + volumes: + - name: "data" + emptyDir: {} + {{- with .Values.uws.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.uws.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.uws.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/tap/templates/uws-db-networkpolicy.yaml b/services/tap/templates/uws-db-networkpolicy.yaml new file mode 100644 index 0000000000..b67fbdd5e1 --- /dev/null +++ b/services/tap/templates/uws-db-networkpolicy.yaml 
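Review bot: The PostgreSQL data directory in `uws-db-deployment.yaml` is an `emptyDir`, so every UWS job record is discarded whenever the `-uws-db` pod is restarted or rescheduled. If losing async job state on restart is accepted (the single replica suggests it may be), say so on the volume, e.g. `# Job state is intentionally ephemeral; a pod restart clears all UWS jobs.`; otherwise a PersistentVolumeClaim is needed. The pod template labels use `cadc-tap.labels` where `tap-deployment.yaml` and `mock-qserv-deployment.yaml` use `cadc-tap.selectorLabels`; harmless for the selector, but inconsistent. No database password is configured here and `tap-deployment.yaml` connects as `postgres` without one, so access control for this database presumably rests entirely on `uws-db-networkpolicy.yaml` — worth stating in a comment.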
@@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "cadc-tap.fullname" . }}-uws-db +spec: + podSelector: + matchLabels: + {{- include "cadc-tap.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "uws-db" + policyTypes: + - Ingress + # Deny all outbound access; PostgreSQL doesn't need to talk to anything. + - Egress + ingress: + # Allow inbound access to UWS database from the server. + - from: + - podSelector: + matchLabels: + {{- include "cadc-tap.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: "server" + ports: + - protocol: "TCP" + port: 5432 diff --git a/services/tap/templates/uws-db-service.yaml b/services/tap/templates/uws-db-service.yaml new file mode 100644 index 0000000000..2352a5d334 --- /dev/null +++ b/services/tap/templates/uws-db-service.yaml @@ -0,0 +1,14 @@ +kind: Service +apiVersion: v1 +metadata: + name: {{ template "cadc-tap.fullname" . }}-uws-db + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} +spec: + ports: + - protocol: "TCP" + port: 5432 + targetPort: 5432 + selector: + {{- include "cadc-tap.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: "uws-db" diff --git a/services/tap/templates/vault-secrets.yaml b/services/tap/templates/vault-secrets.yaml new file mode 100644 index 0000000000..319d4147c4 --- /dev/null +++ b/services/tap/templates/vault-secrets.yaml @@ -0,0 +1,19 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ template "cadc-tap.fullname" . }}-secret + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} +spec: + path: "{{ .Values.global.vaultSecretsPath }}/tap" + type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "cadc-tap.labels" . | nindent 4 }} +spec: + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + type: kubernetes.io/dockerconfigjson 
diff --git a/services/tap/values-idfdev.yaml b/services/tap/values-idfdev.yaml index 6693c7e32e..6e3f1aca1e 100644 --- a/services/tap/values-idfdev.yaml +++ b/services/tap/values-idfdev.yaml @@ -1,16 +1,3 @@ -cadc-tap: - fullnameOverride: "cadc-tap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-dev.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-dev.lsst.cloud/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/tap/values-idfint.yaml b/services/tap/values-idfint.yaml index 570d4ba999..57b4e3d67c 100644 --- a/services/tap/values-idfint.yaml +++ b/services/tap/values-idfint.yaml @@ -1,21 +1,8 @@ -cadc-tap: - fullnameOverride: "cadc-tap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-int.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data-int.lsst.cloud/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - - qserv: - host: "10.136.1.211:4040" - mock: - enabled: false - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" + +qserv: + host: "10.136.1.211:4040" + mock: + enabled: false diff --git a/services/tap/values-idfprod.yaml b/services/tap/values-idfprod.yaml index 94e6df8ec3..59eb3337d6 100644 --- a/services/tap/values-idfprod.yaml +++ b/services/tap/values-idfprod.yaml 
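Review bot: `config.gcsBucketUrl` is `http://async-results.lsst.codes` in `values-idfdev.yaml` and in every other environment file in this commit (values-idfint, values-idfprod, values-int, values-minikube, values-stable), and `tap-deployment.yaml` passes it straight through as `-Dgcs_bucket_url`, so the result links handed back to users are presumably plain http. If the bucket is reachable over TLS, `gcsBucketUrl: "https://async-results.lsst.codes"` keeps query results off the wire in clear; if http is deliberate, a comment next to the value saying why would save the question next time.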
@@ -1,39 +1,26 @@ -cadc-tap: - fullnameOverride: "cadc-tap" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 8.0 + memory: "32G" - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data.lsst.cloud" - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/tap" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" + jvmMaxHeapSize: "31G" +qserv: + host: "10.140.1.211:4040" + mock: + enabled: false + +uws: resources: requests: - cpu: 2.0 - memory: "2G" + cpu: 0.25 + memory: "1G" limits: - cpu: 8.0 - memory: "32G" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - jvmMaxHeapSize: "31G" - - qserv: - host: "10.140.1.211:4040" - mock: - enabled: false - - uws: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" + cpu: 2.0 + memory: "4G" diff --git a/services/tap/values-int.yaml b/services/tap/values-int.yaml index 1641d37d18..79d70cf2ce 100644 --- a/services/tap/values-int.yaml +++ b/services/tap/values-int.yaml 
@@ -1,39 +1,26 @@ -cadc-tap: - fullnameOverride: "cadc-tap" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 8.0 + memory: "16G" - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "lsst-lsp-int.ncsa.illinois.edu" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/tap" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" + jvmMaxHeapSize: "15G" +qserv: + host: "lsst-qserv-master03:4040" + mock: + enabled: false + +uws: resources: requests: - cpu: 2.0 - memory: "2G" + cpu: 0.25 + memory: "1G" limits: - cpu: 8.0 - memory: "16G" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - jvmMaxHeapSize: "15G" - - qserv: - host: "lsst-qserv-master03:4040" - mock: - enabled: false - - uws: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" + cpu: 2.0 + memory: "4G" diff --git a/services/tap/values-minikube.yaml b/services/tap/values-minikube.yaml index 2117a31a05..6e3f1aca1e 100644 --- a/services/tap/values-minikube.yaml +++ b/services/tap/values-minikube.yaml @@ -1,16 +1,3 @@ -cadc-tap: - fullnameOverride: "cadc-tap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "minikube.lsst.codes" - vaultSecretsPath: "secret/k8s_operator/minikube.lsst.codes/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - -pull-secret: - enabled: true - path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/tap/values-roe.yaml b/services/tap/values-roe.yaml index 6775305892..e69de29bb2 100644 --- a/services/tap/values-roe.yaml +++ b/services/tap/values-roe.yaml 
@@ -1,12 +0,0 @@ -cadc-tap: - fullnameOverride: "cadc-tap" - - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "rsp.lsst.ac.uk" - vaultSecretsPath: "secret/k8s_operator/roe/tap" - -pull-secret: - enabled: true - path: "secret/k8s_operator/roe/pull-secret" diff --git a/services/tap/values-stable.yaml b/services/tap/values-stable.yaml index 3c638d699e..b3dd95a128 100644 --- a/services/tap/values-stable.yaml +++ b/services/tap/values-stable.yaml @@ -1,39 +1,26 @@ -cadc-tap: - fullnameOverride: "cadc-tap" +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 8.0 + memory: "32G" - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "lsst-lsp-stable.ncsa.illinois.edu" - vaultSecretsPath: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/tap" +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" + jvmMaxHeapSize: "31G" +qserv: + host: "lsst-qserv-master03:4040" + mock: + enabled: false + +uws: resources: requests: - cpu: 2.0 - memory: "2G" + cpu: 0.25 + memory: "1G" limits: - cpu: 8.0 - memory: "32G" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - jvmMaxHeapSize: "31G" - - qserv: - host: "lsst-qserv-master03:4040" - mock: - enabled: false - - uws: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" + cpu: 2.0 + memory: "4G" diff --git a/services/tap/values.yaml b/services/tap/values.yaml new file mode 100644 index 0000000000..06ca5ae1d7 --- /dev/null +++ b/services/tap/values.yaml 
@@ -0,0 +1,141 @@ +# Default values for cadc-tap. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "cadc-tap" + +# -- Number of pods to start +replicaCount: 1 + +image: + # -- tap image to use + repository: "lsstdax/lsst-tap-service" + + # -- Pull policy for the tap image + pullPolicy: "IfNotPresent" + + # -- Tag of tap image to use + # @default -- The appVersion of the chart + tag: "" + +# Settings for the ingress rules. +ingress: + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=read:tap&auth_type=basic&delegate_to=tap" + + # -- Additional annotations to use for endpoints that allow anonymous + # access, such as `/capabilities` and `/availability` + anonymousAnnotations: {} + + # -- Additional annotations to use for endpoints that are authenticated, + # such as `/sync`, `/async`, and `/tables` + authenticatedAnnotations: {} + +# -- Resource limits and requests for the Gafaelfawr frontend pod +resources: {} + +# -- Annotations for the Gafaelfawr frontend pod +podAnnotations: {} + +# -- Node selector rules for the Gafaelfawr frontend pod +nodeSelector: {} + +# -- Tolerations for the Gafaelfawr frontend pod +tolerations: [] + +# -- Affinity rules for the Gafaelfawr frontend pod +affinity: {} + +# -- Path to the Vault secret (`secret/k8s_operator//tap`, for example) +# @default -- None, must be set +vaultSecretsPath: "" + +config: + # -- Address to a MySQL database containing TAP schema data + tapSchemaAddress: "tap-schema-db.tap-schema.svc.cluster.local:3306" + + # -- Datalink payload URL + datalinkPayloadUrl: "https://github.com/lsst/sdm_schemas/releases/download/1.1.4/datalink-snippets.zip" + + # -- Gafaelfawr hostname to get user information from a token + # @default -- Value of `ingress.host` + gafaelfawrHost: "" + + # -- Name of GCS bucket in which to 
store results + # @default -- None, must be set + gcsBucket: "" + + # -- Base URL for results stored in GCS bucket + # @default -- None, must be set + gcsBucketUrl: "" + + # -- Java heap size, which will set the maximum size of the heap. Otherwise + # Java would determine it based on how much memory is available and black + # maths. + jvmMaxHeapSize: 4G + +qserv: + # -- QServ hostname:port to connect to + # @default -- `"mock-qserv:3306"` (the mock QServ) + host: "mock-qserv:3306" + + mock: + # -- Spin up a container to pretend to be QServ. + enabled: true + + image: + # -- Mock QServ image to use + repository: "lsstdax/mock-qserv" + + # -- Pull policy for the mock QServ image + pullPolicy: "IfNotPresent" + + # -- Tag of mock QServ image to use + # @default -- The appVersion of the chart + tag: "" + + # -- Resource limits and requests for the mock QServ pod + resources: {} + + # -- Annotations for the mock QServ pod + podAnnotations: {} + + # -- Node selection rules for the mock QServ pod + nodeSelector: {} + + # -- Tolerations for the mock QServ pod + tolerations: [] + + # -- Affinity rules for the mock QServ pod + affinity: {} + +uws: + image: + # -- UWS database image to use + repository: "lsstdax/uws-db" + + # -- Pull policy for the UWS database image + pullPolicy: "IfNotPresent" + + # -- Tag of UWS database image to use + # @default -- The appVersion of the chart + tag: "" + + # -- Resource limits and requests for the UWS database pod + resources: {} + + # -- Annotations for the UWS databse pod + podAnnotations: {} + + # -- Node selection rules for the UWS database pod + nodeSelector: {} + + # -- Tolerations for the UWS database pod + tolerations: [] + + # -- Affinity rules for the UWS database pod + affinity: {} From 006b13904f86fdf46f2a2f1676eabaf274cb04b6 Mon Sep 17 00:00:00 2001 
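Review bot: `config.gafaelfawrHost` and the top-level `vaultSecretsPath` in `values.yaml` are declared and documented, but no template in this commit reads either of them — the deployment derives the Gafaelfawr URL from `global.baseUrl` and `vault-secrets.yaml` reads `global.vaultSecretsPath` — and the `@default -- Value of \`ingress.host\`` annotation refers to an `ingress.host` key that does not exist in this values file. Drop both keys or point their comments at the `global.*` parameters that `tap-application.yaml` now injects, so helm-docs stops advertising settings that have no effect. Also `jvmMaxHeapSize: 4G` is the only unquoted string scalar in the file (the README renders it as `"4G"`); quote it as `jvmMaxHeapSize: "4G"` for consistency with the `"31G"`/`"15G"` overrides in the environment files.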
From: adam Date: Tue, 19 Apr 2022 15:32:08 -0700 Subject: [PATCH 0417/1479] DRY out vault-secrets-operator --- .../vault-secrets-operator-application.yaml | 3 ++- services/vault-secrets-operator/values-base.yaml | 15 --------------- .../vault-secrets-operator/values-idfdev.yaml | 15 --------------- .../vault-secrets-operator/values-idfint.yaml | 15 --------------- .../vault-secrets-operator/values-idfprod.yaml | 15 --------------- services/vault-secrets-operator/values-int.yaml | 15 --------------- .../vault-secrets-operator/values-minikube.yaml | 15 --------------- services/vault-secrets-operator/values-roe.yaml | 15 --------------- .../vault-secrets-operator/values-stable.yaml | 15 --------------- .../vault-secrets-operator/values-summit.yaml | 15 --------------- .../values-tucson-teststand.yaml | 15 --------------- services/vault-secrets-operator/values.yaml | 15 +++++++++++++++ 12 files changed, 17 insertions(+), 151 deletions(-) create mode 100644 services/vault-secrets-operator/values.yaml diff --git a/science-platform/templates/vault-secrets-operator-application.yaml b/science-platform/templates/vault-secrets-operator-application.yaml index 3eb50571bb..76d98bd16e 100644 --- a/science-platform/templates/vault-secrets-operator-application.yaml +++ b/science-platform/templates/vault-secrets-operator-application.yaml @@ -17,5 +17,6 @@ spec: targetRevision: {{ .Values.revision }} helm: valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/vault-secrets-operator/values-base.yaml b/services/vault-secrets-operator/values-base.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-base.yaml +++ b/services/vault-secrets-operator/values-base.yaml 
@@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 diff --git a/services/vault-secrets-operator/values-idfdev.yaml b/services/vault-secrets-operator/values-idfdev.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-idfdev.yaml +++ b/services/vault-secrets-operator/values-idfdev.yaml @@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 diff --git a/services/vault-secrets-operator/values-idfint.yaml b/services/vault-secrets-operator/values-idfint.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-idfint.yaml +++ b/services/vault-secrets-operator/values-idfint.yaml @@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 diff --git a/services/vault-secrets-operator/values-idfprod.yaml b/services/vault-secrets-operator/values-idfprod.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-idfprod.yaml +++ b/services/vault-secrets-operator/values-idfprod.yaml 
@@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 diff --git a/services/vault-secrets-operator/values-int.yaml b/services/vault-secrets-operator/values-int.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-int.yaml +++ b/services/vault-secrets-operator/values-int.yaml @@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 diff --git a/services/vault-secrets-operator/values-minikube.yaml b/services/vault-secrets-operator/values-minikube.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-minikube.yaml +++ b/services/vault-secrets-operator/values-minikube.yaml @@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 diff --git a/services/vault-secrets-operator/values-roe.yaml b/services/vault-secrets-operator/values-roe.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-roe.yaml +++ b/services/vault-secrets-operator/values-roe.yaml 
@@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 diff --git a/services/vault-secrets-operator/values-stable.yaml b/services/vault-secrets-operator/values-stable.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-stable.yaml +++ b/services/vault-secrets-operator/values-stable.yaml @@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 diff --git a/services/vault-secrets-operator/values-summit.yaml b/services/vault-secrets-operator/values-summit.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-summit.yaml +++ b/services/vault-secrets-operator/values-summit.yaml @@ -1,15 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" - reconciliationTime: 60 diff --git a/services/vault-secrets-operator/values-tucson-teststand.yaml b/services/vault-secrets-operator/values-tucson-teststand.yaml index 51a1243b2d..e69de29bb2 100644 --- a/services/vault-secrets-operator/values-tucson-teststand.yaml +++ b/services/vault-secrets-operator/values-tucson-teststand.yaml 
@@ -1,15 +0,0 @@
-vault-secrets-operator:
- environmentVars:
- - name: VAULT_TOKEN
- valueFrom:
- secretKeyRef:
- name: vault-secrets-operator
- key: VAULT_TOKEN
- - name: VAULT_TOKEN_LEASE_DURATION
- valueFrom:
- secretKeyRef:
- name: vault-secrets-operator
- key: VAULT_TOKEN_LEASE_DURATION
- vault:
- address: "https://vault.lsst.codes"
- reconciliationTime: 60
diff --git a/services/vault-secrets-operator/values.yaml b/services/vault-secrets-operator/values.yaml
new file mode 100644
index 0000000000..51a1243b2d
--- /dev/null
+++ b/services/vault-secrets-operator/values.yaml
@@ -0,0 +1,15 @@
+vault-secrets-operator:
+ environmentVars:
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: vault-secrets-operator
+ key: VAULT_TOKEN
+ - name: VAULT_TOKEN_LEASE_DURATION
+ valueFrom:
+ secretKeyRef:
+ name: vault-secrets-operator
+ key: VAULT_TOKEN_LEASE_DURATION
+ vault:
+ address: "https://vault.lsst.codes"
+ reconciliationTime: 60
From 7d9699ef15b8e45e8aad4469433b4ee8d8890b2f Mon Sep 17 00:00:00 2001
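Review bot: Both `secretKeyRef` entries in the new values.yaml read a Secret named `vault-secrets-operator`, but nothing in this commit creates it and the diffstat shows no chart template for it, so it is presumably bootstrapped by hand before the operator can start; that dependency is now invisible to anyone reading only this file. A header comment would record it, e.g. `# VAULT_TOKEN and VAULT_TOKEN_LEASE_DURATION come from a pre-existing Secret "vault-secrets-operator" created outside this chart (bootstrap step)`. The Vault `address` is also now one value for every environment, which looks intentional since all ten deleted files carried the same URL, but a one-line comment saying so would stop it being re-added per environment.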
From: adam
Date: Tue, 19 Apr 2022 15:59:50 -0700
Subject: [PATCH 0418/1479] DRY out argocd
---
.../templates/argocd-application.yaml | 6 +-
services/argocd/README.md | 35 +++++++++++
services/argocd/templates/_helpers.tpl | 60 +++++++++++++++++++
services/argocd/templates/vault-secret.yaml | 9 ---
services/argocd/values-base.yaml | 55 -----------------
services/argocd/values-idfdev.yaml | 57 ------------------
services/argocd/values-idfint.yaml | 56 -----------------
services/argocd/values-idfprod.yaml | 56 -----------------
services/argocd/values-int.yaml | 55 -----------------
services/argocd/values-minikube.yaml | 44 --------------
services/argocd/values-roe.yaml | 50 +---------------
services/argocd/values-stable.yaml | 56 -----------------
services/argocd/values-summit.yaml | 56 -----------------
services/argocd/values-tucson-teststand.yaml | 55 -----------------
services/argocd/values.yaml | 52 ++++++++++++++++
15 files changed, 153 insertions(+), 549 deletions(-)
create mode 100644 services/argocd/README.md
create mode 100644 services/argocd/templates/_helpers.tpl
delete mode 100644 services/argocd/templates/vault-secret.yaml
create mode 100644 services/argocd/values.yaml
diff --git a/science-platform/templates/argocd-application.yaml b/science-platform/templates/argocd-application.yaml
index ea9379a8f9..205af94ec6 100644
--- a/science-platform/templates/argocd-application.yaml
+++ b/science-platform/templates/argocd-application.yaml
@@ -15,5 +15,9 @@ spec:
repoURL: {{ .Values.repoURL }}
targetRevision: {{ .Values.revision }}
helm:
+ parameters:
+ - name: "global.vaultSecretsPath"
+ value: {{ .Values.vault_path_prefix | quote }}
valueFiles:
- - values-{{ .Values.environment }}.yaml
+ - "values.yaml"
+ - "values-{{ .Values.environment }}.yaml"
diff --git a/services/argocd/README.md b/services/argocd/README.md
new file mode 100644
index 0000000000..c7c3939e96
--- /dev/null
+++ b/services/argocd/README.md
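Review bot: The explicit `pull-secret.enabled: true` and `pull-secret.path` stanzas are deleted from every argocd environment file in this commit, and the only replacement visible is the new `global.vaultSecretsPath` parameter added here; whether the pull-secret subchart is enabled by default and derives its Vault path from that global is not visible in this diff and should be confirmed before merging, otherwise the pull secret quietly stops being created on the next sync. A comment on the parameter would document the contract it is relying on, e.g. `# consumed by subcharts (pull-secret) that build their VaultSecret path from this prefix`. The same per-environment `pull-secret:` removal appears in the values-*.yaml hunks that follow.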
@@ -0,0 +1,35 @@ +# argo-cd + +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://argoproj.github.io/argo-helm | argo-cd | 4.5.3 | +| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| argo-cd.configs.secret.createSecret | bool | `false` | | +| argo-cd.controller.metrics.applicationLabels.enabled | bool | `true` | | +| argo-cd.controller.metrics.applicationLabels.labels[0] | string | `"name"` | | +| argo-cd.controller.metrics.applicationLabels.labels[1] | string | `"instance"` | | +| argo-cd.controller.metrics.enabled | bool | `true` | | +| argo-cd.notifications.metrics.enabled | bool | `true` | | +| argo-cd.redis.enabled | bool | `true` | | +| argo-cd.redis.metrics.enabled | bool | `true` | | +| argo-cd.repoServer.metrics.enabled | bool | `true` | | +| argo-cd.server.config."helm.repositories" | string | `"- url: https://lsst-sqre.github.io/charts/\n name: lsst-sqre\n- url: https://ricoberger.github.io/helm-charts/\n name: ricoberger\n- url: https://kubernetes.github.io/ingress-nginx/\n name: ingress-nginx\n- url: https://charts.helm.sh/stable\n name: stable\n- url: https://strimzi.io/charts/\n name: strimzi\n"` | | +| argo-cd.server.extraArgs[0] | string | `"--basehref=/argo-cd"` | | +| argo-cd.server.extraArgs[1] | string | `"--insecure=true"` | | +| argo-cd.server.ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` | | +| argo-cd.server.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/$2"` | | +| argo-cd.server.ingress.enabled | bool | `true` | | +| argo-cd.server.ingress.paths[0] | string | `"/argo-cd(/|$)(.*)"` | | +| argo-cd.server.metrics.enabled | bool | `true` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs 
v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/argocd/templates/_helpers.tpl b/services/argocd/templates/_helpers.tpl new file mode 100644 index 0000000000..e48da5339c --- /dev/null +++ b/services/argocd/templates/_helpers.tpl 
@@ -0,0 +1,60 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "argocd.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "argocd.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "argocd.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "argocd.labels" -}} +app.kubernetes.io/name: {{ include "argocd.name" . }} +helm.sh/chart: {{ include "argocd.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "argocd.selectorLabels" -}} +app.kubernetes.io/name: {{ include "argocd.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "argocd.serviceAccountName" -}} +{{ default (include "argocd.fullname" .) .Values.serviceAccount.name }} +{{- end -}} 
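Review bot: None of the six helpers defined in this new _helpers.tpl is referenced by a template in this chart — the chart's only template, vault-secret.yaml, is deleted in the same commit — so the file is dead code, and `argocd.serviceAccountName` in particular dereferences `.Values.serviceAccount.name` while the new values.yaml defines no `serviceAccount` key, so the first template to `include` it would fail with a nil-pointer evaluation error. Either drop the file (the next commit in this series does, and the one after reverts that) or define the key it needs, e.g. `serviceAccount:` / `  name: ""  # read by argocd.serviceAccountName`. If it stays as `helm create` boilerplate, a one-line header such as `{{/* Unused helm-create helpers kept for future templates */}}` would save the next reader a search for callers.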
diff --git a/services/argocd/templates/vault-secret.yaml b/services/argocd/templates/vault-secret.yaml deleted file mode 100644 index 598154025d..0000000000 --- a/services/argocd/templates/vault-secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{ if .Values.vault_secret.enabled }} -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: argocd-secret -spec: - path: {{ .Values.vault_secret.path }} - type: Opaque -{{ end }} diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml index 33cabea149..58f41ed40d 100644 --- a/services/argocd/values-base.yaml +++ b/services/argocd/values-base.yaml @@ -1,40 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "base-lsp.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" config: url: https://base-lsp.lsst.codes/argo-cd @@ -51,30 +19,7 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin - - configs: - secret: - createSecret: false - -vault_secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret 
diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index f91c296f4a..fa5d270bb0 100644 --- a/services/argocd/values-idfdev.yaml +++ b/services/argocd/values-idfdev.yaml @@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "data-dev.lsst.cloud" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://data-dev.lsst.cloud/argo-cd dex.config: | @@ -51,17 +18,6 @@ argo-cd: hostedDomains: - lsst.cloud redirectURI: https://data-dev.lsst.cloud/argo-cd/api/dex/callback - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | @@ -77,16 +33,3 @@ argo-cd: g, loi@lsst.cloud, role:admin g, roby@lsst.cloud, role:admin scopes: "[email]" - - configs: - secret: - createSecret: false - -vault_secret: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/argocd - - -pull-secret: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml index 622a846e56..42eeeae01b 100644 --- a/services/argocd/values-idfint.yaml +++ b/services/argocd/values-idfint.yaml 
@@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "data-int.lsst.cloud" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://data-int.lsst.cloud/argo-cd dex.config: | @@ -51,17 +18,6 @@ argo-cd: hostedDomains: - lsst.cloud redirectURI: https://data-int.lsst.cloud/argo-cd/api/dex/callback - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | @@ -79,15 +35,3 @@ argo-cd: g, roby@lsst.cloud, role:admin g, fritzm@lsst.cloud, role:admin scopes: "[email]" - - configs: - secret: - createSecret: false - -vault_secret: - enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/pull-secret diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml index d5f4af6e30..b79c0fed99 100644 --- a/services/argocd/values-idfprod.yaml +++ b/services/argocd/values-idfprod.yaml 
@@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "data.lsst.cloud" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://data.lsst.cloud/argo-cd dex.config: | @@ -51,17 +18,6 @@ argo-cd: hostedDomains: - lsst.cloud redirectURI: https://data.lsst.cloud/argo-cd/api/dex/callback - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | @@ -77,15 +33,3 @@ argo-cd: g, loi@lsst.cloud, role:admin g, roby@lsst.cloud, role:admin scopes: "[email]" - - configs: - secret: - createSecret: false - -vault_secret: - enabled: true - path: secret/k8s_operator/data.lsst.cloud/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/data.lsst.cloud/pull-secret diff --git a/services/argocd/values-int.yaml b/services/argocd/values-int.yaml index e27a97f19b..c70393d382 100644 --- a/services/argocd/values-int.yaml +++ b/services/argocd/values-int.yaml 
@@ -1,40 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true server: - metrics: - enabled: true ingress: - enabled: true hosts: - "lsst-lsp-int.ncsa.illinois.edu" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://lsst-lsp-int.ncsa.illinois.edu/argo-cd dex.config: | @@ -50,30 +18,7 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin - - configs: - secret: - createSecret: false - -vault_secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret diff --git a/services/argocd/values-minikube.yaml b/services/argocd/values-minikube.yaml index d5340f0bf2..8e019290aa 100644 --- a/services/argocd/values-minikube.yaml +++ b/services/argocd/values-minikube.yaml 
@@ -2,42 +2,10 @@ argo-cd: controller: args: repoServerTimeoutSeconds: "180" - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - redis: - enabled: true - metrics: - enabled: true - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "minikube.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: helm.repositories: | - url: https://lsst-sqre.github.io/charts/ @@ -50,15 +18,3 @@ argo-cd: name: stable - url: https://strimzi.io/charts/ name: strimzi - - configs: - secret: - createSecret: false - -vault_secret: - enabled: true - path: secret/k8s_operator/minikube.lsst.codes/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/minikube.lsst.codes/pull-secret diff --git a/services/argocd/values-roe.yaml b/services/argocd/values-roe.yaml index 06ad8a8272..a1fbe5ffc2 100644 --- a/services/argocd/values-roe.yaml +++ b/services/argocd/values-roe.yaml 
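Review bot: values-minikube.yaml keeps its own `config.helm.repositories` block (the surviving context lines from `- url: https://lsst-sqre.github.io/charts/` to `name: strimzi`) even though the new values.yaml in this commit supplies what appears to be the same list; because the value is a single block scalar it is replaced wholesale rather than merged, so the copy is harmless today but defeats the DRY goal and will drift. Unless the minikube list is meant to differ, delete it so the file holds only the host-specific `args`, `hosts` and `config` values, as the other environment files now do. The unchanged lines between the two hunks are not shown here, so I cannot confirm the two lists match exactly.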
@@ -1,55 +1,7 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "rsp.lsst.ac.uk" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable -pull-secret: - enabled: true - path: secret/k8s_operator/roe/pull-secret - -vault_secret: - enabled: true - path: secret/k8s_operator/roe/argocd + url: https://rsp.lsst.ac.uk/argo-cd diff --git a/services/argocd/values-stable.yaml b/services/argocd/values-stable.yaml index 6ac6dfc7d6..8da1b8041b 100644 --- a/services/argocd/values-stable.yaml +++ b/services/argocd/values-stable.yaml @@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "lsst-lsp-stable.ncsa.illinois.edu" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://lsst-lsp-stable.ncsa.illinois.edu/argo-cd dex.config: | 
@@ -51,30 +18,7 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin - - configs: - secret: - createSecret: false - -vault_secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret diff --git a/services/argocd/values-summit.yaml b/services/argocd/values-summit.yaml index 837c1918ec..df13771dda 100644 --- a/services/argocd/values-summit.yaml +++ b/services/argocd/values-summit.yaml @@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "summit-lsp.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://summit-lsp.lsst.codes/argo-cd dex.config: | 
@@ -51,30 +18,7 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin - - configs: - secret: - createSecret: false - -vault_secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret diff --git a/services/argocd/values-tucson-teststand.yaml b/services/argocd/values-tucson-teststand.yaml index d467e06f8f..cc6baf8cc9 100644 --- a/services/argocd/values-tucson-teststand.yaml +++ b/services/argocd/values-tucson-teststand.yaml @@ -1,40 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "tucson-teststand.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" config: url: https://tucson-teststand.lsst.codes/argo-cd 
@@ -51,30 +19,7 @@ argo-cd:
clientSecret: $dex.clientSecret
orgs:
- name: lsst-sqre
- helm.repositories: |
- - url: https://lsst-sqre.github.io/charts/
- name: lsst-sqre
- - url: https://ricoberger.github.io/helm-charts/
- name: ricoberger
- - url: https://kubernetes.github.io/ingress-nginx/
- name: ingress-nginx
- - url: https://charts.helm.sh/stable
- name: stable
- - url: https://strimzi.io/charts/
- name: strimzi
rbacConfig:
policy.csv: |
g, lsst-sqre:square, role:admin
-
- configs:
- secret:
- createSecret: false
-
-vault_secret:
- enabled: true
- path: secret/k8s_operator/tucson-teststand.lsst.codes/argocd
-
-pull-secret:
- enabled: true
- path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret
diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml
new file mode 100644
index 0000000000..2356235024
--- /dev/null
+++ b/services/argocd/values.yaml
@@ -0,0 +1,52 @@
+argo-cd:
+ redis:
+ enabled: true
+ metrics:
+ enabled: true
+
+ controller:
+ metrics:
+ enabled: true
+ applicationLabels:
+ enabled: true
+ labels: ["name", "instance"]
+
+ repoServer:
+ metrics:
+ enabled: true
+
+ notifications:
+ metrics:
+ enabled: true
+
+ server:
+ metrics:
+ enabled: true
+ ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/rewrite-target: "/$2"
+ paths:
+ - /argo-cd(/|$)(.*)
+
+ extraArgs:
+ - "--basehref=/argo-cd"
+ - "--insecure=true"
+
+ config:
+ helm.repositories: |
+ - url: https://lsst-sqre.github.io/charts/
+ name: lsst-sqre
+ - url: https://ricoberger.github.io/helm-charts/
+ name: ricoberger
+ - url: https://kubernetes.github.io/ingress-nginx/
+ name: ingress-nginx
+ - url: https://charts.helm.sh/stable
+ name: stable
+ - url: https://strimzi.io/charts/
+ name: strimzi
+
+ configs:
+ secret:
+ createSecret: false
From 91bc2345b11ea611d97d34a5938316c54c9be342 Mon Sep 17 00:00:00 2001
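Review bot: `configs.secret.createSecret: false` at the end of the new values.yaml tells the upstream chart not to create `argocd-secret`, and the template that used to populate it from Vault (templates/vault-secret.yaml, driven by the per-environment `vault_secret.path` values deleted in this hunk and its siblings) is removed in this same commit with no replacement in the diffstat; every environment's dex.config still references `$dex.clientSecret`, which Argo CD resolves from that Secret, so unless another chart or the new `global.vaultSecretsPath` parameter now provisions it, SSO login breaks once this syncs. Whatever does provision it should be named next to the key, e.g. `# argocd-secret (dex clientSecret and the other keys Argo CD reads from it) is provisioned from Vault outside this chart`. Separately, `--insecure=true` makes argocd-server serve plain HTTP and is only acceptable because the nginx ingress terminates TLS in front of it; a comment such as `# TLS is terminated at the ingress; argocd-server listens in plain HTTP inside the cluster` records that assumption so the flag is not copied to a deployment without it.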
From: adam
Date: Tue, 19 Apr 2022 16:05:05 -0700
Subject: [PATCH 0419/1479] Remove pull secret from argocd
---
services/argocd/Chart.yaml | 3 --
services/argocd/templates/_helpers.tpl | 60 --------------------------
2 files changed, 63 deletions(-)
delete mode 100644 services/argocd/templates/_helpers.tpl
diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml
index e2bfe9a7d0..83b04ace77 100644
--- a/services/argocd/Chart.yaml
+++ b/services/argocd/Chart.yaml
@@ -5,6 +5,3 @@ dependencies:
- name: argo-cd
version: 4.5.12
repository: https://argoproj.github.io/argo-helm
-- name: pull-secret
- version: 0.1.2
- repository: https://lsst-sqre.github.io/charts/
diff --git a/services/argocd/templates/_helpers.tpl b/services/argocd/templates/_helpers.tpl
deleted file mode 100644
index e48da5339c..0000000000
--- a/services/argocd/templates/_helpers.tpl
+++ /dev/null
@@ -1,60 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "argocd.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "argocd.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "argocd.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "argocd.labels" -}} -app.kubernetes.io/name: {{ include "argocd.name" . }} -helm.sh/chart: {{ include "argocd.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Selector labels -*/}} -{{- define "argocd.selectorLabels" -}} -app.kubernetes.io/name: {{ include "argocd.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "argocd.serviceAccountName" -}} -{{ default (include "argocd.fullname" .) .Values.serviceAccount.name }} -{{- end -}} From eacdea10a2d3302c5d17c2f023cef4ca6df3a1c5 Mon Sep 17 00:00:00 2001 
From: adam Date: Tue, 19 Apr 2022 16:06:05 -0700 Subject: [PATCH 0420/1479] Revert "Remove pull secret from argocd" This reverts commit 12deb2f4c4e08b6f3902b555c9fdd5ea4cc336b3. --- services/argocd/Chart.yaml | 3 ++ services/argocd/templates/_helpers.tpl | 60 ++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 services/argocd/templates/_helpers.tpl diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 83b04ace77..e2bfe9a7d0 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -5,3 +5,6 @@ dependencies: - name: argo-cd version: 4.5.12 repository: https://argoproj.github.io/argo-helm +- name: pull-secret + version: 0.1.2 + repository: https://lsst-sqre.github.io/charts/ diff --git a/services/argocd/templates/_helpers.tpl b/services/argocd/templates/_helpers.tpl new file mode 100644 index 0000000000..e48da5339c --- /dev/null +++ b/services/argocd/templates/_helpers.tpl 
@@ -0,0 +1,60 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "argocd.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "argocd.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "argocd.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "argocd.labels" -}} +app.kubernetes.io/name: {{ include "argocd.name" . }} +helm.sh/chart: {{ include "argocd.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "argocd.selectorLabels" -}} +app.kubernetes.io/name: {{ include "argocd.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "argocd.serviceAccountName" -}} +{{ default (include "argocd.fullname" .) .Values.serviceAccount.name }} +{{- end -}} From df008ded511254df2f8298dd747aaaa432224682 Mon Sep 17 00:00:00 2001 
From: adam Date: Tue, 19 Apr 2022 16:06:56 -0700 Subject: [PATCH 0421/1479] add back just argocd secret, DRY out ingress-nginx --- .../templates/ingress-nginx-application.yaml | 6 +- services/argocd/templates/_helpers.tpl | 60 ------------------- services/argocd/templates/vault-secrets.yaml | 7 +++ services/ingress-nginx/Chart.yaml | 3 - ...lt-certificate.yaml => vault-secrets.yaml} | 2 +- services/ingress-nginx/values-base.yaml | 20 ------- services/ingress-nginx/values-idfdev.yaml | 20 ------- services/ingress-nginx/values-idfint.yaml | 20 ------- services/ingress-nginx/values-idfprod.yaml | 20 ------- services/ingress-nginx/values-minikube.yaml | 21 ------- services/ingress-nginx/values-roe.yaml | 17 ------ services/ingress-nginx/values-summit.yaml | 20 ------- .../values-tucson-teststand.yaml | 20 ------- services/ingress-nginx/values.yaml | 19 ++++++ 14 files changed, 32 insertions(+), 223 deletions(-) delete mode 100644 services/argocd/templates/_helpers.tpl create mode 100644 services/argocd/templates/vault-secrets.yaml rename services/ingress-nginx/templates/{vault-certificate.yaml => vault-secrets.yaml} (73%) create mode 100644 services/ingress-nginx/values.yaml diff --git a/science-platform/templates/ingress-nginx-application.yaml b/science-platform/templates/ingress-nginx-application.yaml index e720da8484..ee99864bcb 100644 --- a/science-platform/templates/ingress-nginx-application.yaml +++ b/science-platform/templates/ingress-nginx-application.yaml @@ -24,6 +24,10 @@ spec: repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" {{- end -}} diff --git a/services/argocd/templates/_helpers.tpl b/services/argocd/templates/_helpers.tpl deleted file mode 100644 index e48da5339c..0000000000 
--- a/services/argocd/templates/_helpers.tpl +++ /dev/null @@ -1,60 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "argocd.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "argocd.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "argocd.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "argocd.labels" -}} -app.kubernetes.io/name: {{ include "argocd.name" . }} -helm.sh/chart: {{ include "argocd.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Selector labels -*/}} -{{- define "argocd.selectorLabels" -}} -app.kubernetes.io/name: {{ include "argocd.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "argocd.serviceAccountName" -}} -{{ default (include "argocd.fullname" .) .Values.serviceAccount.name }} -{{- end -}} 
diff --git a/services/argocd/templates/vault-secrets.yaml b/services/argocd/templates/vault-secrets.yaml new file mode 100644 index 0000000000..92bae63785 --- /dev/null +++ b/services/argocd/templates/vault-secrets.yaml @@ -0,0 +1,7 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: argocd-secret +spec: + path: "{{ .Values.global.vaultSecretsPath }}/argocd" + type: Opaque diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 83c662b2d6..c73809fa9e 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -5,6 +5,3 @@ dependencies: - name: ingress-nginx version: 4.1.0 repository: https://kubernetes.github.io/ingress-nginx - - name: pull-secret - version: ">=0.1.2" - repository: https://lsst-sqre.github.io/charts/ diff --git a/services/ingress-nginx/templates/vault-certificate.yaml b/services/ingress-nginx/templates/vault-secrets.yaml similarity index 73% rename from services/ingress-nginx/templates/vault-certificate.yaml rename to services/ingress-nginx/templates/vault-secrets.yaml index cc2a615207..0d9a7a4a6b 100644 --- a/services/ingress-nginx/templates/vault-certificate.yaml +++ b/services/ingress-nginx/templates/vault-secrets.yaml @@ -4,6 +4,6 @@ kind: VaultSecret metadata: name: ingress-certificate spec: - path: {{ .Values.vault_certificate.path }} + path: "{{ .Values.global.vaultSecretsPath }}/ingress-nginx" type: kubernetes.io/tls {{ end }} diff --git a/services/ingress-nginx/values-base.yaml b/services/ingress-nginx/values-base.yaml index 184cf9a5d6..2b9fc4eeab 100644 --- a/services/ingress-nginx/values-base.yaml +++ b/services/ingress-nginx/values-base.yaml 
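Review bot: The VaultSecret path is built as `"{{ .Values.global.vaultSecretsPath }}/argocd"` with no guard, so when `global.vaultSecretsPath` is unset the chart renders `path: "/argocd"` and the failure surfaces later in the operator instead of at render time. This chart is bootstrapped by `installer/install.sh` with plain `helm upgrade` rather than through an Argo CD Application, so nothing injects the parameter the way the Application templates in this commit do. The cachemachine ingress in this series already uses `required` for `global.host`; the same pattern fits here: `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/argocd"`. The ingress-nginx `vault-secrets.yaml` hunk on this line has the same shape and would benefit from the same guard.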
@@ -1,24 +1,4 @@ ingress-nginx: controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" service: - externalTrafficPolicy: Local loadBalancerIP: "139.229.146.150" - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - metrics: - enabled: true - -vault_certificate: - enabled: false - -pull-secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret diff --git a/services/ingress-nginx/values-idfdev.yaml b/services/ingress-nginx/values-idfdev.yaml index 07e4381428..ce9e5c39ca 100644 --- a/services/ingress-nginx/values-idfdev.yaml +++ b/services/ingress-nginx/values-idfdev.yaml @@ -1,24 +1,4 @@ ingress-nginx: controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" service: - externalTrafficPolicy: Local loadBalancerIP: "35.225.112.77" - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - metrics: - enabled: true - -vault_certificate: - enabled: false - -pull-secret: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret diff --git a/services/ingress-nginx/values-idfint.yaml b/services/ingress-nginx/values-idfint.yaml index 4f834a666d..d80561ff45 100644 --- a/services/ingress-nginx/values-idfint.yaml +++ b/services/ingress-nginx/values-idfint.yaml 
@@ -1,24 +1,4 @@ ingress-nginx: controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" service: - externalTrafficPolicy: Local loadBalancerIP: "35.238.192.49" - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - metrics: - enabled: true - -vault_certificate: - enabled: false - -pull-secret: - enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/pull-secret diff --git a/services/ingress-nginx/values-idfprod.yaml b/services/ingress-nginx/values-idfprod.yaml index b2d341bc9c..04deedff94 100644 --- a/services/ingress-nginx/values-idfprod.yaml +++ b/services/ingress-nginx/values-idfprod.yaml @@ -1,24 +1,4 @@ ingress-nginx: controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" service: - externalTrafficPolicy: Local loadBalancerIP: "35.202.181.164" - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - metrics: - enabled: true - -vault_certificate: - enabled: false - -pull-secret: - enabled: true - path: secret/k8s_operator/data.lsst.cloud/pull-secret diff --git a/services/ingress-nginx/values-minikube.yaml b/services/ingress-nginx/values-minikube.yaml index 984f65f210..12a577469f 100644 --- a/services/ingress-nginx/values-minikube.yaml +++ b/services/ingress-nginx/values-minikube.yaml @@ -1,12 +1,5 @@ ingress-nginx: controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" service: type: ClusterIP hostNetwork: true 
@@ -15,20 +8,6 @@ ingress-nginx: enabled: false extraArgs: default-ssl-certificate: ingress-nginx/ingress-certificate - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - metrics: - enabled: true - service: - annotations: - prometheus.io/port: "10254" - prometheus.io/scrape: "true" vault_certificate: enabled: true - path: secret/k8s_operator/minikube.lsst.codes/ingress-nginx - -pull-secret: - enabled: true - path: secret/k8s_operator/minikube.lsst.codes/pull-secret diff --git a/services/ingress-nginx/values-roe.yaml b/services/ingress-nginx/values-roe.yaml index 3a1887a23c..22710084b9 100644 --- a/services/ingress-nginx/values-roe.yaml +++ b/services/ingress-nginx/values-roe.yaml @@ -1,14 +1,5 @@ ingress-nginx: controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" - metrics: - enabled: true service: type: ClusterIP dnsPolicy: ClusterFirstWithHostNet @@ -20,16 +11,8 @@ ingress-nginx: - matchExpressions: - key: node-role.kubernetes.io/etcd operator: Exists - extraArgs: default-ssl-certificate: ingress-nginx/ingress-certificate - podLabels: - hub.jupyter.org/network-access-proxy-http: "true" vault_certificate: enabled: true - path: secret/k8s_operator/roe/ingress-nginx - -pull-secret: - enabled: true - path: secret/k8s_operator/roe/pull-secret diff --git a/services/ingress-nginx/values-summit.yaml b/services/ingress-nginx/values-summit.yaml index c7973914de..d74b046fbb 100644 --- a/services/ingress-nginx/values-summit.yaml +++ b/services/ingress-nginx/values-summit.yaml 
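Review bot: This minikube hunk removes `controller.metrics.service.annotations` (`prometheus.io/scrape: "true"`, `prometheus.io/port: "10254"`) together with the blocks that were lifted into the shared `values.yaml`, but the shared file only restores `metrics.enabled: true`, not those annotations. Unless Prometheus in minikube discovers the metrics Service some other way, this silently stops scraping the controller there. If the drop is intentional, a one-line comment in `values-minikube.yaml` such as `# metrics Service annotations intentionally not set here` would save the next reader a hunt; otherwise re-add the two annotations under `metrics.service.annotations`, either here or in the shared file.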
@@ -1,24 +1,4 @@ ingress-nginx: controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" service: - externalTrafficPolicy: Local loadBalancerIP: "139.229.160.150" - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - metrics: - enabled: true - -vault_certificate: - enabled: false - -pull-secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret diff --git a/services/ingress-nginx/values-tucson-teststand.yaml b/services/ingress-nginx/values-tucson-teststand.yaml index c1e1734ba3..6b8f9b5d34 100644 --- a/services/ingress-nginx/values-tucson-teststand.yaml +++ b/services/ingress-nginx/values-tucson-teststand.yaml @@ -1,24 +1,4 @@ ingress-nginx: controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" service: - externalTrafficPolicy: Local loadBalancerIP: "140.252.146.50" - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - metrics: - enabled: true - -vault_certificate: - enabled: false - -pull-secret: - enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret diff --git a/services/ingress-nginx/values.yaml b/services/ingress-nginx/values.yaml new file mode 100644 index 0000000000..202a2d21fe --- /dev/null +++ b/services/ingress-nginx/values.yaml 
@@ -0,0 +1,19 @@ +ingress-nginx: + controller: + config: + compute-full-forwarded-for: "true" + large-client-header-buffers: "4 64k" + proxy-body-size: "100m" + proxy-buffer-size: "64k" + ssl-redirect: "true" + use-forwarded-headers: "true" + service: + externalTrafficPolicy: Local + podLabels: + gafaelfawr.lsst.io/ingress: "true" + hub.jupyter.org/network-access-proxy-http: "true" + metrics: + enabled: true + +vault_certificate: + enabled: false From 771ff2179017412e5827100650218ea4bb42f4d8 Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 19 Apr 2022 17:03:54 -0700 Subject: [PATCH 0422/1479] add base values.yaml to installer, remove unneeded pull secrets --- installer/install.sh | 2 ++ services/argocd/Chart.yaml | 3 --- services/cert-manager/values-int.yaml | 4 ---- services/mobu/templates/deployment.yaml | 2 -- services/mobu/templates/vault-secrets.yaml | 10 ---------- services/nublado2/Chart.yaml | 3 --- .../templates/{clusterrole.yml => clusterrole.yaml} | 0 ...{clusterrolebinding.yml => clusterrolebinding.yaml} | 0 .../{nublado2-vault-secret.yaml => vault-secrets.yaml} | 10 ++++++++++ services/semaphore/Chart.yaml | 5 ----- services/semaphore/templates/deployment.yaml | 2 -- services/squareone/templates/deployment.yaml | 2 -- 12 files changed, 12 insertions(+), 31 deletions(-) rename services/nublado2/templates/{clusterrole.yml => clusterrole.yaml} (100%) rename services/nublado2/templates/{clusterrolebinding.yml => clusterrolebinding.yaml} (100%) rename services/nublado2/templates/{nublado2-vault-secret.yaml => vault-secrets.yaml} (81%) diff --git a/installer/install.sh b/installer/install.sh index 1f1dc6afa7..71f6c04eda 100755 --- a/installer/install.sh +++ b/installer/install.sh 
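Review bot: `use-forwarded-headers: "true"` and `compute-full-forwarded-for: "true"` now apply to every environment, including minikube and roe where the controller runs with `hostNetwork`/`ClusterIP` and clients reach nginx directly, and the LoadBalancer environments where `externalTrafficPolicy: Local` already preserves the real client IP at L4. In that position nginx trusts whatever `X-Forwarded-For` the client supplies, so source IPs in access logs and in any IP-based allow/deny rules become spoofable. ingress-nginx only recommends `use-forwarded-headers` behind a trusted L7 proxy, so either pair it with `proxy-real-ip-cidr: "<trusted proxy range>"` or leave it off in the shared file and enable it only in the environment files that sit behind such a proxy. As a smaller point, `externalTrafficPolicy: Local` is now also rendered for the ClusterIP services in minikube and roe, which newer API servers reject as valid only for NodePort/LoadBalancer; keeping that key in the LoadBalancer environments' files avoids the surprise.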
@@ -34,6 +34,7 @@ echo "Update / install vault-secrets-operator..." helm dependency update ../services/vault-secrets-operator helm upgrade vault-secrets-operator ../services/vault-secrets-operator \ --install \ + --values ../services/vault-secrets-operator/values.yaml \ --values ../services/vault-secrets-operator/values-$ENVIRONMENT.yaml \ --create-namespace \ --namespace vault-secrets-operator \ @@ -44,6 +45,7 @@ echo "Update / install argocd using helm3..." helm dependency update ../services/argocd helm upgrade argocd ../services/argocd \ --install \ + --values ../services/argocd/values.yaml \ --values ../services/argocd/values-$ENVIRONMENT.yaml \ --create-namespace \ --namespace argocd \ diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index e2bfe9a7d0..83b04ace77 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -5,6 +5,3 @@ dependencies: - name: argo-cd version: 4.5.12 repository: https://argoproj.github.io/argo-helm -- name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ diff --git a/services/cert-manager/values-int.yaml b/services/cert-manager/values-int.yaml index e4ace2b5d9..bdbcf1edf0 100644 --- a/services/cert-manager/values-int.yaml +++ b/services/cert-manager/values-int.yaml @@ -3,7 +3,3 @@ cert-manager: extraArgs: - --dns01-recursive-nameservers-only - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret diff --git a/services/mobu/templates/deployment.yaml b/services/mobu/templates/deployment.yaml index d77db21405..efb73dbff8 100644 --- a/services/mobu/templates/deployment.yaml +++ b/services/mobu/templates/deployment.yaml @@ -71,8 +71,6 @@ spec: {{- end }} - name: "tmp" mountPath: "/tmp" - imagePullSecrets: - - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 
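Review bot: The `helm upgrade argocd` call now layers `values.yaml` under `values-$ENVIRONMENT.yaml`, which is the right precedence, but nothing in this invocation supplies `global.vaultSecretsPath`, and the argocd chart's new `templates/vault-secrets.yaml` earlier in this series builds its Vault path from exactly that value. Argo CD injects that parameter for the Applications it manages, whereas this bootstrap path is plain Helm, so on a fresh install the VaultSecret would render with an empty prefix unless `values-$ENVIRONMENT.yaml` happens to set it, which I cannot see from this hunk. I would pass it explicitly, e.g. `--set global.vaultSecretsPath=<environment secret prefix> \`, and add a comment above the call noting that `# bootstrap charts are not parameterised by Argo CD; global.* must be passed here`.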
diff --git a/services/mobu/templates/vault-secrets.yaml b/services/mobu/templates/vault-secrets.yaml index ce08e483b4..050d8fbadc 100644 --- a/services/mobu/templates/vault-secrets.yaml +++ b/services/mobu/templates/vault-secrets.yaml @@ -7,13 +7,3 @@ metadata: spec: path: "{{ .Values.global.vaultSecretsPath }}/mobu" type: "Opaque" ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: "pull-secret" - labels: - {{- include "mobu.labels" . | nindent 4 }} -spec: - path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" - type: "kubernetes.io/dockerconfigjson" diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index a7a1b64e12..816cbbd8ec 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -15,6 +15,3 @@ dependencies: # There hasn't been a stable release in a very long time. version: "1.1.3-n474.h8d0a7616" repository: https://jupyterhub.github.io/helm-chart/ - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ diff --git a/services/nublado2/templates/clusterrole.yml b/services/nublado2/templates/clusterrole.yaml similarity index 100% rename from services/nublado2/templates/clusterrole.yml rename to services/nublado2/templates/clusterrole.yaml diff --git a/services/nublado2/templates/clusterrolebinding.yml b/services/nublado2/templates/clusterrolebinding.yaml similarity index 100% rename from services/nublado2/templates/clusterrolebinding.yml rename to services/nublado2/templates/clusterrolebinding.yaml diff --git a/services/nublado2/templates/nublado2-vault-secret.yaml b/services/nublado2/templates/vault-secrets.yaml similarity index 81% rename from services/nublado2/templates/nublado2-vault-secret.yaml rename to services/nublado2/templates/vault-secrets.yaml index 66a143d2e3..bd31ebef68 100644 --- a/services/nublado2/templates/nublado2-vault-secret.yaml +++ b/services/nublado2/templates/vault-secrets.yaml 
@@ -21,3 +21,13 @@ spec: hub.config.JupyterHub.cookie_secret: "{% .Secrets.crypto_key %}" hub.config.CryptKeeper.keys: "{% .Secrets.cryptkeeper_key %}" hub.config.ConfigurableHTTPProxy.auth_token: "{% .Secrets.proxy_token %}" +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "cachemachine.labels" . | nindent 4 }} +spec: + path: "{{- .Values.pull_secret_path }}" + type: kubernetes.io/dockerconfigjson diff --git a/services/semaphore/Chart.yaml b/services/semaphore/Chart.yaml index 4ded2547f9..87de56eefe 100644 --- a/services/semaphore/Chart.yaml +++ b/services/semaphore/Chart.yaml @@ -9,8 +9,3 @@ sources: maintainers: - name: jonathansick url: https://github.com/jonathansick - -dependencies: - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ diff --git a/services/semaphore/templates/deployment.yaml b/services/semaphore/templates/deployment.yaml index e007921ff5..6980bf34e8 100644 --- a/services/semaphore/templates/deployment.yaml +++ b/services/semaphore/templates/deployment.yaml @@ -21,8 +21,6 @@ spec: labels: {{- include "semaphore.selectorLabels" . | nindent 8 }} spec: - imagePullSecrets: - - name: "pull-secret" serviceAccountName: {{ include "semaphore.serviceAccountName" . }} securityContext: runAsNonRoot: true diff --git a/services/squareone/templates/deployment.yaml b/services/squareone/templates/deployment.yaml index 541f5fe2b9..eb8f98ff8e 100644 --- a/services/squareone/templates/deployment.yaml +++ b/services/squareone/templates/deployment.yaml @@ -54,8 +54,6 @@ spec: - name: "next-image-cache" mountPath: "/app/.next/cache/images" automountServiceAccountToken: false - imagePullSecrets: - - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 From 7984d6125e22d929a7907a52d690a3c3eafef060 Mon Sep 17 00:00:00 2001 
From: adam Date: Tue, 19 Apr 2022 17:09:37 -0700 Subject: [PATCH 0423/1479] Fix up nublado2 definitions --- science-platform/templates/nublado2-application.yaml | 3 +++ services/exposurelog/values-minikube.yaml | 1 - services/exposurelog/values-tucson-teststand.yaml | 1 - services/nublado2/templates/vault-secrets.yaml | 6 +++--- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/science-platform/templates/nublado2-application.yaml b/science-platform/templates/nublado2-application.yaml index e6dae13b3f..96e4deb8fc 100644 --- a/science-platform/templates/nublado2-application.yaml +++ b/science-platform/templates/nublado2-application.yaml @@ -27,6 +27,9 @@ spec: valueFiles: - "values.yaml" - "values-{{ .Values.environment }}.yaml" + parameters: + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} ignoreDifferences: - group: "" kind: "Secret" diff --git a/services/exposurelog/values-minikube.yaml b/services/exposurelog/values-minikube.yaml index 70ee5f98f4..45d77ff9ce 100644 --- a/services/exposurelog/values-minikube.yaml +++ b/services/exposurelog/values-minikube.yaml @@ -1,3 +1,2 @@ config: site_id: minikube - diff --git a/services/exposurelog/values-tucson-teststand.yaml b/services/exposurelog/values-tucson-teststand.yaml index c0c9e0ef1f..d003906f49 100644 --- a/services/exposurelog/values-tucson-teststand.yaml +++ b/services/exposurelog/values-tucson-teststand.yaml @@ -6,4 +6,3 @@ config: # Note: exposurelog's Dockerfile copies the test repos to the top of the container butler_uri_1: LSSTCam butler_uri_2: LATISS - diff --git a/services/nublado2/templates/vault-secrets.yaml b/services/nublado2/templates/vault-secrets.yaml index bd31ebef68..962d6c1896 100644 --- a/services/nublado2/templates/vault-secrets.yaml +++ b/services/nublado2/templates/vault-secrets.yaml 
@@ -3,7 +3,7 @@ kind: VaultSecret metadata: name: "nublado2-secret" spec: - path: {{ .Values.vault_secret_path }} + path: "{{- .Values.global.vaultSecretsPath }}/nublado2" type: Opaque templates: @@ -27,7 +27,7 @@ kind: VaultSecret metadata: name: pull-secret labels: - {{- include "cachemachine.labels" . | nindent 4 }} + {{- include "nublado2.labels" . | nindent 4 }} spec: - path: "{{- .Values.pull_secret_path }}" + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" type: kubernetes.io/dockerconfigjson From ccc4ee2cc1cf149df6e355dd5f8705ce77e99159 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 22 Apr 2022 09:46:32 -0700 Subject: [PATCH 0424/1479] Move strimzi-registry-operator templates to shared charts space and symlink --- .../templates/deployment.yaml | 28 +++++++++++++++++++ .../templates/rbac.yaml | 0 services/argocd/values.yaml | 7 +++++ services/cachemachine/templates/ingress.yaml | 2 +- services/cachemachine/values.yaml | 15 ++++++++++ services/datalinker/values.yaml | 15 ++++++++++ services/exposurelog/values.yaml | 15 ++++++++++ services/moneypenny/values.yaml | 15 ++++++++++ services/narrativelog/values.yaml | 15 ++++++++++ services/nublado2/values.yaml | 8 ++++++ services/obstap/values.yaml | 15 ++++++++++ services/plot-navigator/values.yaml | 15 ++++++++++ services/postgres/values.yaml | 15 ++++++++++ services/sasquatch/values.yaml | 6 ++++ services/sherlock/values.yaml | 15 ++++++++++ services/strimzi-registry-operator/templates | 1 + .../templates/deployment.yaml | 28 ------------------- services/tap/values.yaml | 15 ++++++++++ 18 files changed, 201 insertions(+), 29 deletions(-) create mode 100644 charts/strimzi-registry-operator/templates/deployment.yaml rename {services => charts}/strimzi-registry-operator/templates/rbac.yaml (100%) create mode 120000 services/strimzi-registry-operator/templates delete mode 100644 services/strimzi-registry-operator/templates/deployment.yaml 
diff --git a/charts/strimzi-registry-operator/templates/deployment.yaml b/charts/strimzi-registry-operator/templates/deployment.yaml new file mode 100644 index 0000000000..b380a27918 --- /dev/null +++ b/charts/strimzi-registry-operator/templates/deployment.yaml @@ -0,0 +1,28 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: strimzi-registry-operator +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: strimzi-registry-operator + template: + metadata: + labels: + app: strimzi-registry-operator + spec: + serviceAccountName: strimzi-registry-operator + containers: + - name: operator + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: Always + env: + - name: SSR_CLUSTER_NAME + value: "{{ .Values.clusterName }}" + - name: SSR_NAMESPACE + value: "{{ .Values.watchNamespace }}" + command: ["kopf"] + args: ["run", "--standalone", "-m", "strimziregistryoperator.handlers", "--namespace", "{{ .Values.watchNamespace }}", "--verbose"] diff --git a/services/strimzi-registry-operator/templates/rbac.yaml b/charts/strimzi-registry-operator/templates/rbac.yaml similarity index 100% rename from services/strimzi-registry-operator/templates/rbac.yaml rename to charts/strimzi-registry-operator/templates/rbac.yaml diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml index 2356235024..ce16ba61dd 100644 --- a/services/argocd/values.yaml +++ b/services/argocd/values.yaml @@ -50,3 +50,10 @@ argo-cd: configs: secret: createSecret: false + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/cachemachine/templates/ingress.yaml b/services/cachemachine/templates/ingress.yaml index 2afc9c46b5..1e48a312e6 100644 --- a/services/cachemachine/templates/ingress.yaml +++ b/services/cachemachine/templates/ingress.yaml 
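Review bot: The relocated Deployment runs the operator with no pod or container `securityContext` and no resource requests, while the other charts touched in this series (mobu, semaphore, squareone) all set `runAsNonRoot: true` and a fixed `runAsUser`. A kopf operator carrying the RBAC from `rbac.yaml` is exactly the workload that should not run as root or be able to gain privileges if its image is compromised, and `imagePullPolicy: Always` with a mutable `.Values.image.tag` means the running binary can change under you on every restart. The move itself is behaviour-preserving so this is a follow-up, but since the file is being rewritten it is cheap; the uid below must match what the image actually runs as, and I left out `readOnlyRootFilesystem` because I cannot tell from here whether kopf writes to disk.
```yaml
    spec:
      serviceAccountName: strimzi-registry-operator
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000  # confirm against the image's USER
      containers:
        - name: operator
          # … unchanged: image, imagePullPolicy, env, command, args …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["all"]
```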
@@ -17,7 +17,7 @@ metadata: {{- include "cachemachine.labels" . | nindent 4 }} spec: rules: - - host: {{ required "ingress.host must be set" .Values.global.host | quote }} + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: "/cachemachine" diff --git a/services/cachemachine/values.yaml b/services/cachemachine/values.yaml index 13d871cb72..01ca34db0f 100644 --- a/services/cachemachine/values.yaml +++ b/services/cachemachine/values.yaml @@ -60,3 +60,18 @@ affinity: {} # pull, and the value is the JSON specification for which and how many images # to pull. autostart: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml index 50837c6341..c1c1ba476c 100644 --- a/services/datalinker/values.yaml +++ b/services/datalinker/values.yaml @@ -56,3 +56,18 @@ tolerations: [] # -- Affinity rules for the datalinker deployment pod affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/exposurelog/values.yaml b/services/exposurelog/values.yaml index 5a1fd0f02d..9d00f652ec 100644 --- a/services/exposurelog/values.yaml +++ b/services/exposurelog/values.yaml 
@@ -79,3 +79,18 @@ nodeSelector: {} tolerations: [] affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/moneypenny/values.yaml b/services/moneypenny/values.yaml index bbf019a4ad..316cd2092d 100644 --- a/services/moneypenny/values.yaml +++ b/services/moneypenny/values.yaml @@ -105,3 +105,18 @@ quips: | Moneypenny: Cut-throat razor. How very traditional. Bond: Well, I like to do some things the old-fashioned way. Moneypenny: Sometimes the old ways are best. + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/narrativelog/values.yaml b/services/narrativelog/values.yaml index cdcba93366..8db269a3aa 100644 --- a/services/narrativelog/values.yaml +++ b/services/narrativelog/values.yaml @@ -60,3 +60,18 @@ nodeSelector: {} tolerations: [] affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 9485bfdb56..29984b747a 100644 
--- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -479,3 +479,11 @@ vault_secret_path: "" # even with port 8081 explicitly enabled), so let's use our own for now. network_policy: enabled: true + + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/obstap/values.yaml b/services/obstap/values.yaml index f3f27895af..9ef70cbc14 100644 --- a/services/obstap/values.yaml +++ b/services/obstap/values.yaml @@ -113,3 +113,18 @@ uws: # -- Affinity rules for the UWS database pod affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/plot-navigator/values.yaml b/services/plot-navigator/values.yaml index f928496c32..9d6060a798 100644 --- a/services/plot-navigator/values.yaml +++ b/services/plot-navigator/values.yaml @@ -9,3 +9,18 @@ environment: {} ingress: gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=plotnavigator" annotations: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/postgres/values.yaml b/services/postgres/values.yaml index 9ff2396571..331ca1bb61 100644 --- a/services/postgres/values.yaml 
+++ b/services/postgres/values.yaml @@ -16,3 +16,18 @@ postgres_volume_size: '1Gi' # elsewhere 'standard' ... postgres_storage_class: 'standard' volume_name: '' + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 2ec8e7a5b0..459bc0619d 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -208,3 +208,9 @@ kafka-producers: Test # -- Namespace where the Test CSC is deployed. namespace: sasquatch +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/sherlock/values.yaml b/services/sherlock/values.yaml index 52fd7e3451..451cba66f2 100644 --- a/services/sherlock/values.yaml +++ b/services/sherlock/values.yaml @@ -65,3 +65,18 @@ serviceAccount: # -- URL to push status to via HTTP PUTs. publish_url: "" + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/strimzi-registry-operator/templates b/services/strimzi-registry-operator/templates new file mode 120000 index 0000000000..cf9ca9b452 --- /dev/null +++ b/services/strimzi-registry-operator/templates 
@@ -0,0 +1 @@ +../../charts/strimzi-registry-operator/templates \ No newline at end of file diff --git a/services/strimzi-registry-operator/templates/deployment.yaml b/services/strimzi-registry-operator/templates/deployment.yaml deleted file mode 100644 index d91eb17328..0000000000 --- a/services/strimzi-registry-operator/templates/deployment.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: strimzi-registry-operator -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: strimzi-registry-operator - template: - metadata: - labels: - app: strimzi-registry-operator - spec: - serviceAccountName: strimzi-registry-operator - containers: - - name: operator - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: Always - env: - - name: SSR_CLUSTER_NAME - value: "{{ .Values.clusterName }}" - - name: SSR_NAMESPACE - value: "{{ .Values.watchNamespace }}" - command: ["kopf"] - args: ["run", "--standalone", "-m", "strimziregistryoperator.handlers", "--namespace", "{{ .Values.watchNamespace }}", "--verbose"] diff --git a/services/tap/values.yaml b/services/tap/values.yaml index 06ca5ae1d7..da4f7f0166 100644 --- a/services/tap/values.yaml +++ b/services/tap/values.yaml @@ -139,3 +139,18 @@ uws: # -- Affinity rules for the UWS database pod affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From 2767f236213f7ccbcd372341a29d977ac39448c9 Mon Sep 17 00:00:00 2001 
From: adam Date: Thu, 28 Apr 2022 09:02:24 -0700 Subject: [PATCH 0425/1479] Undo argocd changes --- installer/install.sh | 1 - .../templates/argocd-application.yaml | 6 +- services/argocd/Chart.yaml | 3 + services/argocd/README.md | 35 ----------- .../{vault-secrets.yaml => vault-secret.yaml} | 4 +- services/argocd/values-base.yaml | 55 +++++++++++++++++ services/argocd/values-idfdev.yaml | 57 ++++++++++++++++++ services/argocd/values-idfint.yaml | 56 ++++++++++++++++++ services/argocd/values-idfprod.yaml | 56 ++++++++++++++++++ services/argocd/values-int.yaml | 55 +++++++++++++++++ services/argocd/values-minikube.yaml | 44 ++++++++++++++ services/argocd/values-roe.yaml | 49 +++++++++++++++ services/argocd/values-stable.yaml | 56 ++++++++++++++++++ services/argocd/values-summit.yaml | 56 ++++++++++++++++++ services/argocd/values-tucson-teststand.yaml | 55 +++++++++++++++++ services/argocd/values.yaml | 59 ------------------- services/cachemachine/README.md | 10 ++-- services/datalinker/README.md | 23 ++------ services/exposurelog/README.md | 8 +-- services/ingress-nginx/values-minikube.yaml | 1 + services/moneypenny/README.md | 15 +---- services/narrativelog/README.md | 14 +---- services/nublado2/README.md | 13 +++- services/obstap/README.md | 8 +-- services/plot-navigator/README.md | 8 +-- services/postgres/README.md | 10 ++-- services/sasquatch/README.md | 2 +- services/semaphore/README.md | 6 -- services/sherlock/README.md | 8 +-- services/squareone/README.md | 6 -- services/strimzi-registry-operator/README.md | 14 ++--- services/tap/README.md | 10 ++-- 32 files changed, 598 insertions(+), 205 deletions(-) delete mode 100644 services/argocd/README.md rename services/argocd/templates/{vault-secrets.yaml => vault-secret.yaml} (54%) delete mode 100644 services/argocd/values.yaml diff --git a/installer/install.sh b/installer/install.sh index 71f6c04eda..b16118bb53 100755 --- a/installer/install.sh +++ b/installer/install.sh 
@@ -45,7 +45,6 @@ echo "Update / install argocd using helm3..."
 helm dependency update ../services/argocd
 helm upgrade argocd ../services/argocd \
 --install \
- --values ../services/argocd/values.yaml \
 --values ../services/argocd/values-$ENVIRONMENT.yaml \
 --create-namespace \
 --namespace argocd \
diff --git a/science-platform/templates/argocd-application.yaml b/science-platform/templates/argocd-application.yaml
index 205af94ec6..ea9379a8f9 100644
--- a/science-platform/templates/argocd-application.yaml
+++ b/science-platform/templates/argocd-application.yaml
@@ -15,9 +15,5 @@ spec:
 repoURL: {{ .Values.repoURL }}
 targetRevision: {{ .Values.revision }}
 helm:
- parameters:
- - name: "global.vaultSecretsPath"
- value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
- - "values.yaml"
- - "values-{{ .Values.environment }}.yaml"
+ - values-{{ .Values.environment }}.yaml
diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml
index 83b04ace77..e2bfe9a7d0 100644
--- a/services/argocd/Chart.yaml
+++ b/services/argocd/Chart.yaml
@@ -5,3 +5,6 @@ dependencies:
 - name: argo-cd
 version: 4.5.12
 repository: https://argoproj.github.io/argo-helm
+- name: pull-secret
+ version: 0.1.2
+ repository: https://lsst-sqre.github.io/charts/
diff --git a/services/argocd/README.md b/services/argocd/README.md
deleted file mode 100644
index c7c3939e96..0000000000
--- a/services/argocd/README.md
+++ /dev/null
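Review bot: Dropping the `global.vaultSecretsPath` parameter from argocd-application.yaml means each chart now learns its Vault path only from `values-{{ .Values.environment }}.yaml`, and the Application no longer pins a single prefix per environment; every service values file (the argocd ones in this commit spell out `secret/k8s_operator/<host>/...` by hand) can drift independently, and a typo surfaces only as a VaultSecret that never materialises. If that trade-off is deliberate, a comment on the `valueFiles:` line such as `# Vault paths are set per service in values-<env>.yaml; there is no shared prefix` would keep the next reader from re-adding the parameter. The quoting on the old `- "values-{{ .Values.environment }}.yaml"` line was harmless and slightly safer against YAML-special environment names; I would keep it.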
@@ -1,35 +0,0 @@ -# argo-cd - -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) - -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.5.3 | -| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| argo-cd.configs.secret.createSecret | bool | `false` | | -| argo-cd.controller.metrics.applicationLabels.enabled | bool | `true` | | -| argo-cd.controller.metrics.applicationLabels.labels[0] | string | `"name"` | | -| argo-cd.controller.metrics.applicationLabels.labels[1] | string | `"instance"` | | -| argo-cd.controller.metrics.enabled | bool | `true` | | -| argo-cd.notifications.metrics.enabled | bool | `true` | | -| argo-cd.redis.enabled | bool | `true` | | -| argo-cd.redis.metrics.enabled | bool | `true` | | -| argo-cd.repoServer.metrics.enabled | bool | `true` | | -| argo-cd.server.config."helm.repositories" | string | `"- url: https://lsst-sqre.github.io/charts/\n name: lsst-sqre\n- url: https://ricoberger.github.io/helm-charts/\n name: ricoberger\n- url: https://kubernetes.github.io/ingress-nginx/\n name: ingress-nginx\n- url: https://charts.helm.sh/stable\n name: stable\n- url: https://strimzi.io/charts/\n name: strimzi\n"` | | -| argo-cd.server.extraArgs[0] | string | `"--basehref=/argo-cd"` | | -| argo-cd.server.extraArgs[1] | string | `"--insecure=true"` | | -| argo-cd.server.ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` | | -| argo-cd.server.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/$2"` | | -| argo-cd.server.ingress.enabled | bool | `true` | | -| argo-cd.server.ingress.paths[0] | string | `"/argo-cd(/|$)(.*)"` | | -| argo-cd.server.metrics.enabled | bool | `true` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs 
v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/services/argocd/templates/vault-secrets.yaml b/services/argocd/templates/vault-secret.yaml
similarity index 54%
rename from services/argocd/templates/vault-secrets.yaml
rename to services/argocd/templates/vault-secret.yaml
index 92bae63785..598154025d 100644
--- a/services/argocd/templates/vault-secrets.yaml
+++ b/services/argocd/templates/vault-secret.yaml
@@ -1,7 +1,9 @@
+{{ if .Values.vault_secret.enabled }}
 apiVersion: ricoberger.de/v1alpha1
 kind: VaultSecret
 metadata:
 name: argocd-secret
 spec:
- path: "{{ .Values.global.vaultSecretsPath }}/argocd"
+ path: {{ .Values.vault_secret.path }}
 type: Opaque
+{{ end }}
diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml
index 58f41ed40d..33cabea149 100644
--- a/services/argocd/values-base.yaml
+++ b/services/argocd/values-base.yaml
@@ -1,8 +1,40 @@ argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: + enabled: true hosts: - "base-lsp.lsst.codes" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" config: url: https://base-lsp.lsst.codes/argo-cd
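Review bot: The rewritten `path:` line in vault-secret.yaml drops the quoting the old line had, so `path: {{ .Values.vault_secret.path }}` renders a missing or empty value as YAML null and yields a VaultSecret with no path instead of a render failure, and a value containing `: ` or ` #` would be mis-parsed. With the chart's values.yaml deleted in this commit there is no default `vault_secret` block, so an environment file that omits it should make the new `{{ if .Values.vault_secret.enabled }}` guard fail with Helm's nil-pointer evaluation error rather than a clear message (every environment file in this commit does define it, so this is a latent rather than current problem). I would write `path: {{ required "vault_secret.path must be set" .Values.vault_secret.path | quote }}`, and either state in each values file that `vault_secret` is mandatory or write the guard as `{{ if (default dict .Values.vault_secret).enabled }}`.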
@@ -19,7 +51,30 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + - url: https://strimzi.io/charts/ + name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin + + configs: + secret: + createSecret: false + +vault_secret: + enabled: true + path: secret/k8s_operator/base-lsp.lsst.codes/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index fa5d270bb0..f91c296f4a 100644 --- a/services/argocd/values-idfdev.yaml +++ b/services/argocd/values-idfdev.yaml @@ -1,8 +1,41 @@ argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: + enabled: true hosts: - "data-dev.lsst.cloud" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + config: url: https://data-dev.lsst.cloud/argo-cd dex.config: | 
@@ -18,6 +51,17 @@ argo-cd: hostedDomains: - lsst.cloud redirectURI: https://data-dev.lsst.cloud/argo-cd/api/dex/callback + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + - url: https://strimzi.io/charts/ + name: strimzi rbacConfig: policy.csv: | @@ -33,3 +77,16 @@ argo-cd: g, loi@lsst.cloud, role:admin g, roby@lsst.cloud, role:admin scopes: "[email]" + + configs: + secret: + createSecret: false + +vault_secret: + enabled: true + path: secret/k8s_operator/data-dev.lsst.cloud/argocd + + +pull-secret: + enabled: true + path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml index 42eeeae01b..622a846e56 100644 --- a/services/argocd/values-idfint.yaml +++ b/services/argocd/values-idfint.yaml @@ -1,8 +1,41 @@ argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: + enabled: true hosts: - "data-int.lsst.cloud" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + config: url: https://data-int.lsst.cloud/argo-cd dex.config: | 
@@ -18,6 +51,17 @@ argo-cd: hostedDomains: - lsst.cloud redirectURI: https://data-int.lsst.cloud/argo-cd/api/dex/callback + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + - url: https://strimzi.io/charts/ + name: strimzi rbacConfig: policy.csv: | @@ -35,3 +79,15 @@ argo-cd: g, roby@lsst.cloud, role:admin g, fritzm@lsst.cloud, role:admin scopes: "[email]" + + configs: + secret: + createSecret: false + +vault_secret: + enabled: true + path: secret/k8s_operator/data-int.lsst.cloud/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/data-int.lsst.cloud/pull-secret diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml index b79c0fed99..d5f4af6e30 100644 --- a/services/argocd/values-idfprod.yaml +++ b/services/argocd/values-idfprod.yaml @@ -1,8 +1,41 @@ argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: + enabled: true hosts: - "data.lsst.cloud" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + config: url: https://data.lsst.cloud/argo-cd dex.config: | 
@@ -18,6 +51,17 @@ argo-cd: hostedDomains: - lsst.cloud redirectURI: https://data.lsst.cloud/argo-cd/api/dex/callback + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + - url: https://strimzi.io/charts/ + name: strimzi rbacConfig: policy.csv: | @@ -33,3 +77,15 @@ argo-cd: g, loi@lsst.cloud, role:admin g, roby@lsst.cloud, role:admin scopes: "[email]" + + configs: + secret: + createSecret: false + +vault_secret: + enabled: true + path: secret/k8s_operator/data.lsst.cloud/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/data.lsst.cloud/pull-secret diff --git a/services/argocd/values-int.yaml b/services/argocd/values-int.yaml index c70393d382..e27a97f19b 100644 --- a/services/argocd/values-int.yaml +++ b/services/argocd/values-int.yaml @@ -1,8 +1,40 @@ argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true server: + metrics: + enabled: true ingress: + enabled: true hosts: - "lsst-lsp-int.ncsa.illinois.edu" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + config: url: https://lsst-lsp-int.ncsa.illinois.edu/argo-cd dex.config: | 
@@ -18,7 +50,30 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + - url: https://strimzi.io/charts/ + name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin + + configs: + secret: + createSecret: false + +vault_secret: + enabled: true + path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret diff --git a/services/argocd/values-minikube.yaml b/services/argocd/values-minikube.yaml index 8e019290aa..d5340f0bf2 100644 --- a/services/argocd/values-minikube.yaml +++ b/services/argocd/values-minikube.yaml @@ -2,10 +2,42 @@ argo-cd: controller: args: repoServerTimeoutSeconds: "180" + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + redis: + enabled: true + metrics: + enabled: true + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: + enabled: true hosts: - "minikube.lsst.codes" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + config: helm.repositories: | - url: https://lsst-sqre.github.io/charts/ @@ -18,3 +50,15 @@ argo-cd: name: stable - url: https://strimzi.io/charts/ name: strimzi + + configs: + secret: + createSecret: false + +vault_secret: + enabled: true + path: secret/k8s_operator/minikube.lsst.codes/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/minikube.lsst.codes/pull-secret 
diff --git a/services/argocd/values-roe.yaml b/services/argocd/values-roe.yaml index a1fbe5ffc2..d566c2326b 100644 --- a/services/argocd/values-roe.yaml +++ b/services/argocd/values-roe.yaml @@ -1,7 +1,56 @@ argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: + enabled: true hosts: - "rsp.lsst.ac.uk" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + config: url: https://rsp.lsst.ac.uk/argo-cd + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable +pull-secret: + enabled: true + path: secret/k8s_operator/roe/pull-secret + +vault_secret: + enabled: true + path: secret/k8s_operator/roe/argocd diff --git a/services/argocd/values-stable.yaml b/services/argocd/values-stable.yaml index 8da1b8041b..6ac6dfc7d6 100644 --- a/services/argocd/values-stable.yaml +++ b/services/argocd/values-stable.yaml 
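Review bot: values-roe.yaml is the only environment file in this commit without a `dex.config` or `rbacConfig` block, so Argo CD at rsp.lsst.ac.uk presumably falls back to the built-in `admin` account held in `argocd-secret` with no SSO and no RBAC policy; the old version of the file had neither, so this is pre-existing, but the commit copies the shared ingress and `--insecure=true` setup into the file without recording why this environment differs. If local admin is intended, a one-line comment under `config:` such as `# No SSO configured for this environment; access is via the admin account in argocd-secret` would make that explicit to the next reader. The `helm.repositories` list here also omits `strimzi`, unlike every other environment; fine if nothing Kafka-based is deployed there, but worth the same kind of comment.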
@@ -1,8 +1,41 @@ argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: + enabled: true hosts: - "lsst-lsp-stable.ncsa.illinois.edu" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + config: url: https://lsst-lsp-stable.ncsa.illinois.edu/argo-cd dex.config: | @@ -18,7 +51,30 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + - url: https://strimzi.io/charts/ + name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin + + configs: + secret: + createSecret: false + +vault_secret: + enabled: true + path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret diff --git a/services/argocd/values-summit.yaml b/services/argocd/values-summit.yaml index df13771dda..837c1918ec 100644 --- a/services/argocd/values-summit.yaml +++ b/services/argocd/values-summit.yaml 
@@ -1,8 +1,41 @@ argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: + enabled: true hosts: - "summit-lsp.lsst.codes" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + config: url: https://summit-lsp.lsst.codes/argo-cd dex.config: | @@ -18,7 +51,30 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + - url: https://strimzi.io/charts/ + name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin + + configs: + secret: + createSecret: false + +vault_secret: + enabled: true + path: secret/k8s_operator/summit-lsp.lsst.codes/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret diff --git a/services/argocd/values-tucson-teststand.yaml b/services/argocd/values-tucson-teststand.yaml index cc6baf8cc9..d467e06f8f 100644 --- a/services/argocd/values-tucson-teststand.yaml +++ b/services/argocd/values-tucson-teststand.yaml 
@@ -1,8 +1,40 @@ argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + server: + metrics: + enabled: true ingress: + enabled: true hosts: - "tucson-teststand.lsst.codes" + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" config: url: https://tucson-teststand.lsst.codes/argo-cd @@ -19,7 +51,30 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + - url: https://strimzi.io/charts/ + name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin + + configs: + secret: + createSecret: false + +vault_secret: + enabled: true + path: secret/k8s_operator/tucson-teststand.lsst.codes/argocd + +pull-secret: + enabled: true + path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml deleted file mode 100644 index ce16ba61dd..0000000000 --- a/services/argocd/values.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - - server: - metrics: - enabled: true - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - - config: - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi - - configs: - secret: - createSecret: false - -# The following will be set by parameters injected by Argo CD and should not -# be set in the individual environment values files. -global: - # -- Base path for Vault secrets - # @default -- Set by Argo CD - vaultSecretsPath: "" diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md index 79063f7541..5565cfde52 100644 --- a/services/cachemachine/README.md +++ b/services/cachemachine/README.md 
@@ -9,23 +9,21 @@ Service to prepull Docker images for the Science Platform | affinity | object | `{}` | Affinity rules for the cachemachine frontend pod | | autostart | object | `{}` | Autostart configuration. Each key is the name of a class of images to pull, and the value is the JSON specification for which and how many images to pull. | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the cachemachine image | | image.repository | string | `"lsstsqre/cachemachine"` | cachemachine image to use | | image.tag | string | The appVersion of the chart | Tag of cachemachine image to use | -| imagePullSecrets | list | `[{"name":"cachemachine-secret"}]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations to add for endpoints that are authenticated. | | ingress.anonymousAnnotations | object | `{}` | Additional annotations to add for endpoints that allow anonymous access, such as `/*/available`. | -| ingress.enabled | bool | `true` | Whether to create an ingress | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string | -| ingress.host | string | None, must be set if the ingress is enabled | Hostname for the ingress | | ingress.tls | list | `[]` | Configures TLS for the ingress if needed. If multiple ingresses share the same hostname, only one of them needs a TLS configuration. 
| | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the cachemachine frontend pod | | podAnnotations | object | `{}` | Annotations for the cachemachine frontend pod | | resources | object | `{}` | Resource limits and requests for the cachemachine frontend pod | -| service.port | int | `80` | Port of the service to create and map to the ingress | -| service.type | string | `"ClusterIP"` | Type of service to create | +| serviceAccount | object | `{"annotations":{},"name":""}` | Secret names to use for all Docker pulls | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the cachemachine frontend pod | -| vaultSecretsPath | string | None, must be set | Path to the Vault secret containing the Docker credentials | diff --git a/services/datalinker/README.md b/services/datalinker/README.md index b437479c17..f367f9865d 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md @@ -1,15 +1,7 @@ # datalinker -![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - A Helm chart for Kubernetes -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| cbanek | | | - ## Values | Key | Type | Default | Description | 
@@ -20,24 +12,17 @@ A Helm chart for Kubernetes | autoscaling.minReplicas | int | `1` | Minimum number of datalinker deployment pods | | autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of datalinker deployment pods | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"Always"` | Pull policy for the datalinker image | | image.repository | string | `"lsstsqre/datalinker"` | Image to use in the datalinker deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | -| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| ingress.enabled | bool | `true` | Create an ingress resource | -| ingress.gafaelfawrAuthQuery | string | `""` | Gafaelfawr Auth Query string (default, unauthenticated) gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" | -| ingress.host | string | `""` | Hostname of the deployment to run behind | -| ingress.path | string | `"/api/datalink"` | URL path to dispatch to the datalinker deployment pod | -| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule | +| ingress.gafaelfawrAuthQuery | string | `""` | Gafaelfawr auth query string (default, unauthenticated) | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the datalinker deployment pod | | podAnnotations | object | `{}` | Annotations for the datalinker deployment pod | | replicaCount | int | `1` | Number of web deployment pods to start | | resources | object | 
`{}` | Resource limits and requests for the datalinker deployment pod | -| service.port | int | `8080` | Port of the service to create and map to the ingress | -| service.type | string | `"ClusterIP"` | Type of service to create | | tolerations | list | `[]` | Tolerations for the datalinker deployment pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index eb661fbd1d..8a9c09ccea 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -1,7 +1,5 @@ # exposurelog -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.9.2](https://img.shields.io/badge/AppVersion-0.9.2-informational?style=flat-square) - Exposure log service ## Values @@ -21,6 +19,9 @@ Exposure log service | config.nfs_server_2 | string | `""` | | | config.site_id | string | `""` | | | fullnameOverride | string | `""` | | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"Always"` | | | image.repository | string | `"lsstsqre/exposurelog"` | | | image.tag | string | `""` | | @@ -33,6 +34,3 @@ Exposure log service | resources | object | `{}` | | | securityContext | object | `{}` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/ingress-nginx/values-minikube.yaml b/services/ingress-nginx/values-minikube.yaml index 12a577469f..a5453ebc46 100644 
--- a/services/ingress-nginx/values-minikube.yaml +++ b/services/ingress-nginx/values-minikube.yaml @@ -1,6 +1,7 @@ ingress-nginx: controller: service: + externalTrafficPolicy: null type: ClusterIP hostNetwork: true dnsPolicy: ClusterFirstWithHostNet diff --git a/services/moneypenny/README.md b/services/moneypenny/README.md index 3c1df24aa6..2091cd7266 100644 --- a/services/moneypenny/README.md +++ b/services/moneypenny/README.md @@ -1,22 +1,16 @@ # moneypenny -![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - User provisioning actions for the Science Platform -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| athornton | | | -| rra | | | - ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity rules for the vo-cutouts frontend pod | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the moneypenny image | | image.repository | string | `"lsstsqre/moneypenny"` | moneypenny image to use | | image.tag | string | The appVersion of the chart | Tag of moneypenny image to use | 
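Review bot: `externalTrafficPolicy: null` relies on Helm treating a null value as "delete the upstream chart's key", and a reader of this file cannot see why that is wanted; presumably it is because the field is not accepted on a `ClusterIP` service, which is the `type` set on the next line. Record that intent at the key so nobody later "fixes" it to a real value: `# null removes the upstream chart's default; the field is rejected on a ClusterIP service`.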
@@ -33,6 +27,3 @@ User provisioning actions for the Science Platform | resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod | | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index 35bf52283b..a96ba1098d 100644 --- a/services/narrativelog/README.md +++ b/services/narrativelog/README.md @@ -1,15 +1,7 @@ # narrativelog -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.1](https://img.shields.io/badge/AppVersion-0.2.1-informational?style=flat-square) - Narrative log service -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| r-owen | | | - ## Values | Key | Type | Default | Description | @@ -21,6 +13,9 @@ Narrative log service | autoscaling.targetCPUUtilizationPercentage | int | `80` | | | config.site_id | string | `""` | | | fullnameOverride | string | `""` | | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"Always"` | | | image.repository | string | `"lsstsqre/narrativelog"` | | | image.tag | string | `""` | | 
@@ -33,6 +28,3 @@ Narrative log service | resources | object | `{}` | | | securityContext | object | `{}` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 5de714c4f2..fab98bcfab 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -1,9 +1,17 @@ # nublado2 +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![AppVersion: 2.3.0](https://img.shields.io/badge/AppVersion-2.3.0-informational?style=flat-square) + Nublado2 JupyterHub installation **Homepage:** +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| cbanek | | | + ## Source Code * @@ -15,7 +23,6 @@ Kubernetes: `>=1.20.0-0` | Repository | Name | Version | |------------|------|---------| | https://jupyterhub.github.io/helm-chart/ | jupyterhub | 1.1.3-n474.h8d0a7616 | -| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | ## Values @@ -39,6 +46,7 @@ Kubernetes: `>=1.20.0-0` | config.user_resources_template | string | See `values.yaml` | Templates for the user resources to create for each lab spawn. This is a string that can be templated and then loaded as YAML to generate a list of Kubernetes objects to create. | | config.volume_mounts | list | `[]` | | | config.volumes | list | `[]` | | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | jupyterhub.cull.enabled | bool | `true` | | | jupyterhub.cull.every | int | `600` | | | jupyterhub.cull.maxAge | int | `5184000` | | 
@@ -147,3 +155,6 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.singleuser.storage.type | string | `"none"` | | | network_policy.enabled | bool | `true` | | | vault_secret_path | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/obstap/README.md b/services/obstap/README.md index a57162074a..03e372869f 100644 --- a/services/obstap/README.md +++ b/services/obstap/README.md @@ -1,7 +1,5 @@ # cadc-tap-postgres -![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![AppVersion: 1.1](https://img.shields.io/badge/AppVersion-1.1-informational?style=flat-square) - CADC TAP PostgresSQL service, used for ObsTAP **Homepage:** @@ -22,6 +20,9 @@ CADC TAP PostgresSQL service, used for ObsTAP | db.resources | object | `{}` | Resource limits and requests for the database pod | | db.tolerations | list | `[]` | Tolerations for the database pod | | fullnameOverride | string | `"obstap"` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tap image | | image.repository | string | `"lsstdax/tap-postgres-server"` | tap-postgres image to use | | image.tag | string | The appVersion of the chart | Tag of tap image to use | 
@@ -42,6 +43,3 @@ CADC TAP PostgresSQL service, used for ObsTAP | uws.podAnnotations | object | `{}` | Annotations for the UWS databse pod | | uws.resources | object | `{}` | Resource limits and requests for the UWS database pod | | uws.tolerations | list | `[]` | Tolerations for the UWS database pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/plot-navigator/README.md b/services/plot-navigator/README.md index 7d63b0eaa1..c3b99f298a 100644 --- a/services/plot-navigator/README.md +++ b/services/plot-navigator/README.md @@ -1,7 +1,5 @@ # plot-navigator -![Version: 1.6.1](https://img.shields.io/badge/Version-1.6.1-informational?style=flat-square) ![AppVersion: 0.6.1](https://img.shields.io/badge/AppVersion-0.6.1-informational?style=flat-square) - Panel-based plot viewer. ## Values @@ -9,10 +7,10 @@ Panel-based plot viewer. | Key | Type | Default | Description | |-----|------|---------|-------------| | environment | object | `{}` | | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.repository | string | `"lsstdm/pipetask-plot-navigator"` | | | image.tag | string | `""` | | | ingress.annotations | object | `{}` | | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=plotnavigator"` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/postgres/README.md b/services/postgres/README.md index 1a2f69abd8..98eb00fcf9 100644 --- a/services/postgres/README.md +++ b/services/postgres/README.md 
@@ -1,7 +1,5 @@ # postgres -![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square) - Postgres RDBMS for LSP **Homepage:** @@ -11,11 +9,11 @@ Postgres RDBMS for LSP | Key | Type | Default | Description | |-----|------|---------|-------------| | debug | string | `""` | | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.repository | string | `"lsstsqre/lsp-postgres"` | | | image.tag | string | `"latest"` | | -| postgres_storage_class | string | `"fast"` | | +| postgres_storage_class | string | `"standard"` | | | postgres_volume_size | string | `"1Gi"` | | | volume_name | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 5a92544b0e..799960fab9 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -34,6 +34,7 @@ Rubin Observatory's telemetry service. | csc.namespace | string | `"sasquatch"` | Namespace where the Test CSC is deployed. | | csc.osplVersion | string | `"V6.10.4"` | DDS OpenSplice version. | | csc.useExternalConfig | bool | `false` | Wether to use an external configuration for DDS OpenSplice. | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"900s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | @@ -75,4 +76,3 @@ Rubin Observatory's telemetry service. | telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"sasquatch"}}}` | Telegraf password. | | telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. | | telegraf.service.enabled | bool | `false` | Telegraf service. | -| vaultSecretsPath | string | None, must be set | Path to the Vault secrets (`secret/k8s_operator//sasquatch`) | diff --git a/services/semaphore/README.md b/services/semaphore/README.md index 9ed939c52a..ea3233aef9 100644 --- a/services/semaphore/README.md +++ b/services/semaphore/README.md 
@@ -6,12 +6,6 @@ Semaphore is the user notification and messaging service for the Rubin Science P * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | - ## Values | Key | Type | Default | Description | diff --git a/services/sherlock/README.md b/services/sherlock/README.md index 7ff2cb0513..d1a2d63f3a 100644 --- a/services/sherlock/README.md +++ b/services/sherlock/README.md @@ -1,7 +1,5 @@ # sherlock -![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.7](https://img.shields.io/badge/AppVersion-0.1.7-informational?style=flat-square) - A Helm chart for Kubernetes ## Values @@ -14,6 +12,9 @@ A Helm chart for Kubernetes | autoscaling.minReplicas | int | `1` | Minimum number of sherlock deployment pods | | autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of sherlock deployment pods | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"Always"` | Pull policy for the sherlock image | | image.repository | string | `"lsstsqre/sherlock"` | Image to use in the sherlock deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | 
@@ -28,6 +29,3 @@ A Helm chart for Kubernetes | resources | object | `{}` | Resource limits and requests for the sherlock deployment pod | | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | Tolerations for the sherlock deployment pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/squareone/README.md b/services/squareone/README.md index 4c2e76d6c7..907219d8ac 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -8,12 +8,6 @@ Squareone is the homepage UI for the Rubin Science Platform. * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | - ## Values | Key | Type | Default | Description | diff --git a/services/strimzi-registry-operator/README.md b/services/strimzi-registry-operator/README.md index 102d0e9aa3..2df24ab938 100644 --- a/services/strimzi-registry-operator/README.md +++ b/services/strimzi-registry-operator/README.md 
@@ -1,19 +1,13 @@ # strimzi-registry-operator -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - Operator to create and manage Schema Registry on Strimzi -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| swnelson | | | - ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| clusterName | string | `"alert-broker"` | | | image.repository | string | `"lsstsqre/strimzi-registry-operator"` | The repository for the container with the operator application | -| image.tag | string | `"build"` | The tag of the operator container to deploy | - +| image.tag | string | `"0.4.1"` | The tag of the operator container to deploy | +| operatorNamespace | string | `"strimzi-registry-operator"` | | +| watchNamespace | string | `"strimzi"` | | diff --git a/services/tap/README.md b/services/tap/README.md index 687012ffc6..2b651feb39 100644 --- a/services/tap/README.md +++ b/services/tap/README.md @@ -1,7 +1,5 @@ # cadc-tap -![Version: 1.0.6](https://img.shields.io/badge/Version-1.0.6-informational?style=flat-square) ![AppVersion: 1.1.2](https://img.shields.io/badge/AppVersion-1.1.2-informational?style=flat-square) - A Helm chart for the CADC TAP service **Homepage:** 
@@ -17,7 +15,10 @@ A Helm chart for the CADC TAP service | config.gcsBucketUrl | string | None, must be set | Base URL for results stored in GCS bucket | | config.jvmMaxHeapSize | string | `"4G"` | Java heap size, which will set the maximum size of the heap. Otherwise Java would determine it based on how much memory is available and black maths. | | config.tapSchemaAddress | string | `"tap-schema-db.tap-schema.svc.cluster.local:3306"` | Address to a MySQL database containing TAP schema data | -| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| fullnameOverride | string | `"cadc-tap"` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tap image | | image.repository | string | `"lsstdax/lsst-tap-service"` | tap image to use | | image.tag | string | The appVersion of the chart | Tag of tap image to use | @@ -49,6 +50,3 @@ A Helm chart for the CADC TAP service | uws.resources | object | `{}` | Resource limits and requests for the UWS database pod | | uws.tolerations | list | `[]` | Tolerations for the UWS database pod | | vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//tap`, for example) | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) From 2f09ee1b7982a06a1c7fc0c8d8c15d96738adb61 Mon Sep 17 00:00:00 2001 
From: adam Date: Tue, 10 May 2022 10:44:42 -0700 Subject: [PATCH 0426/1479] enable strimzi/strimzi-registry-operator on minikube to test deployment --- science-platform/values-minikube.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index 9a2416ef43..a0ab175257 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml @@ -47,9 +47,9 @@ squareone: squash_api: enabled: false strimzi: - enabled: false + enabled: true strimzi_registry_operator: - enabled: false + enabled: true tap: enabled: true tap_schema: From 5fd2d03f1c493d5d39b65f8f27a32397ade18a2d Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 10 May 2022 15:01:07 -0700 Subject: [PATCH 0427/1479] Go back to master's strimzi-registry-operator WIP --- science-platform/values-minikube.yaml | 4 +- services/strimzi-registry-operator/Chart.yaml | 8 ++-- services/strimzi-registry-operator/README.md | 13 ------ .../crds/registry.yaml | 41 ------------------- services/strimzi-registry-operator/templates | 1 - .../values-minikube.yaml | 0 .../strimzi-registry-operator/values.yaml | 11 ----- 7 files changed, 7 insertions(+), 71 deletions(-) delete mode 100644 services/strimzi-registry-operator/README.md delete mode 100644 services/strimzi-registry-operator/crds/registry.yaml delete mode 120000 services/strimzi-registry-operator/templates delete mode 100644 services/strimzi-registry-operator/values-minikube.yaml delete mode 100644 services/strimzi-registry-operator/values.yaml diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index a0ab175257..9a2416ef43 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml @@ -47,9 +47,9 @@ squareone: squash_api: enabled: false strimzi: - enabled: true + enabled: false strimzi_registry_operator: - enabled: true + enabled: false tap: enabled: true tap_schema: 
diff --git a/services/strimzi-registry-operator/Chart.yaml b/services/strimzi-registry-operator/Chart.yaml index 108c76d586..dd0580fbc8 100644 --- a/services/strimzi-registry-operator/Chart.yaml +++ b/services/strimzi-registry-operator/Chart.yaml @@ -1,5 +1,7 @@ apiVersion: v2 name: strimzi-registry-operator -version: 1.2.0 -description: Operator to create and manage Schema Registry on Strimzi -appVersion: 0.4.1 +version: 1.1.0 +dependencies: + - name: strimzi-registry-operator + version: 1.2.0 + repository: https://lsst-sqre.github.io/charts/ diff --git a/services/strimzi-registry-operator/README.md b/services/strimzi-registry-operator/README.md deleted file mode 100644 index 2df24ab938..0000000000 --- a/services/strimzi-registry-operator/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# strimzi-registry-operator - -Operator to create and manage Schema Registry on Strimzi - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| clusterName | string | `"alert-broker"` | | -| image.repository | string | `"lsstsqre/strimzi-registry-operator"` | The repository for the container with the operator application | -| image.tag | string | `"0.4.1"` | The tag of the operator container to deploy | -| operatorNamespace | string | `"strimzi-registry-operator"` | | -| watchNamespace | string | `"strimzi"` | | diff --git a/services/strimzi-registry-operator/crds/registry.yaml b/services/strimzi-registry-operator/crds/registry.yaml deleted file mode 100644 index 6e2ce758a3..0000000000 --- a/services/strimzi-registry-operator/crds/registry.yaml +++ /dev/null 
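Review bot: The rewritten Chart.yaml drops the `description` field that the replaced lines carried, and the wrapper chart's own `version` goes from 1.2.0 back to 1.1.0 while it now pins the upstream `strimzi-registry-operator` dependency at 1.2.0. The commit message says this restores master's state, so the lower version may be intended, but a chart whose version moves backwards can confuse tooling that compares published versions. Keep `description: Operator to create and manage Schema Registry on Strimzi` on the wrapper so `helm show chart` and generated docs still explain what the service is.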
@@ -1,41 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: strimzischemaregistries.roundtable.lsst.codes -spec: - scope: Namespaced - group: roundtable.lsst.codes - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - description: >- - StrimziSchemaRegistry represents a desired Schema Registry instance - type: object - properties: - spec: - type: object - description: >- - The specification of the Schema Registry instance. - properties: - strimzi-version: - type: string - default: "v1beta2" - description: >- - The version of the Strimzi Custom Resource API to use. The - correct value depends on the deployed version of Strimzi. - listener: - type: string - default: "internal" - description: >- - The name of the Kafka listener to use to connect. - - names: - kind: StrimziSchemaRegistry - plural: strimzischemaregistries - singular: strimzischemaregistry - shortNames: - - ssrs - - ssr diff --git a/services/strimzi-registry-operator/templates b/services/strimzi-registry-operator/templates deleted file mode 120000 index cf9ca9b452..0000000000 --- a/services/strimzi-registry-operator/templates +++ /dev/null @@ -1 +0,0 @@ -../../charts/strimzi-registry-operator/templates \ No newline at end of file diff --git a/services/strimzi-registry-operator/values-minikube.yaml b/services/strimzi-registry-operator/values-minikube.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/services/strimzi-registry-operator/values.yaml b/services/strimzi-registry-operator/values.yaml deleted file mode 100644 index 22ba3f5799..0000000000 --- a/services/strimzi-registry-operator/values.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -image: - # -- The repository for the container with the operator application - repository: lsstsqre/strimzi-registry-operator - # -- The tag of the operator container to deploy - tag: 0.4.1 - -clusterName: alert-broker - -watchNamespace: strimzi - -operatorNamespace: strimzi-registry-operator From b67d61991fb98d9bb1fd23bc8f3872449f6a6a52 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 11 May 2022 13:50:00 -0700 Subject: [PATCH 0428/1479] address review comments --- .../templates/deployment.yaml | 28 ---------- .../templates/rbac.yaml | 54 ------------------- services/datalinker/templates/ingress.yaml | 2 +- services/obstap/Chart.yaml | 2 +- .../templates/tap-ingress-anonymous.yaml | 16 +----- services/plot-navigator/README.md | 8 +-- services/plot-navigator/values.yaml | 6 ++- 7 files changed, 11 insertions(+), 105 deletions(-) delete mode 100644 charts/strimzi-registry-operator/templates/deployment.yaml delete mode 100644 charts/strimzi-registry-operator/templates/rbac.yaml diff --git a/charts/strimzi-registry-operator/templates/deployment.yaml b/charts/strimzi-registry-operator/templates/deployment.yaml deleted file mode 100644 index b380a27918..0000000000 --- a/charts/strimzi-registry-operator/templates/deployment.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: strimzi-registry-operator -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: strimzi-registry-operator - template: - metadata: - labels: - app: strimzi-registry-operator - spec: - serviceAccountName: strimzi-registry-operator - containers: - - name: operator - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: Always - env: - - name: SSR_CLUSTER_NAME - value: "{{ .Values.clusterName }}" - - name: SSR_NAMESPACE - value: "{{ .Values.watchNamespace }}" - command: ["kopf"] - args: ["run", "--standalone", "-m", "strimziregistryoperator.handlers", "--namespace", "{{ .Values.watchNamespace }}", "--verbose"] diff --git a/charts/strimzi-registry-operator/templates/rbac.yaml b/charts/strimzi-registry-operator/templates/rbac.yaml deleted file mode 100644 index ae67365f87..0000000000 --- a/charts/strimzi-registry-operator/templates/rbac.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: strimzi-registry-operator ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: strimzi-registry-operator -rules: - - apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [list, get] - - # Kopf: posting the events about the handlers progress/errors. - - apiGroups: [events.k8s.io] - resources: [events] - verbs: [create] - - apiGroups: [""] - resources: [events] - verbs: [create] - - # Application: watching & handling for the custom resource we declare. - - apiGroups: [roundtable.lsst.codes] - resources: [strimzischemaregistries] - verbs: [get, list, watch, patch] - - # Access to the built-in resources the operator manages - - apiGroups: [""] - resources: [secrets, configmaps, services] - verbs: [get, list, watch, patch, create] - - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: [get, list, watch, patch, create] - - # Access to the KafkaUser resource - - apiGroups: [kafka.strimzi.io] - resources: [kafkausers, kafkas] - verbs: [list, get] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: strimzi-registry-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: strimzi-registry-operator -subjects: - - kind: ServiceAccount - name: strimzi-registry-operator - namespace: {{ .Values.operatorNamespace }} diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml index 37c6d78fa1..d5dbe92873 100644 --- a/services/datalinker/templates/ingress.yaml +++ b/services/datalinker/templates/ingress.yaml @@ -22,7 +22,7 @@ spec: http: paths: - path: "/api/datalink" - pathType: ImplementationSpecific + pathType: Prefix backend: service: name: {{ $fullName }} diff --git a/services/obstap/Chart.yaml b/services/obstap/Chart.yaml index adc5f9a369..93a098e7ee 100644 --- a/services/obstap/Chart.yaml +++ b/services/obstap/Chart.yaml 
@@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v2 appVersion: "1.1" description: CADC TAP PostgresSQL service, used for ObsTAP home: https://github.com/lsst-sqre/tap-postgres diff --git a/services/obstap/templates/tap-ingress-anonymous.yaml b/services/obstap/templates/tap-ingress-anonymous.yaml index f8a4c65fd5..0408231c9a 100644 --- a/services/obstap/templates/tap-ingress-anonymous.yaml +++ b/services/obstap/templates/tap-ingress-anonymous.yaml @@ -22,21 +22,7 @@ spec: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: "/api/obstap/(availability)" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ template "cadc-tap-postgres.fullname" . }} - port: - number: 80 - - path: "/api/obstap/(capabilities)" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ template "cadc-tap-postgres.fullname" . }} - port: - number: 80 - - path: "/api/obstap/(swagger-ui.*)" + - path: "/api/obstap/(availability|capabilities|swagger-ui.*)" pathType: "ImplementationSpecific" backend: service: diff --git a/services/plot-navigator/README.md b/services/plot-navigator/README.md index c3b99f298a..1b7abe06c6 100644 --- a/services/plot-navigator/README.md +++ b/services/plot-navigator/README.md 
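Review bot: The consolidated regex on the new `- path:` line is still open-ended on the right, so if this host is served by ingress-nginx (whose regex locations are not end-anchored) any request whose path merely begins with `/api/obstap/availability` or `/api/obstap/capabilities` is routed through this anonymous Ingress instead of the authenticated one. Closing the alternation keeps the three intended endpoints and nothing else: `- path: "/api/obstap/(availability|capabilities|swagger-ui.*)$"` (use `/?$` if a trailing slash must still be accepted). The three per-path entries this replaces had the same gap, so it is carried forward rather than introduced here. The Ingress metadata, where the controller's regex annotation would live, starts above this hunk.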
@@ -6,11 +6,11 @@ Panel-based plot viewer. | Key | Type | Default | Description | |-----|------|---------|-------------| -| environment | object | `{}` | | +| environment | object | `{}` | Environment variables (e.g. butler configuration/auth parms) for panel | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| image.repository | string | `"lsstdm/pipetask-plot-navigator"` | | +| image.repository | string | `"lsstdm/pipetask-plot-navigator"` | plot-navigator image to use | | image.tag | string | `""` | | -| ingress.annotations | object | `{}` | | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=plotnavigator"` | | +| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | +| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=plotnavigator"` | Gafaelfawr auth query string | diff --git a/services/plot-navigator/values.yaml b/services/plot-navigator/values.yaml index 9d6060a798..4498fd0bf4 100644 --- a/services/plot-navigator/values.yaml +++ b/services/plot-navigator/values.yaml @@ -1,13 +1,15 @@ image: + # -- plot-navigator image to use repository: lsstdm/pipetask-plot-navigator tag: "" -# Environment variables to be passed to panel. -# e.g. butler configuration and auth params. +# -- Environment variables (e.g. butler configuration/auth parms) for panel environment: {} ingress: + # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=plotnavigator" + # -- Additional annotations to add to the ingress annotations: {} # The following will be set by parameters injected by Argo CD and should not From 2082be80d8f36a62c735254fb327238327e87bfe Mon Sep 17 00:00:00 2001 
From: adam Date: Thu, 12 May 2022 12:14:29 -0700 Subject: [PATCH 0429/1479] Address review commentary --- .../templates/postgres-application.yaml | 4 -- .../templates/serviceaccount.yaml | 2 - services/exposurelog/README.md | 53 ++++++++-------- services/exposurelog/values.yaml | 60 +++++++++++++++---- services/moneypenny/templates/ingress.yaml | 10 ---- .../moneypenny/templates/serviceaccount.yaml | 2 - services/narrativelog/README.md | 41 +++++++------ services/narrativelog/values.yaml | 32 ++++++++-- .../plot-navigator/templates/deployment.yaml | 5 +- .../plot-navigator/templates/ingress.yaml | 1 - services/postgres/Chart.yaml | 6 +- services/postgres/README.md | 12 ++-- services/postgres/templates/_helpers.tpl | 14 +++++ services/postgres/templates/deployment.yaml | 8 +-- services/postgres/templates/physpvc.yaml | 13 ++-- services/postgres/templates/service.yaml | 1 + services/postgres/values-base.yaml | 22 +++---- services/postgres/values-idfdev.yaml | 8 +-- services/postgres/values-idfint.yaml | 6 +- services/postgres/values-idfprod.yaml | 6 +- services/postgres/values-int.yaml | 14 ++--- services/postgres/values-minikube.yaml | 20 +++---- services/postgres/values-roe.yaml | 12 ++-- services/postgres/values-stable.yaml | 14 ++--- services/postgres/values-summit.yaml | 18 +++--- .../postgres/values-tucson-teststand.yaml | 18 +++--- services/postgres/values.yaml | 28 +++++---- services/sherlock/README.md | 2 +- services/sherlock/templates/deployment.yaml | 4 +- .../sherlock/templates/vault-secrets.yaml | 2 +- services/sherlock/values-idfdev.yaml | 2 +- services/sherlock/values-idfint.yaml | 2 +- services/sherlock/values-idfprod.yaml | 2 +- services/sherlock/values.yaml | 2 +- services/squareone/README.md | 6 ++ 35 files changed, 260 insertions(+), 192 deletions(-) diff --git a/science-platform/templates/postgres-application.yaml b/science-platform/templates/postgres-application.yaml index 6d8e11e97e..deff1baaf7 100644 
--- a/science-platform/templates/postgres-application.yaml +++ b/science-platform/templates/postgres-application.yaml @@ -22,10 +22,6 @@ spec: targetRevision: {{ .Values.revision }} helm: parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: diff --git a/services/cachemachine/templates/serviceaccount.yaml b/services/cachemachine/templates/serviceaccount.yaml index 6ca6bc58dd..81a80ff760 100644 --- a/services/cachemachine/templates/serviceaccount.yaml +++ b/services/cachemachine/templates/serviceaccount.yaml @@ -8,8 +8,6 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} -imagePullSecrets: - - name: "pull-secret" --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index 8a9c09ccea..be69c3c671 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md 
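Review bot: After this hunk the postgres Application injects only `global.vaultSecretsPath`, yet the postgres chart README hunk in this same commit still lists `global.baseUrl` and `global.host` with the default "Set by Argo CD", which is no longer true for this chart. If the chart's values.yaml still declares those keys (its diff is not in view), the helm-docs `@default` comment there should stop promising a value nobody supplies, or the keys should be dropped if no postgres template reads them. The Application's `valueFiles:` block continues past the end of the hunk.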
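Review bot: Removing `imagePullSecrets` from the ServiceAccount means pods that run under it no longer inherit `pull-secret`; unless the cachemachine Deployment (not in this diff) sets `imagePullSecrets` on its pod spec, image pulls lose the registry credentials, which on Docker Hub also means falling back to anonymous rate limits. The moneypenny serviceaccount hunk further down makes the same removal and needs the same check. The ClusterRole document that begins at the end of this hunk continues outside it.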
@@ -6,31 +6,34 @@ Exposure log service | Key | Type | Default | Description | |-----|------|---------|-------------| -| affinity | object | `{}` | | -| autoscaling.enabled | bool | `false` | | -| autoscaling.maxReplicas | int | `100` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| config.butler_uri_1 | string | `""` | | -| config.butler_uri_2 | string | `""` | | -| config.nfs_path_1 | string | `""` | | -| config.nfs_path_2 | string | `""` | | -| config.nfs_server_1 | string | `""` | | -| config.nfs_server_2 | string | `""` | | -| config.site_id | string | `""` | | -| fullnameOverride | string | `""` | | +| affinity | object | `{}` | Affinity rules for the exposurelog pod | +| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80,"targetMemoryUtilizationPercentage":80}` | Exposurelog autoscaling settings | +| autoscaling.enabled | bool | false | enable exposurelog autoscaling | +| autoscaling.maxReplicas | int | `100` | maximum number of exposurelog replicas | +| autoscaling.minReplicas | int | `1` | minimum number of exposurelog replicas | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization for exposurelog pod autoscale calculations | +| autoscaling.targetMemoryUtilizationPercentage | int | `80` | Target memory utilization for exposurelog pod autoscale calculations | +| config | object | `{"butler_uri_1":"","butler_uri_2":"","nfs_path_1":"","nfs_path_2":"","nfs_server_1":"","nfs_server_2":"","site_id":""}` | Application-specific configuration | +| config.butler_uri_1 | string | `""` | URI for butler registry 1 (required). Format: * For a volume mounted using `nfs_path_1` (see above): An absolute path starting with `/volume_1/`. * For a network URI: see the daf_butler documentation. * For a sandbox deployment: specify `LSSTCam` for butler_uri_1. 
| +| config.butler_uri_2 | string | `""` | URI for butler registry 2 (optional). Format: * For a volume mounted using `nfs_path_2` (see above): An absolute path starting with `/volume_2/`. * For a network URI: see the daf_butler documentation. * For a sandbox deployment: specify `LATISS` for butler_uri_2. | +| config.nfs_path_1 | string | `""` | NFS path to butler registry 1 Only specify a non-blank value if reading the registry from an NFS-mounted file. If not blank then mount the specified NFS path as internal volume /volume1 | +| config.nfs_path_2 | string | `""` | NFS path to butler registry 2 Only specify a non-blank value if reading the registry from an NFS-mounted file. If not blank then mount the specified NFS path as internal volume /volume2 | +| config.nfs_server_1 | string | `""` | Name of the NFS server that exports nfs_path_1 Specify a non-blank value if and only if the corresponding nfs_path_1 is not blank. | +| config.nfs_server_2 | string | `""` | Name of the NFS server that exports nfs_path_2 Specify a non-blank value if and only if the corresponding nfs_path_1 is not blank. | +| config.site_id | string | `""` | Site ID; a non-empty string of up to 16 characters. This should be different for each non-sandbox deployment. Sandboxes should use `test`. 
| +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| image.pullPolicy | string | `"Always"` | | -| image.repository | string | `"lsstsqre/exposurelog"` | | -| image.tag | string | `""` | | -| ingress.gafaelfawrAuthQuery | string | `""` | | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| tolerations | list | `[]` | | +| image.pullPolicy | string | `"Always"` | Pull policy for the exposurelog image | +| image.repository | string | `"lsstsqre/exposurelog"` | exposurelog image to use | +| image.tag | string | The appVersion of the chart | Tag of exposure image to use | +| ingress.gafaelfawrAuthQuery | string | `""` | Gafaelfawr auth query string | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the exposurelog pod | +| podAnnotations | object | `{}` | Annotations for the exposurelog pod | +| podSecurityContext | object | `{}` | Security context for the exposurelog pod | +| replicaCount | int | `1` | How many exposurelog pods to run | +| resources | object | `{}` | Resource limits and requests for the exposurelog pod | +| securityContext | object | `{}` | Security context for the exposurelog deployment | +| tolerations | list | `[]` | Tolerations for the exposurelog pod | diff --git a/services/exposurelog/values.yaml b/services/exposurelog/values.yaml index 9d00f652ec..123c84cf93 100644 --- a/services/exposurelog/values.yaml +++ b/services/exposurelog/values.yaml 
@@ -1,52 +1,75 @@ # Default values for exposurelog. # This is a YAML-formatted file. # Declare variables to be passed into your templates. + +# -- Override the base name for resources nameOverride: "" + +# -- Override the full name for resources (includes the release name) fullnameOverride: "" +# -- How many exposurelog pods to run replicaCount: 1 image: + # -- exposurelog image to use repository: lsstsqre/exposurelog + # -- Pull policy for the exposurelog image pullPolicy: Always - # Overrides the image tag whose default is the chart appVersion. + # -- Tag of exposure image to use + # @default -- The appVersion of the chart tag: "" ingress: - # Allow specification of auth scope + # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "" -# Application-specific configuration +# -- Application-specific configuration config: - # NFS path to butler registry 1 and/or 2. + # -- NFS path to butler registry 1 # Only specify a non-blank value if reading the registry from an NFS-mounted file. - # If not blank then mount the specified NFS path as internal volume /volume_1 or /volume_2, respectively. + # If not blank then mount the specified NFS path as internal volume /volume1 nfs_path_1: "" + # -- NFS path to butler registry 2 + # Only specify a non-blank value if reading the registry from an NFS-mounted file. + # If not blank then mount the specified NFS path as internal volume /volume2 nfs_path_2: "" - # Name of the NFS server that exports nfs_path_1 or nfs_path_2, respectively. - # Specify a non-blank value if and only if the corresponding nfs_path_1/2 is not blank. + # -- Name of the NFS server that exports nfs_path_1 + # Specify a non-blank value if and only if the corresponding + # nfs_path_1 is not blank. nfs_server_1: "" + # -- Name of the NFS server that exports nfs_path_2 + # Specify a non-blank value if and only if the corresponding + # nfs_path_1 is not blank. nfs_server_2: "" - # URIs for butler registry 1 (required) and 2 (optional). 
Format: - # * For a volume mounted using `nfs_path_1` or `nfs_path_2` (see above): - # An absolute path starting with `/volume_1/` or `/volume_2/`. + # -- URI for butler registry 1 (required). Format: + # * For a volume mounted using `nfs_path_1` (see above): + # An absolute path starting with `/volume_1/`. # * For a network URI: see the daf_butler documentation. - # * For a sandbox deployment: specify `LSSTCam` for butler_uri_1 and `LATISS` for butler_uri_2. + # * For a sandbox deployment: specify `LSSTCam` for butler_uri_1. butler_uri_1: "" + # -- URI for butler registry 2 (optional). Format: + # * For a volume mounted using `nfs_path_2` (see above): + # An absolute path starting with `/volume_2/`. + # * For a network URI: see the daf_butler documentation. + # * For a sandbox deployment: specify `LATISS` for butler_uri_2. butler_uri_2: "" - # Site ID; a non-empty string of up to 16 characters. + # -- Site ID; a non-empty string of up to 16 characters. # This should be different for each non-sandbox deployment. # Sandboxes should use `test`. site_id: "" +# -- Annotations for the exposurelog pod podAnnotations: {} +# -- Security context for the exposurelog pod podSecurityContext: {} # fsGroup: 2000 +# -- Security context for the exposurelog deployment securityContext: {} # capabilities: # drop: @@ -55,6 +78,7 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +# -- Resource limits and requests for the exposurelog pod resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
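Review bot: Two of the new helm-docs comments carry copy-paste errors: the comment above `nfs_server_2` ends with `nfs_path_1 is not blank.` where it should read `nfs_path_2 is not blank.`, and `# -- Tag of exposure image to use` should name the exposurelog image (the same `exposure image` wording is repeated in the narrativelog values.yaml hunk below). The new `nfs_path_1`/`nfs_path_2` comments also describe the mount point as `/volume1`/`/volume2` while the `butler_uri_*` comments in the same hunk still say `/volume_1/`/`/volume_2/`; only one spelling can match the deployment template, which is not in this diff. All of these are already mirrored in the regenerated README in this commit, so it needs another helm-docs run after the fix.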
@@ -67,17 +91,27 @@ resources: {} # cpu: 100m # memory: 128Mi +# -- Exposurelog autoscaling settings autoscaling: + # -- enable exposurelog autoscaling + # @default -- false enabled: false + # -- minimum number of exposurelog replicas minReplicas: 1 + # -- maximum number of exposurelog replicas maxReplicas: 100 + # -- Target CPU utilization for exposurelog pod autoscale calculations targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 + # -- Target memory utilization for exposurelog pod autoscale calculations + targetMemoryUtilizationPercentage: 80 +# -- Node selector rules for the exposurelog pod nodeSelector: {} +# -- Tolerations for the exposurelog pod tolerations: [] +# -- Affinity rules for the exposurelog pod affinity: {} # The following will be set by parameters injected by Argo CD and should not diff --git a/services/moneypenny/templates/ingress.yaml b/services/moneypenny/templates/ingress.yaml index 96e59738ff..0c44bfd675 100644 --- a/services/moneypenny/templates/ingress.yaml +++ b/services/moneypenny/templates/ingress.yaml @@ -24,13 +24,3 @@ spec: name: {{ include "moneypenny.fullname" . }} port: number: 8080 - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} diff --git a/services/moneypenny/templates/serviceaccount.yaml b/services/moneypenny/templates/serviceaccount.yaml index de1cee6e73..963cbe100d 100644 --- a/services/moneypenny/templates/serviceaccount.yaml +++ b/services/moneypenny/templates/serviceaccount.yaml @@ -4,5 +4,3 @@ metadata: name: {{ include "moneypenny.serviceAccountName" . }} labels: {{- include "moneypenny.labels" . | nindent 4 }} -imagePullSecrets: - - name: "pull-secret" diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index a96ba1098d..1f65d61184 100644 --- a/services/narrativelog/README.md +++ b/services/narrativelog/README.md 
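Review bot: Dropping the `tls:` block removes the only place this Ingress could reference a certificate secret, so whether HTTPS for moneypenny keeps working now depends entirely on TLS being terminated by a shared ingress or load balancer outside this chart; that may well be how this repository works, but nothing in the diff shows it. If `ingress.tls` is still declared in the chart's values.yaml it is now dead configuration and should be removed with it. The Ingress `spec:` starts above the hunk.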
@@ -6,25 +6,28 @@ Narrative log service | Key | Type | Default | Description | |-----|------|---------|-------------| -| affinity | object | `{}` | | -| autoscaling.enabled | bool | `false` | | -| autoscaling.maxReplicas | int | `100` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| config.site_id | string | `""` | | -| fullnameOverride | string | `""` | | +| affinity | object | `{}` | Affinity rules for the narrativelog pod | +| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80,"targetMemoryUtilizationPercentage":80}` | Narrativelog autoscaling settings | +| autoscaling.enabled | bool | false | enable narrativelog autoscaling | +| autoscaling.maxReplicas | int | `100` | maximum number of narrativelog replicas | +| autoscaling.minReplicas | int | `1` | minimum number of narrativelog replicas | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization for narrativelog pod autoscale calculations | +| autoscaling.targetMemoryUtilizationPercentage | int | `80` | Target memory utilization for narrativelog pod autoscale calculations | +| config | object | `{"site_id":""}` | Application-specific configuration | +| config.site_id | string | `""` | Site ID; a non-empty string of up to 16 characters. This should be different for each non-sandbox deployment. Sandboxes should use `test`. 
| +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| image.pullPolicy | string | `"Always"` | | -| image.repository | string | `"lsstsqre/narrativelog"` | | -| image.tag | string | `""` | | -| ingress.gafaelfawrAuthQuery | string | `""` | | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| tolerations | list | `[]` | | +| image.pullPolicy | string | `"Always"` | Pull policy for the narrativelog image | +| image.repository | string | `"lsstsqre/narrativelog"` | narrativelog image to use | +| image.tag | string | The appVersion of the chart | Tag of exposure image to use | +| ingress.gafaelfawrAuthQuery | string | `""` | Gafaelfawr auth query string | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the narrativelog pod | +| podAnnotations | object | `{}` | Annotations for the narrativelog pod | +| podSecurityContext | object | `{}` | Security context for the narrativelog pod | +| replicaCount | int | `1` | Number of narrativelog replicas to run | +| resources | object | `{}` | Resource limits and requests for the narrativelog pod | +| securityContext | object | `{}` | Security context for the narrativelog deployment | +| tolerations | list | `[]` | Tolerations for the narrativelog pod | diff --git a/services/narrativelog/values.yaml b/services/narrativelog/values.yaml index 8db269a3aa..113450a78e 100644 --- a/services/narrativelog/values.yaml +++ b/services/narrativelog/values.yaml 
@@ -1,33 +1,44 @@ # Default values for narrativelog. # This is a YAML-formatted file. # Declare variables to be passed into your templates. + +# -- Override the base name for resources nameOverride: "" + +# -- Override the full name for resources (includes the release name) fullnameOverride: "" +# -- Number of narrativelog replicas to run replicaCount: 1 image: + # -- narrativelog image to use repository: lsstsqre/narrativelog + # -- Pull policy for the narrativelog image pullPolicy: Always - # Overrides the image tag whose default is the chart appVersion. + # -- Tag of exposure image to use + # @default -- The appVersion of the chart tag: "" ingress: - # Allow specification of auth scope + # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "" -# Application-specific configuration +# -- Application-specific configuration config: - # Site ID; a non-empty string of up to 16 characters. + # -- Site ID; a non-empty string of up to 16 characters. # This should be different for each non-sandbox deployment. # Sandboxes should use `test`. site_id: "" +# -- Annotations for the narrativelog pod podAnnotations: {} +# -- Security context for the narrativelog pod podSecurityContext: {} # fsGroup: 2000 +# -- Security context for the narrativelog deployment securityContext: {} # capabilities: # drop: @@ -36,6 +47,7 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +# -- Resource limits and requests for the narrativelog pod resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
@@ -48,17 +60,27 @@ resources: {} # cpu: 100m # memory: 128Mi +# -- Narrativelog autoscaling settings autoscaling: + # -- enable narrativelog autoscaling + # @default -- false enabled: false + # -- minimum number of narrativelog replicas minReplicas: 1 + # -- maximum number of narrativelog replicas maxReplicas: 100 + # -- Target CPU utilization for narrativelog pod autoscale calculations targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 + # -- Target memory utilization for narrativelog pod autoscale calculations + targetMemoryUtilizationPercentage: 80 +# -- Node selector rules for the narrativelog pod nodeSelector: {} +# -- Tolerations for the narrativelog pod tolerations: [] +# -- Affinity rules for the narrativelog pod affinity: {} # The following will be set by parameters injected by Argo CD and should not diff --git a/services/plot-navigator/templates/deployment.yaml b/services/plot-navigator/templates/deployment.yaml index 3b241afa0e..4a124e4f1c 100644 --- a/services/plot-navigator/templates/deployment.yaml +++ b/services/plot-navigator/templates/deployment.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -9,11 +8,11 @@ spec: replicas: 1 selector: matchLabels: - app: plot-navigator + {{- include "plot-navigator.selectorLabels" . | nindent 6 }} template: metadata: labels: - app: plot-navigator + {{- include "plot-navigator.selectorLabels" . | nindent 8 }} spec: imagePullSecrets: name: pull-secret diff --git a/services/plot-navigator/templates/ingress.yaml b/services/plot-navigator/templates/ingress.yaml index 673b45d962..50601f9edb 100644 --- a/services/plot-navigator/templates/ingress.yaml +++ b/services/plot-navigator/templates/ingress.yaml @@ -1,4 +1,3 @@ ---- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: diff --git a/services/postgres/Chart.yaml b/services/postgres/Chart.yaml index d235de0d1e..57a59c09fb 100644 --- a/services/postgres/Chart.yaml +++ b/services/postgres/Chart.yaml 
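Review bot: Changing `selector.matchLabels` from `app: plot-navigator` to the `plot-navigator.selectorLabels` include is an update to an immutable field on an apps/v1 Deployment, so syncing an existing release in place fails with a field-is-immutable error until the Deployment is deleted and recreated (for Argo CD, `Replace=true` on this resource or a manual delete). The chart's Service is not in this diff; if its `spec.selector` is still `app: plot-navigator` it stops matching the pods, which after this hunk carry only the new selector labels. The postgres deployment hunk below makes the same selector change and needs the same treatment. As rendered here the unchanged `imagePullSecrets:` is followed by a bare `name: pull-secret`; if the file really holds a mapping there rather than a `- name: pull-secret` list item the API server rejects the pod template, so confirm against the file since indentation is lost in this view.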
@@ -1,6 +1,6 @@ apiVersion: v2 -appVersion: "1.0" +name: postgres +version: 1.0.0 +appVersion: "0.0.5" description: Postgres RDBMS for LSP home: https://hub.docker.com/r/lsstsqre/lsp-postgres -name: postgres -version: 0.1.1 diff --git a/services/postgres/README.md b/services/postgres/README.md index 98eb00fcf9..208c5ed5b6 100644 --- a/services/postgres/README.md +++ b/services/postgres/README.md @@ -8,12 +8,12 @@ Postgres RDBMS for LSP | Key | Type | Default | Description | |-----|------|---------|-------------| -| debug | string | `""` | | +| debug | string | `""` | Set to non-empty to enable debugging output | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| image.repository | string | `"lsstsqre/lsp-postgres"` | | -| image.tag | string | `"latest"` | | -| postgres_storage_class | string | `"standard"` | | -| postgres_volume_size | string | `"1Gi"` | | -| volume_name | string | `""` | | +| image.repository | string | `"lsstsqre/lsp-postgres"` | postgres image to use | +| image.tag | string | The appVersion of the chart | Tag of postgres image to use | +| postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "fast", on Rubin Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere "standard" ... | +| postgresVolumeSize | string | `"1Gi"` | Volume size for postgres. It can generally be very small | +| volumeName | string | `""` | Volume name for postgres, if you use an existing volume that isn't automatically created from the PVC by the storage driver (e.g. NCSA) | diff --git a/services/postgres/templates/_helpers.tpl b/services/postgres/templates/_helpers.tpl index cad60fd269..c8fd03f180 100644 --- a/services/postgres/templates/_helpers.tpl +++ b/services/postgres/templates/_helpers.tpl 
@@ -43,6 +43,20 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} +{{ include "postgres.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "postgres.selectorLabels" -}} +app.kubernetes.io/name: {{ include "postgres.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} {{/* Create the name of the service account to use diff --git a/services/postgres/templates/deployment.yaml b/services/postgres/templates/deployment.yaml index 7af7b4b63d..b43548395b 100644 --- a/services/postgres/templates/deployment.yaml +++ b/services/postgres/templates/deployment.yaml @@ -3,21 +3,21 @@ kind: Deployment metadata: name: {{ template "postgres.fullname" . }} labels: - app: {{ template "postgres.fullname" . }} + {{- include "postgres.labels" . | nindent 4 }} spec: replicas: 1 selector: matchLabels: - name: {{ template "postgres.fullname" . }} + {{- include "postgres.selectorLabels" . | nindent 6 }} template: metadata: labels: - name: {{ template "postgres.fullname" . }} + {{- include "postgres.selectorLabels" . | nindent 8 }} spec: containers: - name: {{ template "postgres.fullname" . }} imagePullPolicy: "Always" - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" ports: - name: postgres containerPort: 5432 diff --git a/services/postgres/templates/physpvc.yaml b/services/postgres/templates/physpvc.yaml index c17a2b3bb3..c32fdac4ef 100644 --- a/services/postgres/templates/physpvc.yaml +++ b/services/postgres/templates/physpvc.yaml 
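Review bot: The fourteen added lines begin right after the `{{- end -}}` that closes the `postgres.labels` template, so as shown they place a second copy of the `if .Chart.AppVersion`/`managed-by` tail plus an extra `{{- end }}` at the top level of `_helpers.tpl`; unless some block opened above line 43 is still open at that point, that unmatched `{{- end }}` makes every render of the chart fail to parse. The intended edit is presumably to insert `{{ include "postgres.selectorLabels" . }}` inside `postgres.labels` (after its `helm.sh/chart` line) and keep only the new `postgres.selectorLabels` define, dropping the duplicated tail. The `postgres.labels` define starts above the hunk, so verify against the full file.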
@@ -2,15 +2,14 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ template "postgres.fullname" . }}-physpvc + labels: {{- include "postgres.labels" . | nindent 4 }} spec: accessModes: - "ReadWriteOnce" resources: requests: - storage: {{.Values.postgres_volume_size}} - storageClassName: {{.Values.postgres_storage_class}} -{{ if .Values.volume_name }} - volumeName: {{ .Values.volume_name }} -{{ end }} - - + storage: {{.Values.postgresVolumeSize}} + storageClassName: {{.Values.postgresStorageClass}} + {{- if .Values.volumeName }} + volumeName: {{ .Values.volumeName }} + {{- end }} diff --git a/services/postgres/templates/service.yaml b/services/postgres/templates/service.yaml index 9c73f94bf3..8b504dc33d 100644 --- a/services/postgres/templates/service.yaml +++ b/services/postgres/templates/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "postgres.fullname" . }} + labels: {{- include "postgres.labels" . | nindent 4 }} spec: ports: - name: postgres diff --git a/services/postgres/values-base.yaml b/services/postgres/values-base.yaml index ef3170ff25..ec730cc9e5 100644 --- a/services/postgres/values-base.yaml +++ b/services/postgres/values-base.yaml @@ -1,16 +1,16 @@ jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" lovelog_db: - user: 'lovelog' - db: 'lovelog' + user: "lovelog" + db: "lovelog" exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' + user: "exposurelog" + db: "exposurelog" gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' + user: "gafaelfawr" + db: "gafaelfawr" narrativelog_db: - user: 'narrativelog' - db: 'narrativelog' -postgres_storage_class: 'rook-ceph-block' + user: "narrativelog" + db: "narrativelog" +postgresStorageClass: "rook-ceph-block" diff --git a/services/postgres/values-idfdev.yaml b/services/postgres/values-idfdev.yaml index 4bf87c20e3..f1ee8c299b 100644 --- a/services/postgres/values-idfdev.yaml +++ b/services/postgres/values-idfdev.yaml 
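Review bot: Renaming the values keys to `postgresVolumeSize`, `postgresStorageClass` and `volumeName` is not a compatible change for Helm: an environment values file still carrying `postgres_storage_class` or `volume_name` is silently ignored, and the PVC falls back to the `standard` class with no `volumeName`, which for the `manual` environments means a claim that never binds. The values-*.yaml hunks in this commit cover the environments listed in the diffstat; confirm that no other values file or Argo CD parameter still uses the old names before merging.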
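Review bot: This hunk only adds labels to the Service's metadata, and the diffstat shows a single insertion for this file, so `spec.selector` below the hunk is untouched; the postgres deployment hunk in this commit switches the pod labels from `name: {{ template "postgres.fullname" . }}` to `postgres.selectorLabels`, so if the selector still reads `name: ...` the Service will have no endpoints and every database client of this chart loses its connection. The selector should become `{{- include "postgres.selectorLabels" . | nindent 4 }}` to match the new pod labels. The Service `spec:` continues past the end of the hunk.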
@@ -1,5 +1,5 @@ -postgres_storage_class: 'fast' -debug: 'true' +postgresStorageClass: "fast" +debug: "true" jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" diff --git a/services/postgres/values-idfint.yaml b/services/postgres/values-idfint.yaml index e3e4732f12..59c0698a41 100644 --- a/services/postgres/values-idfint.yaml +++ b/services/postgres/values-idfint.yaml @@ -1,4 +1,4 @@ -postgres_storage_class: 'fast' +postgresStorageClass: "fast" jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" diff --git a/services/postgres/values-idfprod.yaml b/services/postgres/values-idfprod.yaml index e3e4732f12..59c0698a41 100644 --- a/services/postgres/values-idfprod.yaml +++ b/services/postgres/values-idfprod.yaml @@ -1,4 +1,4 @@ -postgres_storage_class: 'fast' +postgresStorageClass: "fast" jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" diff --git a/services/postgres/values-int.yaml b/services/postgres/values-int.yaml index 3065409373..fa18bc2088 100644 --- a/services/postgres/values-int.yaml +++ b/services/postgres/values-int.yaml @@ -1,10 +1,10 @@ jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' -postgres_storage_class: 'manual' -volume_name: 'postgres-data-volume' + user: "gafaelfawr" + db: "gafaelfawr" +postgresStorageClass: "manual" +volumeName: "postgres-data-volume" image: - tag: '0.0.3' + tag: "0.0.3" diff --git a/services/postgres/values-minikube.yaml b/services/postgres/values-minikube.yaml index 937caa059e..1dc388a3ea 100644 --- a/services/postgres/values-minikube.yaml +++ b/services/postgres/values-minikube.yaml 
@@ -1,14 +1,14 @@ -debug: 'true' +debug: "true" jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' + user: "exposurelog" + db: "exposurelog" gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' + user: "gafaelfawr" + db: "gafaelfawr" narrativelog_db: - user: 'narrativelog' - db: 'narrativelog' -postgres_storage_class: 'standard' + user: "narrativelog" + db: "narrativelog" +postgresStorageClass: "standard" diff --git a/services/postgres/values-roe.yaml b/services/postgres/values-roe.yaml index 686177dbf5..6231253710 100644 --- a/services/postgres/values-roe.yaml +++ b/services/postgres/values-roe.yaml @@ -1,9 +1,9 @@ jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' + user: "gafaelfawr" + db: "gafaelfawr" image: - tag: '0.0.5' -postgres_storage_class: 'standard' + tag: "0.0.5" +postgresStorageClass: "standard" diff --git a/services/postgres/values-stable.yaml b/services/postgres/values-stable.yaml index 3065409373..fa18bc2088 100644 --- a/services/postgres/values-stable.yaml +++ b/services/postgres/values-stable.yaml @@ -1,10 +1,10 @@ jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' -postgres_storage_class: 'manual' -volume_name: 'postgres-data-volume' + user: "gafaelfawr" + db: "gafaelfawr" +postgresStorageClass: "manual" +volumeName: "postgres-data-volume" image: - tag: '0.0.3' + tag: "0.0.3" diff --git a/services/postgres/values-summit.yaml b/services/postgres/values-summit.yaml index 6095095bc5..1cf382a0d9 100644 --- a/services/postgres/values-summit.yaml +++ b/services/postgres/values-summit.yaml 
@@ -1,13 +1,13 @@ jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' + user: "exposurelog" + db: "exposurelog" gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' + user: "gafaelfawr" + db: "gafaelfawr" narrativelog_db: - user: 'narrativelog' - db: 'narrativelog' -postgres_storage_class: 'rook-ceph-block' + user: "narrativelog" + db: "narrativelog" +postgresStorageClass: "rook-ceph-block" diff --git a/services/postgres/values-tucson-teststand.yaml b/services/postgres/values-tucson-teststand.yaml index 6095095bc5..1cf382a0d9 100644 --- a/services/postgres/values-tucson-teststand.yaml +++ b/services/postgres/values-tucson-teststand.yaml @@ -1,13 +1,13 @@ jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' + user: "jovyan" + db: "jupyterhub" exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' + user: "exposurelog" + db: "exposurelog" gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' + user: "gafaelfawr" + db: "gafaelfawr" narrativelog_db: - user: 'narrativelog' - db: 'narrativelog' -postgres_storage_class: 'rook-ceph-block' + user: "narrativelog" + db: "narrativelog" +postgresStorageClass: "rook-ceph-block" diff --git a/services/postgres/values.yaml b/services/postgres/values.yaml index 331ca1bb61..ea6055bc38 100644 --- a/services/postgres/values.yaml +++ b/services/postgres/values.yaml 
@@ -2,20 +2,26 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -# Set to non-empty to enable debugging output -debug: '' +# -- Set to non-empty to enable debugging output +debug: "" image: - repository: 'lsstsqre/lsp-postgres' - tag: 'latest' + # -- postgres image to use + repository: "lsstsqre/lsp-postgres" + # -- Tag of postgres image to use + # @default -- The appVersion of the chart + tag: "" -# The volume can generally be very small -postgres_volume_size: '1Gi' -# Set to appropriate value for your deployment: at GKE, 'fast', on Rubin -# Observatory Rancher, 'rook-ceph-block', at NCSA, 'manual', -# elsewhere 'standard' ... -postgres_storage_class: 'standard' -volume_name: '' +# -- Volume size for postgres. It can generally be very small +postgresVolumeSize: "1Gi" +# -- Storage class for postgres volume. +# Set to appropriate value for your deployment: at GKE, "fast", on Rubin +# Observatory Rancher, "rook-ceph-block", at NCSA, "manual", +# elsewhere "standard" ... +postgresStorageClass: "standard" +# -- Volume name for postgres, if you use an existing volume that isn't +# automatically created from the PVC by the storage driver (e.g. NCSA) +volumeName: "" # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. diff --git a/services/sherlock/README.md b/services/sherlock/README.md index d1a2d63f3a..c18bd816c7 100644 --- a/services/sherlock/README.md +++ b/services/sherlock/README.md 
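Review bot: The new `tag: ""` with the `# @default -- The appVersion of the chart` annotation only holds if the postgres deployment template, which is not part of this commit, falls back with something like `{{ .Values.image.tag | default .Chart.AppVersion }}`; with an empty tag and no fallback the image reference renders as `lsstsqre/lsp-postgres:` and the pod cannot pull. The previous default was `'latest'`, so this also moves from a floating tag to a pinned one, which is the right direction for reproducible and auditable deploys but is not mentioned in the description. Worth confirming the template side before relying on the documented default.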
@@ -24,7 +24,7 @@ A Helm chart for Kubernetes | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the sherlock deployment pod | | podAnnotations | object | `{}` | Annotations for the sherlock deployment pod | -| publish_url | string | `""` | URL to push status to via HTTP PUTs. | +| publishUrl | string | `""` | URL to push status to via HTTP PUTs. | | replicaCount | int | `1` | Number of web deployment pods to start | | resources | object | `{}` | Resource limits and requests for the sherlock deployment pod | | serviceAccount.name | string | `""` | | diff --git a/services/sherlock/templates/deployment.yaml b/services/sherlock/templates/deployment.yaml index 1aabe10130..8d490720e0 100644 --- a/services/sherlock/templates/deployment.yaml +++ b/services/sherlock/templates/deployment.yaml @@ -40,8 +40,8 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: "PUBLISH_URL" - value: {{ .Values.publish_url }} - {{- if .Values.publish_url }} + value: {{ .Values.publishUrl }} + {{- if .Values.publishUrl }} - name: "PUBLISH_KEY" valueFrom: secretKeyRef: diff --git a/services/sherlock/templates/vault-secrets.yaml b/services/sherlock/templates/vault-secrets.yaml index 89c6e8e37c..2099d52cc1 100644 --- a/services/sherlock/templates/vault-secrets.yaml +++ b/services/sherlock/templates/vault-secrets.yaml @@ -1,4 +1,4 @@ -{{- if .Values.publish_url }} +{{- if .Values.publishUrl }} apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: diff --git a/services/sherlock/values-idfdev.yaml b/services/sherlock/values-idfdev.yaml index 0ca88e01f0..09d06b446e 100644 --- a/services/sherlock/values-idfdev.yaml +++ b/services/sherlock/values-idfdev.yaml @@ -6,4 +6,4 @@ resources: cpu: 4.0 memory: "4G" -publish_url: "https://status.lsst.codes/api/data-dev" +publishUrl: "https://status.lsst.codes/api/data-dev" 
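Review bot: `value: {{ .Values.publishUrl }}` in the sherlock deployment hunk is still unquoted after the rename, so a URL containing `#`, `: ` or a leading special character would be mis-parsed by the YAML loader, and the default empty value renders as a null `value:`. Rendering it as `value: {{ .Values.publishUrl | quote }}` keeps it a string in every case. The `{{- if .Values.publishUrl }}` guard below it, and the matching guard in the vault-secrets.yaml hunk, are fine; only the env value needs quoting.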
diff --git a/services/sherlock/values-idfint.yaml b/services/sherlock/values-idfint.yaml index 8719164381..f26f30166c 100644 --- a/services/sherlock/values-idfint.yaml +++ b/services/sherlock/values-idfint.yaml @@ -5,4 +5,4 @@ resources: limits: cpu: 4.0 memory: "4G" -publish_url: "https://status.lsst.codes/api/data-int" +publishUrl: "https://status.lsst.codes/api/data-int" diff --git a/services/sherlock/values-idfprod.yaml b/services/sherlock/values-idfprod.yaml index 3f3efbd3bf..6dc7b40cad 100644 --- a/services/sherlock/values-idfprod.yaml +++ b/services/sherlock/values-idfprod.yaml @@ -5,4 +5,4 @@ resources: limits: cpu: 4.0 memory: "4G" -publish_url: "https://status.lsst.codes/api/data" +publishUrl: "https://status.lsst.codes/api/data" diff --git a/services/sherlock/values.yaml b/services/sherlock/values.yaml index 451cba66f2..ba2259a9c4 100644 --- a/services/sherlock/values.yaml +++ b/services/sherlock/values.yaml @@ -64,7 +64,7 @@ serviceAccount: name: "" # -- URL to push status to via HTTP PUTs. -publish_url: "" +publishUrl: "" # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. diff --git a/services/squareone/README.md b/services/squareone/README.md index 907219d8ac..4c2e76d6c7 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -8,6 +8,12 @@ Squareone is the homepage UI for the Rubin Science Platform. * +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | + ## Values | Key | Type | Default | Description | From 866bf766127855b0782680874657f0bc5ba4dbfe Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 12 May 2022 12:34:23 -0700 Subject: [PATCH 0430/1479] fix postgres _helpers.tpl --- services/nublado2/README.md | 11 ----------- services/postgres/templates/_helpers.tpl | 17 ----------------- 2 files changed, 28 deletions(-) 
diff --git a/services/nublado2/README.md b/services/nublado2/README.md index fab98bcfab..7bc9308897 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -1,17 +1,9 @@ # nublado2 -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![AppVersion: 2.3.0](https://img.shields.io/badge/AppVersion-2.3.0-informational?style=flat-square) - Nublado2 JupyterHub installation **Homepage:** -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| cbanek | | | - ## Source Code * @@ -155,6 +147,3 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.singleuser.storage.type | string | `"none"` | | | network_policy.enabled | bool | `true` | | | vault_secret_path | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/postgres/templates/_helpers.tpl b/services/postgres/templates/_helpers.tpl index c8fd03f180..9d24248a39 100644 --- a/services/postgres/templates/_helpers.tpl +++ b/services/postgres/templates/_helpers.tpl @@ -43,12 +43,6 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} -{{ include "postgres.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} {{/* Selector labels @@ -57,14 +51,3 @@ Selector labels app.kubernetes.io/name: {{ include "postgres.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "postgres.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "postgres.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} 
From 8e380e52d3e370268e0f05b50e8013f1cbc9ebe1 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 10:07:50 -0700 Subject: [PATCH 0431/1479] rework postgres templates --- services/postgres/README.md | 2 +- services/postgres/templates/service.yaml | 5 +++-- services/postgres/templates/storageclass.yaml | 9 --------- services/postgres/values-idfdev.yaml | 2 -- services/postgres/values-idfint.yaml | 1 - services/postgres/values-idfprod.yaml | 1 - services/postgres/values.yaml | 7 ++++--- 7 files changed, 8 insertions(+), 19 deletions(-) delete mode 100644 services/postgres/templates/storageclass.yaml diff --git a/services/postgres/README.md b/services/postgres/README.md index 208c5ed5b6..ff04a90335 100644 --- a/services/postgres/README.md +++ b/services/postgres/README.md @@ -14,6 +14,6 @@ Postgres RDBMS for LSP | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.repository | string | `"lsstsqre/lsp-postgres"` | postgres image to use | | image.tag | string | The appVersion of the chart | Tag of postgres image to use | -| postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "fast", on Rubin Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere "standard" ... | +| postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you want a good database maybe it's better to use a cloud database?), on Rubin Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere probably "standard" ... | | postgresVolumeSize | string | `"1Gi"` | Volume size for postgres. It can generally be very small | | volumeName | string | `""` | Volume name for postgres, if you use an existing volume that isn't automatically created from the PVC by the storage driver (e.g. NCSA) | 
diff --git a/services/postgres/templates/service.yaml b/services/postgres/templates/service.yaml index 8b504dc33d..a7995d695b 100644 --- a/services/postgres/templates/service.yaml +++ b/services/postgres/templates/service.yaml @@ -5,7 +5,8 @@ metadata: labels: {{- include "postgres.labels" . | nindent 4 }} spec: ports: - - name: postgres + - targetPort: "postgres" + protocol: "TCP" port: 5432 selector: - name: {{ template "postgres.fullname" . }} + {{- include "postgres.selectorLabels" . | nindent 4 }} diff --git a/services/postgres/templates/storageclass.yaml b/services/postgres/templates/storageclass.yaml deleted file mode 100644 index 2bcc9cc14d..0000000000 --- a/services/postgres/templates/storageclass.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if eq .Values.postgres_storage_class "fast" }} -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: fast -provisioner: kubernetes.io/gce-pd -parameters: - type: pd-ssd -{{- end }} diff --git a/services/postgres/values-idfdev.yaml b/services/postgres/values-idfdev.yaml index f1ee8c299b..5a77f93b71 100644 --- a/services/postgres/values-idfdev.yaml +++ b/services/postgres/values-idfdev.yaml @@ -1,5 +1,3 @@ -postgresStorageClass: "fast" -debug: "true" jupyterhub_db: user: "jovyan" db: "jupyterhub" diff --git a/services/postgres/values-idfint.yaml b/services/postgres/values-idfint.yaml index 59c0698a41..5a77f93b71 100644 --- a/services/postgres/values-idfint.yaml +++ b/services/postgres/values-idfint.yaml @@ -1,4 +1,3 @@ -postgresStorageClass: "fast" jupyterhub_db: user: "jovyan" db: "jupyterhub" diff --git a/services/postgres/values-idfprod.yaml b/services/postgres/values-idfprod.yaml index 59c0698a41..5a77f93b71 100644 --- a/services/postgres/values-idfprod.yaml +++ b/services/postgres/values-idfprod.yaml @@ -1,4 +1,3 @@ -postgresStorageClass: "fast" jupyterhub_db: user: "jovyan" db: "jupyterhub" diff --git a/services/postgres/values.yaml b/services/postgres/values.yaml index ea6055bc38..7c75ccf2e3 100644 
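Review bot: `targetPort: "postgres"` in the service hunk refers to a named container port, so the postgres deployment template (not in this commit) must declare `name: postgres` on its containerPort or the Service has no usable endpoint; before this change targetPort was omitted and defaulted to 5432. The selector now comes from `postgres.selectorLabels`, which must match the pod template labels exactly or the Service selects nothing. Neither template is in the diff, so this is a request to verify the rendered output rather than a confirmed break.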
--- a/services/postgres/values.yaml +++ b/services/postgres/values.yaml @@ -15,9 +15,10 @@ image: # -- Volume size for postgres. It can generally be very small postgresVolumeSize: "1Gi" # -- Storage class for postgres volume. -# Set to appropriate value for your deployment: at GKE, "fast", on Rubin -# Observatory Rancher, "rook-ceph-block", at NCSA, "manual", -# elsewhere "standard" ... +# Set to appropriate value for your deployment: at GKE, "standard" +# (if you want SSD, "premium-rwo", but if you want a good database maybe +# it's better to use a cloud database?), on Rubin Observatory Rancher, +# "rook-ceph-block", at NCSA, "manual", elsewhere probably "standard" ... postgresStorageClass: "standard" # -- Volume name for postgres, if you use an existing volume that isn't # automatically created from the PVC by the storage driver (e.g. NCSA) From c55d7043f2972f53c0066e5cef4f3df9c05a37e6 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 11:03:49 -0700 Subject: [PATCH 0432/1479] Update datalinker to current chart version --- services/datalinker/Chart.yaml | 2 +- services/datalinker/README.md | 6 ++++ services/datalinker/templates/deployment.yaml | 23 +++++++++++++- services/datalinker/templates/ingress.yaml | 21 ++++++++----- .../datalinker/templates/networkpolicy.yaml | 2 ++ services/datalinker/templates/service.yaml | 4 +-- .../datalinker/templates/vault-secrets.yaml | 16 ++++++++-- services/datalinker/values.yaml | 31 +++++++++++++++---- 8 files changed, 84 insertions(+), 21 deletions(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index 02e2f5f841..ea6541e2f1 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -3,6 +3,6 @@ appVersion: 1.0.0 description: A Helm chart for Kubernetes name: datalinker type: application -version: 0.1.7 +version: 0.1.8 maintainers: - name: cbanek diff --git a/services/datalinker/README.md b/services/datalinker/README.md index f367f9865d..384717980e 100644 
--- a/services/datalinker/README.md +++ b/services/datalinker/README.md @@ -19,10 +19,16 @@ A Helm chart for Kubernetes | image.repository | string | `"lsstsqre/datalinker"` | Image to use in the datalinker deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.className | string | `"nginx"` | Ingress class | +| ingress.enabled | bool | `true` | Create an ingress resource | | ingress.gafaelfawrAuthQuery | string | `""` | Gafaelfawr auth query string (default, unauthenticated) | +| ingress.path | string | `"/api/datalink"` | URL path to dispatch to the datalinker deployment pod | +| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the datalinker deployment pod | | podAnnotations | object | `{}` | Annotations for the datalinker deployment pod | | replicaCount | int | `1` | Number of web deployment pods to start | | resources | object | `{}` | Resource limits and requests for the datalinker deployment pod | +| service.port | int | `8080` | Port of the service to create and map to the ingress | +| service.type | string | `"ClusterIP"` | Type of service to create | | tolerations | list | `[]` | Tolerations for the datalinker deployment pod | diff --git a/services/datalinker/templates/deployment.yaml b/services/datalinker/templates/deployment.yaml index b5c5d22a6d..e5e2bc90b1 100644 --- a/services/datalinker/templates/deployment.yaml +++ b/services/datalinker/templates/deployment.yaml @@ -22,11 +22,12 @@ spec: spec: automountServiceAccountToken: false imagePullSecrets: - - name: pull-secret + - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 + fsGroup: 1000 containers: - name: {{ .Chart.Name }} securityContext: 
@@ -37,6 +38,15 @@ spec: readOnlyRootFilesystem: true image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + # The following are used by Butler to retrieve its configuration + # and authenticate to its database. + - name: "AWS_SHARED_CREDENTIALS_FILE" + value: "/tmp/secrets/aws-credentials.ini" + - name: "PGPASSFILE" + value: "/tmp/secrets/postgres-credentials.txt" + - name: "S3_ENDPOINT_URL" + value: "https://storage.googleapis.com" ports: - name: http containerPort: 8080 @@ -51,6 +61,11 @@ spec: port: http resources: {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: "butler-secret" + mountPath: "/etc/butler/secrets" + - name: "tmp" + mountPath: "/tmp" {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -63,3 +78,9 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumes: + - name: "butler-secret" + secret: + secretName: {{ template "datalinker.fullname" . }}-butler-secret + - name: "tmp" + emptyDir: {} diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml index d5dbe92873..99b27cfc3a 100644 --- a/services/datalinker/templates/ingress.yaml +++ b/services/datalinker/templates/ingress.yaml @@ -1,7 +1,12 @@ +{{- if .Values.ingress.enabled -}} {{- $fullName := include "datalinker.fullname" . -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: + name: {{ $fullName }} + labels: + {{- include "datalinker.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} annotations: kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery -}} 
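Review bot: The env hunk points `PGPASSFILE` and `AWS_SHARED_CREDENTIALS_FILE` at `/tmp/secrets/...`, but the volumeMounts and volumes hunks of the same file mount the `butler-secret` Secret at `/etc/butler/secrets` and `/tmp` as a plain emptyDir, so nothing in this diff places the credentials where the process will look for them. If an init step elsewhere copies them into `/tmp`, it should be visible or referenced with a comment next to the env entries; otherwise the mount path and the env values need to agree. Note also that libpq ignores a password file whose permissions allow group or world access, and Secret volumes default to mode 0644, so either the copy step must tighten the mode or the volume needs `defaultMode: 0400`; with `fsGroup: 1000` added in the earlier hunk, check the effective mode of the mounted file as well. A credential copied into the shared `/tmp` emptyDir lives for the pod's lifetime, so whatever does the copy should leave it readable only by the runtime user.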
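Review bot: The `{{- with .Values.ingress.annotations }}` opened at the end of the ingress.yaml hunk now encloses the `annotations:` key, the `kubernetes.io/ingress.class` annotation and the Gafaelfawr `auth-url`/`auth-signin` annotations (its `{{- end }}` is in the next hunk), and `ingress.annotations` defaults to `{}`, which `with` treats as false. An environment that sets `ingress.gafaelfawrAuthQuery` but supplies no extra annotations therefore renders an ingress with no auth annotations at all, i.e. the route is served unauthenticated. Keep `annotations:` and the fixed annotations unconditional and wrap only the user-supplied map, as the removed lines in the next hunk did: `{{- with .Values.ingress.annotations }}` / `{{- toYaml . | nindent 4 }}` / `{{- end }}` placed after the Gafaelfawr block.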
@@ -10,21 +15,21 @@ metadata: nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} - name: {{ $fullName }} - labels: - {{- include "datalinker.labels" . | nindent 4 }} spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: "/api/datalink" - pathType: Prefix + - path: {{ .Values.ingress.path }} + pathType: {{ default "Prefix" .Values.ingress.pathType }} backend: service: name: {{ $fullName }} port: - number: 8080 + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/datalinker/templates/networkpolicy.yaml b/services/datalinker/templates/networkpolicy.yaml index 0bcf4940a4..6b228b58a6 100644 --- a/services/datalinker/templates/networkpolicy.yaml +++ b/services/datalinker/templates/networkpolicy.yaml @@ -1,3 +1,4 @@ +{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -19,3 +20,4 @@ spec: ports: - protocol: "TCP" port: 8080 +{{- end }} diff --git a/services/datalinker/templates/service.yaml b/services/datalinker/templates/service.yaml index 9f0673808b..b24cc11a8b 100644 --- a/services/datalinker/templates/service.yaml +++ b/services/datalinker/templates/service.yaml @@ -5,9 +5,9 @@ metadata: labels: {{- include "datalinker.labels" . | nindent 4 }} spec: - type: ClusterIP + type: {{ .Values.service.type }} ports: - - port: 8080 + - port: {{ .Values.service.port }} targetPort: http protocol: TCP name: http diff --git a/services/datalinker/templates/vault-secrets.yaml b/services/datalinker/templates/vault-secrets.yaml index 214d3cd565..2e4597fb41 100644 
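Review bot: Wrapping networkpolicy.yaml in `{{- if .Values.ingress.enabled -}}` (both hunks of that file) means disabling the ingress also deletes the NetworkPolicy, while the Service and Deployment in this commit are not gated, so with `ingress.enabled: false` the pod becomes reachable from any pod in the cluster, absent other policies, instead of only from the ingress controller. If the intent is that the pod is unreachable when there is no ingress, keep the policy and drop its ingress rule (or gate the Service too); if in-cluster-only access is the goal, say so in a comment on `ingress.enabled` in values.yaml. As written the coupling removes a control rather than tightening one.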
--- a/services/datalinker/templates/vault-secrets.yaml +++ b/services/datalinker/templates/vault-secrets.yaml @@ -1,9 +1,19 @@ apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: - name: pull-secret + name: {{ template "datalinker.fullname" . }}-butler-secret labels: {{- include "datalinker.labels" . | nindent 4 }} spec: - path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" - type: kubernetes.io/dockerconfigjson + path: "{{ .Values.global.vaultSecretsPath }}/butler-secret" + type: Opaque +--- +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: "pull-secret" + labels: + {{- include "datalinker.labels" . | nindent 4 }} +spec: + path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" + type: "kubernetes.io/dockerconfigjson" diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml index c1c1ba476c..1d8702ef46 100644 --- a/services/datalinker/values.yaml +++ b/services/datalinker/values.yaml @@ -2,12 +2,6 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -# -- Override the base name for resources -nameOverride: "" - -# -- Override the full name for resources (includes the release name) -fullnameOverride: "" - # -- Number of web deployment pods to start replicaCount: 1 
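Review bot: The two VaultSecret documents in this hunk quote their scalars inconsistently: the new butler-secret document writes `type: Opaque` while the pull-secret document writes `type: "kubernetes.io/dockerconfigjson"` and `name: "pull-secret"`, so one style should be used for both. The butler-secret document also syncs every key under `{{ .Values.global.vaultSecretsPath }}/butler-secret` into the Secret; if that Vault path holds more than the two credential files the deployment reads, a `keys:` list (as the sasquatch chart's vault-secrets.yaml uses) limits what is copied into the cluster.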
@@ -21,16 +15,41 @@ image: # -- Overrides the image tag whose default is the chart appVersion. tag: "" +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + # -- Annotations for the datalinker deployment pod podAnnotations: {} +service: + # -- Type of service to create + type: ClusterIP + + # -- Port of the service to create and map to the ingress + port: 8080 + ingress: + # -- Create an ingress resource + enabled: true + # -- Gafaelfawr auth query string (default, unauthenticated) gafaelfawrAuthQuery: "" # -- Additional annotations for the ingress rule annotations: {} + # -- Path type for the ingress rule + pathType: ImplementationSpecific + + # -- URL path to dispatch to the datalinker deployment pod + path: "/api/datalink" + + # -- Ingress class + className: nginx + # -- Resource limits and requests for the datalinker deployment pod resources: {} From 880fd60c38eefb778fa0ab8972a944816d5d14aa Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 11:13:47 -0700 Subject: [PATCH 0433/1479] remove charts pull-secret from squareone --- services/squareone/Chart.yaml | 5 ----- services/squareone/README.md | 8 +------- services/squareone/templates/vault-secrets.yaml | 9 +++++++++ services/squareone/values.yaml | 2 +- 4 files changed, 11 insertions(+), 13 deletions(-) create mode 100644 services/squareone/templates/vault-secrets.yaml diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index c2b0a84de8..b71181c951 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -11,8 +11,3 @@ maintainers: # The default version tag of the squareone docker image appVersion: "0.7.0b1" - -dependencies: - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ diff --git a/services/squareone/README.md b/services/squareone/README.md index 4c2e76d6c7..e761e3c31f 100644 --- a/services/squareone/README.md 
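Review bot: `pathType: ImplementationSpecific` in this hunk changes the rendered ingress from the previously hard-coded `Prefix` removed in the ingress.yaml hunk, and with this default the template's `default "Prefix"` fallback can never apply; the commit description does not mention the behavioural change. For ingress-nginx the two are close for a path like `/api/datalink`, but ImplementationSpecific delegates matching to the controller, so either keep `Prefix` as the value default or state in the `# --` comment why controller-specific matching is wanted. `className: nginx` also duplicates the `kubernetes.io/ingress.class: "nginx"` annotation the template still emits; one of them should go once every target cluster honours `ingressClassName`.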
+++ b/services/squareone/README.md @@ -8,12 +8,6 @@ Squareone is the homepage UI for the Rubin Science Platform. * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://lsst-sqre.github.io/charts/ | pull-secret | 0.1.2 | - ## Values | Key | Type | Default | Description | @@ -30,7 +24,7 @@ Squareone is the homepage UI for the Rubin Science Platform. | fullnameOverride | string | `""` | Overrides the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD Application | Base URL for the environment | | global.host | string | Set by Argo CD Application | Host name for ingress | -| global.vaultSecretsPathPrefix | string | Set by Argo CD Application | Base path for Vault secrets | +| global.vaultSecretsPath | string | Set by Argo CD Application | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy (tip: use Always for development) | | image.repository | string | `"ghcr.io/lsst-sqre/squareone"` | Squareone Docker image repository | | image.tag | string | Chart's appVersion | Overrides the image tag. | diff --git a/services/squareone/templates/vault-secrets.yaml b/services/squareone/templates/vault-secrets.yaml new file mode 100644 index 0000000000..0d7e4901e9 --- /dev/null +++ b/services/squareone/templates/vault-secrets.yaml @@ -0,0 +1,9 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: pull-secret + labels: + {{- include "squareone.labels" . | nindent 4 }} +spec: + path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + type: kubernetes.io/dockerconfigjson diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index c82dac869a..9e390ff256 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml @@ -89,4 +89,4 @@ global: # -- Base path for Vault secrets # @default -- Set by Argo CD Application - vaultSecretsPathPrefix: "" + vaultSecretsPath: "" 
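Review bot: The new squareone vault-secrets.yaml builds `path: "{{- .Values.global.vaultSecretsPath }}/pull-secret"` from a value whose default in values.yaml is `""`, so a missing Argo CD injection silently yields the Vault path `/pull-secret` instead of a render failure; the datalinker ingress in this same series uses `required "global.host must be set"`, and the same guard fits here: `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/pull-secret"`. The leading `{{-` trim marker does nothing useful inside the quoted string and the datalinker commit above removed it, and `type: kubernetes.io/dockerconfigjson` is left unquoted where datalinker quotes it. Matching the datalinker file keeps the two charts' pull-secret templates identical and easier to diff.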
From a0ea80ff4b6e35f30397b4d1f78c16399f6bee5b Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 11:49:25 -0700 Subject: [PATCH 0434/1479] Point remaining sasquatch secrets to global path --- services/sasquatch/templates/vault-secrets.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/templates/vault-secrets.yaml b/services/sasquatch/templates/vault-secrets.yaml index 4383756330..35dceb588c 100644 --- a/services/sasquatch/templates/vault-secrets.yaml +++ b/services/sasquatch/templates/vault-secrets.yaml @@ -15,7 +15,7 @@ metadata: spec: keys: - ts-salkafka-password - path: {{ .Values.vaultSecretsPath }}/sasquatch + path: "{{ .Values.global.vaultSecretsPath }}/sasquatch" type: Opaque --- apiVersion: ricoberger.de/v1alpha1 @@ -32,5 +32,5 @@ metadata: name: sasquatch-nexus3-docker namespace: sasquatch spec: - path: {{ .Values.vaultSecretsPath }}/pull-secret + path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" type: kubernetes.io/dockerconfigjson From 1b49e33da0e83f62b4cb033cc247595de199a004 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:10:54 -0700 Subject: [PATCH 0435/1479] Add generic values file with aggregated roles --- .../templates/argocd-application.yaml | 1 + services/argocd/values-idfdev.yaml | 2 + services/argocd/values.yaml | 54 +++++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 services/argocd/values.yaml diff --git a/science-platform/templates/argocd-application.yaml b/science-platform/templates/argocd-application.yaml index ea9379a8f9..458e205b5e 100644 --- a/science-platform/templates/argocd-application.yaml +++ b/science-platform/templates/argocd-application.yaml @@ -16,4 +16,5 @@ spec: targetRevision: {{ .Values.revision }} helm: valueFiles: + - values.yaml - values-{{ .Values.environment }}.yaml diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index f91c296f4a..6994fff0c7 100644 --- a/services/argocd/values-idfdev.yaml 
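Review bot: Adding `- values.yaml` to `valueFiles` in the shared Application template makes every service chart require a `values.yaml`; Helm fails to render when a listed values file is missing, so a service directory without one breaks its Application rather than being skipped. This commit creates `services/argocd/values.yaml`, but the template applies to all services, so either confirm each service chart ships a values.yaml or add `ignoreMissingValueFiles: true` next to `valueFiles` in this hunk.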
+++ b/services/argocd/values-idfdev.yaml @@ -62,6 +62,8 @@ argo-cd: name: stable - url: https://strimzi.io/charts/ name: strimzi + resource.compareoptions: | + ignoreAggregatedRoles: true rbacConfig: policy.csv: | diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml new file mode 100644 index 0000000000..83674741ca --- /dev/null +++ b/services/argocd/values.yaml @@ -0,0 +1,54 @@ +argo-cd: + redis: + enabled: true + metrics: + enabled: true + + controller: + metrics: + enabled: true + applicationLabels: + enabled: true + labels: ["name", "instance"] + + repoServer: + metrics: + enabled: true + + notifications: + metrics: + enabled: true + + server: + metrics: + enabled: true + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + paths: + - /argo-cd(/|$)(.*) + + extraArgs: + - "--basehref=/argo-cd" + - "--insecure=true" + + config: + helm.repositories: | + - url: https://lsst-sqre.github.io/charts/ + name: lsst-sqre + - url: https://ricoberger.github.io/helm-charts/ + name: ricoberger + - url: https://kubernetes.github.io/ingress-nginx/ + name: ingress-nginx + - url: https://charts.helm.sh/stable + name: stable + - url: https://strimzi.io/charts/ + name: strimzi + resource.compareoptions: | + ignoreAggregatedRoles: true + + configs: + secret: + createSecret: false From 09510753169467e2a38ccd462024e81ccd084145 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:14:39 -0700 Subject: [PATCH 0436/1479] remove generics from idfdev values --- services/argocd/values-idfdev.yaml | 48 ------------------------------ 1 file changed, 48 deletions(-) diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index 6994fff0c7..c1bac1bcc1 100644 --- a/services/argocd/values-idfdev.yaml +++ b/services/argocd/values-idfdev.yaml 
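Review bot: `--insecure=true` in `server.extraArgs` of the new values.yaml turns off TLS on the argocd-server listener for every environment that inherits this file; that is the usual setup behind an ingress that terminates TLS, but it means the hop from ingress-nginx to the server is plaintext and the server no longer enforces HTTPS itself. A comment next to the flag naming the ingress as the TLS boundary would record that decision, and a NetworkPolicy restricting argocd-server to the ingress controller is the compensating control. The `helm.repositories` list and `resource.compareoptions` block are still present in values-idfdev.yaml after this commit, so until the follow-up removal lands the two copies can drift.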
@@ -1,40 +1,9 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: enabled: true hosts: - "data-dev.lsst.cloud" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" config: url: https://data-dev.lsst.cloud/argo-cd @@ -51,19 +20,6 @@ argo-cd: hostedDomains: - lsst.cloud redirectURI: https://data-dev.lsst.cloud/argo-cd/api/dex/callback - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi - resource.compareoptions: | - ignoreAggregatedRoles: true rbacConfig: policy.csv: | @@ -80,10 +36,6 @@ argo-cd: g, roby@lsst.cloud, role:admin scopes: "[email]" - configs: - secret: - createSecret: false - vault_secret: enabled: true path: secret/k8s_operator/data-dev.lsst.cloud/argocd From c3468bedbccc822d49ece4c194d6c01f713abd97 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:19:05 -0700 Subject: [PATCH 0437/1479] remove generics from base --- services/argocd/values-base.yaml | 48 -------------------------------- 1 file changed, 48 deletions(-) diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml index 33cabea149..4897e443e1 100644 --- a/services/argocd/values-base.yaml +++ b/services/argocd/values-base.yaml 
@@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "base-lsp.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://base-lsp.lsst.codes/argo-cd dex.config: | @@ -51,26 +18,11 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin - configs: - secret: - createSecret: false - vault_secret: enabled: true path: secret/k8s_operator/base-lsp.lsst.codes/argocd From 054758875c0d33ccdc033d2b21cf124f64926b6b Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:26:30 -0700 Subject: [PATCH 0438/1479] DRY out IDF-int --- services/argocd/values-idfint.yaml | 48 ------------------------------ 1 file changed, 48 deletions(-) diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml index 622a846e56..4c273a435f 100644 --- a/services/argocd/values-idfint.yaml +++ b/services/argocd/values-idfint.yaml 
@@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "data-int.lsst.cloud" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://data-int.lsst.cloud/argo-cd dex.config: | @@ -51,17 +18,6 @@ argo-cd: hostedDomains: - lsst.cloud redirectURI: https://data-int.lsst.cloud/argo-cd/api/dex/callback - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | @@ -80,10 +36,6 @@ argo-cd: g, fritzm@lsst.cloud, role:admin scopes: "[email]" - configs: - secret: - createSecret: false - vault_secret: enabled: true path: secret/k8s_operator/data-int.lsst.cloud/argocd From 926c49c56eddbb8986a47ea3724149ff577a7c01 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:28:02 -0700 Subject: [PATCH 0439/1479] DRY out IDF-prod --- services/argocd/values-idfprod.yaml | 48 ----------------------------- 1 file changed, 48 deletions(-) diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml index d5f4af6e30..96817e45df 100644 --- a/services/argocd/values-idfprod.yaml +++ b/services/argocd/values-idfprod.yaml 
@@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "data.lsst.cloud" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://data.lsst.cloud/argo-cd dex.config: | @@ -51,17 +18,6 @@ argo-cd: hostedDomains: - lsst.cloud redirectURI: https://data.lsst.cloud/argo-cd/api/dex/callback - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | @@ -78,10 +34,6 @@ argo-cd: g, roby@lsst.cloud, role:admin scopes: "[email]" - configs: - secret: - createSecret: false - vault_secret: enabled: true path: secret/k8s_operator/data.lsst.cloud/argocd From 988ceec70ed91282c7cfca5b82467007dac92952 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:30:41 -0700 Subject: [PATCH 0440/1479] DRY out NCSA int --- services/argocd/values-int.yaml | 47 --------------------------------- 1 file changed, 47 deletions(-) diff --git a/services/argocd/values-int.yaml b/services/argocd/values-int.yaml index e27a97f19b..78bcc8fa11 100644 --- a/services/argocd/values-int.yaml +++ b/services/argocd/values-int.yaml 
@@ -1,40 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true server: - metrics: - enabled: true ingress: - enabled: true hosts: - "lsst-lsp-int.ncsa.illinois.edu" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://lsst-lsp-int.ncsa.illinois.edu/argo-cd dex.config: | @@ -50,26 +18,11 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin - configs: - secret: - createSecret: false - vault_secret: enabled: true path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/argocd From 957c9c9041d62404913c16e754595119000d7558 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:35:16 -0700 Subject: [PATCH 0441/1479] DRY out minikube --- services/argocd/values-minikube.yaml | 48 ---------------------------- 1 file changed, 48 deletions(-) diff --git a/services/argocd/values-minikube.yaml b/services/argocd/values-minikube.yaml index d5340f0bf2..e86ffb9f30 100644 --- a/services/argocd/values-minikube.yaml +++ b/services/argocd/values-minikube.yaml 
@@ -2,58 +2,10 @@ argo-cd: controller: args: repoServerTimeoutSeconds: "180" - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - redis: - enabled: true - metrics: - enabled: true - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "minikube.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - - config: - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi - - configs: - secret: - createSecret: false vault_secret: enabled: true From 4c9341b3c430dc52939014bd6133f274fc0b43b4 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:47:23 -0700 Subject: [PATCH 0442/1479] DRY out roe --- services/argocd/values-roe.yaml | 45 +++------------------------------ 1 file changed, 4 insertions(+), 41 deletions(-) diff --git a/services/argocd/values-roe.yaml b/services/argocd/values-roe.yaml index d566c2326b..6b5f5cf857 100644 --- a/services/argocd/values-roe.yaml +++ b/services/argocd/values-roe.yaml 
@@ -1,52 +1,15 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "rsp.lsst.ac.uk" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" config: url: https://rsp.lsst.ac.uk/argo-cd - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable + configs: + secret: + createSecret: true + pull-secret: enabled: true path: secret/k8s_operator/roe/pull-secret From bb59085f4d97fa691647637bf6b181967873ce8c Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:53:46 -0700 Subject: [PATCH 0443/1479] DRY out NCSA prod --- services/argocd/values-stable.yaml | 48 ------------------------------ 1 file changed, 48 deletions(-) diff --git a/services/argocd/values-stable.yaml b/services/argocd/values-stable.yaml index 6ac6dfc7d6..7ac746466c 100644 --- a/services/argocd/values-stable.yaml +++ b/services/argocd/values-stable.yaml 
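Review bot: `configs.secret.createSecret: true` in the added block flips the `false` default that the shared values.yaml set earlier in this series, with no comment saying why roe lets the chart generate `argocd-secret` while every other environment keeps it off. Since roe also enables `vault_secret` for the argocd path, it is worth confirming the chart-generated Secret and the vault-provided one do not both claim the same name; either way a one-line comment above the override, e.g. `# roe differs from the shared default: <REASON - fill in>`, would stop a later DRY pass from deleting it as redundant. The removed roe `helm.repositories` block did not list strimzi, so roe now inherits that repository from values.yaml — probably intended, but it is a behaviour change the commit message does not mention.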
@@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "lsst-lsp-stable.ncsa.illinois.edu" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://lsst-lsp-stable.ncsa.illinois.edu/argo-cd dex.config: | @@ -51,26 +18,11 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin - configs: - secret: - createSecret: false - vault_secret: enabled: true path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/argocd From fe8d5d251e85dc0f385062f66c4d835f788c57be Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 12:56:09 -0700 Subject: [PATCH 0444/1479] DRY out summit --- services/argocd/values-summit.yaml | 49 ------------------------------ 1 file changed, 49 deletions(-) diff --git a/services/argocd/values-summit.yaml b/services/argocd/values-summit.yaml index 837c1918ec..62c0d676a6 100644 --- a/services/argocd/values-summit.yaml +++ b/services/argocd/values-summit.yaml 
@@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "summit-lsp.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://summit-lsp.lsst.codes/argo-cd dex.config: | @@ -51,26 +18,10 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi - rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin - configs: - secret: - createSecret: false - vault_secret: enabled: true path: secret/k8s_operator/summit-lsp.lsst.codes/argocd From 5b8e99d89254332bec9ad1794f5f80a254ad3090 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 13:05:46 -0700 Subject: [PATCH 0445/1479] DRY out TTS --- services/argocd/values-tucson-teststand.yaml | 49 -------------------- 1 file changed, 49 deletions(-) diff --git a/services/argocd/values-tucson-teststand.yaml b/services/argocd/values-tucson-teststand.yaml index d467e06f8f..7267dfe6d0 100644 --- a/services/argocd/values-tucson-teststand.yaml +++ b/services/argocd/values-tucson-teststand.yaml 
@@ -1,41 +1,8 @@ argo-cd: - redis: - enabled: true - metrics: - enabled: true - - controller: - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - - repoServer: - metrics: - enabled: true - - notifications: - metrics: - enabled: true - server: - metrics: - enabled: true ingress: - enabled: true hosts: - "tucson-teststand.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - config: url: https://tucson-teststand.lsst.codes/argo-cd dex.config: | @@ -51,26 +18,10 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: lsst-sqre - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - - url: https://strimzi.io/charts/ - name: strimzi - rbacConfig: policy.csv: | g, lsst-sqre:square, role:admin - configs: - secret: - createSecret: false - vault_secret: enabled: true path: secret/k8s_operator/tucson-teststand.lsst.codes/argocd From d7f8edb54d6215fcfe80fd28c05448ac50441789 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 13 May 2022 13:31:59 -0700 Subject: [PATCH 0446/1479] Add vault/pull secret stub to values.yaml --- services/argocd/values.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml index 83674741ca..1b966fa647 100644 --- a/services/argocd/values.yaml +++ b/services/argocd/values.yaml @@ -52,3 +52,12 @@ argo-cd: configs: secret: createSecret: false + +vault_secret: + enabled: true + path: "" + + +pull-secret: + enabled: true + path: "" From 48111bdeb70b257d504f8ccddba2e561bfe983e5 Mon Sep 17 00:00:00 2001 
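Review bot: The new `vault_secret` and `pull-secret` stubs in values.yaml default to `enabled: true` with `path: ""`, so an environment file that forgets its override renders the secret resources with an empty Vault path instead of failing early; defaulting `enabled` to `false`, or having the templates wrap the path in `required`, would surface the omission at render time (I cannot see the templates from here, so check which applies). The two stanzas are also separated by two blank lines where the rest of the file uses one, which yamllint's `empty-lines` rule flags by default.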
From: adam Date: Fri, 13 May 2022 14:59:31 -0700 Subject: [PATCH 0447/1479] remove pull-secret from argocd --- services/argocd/Chart.yaml | 3 --- services/argocd/values-base.yaml | 4 ---- services/argocd/values-idfdev.yaml | 5 ----- services/argocd/values-idfint.yaml | 4 ---- services/argocd/values-idfprod.yaml | 4 ---- services/argocd/values-int.yaml | 4 ---- services/argocd/values-minikube.yaml | 4 ---- services/argocd/values-roe.yaml | 4 ---- services/argocd/values-stable.yaml | 4 ---- services/argocd/values-summit.yaml | 4 ---- services/argocd/values-tucson-teststand.yaml | 4 ---- services/argocd/values.yaml | 5 ----- 12 files changed, 49 deletions(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index e2bfe9a7d0..83b04ace77 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -5,6 +5,3 @@ dependencies: - name: argo-cd version: 4.5.12 repository: https://argoproj.github.io/argo-helm -- name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml index 4897e443e1..d0976e6697 100644 --- a/services/argocd/values-base.yaml +++ b/services/argocd/values-base.yaml @@ -26,7 +26,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/base-lsp.lsst.codes/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index c1bac1bcc1..2a3aec6c5f 100644 --- a/services/argocd/values-idfdev.yaml +++ b/services/argocd/values-idfdev.yaml @@ -39,8 +39,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/data-dev.lsst.cloud/argocd - - -pull-secret: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml index 4c273a435f..c1e485b2cb 100644 --- a/services/argocd/values-idfint.yaml 
+++ b/services/argocd/values-idfint.yaml @@ -39,7 +39,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/data-int.lsst.cloud/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/pull-secret diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml index 96817e45df..64e147d74f 100644 --- a/services/argocd/values-idfprod.yaml +++ b/services/argocd/values-idfprod.yaml @@ -37,7 +37,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/data.lsst.cloud/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/data.lsst.cloud/pull-secret diff --git a/services/argocd/values-int.yaml b/services/argocd/values-int.yaml index 78bcc8fa11..0b1ea1d9af 100644 --- a/services/argocd/values-int.yaml +++ b/services/argocd/values-int.yaml @@ -26,7 +26,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret diff --git a/services/argocd/values-minikube.yaml b/services/argocd/values-minikube.yaml index e86ffb9f30..4fd10dcc4a 100644 --- a/services/argocd/values-minikube.yaml +++ b/services/argocd/values-minikube.yaml @@ -10,7 +10,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/minikube.lsst.codes/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/minikube.lsst.codes/pull-secret diff --git a/services/argocd/values-roe.yaml b/services/argocd/values-roe.yaml index 6b5f5cf857..2e7d92e03d 100644 --- a/services/argocd/values-roe.yaml +++ b/services/argocd/values-roe.yaml @@ -10,10 +10,6 @@ argo-cd: secret: createSecret: true -pull-secret: - enabled: true - path: secret/k8s_operator/roe/pull-secret - vault_secret: enabled: true path: secret/k8s_operator/roe/argocd diff --git a/services/argocd/values-stable.yaml b/services/argocd/values-stable.yaml index 7ac746466c..dda9600a3d 100644 
--- a/services/argocd/values-stable.yaml +++ b/services/argocd/values-stable.yaml @@ -26,7 +26,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret diff --git a/services/argocd/values-summit.yaml b/services/argocd/values-summit.yaml index 62c0d676a6..b8db9e5365 100644 --- a/services/argocd/values-summit.yaml +++ b/services/argocd/values-summit.yaml @@ -25,7 +25,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/summit-lsp.lsst.codes/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret diff --git a/services/argocd/values-tucson-teststand.yaml b/services/argocd/values-tucson-teststand.yaml index 7267dfe6d0..9722005ce1 100644 --- a/services/argocd/values-tucson-teststand.yaml +++ b/services/argocd/values-tucson-teststand.yaml @@ -25,7 +25,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/tucson-teststand.lsst.codes/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml index 1b966fa647..124eaf218b 100644 --- a/services/argocd/values.yaml +++ b/services/argocd/values.yaml @@ -56,8 +56,3 @@ argo-cd: vault_secret: enabled: true path: "" - - -pull-secret: - enabled: true - path: "" From d0f89981e470c57f62487c86c9b9d23c9a96d431 Mon Sep 17 00:00:00 2001 
From: adam Date: Sat, 14 May 2022 09:32:00 -0700 Subject: [PATCH 0448/1479] freshen values.yaml documentation --- services/argocd/README.md | 35 +++++++++++++++++++++ services/argocd/values.yaml | 2 ++ services/ingress-nginx/README.md | 23 ++++++++++++++ services/ingress-nginx/values.yaml | 5 +++ services/vault-secrets-operator/README.md | 16 ++++++++++ services/vault-secrets-operator/values.yaml | 5 +++ 6 files changed, 86 insertions(+) create mode 100644 services/argocd/README.md create mode 100644 services/ingress-nginx/README.md create mode 100644 services/vault-secrets-operator/README.md diff --git a/services/argocd/README.md b/services/argocd/README.md new file mode 100644 index 0000000000..4586f92962 --- /dev/null +++ b/services/argocd/README.md 
@@ -0,0 +1,35 @@ +# argo-cd + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://argoproj.github.io/argo-helm | argo-cd | 4.5.12 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| argo-cd.configs.secret.createSecret | bool | `false` | | +| argo-cd.controller.metrics.applicationLabels.enabled | bool | `true` | | +| argo-cd.controller.metrics.applicationLabels.labels[0] | string | `"name"` | | +| argo-cd.controller.metrics.applicationLabels.labels[1] | string | `"instance"` | | +| argo-cd.controller.metrics.enabled | bool | `true` | | +| argo-cd.notifications.metrics.enabled | bool | `true` | | +| argo-cd.redis.enabled | bool | `true` | | +| argo-cd.redis.metrics.enabled | bool | `true` | | +| argo-cd.repoServer.metrics.enabled | bool | `true` | | +| argo-cd.server.config."helm.repositories" | string | `"- url: https://lsst-sqre.github.io/charts/\n name: lsst-sqre\n- url: https://ricoberger.github.io/helm-charts/\n name: ricoberger\n- url: https://kubernetes.github.io/ingress-nginx/\n name: ingress-nginx\n- url: https://charts.helm.sh/stable\n name: stable\n- url: https://strimzi.io/charts/\n name: strimzi\n"` | | +| argo-cd.server.config."resource.compareoptions" | string | `"ignoreAggregatedRoles: true\n"` | | +| argo-cd.server.config.url | string | Set by Argo CD | Injected by ArgoCD; do not set in the individual environment files | +| argo-cd.server.extraArgs[0] | string | `"--basehref=/argo-cd"` | | +| argo-cd.server.extraArgs[1] | string | `"--insecure=true"` | | +| argo-cd.server.ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` | | +| argo-cd.server.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/$2"` | | +| argo-cd.server.ingress.enabled | bool | `true` | | +| argo-cd.server.ingress.host | list | Set by Argo CD | Injected by ArgoCD; do not set in the individual environment files | +| argo-cd.server.ingress.paths[0] 
| string | `"/argo-cd(/|$)(.*)"` | | +| argo-cd.server.metrics.enabled | bool | `true` | | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| vault_secret.enabled | bool | `true` | | +| vault_secret.path | string | `""` | | diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml index 124eaf218b..d870b19b76 100644 --- a/services/argocd/values.yaml +++ b/services/argocd/values.yaml @@ -1,3 +1,5 @@ +## Argo CD configuration +## https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/values.yaml argo-cd: redis: enabled: true diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md new file mode 100644 index 0000000000..f433db9442 --- /dev/null +++ b/services/ingress-nginx/README.md 
@@ -0,0 +1,23 @@ +# ingress-nginx + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| ingress-nginx.controller.config.compute-full-forwarded-for | string | `"true"` | | +| ingress-nginx.controller.config.large-client-header-buffers | string | `"4 64k"` | | +| ingress-nginx.controller.config.proxy-body-size | string | `"100m"` | | +| ingress-nginx.controller.config.proxy-buffer-size | string | `"64k"` | | +| ingress-nginx.controller.config.ssl-redirect | string | `"true"` | | +| ingress-nginx.controller.config.use-forwarded-headers | string | `"true"` | | +| ingress-nginx.controller.metrics.enabled | bool | `true` | | +| ingress-nginx.controller.podLabels."gafaelfawr.lsst.io/ingress" | string | `"true"` | | +| ingress-nginx.controller.podLabels."hub.jupyter.org/network-access-proxy-http" | string | `"true"` | | +| ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | +| vault_certificate.enabled | bool | `false` | Whether to store ingress TLS certificate via vault-secrets-operator. Typically "squareone" owns it instead in an RSP. | diff --git a/services/ingress-nginx/values.yaml b/services/ingress-nginx/values.yaml index 202a2d21fe..39dad12993 100644 --- a/services/ingress-nginx/values.yaml +++ b/services/ingress-nginx/values.yaml @@ -1,3 +1,5 @@ +## Ingress configuration +## https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml ingress-nginx: controller: config: @@ -16,4 +18,7 @@ ingress-nginx: enabled: true vault_certificate: + # -- Whether to store ingress TLS certificate via + # vault-secrets-operator. Typically "squareone" owns it instead in an + # RSP. enabled: false 
diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md new file mode 100644 index 0000000000..ce388ddde0 --- /dev/null +++ b/services/vault-secrets-operator/README.md @@ -0,0 +1,16 @@ +# vault-secrets-operator + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.18.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| vault-secrets-operator.environmentVars[0] | object | `{"name":"VAULT_TOKEN","valueFrom":{"secretKeyRef":{"key":"VAULT_TOKEN","name":"vault-secrets-operator"}}}` | environment variable where the Vault read token is kept | +| vault-secrets-operator.environmentVars[1] | object | `{"name":"VAULT_TOKEN_LEASE_DURATION","valueFrom":{"secretKeyRef":{"key":"VAULT_TOKEN_LEASE_DURATION","name":"vault-secrets-operator"}}}` | environment variable storing the lease duration, in seconds | +| vault-secrets-operator.vault.address | string | `"https://vault.lsst.codes"` | URL of the underlying Vault implementation | +| vault-secrets-operator.vault.reconciliationTime | int | `60` | Sync secrets from vault on this cadence | diff --git a/services/vault-secrets-operator/values.yaml b/services/vault-secrets-operator/values.yaml index 51a1243b2d..76271289e6 100644 --- a/services/vault-secrets-operator/values.yaml +++ b/services/vault-secrets-operator/values.yaml 
@@ -1,15 +1,20 @@ +# Variables for Vault Secrets Operator vault-secrets-operator: environmentVars: + # -- environment variable where the Vault read token is kept - name: VAULT_TOKEN valueFrom: secretKeyRef: name: vault-secrets-operator key: VAULT_TOKEN + # -- environment variable storing the lease duration, in seconds - name: VAULT_TOKEN_LEASE_DURATION valueFrom: secretKeyRef: name: vault-secrets-operator key: VAULT_TOKEN_LEASE_DURATION vault: + # -- URL of the underlying Vault implementation address: "https://vault.lsst.codes" + # -- Sync secrets from vault on this cadence reconciliationTime: 60 From 0fbd4f6897c6f68d069167da9cd77583f8180ac4 Mon Sep 17 00:00:00 2001 
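Review bot: The header comment `# Variables for Vault Secrets Operator` does not match the two sibling values files touched by this commit, which use a `##` header followed by a link to the upstream chart's values.yaml; for consistency write `## Vault Secrets Operator configuration` and add the upstream values link on the next line (`## <UPSTREAM-VALUES-URL - fill in>`). The helm-docs comment on `reconciliationTime` gives no unit, so the bare `60` is ambiguous; `# -- Sync secrets from vault on this cadence (presumably seconds — confirm against the operator docs)` would make it readable. The README generated from these comments in the same commit will need regenerating after the wording changes.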
From: adam Date: Sat, 14 May 2022 09:51:09 -0700 Subject: [PATCH 0449/1479] freshen documentation --- services/alert-stream-broker/README.md | 4 ++++ services/argocd/README.md | 8 +++++--- services/cachemachine/README.md | 5 +++++ services/cert-manager/README.md | 5 +++++ services/datalinker/README.md | 11 +++++++++++ services/exposurelog/README.md | 5 +++++ services/gafaelfawr/README.md | 5 +++++ services/ingress-nginx/README.md | 5 +++++ services/mobu/README.md | 5 +++++ services/moneypenny/README.md | 5 +++++ services/narrativelog/README.md | 5 +++++ services/noteburst/README.md | 11 +++++++++++ services/nublado2/README.md | 11 +++++++++++ services/obstap/README.md | 5 +++++ services/plot-navigator/README.md | 5 +++++ services/portal/README.md | 5 +++++ services/postgres/README.md | 5 +++++ services/production-tools/README.md | 5 +++++ services/sasquatch/README.md | 5 +++++ .../sasquatch/charts/kafka-connect-manager/README.md | 5 +++++ services/sasquatch/charts/strimzi-kafka/README.md | 5 +++++ services/semaphore/README.md | 11 +++++++++++ services/sherlock/README.md | 5 +++++ services/squareone/README.md | 11 +++++++++++ services/tap-schema/README.md | 5 +++++ services/tap/README.md | 5 +++++ services/telegraf-ds/README.md | 5 +++++ services/telegraf/README.md | 5 +++++ services/times-square/README.md | 5 +++++ services/vault-secrets-operator/README.md | 5 +++++ services/vo-cutouts/README.md | 5 +++++ 31 files changed, 184 insertions(+), 3 deletions(-) diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index b34b80c738..4921047d42 100644 --- a/services/alert-stream-broker/README.md +++ b/services/alert-stream-broker/README.md @@ -1,5 +1,7 @@ # alert-stream-broker +![Version: 3](https://img.shields.io/badge/Version-3-informational?style=flat-square) + ## Requirements | Repository | Name | Version | 
@@ -9,3 +11,5 @@ | https://lsst-sqre.github.io/charts/ | alert-stream-schema-registry | 2.1.0 | | https://lsst-sqre.github.io/charts/ | alert-stream-simulator | 1.6.2 | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/argocd/README.md b/services/argocd/README.md index 4586f92962..3c0868eac4 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -1,5 +1,7 @@ # argo-cd +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) + ## Requirements | Repository | Name | Version | 
@@ -21,15 +23,15 @@ | argo-cd.repoServer.metrics.enabled | bool | `true` | | | argo-cd.server.config."helm.repositories" | string | `"- url: https://lsst-sqre.github.io/charts/\n name: lsst-sqre\n- url: https://ricoberger.github.io/helm-charts/\n name: ricoberger\n- url: https://kubernetes.github.io/ingress-nginx/\n name: ingress-nginx\n- url: https://charts.helm.sh/stable\n name: stable\n- url: https://strimzi.io/charts/\n name: strimzi\n"` | | | argo-cd.server.config."resource.compareoptions" | string | `"ignoreAggregatedRoles: true\n"` | | -| argo-cd.server.config.url | string | Set by Argo CD | Injected by ArgoCD; do not set in the individual environment files | | argo-cd.server.extraArgs[0] | string | `"--basehref=/argo-cd"` | | | argo-cd.server.extraArgs[1] | string | `"--insecure=true"` | | | argo-cd.server.ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` | | | argo-cd.server.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/$2"` | | | argo-cd.server.ingress.enabled | bool | `true` | | -| argo-cd.server.ingress.host | list | Set by Argo CD | Injected by ArgoCD; do not set in the individual environment files | | argo-cd.server.ingress.paths[0] | string | `"/argo-cd(/|$)(.*)"` | | | argo-cd.server.metrics.enabled | bool | `true` | | -| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | vault_secret.enabled | bool | `true` | | | vault_secret.path | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md index 5565cfde52..43cb187310 100644 --- a/services/cachemachine/README.md +++ b/services/cachemachine/README.md 
@@ -1,5 +1,7 @@ # cachemachine +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square) + Service to prepull Docker images for the Science Platform ## Values @@ -27,3 +29,6 @@ Service to prepull Docker images for the Science Platform | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the cachemachine frontend pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index 2fdc08a311..78430f628d 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md @@ -1,5 +1,7 @@ # cert-manager +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) + Let's Encrypt certificate management ## Requirements @@ -20,3 +22,6 @@ Let's Encrypt certificate management | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | nameOverride | string | `""` | Override the base name for resources | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/datalinker/README.md b/services/datalinker/README.md index 384717980e..45da886446 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md 
@@ -1,7 +1,15 @@ # datalinker +![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + A Helm chart for Kubernetes +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| cbanek | | | + ## Values | Key | Type | Default | Description | @@ -32,3 +40,6 @@ A Helm chart for Kubernetes | service.port | int | `8080` | Port of the service to create and map to the ingress | | service.type | string | `"ClusterIP"` | Type of service to create | | tolerations | list | `[]` | Tolerations for the datalinker deployment pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index be69c3c671..9bbc583c0c 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -1,5 +1,7 @@ # exposurelog +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.9.2](https://img.shields.io/badge/AppVersion-0.9.2-informational?style=flat-square) + Exposure log service ## Values @@ -37,3 +39,6 @@ Exposure log service | resources | object | `{}` | Resource limits and requests for the exposurelog pod | | securityContext | object | `{}` | Security context for the exposurelog deployment | | tolerations | list | `[]` | Tolerations for the exposurelog pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 2f07c0d5fa..9eb198cbaa 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -1,5 +1,7 @@ # gafaelfawr +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 4.1.0](https://img.shields.io/badge/AppVersion-4.1.0-informational?style=flat-square) + Science Platform authentication and authorization system **Homepage:** @@ -86,3 +88,6 @@ Science Platform authentication and authorization system | tokens.resources | object | `{}` | Resource limits and requests for the Gafaelfawr token management pod | | tokens.tolerations | list | `[]` | Tolerations for the token management pod | | tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index f433db9442..89faf28495 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -1,5 +1,7 @@ # ingress-nginx +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) + ## Requirements | Repository | Name | Version | @@ -21,3 +23,6 @@ | ingress-nginx.controller.podLabels."hub.jupyter.org/network-access-proxy-http" | string | `"true"` | | | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | | vault_certificate.enabled | bool | `false` | Whether to store ingress TLS certificate via vault-secrets-operator. Typically "squareone" owns it instead in an RSP. | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/mobu/README.md b/services/mobu/README.md index 587148f45f..da142bba9c 100644 
--- a/services/mobu/README.md +++ b/services/mobu/README.md @@ -1,5 +1,7 @@ # mobu +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 4.2.0](https://img.shields.io/badge/AppVersion-4.2.0-informational?style=flat-square) + Generate system load by pretending to be a random scientist **Homepage:** @@ -25,3 +27,6 @@ Generate system load by pretending to be a random scientist | podAnnotations | object | `{}` | Annotations for the mobu frontend pod | | resources | object | `{}` | Resource limits and requests for the mobu frontend pod | | tolerations | list | `[]` | Tolerations for the mobu frontend pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/moneypenny/README.md b/services/moneypenny/README.md index 2091cd7266..a6cf018f86 100644 --- a/services/moneypenny/README.md +++ b/services/moneypenny/README.md @@ -1,5 +1,7 @@ # moneypenny +![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + User provisioning actions for the Science Platform ## Values @@ -27,3 +29,6 @@ User provisioning actions for the Science Platform | resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod | | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index 1f65d61184..74642a3c3e 100644 --- a/services/narrativelog/README.md 
+++ b/services/narrativelog/README.md @@ -1,5 +1,7 @@ # narrativelog +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.1](https://img.shields.io/badge/AppVersion-0.2.1-informational?style=flat-square) + Narrative log service ## Values @@ -31,3 +33,6 @@ Narrative log service | resources | object | `{}` | Resource limits and requests for the narrativelog pod | | securityContext | object | `{}` | Security context for the narrativelog deployment | | tolerations | list | `[]` | Tolerations for the narrativelog pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index fc1b99cf29..f42a644aed 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -1,9 +1,17 @@ # noteburst +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square) + Noteburst is a notebook execution service for the Rubin Science Platform. **Homepage:** +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| jonathansick | | https://github.com/jonathansick | + ## Source Code * 
@@ -50,3 +58,6 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 7bc9308897..fab98bcfab 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -1,9 +1,17 @@ # nublado2 +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![AppVersion: 2.3.0](https://img.shields.io/badge/AppVersion-2.3.0-informational?style=flat-square) + Nublado2 JupyterHub installation **Homepage:** +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| cbanek | | | + ## Source Code * @@ -147,3 +155,6 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.singleuser.storage.type | string | `"none"` | | | network_policy.enabled | bool | `true` | | | vault_secret_path | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/obstap/README.md b/services/obstap/README.md index 03e372869f..6e57588231 100644 --- a/services/obstap/README.md +++ b/services/obstap/README.md @@ -1,5 +1,7 @@ # cadc-tap-postgres +![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![AppVersion: 1.1](https://img.shields.io/badge/AppVersion-1.1-informational?style=flat-square) + CADC TAP PostgresSQL service, used for ObsTAP **Homepage:** 
@@ -43,3 +45,6 @@ CADC TAP PostgresSQL service, used for ObsTAP | uws.podAnnotations | object | `{}` | Annotations for the UWS databse pod | | uws.resources | object | `{}` | Resource limits and requests for the UWS database pod | | uws.tolerations | list | `[]` | Tolerations for the UWS database pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/plot-navigator/README.md b/services/plot-navigator/README.md index 1b7abe06c6..056ed20497 100644 --- a/services/plot-navigator/README.md +++ b/services/plot-navigator/README.md @@ -1,5 +1,7 @@ # plot-navigator +![Version: 1.6.1](https://img.shields.io/badge/Version-1.6.1-informational?style=flat-square) ![AppVersion: 0.6.1](https://img.shields.io/badge/AppVersion-0.6.1-informational?style=flat-square) + Panel-based plot viewer. ## Values @@ -14,3 +16,6 @@ Panel-based plot viewer. | image.tag | string | `""` | | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=plotnavigator"` | Gafaelfawr auth query string | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/portal/README.md b/services/portal/README.md index 7319b94887..8b6e6cabde 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -1,5 +1,7 @@ # portal +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: suit-2022.2](https://img.shields.io/badge/AppVersion-suit--2022.2-informational?style=flat-square) + Rubin Science Platform portal aspect **Homepage:** 
@@ -40,3 +42,6 @@ Rubin Science Platform portal aspect | resources | object | `{"limits":{"cpu":2,"memory":"6Gi"}}` | Resource limits and requests. The Portal will use (by default) 93% of container RAM. This is a smallish Portal; tweak it as you need to in instance definitions in Phalanx. | | securityContext | object | `{}` | Security context for the Portal pod | | tolerations | list | `[]` | Tolerations for the Portal pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/postgres/README.md b/services/postgres/README.md index ff04a90335..ab113f00a5 100644 --- a/services/postgres/README.md +++ b/services/postgres/README.md @@ -1,5 +1,7 @@ # postgres +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.0.5](https://img.shields.io/badge/AppVersion-0.0.5-informational?style=flat-square) + Postgres RDBMS for LSP **Homepage:** @@ -17,3 +19,6 @@ Postgres RDBMS for LSP | postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you want a good database maybe it's better to use a cloud database?), on Rubin Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere probably "standard" ... | | postgresVolumeSize | string | `"1Gi"` | Volume size for postgres. It can generally be very small | | volumeName | string | `""` | Volume name for postgres, if you use an existing volume that isn't automatically created from the PVC by the storage driver (e.g. NCSA) | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/production-tools/README.md b/services/production-tools/README.md index fe7ae5fce9..b2eff44bc6 100644 
--- a/services/production-tools/README.md +++ b/services/production-tools/README.md @@ -1,5 +1,7 @@ # production-tools +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.0.9](https://img.shields.io/badge/AppVersion-0.0.9-informational?style=flat-square) + A collection of utility pages for monitoring data processing. **Homepage:** @@ -26,3 +28,6 @@ A collection of utility pages for monitoring data processing. | replicaCount | int | `1` | Number of web deployment pods to start | | resources | object | `{}` | Resource limits and requests for the production-tools deployment pod | | tolerations | list | `[]` | Tolerations for the production-tools deployment pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 799960fab9..7cc7a11338 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -1,5 +1,7 @@ # sasquatch +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) + Rubin Observatory's telemetry service. ## Requirements @@ -76,3 +78,6 @@ Rubin Observatory's telemetry service. | telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"sasquatch"}}}` | Telegraf password. | | telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. | | telegraf.service.enabled | bool | `false` | Telegraf service. | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 9ad0b08e0b..34aee2ffb1 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -1,5 +1,7 @@ # kafka-connect-manager +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.9.3](https://img.shields.io/badge/AppVersion-0.9.3-informational?style=flat-square) + A subchart to deploy the Kafka connectors used by Sasquatch. ## Values @@ -72,3 +74,6 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | s3Sink.timezone | string | `"UTC"` | The timezone to use when partitioning with TimeBasedPartitioner. | | s3Sink.topicsDir | string | `"topics"` | Top level directory to store the data ingested from Kafka. | | s3Sink.topicsRegex | string | `".*"` | Regex to select topics from Kafka. | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 709e6b4f55..b31ff55618 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md @@ -1,5 +1,7 @@ # strimzi-kafka +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) + A subchart to deploy Strimzi Kafka components for Sasquatch. ## Values 
@@ -22,3 +24,6 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | zookeeper.replicas | int | `3` | Number of Zookeeper replicas to run. | | zookeeper.storage.size | string | `"100Gi"` | Size of the backing storage disk for each of the Zookeeper instances. | | zookeeper.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/semaphore/README.md b/services/semaphore/README.md index ea3233aef9..ea6c5148f0 100644 --- a/services/semaphore/README.md +++ b/services/semaphore/README.md @@ -1,7 +1,15 @@ # semaphore +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square) + Semaphore is the user notification and messaging service for the Rubin Science Platform. +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| jonathansick | | https://github.com/jonathansick | + ## Source Code * @@ -41,3 +49,6 @@ Semaphore is the user notification and messaging service for the Rubin Science P | serviceAccount.create | bool | `false` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/sherlock/README.md b/services/sherlock/README.md index c18bd816c7..6583939be2 100644 --- a/services/sherlock/README.md +++ b/services/sherlock/README.md 
@@ -1,5 +1,7 @@ # sherlock +![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.7](https://img.shields.io/badge/AppVersion-0.1.7-informational?style=flat-square) + A Helm chart for Kubernetes ## Values @@ -29,3 +31,6 @@ A Helm chart for Kubernetes | resources | object | `{}` | Resource limits and requests for the sherlock deployment pod | | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | Tolerations for the sherlock deployment pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/squareone/README.md b/services/squareone/README.md index e761e3c31f..de56288eb2 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -1,9 +1,17 @@ # squareone +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.7.0b1](https://img.shields.io/badge/AppVersion-0.7.0b1-informational?style=flat-square) + Squareone is the homepage UI for the Rubin Science Platform. **Homepage:** +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| jonathansick | | https://github.com/jonathansick | + ## Source Code * @@ -37,3 +45,6 @@ Squareone is the homepage UI for the Rubin Science Platform. | replicaCount | int | `1` | Number of squareone pods to run in the deployment. | | resources | object | `{}` | | | tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/tap-schema/README.md b/services/tap-schema/README.md index 4565a19acd..988a7090d2 100644 --- a/services/tap-schema/README.md +++ b/services/tap-schema/README.md 
@@ -1,5 +1,7 @@ # tap-schema +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.1.7](https://img.shields.io/badge/AppVersion-1.1.7-informational?style=flat-square) + The TAP_SCHEMA database **Homepage:** @@ -21,3 +23,6 @@ The TAP_SCHEMA database | podAnnotations | object | `{}` | Annotations for the MySQL pod | | resources | object | `{}` | Resource limits and requests for the MySQL pod | | tolerations | list | `[]` | Tolerations for the MySQL pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/tap/README.md b/services/tap/README.md index 2b651feb39..dfccfe44dc 100644 --- a/services/tap/README.md +++ b/services/tap/README.md @@ -1,5 +1,7 @@ # cadc-tap +![Version: 1.0.6](https://img.shields.io/badge/Version-1.0.6-informational?style=flat-square) ![AppVersion: 1.1.2](https://img.shields.io/badge/AppVersion-1.1.2-informational?style=flat-square) + A Helm chart for the CADC TAP service **Homepage:** @@ -50,3 +52,6 @@ A Helm chart for the CADC TAP service | uws.resources | object | `{}` | Resource limits and requests for the UWS database pod | | uws.tolerations | list | `[]` | Tolerations for the UWS database pod | | vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//tap`, for example) | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index 6469c5619c..6f051ed81f 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md @@ -1,5 +1,7 @@ # telegraf-ds +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) + SQuaRE DaemonSet (K8s) telemetry collection service ## Requirements 
@@ -25,3 +27,6 @@ SQuaRE DaemonSet (K8s) telemetry collection service | telegraf-ds.serviceAccount.name | string | `"telegraf-ds"` | | | telegraf-ds.volumes[0].configMap.name | string | `"telegraf-generated-config"` | | | telegraf-ds.volumes[0].name | string | `"telegraf-generated-config"` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/telegraf/README.md b/services/telegraf/README.md index a3dbb31800..cdbb76e254 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -1,5 +1,7 @@ # telegraf +![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) + SQuaRE telemetry collection service ## Requirements @@ -32,3 +34,6 @@ SQuaRE telemetry collection service | telegraf.tplVersion | int | `2` | | | telegraf.volumes[0].configMap.name | string | `"telegraf-generated-config"` | | | telegraf.volumes[0].name | string | `"telegraf-generated-config"` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/times-square/README.md b/services/times-square/README.md index 0551e7c5b1..ccd938ac7a 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -1,5 +1,7 @@ # times-square +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.0b1](https://img.shields.io/badge/AppVersion-0.4.0b1-informational?style=flat-square) + An API service for managing and rendering parameterized Jupyter notebooks. **Homepage:** 
@@ -60,3 +62,6 @@ An API service for managing and rendering parameterized Jupyter notebooks. | serviceAccount.create | bool | `false` | Force creation of a service account. Normally, no service account is used or mounted. If CloudSQL is enabled, a service account is always created regardless of this value. | | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the times-square deployment pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md index ce388ddde0..4e7f48c62a 100644 --- a/services/vault-secrets-operator/README.md +++ b/services/vault-secrets-operator/README.md @@ -1,5 +1,7 @@ # vault-secrets-operator +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) + ## Requirements | Repository | Name | Version | @@ -14,3 +16,6 @@ | vault-secrets-operator.environmentVars[1] | object | `{"name":"VAULT_TOKEN_LEASE_DURATION","valueFrom":{"secretKeyRef":{"key":"VAULT_TOKEN_LEASE_DURATION","name":"vault-secrets-operator"}}}` | environment variable storing the lease duration, in seconds | | vault-secrets-operator.vault.address | string | `"https://vault.lsst.codes"` | URL of the underlying Vault implementation | | vault-secrets-operator.vault.reconciliationTime | int | `60` | Sync secrets from vault on this cadence | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index e642be2102..8b0495110c 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -1,5 +1,7 @@ # vo-cutouts +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square) + Image cutout service complying with IVOA SODA **Homepage:** @@ -64,3 +66,6 @@ Image cutout service complying with IVOA SODA | replicaCount | int | `1` | Number of web frontend pods to start | | resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod | | tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) From dab03a678053ae6a09497cbcf6ad9910fbd747f8 Mon Sep 17 00:00:00 2001 
From: adam Date: Sat, 14 May 2022 09:57:18 -0700 Subject: [PATCH 0450/1479] helm-docs via pre-commit --- services/alert-stream-broker/README.md | 4 ---- services/argocd/README.md | 5 ----- services/cachemachine/README.md | 5 ----- services/cert-manager/README.md | 5 ----- services/datalinker/README.md | 11 ----------- services/exposurelog/README.md | 5 ----- services/gafaelfawr/README.md | 5 ----- services/ingress-nginx/README.md | 5 ----- services/mobu/README.md | 5 ----- services/moneypenny/README.md | 5 ----- services/narrativelog/README.md | 5 ----- services/noteburst/README.md | 11 ----------- services/nublado2/README.md | 11 ----------- services/obstap/README.md | 5 ----- services/plot-navigator/README.md | 5 ----- services/portal/README.md | 5 ----- services/postgres/README.md | 5 ----- services/production-tools/README.md | 5 ----- services/sasquatch/README.md | 5 ----- .../sasquatch/charts/kafka-connect-manager/README.md | 5 ----- services/sasquatch/charts/strimzi-kafka/README.md | 5 ----- services/semaphore/README.md | 11 ----------- services/sherlock/README.md | 5 ----- services/squareone/README.md | 11 ----------- services/tap-schema/README.md | 5 ----- services/tap/README.md | 5 ----- services/telegraf-ds/README.md | 5 ----- services/telegraf/README.md | 5 ----- services/times-square/README.md | 5 ----- services/vault-secrets-operator/README.md | 5 ----- services/vault-secrets-operator/values.yaml | 3 ++- services/vo-cutouts/README.md | 5 ----- 32 files changed, 2 insertions(+), 185 deletions(-) diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index 4921047d42..b34b80c738 100644 --- a/services/alert-stream-broker/README.md +++ b/services/alert-stream-broker/README.md @@ -1,7 +1,5 @@ # alert-stream-broker -![Version: 3](https://img.shields.io/badge/Version-3-informational?style=flat-square) - ## Requirements | Repository | Name | Version | 
@@ -11,5 +9,3 @@ | https://lsst-sqre.github.io/charts/ | alert-stream-schema-registry | 2.1.0 | | https://lsst-sqre.github.io/charts/ | alert-stream-simulator | 1.6.2 | ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/argocd/README.md b/services/argocd/README.md index 3c0868eac4..de3d407bd5 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -1,7 +1,5 @@ # argo-cd -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) - ## Requirements | Repository | Name | Version | @@ -32,6 +30,3 @@ | argo-cd.server.metrics.enabled | bool | `true` | | | vault_secret.enabled | bool | `true` | | | vault_secret.path | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md index 43cb187310..5565cfde52 100644 --- a/services/cachemachine/README.md +++ b/services/cachemachine/README.md @@ -1,7 +1,5 @@ # cachemachine -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square) - Service to prepull Docker images for the Science Platform ## Values @@ -29,6 +27,3 @@ Service to prepull Docker images for the Science Platform | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the cachemachine frontend pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index 78430f628d..2fdc08a311 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md @@ -1,7 +1,5 @@ # cert-manager -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) - Let's Encrypt certificate management ## Requirements @@ -22,6 +20,3 @@ Let's Encrypt certificate management | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | nameOverride | string | `""` | Override the base name for resources | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/datalinker/README.md b/services/datalinker/README.md index 45da886446..384717980e 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md @@ -1,15 +1,7 @@ # datalinker -![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - A Helm chart for Kubernetes -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| cbanek | | | - ## Values | Key | Type | Default | Description | @@ -40,6 +32,3 @@ A Helm chart for Kubernetes | service.port | int | `8080` | Port of the service to create and map to the ingress | | service.type | string | `"ClusterIP"` | Type of service to create | | tolerations | list | `[]` | Tolerations for the datalinker deployment pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index 9bbc583c0c..be69c3c671 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -1,7 +1,5 @@ # exposurelog -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.9.2](https://img.shields.io/badge/AppVersion-0.9.2-informational?style=flat-square) - Exposure log service ## Values @@ -39,6 +37,3 @@ Exposure log service | resources | object | `{}` | Resource limits and requests for the exposurelog pod | | securityContext | object | `{}` | Security context for the exposurelog deployment | | tolerations | list | `[]` | Tolerations for the exposurelog pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 9eb198cbaa..2f07c0d5fa 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -1,7 +1,5 @@ # gafaelfawr -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 4.1.0](https://img.shields.io/badge/AppVersion-4.1.0-informational?style=flat-square) - Science Platform authentication and authorization system **Homepage:** @@ -88,6 +86,3 @@ Science Platform authentication and authorization system | tokens.resources | object | `{}` | Resource limits and requests for the Gafaelfawr token management pod | | tokens.tolerations | list | `[]` | Tolerations for the token management pod | | tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index 89faf28495..f433db9442 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -1,7 +1,5 @@ # ingress-nginx -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) - ## Requirements | Repository | Name | Version | @@ -23,6 +21,3 @@ | ingress-nginx.controller.podLabels."hub.jupyter.org/network-access-proxy-http" | string | `"true"` | | | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | | vault_certificate.enabled | bool | `false` | Whether to store ingress TLS certificate via vault-secrets-operator. Typically "squareone" owns it instead in an RSP. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/mobu/README.md b/services/mobu/README.md index da142bba9c..587148f45f 100644 --- a/services/mobu/README.md +++ b/services/mobu/README.md @@ -1,7 +1,5 @@ # mobu -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 4.2.0](https://img.shields.io/badge/AppVersion-4.2.0-informational?style=flat-square) - Generate system load by pretending to be a random scientist **Homepage:** @@ -27,6 +25,3 @@ Generate system load by pretending to be a random scientist | podAnnotations | object | `{}` | Annotations for the mobu frontend pod | | resources | object | `{}` | Resource limits and requests for the mobu frontend pod | | tolerations | list | `[]` | Tolerations for the mobu frontend pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/moneypenny/README.md b/services/moneypenny/README.md index a6cf018f86..2091cd7266 100644 --- a/services/moneypenny/README.md 
+++ b/services/moneypenny/README.md @@ -1,7 +1,5 @@ # moneypenny -![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - User provisioning actions for the Science Platform ## Values @@ -29,6 +27,3 @@ User provisioning actions for the Science Platform | resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod | | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index 74642a3c3e..1f65d61184 100644 --- a/services/narrativelog/README.md +++ b/services/narrativelog/README.md @@ -1,7 +1,5 @@ # narrativelog -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.1](https://img.shields.io/badge/AppVersion-0.2.1-informational?style=flat-square) - Narrative log service ## Values @@ -33,6 +31,3 @@ Narrative log service | resources | object | `{}` | Resource limits and requests for the narrativelog pod | | securityContext | object | `{}` | Security context for the narrativelog deployment | | tolerations | list | `[]` | Tolerations for the narrativelog pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index f42a644aed..fc1b99cf29 100644 --- a/services/noteburst/README.md 
+++ b/services/noteburst/README.md @@ -1,17 +1,9 @@ # noteburst -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square) - Noteburst is a notebook execution service for the Rubin Science Platform. **Homepage:** -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| jonathansick | | https://github.com/jonathansick | - ## Source Code * @@ -58,6 +50,3 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index fab98bcfab..7bc9308897 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -1,17 +1,9 @@ # nublado2 -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![AppVersion: 2.3.0](https://img.shields.io/badge/AppVersion-2.3.0-informational?style=flat-square) - Nublado2 JupyterHub installation **Homepage:** -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| cbanek | | | - ## Source Code * @@ -155,6 +147,3 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.singleuser.storage.type | string | `"none"` | | | network_policy.enabled | bool | `true` | | | vault_secret_path | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/services/obstap/README.md b/services/obstap/README.md index 6e57588231..03e372869f 100644 --- a/services/obstap/README.md +++ b/services/obstap/README.md @@ -1,7 +1,5 @@ # cadc-tap-postgres -![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![AppVersion: 1.1](https://img.shields.io/badge/AppVersion-1.1-informational?style=flat-square) - CADC TAP PostgresSQL service, used for ObsTAP **Homepage:** @@ -45,6 +43,3 @@ CADC TAP PostgresSQL service, used for ObsTAP | uws.podAnnotations | object | `{}` | Annotations for the UWS databse pod | | uws.resources | object | `{}` | Resource limits and requests for the UWS database pod | | uws.tolerations | list | `[]` | Tolerations for the UWS database pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/plot-navigator/README.md b/services/plot-navigator/README.md index 056ed20497..1b7abe06c6 100644 --- a/services/plot-navigator/README.md +++ b/services/plot-navigator/README.md @@ -1,7 +1,5 @@ # plot-navigator -![Version: 1.6.1](https://img.shields.io/badge/Version-1.6.1-informational?style=flat-square) ![AppVersion: 0.6.1](https://img.shields.io/badge/AppVersion-0.6.1-informational?style=flat-square) - Panel-based plot viewer. ## Values @@ -16,6 +14,3 @@ Panel-based plot viewer. | image.tag | string | `""` | | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=plotnavigator"` | Gafaelfawr auth query string | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/portal/README.md b/services/portal/README.md index 8b6e6cabde..7319b94887 100644 --- a/services/portal/README.md 
+++ b/services/portal/README.md @@ -1,7 +1,5 @@ # portal -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: suit-2022.2](https://img.shields.io/badge/AppVersion-suit--2022.2-informational?style=flat-square) - Rubin Science Platform portal aspect **Homepage:** @@ -42,6 +40,3 @@ Rubin Science Platform portal aspect | resources | object | `{"limits":{"cpu":2,"memory":"6Gi"}}` | Resource limits and requests. The Portal will use (by default) 93% of container RAM. This is a smallish Portal; tweak it as you need to in instance definitions in Phalanx. | | securityContext | object | `{}` | Security context for the Portal pod | | tolerations | list | `[]` | Tolerations for the Portal pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/postgres/README.md b/services/postgres/README.md index ab113f00a5..ff04a90335 100644 --- a/services/postgres/README.md +++ b/services/postgres/README.md @@ -1,7 +1,5 @@ # postgres -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.0.5](https://img.shields.io/badge/AppVersion-0.0.5-informational?style=flat-square) - Postgres RDBMS for LSP **Homepage:** 
@@ -19,6 +17,3 @@ Postgres RDBMS for LSP | postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you want a good database maybe it's better to use a cloud database?), on Rubin Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere probably "standard" ... | | postgresVolumeSize | string | `"1Gi"` | Volume size for postgres. It can generally be very small | | volumeName | string | `""` | Volume name for postgres, if you use an existing volume that isn't automatically created from the PVC by the storage driver (e.g. NCSA) | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/production-tools/README.md b/services/production-tools/README.md index b2eff44bc6..fe7ae5fce9 100644 --- a/services/production-tools/README.md +++ b/services/production-tools/README.md @@ -1,7 +1,5 @@ # production-tools -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.0.9](https://img.shields.io/badge/AppVersion-0.0.9-informational?style=flat-square) - A collection of utility pages for monitoring data processing. **Homepage:** @@ -28,6 +26,3 @@ A collection of utility pages for monitoring data processing. | replicaCount | int | `1` | Number of web deployment pods to start | | resources | object | `{}` | Resource limits and requests for the production-tools deployment pod | | tolerations | list | `[]` | Tolerations for the production-tools deployment pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 7cc7a11338..799960fab9 100644 --- a/services/sasquatch/README.md 
+++ b/services/sasquatch/README.md @@ -1,7 +1,5 @@ # sasquatch -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) - Rubin Observatory's telemetry service. ## Requirements @@ -78,6 +76,3 @@ Rubin Observatory's telemetry service. | telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"sasquatch"}}}` | Telegraf password. | | telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. | | telegraf.service.enabled | bool | `false` | Telegraf service. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 34aee2ffb1..9ad0b08e0b 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -1,7 +1,5 @@ # kafka-connect-manager -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.9.3](https://img.shields.io/badge/AppVersion-0.9.3-informational?style=flat-square) - A subchart to deploy the Kafka connectors used by Sasquatch. ## Values 
@@ -74,6 +72,3 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | s3Sink.timezone | string | `"UTC"` | The timezone to use when partitioning with TimeBasedPartitioner. | | s3Sink.topicsDir | string | `"topics"` | Top level directory to store the data ingested from Kafka. | | s3Sink.topicsRegex | string | `".*"` | Regex to select topics from Kafka. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index b31ff55618..709e6b4f55 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md @@ -1,7 +1,5 @@ # strimzi-kafka -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) - A subchart to deploy Strimzi Kafka components for Sasquatch. ## Values @@ -24,6 +22,3 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | zookeeper.replicas | int | `3` | Number of Zookeeper replicas to run. | | zookeeper.storage.size | string | `"100Gi"` | Size of the backing storage disk for each of the Zookeeper instances. | | zookeeper.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/semaphore/README.md b/services/semaphore/README.md index ea6c5148f0..ea3233aef9 100644 --- a/services/semaphore/README.md +++ b/services/semaphore/README.md 
@@ -1,15 +1,7 @@ # semaphore -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square) - Semaphore is the user notification and messaging service for the Rubin Science Platform. -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| jonathansick | | https://github.com/jonathansick | - ## Source Code * @@ -49,6 +41,3 @@ Semaphore is the user notification and messaging service for the Rubin Science P | serviceAccount.create | bool | `false` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/sherlock/README.md b/services/sherlock/README.md index 6583939be2..c18bd816c7 100644 --- a/services/sherlock/README.md +++ b/services/sherlock/README.md @@ -1,7 +1,5 @@ # sherlock -![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.7](https://img.shields.io/badge/AppVersion-0.1.7-informational?style=flat-square) - A Helm chart for Kubernetes ## Values @@ -31,6 +29,3 @@ A Helm chart for Kubernetes | resources | object | `{}` | Resource limits and requests for the sherlock deployment pod | | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | Tolerations for the sherlock deployment pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/services/squareone/README.md b/services/squareone/README.md index de56288eb2..e761e3c31f 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md @@ -1,17 +1,9 @@ # squareone -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.7.0b1](https://img.shields.io/badge/AppVersion-0.7.0b1-informational?style=flat-square) - Squareone is the homepage UI for the Rubin Science Platform. **Homepage:** -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| jonathansick | | https://github.com/jonathansick | - ## Source Code * @@ -45,6 +37,3 @@ Squareone is the homepage UI for the Rubin Science Platform. | replicaCount | int | `1` | Number of squareone pods to run in the deployment. | | resources | object | `{}` | | | tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/tap-schema/README.md b/services/tap-schema/README.md index 988a7090d2..4565a19acd 100644 --- a/services/tap-schema/README.md +++ b/services/tap-schema/README.md @@ -1,7 +1,5 @@ # tap-schema -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.1.7](https://img.shields.io/badge/AppVersion-1.1.7-informational?style=flat-square) - The TAP_SCHEMA database **Homepage:** @@ -23,6 +21,3 @@ The TAP_SCHEMA database | podAnnotations | object | `{}` | Annotations for the MySQL pod | | resources | object | `{}` | Resource limits and requests for the MySQL pod | | tolerations | list | `[]` | Tolerations for the MySQL pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/tap/README.md b/services/tap/README.md index dfccfe44dc..2b651feb39 100644 
--- a/services/tap/README.md +++ b/services/tap/README.md @@ -1,7 +1,5 @@ # cadc-tap -![Version: 1.0.6](https://img.shields.io/badge/Version-1.0.6-informational?style=flat-square) ![AppVersion: 1.1.2](https://img.shields.io/badge/AppVersion-1.1.2-informational?style=flat-square) - A Helm chart for the CADC TAP service **Homepage:** @@ -52,6 +50,3 @@ A Helm chart for the CADC TAP service | uws.resources | object | `{}` | Resource limits and requests for the UWS database pod | | uws.tolerations | list | `[]` | Tolerations for the UWS database pod | | vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator//tap`, for example) | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index 6f051ed81f..6469c5619c 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md @@ -1,7 +1,5 @@ # telegraf-ds -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) - SQuaRE DaemonSet (K8s) telemetry collection service ## Requirements @@ -27,6 +25,3 @@ SQuaRE DaemonSet (K8s) telemetry collection service | telegraf-ds.serviceAccount.name | string | `"telegraf-ds"` | | | telegraf-ds.volumes[0].configMap.name | string | `"telegraf-generated-config"` | | | telegraf-ds.volumes[0].name | string | `"telegraf-generated-config"` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/telegraf/README.md b/services/telegraf/README.md index cdbb76e254..a3dbb31800 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md 
@@ -1,7 +1,5 @@ # telegraf -![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) - SQuaRE telemetry collection service ## Requirements @@ -34,6 +32,3 @@ SQuaRE telemetry collection service | telegraf.tplVersion | int | `2` | | | telegraf.volumes[0].configMap.name | string | `"telegraf-generated-config"` | | | telegraf.volumes[0].name | string | `"telegraf-generated-config"` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/times-square/README.md b/services/times-square/README.md index ccd938ac7a..0551e7c5b1 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -1,7 +1,5 @@ # times-square -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.0b1](https://img.shields.io/badge/AppVersion-0.4.0b1-informational?style=flat-square) - An API service for managing and rendering parameterized Jupyter notebooks. **Homepage:** @@ -62,6 +60,3 @@ An API service for managing and rendering parameterized Jupyter notebooks. | serviceAccount.create | bool | `false` | Force creation of a service account. Normally, no service account is used or mounted. If CloudSQL is enabled, a service account is always created regardless of this value. | | serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | | tolerations | list | `[]` | Tolerations for the times-square deployment pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md index 4e7f48c62a..ce388ddde0 100644 
--- a/services/vault-secrets-operator/README.md +++ b/services/vault-secrets-operator/README.md @@ -1,7 +1,5 @@ # vault-secrets-operator -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) - ## Requirements | Repository | Name | Version | @@ -16,6 +14,3 @@ | vault-secrets-operator.environmentVars[1] | object | `{"name":"VAULT_TOKEN_LEASE_DURATION","valueFrom":{"secretKeyRef":{"key":"VAULT_TOKEN_LEASE_DURATION","name":"vault-secrets-operator"}}}` | environment variable storing the lease duration, in seconds | | vault-secrets-operator.vault.address | string | `"https://vault.lsst.codes"` | URL of the underlying Vault implementation | | vault-secrets-operator.vault.reconciliationTime | int | `60` | Sync secrets from vault on this cadence | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/services/vault-secrets-operator/values.yaml b/services/vault-secrets-operator/values.yaml index 76271289e6..713e889bc1 100644 --- a/services/vault-secrets-operator/values.yaml +++ b/services/vault-secrets-operator/values.yaml @@ -1,4 +1,5 @@ -# Variables for Vault Secrets Operator +## Variables for Vault Secrets Operator +## https://github.com/ricoberger/vault-secrets-operator/blob/master/charts/README.md vault-secrets-operator: environmentVars: # -- environment variable where the Vault read token is kept diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index 8b0495110c..e642be2102 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -1,7 +1,5 @@ # vo-cutouts -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square) - Image cutout service complying with IVOA SODA **Homepage:** 
@@ -66,6 +64,3 @@ Image cutout service complying with IVOA SODA | replicaCount | int | `1` | Number of web frontend pods to start | | resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod | | tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) From d9b4368c9c126019c261e01747199080c2a4e4ff Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 16 May 2022 04:02:38 +0000 Subject: [PATCH 0451/1479] Update Helm release ingress-nginx to v4.1.1 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index c73809fa9e..7f8b56341a 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.1.0 + version: 4.1.1 repository: https://kubernetes.github.io/ingress-nginx From 1c19249193ba7f2df9856d646f487c9c324e2622 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 16 May 2022 17:00:03 +0200 Subject: [PATCH 0452/1479] Test nublado --- science-platform/values-ccin2p3.yaml | 2 +- services/nublado2/values-ccin2p3.yaml | 40 +++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 services/nublado2/values-ccin2p3.yaml diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index c17e309d91..55fef48451 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -29,7 +29,7 @@ moneypenny: ingress_nginx: enabled: true nublado2: - enabled: false + enabled: true obstap: enabled: false portal: 
diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml new file mode 100644 index 0000000000..9fd43ccde0 --- /dev/null +++ b/services/nublado2/values-ccin2p3.yaml @@ -0,0 +1,40 @@ +nublado2: + jupyterhub: + debug: + enabled: false + + hub: + base_url: "/nb2" + + singleuser: + storage: + type: none + + lab: + enable_moneypenny: 'true' + + ingress: + hosts: ["data-dev.lsst.eu"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" + + config: + base_url: "https://data-dev.lsst.eu/" + butler_secret_path: "secret/k8s_operator/rsp-cc/butler-secret" + + volumes: + - name: data + persistentVolumeClaim: + claimName: postgres-physpvc + - name: home + persistentVolumeClaim: + claimName: nublado-hub-physpvc + + volume_mounts: + - name: data + mountPath: /data + - name: home + mountPath: /home + + vault_secret_path: "secret/k8s_operator/rsp-cc/nublado2" + gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfawr" \ No newline at end of file From 32532ab2cbed55b9f96da07ccc99f6f1cb4af759 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 16 May 2022 17:05:43 +0200 Subject: [PATCH 0453/1479] Add path --- services/nublado2/values-ccin2p3.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 9fd43ccde0..352ae87af1 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -21,6 +21,7 @@ nublado2: config: base_url: "https://data-dev.lsst.eu/" butler_secret_path: "secret/k8s_operator/rsp-cc/butler-secret" + pull_secret_path: "secret/k8s_operator/rsp-cc/pull-secret" volumes: - name: data From 1c2921af92e27793dcb8cb8e488c64a9cef14f18 Mon Sep 17 00:00:00 2001 
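Review bot: The JupyterHub ingress in the new values file carries only `nginx.ingress.kubernetes.io/auth-signin` and no `nginx.ingress.kubernetes.io/auth-url`; ingress-nginx only performs an external auth check when `auth-url` is set, and `auth-signin` merely names the redirect target for a 401 from that check, so as written the notebook ingress for `data-dev.lsst.eu` is reachable without any Gafaelfawr check. Add the pair together, e.g. `nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook"` next to the signin annotation, with the scope matching what the other environments' nublado2 values use. Separately, `enable_moneypenny: 'true'` is a quoted string rather than a boolean; depending on how the chart tests it, any non-empty string may count as enabled, so `enable_moneypenny: true` states the intent unambiguously. The file also ends without a trailing newline.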
From: Gabriele Mainetti Date: Mon, 16 May 2022 17:14:38 +0200 Subject: [PATCH 0454/1479] Fix nublado2 (?) --- services/nublado2/values-ccin2p3.yaml | 86 ++++++++++++++------------- 1 file changed, 45 insertions(+), 41 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 352ae87af1..b5db8a18d1 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml 
@@ -1,41 +1,45 @@ -nublado2: - jupyterhub: - debug: - enabled: false - - hub: - base_url: "/nb2" - - singleuser: - storage: - type: none - - lab: - enable_moneypenny: 'true' - - ingress: - hosts: ["data-dev.lsst.eu"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" - - config: - base_url: "https://data-dev.lsst.eu/" - butler_secret_path: "secret/k8s_operator/rsp-cc/butler-secret" - pull_secret_path: "secret/k8s_operator/rsp-cc/pull-secret" - - volumes: - - name: data - persistentVolumeClaim: - claimName: postgres-physpvc - - name: home - persistentVolumeClaim: - claimName: nublado-hub-physpvc - - volume_mounts: - - name: data - mountPath: /data - - name: home - mountPath: /home - - vault_secret_path: "secret/k8s_operator/rsp-cc/nublado2" - gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfawr" \ No newline at end of file +jupyterhub: + debug: + enabled: false + + hub: + base_url: "/nb2" + + singleuser: + storage: + type: none + + lab: + enable_moneypenny: 'true' + + ingress: + hosts: ["data-dev.lsst.eu"] + annotations: + nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" + +config: + base_url: "https://data-dev.lsst.eu/" + butler_secret_path: "secret/k8s_operator/rsp-cc/butler-secret" + pull_secret_path: "secret/k8s_operator/rsp-cc/pull-secret" + + volumes: + - name: data + persistentVolumeClaim: + claimName: postgres-physpvc + - name: home + persistentVolumeClaim: + claimName: nublado-hub-physpvc + + volume_mounts: + - name: data + mountPath: /data + - name: home + mountPath: /home + +vault_secret_path: "secret/k8s_operator/rsp-cc/nublado2" +gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfaw" + + +pull-secret: + enabled: true + path: "secret/k8s_operator/data.lsst.cloud/pull-secret" From de525bc30e3c6f61bfa5b3dc9548fb5f78b81561 Mon Sep 17 00:00:00 2001 
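Review bot: The new `pull-secret.path` points at `secret/k8s_operator/data.lsst.cloud/pull-secret`, a different environment's Vault prefix, while every other path in this file uses `secret/k8s_operator/rsp-cc/`; this cluster's pull secret would be read from (and need Vault policy on) another site's tree. It should read `path: "secret/k8s_operator/rsp-cc/pull-secret"`, matching the `pull_secret_path` a few lines above. The move also changed `gafaelfawr_secrets_path` from `.../gafaelfawr` to `.../gafaelfaw`, a typo that points the hub at a Vault path that does not exist.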
From: Gabriele Mainetti Date: Mon, 16 May 2022 17:18:31 +0200 Subject: [PATCH 0455/1479] nublado2 fix --- services/nublado2/values-ccin2p3.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index b5db8a18d1..1ebb1a6112 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -1,16 +1,17 @@ jupyterhub: debug: - enabled: false + enabled: true hub: - base_url: "/nb2" + resources: + requests: + cpu: "2" + memory: 3Gi singleuser: storage: type: none - lab: - enable_moneypenny: 'true' ingress: hosts: ["data-dev.lsst.eu"] From 1a5f83e3000d4fb5b2d88a80a93934ebcb586ecf Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 16 May 2022 17:48:36 +0200 Subject: [PATCH 0456/1479] jupyter db --- services/nublado2/values-ccin2p3.yaml | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 1ebb1a6112..1de875f444 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -1,16 +1,15 @@ jupyterhub: - debug: - enabled: true + # debug: + # enabled: true + # hub: + # resources: + # requests: + # cpu: "2" + # memory: 3Gi - hub: - resources: - requests: - cpu: "2" - memory: 3Gi - - singleuser: - storage: - type: none + # singleuser: + # storage: + # type: none ingress: @@ -38,7 +37,7 @@ config: mountPath: /home vault_secret_path: "secret/k8s_operator/rsp-cc/nublado2" -gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfaw" +#gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfaw" pull-secret: From 7a78073439aaabe30ddc64210bdc43498e2e588f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 16 May 2022 09:22:53 -0700 Subject: [PATCH 0457/1479] Update Helm documentation --- services/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index f433db9442..d0d8520cf6 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.1.0 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.1.1 | ## Values From c5c1f1a1a7ad7c977dfe0972645332342b4d31fb Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 16 May 2022 16:30:43 +0000 Subject: [PATCH 0458/1479] Update Helm release redis to v16.9.5 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 13067b764a..cd04b7a1be 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.9.1 + version: 16.9.5 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index f12e912a6f..f3ed27661a 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: 0.4.0b1 dependencies: - name: redis - version: 16.9.1 + version: 16.9.5 repository: https://charts.bitnami.com/bitnami From f1dddddf68ce97c007335837cbbb6593b22d2fe9 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 16 May 2022 09:34:55 -0700 Subject: [PATCH 0459/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index fc1b99cf29..2956c04dc4 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md 
@@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.9.1 | +| https://charts.bitnami.com/bitnami | redis | 16.9.5 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 0551e7c5b1..7545486b24 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.9.1 | +| https://charts.bitnami.com/bitnami | redis | 16.9.5 | ## Values From 3552b56fcafb251ce6dfe929191715532b4f7508 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Mon, 16 May 2022 20:01:07 -0700 Subject: [PATCH 0460/1479] [DM-34737] Use Google Service account Set up the environment variable to use the service account JSON file instead of the aws key to try to sign things. --- services/datalinker/templates/deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/datalinker/templates/deployment.yaml b/services/datalinker/templates/deployment.yaml index e5e2bc90b1..d14ce156e1 100644 --- a/services/datalinker/templates/deployment.yaml +++ b/services/datalinker/templates/deployment.yaml @@ -47,6 +47,8 @@ spec: value: "/tmp/secrets/postgres-credentials.txt" - name: "S3_ENDPOINT_URL" value: "https://storage.googleapis.com" + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: "/tmp/secrets/butler-gcs-idf-creds.json" ports: - name: http containerPort: 8080 From 139ae59cc0f91b9e9286bcb5900471a6e12d5c40 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 17 May 2022 11:10:32 +0200 Subject: [PATCH 0461/1479] nublado 2 fix --- services/nublado2/values-ccin2p3.yaml | 41 ++++++++++++++------------- 1 file changed, 22 insertions(+), 19 deletions(-) 
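Review bot: `GOOGLE_APPLICATION_CREDENTIALS` is set to `/tmp/secrets/butler-gcs-idf-creds.json`, but nothing in this hunk adds that key to whatever secret is mounted at `/tmp/secrets`, so a missing or misnamed key only surfaces at the first signing call rather than at pod start; confirm the datalinker secret actually carries a `butler-gcs-idf-creds.json` entry. The commit message says the service-account file replaces the AWS key, yet no AWS credential variables are removed in this hunk (they may sit outside it), so both credential sets would remain in the container; if the old key is no longer needed, drop it so one fewer signing credential is exposed in the pod. A one-line comment above the new entry, `# Service-account JSON used to sign GCS URLs; key must exist in the datalinker secret`, would record the dependency. The container spec continues outside the hunk.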
diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 1de875f444..63f8f12639 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -1,15 +1,15 @@ jupyterhub: # debug: # enabled: true - # hub: - # resources: - # requests: - # cpu: "2" - # memory: 3Gi + hub: + resources: + requests: + cpu: "2" + memory: 3Gi - # singleuser: - # storage: - # type: none + singleuser: + storage: + type: none ingress: @@ -23,21 +23,24 @@ config: pull_secret_path: "secret/k8s_operator/rsp-cc/pull-secret" volumes: - - name: data - persistentVolumeClaim: - claimName: postgres-physpvc - - name: home - persistentVolumeClaim: - claimName: nublado-hub-physpvc + hostPath: + - name: data + hostPath: + path: /data/rsp/nublado2 + type: Directory + - name: home + hostPath: + path: /data/rsp/home + type: Directory volume_mounts: - - name: data - mountPath: /data - - name: home - mountPath: /home + - name: data + mountPath: /data + - name: home + mountPath: /home vault_secret_path: "secret/k8s_operator/rsp-cc/nublado2" -#gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfaw" +gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfaw" pull-secret: From 32e0049581c67fef2b2659840ded5c8246a10a02 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 17 May 2022 14:22:27 +0200 Subject: [PATCH 0462/1479] update postgres and nublado --- services/nublado2/values-ccin2p3.yaml | 4 ++-- services/postgres/values-ccin2p3.yaml | 27 +++++++++++++-------------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 63f8f12639..1c9df5f717 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -1,6 +1,6 @@ jupyterhub: - # debug: - # enabled: true + debug: + enabled: true hub: resources: requests: 
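Review bot: Lab storage switches from PersistentVolumeClaims to `hostPath` volumes on `/data/rsp/nublado2` and `/data/rsp/home`, which binds the pods to a node's local filesystem: the directories must exist on every node the labs can land on, and hostPath bypasses the access control a PVC provides, so any pod permitted to use hostPath on that node reaches the same tree. Confirm these paths are a shared mount present on all lab nodes and that the namespace's pod security settings are intended to allow hostPath for these pods. The new side also appears to insert an extra `hostPath:` line between `volumes:` and the first `- name: data` item (indentation is lost in this rendering); if that line is a key of its own, `config.volumes` becomes a mapping instead of a list and should be removed so the entries sit directly under `volumes:`. A comment such as `# hostPath: node-local; directory must exist on every lab node` would document the assumption.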
diff --git a/services/postgres/values-ccin2p3.yaml b/services/postgres/values-ccin2p3.yaml index eb739e45ca..d6e691f6fc 100644 --- a/services/postgres/values-ccin2p3.yaml +++ b/services/postgres/values-ccin2p3.yaml @@ -1,18 +1,17 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/rsp-cc/postgres' +pull_secret: 'pull-secret' +vault_secrets: + path: 'secret/k8s_operator/rsp-cc/postgres' debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' - postgres_storage_class: 'rsp-local-storage' - volume_name: 'postgres-data-rsp-ccqserv219' - image: - tag: '0.0.5' +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' +gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' +postgres_storage_class: 'rsp-local-storage' +volume_name: 'postgres-data-rsp-ccqserv219' +image: + tag: '0.0.5' pull-secret: enabled: true From 4de6c22619c36d96e36abddc13f244c754c293e9 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 17 May 2022 14:50:04 +0200 Subject: [PATCH 0463/1479] fixed postgres --- services/postgres/values-ccin2p3.yaml | 30 ++++++++++++++------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/services/postgres/values-ccin2p3.yaml b/services/postgres/values-ccin2p3.yaml index d6e691f6fc..2130c9d05c 100644 --- a/services/postgres/values-ccin2p3.yaml +++ b/services/postgres/values-ccin2p3.yaml 
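Review bot: The unchanged context line `debug: 'true'` keeps its original indentation while its former siblings (`pull_secret`, `vault_secrets`, `jupyterhub_db`, …) move to column 0, leaving it more deeply indented than the new `path:` line under `vault_secrets:`; depending on the exact spacing that is either a YAML parse error or `debug` landing under the wrong parent (the next commits, "fixed postgres" and "fixed indentation", re-nest everything and then move exactly this line). It is also a quoted string rather than a boolean; if the chart tests it with a plain `if`, any non-empty string enables debug, so `debug: true` states the intent unambiguously. Since the following commit restores the `postgres:` parent key, the chart evidently expects its values namespaced under it, and this flattening should not be applied on its own.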
@@ -1,17 +1,19 @@ -pull_secret: 'pull-secret' -vault_secrets: - path: 'secret/k8s_operator/rsp-cc/postgres' - debug: 'true' -jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' -gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' -postgres_storage_class: 'rsp-local-storage' -volume_name: 'postgres-data-rsp-ccqserv219' -image: - tag: '0.0.5' +postgres: + pull_secret: 'pull-secret' + vault_secrets: + path: 'secret/k8s_operator/rsp-cc/postgres' + debug: 'true' + jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' + gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' + + postgres_storage_class: 'rsp-local-storage' + volume_name: 'postgres-data-rsp-ccqserv219' + image: + tag: '0.0.5' pull-secret: enabled: true From d31c2efeccd4155450b558d179f5419705282367 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 17 May 2022 15:49:07 +0200 Subject: [PATCH 0464/1479] fixed error --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 1c9df5f717..2330a4ccc7 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -45,4 +45,4 @@ gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfaw" pull-secret: enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" + path: "secret/k8s_operator/rsp-cc/pull-secret" From 9b3fdb8a5fd3d286d538b92bc064ba60f89cfeb4 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 17 May 2022 16:01:29 +0200 Subject: [PATCH 0465/1479] fixed typo --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 2330a4ccc7..8bd6568711 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml 
@@ -40,7 +40,7 @@ config: mountPath: /home vault_secret_path: "secret/k8s_operator/rsp-cc/nublado2" -gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfaw" +gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfawr" pull-secret: From d98d3459828cbbcb355c1327ed226ea32ee02ae3 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 17 May 2022 16:22:37 +0200 Subject: [PATCH 0466/1479] add ingress auth-url --- services/nublado2/values-ccin2p3.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 8bd6568711..88f1ab6a30 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -16,6 +16,7 @@ jupyterhub: hosts: ["data-dev.lsst.eu"] annotations: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" + nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" config: base_url: "https://data-dev.lsst.eu/" From 41310d7556115dd3c6e5e8c1ab161a720e7845c7 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 17 May 2022 17:11:25 +0200 Subject: [PATCH 0467/1479] fixed indentation --- services/postgres/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/postgres/values-ccin2p3.yaml b/services/postgres/values-ccin2p3.yaml index 2130c9d05c..afb25bb520 100644 --- a/services/postgres/values-ccin2p3.yaml +++ b/services/postgres/values-ccin2p3.yaml @@ -2,7 +2,7 @@ postgres: pull_secret: 'pull-secret' vault_secrets: path: 'secret/k8s_operator/rsp-cc/postgres' - debug: 'true' + debug: 'true' jupyterhub_db: user: 'jovyan' db: 'jupyterhub' From 45a1c885edbc86867a2c95c272ef31717a4d56d5 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 17 May 2022 17:27:07 +0200 Subject: [PATCH 0468/1479] trying postgres.postgres.svc.local --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
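Review bot: The new `auth-url` value is rendered as `https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true`; if the committed line really contains `¬ebook` rather than `&notebook=true` (this may be an artifact of how the patch was rendered), the query string is malformed — the `scope` value becomes `exec:notebook¬ebook=true`, which matches no scope, and the `notebook` parameter is never seen — so every request would be rejected or the parameter's behaviour silently lost. Verify the stored line is `nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook&notebook=true"`. This is also the commit that finally pairs the existing `auth-signin` annotation with an `auth-url`; until now this ingress had no authentication check at all.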
diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 66f663e946..d3cb89d21d 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -11,7 +11,7 @@ redis: config: host: data-dev.lsst.eu - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + databaseUrl: "postgresql://gafaelfawr@postgres.postgres.svc.local/gafaelfawr" # Do not specify ingress.host because we're using the wildcard virtual host. From 66f74f674a2b9a105f014697e6708370fe4f6ab5 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 17 May 2022 17:29:49 +0200 Subject: [PATCH 0469/1479] reverted --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index d3cb89d21d..66f663e946 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -11,7 +11,7 @@ redis: config: host: data-dev.lsst.eu - databaseUrl: "postgresql://gafaelfawr@postgres.postgres.svc.local/gafaelfawr" + databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" # Do not specify ingress.host because we're using the wildcard virtual host. From b458ac74123d5c326656ddb9bfc391f65a9b9acb Mon Sep 17 00:00:00 2001 From: Fritz Mueller Date: Tue, 17 May 2022 14:07:21 -0700 Subject: [PATCH 0470/1479] Bump tap-schema version to 1.1.8 --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 192ba2e2c3..3d6d9f37c0 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.7 +appVersion: 1.1.8 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From 44b7f9818462541ac7b06d1e03297573abd5a626 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Wed, 18 May 2022 11:23:33 +0200 Subject: [PATCH 0471/1479] Update moneypenny --- services/moneypenny/values-ccin2p3.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 89ef1615a0..4223cb6c76 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -4,10 +4,10 @@ moneypenny: ingress: enabled: true host: "data-dev.lsst.eu" - # - host: data-dev.lsst.eu - # paths: ["/moneypenny"] - #annotations: - # nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:admin" + - host: data-dev.lsst.eu + paths: ["/moneypenny"] + annotations: + nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:admin" vault_secrets: enabled: true From d1360d70b8ed0988547bdc11fd4803bcf37456c6 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 18 May 2022 11:25:50 +0200 Subject: [PATCH 0472/1479] Fixed typo --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 4223cb6c76..7a05b626f3 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -3,7 +3,7 @@ moneypenny: ingress: enabled: true - host: "data-dev.lsst.eu" + hosts: - host: data-dev.lsst.eu paths: ["/moneypenny"] annotations: From 11d057b0d9928ab53bb1e9e9786ea80734040b64 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 18 May 2022 11:47:38 +0200 Subject: [PATCH 0473/1479] portal update --- services/portal/values-ccin2p3.yaml | 64 ++++++++++++++--------------- 1 file changed, 31 insertions(+), 33 deletions(-) diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index 06a245dfab..5c75edeccb 100644 --- a/services/portal/values-ccin2p3.yaml 
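Review bot: The uncommented block places a sequence item (`- host: data-dev.lsst.eu`) directly under `ingress:` beside the scalar `host:` key, which is not valid YAML — a mapping cannot contain a bare list item at its own level — so this values file fails to parse. The items need a parent key: replace `host: "data-dev.lsst.eu"` with `hosts:` and keep the list under it, which is the shape the `paths` and per-host `annotations` keys imply. Once it parses, the `auth-url` annotation with `scope=exec:admin` is what restricts `/moneypenny` to administrators, so it should stay active rather than being commented out again.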
+++ b/services/portal/values-ccin2p3.yaml @@ -1,39 +1,37 @@ -firefly: - pull_secret: 'pull-secret' - replicaCount: 2 - image: - tag: "2.1.1-3" - - ingress: - host: 'data-dev.lsst.eu' - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" - nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:portal" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; - - secrets: - enabled: true - - vault_secrets: - enabled: true - path: 'secret/k8s_operator/rsp-cc/portal' - - max_jvm_size: "23G" - - redis: - resources: - limits: - memory: 20Mi +pull_secret: 'pull-secret' +replicaCount: 2 + +ingress: + host: 'data-dev.lsst.eu' + annotations: + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token + nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" + nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:portal" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Forwarded-Path /portal/app; + +secrets: + enabled: true + +vault_secrets: + enabled: true + path: 'secret/k8s_operator/rsp-cc/portal' + +max_jvm_size: "23G" + +redis: resources: limits: - memory: 24Gi + memory: 20Mi + +resources: + limits: + memory: 24Gi pull-secret: enabled: true From b79fd5ddbe7f87bc12e8ebe6eaf0324ddad725cb Mon Sep 17 00:00:00 2001 
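Review bot: Moving everything out from under the `firefly:` key changes which chart receives these values; if `firefly` is the subchart alias in the portal chart (as `postgres:` turned out to be for the postgres chart in this same series), the ingress annotations, Vault path and resource limits no longer reach the subchart and the deployed portal falls back to chart defaults, including an ingress without the `auth-url` protection. The restructure also drops the `image.tag: "2.1.1-3"` pin, so the deployed image becomes whatever the chart's default tag is and can change on the next sync without a commit here. Confirm the intended nesting against the chart's `values.yaml` and, if the pin was dropped deliberately, say so in the commit message. The retained `configuration-snippet` annotation is a privileged ingress-nginx feature that the controller must explicitly allow; a comment above it noting why the forwarded headers are needed would help the next reviewer.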
From: Gabriele Mainetti Date: Wed, 18 May 2022 12:03:17 +0200 Subject: [PATCH 0474/1479] Update argocd --- services/argocd/values-ccin2p3.yaml | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml index 4085399723..710be3edbb 100644 --- a/services/argocd/values-ccin2p3.yaml +++ b/services/argocd/values-ccin2p3.yaml @@ -1,22 +1,17 @@ argo-cd: - - redis: - enabled: true server: ingress: - enabled: true hosts: - "data-dev.lsst.eu" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" + # annotations: + # kubernetes.io/ingress.class: nginx + # nginx.ingress.kubernetes.io/rewrite-target: "/$2" + # paths: + # - /argo-cd(/|$)(.*) + # extraArgs: + # - "--basehref=/argo-cd" + # - "--insecure=true" config: url: https://data-dev.lsst.eu/argo-cd dex.config: | @@ -60,6 +55,6 @@ vault_secret: enabled: true path: secret/k8s_operator/rsp-cc/argocd -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file +# pull-secret: +# enabled: true +# path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file From 16e158578a43dcf13e8832ec96dda8ac410fe925 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 18 May 2022 12:13:49 +0200 Subject: [PATCH 0475/1479] clean argocd --- services/argocd/values-ccin2p3.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml index 710be3edbb..bacf679724 100644 --- a/services/argocd/values-ccin2p3.yaml +++ b/services/argocd/values-ccin2p3.yaml 
@@ -3,15 +3,6 @@ argo-cd: ingress: hosts: - "data-dev.lsst.eu" - # annotations: - # kubernetes.io/ingress.class: nginx - # nginx.ingress.kubernetes.io/rewrite-target: "/$2" - # paths: - # - /argo-cd(/|$)(.*) - - # extraArgs: - # - "--basehref=/argo-cd" - # - "--insecure=true" config: url: https://data-dev.lsst.eu/argo-cd dex.config: | @@ -54,7 +45,3 @@ argo-cd: vault_secret: enabled: true path: secret/k8s_operator/rsp-cc/argocd - -# pull-secret: -# enabled: true -# path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file From 3a6b4a7c43cb7fc9921aa03c280a94bf50113483 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 18 May 2022 13:28:34 +0200 Subject: [PATCH 0476/1479] cachemachine update --- services/cachemachine/values-ccin2p3.yaml | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 services/cachemachine/values-ccin2p3.yaml diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml new file mode 100644 index 0000000000..aa76dcdaf1 --- /dev/null +++ b/services/cachemachine/values-ccin2p3.yaml @@ -0,0 +1,27 @@ +# cachemachine: +# imagePullSecrets: +# - name: "cachemachine-secret" + + ingress: + enabled: true + host: data-dev.lsst.eu + + # vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" + + autostart: + jupyter: | + { + "name": "jupyter", + "labels": {}, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "registry.hub.docker.com", + "repo": "lsstsqre/sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 1, + "num_weeklies": 2, + "num_dailies": 3 + } + ] + } \ No newline at end of file From a4201b547cb247dc618d1b84f0a26a8f62a7a4fa Mon Sep 17 00:00:00 2001 
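Review bot: The `ingress` block enables an ingress for cachemachine on `data-dev.lsst.eu` with no `auth-url`/`auth-signin` annotations, unlike the moneypenny and portal ingresses in this environment; unless the chart template adds the Gafaelfawr annotations itself, the cachemachine API is reachable unauthenticated, which should be confirmed before enabling it. The remaining keys are indented as if nested under the commented-out `# cachemachine:` line — a uniformly indented top-level mapping still parses, but it reads as a nesting that is not there and should be dedented. The file also ends without a trailing newline.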
From: Gabriele Mainetti Date: Wed, 18 May 2022 13:52:38 +0200 Subject: [PATCH 0477/1479] Added missing services --- science-platform/values-ccin2p3.yaml | 49 ++++++++++++++++------- services/cachemachine/values-ccin2p3.yaml | 6 +-- services/obstap/values-ccin2p3.yaml | 18 +++++++++ services/squareone/values-ccin2p3.yaml | 12 ++++++ services/tap-schema/values-ccin2p3.yaml | 2 + 5 files changed, 70 insertions(+), 17 deletions(-) create mode 100644 services/obstap/values-ccin2p3.yaml create mode 100644 services/squareone/values-ccin2p3.yaml create mode 100644 services/tap-schema/values-ccin2p3.yaml diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index 55fef48451..ff3b66a29a 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml 
@@ -2,45 +2,66 @@ environment: ccin2p3 fqdn: data-dev.lsst.eu vault_path_prefix: secret/k8s_operator/rsp-cc -argo: - enabled: true -cert_issuer: +alert_stream_broker: enabled: false +cachemachine: + enabled: true cert_manager: enabled: false -chronograf: +datalinker: enabled: false exposurelog: enabled: false gafaelfawr: enabled: true -influxdb: - enabled: false -kapacitor: - enabled: false -landing_page: - enabled: true -logging: - enabled: false mobu: enabled: false moneypenny: enabled: true ingress_nginx: enabled: true +narrativelog: + enabled: false +noteburst: + enabled: false nublado2: enabled: true obstap: + enabled: true +plot_navigator: enabled: false portal: enabled: true postgres: enabled: true -rancher_external_ip_webhook: +sasquatch: + enabled: false +production_tools: + enabled: false +semaphore: enabled: false +sherlock: + enabled: false +squareone: + enabled: true squash_api: enabled: false +strimzi: + enabled: false +strimzi_registry_operator: + enabled: false tap: enabled: true +tap_schema: + enabled: true +telegraf: + enabled: false +telegraf-ds: + enabled: false +times_square: + enabled: false vault_secrets_operator: - enabled: true \ No newline at end of file + enabled: true +vo_cutouts: + enabled: false + diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index aa76dcdaf1..ebd3b67dc9 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml @@ -2,9 +2,9 @@ # imagePullSecrets: # - name: "cachemachine-secret" - ingress: - enabled: true - host: data-dev.lsst.eu + # ingress: + # enabled: true + # host: data-dev.lsst.eu # vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" diff --git a/services/obstap/values-ccin2p3.yaml b/services/obstap/values-ccin2p3.yaml new file mode 100644 index 0000000000..a0c56b38ed --- /dev/null +++ b/services/obstap/values-ccin2p3.yaml 
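Review bot: `telegraf-ds:` uses a hyphen while every other application key in this file uses snake_case (`telegraf:`, `times_square:`, `vault_secrets_operator:`); if the parent chart gates the application on `.Values.telegraf_ds.enabled`, this key is simply ignored and the default applies, so check the name against the science-platform chart's templates. The same commit turns on `obstap`, `squareone` and `tap_schema` for this environment, and the obstap values added alongside point at an `lsst.codes` results bucket, so the enablement should be reviewed together with that file. The blank line appended at the end of the file is removed again in the "postgres cleanup" commit and could be dropped here.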
@@ -0,0 +1,18 @@ +# cadc-tap-postgres: +# pull_secret: 'pull-secret' +# tag: "1.0" +# host: "data-dev.lsst.eu" + +# secrets: +# enabled: false + +# vault_secrets: +# enabled: true +# path: 'secret/k8s_operator/rsp-cc/tap' + +# pull-secret: +# enabled: true +# path: secret/k8s_operator/rsp-cc/pull-secret +config: + gcs_bucket: 'async-results.lsst.codes' + gcs_bucket_url: 'http://async-results.lsst.codes' \ No newline at end of file diff --git a/services/squareone/values-ccin2p3.yaml b/services/squareone/values-ccin2p3.yaml new file mode 100644 index 0000000000..1a792f44d4 --- /dev/null +++ b/services/squareone/values-ccin2p3.yaml @@ -0,0 +1,12 @@ +ingress: + host: "data-dev.lsst.eu" + annotations: + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + tls: + - secretName: squareone-tls + hosts: + - "data-dev.lsst.eu" +imagePullSecrets: + - name: "pull-secret" +config: + siteName: "Rubin Science Platform @ CC-IN2P3" \ No newline at end of file diff --git a/services/tap-schema/values-ccin2p3.yaml b/services/tap-schema/values-ccin2p3.yaml new file mode 100644 index 0000000000..1d4b6d863c --- /dev/null +++ b/services/tap-schema/values-ccin2p3.yaml @@ -0,0 +1,2 @@ +image: + repository: "lsstsqre/tap-schema-mock" \ No newline at end of file From fc3c2e939501248ce47c87aada3db635c9789a2d Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 18 May 2022 14:05:06 +0200 Subject: [PATCH 0478/1479] clean argocd --- services/argocd/values-ccin2p3.yaml | 36 ++++++++++++++--------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml index bacf679724..26a9c15a28 100644 --- a/services/argocd/values-ccin2p3.yaml +++ b/services/argocd/values-ccin2p3.yaml 
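Review bot: `gcs_bucket_url` is `http://async-results.lsst.codes`, a plaintext URL, and both it and `gcs_bucket` name an `lsst.codes` bucket even though this environment is `rsp-cc` / `data-dev.lsst.eu`; async TAP results for this site would be written to and served from another deployment's bucket, and result links handed to users would be fetched over HTTP. If the bucket is genuinely shared, use `gcs_bucket_url: 'https://async-results.lsst.codes'` at minimum and record it with a comment like `# Results bucket owned by another site — confirm cross-site access policy`; otherwise point these at a bucket owned by this site. Everything else in the file is commented out, so `pull_secret`, `vault_secrets` and `host` fall back to chart defaults that are presumably not right for CC-IN2P3.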
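Review bot: The squareone ingress requests a certificate via `cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns` and a `squareone-tls` secret, but the science-platform values for this environment set `cert_manager: enabled: false`, so nothing acts on the annotation and `squareone-tls` is never created; ingress-nginx then serves its default certificate for this host and browsers will warn. Either enable cert-manager for the environment or drop the annotation and the `tls:` block and rely on the wildcard certificate the gafaelfawr values for this environment refer to. The file also ends without a trailing newline.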
@@ -18,29 +18,29 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: rubin-lsst - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - resource.customizations: | - networking.k8s.io/Ingress: - health.lua: | - hs = {} - hs.status = "Healthy" - return hs + # helm.repositories: | + # - url: https://lsst-sqre.github.io/charts/ + # name: lsst-sqre + # - url: https://ricoberger.github.io/helm-charts/ + # name: ricoberger + # - url: https://kubernetes.github.io/ingress-nginx/ + # name: ingress-nginx + # - url: https://charts.helm.sh/stable + # name: stable + # resource.customizations: | + # networking.k8s.io/Ingress: + # health.lua: | + # hs = {} + # hs.status = "Healthy" + # return hs rbacConfig: policy.csv: | g, rubin-lsst:admin, role:admin - configs: - secret: - createSecret: true + # configs: + # secret: + # createSecret: true vault_secret: enabled: true From 80f0ec3bf6ef80b9e0ce2e9295e428069941f727 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 18 May 2022 14:15:26 +0200 Subject: [PATCH 0479/1479] clean nublado2 --- services/nublado2/values-ccin2p3.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 88f1ab6a30..0de4c8a14a 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -7,11 +7,9 @@ jupyterhub: cpu: "2" memory: 3Gi - singleuser: - storage: - type: none - - + # singleuser: + # storage: + # type: none ingress: hosts: ["data-dev.lsst.eu"] annotations: @@ -32,7 +30,7 @@ config: - name: home hostPath: path: /data/rsp/home - type: Directory + type: Directory volume_mounts: - name: data From 678cf47302921e5a40b6bf3b40440ac9096af8c3 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Wed, 18 May 2022 14:37:48 +0200 Subject: [PATCH 0480/1479] postgres cleanup --- installer/data.lsst.eu/README | 14 +++++++++++ science-platform/values-ccin2p3.yaml | 3 +-- services/postgres/values-ccin2p3.yaml | 34 ++++++++++++--------------- 3 files changed, 30 insertions(+), 21 deletions(-) create mode 100644 installer/data.lsst.eu/README diff --git a/installer/data.lsst.eu/README b/installer/data.lsst.eu/README new file mode 100644 index 0000000000..5050078ff8 --- /dev/null +++ b/installer/data.lsst.eu/README @@ -0,0 +1,14 @@ +This directory contains your keys and certificates. + +`privkey.pem` : the private key for your certificate. +`fullchain.pem`: the certificate file used in most server software. +`chain.pem` : used for OCSP stapling in Nginx >=1.3.7. +`cert.pem` : will break many server configurations, and should not be used + without reading further documentation (see link below). + +WARNING: DO NOT MOVE OR RENAME THESE FILES! + Certbot expects these files to remain in this location in order + to function properly! + +We recommend not moving these files. For more information, see the Certbot +User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates. diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index ff3b66a29a..efab6f4bc7 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -63,5 +63,4 @@ times_square: vault_secrets_operator: enabled: true vo_cutouts: - enabled: false - + enabled: false \ No newline at end of file diff --git a/services/postgres/values-ccin2p3.yaml b/services/postgres/values-ccin2p3.yaml index afb25bb520..8d7e50290c 100644 --- a/services/postgres/values-ccin2p3.yaml +++ b/services/postgres/values-ccin2p3.yaml 
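Review bot: This README is the file certbot writes into a `live/<domain>/` directory next to `privkey.pem`, which suggests `installer/data.lsst.eu/` is a copy of a Let's Encrypt live directory; only the README appears in the diff, but if `privkey.pem`, `fullchain.pem` or `cert.pem` sit beside it on disk they must not be committed, and if a key was ever pushed it should be treated as compromised and the certificate reissued. Add `installer/data.lsst.eu/*.pem` to `.gitignore`, or keep the material in Vault as this repo's ingress-nginx values already do (`vault_certificate`), and consider dropping the README itself since it documents nothing about this repository. The commit title "postgres cleanup" does not mention this file, so confirm it was added intentionally.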
@@ -1,20 +1,16 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/rsp-cc/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - gafaelfawr_db: - user: 'gafaelfawr' - db: 'gafaelfawr' +# postgres: +# pull_secret: 'pull-secret' +# vault_secrets: +# path: 'secret/k8s_operator/rsp-cc/postgres' +# debug: 'true' +jupyterhub_db: + user: 'jovyan' + db: 'jupyterhub' +gafaelfawr_db: + user: 'gafaelfawr' + db: 'gafaelfawr' - postgres_storage_class: 'rsp-local-storage' - volume_name: 'postgres-data-rsp-ccqserv219' - image: - tag: '0.0.5' - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file +postgres_storage_class: 'rsp-local-storage' +volume_name: 'postgres-data-rsp-ccqserv219' +image: + tag: '0.0.5' From f0d7628cca6dc7b38037543b5d0014d47491400a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 18 May 2022 17:09:47 -0700 Subject: [PATCH 0481/1479] Fix syntax errors in imagePullSecrets In a couple of charts, this wasn't an array. Fix it to always be an array and use consistent quoting. --- services/exposurelog/templates/deployment.yaml | 2 +- services/plot-navigator/templates/deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml index 16c3717edd..0057ed6e89 100644 --- a/services/exposurelog/templates/deployment.yaml +++ b/services/exposurelog/templates/deployment.yaml @@ -21,7 +21,7 @@ spec: {{- include "exposurelog.selectorLabels" . | nindent 8 }} spec: imagePullSecrets: - name: pull-secret + - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/services/plot-navigator/templates/deployment.yaml b/services/plot-navigator/templates/deployment.yaml index 4a124e4f1c..7c08089465 100644 --- a/services/plot-navigator/templates/deployment.yaml +++ b/services/plot-navigator/templates/deployment.yaml 
@@ -15,7 +15,7 @@ spec: {{- include "plot-navigator.selectorLabels" . | nindent 8 }} spec: imagePullSecrets: - name: pull-secret + - name: "pull-secret" volumes: # butler-secrets-raw is the secrets we get from vault - name: "butler-secrets-raw" From c08b81de94a464087b10e13e977e581862a46780 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 19 May 2022 13:55:16 +0200 Subject: [PATCH 0482/1479] removed jupy login --- services/nublado2/values-ccin2p3.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 0de4c8a14a..b898c3e29c 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -6,15 +6,11 @@ jupyterhub: requests: cpu: "2" memory: 3Gi - - # singleuser: - # storage: - # type: none ingress: hosts: ["data-dev.lsst.eu"] annotations: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" - nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" + #nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" config: base_url: "https://data-dev.lsst.eu/" From a344b9717e5491526ff2d80d37cebbe54bc17b79 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 19 May 2022 16:13:54 +0200 Subject: [PATCH 0483/1479] switched off nublado --- science-platform/values-ccin2p3.yaml | 2 +- services/ingress-nginx/values-ccin2p3.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index efab6f4bc7..f381b3bb53 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -25,7 +25,7 @@ narrativelog: noteburst: enabled: false nublado2: - enabled: true + enabled: false obstap: enabled: true plot_navigator: 
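Review bot: The parallel fix in exposurelog sits directly above a pod `securityContext` with `runAsNonRoot: true` and `runAsUser: 1000`, whereas this plot-navigator pod spec goes from `imagePullSecrets` straight to `volumes` with no pod-level securityContext in view. If there is no container-level one further down the template (outside this hunk), add the same block after `imagePullSecrets`: `securityContext:` / `runAsNonRoot: true` / `runAsUser: 1000`, so the `butler-secrets-raw` material mounted below is not handled by a root process. The enclosing pod template continues past the end of the hunk.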
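Review bot: Commenting out `nginx.ingress.kubernetes.io/auth-url` while leaving `auth-signin` in place removes the Gafaelfawr authorization check from the JupyterHub ingress on the public `data-dev.lsst.eu` host: ingress-nginx only consults the external auth service when `auth-url` is set, so after this change requests reach the hub without the `exec:notebook` scope check and `auth-signin` on its own does nothing. If the aim is to debug the login flow, disable the `nublado2` application or fence the ingress with `nginx.ingress.kubernetes.io/whitelist-source-range` rather than stripping the auth gate, and do not leave this state deployed to a reachable environment. The commit title "removed jupy login" gives no rationale; a comment above the disabled line stating why it is off and when it is to be restored would make the risk visible to the next reader.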
diff --git a/services/ingress-nginx/values-ccin2p3.yaml b/services/ingress-nginx/values-ccin2p3.yaml index c30e4964c2..04c7d6b7a1 100644 --- a/services/ingress-nginx/values-ccin2p3.yaml +++ b/services/ingress-nginx/values-ccin2p3.yaml @@ -25,13 +25,13 @@ ingress-nginx: enabled: false extraArgs: default-ssl-certificate: ingress-nginx/ingress-certificate - podLabels: - hub.jupyter.org/network-access-proxy-http: "true" + # podLabels: + # hub.jupyter.org/network-access-proxy-http: "true" vault_certificate: enabled: true path: secret/k8s_operator/rsp-cc/ingress-nginx -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file +# pull-secret: +# enabled: true +# path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file From 7904014ff2d68e0205ac59391057f84280b892f5 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 19 May 2022 16:27:19 +0200 Subject: [PATCH 0484/1479] reactivated nublado --- science-platform/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index f381b3bb53..efab6f4bc7 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -25,7 +25,7 @@ narrativelog: noteburst: enabled: false nublado2: - enabled: false + enabled: true obstap: enabled: true plot_navigator: From b49c3526158dad1f5b50f64e2296503441fd0c42 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 19 May 2022 10:35:58 -0700 Subject: [PATCH 0485/1479] Turn on shutdown-on-logout --- services/nublado2/README.md | 3 ++- services/nublado2/values.yaml | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 7bc9308897..1b1c6209e3 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md 
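Review bot: Commenting out `podLabels: hub.jupyter.org/network-access-proxy-http: "true"` drops the label that the zero-to-jupyterhub proxy NetworkPolicy uses to admit traffic from the ingress controller, so once nublado2 is enabled again (the next commit in this series does exactly that) the controller's connections to the hub proxy will be denied wherever network policies are enforced; keep the label, or record in a comment that policies are not enforced in this cluster. Commenting out the `pull-secret` stanza is only safe if the chart no longer declares that dependency; otherwise the controller image pull breaks. Prefer deleting dead configuration over leaving commented blocks, since git history already preserves it.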
@@ -26,6 +26,7 @@ Kubernetes: `>=1.20.0-0` | config.lab_environment | object | See `values.yaml` | Environment variables to set in spawned lab containers. Each value will be expanded using Jinja 2 templating. | | config.pinned_images | list | `[]` | | | config.pull_secret_path | string | `""` | | +| config.shutdown_on_logout | bool | `true` | | | config.sizes[0].cpu | int | `1` | | | config.sizes[0].name | string | `"Small"` | | | config.sizes[0].ram | string | `"3072M"` | | @@ -69,7 +70,7 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.hub.extraVolumes[1].name | string | `"nublado-gafaelfawr"` | | | jupyterhub.hub.extraVolumes[1].secret.secretName | string | `"gafaelfawr-token"` | | | jupyterhub.hub.image.name | string | `"lsstsqre/nublado2"` | | -| jupyterhub.hub.image.tag | string | `"2.3.0"` | | +| jupyterhub.hub.image.tag | string | `"2.3.1"` | | | jupyterhub.hub.loadRoles.self.scopes[0] | string | `"admin:servers!user"` | | | jupyterhub.hub.loadRoles.self.scopes[1] | string | `"read:metrics"` | | | jupyterhub.hub.loadRoles.server.scopes[0] | string | `"inherit"` | | diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 29984b747a..bae3e8f76e 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -7,7 +7,7 @@ jupyterhub: authenticatePrometheus: false image: name: lsstsqre/nublado2 - tag: "2.3.0" + tag: "2.3.1" config: Authenticator: enable_auth_state: true @@ -194,6 +194,9 @@ config: pinned_images: [] # One of "available" or "desired" cachemachine_image_policy: "available" + # Superfluous, because our LogoutHandler enforces this, but nice to + # make explicit. + shutdown_on_logout: true sizes: - name: Small cpu: 1 From 06744420ac1c8c7d7fc39b2660db9eb211befee4 Mon Sep 17 00:00:00 2001 
From: adam Date: Thu, 19 May 2022 12:47:45 -0700 Subject: [PATCH 0486/1479] Bump nublado version and add documentation for config values --- services/nublado2/README.md | 26 +++++++++----------------- services/nublado2/values.yaml | 20 +++++++++++++------- 2 files changed, 22 insertions(+), 24 deletions(-) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 1b1c6209e3..bd8836355d 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md 
@@ -20,25 +20,17 @@ Kubernetes: `>=1.20.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| config.base_url | string | `""` | | -| config.butler_secret_path | string | `""` | | -| config.cachemachine_image_policy | string | `"available"` | | +| config.base_url | string | `""` | base_url must be set in each instantiation of this chart to the URL of the primary ingress. It's used to construct API requests to the authentication service (which should go through the ingress). | +| config.butler_secret_path | string | `""` | butler_secret_path must be set here, because it's passed through to the lab rather than being part of the Hub configuration. | +| config.cachemachine_image_policy | string | `"available"` | Cachemachine image policy: "available" or "desired". Use "desired" at instances with streaming image support. | | config.lab_environment | object | See `values.yaml` | Environment variables to set in spawned lab containers. Each value will be expanded using Jinja 2 templating. | -| config.pinned_images | list | `[]` | | -| config.pull_secret_path | string | `""` | | -| config.shutdown_on_logout | bool | `true` | | -| config.sizes[0].cpu | int | `1` | | -| config.sizes[0].name | string | `"Small"` | | -| config.sizes[0].ram | string | `"3072M"` | | -| config.sizes[1].cpu | int | `2` | | -| config.sizes[1].name | string | `"Medium"` | | -| config.sizes[1].ram | string | `"6144M"` | | -| config.sizes[2].cpu | int | `4` | | -| config.sizes[2].name | string | `"Large"` | | -| config.sizes[2].ram | string | `"12288M"` | | +| config.pinned_images | list | `[]` | images to pin to spawner menu | +| config.pull_secret_path | string | `""` | pull_secret_path must also be set here; it specifies resources in the lab namespace | +| config.shutdown_on_logout | bool | `true` | shut down user pods on logout. Superfluous, because our LogoutHandler enforces this in any event, but nice to make explicit. 
| +| config.sizes | list | `[{"cpu":1,"name":"Small","ram":"3072M"},{"cpu":2,"name":"Medium","ram":"6144M"},{"cpu":4,"name":"Large","ram":"12288M"}]` | definitions of Lab sizes available in a given instance | | config.user_resources_template | string | See `values.yaml` | Templates for the user resources to create for each lab spawn. This is a string that can be templated and then loaded as YAML to generate a list of Kubernetes objects to create. | -| config.volume_mounts | list | `[]` | | -| config.volumes | list | `[]` | | +| config.volume_mounts | list | `[]` | Where to mount volumes for a particular instance | +| config.volumes | list | `[]` | Volumes to use for a particular instance | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | jupyterhub.cull.enabled | bool | `true` | | | jupyterhub.cull.every | int | `600` | | diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index bae3e8f76e..3e7a45414c 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml 
@@ -182,21 +182,25 @@ jupyterhub: enabled: false config: - # base_url must be set in each instantiation of this chart to the URL of + # -- base_url must be set in each instantiation of this chart to the URL of # the primary ingress. It's used to construct API requests to the # authentication service (which should go through the ingress). base_url: "" - # butler_secret_path must be set here, because it's passed through to - # the lab rather than being part of the Hub configuration + # -- butler_secret_path must be set here, because it's passed through to + # the lab rather than being part of the Hub configuration. butler_secret_path: "" - # same with pull_secret_path; it specifies resource in the lab namespace + # -- pull_secret_path must also be set here; it specifies resources in + # the lab namespace pull_secret_path: "" + # -- images to pin to spawner menu pinned_images: [] - # One of "available" or "desired" + # -- Cachemachine image policy: "available" or "desired". Use + # "desired" at instances with streaming image support. cachemachine_image_policy: "available" - # Superfluous, because our LogoutHandler enforces this, but nice to - # make explicit. + # -- shut down user pods on logout. Superfluous, because our + # LogoutHandler enforces this in any event, but nice to make explicit. shutdown_on_logout: true + # -- definitions of Lab sizes available in a given instance sizes: - name: Small cpu: 1 @@ -207,7 +211,9 @@ config: - name: Large cpu: 4 ram: 12288M + # -- Volumes to use for a particular instance volumes: [] + # -- Where to mount volumes for a particular instance volume_mounts: [] # -- Environment variables to set in spawned lab containers. Each value will From 38d9e2e29aec06c7416d934f874802aedca0f3e6 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 19 May 2022 13:53:47 -0700 Subject: [PATCH 0487/1479] Fix plot-navigator configuration Several command-line arguments were incorrect after the changes to the values.yaml files and the injection of global settings. --- services/plot-navigator/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/plot-navigator/templates/deployment.yaml b/services/plot-navigator/templates/deployment.yaml index 7c08089465..3fd6d69bae 100644 --- a/services/plot-navigator/templates/deployment.yaml +++ b/services/plot-navigator/templates/deployment.yaml @@ -62,4 +62,4 @@ spec: command: - /bin/bash - -c - - panel serve dashboard_gen3.py --port 8080 --prefix {{ .Values.basePath }} --allow-websocket-origin {{ .Values.hostname }} --static-dirs assets=./assets + - panel serve dashboard_gen3.py --port 8080 --prefix /plot-navigator --allow-websocket-origin {{ .Values.global.host }} --static-dirs assets=./assets From 699daa1e6b947c72fc70d2104d05c97cc3cc8fff Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 19 May 2022 13:56:46 -0700 Subject: [PATCH 0488/1479] Fix secret path for squareone squareone uses a slightly different global variable name than other applications at the moment. --- services/squareone/README.md | 2 +- services/squareone/templates/vault-secrets.yaml | 2 +- services/squareone/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/squareone/README.md b/services/squareone/README.md index e761e3c31f..907219d8ac 100644 --- a/services/squareone/README.md +++ b/services/squareone/README.md 
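Review bot: `{{ .Values.global.host }}` is interpolated unquoted into a `/bin/bash -c` command string, so any value containing shell metacharacters or whitespace would be re-parsed by the shell; the value is set by Argo CD from `fqdn`, which limits the exposure, but the safer shape is to drop `bash -c` altogether and pass each argument as its own list element with `{{ .Values.global.host | quote }}`, which also removes a shell from the container's process tree. Hard-coding `--prefix /plot-navigator` is fine only if the ingress path in this chart is hard-coded to match; if that is still templated, derive both from a single value. The container spec continues outside the hunk.

```yaml
        command:
          - "panel"
          - "serve"
          - "dashboard_gen3.py"
          - "--port"
          - "8080"
          - "--prefix"
          - "/plot-navigator"
          - "--allow-websocket-origin"
          - {{ .Values.global.host | quote }}
          - "--static-dirs"
          - "assets=./assets"
```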
@@ -24,7 +24,7 @@ Squareone is the homepage UI for the Rubin Science Platform. | fullnameOverride | string | `""` | Overrides the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD Application | Base URL for the environment | | global.host | string | Set by Argo CD Application | Host name for ingress | -| global.vaultSecretsPath | string | Set by Argo CD Application | Base path for Vault secrets | +| global.vaultSecretsPathPrefix | string | Set by Argo CD Application | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy (tip: use Always for development) | | image.repository | string | `"ghcr.io/lsst-sqre/squareone"` | Squareone Docker image repository | | image.tag | string | Chart's appVersion | Overrides the image tag. | diff --git a/services/squareone/templates/vault-secrets.yaml b/services/squareone/templates/vault-secrets.yaml index 0d7e4901e9..8755456d29 100644 --- a/services/squareone/templates/vault-secrets.yaml +++ b/services/squareone/templates/vault-secrets.yaml @@ -5,5 +5,5 @@ metadata: labels: {{- include "squareone.labels" . | nindent 4 }} spec: - path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" + path: "{{- .Values.global.vaultSecretsPathPrefix }}/pull-secret" type: kubernetes.io/dockerconfigjson diff --git a/services/squareone/values.yaml b/services/squareone/values.yaml index 9e390ff256..c82dac869a 100644 --- a/services/squareone/values.yaml +++ b/services/squareone/values.yaml @@ -89,4 +89,4 @@ global: # -- Base path for Vault secrets # @default -- Set by Argo CD Application - vaultSecretsPath: "" + vaultSecretsPathPrefix: "" From ab6d513a3aee79487502b76d4b5ae49fda46b391 Mon Sep 17 00:00:00 2001 
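Review bot: `path: "{{- .Values.global.vaultSecretsPathPrefix }}/pull-secret"` renders as `/pull-secret` when the value is left at its `""` default, and the VaultSecret then fails to sync (or reads an unintended path) at runtime instead of failing at render time; use `path: "{{ required "global.vaultSecretsPathPrefix must be set by the Argo CD Application" .Values.global.vaultSecretsPathPrefix }}/pull-secret"` so a mistyped Argo CD parameter is caught by `helm template`. Since the commit message notes that squareone deliberately deviates from the `global.vaultSecretsPath` name the other Applications use, a one-line comment above `path:` recording that the Application must pass `global.vaultSecretsPathPrefix` would prevent the next rename from silently breaking the pull secret.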
From: Christine Banek Date: Thu, 19 May 2022 14:02:30 -0700 Subject: [PATCH 0489/1479] [DM-34737] Datalinker 1.1.0 version Use the new datalinker released version that has the links endpoint. --- services/datalinker/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index ea6541e2f1..322896f1d2 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 1.0.0 +appVersion: 1.1.0 description: A Helm chart for Kubernetes name: datalinker type: application -version: 0.1.8 +version: 0.1.9 maintainers: - name: cbanek From c29f716d466127e74b1ace39d9b7c7c279e87704 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 20 May 2022 12:06:59 +0200 Subject: [PATCH 0490/1479] readded login --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index b898c3e29c..0d5937ff57 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -10,7 +10,7 @@ jupyterhub: hosts: ["data-dev.lsst.eu"] annotations: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" - #nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" + nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" config: base_url: "https://data-dev.lsst.eu/" From 1c3f5449262d5dcd5fcc6522eca12c94399fa396 Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Fri, 20 May 2022 11:06:13 -0700 Subject: [PATCH 0491/1479] exposurelog and narrativelog: bump versions --- services/exposurelog/Chart.yaml | 2 +- services/narrativelog/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
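Review bot: The restored `auth-url` value reads `scope=exec:notebook¬ebook=true`, where `¬ebook` looks like `&notebook` after an HTML-entity pass (`&not` decodes to `¬`); if that is the literal in the committed file, Gafaelfawr receives one garbled scope parameter and the `notebook=true` flag is lost, so confirm the line is `nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook&notebook=true"`. Re-enabling the check is the right move; between the previous commit and this one the hub ingress was deployed without external auth, which is worth recording in the environment's change notes.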
diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml index 6aead4253c..447066d96e 100644 --- a/services/exposurelog/Chart.yaml +++ b/services/exposurelog/Chart.yaml @@ -9,4 +9,4 @@ version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.9.2 +appVersion: 0.9.3 diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml index 26189668d8..6c7b7c2c41 100644 --- a/services/narrativelog/Chart.yaml +++ b/services/narrativelog/Chart.yaml @@ -9,4 +9,4 @@ version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.2.1 +appVersion: 0.2.2 From cd3115f7465159becee65a6dfcf497164f731b1b Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Tue, 17 May 2022 13:44:55 -0700 Subject: [PATCH 0492/1479] Add HiPS service and starter Add a chart for the HiPS service using crawlspace as the underlying container implementation. Enable it only on IDF dev. Add a starter for web services based on the charts starter, but with additional simplifications. --- science-platform/README.md | 1 + .../templates/hips-application.yaml | 37 +++++++++ science-platform/values-base.yaml | 6 +- science-platform/values-idfdev.yaml | 6 +- science-platform/values-idfint.yaml | 6 +- science-platform/values-idfprod.yaml | 6 +- science-platform/values-int.yaml | 6 +- science-platform/values-minikube.yaml | 6 +- science-platform/values-roe.yaml | 6 +- science-platform/values-stable.yaml | 6 +- science-platform/values-summit.yaml | 6 +- science-platform/values-tucson-teststand.yaml | 6 +- science-platform/values.yaml | 2 + services/hips/.helmignore | 23 ++++++ services/hips/Chart.yaml | 6 ++ services/hips/README.md | 29 +++++++ services/hips/templates/_helpers.tpl | 26 ++++++ services/hips/templates/deployment.yaml | 64 +++++++++++++++ services/hips/templates/hpa.yaml | 28 +++++++ services/hips/templates/ingress.yaml | 29 +++++++ services/hips/templates/networkpolicy.yaml | 21 +++++ services/hips/templates/service.yaml | 15 ++++ services/hips/templates/serviceaccount.yaml | 8 ++ services/hips/values-idfdev.yaml | 7 ++ services/hips/values-minikube.yaml | 7 ++ services/hips/values.yaml | 81 +++++++++++++++++++ starters/README.md | 11 +++ starters/web-service/.helmignore | 23 ++++++ starters/web-service/Chart.yaml | 10 +++ starters/web-service/README.md | 28 +++++++ starters/web-service/templates/_helpers.tpl | 26 ++++++ .../web-service/templates/deployment.yaml | 59 ++++++++++++++ starters/web-service/templates/hpa.yaml | 28 +++++++ starters/web-service/templates/ingress.yaml | 29 +++++++ .../web-service/templates/networkpolicy.yaml | 21 +++++ starters/web-service/templates/service.yaml | 15 ++++ 
starters/web-service/values.yaml | 70 ++++++++++++++++ 37 files changed, 744 insertions(+), 20 deletions(-) create mode 100644 science-platform/templates/hips-application.yaml create mode 100644 services/hips/.helmignore create mode 100644 services/hips/Chart.yaml create mode 100644 services/hips/README.md create mode 100644 services/hips/templates/_helpers.tpl create mode 100644 services/hips/templates/deployment.yaml create mode 100644 services/hips/templates/hpa.yaml create mode 100644 services/hips/templates/ingress.yaml create mode 100644 services/hips/templates/networkpolicy.yaml create mode 100644 services/hips/templates/service.yaml create mode 100644 services/hips/templates/serviceaccount.yaml create mode 100644 services/hips/values-idfdev.yaml create mode 100644 services/hips/values-minikube.yaml create mode 100644 services/hips/values.yaml create mode 100644 starters/README.md create mode 100644 starters/web-service/.helmignore create mode 100644 starters/web-service/Chart.yaml create mode 100644 starters/web-service/README.md create mode 100644 starters/web-service/templates/_helpers.tpl create mode 100644 starters/web-service/templates/deployment.yaml create mode 100644 starters/web-service/templates/hpa.yaml create mode 100644 starters/web-service/templates/ingress.yaml create mode 100644 starters/web-service/templates/networkpolicy.yaml create mode 100644 starters/web-service/templates/service.yaml create mode 100644 starters/web-service/values.yaml diff --git a/science-platform/README.md b/science-platform/README.md index f9c95e1be8..30e71fa224 100644 --- a/science-platform/README.md +++ b/science-platform/README.md @@ -10,6 +10,7 @@ | datalinker.enabled | bool | `false` | | | exposurelog.enabled | bool | `false` | | | gafaelfawr.enabled | bool | `false` | | +| hips.enabled | bool | `false` | | | ingress_nginx.enabled | bool | `false` | | | mobu.enabled | bool | `false` | | | moneypenny.enabled | bool | `false` | | 
diff --git a/science-platform/templates/hips-application.yaml b/science-platform/templates/hips-application.yaml new file mode 100644 index 0000000000..2862d40ec3 --- /dev/null +++ b/science-platform/templates/hips-application.yaml @@ -0,0 +1,37 @@ +{{- if .Values.hips.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: "hips" +spec: + finalizers: + - "kubernetes" +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: "hips" + namespace: "argocd" + finalizers: + - "resources-finalizer.argocd.argoproj.io" +spec: + destination: + namespace: "hips" + server: "https://kubernetes.default.svc" + project: "default" + source: + path: "services/hips" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} + helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} + valueFiles: + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" +{{- end -}} diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml index faa326d7df..7e06bfa97a 100644 --- a/science-platform/values-base.yaml +++ b/science-platform/values-base.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: true gafaelfawr: enabled: true +hips: + enabled: false +ingress_nginx: + enabled: true mobu: enabled: false moneypenny: enabled: true -ingress_nginx: - enabled: true narrativelog: enabled: true noteburst: diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index 218abe11d6..6a84501088 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: false gafaelfawr: enabled: true +hips: + enabled: true +ingress_nginx: + enabled: true mobu: enabled: true moneypenny: enabled: true -ingress_nginx: - enabled: true narrativelog: enabled: false noteburst: 
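Review bot: The Application is placed in `project: "default"`, which in Argo CD carries no restriction on source repositories, destination namespaces or resource kinds, so this manifest (like the other Application templates it mirrors, judging by the identical parameter set) relies entirely on Argo CD's own RBAC for least privilege; a dedicated AppProject whose `sourceRepos` is `{{ .Values.repoURL }}` and whose `destinations` is limited to the `hips` namespace would bound what a compromised or mistyped chart can create. If every application in this repo shares `default`, a short comment here saying so and pointing at the AppProject that governs it would make the trust boundary explicit. Defaulting `hips.enabled` to `false` and enabling it only on idfdev and minikube is consistent with the rest of the file.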
diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 7cba6f23c3..759f473672 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: false gafaelfawr: enabled: true +hips: + enabled: false +ingress_nginx: + enabled: true mobu: enabled: true moneypenny: enabled: true -ingress_nginx: - enabled: true narrativelog: enabled: false noteburst: diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index 04ffff1215..1ac0bb32be 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: false gafaelfawr: enabled: true +hips: + enabled: false +ingress_nginx: + enabled: true mobu: enabled: true moneypenny: enabled: true -ingress_nginx: - enabled: true narrativelog: enabled: false noteburst: diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index d23ff32fca..1cdcb94613 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: false gafaelfawr: enabled: true +hips: + enabled: false +ingress_nginx: + enabled: false mobu: enabled: true moneypenny: enabled: true -ingress_nginx: - enabled: false narrativelog: enabled: false noteburst: diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index 9a2416ef43..3535a8cb8b 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: false gafaelfawr: enabled: true +hips: + enabled: true +ingress_nginx: + enabled: true mobu: enabled: true moneypenny: enabled: true -ingress_nginx: - enabled: true narrativelog: enabled: false noteburst: diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml index f26fd0e4bb..4806424820 100644 --- a/science-platform/values-roe.yaml 
+++ b/science-platform/values-roe.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: false gafaelfawr: enabled: true +hips: + enabled: false +ingress_nginx: + enabled: true mobu: enabled: true moneypenny: enabled: true -ingress_nginx: - enabled: true narrativelog: enabled: false noteburst: diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 76e1097694..2879f96ac5 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: false gafaelfawr: enabled: true +hips: + enabled: false +ingress_nginx: + enabled: false mobu: enabled: true moneypenny: enabled: true -ingress_nginx: - enabled: false narrativelog: enabled: false noteburst: diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index 9f6d21fcc3..9f56229663 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: true gafaelfawr: enabled: true +hips: + enabled: false +ingress_nginx: + enabled: true mobu: enabled: false moneypenny: enabled: true -ingress_nginx: - enabled: true narrativelog: enabled: true noteburst: diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index 9da9f55c8b..80a699e986 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -14,12 +14,14 @@ exposurelog: enabled: true gafaelfawr: enabled: true +hips: + enabled: false +ingress_nginx: + enabled: true mobu: enabled: false moneypenny: enabled: true -ingress_nginx: - enabled: true narrativelog: enabled: true noteburst: diff --git a/science-platform/values.yaml b/science-platform/values.yaml index 0d4c2bef5b..a7aa0c5264 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml 
@@ -10,6 +10,8 @@ exposurelog: enabled: false gafaelfawr: enabled: false +hips: + enabled: false ingress_nginx: enabled: false mobu: diff --git a/services/hips/.helmignore b/services/hips/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/services/hips/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/services/hips/Chart.yaml b/services/hips/Chart.yaml new file mode 100644 index 0000000000..6372aa3f11 --- /dev/null +++ b/services/hips/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 0.1.0 +description: A Helm chart for Kubernetes +name: hips +type: application +version: 0.1.0 diff --git a/services/hips/README.md b/services/hips/README.md new file mode 100644 index 0000000000..69a738f3f3 --- /dev/null +++ b/services/hips/README.md 
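Review bot: `description: A Helm chart for Kubernetes` in the new services/hips/Chart.yaml is the `helm create` boilerplate, and the generated README in this patch copies it as its only description of the chart; replace it with a sentence that names what is deployed (the crawlspace HiPS image server backed by the configured GCS bucket). `appVersion: 0.1.0` is the default image tag in deployment.yaml; quoting it as `appVersion: "0.1.0"` keeps a later tag that looks numeric (for example a two-component one) from being read as a float.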
@@ -0,0 +1,29 @@ +# hips + +A Helm chart for Kubernetes + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the hips deployment pod | +| autoscaling.enabled | bool | `false` | Enable autoscaling of hips deployment | +| autoscaling.maxReplicas | int | `100` | Maximum number of hips deployment pods | +| autoscaling.minReplicas | int | `1` | Minimum number of hips deployment pods | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of hips deployment pods | +| config.gcsBucket | string | None, must be set | Name of Google Cloud Storage bucket holding the HiPS files | +| config.gcsProject | string | None, must be set | Google Cloud project in which the underlying storage is located | +| config.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `hips` Kubernetes service account and has access to the storage bucket | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the hips image | +| image.repository | string | `"ghcr.io/lsst-sqre/crawlspace"` | Image to use in the hips deployment | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. 
| +| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.gafaelfawrAuthQuery | string | `"scope=read:image"` | Gafaelfawr auth query string | +| nodeSelector | object | `{}` | Node selection rules for the hips deployment pod | +| podAnnotations | object | `{}` | Annotations for the hips deployment pod | +| replicaCount | int | `1` | Number of web deployment pods to start | +| resources | object | `{}` | Resource limits and requests for the hips deployment pod | +| tolerations | list | `[]` | Tolerations for the hips deployment pod | diff --git a/services/hips/templates/_helpers.tpl b/services/hips/templates/_helpers.tpl new file mode 100644 index 0000000000..5a738df28d --- /dev/null +++ b/services/hips/templates/_helpers.tpl @@ -0,0 +1,26 @@ +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "hips.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "hips.labels" -}} +helm.sh/chart: {{ include "hips.chart" . }} +{{ include "hips.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "hips.selectorLabels" -}} +app.kubernetes.io/name: "hips" +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/hips/templates/deployment.yaml b/services/hips/templates/deployment.yaml new file mode 100644 index 0000000000..1d1f8096ed --- /dev/null +++ b/services/hips/templates/deployment.yaml 
@@ -0,0 +1,64 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "hips" + labels: + {{- include "hips.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "hips.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "hips.selectorLabels" . | nindent 8 }} + spec: + containers: + - name: {{ .Chart.Name }} + env: + - name: "CRAWLSPACE_PROJECT" + value: {{ required "config.gcsProject must be set" .Values.config.gcsProject | quote }} + - name: "CRAWLSPACE_BUCKET" + value: {{ required "config.gcsBucket must be set" .Values.config.gcsBucket | quote }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: "http" + containerPort: 8080 + protocol: "TCP" + readinessProbe: + httpGet: + path: "/" + port: "http" + resources: + {{- toYaml .Values.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + serviceAccountName: "hips" + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/services/hips/templates/hpa.yaml b/services/hips/templates/hpa.yaml new file mode 100644 index 0000000000..0606eb00d9 --- /dev/null +++ b/services/hips/templates/hpa.yaml 
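Review bot: The pod-level `securityContext` sets runAsNonRoot/runAsUser/runAsGroup but no `seccompProfile`, so the container runs under the runtime's default (unconfined) syscall filter and the pod would not pass the restricted Pod Security Standard; add `seccompProfile:` / `type: "RuntimeDefault"` under the pod `securityContext`, and the same applies to the starter deployment.yaml later in this patch. The starter also sets `automountServiceAccountToken: false` while this deployment omits it; if the Workload Identity binding declared on the `hips` ServiceAccount does not require the projected token inside the pod, adding the same line here keeps the two templates consistent — confirm against the cluster before changing it. `drop: - "all"` is spelled `"ALL"` in the Kubernetes documentation and Pod Security admission examples; confirm the lowercase form is honoured by the admission tooling in use, or normalise it.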
@@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: "hips" + labels: + {{- include "hips.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: "hips" + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: "cpu" + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: "memory" + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/services/hips/templates/ingress.yaml b/services/hips/templates/ingress.yaml new file mode 100644 index 0000000000..20bd4cc1a9 --- /dev/null +++ b/services/hips/templates/ingress.yaml @@ -0,0 +1,29 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: "hips" + labels: + {{- include "hips.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- if .Values.ingress.gafaelfawrAuthQuery }} + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/hips" + pathType: "Prefix" + backend: + service: + name: "hips" + port: + number: 8080 
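Review bot: `apiVersion: autoscaling/v2beta1` is a deprecated API (removed in Kubernetes 1.25) and its `targetAverageUtilization` field does not exist in the GA `autoscaling/v2` API available since 1.23, so this HPA will stop applying once the cluster drops the beta version; the starter hpa.yaml in this patch has the same shape. The v2 form expresses each metric through a `target` block, shown below for the CPU metric; the memory metric follows the same pattern.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: "cpu"
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    # … unchanged: memory metric, rewritten with the same target block …
```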
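Review bot: The Gafaelfawr annotations (`auth-url`, `auth-signin`, `auth-method`, `auth-response-headers`) are emitted only when `ingress.gafaelfawrAuthQuery` is non-empty, so an environment values file that sets it to `""` silently publishes `/hips` without any authentication while the NetworkPolicy still admits traffic from the ingress controller; the starter ingress.yaml in this patch has the same pattern. The values.yaml entry should say so, e.g. `# -- Gafaelfawr auth query string. An empty value removes the auth annotations from the ingress and makes the service reachable without login.` Separately, `kubernetes.io/ingress.class` is a deprecated annotation on `networking.k8s.io/v1`; `spec.ingressClassName: "nginx"` is the supported field.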
diff --git a/services/hips/templates/networkpolicy.yaml b/services/hips/templates/networkpolicy.yaml new file mode 100644 index 0000000000..1794a475b8 --- /dev/null +++ b/services/hips/templates/networkpolicy.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "hips" +spec: + podSelector: + matchLabels: + {{- include "hips.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 8080 diff --git a/services/hips/templates/service.yaml b/services/hips/templates/service.yaml new file mode 100644 index 0000000000..e5d572b92c --- /dev/null +++ b/services/hips/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: "hips" + labels: + {{- include "hips.labels" . | nindent 4 }} +spec: + type: "ClusterIP" + ports: + - port: 8080 + targetPort: "http" + protocol: "TCP" + name: "http" + selector: + {{- include "hips.selectorLabels" . | nindent 4 }} diff --git a/services/hips/templates/serviceaccount.yaml b/services/hips/templates/serviceaccount.yaml new file mode 100644 index 0000000000..902961623a --- /dev/null +++ b/services/hips/templates/serviceaccount.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "hips" + labels: + {{- include "hips.labels" . | nindent 4 }} + annotations: + iam.gke.io/gcp-service-account: {{ required "config.serviceAccount must be set to a valid Google service account" .Values.config.serviceAccount | quote }} diff --git a/services/hips/values-idfdev.yaml b/services/hips/values-idfdev.yaml new file mode 100644 index 0000000000..0ad0493a05 --- /dev/null +++ b/services/hips/values-idfdev.yaml 
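Review bot: The ingress rule combines `namespaceSelector: {}` with a pod label, so any pod in any namespace that carries `gafaelfawr.lsst.io/ingress: "true"` may reach port 8080; the label rather than the namespace is the trust boundary, which holds only while no other workload owner can apply that label. If the ingress controller runs in a fixed namespace, a `namespaceSelector` with `matchLabels: kubernetes.io/metadata.name: <INGRESS_NAMESPACE>` (placeholder; the namespace is not on this page) narrows the rule, and the starter networkpolicy.yaml later in this patch would take the same change. `policyTypes` lists only `Ingress`, so egress from the pod is unrestricted — presumably intended because the crawlspace image reads from GCS, but a comment saying so would stop the next reader from treating it as an omission.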
@@ -0,0 +1,7 @@ +config: + gcsProject: "bogus" + gcsBucket: "bogus" + serviceAccount: "bogus" + +image: + tag: "tickets-DM-34802" diff --git a/services/hips/values-minikube.yaml b/services/hips/values-minikube.yaml new file mode 100644 index 0000000000..0ad0493a05 --- /dev/null +++ b/services/hips/values-minikube.yaml @@ -0,0 +1,7 @@ +config: + gcsProject: "bogus" + gcsBucket: "bogus" + serviceAccount: "bogus" + +image: + tag: "tickets-DM-34802" diff --git a/services/hips/values.yaml b/services/hips/values.yaml new file mode 100644 index 0000000000..d870968192 --- /dev/null +++ b/services/hips/values.yaml 
@@ -0,0 +1,81 @@ +# Default values for hips. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of web deployment pods to start +replicaCount: 1 + +config: + # -- Google Cloud project in which the underlying storage is located + # @default -- None, must be set + gcsProject: "" + + # -- Name of Google Cloud Storage bucket holding the HiPS files + # @default -- None, must be set + gcsBucket: "" + + # -- The Google service account that has an IAM binding to the `hips` + # Kubernetes service account and has access to the storage bucket + # @default -- None, must be set + serviceAccount: "" + +image: + # -- Image to use in the hips deployment + repository: "ghcr.io/lsst-sqre/crawlspace" + + # -- Pull policy for the hips image + pullPolicy: "IfNotPresent" + + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" + +ingress: + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=read:image" + + # -- Additional annotations for the ingress rule + annotations: {} + +autoscaling: + # -- Enable autoscaling of hips deployment + enabled: false + + # -- Minimum number of hips deployment pods + minReplicas: 1 + + # -- Maximum number of hips deployment pods + maxReplicas: 100 + + # -- Target CPU utilization of hips deployment pods + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- Annotations for the hips deployment pod +podAnnotations: {} + +# -- Resource limits and requests for the hips deployment pod +resources: {} + +# -- Node selection rules for the hips deployment pod +nodeSelector: {} + +# -- Tolerations for the hips deployment pod +tolerations: [] + +# -- Affinity rules for the hips deployment pod +affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. 
+global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/starters/README.md b/starters/README.md new file mode 100644 index 0000000000..ce539a5a36 --- /dev/null +++ b/starters/README.md @@ -0,0 +1,11 @@ +# Helm starters for Phalanx + +Each subdirectory of this directory is a Helm starter for a class of Phalanx service. +Use the starters with the `-p` option to `helm create`. +For example, from the `services` directory: + +```sh +helm create new-service -p $(pwd)/../starters/rsp-web-service +``` + +The path to the starter directory must be absolute, not relative, or Helm will try to use it has a path relative to `$HOME/.local/share/helm`. diff --git a/starters/web-service/.helmignore b/starters/web-service/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/starters/web-service/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/starters/web-service/Chart.yaml b/starters/web-service/Chart.yaml new file mode 100644 index 0000000000..f693083c5b --- /dev/null +++ b/starters/web-service/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +name: +version: 1.0.0 +description: | + Helm starter chart for a new RSP service. +home: "https://github.com/lsst-sqre/" +type: application + +# The default version tag of the Docker image. +appVersion: "1.0.0" diff --git a/starters/web-service/README.md b/starters/web-service/README.md new file mode 100644 index 0000000000..affa22f3c2 --- /dev/null 
+++ b/starters/web-service/README.md @@ -0,0 +1,28 @@ +# + +Helm starter chart for a new RSP service. + +**Homepage:** > + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the deployment pod | +| autoscaling.enabled | bool | `false` | Enable autoscaling of deployment | +| autoscaling.maxReplicas | int | `100` | Maximum number of deployment pods | +| autoscaling.minReplicas | int | `1` | Minimum number of deployment pods | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of deployment pods | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the image | +| image.repository | string | `"ghcr.io/lsst-sqre/"` | Image to use in the deployment | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.gafaelfawrAuthQuery | string | Unauthenticated | Gafaelfawr auth query string | +| nodeSelector | object | `{}` | Node selection rules for the deployment pod | +| podAnnotations | object | `{}` | Annotations for the deployment pod | +| replicaCount | int | `1` | Number of web deployment pods to start | +| resources | object | `{}` | Resource limits and requests for the deployment pod | +| tolerations | list | `[]` | Tolerations for the deployment pod | diff --git a/starters/web-service/templates/_helpers.tpl b/starters/web-service/templates/_helpers.tpl new file mode 100644 index 0000000000..d4d9a92e86 --- /dev/null +++ b/starters/web-service/templates/_helpers.tpl 
@@ -0,0 +1,26 @@ +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define ".chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define ".labels" -}} +helm.sh/chart: {{ include ".chart" . }} +{{ include ".selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define ".selectorLabels" -}} +app.kubernetes.io/name: "" +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/starters/web-service/templates/deployment.yaml b/starters/web-service/templates/deployment.yaml new file mode 100644 index 0000000000..878b838602 --- /dev/null +++ b/starters/web-service/templates/deployment.yaml 
@@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "" + labels: + {{- include ".labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include ".selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include ".selectorLabels" . | nindent 8 }} + spec: + automountServiceAccountToken: false + containers: + - name: {{ .Chart.Name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: "http" + containerPort: 8080 + protocol: "TCP" + readinessProbe: + httpGet: + path: "/" + port: "http" + resources: + {{- toYaml .Values.resources | nindent 12 }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/starters/web-service/templates/hpa.yaml b/starters/web-service/templates/hpa.yaml new file mode 100644 index 0000000000..c2b225e39e --- /dev/null +++ b/starters/web-service/templates/hpa.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: "" + labels: + {{- include ".labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: "" + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: "cpu" + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: "memory" + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/starters/web-service/templates/ingress.yaml b/starters/web-service/templates/ingress.yaml new file mode 100644 index 0000000000..5337b048f1 --- /dev/null +++ b/starters/web-service/templates/ingress.yaml @@ -0,0 +1,29 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: "" + labels: + {{- include ".labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- if .Values.ingress.gafaelfawrAuthQuery }} + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/" + pathType: "Prefix" + backend: + service: + name: "" + port: + number: 8080 
diff --git a/starters/web-service/templates/networkpolicy.yaml b/starters/web-service/templates/networkpolicy.yaml new file mode 100644 index 0000000000..180cc36f0d --- /dev/null +++ b/starters/web-service/templates/networkpolicy.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "" +spec: + podSelector: + matchLabels: + {{- include ".selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + ports: + - protocol: "TCP" + port: 8080 diff --git a/starters/web-service/templates/service.yaml b/starters/web-service/templates/service.yaml new file mode 100644 index 0000000000..2bcfb29260 --- /dev/null +++ b/starters/web-service/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: "" + labels: + {{- include ".labels" . | nindent 4 }} +spec: + type: "ClusterIP" + ports: + - port: 8080 + targetPort: "http" + protocol: "TCP" + name: "http" + selector: + {{- include ".selectorLabels" . | nindent 4 }} diff --git a/starters/web-service/values.yaml b/starters/web-service/values.yaml new file mode 100644 index 0000000000..cfb6f07a3a --- /dev/null +++ b/starters/web-service/values.yaml 
@@ -0,0 +1,70 @@ +# Default values for . +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of web deployment pods to start +replicaCount: 1 + +image: + # -- Image to use in the deployment + repository: "ghcr.io/lsst-sqre/" + + # -- Pull policy for the image + pullPolicy: "IfNotPresent" + + # -- Overrides the image tag whose default is the chart appVersion. + tag: "" + +ingress: + # -- Gafaelfawr auth query string + # @default -- Unauthenticated + gafaelfawrAuthQuery: "" + # gafaelfawrAuthQuery: "scope=read:image" + # gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" + + # -- Additional annotations for the ingress rule + annotations: {} + +autoscaling: + # -- Enable autoscaling of deployment + enabled: false + + # -- Minimum number of deployment pods + minReplicas: 1 + + # -- Maximum number of deployment pods + maxReplicas: 100 + + # -- Target CPU utilization of deployment pods + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- Annotations for the deployment pod +podAnnotations: {} + +# -- Resource limits and requests for the deployment pod +resources: {} + +# -- Node selection rules for the deployment pod +nodeSelector: {} + +# -- Tolerations for the deployment pod +tolerations: [] + +# -- Affinity rules for the deployment pod +affinity: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From 4dc4b8ba796e2a277482292ef10e1f687b3af30d Mon Sep 17 00:00:00 2001 
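Review bot: `gafaelfawrAuthQuery: ""` makes every chart generated from this starter unauthenticated unless the author remembers to set a scope, and the two commented examples do not say that an empty value removes the auth annotations from the ingress entirely. Since the starter is the template new services are copied from, the comment should state the consequence, e.g. `# -- Gafaelfawr auth query string. Empty disables the Gafaelfawr auth annotations, so the ingress is reachable without login; set a scope for any service that is not meant to be public.` The README generated from it then carries the same warning.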
From: Russ Allbery Date: Fri, 20 May 2022 11:02:34 -0700 Subject: [PATCH 0493/1479] Allow ingress path to be configured Add ingress.path to the web-service starter, and add it to the HiPS service as well. --- services/hips/README.md | 1 + services/hips/templates/ingress.yaml | 2 +- services/hips/values.yaml | 3 +++ starters/web-service/README.md | 1 + starters/web-service/templates/ingress.yaml | 2 +- starters/web-service/values.yaml | 3 +++ 6 files changed, 10 insertions(+), 2 deletions(-) diff --git a/services/hips/README.md b/services/hips/README.md index 69a738f3f3..813ab25865 100644 --- a/services/hips/README.md +++ b/services/hips/README.md @@ -22,6 +22,7 @@ A Helm chart for Kubernetes | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | | ingress.gafaelfawrAuthQuery | string | `"scope=read:image"` | Gafaelfawr auth query string | +| ingress.path | string | `"/api/hips"` | Path at which to serve the service | | nodeSelector | object | `{}` | Node selection rules for the hips deployment pod | | podAnnotations | object | `{}` | Annotations for the hips deployment pod | | replicaCount | int | `1` | Number of web deployment pods to start | diff --git a/services/hips/templates/ingress.yaml b/services/hips/templates/ingress.yaml index 20bd4cc1a9..a27182e8cd 100644 --- a/services/hips/templates/ingress.yaml +++ b/services/hips/templates/ingress.yaml @@ -20,7 +20,7 @@ spec: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: "/hips" + - path: {{ .Values.ingress.path | quote }} pathType: "Prefix" backend: service: diff --git a/services/hips/values.yaml b/services/hips/values.yaml index d870968192..dab0285028 100644 --- a/services/hips/values.yaml +++ b/services/hips/values.yaml 
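Review bot: `path: {{ .Values.ingress.path | quote }}` renders `path: ""` when an environment clears `ingress.path`, which the API server rejects (an Ingress HTTP path must begin with `/`) with an error that does not name the offending value; `path: {{ required "ingress.path must be set" .Values.ingress.path | quote }}` matches how `global.host` is guarded two lines above in the same rule. The starter ingress.yaml in this patch makes the same change and would take the same guard.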
@@ -33,6 +33,9 @@ ingress: # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "scope=read:image" + # -- Path at which to serve the service + path: "/api/hips" + # -- Additional annotations for the ingress rule annotations: {} diff --git a/starters/web-service/README.md b/starters/web-service/README.md index affa22f3c2..70a73524a9 100644 --- a/starters/web-service/README.md +++ b/starters/web-service/README.md @@ -21,6 +21,7 @@ Helm starter chart for a new RSP service. | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | | ingress.gafaelfawrAuthQuery | string | Unauthenticated | Gafaelfawr auth query string | +| ingress.path | string | `"/"` | Path at which to serve the service | | nodeSelector | object | `{}` | Node selection rules for the deployment pod | | podAnnotations | object | `{}` | Annotations for the deployment pod | | replicaCount | int | `1` | Number of web deployment pods to start | diff --git a/starters/web-service/templates/ingress.yaml b/starters/web-service/templates/ingress.yaml index 5337b048f1..54745ad0d6 100644 --- a/starters/web-service/templates/ingress.yaml +++ b/starters/web-service/templates/ingress.yaml @@ -20,7 +20,7 @@ spec: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: "/" + - path: {{ .Values.ingress.path | quote }} pathType: "Prefix" backend: service: diff --git a/starters/web-service/values.yaml b/starters/web-service/values.yaml index cfb6f07a3a..ec7d02fa6f 100644 --- a/starters/web-service/values.yaml +++ b/starters/web-service/values.yaml @@ -22,6 +22,9 @@ ingress: # gafaelfawrAuthQuery: "scope=read:image" # gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" + # -- Path at which to serve the service + path: "/" + # -- Additional annotations for the ingress rule annotations: {} 
From 0b9b53f4c970e0ed10a6e3f05f6b9630470b043b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 23 May 2022 06:42:15 +0000 Subject: [PATCH 0494/1479] Update Helm release argo-cd to v4.6.5 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 83b04ace77..f980705729 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.5.12 + version: 4.6.5 repository: https://argoproj.github.io/argo-helm From 5edc76911f9b53853a830a9952f36db9daafb466 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 10:57:07 +0200 Subject: [PATCH 0495/1479] update cachemachine --- services/cachemachine/values-ccin2p3.yaml | 48 +++++++++++------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index ebd3b67dc9..cebfa3442d 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml 
@@ -1,27 +1,27 @@ -# cachemachine: -# imagePullSecrets: -# - name: "cachemachine-secret" +cachemachine: + imagePullSecrets: + - name: "cachemachine-secret" - # ingress: - # enabled: true - # host: data-dev.lsst.eu + ingress: + enabled: true + host: data-dev.lsst.eu - # vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" + vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" - autostart: - jupyter: | - { - "name": "jupyter", - "labels": {}, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 1, - "num_weeklies": 2, - "num_dailies": 3 - } - ] - } \ No newline at end of file +autostart: + jupyter: + { + "name": "jupyter", + "labels": {}, + "repomen": [ + { + "type": "RubinRepoMan", + "registry_url": "registry.hub.docker.com", + "repo": "lsstsqre/sciplat-lab", + "recommended_tag": "recommended", + "num_releases": 1, + "num_weeklies": 2, + "num_dailies": 3 + } + ] + } \ No newline at end of file From 0520bbd07e3b9a4a47a8fe1059ea87f97520c2ca Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 10:59:45 +0200 Subject: [PATCH 0496/1479] Fixed typos --- services/cachemachine/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index cebfa3442d..15e974e1f0 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml @@ -9,7 +9,7 @@ cachemachine: vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" autostart: - jupyter: + jupyter: | { "name": "jupyter", "labels": {}, From 1bfde1be056c772ba6ebd13a093cb79204fb75a0 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Mon, 23 May 2022 11:30:10 +0200 Subject: [PATCH 0497/1479] fix in nublado et cachemachine --- services/cachemachine/values-ccin2p3.yaml | 4 ++-- services/nublado2/values-ccin2p3.yaml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index 15e974e1f0..26d9afce26 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml @@ -4,7 +4,7 @@ cachemachine: ingress: enabled: true - host: data-dev.lsst.eu + host: "data-dev.lsst.eu" vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" @@ -16,7 +16,7 @@ autostart: "repomen": [ { "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", + "registry_url": " ", "repo": "lsstsqre/sciplat-lab", "recommended_tag": "recommended", "num_releases": 1, diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 0d5937ff57..055df418cc 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -11,6 +11,9 @@ jupyterhub: annotations: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" + singleuser: + storage: + type: none config: base_url: "https://data-dev.lsst.eu/" From 1173b4d5cb38eae363f68a6bac3c696eab1206e7 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 11:34:38 +0200 Subject: [PATCH 0498/1479] typos --- services/cachemachine/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index 26d9afce26..e34479848e 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml 
@@ -4,7 +4,7 @@ cachemachine: ingress: enabled: true - host: "data-dev.lsst.eu" + host: data-dev.lsst.eu vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" From 089cd2390b851824696bbdc0febf5ccc51bde170 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 11:50:07 +0200 Subject: [PATCH 0499/1479] typo --- services/cachemachine/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index e34479848e..2f1f19672c 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml @@ -4,7 +4,7 @@ cachemachine: ingress: enabled: true - host: data-dev.lsst.eu + host: data-dev.lsst.eu vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" From 8a43e5d3604aff7351ba85e7ac1f3f03d99412fc Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 11:56:19 +0200 Subject: [PATCH 0500/1479] removed single user --- services/nublado2/values-ccin2p3.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 055df418cc..b72876d7df 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -11,9 +11,7 @@ jupyterhub: annotations: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" - singleuser: - storage: - type: none + config: base_url: "https://data-dev.lsst.eu/" From a995a616b87a363e73e3ee2588f52f27724f8b6c Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 12:05:11 +0200 Subject: [PATCH 0501/1479] removed secret --- services/cachemachine/values-ccin2p3.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index 2f1f19672c..e9f560b82d 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml @@ -1,12 +1,12 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" +# cachemachine: +# imagePullSecrets: +# - name: "cachemachine-secret" - ingress: - enabled: true - host: data-dev.lsst.eu +# ingress: +# enabled: true +# host: data-dev.lsst.eu - vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" +# vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" autostart: jupyter: | From a9e00d5ddf79386a5f61500037f50f4eafbf9d87 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 12:16:28 +0200 Subject: [PATCH 0502/1479] Add hub --- services/cachemachine/values-ccin2p3.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index e9f560b82d..15e974e1f0 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml @@ -1,12 +1,12 @@ -# cachemachine: -# imagePullSecrets: -# - name: "cachemachine-secret" +cachemachine: + imagePullSecrets: + - name: "cachemachine-secret" -# ingress: -# enabled: true -# host: data-dev.lsst.eu + ingress: + enabled: true + host: data-dev.lsst.eu -# vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" + vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" autostart: jupyter: | @@ -16,7 +16,7 @@ autostart: "repomen": [ { "type": "RubinRepoMan", - "registry_url": " ", + "registry_url": "registry.hub.docker.com", "repo": "lsstsqre/sciplat-lab", "recommended_tag": "recommended", "num_releases": 1, From cb9e095ef574befb0cf2ab8474b10f787e4026b1 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Mon, 23 May 2022 14:28:36 +0200 Subject: [PATCH 0503/1479] fixed error in nublado base url --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index b72876d7df..aeb68329bc 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -14,7 +14,7 @@ jupyterhub: config: - base_url: "https://data-dev.lsst.eu/" + base_url: "https://data-dev.lsst.eu" butler_secret_path: "secret/k8s_operator/rsp-cc/butler-secret" pull_secret_path: "secret/k8s_operator/rsp-cc/pull-secret" From 31d9b020b12a8142f0b112dd3981daa9a7ab6508 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 14:33:00 +0200 Subject: [PATCH 0504/1479] Storage fix --- services/nublado2/values-ccin2p3.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index aeb68329bc..cd17cefba7 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -1,6 +1,9 @@ jupyterhub: debug: enabled: true + singleuser: + storage: + type: none hub: resources: requests: From 274e544fd40082710140dd6d71fe8b39a5471196 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 14:35:02 +0200 Subject: [PATCH 0505/1479] moneypenny --- services/nublado2/values-ccin2p3.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index cd17cefba7..ad494566d1 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -1,14 +1,15 @@ jupyterhub: debug: enabled: true - singleuser: - storage: - type: none + hub: resources: requests: cpu: "2" memory: 3Gi + + lab: + enable_moneypenny: 'true' ingress: hosts: ["data-dev.lsst.eu"] annotations: 
From 9c1efde06731652f8a3a9f4b80a29c6d2cfd6136 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 14:37:49 +0200 Subject: [PATCH 0506/1479] fixed volums --- services/nublado2/values-ccin2p3.yaml | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index ad494566d1..e57b862b5d 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -7,10 +7,7 @@ jupyterhub: requests: cpu: "2" memory: 3Gi - - lab: - enable_moneypenny: 'true' - ingress: +s ingress: hosts: ["data-dev.lsst.eu"] annotations: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" @@ -23,15 +20,14 @@ config: pull_secret_path: "secret/k8s_operator/rsp-cc/pull-secret" volumes: - hostPath: - - name: data - hostPath: - path: /data/rsp/nublado2 - type: Directory - - name: home - hostPath: - path: /data/rsp/home - type: Directory + - name: data + hostPath: + path: /data/rsp/nublado2 + type: Directory + - name: home + hostPath: + path: /data/rsp/home + type: Directory volume_mounts: - name: data From 1083873a49dc50cb5b1ac1911f704b1e83c211ec Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 14:56:08 +0200 Subject: [PATCH 0507/1479] add turorial repo --- services/nublado2/values-ccin2p3.yaml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index e57b862b5d..08a973231f 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml 
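Review bot: `+s ingress:` in the first hunk replaces the two-space indent of `ingress:` with an `s`, so the key becomes `s ingress` at column 0 instead of `ingress` under `jupyterhub:`; YAML accepts a key containing a space, so this parses without error but moves `hosts` and the `nginx.ingress.kubernetes.io/auth-*` annotations out of the hub's ingress configuration, leaving that ingress with whatever the chart defaults are (not visible here). The line should be `  ingress:`. The volumes flattening in the second hunk looks intentional, but the hostPath entries now depend on the list shape the nublado2 chart expects, which the same `helm template` run would confirm.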
@@ -18,16 +18,22 @@ config: base_url: "https://data-dev.lsst.eu" butler_secret_path: "secret/k8s_operator/rsp-cc/butler-secret" pull_secret_path: "secret/k8s_operator/rsp-cc/pull-secret" - + lab_environment: + AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" + AUTO_REPO_BRANCH: "prod" + AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + pinned_images: + - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended + name: Recommended volumes: - name: data hostPath: path: /data/rsp/nublado2 - type: Directory + # type: Directory - name: home hostPath: path: /data/rsp/home - type: Directory + # type: Directory volume_mounts: - name: data From cd3200719011878c9f45b24b1d0a0ff32e40d6ef Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 23 May 2022 15:29:02 +0200 Subject: [PATCH 0508/1479] fixed typo --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 08a973231f..fd8135efa6 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -7,7 +7,7 @@ jupyterhub: requests: cpu: "2" memory: 3Gi -s ingress: + ingress: hosts: ["data-dev.lsst.eu"] annotations: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" From 05a90f70f8959398840f4151def3b67ba57e26cf Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 23 May 2022 07:45:49 -0700 Subject: [PATCH 0509/1479] Refresh README.md --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index de3d407bd5..0efc6065fd 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.5.12 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.6.5 | ## Values 
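Review bot: Commenting out `type: Directory` on both hostPath volumes removes the only pre-mount validation Kubernetes performs: with no `type`, the kubelet does not check that `/data/rsp/nublado2` and `/data/rsp/home` exist or are directories. If the goal is to tolerate a missing path, `type: DirectoryOrCreate` states that explicitly and still rejects a regular file at that path; otherwise `type: Directory` should stay. The new `pinned_images` entry uses the mutable `recommended` tag, so what it "pins" changes whenever that tag is moved, which may be acceptable for this environment but is worth a comment. `AUTO_REPO_SPECS` repeats the URL and branch already given in `AUTO_REPO_URLS` and `AUTO_REPO_BRANCH`; if the lab reads only one of these forms, the other two are dead configuration.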
From 8741fd776808297305320b88db760b69821d958d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 23 May 2022 14:55:29 +0000 Subject: [PATCH 0510/1479] Update Helm release redis to v16.9.10 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index cd04b7a1be..da1ba11877 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.9.5 + version: 16.9.10 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index f3ed27661a..699ea9ae27 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: 0.4.0b1 dependencies: - name: redis - version: 16.9.5 + version: 16.9.10 repository: https://charts.bitnami.com/bitnami From 9d739379d1a95cf46e008e87ddbe1f18b32f4d3a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 23 May 2022 07:59:00 -0700 Subject: [PATCH 0511/1479] Update README.md --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 2956c04dc4..b0ce393361 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.9.5 | +| https://charts.bitnami.com/bitnami | redis | 16.9.10 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 7545486b24..c102dd5ae9 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.9.5 | +| https://charts.bitnami.com/bitnami | redis | 16.9.10 | ## Values From 588c7839cae43691051f4448581e4689efa96ec1 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 20 May 2022 11:16:12 -0700 Subject: [PATCH 0512/1479] Document pull secret updating --- docs/index.rst | 1 + docs/service-guide/update-pull-secret.rst | 43 +++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 docs/service-guide/update-pull-secret.rst diff --git a/docs/index.rst b/docs/index.rst index 043104391f..91221f1050 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -36,6 +36,7 @@ General development and operations service-guide/create-service service-guide/add-a-onepassword-secret service-guide/update-a-onepassword-secret + service-guide/update-pull-secret service-guide/add-service service-guide/add-external-chart service-guide/local-development diff --git a/docs/service-guide/update-pull-secret.rst b/docs/service-guide/update-pull-secret.rst new file mode 100644 index 0000000000..5b8eb46d07 --- /dev/null +++ b/docs/service-guide/update-pull-secret.rst 
@@ -0,0 +1,43 @@ +###################################################### +Updating the pull secret stored in 1Password and Vault +###################################################### + +The pull secret, present in each RSP instance, and shared by many +services there, is notoriously tricky to format correctly. + +The recommended way to update it is to edit the pull secret in 1Password +and then deploy it with the `installer/update-secrets.sh` script; +however, this only works (at the time of writing, 20 May 2022) on Linux +systems with the 1Password 1.x CLI installed. + +If you need to update the pull secret manually for an environment, here +are the important things to know: + +You will first set the necessary environment variables: + +* ``VAULT_ADDR`` must be set to ``https://vault.lsst.codes`` +* ``VAULT_TOKEN`` must be set to the appropriate write token for the RSP + instance. + +Then you will construct the updated secret in a file; for purposes of +this example, let's call it ``pull-secret.json``. It should look like +this:: + + { ".dockerconfigjson": "{\"auths\": {\"ghcr.io\": {\"auth\": \"base64string\", \"password\": \"cleartexttoken\",\"username\": \"token\"},\"index.docker.io\": {\"auth\":\"base64string\",\"password\":\"cleartextpassword\",\"username\":\"sqrereadonly\"}}}} + +In short: the value is a *string* (not a JSON object) with all keys and +values quoted with backslash-escaped double quotes. + +Once you have this file created, run: + +``vault kv put secret/k8s_operator//pull-secret @pull-secret.json`` + +Then restart the ``vault-secrets-operator`` deployment and watch the pod +logs to make sure that pull-secret was correctly updated. + +If you mess up, remember than you can pull earlier versions of the +secret with ``vault kv get secret -version ``; if you +set ``VAULT_FORMAT`` to ``json`` then you can just delete two (why two? 
+No idea) layers of ``data`` keys when you do this to create a new JSON +file you can then ``vault kv put`` back to restore the secret to the +original value. From 1444ab906a70aca65a00dbeb05bf72ff7e3c2639 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 20 May 2022 16:15:50 -0700 Subject: [PATCH 0513/1479] Use Russ's technique for modifying secrets WIP --- docs/service-guide/update-pull-secret.rst | 37 ++++++++++++----------- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/docs/service-guide/update-pull-secret.rst b/docs/service-guide/update-pull-secret.rst index 5b8eb46d07..ff063c07d7 100644 --- a/docs/service-guide/update-pull-secret.rst +++ b/docs/service-guide/update-pull-secret.rst 
@@ -19,25 +19,26 @@ You will first set the necessary environment variables: * ``VAULT_TOKEN`` must be set to the appropriate write token for the RSP instance. -Then you will construct the updated secret in a file; for purposes of -this example, let's call it ``pull-secret.json``. It should look like -this:: - - { ".dockerconfigjson": "{\"auths\": {\"ghcr.io\": {\"auth\": \"base64string\", \"password\": \"cleartexttoken\",\"username\": \"token\"},\"index.docker.io\": {\"auth\":\"base64string\",\"password\":\"cleartextpassword\",\"username\":\"sqrereadonly\"}}}} - -In short: the value is a *string* (not a JSON object) with all keys and -values quoted with backslash-escaped double quotes. - -Once you have this file created, run: - -``vault kv put secret/k8s_operator//pull-secret @pull-secret.json`` +Then you will construct the updated secret. Just create a legal JSON +object. The trick is, this value must be represented to Vault as a +*string*. The easiest way to do this is: + +#. Ensure the secret doesn't, itself, have any single quotes in it. If + it does, replace each single quote with ``'\''`` +#. Copy the secret you've created into your paste buffer +#. Type ``vault kv patch secret/k8s_operator//pull-secret + .dockerconfigjson='`` (*nota bene*: that ends with a single quote) +#. Paste the secret into the command line +#. Type ``'`` and press Enter. + +That will avoid the pain and hassle of multiple layers of quoting in +JSON objects, by handing the secret value as a (possibly multi-line) +string literal to Vault. Then restart the ``vault-secrets-operator`` deployment and watch the pod logs to make sure that pull-secret was correctly updated. -If you mess up, remember than you can pull earlier versions of the -secret with ``vault kv get secret -version ``; if you -set ``VAULT_FORMAT`` to ``json`` then you can just delete two (why two? 
-No idea) layers of ``data`` keys when you do this to create a new JSON -file you can then ``vault kv put`` back to restore the secret to the -original value. +If you mess up, remember that our vault secrets are versioned, and you +can pull earlier versions of the secret with ``vault kv get secret + -version ``; this (and the above technique) should let +you get back to a less-broken state. From 6012d847ad10d4cfcc378e78b134eb80b8f6bdcb Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Mon, 23 May 2022 10:51:52 -0700 Subject: [PATCH 0514/1479] exposurelog: update tucson-teststand deployment to use real butler repos --- services/exposurelog/values-tucson-teststand.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/services/exposurelog/values-tucson-teststand.yaml b/services/exposurelog/values-tucson-teststand.yaml index d003906f49..5f7828a251 100644 --- a/services/exposurelog/values-tucson-teststand.yaml +++ b/services/exposurelog/values-tucson-teststand.yaml @@ -1,8 +1,9 @@ config: - # WARNING: this is a "playground" deployment - # using exposurelog's built-in test butler registries. - site_id: test - # Use the test butler registries. - # Note: exposurelog's Dockerfile copies the test repos to the top of the container - butler_uri_1: LSSTCam - butler_uri_2: LATISS + site_id: tucson + nfs_path_1: /repo/LSSTComCam # Mounted as /volume_1 + nfs_server_1: comcam-archiver.tu.lsst.org + butler_uri_1: /volume_1 + + nfs_path_2: /repo/LATISS # Mounted as /volume_2 + nfs_server_2: auxtel-archiver.tu.lsst.org + butler_uri_2: /volume_2 From 1b1574f4794074b0fe60a776d6483b9902a8ed7b Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Mon, 23 May 2022 13:46:11 -0500 Subject: [PATCH 0515/1479] added in server side cull values --- services/nublado2/values-idfdev.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index 5bae607aad..75dbae9b2e 100644 
--- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -4,6 +4,21 @@ jupyterhub: requests: cpu: "2" memory: 3Gi + config: + ServerApp: + shutdown_no_activity_timeout: 300 + + cull: + enabled: true + users: false + removeNamedServers: false + timeout: 60 + every: 60 + maxAge: 3600 + + debug: + enabled: true + ingress: hosts: ["data-dev.lsst.cloud"] annotations: From dec488c8c9bd9cce5f6710732863f39f8ee50a3c Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Mon, 23 May 2022 13:59:57 -0500 Subject: [PATCH 0516/1479] removed extra space --- services/nublado2/values-idfdev.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index 75dbae9b2e..f5f7fc9c28 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -18,7 +18,7 @@ jupyterhub: debug: enabled: true - + ingress: hosts: ["data-dev.lsst.cloud"] annotations: From 0185cf9217e651fad18e879a6a3b356df92bee4d Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 23 May 2022 14:17:14 -0700 Subject: [PATCH 0517/1479] Bump telegraf-ds version --- services/telegraf-ds/Chart.yaml | 2 +- services/telegraf-ds/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml index b94d21e69f..012ef69b09 100644 --- a/services/telegraf-ds/Chart.yaml +++ b/services/telegraf-ds/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.0 description: SQuaRE DaemonSet (K8s) telemetry collection service dependencies: - name: telegraf-ds - version: 1.0.34 + version: 1.1.0 repository: https://helm.influxdata.com/ diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index 6469c5619c..e3307c9097 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md 
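Review bot: `ServerApp.shutdown_no_activity_timeout` is a traitlet of the single-user Jupyter server, but the added `config:` block sits, going by the hunk context next to `hub.resources`, in the hub's traitlet configuration, where as far as I can tell a `ServerApp` section has no effect; if the idle shutdown is meant for user servers it has to reach the lab's own server config. The `cull` and `debug` blocks are top-level keys in the Zero-to-JupyterHub values, so if they were likewise indented under `hub:` they would be ignored; the flattened indentation in this excerpt does not settle it either way, so render the environment with `helm template` and check where they land. Note also that `timeout: 60` with `every: 60` culls a server after roughly a minute of inactivity, which is aggressive even for a dev instance and deserves a comment stating that it is deliberate.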
@@ -6,7 +6,7 @@ SQuaRE DaemonSet (K8s) telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf-ds | 1.0.34 | +| https://helm.influxdata.com/ | telegraf-ds | 1.1.0 | ## Values From 169fa0f8d0ba6762ea26582f7ca5631f221857fc Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 23 May 2022 16:17:10 -0700 Subject: [PATCH 0518/1479] Bump InfluxDB chart to version 4.12.0 --- services/sasquatch/Chart.yaml | 2 +- services/sasquatch/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index ed486b2191..219716dbfd 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -10,7 +10,7 @@ dependencies: version: 1.2.0 repository: https://lsst-sqre.github.io/charts/ - name: influxdb - version: 4.11.0 + version: 4.12.0 repository: https://helm.influxdata.com/ - name: kafka-connect-manager version: 1.0.0 diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 799960fab9..74ee2dbeff 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -9,7 +9,7 @@ Rubin Observatory's telemetry service. | | kafka-connect-manager | 1.0.0 | | | strimzi-kafka | 1.0.0 | | https://helm.influxdata.com/ | chronograf | 1.2.5 | -| https://helm.influxdata.com/ | influxdb | 4.11.0 | +| https://helm.influxdata.com/ | influxdb | 4.12.0 | | https://helm.influxdata.com/ | kapacitor | 1.4.6 | | https://helm.influxdata.com/ | telegraf | 1.8.18 | | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 1.2.0 | From a70aa770e8f7ca88d93cdb754896cd6cca990d9b Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 24 May 2022 16:27:54 +0200 Subject: [PATCH 0519/1479] add tap schema --- installer/install.sh | 12 ++++++------ services/tap-schema/values-ccin2p3.yaml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/installer/install.sh b/installer/install.sh index 860d760ab6..3fc0e7fe5c 100755 --- a/installer/install.sh +++ b/installer/install.sh @@ -54,12 +54,12 @@ helm upgrade argocd ../services/argocd \ --wait echo "Login to argocd..." -#argocd login --insecure --grpc-web 10.110.57.13 \ -# --plaintext \ -# --port-forward \ -# --port-forward-namespace argocd \ -# --username admin \ -# --password $ARGOCD_PASSWORD +argocd login --insecure --grpc-web data-dev.lsst.eu/argo-cd \ + --plaintext \ + --port-forward \ + --port-forward-namespace argocd \ + --username admin \ + --password $ARGOCD_PASSWORD echo "Creating top level application" argocd app create science-platform \ diff --git a/services/tap-schema/values-ccin2p3.yaml b/services/tap-schema/values-ccin2p3.yaml index 1d4b6d863c..5103ed2cb0 100644 --- a/services/tap-schema/values-ccin2p3.yaml +++ b/services/tap-schema/values-ccin2p3.yaml @@ -1,2 +1,2 @@ image: - repository: "lsstsqre/tap-schema-mock" \ No newline at end of file + repository: "rubin-in2p3/qserv-ingest-schema" From a503bfe8ec8a1bed60a18fe983eccf1a6eec6f24 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 24 May 2022 16:29:56 +0200 Subject: [PATCH 0520/1479] back to mock schema --- services/tap-schema/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/values-ccin2p3.yaml b/services/tap-schema/values-ccin2p3.yaml index 5103ed2cb0..48db832f6c 100644 --- a/services/tap-schema/values-ccin2p3.yaml +++ b/services/tap-schema/values-ccin2p3.yaml @@ -1,2 +1,2 @@ image: - repository: "rubin-in2p3/qserv-ingest-schema" + repository: "lsstsqre/tap-schema-mock" From 7872943043ce80414c5d63dac2fd88760d079929 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 18 May 2022 15:45:40 -0400 Subject: [PATCH 0521/1479] Deploy noteburst 0.3.0 --- services/noteburst/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
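Review bot: The uncommented `argocd login` passes `--password $ARGOCD_PASSWORD` unquoted, so a password containing whitespace or glob characters is split into several arguments; write `--password "$ARGOCD_PASSWORD"`. Independently of quoting, a password supplied as a command-line argument is visible to every local user in the process table while the command runs, so if the argocd CLI version in use can take the credential from the environment or a token, that path should be preferred; which options exist should be checked rather than assumed. `--insecure --plaintext` are defensible only because `--port-forward` tunnels to the pod over localhost; with the tunnel in use the `data-dev.lsst.eu/argo-cd` server argument is presumably not what gets contacted, so leaving it in may mislead the next reader.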
diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index da1ba11877..61554b0e5f 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: noteburst version: 1.0.0 -appVersion: 0.2.0 +appVersion: "0.3.0" description: Noteburst is a notebook execution service for the Rubin Science Platform. type: application home: https://noteburst.lsst.io/ From e4632dcdb31411d29f511d86262d2a6ea1ad23de Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 18 May 2022 15:51:10 -0400 Subject: [PATCH 0522/1479] Expand noteburst identities on idfdev --- services/noteburst/values-idfdev.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/services/noteburst/values-idfdev.yaml b/services/noteburst/values-idfdev.yaml index 61e3309e84..29dc99f7d4 100644 --- a/services/noteburst/values-idfdev.yaml +++ b/services/noteburst/values-idfdev.yaml @@ -10,3 +10,13 @@ config: identities: - uid: 90000 username: "noteburst90000" + - uid: 90001 + username: "noteburst90001" + - uid: 90002 + username: "noteburst90002" + - uid: 90003 + username: "noteburst90003" + - uid: 90004 + username: "noteburst90004" + - uid: 90005 + username: "noteburst90005" From fff4c0122f58041d88dacbae1f6f966768d62854 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 18 May 2022 16:56:49 -0400 Subject: [PATCH 0523/1479] Pull noteburst image always on data-dev --- services/noteburst/values-idfdev.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/services/noteburst/values-idfdev.yaml b/services/noteburst/values-idfdev.yaml index 29dc99f7d4..fe9b51ab00 100644 --- a/services/noteburst/values-idfdev.yaml +++ b/services/noteburst/values-idfdev.yaml @@ -1,7 +1,6 @@ -# Uncomment image to enable development builds -# image: -# pullPolicy: Always -# tag: tickets-DM-33025 +image: + pullPolicy: Always + # tag: tickets-DM-33025 config: logLevel: "DEBUG" 
From 18e4f7009df34fbb0a75bf4bd6dd5c4ac71edc53 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 24 May 2022 14:48:34 -0400 Subject: [PATCH 0524/1479] Add jobTimeout configuration value The default notebook execution job timeout, in seconds. --- services/noteburst/README.md | 1 + services/noteburst/templates/worker-configmap.yaml | 1 + services/noteburst/values.yaml | 3 +++ 3 files changed, 5 insertions(+) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index b0ce393361..c9e93e0898 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -25,6 +25,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | autoscaling.targetCPUUtilizationPercentage | int | `80` | | | config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | | config.worker.identities | list | `[]` | Science Platform user identities that workers can acquire. Each item is an object with username and uuid keys | +| config.worker.jobTimeout | int | `300` | The default notebook execution timeout, in seconds. | | config.worker.workerCount | int | `1` | Number of workers to run | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | diff --git a/services/noteburst/templates/worker-configmap.yaml b/services/noteburst/templates/worker-configmap.yaml index aecb717ffe..d8edd67749 100644 --- a/services/noteburst/templates/worker-configmap.yaml +++ b/services/noteburst/templates/worker-configmap.yaml 
@@ -9,3 +9,4 @@ data: NOTEBURST_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" NOTEBURST_WORKER_LOCK_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/1" + NOTEBURST_WORKER_JOB_TIMEOUT: {{ .Values.config.worker.jobTimeout | quote }} diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index 113207b7f0..b0ef1d2892 100644 --- a/services/noteburst/values.yaml +++ b/services/noteburst/values.yaml @@ -111,6 +111,9 @@ config: # -- Number of workers to run workerCount: 1 + # -- The default notebook execution timeout, in seconds. + jobTimeout: 300 + redis: auth: enabled: false From 4e85f5c0c4c736e5e131b714924bdae6a93dc97e Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 24 May 2022 14:56:40 -0700 Subject: [PATCH 0525/1479] Add kube_inventory input --- services/telegraf-ds/templates/configmap.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/services/telegraf-ds/templates/configmap.yaml b/services/telegraf-ds/templates/configmap.yaml index 0113b68f69..b1990677f3 100644 --- a/services/telegraf-ds/templates/configmap.yaml +++ b/services/telegraf-ds/templates/configmap.yaml 
@@ -19,6 +19,15 @@ data: insecure_skip_verify = true namepass = ["kubernetes_pod_container"] fieldpass = ["cpu_usage_nanocores", "memory_usage_bytes"] + + [[inputs.kube_inventory]] + url = "https://kubernetes.default.svc" + bearer_token = "/run/secrets/kubernetes.io/serviceaccount/token" + # Only worry about pods + resource_exclude = [ "daemonsets", "deployments", "endpoints", "ingress", "nodes", "persistentvolumes", "persistentvolumeclaims", "services", "statefulsets" ] + resource_include = [ "pods" ] + insecure_skip_verify = true + namespace = "" {{ range $app := splitList "@" .Values.global.enabled_services }} {{- $bucket := replace "-" "_" $app }} {{- $namespace := replace "_" "-" $app }} From 868173c80290cf0fe6273abadae31bec8f8cb218 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 25 May 2022 10:17:06 +0200 Subject: [PATCH 0526/1479] removed tap repo --- services/tap-schema/values-ccin2p3.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/services/tap-schema/values-ccin2p3.yaml b/services/tap-schema/values-ccin2p3.yaml index 48db832f6c..e69de29bb2 100644 --- a/services/tap-schema/values-ccin2p3.yaml +++ b/services/tap-schema/values-ccin2p3.yaml @@ -1,2 +0,0 @@ -image: - repository: "lsstsqre/tap-schema-mock" From 861b2e493ec2e4e693dc03c09fdd184894ee8412 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 25 May 2022 10:35:30 +0200 Subject: [PATCH 0527/1479] reintroudcued tap-schema images --- services/tap-schema/values-ccin2p3.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/tap-schema/values-ccin2p3.yaml b/services/tap-schema/values-ccin2p3.yaml index e69de29bb2..9329d959ee 100644 --- a/services/tap-schema/values-ccin2p3.yaml +++ b/services/tap-schema/values-ccin2p3.yaml @@ -0,0 +1 @@ +image: lsstsqre/tap-schema-mock From a33945975c41e03ad91c8e73ed60fdc7a6cfb675 Mon Sep 17 00:00:00 2001 
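Review bot: The new `[[inputs.kube_inventory]]` block sets `insecure_skip_verify = true` for `https://kubernetes.default.svc`, which disables certificate verification of the API-server connection even though the pod already has the cluster CA next to the token it reads; replace that line with `tls_ca = "/run/secrets/kubernetes.io/serviceaccount/ca.crt"`. The preceding input block (its header is outside the hunk) does the same, so the same change applies there when it is next touched. `namespace = ""` asks for pods across all namespaces if the plugin treats an empty value that way (confirm against the plugin docs), which needs a cluster-scoped list/watch on pods for the DaemonSet's service account; with `resource_include = [ "pods" ]` present the long `resource_exclude` list is redundant and can be dropped.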
From: Gabriele Mainetti Date: Wed, 25 May 2022 10:37:20 +0200 Subject: [PATCH 0528/1479] reintroudcued tap-schema images --- services/tap-schema/values-ccin2p3.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/tap-schema/values-ccin2p3.yaml b/services/tap-schema/values-ccin2p3.yaml index 9329d959ee..ecc7a10df3 100644 --- a/services/tap-schema/values-ccin2p3.yaml +++ b/services/tap-schema/values-ccin2p3.yaml @@ -1 +1,2 @@ -image: lsstsqre/tap-schema-mock +image: + repository: "lsstsqre/tap-schema-mock" From 54cf2144e0b52927b162cdb49d13ccc23ad47b86 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 25 May 2022 11:58:10 +0200 Subject: [PATCH 0529/1479] testing idfprod for DP01 --- services/tap-schema/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/values-ccin2p3.yaml b/services/tap-schema/values-ccin2p3.yaml index ecc7a10df3..6a4e60db59 100644 --- a/services/tap-schema/values-ccin2p3.yaml +++ b/services/tap-schema/values-ccin2p3.yaml @@ -1,2 +1,2 @@ image: - repository: "lsstsqre/tap-schema-mock" + repository: "lsstsqre/tap-schema-idfprod" From e35610005656536eb419ea71eba6464fecd92513 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 25 May 2022 13:59:38 +0200 Subject: [PATCH 0530/1479] Updates TAP --- services/tap/values-ccin2p3.yaml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 52540d27a0..5cbf34313c 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -1,8 +1,4 @@ cadc-tap: - pull_secret: 'pull-secret' - tag: "1.0.16" - use_mock_qserv: false - qserv_host: "ccqserv201.in2p3.fr:30040" imagePullSecrets: - name: "pull-secret" 
@@ -10,6 +6,15 @@ cadc-tap: host: "data-dev.lsst.eu" vaultSecretsPath: "secret/k8s_operator/rsp-cc/tap" + config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" + jvmMaxHeapSize: "31G" + qserv: + host: "ccqserv201.in2p3.fr:30040" + mock: + enabled: false + secrets: enabled: false From b1e2bb260f38c40e046d24f54ab06d6e93678c2f Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 25 May 2022 14:32:21 +0200 Subject: [PATCH 0531/1479] tap updates --- services/tap/values-ccin2p3.yaml | 35 +++++++++++--------------------- 1 file changed, 12 insertions(+), 23 deletions(-) diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 5cbf34313c..3c0508c5ba 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -1,27 +1,16 @@ -cadc-tap: +config: + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "http://async-results.lsst.codes" + jvmMaxHeapSize: "31G" - imagePullSecrets: - - name: "pull-secret" - ingress: - host: "data-dev.lsst.eu" - vaultSecretsPath: "secret/k8s_operator/rsp-cc/tap" - - config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - jvmMaxHeapSize: "31G" - qserv: - host: "ccqserv201.in2p3.fr:30040" - mock: - enabled: false - - secrets: +qserv: + host: "ccqserv201.in2p3.fr:30040" + mock: enabled: false - vault_secrets: - enabled: true - path: 'secret/k8s_operator/rsp-cc/tap' +# secrets: +# enabled: false -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file +# vault_secrets: +# enabled: true +# path: 'secret/k8s_operator/rsp-cc/tap' From a8ae5c0749da6e33e9f29cb9007ac84e57fefcb0 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 25 May 2022 16:08:50 +0200 Subject: [PATCH 0532/1479] add more config to tap in gafaelfawr --- services/gafaelfawr/values-ccin2p3.yaml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 66f663e946..5dfac7e756 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -38,6 +38,8 @@ config: "read:tap": - "rubin-in2p3-admin" - "rubin-in2p3-user" + - "rubin-in2p3" + - "rubin-in2p3-delegates" initialAdmins: - "gabrimaine" From 6d81d146fccd83237fd39eb9a126788afc154cd5 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 25 May 2022 18:07:44 +0200 Subject: [PATCH 0533/1479] SImplify the portal --- services/portal/values-ccin2p3.yaml | 34 +---------------------------- 1 file changed, 1 insertion(+), 33 deletions(-) diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index 5c75edeccb..3405e3c176 100644 --- a/services/portal/values-ccin2p3.yaml +++ b/services/portal/values-ccin2p3.yaml @@ -1,38 +1,6 @@ -pull_secret: 'pull-secret' replicaCount: 2 - -ingress: - host: 'data-dev.lsst.eu' - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" - nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:portal" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; - -secrets: - enabled: true - -vault_secrets: - enabled: true - path: 'secret/k8s_operator/rsp-cc/portal' - -max_jvm_size: "23G" - -redis: - resources: - limits: - memory: 20Mi - resources: limits: - memory: 24Gi + memory: "24Gi" -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file From 4e1b49ef1890d5da4e51fad9e194c755f4979eed Mon Sep 17 00:00:00 2001 
From: dspeck1 Date: Thu, 26 May 2022 16:06:39 -0500 Subject: [PATCH 0534/1479] adding culling and max age values to idf int --- services/nublado2/values-idfint.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/services/nublado2/values-idfint.yaml b/services/nublado2/values-idfint.yaml index 27be78b054..d731cc1957 100644 --- a/services/nublado2/values-idfint.yaml +++ b/services/nublado2/values-idfint.yaml @@ -4,6 +4,18 @@ jupyterhub: requests: cpu: "2" memory: 3Gi + config: + ServerApp: + shutdown_no_activity_timeout: 5184000 + + cull: + enabled: true + users: false + removeNamedServers: false + timeout: 5184000 + every: 300 + maxAge: 2160000 + ingress: hosts: ["data-int.lsst.cloud"] annotations: @@ -29,6 +41,12 @@ config: PANDA_URL: http://pandaserver-doma.cern.ch:25080/server/panda IDDS_CONFIG: /opt/lsst/software/jupyterlab/panda/idds.cfg.client.template PANDA_CONFIG_ROOT: "~" + NO_ACTIVITY_TIMEOUT: "5184000" + CULL_KERNEL_IDLE_TIMEOUT: "5184000" + CULL_KERNEL_CONNECTED: "True" + CULL_KERNEL_INTERVAL: "300" + CULL_TERMINAL_INACTIVE_TIMEOUT: "5184000" + CULL_TERMINAL_INTERVAL: "300" sizes: - name: Small cpu: 1 From 2391b043567474462a3ccc39df1ffe0a61207d32 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 26 May 2022 15:09:30 -0700 Subject: [PATCH 0535/1479] Disable sasquatch at ncsa deployments - There's a problem deploying strimzi on that evironment --- science-platform/values-int.yaml | 2 +- science-platform/values-stable.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index 1cdcb94613..a4815ac1ab 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -37,7 +37,7 @@ portal: postgres: enabled: true sasquatch: - enabled: true + enabled: false production_tools: enabled: false semaphore: diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 2879f96ac5..6ee9dd981b 100644 
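Review bot: In the new `cull` block, `maxAge: 2160000` (25 days) is shorter than `timeout: 5184000` (60 days), so a server always reaches the max-age kill before it can have been idle long enough for `timeout` to apply; one of the two values is probably not what was intended. If a 60-day idle allowance is the goal, raise `maxAge` to at least `5184000`; if a 25-day hard cap is the goal, the idle `timeout` and the matching `NO_ACTIVITY_TIMEOUT` / `CULL_*_TIMEOUT` strings in the second hunk are effectively dead configuration. Either way a comment such as `# 5184000 s = 60 days idle, 2160000 s = 25 days absolute` above the block would spare the next reader the arithmetic. The `jupyterhub` and `config` mappings both start before their hunks.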
--- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml @@ -37,7 +37,7 @@ portal: postgres: enabled: true sasquatch: - enabled: true + enabled: false production_tools: enabled: false semaphore: From ade6b5b7b9cddb7f38b939028cfbc49d1b949b5d Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 26 May 2022 15:36:51 -0700 Subject: [PATCH 0536/1479] Change to recommended_int --- services/cachemachine/values-idfint.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml index 11169980c8..a48e748ed5 100644 --- a/services/cachemachine/values-idfint.yaml +++ b/services/cachemachine/values-idfint.yaml @@ -16,7 +16,7 @@ autostart: "gar_image": "sciplat-lab", "project_id": "rubin-shared-services-71ec", "location": "us-central1", - "recommended_tag": "recommended", + "recommended_tag": "recommended_int", "num_releases": 1, "num_weeklies": 2, "num_dailies": 3 @@ -25,6 +25,7 @@ autostart: "type": "SimpleRepoMan", "images": [ { + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_22", "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_12", "name": "Weekly 2022_12" } From 1e8adf2eee9d28ec3d06fc6baf1b2a40c7fd57c9 Mon Sep 17 00:00:00 2001 
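Review bot: The second cachemachine hunk (`@@ -25,6 +25,7 @@`) adds a second `"image_url"` key to the same JSON object instead of replacing the existing one, so the object now carries a duplicate key; JSON parsers that tolerate this keep the last value, which means the old `w_2022_12` URL still wins and the new `w_2022_22` line is silently ignored, with `"name": "Weekly 2022_12"` left as-is. The intended edit is presumably to replace the old line with `"image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_22",` and update the name to `"Weekly 2022_22"`. Because this is JSON embedded in a YAML block scalar, neither yamllint nor Helm will flag the duplicate. The enclosing `autostart` value continues outside the hunk.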
From: Russ Allbery Date: Fri, 27 May 2022 11:13:17 -0700 Subject: [PATCH 0537/1479] Inject butlerRepositoryIndex Both vo-cutouts and datalinker need DAF_BUTLER_REPOSITORY_INDEX to resolve Butler locations. This is a per-site configuration that should also eventually be injected into nublado2, so add it to the deployment values file and inject it via Argo CD. Adjust datalinker and vo-cutouts charts accordingly, and set the environment variable on the relevant deployments. For vo-cutouts, we can now drop CUTOUT_BUTLER_REPOSITORY, since this replaces that setting. --- .../templates/datalinker-application.yaml | 28 ++++++++++--------- .../templates/vo-cutouts-application.yaml | 6 ++-- science-platform/values-idfint.yaml | 1 + science-platform/values-idfprod.yaml | 1 + services/datalinker/README.md | 1 + services/datalinker/templates/deployment.yaml | 2 ++ services/datalinker/values.yaml | 4 +++ services/vo-cutouts/README.md | 2 +- services/vo-cutouts/templates/configmap.yaml | 1 - .../templates/worker-deployment.yaml | 2 ++ services/vo-cutouts/values-idfdev.yaml | 4 --- services/vo-cutouts/values-idfint.yaml | 1 - services/vo-cutouts/values-idfprod.yaml | 1 - services/vo-cutouts/values.yaml | 8 +++--- 14 files changed, 35 insertions(+), 27 deletions(-) diff --git a/science-platform/templates/datalinker-application.yaml b/science-platform/templates/datalinker-application.yaml index c1177c4a67..c06c23762f 100644 --- a/science-platform/templates/datalinker-application.yaml +++ b/science-platform/templates/datalinker-application.yaml 
@@ -2,33 +2,35 @@ apiVersion: v1 kind: Namespace metadata: - name: datalinker + name: "datalinker" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: datalinker - namespace: argocd + name: "datalinker" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: datalinker - server: https://kubernetes.default.svc - project: default + namespace: "datalinker" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/datalinker - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/datalinker" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" + - name: "global.butlerRepositoryIndex" + value: {{ .Values.butlerRepositoryIndex | quote }} + - name: "global.host" + value: {{ .Values.fqdn | quote }} - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: diff --git a/science-platform/templates/vo-cutouts-application.yaml b/science-platform/templates/vo-cutouts-application.yaml index 7fcee0a917..ae5692b74f 100644 --- a/science-platform/templates/vo-cutouts-application.yaml +++ b/science-platform/templates/vo-cutouts-application.yaml @@ -25,10 +25,12 @@ spec: targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" + - name: "global.butlerRepositoryIndex" + value: {{ .Values.butlerRepositoryIndex | quote }} + - name: "global.host" + value: {{ .Values.fqdn | quote }} - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: 
diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 759f473672..7e249dcf0b 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -1,6 +1,7 @@ environment: idfint fqdn: data-int.lsst.cloud vault_path_prefix: secret/k8s_operator/data-int.lsst.cloud +butlerRepositoryIndex: "s3://butler-us-central1-repo-locations/data-int-repos.yaml" alert_stream_broker: enabled: false diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index 1ac0bb32be..d03e9f7af1 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -1,6 +1,7 @@ environment: idfprod fqdn: data.lsst.cloud vault_path_prefix: secret/k8s_operator/data.lsst.cloud +butlerRepositoryIndex: "s3://butler-us-central1-repo-locations/data-repos.yaml" alert_stream_broker: enabled: false diff --git a/services/datalinker/README.md b/services/datalinker/README.md index 384717980e..34fbb435ba 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md @@ -13,6 +13,7 @@ A Helm chart for Kubernetes | autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of datalinker deployment pods | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.butlerRepositoryIndex | string | Set by Argo CD | URI to the Butler configuration of available repositories | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"Always"` | Pull policy for the datalinker image | diff --git a/services/datalinker/templates/deployment.yaml b/services/datalinker/templates/deployment.yaml index d14ce156e1..ff0ea606af 100644 --- a/services/datalinker/templates/deployment.yaml 
+++ b/services/datalinker/templates/deployment.yaml @@ -43,6 +43,8 @@ spec: # and authenticate to its database. - name: "AWS_SHARED_CREDENTIALS_FILE" value: "/tmp/secrets/aws-credentials.ini" + - name: "DAF_BUTLER_REPOSITORY_INDEX" + value: {{ .Values.global.butlerRepositoryIndex | quote }} - name: "PGPASSFILE" value: "/tmp/secrets/postgres-credentials.txt" - name: "S3_ENDPOINT_URL" diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml index 1d8702ef46..85f2ff0521 100644 --- a/services/datalinker/values.yaml +++ b/services/datalinker/values.yaml @@ -83,6 +83,10 @@ global: # @default -- Set by Argo CD baseUrl: "" + # -- URI to the Butler configuration of available repositories + # @default -- Set by Argo CD + butlerRepositoryIndex: "" + # -- Host name for ingress # @default -- Set by Argo CD host: "" diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index e642be2102..c2cbff4680 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
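Review bot: The new `DAF_BUTLER_REPOSITORY_INDEX` entry renders `{{ .Values.global.butlerRepositoryIndex | quote }}` with no `required` guard, so an environment that never sets the value gets the variable defined as an empty string rather than a deploy-time error; this commit's diffstat shows only `values-idfint.yaml` and `values-idfprod.yaml` gaining `butlerRepositoryIndex`, while the data-dev vo-cutouts values file is edited in the same commit without one. The vo-cutouts `configmap.yaml` further down wraps every must-set value in `required`, so the same idiom fits here: `value: {{ required "global.butlerRepositoryIndex must be set" .Values.global.butlerRepositoryIndex | quote }}`. If an empty index is acceptable for environments without a Butler (the removed data-dev comment suggests that), a one-line comment saying so above the entry would prevent the same question next time. The identical line is added to `services/vo-cutouts/templates/worker-deployment.yaml` later in this commit, and the container spec continues outside both hunks.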
@@ -15,7 +15,6 @@ Image cutout service complying with IVOA SODA | cloudsql.image.tag | string | `"1.30.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to the GCS bucket, and ability to sign URLs as itself | -| config.butlerRepository | string | None, must be set | Configuration for the Butler repository to use | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | | config.gcsBucketUrl | string | None, must be set | URL for the GCS bucket into which to store cutouts (must start with `s3`) | | config.lifetime | string | 2592000 (30 days) | Lifetime of job results in seconds (quote so that Helm doesn't turn it into a floating point number) | @@ -39,6 +38,7 @@ Image cutout service complying with IVOA SODA | databaseWorker.tolerations | list | `[]` | Tolerations for the database worker pod | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.butlerRepositoryIndex | string | Set by Argo CD | URI to the Butler configuration of available repositories | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the vo-cutouts image | diff --git a/services/vo-cutouts/templates/configmap.yaml b/services/vo-cutouts/templates/configmap.yaml index f1130d1f23..aae4be91be 100644 --- a/services/vo-cutouts/templates/configmap.yaml +++ b/services/vo-cutouts/templates/configmap.yaml 
@@ -5,7 +5,6 @@ metadata: labels: {{- include "vo-cutouts.labels" . | nindent 4 }} data: - CUTOUT_BUTLER_REPOSITORY: {{ required "config.butlerRepository must be set" .Values.config.butlerRepository | quote }} CUTOUT_DATABASE_URL: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }} CUTOUT_SERVICE_ACCOUNT: {{ required "cloudsql.serviceAccount must be set" .Values.cloudsql.serviceAccount | quote }} CUTOUT_STORAGE_URL: {{ required "config.gcsBucketUrl must be set" .Values.config.gcsBucketUrl | quote }} diff --git a/services/vo-cutouts/templates/worker-deployment.yaml b/services/vo-cutouts/templates/worker-deployment.yaml index 245297541e..e2b892617a 100644 --- a/services/vo-cutouts/templates/worker-deployment.yaml +++ b/services/vo-cutouts/templates/worker-deployment.yaml @@ -64,6 +64,8 @@ spec: # and authenticate to its database. - name: "AWS_SHARED_CREDENTIALS_FILE" value: "/etc/vo-cutouts/secrets/aws-credentials" + - name: "DAF_BUTLER_REPOSITORY_INDEX" + value: {{ .Values.global.butlerRepositoryIndex | quote }} - name: "PGPASSFILE" value: "/etc/vo-cutouts/secrets/postgres-credentials" - name: "S3_ENDPOINT_URL" diff --git a/services/vo-cutouts/values-idfdev.yaml b/services/vo-cutouts/values-idfdev.yaml index 441da96254..46442dec37 100644 --- a/services/vo-cutouts/values-idfdev.yaml +++ b/services/vo-cutouts/values-idfdev.yaml @@ -1,8 +1,4 @@ config: - # There is currently no working Butler in data-dev, so this configuration - # won't work. Leaving it here anyway since it has the correct configuration - # otherwise should we later get a Butler for that environment. - butlerRepository: "TBD" databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" gcsBucketUrl: "s3://rubin-cutouts-dev-us-central1-output/" diff --git a/services/vo-cutouts/values-idfint.yaml b/services/vo-cutouts/values-idfint.yaml index bd88a21358..08b0e0a979 100644 --- a/services/vo-cutouts/values-idfint.yaml +++ b/services/vo-cutouts/values-idfint.yaml 
@@ -1,5 +1,4 @@ config: - butlerRepository: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" gcsBucketUrl: "s3://rubin-cutouts-int-us-central1-output/" diff --git a/services/vo-cutouts/values-idfprod.yaml b/services/vo-cutouts/values-idfprod.yaml index f84d8d73eb..736d983835 100644 --- a/services/vo-cutouts/values-idfprod.yaml +++ b/services/vo-cutouts/values-idfprod.yaml @@ -1,5 +1,4 @@ config: - butlerRepository: "s3://butler-us-central1-dp01" databaseUrl: "postgresql://vo-cutouts@localhost/vo-cutouts" gcsBucketUrl: "s3://rubin-cutouts-stable-us-central1-output/" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 9cdac13788..69dd530549 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -46,10 +46,6 @@ config: # -- Choose from the text form of Python logging levels loglevel: "INFO" - # -- Configuration for the Butler repository to use - # @default -- None, must be set - butlerRepository: "" - # -- URL for the PostgreSQL database # @default -- None, must be set databaseUrl: "" @@ -194,6 +190,10 @@ global: # @default -- Set by Argo CD baseUrl: "" + # -- URI to the Butler configuration of available repositories + # @default -- Set by Argo CD + butlerRepositoryIndex: "" + # -- Host name for ingress # @default -- Set by Argo CD host: "" From 5f27ec2ca4571cb1f35456deb7e5eef471c4fe2e Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Fri, 27 May 2022 12:21:24 -0700 Subject: [PATCH 0538/1479] [DM-34891] Up resource limits for TAP data-int.lsst.cloud --- services/tap/values-idfint.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/services/tap/values-idfint.yaml b/services/tap/values-idfint.yaml index 57b4e3d67c..4dc1e24ef5 100644 --- a/services/tap/values-idfint.yaml +++ b/services/tap/values-idfint.yaml 
@@ -1,3 +1,11 @@
+resources:
+ requests:
+ cpu: 2.0
+ memory: "2G"
+ limits:
+ cpu: 8.0
+ memory: "32G"
+
 config:
 gcsBucket: "async-results.lsst.codes"
 gcsBucketUrl: "http://async-results.lsst.codes"
From 9cdd5609adede2bebd436d2cf64d99c77a8de152 Mon Sep 17 00:00:00 2001
From: Fritz Mueller
Date: Fri, 27 May 2022 16:44:50 -0700
Subject: [PATCH 0539/1479] Roll tap_schema to 1.1.9 (includes ivoa.ObsCore)

---
 services/tap-schema/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml
index 3d6d9f37c0..ffb3d38e30 100644
--- a/services/tap-schema/Chart.yaml
+++ b/services/tap-schema/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.1.8
+appVersion: 1.1.9
 description: The TAP_SCHEMA database
 home: https://github.com/lsst-sqre/lsst-tap-service
 name: tap-schema
From 5b3796f9a45499dd1d169b7ac3e0f24d771913f1 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 27 May 2022 13:44:21 -0700
Subject: [PATCH 0540/1479] Add configuration for new datalinker

Update the datalinker appVersion to the about-to-be-released version, and set DATALINKER_CUTOUT_SYNC_URL so that it knows where the cutout service is.
---
 services/datalinker/Chart.yaml | 6 +++---
 services/datalinker/README.md | 2 +-
 services/datalinker/templates/deployment.yaml | 2 ++
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml
index 322896f1d2..0ebcf2d45b 100644
--- a/services/datalinker/Chart.yaml
+++ b/services/datalinker/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 1.1.0
-description: A Helm chart for Kubernetes
+appVersion: 1.2.0
+description: IVOA datalink service for Rubin Science Platform
 name: datalinker
 type: application
-version: 0.1.9
+version: 1.0.0
 maintainers:
 - name: cbanek
diff --git a/services/datalinker/README.md b/services/datalinker/README.md
index 34fbb435ba..ddac43b0d1 100644
--- a/services/datalinker/README.md
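Review bot: In the new `resources` block, `cpu: 2.0` and `cpu: 8.0` are YAML floats while the sibling `memory` values are quoted strings; depending on how the chart emits the block (`toYaml` versus templating into a string), Helm may render `8.0` as `8` or keep the float, and Kubernetes quantities are most predictable when written as strings. `cpu: "2"` and `cpu: "8"` would match the memory lines and avoid implicit typing. Separately, `"2G"` and `"32G"` are decimal units while the other values files on this page use binary `Gi` (the portal file uses `"24Gi"`); `32G` is roughly 29.8 GiB, so confirm the unit is deliberate. Whether the chart consumes a top-level `resources` key is not visible from this hunk.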
+++ b/services/datalinker/README.md @@ -1,6 +1,6 @@ # datalinker -A Helm chart for Kubernetes +IVOA datalink service for Rubin Science Platform ## Values diff --git a/services/datalinker/templates/deployment.yaml b/services/datalinker/templates/deployment.yaml index ff0ea606af..ef55259d82 100644 --- a/services/datalinker/templates/deployment.yaml +++ b/services/datalinker/templates/deployment.yaml @@ -39,6 +39,8 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: + - name: "DATALINKER_CUTOUT_SYNC_URL" + value: "{{ .Values.global.baseUrl }}/api/cutout/sync" # The following are used by Butler to retrieve its configuration # and authenticate to its database. - name: "AWS_SHARED_CREDENTIALS_FILE" From 582d04ee4c1cd58d652c07efaa0d5743532fe8e7 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 27 May 2022 13:48:57 -0700 Subject: [PATCH 0541/1479] Use GitHub Container Registry for datalinker Switch away from DockerHub now that we're publishing containers to GitHub Container Registry. --- services/datalinker/README.md | 2 +- services/datalinker/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/datalinker/README.md b/services/datalinker/README.md index ddac43b0d1..09fa0363a2 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md 
@@ -17,7 +17,7 @@ IVOA datalink service for Rubin Science Platform | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"Always"` | Pull policy for the datalinker image | -| image.repository | string | `"lsstsqre/datalinker"` | Image to use in the datalinker deployment | +| image.repository | string | `"ghcr.io/lsst-sqre/datalinker"` | Image to use in the datalinker deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | | ingress.className | string | `"nginx"` | Ingress class | diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml index 85f2ff0521..bf659795e7 100644 --- a/services/datalinker/values.yaml +++ b/services/datalinker/values.yaml @@ -7,7 +7,7 @@ replicaCount: 1 image: # -- Image to use in the datalinker deployment - repository: lsstsqre/datalinker + repository: "ghcr.io/lsst-sqre/datalinker" # -- Pull policy for the datalinker image pullPolicy: Always From 061f89d13ef9e2cba30e69d2a124c52aaa45878b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 27 May 2022 13:50:52 -0700 Subject: [PATCH 0542/1479] Remove pull-secret from datalinker Now that we're using GitHub Container Registry, we should no longer need this. --- services/datalinker/templates/vault-secrets.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/services/datalinker/templates/vault-secrets.yaml b/services/datalinker/templates/vault-secrets.yaml index 2e4597fb41..6386737511 100644 --- a/services/datalinker/templates/vault-secrets.yaml +++ b/services/datalinker/templates/vault-secrets.yaml 
@@ -7,13 +7,3 @@ metadata: spec: path: "{{ .Values.global.vaultSecretsPath }}/butler-secret" type: Opaque ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: "pull-secret" - labels: - {{- include "datalinker.labels" . | nindent 4 }} -spec: - path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" - type: "kubernetes.io/dockerconfigjson" From 4ea4bb0ee946cb48468c6cbca5a60ecbbbd78d6d Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 30 May 2022 10:23:17 +0200 Subject: [PATCH 0543/1479] async tap --- services/obstap/values-ccin2p3.yaml | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/services/obstap/values-ccin2p3.yaml b/services/obstap/values-ccin2p3.yaml index a0c56b38ed..c1f40e8855 100644 --- a/services/obstap/values-ccin2p3.yaml +++ b/services/obstap/values-ccin2p3.yaml @@ -1,18 +1,3 @@ -# cadc-tap-postgres: -# pull_secret: 'pull-secret' -# tag: "1.0" -# host: "data-dev.lsst.eu" - -# secrets: -# enabled: false - -# vault_secrets: -# enabled: true -# path: 'secret/k8s_operator/rsp-cc/tap' - -# pull-secret: -# enabled: true -# path: secret/k8s_operator/rsp-cc/pull-secret -config: - gcs_bucket: 'async-results.lsst.codes' - gcs_bucket_url: 'http://async-results.lsst.codes' \ No newline at end of file +# config: +# gcs_bucket: 'async-results.lsst.codes' +# gcs_bucket_url: 'http://async-results.lsst.codes' \ No newline at end of file From a80dbe2de3116538971927440d911d7ee1705571 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 30 May 2022 10:47:56 +0200 Subject: [PATCH 0544/1479] tap remove async --- services/tap/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 3c0508c5ba..0b00d7f73c 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml 
@@ -1,6 +1,6 @@
 config:
- gcsBucket: "async-results.lsst.codes"
- gcsBucketUrl: "http://async-results.lsst.codes"
+ # gcsBucket: "async-results.lsst.codes"
+ # gcsBucketUrl: "http://async-results.lsst.codes"
 jvmMaxHeapSize: "31G"
 qserv:
From 76c1dcd00e0ad2e8d025cba13efbf107b09718d8 Mon Sep 17 00:00:00 2001
From: Gabriele Mainetti
Date: Mon, 30 May 2022 11:33:17 +0200
Subject: [PATCH 0545/1479] try to fix sync

---
 services/tap/values-ccin2p3.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml
index 0b00d7f73c..5b72884d4e 100644
--- a/services/tap/values-ccin2p3.yaml
+++ b/services/tap/values-ccin2p3.yaml
@@ -1,6 +1,6 @@
 config:
- # gcsBucket: "async-results.lsst.codes"
- # gcsBucketUrl: "http://async-results.lsst.codes"
+ gcsBucket: "sync-results.lsst.codes"
+ gcsBucketUrl: "http://sync-results.lsst.codes"
 jvmMaxHeapSize: "31G"
 qserv:
From 00854cc153e709d557555e04fb6e0accc40797a0 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Mon, 30 May 2022 17:46:05 +0000
Subject: [PATCH 0546/1479] Update Helm release argo-cd to v4.8.0

---
 services/argocd/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml
index f980705729..c6ce6ec952 100644
--- a/services/argocd/Chart.yaml
+++ b/services/argocd/Chart.yaml
@@ -3,5 +3,5 @@ name: argo-cd
 version: 1.0.0
 dependencies:
 - name: argo-cd
- version: 4.6.5
+ version: 4.8.0
 repository: https://argoproj.github.io/argo-helm
From b82fa43e8109473b240821dbd056bba953094233 Mon Sep 17 00:00:00 2001
From: Gabriele Mainetti
Date: Tue, 31 May 2022 16:26:47 +0200
Subject: [PATCH 0547/1479] oidc first try

---
 services/gafaelfawr/values-ccin2p3.yaml | 53 ++++++++++++++++++-------
 services/tap/values-ccin2p3.yaml | 4 +-
 2 files changed, 41 insertions(+), 16 deletions(-)
diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 5dfac7e756..64f8787dba 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -19,30 +19,55 @@ config: issuer: exp_minutes: 43200 # 30 days - github: - clientId: ae314e45a6af43ea910a + # github: + # clientId: ae314e45a6af43ea910a + oidc: + clientId: "lsst_rsp" + loginUrl: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth + tokenUrl: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token + issuer: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/ + usernameClaim: "preferred_username" + uidClaim: 'uid_number' + isMemberOf: 'groups' + + oidcServer: + enabled: true # Allow access by GitHub team. # Allow access by GitHub team. groupMapping: "admin:provision": - - "rubin-in2p3-admin" + - "lsst" "exec:admin": - - "rubin-in2p3-admin" + - "lsst" "exec:notebook": - - "rubin-in2p3-admin" - - "rubin-in2p3-user" + - "lsst" "exec:portal": - - "rubin-in2p3-admin" - - "rubin-in2p3-user" + - "lsst" "read:tap": - - "rubin-in2p3-admin" - - "rubin-in2p3-user" - - "rubin-in2p3" - - "rubin-in2p3-delegates" + - "lsst" + +# # Allow access by GitHub team. +# # Allow access by GitHub team. +# groupMapping: +# "admin:provision": +# - "rubin-in2p3-admin" +# "exec:admin": +# - "rubin-in2p3-admin" +# "exec:notebook": +# - "rubin-in2p3-admin" +# - "rubin-in2p3-user" +# "exec:portal": +# - "rubin-in2p3-admin" +# - "rubin-in2p3-user" +# "read:tap": +# - "rubin-in2p3-admin" +# - "rubin-in2p3-user" +# - "rubin-in2p3" +# - "rubin-in2p3-delegates" - initialAdmins: - - "gabrimaine" +# initialAdmins: +# - "gabrimaine" pull-secret: enabled: true diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 5b72884d4e..0b00d7f73c 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml 
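Review bot: The rewritten `groupMapping` grants `admin:provision` and `exec:admin` to the same `lsst` group that receives `exec:notebook`, `exec:portal` and `read:tap`, so every member of that group becomes a Gafaelfawr administrator, whereas the mapping this replaces (now commented out below it) kept those two scopes to `rubin-in2p3-admin`. If `lsst` is the general user group from the IdP, keep a narrower group for the two admin scopes rather than `- "lsst"`, even if it has to be a placeholder until the real group name is known. Two smaller points: `issuer` ends with a trailing `/` while `tokenUrl` does not, and issuer validation is an exact string comparison against the token's `iss` claim, so confirm the IdP really emits the slash; and the block mixes unquoted URLs, `"..."` and `'...'` scalars, which would be cleaner as all double-quoted. The large commented-out copy of the old mapping is dead configuration that git history already preserves. The enclosing `config` mapping starts before the hunk.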
@@ -1,6 +1,6 @@ config: - gcsBucket: "sync-results.lsst.codes" - gcsBucketUrl: "http://sync-results.lsst.codes" + # gcsBucket: "async-results.lsst.codes" + # gcsBucketUrl: "http://async-results.lsst.codes" jvmMaxHeapSize: "31G" qserv: From 4ba2901e0457a916c897262339cb750cdaf9ae6a Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 31 May 2022 16:30:28 +0200 Subject: [PATCH 0548/1479] initialAdmins added --- services/gafaelfawr/values-ccin2p3.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 64f8787dba..f9959bb3fe 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -66,7 +66,8 @@ config: # - "rubin-in2p3" # - "rubin-in2p3-delegates" -# initialAdmins: + initialAdmins: + - "mainetti" # - "gabrimaine" pull-secret: From 65ae552f842ec68e703329dc17f7c21e5bfaf869 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 31 May 2022 07:46:12 -0700 Subject: [PATCH 0549/1479] Update Helm chart documentation --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 0efc6065fd..c92211d037 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.6.5 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.8.0 | ## Values From 23fbd61da37ccc62d3146a01f75493d50f9468c1 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 31 May 2022 14:54:28 +0000 Subject: [PATCH 0550/1479] Update Helm release ingress-nginx to v4.1.3 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 7f8b56341a..a9b67dafbb 100644 --- a/services/ingress-nginx/Chart.yaml 
+++ b/services/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.1.1 + version: 4.1.3 repository: https://kubernetes.github.io/ingress-nginx From 94c89bcd1f26f61bcbda2f2d2f5eadacff3278eb Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 31 May 2022 07:55:08 -0700 Subject: [PATCH 0551/1479] Regenerate Helm chart documentation --- services/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index d0d8520cf6..a9c7c8007d 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.1.1 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.1.3 | ## Values From 58f8806b85845225f29362fd68e92c506b9855f2 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 31 May 2022 15:05:17 +0000 Subject: [PATCH 0552/1479] Update Helm release redis to v16.10.1 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 61554b0e5f..d38bc62a28 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.9.10 + version: 16.10.1 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 699ea9ae27..634ef81ca8 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: 0.4.0b1 dependencies: - name: redis - version: 16.9.10 + version: 16.10.1 repository: https://charts.bitnami.com/bitnami 
From 56340e5ca3d8fe894d17ad4809792b4d9ccd9491 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 31 May 2022 08:09:27 -0700 Subject: [PATCH 0553/1479] Update Helm chart documentation --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index c9e93e0898..a7dfecc3d5 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.9.10 | +| https://charts.bitnami.com/bitnami | redis | 16.10.1 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index c102dd5ae9..5f4299c011 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.9.10 | +| https://charts.bitnami.com/bitnami | redis | 16.10.1 | ## Values From 34a3dd10066c72f7b87ee8a6d94745c2ec82ce6b Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 27 May 2022 13:33:10 -0700 Subject: [PATCH 0554/1479] Double collection interval and add jitter to reduce load on metrics endpoints --- services/telegraf-ds/templates/configmap.yaml | 5 +++-- services/telegraf/templates/configmap.yaml | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/services/telegraf-ds/templates/configmap.yaml b/services/telegraf-ds/templates/configmap.yaml index b1990677f3..b8c84afc53 100644 --- a/services/telegraf-ds/templates/configmap.yaml +++ b/services/telegraf-ds/templates/configmap.yaml 
@@ -8,8 +8,9 @@ data: cluster = {{- .Values.global.host | quote }} [agent] hostname = "telegraf-$HOSTIP" - interval = "60s" - flush_interval = "60s" + interval = "120s" + flush_interval = "120s" + collection_jitter = "10s" metric_batch_size = 10000 metric_buffer_limit = 100000 diff --git a/services/telegraf/templates/configmap.yaml b/services/telegraf/templates/configmap.yaml index 99cdca6dbc..6492489b8a 100644 --- a/services/telegraf/templates/configmap.yaml +++ b/services/telegraf/templates/configmap.yaml @@ -10,8 +10,9 @@ data: [agent] hostname = "$HOSTNAME" omit_hostname = true - interval = "60s" - flush_interval = "60s" + interval = "120s" + flush_interval = "120s" + collection_jitter = "10s" logfile = "" metric_batch_size = 10000 metric_buffer_limit = 100000 From bdf80b708ed295b151747a7b6ffb32460b96480d Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 31 May 2022 18:26:21 +0200 Subject: [PATCH 0555/1479] removed oicd server --- services/gafaelfawr/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index f9959bb3fe..71d7c3d992 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -31,8 +31,8 @@ config: uidClaim: 'uid_number' isMemberOf: 'groups' - oidcServer: - enabled: true + # oidcServer: + # enabled: true # Allow access by GitHub team. # Allow access by GitHub team. groupMapping: From 974707e89ffe3080a929b036930f53a5f5d5334a Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 31 May 2022 18:47:15 +0200 Subject: [PATCH 0556/1479] removed space --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 71d7c3d992..c62aa75888 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml 
@@ -26,7 +26,7 @@ config: clientId: "lsst_rsp" loginUrl: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth tokenUrl: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token - issuer: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/ + issuer: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/ usernameClaim: "preferred_username" uidClaim: 'uid_number' isMemberOf: 'groups' From fceafb8f170e89694dd292fca5812f2b75ef57b4 Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Thu, 26 May 2022 12:09:29 -0700 Subject: [PATCH 0557/1479] Add LSST_SITE to telescope deployments. --- services/nublado2/values-base.yaml | 1 + services/nublado2/values-summit.yaml | 1 + services/nublado2/values-tucson-teststand.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/services/nublado2/values-base.yaml b/services/nublado2/values-base.yaml index 5f6a67d270..12729fd444 100644 --- a/services/nublado2/values-base.yaml +++ b/services/nublado2/values-base.yaml @@ -23,6 +23,7 @@ config: AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" LSST_DDS_INTERFACE: net1 LSST_DDS_PARTITION_PREFIX: base + LSST_SITE: base volumes: - name: home nfs: diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml index 61d159608f..a946f2ca8b 100644 --- a/services/nublado2/values-summit.yaml +++ b/services/nublado2/values-summit.yaml @@ -24,6 +24,7 @@ config: DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" LSST_DDS_INTERFACE: net1 LSST_DDS_PARTITION_PREFIX: summit + LSST_SITE: summit volumes: - name: home nfs: diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index d578228cbb..6ebdd118f9 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml 
@@ -24,6 +24,7 @@ config: DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" LSST_DDS_INTERFACE: net1 LSST_DDS_PARTITION_PREFIX: tucson + LSST_SITE: tucson volumes: - name: home nfs: From 9bbe9273ca43665820d26a71b3b9b636507e9bca Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 31 May 2022 18:57:08 +0200 Subject: [PATCH 0558/1479] using quotes to define issuer --- services/gafaelfawr/values-ccin2p3.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index c62aa75888..8580e181ea 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -24,9 +24,9 @@ config: oidc: clientId: "lsst_rsp" - loginUrl: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth - tokenUrl: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token - issuer: https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/ + loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" + tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" + issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" usernameClaim: "preferred_username" uidClaim: 'uid_number' isMemberOf: 'groups' From 549f9a13911d7ec52da38e1b14e9075cc97bf347 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 31 May 2022 11:22:47 -0700 Subject: [PATCH 0559/1479] Update version of vo-cutouts --- services/vo-cutouts/Chart.yaml | 5 +++-- services/vo-cutouts/README.md | 4 +++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index 1ede718ff2..6db4da00eb 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml 
@@ -2,5 +2,6 @@ apiVersion: v2 name: vo-cutouts version: 1.0.0 description: "Image cutout service complying with IVOA SODA" -home: "https://github.com/lsst-sqre/vo-cutouts" -appVersion: 0.3.0 +sources: + - "https://github.com/lsst-sqre/vo-cutouts" +appVersion: 0.4.0 diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index c2cbff4680..b0ab18fe13 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -2,7 +2,9 @@ Image cutout service complying with IVOA SODA -**Homepage:** +## Source Code + +* ## Values From 26eeb3e27b664d7881b12673d755dacf8c9ce818 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 31 May 2022 22:46:49 +0200 Subject: [PATCH 0560/1479] try to fix issuer problem --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 8580e181ea..a0fd896a2a 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -26,7 +26,7 @@ config: clientId: "lsst_rsp" loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" + issuer: "https://login.cc.in2p3.fr" usernameClaim: "preferred_username" uidClaim: 'uid_number' isMemberOf: 'groups' From 482bc973bd70439fe699d499c83fbce1a31ba319 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Tue, 31 May 2022 17:53:46 -0700 Subject: [PATCH 0561/1479] [DM-34992] Datalinker 1.2.1 --- services/datalinker/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index 0ebcf2d45b..61435003b4 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.2.0 +appVersion: 1.2.1 description: IVOA datalink service for Rubin Science Platform name: datalinker type: application From 23cc91c8aa351ad6fbd859bd942f27d0b3e58d37 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 1 Jun 2022 11:41:46 +0200 Subject: [PATCH 0562/1479] issuer again --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index a0fd896a2a..8580e181ea 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -26,7 +26,7 @@ config: clientId: "lsst_rsp" loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - issuer: "https://login.cc.in2p3.fr" + issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" usernameClaim: "preferred_username" uidClaim: 'uid_number' isMemberOf: 'groups' From 399d069ddf53424901f704db30bfbf27d35ec9c6 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 1 Jun 2022 12:19:30 +0200 Subject: [PATCH 0563/1479] remove issuer --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 8580e181ea..8a99b5afe9 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -26,7 +26,7 @@ config: clientId: "lsst_rsp" loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" + #issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" usernameClaim: "preferred_username" uidClaim: 'uid_number' isMemberOf: 'groups' 
From ba7a2b31a58a36dbb1517c7075c6bc04e4bcab09 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 1 Jun 2022 12:20:20 +0200 Subject: [PATCH 0564/1479] issuer readded --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 8a99b5afe9..8580e181ea 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -26,7 +26,7 @@ config: clientId: "lsst_rsp" loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - #issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" + issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" usernameClaim: "preferred_username" uidClaim: 'uid_number' isMemberOf: 'groups' From d81c8af6812160a76fca9462ad6951828996e916 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 1 Jun 2022 14:25:43 +0200 Subject: [PATCH 0565/1479] removed / --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 8580e181ea..b36c5b5086 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -26,7 +26,7 @@ config: clientId: "lsst_rsp" loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" + issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" usernameClaim: "preferred_username" uidClaim: 'uid_number' isMemberOf: 'groups' From 280af31748836618ba497fe4d5f08b8261d9fdcf Mon Sep 17 00:00:00 2001 
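Review bot: The `issuer` value in services/gafaelfawr/values-ccin2p3.yaml is flipped between the trailing-slash and no-slash forms across PATCH 0560, 0562, 0563, 0564, 0565 and again in 0568 and 0575, with no record in the commits of which form the identity provider actually emits. OIDC issuer validation is an exact string comparison against the `iss` claim of the ID token, so the value should be copied from the realm's `.well-known/openid-configuration` document (its `issuer` field) rather than found by trial. A comment next to the key would stop the churn, e.g. `# Must match the iss claim of the ID token exactly; copied from the realm's discovery document`.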
From: Gabriele Mainetti Date: Wed, 1 Jun 2022 16:12:10 +0200 Subject: [PATCH 0566/1479] set log to debug --- services/gafaelfawr/values-ccin2p3.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index b36c5b5086..348481e64c 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -10,6 +10,7 @@ redis: enabled: false config: + loglevel: "DEBUG" host: data-dev.lsst.eu databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" From f721cd9983614c90f60fab3449b9dea356cd6d96 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 1 Jun 2022 11:25:10 -0400 Subject: [PATCH 0567/1479] Drop vaultsecret for noteburst Noteburst isn't using secrets as the moment, so having an empty VaultSecret resource is actually causing errors. --- services/noteburst/templates/vaultsecret.yaml | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 services/noteburst/templates/vaultsecret.yaml diff --git a/services/noteburst/templates/vaultsecret.yaml b/services/noteburst/templates/vaultsecret.yaml deleted file mode 100644 index 7d5f4a62bb..0000000000 --- a/services/noteburst/templates/vaultsecret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: {{ include "noteburst.fullname" . }} - labels: - {{- include "noteburst.labels" . | nindent 4 }} -spec: - path: "{{ .Values.global.vaultSecretsPathPrefix }}/noteburst" - type: Opaque From 3eb11fdbeb4331f4c2cdfc1e80de9d92a13391ab Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 1 Jun 2022 22:18:48 +0200 Subject: [PATCH 0568/1479] add last / --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 348481e64c..a83f9a09b6 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml 
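Review bot: `loglevel: "DEBUG"` in services/gafaelfawr/values-ccin2p3.yaml (PATCH 0566) is committed into the persistent values for the authentication service, where debug-level output may carry request details and identity claims that should not sit in long-term log storage. If it is needed for the OIDC troubleshooting going on in the surrounding commits it should be scoped to that window and reverted afterwards. A marker such as `# TODO: temporary while debugging OIDC login; remove to restore the chart default` makes that intent visible to the next person reading the file.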
+++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -27,7 +27,7 @@ config: clientId: "lsst_rsp" loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" + issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" usernameClaim: "preferred_username" uidClaim: 'uid_number' isMemberOf: 'groups' From 714e9f6d219da5f53a16d1cee3f1c05e12dc8b8e Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 1 Jun 2022 14:06:03 -0700 Subject: [PATCH 0569/1479] Enable sasquatch and strimzi at the summit --- science-platform/values-summit.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index 9f56229663..e19377fe2a 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -37,7 +37,7 @@ portal: postgres: enabled: true sasquatch: - enabled: false + enabled: true production_tools: enabled: false semaphore: @@ -49,7 +49,7 @@ squareone: squash_api: enabled: false strimzi: - enabled: false + enabled: true strimzi_registry_operator: enabled: false tap: From 63ee65ad2cedfb7a434691674e50c056c9b79236 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 1 Jun 2022 14:07:37 -0700 Subject: [PATCH 0570/1479] Enable support to OpenID Connect - This is required to authenticate Chronograf --- services/gafaelfawr/values-summit.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/gafaelfawr/values-summit.yaml b/services/gafaelfawr/values-summit.yaml index 11aa1823d7..9313f07ac7 100644 --- a/services/gafaelfawr/values-summit.yaml +++ b/services/gafaelfawr/values-summit.yaml 
@@ -7,6 +7,10 @@ redis: config: databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + # Support OpenID Connect clients like Chronograf. + oidcServer: + enabled: true + # Use GitHub authentication. github: clientId: "220d64cbf46f9d2b7873" From 0a6e18a40eb0f7a5730394f4538ace692093bfca Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 1 Jun 2022 14:18:01 -0700 Subject: [PATCH 0571/1479] Add sasquatch configuration for the summit --- services/sasquatch/values-summit.yaml | 47 +++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 services/sasquatch/values-summit.yaml diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml new file mode 100644 index 0000000000..b9ab8c38cc --- /dev/null +++ b/services/sasquatch/values-summit.yaml @@ -0,0 +1,47 @@ +strimzi-kafka: + kafka: + storage: + storageClassName: rook-ceph-block + zookeeper: + storage: + storageClassName: rook-ceph-block + +influxdb: + persistence: + storageClass: rook-ceph-block + ingress: + enabled: true + hostname: summit-lsp.lsst.codes + +kafka-connect-manager: + influxdbSink: + influxdb-sink: + enabled: true + +chronograf: + persistence: + storageClass: rook-ceph-block + ingress: + enabled: true + hostname: summit-lsp.lsst.codes + env: + GENERIC_NAME: "OIDC" + GENERIC_AUTH_URL: https://summit-lsp.lsst.codes/auth/openid/login + GENERIC_TOKEN_URL: https://summit-lsp.lsst.codes/auth/openid/token + USE_ID_TOKEN: 1 + JWKS_URL: https://summit-lsp.lsst.codes/.well-known/jwks.json + GENERIC_API_URL: https://summit-lsp.lsst.codes/auth/userinfo + GENERIC_SCOPES: openid + GENERIC_API_KEY: sub + PUBLIC_URL: https://summit-lsp.lsst.codes + STATUS_FEED_URL: https://lsst-sqre.github.io/sasquatch/feeds/summit.json + +kapacitor: + persistence: + storageClass: rook-ceph-block + +csc: + enabled: false + +kafka-producers: + enabled: false From 39aad457e1076c427899a6a72e2b29f05617830a Mon Sep 17 00:00:00 2001 
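Review bot: In services/sasquatch/values-summit.yaml (PATCH 0571) the `chronograf.env` entry `USE_ID_TOKEN: 1` is a YAML integer while Kubernetes container env values must be strings, so unless the chart template quotes the map values the rendered manifest may be rejected or the value coerced; `USE_ID_TOKEN: "1"` avoids depending on that. The URL-valued entries in the same map are also unquoted, which is safe today but one `: ` or ` #` in a future value would change the parse, so quoting them consistently is cheap insurance. The Chronograf client secret is presumably supplied elsewhere; it should not be added to this file.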
From: Angelo Fausti Date: Wed, 1 Jun 2022 14:18:57 -0700 Subject: [PATCH 0572/1479] Add strimzi configuration for the summit - Watch the sasquatch namespace --- services/strimzi/values-summit.yaml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 services/strimzi/values-summit.yaml diff --git a/services/strimzi/values-summit.yaml b/services/strimzi/values-summit.yaml new file mode 100644 index 0000000000..a12924c931 --- /dev/null +++ b/services/strimzi/values-summit.yaml @@ -0,0 +1,4 @@ +strimzi-kafka-operator: + watchNamespaces: + - "sasquatch" + logLevel: "INFO" From 15da5e0a33518f917185ce353cb1f329fa777288 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 1 Jun 2022 16:50:33 -0700 Subject: [PATCH 0573/1479] Update vo-cutouts to 0.4.1 Update the version and pull from GitHub Container Registry instead of Docker Hub. Drop the pull-secret, since the only remaining image we pull from Docker Hub is the first-party redis image, which should be cached and shouldn't cause rate-limiting issues. --- services/vo-cutouts/Chart.yaml | 2 +- services/vo-cutouts/README.md | 4 ++-- .../vo-cutouts/templates/db-worker-deployment.yaml | 2 -- services/vo-cutouts/templates/deployment.yaml | 2 -- services/vo-cutouts/templates/redis-statefulset.yaml | 2 -- services/vo-cutouts/templates/vault-secrets.yaml | 10 ---------- services/vo-cutouts/templates/worker-deployment.yaml | 2 -- services/vo-cutouts/values.yaml | 4 ++-- 8 files changed, 5 insertions(+), 23 deletions(-) diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index 6db4da00eb..0a11111956 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: "Image cutout service complying with IVOA SODA" sources: - "https://github.com/lsst-sqre/vo-cutouts" -appVersion: 0.4.0 +appVersion: 0.4.1 diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index b0ab18fe13..d8de0a2caa 100644 
--- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -25,7 +25,7 @@ Image cutout service complying with IVOA SODA | config.timeout | int | 600 (10 minutes) | Timeout for a single cutout job in seconds | | cutoutWorker.affinity | object | `{}` | Affinity rules for the cutout worker pod | | cutoutWorker.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for cutout workers | -| cutoutWorker.image.repository | string | `"lsstsqre/vo-cutouts-worker"` | Stack image to use for cutouts | +| cutoutWorker.image.repository | string | `"ghcr.io/lsst-sqre/vo-cutouts-worker"` | Stack image to use for cutouts | | cutoutWorker.image.tag | string | The appVersion of the chart | Tag of vo-cutouts worker image to use | | cutoutWorker.nodeSelector | object | `{}` | Node selection rules for the cutout worker pod | | cutoutWorker.podAnnotations | object | `{}` | Annotations for the cutout worker pod | @@ -44,7 +44,7 @@ Image cutout service complying with IVOA SODA | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the vo-cutouts image | -| image.repository | string | `"lsstsqre/vo-cutouts"` | vo-cutouts image to use | +| image.repository | string | `"ghcr.io/lsst-sqre/vo-cutouts"` | vo-cutouts image to use | | image.tag | string | The appVersion of the chart | Tag of vo-cutouts image to use | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ingress.gafaelfawrAuthQuery | string | `"scope=read:image"` | Gafaelfawr auth query string | diff --git a/services/vo-cutouts/templates/db-worker-deployment.yaml b/services/vo-cutouts/templates/db-worker-deployment.yaml index db3ccff4c0..c34097329d 100644 --- a/services/vo-cutouts/templates/db-worker-deployment.yaml +++ b/services/vo-cutouts/templates/db-worker-deployment.yaml 
@@ -82,8 +82,6 @@ spec: volumeMounts: - name: "tmp" mountPath: "/tmp" - imagePullSecrets: - - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/services/vo-cutouts/templates/deployment.yaml b/services/vo-cutouts/templates/deployment.yaml index f7fb7f9fa1..080aaf39b9 100644 --- a/services/vo-cutouts/templates/deployment.yaml +++ b/services/vo-cutouts/templates/deployment.yaml @@ -87,8 +87,6 @@ spec: volumeMounts: - name: "tmp" mountPath: "/tmp" - imagePullSecrets: - - name: "pull-secret" volumes: # Dramatiq enables its Prometheus middleware by default, which # requires writable /tmp. diff --git a/services/vo-cutouts/templates/redis-statefulset.yaml b/services/vo-cutouts/templates/redis-statefulset.yaml index 503bcb21eb..5472d8b914 100644 --- a/services/vo-cutouts/templates/redis-statefulset.yaml +++ b/services/vo-cutouts/templates/redis-statefulset.yaml @@ -62,8 +62,6 @@ spec: volumeMounts: - name: {{ template "vo-cutouts.fullname" . }}-redis-data mountPath: "/data" - imagePullSecrets: - - name: "pull-secret" securityContext: fsGroup: 999 runAsNonRoot: true diff --git a/services/vo-cutouts/templates/vault-secrets.yaml b/services/vo-cutouts/templates/vault-secrets.yaml index 0cdb663f4a..04696ceb30 100644 --- a/services/vo-cutouts/templates/vault-secrets.yaml +++ b/services/vo-cutouts/templates/vault-secrets.yaml @@ -7,13 +7,3 @@ metadata: spec: path: "{{ .Values.global.vaultSecretsPath }}/vo-cutouts" type: Opaque ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: "pull-secret" - labels: - {{- include "vo-cutouts.labels" . | nindent 4 }} -spec: - path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" - type: "kubernetes.io/dockerconfigjson" diff --git a/services/vo-cutouts/templates/worker-deployment.yaml b/services/vo-cutouts/templates/worker-deployment.yaml index e2b892617a..869617288b 100644 --- a/services/vo-cutouts/templates/worker-deployment.yaml 
+++ b/services/vo-cutouts/templates/worker-deployment.yaml @@ -97,8 +97,6 @@ spec: mountPath: "/etc/vo-cutouts/secrets" - name: "tmp" mountPath: "/tmp" - imagePullSecrets: - - name: "pull-secret" securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 69dd530549..8cf9b2770c 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -11,7 +11,7 @@ fullnameOverride: "" image: # -- vo-cutouts image to use - repository: "lsstsqre/vo-cutouts" + repository: "ghcr.io/lsst-sqre/vo-cutouts" # -- Pull policy for the vo-cutouts image pullPolicy: "IfNotPresent" @@ -98,7 +98,7 @@ cutoutWorker: image: # -- Stack image to use for cutouts - repository: "lsstsqre/vo-cutouts-worker" + repository: "ghcr.io/lsst-sqre/vo-cutouts-worker" # -- Tag of vo-cutouts worker image to use # @default -- The appVersion of the chart From ce5488203e0900b0b7c7ba865af9968abf4d24aa Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 2 Jun 2022 11:18:35 +0200 Subject: [PATCH 0574/1479] trying a modified image --- services/gafaelfawr/values-ccin2p3.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index a83f9a09b6..c94ebf951c 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -1,3 +1,7 @@ +image: + # -- Gafaelfawr image to use + repository: "docker.io/gabrimaine/gafaelfawr" + replicaCount: 2 pull_secret: 'pull-secret' From 4e83a37ba4213d187a18e42c048e1023466e4a7a Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 2 Jun 2022 13:29:00 +0200 Subject: [PATCH 0575/1479] removed trailing / to test new release --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index c94ebf951c..eb6c72eb0c 100644 
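Review bot: The `image.repository` override added in services/gafaelfawr/values-ccin2p3.yaml (PATCH 0574) moves the authentication service onto `docker.io/gabrimaine/gafaelfawr`, a personal Docker Hub namespace outside the project's release pipeline, and no `tag` is set so whatever tag the chart defaults to (not visible here) will be pulled from that namespace. For an identity-critical component this should be a short-lived experiment: pin the image by digest while it is in use, record why in the file, and revert to the first-party image once the change is upstream. E.g. `# TEMPORARY: locally modified build for testing; revert to the upstream image once released`.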
--- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -31,7 +31,7 @@ config: clientId: "lsst_rsp" loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/" + issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" usernameClaim: "preferred_username" uidClaim: 'uid_number' isMemberOf: 'groups' From 36fe6036d27a59aff74cda1ca007a4cf07bbe81d Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 2 Jun 2022 13:53:54 +0200 Subject: [PATCH 0576/1479] try /lsst --- services/gafaelfawr/values-ccin2p3.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index eb6c72eb0c..708c861484 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -42,15 +42,15 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - "lsst" + - "/lsst" "exec:admin": - - "lsst" + - "/lsst" "exec:notebook": - - "lsst" + - "/lsst" "exec:portal": - - "lsst" + - "/lsst" "read:tap": - - "lsst" + - "/lsst" # # Allow access by GitHub team. # # Allow access by GitHub team. From e92faaee6db79dbae8b7252ad0749b77839e83a5 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 2 Jun 2022 14:17:04 +0200 Subject: [PATCH 0577/1479] add isMemeberOfclaim --- services/gafaelfawr/values.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index f58163f58e..079a3969f7 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
@@ -94,7 +94,7 @@ config: # -- Audience for the JWT token # @default -- Value of `config.oidc.clientId` - audience: "" + audience: "" # -- URL to which to redirect the user for authorization # @default -- None, must be set @@ -129,6 +129,10 @@ config: # @default -- `"uidNumber"` uidClaim: "" + # -- Claim from which get the list of groups + # @default -- `"isMemberOf"` + isMemberOf: "isMemberOf" + ldap: # -- LDAP server URL from which to retrieve user group information # @default -- Do not use LDAP From b96d7e2943ebefd4b0d4a1c896d4bc4495d57edd Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 2 Jun 2022 14:46:21 +0200 Subject: [PATCH 0578/1479] removed / in group mapping --- services/gafaelfawr/values-ccin2p3.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 708c861484..eb6c72eb0c 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -42,15 +42,15 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - "/lsst" + - "lsst" "exec:admin": - - "/lsst" + - "lsst" "exec:notebook": - - "/lsst" + - "lsst" "exec:portal": - - "/lsst" + - "lsst" "read:tap": - - "/lsst" + - "lsst" # # Allow access by GitHub team. # # Allow access by GitHub team. From 06f39ae08f1a5daf8183b0aeb8dee64f69f1fab4 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 2 Jun 2022 15:25:35 +0200 Subject: [PATCH 0579/1479] fix value bases --- services/gafaelfawr/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 079a3969f7..33a30b7758 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
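Review bot: The new `isMemberOf` value is given the literal default `"isMemberOf"` and documented as `@default -- "isMemberOf"`, unlike the neighbouring `usernameClaim`/`uidClaim`, which default to `""` and let the application choose; with a non-empty default every rendering will emit the key, including deployments that never use OIDC groups. Set it to `""` here and name it like its siblings, e.g. `groupsClaim: ""`, with the comment `# -- Claim from which to get the list of groups`. The enclosing `config.oidc` block starts above the hunk.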
@@ -131,7 +131,7 @@ config: # -- Claim from which get the list of groups # @default -- `"isMemberOf"` - isMemberOf: "isMemberOf" + isMemberOf: "" ldap: # -- LDAP server URL from which to retrieve user group information From ca608e05c207e09fc395e993b4d040897c4c358e Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 2 Jun 2022 15:33:39 +0200 Subject: [PATCH 0580/1479] readded / in groupMapping --- services/gafaelfawr/values-ccin2p3.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index eb6c72eb0c..708c861484 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -42,15 +42,15 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - "lsst" + - "/lsst" "exec:admin": - - "lsst" + - "/lsst" "exec:notebook": - - "lsst" + - "/lsst" "exec:portal": - - "lsst" + - "/lsst" "read:tap": - - "lsst" + - "/lsst" # # Allow access by GitHub team. # # Allow access by GitHub team. From c65c5b4a09a39589b77878773cda53e9fca6a3cf Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 2 Jun 2022 09:35:55 -0400 Subject: [PATCH 0581/1479] Drop noteburst workers from minikube env It's possible that noteburst workers can't connect to JupyterLab pods in the minikube environment; setting the worker count to 0 should prevent them from deploying. --- services/noteburst/values-minikube.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/noteburst/values-minikube.yaml b/services/noteburst/values-minikube.yaml index 0b427c0ee9..0e9052d8a5 100644 --- a/services/noteburst/values-minikube.yaml +++ b/services/noteburst/values-minikube.yaml @@ -1,6 +1,6 @@ config: worker: - workerCount: 1 + workerCount: 0 identities: - uid: 90000 username: "noteburst90000" From 49791e947d6888cb6a30ef88b708ea3823281c81 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Thu, 2 Jun 2022 16:12:52 +0200 Subject: [PATCH 0582/1479] configmap update to use isMemberOf --- services/gafaelfawr/templates/configmap.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index c0b1adb28f..5b258d3fb9 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -108,6 +108,9 @@ data: {{- if .Values.config.oidc.uidClaim }} uid_claim: {{ .Values.config.oidc.uidClaim | quote }} {{- end }} + {{- if .Values.config.oidc.isMemberOf }} + isMemberOf: {{ .Values.config.oidc.isMemberOf | quote }} + {{- end }} {{- end }} From 422cb1fc262758aa163a816aa1d4f6d7391b89be Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 2 Jun 2022 10:23:22 -0700 Subject: [PATCH 0583/1479] Point IDF dev HiPS service at test data Add the service account, GCS project, and GCS bucket for a test HiPS data set. Update Chart.yaml to flesh out the description and sources link. --- services/hips/Chart.yaml | 9 +++++---- services/hips/README.md | 6 +++++- services/hips/values-idfdev.yaml | 9 +++------ services/hips/values-minikube.yaml | 3 --- 4 files changed, 13 insertions(+), 14 deletions(-) diff --git a/services/hips/Chart.yaml b/services/hips/Chart.yaml index 6372aa3f11..e09d6d38d6 100644 --- a/services/hips/Chart.yaml +++ b/services/hips/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 -appVersion: 0.1.0 -description: A Helm chart for Kubernetes name: hips -type: application -version: 0.1.0 +version: 1.0.0 +description: HiPS web server backed by Google Cloud Storage +sources: + - https://github.com/lsst-sqre/crawlspace +appVersion: 0.1.0 diff --git a/services/hips/README.md b/services/hips/README.md index 813ab25865..a8df59b324 100644 --- a/services/hips/README.md +++ b/services/hips/README.md 
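Review bot: The key emitted here is `isMemberOf:` while its siblings in the same block are snake_case (`uid_claim:`), so it reads as the Helm value's name rather than an application setting; if the application does not recognise that key, the groups claim silently stays at its built-in default and the `groupMapping` entries in values-ccin2p3.yaml never match. Confirm the real setting name against the application's OIDC configuration before this reaches a production environment and emit that name instead, e.g. `groups_claim: {{ .Values.config.oidc.isMemberOf | quote }}`. The `{{- if .Values.config.oidc ... }}` block that encloses these lines starts above the hunk.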
@@ -1,6 +1,10 @@ # hips -A Helm chart for Kubernetes +HiPS web server backed by Google Cloud Storage + +## Source Code + +* ## Values diff --git a/services/hips/values-idfdev.yaml b/services/hips/values-idfdev.yaml index 0ad0493a05..4819b202a8 100644 --- a/services/hips/values-idfdev.yaml +++ b/services/hips/values-idfdev.yaml @@ -1,7 +1,4 @@ config: - gcsProject: "bogus" - gcsBucket: "bogus" - serviceAccount: "bogus" - -image: - tag: "tickets-DM-34802" + gcsProject: "data-curation-prod-fbdb" + gcsBucket: "hips-vista-us-central1-dev" + serviceAccount: "crawlspace-hips@science-platform-dev-7696.iam.gserviceaccount.com" diff --git a/services/hips/values-minikube.yaml b/services/hips/values-minikube.yaml index 0ad0493a05..44e7bb33bc 100644 --- a/services/hips/values-minikube.yaml +++ b/services/hips/values-minikube.yaml @@ -2,6 +2,3 @@ config: gcsProject: "bogus" gcsBucket: "bogus" serviceAccount: "bogus" - -image: - tag: "tickets-DM-34802" From 9db58c58f4d12016859ab1d4f6aaedbb92dcc315 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 2 Jun 2022 12:32:21 -0500 Subject: [PATCH 0584/1479] removed debug flag since out of testing --- services/nublado2/values-idfdev.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index f5f7fc9c28..0a860b43ee 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -16,9 +16,6 @@ jupyterhub: every: 60 maxAge: 3600 - debug: - enabled: true - ingress: hosts: ["data-dev.lsst.cloud"] annotations: From 031463c8ab201d0c2052f70b91b9cc733135120b Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 2 Jun 2022 13:45:41 -0500 Subject: [PATCH 0585/1479] fixed value in int and added values for prod --- services/nublado2/values-idfint.yaml | 10 +++++----- services/nublado2/values-idfprod.yaml | 18 ++++++++++++++++++ 2 files changed, 23 insertions(+), 5 deletions(-) 
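Review bot: The dev environment now uses `crawlspace-hips@science-platform-dev-7696.iam.gserviceaccount.com` to read a bucket that lives in a different project (`data-curation-prod-fbdb`), and nothing in the hunk records what role that cross-project grant carries. Since the README describes this account only as having "access to the storage bucket", document the intended scope next to the values, `# cross-project: needs only read access to hips-vista-us-central1-dev, granted on the bucket, not the project`, and confirm the binding is bucket-scoped rather than project-wide.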
diff --git a/services/nublado2/values-idfint.yaml b/services/nublado2/values-idfint.yaml index d731cc1957..b2eadb73c7 100644 --- a/services/nublado2/values-idfint.yaml +++ b/services/nublado2/values-idfint.yaml @@ -6,13 +6,13 @@ jupyterhub: memory: 3Gi config: ServerApp: - shutdown_no_activity_timeout: 5184000 + shutdown_no_activity_timeout: 432000 cull: enabled: true users: false removeNamedServers: false - timeout: 5184000 + timeout: 432000 every: 300 maxAge: 2160000 @@ -41,11 +41,11 @@ config: PANDA_URL: http://pandaserver-doma.cern.ch:25080/server/panda IDDS_CONFIG: /opt/lsst/software/jupyterlab/panda/idds.cfg.client.template PANDA_CONFIG_ROOT: "~" - NO_ACTIVITY_TIMEOUT: "5184000" - CULL_KERNEL_IDLE_TIMEOUT: "5184000" + NO_ACTIVITY_TIMEOUT: "432000" + CULL_KERNEL_IDLE_TIMEOUT: "432000" CULL_KERNEL_CONNECTED: "True" CULL_KERNEL_INTERVAL: "300" - CULL_TERMINAL_INACTIVE_TIMEOUT: "5184000" + CULL_TERMINAL_INACTIVE_TIMEOUT: "432000" CULL_TERMINAL_INTERVAL: "300" sizes: - name: Small diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index 9fec61e9f9..6ef0d3d7f3 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml @@ -4,6 +4,18 @@ jupyterhub: requests: cpu: "2" memory: 3Gi + config: + ServerApp: + shutdown_no_activity_timeout: 432000 + + cull: + enabled: true + users: false + removeNamedServers: false + timeout: 432000 + every: 300 + maxAge: 2160000 + ingress: hosts: ["data.lsst.cloud"] annotations: 
@@ -22,6 +34,12 @@ config: AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks AUTO_REPO_BRANCH: prod AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod + NO_ACTIVITY_TIMEOUT: "432000" + CULL_KERNEL_IDLE_TIMEOUT: "432000" + CULL_KERNEL_CONNECTED: "True" + CULL_KERNEL_INTERVAL: "300" + CULL_TERMINAL_INACTIVE_TIMEOUT: "432000" + CULL_TERMINAL_INTERVAL: "300" volumes: - name: home nfs: From 041eaa08566182da8ed1f32b39ca4d9e854f1fd3 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 2 Jun 2022 13:22:53 -0700 Subject: [PATCH 0586/1479] Bump crawlspace version to 0.1.1 Update the hips service for the new crawlspace release. Stop plumbing through vaultSecretsPath for that service, since it has no secrets (it uses workload identity). --- science-platform/templates/hips-application.yaml | 2 -- services/hips/Chart.yaml | 2 +- services/hips/README.md | 1 - services/hips/values.yaml | 4 ---- 4 files changed, 1 insertion(+), 8 deletions(-) diff --git a/science-platform/templates/hips-application.yaml b/science-platform/templates/hips-application.yaml index 2862d40ec3..071d36dd01 100644 --- a/science-platform/templates/hips-application.yaml +++ b/science-platform/templates/hips-application.yaml @@ -29,8 +29,6 @@ spec: value: {{ .Values.fqdn | quote }} - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" - "values-{{ .Values.environment }}.yaml" diff --git a/services/hips/Chart.yaml b/services/hips/Chart.yaml index e09d6d38d6..89c9cde2e5 100644 --- a/services/hips/Chart.yaml +++ b/services/hips/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: HiPS web server backed by Google Cloud Storage sources: - https://github.com/lsst-sqre/crawlspace -appVersion: 0.1.0 +appVersion: 0.1.1 
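Review bot: `"432000"` and `"300"` appear in five environment variables here with no indication of what they are, and the same numbers are repeated as integers in the `jupyterhub.cull` block added earlier in this file, so the two copies can drift apart silently. Add a unit comment where each is first used, `NO_ACTIVITY_TIMEOUT: "432000"  # 5 days; keep in sync with jupyterhub.cull.timeout`, and likewise `timeout: 432000  # 5 days` and `maxAge: 2160000  # 25 days` in the cull block. The enclosing `config:` mapping starts above the hunk.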
diff --git a/services/hips/README.md b/services/hips/README.md index a8df59b324..6f5f99b46f 100644 --- a/services/hips/README.md +++ b/services/hips/README.md @@ -20,7 +20,6 @@ HiPS web server backed by Google Cloud Storage | config.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `hips` Kubernetes service account and has access to the storage bucket | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | -| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the hips image | | image.repository | string | `"ghcr.io/lsst-sqre/crawlspace"` | Image to use in the hips deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | diff --git a/services/hips/values.yaml b/services/hips/values.yaml index dab0285028..92a1a9f488 100644 --- a/services/hips/values.yaml +++ b/services/hips/values.yaml @@ -78,7 +78,3 @@ global: # -- Host name for ingress # @default -- Set by Argo CD host: "" - - # -- Base path for Vault secrets - # @default -- Set by Argo CD - vaultSecretsPath: "" From 0e6f55abd24b1c26303a2aea8e221053f033a81c Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 2 Jun 2022 17:07:29 -0500 Subject: [PATCH 0587/1479] remove extra space --- services/nublado2/values-idfprod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index 6ef0d3d7f3..70560fe056 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml 
@@ -310,4 +310,4 @@ vault_secret_path: "secret/k8s_operator/data.lsst.cloud/nublado2" pull-secret: enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" + path: "secret/k8s_operator/data.lsst.cloud/pull-secret" \ No newline at end of file From 99890bffd13750ba34fcccf008693adfb8a70940 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 2 Jun 2022 17:10:48 -0500 Subject: [PATCH 0588/1479] fixing spacing --- services/nublado2/values-idfprod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index 70560fe056..6ef0d3d7f3 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml @@ -310,4 +310,4 @@ vault_secret_path: "secret/k8s_operator/data.lsst.cloud/nublado2" pull-secret: enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" \ No newline at end of file + path: "secret/k8s_operator/data.lsst.cloud/pull-secret" From dc17c9dd9cbba571b5156589078a3495a8544792 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 2 Jun 2022 17:15:21 -0500 Subject: [PATCH 0589/1479] fixing spacing --- services/nublado2/values-idfprod.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index 6ef0d3d7f3..7ce61c8308 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml @@ -7,7 +7,7 @@ jupyterhub: config: ServerApp: shutdown_no_activity_timeout: 432000 - + cull: enabled: true users: false @@ -15,7 +15,7 @@ jupyterhub: timeout: 432000 every: 300 maxAge: 2160000 - + ingress: hosts: ["data.lsst.cloud"] annotations: From fe18691147d18e9b4a021118482d9243ca4bf9c0 Mon Sep 17 00:00:00 2001 
From: Simon Krughoff Date: Thu, 2 Jun 2022 22:17:01 +0000 Subject: [PATCH 0590/1479] Update recommended to w_2022_22 --- services/cachemachine/values-idfdev.yaml | 4 ++-- services/cachemachine/values-idfint.yaml | 4 +--- services/cachemachine/values-idfprod.yaml | 4 ++-- services/cachemachine/values-int.yaml | 4 ++-- services/cachemachine/values-stable.yaml | 4 ++-- 5 files changed, 9 insertions(+), 11 deletions(-) diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml index 43f9d9adda..6faa7eae53 100644 --- a/services/cachemachine/values-idfdev.yaml +++ b/services/cachemachine/values-idfdev.yaml @@ -25,8 +25,8 @@ autostart: "type": "SimpleRepoMan", "images": [ { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_12", - "name": "Weekly 2022_12" + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_22", + "name": "Weekly 2022_22" } ] } diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml index a48e748ed5..b7dd1cf2e6 100644 --- a/services/cachemachine/values-idfint.yaml +++ b/services/cachemachine/values-idfint.yaml @@ -16,7 +16,7 @@ autostart: "gar_image": "sciplat-lab", "project_id": "rubin-shared-services-71ec", "location": "us-central1", - "recommended_tag": "recommended_int", + "recommended_tag": "recommended", "num_releases": 1, "num_weeklies": 2, "num_dailies": 3 @@ -26,8 +26,6 @@ autostart: "images": [ { "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_22", - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_12", - "name": "Weekly 2022_12" } ] } diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml index 4f34d9b02b..fa7d37449a 100644 --- a/services/cachemachine/values-idfprod.yaml +++ b/services/cachemachine/values-idfprod.yaml 
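Review bot: After this hunk the SimpleRepoMan entry reads `"image_url": "...sciplat-lab:w_2022_22",` followed directly by `}` — the removed `"name"` line was the last member, so the new side has a trailing comma and no display name, which a strict JSON parser rejects. Restore the member after the URL line: `"name": "Weekly 2022_22"`. The enclosing `autostart` value starts above the hunk.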
@@ -25,8 +25,8 @@ autostart: "type": "SimpleRepoMan", "images": [ { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_12", - "name": "Weekly 2022_12" + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_22", + "name": "Weekly 2022_22" } ] } diff --git a/services/cachemachine/values-int.yaml b/services/cachemachine/values-int.yaml index 35fc61ee7c..d9e2bb9280 100644 --- a/services/cachemachine/values-int.yaml +++ b/services/cachemachine/values-int.yaml @@ -19,8 +19,8 @@ autostart: "type": "SimpleRepoMan", "images": [ { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2022_12", - "name": "Weekly 2022_12" + "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2022_22", + "name": "Weekly 2022_22" } ] } diff --git a/services/cachemachine/values-stable.yaml b/services/cachemachine/values-stable.yaml index 35fc61ee7c..d9e2bb9280 100644 --- a/services/cachemachine/values-stable.yaml +++ b/services/cachemachine/values-stable.yaml @@ -19,8 +19,8 @@ autostart: "type": "SimpleRepoMan", "images": [ { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2022_12", - "name": "Weekly 2022_12" + "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2022_22", + "name": "Weekly 2022_22" } ] } From f86fb7fd086a6d9c765b0efaa042bdcae71425ee Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 2 Jun 2022 15:26:52 -0700 Subject: [PATCH 0591/1479] name w_22 for simplerepoman/idfint --- services/cachemachine/values-idfint.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml index b7dd1cf2e6..c4e47c3903 100644 --- a/services/cachemachine/values-idfint.yaml +++ b/services/cachemachine/values-idfint.yaml @@ -26,6 +26,7 @@ autostart: "images": [ { "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_22", + "name": "Weekly 2022_22" } ] } 
From 8848c94c188c52e577939ba254d2808cc13134d7 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 2 Jun 2022 15:40:01 -0700 Subject: [PATCH 0592/1479] Bump version of cachemachine --- services/cachemachine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cachemachine/Chart.yaml b/services/cachemachine/Chart.yaml index 389c9d25fe..d057659c29 100644 --- a/services/cachemachine/Chart.yaml +++ b/services/cachemachine/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 name: cachemachine version: 1.0.0 -appVersion: 1.2.0 +appVersion: 1.2.1 description: Service to prepull Docker images for the Science Platform From 4e41eaccda8b4275f4ab8d10e6c23798a0db3230 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 3 Jun 2022 10:20:14 +0200 Subject: [PATCH 0593/1479] rolleback to github --- services/gafaelfawr/templates/configmap.yaml | 4 +- services/gafaelfawr/values-ccin2p3.yaml | 82 ++++++++++---------- services/gafaelfawr/values.yaml | 3 - 3 files changed, 42 insertions(+), 47 deletions(-) diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 5b258d3fb9..b909bc8462 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -108,9 +108,7 @@ data: {{- if .Values.config.oidc.uidClaim }} uid_claim: {{ .Values.config.oidc.uidClaim | quote }} {{- end }} - {{- if .Values.config.oidc.isMemberOf }} - isMemberOf: {{ .Values.config.oidc.isMemberOf | quote }} - {{- end }} + {{- end }} diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 708c861484..7c6a8c42ff 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -1,6 +1,6 @@ -image: - # -- Gafaelfawr image to use - repository: "docker.io/gabrimaine/gafaelfawr" +# image: +# # -- Gafaelfawr image to use +# repository: "docker.io/gabrimaine/gafaelfawr" replicaCount: 2 
@@ -24,56 +24,56 @@ config: issuer: exp_minutes: 43200 # 30 days - # github: - # clientId: ae314e45a6af43ea910a + github: + clientId: ae314e45a6af43ea910a - oidc: - clientId: "lsst_rsp" - loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" - tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" - usernameClaim: "preferred_username" - uidClaim: 'uid_number' - isMemberOf: 'groups' - - # oidcServer: - # enabled: true -# Allow access by GitHub team. - # Allow access by GitHub team. - groupMapping: - "admin:provision": - - "/lsst" - "exec:admin": - - "/lsst" - "exec:notebook": - - "/lsst" - "exec:portal": - - "/lsst" - "read:tap": - - "/lsst" +# oidc: +# clientId: "lsst_rsp" +# loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" +# tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" +# issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" +# usernameClaim: "preferred_username" +# uidClaim: 'uid_number' +# isMemberOf: 'groups' +# # oidcServer: +# # enabled: true # # Allow access by GitHub team. # # Allow access by GitHub team. # groupMapping: # "admin:provision": -# - "rubin-in2p3-admin" +# - "/lsst" # "exec:admin": -# - "rubin-in2p3-admin" +# - "/lsst" # "exec:notebook": -# - "rubin-in2p3-admin" -# - "rubin-in2p3-user" +# - "/lsst" # "exec:portal": -# - "rubin-in2p3-admin" -# - "rubin-in2p3-user" +# - "/lsst" # "read:tap": -# - "rubin-in2p3-admin" -# - "rubin-in2p3-user" -# - "rubin-in2p3" -# - "rubin-in2p3-delegates" +# - "/lsst" + +# Allow access by GitHub team. + # Allow access by GitHub team. 
+ groupMapping: + "admin:provision": + - "rubin-in2p3-admin" + "exec:admin": + - "rubin-in2p3-admin" + "exec:notebook": + - "rubin-in2p3-admin" + - "rubin-in2p3-user" + "exec:portal": + - "rubin-in2p3-admin" + - "rubin-in2p3-user" + "read:tap": + - "rubin-in2p3-admin" + - "rubin-in2p3-user" + - "rubin-in2p3" + - "rubin-in2p3-delegates" initialAdmins: - - "mainetti" -# - "gabrimaine" + # - "mainetti" + - "gabrimaine" pull-secret: enabled: true diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 33a30b7758..e37db71bf5 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -129,9 +129,6 @@ config: # @default -- `"uidNumber"` uidClaim: "" - # -- Claim from which get the list of groups - # @default -- `"isMemberOf"` - isMemberOf: "" ldap: # -- LDAP server URL from which to retrieve user group information From da34322f548fc610ed2a18046b87bf3756b161e5 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 3 Jun 2022 10:16:09 -0700 Subject: [PATCH 0594/1479] Configure TCP keepalive for postgres At SLAC, the network connection with the in-cluster PostgreSQL database is dropped after too long an idle period. Enable TCP keep-alive on the PostgreSQL server to prevent this. This should be harmless everywhere, so do this unconditionally. --- services/postgres/Chart.yaml | 5 +- services/postgres/README.md | 6 +- services/postgres/templates/deployment.yaml | 145 ++++++++++---------- services/postgres/values.yaml | 13 +- 4 files changed, 91 insertions(+), 78 deletions(-) diff --git a/services/postgres/Chart.yaml b/services/postgres/Chart.yaml index 57a59c09fb..56fc1e9b2b 100644 --- a/services/postgres/Chart.yaml +++ b/services/postgres/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: postgres version: 1.0.0 -appVersion: "0.0.5" description: Postgres RDBMS for LSP -home: https://hub.docker.com/r/lsstsqre/lsp-postgres +sources: + - https://github.com/lsst-sqre/rsp-postgres +appVersion: 0.0.5 
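Review bot: The rollback comments out the OIDC block rather than deleting it, and the retained text still references `isMemberOf`, a value this same commit removes from values.yaml, so un-commenting it later would configure nothing; the duplicated `# Allow access by GitHub team.` comment also survives twice, above and below the dead block. Since git keeps the history, delete the commented block and one of the duplicate comments, or at least mark it `# Unused OIDC trial config; do not uncomment without re-adding the groups-claim value to values.yaml`. The `config:` mapping that encloses this hunk starts above it.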
diff --git a/services/postgres/README.md b/services/postgres/README.md index ff04a90335..89a1ac190a 100644 --- a/services/postgres/README.md +++ b/services/postgres/README.md @@ -2,7 +2,9 @@ Postgres RDBMS for LSP -**Homepage:** +## Source Code + +* ## Values @@ -14,6 +16,6 @@ Postgres RDBMS for LSP | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.repository | string | `"lsstsqre/lsp-postgres"` | postgres image to use | | image.tag | string | The appVersion of the chart | Tag of postgres image to use | -| postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you want a good database maybe it's better to use a cloud database?), on Rubin Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere probably "standard" ... | +| postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you want a good database maybe it's better to use a cloud database?), on Rubin Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere probably "standard" | | postgresVolumeSize | string | `"1Gi"` | Volume size for postgres. It can generally be very small | | volumeName | string | `""` | Volume name for postgres, if you use an existing volume that isn't automatically created from the PVC by the storage driver (e.g. NCSA) | diff --git a/services/postgres/templates/deployment.yaml b/services/postgres/templates/deployment.yaml index b43548395b..5fd1c46e74 100644 --- a/services/postgres/templates/deployment.yaml +++ b/services/postgres/templates/deployment.yaml 
@@ -12,83 +12,90 @@ spec: template: metadata: labels: - {{- include "postgres.selectorLabels" . | nindent 8 }} + {{- include "postgres.selectorLabels" . | nindent 8 }} spec: containers: - name: {{ template "postgres.fullname" . }} + args: + - "-c" + - "tcp_keepalives_idle=600" + - "-c" + - "tcp_keepalives_interval=30" + - "-c" + - "tcp_keepalives_count=10" + env: + - name: "DEBUG" + value: {{ .Values.debug | quote }} + - name: "POSTGRES_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "postgres.fullname" . }} + key: "root_password" + {{- with .Values.jupyterhub_db }} + - name: "VRO_DB_JUPYTERHUB_USER" + value: {{ .user | quote }} + - name: "VRO_DB_JUPYTERHUB_DB" + value: {{ .db | quote }} + - name: "VRO_DB_JUPYTERHUB_PASSWORD" + valueFrom: + secretKeyRef: + name: "postgres" + key: "jupyterhub_password" + {{- end }} + {{- with .Values.lovelog_db }} + - name: "VRO_DB_LOVELOG_USER" + value: {{ .user | quote }} + - name: "VRO_DB_LOVELOG_DB" + value: {{ .db | quote }} + - name: "VRO_DB_LOVELOG_PASSWORD" + valueFrom: + secretKeyRef: + name: "postgres" + key: "lovelog_password" + {{- end }} + {{- with .Values.narrativelog_db }} + - name: "VRO_DB_NARRATIVELOG_USER" + value: {{ .user | quote }} + - name: "VRO_DB_NARRATIVELOG_DB" + value: {{ .db | quote }} + - name: "VRO_DB_NARRATIVELOG_PASSWORD" + valueFrom: + secretKeyRef: + name: "postgres" + key: "narrativelog_password" + {{- end }} + {{- with .Values.exposurelog_db }} + - name: "VRO_DB_EXPOSURELOG_USER" + value: {{ .user | quote }} + - name: "VRO_DB_EXPOSURELOG_DB" + value: {{ .db | quote }} + - name: "VRO_DB_EXPOSURELOG_PASSWORD" + valueFrom: + secretKeyRef: + name: "postgres" + key: "exposurelog_password" + {{- end }} + {{- with .Values.gafaelfawr_db }} + - name: "VRO_DB_GAFAELFAWR_USER" + value: {{ .user | quote }} + - name: "VRO_DB_GAFAELFAWR_DB" + value: {{ .db | quote }} + - name: "VRO_DB_GAFAELFAWR_PASSWORD" + valueFrom: + secretKeyRef: + name: "postgres" + key: "gafaelfawr_password" + {{- end }} 
imagePullPolicy: "Always" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" ports: - - name: postgres - containerPort: 5432 + - name: "postgres" + containerPort: 5432 volumeMounts: - - name: storage - mountPath: /var/lib/postgresql - env: - - name: DEBUG - value: '{{ .Values.debug }}' - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgres.fullname" . }} - key: root_password - {{- with .Values.jupyterhub_db }} - - name: VRO_DB_JUPYTERHUB_USER - value: {{ .user }} - - name: VRO_DB_JUPYTERHUB_DB - value: {{ .db }} - - name: VRO_DB_JUPYTERHUB_PASSWORD - valueFrom: - secretKeyRef: - name: postgres - key: jupyterhub_password - {{- end }} - {{- with .Values.lovelog_db }} - - name: VRO_DB_LOVELOG_USER - value: {{ .user }} - - name: VRO_DB_LOVELOG_DB - value: {{ .db }} - - name: VRO_DB_LOVELOG_PASSWORD - valueFrom: - secretKeyRef: - name: postgres - key: lovelog_password - {{- end }} - {{- with .Values.narrativelog_db }} - - name: VRO_DB_NARRATIVELOG_USER - value: {{ .user }} - - name: VRO_DB_NARRATIVELOG_DB - value: {{ .db }} - - name: VRO_DB_NARRATIVELOG_PASSWORD - valueFrom: - secretKeyRef: - name: postgres - key: narrativelog_password - {{- end }} - {{- with .Values.exposurelog_db }} - - name: VRO_DB_EXPOSURELOG_USER - value: {{ .user }} - - name: VRO_DB_EXPOSURELOG_DB - value: {{ .db }} - - name: VRO_DB_EXPOSURELOG_PASSWORD - valueFrom: - secretKeyRef: - name: postgres - key: exposurelog_password - {{- end }} - {{- with .Values.gafaelfawr_db }} - - name: VRO_DB_GAFAELFAWR_USER - value: {{ .user }} - - name: VRO_DB_GAFAELFAWR_DB - value: {{ .db }} - - name: VRO_DB_GAFAELFAWR_PASSWORD - valueFrom: - secretKeyRef: - name: postgres - key: gafaelfawr_password - {{- end }} + - name: "storage" + mountPath: "/var/lib/postgresql" imagePullSecrets: - - name: "pull-secret" + - name: "pull-secret" volumes: - name: storage persistentVolumeClaim: 
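Review bot: On the new side the root password is read from `secretKeyRef.name: {{ template "postgres.fullname" . }}` while every per-database password block hard-codes `name: "postgres"`; the two agree only while the release's fullname is `postgres`, and any override leaves the per-database credentials unresolvable at pod start. Use the template in all five blocks, `name: {{ template "postgres.fullname" . }}`. This inconsistency is carried over from the old side rather than introduced here, but the hunk rewrites each of those lines, so it is the natural place to fix it.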
diff --git a/services/postgres/values.yaml b/services/postgres/values.yaml index 7c75ccf2e3..607193556e 100644 --- a/services/postgres/values.yaml +++ b/services/postgres/values.yaml @@ -8,18 +8,21 @@ debug: "" image: # -- postgres image to use repository: "lsstsqre/lsp-postgres" + # -- Tag of postgres image to use # @default -- The appVersion of the chart tag: "" # -- Volume size for postgres. It can generally be very small postgresVolumeSize: "1Gi" -# -- Storage class for postgres volume. -# Set to appropriate value for your deployment: at GKE, "standard" -# (if you want SSD, "premium-rwo", but if you want a good database maybe -# it's better to use a cloud database?), on Rubin Observatory Rancher, -# "rook-ceph-block", at NCSA, "manual", elsewhere probably "standard" ... + +# -- Storage class for postgres volume. Set to appropriate value for your +# deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you +# want a good database maybe it's better to use a cloud database?), on Rubin +# Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere +# probably "standard" postgresStorageClass: "standard" + # -- Volume name for postgres, if you use an existing volume that isn't # automatically created from the PVC by the storage driver (e.g. NCSA) volumeName: "" From 60b05d03fb44fa945295cb4afbe4dcb8d554931b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 3 Jun 2022 10:40:07 -0700 Subject: [PATCH 0595/1479] Make pullPolicy for postgres configurable Rather than forcing this to Always, make it configurable and default to IfNotPresent like our other services. --- services/postgres/README.md | 1 + services/postgres/templates/deployment.yaml | 2 +- services/postgres/values.yaml | 3 +++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/services/postgres/README.md b/services/postgres/README.md index 89a1ac190a..5004813a78 100644 --- a/services/postgres/README.md +++ b/services/postgres/README.md 
@@ -14,6 +14,7 @@ Postgres RDBMS for LSP | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the postgres image | | image.repository | string | `"lsstsqre/lsp-postgres"` | postgres image to use | | image.tag | string | The appVersion of the chart | Tag of postgres image to use | | postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you want a good database maybe it's better to use a cloud database?), on Rubin Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere probably "standard" | diff --git a/services/postgres/templates/deployment.yaml b/services/postgres/templates/deployment.yaml index 5fd1c46e74..4cf523db2d 100644 --- a/services/postgres/templates/deployment.yaml +++ b/services/postgres/templates/deployment.yaml @@ -86,7 +86,7 @@ spec: name: "postgres" key: "gafaelfawr_password" {{- end }} - imagePullPolicy: "Always" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" ports: - name: "postgres" diff --git a/services/postgres/values.yaml b/services/postgres/values.yaml index 607193556e..ad3039eee5 100644 --- a/services/postgres/values.yaml +++ b/services/postgres/values.yaml @@ -9,6 +9,9 @@ image: # -- postgres image to use repository: "lsstsqre/lsp-postgres" + # -- Pull policy for the postgres image + pullPolicy: "IfNotPresent" + # -- Tag of postgres image to use # @default -- The appVersion of the chart tag: "" From 4b63bb03c44b07ab9a57d1c81d95e22f27c1f90d Mon Sep 17 00:00:00 2001 
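Review bot: The new `pullPolicy: "IfNotPresent"` default in the values.yaml hunk combines with `tag: ""` falling back to the chart appVersion, so a node that already holds an image under that tag will keep running it even if the tag is re-pushed; that is fine for immutable release tags but the helm-docs comment should say so, e.g. `# -- Pull policy for the postgres image (IfNotPresent does not re-fetch a tag a node already has)`. The deployment hunk's `{{ .Values.image.pullPolicy | quote }}` is the right way to render it. The README hunk documents the same default and would carry the same wording once regenerated.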
From: Russ Allbery Date: Fri, 3 Jun 2022 10:42:07 -0700 Subject: [PATCH 0596/1479] Stop pinning postgres image tag This was pinned to 0.0.3 at NCSA for some reason. Stop doing that. --- services/postgres/values-int.yaml | 2 -- services/postgres/values-roe.yaml | 2 -- services/postgres/values-stable.yaml | 2 -- 3 files changed, 6 deletions(-) diff --git a/services/postgres/values-int.yaml b/services/postgres/values-int.yaml index fa18bc2088..af2e006a5d 100644 --- a/services/postgres/values-int.yaml +++ b/services/postgres/values-int.yaml @@ -6,5 +6,3 @@ gafaelfawr_db: db: "gafaelfawr" postgresStorageClass: "manual" volumeName: "postgres-data-volume" -image: - tag: "0.0.3" diff --git a/services/postgres/values-roe.yaml b/services/postgres/values-roe.yaml index 6231253710..8f053fb744 100644 --- a/services/postgres/values-roe.yaml +++ b/services/postgres/values-roe.yaml @@ -4,6 +4,4 @@ jupyterhub_db: gafaelfawr_db: user: "gafaelfawr" db: "gafaelfawr" -image: - tag: "0.0.5" postgresStorageClass: "standard" diff --git a/services/postgres/values-stable.yaml b/services/postgres/values-stable.yaml index fa18bc2088..af2e006a5d 100644 --- a/services/postgres/values-stable.yaml +++ b/services/postgres/values-stable.yaml @@ -6,5 +6,3 @@ gafaelfawr_db: db: "gafaelfawr" postgresStorageClass: "manual" volumeName: "postgres-data-volume" -image: - tag: "0.0.3" From c4a7b9d2a8948296f44696d5db1fda487a251a08 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 6 Jun 2022 01:09:07 +0000 Subject: [PATCH 0597/1479] Update Helm release argo-cd to v4.8.2 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index c6ce6ec952..f5ea48d1d1 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.8.0 + version: 4.8.2 repository: https://argoproj.github.io/argo-helm 
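Review bot: The values-roe.yaml hunk removes a `tag: "0.0.5"` pin that the commit description does not mention; it only speaks of the 0.0.3 pin at NCSA. Dropping it changes the postgres image deployed at ROE to whatever the chart appVersion resolves to, which deserves a sentence of its own, e.g. `Also drop the 0.0.5 pin in values-roe.yaml so ROE follows the chart appVersion.` The int and stable hunks match the description as written.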
From eeaa155251333aade8240fa6e91aa6347bc259de Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 6 Jun 2022 07:56:52 -0700 Subject: [PATCH 0598/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index c92211d037..6575e9a8c4 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.8.0 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.8.2 | ## Values From 733a3e3bf2646b5fdfcd46e1e55020ad9297585e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Jun 2022 15:13:14 +0000 Subject: [PATCH 0599/1479] Bump pre-commit/action from 2.0.3 to 3.0.0 Bumps [pre-commit/action](https://github.com/pre-commit/action) from 2.0.3 to 3.0.0. - [Release notes](https://github.com/pre-commit/action/releases) - [Commits](https://github.com/pre-commit/action/compare/v2.0.3...v3.0.0) --- updated-dependencies: - dependency-name: pre-commit/action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 88e8c019f2..8aa8ee5016 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -21,7 +21,7 @@ jobs: python-version: "3.10" - name: Run pre-commit - uses: pre-commit/action@v2.0.3 + uses: pre-commit/action@v3.0.0 helm: runs-on: ubuntu-latest From 7e0c1b6f1c47e907048b764e22afdfa8b36b0fc7 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Mon, 6 Jun 2022 15:04:39 +0000 Subject: [PATCH 0600/1479] Update Helm release redis to v16.11.2 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index d38bc62a28..0dd7a9d11d 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.10.1 + version: 16.11.2 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 634ef81ca8..d6a586752d 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: 0.4.0b1 dependencies: - name: redis - version: 16.10.1 + version: 16.11.2 repository: https://charts.bitnami.com/bitnami From 2b47a2d1e076f0de0859ef691236860db25925d2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 6 Jun 2022 08:22:51 -0700 Subject: [PATCH 0601/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index a7dfecc3d5..069a0232bb 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.10.1 | +| https://charts.bitnami.com/bitnami | redis | 16.11.2 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 5f4299c011..fb642741ff 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.10.1 | +| https://charts.bitnami.com/bitnami | redis | 16.11.2 | ## Values From 16c632ec783ba3465267aaed2165b9847a5f854a Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 6 Jun 2022 15:23:37 +0000 Subject: [PATCH 0602/1479] Update helm values redis to v7 --- services/gafaelfawr/values.yaml | 2 +- services/portal/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index f58163f58e..6c23043700 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -261,7 +261,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "6.2.7" + tag: "7.0.0" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 15a7fb7bc5..16d1912ec8 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -87,7 +87,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "6.2.7" + tag: "7.0.0" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 8cf9b2770c..8bb2183bdc 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -147,7 +147,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "6.2.7" + tag: "7.0.0" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" From fc8f8b914d66124a8d52c3360aafa9cb16eacf35 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 6 Jun 2022 08:34:52 -0700 Subject: [PATCH 0603/1479] Update Helm docs --- services/gafaelfawr/README.md | 2 +- services/portal/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 2f07c0d5fa..1f604aa74c 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -69,7 +69,7 @@ Science Platform authentication and authorization system | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"6.2.7"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.0"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | diff --git a/services/portal/README.md b/services/portal/README.md index 7319b94887..8f25f19e3c 100644 --- a/services/portal/README.md +++ b/services/portal/README.md 
@@ -31,7 +31,7 @@ Rubin Science Platform portal aspect | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"6.2.7"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.0"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | | redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index d8de0a2caa..0fea72f761 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -54,7 +54,7 @@ Image cutout service complying with IVOA SODA | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"6.2.7"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.0"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | From 954b854ad76934d09c83e6519166ef80f682b56d Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 3 Jun 2022 15:41:51 -0700 Subject: [PATCH 0604/1479] Remove unnecessary applications from NCSA We're winding down the NCSA cluster, so no need to deploy new Science Platform services there. Remove datalinker on those grounds, remove mobu since it was already turned off since the data that it was testing against is no longer present, and remove Sherlock since we don't care much about monitoring NCSA. --- science-platform/values-int.yaml | 6 +++--- science-platform/values-stable.yaml | 6 +++--- services/datalinker/values-int.yaml | 0 services/datalinker/values-stable.yaml | 0 services/mobu/values-int.yaml | 13 ------------- services/mobu/values-stable.yaml | 21 --------------------- services/sherlock/values-int.yaml | 7 ------- services/sherlock/values-stable.yaml | 7 ------- 8 files changed, 6 insertions(+), 54 deletions(-) delete mode 100644 services/datalinker/values-int.yaml delete mode 100644 services/datalinker/values-stable.yaml delete mode 100644 services/mobu/values-int.yaml delete mode 100644 services/mobu/values-stable.yaml delete mode 100644 services/sherlock/values-int.yaml delete mode 100644 services/sherlock/values-stable.yaml diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index a4815ac1ab..ae5c196e17 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -9,7 +9,7 @@ cachemachine: cert_manager: enabled: false datalinker: - enabled: true + enabled: false exposurelog: enabled: false gafaelfawr: @@ -19,7 +19,7 @@ hips: ingress_nginx: enabled: false mobu: - enabled: true + enabled: false moneypenny: enabled: true narrativelog: @@ -43,7 +43,7 @@ production_tools: semaphore: enabled: false sherlock: - enabled: true + enabled: false squareone: enabled: true squash_api: diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 6ee9dd981b..268b0c7a4d 100644 --- a/science-platform/values-stable.yaml 
+++ b/science-platform/values-stable.yaml @@ -9,7 +9,7 @@ cachemachine: cert_manager: enabled: false datalinker: - enabled: true + enabled: false exposurelog: enabled: false gafaelfawr: @@ -19,7 +19,7 @@ hips: ingress_nginx: enabled: false mobu: - enabled: true + enabled: false moneypenny: enabled: true narrativelog: @@ -43,7 +43,7 @@ production_tools: semaphore: enabled: false sherlock: - enabled: true + enabled: false squareone: enabled: true squash_api: diff --git a/services/datalinker/values-int.yaml b/services/datalinker/values-int.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/services/datalinker/values-stable.yaml b/services/datalinker/values-stable.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/services/mobu/values-int.yaml b/services/mobu/values-int.yaml deleted file mode 100644 index 23a108f803..0000000000 --- a/services/mobu/values-int.yaml +++ /dev/null @@ -1,13 +0,0 @@ -autostart: - - name: "firefighter" - count: 1 - users: - - username: "lsptestuser01" - uidnumber: 60181 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - repo_url: "https://github.com/lsst-sqre/system-test.git" - repo_branch: "NCSA-prod" - max_executions: 1 - restart: true diff --git a/services/mobu/values-stable.yaml b/services/mobu/values-stable.yaml deleted file mode 100644 index ee845089d8..0000000000 --- a/services/mobu/values-stable.yaml +++ /dev/null @@ -1,21 +0,0 @@ -autostart: - - name: "firefighter" - count: 5 - users: - - username: "lsptestuser01" - uidnumber: 60181 - - username: "lsptestuser02" - uidnumber: 60182 - - username: "lsptestuser03" - uidnumber: 60183 - - username: "lsptestuser04" - uidnumber: 60184 - - username: "lsptestuser05" - uidnumber: 60185 - scopes: ["exec:notebook", "exec:portal", "read:tap"] - business: "NotebookRunner" - options: - repo_url: "https://github.com/lsst-sqre/system-test.git" - repo_branch: "NCSA-prod" - max_executions: 1 - restart: true 
diff --git a/services/sherlock/values-int.yaml b/services/sherlock/values-int.yaml deleted file mode 100644 index de35ed5941..0000000000 --- a/services/sherlock/values-int.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 4.0 - memory: "4G" diff --git a/services/sherlock/values-stable.yaml b/services/sherlock/values-stable.yaml deleted file mode 100644 index de35ed5941..0000000000 --- a/services/sherlock/values-stable.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 4.0 - memory: "4G" From a79862d0473ff0a276ec257eac79deecd9e4915b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 6 Jun 2022 17:30:09 -0700 Subject: [PATCH 0605/1479] Disable more applications at NCSA Also disable Strimzi and Telegraph. We won't be using either at the NCSA deployments, since they'll be retired in August. --- science-platform/values-int.yaml | 10 +++++----- science-platform/values-stable.yaml | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml index ae5c196e17..1f9358effd 100644 --- a/science-platform/values-int.yaml +++ b/science-platform/values-int.yaml @@ -36,10 +36,10 @@ portal: enabled: true postgres: enabled: true -sasquatch: - enabled: false production_tools: enabled: false +sasquatch: + enabled: false semaphore: enabled: false sherlock: @@ -49,7 +49,7 @@ squareone: squash_api: enabled: false strimzi: - enabled: true + enabled: false strimzi_registry_operator: enabled: false tap: @@ -57,9 +57,9 @@ tap: tap_schema: enabled: true telegraf: - enabled: true + enabled: false telegraf-ds: - enabled: true + enabled: false times_square: enabled: false vault_secrets_operator: diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml index 268b0c7a4d..af66ea0dcc 100644 --- a/science-platform/values-stable.yaml +++ b/science-platform/values-stable.yaml 
@@ -36,10 +36,10 @@ portal: enabled: true postgres: enabled: true -sasquatch: - enabled: false production_tools: enabled: false +sasquatch: + enabled: false semaphore: enabled: false sherlock: @@ -49,7 +49,7 @@ squareone: squash_api: enabled: false strimzi: - enabled: true + enabled: false strimzi_registry_operator: enabled: false tap: From bf516d9780e50f5dec35243bf2298a41eb5e3f5c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 6 Jun 2022 18:11:57 -0700 Subject: [PATCH 0606/1479] Remove obsolete values files for NCSA Forgot these when disabling the applications. --- services/strimzi/values-int.yaml | 4 ---- services/strimzi/values-stable.yaml | 4 ---- services/telegraf-ds/values-int.yaml | 0 services/telegraf/values-int.yaml | 0 4 files changed, 8 deletions(-) delete mode 100644 services/strimzi/values-int.yaml delete mode 100644 services/strimzi/values-stable.yaml delete mode 100644 services/telegraf-ds/values-int.yaml delete mode 100644 services/telegraf/values-int.yaml diff --git a/services/strimzi/values-int.yaml b/services/strimzi/values-int.yaml deleted file mode 100644 index e4cd2e47e1..0000000000 --- a/services/strimzi/values-int.yaml +++ /dev/null @@ -1,4 +0,0 @@ -strimzi-kafka-operator: - watchNamespaces: - - "sasquatch" - logLevel: "DEBUG" diff --git a/services/strimzi/values-stable.yaml b/services/strimzi/values-stable.yaml deleted file mode 100644 index e4cd2e47e1..0000000000 --- a/services/strimzi/values-stable.yaml +++ /dev/null @@ -1,4 +0,0 @@ -strimzi-kafka-operator: - watchNamespaces: - - "sasquatch" - logLevel: "DEBUG" diff --git a/services/telegraf-ds/values-int.yaml b/services/telegraf-ds/values-int.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/services/telegraf/values-int.yaml b/services/telegraf/values-int.yaml deleted file mode 100644 index e69de29bb2..0000000000 From 745a3c22b6ae1fa190fcfba4b883509bbf0559cf Mon Sep 17 00:00:00 2001 
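Review bot: The values-stable.yaml hunks flip only `strimzi` to false (plus the sasquatch reorder), while the description says both Strimzi and telegraf are disabled at the NCSA deployments; the values-int.yaml hunks in the same commit needed `telegraf` and `telegraf-ds` flipped as well. Presumably those two are already false in values-stable.yaml, but that is not visible here and is worth confirming. If so, a sentence in the description such as `telegraf was already disabled on stable.` would pre-empt the question.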
From: adam Date: Tue, 7 Jun 2022 12:20:30 -0700 Subject: [PATCH 0607/1479] Set idf-dev cull timeout to standard values --- services/nublado2/values-idfdev.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index 0a860b43ee..df12a840da 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -6,15 +6,15 @@ jupyterhub: memory: 3Gi config: ServerApp: - shutdown_no_activity_timeout: 300 + shutdown_no_activity_timeout: 432000 cull: enabled: true users: false removeNamedServers: false - timeout: 60 - every: 60 - maxAge: 3600 + timeout: 432000 + every: 300 + maxAge: 2160000 ingress: hosts: ["data-dev.lsst.cloud"] From 32f6fe7f6820d092bba5208d609c269516b6caf5 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 8 Jun 2022 11:45:44 -0700 Subject: [PATCH 0608/1479] finish matching int cull settings --- services/nublado2/values-idfdev.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index df12a840da..c363864671 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -35,12 +35,12 @@ config: AUTO_REPO_URLS: https://github.com/lsst-sqre/system-test,https://github.com/rubin-dp0/tutorial-notebooks AUTO_REPO_BRANCH: prod AUTO_REPO_SPECS: https://github.com/lsst-sqre/system-test@prod,https://github.com/rubin-dp0/tutorial-notebooks@prod - NO_ACTIVITY_TIMEOUT: "300" - CULL_KERNEL_IDLE_TIMEOUT: "300" + NO_ACTIVITY_TIMEOUT: "432000" + CULL_KERNEL_IDLE_TIMEOUT: "432000" CULL_KERNEL_CONNECTED: "True" - CULL_KERNEL_INTERVAL: "60" - CULL_TERMINAL_INACTIVE_TIMEOUT: "300" - CULL_TERMINAL_INTERVAL: "60" + CULL_KERNEL_INTERVAL: "300" + CULL_TERMINAL_INACTIVE_TIMEOUT: "432000" + CULL_TERMINAL_INTERVAL: "300" volumes: - name: home nfs: From 1c1d6221e73ca5d7b587128486f42a06dfeb5620 Mon Sep 17 00:00:00 2001 
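Review bot: `432000` and `2160000` in the nublado2 hunk are unexplained magic numbers; assuming seconds, as the old `3600` suggests, they are 5 days and 25 days, and an inline comment would spare the next reader the arithmetic, e.g. `timeout: 432000  # 5 days, in seconds` and `maxAge: 2160000  # 25 days, in seconds`. The description calls these the standard values but does not say which environment they were copied from. The env-var hunk in the following commit (0608) repeats the same numbers as strings and would benefit from the same comments.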
From: Christine Banek Date: Wed, 8 Jun 2022 12:46:05 -0700 Subject: [PATCH 0609/1479] [DM-35152] TAP 1.2.0 --- services/tap/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml index 56e1b45506..d32fc6fbdb 100644 --- a/services/tap/Chart.yaml +++ b/services/tap/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 -appVersion: "1.1.2" +appVersion: "1.2.0" description: A Helm chart for the CADC TAP service home: https://github.com/lsst-sqre/lsst-tap-service name: cadc-tap -version: 1.0.6 +version: 1.0.7 From fbd6785802a48bff5184ed59a239d0266d4f5a10 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 9 Jun 2022 16:47:33 -0700 Subject: [PATCH 0610/1479] Enable crawlspace HiPS server for data-int Point to the new DP0.2 HiPS bucket (currently empty). --- science-platform/values-idfint.yaml | 2 +- services/hips/values-idfint.yaml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 services/hips/values-idfint.yaml diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 7e249dcf0b..bb0931dbbb 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -16,7 +16,7 @@ exposurelog: gafaelfawr: enabled: true hips: - enabled: false + enabled: true ingress_nginx: enabled: true mobu: diff --git a/services/hips/values-idfint.yaml b/services/hips/values-idfint.yaml new file mode 100644 index 0000000000..f295c1087e --- /dev/null +++ b/services/hips/values-idfint.yaml @@ -0,0 +1,4 @@ +config: + gcsProject: "data-curation-prod-fbdb" + gcsBucket: "static-us-central1-dp02-hips" + serviceAccount: "crawlspace-hips@science-platform-int-dc5d.iam.gserviceaccount.com" From 31794264f99974cd5f7237e9ecbbc5d890d20561 Mon Sep 17 00:00:00 2001 
From: Colin Slater Date: Fri, 10 Jun 2022 10:45:34 -0700 Subject: [PATCH 0611/1479] Bump tap_schema to 1.1.10. --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index ffb3d38e30..db1495ea4f 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.9 +appVersion: 1.1.10 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From 0d6935c69acb238d03974645bf73253cb028a599 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 10 Jun 2022 14:13:29 -0700 Subject: [PATCH 0612/1479] Bump datalinker to 1.2.2 Pick up a typing fix from GPDF. --- services/datalinker/Chart.yaml | 9 ++++----- services/datalinker/README.md | 4 ++++ 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index 61435003b4..357e710e4a 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -1,8 +1,7 @@ apiVersion: v2 -appVersion: 1.2.1 -description: IVOA datalink service for Rubin Science Platform name: datalinker -type: application version: 1.0.0 -maintainers: - - name: cbanek +description: IVOA datalink service for Rubin Science Platform +sources: + - https://github.com/lsst-sqre/datalinker +appVersion: 1.2.2 diff --git a/services/datalinker/README.md b/services/datalinker/README.md index 09fa0363a2..e491e08d60 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md @@ -2,6 +2,10 @@ IVOA datalink service for Rubin Science Platform +## Source Code + +* + ## Values | Key | Type | Default | Description | From 77099b66de99ea81c0a473b6e953020393df0668 Mon Sep 17 00:00:00 2001 From: roby Date: Fri, 10 Jun 2022 15:58:51 -0600 Subject: [PATCH 0613/1479] trying suit-2022.3 --- services/portal/values-idfdev.yaml | 3 +++ 1 file changed, 3 insertions(+) 
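Review bot: The datalinker Chart.yaml hunk removes `type: application` and the `maintainers` entry (`cbanek`) and adds a `sources` list, but the description only says "Bump datalinker to 1.2.2". Dropping `type` is harmless since Helm defaults it, but removing the maintainer is a metadata change that should be named, e.g. add `Also reorder Chart.yaml, drop the maintainers entry, and add a sources entry.` to the description. The README hunk's `* ` bullet appears to have lost its URL in rendering and is worth checking in the committed file.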
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index 81bc35d85e..d4f1a080a7 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -4,6 +4,9 @@ resources: limits: memory: "2Gi" +image: + tag: "suit-2022.3" + config: volumes: workareaNfs: From 82ace5246faad483faaa31dc217fbabff27170f0 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 13 Jun 2022 00:08:47 +0000 Subject: [PATCH 0614/1479] Update Helm release ingress-nginx to v4.1.4 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index a9b67dafbb..277b95e757 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.1.3 + version: 4.1.4 repository: https://kubernetes.github.io/ingress-nginx From da73b5bbf0fd9b5b35969a05cc6a02a14ec9ea24 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 13 Jun 2022 08:38:58 -0700 Subject: [PATCH 0615/1479] Update Helm docs --- services/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index a9c7c8007d..f7a607d6f3 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.1.3 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.1.4 | ## Values From 8f635bf0614ddc88bb02db93bcf628a06bf10fbf Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 13 Jun 2022 15:39:49 +0000 Subject: [PATCH 0616/1479] Update Helm release argo-cd to v4.8.3 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index f5ea48d1d1..c7b641d3ca 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.8.2 + version: 4.8.3 repository: https://argoproj.github.io/argo-helm From b8a4ae813be1227d934abd2d5c36951b3827b47d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 13 Jun 2022 08:47:16 -0700 Subject: [PATCH 0617/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 6575e9a8c4..7cf552ecca 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.8.2 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.8.3 | ## Values From 5bbb256368c7e7731f6fad3cfb2c94234c38c7fc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Jun 2022 15:58:50 +0000 Subject: [PATCH 0618/1479] Bump actions/setup-python from 3 to 4 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3 to 4. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yaml | 4 ++-- .github/workflows/docs.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8aa8ee5016..7e5896a84a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -16,7 +16,7 @@ jobs: run: brew install norwoodj/tap/helm-docs - name: Set up Python - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: python-version: "3.10" @@ -33,7 +33,7 @@ jobs: fetch-depth: 0 - name: Set up Python - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: python-version: 3.9 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 6d6cc18299..94cea1d631 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -27,7 +27,7 @@ jobs: - uses: actions/checkout@v3 - name: Set up Python - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: python-version: 3.9 From 28ad89e3a4b0b546a38cb329f795052904b351ef Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 13 Jun 2022 15:48:12 +0000 Subject: [PATCH 0619/1479] Update helm values redis to v7.0.1 --- services/gafaelfawr/values.yaml | 2 +- services/portal/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 6c23043700..6cce20c57a 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -261,7 +261,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.0" + tag: "7.0.1" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 16d1912ec8..bd51edeefe 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -87,7 +87,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.0" + tag: "7.0.1" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 8bb2183bdc..621f6a76eb 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml 
@@ -147,7 +147,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.0" + tag: "7.0.1" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" From 493f1174f5fbe8dcba3cf9bd25ab1c98f2cd4109 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 13 Jun 2022 13:16:54 -0700 Subject: [PATCH 0620/1479] Update Helm docs --- services/gafaelfawr/README.md | 2 +- services/portal/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 1f604aa74c..403e87d2e2 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -69,7 +69,7 @@ Science Platform authentication and authorization system | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.0"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.1"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | diff --git a/services/portal/README.md b/services/portal/README.md index 8f25f19e3c..0cf391c404 100644 --- a/services/portal/README.md +++ b/services/portal/README.md 
@@ -31,7 +31,7 @@ Rubin Science Platform portal aspect
 | redis.affinity | object | `{}` | Affinity rules for the Redis pod |
 | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image |
 | redis.image.repository | string | `"redis"` | Redis image to use |
-| redis.image.tag | string | `"7.0.0"` | Redis image tag to use |
+| redis.image.tag | string | `"7.0.1"` | Redis image tag to use |
 | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod |
 | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod |
 | redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests |
diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md
index 0fea72f761..894d697311 100644
--- a/services/vo-cutouts/README.md
+++ b/services/vo-cutouts/README.md
@@ -54,7 +54,7 @@ Image cutout service complying with IVOA SODA
 | redis.affinity | object | `{}` | Affinity rules for the Redis pod |
 | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image |
 | redis.image.repository | string | `"redis"` | Redis image to use |
-| redis.image.tag | string | `"7.0.0"` | Redis image tag to use |
+| redis.image.tag | string | `"7.0.1"` | Redis image tag to use |
 | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod |
 | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request |
 | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. |
From ad84b69ea870aea0d82083566b348656e2552906 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 15:38:49 -0700
Subject: [PATCH 0621/1479] Add auth for datalinker, bump Portal On IDF int, enable auth for datalinker and bump the Portal version.
---
 services/datalinker/values-idfint.yaml | 2 ++ services/portal/values-idfint.yaml | 3 +++ 2 files changed, 5 insertions(+)
diff --git a/services/datalinker/values-idfint.yaml b/services/datalinker/values-idfint.yaml
index e69de29bb2..2ddb5b9f5a 100644
--- a/services/datalinker/values-idfint.yaml
+++ b/services/datalinker/values-idfint.yaml
@@ -0,0 +1,2 @@
+ingress:
+ gafaelfawrAuthQuery: "scope=read:image"
diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml
index bbff39a615..285cdff879 100644
--- a/services/portal/values-idfint.yaml
+++ b/services/portal/values-idfint.yaml
@@ -1,5 +1,8 @@ replicaCount: 4
+image:
+ tag: "suit-2022.3"
+
 config: volumes: workareaNfs:
From e0ca7343012f613c904ca8fd7ec3a0f9e72c417f Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 15:54:46 -0700
Subject: [PATCH 0622/1479] Fix annotations for datalinker All annotations were suppressed if ingress.annotations wasn't set.
---
 services/datalinker/templates/ingress.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml
index 99b27cfc3a..d215caa74d 100644
--- a/services/datalinker/templates/ingress.yaml
+++ b/services/datalinker/templates/ingress.yaml
@@ -6,7 +6,6 @@ metadata: name: {{ $fullName }} labels: {{- include "datalinker.labels" . | nindent 4 }}
- {{- with .Values.ingress.annotations }}
 annotations: kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery -}}
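Review bot: The new values file turns on a Gafaelfawr check for datalinker on IDF int only, and the chart's own default for `ingress.gafaelfawrAuthQuery` is the empty string, which the datalinker README elsewhere on this page labels "(default, unauthenticated)"; any other environment that enables datalinker without its own override would presumably render the datalink route with no auth annotations at all. The file carries no comment, so the reason for requiring this scope is not recorded next to it; `# Require read:image; the chart default ("") renders the route unauthenticated.` above the key would make that auditable. If the Portal is the intended caller, it is also worth confirming that its delegated token includes `read:image` in this environment, since that is the scope this ingress will now demand.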
@@ -15,8 +14,9 @@ metadata: nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }}
+ {{- with .Values.ingress.annotations }}
 {{- toYaml . | nindent 4 }}
- {{- end }}
+ {{- end }}
 spec: {{- if .Values.ingress.className }} ingressClassName: {{ .Values.ingress.className }}
From 131f6bcabfc5ed09f16afab3183705c136ff2a8f Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 15:58:42 -0700
Subject: [PATCH 0623/1479] Fix spacing on datalinker annotations The conditional for datalinker ingress annotations was eating too much whitespace.
---
 services/datalinker/templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml
index d215caa74d..c1793e8f44 100644
--- a/services/datalinker/templates/ingress.yaml
+++ b/services/datalinker/templates/ingress.yaml
@@ -8,7 +8,7 @@ metadata: {{- include "datalinker.labels" . | nindent 4 }} annotations: kubernetes.io/ingress.class: "nginx"
- {{- if .Values.ingress.gafaelfawrAuthQuery -}}
+ {{- if .Values.ingress.gafaelfawrAuthQuery }}
 nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login"
From 618af924ba94d0e3ca0a145b8d254d2045911854 Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Mon, 13 Jun 2022 16:52:27 -0700
Subject: [PATCH 0624/1479] [DM-34891] Set max java heap size for tap Forgot this when I upped the limits.
---
 services/tap/values-idfint.yaml | 1 + 1 file changed, 1 insertion(+)
diff --git a/services/tap/values-idfint.yaml b/services/tap/values-idfint.yaml
index 4dc1e24ef5..b0a7af3d2f 100644
--- a/services/tap/values-idfint.yaml
+++ b/services/tap/values-idfint.yaml
@@ -9,6 +9,7 @@ resources: config: gcsBucket: "async-results.lsst.codes" gcsBucketUrl: "http://async-results.lsst.codes"
+ jvmMaxHeapSize: "31G"
 qserv: host: "10.136.1.211:4040"
From fb2c4c8203fc3f5f7e07f5af350cbf770a89e645 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 16:37:08 -0700
Subject: [PATCH 0625/1479] Bump version of parameters and update Portal Update Portal to 2022.3 and change the deployment to pass Firefly parameters via individual environment variables rather than via FIREFLY_OPTS.
---
 services/portal/Chart.yaml | 2 +- services/portal/templates/deployment.yaml | 6 ++++-- services/portal/values-idfdev.yaml | 3 --- 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml
index cd0b6cb4ac..b492d0af6c 100644
--- a/services/portal/Chart.yaml
+++ b/services/portal/Chart.yaml
@@ -3,4 +3,4 @@ name: portal version: 1.0.0 description: "Rubin Science Platform portal aspect" home: "https://github.com/lsst/suit"
-appVersion: "suit-2022.2"
+appVersion: "suit-2022.3"
diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml
index c0e69caca8..7d3f62054a 100644
--- a/services/portal/templates/deployment.yaml
+++ b/services/portal/templates/deployment.yaml
@@ -38,8 +38,10 @@ spec: secretKeyRef: name: {{ include "portal.fullname" . }}-secret key: "ADMIN_PASSWORD"
- - name: "FIREFLY_OPTS"
- value: "-Dredis.host={{ include "portal.fullname" . }}-redis -Dsso.req.auth.hosts={{ .Values.global.host }}"
+ - name: "PROPS_redis__host"
+ value: {{ include "portal.fullname" . }}-redis
+ - name: "PROPS_sso__req__auth__hosts"
+ value: {{ .Values.global.host | quote }}
 - name: "SERVER_CONFIG_DIR" value: "/firefly/config" - name: "CLEANUP_INTERVAL"
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index d4f1a080a7..81bc35d85e 100644
--- a/services/portal/values-idfdev.yaml
+++ b/services/portal/values-idfdev.yaml
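Review bot: `jvmMaxHeapSize: "31G"` is added without the container memory limit it has to fit under being visible; the `resources` block this file also sets lies outside the hunk, so the review should confirm that the limit leaves headroom above 31G for non-heap JVM memory, otherwise the kubelet would OOM-kill the pod rather than the JVM reporting an out-of-memory condition. A comment such as `# Must stay below resources.limits.memory, leaving room for non-heap JVM usage.` above the new key would tie the two values together for whoever changes either one next.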
@@ -4,9 +4,6 @@ resources: limits: memory: "2Gi"
-image:
- tag: "suit-2022.3"
-
 config: volumes: workareaNfs:
From 8b3c845d034bc45b5fcdc15f2bb5515401b6b00b Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 17:15:45 -0700
Subject: [PATCH 0626/1479] Add read:image to the Portal delegations Portal will need this for cutouts and datalink requests.
---
 services/portal/README.md | 2 +- services/portal/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/portal/README.md b/services/portal/README.md
index 0cf391c404..fc08f0a1eb 100644
--- a/services/portal/README.md
+++ b/services/portal/README.md
@@ -24,7 +24,7 @@ Rubin Science Platform portal aspect
 | image.repository | string | `"ipac/suit"` | Portal image to use |
 | image.tag | string | The appVersion of the chart | Tag of Portal image to use |
 | ingress.annotations | object | `{}` | Additional annotations to add to the ingress |
-| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=portal&delegate_scope=read:tap"` | Gafaelfawr auth query string |
+| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=portal&delegate_scope=read:image,read:tap"` | Gafaelfawr auth query string |
 | nameOverride | string | `""` | Override the base name for resources |
 | nodeSelector | object | `{}` | Node selector rules for the Portal pod |
 | podAnnotations | object | `{}` | Annotations for the Portal pod |
diff --git a/services/portal/values.yaml b/services/portal/values.yaml
index bd51edeefe..56620e0bdf 100644
--- a/services/portal/values.yaml
+++ b/services/portal/values.yaml
@@ -22,7 +22,7 @@ image: ingress: # -- Gafaelfawr auth query string
- gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:tap"
+ gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:image,read:tap"
 # -- Additional annotations to add to the ingress annotations: {}
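Review bot: The default auth query now delegates `read:image` as well as `read:tap` to every Portal session, but the only record of why is the commit message; the `# -- Gafaelfawr auth query string` comment just above the changed line in values.yaml should carry the reason so the wider delegation can be reviewed later, e.g. `# -- Gafaelfawr auth query string. read:image is delegated so the Portal can make cutout and datalink requests on the user's behalf.` helm-docs will then propagate the same explanation to the README row changed in this commit's first hunk.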
From c8c5b0071f075ab0c370e53fe223230fcf227cfb Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 17:52:28 -0700
Subject: [PATCH 0627/1479] Revert "Bump version of parameters and update Portal" This reverts commit fb2c4c8203fc3f5f7e07f5af350cbf770a89e645. Portal 2022.3 is not yet ready for a production release.
---
 services/portal/Chart.yaml | 2 +- services/portal/templates/deployment.yaml | 6 ++---- services/portal/values-idfdev.yaml | 3 +++ 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml
index b492d0af6c..cd0b6cb4ac 100644
--- a/services/portal/Chart.yaml
+++ b/services/portal/Chart.yaml
@@ -3,4 +3,4 @@ name: portal version: 1.0.0 description: "Rubin Science Platform portal aspect" home: "https://github.com/lsst/suit"
-appVersion: "suit-2022.3"
+appVersion: "suit-2022.2"
diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml
index 7d3f62054a..c0e69caca8 100644
--- a/services/portal/templates/deployment.yaml
+++ b/services/portal/templates/deployment.yaml
@@ -38,10 +38,8 @@ spec: secretKeyRef: name: {{ include "portal.fullname" . }}-secret key: "ADMIN_PASSWORD"
- - name: "PROPS_redis__host"
- value: {{ include "portal.fullname" . }}-redis
- - name: "PROPS_sso__req__auth__hosts"
- value: {{ .Values.global.host | quote }}
+ - name: "FIREFLY_OPTS"
+ value: "-Dredis.host={{ include "portal.fullname" . }}-redis -Dsso.req.auth.hosts={{ .Values.global.host }}"
 - name: "SERVER_CONFIG_DIR" value: "/firefly/config" - name: "CLEANUP_INTERVAL"
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index 81bc35d85e..d4f1a080a7 100644
--- a/services/portal/values-idfdev.yaml
+++ b/services/portal/values-idfdev.yaml
@@ -4,6 +4,9 @@ resources: limits: memory: "2Gi"
+image:
+ tag: "suit-2022.3"
+
 config: volumes: workareaNfs:
From b78354493eb7727e183cb322f1c3a7ff2e63f2cc Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 17:54:11 -0700
Subject: [PATCH 0628/1479] Give mobu read:image scope This is now required to talk to the Portal.
---
 services/mobu/values-idfint.yaml | 4 ++-- services/mobu/values-idfprod.yaml | 6 +++--- services/mobu/values-roe.yaml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml
index dbe2a6064e..d76167d932 100644
--- a/services/mobu/values-idfint.yaml
+++ b/services/mobu/values-idfint.yaml
@@ -6,7 +6,7 @@ autostart: users: - username: "systemtest01" uidnumber: 74768
- scopes: ["exec:notebook", "exec:portal", "read:tap"]
+ scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"]
 business: "NotebookRunner" options: repo_url: "https://github.com/SimonKrughoff/system-test.git"
@@ -18,7 +18,7 @@ autostart: users: - username: "systemtest02" uidnumber: 74769
- scopes: ["exec:notebook", "exec:portal", "read:tap"]
+ scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"]
 business: "NotebookRunner" options: jupyter:
diff --git a/services/mobu/values-idfprod.yaml b/services/mobu/values-idfprod.yaml
index f4524f54f4..a25250fe9c 100644
--- a/services/mobu/values-idfprod.yaml
+++ b/services/mobu/values-idfprod.yaml
@@ -14,7 +14,7 @@ autostart: uidnumber: 74771 - username: "systemtest05" uidnumber: 74772
- scopes: ["exec:notebook", "exec:portal", "read:tap"]
+ scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"]
 business: "NotebookRunner" options: repo_url: "https://github.com/lsst-sqre/system-test.git"
@@ -26,7 +26,7 @@ autostart: users: - username: "systemtest06" uidnumber: 74773
- scopes: ["exec:notebook", "exec:portal", "read:tap"]
+ scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"]
 business: "NotebookRunner" options: repo_url: "https://github.com/lsst-sqre/system-test.git"
@@ -39,7 +39,7 @@ autostart: users: - username: "systemtest07" uidnumber: 74774
- scopes: ["exec:notebook", "exec:portal", "read:tap"]
+ scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"]
 business: "NotebookRunner" options: repo_url: "https://github.com/rubin-dp0/tutorial-notebooks.git"
diff --git a/services/mobu/values-roe.yaml b/services/mobu/values-roe.yaml
index cd8efbfaf6..dc12a44d33 100644
--- a/services/mobu/values-roe.yaml
+++ b/services/mobu/values-roe.yaml
@@ -4,7 +4,7 @@ autostart: users: - username: "systemtest01" uidnumber: 74768
- scopes: ["exec:notebook", "exec:portal", "read:tap"]
+ scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"]
 business: "NotebookRunner" options: repo_url: "https://github.com/SimonKrughoff/system-test.git"
@@ -16,7 +16,7 @@ autostart: users: - username: "systemtest02" uidnumber: 74769
- scopes: ["exec:notebook", "exec:portal", "read:tap"]
+ scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"]
 business: "NotebookRunner" options: jupyter:
From e08da877aeb98a7f9d32231fa0746542c54872ad Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 17:55:31 -0700
Subject: [PATCH 0629/1479] Disable obstap everywhere This is no longer being used since the data is in qserv. Don't delete it, since we may still need to resurrect it in some form in the future.
---
 science-platform/values-idfdev.yaml | 2 +- science-platform/values-idfint.yaml | 2 +- science-platform/values-idfprod.yaml | 2 +- science-platform/values-int.yaml | 2 +- science-platform/values-minikube.yaml | 2 +- science-platform/values-stable.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml
index 6a84501088..f9e77d94c7 100644
--- a/science-platform/values-idfdev.yaml
+++ b/science-platform/values-idfdev.yaml
@@ -29,7 +29,7 @@ noteburst: nublado2: enabled: true obstap:
- enabled: true
+ enabled: false
 plot_navigator: enabled: false portal:
diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml
index bb0931dbbb..a452bc58ff 100644
--- a/science-platform/values-idfint.yaml
+++ b/science-platform/values-idfint.yaml
@@ -30,7 +30,7 @@ noteburst: nublado2: enabled: true obstap:
- enabled: true
+ enabled: false
 plot_navigator: enabled: true portal:
diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml
index d03e9f7af1..61d131a886 100644
--- a/science-platform/values-idfprod.yaml
+++ b/science-platform/values-idfprod.yaml
@@ -30,7 +30,7 @@ noteburst: nublado2: enabled: true obstap:
- enabled: true
+ enabled: false
 plot_navigator: enabled: false portal:
diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml
index 1f9358effd..06e84c1e98 100644
--- a/science-platform/values-int.yaml
+++ b/science-platform/values-int.yaml
@@ -29,7 +29,7 @@ noteburst: nublado2: enabled: true obstap:
- enabled: true
+ enabled: false
 plot_navigator: enabled: false portal:
diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml
index 3535a8cb8b..349dae27b5 100644
--- a/science-platform/values-minikube.yaml
+++ b/science-platform/values-minikube.yaml
@@ -29,7 +29,7 @@ noteburst: nublado2: enabled: true obstap:
- enabled: true
+ enabled: false
 plot_navigator: enabled: false portal:
diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml
index af66ea0dcc..533445763d 100644
--- a/science-platform/values-stable.yaml
+++ b/science-platform/values-stable.yaml
@@ -29,7 +29,7 @@ noteburst: nublado2: enabled: true obstap:
- enabled: true
+ enabled: false
 plot_navigator: enabled: false portal:
From c9b5317c96c59feaf35dac92b032b8645e9797bb Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 18:08:01 -0700
Subject: [PATCH 0630/1479] Simplify the datalinker ingress Remove parameters that we'll always set the same way and hardcode them. Don't specify the ingress class in multiple ways at the same time.
---
 services/datalinker/README.md | 3 --- services/datalinker/templates/ingress.yaml | 14 ++++--------- .../datalinker/templates/networkpolicy.yaml | 2 -- services/datalinker/values.yaml | 21 ++++++------------- 4 files changed, 10 insertions(+), 30 deletions(-)
diff --git a/services/datalinker/README.md b/services/datalinker/README.md
index e491e08d60..e6e640e267 100644
--- a/services/datalinker/README.md
+++ b/services/datalinker/README.md
@@ -24,11 +24,8 @@ IVOA datalink service for Rubin Science Platform
 | image.repository | string | `"ghcr.io/lsst-sqre/datalinker"` | Image to use in the datalinker deployment |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | ingress.annotations | object | `{}` | Additional annotations for the ingress rule |
-| ingress.className | string | `"nginx"` | Ingress class |
-| ingress.enabled | bool | `true` | Create an ingress resource |
 | ingress.gafaelfawrAuthQuery | string | `""` | Gafaelfawr auth query string (default, unauthenticated) |
 | ingress.path | string | `"/api/datalink"` | URL path to dispatch to the datalinker deployment pod |
-| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule |
 | nameOverride | string | `""` | Override the base name for resources |
 | nodeSelector | object | `{}` | Node selection rules for the datalinker deployment pod |
 | podAnnotations | object | `{}` | Annotations for the datalinker deployment pod |
diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml
index c1793e8f44..784840b502 100644
--- a/services/datalinker/templates/ingress.yaml
+++ b/services/datalinker/templates/ingress.yaml
@@ -1,13 +1,10 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "datalinker.fullname" . -}}
 apiVersion: networking.k8s.io/v1 kind: Ingress metadata:
- name: {{ $fullName }}
+ name: {{ include "datalinker.fullname" . }}
 labels: {{- include "datalinker.labels" . | nindent 4 }} annotations:
- kubernetes.io/ingress.class: "nginx"
 {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token
@@ -18,18 +15,15 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec:
- {{- if .Values.ingress.className }}
- ingressClassName: {{ .Values.ingress.className }}
- {{- end }}
+ ingressClassName: "nginx"
 rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - path: {{ .Values.ingress.path }}
- pathType: {{ default "Prefix" .Values.ingress.pathType }}
+ pathType: "Prefix"
 backend: service:
- name: {{ $fullName }}
+ name: {{ include "datalinker.fullname" . }}
 port: number: {{ .Values.service.port }}
-{{- end }}
diff --git a/services/datalinker/templates/networkpolicy.yaml b/services/datalinker/templates/networkpolicy.yaml
index 6b228b58a6..0bcf4940a4 100644
--- a/services/datalinker/templates/networkpolicy.yaml
+++ b/services/datalinker/templates/networkpolicy.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.ingress.enabled -}}
 apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:
@@ -20,4 +19,3 @@ spec: ports: - protocol: "TCP" port: 8080
-{{- end }}
diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml
index bf659795e7..4193d2eb23 100644
--- a/services/datalinker/values.yaml
+++ b/services/datalinker/values.yaml
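Review bot: With the `ingress.enabled` guard removed the Ingress is now rendered unconditionally, and the `{{- if .Values.ingress.gafaelfawrAuthQuery }}` block (context in the first hunk) emits no Gafaelfawr annotations when the value is empty, which the values.yaml hunk of this commit keeps as the chart default; nothing in the template itself says that an empty query means an unauthenticated route. A template comment above that conditional, `{{/* No auth annotations when gafaelfawrAuthQuery is empty: the route is then unauthenticated. */}}`, would make the exposure visible where the decision is made, and the same caveat belongs in the `# -- Gafaelfawr auth query string (default, unauthenticated)` comment in values.yaml. As a point of style, `host` is rendered with `| quote` in the second hunk while `path: {{ .Values.ingress.path }}` is not; quoting both keeps templated scalars uniformly protected from YAML retyping.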
@@ -21,9 +21,6 @@ nameOverride: "" # -- Override the full name for resources (includes the release name) fullnameOverride: ""
-# -- Annotations for the datalinker deployment pod
-podAnnotations: {}
-
 service: # -- Type of service to create type: ClusterIP
@@ -32,27 +29,15 @@ service: port: 8080 ingress:
- # -- Create an ingress resource
- enabled: true
-
 # -- Gafaelfawr auth query string (default, unauthenticated) gafaelfawrAuthQuery: "" # -- Additional annotations for the ingress rule annotations: {}
- # -- Path type for the ingress rule
- pathType: ImplementationSpecific
-
 # -- URL path to dispatch to the datalinker deployment pod path: "/api/datalink"
- # -- Ingress class
- className: nginx
-
-# -- Resource limits and requests for the datalinker deployment pod
-resources: {}
-
 autoscaling: # -- Enable autoscaling of datalinker deployment enabled: false
@@ -67,6 +52,12 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
+# -- Annotations for the datalinker deployment pod
+podAnnotations: {}
+
+# -- Resource limits and requests for the datalinker deployment pod
+resources: {}
+
 # -- Node selection rules for the datalinker deployment pod nodeSelector: {}
From f3619492ae242734bb49580ba4be6e50bc5fe3af Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 13 Jun 2022 18:08:46 -0700
Subject: [PATCH 0631/1479] Remove HiPS service NetworkPolicy We're going to point Portal directly at the Kubernetes-local HiPS service address to bypass authentication, so disable the NetworkPolicy for now.
---
 services/hips/templates/networkpolicy.yaml | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 services/hips/templates/networkpolicy.yaml
diff --git a/services/hips/templates/networkpolicy.yaml b/services/hips/templates/networkpolicy.yaml
deleted file mode 100644
index 1794a475b8..0000000000
--- a/services/hips/templates/networkpolicy.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: "hips"
-spec:
- podSelector:
- matchLabels:
- {{- include "hips.selectorLabels" . | nindent 6 }}
- policyTypes:
- - Ingress
- ingress:
- # Allow inbound access from pods (in any namespace) labeled
- # gafaelfawr.lsst.io/ingress: true.
- - from:
- - namespaceSelector: {}
- podSelector:
- matchLabels:
- gafaelfawr.lsst.io/ingress: "true"
- ports:
- - protocol: "TCP"
- port: 8080
From eccee41233c02c35e3ddf151fc8c16fa2a828174 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 14 Jun 2022 07:43:28 -0700
Subject: [PATCH 0632/1479] Stop overriding Portal version on IDF int
---
 services/portal/values-idfint.yaml | 3 --- 1 file changed, 3 deletions(-)
diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml
index 285cdff879..bbff39a615 100644
--- a/services/portal/values-idfint.yaml
+++ b/services/portal/values-idfint.yaml
@@ -1,8 +1,5 @@ replicaCount: 4
-image:
- tag: "suit-2022.3"
-
 config: volumes: workareaNfs:
From 5329b9bc66c2b0e5585a5eeccef96e0263130b57 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 14 Jun 2022 09:57:17 -0700
Subject: [PATCH 0633/1479] Update mobu version
---
 services/mobu/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml
index be6bc4e018..f905f5725d 100644
--- a/services/mobu/Chart.yaml
+++ b/services/mobu/Chart.yaml
@@ -3,4 +3,4 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu
-appVersion: "4.2.0"
+appVersion: 4.3.0
From f0126b2b7b8687ae69d0f42e6961af095a751ede Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Tue, 14 Jun 2022 17:11:48 +0000
Subject: [PATCH 0634/1479] Update Helm release argo-cd to v4.9.1
---
 services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
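Review bot: `appVersion: 4.3.0` in the mobu Chart.yaml hunk drops the quotes the replaced line carried, while the other Chart.yaml files in this series keep `appVersion` quoted (`"suit-2022.2"`, `"0.26.0"`); a bare `4.3.0` still parses as a string, but a future two-component value such as `4.4` would be read as a float rather than a string. Keep the convention with `appVersion: "4.3.0"`.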
diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml
index c7b641d3ca..2da82195c7 100644
--- a/services/argocd/Chart.yaml
+++ b/services/argocd/Chart.yaml
@@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd
- version: 4.8.3
+ version: 4.9.1
 repository: https://argoproj.github.io/argo-helm
From 270801bcdd472e6d8df581d7588c5f3fe82f1b3e Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 14 Jun 2022 10:16:57 -0700
Subject: [PATCH 0635/1479] Regenerate Helm docs
---
 services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/argocd/README.md b/services/argocd/README.md
index 7cf552ecca..86696b685a 100644
--- a/services/argocd/README.md
+++ b/services/argocd/README.md
@@ -4,7 +4,7 @@
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 4.8.3 |
+| https://argoproj.github.io/argo-helm | argo-cd | 4.9.1 |
 ## Values
From d637af1970f609636912c7ef4a5b23527d124086 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Tue, 14 Jun 2022 17:12:44 +0000
Subject: [PATCH 0636/1479] Update helm values gcr.io/cloudsql-docker/gce-proxy to v1.31.0
---
 services/gafaelfawr/values.yaml | 2 +- services/times-square/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml
index 6cce20c57a..d4943ff873 100644
--- a/services/gafaelfawr/values.yaml
+++ b/services/gafaelfawr/values.yaml
@@ -226,7 +226,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use
- tag: "1.30.1"
+ tag: "1.31.0"
 # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent"
diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml
index a5799762ea..6ece0e30e4 100644
--- a/services/times-square/values.yaml
+++ b/services/times-square/values.yaml
@@ -132,7 +132,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use
- tag: "1.30.1"
+ tag: "1.31.0"
 # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent"
diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml
index 621f6a76eb..6062062158 100644
--- a/services/vo-cutouts/values.yaml
+++ b/services/vo-cutouts/values.yaml
@@ -78,7 +78,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use
- tag: "1.30.1"
+ tag: "1.31.0"
 # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent"
From 9530d7ce189b1ca747ae6e6818b23827d8e67da7 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 14 Jun 2022 10:30:16 -0700
Subject: [PATCH 0637/1479] Update Helm docs
---
 services/gafaelfawr/README.md | 2 +- services/times-square/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md
index 403e87d2e2..c055afe188 100644
--- a/services/gafaelfawr/README.md
+++ b/services/gafaelfawr/README.md
@@ -16,7 +16,7 @@ Science Platform authentication and authorization system
 | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud |
 | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images |
 | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use |
-| cloudsql.image.tag | string | `"1.30.1"` | Cloud SQL Auth Proxy tag to use |
+| cloudsql.image.tag | string | `"1.31.0"` | Cloud SQL Auth Proxy tag to use |
 | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance |
 | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `gafaelfawr` and `gafaelfawr-tokens` Kubernetes service accounts and has the `cloudsql.client` role |
 | config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. |
diff --git a/services/times-square/README.md b/services/times-square/README.md
index fb642741ff..3432ed0593 100644
--- a/services/times-square/README.md
+++ b/services/times-square/README.md
@@ -22,7 +22,7 @@ An API service for managing and rendering parameterized Jupyter notebooks.
 | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud |
 | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images |
 | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use |
-| cloudsql.image.tag | string | `"1.30.1"` | Cloud SQL Auth Proxy tag to use |
+| cloudsql.image.tag | string | `"1.31.0"` | Cloud SQL Auth Proxy tag to use |
 | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance |
 | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role |
 | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database |
diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md
index 894d697311..453cf2b2cf 100644
--- a/services/vo-cutouts/README.md
+++ b/services/vo-cutouts/README.md
@@ -14,7 +14,7 @@ Image cutout service complying with IVOA SODA
 | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud |
 | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images |
 | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use |
-| cloudsql.image.tag | string | `"1.30.1"` | Cloud SQL Auth Proxy tag to use |
+| cloudsql.image.tag | string | `"1.31.0"` | Cloud SQL Auth Proxy tag to use |
 | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance |
 | cloudsql.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to the GCS bucket, and ability to sign URLs as itself |
 | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database |
From f0e059c2ec34661cc261b99423a0c6637a8e54fc Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Tue, 14 Jun 2022 17:35:43 +0000
Subject: [PATCH 0638/1479] Update Helm release strimzi-kafka-operator to v0.29.0
---
 services/strimzi/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/strimzi/Chart.yaml b/services/strimzi/Chart.yaml
index aa89f9558d..a319b6f731 100644
--- a/services/strimzi/Chart.yaml
+++ b/services/strimzi/Chart.yaml
@@ -6,5 +6,5 @@ version: 0.1.0 appVersion: "0.26.0" dependencies: - name: strimzi-kafka-operator
- version: "0.28.0"
+ version: "0.29.0"
 repository: https://strimzi.io/charts/
From ecd425c2340e79a0375f53975f6c1e19a775b0ae Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Tue, 14 Jun 2022 17:50:33 +0000
Subject: [PATCH 0639/1479] Update Helm release strimzi-registry-operator to v1.2.1
---
 services/sasquatch/Chart.yaml | 2 +- services/strimzi-registry-operator/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml
index 219716dbfd..e73719472e 100644
--- a/services/sasquatch/Chart.yaml
+++ b/services/sasquatch/Chart.yaml
@@ -7,7 +7,7 @@ dependencies: - name: strimzi-kafka version: 1.0.0 - name: strimzi-registry-operator
- version: 1.2.0
+ version: 1.2.1
 repository: https://lsst-sqre.github.io/charts/ - name: influxdb version: 4.12.0
diff --git a/services/strimzi-registry-operator/Chart.yaml b/services/strimzi-registry-operator/Chart.yaml
index dd0580fbc8..b1ee8885d8 100644
--- a/services/strimzi-registry-operator/Chart.yaml
+++ b/services/strimzi-registry-operator/Chart.yaml
@@ -3,5 +3,5 @@ name: strimzi-registry-operator version: 1.1.0 dependencies: - name: strimzi-registry-operator
- version: 1.2.0
+ version: 1.2.1
 repository: https://lsst-sqre.github.io/charts/
From d15ae2d9d48062b60b27faeb6a3bfb06f3d1bd88 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Tue, 14 Jun 2022 10:57:41 -0700
Subject: [PATCH 0640/1479] Upadate Helm docs - Update strimzi-registry-operator to version 1.2.1
---
 services/sasquatch/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md
index 74ee2dbeff..dab76e80c0 100644
--- a/services/sasquatch/README.md
+++ b/services/sasquatch/README.md
@@ -12,7 +12,7 @@ Rubin Observatory's telemetry service. | https://helm.influxdata.com/ | influxdb | 4.12.0 | | https://helm.influxdata.com/ | kapacitor | 1.4.6 | | https://helm.influxdata.com/ | telegraf | 1.8.18 | -| https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 1.2.0 | +| https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 1.2.1 | | https://lsst-ts.github.io/charts/ | csc | 0.9.2 | | https://lsst-ts.github.io/charts/ | kafka-producers | 0.10.1 | From a71b094f9da5bde35d7a483e146138fff72aaab3 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 14 Jun 2022 17:30:13 +0000 Subject: [PATCH 0641/1479] Update Helm release redis to v16.12.2 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 0dd7a9d11d..c4706cc980 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.11.2 + version: 16.12.2 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index d6a586752d..5fa0d6924f 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: 0.4.0b1 dependencies: - name: redis - version: 16.11.2 + version: 16.12.2 repository: https://charts.bitnami.com/bitnami From 852b95f6eb1416ebd065455f4cffc78209fb5d20 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 14 Jun 2022 10:36:06 -0700 Subject: [PATCH 0642/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 069a0232bb..68b02056bd 100644 --- a/services/noteburst/README.md 
+++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.11.2 | +| https://charts.bitnami.com/bitnami | redis | 16.12.2 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 3432ed0593..cf1db9a6a3 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.11.2 | +| https://charts.bitnami.com/bitnami | redis | 16.12.2 | ## Values From 49fee923b8acfaf15ad4c3856b3fc981239825c1 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 14 Jun 2022 11:37:34 -0700 Subject: [PATCH 0643/1479] Revert "Update Helm release argo-cd to v4.9.1" This reverts commit f0126b2b7b8687ae69d0f42e6961af095a751ede. This upgrade resulted in a blank UI screen with no errors or logs. --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 2da82195c7..c7b641d3ca 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.9.1 + version: 4.8.3 repository: https://argoproj.github.io/argo-helm From b7ac77fb2e20cdb1de654bf41d8a9e603509276f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 14 Jun 2022 11:37:56 -0700 Subject: [PATCH 0644/1479] Revert "Regenerate Helm docs" This reverts commit 270801bcdd472e6d8df581d7588c5f3fe82f1b3e. Revert the corresponding documentation update for the Argo CD update. --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/argocd/README.md b/services/argocd/README.md index 86696b685a..7cf552ecca 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.9.1 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.8.3 | ## Values From cc77ed4de12dc4e93db9e94a6023f287864e182a Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 18 May 2022 14:05:02 -0400 Subject: [PATCH 0645/1479] DM-34789: Deploy Times Square GitHub nav DM-34789 adds a nav component for GitHub-backed pages to Squareone. DM-34823 adds Times Square API support for the nav component. --- services/squareone/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index b71181c951..eca45aba92 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,4 +10,4 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "0.7.0b1" +appVersion: "tickets-DM-34789" diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 5fa0d6924f..e6f4ce44a2 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -7,7 +7,7 @@ home: https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image -appVersion: 0.4.0b1 +appVersion: "tickets-DM-34823" dependencies: - name: redis From d89f4b5241a33878bfb80d96664d597ddef1f622 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 30 May 2022 16:52:25 -0400 Subject: [PATCH 0646/1479] DM-34941 Deploy squareone This includes the new parameters UI. --- services/squareone/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index eca45aba92..9babc7ffdd 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,4 +10,4 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "tickets-DM-34789" +appVersion: "tickets-DM-34941" From 030c048527eb03043a4b55d678f93a16926d235c Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 2 Jun 2022 13:53:26 -0400 Subject: [PATCH 0647/1479] Deploy DM-35057 version of Times Square This version manages code cell visibility in notebook output. --- services/times-square/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index e6f4ce44a2..3232a76737 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -7,7 +7,7 @@ home: https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image -appVersion: "tickets-DM-34823" +appVersion: "tickets-DM-35057" dependencies: - name: redis From 7fcd5e936385e8268ed84cb82429f1ca903922fc Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 2 Jun 2022 14:16:48 -0400 Subject: [PATCH 0648/1479] Always pull Times Square images on dev --- services/times-square/values-idfdev.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 13a9492a25..57d97ac65d 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -1,6 +1,5 @@ -# image: -# tag: "tickets-DM-34458" -# pullPolicy: Always +image: + pullPolicy: Always config: logLevel: "DEBUG" databaseUrl: "postgresql://times-square@localhost/times-square" From 7a57441a4e0914d5bb8a70e2984c4e1520da33f7 Mon Sep 17 00:00:00 2001 
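Review bot: `pullPolicy: Always` with no `image.tag` set means the dev deployment resolves to whatever the chart's `appVersion` tag points at on every pod start; the `appVersion` values in this series are ticket-branch tags (`tickets-DM-…`), which are presumably mutable, so the running code can change on a restart with no chart change. That is a reasonable choice for dev, but the file should say so rather than leave a reader to infer it from the removed commented-out block: `# Dev follows a mutable ticket-branch tag, so re-pull on every pod start`. Whether the times-square deployment template actually reads `image.pullPolicy` from this key is not visible here — confirm against the template before relying on it.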
From: Jonathan Sick Date: Fri, 3 Jun 2022 14:03:14 -0400 Subject: [PATCH 0649/1479] Deploy DM-35057 version of squareone This version includes support for the ts_hide_code display parameter. --- services/squareone/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index 9babc7ffdd..e9438046b8 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,4 +10,4 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "tickets-DM-34941" +appVersion: "tickets-DM-35057" From 7462b6f105371a1cdbf2f7ed8bb6d747b965b347 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 8 Jun 2022 13:01:13 -0400 Subject: [PATCH 0650/1479] Update times-square https://github.com/lsst-sqre/times-square/pull/35 --- services/times-square/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 3232a76737..39d5cb556e 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -7,7 +7,7 @@ home: https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image -appVersion: "tickets-DM-35057" +appVersion: "tickets-DM-35146" dependencies: - name: redis From ecdabedd779d621ca6c993c2fcd2da39a4def0cc Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 13 Jun 2022 16:51:30 -0600 Subject: [PATCH 0651/1479] Deploy DM-34473 v of times-square and noteburst --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index c4706cc980..e9a9e3bfea 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: noteburst version: 1.0.0 -appVersion: "0.3.0" +appVersion: "tickets-DM-34473" description: Noteburst is a notebook execution service for the Rubin Science Platform. type: application home: https://noteburst.lsst.io/ diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 39d5cb556e..ec074b2271 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -7,7 +7,7 @@ home: https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image -appVersion: "tickets-DM-35146" +appVersion: "tickets-DM-34473" dependencies: - name: redis From 10f13fd3d094b1fabd9dd245a3debb55cc1fb8da Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 14 Jun 2022 11:36:24 -0600 Subject: [PATCH 0652/1479] Deploy DM-35205 version of Noteburst --- services/noteburst/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index e9a9e3bfea..dae57b430c 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: noteburst version: 1.0.0 -appVersion: "tickets-DM-34473" +appVersion: "tickets-DM-35205" description: Noteburst is a notebook execution service for the Rubin Science Platform. type: application home: https://noteburst.lsst.io/ From d5f6527432bf308a7f3f4f2ca3b25dc6dd24a53f Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 14 Jun 2022 11:36:42 -0600 Subject: [PATCH 0653/1479] Deploy v 0.4.0 of times-square --- services/times-square/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index ec074b2271..703ac5e390 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml 
@@ -7,7 +7,7 @@ home: https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image -appVersion: "tickets-DM-34473" +appVersion: "0.4.0" dependencies: - name: redis From e247296ab48bbae9f623c659275c9eb61c1e2c76 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 14 Jun 2022 13:10:22 -0700 Subject: [PATCH 0654/1479] Reintroduce HiPS NetworkPolicy Re-add the NetworkPolicy for the HiPS service, but make an exception for the Portal so that it can use the internal cluster address. It doesn't yet know how to send authentication on HiPS requests. --- services/hips/templates/networkpolicy.yaml | 31 ++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 services/hips/templates/networkpolicy.yaml diff --git a/services/hips/templates/networkpolicy.yaml b/services/hips/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bbbba68634 --- /dev/null +++ b/services/hips/templates/networkpolicy.yaml @@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "hips" + labels: + {{- include "hips.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "hips.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + - from: + # Allow inbound access from pods (in any namespace) labeled + # gafaelfawr.lsst.io/ingress: true. + - namespaceSelector: {} + podSelector: + matchLabels: + gafaelfawr.lsst.io/ingress: "true" + # Temporarily also allow inbound access from the Portal because the + # current version of the Portal doesn't support passing authentication + # credentials to HiPS requests. + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/instance: "portal" + app.kubernetes.io/component: "firefly" + ports: + - protocol: "TCP" + port: 8080 From 1a757bb5b9e3d057cb196434b3e303c467fcd357 Mon Sep 17 00:00:00 2001 
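Review bot: The Portal exception in the second `from` entry matches on pod labels alone under `namespaceSelector: {}`, so any pod in any namespace carrying `app.kubernetes.io/instance: portal` and `app.kubernetes.io/component: firefly` reaches HiPS without Gafaelfawr; labels are set by whoever can create pods, so this is a weaker boundary than the first rule's cluster-wide `gafaelfawr.lsst.io/ingress` convention. Narrow it to the Portal's own namespace, e.g. `namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: "<portal namespace>"}}` (placeholder — use the namespace the Portal release is installed in). Since the comment calls the bypass temporary, naming its exit condition in the comment, `# TODO: remove once the Portal passes Gafaelfawr credentials on HiPS requests`, keeps it from outliving its reason.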
From: Russ Allbery Date: Wed, 15 Jun 2022 08:38:33 -0700 Subject: [PATCH 0655/1479] Update datalinker to 1.3.0 Bump version to the latest release. Require read:image scope for datalinker access by default and remove the override for IDF int. Change the pull policy to IfNotPresent to match our other services. Remove the values.yaml configuration for service type and port, since we never change those. --- services/datalinker/Chart.yaml | 4 ++-- services/datalinker/README.md | 8 +++----- services/datalinker/templates/ingress.yaml | 6 +++--- services/datalinker/templates/service.yaml | 10 +++++----- services/datalinker/values-idfint.yaml | 2 -- services/datalinker/values.yaml | 19 ++++++------------- 6 files changed, 19 insertions(+), 30 deletions(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index 357e710e4a..8f44b0ae08 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: datalinker version: 1.0.0 -description: IVOA datalink service for Rubin Science Platform +description: IVOA DataLink service for Rubin Science Platform sources: - https://github.com/lsst-sqre/datalinker -appVersion: 1.2.2 +appVersion: 1.3.0 diff --git a/services/datalinker/README.md b/services/datalinker/README.md index e6e640e267..4187c2c5a8 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md @@ -1,6 +1,6 @@ # datalinker -IVOA datalink service for Rubin Science Platform +IVOA DataLink service for Rubin Science Platform ## Source Code 
@@ -20,17 +20,15 @@ IVOA datalink service for Rubin Science Platform | global.butlerRepositoryIndex | string | Set by Argo CD | URI to the Butler configuration of available repositories | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| image.pullPolicy | string | `"Always"` | Pull policy for the datalinker image | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the datalinker image | | image.repository | string | `"ghcr.io/lsst-sqre/datalinker"` | Image to use in the datalinker deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| ingress.gafaelfawrAuthQuery | string | `""` | Gafaelfawr auth query string (default, unauthenticated) | +| ingress.gafaelfawrAuthQuery | string | `"scope=read:image"` | Gafaelfawr auth query string | | ingress.path | string | `"/api/datalink"` | URL path to dispatch to the datalinker deployment pod | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the datalinker deployment pod | | podAnnotations | object | `{}` | Annotations for the datalinker deployment pod | | replicaCount | int | `1` | Number of web deployment pods to start | | resources | object | `{}` | Resource limits and requests for the datalinker deployment pod | -| service.port | int | `8080` | Port of the service to create and map to the ingress | -| service.type | string | `"ClusterIP"` | Type of service to create | | tolerations | list | `[]` | Tolerations for the datalinker deployment pod | diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml index 784840b502..c981eefe33 100644 --- a/services/datalinker/templates/ingress.yaml +++ b/services/datalinker/templates/ingress.yaml 
@@ -6,8 +6,8 @@ metadata: {{- include "datalinker.labels" . | nindent 4 }} annotations: {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} @@ -26,4 +26,4 @@ spec: service: name: {{ include "datalinker.fullname" . }} port: - number: {{ .Values.service.port }} + number: 8080 diff --git a/services/datalinker/templates/service.yaml b/services/datalinker/templates/service.yaml index b24cc11a8b..20bf10e5d9 100644 --- a/services/datalinker/templates/service.yaml +++ b/services/datalinker/templates/service.yaml @@ -5,11 +5,11 @@ metadata: labels: {{- include "datalinker.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: "ClusterIP" ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http + - port: 8080 + targetPort: "http" + protocol: "TCP" + name: "http" selector: {{- include "datalinker.selectorLabels" . | nindent 4 }} diff --git a/services/datalinker/values-idfint.yaml b/services/datalinker/values-idfint.yaml index 2ddb5b9f5a..e69de29bb2 100644 --- a/services/datalinker/values-idfint.yaml +++ b/services/datalinker/values-idfint.yaml @@ -1,2 +0,0 @@ -ingress: - gafaelfawrAuthQuery: "scope=read:image" diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml index 4193d2eb23..8e8e023318 100644 --- a/services/datalinker/values.yaml +++ b/services/datalinker/values.yaml 
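Review bot: With the auth annotations wrapped in `{{- if .Values.ingress.gafaelfawrAuthQuery }}`, an environment that overrides `ingress.gafaelfawrAuthQuery` to `""` silently removes every Gafaelfawr annotation and exposes `/api/datalink` unauthenticated, and the new `"scope=read:image"` default makes that fail-open path less visible than the old explicit `""` did. A template comment such as `{{- /* An empty gafaelfawrAuthQuery renders no auth annotations at all (unauthenticated ingress); override with a scope, never "" */ -}}` would document it, and the values.yaml hunk on the next line should say the same in its `# -- Gafaelfawr auth query string` comment. Separately, trimming `auth-response-headers` from three headers to `X-Auth-Request-User` stops forwarding the token and e-mail headers to the pod, a good reduction that the commit message does not mention — worth a sentence so the behaviour change is traceable. The ingress `metadata` block starts outside the hunk.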
@@ -10,7 +10,7 @@ image: repository: "ghcr.io/lsst-sqre/datalinker" # -- Pull policy for the datalinker image - pullPolicy: Always + pullPolicy: "IfNotPresent" # -- Overrides the image tag whose default is the chart appVersion. tag: "" @@ -21,23 +21,16 @@ nameOverride: "" # -- Override the full name for resources (includes the release name) fullnameOverride: "" -service: - # -- Type of service to create - type: ClusterIP - - # -- Port of the service to create and map to the ingress - port: 8080 - ingress: - # -- Gafaelfawr auth query string (default, unauthenticated) - gafaelfawrAuthQuery: "" - - # -- Additional annotations for the ingress rule - annotations: {} + # -- Gafaelfawr auth query string + gafaelfawrAuthQuery: "scope=read:image" # -- URL path to dispatch to the datalinker deployment pod path: "/api/datalink" + # -- Additional annotations for the ingress rule + annotations: {} + autoscaling: # -- Enable autoscaling of datalinker deployment enabled: false From aa80feadfd4ddc886656d23fca8c9b3cf3e32bc1 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 15 Jun 2022 10:30:16 -0700 Subject: [PATCH 0656/1479] Set environment variables required for new Portal The new version of Portal (2022.3 and later) will require setting individual environment variables instead of FIREFLY_OPTS. Set the new variables now so that we can easily move back and forth between versions solely by changing the image pin. --- services/portal/templates/deployment.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index c0e69caca8..71753fb7af 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml 
@@ -40,6 +40,10 @@ spec: key: "ADMIN_PASSWORD" - name: "FIREFLY_OPTS" value: "-Dredis.host={{ include "portal.fullname" . }}-redis -Dsso.req.auth.hosts={{ .Values.global.host }}" + - name: "PROPS_redis__host" + value: {{ include "portal.fullname" . }}-redis + - name: "PROPS_sso__req__auth__hosts" + value: {{ .Values.global.host | quote }} - name: "SERVER_CONFIG_DIR" value: "/firefly/config" - name: "CLEANUP_INTERVAL" From afef4ee6b27c05506d989c077e0953c0e49bdabd Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 14 Jun 2022 15:34:42 -0600 Subject: [PATCH 0657/1479] Add image noteburst image selection configs --- services/noteburst/Chart.yaml | 2 +- services/noteburst/README.md | 3 +++ services/noteburst/templates/worker-configmap.yaml | 3 +++ services/noteburst/values.yaml | 9 +++++++++ 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index dae57b430c..d3f6e8052a 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: noteburst version: 1.0.0 -appVersion: "tickets-DM-35205" +appVersion: "tickets-DM-35203" description: Noteburst is a notebook execution service for the Rubin Science Platform. type: application home: https://noteburst.lsst.io/ diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 68b02056bd..b5c7c3ed3d 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md 
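Review bot: The two new env values are quoted inconsistently: `PROPS_sso__req__auth__hosts` uses `| quote`, while `PROPS_redis__host` renders `{{ include "portal.fullname" . }}-redis` as a bare scalar, so its `value:` is only a valid string as long as the rendered release name never starts with a YAML indicator. Write it as `value: "{{ include "portal.fullname" . }}-redis"` to match the sibling and the existing `FIREFLY_OPTS` line. Both new values duplicate what `FIREFLY_OPTS` already carries for the transition the commit message describes; a comment such as `# FIREFLY_OPTS is read by Portal < 2022.3, PROPS_* by 2022.3+; drop FIREFLY_OPTS once the pin is past 2022.3` would keep the two from silently diverging. The container `env` list continues on both sides of the hunk.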
@@ -25,7 +25,10 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | autoscaling.targetCPUUtilizationPercentage | int | `80` | | | config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | | config.worker.identities | list | `[]` | Science Platform user identities that workers can acquire. Each item is an object with username and uuid keys | +| config.worker.imageReference | string | `""` | Nublado image reference, applicable when imageSelector is "reference" | +| config.worker.imageSelector | string | `"weekly"` | Nublado image stream to select: "recommended", "weekly" or "reference" | | config.worker.jobTimeout | int | `300` | The default notebook execution timeout, in seconds. | +| config.worker.tokenLifetime | int | `2419200` | Worker token lifetime, in seconds. | | config.worker.workerCount | int | `1` | Number of workers to run | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | diff --git a/services/noteburst/templates/worker-configmap.yaml b/services/noteburst/templates/worker-configmap.yaml index d8edd67749..256b762e24 100644 --- a/services/noteburst/templates/worker-configmap.yaml +++ b/services/noteburst/templates/worker-configmap.yaml 
@@ -10,3 +10,6 @@ data: NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" NOTEBURST_WORKER_LOCK_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/1" NOTEBURST_WORKER_JOB_TIMEOUT: {{ .Values.config.worker.jobTimeout | quote }} + NOTEBURST_WORKER_TOKEN_LIFETIME: {{ .Values.config.worker.tokenLifetime | quote }} + NOTEBURST_WORKER_IMAGE_SELECTOR: {{ .Values.config.worker.imageSelector | quote }} + NOTEBURST_WORKER_IMAGE_REFERENCE: {{ .Values.config.worker.imageReference | quote }} diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index b0ef1d2892..c4d561b254 100644 --- a/services/noteburst/values.yaml +++ b/services/noteburst/values.yaml @@ -114,6 +114,15 @@ config: # -- The default notebook execution timeout, in seconds. jobTimeout: 300 + # -- Worker token lifetime, in seconds. + tokenLifetime: 2419200 + + # -- Nublado image stream to select: "recommended", "weekly" or "reference" + imageSelector: "weekly" + + # -- Nublado image reference, applicable when imageSelector is "reference" + imageReference: "" + redis: auth: enabled: false From 2543e6383c681fdfbe65496e2abeb9f46f52ed25 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 14 Jun 2022 16:01:34 -0600 Subject: [PATCH 0658/1479] Add tokenScopes configuration This maps to noteburst's NOTEBURST_WORKER_TOKEN_SCOPES and allows us to specify what auth scopes the nublado2 bot user account should have. --- services/noteburst/README.md | 1 + services/noteburst/templates/worker-configmap.yaml | 1 + services/noteburst/values.yaml | 3 +++ 3 files changed, 5 insertions(+) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index b5c7c3ed3d..ad196c7caa 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md 
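Review bot: `tokenLifetime: 2419200` is a 28-day lifetime for the worker's bot-user token, but `# -- Worker token lifetime, in seconds.` gives no hint of how long that is or why; a long-lived credential on an automation account deserves its rationale in the values file, e.g. `# -- Worker token lifetime, in seconds (default 28 days; keep as short as job scheduling allows)`, with the parenthetical adjusted to how noteburst actually renews tokens, which is not visible here. `imageSelector` documents three accepted values but nothing enforces them before the ConfigMap renders, so a typo only surfaces when the worker starts; a guard in `worker-configmap.yaml` such as `{{- if not (has .Values.config.worker.imageSelector (list "recommended" "weekly" "reference")) }}{{ fail "config.worker.imageSelector must be recommended, weekly or reference" }}{{- end }}` fails at `helm template` time instead. The same applies to `keepAlive` (`"normal"`, `"fast"`, `"disabled"`) added later in this series. The `config.worker` mapping begins above the hunk.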
@@ -29,6 +29,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | config.worker.imageSelector | string | `"weekly"` | Nublado image stream to select: "recommended", "weekly" or "reference" | | config.worker.jobTimeout | int | `300` | The default notebook execution timeout, in seconds. | | config.worker.tokenLifetime | int | `2419200` | Worker token lifetime, in seconds. | +| config.worker.tokenScopes | string | `"exec:notebook,read:image,read:tap,read:alertdb"` | Nublado2 worker account's token scopes as a comma-separated list. | | config.worker.workerCount | int | `1` | Number of workers to run | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | diff --git a/services/noteburst/templates/worker-configmap.yaml b/services/noteburst/templates/worker-configmap.yaml index 256b762e24..0e49569440 100644 --- a/services/noteburst/templates/worker-configmap.yaml +++ b/services/noteburst/templates/worker-configmap.yaml @@ -13,3 +13,4 @@ data: NOTEBURST_WORKER_TOKEN_LIFETIME: {{ .Values.config.worker.tokenLifetime | quote }} NOTEBURST_WORKER_IMAGE_SELECTOR: {{ .Values.config.worker.imageSelector | quote }} NOTEBURST_WORKER_IMAGE_REFERENCE: {{ .Values.config.worker.imageReference | quote }} + NOTEBURST_WORKER_TOKEN_SCOPES: {{ .Values.config.worker.tokenScopes | quote }} diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index c4d561b254..2a7d567c31 100644 --- a/services/noteburst/values.yaml +++ b/services/noteburst/values.yaml @@ -117,6 +117,9 @@ config: # -- Worker token lifetime, in seconds. tokenLifetime: 2419200 + # -- Nublado2 worker account's token scopes as a comma-separated list. + tokenScopes: "exec:notebook,read:image,read:tap,read:alertdb" + # -- Nublado image stream to select: "recommended", "weekly" or "reference" imageSelector: "weekly" 
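Review bot: The chart default `tokenScopes: "exec:notebook,read:image,read:tap,read:alertdb"` grants every environment's worker bot account four scopes, three of them data-access scopes, with no note on why each is needed; least privilege would keep the chart default to what execution itself requires and let `values-<env>.yaml` add data scopes where notebooks need them. If the full set is intentional, state it: `# -- Nublado2 worker account's token scopes as a comma-separated list. Granted to the bot user in every environment; add scopes per environment rather than widening this default`. Which scopes notebook execution truly requires is not visible from the chart, so confirm against noteburst before narrowing. The `config.worker` mapping begins above the hunk.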
From 5e69cb27e7c086e133560313ef2beabbeb3f6937 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 14 Jun 2022 16:10:49 -0600 Subject: [PATCH 0659/1479] Pre-quote tokenLifetime Helm was turning this integer into scientific notation --- services/noteburst/README.md | 2 +- services/noteburst/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index ad196c7caa..26b8eb7c0e 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -28,7 +28,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | config.worker.imageReference | string | `""` | Nublado image reference, applicable when imageSelector is "reference" | | config.worker.imageSelector | string | `"weekly"` | Nublado image stream to select: "recommended", "weekly" or "reference" | | config.worker.jobTimeout | int | `300` | The default notebook execution timeout, in seconds. | -| config.worker.tokenLifetime | int | `2419200` | Worker token lifetime, in seconds. | +| config.worker.tokenLifetime | string | `"2419200"` | Worker token lifetime, in seconds. | | config.worker.tokenScopes | string | `"exec:notebook,read:image,read:tap,read:alertdb"` | Nublado2 worker account's token scopes as a comma-separated list. | | config.worker.workerCount | int | `1` | Number of workers to run | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index 2a7d567c31..5af55a9256 100644 --- a/services/noteburst/values.yaml +++ b/services/noteburst/values.yaml @@ -115,7 +115,7 @@ config: jobTimeout: 300 # -- Worker token lifetime, in seconds. - tokenLifetime: 2419200 + tokenLifetime: "2419200" # -- Nublado2 worker account's token scopes as a comma-separated list. tokenScopes: "exec:notebook,read:image,read:tap,read:alertdb" 
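Review bot: Quoting `tokenLifetime: "2419200"` fixes the rendering, but the reason lives only in the commit message; the values file still says `# -- Worker token lifetime, in seconds.` and the README now advertises the type as `string`, so the next maintainer may well unquote it. Say it inline: `# -- Worker token lifetime, in seconds (kept as a string: Helm renders large ints in scientific notation when piped through quote)`. The alternative that keeps the declared type is `{{ .Values.config.worker.tokenLifetime | int64 | quote }}` in `worker-configmap.yaml`, which lets the README keep `int`; either is fine, but pick one and document it.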
From daa5cd59e4cd349f1ede6cce94745aa3c1c86a4b Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 14 Jun 2022 16:52:43 -0600 Subject: [PATCH 0660/1479] Delay the liveness probe The 5 second delay is a bit aggressive if Redis is also redeploying at the same time. --- services/noteburst/templates/worker-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/templates/worker-deployment.yaml b/services/noteburst/templates/worker-deployment.yaml index e557f6970a..c47ac58c4f 100644 --- a/services/noteburst/templates/worker-deployment.yaml +++ b/services/noteburst/templates/worker-deployment.yaml @@ -42,8 +42,8 @@ spec: - "arq" - "--check" - "noteburst.worker.main.WorkerSettings" - initialDelaySeconds: 5 - periodSeconds: 5 + initialDelaySeconds: 360 + periodSeconds: 15 resources: {{- toYaml .Values.resources | nindent 12 }} envFrom: From 24a562176205ccbdb37bd6a2d426750316aaee7c Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 15 Jun 2022 14:07:49 -0600 Subject: [PATCH 0661/1479] Add NOTEBURST_WORKER_KEEPALIVE configuration --- services/noteburst/README.md | 1 + services/noteburst/templates/worker-configmap.yaml | 1 + services/noteburst/values.yaml | 3 +++ 3 files changed, 5 insertions(+) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 26b8eb7c0e..700dce5d7b 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md 
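Review bot: Raising `initialDelaySeconds` to 360 means a worker that never becomes healthy is left running for six minutes before its first check, and every later restart of the pod pays the same delay; the tolerance for a slow start while Redis redeploys belongs in a `startupProbe`, which gates liveness until the first success and then lets the liveness probe stay responsive. The hunk shows only the probe's command and timing, so the `livenessProbe` key the commit title refers to is assumed to sit just above it. The same change is made to `services/times-square/templates/worker-deployment.yaml` later in this series and the same suggestion applies there. The container spec continues on both sides of the hunk.
```yaml
          # … unchanged: livenessProbe exec command (arq --check …) …
            periodSeconds: 15
          startupProbe:
            exec:
              command:
                - "arq"
                - "--check"
                - "noteburst.worker.main.WorkerSettings"
            periodSeconds: 15
            # 24 x 15 s = 360 s of startup tolerance, matching this commit's delay
            failureThreshold: 24
```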
@@ -28,6 +28,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | config.worker.imageReference | string | `""` | Nublado image reference, applicable when imageSelector is "reference" | | config.worker.imageSelector | string | `"weekly"` | Nublado image stream to select: "recommended", "weekly" or "reference" | | config.worker.jobTimeout | int | `300` | The default notebook execution timeout, in seconds. | +| config.worker.keepAlive | string | `"normal"` | Worker keep alive mode: "normal", "fast", "disabled" | | config.worker.tokenLifetime | string | `"2419200"` | Worker token lifetime, in seconds. | | config.worker.tokenScopes | string | `"exec:notebook,read:image,read:tap,read:alertdb"` | Nublado2 worker account's token scopes as a comma-separated list. | | config.worker.workerCount | int | `1` | Number of workers to run | diff --git a/services/noteburst/templates/worker-configmap.yaml b/services/noteburst/templates/worker-configmap.yaml index 0e49569440..21a90ae8eb 100644 --- a/services/noteburst/templates/worker-configmap.yaml +++ b/services/noteburst/templates/worker-configmap.yaml @@ -14,3 +14,4 @@ data: NOTEBURST_WORKER_IMAGE_SELECTOR: {{ .Values.config.worker.imageSelector | quote }} NOTEBURST_WORKER_IMAGE_REFERENCE: {{ .Values.config.worker.imageReference | quote }} NOTEBURST_WORKER_TOKEN_SCOPES: {{ .Values.config.worker.tokenScopes | quote }} + NOTEBURST_WORKER_KEEPALIVE: {{ .Values.config.worker.keepAlive | quote }} diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index 5af55a9256..4b664450fd 100644 --- a/services/noteburst/values.yaml +++ b/services/noteburst/values.yaml @@ -126,6 +126,9 @@ config: # -- Nublado image reference, applicable when imageSelector is "reference" imageReference: "" + # -- Worker keep alive mode: "normal", "fast", "disabled" + keepAlive: "normal" + redis: auth: enabled: false From c85a2b108e0ab60fad35afa8f841d67c365fd6f1 Mon Sep 17 00:00:00 2001 
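Review bot: `keepAlive` is passed straight through to `NOTEBURST_WORKER_KEEPALIVE` in worker-configmap.yaml with no check that it is one of the three documented values, so a typo such as `"disable"` in an environment values file renders cleanly and is only discovered by the worker at runtime. The template already uses Sprig (`| quote`), so a one-line guard fails the render instead: `{{- if not (has .Values.config.worker.keepAlive (list "normal" "fast" "disabled")) }}{{ fail "config.worker.keepAlive must be normal, fast or disabled" }}{{- end }}`. The values.yaml comment would also be more useful if it said what each mode changes in the worker, which the chart currently leaves to the application documentation.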
From: Jonathan Sick Date: Wed, 15 Jun 2022 14:08:42 -0600 Subject: [PATCH 0662/1479] Add bot- prefix to noteburst usernames --- services/noteburst/values-idfdev.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/services/noteburst/values-idfdev.yaml b/services/noteburst/values-idfdev.yaml index fe9b51ab00..afbe9fc0b1 100644 --- a/services/noteburst/values-idfdev.yaml +++ b/services/noteburst/values-idfdev.yaml @@ -8,14 +8,14 @@ config: workerCount: 1 identities: - uid: 90000 - username: "noteburst90000" + username: "bot-noteburst90000" - uid: 90001 - username: "noteburst90001" + username: "bot-noteburst90001" - uid: 90002 - username: "noteburst90002" + username: "bot-noteburst90002" - uid: 90003 - username: "noteburst90003" + username: "bot-noteburst90003" - uid: 90004 - username: "noteburst90004" + username: "bot-noteburst90004" - uid: 90005 - username: "noteburst90005" + username: "bot-noteburst90005" From e2e86d6959f78444f551ee2dfb6d321c6d381142 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 15 Jun 2022 14:19:28 -0600 Subject: [PATCH 0663/1479] Back off Times Square worker liveness probe This matches how we're running noteburst as well. Seems to work better for cases where the redis cluster is also redeploying. --- services/times-square/templates/worker-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/times-square/templates/worker-deployment.yaml b/services/times-square/templates/worker-deployment.yaml index 2da0382978..d028654312 100644 --- a/services/times-square/templates/worker-deployment.yaml +++ b/services/times-square/templates/worker-deployment.yaml @@ -70,8 +70,8 @@ spec: - "arq" - "--check" - "timessquare.worker.main.WorkerSettings" - initialDelaySeconds: 5 - periodSeconds: 5 + initialDelaySeconds: 360 + periodSeconds: 15 resources: {{- toYaml .Values.resources | nindent 12 }} envFrom: From 680d42d6b82bbd230ce349416d564cffd2e81fb4 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Wed, 15 Jun 2022 14:35:01 -0600 Subject: [PATCH 0664/1479] Deploy Noteburst 0.4.0 --- services/noteburst/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index d3f6e8052a..9d4fa6b8b8 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: noteburst version: 1.0.0 -appVersion: "tickets-DM-35203" +appVersion: "0.4.0" description: Noteburst is a notebook execution service for the Rubin Science Platform. type: application home: https://noteburst.lsst.io/ From 7d061d1fa1dd96a9385c5687d8e7c317a54f3c3e Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 15 Jun 2022 16:51:02 -0700 Subject: [PATCH 0665/1479] [DM-35242] Mobu TAP volume to 5 --- services/mobu/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index d76167d932..e4c441c8b5 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -27,7 +27,7 @@ autostart: repo_branch: "prod" restart: true - name: "tap" - count: 1 + count: 5 users: - username: "systemtest03" uidnumber: 74770 From 71ffc3f6e046ff216dc43266adac257bdee0c807 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 15 Jun 2022 16:58:16 -0700 Subject: [PATCH 0666/1479] [DM-35242] TAP volume 5 Put in the users this time! --- services/mobu/values-idfint.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index e4c441c8b5..342aa9309f 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml 
@@ -31,6 +31,14 @@ autostart:
 users:
 - username: "systemtest03"
 uidnumber: 74770
+ - username: "systemtest03"
+ uidnumber: 74770
+ - username: "systemtest03"
+ uidnumber: 74770
+ - username: "systemtest03"
+ uidnumber: 74770
+ - username: "systemtest03"
+ uidnumber: 74770
 scopes: ["read:tap"]
 business: "TAPQueryRunner"
 restart: true
From f15869eaaed5c9cd513e5f5ee0f51536f839d682 Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Wed, 15 Jun 2022 17:30:14 -0700
Subject: [PATCH 0667/1479] [DM-35242] Add liveness check This will check the availability endpoint every 10 seconds and restart the pod if it fails. This should help with our out of memory issues. It might supriously restart the pod though, so we have to make sure it doesn't hit false positives too often.
---
 services/tap/Chart.yaml | 2 +-
 services/tap/templates/tap-deployment.yaml | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml
index d32fc6fbdb..519282f19b 100644
--- a/services/tap/Chart.yaml
+++ b/services/tap/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: "1.2.0"
 description: A Helm chart for the CADC TAP service
 home: https://github.com/lsst-sqre/lsst-tap-service
 name: cadc-tap
-version: 1.0.7
+version: 1.0.8
diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml
index 145f2f630f..ffa9a9ec4c 100644
--- a/services/tap/templates/tap-deployment.yaml
+++ b/services/tap/templates/tap-deployment.yaml
@@ -65,6 +65,16 @@ spec:
 readOnly: true
 - name: "tmp"
 mountPath: "/tmp"
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /tap/availability
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
 volumes:
 - name: "google-creds"
 secret:
From a7019afc555d4dea22a7889bb19628f95e4b026d Mon Sep 17 00:00:00 2001
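Review bot: `timeoutSeconds: 1` together with `failureThreshold: 3` and `periodSeconds: 10` restarts the pod after three consecutive responses slower than one second, and the description says the probe exists because the service runs out of memory, which is exactly the state in which a JVM answers slowly rather than not at all. As written the probe kills pods under load and discards their in-flight queries, producing the false positives the description worries about; `timeoutSeconds: 5` on the liveness probe plus a `startupProbe` on the same `/tap/availability` path with a larger `failureThreshold` separates slow startup and transient slowness from a hung process. `initialDelaySeconds: 10` also looks short for this service if it takes longer to come up, which the hunk does not show — confirm against the container's actual startup time. The container spec that owns this probe starts outside the hunk.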
From: Christine Banek Date: Wed, 15 Jun 2022 17:55:52 -0700 Subject: [PATCH 0668/1479] [DM-35242] Turn TAP up to 11 --- services/mobu/values-idfint.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 342aa9309f..36b52654c3 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -27,7 +27,7 @@ autostart: repo_branch: "prod" restart: true - name: "tap" - count: 5 + count: 11 users: - username: "systemtest03" uidnumber: 74770 @@ -39,6 +39,18 @@ autostart: uidnumber: 74770 - username: "systemtest03" uidnumber: 74770 + - username: "systemtest03" + uidnumber: 74770 + - username: "systemtest03" + uidnumber: 74770 + - username: "systemtest03" + uidnumber: 74770 + - username: "systemtest03" + uidnumber: 74770 + - username: "systemtest03" + uidnumber: 74770 + - username: "systemtest03" + uidnumber: 74770 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true From 2e1a2d2f9eafee906fb4f6cccb5036da21a38f86 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 15 Jun 2022 18:07:40 -0700 Subject: [PATCH 0669/1479] [DM-35242] Turn it up to 15 Also use legit users, or at least users that I think are legit. I think if you use the same user it might not actually spawn multiple. --- services/mobu/values-idfint.yaml | 50 ++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 36b52654c3..14bfd9174c 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml 
@@ -27,30 +27,38 @@ autostart: repo_branch: "prod" restart: true - name: "tap" - count: 11 + count: 15 users: + - username: "systemtest01" + uidnumber: 74768 + - username: "systemtest02" + uidnumber: 74769 - username: "systemtest03" uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest03" - uidnumber: 74770 + - username: "systemtest04" + uidnumber: 74771 + - username: "systemtest05" + uidnumber: 74772 + - username: "systemtest06" + uidnumber: 74773 + - username: "systemtest07" + uidnumber: 74774 + - username: "systemtest08" + uidnumber: 74775 + - username: "systemtest09" + uidnumber: 74776 + - username: "systemtest10" + uidnumber: 74777 + - username: "systemtest11" + uidnumber: 74778 + - username: "systemtest12" + uidnumber: 74779 + - username: "systemtest13" + uidnumber: 74780 + - username: "systemtest14" + uidnumber: 74781 + - username: "systemtest15" + uidnumber: 74782 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true From f33c47d917bfc3cbc599b7268519d15e1aef657c Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 15 Jun 2022 19:24:13 -0700 Subject: [PATCH 0670/1479] Review default values for Kafka volumes - Set Kafka broker disk size to 500Gi and retention period to 24h and maximum retained bytes to 400Gi --- services/sasquatch/charts/strimzi-kafka/README.md | 10 +++++----- services/sasquatch/charts/strimzi-kafka/values.yaml | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 709e6b4f55..366be6ae06 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md 
@@ -9,12 +9,12 @@ A subchart to deploy Strimzi Kafka components for Sasquatch.
 | cluster.name | string | `"sasquatch"` | Name used for the Kafka cluster, and used by Strimzi for many annotations. |
 | connect.image | string | `"lsstsqre/strimzi-0.27.1-kafka-3.0.0:master"` | Custom strimzi-kafka image with connector plugins used by sasquatch. |
 | connect.replicas | int | `1` | Number of Kafka Connect replicas to run. |
-| kafka.config | object | `{"log.retention.bytes":"644245094400","log.retention.hours":168,"offsets.retention.minutes":10080}` | Configuration overrides for the Kafka server. |
-| kafka.config."log.retention.bytes" | string | `"644245094400"` | Maximum retained number of bytes for a topic's data. |
-| kafka.config."log.retention.hours" | int | `168` | Number of days for a topic's data to be retained. |
-| kafka.config."offsets.retention.minutes" | int | `10080` | Number of minutes for a consumer group's offsets to be retained. |
+| kafka.config | object | `{"log.retention.bytes":"429496729600","log.retention.hours":24,"offsets.retention.minutes":1440}` | Configuration overrides for the Kafka server. |
+| kafka.config."log.retention.bytes" | string | `"429496729600"` | Maximum retained number of bytes for a topic's data. |
+| kafka.config."log.retention.hours" | int | `24` | Number of days for a topic's data to be retained. |
+| kafka.config."offsets.retention.minutes" | int | `1440` | Number of minutes for a consumer group's offsets to be retained. |
 | kafka.replicas | int | `3` | Number of Kafka broker replicas to run. |
-| kafka.storage.size | string | `"100Gi"` | Size of the backing storage disk for each of the Kafka brokers. |
+| kafka.storage.size | string | `"500Gi"` | Size of the backing storage disk for each of the Kafka brokers. |
 | kafka.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. |
 | kafka.version | string | `"3.0.0"` | Version of Kafka to deploy. |
 | registry.schemaTopic | string | `"registry-schemas"` | Name of the topic used by the Schema Registry |
diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml
index a0d3428c93..c9bc0c7b82 100644
--- a/services/sasquatch/charts/strimzi-kafka/values.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/values.yaml
@@ -10,17 +10,17 @@ kafka:
 replicas: 3
 storage:
 # -- Size of the backing storage disk for each of the Kafka brokers.
- size: 100Gi
+ size: 500Gi
 # -- Name of a StorageClass to use when requesting persistent volumes.
 storageClassName: ""
 # -- Configuration overrides for the Kafka server.
 config:
 # -- Number of minutes for a consumer group's offsets to be retained.
- offsets.retention.minutes: 10080
+ offsets.retention.minutes: 1440
 # -- Number of days for a topic's data to be retained.
- log.retention.hours: 168
+ log.retention.hours: 24
 # -- Maximum retained number of bytes for a topic's data.
- log.retention.bytes: "644245094400"
+ log.retention.bytes: "429496729600"
 zookeeper:
 # -- Number of Zookeeper replicas to run.
From 4f7e895eda86cef6ad8ab7f374a884e2db5147f4 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Wed, 15 Jun 2022 19:26:49 -0700
Subject: [PATCH 0671/1479] Review InfluxDB, Chronograf and Kapacitor volumes - Set the default size of InfluxDB volume to 1Ti (test stand deployment) - Set default size for Chronograf and Kapacitor volumes to 100Gi
---
 services/sasquatch/README.md | 5 +++--
 services/sasquatch/values.yaml | 9 +++++++--
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md
index dab76e80c0..da1dfc5b85 100644
--- a/services/sasquatch/README.md
+++ b/services/sasquatch/README.md
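Review bot: The comment above the changed `log.retention.hours: 24` still reads `# -- Number of days for a topic's data to be retained.`, but the key is in hours, so the new value is one day rather than 24 days, and the README row regenerated from it repeats the mistake. Change it to `# -- Number of hours for a topic's data to be retained.` and regenerate the README. Separately, Kafka applies `log.retention.bytes` per partition rather than per topic, so with 400 GiB per partition on a 500 GiB broker disk a single multi-partition topic can still fill the volume; the comment should say `per partition`, and the value should be sized against the expected partitions per broker, which this chart does not show.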
@@ -24,7 +24,7 @@ Rubin Observatory's telemetry service. | chronograf.envFromSecret | string | `"sasquatch"` | Chronograf secrets, expected keys generic_client_id, generic_client_secret and token_secret. | | chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.4"}` | Chronograf image tag. | | chronograf.ingress | object | disabled | Chronograf ingress configuration. | -| chronograf.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | +| chronograf.persistence | object | `{"enabled":true,"size":"100Gi"}` | Chronograf data persistence configuration. | | csc.enabled | bool | `false` | Whether the test csc is deployed. | | csc.env | object | `{"LSST_DDS_PARTITION_PREFIX":"test","LSST_SITE":"test","OSPL_ERRORFILE":"/tmp/ospl-error-test.log","OSPL_INFOFILE":"/tmp/ospl-info-test.log","OSPL_URI":"file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml"}` | Enviroment variables to run the Test CSC. | | csc.env.OSPL_URI | string | `"file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml"` | Use a single process configuration for DDS OpenSplice. | 
@@ -39,6 +39,7 @@ Rubin Observatory's telemetry service. | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | | influxdb.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | +| influxdb.persistence | object | `{"accessMode":"ReadWriteOnce","enabled":true,"size":"1Ti"}` | InfluxDB persistence. | | influxdb.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"sasquatch"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | | kafka-connect-manager | object | `{}` | Override strimzi-kafka configuration. | | kafka-producers.enabled | bool | `false` | Whether the kafka-producer for the test csc is deployed. | 
@@ -67,7 +68,7 @@ Rubin Observatory's telemetry service. | kapacitor.existingSecret | string | `"sasquatch"` | InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. | | kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.4"}` | Kapacitor image tag. | | kapacitor.influxURL | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB connection URL. | -| kapacitor.persistence | object | `{"enabled":true,"size":"16Gi"}` | Chronograf data persistence configuration. | +| kapacitor.persistence | object | `{"enabled":true,"size":"100Gi"}` | Chronograf data persistence configuration. | | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","operatorNamespace":"sasquatch","watchNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | | telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 459bc0619d..38041f6131 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -13,6 +13,11 @@ influxdb: # -- InfluxDB image tag. image: tag: "1.8.10" + # -- InfluxDB persistence. + persistence: + enabled: true + accessMode: ReadWriteOnce + size: 1Ti # -- Default InfluxDB user, use influxb-user and influxdb-password keys from secret. setDefaultUser: enabled: true @@ -65,7 +70,7 @@ chronograf: # -- Chronograf data persistence configuration. persistence: enabled: true - size: 16Gi + size: 100Gi # -- Chronograf ingress configuration. # @default -- disabled ingress: 
@@ -91,7 +96,7 @@ kapacitor: # -- Chronograf data persistence configuration. persistence: enabled: true - size: 16Gi + size: 100Gi # -- InfluxDB connection URL. influxURL: http://sasquatch-influxdb.sasquatch:8086 # -- InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. From 52ec67e9cbd141a5ef95c9d51ccda834371bf683 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 15 Jun 2022 19:35:41 -0700 Subject: [PATCH 0672/1479] Increase InfluxDB volume at the Summit --- services/sasquatch/values-summit.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index b9ab8c38cc..1d87158c28 100644 --- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml @@ -9,6 +9,7 @@ strimzi-kafka: influxdb: persistence: storageClass: rook-ceph-block + size: 15Ti ingress: enabled: true hostname: summit-lsp.lsst.codes From 522e556a8621b8ce82f178f9c4c46a7f6b7d52dc Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 16 Jun 2022 11:15:49 -0700 Subject: [PATCH 0673/1479] [DM-35242] TAP volume to 30 --- services/mobu/values-idfint.yaml | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 14bfd9174c..c0756af067 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -27,7 +27,7 @@ autostart: repo_branch: "prod" restart: true - name: "tap" - count: 15 + count: 30 users: - username: "systemtest01" uidnumber: 74768 
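Review bot: The comment on the kapacitor `persistence` block, `# -- Chronograf data persistence configuration.`, is a copy of the Chronograf one and yields the same wrong description in the regenerated README row for `kapacitor.persistence`; it should read `# -- Kapacitor data persistence configuration.`. The comment line is context in this hunk, but the README row it generates is rewritten by this commit, so this is the natural commit to fix it in.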
@@ -59,6 +59,36 @@ autostart: uidnumber: 74781 - username: "systemtest15" uidnumber: 74782 + - username: "systemtest16" + uidnumber: 74783 + - username: "systemtest17" + uidnumber: 74784 + - username: "systemtest18" + uidnumber: 74785 + - username: "systemtest19" + uidnumber: 74786 + - username: "systemtest20" + uidnumber: 74787 + - username: "systemtest21" + uidnumber: 74788 + - username: "systemtest22" + uidnumber: 74789 + - username: "systemtest23" + uidnumber: 74790 + - username: "systemtest24" + uidnumber: 74791 + - username: "systemtest25" + uidnumber: 74792 + - username: "systemtest26" + uidnumber: 74793 + - username: "systemtest27" + uidnumber: 74794 + - username: "systemtest28" + uidnumber: 74795 + - username: "systemtest29" + uidnumber: 74796 + - username: "systemtest30" + uidnumber: 74797 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true From 362105898dbd0061bbc6821ca185da7da0145483 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 16 Jun 2022 11:35:31 -0700 Subject: [PATCH 0674/1479] Bump mobu version to 4.3.1 Pick up change to TAP query annotations. --- services/mobu/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index f905f5725d..993b1861bd 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -3,4 +3,4 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu -appVersion: 4.3.0 +appVersion: 4.3.1 From 87a7b75a11e463d5fef3d7a9a4b7271ebea22d62 Mon Sep 17 00:00:00 2001 From: Fritz Mueller Date: Thu, 16 Jun 2022 12:44:08 -0700 Subject: [PATCH 0675/1479] Bump tap_schema to 1.1.11 --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index db1495ea4f..56825aefcc 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.10 +appVersion: 1.1.11 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From 1f94458d4c15cf8f4b6f358f752a51c85e39da35 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 16 Jun 2022 16:00:12 -0700 Subject: [PATCH 0676/1479] Bump version of datalinker to 1.3.1 --- services/datalinker/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index 8f44b0ae08..e5dd132c44 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: IVOA DataLink service for Rubin Science Platform sources: - https://github.com/lsst-sqre/datalinker -appVersion: 1.3.0 +appVersion: 1.3.1 From 9fc63d46bd6340f8841cb061a6943c5ff4cbbc97 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 16 Jun 2022 20:23:44 -0700 Subject: [PATCH 0677/1479] [DM-35242] Use TAP 1.2.1 --- services/tap/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml index 519282f19b..f2bd045561 100644 --- a/services/tap/Chart.yaml +++ b/services/tap/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: "1.2.0" +appVersion: "1.2.1" description: A Helm chart for the CADC TAP service home: https://github.com/lsst-sqre/lsst-tap-service name: cadc-tap From 58272707f12e82c822c1d14e07adc01c23ac386e Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 16 Jun 2022 20:23:56 -0700 Subject: [PATCH 0678/1479] [DM-35242] Increase timeout to 30 minutes --- services/tap/templates/tap-ingress-authenticated.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/tap/templates/tap-ingress-authenticated.yaml b/services/tap/templates/tap-ingress-authenticated.yaml index fe168f1b4e..f83394ff89 100644 --- a/services/tap/templates/tap-ingress-authenticated.yaml 
+++ b/services/tap/templates/tap-ingress-authenticated.yaml
@@ -12,9 +12,9 @@ metadata:
 nginx.ingress.kubernetes.io/configuration-snippet: |
 auth_request_set $auth_token $upstream_http_x_auth_request_token;
 proxy_set_header Authorization "Bearer $auth_token";
- nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
- nginx.ingress.kubernetes.io/proxy-send-timeout: "900"
- nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "1800"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
 nginx.ingress.kubernetes.io/rewrite-target: "/tap/$2"
 nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/"
 nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/tap/"
From 3ae6251b57d58df082a74e92188f1dea84f84649 Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Thu, 16 Jun 2022 20:26:16 -0700
Subject: [PATCH 0679/1479] [DM-35242] Replica count to 2
---
 services/tap/values-idfint.yaml | 2 ++
 services/tap/values-idfprod.yaml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/services/tap/values-idfint.yaml b/services/tap/values-idfint.yaml
index b0a7af3d2f..11bab7d2a0 100644
--- a/services/tap/values-idfint.yaml
+++ b/services/tap/values-idfint.yaml
@@ -6,6 +6,8 @@ resources:
 cpu: 8.0
 memory: "32G"
+replicaCount: 2
+
 config:
 gcsBucket: "async-results.lsst.codes"
 gcsBucketUrl: "http://async-results.lsst.codes"
diff --git a/services/tap/values-idfprod.yaml b/services/tap/values-idfprod.yaml
index 59eb3337d6..a96be3b075 100644
--- a/services/tap/values-idfprod.yaml
+++ b/services/tap/values-idfprod.yaml
@@ -6,6 +6,8 @@ resources:
 cpu: 8.0
 memory: "32G"
+replicaCount: 2
+
 config:
 gcsBucket: "async-results.lsst.codes"
 gcsBucketUrl: "http://async-results.lsst.codes"
From 6dbc8a1293b9807a1b1519cfcc75e7ae15782c1e Mon Sep 17 00:00:00 2001
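Review bot: `nginx.ingress.kubernetes.io/proxy-connect-timeout: "1800"` has no effect beyond 75 s, since nginx documents `proxy_connect_timeout` as not exceeding 75 seconds, so only the send and read timeouts really change and moving all three in lock-step hides that. A 30-minute `proxy-read-timeout` also lets every authenticated client hold an nginx connection and a TAP backend thread for half an hour per request, and with the `replicaCount: 2` added in PATCH 0679 that is a small fixed pool that slow or idle-holding clients can exhaust; if the goal is long synchronous queries, steering them to the async job endpoint (the chart already configures an `async-results` bucket) is the safer fix. At minimum, pull the number into a single chart value such as `config.proxyTimeout` and render it with `| quote` in all three annotations so they cannot drift. The `metadata.annotations` block starts outside the hunk.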
From: Christine Banek Date: Thu, 16 Jun 2022 20:28:32 -0700 Subject: [PATCH 0680/1479] [DM-35242] Bump chart version just for kicks --- services/tap/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml index f2bd045561..f7dac14212 100644 --- a/services/tap/Chart.yaml +++ b/services/tap/Chart.yaml @@ -3,4 +3,4 @@ appVersion: "1.2.1" description: A Helm chart for the CADC TAP service home: https://github.com/lsst-sqre/lsst-tap-service name: cadc-tap -version: 1.0.8 +version: 1.0.9 From 487f6b808d2280f4a42fcc43854efbed79239c2d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 17 Jun 2022 10:44:07 -0700 Subject: [PATCH 0681/1479] Enable hips service on IDF prod --- science-platform/values-idfprod.yaml | 2 +- services/hips/values-idfprod.yaml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 services/hips/values-idfprod.yaml diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index 61d131a886..c26fcb2b6f 100644 --- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -16,7 +16,7 @@ exposurelog: gafaelfawr: enabled: true hips: - enabled: false + enabled: true ingress_nginx: enabled: true mobu: diff --git a/services/hips/values-idfprod.yaml b/services/hips/values-idfprod.yaml new file mode 100644 index 0000000000..32762ef72e --- /dev/null +++ b/services/hips/values-idfprod.yaml @@ -0,0 +1,4 @@ +config: + gcsProject: "data-curation-prod-fbdb" + gcsBucket: "static-us-central1-dp02-hips" + serviceAccount: "crawlspace-hips@science-platform-stable-6994.iam.gserviceaccount.com" From 553295da22159296f44d3bedd061322bf893699b Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Fri, 17 Jun 2022 16:38:21 -0700 Subject: [PATCH 0682/1479] [DM-35242] Turn TAP mobu back to 1 --- services/mobu/values-idfint.yaml | 60 +------------------------------- 1 file changed, 1 insertion(+), 59 deletions(-) 
diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index c0756af067..f8045afb14 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -27,68 +27,10 @@ autostart: repo_branch: "prod" restart: true - name: "tap" - count: 30 + count: 1 users: - username: "systemtest01" uidnumber: 74768 - - username: "systemtest02" - uidnumber: 74769 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest04" - uidnumber: 74771 - - username: "systemtest05" - uidnumber: 74772 - - username: "systemtest06" - uidnumber: 74773 - - username: "systemtest07" - uidnumber: 74774 - - username: "systemtest08" - uidnumber: 74775 - - username: "systemtest09" - uidnumber: 74776 - - username: "systemtest10" - uidnumber: 74777 - - username: "systemtest11" - uidnumber: 74778 - - username: "systemtest12" - uidnumber: 74779 - - username: "systemtest13" - uidnumber: 74780 - - username: "systemtest14" - uidnumber: 74781 - - username: "systemtest15" - uidnumber: 74782 - - username: "systemtest16" - uidnumber: 74783 - - username: "systemtest17" - uidnumber: 74784 - - username: "systemtest18" - uidnumber: 74785 - - username: "systemtest19" - uidnumber: 74786 - - username: "systemtest20" - uidnumber: 74787 - - username: "systemtest21" - uidnumber: 74788 - - username: "systemtest22" - uidnumber: 74789 - - username: "systemtest23" - uidnumber: 74790 - - username: "systemtest24" - uidnumber: 74791 - - username: "systemtest25" - uidnumber: 74792 - - username: "systemtest26" - uidnumber: 74793 - - username: "systemtest27" - uidnumber: 74794 - - username: "systemtest28" - uidnumber: 74795 - - username: "systemtest29" - uidnumber: 74796 - - username: "systemtest30" - uidnumber: 74797 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true From de1c41592bbc99d67a5555f6092ce460acfacf16 Mon Sep 17 00:00:00 2001 
From: Angelo Fausti Date: Tue, 21 Jun 2022 11:14:24 -0700 Subject: [PATCH 0683/1479] Disable query-timeout limit temporarily - We are running a side load query as part of a database restore which usually takes a long time to complete, so we need to disable the query-timeout limit temporarily. --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index da1dfc5b85..176fb8cb76 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -35,7 +35,7 @@ Rubin Observatory's telemetry service. | csc.osplVersion | string | `"V6.10.4"` | DDS OpenSplice version. | | csc.useExternalConfig | bool | `false` | Wether to use an external configuration for DDS OpenSplice. | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"900s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | +| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"0s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | | influxdb.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 38041f6131..5253c6655f 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -48,7 +48,7 @@ influxdb: coordinator: write-timeout: "60s" max-concurrent-queries: 10 - query-timeout: "900s" + query-timeout: "0s" log-queries-after: "15s" continuous_queries: enabled: false 
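Review bot: `query-timeout: "0s"` switches the coordinator's query timeout off entirely, and nothing in values.yaml records that this is meant to be temporary, so the safeguard is likely to stay off after the shard restore is finished. Two later commits in this series lift the remaining limits in the same stanza (`max-concurrent-queries: 0` and `write-timeout: "1h"`), after which a handful of expensive or stalled queries from any client with database credentials can occupy the shared InfluxDB instance indefinitely. Consider annotating the line, e.g. `query-timeout: "0s"  # TEMPORARY for the <ticket> shard restore; restore "900s" afterwards`, and tracking the revert of all three settings together. If the restore query needs a long but bounded limit, a large explicit value keeps the protection in place.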
From 42e026e70a1310a6baef0eced3250ca58475fee3 Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Tue, 21 Jun 2022 11:55:04 -0700 Subject: [PATCH 0684/1479] exposurelog: update appVersion to 0.9.4 --- services/exposurelog/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml index 447066d96e..3c6dfb2e44 100644 --- a/services/exposurelog/Chart.yaml +++ b/services/exposurelog/Chart.yaml @@ -9,4 +9,4 @@ version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.9.3 +appVersion: 0.9.4 From 0e92ac89b8fd61eaaf8fc28228a2f3c45d248276 Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Tue, 21 Jun 2022 11:55:25 -0700 Subject: [PATCH 0685/1479] narrativelog: update appVersion to 0.2.3 --- services/narrativelog/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml index 6c7b7c2c41..37441cdf8b 100644 --- a/services/narrativelog/Chart.yaml +++ b/services/narrativelog/Chart.yaml @@ -9,4 +9,4 @@ version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.2.2 +appVersion: 0.2.3 From 55e3b80198a7d1f956f105966f924b24be2374c4 Mon Sep 17 00:00:00 2001 From: Frossie Date: Tue, 21 Jun 2022 16:24:28 -0700 Subject: [PATCH 0686/1479] add read:image token scope shot in the dark, trying to figure out why portal is 403 --- services/gafaelfawr/values-stable.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/services/gafaelfawr/values-stable.yaml b/services/gafaelfawr/values-stable.yaml
index b02eb57576..9c0304c968 100644
--- a/services/gafaelfawr/values-stable.yaml
+++ b/services/gafaelfawr/values-stable.yaml
@@ -31,6 +31,7 @@ config:
 "exec:notebook": ["lsst_int_lspdev"]
 "exec:portal": ["lsst_int_lspdev"]
 "read:tap": ["lsst_int_lspdev"]
+ "read:image": ["lsst_int_lspdev"]
 initialAdmins:
 - "afausti"
From 854b8c3b5fba41efb5ac84cf313ca96683ae28d8 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 23 Jun 2022 11:07:55 -0700 Subject: [PATCH 0687/1479] Enable debug log level in InfluxDB - Need to debug the execution of a long running query used to restore a backup shard --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md
index 176fb8cb76..c4b208a918 100644
--- a/services/sasquatch/README.md
+++ b/services/sasquatch/README.md
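Review bot: The added `"read:image": ["lsst_int_lspdev"]` entry widens the token scopes granted to that group in the stable environment on the strength of a guess (the commit message calls it a shot in the dark for a Portal 403), and nothing in the file records why the grant exists. If the extra scope does not turn out to be the cause of the 403, it should be reverted rather than left as an unexplained broadening of the group's access; if it is, a short comment such as `# read:image is needed by the Portal aspect` keeps the scope mapping auditable. The enclosing `config:` mapping extends beyond this hunk.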
@@ -35,7 +35,7 @@ Rubin Observatory's telemetry service. | csc.osplVersion | string | `"V6.10.4"` | DDS OpenSplice version. | | csc.useExternalConfig | bool | `false` | Wether to use an external configuration for DDS OpenSplice. | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"0s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | +| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"0s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0},"logging":{"level":"debug"}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | | influxdb.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 5253c6655f..dfb1f5412e 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -52,6 +52,8 @@ influxdb: log-queries-after: "15s" continuous_queries: enabled: false + logging: + level: "debug" # -- InfluxDB Custom initialization scripts. initScripts: enabled: true 
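Review bot: The new `logging: level: "debug"` block turns on debug logging for the whole InfluxDB instance with no marker that it is a temporary diagnostic for the shard restore, so the extra log volume will persist after the restore is done. `log-queries-after: "15s"` in the same stanza already records slow-query text; at debug level the server is likely to emit considerably more, possibly including request details that should not accumulate in long-term logs — verify against the InfluxDB 1.8 logging documentation linked from the README. Suggest `level: "debug"  # TEMPORARY: diagnosing the <ticket> shard restore; remove this block afterwards` so the revert is not forgotten.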
From 5ad097497363da4dfbe7d367dad9410af6c6abb2 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 23 Jun 2022 14:25:54 -0400 Subject: [PATCH 0688/1479] Deploy squareone 0.7.0 - Updated dependencies - New hero background image for the homepage --- services/squareone/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index e9438046b8..56d9a39ad1 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,4 +10,4 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "tickets-DM-35057" +appVersion: "0.7.0" From 2994b9e48a8b6fc27c47e324fd5bd676cb85c350 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 23 Jun 2022 14:14:19 -0700 Subject: [PATCH 0689/1479] Scale down IDF-int portal to 1 replica --- services/portal/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index bbff39a615..68aa2bde9c 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -1,4 +1,4 @@ -replicaCount: 4 +replicaCount: 1 config: volumes: From 90297299d08e9b6ac53d64e22e936aadc888a9e0 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 23 Jun 2022 14:24:20 -0700 Subject: [PATCH 0690/1479] Scale back to 4 --- services/portal/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 68aa2bde9c..bbff39a615 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -1,4 +1,4 @@ -replicaCount: 1 +replicaCount: 4 config: volumes: From 4c3366e6c4f42e3803a82e18c15693046e0b816f Mon Sep 17 00:00:00 2001 
From: adam Date: Thu, 23 Jun 2022 14:38:19 -0700 Subject: [PATCH 0691/1479] Scale down IDF-int portal to 1 replica --- services/portal/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index bbff39a615..68aa2bde9c 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -1,4 +1,4 @@ -replicaCount: 4 +replicaCount: 1 config: volumes: From 785e113dd58dcf99fcce0cd523adc65849f965c3 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 23 Jun 2022 15:34:14 -0700 Subject: [PATCH 0692/1479] bump portal version --- services/portal/values-idfint.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 68aa2bde9c..00b715f370 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -5,6 +5,8 @@ config: workareaNfs: path: "/share1/home/firefly/shared-workarea" server: "10.22.240.130" +image: + tag: "suit-2022.3" resources: limits: From f0c614b1aced1582bcddada594d2a732c01a988d Mon Sep 17 00:00:00 2001 From: Frossie Date: Thu, 23 Jun 2022 16:37:42 -0700 Subject: [PATCH 0693/1479] Update values-idfint.yaml --- services/portal/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 00b715f370..dd17175cf4 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -6,7 +6,7 @@ config: path: "/share1/home/firefly/shared-workarea" server: "10.22.240.130" image: - tag: "suit-2022.3" + tag: "suit-2022.2" resources: limits: From 38ee32eb3906390ec2d14fb35b7aa36a9215e244 Mon Sep 17 00:00:00 2001 From: Fritz Mueller Date: Fri, 24 Jun 2022 01:20:34 -0700 Subject: [PATCH 0694/1479] Update tap-schema to 1.1.13 --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 56825aefcc..30c0b3ab90 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.11 +appVersion: 1.1.13 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From cea9bcf9b332afd481e4f56cedcb26615fb330ca Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 24 Jun 2022 14:09:06 -0700 Subject: [PATCH 0695/1479] Allows for an unlimited number of queries - Try python code that launches async queries to copy data from one database to another, one query per measurement. --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index c4b208a918..9cf3854751 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -35,7 +35,7 @@ Rubin Observatory's telemetry service. | csc.osplVersion | string | `"V6.10.4"` | DDS OpenSplice version. | | csc.useExternalConfig | bool | `false` | Wether to use an external configuration for DDS OpenSplice. | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":10,"query-timeout":"0s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0},"logging":{"level":"debug"}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | +| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":0,"query-timeout":"0s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0},"logging":{"level":"debug"}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | | influxdb.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index dfb1f5412e..8f2a5be6a4 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml 
@@ -47,7 +47,7 @@ influxdb:
 max-row-limit: 0
 coordinator:
 write-timeout: "60s"
- max-concurrent-queries: 10
+ max-concurrent-queries: 0
 query-timeout: "0s"
 log-queries-after: "15s"
 continuous_queries:
From 3c08b103d86472221d70ad9a78dc12ea11ceb5b9 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Sat, 25 Jun 2022 08:46:36 -0700 Subject: [PATCH 0696/1479] Increase write timeout in the query coordinator - We are seeing "ClientPayloadError: Response payload is not completed" and long async queries being killed. Try to get around that by increasing the write timeout in the query coordinator. --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md
index 9cf3854751..f5b4f647ce 100644
--- a/services/sasquatch/README.md
+++ b/services/sasquatch/README.md
@@ -35,7 +35,7 @@ Rubin Observatory's telemetry service. | csc.osplVersion | string | `"V6.10.4"` | DDS OpenSplice version. | | csc.useExternalConfig | bool | `false` | Wether to use an external configuration for DDS OpenSplice. | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":0,"query-timeout":"0s","write-timeout":"60s"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0},"logging":{"level":"debug"}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | +| influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":0,"query-timeout":"0s","write-timeout":"1h"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0},"logging":{"level":"debug"}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | | influxdb.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 8f2a5be6a4..338a75c1d0 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml 
@@ -46,7 +46,7 @@ influxdb: auth-enabled: true max-row-limit: 0 coordinator: - write-timeout: "60s" + write-timeout: "1h" max-concurrent-queries: 0 query-timeout: "0s" log-queries-after: "15s" From 11fbe79467c34531843ff6ff1caf6edcd1cd3a2f Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 20 Jun 2022 15:15:14 -0400 Subject: [PATCH 0697/1479] Deploy Times Square 0.5.0b1 This adds initial GitHub Checks API support to Times Square. --- services/times-square/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 703ac5e390..6ebe11b49b 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -7,7 +7,7 @@ home: https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image -appVersion: "0.4.0" +appVersion: "0.5.0b1" dependencies: - name: redis From e49a61b0dc8d319d9f4f040201e3a2378f967b39 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Sun, 26 Jun 2022 14:42:08 -0400 Subject: [PATCH 0698/1479] DM-35317 Deploy squareone 0.7.1 This update to Squareone includes documentation link updates for DP0.2. --- services/squareone/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index 56d9a39ad1..45927cffd9 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,4 +10,4 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "0.7.0" +appVersion: "0.7.1" From b10ac88ff08df10c4689e3e97e0d46b49d43db01 Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Fri, 24 Jun 2022 10:50:37 -0700 Subject: [PATCH 0699/1479] Update TTS cachemachine to cycle 26. --- services/cachemachine/values-tucson-teststand.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/services/cachemachine/values-tucson-teststand.yaml b/services/cachemachine/values-tucson-teststand.yaml index 3b960c522d..dbaf509662 100644 --- a/services/cachemachine/values-tucson-teststand.yaml +++ b/services/cachemachine/values-tucson-teststand.yaml @@ -8,11 +8,11 @@ autostart: "type": "RubinRepoMan", "registry_url": "ts-dockerhub.lsst.org", "repo": "sal-sciplat-lab", - "recommended_tag": "recommended_c0025", + "recommended_tag": "recommended_c0026", "num_releases": 1, "num_weeklies": 3, "num_dailies": 2, - "cycle": 25, + "cycle": 26, "alias_tags": [ "latest", "latest_daily", From f58e285ca0d4be8e43693fbfec315d375bdd0eeb Mon Sep 17 00:00:00 2001 From: Fritz Mueller Date: Mon, 27 Jun 2022 12:37:54 -0700 Subject: [PATCH 0700/1479] Update tap_schema to 1.1.14 --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 30c0b3ab90..6baee624d6 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.13 +appVersion: 1.1.14 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From bcb506e96ce36af3e35c91759a66d421e0d78eab Mon Sep 17 00:00:00 2001 From: Fritz Mueller Date: Mon, 27 Jun 2022 13:46:47 -0700 Subject: [PATCH 0701/1479] Update Chart.yaml --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 6baee624d6..e2001d7ecd 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.14 +appVersion: 1.1.16 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From fc23f17756a882b3309e490fa45c5c8277d2b3e5 Mon Sep 17 00:00:00 2001 
From: Fritz Mueller Date: Mon, 27 Jun 2022 14:20:21 -0700 Subject: [PATCH 0702/1479] Update tap_schema to 1.1.17 --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index e2001d7ecd..25ae16e730 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.16 +appVersion: 1.1.17 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From 32fad0e50a34bed88c04553ab225d03a01af4237 Mon Sep 17 00:00:00 2001 From: Frossie Date: Mon, 27 Jun 2022 21:56:57 -0700 Subject: [PATCH 0703/1479] Replicas back to 4 Trying to trigger the issue seen on prod --- services/portal/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index dd17175cf4..3c5641b42a 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -1,4 +1,4 @@ -replicaCount: 1 +replicaCount: 4 config: volumes: From c5d9b79d2cc73ad0de61c35f88ef1b87720e078d Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Fri, 24 Jun 2022 13:17:29 -0700 Subject: [PATCH 0704/1479] narrativelog: bump appVersion --- services/narrativelog/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml index 37441cdf8b..e43398f64f 100644 --- a/services/narrativelog/Chart.yaml +++ b/services/narrativelog/Chart.yaml @@ -9,4 +9,4 @@ version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.2.3 +appVersion: 0.2.4 
From 32a0f594f53d63b69e688489817fda1c82b3b40f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 28 Jun 2022 12:13:23 -0700 Subject: [PATCH 0705/1479] Update HiPS service Use version 0.2.0 of crawlspace and increase the replicas to 4 in IDF int and IDF prod. Add a configuration to set the log level. --- services/hips/Chart.yaml | 2 +- services/hips/README.md | 1 + services/hips/templates/deployment.yaml | 2 ++ services/hips/values-idfint.yaml | 2 ++ services/hips/values-idfprod.yaml | 2 ++ services/hips/values.yaml | 3 +++ 6 files changed, 11 insertions(+), 1 deletion(-) diff --git a/services/hips/Chart.yaml b/services/hips/Chart.yaml index 89c9cde2e5..25ebc269af 100644 --- a/services/hips/Chart.yaml +++ b/services/hips/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: HiPS web server backed by Google Cloud Storage sources: - https://github.com/lsst-sqre/crawlspace -appVersion: 0.1.1 +appVersion: 0.2.0 diff --git a/services/hips/README.md b/services/hips/README.md index 6f5f99b46f..6feff8cfec 100644 --- a/services/hips/README.md +++ b/services/hips/README.md @@ -17,6 +17,7 @@ HiPS web server backed by Google Cloud Storage | autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of hips deployment pods | | config.gcsBucket | string | None, must be set | Name of Google Cloud Storage bucket holding the HiPS files | | config.gcsProject | string | None, must be set | Google Cloud project in which the underlying storage is located | +| config.logLevel | string | `"INFO"` | Choose from the text form of Python logging levels | | config.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `hips` Kubernetes service account and has access to the storage bucket | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | 
diff --git a/services/hips/templates/deployment.yaml b/services/hips/templates/deployment.yaml index 1d1f8096ed..007849dc3f 100644 --- a/services/hips/templates/deployment.yaml +++ b/services/hips/templates/deployment.yaml @@ -27,6 +27,8 @@ spec: value: {{ required "config.gcsProject must be set" .Values.config.gcsProject | quote }} - name: "CRAWLSPACE_BUCKET" value: {{ required "config.gcsBucket must be set" .Values.config.gcsBucket | quote }} + - name: "SAFIR_LOG_LEVEL" + value: {{ .Values.config.logLevel | quote }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: diff --git a/services/hips/values-idfint.yaml b/services/hips/values-idfint.yaml index f295c1087e..54f6619c7a 100644 --- a/services/hips/values-idfint.yaml +++ b/services/hips/values-idfint.yaml @@ -1,3 +1,5 @@ +replicaCount: 4 + config: gcsProject: "data-curation-prod-fbdb" gcsBucket: "static-us-central1-dp02-hips" diff --git a/services/hips/values-idfprod.yaml b/services/hips/values-idfprod.yaml index 32762ef72e..a3710b46f8 100644 --- a/services/hips/values-idfprod.yaml +++ b/services/hips/values-idfprod.yaml @@ -1,3 +1,5 @@ +replicaCount: 4 + config: gcsProject: "data-curation-prod-fbdb" gcsBucket: "static-us-central1-dp02-hips" diff --git a/services/hips/values.yaml b/services/hips/values.yaml index 92a1a9f488..997432e85c 100644 --- a/services/hips/values.yaml +++ b/services/hips/values.yaml @@ -14,6 +14,9 @@ config: # @default -- None, must be set gcsBucket: "" + # -- Choose from the text form of Python logging levels + logLevel: "INFO" + # -- The Google service account that has an IAM binding to the `hips` # Kubernetes service account and has access to the storage bucket # @default -- None, must be set From acebdbd52d4ec6d4d3e557d2d3efc26e0340bf8f Mon Sep 17 00:00:00 2001 
From: Gregory Dubois-Felsmann Date: Thu, 30 Jun 2022 12:11:24 -0700 Subject: [PATCH 0706/1479] Update Portal version for testing --- services/portal/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 3c5641b42a..0b1b80f458 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -6,7 +6,7 @@ config: path: "/share1/home/firefly/shared-workarea" server: "10.22.240.130" image: - tag: "suit-2022.2" + tag: "suit-2022.2.1" resources: limits: From a874a51da4278fe615539f662db79546cd37a579 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 30 Jun 2022 13:50:10 -0700 Subject: [PATCH 0707/1479] Default to suit-2022.2.1 --- services/portal/Chart.yaml | 2 +- services/portal/values-idfdev.yaml | 3 --- services/portal/values-idfint.yaml | 2 -- 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml index cd0b6cb4ac..325f973f6f 100644 --- a/services/portal/Chart.yaml +++ b/services/portal/Chart.yaml @@ -3,4 +3,4 @@ name: portal version: 1.0.0 description: "Rubin Science Platform portal aspect" home: "https://github.com/lsst/suit" -appVersion: "suit-2022.2" +appVersion: "suit-2022.2.1" diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index d4f1a080a7..81bc35d85e 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -4,9 +4,6 @@ resources: limits: memory: "2Gi" -image: - tag: "suit-2022.3" - config: volumes: workareaNfs: diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 0b1b80f458..bbff39a615 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -5,8 +5,6 @@ config: workareaNfs: path: "/share1/home/firefly/shared-workarea" server: "10.22.240.130" -image: - tag: "suit-2022.2.1" resources: limits: 
From 62b2cbd2c24d090d0d3435e45356a57185ca13e9 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 27 May 2022 13:02:16 -0700 Subject: [PATCH 0708/1479] Add kafdrop sub chart to sasquatch --- services/sasquatch/Chart.yaml | 2 + services/sasquatch/README.md | 1 + services/sasquatch/charts/kafdrop/Chart.yaml | 7 ++ services/sasquatch/charts/kafdrop/README.md | 36 ++++++++ .../charts/kafdrop/templates/NOTES.txt | 9 ++ .../charts/kafdrop/templates/_helpers.tpl | 52 +++++++++++ .../charts/kafdrop/templates/deployment.yaml | 88 +++++++++++++++++++ .../charts/kafdrop/templates/ingress.yaml | 27 ++++++ .../charts/kafdrop/templates/service.yaml | 15 ++++ services/sasquatch/charts/kafdrop/values.yaml | 78 ++++++++++++++++ services/sasquatch/values-idfdev.yaml | 5 ++ services/sasquatch/values-int.yaml | 5 ++ services/sasquatch/values-minikube.yaml | 5 ++ services/sasquatch/values-stable.yaml | 5 ++ services/sasquatch/values-summit.yaml | 5 ++ .../sasquatch/values-tucson-teststand.yaml | 5 ++ 16 files changed, 345 insertions(+) create mode 100644 services/sasquatch/charts/kafdrop/Chart.yaml create mode 100644 services/sasquatch/charts/kafdrop/README.md create mode 100644 services/sasquatch/charts/kafdrop/templates/NOTES.txt create mode 100644 services/sasquatch/charts/kafdrop/templates/_helpers.tpl create mode 100644 services/sasquatch/charts/kafdrop/templates/deployment.yaml create mode 100644 services/sasquatch/charts/kafdrop/templates/ingress.yaml create mode 100644 services/sasquatch/charts/kafdrop/templates/service.yaml create mode 100644 services/sasquatch/charts/kafdrop/values.yaml
diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml
index e73719472e..e916697a6d 100644
--- a/services/sasquatch/Chart.yaml
+++ b/services/sasquatch/Chart.yaml
@@ -31,3 +31,5 @@ dependencies:
 version: 0.10.1
 repository: https://lsst-ts.github.io/charts/
 condition: kafka-producers.enabled
+ - name: kafdrop
+ version: 1.0.0
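Review bot: The new `kafdrop` dependency has no `condition:` key, unlike the `kafka-producers` entry visible just above it (`condition: kafka-producers.enabled`), so the subchart will be rendered in every environment that deploys sasquatch regardless of any `kafdrop.enabled` value the per-environment values files set. Kafdrop exposes the content of every topic it can reach through a web UI, so the set of environments that run it should be an explicit choice rather than a side effect of adding the dependency. Add `condition: kafdrop.enabled` to the new entry and make sure the subchart's values.yaml defines `enabled` with a default of `false`; the six values-*.yaml files this commit touches are not visible in this chunk, so I cannot confirm what they set.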
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index f5b4f647ce..376571bb24 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -6,6 +6,7 @@ Rubin Observatory's telemetry service. | Repository | Name | Version | |------------|------|---------| +| | kafdrop | 1.0.0 | | | kafka-connect-manager | 1.0.0 | | | strimzi-kafka | 1.0.0 | | https://helm.influxdata.com/ | chronograf | 1.2.5 | diff --git a/services/sasquatch/charts/kafdrop/Chart.yaml b/services/sasquatch/charts/kafdrop/Chart.yaml new file mode 100644 index 0000000000..09bb251780 --- /dev/null +++ b/services/sasquatch/charts/kafdrop/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: kafdrop +version: 1.0.0 +description: A subchart to deploy the Kafdrop UI for Sasquatch. +sources: + - https://github.com/obsidiandynamics/kafdrop +appVersion: 3.30.0 diff --git a/services/sasquatch/charts/kafdrop/README.md b/services/sasquatch/charts/kafdrop/README.md new file mode 100644 index 0000000000..f75f7365eb --- /dev/null +++ b/services/sasquatch/charts/kafdrop/README.md 
@@ -0,0 +1,36 @@ +# kafdrop + +A subchart to deploy the Kafdrop UI for Sasquatch. + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity configuration. | +| cmdArgs | string | `"--message.format=AVRO --topic.deleteEnabled=false --topic.createEnabled=false"` | Command line arguments to Kafdrop. | +| existingSecret | string | `""` | Existing k8s secrect use to set kafdrop environment variables. Set SCHEMAREGISTRY_AUTH for basic auth credentials in the form username:password | +| host | string | Defaults to localhost. | The hostname to report for the RMI registry (used for JMX). | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. | +| image.repository | string | `"obsidiandynamics/kafdrop"` | Kafdrop Docker image repository. | +| image.tag | string | `"3.30.0"` | Kafdrop image version. | +| ingress.annotations | object | `{}` | Ingress annotations. | +| ingress.enabled | bool | `false` | Enable Ingress. This should be true to create an ingress rule for the application. | +| ingress.hostname | string | `""` | Ingress hostname. | +| ingress.path | string | `"/kafdrop"` | Ingress path. | +| jmx.port | int | Defaults to 8686 | Port to use for JMX. If unspecified, JMX will not be exposed. | +| jvm.opts | string | `""` | JVM options. | +| kafka.broker | string | `"sasquatch-kafka-bootstrap.sasquatch:9092"` | Bootstrap list of Kafka host/port pairs | +| nodeSelector | object | `{}` | Node selector configuration. | +| podAnnotations | object | `{}` | Pod annotations. | +| replicaCount | int | `1` | Number of kafdrop pods to run in the deployment. | +| resources | object | `{}` | | +| schemaregistry | string | `"sasquatch-schema-registry.sasquatch:8081"` | The endpoint of Schema Registry | +| server.port | int | Defaults to 9000. | The web server port to listen on. | +| server.servlet | object | Defaults to /. 
| The context path to serve requests on (must end with a /). | +| service.annotations | object | `{}` | Service annotations | +| service.port | int | `9000` | Service port | +| tolerations | list | `[]` | Tolerations configuration. | diff --git a/services/sasquatch/charts/kafdrop/templates/NOTES.txt b/services/sasquatch/charts/kafdrop/templates/NOTES.txt new file mode 100644 index 0000000000..b6244d54c8 --- /dev/null +++ b/services/sasquatch/charts/kafdrop/templates/NOTES.txt @@ -0,0 +1,9 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} +{{- end }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "chart.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:80 +{{- end }} diff --git a/services/sasquatch/charts/kafdrop/templates/_helpers.tpl b/services/sasquatch/charts/kafdrop/templates/_helpers.tpl new file mode 100644 index 0000000000..ffeac36252 --- /dev/null +++ b/services/sasquatch/charts/kafdrop/templates/_helpers.tpl 
@@ -0,0 +1,52 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "chart.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "chart.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "chart.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "kafdrop.labels" -}} +helm.sh/chart: {{ include "chart.name" . }} +{{ include "kafdrop.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kafdrop.selectorLabels" -}} +app.kubernetes.io/name: {{ include "chart.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/sasquatch/charts/kafdrop/templates/deployment.yaml b/services/sasquatch/charts/kafdrop/templates/deployment.yaml new file mode 100644 index 0000000000..27cebded49 --- /dev/null +++ b/services/sasquatch/charts/kafdrop/templates/deployment.yaml 
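Review bot: `kafdrop.labels` sets `helm.sh/chart: {{ include "chart.name" . }}`, which emits only the chart name; the `chart.chart` helper defined a few lines above (name-version with `+` replaced by `_`) is what that label conventionally carries and is otherwise unused in this file. Changing the line to `helm.sh/chart: {{ include "chart.chart" . }}` makes the chart version visible on every labelled resource and gives the helper a caller.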
@@ -0,0 +1,88 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "chart.fullname" . }} + labels: + {{- include "kafdrop.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "kafdrop.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kafdrop.selectorLabels" . | nindent 8 }} + annotations: + {{- with .Values.podAnnotations }} + {{ toYaml . | indent 8 }} + {{- end }} + spec: + automountServiceAccountToken: false + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + {{- if .Values.existingSecret -}} + envFrom: + - secretRef: + name: {{ .Values.existingSecret }} + {{- end }} + env: + - name: KAFKA_BROKERCONNECT + value: {{ .Values.kafka.broker | quote }} + - name: JVM_OPTS + value: {{ .Values.jvm.opts | quote }} + - name: HOST + value: {{ .Values.host | quote }} + - name: JMX_PORT + value: {{ .Values.jmx.port | quote }} + - name: SERVER_SERVLET_CONTEXTPATH + value: {{ .Values.server.servlet.contextPath | trimSuffix "/" | quote }} + - name: SERVER_PORT + value: {{ .Values.server.port | quote }} + - name: CMD_ARGS + value: {{ .Values.cmdArgs | quote }} + - name: SCHEMAREGISTRY_CONNECT + value: {{ .Values.schemaregistry | quote }} + ports: + - name: http + containerPort: {{ .Values.server.port }} + protocol: TCP + livenessProbe: + httpGet: + path: "{{ .Values.server.servlet.contextPath | trimSuffix "/" }}/actuator/health" + port: http + initialDelaySeconds: 180 + periodSeconds: 30 + timeoutSeconds: 10 + readinessProbe: + httpGet: + path: "{{ .Values.server.servlet.contextPath | trimSuffix "/" }}/actuator/health" + port: http + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 10 + 
resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{ toYaml . | indent 8 }} + {{- end }} diff --git a/services/sasquatch/charts/kafdrop/templates/ingress.yaml b/services/sasquatch/charts/kafdrop/templates/ingress.yaml new file mode 100644 index 0000000000..c219ae53c6 --- /dev/null +++ b/services/sasquatch/charts/kafdrop/templates/ingress.yaml @@ -0,0 +1,27 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "chart.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "kafdrop.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + {{- with .Values.ingress.annotations }} + {{ toYaml . | indent 4 }} + {{- end }} +spec: + rules: + - host: {{ .Values.ingress.hostname | quote }} + http: + paths: + - path: {{ $ingressPath }} + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/sasquatch/charts/kafdrop/templates/service.yaml b/services/sasquatch/charts/kafdrop/templates/service.yaml new file mode 100644 index 0000000000..720eb65e0d --- /dev/null +++ b/services/sasquatch/charts/kafdrop/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chart.fullname" . }} + labels: + {{- include "kafdrop.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "kafdrop.selectorLabels" . | nindent 4 }} diff --git a/services/sasquatch/charts/kafdrop/values.yaml b/services/sasquatch/charts/kafdrop/values.yaml new file mode 100644 index 0000000000..7db69df792 
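Review bot: `{{- if .Values.existingSecret -}}` uses a trailing `-}}`, which also strips the newline and indentation before `envFrom:`; when `existingSecret` is set the manifest renders `- ALL envFrom:` on a single line, corrupting both the capabilities list and the envFrom block, so the one path that actually injects the secret does not produce a valid Deployment. Dropping the trailing dash, `{{- if .Values.existingSecret }}`, fixes it; the matching `{{- end }}` is already correct. Separately, the container securityContext drops all capabilities and forbids privilege escalation but does not set `readOnlyRootFilesystem: true`; worth confirming whether Kafdrop needs a writable filesystem before adding it.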
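Review bot: The Ingress publishes the Kafdrop UI on `.Values.ingress.hostname` with no authentication annotations and no `tls:` section, and the same commit enables it on every environment (values-idfdev, values-int, values-minikube, values-stable, values-summit and values-tucson-teststand); Kafdrop displays topic contents, so anyone who can reach those hostnames can read messages unless an auth layer in front of nginx is applied elsewhere, which is not visible here. If the other ingresses in this deployment are protected through nginx auth annotations, the same annotations should be set here (or passed via `ingress.annotations` in each values file), and `tls:` should be configured for a public hostname. Also, `kubernetes.io/ingress.class: "nginx"` is the deprecated annotation form for `networking.k8s.io/v1`; prefer `spec.ingressClassName: nginx`.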
--- /dev/null +++ b/services/sasquatch/charts/kafdrop/values.yaml @@ -0,0 +1,78 @@ +# Default values for Kafdrop + +# -- Number of kafdrop pods to run in the deployment. +replicaCount: 1 + +image: + # -- Kafdrop Docker image repository. + repository: obsidiandynamics/kafdrop + # -- Image pull policy. + pullPolicy: IfNotPresent + # -- Kafdrop image version. + tag: 3.30.0 + +kafka: + # -- Bootstrap list of Kafka host/port pairs + broker: "sasquatch-kafka-bootstrap.sasquatch:9092" + +jvm: + # -- JVM options. + opts: "" + +# -- The hostname to report for the RMI registry (used for JMX). +# @default -- Defaults to localhost. +host: localhost + +jmx: + # -- Port to use for JMX. If unspecified, JMX will not be exposed. + # @default -- Defaults to 8686 + port: 8686 + +server: + # -- The context path to serve requests on (must end with a /). + # @default -- Defaults to /. + servlet: + contextPath: /kafdrop + # -- The web server port to listen on. + # @default -- Defaults to 9000. + port: 9000 + +# -- The endpoint of Schema Registry +schemaregistry: "sasquatch-schema-registry.sasquatch:8081" + +# -- Existing k8s secrect use to set kafdrop environment variables. +# Set SCHEMAREGISTRY_AUTH for basic auth credentials in the form username:password +existingSecret: "" + +# -- Command line arguments to Kafdrop. +cmdArgs: "--message.format=AVRO --topic.deleteEnabled=false --topic.createEnabled=false" + +service: + # -- Service annotations + annotations: {} + # -- Service port + port: 9000 + +ingress: + # -- Enable Ingress. This should be true to create an ingress rule for the application. + enabled: false + # -- Ingress annotations. + annotations: {} + # -- Ingress hostname. + hostname: "" + # -- Ingress path. + path: /kafdrop + +resources: {} + +# -- Node selector configuration. +nodeSelector: {} + +# -- Tolerations configuration. +tolerations: [] + +# -- Affinity configuration. +affinity: {} + +# -- Pod annotations. +podAnnotations: {} 
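Review bot: The `# -- The context path to serve requests on (must end with a /).` comment is attached to `servlet:` rather than to `contextPath:`, so helm-docs documents `server.servlet` as an object and never lists `server.servlet.contextPath`; the default `/kafdrop` also contradicts the "must end with a /" statement while the deployment template strips a trailing slash with `trimSuffix "/"`. Move the comment down one line onto `contextPath` and reword it to match the template's handling. `resources: {}` has no `# --` comment, which is why the README shows an empty description for it, and `secrect` should read `secret` in the `existingSecret` comment.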
diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index a532dedffb..e1277d12e9 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -10,6 +10,11 @@ kafka-connect-manager: influxdb-sink: enabled: true +kafdrop: + ingress: + enabled: true + hostname: data-dev.lsst.cloud + chronograf: ingress: enabled: true diff --git a/services/sasquatch/values-int.yaml b/services/sasquatch/values-int.yaml index bffec64dac..ed266893ec 100644 --- a/services/sasquatch/values-int.yaml +++ b/services/sasquatch/values-int.yaml @@ -18,6 +18,11 @@ kafka-connect-manager: influxdb-sink: enabled: true +kafdrop: + ingress: + enabled: true + hostname: lsst-lsp-int.ncsa.illinois.edu + chronograf: persistence: storageClass: local-path diff --git a/services/sasquatch/values-minikube.yaml b/services/sasquatch/values-minikube.yaml index ebdbf7e47e..3f2533111f 100644 --- a/services/sasquatch/values-minikube.yaml +++ b/services/sasquatch/values-minikube.yaml @@ -10,6 +10,11 @@ kafka-connect-manager: influxdb-sink: enabled: true +kafdrop: + ingress: + enabled: true + hostname: minikube.lsst.codes + chronograf: ingress: enabled: true diff --git a/services/sasquatch/values-stable.yaml b/services/sasquatch/values-stable.yaml index d9f2715fed..50cec3598c 100644 --- a/services/sasquatch/values-stable.yaml +++ b/services/sasquatch/values-stable.yaml @@ -18,6 +18,11 @@ kafka-connect-manager: influxdb-sink: enabled: true +kafdrop: + ingress: + enabled: true + hostname: lsst-lsp-stable.ncsa.illinois.edu + chronograf: persistence: storageClass: local-path diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index 1d87158c28..ba2ebe9c5d 100644 --- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml 
@@ -19,6 +19,11 @@ kafka-connect-manager: influxdb-sink: enabled: true +kafdrop: + ingress: + enabled: true + hostname: summit-lsp.lsst.codes + chronograf: persistence: storageClass: rook-ceph-block diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 41f0f08720..35a9b28a65 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -18,6 +18,11 @@ kafka-connect-manager: influxdb-sink: enabled: true +kafdrop: + ingress: + enabled: true + hostname: tucson-teststand.lsst.codes + chronograf: persistence: storageClass: rook-ceph-block From 82bad4d851a5a91c3e6c7fdfbaf95105dc442fc0 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 22 Jun 2022 16:27:33 -0700 Subject: [PATCH 0709/1479] Add kafdrop kafka user - Create the kafdrop kafka user with scram-sha-512 authentication and simple authorization --- .../strimzi-kafka/templates/kafdrop-user.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml new file mode 100644 index 0000000000..6864ab39d6 --- /dev/null +++ b/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml @@ -0,0 +1,24 @@ +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: kafdrop + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: sasquatch + key: kafdrop-password + authorization: + type: simple + acls: + - resource: + type: topic + name: "*" + patternType: literal + type: allow + host: "*" + operation: All From e9059f195527d727a161a4ef02159449ff379489 Mon Sep 17 00:00:00 2001 
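Review bot: The kafdrop user is granted `operation: All` on every topic (`name: "*"`), which includes Write, Delete and Alter, even though the chart's default `cmdArgs` disable topic creation and deletion and Kafdrop is a browsing UI. Separate `operation: Read` and `operation: Describe` entries on the `*` topic resource (plus `Describe` on group and cluster resources if consumer-group listing is needed — confirm against what Kafdrop actually calls) would keep broker-side permissions aligned with the UI-side restrictions, so a compromised Kafdrop pod or a leaked `kafdrop-password` cannot modify or delete data.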
From: Angelo Fausti Date: Wed, 29 Jun 2022 17:22:09 -0700 Subject: [PATCH 0710/1479] Set KAFKA_PROPERTIES_FILE and KAFKA_PROPERTIES - Get KAFKA_PROPERTIES from the kafdrop-kafka-properties key in the sasquatch secret. Kafdrop will use that to populate the $KAFKA_PROPERTIES_FILE --- .../sasquatch/charts/kafdrop/templates/deployment.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/services/sasquatch/charts/kafdrop/templates/deployment.yaml b/services/sasquatch/charts/kafdrop/templates/deployment.yaml index 27cebded49..cbd51dedc4 100644 --- a/services/sasquatch/charts/kafdrop/templates/deployment.yaml +++ b/services/sasquatch/charts/kafdrop/templates/deployment.yaml @@ -54,6 +54,13 @@ spec: value: {{ .Values.cmdArgs | quote }} - name: SCHEMAREGISTRY_CONNECT value: {{ .Values.schemaregistry | quote }} + - name: KAFKA_PROPERTIES_FILE + value: "/tmp/kafka.properties" + - name: KAFKA_PROPERTIES + valueFrom: + secretKeyRef: + name: sasquatch + key: kafdrop-kafka-properties ports: - name: http containerPort: {{ .Values.server.port }} From 11900b10f97c47b5e2a9a2e74f6ea5bcc3d4b138 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 27 Jun 2022 10:25:29 -0400 Subject: [PATCH 0711/1479] DM-35328 Deploy noteburst 0.5.0 This update to noteburst adds the enable_retry option to noteburst's nbexec function. --- services/noteburst/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 9d4fa6b8b8..47104f5801 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: noteburst version: 1.0.0 -appVersion: "0.4.0" +appVersion: "0.5.0" description: Noteburst is a notebook execution service for the Rubin Science Platform. type: application home: https://noteburst.lsst.io/ From e77af8eb03c13aaceb33832b628ec13548620c5f Mon Sep 17 00:00:00 2001 
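Review bot: The secret name `sasquatch` and key `kafdrop-kafka-properties` are hard-coded in the subchart, so the pod cannot be created in any release where that parent-level secret or key is absent, and the chart's existing `existingSecret` value is bypassed for this reference. Consider `name: {{ .Values.existingSecret | default "sasquatch" }}` or a dedicated value for the secret name so that values.yaml documents the dependency. `KAFKA_PROPERTIES_FILE` points at `/tmp/kafka.properties`, which implies Kafdrop writes that file at startup; if the container filesystem is ever made read-only an `emptyDir` mounted at `/tmp` will be required. The env list this hunk extends starts and ends outside the hunk.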
From: Jonathan Sick Date: Tue, 28 Jun 2022 16:25:08 -0400 Subject: [PATCH 0712/1479] DM-35150 Deploy Times Square 0.5.0 --- services/times-square/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 6ebe11b49b..a0d09c107c 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -7,7 +7,7 @@ home: https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image -appVersion: "0.5.0b1" +appVersion: "0.5.0" dependencies: - name: redis From cf103543a9f1272e747be9ea48c56609f739e988 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 4 Jul 2022 22:07:35 +0000 Subject: [PATCH 0713/1479] Update Helm release argo-cd to v4.9.11 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index c7b641d3ca..837fd201a9 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.8.3 + version: 4.9.11 repository: https://argoproj.github.io/argo-helm From f08280a006b97cba035b539781fcdecfccf03c7c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 5 Jul 2022 08:49:46 -0700 Subject: [PATCH 0714/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 7cf552ecca..28d86999f1 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.8.3 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.9.11 | ## Values From d022d305af3247805230d1b2f196f9bda03366db Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 5 Jul 2022 15:57:16 +0000 Subject: [PATCH 0715/1479] Update Helm release redis to v16.13.2 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 47104f5801..0c8e24a451 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.12.2 + version: 16.13.2 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index a0d09c107c..209d49ef8a 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.5.0" dependencies: - name: redis - version: 16.12.2 + version: 16.13.2 repository: https://charts.bitnami.com/bitnami From 7dd9f250bebe1fa6966bd4f12fba5932c7cee03b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 5 Jul 2022 09:03:05 -0700 Subject: [PATCH 0716/1479] Regenerate Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 700dce5d7b..ba8567765f 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.12.2 | +| https://charts.bitnami.com/bitnami | redis | 16.13.2 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index cf1db9a6a3..34d5663f8c 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.12.2 | +| https://charts.bitnami.com/bitnami | redis | 16.13.2 | ## Values From 74f7dee4a4e70a8cc5a2232d717c37332ebf725b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 5 Jul 2022 15:57:12 +0000 Subject: [PATCH 0717/1479] Update helm values redis to v7.0.2 --- services/gafaelfawr/values.yaml | 2 +- services/portal/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index d4943ff873..3aa55f3a25 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -261,7 +261,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.1" + tag: "7.0.2" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 56620e0bdf..444dd86507 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -87,7 +87,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.1" + tag: "7.0.2" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 6062062158..b94df6c9ec 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -147,7 +147,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.1" + tag: "7.0.2" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" From 884bb6b6c0a3547efe6c33bae805f0402761a9d5 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Tue, 5 Jul 2022 09:10:44 -0700 Subject: [PATCH 0718/1479] Regenerate Helm docs --- services/gafaelfawr/README.md | 2 +- services/portal/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index c055afe188..38e14a1b7c 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -69,7 +69,7 @@ Science Platform authentication and authorization system | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.1"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.2"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | diff --git a/services/portal/README.md b/services/portal/README.md index fc08f0a1eb..7e6aaefeb4 100644 --- a/services/portal/README.md +++ b/services/portal/README.md 
@@ -31,7 +31,7 @@ Rubin Science Platform portal aspect | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.1"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.2"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | | redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index 453cf2b2cf..a5bb5df181 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -54,7 +54,7 @@ Image cutout service complying with IVOA SODA | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.1"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.2"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | From fc36e31d9d7117538c8a7c12cb6598619fa07e96 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 5 Jul 2022 16:13:33 +0000 Subject: [PATCH 0719/1479] Update Helm release cert-manager to v1.8.2 --- services/cert-manager/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml index 9a2f2653ee..6373eada56 100644 --- a/services/cert-manager/Chart.yaml +++ b/services/cert-manager/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.0 description: "Let's Encrypt certificate management" dependencies: - name: cert-manager - version: v1.8.0 + version: v1.8.2 repository: https://charts.jetstack.io From 01abf50dfb10e7dd9fba6b9bb373f765a6e551e6 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 5 Jul 2022 09:16:30 -0700 Subject: [PATCH 0720/1479] Regenerate Helm docs --- services/cert-manager/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index 2fdc08a311..4f242b4223 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md @@ -6,7 +6,7 @@ Let's Encrypt certificate management | Repository | Name | Version | |------------|------|---------| -| https://charts.jetstack.io | cert-manager | v1.8.0 | +| https://charts.jetstack.io | cert-manager | v1.8.2 | ## Values From c4f8a2aa81c032f05d3cb1658196f5bd7cb2d22f Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 6 Jul 2022 13:25:49 -0700 Subject: [PATCH 0721/1479] Fix up ACLS configuration for ts-salkafka - Allow all operations on topics with lsst.sal prefix --- .../charts/strimzi-kafka/templates/ts-salkafka-user.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml index 718448951d..0f6d021643 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml 
+++ b/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml @@ -12,8 +12,8 @@ spec: acls: - resource: type: topic - name: "lsst.sal.*" - patternType: literal + name: "lsst.sal" + patternType: prefix type: allow host: "*" operation: All From d61b5cf2d559198dcef14c6e58ea00b86e37659b Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 6 Jul 2022 13:29:06 -0700 Subject: [PATCH 0722/1479] Get ts-salkafka password from a secret - Strimzi creates a random password for users but we need a fixed one for ts-salkafka so it can be retrieved from Vault and the k8s secret created in different namespaces, for example the kafka-producers namespace. --- .../charts/strimzi-kafka/templates/ts-salkafka-user.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml index 0f6d021643..580d842537 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml @@ -7,6 +7,11 @@ metadata: spec: authentication: type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: sasquatch + key: ts-salkafka-password authorization: type: simple acls: From 9abfafe4fdeb4024b76fc0b7859cbfb21f773e7a Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 6 Jul 2022 14:06:43 -0700 Subject: [PATCH 0723/1479] Disable CSC testing at TTS --- services/sasquatch/values-tucson-teststand.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 35a9b28a65..77e1c49c3d 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml 
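Review bot: `name: "lsst.sal"` with `patternType: prefix` matches any topic whose name starts with those eight characters, e.g. `lsst.salfoo`, not only the `lsst.sal.` namespace that the removed `lsst.sal.*` pattern was meant to express; `name: "lsst.sal."` (with the trailing dot) keeps the intended boundary. The entry still grants `operation: All` on the prefix, which is more than a producer needs; if ts-salkafka only publishes, `Write` and `Describe` (plus `Create` if topics are auto-created) would be sufficient — worth confirming against the client's actual usage. The acls list continues outside the hunk.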
@@ -44,8 +44,9 @@ chronograf: kapacitor: persistence: storageClass: rook-ceph-block + csc: - enabled: true + enabled: false kafka-producers: - enabled: true + enabled: false From 2b49f1050142f5ec8f3b59d1786bdd8ce572f542 Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Tue, 5 Jul 2022 11:53:13 -0700 Subject: [PATCH 0724/1479] Update summit cachemachine to cycle 26. --- services/cachemachine/values-summit.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/cachemachine/values-summit.yaml b/services/cachemachine/values-summit.yaml index 5852f13696..688d5c65b4 100644 --- a/services/cachemachine/values-summit.yaml +++ b/services/cachemachine/values-summit.yaml @@ -10,11 +10,11 @@ autostart: "type": "RubinRepoMan", "registry_url": "ts-dockerhub.lsst.org", "repo": "sal-sciplat-lab", - "recommended_tag": "recommended_c0025", + "recommended_tag": "recommended_c0026", "num_releases": 0, "num_weeklies": 3, "num_dailies": 2, - "cycle": 25, + "cycle": 26, "alias_tags": [ "latest", "latest_daily", From 80730210c8d6659392a6ad2e1d6f229b6660e37d Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Wed, 6 Jul 2022 14:47:03 -0700 Subject: [PATCH 0725/1479] Update base cachemachine to cycle 26 and private containers. --- services/cachemachine/values-base.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/cachemachine/values-base.yaml b/services/cachemachine/values-base.yaml index 72eff31977..688d5c65b4 100644 --- a/services/cachemachine/values-base.yaml +++ b/services/cachemachine/values-base.yaml 
@@ -8,13 +8,13 @@ autostart: "repomen": [ { "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstts/sal-sciplat-lab", - "recommended_tag": "recommended", + "registry_url": "ts-dockerhub.lsst.org", + "repo": "sal-sciplat-lab", + "recommended_tag": "recommended_c0026", "num_releases": 0, "num_weeklies": 3, "num_dailies": 2, - "cycle": 20, + "cycle": 26, "alias_tags": [ "latest", "latest_daily", From 0c285a51e1b580d268a98d903dca859ac4636796 Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 6 Jul 2022 14:28:07 -0700 Subject: [PATCH 0726/1479] Add persistence to gafaelfawr redis at T&S sites --- services/gafaelfawr/values-base.yaml | 2 +- services/gafaelfawr/values-summit.yaml | 2 +- services/gafaelfawr/values-tucson-teststand.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values-base.yaml b/services/gafaelfawr/values-base.yaml index 3b346f6505..c8dd17f633 100644 --- a/services/gafaelfawr/values-base.yaml +++ b/services/gafaelfawr/values-base.yaml @@ -2,7 +2,7 @@ # use persistent volumes once we can coordinate that. redis: persistence: - enabled: false + storageClass: "rook-ceph-block" config: databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" diff --git a/services/gafaelfawr/values-summit.yaml b/services/gafaelfawr/values-summit.yaml index 9313f07ac7..fdc0d632c9 100644 --- a/services/gafaelfawr/values-summit.yaml +++ b/services/gafaelfawr/values-summit.yaml @@ -2,7 +2,7 @@ # use persistent volumes once we can coordinate that. redis: persistence: - enabled: false + storageClass: "rook-ceph-block" config: databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index e95005a5e6..93fa768d08 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml 
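Review bot: The context line `# use persistent volumes once we can coordinate that.` at the top of the hunk is now stale — this change is exactly the switch to persistent volumes it deferred — so the comment should be rewritten or removed in values-base, values-summit and values-tucson-teststand alike. Note also that removing `enabled: false` rather than writing `enabled: true` relies on the chart default (`redis.persistence.enabled` is `true` per the gafaelfawr README), which works but is worth a one-line comment such as `# Persist Redis so tokens survive restarts (chart default enabled: true)`.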
@@ -2,7 +2,7 @@ # use persistent volumes once we can coordinate that. redis: persistence: - enabled: false + storageClass: "rook-ceph-block" config: databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" From b36fc4a0aed7e7788a3eeca90ac7c6bbfaf34447 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 6 Jul 2022 15:35:30 -0700 Subject: [PATCH 0727/1479] Point IDF dev HiPS service at DP0.2 release Use the same data release in all three environments to make testing easier. --- services/hips/values-idfdev.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/hips/values-idfdev.yaml b/services/hips/values-idfdev.yaml index 4819b202a8..dfff5a5b62 100644 --- a/services/hips/values-idfdev.yaml +++ b/services/hips/values-idfdev.yaml @@ -1,4 +1,4 @@ config: gcsProject: "data-curation-prod-fbdb" - gcsBucket: "hips-vista-us-central1-dev" + gcsBucket: "static-us-central1-dp02-hips" serviceAccount: "crawlspace-hips@science-platform-dev-7696.iam.gserviceaccount.com" From 006c1fa9e9a41504ec26ab031e33e81ab32eeeda Mon Sep 17 00:00:00 2001 From: roby Date: Wed, 6 Jul 2022 10:34:56 -0600 Subject: [PATCH 0728/1479] update suit based on firefly 2022.2-pre-3 - added support PROPS_FIREFLY_OPTIONS --- services/portal/templates/deployment.yaml | 16 ++++++++++++++++ services/portal/values-idfdev.yaml | 3 +++ 2 files changed, 19 insertions(+) diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index 71753fb7af..796d58c49e 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml 
@@ -44,6 +44,22 @@ spec: value: {{ include "portal.fullname" . }}-redis - name: "PROPS_sso__req__auth__hosts" value: {{ .Values.global.host | quote }} + - name: "PROPS_FIREFLY_OPTIONS" + value: >- + $'{ + "coverage": {"hipsSourceURL" : "ivo://CDS/P/2MASS/color"}, + "tap" : { + "additional": { + "services": [ { + "label": "LSST RSP", + "value": "https://data-dev.lsst.cloud/api/tap", + "hipsUrl": "https://irsa.ipac.caltech.edu/data/hips/CDS/DSS2/color/", + "centerWP": "62;-37;EQ_J2000", + "fovDeg": 10 + } ] + } + } + }' - name: "SERVER_CONFIG_DIR" value: "/firefly/config" - name: "CLEANUP_INTERVAL" diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index 81bc35d85e..d4f1a080a7 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -4,6 +4,9 @@ resources: limits: memory: "2Gi" +image: + tag: "suit-2022.3" + config: volumes: workareaNfs: From f82518de3e1a37526edce9819c9c81361db37753 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 6 Jul 2022 13:26:56 -0700 Subject: [PATCH 0729/1479] Fix trailing whitespace --- services/portal/templates/deployment.yaml | 26 +++++++++++------------ 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index 796d58c49e..939e7fddaf 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml 
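Review bot: The new `PROPS_FIREFLY_OPTIONS` value begins with `$'{` and ends with `}'`, which is bash ANSI-C quoting, but Kubernetes hands an env `value:` to the process verbatim with no shell in between, so the application will see the `$'` and `'` characters as part of the JSON unless the image's entrypoint re-evaluates its environment through bash. If that is the case, a comment would save the next reader the same question, e.g. `# Wrapped in $'...' because the suit entrypoint re-evaluates PROPS_* in bash`. The `>-` folded scalar keeps the more-indented lines as separate lines, which is harmless for JSON but means the value is multi-line rather than a single folded line.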
@@ -46,19 +46,19 @@ spec: value: {{ .Values.global.host | quote }} - name: "PROPS_FIREFLY_OPTIONS" value: >- - $'{ - "coverage": {"hipsSourceURL" : "ivo://CDS/P/2MASS/color"}, - "tap" : { - "additional": { - "services": [ { - "label": "LSST RSP", - "value": "https://data-dev.lsst.cloud/api/tap", - "hipsUrl": "https://irsa.ipac.caltech.edu/data/hips/CDS/DSS2/color/", - "centerWP": "62;-37;EQ_J2000", - "fovDeg": 10 - } ] - } - } + $'{ + "coverage": {"hipsSourceURL" : "ivo://CDS/P/2MASS/color"}, + "tap" : { + "additional": { + "services": [ { + "label": "LSST RSP", + "value": "https://data-dev.lsst.cloud/api/tap", + "hipsUrl": "https://irsa.ipac.caltech.edu/data/hips/CDS/DSS2/color/", + "centerWP": "62;-37;EQ_J2000", + "fovDeg": 10 + } ] + } + } }' - name: "SERVER_CONFIG_DIR" value: "/firefly/config" From c2765a3d27952ce597ce0e2ade0b9458ee374125 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 6 Jul 2022 13:37:35 -0700 Subject: [PATCH 0730/1479] Get FIREFLY_OPTIONS URLs from configuration Add new config.hipsUrl setting to set the HiPS server URL. Default it to the images/color_gri tree in the current cluster. Set the TAP server URL to the TAP server in the current cluster. --- services/portal/README.md | 1 + services/portal/templates/deployment.yaml | 8 ++++++-- services/portal/values-idfdev.yaml | 1 + services/portal/values.yaml | 4 ++++ 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/services/portal/README.md b/services/portal/README.md index 7e6aaefeb4..6e0d435a78 100644 --- a/services/portal/README.md +++ b/services/portal/README.md 
@@ -11,6 +11,7 @@ Rubin Science Platform portal aspect | affinity | object | `{}` | Affinity rules for the Portal pod | | config.cleanupInterval | string | `"36h"` | How long results should be retained before being deleted | | config.debug | string | `"FALSE"` | Set to `TRUE` to enable service debugging | +| config.hipsUrl | string | `/api/hips/images/color_gri` in the local Science Platform | URL for default HiPS service | | config.visualizeFitsSearchPath | string | `"/datasets"` | Search path for FITS files | | config.volumes.configHostPath | string | Use an `emptyDir` | hostPath to mount as configuration. Set either this of `configNfs`, not both. | | config.volumes.configNfs | object | Use an `emptyDir` | NFS information for a configuration. If set, must have keys for path and server, Set either this of `configHostPath`, not both. | diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index 939e7fddaf..8789d0f165 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml @@ -52,8 +52,12 @@ spec: "additional": { "services": [ { "label": "LSST RSP", - "value": "https://data-dev.lsst.cloud/api/tap", - "hipsUrl": "https://irsa.ipac.caltech.edu/data/hips/CDS/DSS2/color/", + "value": "{{ .Values.global.baseUrl }}/api/tap", + {{- if .Values.config.hipsUrl }} + "hipsUrl": "{{ .Values.config.hipsUrl }}", + {{- else }} + "hipsUrl": "{{ .Values.global.baseUrl }}/api/hips/images/color_gri/", + {{- end }} "centerWP": "62;-37;EQ_J2000", "fovDeg": 10 } ] diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index d4f1a080a7..dbff2f8e2c 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -8,6 +8,7 @@ image: tag: "suit-2022.3" config: + hipsUrl: "https://irsa.ipac.caltech.edu/data/hips/CDS/DSS2/color/" volumes: workareaNfs: path: "/share1/home/firefly/shared-workarea" 
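Review bot: `{{ .Values.config.hipsUrl }}` and `{{ .Values.global.baseUrl }}` are spliced into JSON string literals with no escaping, so a value containing `"` or `\` breaks the whole `PROPS_FIREFLY_OPTIONS` document at render time and nothing validates the result. Emitting the value as a JSON string, `"hipsUrl": {{ .Values.config.hipsUrl | toJson }},`, produces the surrounding quotes and escapes itself; the same applies to the `"value"` line for the TAP URL. The enclosing `value:` block and the `- name:` entry start outside this hunk.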
diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 444dd86507..8d327d1880 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -57,6 +57,10 @@ config: # -- How long results should be retained before being deleted cleanupInterval: "36h" + # -- URL for default HiPS service + # @default -- `/api/hips/images/color_gri` in the local Science Platform + hipsUrl: "" + # -- Search path for FITS files visualizeFitsSearchPath: "/datasets" From 8cf540cfa8a6abe594a3aa3e1855eed316d13656 Mon Sep 17 00:00:00 2001 From: roby Date: Wed, 6 Jul 2022 15:25:02 -0600 Subject: [PATCH 0731/1479] DM-35468: final cleanup - add prop for lsst hips server - set version to suit-2022.4.0 --- services/portal/templates/deployment.yaml | 10 +++++++++- services/portal/values-idfdev.yaml | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index 8789d0f165..83a21a5e02 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml @@ -44,10 +44,18 @@ spec: value: {{ include "portal.fullname" . }}-redis - name: "PROPS_sso__req__auth__hosts" value: {{ .Values.global.host | quote }} + - name: "PROPS_lsst__hips__masterUrl" + value: https://irsa.ipac.caltech.edu/data/hips/list - name: "PROPS_FIREFLY_OPTIONS" value: >- $'{ - "coverage": {"hipsSourceURL" : "ivo://CDS/P/2MASS/color"}, + "coverage": { + {{- if .Values.config.hipsUrl }} + "hipsSourceURL" : "{{ .Values.config.hipsUrl }}", + {{- else }} + "hipsSourceURL" : "{{ .Values.global.baseUrl }}/api/hips/images/color_gri/", + {{- end }} + }, "tap" : { "additional": { "services": [ { diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index dbff2f8e2c..3378f93ca9 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml 
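Review bot: Both branches of the new `coverage` block end the `"hipsSourceURL"` entry with a trailing comma immediately before `},`, which is not valid JSON; whether Firefly's options parser tolerates it is not visible here, and the `services` entry further down is written without one. Dropping the comma in both branches, `"hipsSourceURL" : "{{ .Values.config.hipsUrl }}"`, keeps the document strict, and the templated value would still benefit from `| toJson` rather than hand-written quotes. The new `PROPS_lsst__hips__masterUrl` is the only unquoted env value in this block; `value: "https://irsa.ipac.caltech.edu/data/hips/list"` matches the neighbouring entries.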
@@ -5,7 +5,7 @@ resources: memory: "2Gi" image: - tag: "suit-2022.3" + tag: "suit-2022.4" config: hipsUrl: "https://irsa.ipac.caltech.edu/data/hips/CDS/DSS2/color/" From 85f9c9f13251e3a163169c0a9f12f4c6c4e62e38 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 7 Jul 2022 11:52:22 -0700 Subject: [PATCH 0732/1479] Protect Portal admin URLs with Gafaelfawr Disable Portal's internal admin authentication and instead protect the admin endpoints with Gafaelfawr using a different scope (exec:admin). This will work with Portal 2022.4 or later, which is still being deployed, but should be harmless to apply to earlier versions (just not effective). --- services/portal/README.md | 1 + services/portal/templates/deployment.yaml | 4 ++ services/portal/templates/ingress-admin.yaml | 45 ++++++++++++++++++++ services/portal/values.yaml | 3 ++ 4 files changed, 53 insertions(+) create mode 100644 services/portal/templates/ingress-admin.yaml diff --git a/services/portal/README.md b/services/portal/README.md index 6e0d435a78..3a8066a807 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -25,6 +25,7 @@ Rubin Science Platform portal aspect | image.repository | string | `"ipac/suit"` | Portal image to use | | image.tag | string | The appVersion of the chart | Tag of Portal image to use | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | +| ingress.gafaelfawrAdminAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string for the admin API | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=portal&delegate_scope=read:image,read:tap"` | Gafaelfawr auth query string | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Portal pod | diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index 83a21a5e02..55cadc52ef 100644 --- a/services/portal/templates/deployment.yaml 
+++ b/services/portal/templates/deployment.yaml @@ -33,6 +33,10 @@ spec: secretKeyRef: name: {{ include "portal.fullname" . }}-secret key: "ADMIN_PASSWORD" + {{- if .Values.ingress.gafaelfawrAdminAuthQuery }} + - name: "USE_ADMIN_AUTH" + value: "false" + {{- end }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: diff --git a/services/portal/templates/ingress-admin.yaml b/services/portal/templates/ingress-admin.yaml new file mode 100644 index 0000000000..afe28e72ef --- /dev/null +++ b/services/portal/templates/ingress-admin.yaml 
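Review bot: Setting `USE_ADMIN_AUTH` to `"false"` moves all protection of the admin endpoints onto the ingress layer, so it is only as strong as path routing: if the main Portal ingress also matches `/portal/app/admin/...` and takes precedence over the new admin ingress, those endpoints become reachable with the ordinary `exec:portal` scope. The main ingress template is not in this diff, so that precedence cannot be confirmed here, and a comment on the new block would record the dependency, e.g. `# Portal's built-in admin auth is off; /portal/app/admin is protected only by ingress-admin.yaml (exec:admin)`. The `ADMIN_PASSWORD` secret is still injected just above even when the internal check is disabled; whether it can be dropped depends on Portal versions not visible here.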
@@ -0,0 +1,45 @@ +{{- if .Values.ingress.gafaelfawrAdminAuthQuery -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "portal.fullname" . }} + labels: + {{- include "portal.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/affinity: "cookie" + nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0m" + nginx.ingress.kubernetes.io/proxy-buffer-size: "24k" + nginx.ingress.kubernetes.io/client-header-buffer-size: "24k" + nginx.ingress.kubernetes.io/rewrite-target: "/suit$1$2" + nginx.ingress.kubernetes.io/proxy-redirect-from: "/suit/" + nginx.ingress.kubernetes.io/proxy-redirect-to: "/portal/app/" + nginx.ingress.kubernetes.io/proxy-cookie-path: "/suit /portal/app" + nginx.ingress.kubernetes.io/session-cookie-path: "/portal/app" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Forwarded-Path /portal/app; + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email" + nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAdminAuthQuery }}" + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/portal/app/admin(/|$)(.*)" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ include "portal.fullname" . }} + port: + number: 8080 +{{- end }} 
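Review bot: `metadata.name: {{ include "portal.fullname" . }}` is presumably the same name the main Portal Ingress uses, and two Ingress objects with one name in the same namespace cannot coexist, so this file needs a distinct suffix such as `-admin`. The admin Ingress also relies on the deprecated `kubernetes.io/ingress.class` annotation while declaring `apiVersion: networking.k8s.io/v1`, where `spec.ingressClassName: "nginx"` is the supported form; if the main ingress template uses the annotation as well, both should move together so the two objects stay consistent. `proxy-body-size: "0m"` (unlimited) is copied from the regular ingress; an admin API rarely needs unbounded request bodies, and a small explicit limit reduces exposure of the admin path.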
diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 8d327d1880..49d6263e56 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -24,6 +24,9 @@ ingress: # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:image,read:tap" + # -- Gafaelfawr auth query string for the admin API + gafaelfawrAdminAuthQuery: "scope=exec:admin" + # -- Additional annotations to add to the ingress annotations: {} From 19a3564fc371850e270d95a0708587b327cd3397 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 7 Jul 2022 12:48:02 -0700 Subject: [PATCH 0733/1479] Fix name of the admin ingress --- services/portal/templates/ingress-admin.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/templates/ingress-admin.yaml b/services/portal/templates/ingress-admin.yaml index afe28e72ef..c73123e4ae 100644 --- a/services/portal/templates/ingress-admin.yaml +++ b/services/portal/templates/ingress-admin.yaml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ include "portal.fullname" . }} + name: {{ include "portal.fullname" . }}-admin labels: {{- include "portal.labels" . | nindent 4 }} annotations: From f2ca69597bdb2777e957fc997ab43bdf1e7f43ba Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 7 Jul 2022 13:02:57 -0700 Subject: [PATCH 0734/1479] Fix Portal admin ingress rewrite The URL pattern is different so we were accidentally dropping the /admin component of the path. --- services/portal/templates/ingress-admin.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/templates/ingress-admin.yaml b/services/portal/templates/ingress-admin.yaml index c73123e4ae..25f7d0d39f 100644 --- a/services/portal/templates/ingress-admin.yaml +++ b/services/portal/templates/ingress-admin.yaml 
@@ -13,7 +13,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-body-size: "0m" nginx.ingress.kubernetes.io/proxy-buffer-size: "24k" nginx.ingress.kubernetes.io/client-header-buffer-size: "24k" - nginx.ingress.kubernetes.io/rewrite-target: "/suit$1$2" + nginx.ingress.kubernetes.io/rewrite-target: "/suit/admin$1$2" nginx.ingress.kubernetes.io/proxy-redirect-from: "/suit/" nginx.ingress.kubernetes.io/proxy-redirect-to: "/portal/app/" nginx.ingress.kubernetes.io/proxy-cookie-path: "/suit /portal/app" From 211242786148818399371e55c0bd2d2333543143 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 7 Jul 2022 14:01:40 -0700 Subject: [PATCH 0735/1479] Bump version of Portal on data-int Switch to the same version as data-dev. Also switch data-dev to the DP0.2 HiPS service. --- services/portal/values-idfdev.yaml | 9 ++++----- services/portal/values-idfint.yaml | 3 +++ 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index 3378f93ca9..be33bd422b 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -1,15 +1,14 @@ replicaCount: 2 -resources: - limits: - memory: "2Gi" - image: tag: "suit-2022.4" config: - hipsUrl: "https://irsa.ipac.caltech.edu/data/hips/CDS/DSS2/color/" volumes: workareaNfs: path: "/share1/home/firefly/shared-workarea" server: "10.87.86.26" + +resources: + limits: + memory: "2Gi" diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index bbff39a615..4661a8f856 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -1,5 +1,8 @@ replicaCount: 4 +image: + tag: "suit-2022.4" + config: volumes: workareaNfs: From d2673d82873aaa6cd5e5640177c94d13ad0c71ec Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 7 Jul 2022 15:35:38 -0700 Subject: [PATCH 0736/1479] Give SQuaRE friends exec:admin scope on IDF dev/int This is now required for access to the Portal admin status URL, so include the Portal folks. --- services/gafaelfawr/values-idfdev.yaml | 1 + services/gafaelfawr/values-idfint.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 6cde106dda..8fb6315731 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -22,6 +22,7 @@ config: - "lsst-sqre-square" "exec:admin": - "lsst-sqre-square" + - "lsst-sqre-friends" "exec:notebook": - "lsst-sqre-square" - "lsst-sqre-friends" diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index e77a53c6fb..8887f0852d 100644 --- a/services/gafaelfawr/values-idfint.yaml +++ b/services/gafaelfawr/values-idfint.yaml @@ -15,6 +15,7 @@ config: - "lsst-sqre-square" "exec:admin": - "lsst-sqre-square" + - "lsst-sqre-friends" "exec:notebook": - "lsst-ops-panda" - "lsst-ops" From dbd0bf62a1d20612b04cc2ddf1f590f86f09765f Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 8 Jul 2022 12:09:48 -0700 Subject: [PATCH 0737/1479] Update Kafka version to 3.1.1 - Also update Kafka Connect image to tag strimzi-0.29.0-kafka-3.1.1 --- services/sasquatch/charts/strimzi-kafka/Chart.yaml | 2 +- services/sasquatch/charts/strimzi-kafka/README.md | 4 ++-- services/sasquatch/charts/strimzi-kafka/values.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/Chart.yaml b/services/sasquatch/charts/strimzi-kafka/Chart.yaml index f587b16083..d5c1192619 100644 --- a/services/sasquatch/charts/strimzi-kafka/Chart.yaml +++ b/services/sasquatch/charts/strimzi-kafka/Chart.yaml 
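Review bot: Adding `lsst-sqre-friends` to `exec:admin` grants that group every endpoint gated by the `exec:admin` scope, not only the Portal admin status URL named in the commit message; the scope name suggests other administrative surfaces share it, which this hunk cannot confirm. If Portal admin access is the only goal, a narrower scope bound to that group (selected on the Portal side through `ingress.gafaelfawrAdminAuthQuery`) would keep the grant to what is needed. The same widening is applied to values-idfint.yaml in this commit.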
@@ -2,4 +2,4 @@ apiVersion: v2 name: strimzi-kafka version: 1.0.0 description: A subchart to deploy Strimzi Kafka components for Sasquatch. -appVersion: 3.0.0 +appVersion: 3.1.1 diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 366be6ae06..f749950f16 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md @@ -7,7 +7,7 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | Key | Type | Default | Description | |-----|------|---------|-------------| | cluster.name | string | `"sasquatch"` | Name used for the Kafka cluster, and used by Strimzi for many annotations. | -| connect.image | string | `"lsstsqre/strimzi-0.27.1-kafka-3.0.0:master"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | +| connect.image | string | `"lsstsqre/strimzi-0.29.0-kafka-3.1.1:master"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | | connect.replicas | int | `1` | Number of Kafka Connect replicas to run. | | kafka.config | object | `{"log.retention.bytes":"429496729600","log.retention.hours":24,"offsets.retention.minutes":1440}` | Configuration overrides for the Kafka server. | | kafka.config."log.retention.bytes" | string | `"429496729600"` | Maximum retained number of bytes for a topic's data. | 
@@ -16,7 +16,7 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | kafka.replicas | int | `3` | Number of Kafka broker replicas to run. | | kafka.storage.size | string | `"500Gi"` | Size of the backing storage disk for each of the Kafka brokers. | | kafka.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. | -| kafka.version | string | `"3.0.0"` | Version of Kafka to deploy. | +| kafka.version | string | `"3.1.1"` | Version of Kafka to deploy. | | registry.schemaTopic | string | `"registry-schemas"` | Name of the topic used by the Schema Registry | | superusers | list | `["kafka-admin"]` | A list of usernames for users who should have global admin permissions. These users will be created, along with their credentials. | | zookeeper.replicas | int | `3` | Number of Zookeeper replicas to run. | diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index c9bc0c7b82..bcbdaf4ea2 100644 --- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml @@ -5,7 +5,7 @@ cluster: kafka: # -- Version of Kafka to deploy. - version: "3.0.0" + version: "3.1.1" # -- Number of Kafka broker replicas to run. replicas: 3 storage: @@ -33,7 +33,7 @@ zookeeper: connect: # -- Custom strimzi-kafka image with connector plugins used by sasquatch. - image: lsstsqre/strimzi-0.27.1-kafka-3.0.0:master + image: lsstsqre/strimzi-0.29.0-kafka-3.1.1:master # -- Number of Kafka Connect replicas to run. replicas: 1 From 3e1e20d87d55a7e2a7199c988366c3daedf70695 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Sat, 9 Jul 2022 12:15:00 -0700 Subject: [PATCH 0738/1479] Update kafkaconnect image tag --- services/sasquatch/charts/kafka-connect-manager/README.md | 2 +- services/sasquatch/charts/kafka-connect-manager/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
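Review bot: `connect.image` is pinned to the mutable `:master` tag, so the Kafka Connect image that actually runs is whatever `lsstsqre/strimzi-0.29.0-kafka-3.1.1:master` pointed to at pull time and cannot be reproduced from this commit, while the `kafka.version` bump in the hunk above is pinned exactly. An immutable tag or a digest, `image: "lsstsqre/strimzi-0.29.0-kafka-3.1.1@sha256:<digest-placeholder>"`, makes the deployment reproducible and auditable. The later switch to `:tickets-DM-35506` in this series and the `image.tag: tickets-DM-35506` change in kafka-connect-manager's values.yaml have the same property, since branch tags move.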
diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 9ad0b08e0b..2cb77ad82b 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -10,7 +10,7 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | env.kafkaConnectUrl | string | `"http://sasquatch-connect-api.sasquatch:8083"` | Kafka connnect URL. | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"lsstsqre/kafkaconnect"` | | -| image.tag | string | `"0.9.3"` | | +| image.tag | string | `"tickets-DM-35506"` | | | influxdbSink.influxdb-sink.autoUpdate | bool | `true` | If autoUpdate is enabled, check for new kafka topics. | | influxdbSink.influxdb-sink.checkInterval | string | `"15000"` | The interval, in milliseconds, to check for new topics and update the connector. | | influxdbSink.influxdb-sink.connectInfluxDb | string | `"efd"` | InfluxDB database to write to. | diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index 783677d17c..c038e22967 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml @@ -2,7 +2,7 @@ # See also https://kafka-connect-manager.lsst.io image: repository: lsstsqre/kafkaconnect - tag: 0.9.3 + tag: tickets-DM-35506 pullPolicy: IfNotPresent influxdbSink: From 75c0bc553b4060ddbdc093e95fdad09a5ba5b67a Mon Sep 17 00:00:00 2001 
From: Angelo Fausti Date: Sat, 9 Jul 2022 12:17:27 -0700 Subject: [PATCH 0739/1479] Set variables for SASL authentication - Set environment variables used by kafkaconnect for authentication --- services/sasquatch/charts/kafka-connect-manager/README.md | 1 + .../kafka-connect-manager/templates/influxdb_sink.yaml | 7 +++++++ .../sasquatch/charts/kafka-connect-manager/values.yaml | 2 ++ 3 files changed, 10 insertions(+) diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 2cb77ad82b..db6527878f 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -8,6 +8,7 @@ A subchart to deploy the Kafka connectors used by Sasquatch. |-----|------|---------|-------------| | env.kafkaBrokerUrl | string | `"sasquatch-kafka-bootstrap.sasquatch:9092"` | Kafka broker URL. | | env.kafkaConnectUrl | string | `"http://sasquatch-connect-api.sasquatch:8083"` | Kafka connnect URL. | +| env.kafkaUsername | string | `"kafka-connect-manager"` | Username for SASL authentication. | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"lsstsqre/kafkaconnect"` | | | image.tag | string | `"tickets-DM-35506"` | | diff --git a/services/sasquatch/charts/kafka-connect-manager/templates/influxdb_sink.yaml b/services/sasquatch/charts/kafka-connect-manager/templates/influxdb_sink.yaml index 63f8634104..24fe51a990 100644 --- a/services/sasquatch/charts/kafka-connect-manager/templates/influxdb_sink.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/templates/influxdb_sink.yaml 
@@ -77,6 +77,13 @@ spec: value: {{ $.Values.env.kafkaBrokerUrl | quote }} - name: KAFKA_CONNECT_URL value: {{ $.Values.env.kafkaConnectUrl | quote }} + - name: KAFKA_USERNAME + value: {{ $.Values.env.kafkaUsername | quote }} + - name: KAFKA_PASSWORD + valueFrom: + secretKeyRef: + name: sasquatch + key: kafka-connect-manager-password {{- end }} {{- end }} {{- end }} diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index c038e22967..c4c424f037 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml @@ -150,3 +150,5 @@ env: kafkaBrokerUrl: "sasquatch-kafka-bootstrap.sasquatch:9092" # -- Kafka connnect URL. kafkaConnectUrl: "http://sasquatch-connect-api.sasquatch:8083" + # -- Username for SASL authentication. + kafkaUsername: "kafka-connect-manager" From de61768270742d162165d5109345679cd826a6bb Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Sat, 9 Jul 2022 12:19:11 -0700 Subject: [PATCH 0740/1479] Add kafka-connect-manager kafka user --- .../templates/kafka-connect-manager-user.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml new file mode 100644 index 0000000000..a89503658b --- /dev/null +++ b/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml 
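Review bot: The `KAFKA_PASSWORD` source is hard-coded to Secret `sasquatch`, key `kafka-connect-manager-password`, while the neighbouring `KAFKA_USERNAME` and the broker/connect URLs come from `$.Values.env`; as far as this diff shows the chart does not create that Secret, so a missing key surfaces only as a container-creation failure at deploy time. Exposing the Secret name as a value (for example `env.kafkaPasswordSecret` defaulting to `sasquatch`) and noting in values.yaml how the Secret is provisioned would make the dependency explicit. The three `{{- end }}` lines close blocks that begin outside this hunk.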
@@ -0,0 +1,24 @@ +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: kafka-connect-manager + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: sasquatch + key: kafka-connect-manager-password + authorization: + type: simple + acls: + - resource: + type: topic + name: "*" + patternType: literal + type: allow + host: "*" + operation: Read From 14912be3154dfd19290f52a0887c557e122dcffc Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Sat, 9 Jul 2022 12:23:21 -0700 Subject: [PATCH 0741/1479] Update strimzi-kafka connect image tag --- services/sasquatch/charts/strimzi-kafka/README.md | 2 +- services/sasquatch/charts/strimzi-kafka/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index f749950f16..29ee23fd5e 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md 
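Review bot: `metadata.name: kafka-connect-manager` is the SCRAM username the client must present, and the kafka-connect-manager subchart now takes that name from `env.kafkaUsername`; nothing ties the two values together, so changing one without the other breaks authentication with no hint at template time. A comment on the name, `# Must match env.kafkaUsername in the kafka-connect-manager subchart`, records the coupling, and templating both from one value would remove it. The `strimzi.io/cluster` label is templated from `cluster.name` while the Secret name `sasquatch` is a literal; if they are meant to track each other, that is another place to template. The Secret key here and the `secretKeyRef` in influxdb_sink.yaml both name `kafka-connect-manager-password`, which is correct but worth a one-line comment so a rename is made in both places.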
@@ -7,7 +7,7 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | Key | Type | Default | Description | |-----|------|---------|-------------| | cluster.name | string | `"sasquatch"` | Name used for the Kafka cluster, and used by Strimzi for many annotations. | -| connect.image | string | `"lsstsqre/strimzi-0.29.0-kafka-3.1.1:master"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | +| connect.image | string | `"lsstsqre/strimzi-0.29.0-kafka-3.1.1:tickets-DM-35506"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | | connect.replicas | int | `1` | Number of Kafka Connect replicas to run. | | kafka.config | object | `{"log.retention.bytes":"429496729600","log.retention.hours":24,"offsets.retention.minutes":1440}` | Configuration overrides for the Kafka server. | | kafka.config."log.retention.bytes" | string | `"429496729600"` | Maximum retained number of bytes for a topic's data. | diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index bcbdaf4ea2..c64f01a4cd 100644 --- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml @@ -33,7 +33,7 @@ zookeeper: connect: # -- Custom strimzi-kafka image with connector plugins used by sasquatch. - image: lsstsqre/strimzi-0.29.0-kafka-3.1.1:master + image: lsstsqre/strimzi-0.29.0-kafka-3.1.1:tickets-DM-35506 # -- Number of Kafka Connect replicas to run. replicas: 1 From 0133375bf9dba9c9318c2ccde4f94a7474bf430c Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Sat, 9 Jul 2022 12:45:43 -0700 Subject: [PATCH 0742/1479] Set image pullPlolicy for debug --- services/sasquatch/charts/kafka-connect-manager/README.md | 2 +- services/sasquatch/charts/kafka-connect-manager/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index db6527878f..42d5b4a7b5 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -9,7 +9,7 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | env.kafkaBrokerUrl | string | `"sasquatch-kafka-bootstrap.sasquatch:9092"` | Kafka broker URL. | | env.kafkaConnectUrl | string | `"http://sasquatch-connect-api.sasquatch:8083"` | Kafka connnect URL. | | env.kafkaUsername | string | `"kafka-connect-manager"` | Username for SASL authentication. | -| image.pullPolicy | string | `"IfNotPresent"` | | +| image.pullPolicy | string | `"Always"` | | | image.repository | string | `"lsstsqre/kafkaconnect"` | | | image.tag | string | `"tickets-DM-35506"` | | | influxdbSink.influxdb-sink.autoUpdate | bool | `true` | If autoUpdate is enabled, check for new kafka topics. | diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index c4c424f037..ba550b64aa 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml @@ -3,7 +3,7 @@ image: repository: lsstsqre/kafkaconnect tag: tickets-DM-35506 - pullPolicy: IfNotPresent + pullPolicy: Always influxdbSink: # Repeat this block to create multiple instances of this connector. From 4202e49e03d61b5e23fdb43ba0bddb1e8c9c5ff8 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Sat, 9 Jul 2022 12:57:48 -0700 Subject: [PATCH 0743/1479] Fix up connectInfluxUrl --- services/sasquatch/charts/kafka-connect-manager/README.md | 2 +- services/sasquatch/charts/kafka-connect-manager/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
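Review bot: `pullPolicy: Always` combined with the mutable `tickets-DM-35506` tag means each pod restart may run a different image than the previous one, which is acceptable while debugging but this commit lands it in the chart's default values.yaml. A TODO on the line, `pullPolicy: Always  # TODO(DM-35506): revert to IfNotPresent once a released tag is pinned`, keeps the debug setting from becoming permanent.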
diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 42d5b4a7b5..24a41e8b0f 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -18,7 +18,7 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | influxdbSink.influxdb-sink.connectInfluxErrorPolicy | string | `"THROW"` | Error policy. | | influxdbSink.influxdb-sink.connectInfluxMaxRetries | string | `"10"` | The maximum number of times a message is retried. | | influxdbSink.influxdb-sink.connectInfluxRetryInterval | string | `"60000"` | The interval, in milliseconds, between retries. Only valid when the connectInfluxErrorPolicy is set to `RETRY`. | -| influxdbSink.influxdb-sink.connectInfluxUrl | string | `"http://sasquatch.influxdb:8086"` | InfluxDB URL, can be internal to the cluster. | +| influxdbSink.influxdb-sink.connectInfluxUrl | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB URL, can be internal to the cluster. | | influxdbSink.influxdb-sink.connectProgressEnabled | bool | `false` | Enables the output for how many records have been processed. | | influxdbSink.influxdb-sink.enabled | bool | `false` | Whether this connector instance is deployed. | | influxdbSink.influxdb-sink.excludedTopicRegex | string | `""` | Regex to exclude topics from the list of selected topics from Kafka. | diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index ba550b64aa..585ee4a122 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml 
@@ -13,7 +13,7 @@ influxdbSink:
 # -- Whether this connector instance is deployed.
 enabled: false
 # -- InfluxDB URL, can be internal to the cluster.
- connectInfluxUrl: "http://sasquatch.influxdb:8086"
+ connectInfluxUrl: "http://sasquatch-influxdb.sasquatch:8086"
 # -- InfluxDB database to write to.
 connectInfluxDb: "efd"
 # -- Number of KafkaConnect tasks.
From aae0a3f22e1db2969a71a637d86a0bf3ddc94f4a Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Sat, 9 Jul 2022 13:16:26 -0700
Subject: [PATCH 0744/1479] Authorize access to Kafka groups
---
 .../charts/strimzi-kafka/templates/connect-user.yaml | 5 +++++
 .../charts/strimzi-kafka/templates/kafdrop-user.yaml | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml
index 5e250a175a..e73ad66f60 100644
--- a/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml
@@ -14,6 +14,11 @@ spec:
 type: group
 name: {{ .Values.cluster.name }}-connect
 operation: Read
+ - resource:
+ type: group
+ name: connect-influxdb-sink
+ patternType: literal
+ operation: All
 - resource:
 type: topic
 name: "*"
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml
index 6864ab39d6..fa2fdacc50 100644
--- a/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml
@@ -15,6 +15,11 @@ spec:
 authorization:
 type: simple
 acls:
+ - resource:
+ type: group
+ name: "*"
+ patternType: literal
+ operation: All
 - resource:
 type: topic
 name: "*"
From 7a37ffbfe06ed31c5e0d058dce265fe871563437 Mon Sep 17 00:00:00 2001
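Review bot: The group ACL added to kafdrop-user.yaml grants `operation: All` on every consumer group (`name: "*"`), which includes deleting groups and altering their offsets, while a browsing UI only needs to describe groups and read their committed offsets; `operation: Describe` (adding `Read` only if Kafdrop's message viewer actually joins a group) keeps that user least-privilege. The entry in connect-user.yaml over-grants in the same way for `connect-influxdb-sink`, where a sink consumer needs `Read` on its group, and because the name is `literal` every further connector instance (the kafka-connect-manager values.yaml on this page says `# Repeat this block to create multiple instances of this connector.`) will need its own ACL line — `patternType: prefix` with `name: connect-` and `operation: Read` covers all of them at once. With `patternType: literal`, `"*"` is Kafka's wildcard resource name rather than a glob, which is what is wanted here but deserves a one-line comment. Both KafkaUser specs start outside their hunks.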
From: Angelo Fausti
Date: Sat, 9 Jul 2022 15:31:40 -0700
Subject: [PATCH 0745/1479] Set default key and value converters for connect - Set default key and value converters to use io.confluent.connect.avro.AvroConverter
---
 .../sasquatch/charts/strimzi-kafka/templates/connect.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml
index 841538028a..45cd157075 100644
--- a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml
@@ -28,3 +28,9 @@ spec:
 config.storage.replication.factor: -1
 offset.storage.replication.factor: -1
 status.storage.replication.factor: -1
+ key.converter: io.confluent.connect.avro.AvroConverter
+ key.converter.schemas.enable: true
+ key.converter.schema.registry.url: http://sasquatch-schema-registry.sasquatch:8081
+ value.converter: io.confluent.connect.avro.AvroConverter
+ value.converter.schemas.enable: true
+ value.converter.schema.registry.url: http://sasquatch-schema-registry.sasquatch:8081
From 6bd41bcc5a3c5dd2c166d7eb14c085b450e5478d Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Sat, 9 Jul 2022 16:06:18 -0700
Subject: [PATCH 0746/1479] Fix up schema registry URL for Kafdrop
---
 services/sasquatch/charts/kafdrop/README.md | 2 +-
 services/sasquatch/charts/kafdrop/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/sasquatch/charts/kafdrop/README.md b/services/sasquatch/charts/kafdrop/README.md
index f75f7365eb..0c0126820b 100644
--- a/services/sasquatch/charts/kafdrop/README.md
+++ b/services/sasquatch/charts/kafdrop/README.md
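Review bot: `key.converter.schemas.enable` and `value.converter.schemas.enable` in connect.yaml are options of the JSON converter; `io.confluent.connect.avro.AvroConverter` does not read them, so the two added lines do nothing and read as if JSON and Avro were being mixed. Drop them, or if they are kept for parity with some other deployment, say so: `# schemas.enable is a JsonConverter option; unused by AvroConverter, kept for parity`. The schema registry URL is repeated verbatim for key and value; a comment that the two must stay identical, or a single chart value rendered twice, keeps them from drifting apart. The KafkaConnect spec starts outside the hunk.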
@@ -28,7 +28,7 @@ A subchart to deploy the Kafdrop UI for Sasquatch. | podAnnotations | object | `{}` | Pod annotations. | | replicaCount | int | `1` | Number of kafdrop pods to run in the deployment. | | resources | object | `{}` | | -| schemaregistry | string | `"sasquatch-schema-registry.sasquatch:8081"` | The endpoint of Schema Registry | +| schemaregistry | string | `"http://sasquatch-schema-registry.sasquatch:8081"` | The endpoint of Schema Registry | | server.port | int | Defaults to 9000. | The web server port to listen on. | | server.servlet | object | Defaults to /. | The context path to serve requests on (must end with a /). | | service.annotations | object | `{}` | Service annotations | diff --git a/services/sasquatch/charts/kafdrop/values.yaml b/services/sasquatch/charts/kafdrop/values.yaml index 7db69df792..8c08196e79 100644 --- a/services/sasquatch/charts/kafdrop/values.yaml +++ b/services/sasquatch/charts/kafdrop/values.yaml @@ -38,7 +38,7 @@ server: port: 9000 # -- The endpoint of Schema Registry -schemaregistry: "sasquatch-schema-registry.sasquatch:8081" +schemaregistry: "http://sasquatch-schema-registry.sasquatch:8081" # -- Existing k8s secrect use to set kafdrop environment variables. # Set SCHEMAREGISTRY_AUTH for basic auth credentials in the form username:password From b11a91ee2fa25a05d40d350340f23a5d07c4a992 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Sat, 9 Jul 2022 16:29:16 -0700 Subject: [PATCH 0747/1479] Increase InfluxDB Sink tasksMax to 10 on idfdev - Debug connector with tasksMax=10 --- services/sasquatch/values-idfdev.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index e1277d12e9..f47562e2cf 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -9,6 +9,7 @@ kafka-connect-manager: influxdbSink: influxdb-sink: enabled: true + tasksMax: 10 kafdrop: ingress: 
From 5e68db9057092cf6dbb62f3c013d63235e9cbb47 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Sat, 9 Jul 2022 16:58:21 -0700 Subject: [PATCH 0748/1479] Update kafkaconnect to version 1.0.0 - Update Kafkaconnect and custom strimzi-kafka image to version 1.0.0 --- services/sasquatch/charts/kafka-connect-manager/README.md | 4 ++-- services/sasquatch/charts/kafka-connect-manager/values.yaml | 4 ++-- services/sasquatch/charts/strimzi-kafka/README.md | 2 +- services/sasquatch/charts/strimzi-kafka/values.yaml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 24a41e8b0f..2d490498f7 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md @@ -9,9 +9,9 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | env.kafkaBrokerUrl | string | `"sasquatch-kafka-bootstrap.sasquatch:9092"` | Kafka broker URL. | | env.kafkaConnectUrl | string | `"http://sasquatch-connect-api.sasquatch:8083"` | Kafka connnect URL. | | env.kafkaUsername | string | `"kafka-connect-manager"` | Username for SASL authentication. | -| image.pullPolicy | string | `"Always"` | | +| image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"lsstsqre/kafkaconnect"` | | -| image.tag | string | `"tickets-DM-35506"` | | +| image.tag | string | `"1.0.0"` | | | influxdbSink.influxdb-sink.autoUpdate | bool | `true` | If autoUpdate is enabled, check for new kafka topics. | | influxdbSink.influxdb-sink.checkInterval | string | `"15000"` | The interval, in milliseconds, to check for new topics and update the connector. | | influxdbSink.influxdb-sink.connectInfluxDb | string | `"efd"` | InfluxDB database to write to. | 
diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index 585ee4a122..c7e268d05c 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml @@ -2,8 +2,8 @@ # See also https://kafka-connect-manager.lsst.io image: repository: lsstsqre/kafkaconnect - tag: tickets-DM-35506 - pullPolicy: Always + tag: 1.0.0 + pullPolicy: IfNotPresent influxdbSink: # Repeat this block to create multiple instances of this connector. diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 29ee23fd5e..09fa0930f7 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md @@ -7,7 +7,7 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | Key | Type | Default | Description | |-----|------|---------|-------------| | cluster.name | string | `"sasquatch"` | Name used for the Kafka cluster, and used by Strimzi for many annotations. | -| connect.image | string | `"lsstsqre/strimzi-0.29.0-kafka-3.1.1:tickets-DM-35506"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | +| connect.image | string | `"lsstsqre/strimzi-0.29.0-kafka-3.1.1:1.0.0"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | | connect.replicas | int | `1` | Number of Kafka Connect replicas to run. | | kafka.config | object | `{"log.retention.bytes":"429496729600","log.retention.hours":24,"offsets.retention.minutes":1440}` | Configuration overrides for the Kafka server. | | kafka.config."log.retention.bytes" | string | `"429496729600"` | Maximum retained number of bytes for a topic's data. | diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index c64f01a4cd..864cfd1872 100644 
--- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml @@ -33,7 +33,7 @@ zookeeper: connect: # -- Custom strimzi-kafka image with connector plugins used by sasquatch. - image: lsstsqre/strimzi-0.29.0-kafka-3.1.1:tickets-DM-35506 + image: lsstsqre/strimzi-0.29.0-kafka-3.1.1:1.0.0 # -- Number of Kafka Connect replicas to run. replicas: 1 From a3e04789e538799d6033a97615fe5b6b35f06bd0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 11 Jul 2022 00:39:32 +0000 Subject: [PATCH 0749/1479] Update Helm release argo-cd to v4.9.12 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 837fd201a9..7eff20e962 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.9.11 + version: 4.9.12 repository: https://argoproj.github.io/argo-helm From a3899d67498043714e2524c2bb30f8cae9444f6c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 11 Jul 2022 08:08:34 -0700 Subject: [PATCH 0750/1479] Regenerate Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 28d86999f1..5d87f80424 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.9.11 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.9.12 | ## Values From ee70f3ba4aff826c121012453402890fd2445fe5 Mon Sep 17 00:00:00 2001 
From: adam Date: Mon, 11 Jul 2022 12:04:56 -0700 Subject: [PATCH 0751/1479] add nublado2 limits based on actual usage --- services/nublado2/README.md | 2 ++ services/nublado2/values-idfdev.yaml | 4 ---- services/nublado2/values-idfint.yaml | 4 ---- services/nublado2/values-idfprod.yaml | 4 ---- services/nublado2/values.yaml | 4 ++++ 5 files changed, 6 insertions(+), 12 deletions(-) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index bd8836355d..a3afd6ce9c 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -67,6 +67,8 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.hub.loadRoles.self.scopes[1] | string | `"read:metrics"` | | | jupyterhub.hub.loadRoles.server.scopes[0] | string | `"inherit"` | | | jupyterhub.hub.networkPolicy.enabled | bool | `false` | | +| jupyterhub.hub.resources.limits.cpu | string | `"900m"` | | +| jupyterhub.hub.resources.limits.memory | string | `"1Gi"` | | | jupyterhub.imagePullSecrets[0].name | string | `"pull-secret"` | | | jupyterhub.ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` | | | jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-method" | string | `"GET"` | | diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index c363864671..71237a5dda 100644 --- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -1,9 +1,5 @@ jupyterhub: hub: - resources: - requests: - cpu: "2" - memory: 3Gi config: ServerApp: shutdown_no_activity_timeout: 432000 diff --git a/services/nublado2/values-idfint.yaml b/services/nublado2/values-idfint.yaml index b2eadb73c7..4d451b58c6 100644 --- a/services/nublado2/values-idfint.yaml +++ b/services/nublado2/values-idfint.yaml @@ -1,9 +1,5 @@ jupyterhub: hub: - resources: - requests: - cpu: "2" - memory: 3Gi config: ServerApp: shutdown_no_activity_timeout: 432000 
diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml
index 7ce61c8308..1e132982f9 100644
--- a/services/nublado2/values-idfprod.yaml
+++ b/services/nublado2/values-idfprod.yaml
@@ -1,9 +1,5 @@
 jupyterhub:
 hub:
- resources:
- requests:
- cpu: "2"
- memory: 3Gi
 config:
 ServerApp:
 shutdown_no_activity_timeout: 432000
diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml
index 3e7a45414c..57a9a27249 100644
--- a/services/nublado2/values.yaml
+++ b/services/nublado2/values.yaml
@@ -8,6 +8,10 @@ jupyterhub:
 image:
 name: lsstsqre/nublado2
 tag: "2.3.1"
+ resources:
+ limits:
+ cpu: 900m
+ memory: 1Gi # Should support about 200 users
 config:
 Authenticator:
 enable_auth_state: true
From 854ed1a0a3f1515ee676777dd6c76672a5557b66 Mon Sep 17 00:00:00 2001
From: adam
Date: Mon, 11 Jul 2022 12:18:57 -0700
Subject: [PATCH 0752/1479] add resource limits for telegraf
---
 services/telegraf/README.md | 2 ++
 services/telegraf/values.yaml | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/services/telegraf/README.md b/services/telegraf/README.md
index a3dbb31800..a852c9c1c4 100644
--- a/services/telegraf/README.md
+++ b/services/telegraf/README.md
@@ -28,6 +28,8 @@ SQuaRE telemetry collection service
 | telegraf.mountPoints[0].name | string | `"telegraf-generated-config"` | |
 | telegraf.podLabels."hub.jupyter.org/network-access-hub" | string | `"true"` | |
 | telegraf.rbac.clusterWide | bool | `true` | |
+| telegraf.resources.limits.cpu | string | `"900m"` | |
+| telegraf.resources.limits.memory | string | `"512Mi"` | |
 | telegraf.service.enabled | bool | `false` | |
 | telegraf.tplVersion | int | `2` | |
 | telegraf.volumes[0].configMap.name | string | `"telegraf-generated-config"` | |
diff --git a/services/telegraf/values.yaml b/services/telegraf/values.yaml
index e151cd2c27..f323c1eea4 100644
--- a/services/telegraf/values.yaml
+++ b/services/telegraf/values.yaml
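Review bot: nublado2 values.yaml sets `resources.limits` for the hub with no `requests`, while the three per-environment files drop the former `requests` (`cpu: "2"`, `memory: 3Gi`); when only limits are given Kubernetes uses them as the requests (absent a LimitRange), so the hub is now scheduled with 1Gi reserved where it previously asked for 3Gi, and the memory figure is a hard cap — exceeding it gets the hub pod OOM-killed and makes the hub unavailable until it restarts. If 1Gi is the measured working set, state that next to the limit and add an explicit `requests:` block so the intent is visible, e.g. `requests: {cpu: 900m, memory: 1Gi}` or a lower request if bursting is wanted. The telegraf values.yaml hunk that follows and the telegraf-ds values.yaml hunk in the next commit have the same limits-only shape. The `jupyterhub.hub` mapping continues outside the hunk.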
@@ -4,6 +4,10 @@ telegraf: processors: [] inputs: [] outputs: [] + resources: + limits: + memory: 512Mi + cpu: 900m args: - "--config" - "/etc/telegraf-generated/telegraf-generated.conf" From a331b5b0367f22b566784ca9ce90f94acd82508e Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 11 Jul 2022 12:23:04 -0700 Subject: [PATCH 0753/1479] add resource limits for telegraf-ds --- services/telegraf-ds/README.md | 2 ++ services/telegraf-ds/values.yaml | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index e3307c9097..8afc41d8fa 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md @@ -22,6 +22,8 @@ SQuaRE DaemonSet (K8s) telemetry collection service | telegraf-ds.mountPoints[0].name | string | `"telegraf-generated-config"` | | | telegraf-ds.override_config.toml | string | `"[agent]\n logfile=\"\"\n"` | | | telegraf-ds.rbac.create | bool | `true` | | +| telegraf-ds.resources.limits.cpu | string | `"900m"` | | +| telegraf-ds.resources.limits.memory | string | `"512Mi"` | | | telegraf-ds.serviceAccount.name | string | `"telegraf-ds"` | | | telegraf-ds.volumes[0].configMap.name | string | `"telegraf-generated-config"` | | | telegraf-ds.volumes[0].name | string | `"telegraf-generated-config"` | | diff --git a/services/telegraf-ds/values.yaml b/services/telegraf-ds/values.yaml index b797e12a96..8ed1e6ea76 100644 --- a/services/telegraf-ds/values.yaml +++ b/services/telegraf-ds/values.yaml @@ -11,6 +11,10 @@ telegraf-ds: key: influx-token rbac: create: true + resources: + limits: + memory: 512Mi + cpu: 900m serviceAccount: name: telegraf-ds From 6577c2aea99a0251cda307e9006a41ecd4060eb0 Mon Sep 17 00:00:00 2001 
From: Angelo Fausti Date: Mon, 11 Jul 2022 09:53:30 -0700 Subject: [PATCH 0754/1479] Review influxdb-sink configuration at TTS - Change error policy to NOOP - Limit number of connector tasks to a max of 10 --- services/sasquatch/values-tucson-teststand.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 77e1c49c3d..0718b5a549 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -17,6 +17,8 @@ kafka-connect-manager: influxdbSink: influxdb-sink: enabled: true + connectInfluxErrorPolicy: NOOP + tasksMax: 10 kafdrop: ingress: From 4822e237a4917fb0bb684d909475477ef13a5d4b Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 11 Jul 2022 11:38:16 -0700 Subject: [PATCH 0755/1479] Increase quota limits for Kafka users --- .../charts/strimzi-kafka/templates/connect-user.yaml | 6 ++++++ .../strimzi-kafka/templates/kafka-connect-manager-user.yaml | 6 ++++++ .../charts/strimzi-kafka/templates/ts-salkafka-user.yaml | 6 ++++++ 3 files changed, 18 insertions(+) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml index e73ad66f60..9f5a569204 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml @@ -26,3 +26,9 @@ spec: type: allow host: "*" operation: All + quotas: + producerByteRate: 1073741824 + consumerByteRate: 1073741824 + requestPercentage: 90 + controllerMutationRate: 1000 + diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml index a89503658b..69968678b8 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml 
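Review bot: `connectInfluxErrorPolicy: NOOP` in values-tucson-teststand.yaml makes the sink drop any record it fails to write to InfluxDB instead of retrying or failing the task, so write errors at TTS become silent data loss rather than a visible connector failure. A comment stating why that trade-off is acceptable here, e.g. `# NOOP: records that fail to write are dropped rather than retried, chosen so one bad record cannot stall the connector`, keeps the next reader from taking it for an accident; the README on this page lists `connectProgressEnabled` for processed-record counts, which enabled alongside NOOP gives at least a coarse signal of how much is being dropped. The `influxdb-sink` mapping starts outside the hunk.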
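Review bot: The same five-line `quotas:` block (1 GiB/s producer and consumer byte rates, `requestPercentage: 90`, `controllerMutationRate: 1000`) is pasted into connect-user.yaml here and into kafka-connect-manager-user.yaml and ts-salkafka-user.yaml in the next two hunks, each also gaining an added blank line at end of file that yamllint will flag. Defining it once in the chart's values (say a `userQuotas:` mapping) and rendering it in each template with `quotas:` followed by `{{- toYaml .Values.userQuotas | nindent 4 }}` keeps the three users from drifting apart and lets a deployment tune the rates without editing templates. kafka-connect-manager-user's visible ACL is `Read` only, so its `producerByteRate` is presumably never exercised; a comment saying so, or a per-user value, would make the intent clear. Each KafkaUser spec starts outside its hunk.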
+++ b/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml
@@ -22,3 +22,9 @@ spec:
 type: allow
 host: "*"
 operation: Read
+ quotas:
+ producerByteRate: 1073741824
+ consumerByteRate: 1073741824
+ requestPercentage: 90
+ controllerMutationRate: 1000
+
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml
index 580d842537..d6edcb3992 100644
--- a/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml
@@ -22,3 +22,9 @@ spec:
 type: allow
 host: "*"
 operation: All
+ quotas:
+ producerByteRate: 1073741824
+ consumerByteRate: 1073741824
+ requestPercentage: 90
+ controllerMutationRate: 1000
+
From 15f566cef7b446e8127e8deb868dd1312a9e876a Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Mon, 11 Jul 2022 14:47:25 -0700
Subject: [PATCH 0756/1479] Workaround: use old efd hostname for InfluxDB - We found that the EFD Client cannot connect to a host/path URL like tucson-teststand.lsst.codes/influxdb
---
 services/sasquatch/templates/vault-secrets.yaml | 9 +++++++++
 services/sasquatch/values-tucson-teststand.yaml | 16 +++++++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/services/sasquatch/templates/vault-secrets.yaml b/services/sasquatch/templates/vault-secrets.yaml
index 35dceb588c..b0c46d843e 100644
--- a/services/sasquatch/templates/vault-secrets.yaml
+++ b/services/sasquatch/templates/vault-secrets.yaml
@@ -34,3 +34,12 @@ metadata:
 spec:
 path: "{{ .Values.global.vaultSecretsPath }}/pull-secret"
 type: kubernetes.io/dockerconfigjson
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: tls-certs
+ namespace: sasquatch
+spec:
+ path: "{{ .Values.global.vaultSecretsPath }}/efd/tls-certs"
+ type: Opaque
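Review bot: The new `tls-certs` VaultSecret in vault-secrets.yaml is created with `type: Opaque`, yet the ingress in values-tucson-teststand.yaml (next hunk) consumes it as `secretName: tls-certs` under `tls: true`, where a `kubernetes.io/tls` secret carrying `tls.crt` and `tls.key` is the expected shape; the operator plainly supports typed secrets, since the pull-secret just above uses `kubernetes.io/dockerconfigjson`. Setting `type: kubernetes.io/tls` makes the API server reject a secret missing either key at creation, instead of the ingress controller failing later on a malformed secret. Whether the Vault entry stores the material under exactly those two key names is not visible here — confirm it before changing the type. The hunk appends to the end of vault-secrets.yaml.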
diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 0718b5a549..a57a552d4e 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -11,7 +11,21 @@ influxdb: storageClass: rook-ceph-block ingress: enabled: true - hostname: tucson-teststand.lsst.codes + tls: true + secretName: tls-certs + hostname: influxdb-tucson-teststand-efd.lsst.codes + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/affinity: "cookie" + nginx.ingress.kubernetes.io/proxy-body-size: "0m" + nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Forwarded-Path /; + path: / + kafka-connect-manager: influxdbSink: From cc412ea3f3c2e67dbf5384da0ddd53fcfe694646 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 11 Jul 2022 15:32:13 -0700 Subject: [PATCH 0757/1479] Update status feed URL for TTS --- services/sasquatch/values-tucson-teststand.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index a57a552d4e..b9322fec03 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -55,7 +55,7 @@ chronograf: GENERIC_SCOPES: openid GENERIC_API_KEY: sub PUBLIC_URL: https://tucson-teststand.lsst.codes - STATUS_FEED_URL: https://lsst-sqre.github.io/sasquatch/feeds/tucson-teststand.json + STATUS_FEED_URL: https://lsst-sqre.github.io/argocd-efd/apps/chronograf/feeds/tucson-teststand.json kapacitor: persistence: From 83518a7f606fade96ff17900291259802751b511 Mon Sep 17 00:00:00 2001 
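Review bot: The `nginx.ingress.kubernetes.io/configuration-snippet` added in values-tucson-teststand.yaml is only honoured when the ingress-nginx controller permits snippet annotations (`allow-snippet-annotations`), which newer releases turn off by default because a snippet is raw nginx configuration supplied by anyone who can write an Ingress; if it is off here the three `proxy_set_header` lines are dropped without any error. ingress-nginx already forwards `X-Forwarded-Proto` and `X-Forwarded-Port` to the backend on its own, so the snippet is presumably there only for `X-Forwarded-Path` — confirm InfluxDB needs it and, if so, record in a comment which controller setting it depends on. `proxy-body-size: "0m"` removes the request-body cap for this host, reasonable for bulk writes but worth a comment so it is not copied to hosts that do not need it, and `rewrite-target: /` combined with `path: /` rewrites nothing. The `influxdb.ingress` mapping starts outside the hunk.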
From: Angelo Fausti Date: Wed, 13 Jul 2022 10:59:43 -0700 Subject: [PATCH 0758/1479] Improve helm-docs for InfluxDB volume provisioning --- services/sasquatch/README.md | 3 ++- services/sasquatch/values.yaml | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 376571bb24..f454e1bb19 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -40,7 +40,8 @@ Rubin Observatory's telemetry service. | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | | influxdb.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | -| influxdb.persistence | object | `{"accessMode":"ReadWriteOnce","enabled":true,"size":"1Ti"}` | InfluxDB persistence. | +| influxdb.persistence.enabled | bool | `true` | Enable persistent volume claim. By default storageClass is undefined choosing the default provisioner (standard on GKE). | +| influxdb.persistence.size | string | `"1Ti"` | Persistent volume size. @default 1Ti for teststand deployments | | influxdb.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"sasquatch"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | | kafka-connect-manager | object | `{}` | Override strimzi-kafka configuration. | | kafka-producers.enabled | bool | `false` | Whether the kafka-producer for the test csc is deployed. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 338a75c1d0..cbece34ffb 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml 
@@ -13,10 +13,12 @@ influxdb:
 # -- InfluxDB image tag.
 image:
 tag: "1.8.10"
- # -- InfluxDB persistence.
 persistence:
+ # -- Enable persistent volume claim.
+ # By default storageClass is undefined choosing the default provisioner (standard on GKE).
 enabled: true
- accessMode: ReadWriteOnce
+ # -- Persistent volume size.
+ # @default 1Ti for teststand deployments
 size: 1Ti
 # -- Default InfluxDB user, use influxb-user and influxdb-password keys from secret.
 setDefaultUser:
From 81e6f00c9a1b59f99c9302c6d9c315eead7845d0 Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Wed, 13 Jul 2022 17:15:27 -0700
Subject: [PATCH 0759/1479] [DM-35542] Sherlock 0.1.8 Better logging
---
 services/sherlock/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/sherlock/Chart.yaml b/services/sherlock/Chart.yaml
index 96e0639fb3..d9c7052674 100644
--- a/services/sherlock/Chart.yaml
+++ b/services/sherlock/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.1.7
+appVersion: 0.1.8
 description: A Helm chart for Kubernetes
 name: sherlock
 type: application
From c08e8413df735772479008eacc205a0e79712337 Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Wed, 13 Jul 2022 18:39:13 -0700
Subject: [PATCH 0760/1479] [DM-35577] Data-int mobu to 60 TAP users Let's see how we handle this one.
---
 services/mobu/values-idfint.yaml | 120 ++++++++++++++++++++++++++++++-
 1 file changed, 119 insertions(+), 1 deletion(-)
diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml
index f8045afb14..f5304b7ffe 100644
--- a/services/mobu/values-idfint.yaml
+++ b/services/mobu/values-idfint.yaml
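Review bot: helm-docs did not recognise `# @default 1Ti for teststand deployments` above `size:` in sasquatch values.yaml — the README row regenerated in the same commit shows the text appended to the description (`Persistent volume size. @default 1Ti for teststand deployments`) instead of filling the Default column; the helm-docs form is `# @default -- 1Ti for teststand deployments` as its own comment line after the description. Separately, the commit deletes `accessMode: ReadWriteOnce` from `influxdb.persistence` under a documentation-only title; if the upstream influxdb chart defaults the access mode the rendered PVC is unchanged, otherwise this alters it, so either keep the line or state in the commit message that the default was checked. The `influxdb:` mapping continues outside the hunk.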
@@ -27,10 +27,128 @@ autostart: repo_branch: "prod" restart: true - name: "tap" - count: 1 + count: 60 users: - username: "systemtest01" uidnumber: 74768 + - username: "systemtest02" + uidnumber: 74769 + - username: "systemtest03" + uidnumber: 74770 + - username: "systemtest04" + uidnumber: 74771 + - username: "systemtest05" + uidnumber: 74772 + - username: "systemtest06" + uidnumber: 74773 + - username: "systemtest07" + uidnumber: 74774 + - username: "systemtest08" + uidnumber: 74775 + - username: "systemtest09" + uidnumber: 74776 + - username: "systemtest10" + uidnumber: 74777 + - username: "systemtest11" + uidnumber: 74778 + - username: "systemtest12" + uidnumber: 74779 + - username: "systemtest13" + uidnumber: 74780 + - username: "systemtest14" + uidnumber: 74781 + - username: "systemtest15" + uidnumber: 74782 + - username: "systemtest16" + uidnumber: 74783 + - username: "systemtest17" + uidnumber: 74784 + - username: "systemtest18" + uidnumber: 74785 + - username: "systemtest19" + uidnumber: 74786 + - username: "systemtest20" + uidnumber: 74787 + - username: "systemtest21" + uidnumber: 74788 + - username: "systemtest22" + uidnumber: 74789 + - username: "systemtest23" + uidnumber: 74790 + - username: "systemtest24" + uidnumber: 74791 + - username: "systemtest25" + uidnumber: 74792 + - username: "systemtest26" + uidnumber: 74793 + - username: "systemtest27" + uidnumber: 74794 + - username: "systemtest28" + uidnumber: 74795 + - username: "systemtest29" + uidnumber: 74796 + - username: "systemtest30" + uidnumber: 74797 + - username: "systemtest31" + uidnumber: 74798 + - username: "systemtest32" + uidnumber: 74799 + - username: "systemtest33" + uidnumber: 74800 + - username: "systemtest34" + uidnumber: 74801 + - username: "systemtest35" + uidnumber: 74802 + - username: "systemtest36" + uidnumber: 74803 + - username: "systemtest37" + uidnumber: 74804 + - username: "systemtest38" + uidnumber: 74805 + - username: "systemtest39" + uidnumber: 74806 + - username: 
"systemtest40" + uidnumber: 74807 + - username: "systemtest41" + uidnumber: 74808 + - username: "systemtest42" + uidnumber: 74809 + - username: "systemtest43" + uidnumber: 74810 + - username: "systemtest44" + uidnumber: 74811 + - username: "systemtest45" + uidnumber: 74812 + - username: "systemtest46" + uidnumber: 74813 + - username: "systemtest47" + uidnumber: 74814 + - username: "systemtest48" + uidnumber: 74815 + - username: "systemtest49" + uidnumber: 74816 + - username: "systemtest50" + uidnumber: 74817 + - username: "systemtest51" + uidnumber: 74818 + - username: "systemtest52" + uidnumber: 74819 + - username: "systemtest53" + uidnumber: 74820 + - username: "systemtest54" + uidnumber: 74821 + - username: "systemtest55" + uidnumber: 74822 + - username: "systemtest56" + uidnumber: 74823 + - username: "systemtest57" + uidnumber: 74824 + - username: "systemtest58" + uidnumber: 74825 + - username: "systemtest59" + uidnumber: 74826 + - username: "systemtest60" + uidnumber: 74827 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true From bccd6ef7170d0e7b235b657e92c047997533046a Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 13 Jul 2022 17:37:19 -0700 Subject: [PATCH 0761/1479] Update Sasquatch news feed URLs - JSON feeds for sasquatch are now served from the rsp_broadcast repo. --- services/sasquatch/values-idfdev.yaml | 2 +- services/sasquatch/values-summit.yaml | 2 +- services/sasquatch/values-tucson-teststand.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index f47562e2cf..71ef97cafb 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml 
@@ -31,4 +31,4 @@ chronograf: GENERIC_SCOPES: openid GENERIC_API_KEY: sub PUBLIC_URL: https://data-dev.lsst.cloud/ - STATUS_FEED_URL: "https://lsst-sqre.github.io/sasquatch/feeds/idfdev.json" + STATUS_FEED_URL: https://raw.githubusercontent.com/lsst-sqre/rsp_broadcast/main/jsonfeeds/idfdev.json diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index ba2ebe9c5d..733b212072 100644 --- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml @@ -40,7 +40,7 @@ chronograf: GENERIC_SCOPES: openid GENERIC_API_KEY: sub PUBLIC_URL: https://summit-lsp.lsst.codes - STATUS_FEED_URL: https://lsst-sqre.github.io/sasquatch/feeds/summit.json + STATUS_FEED_URL: https://raw.githubusercontent.com/lsst-sqre/rsp_broadcast/main/jsonfeeds/summit.json kapacitor: persistence: diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index b9322fec03..fa96f8e9aa 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -55,7 +55,7 @@ chronograf: GENERIC_SCOPES: openid GENERIC_API_KEY: sub PUBLIC_URL: https://tucson-teststand.lsst.codes - STATUS_FEED_URL: https://lsst-sqre.github.io/argocd-efd/apps/chronograf/feeds/tucson-teststand.json + STATUS_FEED_URL: https://raw.githubusercontent.com/lsst-sqre/rsp_broadcast/main/jsonfeeds/tucson-teststand.json kapacitor: persistence: From 668e10093765c77713e7a6499029afc29fb73a03 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 14 Jul 2022 13:02:22 -0700 Subject: [PATCH 0762/1479] Bump version of vo-cutouts --- services/vo-cutouts/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index 0a11111956..240c9becac 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml 
@@ -4,4 +4,4 @@ version: 1.0.0 description: "Image cutout service complying with IVOA SODA" sources: - "https://github.com/lsst-sqre/vo-cutouts" -appVersion: 0.4.1 +appVersion: 0.4.2 From 70f9746a73ee90255125e07ca5bbea3c35fceedf Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 14 Jul 2022 13:12:02 -0700 Subject: [PATCH 0763/1479] Add DMTN-235 links to Gafaelfawr values.yaml We now have a tech note that explains how scopes are used, so link to it. --- services/gafaelfawr/README.md | 4 ++-- services/gafaelfawr/values.yaml | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 38e14a1b7c..a4f6915d5c 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -28,11 +28,11 @@ Science Platform authentication and authorization system | config.errorFooter | string | `""` | HTML footer to add to any login error page (inside a

tag). | | config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. | | config.github.clientId | string | `""` | GitHub client ID. One and only one of this, `config.cilogon.clientId`, or `config.oidc.clientId` must be set. | -| config.groupMapping | object | `{}` | Defines a mapping of scopes to groups that provide that scope. Tokens from an OpenID Connect provider such as CILogon that include groups in an `isMemberOf` claim will be granted scopes based on this mapping. | +| config.groupMapping | object | `{}` | Defines a mapping of scopes to groups that provide that scope. See [DMTN-235](https://dmtn-235.lsst.io/) for more details on scopes. | | config.influxdb.enabled | bool | `false` | Whether to issue tokens for InfluxDB. If set to true, `influxdb-secret` must be set in the Gafaelfawr secret. | | config.influxdb.username | string | `""` | If set, force all InfluxDB tokens to have that username instead of the authenticated identity of the user requesting a token | | config.initialAdmins | list | `[]` | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. | -| config.knownScopes | object | See the `values.yaml` file | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. | +| config.knownScopes | object | See the `values.yaml` file | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. See [DMTN-235](https://dmtn-235.lsst.io/). 
| | config.ldap.baseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups | | config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. | | config.ldap.groupObjectClass | string | `"posixGroup"` | Object class containing group information | diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 3aa55f3a25..1d79a9964b 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -182,7 +182,7 @@ config: # -- Names and descriptions of all scopes in use. This is used to populate # the new token creation page. Only scopes listed here will be options when - # creating a new token. + # creating a new token. See [DMTN-235](https://dmtn-235.lsst.io/). # @default -- See the `values.yaml` file knownScopes: "admin:token": >- @@ -204,9 +204,8 @@ config: "user:token": >- Can create and modify user tokens - # -- Defines a mapping of scopes to groups that provide that scope. Tokens - # from an OpenID Connect provider such as CILogon that include groups in an - # `isMemberOf` claim will be granted scopes based on this mapping. + # -- Defines a mapping of scopes to groups that provide that scope. See + # [DMTN-235](https://dmtn-235.lsst.io/) for more details on scopes. groupMapping: {} # -- Usernames to add as administrators when initializing a new database. From d5d3235ccb072ea106444f40a95a24a1c388cbd1 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 6 Jun 2022 16:08:17 -0700 Subject: [PATCH 0764/1479] Update Gafaelfawr configuration for 5.0.0 The LDAP configuration settings have been renamed and moved around, and some new ones have been added. Update the chart accordingly. --- services/gafaelfawr/Chart.yaml | 2 +- services/gafaelfawr/README.md | 9 ++++-- services/gafaelfawr/templates/configmap.yaml | 13 +++++--- services/gafaelfawr/values.yaml | 34 +++++++++++++------- 4 files changed, 37 insertions(+), 21 deletions(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 89f4249b68..4e53ba55d3 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,4 +5,4 @@ description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 4.1.0 +appVersion: 5.0.0 diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index a4f6915d5c..f3352dbc4e 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -33,13 +33,16 @@ Science Platform authentication and authorization system | config.influxdb.username | string | `""` | If set, force all InfluxDB tokens to have that username instead of the authenticated identity of the user requesting a token | | config.initialAdmins | list | `[]` | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. | | config.knownScopes | object | See the `values.yaml` file | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. See [DMTN-235](https://dmtn-235.lsst.io/). | -| config.ldap.baseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups | +| config.ldap.emailAttr | string | `"mail"` | Attribute containing the user's email address | +| config.ldap.groupBaseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups | | config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. 
| | config.ldap.groupObjectClass | string | `"posixGroup"` | Object class containing group information | -| config.ldap.uidAttr | string | `"uidNumber"` | Attribute containing the user's UID number (only used if uidBaseDn is set) | -| config.ldap.uidBaseDn | string | Get the UID number from the upstream authentication provider | Base DN for the LDAP search to find a user's UID number | +| config.ldap.nameAttr | string | `"displayName"` | Attribute containing the user's full name | +| config.ldap.uidAttr | string | Get UID from upstream authentication provider | Attribute containing the user's UID number (set to `uidNumber` for most LDAP servers) | | config.ldap.url | string | Do not use LDAP | LDAP server URL from which to retrieve user group information | +| config.ldap.userBaseDn | string | Get user metadata from the upstream authentication provider | Base DN for the LDAP search to find a user's entry | | config.ldap.userDn | string | Use anonymous binds | Bind DN for simple bind authentication. If set, `ldap-secret` must be set in the Gafaelfawr secret | +| config.ldap.userSearchAttr | string | `"uid"` | Search attribute containing the user's username | | config.ldap.usernameBaseDn | string | Get the username from the upstream authentication provider | Base DN for the LDAP search to find a user's username | | config.ldap.usernameSearchAttr | string | `"voPersonSoRID"` | Attribute matching the `sub` claim of a token to find the record containing the username | | config.loglevel | string | `"INFO"` | Choose from the text form of Python logging levels | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index c0b1adb28f..1bbc8ac7cf 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml 
@@ -119,21 +119,24 @@ data: {{- if .Values.config.ldap.url }} ldap: url: {{ .Values.config.ldap.url | quote }} - base_dn: {{ required "config.ldap.baseDn must be set" .Values.config.ldap.baseDn | quote }} + group_base_dn: {{ required "config.ldap.groupBaseDn must be set" .Values.config.ldap.groupBaseDn | quote }} {{- if .Values.config.ldap.userDn }} user_dn: {{ .Values.config.ldap.userDn | quote }} password_file: "/etc/gafaelfawr/secrets/ldap-password" {{- end }} group_object_class: {{ .Values.config.ldap.groupObjectClass | quote }} group_member_attr: {{ .Values.config.ldap.groupMemberAttr | quote }} + {{- if .Values.config.ldap.userBaseDn }} + user_base_dn: {{ .Values.config.ldap.userBaseDn | quote }} + user_search_attr: {{ .Values.config.ldap.userSearchAttr | quote }} + uid_attr: {{ .Values.config.ldap.uidAttr | quote }} + name_attr: {{ .Values.config.ldap.nameAttr | quote }} + email_attr: {{ .Values.config.ldap.emailAttr | quote }} + {{- end }} {{- if .Values.config.ldap.usernameBaseDn }} username_base_dn: {{ .Values.config.ldap.usernameBaseDn | quote }} username_search_attr: {{ .Values.config.ldap.usernameSearchAttr | quote }} {{- end }} - {{- if .Values.config.ldap.uidBaseDn }} - uid_base_dn: {{ .Values.config.ldap.uidBaseDn | quote }} - uid_attr: {{ .Values.config.ldap.uidAttr | quote }} - {{- end }} {{- end }} {{- if .Values.config.oidcServer.enabled }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 1d79a9964b..a46573d3b8 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
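Review bot: Dropping the `{{- if .Values.config.ldap.uidBaseDn }}` block at the end of the hunk means an environment values file that still sets `config.ldap.uidBaseDn` is silently ignored at render time, and that environment's UIDs quietly start coming from the upstream provider instead of LDAP; an environment still using the old `baseDn` at least fails loudly through `required "config.ldap.groupBaseDn must be set"`, but nothing flags the stale UID key. A guard such as `{{- if .Values.config.ldap.uidBaseDn }}{{ fail "config.ldap.uidBaseDn was removed; set config.ldap.userBaseDn and config.ldap.uidAttr" }}{{- end }}` would make the rename visible. Separately, inside the new `user_base_dn` block `uid_attr` is rendered unconditionally, so with the new chart default of `uidAttr: ""` the config carries `uid_attr: ""`; I can't tell from here whether Gafaelfawr treats the empty string as unset, so either confirm that or wrap the line in `{{- if .Values.config.ldap.uidAttr }}`.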
@@ -134,15 +134,15 @@ config: # @default -- Do not use LDAP url: "" - # -- Base DN for the LDAP search to find a user's groups - # @default -- None, must be set - baseDn: "" - # -- Bind DN for simple bind authentication. If set, `ldap-secret` must be # set in the Gafaelfawr secret # @default -- Use anonymous binds userDn: "" + # -- Base DN for the LDAP search to find a user's groups + # @default -- None, must be set + groupBaseDn: "" + # -- Object class containing group information groupObjectClass: "posixGroup" @@ -150,6 +150,24 @@ config: # returned in the token from the OpenID Connect authentication server. groupMemberAttr: "member" + # -- Base DN for the LDAP search to find a user's entry + # @default -- Get user metadata from the upstream authentication provider + userBaseDn: "" + + # -- Search attribute containing the user's username + userSearchAttr: "uid" + + # -- Attribute containing the user's UID number (set to `uidNumber` for + # most LDAP servers) + # @default -- Get UID from upstream authentication provider + uidAttr: "" + + # -- Attribute containing the user's full name + nameAttr: "displayName" + + # -- Attribute containing the user's email address + emailAttr: "mail" + # -- Base DN for the LDAP search to find a user's username # @default -- Get the username from the upstream authentication provider usernameBaseDn: "" @@ -158,14 +176,6 @@ config: # containing the username usernameSearchAttr: "voPersonSoRID" - # -- Base DN for the LDAP search to find a user's UID number - # @default -- Get the UID number from the upstream authentication provider - uidBaseDn: "" - - # -- Attribute containing the user's UID number (only used if uidBaseDn is - # set) - uidAttr: "uidNumber" - influxdb: # -- Whether to issue tokens for InfluxDB. If set to true, # `influxdb-secret` must be set in the Gafaelfawr secret. From 3f421412e37c4b9d68f46e045b874943cb151fe4 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 6 Jun 2022 17:09:13 -0700 Subject: [PATCH 0765/1479] Add Firestore migration to Gafaelfawr Add an optional post-install job to perform the Firestore home directory ownership migration if enabled. --- services/gafaelfawr/README.md | 3 + .../templates/job-firestore-migrate.yaml | 75 +++++++++++++++++++ .../templates/redis-networkpolicy.yaml | 4 + services/gafaelfawr/values.yaml | 13 ++++ 4 files changed, 95 insertions(+) create mode 100644 services/gafaelfawr/templates/job-firestore-migrate.yaml diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index f3352dbc4e..c97469c2f2 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -26,6 +26,9 @@ Science Platform authentication and authorization system | config.cilogon.test | bool | `false` | Whether to use the test instance of CILogon | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | | config.errorFooter | string | `""` | HTML footer to add to any login error page (inside a

tag). | +| config.firestore.migrate.enabled | bool | `false` | Do home directory ownership migration | +| config.firestore.migrate.nfs.path | string | None, must be set if `migrate` is `true` | NFS path for home directory ownership migration | +| config.firestore.migrate.nfs.server | string | None, must be set if `migrate` is `true` | NFS server for home directory ownership migration | | config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. | | config.github.clientId | string | `""` | GitHub client ID. One and only one of this, `config.cilogon.clientId`, or `config.oidc.clientId` must be set. | | config.groupMapping | object | `{}` | Defines a mapping of scopes to groups that provide that scope. See [DMTN-235](https://dmtn-235.lsst.io/) for more details on scopes. | diff --git a/services/gafaelfawr/templates/job-firestore-migrate.yaml b/services/gafaelfawr/templates/job-firestore-migrate.yaml new file mode 100644 index 0000000000..2cd18e935a --- /dev/null +++ b/services/gafaelfawr/templates/job-firestore-migrate.yaml 
@@ -0,0 +1,75 @@ +{{- if .Values.config.firestore.migrate.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "gafaelfawr.fullname" . }}-firestore-migrate + labels: + {{- include "gafaelfawr.labels" . | nindent 4 }} + annotations: + helm.sh/hook: "post-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded" +spec: + template: + metadata: + name: {{ template "gafaelfawr.fullname" . }}-firestore-migrate + labels: + {{- include "gafaelfawr.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "firestore-migrate" + spec: + automountServiceAccountToken: false + containers: + {{- if .Values.cloudsql.enabled }} + - name: "cloud-sql-proxy" + command: + - "/cloud_sql_proxy" + - "-ip_address_types=PRIVATE" + - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" + image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + {{- end }} + - name: "migrate" + command: + - "gafaelfawr" + - "fix-home-ownership" + - "/homedirs" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + securityContext: + capabilities: + add: + - "CHOWN" + - "DAC_READ_SEARCH" + readOnlyRootFilesystem: true + runAsUser: 0 + runAsGroup: 0 + volumeMounts: + - name: "config" + mountPath: "/etc/gafaelfawr" + readOnly: true + - name: "homedirs" + mountPath: "/homedirs" + - name: "secret" + mountPath: "/etc/gafaelfawr/secrets" + readOnly: true + restartPolicy: "Never" + volumes: + - name: "config" + configMap: + name: {{ template "gafaelfawr.fullname" . 
}}-config + - name: "homedirs" + nfs: + server: {{ .Values.config.firestore.migrate.nfs.server | quote }} + path: {{ .Values.config.firestore.migrate.nfs.path | quote }} + - name: "secret" + secret: + secretName: {{ template "gafaelfawr.fullname" . }}-secret +{{- end }} diff --git a/services/gafaelfawr/templates/redis-networkpolicy.yaml b/services/gafaelfawr/templates/redis-networkpolicy.yaml index 7423b2805b..5d21beb7cc 100644 --- a/services/gafaelfawr/templates/redis-networkpolicy.yaml +++ b/services/gafaelfawr/templates/redis-networkpolicy.yaml @@ -17,6 +17,10 @@ spec: ingress: # Allow inbound access to Redis from all other components. - from: + - podSelector: + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: "firestore-migrate" - podSelector: matchLabels: {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index a46573d3b8..bed81af51d 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -82,6 +82,19 @@ config: # @default -- Firestore support is disabled project: "" + migrate: + # -- Do home directory ownership migration + enabled: false + + nfs: + # -- NFS server for home directory ownership migration + # @default -- None, must be set if `migrate` is `true` + server: "" + + # -- NFS path for home directory ownership migration + # @default -- None, must be set if `migrate` is `true` + path: "" + github: # -- GitHub client ID. One and only one of this, `config.cilogon.clientId`, # or `config.oidc.clientId` must be set. From 67ce9879f9695890c0b6bf886f8e9ae952fea40d Mon Sep 17 00:00:00 2001 
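Review bot: The `migrate` container runs with `runAsUser: 0` and adds `CHOWN` and `DAC_READ_SEARCH`, but unlike the `cloud-sql-proxy` sidecar in the same pod spec it sets neither `allowPrivilegeEscalation: false` nor `drop: - "all"`, so it keeps the runtime's default capability set on top of the two it actually needs to re-own files on the NFS home directories. Adding `allowPrivilegeEscalation: false` and a `drop:` list with `- "all"` ahead of the `add:` list keeps the job at the minimum it needs. The Job is also wired to `helm.sh/hook: "post-upgrade"`, so it re-runs on every upgrade while `migrate.enabled` stays true; a comment above the annotation stating whether `fix-home-ownership` is safe to repeat, or that the flag must be flipped back after the first run, would help operators.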
From: Russ Allbery
Date: Tue, 7 Jun 2022 13:50:40 -0700
Subject: [PATCH 0766/1479] Add CILogon and Firestore config for IDF dev
Switch to the current ticket development branch and add CILogon and Firestore configuration (including enabling migration) for IDF dev.
---
services/gafaelfawr/values-idfdev.yaml | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml
index 8fb6315731..5d664ce22a 100644
--- a/services/gafaelfawr/values-idfdev.yaml
+++ b/services/gafaelfawr/values-idfdev.yaml
@@ -1,5 +1,5 @@
 image:
- tag: "tickets-DM-34335"
+ tag: "tickets-DM-34613"
 
 # Use the CSI storage class so that we can use snapshots.
 redis:
@@ -13,8 +13,18 @@ config:
 oidcServer:
 enabled: true
 
- github:
- clientId: "f46555b3f4c524e764ac"
+ cilogon:
+ clientId: "cilogon:/client_id/46f9ae932fd30e9fb1b246972a3c0720"
+ enrollmentUrl: "https://registry-test.lsst.codes/registry/co_petitions/start/coef:6"
+ test: true
+
+ firestore:
+ project: "rsp-firestore-dev-31c4"
+ migrate:
+ enabled: true
+ nfs:
+ server: "10.87.86.26"
+ path: "/share1/home"
 
 # Allow access by GitHub team.
 groupMapping:
From ba40ec858b8ae5f0b617b7a0a46e0f497aad2edc Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 9 Jun 2022 16:44:47 -0700
Subject: [PATCH 0767/1479] Add ldap-password secret for Gafaelfawr
This will be used in the future for the IDF environments (and will also be required by SLAC).
---
installer/generate_secrets.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py
index da8e05b42f..25bcd027f3 100755
--- a/installer/generate_secrets.py
+++ b/installer/generate_secrets.py
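Review bot: The retained comment `# Allow access by GitHub team.` above `groupMapping:` is now stale — this hunk replaces the `github:` block with `cilogon:`, so the groups feeding the mapping presumably come from CILogon/COmanage rather than a GitHub team; update it to name the actual source (e.g. `# Allow access by COmanage group.`) or drop it. The `groupMapping` entries themselves fall outside the hunk, so I can't tell from here whether they were updated to match the new provider.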
@@ -221,6 +221,11 @@ def _gafaelfawr(self):
 f"Invalid gafaelfawr cloudsql value {use_cloudsql}"
 )
 
+ self.input_field("gafaelfawr", "ldap", "Use LDAP? (y/n):")
+ use_ldap = self.secrets["gaelfawr"]["ldap"]
+ if use_ldap == "y":
+ self.input_field("gafaelfawr", "ldap-password", "LDAP password")
+
 self.input_field("gafaelfawr", "auth_type", "Use cilogon or github?")
 auth_type = self.secrets["gafaelfawr"]["auth_type"]
 if auth_type == "cilogon":
From 72352c3867f81c0eebd2b99c9b230057183631f9 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 9 Jun 2022 16:45:22 -0700
Subject: [PATCH 0768/1479] Add LDAP configuration for IDF dev
Add the LDAP DNs and server URL for IDF dev, pointing to the test LDAP server for our test COmanage registry.
---
services/gafaelfawr/values-idfdev.yaml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml
index 5d664ce22a..8edc60ce11 100644
--- a/services/gafaelfawr/values-idfdev.yaml
+++ b/services/gafaelfawr/values-idfdev.yaml
@@ -26,6 +26,12 @@ config:
 server: "10.87.86.26"
 path: "/share1/home"
 
+ ldap:
+ url: "ldaps://ldap-test.cilogon.org"
+ userDn: "uid=readonly_user,ou=system,o=LSST,o=CO,dc=lsst,dc=org"
+ groupBaseDn: "ou=groups,o=LSST,o=CO,dc=lsst,dc=org"
+ userBaseDn: "ou=people,o=LSST,o=CO,dc=lsst,dc=org"
+
 # Allow access by GitHub team.
 groupMapping:
 "admin:provision":
From a0ae81063c206c623aaa284acb8fc8a27568b127 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 10 Jun 2022 10:36:10 -0700
Subject: [PATCH 0769/1479] Also switch minikube to new Gafaelfawr branch
Allow minikube testing before Gafaelfawr 5.0.0 is released.
---
services/gafaelfawr/values-minikube.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/gafaelfawr/values-minikube.yaml b/services/gafaelfawr/values-minikube.yaml
index 1a5413844c..a3bfd820dd 100644
--- a/services/gafaelfawr/values-minikube.yaml
+++ b/services/gafaelfawr/values-minikube.yaml
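Review bot: `use_ldap = self.secrets["gaelfawr"]["ldap"]` reads the answer back under a misspelled component key — every other line in the hunk, including the `input_field` call just above it, uses `"gafaelfawr"` — so this lookup raises `KeyError` right after the LDAP prompt and the password question is never reached; it should be `use_ldap = self.secrets["gafaelfawr"]["ldap"]`. The check is also an exact match on `"y"`, so `Y` or `yes` silently skips the `ldap-password` prompt even though the chart's `userDn` setting then requires `ldap-secret` to exist; normalizing with `.strip().lower()` before the comparison, if `input_field` doesn't already, would avoid that. `_gafaelfawr` itself begins before the hunk.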
@@ -1,5 +1,5 @@ image: - tag: "tickets-DM-34335" + tag: "tickets-DM-34613" # Reset token storage on every Redis restart. redis: From 5b3cd80ee545ca14d085e76e83ee5ca500f91eeb Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 10 Jun 2022 10:43:09 -0700 Subject: [PATCH 0770/1479] Update mobu for new Gafaelfawr Change the names of all of the mobu users to start with bot and be more informative about what flock they're a part of. Run mobu for minikube and IDF dev from a branch and stop assigning a UID so that Gafaelfawr will do it. --- services/mobu/values-idfdev.yaml | 6 +- services/mobu/values-idfint.yaml | 140 ++++------------------------- services/mobu/values-idfprod.yaml | 38 ++++---- services/mobu/values-minikube.yaml | 2 + services/mobu/values-roe.yaml | 4 +- 5 files changed, 44 insertions(+), 146 deletions(-) diff --git a/services/mobu/values-idfdev.yaml b/services/mobu/values-idfdev.yaml index 5b91917a2f..dd5edf6a90 100644 --- a/services/mobu/values-idfdev.yaml +++ b/services/mobu/values-idfdev.yaml @@ -1,11 +1,13 @@ +image: + tag: "tickets-DM-34613" + cachemachineImagePolicy: "desired" autostart: - name: "python" count: 1 users: - - username: "systemtest01" - uidnumber: 74768 + - username: "bot-mobu-user" scopes: ["exec:notebook"] business: "JupyterPythonLoop" options: diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index f5304b7ffe..269524f45d 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -4,9 +4,13 @@ autostart: - name: "firefighter" count: 1 users: - - username: "systemtest01" + - username: "bot-mobu-recommended" uidnumber: 74768 - scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"] + scopes: + - "exec:notebook" + - "exec:portal" + - "read:image" + - "read:tap" business: "NotebookRunner" options: repo_url: "https://github.com/SimonKrughoff/system-test.git" 
@@ -16,9 +20,13 @@ autostart: - name: "weekly" count: 1 users: - - username: "systemtest02" + - username: "bot-mobu-weekly" uidnumber: 74769 - scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"] + scopes: + - "exec:notebook" + - "exec:portal" + - "read:image" + - "read:tap" business: "NotebookRunner" options: jupyter: 
@@ -28,127 +36,9 @@ autostart: restart: true - name: "tap" count: 60 - users: - - username: "systemtest01" - uidnumber: 74768 - - username: "systemtest02" - uidnumber: 74769 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest04" - uidnumber: 74771 - - username: "systemtest05" - uidnumber: 74772 - - username: "systemtest06" - uidnumber: 74773 - - username: "systemtest07" - uidnumber: 74774 - - username: "systemtest08" - uidnumber: 74775 - - username: "systemtest09" - uidnumber: 74776 - - username: "systemtest10" - uidnumber: 74777 - - username: "systemtest11" - uidnumber: 74778 - - username: "systemtest12" - uidnumber: 74779 - - username: "systemtest13" - uidnumber: 74780 - - username: "systemtest14" - uidnumber: 74781 - - username: "systemtest15" - uidnumber: 74782 - - username: "systemtest16" - uidnumber: 74783 - - username: "systemtest17" - uidnumber: 74784 - - username: "systemtest18" - uidnumber: 74785 - - username: "systemtest19" - uidnumber: 74786 - - username: "systemtest20" - uidnumber: 74787 - - username: "systemtest21" - uidnumber: 74788 - - username: "systemtest22" - uidnumber: 74789 - - username: "systemtest23" - uidnumber: 74790 - - username: "systemtest24" - uidnumber: 74791 - - username: "systemtest25" - uidnumber: 74792 - - username: "systemtest26" - uidnumber: 74793 - - username: "systemtest27" - uidnumber: 74794 - - username: "systemtest28" - uidnumber: 74795 - - username: "systemtest29" - uidnumber: 74796 - - username: "systemtest30" - uidnumber: 74797 - - username: "systemtest31" - uidnumber: 74798 - - username: "systemtest32" - uidnumber: 74799 - - username: "systemtest33" - uidnumber: 74800 - - username: "systemtest34" - uidnumber: 74801 - - username: "systemtest35" - uidnumber: 74802 - - username: "systemtest36" - uidnumber: 74803 - - username: "systemtest37" - uidnumber: 74804 - - username: "systemtest38" - uidnumber: 74805 - - username: "systemtest39" - uidnumber: 74806 - - username: "systemtest40" - uidnumber: 74807 - 
- username: "systemtest41" - uidnumber: 74808 - - username: "systemtest42" - uidnumber: 74809 - - username: "systemtest43" - uidnumber: 74810 - - username: "systemtest44" - uidnumber: 74811 - - username: "systemtest45" - uidnumber: 74812 - - username: "systemtest46" - uidnumber: 74813 - - username: "systemtest47" - uidnumber: 74814 - - username: "systemtest48" - uidnumber: 74815 - - username: "systemtest49" - uidnumber: 74816 - - username: "systemtest50" - uidnumber: 74817 - - username: "systemtest51" - uidnumber: 74818 - - username: "systemtest52" - uidnumber: 74819 - - username: "systemtest53" - uidnumber: 74820 - - username: "systemtest54" - uidnumber: 74821 - - username: "systemtest55" - uidnumber: 74822 - - username: "systemtest56" - uidnumber: 74823 - - username: "systemtest57" - uidnumber: 74824 - - username: "systemtest58" - uidnumber: 74825 - - username: "systemtest59" - uidnumber: 74826 - - username: "systemtest60" - uidnumber: 74827 + user_spec: + - username_prefix: "bot-mobu-tap" + uid_start: 74770 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true diff --git a/services/mobu/values-idfprod.yaml b/services/mobu/values-idfprod.yaml index a25250fe9c..a599ba76ba 100644 --- a/services/mobu/values-idfprod.yaml +++ b/services/mobu/values-idfprod.yaml @@ -3,18 +3,14 @@ cachemachineImagePolicy: "desired" autostart: - name: "firefighter" count: 5 - users: - - username: "systemtest01" - uidnumber: 74768 - - username: "systemtest02" - uidnumber: 74769 - - username: "systemtest03" - uidnumber: 74770 - - username: "systemtest04" - uidnumber: 74771 - - username: "systemtest05" - uidnumber: 74772 - scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"] + user_spec: + username_prefix: "bot-mobu-recommended" + uid_start: 74768 + scopes: + - "exec:notebook" + - "exec:portal" + - "read:image" + - "read:tap" business: "NotebookRunner" options: repo_url: "https://github.com/lsst-sqre/system-test.git" 
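Review bot: `user_spec` is written as a sequence in values-idfint.yaml (`- username_prefix: "bot-mobu-tap"`) but as a plain mapping in values-idfprod.yaml (`user_spec:` followed by `username_prefix: "bot-mobu-recommended"`); unless the mobu schema is unusually lenient it cannot accept both shapes for the same key, so one of these flocks will fail validation when mobu starts. Pick the shape the pinned mobu version expects and use it in both files. The idfprod `firefighter` flock keeps `count: 5` with `uid_start: 74768`, which runs through 74772 and stays clear of the fixed `uidnumber` values 74773–74775 used by the other idfprod flocks, so the UID ranges themselves look consistent.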
@@ -24,9 +20,13 @@ autostart: - name: "quickbeam" count: 1 users: - - username: "systemtest06" + - username: "bot-mobu-persistent" uidnumber: 74773 - scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"] + scopes: + - "exec:notebook" + - "exec:portal" + - "read:image" + - "read:tap" business: "NotebookRunner" options: repo_url: "https://github.com/lsst-sqre/system-test.git" @@ -37,9 +37,13 @@ autostart: - name: "tutorial" count: 1 users: - - username: "systemtest07" + - username: "bot-mobu-tutorial" uidnumber: 74774 - scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"] + scopes: + - "exec:notebook" + - "exec:portal" + - "read:image" + - "read:tap" business: "NotebookRunner" options: repo_url: "https://github.com/rubin-dp0/tutorial-notebooks.git" @@ -50,7 +54,7 @@ autostart: - name: "tap" count: 1 users: - - username: "systemtest08" + - username: "bot-mobu-tap" uidnumber: 74775 scopes: ["read:tap"] business: "TAPQueryRunner" diff --git a/services/mobu/values-minikube.yaml b/services/mobu/values-minikube.yaml index e69de29bb2..a782a15278 100644 --- a/services/mobu/values-minikube.yaml +++ b/services/mobu/values-minikube.yaml @@ -0,0 +1,2 @@ +image: + tag: "tickets-DM-34613" diff --git a/services/mobu/values-roe.yaml b/services/mobu/values-roe.yaml index dc12a44d33..addce5939b 100644 --- a/services/mobu/values-roe.yaml +++ b/services/mobu/values-roe.yaml @@ -2,7 +2,7 @@ autostart: - name: "firefighter" count: 1 users: - - username: "systemtest01" + - username: "bot-mobu-recommended" uidnumber: 74768 scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"] business: "NotebookRunner" @@ -14,7 +14,7 @@ autostart: - name: "weekly" count: 1 users: - - username: "systemtest02" + - username: "bot-mobu-weekly" uidnumber: 74769 scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"] business: "NotebookRunner" From 412a3bf87dabef3f5b7dbdd1c982cd201a719950 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 10 Jun 2022 14:42:06 -0700 Subject: [PATCH 0771/1479] Rename more service accounts Rename all of the GafaelfawrServiceToken service accounts to use the bot-* naming convention. --- services/mobu/templates/gafaelfawr-token.yaml | 2 +- services/noteburst/templates/gafaelfawrtoken.yaml | 2 +- services/nublado2/templates/gafaelfawr-token.yaml | 2 +- services/times-square/templates/gafaelfawrtoken.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/mobu/templates/gafaelfawr-token.yaml b/services/mobu/templates/gafaelfawr-token.yaml index 57d59fb715..c50b1ceb39 100644 --- a/services/mobu/templates/gafaelfawr-token.yaml +++ b/services/mobu/templates/gafaelfawr-token.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "mobu.labels" . | nindent 4 }} spec: - service: "mobu" + service: "bot-mobu" scopes: - "admin:token" - "exec:admin" diff --git a/services/noteburst/templates/gafaelfawrtoken.yaml b/services/noteburst/templates/gafaelfawrtoken.yaml index 7113fdc3e9..0b42e8cebf 100644 --- a/services/noteburst/templates/gafaelfawrtoken.yaml +++ b/services/noteburst/templates/gafaelfawrtoken.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "noteburst.labels" . | nindent 4 }} spec: - service: "noteburst" + service: "bot-noteburst" scopes: - "admin:token" - "exec:admin" diff --git a/services/nublado2/templates/gafaelfawr-token.yaml b/services/nublado2/templates/gafaelfawr-token.yaml index 2d65a218bc..06a9822b82 100644 --- a/services/nublado2/templates/gafaelfawr-token.yaml +++ b/services/nublado2/templates/gafaelfawr-token.yaml @@ -5,6 +5,6 @@ metadata: labels: {{- include "nublado2.labels" . | nindent 4 }} spec: - service: "nublado2" + service: "bot-nublado2" scopes: - "admin:provision" diff --git a/services/times-square/templates/gafaelfawrtoken.yaml b/services/times-square/templates/gafaelfawrtoken.yaml index 670ed49093..f173ea4fa2 100644 --- a/services/times-square/templates/gafaelfawrtoken.yaml 
+++ b/services/times-square/templates/gafaelfawrtoken.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "times-square.labels" . | nindent 4 }} spec: - service: "times-square" + service: "bot-times-square" scopes: - "admin:token" - "exec:admin" From efd9091a159d38fd80c1a1c22280dde938648adb Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 6 Jul 2022 15:22:09 -0700 Subject: [PATCH 0772/1479] Remove home directory UID migration support This turns out to not be possible because we don't have a username mapping. Delete the proposed support. --- services/gafaelfawr/README.md | 3 - .../templates/job-firestore-migrate.yaml | 75 ------------------- .../templates/redis-networkpolicy.yaml | 4 - services/gafaelfawr/values-idfdev.yaml | 5 -- services/gafaelfawr/values.yaml | 13 ---- 5 files changed, 100 deletions(-) delete mode 100644 services/gafaelfawr/templates/job-firestore-migrate.yaml diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index c97469c2f2..f3352dbc4e 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -26,9 +26,6 @@ Science Platform authentication and authorization system | config.cilogon.test | bool | `false` | Whether to use the test instance of CILogon | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | | config.errorFooter | string | `""` | HTML footer to add to any login error page (inside a

tag). | -| config.firestore.migrate.enabled | bool | `false` | Do home directory ownership migration | -| config.firestore.migrate.nfs.path | string | None, must be set if `migrate` is `true` | NFS path for home directory ownership migration | -| config.firestore.migrate.nfs.server | string | None, must be set if `migrate` is `true` | NFS server for home directory ownership migration | | config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. | | config.github.clientId | string | `""` | GitHub client ID. One and only one of this, `config.cilogon.clientId`, or `config.oidc.clientId` must be set. | | config.groupMapping | object | `{}` | Defines a mapping of scopes to groups that provide that scope. See [DMTN-235](https://dmtn-235.lsst.io/) for more details on scopes. | diff --git a/services/gafaelfawr/templates/job-firestore-migrate.yaml b/services/gafaelfawr/templates/job-firestore-migrate.yaml deleted file mode 100644 index 2cd18e935a..0000000000 --- a/services/gafaelfawr/templates/job-firestore-migrate.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -{{- if .Values.config.firestore.migrate.enabled -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "gafaelfawr.fullname" . }}-firestore-migrate - labels: - {{- include "gafaelfawr.labels" . | nindent 4 }} - annotations: - helm.sh/hook: "post-upgrade" - helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded" -spec: - template: - metadata: - name: {{ template "gafaelfawr.fullname" . }}-firestore-migrate - labels: - {{- include "gafaelfawr.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: "firestore-migrate" - spec: - automountServiceAccountToken: false - containers: - {{- if .Values.cloudsql.enabled }} - - name: "cloud-sql-proxy" - command: - - "/cloud_sql_proxy" - - "-ip_address_types=PRIVATE" - - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" - image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" - imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "all" - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - {{- end }} - - name: "migrate" - command: - - "gafaelfawr" - - "fix-home-ownership" - - "/homedirs" - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - securityContext: - capabilities: - add: - - "CHOWN" - - "DAC_READ_SEARCH" - readOnlyRootFilesystem: true - runAsUser: 0 - runAsGroup: 0 - volumeMounts: - - name: "config" - mountPath: "/etc/gafaelfawr" - readOnly: true - - name: "homedirs" - mountPath: "/homedirs" - - name: "secret" - mountPath: "/etc/gafaelfawr/secrets" - readOnly: true - restartPolicy: "Never" - volumes: - - name: "config" - configMap: - name: {{ template "gafaelfawr.fullname" . 
}}-config - - name: "homedirs" - nfs: - server: {{ .Values.config.firestore.migrate.nfs.server | quote }} - path: {{ .Values.config.firestore.migrate.nfs.path | quote }} - - name: "secret" - secret: - secretName: {{ template "gafaelfawr.fullname" . }}-secret -{{- end }} diff --git a/services/gafaelfawr/templates/redis-networkpolicy.yaml b/services/gafaelfawr/templates/redis-networkpolicy.yaml index 5d21beb7cc..7423b2805b 100644 --- a/services/gafaelfawr/templates/redis-networkpolicy.yaml +++ b/services/gafaelfawr/templates/redis-networkpolicy.yaml @@ -17,10 +17,6 @@ spec: ingress: # Allow inbound access to Redis from all other components. - from: - - podSelector: - matchLabels: - {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} - app.kubernetes.io/component: "firestore-migrate" - podSelector: matchLabels: {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 8edc60ce11..1f291dc916 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -20,11 +20,6 @@ config: firestore: project: "rsp-firestore-dev-31c4" - migrate: - enabled: true - nfs: - server: "10.87.86.26" - path: "/share1/home" ldap: url: "ldaps://ldap-test.cilogon.org" diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index bed81af51d..a46573d3b8 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
@@ -82,19 +82,6 @@ config: # @default -- Firestore support is disabled project: "" - migrate: - # -- Do home directory ownership migration - enabled: false - - nfs: - # -- NFS server for home directory ownership migration - # @default -- None, must be set if `migrate` is `true` - server: "" - - # -- NFS path for home directory ownership migration - # @default -- None, must be set if `migrate` is `true` - path: "" - github: # -- GitHub client ID. One and only one of this, `config.cilogon.clientId`, # or `config.oidc.clientId` must be set. From a12d97ced52764efbe50b7d4d9dd9663775f762b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 6 Jul 2022 15:26:11 -0700 Subject: [PATCH 0773/1479] Use default mobu on IDF dev and minikube Support for omitting the UID and letting Gafaelfawr assign it has been added to the current released mobu version, so there's no longer a need to run from a branch. --- services/mobu/values-idfdev.yaml | 3 --- services/mobu/values-minikube.yaml | 2 -- 2 files changed, 5 deletions(-) diff --git a/services/mobu/values-idfdev.yaml b/services/mobu/values-idfdev.yaml index dd5edf6a90..058f7bd051 100644 --- a/services/mobu/values-idfdev.yaml +++ b/services/mobu/values-idfdev.yaml @@ -1,6 +1,3 @@ -image: - tag: "tickets-DM-34613" - cachemachineImagePolicy: "desired" autostart: diff --git a/services/mobu/values-minikube.yaml b/services/mobu/values-minikube.yaml index a782a15278..e69de29bb2 100644 --- a/services/mobu/values-minikube.yaml +++ b/services/mobu/values-minikube.yaml @@ -1,2 +0,0 @@ -image: - tag: "tickets-DM-34613" From 731319f8587dc6d2a39ced06cfc3eacd9dc28673 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 7 Jul 2022 12:02:59 -0700 Subject: [PATCH 0774/1479] Stop assigning UIDs to noteburst workers on data-dev Gafaelfawr will be able to assign UIDs from the bot UID space. --- services/noteburst/values-idfdev.yaml | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) 
diff --git a/services/noteburst/values-idfdev.yaml b/services/noteburst/values-idfdev.yaml
index afbe9fc0b1..cff0a8417f 100644
--- a/services/noteburst/values-idfdev.yaml
+++ b/services/noteburst/values-idfdev.yaml
@@ -7,15 +7,9 @@ config:
 worker:
 workerCount: 1
 identities:
- - uid: 90000
- username: "bot-noteburst90000"
- - uid: 90001
- username: "bot-noteburst90001"
- - uid: 90002
- username: "bot-noteburst90002"
- - uid: 90003
- username: "bot-noteburst90003"
- - uid: 90004
- username: "bot-noteburst90004"
- - uid: 90005
- username: "bot-noteburst90005"
+ - username: "bot-noteburst90000"
+ - username: "bot-noteburst90001"
+ - username: "bot-noteburst90002"
+ - username: "bot-noteburst90003"
+ - username: "bot-noteburst90004"
+ - username: "bot-noteburst90005"
From 264357a657a04619731e809205a6b2ddca736312 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 7 Jul 2022 13:28:43 -0700
Subject: [PATCH 0775/1479] Update group mapping for IDF dev Switch to the new COmanage group, and update initial admins to match the usernames chosen in COmanage.
---
services/gafaelfawr/values-idfdev.yaml | 29 ++++++++------------------
1 file changed, 9 insertions(+), 20 deletions(-)
diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml
index 1f291dc916..86733d9da8 100644
--- a/services/gafaelfawr/values-idfdev.yaml
+++ b/services/gafaelfawr/values-idfdev.yaml
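Review bot: The worker usernames keep the numeric suffixes that used to be the explicit UIDs (`bot-noteburst90000` sat next to `uid: 90000`), but with the `uid:` keys removed the number no longer means anything, and a reader of the new file will likely still assume it is the UID. A one-line comment above `identities:` such as `# Usernames only; UIDs are assigned by Gafaelfawr` would make the new contract explicit. The enclosing `config:`/`worker:` mapping begins outside the hunk.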
@@ -27,39 +27,28 @@ config:
 groupBaseDn: "ou=groups,o=LSST,o=CO,dc=lsst,dc=org"
 userBaseDn: "ou=people,o=LSST,o=CO,dc=lsst,dc=org"
- # Allow access by GitHub team.
 groupMapping:
 "admin:provision":
- - "lsst-sqre-square"
+ - "g_science-platform-idf-dev"
 "exec:admin":
- - "lsst-sqre-square"
- - "lsst-sqre-friends"
+ - "g_science-platform-idf-dev"
 "exec:notebook":
- - "lsst-sqre-square"
- - "lsst-sqre-friends"
+ - "g_science-platform-idf-dev"
 "exec:portal":
- - "lsst-sqre-square"
- - "lsst-sqre-friends"
+ - "g_science-platform-idf-dev"
 "read:image":
- - "lsst-sqre-square"
- - "lsst-sqre-friends"
+ - "g_science-platform-idf-dev"
 "read:tap":
- - "lsst-sqre-square"
- - "lsst-sqre-friends"
+ - "g_science-platform-idf-dev"
 initialAdmins:
 - "afausti"
- - "athornton"
+ - "adam"
 - "cbanek"
 - "frossie"
- - "jonathansick"
+ - "jsick"
 - "rra"
- - "simonkrughoff"
-
- errorFooter: |
- To report problems or ask for help, please open an issue in the
- GitHub
- rubin-dp0/Support project.
+ - "simon.krughoff"
 cloudsql:
 enabled: true
From ab64f48b88eb6264311fe4ef7ec2b6571ab6ccc3 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Thu, 14 Jul 2022 13:23:27 -0700
Subject: [PATCH 0776/1479] Enable telegraf and telegraf-ds at TTS - Now that Sasquatch is running at TTS we can tear down the old EFD deployment and deploy telegraf and telegraf-ds as part of the monitoring infrastructure.
---
science-platform/values-tucson-teststand.yaml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml
index 80a699e986..3d95d761e0 100644
--- a/science-platform/values-tucson-teststand.yaml
+++ b/science-platform/values-tucson-teststand.yaml
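Review bot: Every scope in the new `groupMapping`, including `admin:provision` and `exec:admin`, is now granted to the single group `g_science-platform-idf-dev`, whereas the old mapping reserved `admin:provision` for `lsst-sqre-square` alone and kept `lsst-sqre-friends` out of it. If that COmanage group is meant to hold every dev-environment user, all of them now carry the administrative scopes; either split the two admin scopes onto a separate group or state in the file that the flattening is deliberate, e.g. `# One COmanage group grants every scope here, including admin scopes, by design for IDF dev` above `groupMapping:`. The hunk also drops the `errorFooter` block and the `# Allow access by GitHub team.` comment, neither of which the commit message mentions, so it is worth confirming the footer removal is intended rather than a merge artifact.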
@@ -54,11 +54,10 @@ tap:
 enabled: false
 tap_schema:
 enabled: false
-# EFD already provides telegraf namespace. Gotta work that out.
 telegraf:
- enabled: false
+ enabled: true
 telegraf-ds:
- enabled: false
+ enabled: true
 times_square:
 enabled: false
 vault_secrets_operator:
From f17a80b85282fd2d87821f2c637f8fe0df593262 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Thu, 14 Jul 2022 15:41:54 -0700
Subject: [PATCH 0777/1479] Add tucson-teststand environment for telegraf
---
services/telegraf-ds/values-tucson-teststand.yaml | 0
services/telegraf/values-tucson-teststand.yaml | 0
2 files changed, 0 insertions(+), 0 deletions(-)
create mode 100644 services/telegraf-ds/values-tucson-teststand.yaml
create mode 100644 services/telegraf/values-tucson-teststand.yaml
diff --git a/services/telegraf-ds/values-tucson-teststand.yaml b/services/telegraf-ds/values-tucson-teststand.yaml
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/services/telegraf/values-tucson-teststand.yaml b/services/telegraf/values-tucson-teststand.yaml
new file mode 100644
index 0000000000..e69de29bb2
From f43cd565e37e6c375d9582a6383a93b381d19847 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 14 Jul 2022 16:38:23 -0700
Subject: [PATCH 0778/1479] Fix LDAP configuration for IDF dev COmanage needed some different LDAP configuration and to change the username claim attribute in the OpenID Connect token. Also suppress the uid_attr config parameter if none is set to avoid sending the empty string.
---
services/gafaelfawr/README.md | 6 ++++--
services/gafaelfawr/templates/configmap.yaml | 8 ++++++++
services/gafaelfawr/values-idfdev.yaml | 4 ++++
services/gafaelfawr/values.yaml | 14 +++++++++++---
4 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md
index f3352dbc4e..7feabe5f39 100644
--- a/services/gafaelfawr/README.md
+++ b/services/gafaelfawr/README.md
@@ -24,6 +24,8 @@ Science Platform authentication and authorization system | config.cilogon.loginParams | object | `{"skin":"LSST"}` | Additional parameters to add | | config.cilogon.redirectUrl | string | `/login` at the value of config.host | Return URL given to CILogon (must match the CILogon configuration) | | config.cilogon.test | bool | `false` | Whether to use the test instance of CILogon | +| config.cilogon.uidClaim | string | `"uidNumber"` | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) | +| config.cilogon.usernameClaim | string | `"uid"` | Claim from which to get the username | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | | config.errorFooter | string | `""` | HTML footer to add to any login error page (inside a

tag). | | config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. | @@ -54,8 +56,8 @@ Science Platform authentication and authorization system | config.oidc.loginUrl | string | None, must be set | URL to which to redirect the user for authorization | | config.oidc.scopes | list | `["openid"]` | Scopes to request from the OpenID Connect provider | | config.oidc.tokenUrl | string | None, must be set | URL from which to retrieve the token for the user | -| config.oidc.uidClaim | string | `"uidNumber"` | Claim from which to get the numeric UID (only used if not retrieved from LDAP) | -| config.oidc.usernameClaim | string | `"sub"` | Claim from which to get the username (only used if not retrieved from LDAP) | +| config.oidc.uidClaim | string | `"uidNumber"` | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) | +| config.oidc.usernameClaim | string | `"sub"` | Claim from which to get the username | | config.oidcServer.enabled | bool | `false` | Whether to support OpenID Connect clients. If set to true, `oidc-server-secrets` must be set in the Gafaelfawr secret. | | config.proxies | list | [`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`] | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging | | config.tokenLifetimeMinutes | int | `43200` (30 days) | Session length and token expiration (in minutes) | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 1bbc8ac7cf..e32f5e4a26 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml 
@@ -72,6 +72,12 @@ data:
 - "email"
 - "org.cilogon.userinfo"
 audience: {{ .Values.config.cilogon.clientId | quote }}
+ {{- if .Values.config.cilogon.usernameClaim }}
+ username_claim: {{ .Values.config.oidc.usernameClaim | quote }}
+ {{- end }}
+ {{- if .Values.config.cilogon.uidClaim }}
+ uid_claim: {{ .Values.config.oidc.uidClaim | quote }}
+ {{- end }}
 {{- else if .Values.config.oidc.clientId }}
@@ -129,7 +135,9 @@ data:
 {{- if .Values.config.ldap.userBaseDn }}
 user_base_dn: {{ .Values.config.ldap.userBaseDn | quote }}
 user_search_attr: {{ .Values.config.ldap.userSearchAttr | quote }}
+ {{- if .Values.config.ldap.uidAttr }}
 uid_attr: {{ .Values.config.ldap.uidAttr | quote }}
+ {{- end }}
 name_attr: {{ .Values.config.ldap.nameAttr | quote }}
 email_attr: {{ .Values.config.ldap.emailAttr | quote }}
 {{- end }}
diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml
index 86733d9da8..3960f3abe3 100644
--- a/services/gafaelfawr/values-idfdev.yaml
+++ b/services/gafaelfawr/values-idfdev.yaml
@@ -17,6 +17,7 @@ config:
 clientId: "cilogon:/client_id/46f9ae932fd30e9fb1b246972a3c0720"
 enrollmentUrl: "https://registry-test.lsst.codes/registry/co_petitions/start/coef:6"
 test: true
+ usernameClaim: "username"
 firestore:
 project: "rsp-firestore-dev-31c4"
@@ -25,7 +26,10 @@ config:
 url: "ldaps://ldap-test.cilogon.org"
 userDn: "uid=readonly_user,ou=system,o=LSST,o=CO,dc=lsst,dc=org"
 groupBaseDn: "ou=groups,o=LSST,o=CO,dc=lsst,dc=org"
+ groupObjectClass: "eduMember"
+ groupMemberAttr: "hasMember"
 userBaseDn: "ou=people,o=LSST,o=CO,dc=lsst,dc=org"
+ userSearchAttr: "voPersonApplicationUID"
 groupMapping:
 "admin:provision":
diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml
index a46573d3b8..786b692370 100644
--- a/services/gafaelfawr/values.yaml
+++ b/services/gafaelfawr/values.yaml
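Review bot: The new `username_claim` and `uid_claim` lines in the CILogon branch test `.Values.config.cilogon.usernameClaim` / `.Values.config.cilogon.uidClaim` but render `.Values.config.oidc.usernameClaim` / `.Values.config.oidc.uidClaim`, so a CILogon site that sets `usernameClaim` gets the OIDC value written out instead, which is the empty string by default (`username_claim: ""`). The two lines should read `username_claim: {{ .Values.config.cilogon.usernameClaim | quote }}` and `uid_claim: {{ .Values.config.cilogon.uidClaim | quote }}`. Since this setting selects which token claim becomes the user's identity, a wrong or empty claim is an authentication-correctness problem rather than a cosmetic one. A later commit on this page (PATCH 0779) makes exactly this correction.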
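Review bot: `usernameClaim: "username"` makes the CILogon `username` claim the account identity for IDF dev, and `userSearchAttr: "voPersonApplicationUID"` is the LDAP attribute that is expected to contain that same username, but nothing in the chart checks that the two agree or that the claim value is unique, so that guarantee now rests entirely on the COmanage registry configuration. A short comment next to these keys naming the dependency, e.g. `# The CILogon username claim must match voPersonApplicationUID in LDAP`, would help whoever next changes the registry or the chart. The enclosing `config:` mapping begins outside the hunk.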
@@ -75,6 +75,15 @@ config:
 loginParams:
 skin: "LSST"
+ # -- Claim from which to get the username
+ # @default -- `"uid"`
+ usernameClaim: ""
+
+ # -- Claim from which to get the numeric UID (only used if not retrieved
+ # from LDAP or Firestore)
+ # @default -- `"uidNumber"`
+ uidClaim: ""
+
 firestore:
 # -- If set, assign UIDs and GIDs using Google Firestore in the given
 # project. Cloud SQL must be enabled and the Cloud SQL service account
@@ -119,13 +128,12 @@ config:
 scopes:
 - "openid"
- # -- Claim from which to get the username (only used if not retrieved from
- # LDAP)
+ # -- Claim from which to get the username
 # @default -- `"sub"`
 usernameClaim: ""
 # -- Claim from which to get the numeric UID (only used if not retrieved
- # from LDAP)
+ # from LDAP or Firestore)
 # @default -- `"uidNumber"`
 uidClaim: ""
From c7aa71c392e5d1e4422aa6ea761b8297059704f8 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 14 Jul 2022 17:01:01 -0700
Subject: [PATCH 0779/1479] More IDF dev Gafaelfawr fixes Change log level to DEBUG for now. Remove the dot from Simon's username. Fix the username claim configuration for CILogon sites.
---
services/gafaelfawr/templates/configmap.yaml | 4 ++--
services/gafaelfawr/values-idfdev.yaml | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml
index e32f5e4a26..2179caca30 100644
--- a/services/gafaelfawr/templates/configmap.yaml
+++ b/services/gafaelfawr/templates/configmap.yaml
@@ -73,10 +73,10 @@ data:
 - "org.cilogon.userinfo"
 audience: {{ .Values.config.cilogon.clientId | quote }}
 {{- if .Values.config.cilogon.usernameClaim }}
- username_claim: {{ .Values.config.oidc.usernameClaim | quote }}
+ username_claim: {{ .Values.config.cilogon.usernameClaim | quote }}
 {{- end }}
 {{- if .Values.config.cilogon.uidClaim }}
- uid_claim: {{ .Values.config.oidc.uidClaim | quote }}
+ uid_claim: {{ .Values.config.cilogon.uidClaim | quote }}
 {{- end }}
 {{- else if .Values.config.oidc.clientId }}
diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml
index 3960f3abe3..1f2b81d650 100644
--- a/services/gafaelfawr/values-idfdev.yaml
+++ b/services/gafaelfawr/values-idfdev.yaml
@@ -8,6 +8,7 @@ redis:
 config:
 databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr"
+ loglevel: "DEBUG"
 # Support OpenID Connect clients like Chronograf.
 oidcServer:
@@ -52,7 +53,7 @@ config:
 - "frossie"
 - "jsick"
 - "rra"
- - "simon.krughoff"
+ - "simonkrughoff"
 cloudsql:
 enabled: true
From 2948d164ca1e18de3e1731a5d97ffddd2722195d Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Thu, 14 Jul 2022 17:12:25 -0700
Subject: [PATCH 0780/1479] [DM-35577] Turn knob to 120 Thanks Russ for changing the user thing.
---
services/mobu/values-idfint.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml
index 269524f45d..b3ce8e4510 100644
--- a/services/mobu/values-idfint.yaml
+++ b/services/mobu/values-idfint.yaml
@@ -35,7 +35,7 @@ autostart:
 repo_branch: "prod"
 restart: true
 - name: "tap"
- count: 60
+ count: 120
 user_spec:
 - username_prefix: "bot-mobu-tap"
 uid_start: 74770
From d03c761b42553f7e147785a3b586a956c5b5b6ff Mon Sep 17 00:00:00 2001
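Review bot: `loglevel: "DEBUG"` turns on debug logging for the authentication service on IDF dev; the commit message says this is "for now", but nothing in the file records that it is temporary, so it will stay until someone rediscovers it. Debug output from a login service can be expected to be considerably more verbose about the login flow than INFO, which is reason to time-box it explicitly; I would add `# Temporary for the COmanage rollout; revert to INFO when done` above the line, or a ticket reference. The `config:` mapping this sits in begins outside the hunk.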
From: Christine Banek
Date: Thu, 14 Jul 2022 17:35:18 -0700
Subject: [PATCH 0781/1479] [DM-35577] Fix mobu config Pull in the user info section.
---
services/mobu/values-idfint.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml
index b3ce8e4510..6438eac7eb 100644
--- a/services/mobu/values-idfint.yaml
+++ b/services/mobu/values-idfint.yaml
@@ -37,8 +37,8 @@ autostart:
 - name: "tap"
 count: 120
 user_spec:
- - username_prefix: "bot-mobu-tap"
- uid_start: 74770
+ username_prefix: "bot-mobu-tap"
+ uid_start: 74770
 scopes: ["read:tap"]
 business: "TAPQueryRunner"
 restart: true
From 4fddffab4816cfd8e1c39b6c30ae66690a23a411 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 15 Jul 2022 08:11:01 -0700
Subject: [PATCH 0782/1479] Give SQuaRE Friends access to Argo CD on T&S sites This will allow Chilean IT to access Argo CD.
---
services/argocd/values-base.yaml | 1 +
services/argocd/values-summit.yaml | 1 +
services/argocd/values-tucson-teststand.yaml | 1 +
3 files changed, 3 insertions(+)
diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml
index d0976e6697..c27c030c39 100644
--- a/services/argocd/values-base.yaml
+++ b/services/argocd/values-base.yaml
@@ -21,6 +21,7 @@ argo-cd:
 rbacConfig:
 policy.csv: |
+ g, lsst-sqre:friends, role:admin
 g, lsst-sqre:square, role:admin
 vault_secret:
diff --git a/services/argocd/values-summit.yaml b/services/argocd/values-summit.yaml
index b8db9e5365..b4f953c8b4 100644
--- a/services/argocd/values-summit.yaml
+++ b/services/argocd/values-summit.yaml
@@ -20,6 +20,7 @@ argo-cd:
 - name: lsst-sqre
 rbacConfig:
 policy.csv: |
+ g, lsst-sqre:friends, role:admin
 g, lsst-sqre:square, role:admin
 vault_secret:
diff --git a/services/argocd/values-tucson-teststand.yaml b/services/argocd/values-tucson-teststand.yaml
index 9722005ce1..1c984ca4d6 100644
--- a/services/argocd/values-tucson-teststand.yaml
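Review bot: `g, lsst-sqre:friends, role:admin` gives the entire `lsst-sqre:friends` GitHub team full Argo CD admin on the base site, and the same line is added for summit and tucson-teststand in this commit. The commit message says the aim is to let Chilean IT reach Argo CD; if what they need is to see application and sync state rather than change it, Argo CD's built-in `role:readonly`, or a project-scoped role defined in this same `policy.csv`, would cover that with far less blast radius than `role:admin` on operational sites. If admin really is required, a one-line comment above the entry saying why (and who owns membership of that team) would help the next reviewer who sees two teams at admin. The enclosing `argo-cd:` mapping begins outside the hunk.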
+++ b/services/argocd/values-tucson-teststand.yaml
@@ -20,6 +20,7 @@ argo-cd:
 - name: lsst-sqre
 rbacConfig:
 policy.csv: |
+ g, lsst-sqre:friends, role:admin
 g, lsst-sqre:square, role:admin
 vault_secret:
From 371927c32c785bc5168575705eb366d0af9f855a Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 15 Jul 2022 10:09:43 -0700
Subject: [PATCH 0783/1479] Drop Gafaelfawr support for looking up username CILogon can put the username directly in the OpenID Connect ID token, so there's no longer a need for this functionality.
---
services/gafaelfawr/README.md | 2 --
services/gafaelfawr/templates/configmap.yaml | 4 ----
services/gafaelfawr/values.yaml | 8 --------
3 files changed, 14 deletions(-)
diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md
index 7feabe5f39..545ed07a85 100644
--- a/services/gafaelfawr/README.md
+++ b/services/gafaelfawr/README.md
@@ -45,8 +45,6 @@ Science Platform authentication and authorization system | config.ldap.userBaseDn | string | Get user metadata from the upstream authentication provider | Base DN for the LDAP search to find a user's entry | | config.ldap.userDn | string | Use anonymous binds | Bind DN for simple bind authentication. If set, `ldap-secret` must be set in the Gafaelfawr secret | | config.ldap.userSearchAttr | string | `"uid"` | Search attribute containing the user's username | -| config.ldap.usernameBaseDn | string | Get the username from the upstream authentication provider | Base DN for the LDAP search to find a user's username | -| config.ldap.usernameSearchAttr | string | `"voPersonSoRID"` | Attribute matching the `sub` claim of a token to find the record containing the username | | config.loglevel | string | `"INFO"` | Choose from the text form of Python logging levels | | config.oidc.audience | string | Value of `config.oidc.clientId` | Audience for the JWT token | | config.oidc.clientId | string | `""` | Client ID for generic OpenID Connect support. One and only one of this, `config.cilogon.clientId`, or `config.github.clientId` must be set. | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 2179caca30..d55dddef14 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -141,10 +141,6 @@ data: name_attr: {{ .Values.config.ldap.nameAttr | quote }} email_attr: {{ .Values.config.ldap.emailAttr | quote }} {{- end }} - {{- if .Values.config.ldap.usernameBaseDn }} - username_base_dn: {{ .Values.config.ldap.usernameBaseDn | quote }} - username_search_attr: {{ .Values.config.ldap.usernameSearchAttr | quote }} - {{- end }} {{- end }} {{- if .Values.config.oidcServer.enabled }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 786b692370..1c9e596294 100644 --- a/services/gafaelfawr/values.yaml 
+++ b/services/gafaelfawr/values.yaml
@@ -176,14 +176,6 @@ config:
 # -- Attribute containing the user's email address
 emailAttr: "mail"
- # -- Base DN for the LDAP search to find a user's username
- # @default -- Get the username from the upstream authentication provider
- usernameBaseDn: ""
-
- # -- Attribute matching the `sub` claim of a token to find the record
- # containing the username
- usernameSearchAttr: "voPersonSoRID"
-
 influxdb:
 # -- Whether to issue tokens for InfluxDB. If set to true,
 # `influxdb-secret` must be set in the Gafaelfawr secret.
From 01e75fcbfb445e8a49d273d5892190158e6951d3 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 15 Jul 2022 12:17:26 -0700
Subject: [PATCH 0784/1479] Fix Gafaelfawr enrollment URL for OIDC In the OIDC case, the Gafaelfawr enrollment URL was coming from the wrong setting. (The CILogon one was used instead.)
---
services/gafaelfawr/templates/configmap.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml
index d55dddef14..f243832da1 100644
--- a/services/gafaelfawr/templates/configmap.yaml
+++ b/services/gafaelfawr/templates/configmap.yaml
@@ -91,8 +91,8 @@ data:
 {{- end }}
 login_url: {{ required "config.oidc.loginUrl must be set" .Values.config.oidc.loginUrl | quote }}
 token_url: {{ required "config.oidc.tokenUrl must be set" .Values.config.oidc.tokenUrl | quote }}
- {{- if .Values.config.cilogon.enrollmentUrl }}
- enrollment_url: {{ .Values.config.cilogon.enrollmentUrl | quote }}
+ {{- if .Values.config.oidc.enrollmentUrl }}
+ enrollment_url: {{ .Values.config.oidc.enrollmentUrl | quote }}
 {{- end }}
 issuer: {{ required "config.oidc.issuer must be set" .Values.config.oidc.issuer | quote }}
 {{- if .Values.config.oidc.redirectUrl }}
From 935a94e5eb544cc9869c3d33abcf8fc7fb03b109 Mon Sep 17 00:00:00 2001
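Review bot: The corrected condition reads `.Values.config.oidc.enrollmentUrl`, but the diffstat shows only the template changing, so unless `config.oidc.enrollmentUrl` is already declared in `values.yaml` (and listed in the README) the `if` is simply never true and the OIDC enrollment URL silently stops rendering for every site. Worth confirming the key exists with a `# -- ...` doc comment like the neighbouring `oidc` entries, so helm-docs and readers know it is a supported setting. The `{{- else if .Values.config.oidc.clientId }}` branch this sits in presumably begins outside the hunk.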
From: Russ Allbery
Date: Fri, 15 Jul 2022 12:18:43 -0700
Subject: [PATCH 0785/1479] Fix CILogon enrollment URL in Gafaelfawr The templating to add the enrollment URL to the Gafaelfawr configuration excluded it if config.cilogin.test was set. Move it outside of that conditional.
---
services/gafaelfawr/templates/configmap.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml
index f243832da1..76c48a410b 100644
--- a/services/gafaelfawr/templates/configmap.yaml
+++ b/services/gafaelfawr/templates/configmap.yaml
@@ -52,11 +52,11 @@ data:
 {{- else }}
 login_url: "https://cilogon.org/authorize"
 token_url: "https://cilogon.org/oauth2/token"
+ issuer: "https://cilogon.org"
+ {{- end }}
 {{- if .Values.config.cilogon.enrollmentUrl }}
 enrollment_url: {{ .Values.config.cilogon.enrollmentUrl | quote }}
 {{- end }}
- issuer: "https://cilogon.org"
- {{- end }}
 {{- if .Values.config.cilogon.loginParams }}
 login_params:
 {{- range $key, $value := .Values.config.cilogon.loginParams }}
From 83d1ae2912366e28bf0522d100f2facb8c6f5f77 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 15 Jul 2022 12:20:50 -0700
Subject: [PATCH 0786/1479] Set Gafaelfawr pull policy on IDF dev to Always Make it easier to try new images while I'm testing.
---
services/gafaelfawr/values-idfdev.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml
index 1f2b81d650..eef71c946d 100644
--- a/services/gafaelfawr/values-idfdev.yaml
+++ b/services/gafaelfawr/values-idfdev.yaml
@@ -1,5 +1,6 @@
 image:
 tag: "tickets-DM-34613"
+ pullPolicy: "Always"
 # Use the CSI storage class so that we can use snapshots.
 redis:
From a0d1d167531d862e4dc5275c7b9eea2b7eff2312 Mon Sep 17 00:00:00 2001
From: Russ Allbery Date: Fri, 15 Jul 2022 14:46:41 -0700 Subject: [PATCH 0787/1479] Use Gafaelfawr 5.0.0 on IDF dev and minikube The 5.0.0 release is now out, so those environments don't need to run from a branch. --- services/gafaelfawr/values-idfdev.yaml | 4 ---- services/gafaelfawr/values-minikube.yaml | 3 --- 2 files changed, 7 deletions(-) diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index eef71c946d..e1a8068623 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -1,7 +1,3 @@ -image: - tag: "tickets-DM-34613" - pullPolicy: "Always" - # Use the CSI storage class so that we can use snapshots. redis: persistence: diff --git a/services/gafaelfawr/values-minikube.yaml b/services/gafaelfawr/values-minikube.yaml index a3bfd820dd..502d9dec7f 100644 --- a/services/gafaelfawr/values-minikube.yaml +++ b/services/gafaelfawr/values-minikube.yaml @@ -1,6 +1,3 @@ -image: - tag: "tickets-DM-34613" - # Reset token storage on every Redis restart. redis: persistence: From afcba8e68e77574efe3963aff0ecfdf74c73711d Mon Sep 17 00:00:00 2001 From: Colin Slater Date: Fri, 15 Jul 2022 17:10:50 -0700 Subject: [PATCH 0788/1479] Use selectorLabels in plot-navigator service. --- services/plot-navigator/templates/service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/plot-navigator/templates/service.yaml b/services/plot-navigator/templates/service.yaml index dc02189b57..ba648bdc01 100644 --- a/services/plot-navigator/templates/service.yaml +++ b/services/plot-navigator/templates/service.yaml @@ -6,7 +6,7 @@ metadata: {{- include "plot-navigator.labels" . | nindent 4 }} spec: selector: - app: plot-navigator + {{- include "plot-navigator.selectorLabels" . | nindent 4 }} ports: - port: 80 protocol: TCP From 2a54918fc220f9d9676827611b0d20d9ae1aaf8d Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 18 Jul 2022 00:06:03 +0000 Subject: [PATCH 0789/1479] Update helm values gcr.io/cloudsql-docker/gce-proxy to v1.31.1 --- services/gafaelfawr/values.yaml | 2 +- services/times-square/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 1c9e596294..666aa6b889 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -235,7 +235,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.0" + tag: "1.31.1" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index 6ece0e30e4..cb4dcf0e03 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml @@ -132,7 +132,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.0" + tag: "1.31.1" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index b94df6c9ec..1f5267a6ee 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -78,7 +78,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.0" + tag: "1.31.1" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" From af2780e0b974da448f074a254b6c48ff8c328a5c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 18 Jul 2022 08:05:41 -0700 Subject: [PATCH 0790/1479] Regenerate Helm docs --- services/gafaelfawr/README.md | 2 +- services/times-square/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 545ed07a85..38fa46cac3 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -16,7 +16,7 @@ Science Platform authentication and authorization system | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.31.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `gafaelfawr` and `gafaelfawr-tokens` Kubernetes service accounts and has the `cloudsql.client` role | | config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. | diff --git a/services/times-square/README.md b/services/times-square/README.md index 34d5663f8c..d644aebaea 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -22,7 +22,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.31.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index a5bb5df181..05abc8b11d 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -14,7 +14,7 @@ Image cutout service complying with IVOA SODA | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.31.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to the GCS bucket, and ability to sign URLs as itself | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | From e9356d2f52ec98439699c4b32f518000904265f7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 18 Jul 2022 15:14:17 +0000 Subject: [PATCH 0791/1479] Update Helm release argo-cd to v4.9.14 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 7eff20e962..8e345b3e7e 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.9.12 + version: 4.9.14 repository: https://argoproj.github.io/argo-helm From 7f0b9917adb6d07cd5ffcb33559e913a4f071a0e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 18 Jul 2022 08:15:09 -0700 Subject: [PATCH 0792/1479] Regenerate Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/argocd/README.md b/services/argocd/README.md index 5d87f80424..3ae341018a 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.9.12 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.9.14 | ## Values From e66bca12706109dd8e414d795475f0fedd21780d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 18 Jul 2022 15:14:29 +0000 Subject: [PATCH 0793/1479] Update Helm release ingress-nginx to v4.2.0 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 277b95e757..da05d3d010 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.1.4 + version: 4.2.0 repository: https://kubernetes.github.io/ingress-nginx From 1459c343818ed2b776852d3b1f69f8a5032cbbc0 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 18 Jul 2022 08:22:35 -0700 Subject: [PATCH 0794/1479] Update Helm docs --- services/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index f7a607d6f3..bd70803bcf 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.1.4 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.2.0 | ## Values From 4b69d2cdb72177550a93bd737c6f3b351f5bf449 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 18 Jul 2022 15:29:16 +0000 Subject: [PATCH 0795/1479] Update helm values redis to v7.0.3 --- services/gafaelfawr/values.yaml | 2 +- services/portal/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 666aa6b889..f9c9643991 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -270,7 +270,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.2" + tag: "7.0.3" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 49d6263e56..0d6855aa3d 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -94,7 +94,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.2" + tag: "7.0.3" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 1f5267a6ee..9b0c95a812 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -147,7 +147,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.2" + tag: "7.0.3" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" From d4b6e65058f5b2e7e7bbe260b6583472454d09b9 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 18 Jul 2022 08:30:45 -0700 Subject: [PATCH 0796/1479] Update Helm docs --- services/gafaelfawr/README.md | 2 +- services/portal/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 38fa46cac3..64a7bf17a1 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -72,7 +72,7 @@ Science Platform authentication and authorization system | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.2"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.3"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | diff --git a/services/portal/README.md b/services/portal/README.md index 3a8066a807..814c1a2010 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -33,7 +33,7 @@ Rubin Science Platform portal aspect | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.2"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.3"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | | redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index 05abc8b11d..624caaa546 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -54,7 +54,7 @@ Image cutout service complying with IVOA SODA | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.2"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.3"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | From c883fbbff809123e008cb7d3d50f094c41e520a6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 18 Jul 2022 15:33:34 +0000 Subject: [PATCH 0797/1479] Update Helm release redis to v17 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 0c8e24a451..aedd554cae 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 16.13.2 + version: 17.0.1 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 209d49ef8a..931f4a37fe 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.5.0" dependencies: - name: redis - version: 16.13.2 + version: 17.0.1 repository: https://charts.bitnami.com/bitnami From 811188604a54c68d76914936dd26249c16804d7e Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 18 Jul 2022 10:00:35 -0700 Subject: [PATCH 0798/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index ba8567765f..ad3ba545b7 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.13.2 | +| https://charts.bitnami.com/bitnami | redis | 17.0.1 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index d644aebaea..f3d2e6835c 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 16.13.2 | +| https://charts.bitnami.com/bitnami | redis | 17.0.1 | ## Values From b806ca3536478e51f55ee0572ad0224733c275f0 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 20 Jul 2022 18:21:26 +0200 Subject: [PATCH 0799/1479] S3 --- services/tap/values-ccin2p3.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 0b00d7f73c..233a10bfda 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -7,7 +7,10 @@ qserv: host: "ccqserv201.in2p3.fr:30040" mock: enabled: false - +image: + # -- tap image to use + repository: "gabrimaine/lsst-tap-service" + # secrets: # enabled: false From c62791c34425c5ccee4c110d1264f3c7ebce7fe1 Mon Sep 17 00:00:00 2001 
From: Russell Owen Date: Wed, 20 Jul 2022 10:31:05 -0700 Subject: [PATCH 0800/1479] narrativelog: update app version --- services/narrativelog/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml index e43398f64f..042c12b017 100644 --- a/services/narrativelog/Chart.yaml +++ b/services/narrativelog/Chart.yaml @@ -9,4 +9,4 @@ version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.2.4 +appVersion: 0.3.0 From cbd4c161393aea851932a1da6b3842d28ea08cd1 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 20 Jul 2022 18:50:12 -0700 Subject: [PATCH 0801/1479] [DM-35653] New mobu load mix --- services/mobu/Chart.yaml | 2 +- services/mobu/values-idfint.yaml | 31 ++++++++++++++++++++++++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index 993b1861bd..ec28f9c080 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -3,4 +3,4 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu -appVersion: 4.3.1 +appVersion: 4.4.0 diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 6438eac7eb..68ebe6eb7a 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml 
@@ -34,11 +34,36 @@ autostart: repo_url: "https://github.com/lsst-sqre/system-test.git" repo_branch: "prod" restart: true - - name: "tap" - count: 120 + - name: "sync-tap" + count: 20 user_spec: - username_prefix: "bot-mobu-tap" + username_prefix: "sync-mobu-tap" uid_start: 74770 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true + options: + tap_sync: false + tap_query_directory: "dp0.2" + - name: "aync-tap-medium" + count: 50 + user_spec: + username_prefix: "async-mobu-tap" + uid_start: 74800 + scopes: ["read:tap"] + business: "TAPQueryRunner" + restart: true + options: + tap_sync: false + tap_query_directory: "dp0.2-med-scans" + - name: "aync-tap-long" + count: 50 + user_spec: + username_prefix: "async-mobu-tap" + uid_start: 75000 + scopes: ["read:tap"] + business: "TAPQueryRunner" + restart: true + options: + tap_sync: false + tap_query_directory: "dp0.2-long-scans" From 01a47058fada29d7bf3d8587315740499855b47a Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 20 Jul 2022 19:20:35 -0700 Subject: [PATCH 0802/1479] [DM-35653] Fix sync and spelling errors --- services/mobu/values-idfint.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 68ebe6eb7a..1ea8b1df16 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -43,9 +43,9 @@ autostart: business: "TAPQueryRunner" restart: true options: - tap_sync: false + tap_sync: true tap_query_directory: "dp0.2" - - name: "aync-tap-medium" + - name: "async-tap-medium" count: 50 user_spec: username_prefix: "async-mobu-tap" @@ -56,7 +56,7 @@ autostart: options: tap_sync: false tap_query_directory: "dp0.2-med-scans" - - name: "aync-tap-long" + - name: "async-tap-long" count: 50 user_spec: username_prefix: "async-mobu-tap" From 99d4b08f4673bbacd52641a67fe01e28ec871ca2 Mon Sep 17 00:00:00 2001 
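Review bot: Both `aync-tap-medium` and `aync-tap-long` use `username_prefix: "async-mobu-tap"` with `count: 50` and different `uid_start` values (74800 and 75000); if mobu derives usernames from the prefix plus an index (not visible here), the two flights would generate the same usernames bound to different UIDs, so either confirm that the flight name or UID is folded into the username or give the second flight its own prefix, e.g. `username_prefix: "async-mobu-tap-long"`. The UID ranges themselves do not collide: `sync-tap` ends at 74789, the medium flight at 74849, and the long flight starts at 75000. The flight-name typos and `tap_sync: false` on the `sync-tap` flight are corrected in 0802 and `tap_query_directory` is renamed in 0803, so they are not re-raised here; squashing 0801–0803 would avoid committing intermediate states of the same config. The `autostart:` list starts outside this hunk.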
From: Christine Banek Date: Wed, 20 Jul 2022 19:32:19 -0700 Subject: [PATCH 0803/1479] [DM-35653] tap_query_directory -> tap_query_set --- services/mobu/values-idfint.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 1ea8b1df16..ccfe61fcf3 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -44,7 +44,7 @@ autostart: restart: true options: tap_sync: true - tap_query_directory: "dp0.2" + tap_query_set: "dp0.2" - name: "async-tap-medium" count: 50 user_spec: @@ -55,7 +55,7 @@ autostart: restart: true options: tap_sync: false - tap_query_directory: "dp0.2-med-scans" + tap_query_set: "dp0.2-med-scans" - name: "async-tap-long" count: 50 user_spec: @@ -66,4 +66,4 @@ autostart: restart: true options: tap_sync: false - tap_query_directory: "dp0.2-long-scans" + tap_query_set: "dp0.2-long-scans" From d86bcf311b9633371272b30acbc6383223f94486 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 21 Jul 2022 14:54:45 +0200 Subject: [PATCH 0804/1479] testing credentials from vault --- services/tap/templates/tap-deployment.yaml | 4 ++++ services/tap/values-ccin2p3.yaml | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index 145f2f630f..c28e5e019f 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -51,6 +51,10 @@ spec: -Xmx{{ .Values.config.jvmMaxHeapSize }} - name: GOOGLE_APPLICATION_CREDENTIALS value: "/etc/creds/google_creds.json" + - name: AWS_SECRET_ACCESS_KEY + value: "/etc/creds/AWS_SECRET_ACCESS_KEY" + - name: AWS_ACCESS_KEY_ID + value: "/etc/creds/AWS_ACCESS_KEY_ID" - name: DATALINK_PAYLOAD_URL value: "{{ .Values.config.datalinkPayloadUrl }}" ports: diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 233a10bfda..ece0ac246e 100644 
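Review bot: The added `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` entries set the variables to the strings `"/etc/creds/AWS_SECRET_ACCESS_KEY"` and `"/etc/creds/AWS_ACCESS_KEY_ID"`, but unlike `GOOGLE_APPLICATION_CREDENTIALS` on the line above these two variables are read as the credential values themselves, not as file paths, so an S3 client would try to sign requests with the literal path strings. The series reaches a working form only in 0808 (`valueFrom: secretKeyRef:`), leaving 0804–0807 as broken intermediate states of the deployment template; squashing them into one commit would keep the template deployable at every point in the history. The enclosing container spec starts and ends outside this hunk.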
--- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -1,6 +1,6 @@ config: - # gcsBucket: "async-results.lsst.codes" - # gcsBucketUrl: "http://async-results.lsst.codes" + gcsBucket: "async-results.lsst.codes" + gcsBucketUrl: "https://cccephs3.in2p3.fr:8080" jvmMaxHeapSize: "31G" qserv: @@ -10,7 +10,7 @@ qserv: image: # -- tap image to use repository: "gabrimaine/lsst-tap-service" - + tag: "1.2.1-CC" # secrets: # enabled: false From bbd4f2500ef34c525f171e756792154c3a607953 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 21 Jul 2022 15:13:18 +0200 Subject: [PATCH 0805/1479] try to fix secrtes --- services/tap/templates/tap-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index c28e5e019f..24d087e4bd 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -52,9 +52,9 @@ spec: - name: GOOGLE_APPLICATION_CREDENTIALS value: "/etc/creds/google_creds.json" - name: AWS_SECRET_ACCESS_KEY - value: "/etc/creds/AWS_SECRET_ACCESS_KEY" + value: "{% .Secrets.AWS_SECRET_ACCESS_KEY %}" - name: AWS_ACCESS_KEY_ID - value: "/etc/creds/AWS_ACCESS_KEY_ID" + value: "{% .Secrets.AWS_ACCESS_KEY_ID %}" - name: DATALINK_PAYLOAD_URL value: "{{ .Values.config.datalinkPayloadUrl }}" ports: From 210fc2ab5b91ba188cbd4aaa501a7f5cfd43bcaf Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 21 Jul 2022 15:16:09 +0200 Subject: [PATCH 0806/1479] trying to fix again --- services/tap/templates/tap-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index 24d087e4bd..0c2d4f894c 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml 
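Review bot: After this hunk `gcsBucket: "async-results.lsst.codes"` sits next to `gcsBucketUrl: "https://cccephs3.in2p3.fr:8080"`, so a key named for Google Cloud Storage now carries a CC-IN2P3 Ceph S3 endpoint while the bucket name is still the one from the previously commented-out GCS configuration; nothing in the hunk says whether a bucket of that name exists on that endpoint. A short comment above `gcsBucket:` stating that these keys are reused for the S3-compatible endpoint at CC-IN2P3 would save the next reader from assuming a Google dependency. The `tag: "1.2.1-CC"` override is correctly quoted.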
@@ -52,9 +52,9 @@ spec: - name: GOOGLE_APPLICATION_CREDENTIALS value: "/etc/creds/google_creds.json" - name: AWS_SECRET_ACCESS_KEY - value: "{% .Secrets.AWS_SECRET_ACCESS_KEY %}" + value: {% .Secrets.AWS_SECRET_ACCESS_KEY %} - name: AWS_ACCESS_KEY_ID - value: "{% .Secrets.AWS_ACCESS_KEY_ID %}" + value: {% .Secrets.AWS_ACCESS_KEY_ID %} - name: DATALINK_PAYLOAD_URL value: "{{ .Values.config.datalinkPayloadUrl }}" ports: From 7b2ab1718306a61b6757e64f99c25507d3214902 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 21 Jul 2022 15:24:55 +0200 Subject: [PATCH 0807/1479] again creds --- services/tap/templates/tap-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index 0c2d4f894c..6a820654b9 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -52,9 +52,9 @@ spec: - name: GOOGLE_APPLICATION_CREDENTIALS value: "/etc/creds/google_creds.json" - name: AWS_SECRET_ACCESS_KEY - value: {% .Secrets.AWS_SECRET_ACCESS_KEY %} + value: {{% .Secrets.AWS_SECRET_ACCESS_KEY %}} - name: AWS_ACCESS_KEY_ID - value: {% .Secrets.AWS_ACCESS_KEY_ID %} + value: {{% .Secrets.AWS_ACCESS_KEY_ID %}} - name: DATALINK_PAYLOAD_URL value: "{{ .Values.config.datalinkPayloadUrl }}" ports: From bc3bd9b8e0a2cfec5ef07e4a0d2b7e25a85af94d Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 21 Jul 2022 15:35:04 +0200 Subject: [PATCH 0808/1479] and again creds problems. --- services/tap/templates/tap-deployment.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index 6a820654b9..eed5953f7c 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml 
@@ -52,9 +52,15 @@ spec: - name: GOOGLE_APPLICATION_CREDENTIALS value: "/etc/creds/google_creds.json" - name: AWS_SECRET_ACCESS_KEY - value: {{% .Secrets.AWS_SECRET_ACCESS_KEY %}} + valueFrom: + secretKeyRef: + name: {{ template "cadc-tap.fullname" . }}-secret + key: "AWS_SECRET_ACCESS_KEY" - name: AWS_ACCESS_KEY_ID - value: {{% .Secrets.AWS_ACCESS_KEY_ID %}} + valueFrom: + secretKeyRef: + name: {{ template "cadc-tap.fullname" . }}-secret + key: "AWS_ACCESS_KEY_ID" - name: DATALINK_PAYLOAD_URL value: "{{ .Values.config.datalinkPayloadUrl }}" ports: From ea84dba7321f98fef46295771822236e57282997 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 21 Jul 2022 09:57:32 -0700 Subject: [PATCH 0809/1479] [DM-35653] Mobu to 4.4.1 --- services/mobu/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index ec28f9c080..9e9ed0bc12 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -3,4 +3,4 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu -appVersion: 4.4.0 +appVersion: 4.4.1 From 19be77e1fc8039b5e278349a693f44467b39a088 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 21 Jul 2022 10:03:17 -0700 Subject: [PATCH 0810/1479] Bump Gafaelfawr version to 5.0.1 --- services/gafaelfawr/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 4e53ba55d3..eb3fe72d4b 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,4 +5,4 @@ description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 5.0.0 +appVersion: 5.0.1 From 07c19284371e10a47aa9a512ba3a2734bdbe52f1 Mon Sep 17 00:00:00 2001 
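Review bot: The two new `secretKeyRef` entries carry no `optional: true`, so every environment that renders this template must have keys `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` in `{{ template "cadc-tap.fullname" . }}-secret`, or the pod fails to start with a missing-key error even where S3 is not used; whether the chart's secret template or the non-CC environments provide those keys is not visible here. If only CC-IN2P3 needs them, either add `optional: true` under each `secretKeyRef` or guard the two entries with a values flag. Reading the credential through `valueFrom` rather than `value` keeps it out of the rendered manifest, which is the right direction after 0804–0807. The container spec starts and ends outside this hunk.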
From: Christine Banek Date: Thu, 21 Jul 2022 12:59:20 -0700 Subject: [PATCH 0811/1479] [DM-35653] Mobu 4.4.2 --- services/mobu/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index 9e9ed0bc12..ecaa615c09 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -3,4 +3,4 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu -appVersion: 4.4.1 +appVersion: 4.4.2 From 261e5c894819cb88f5498fe74f59361d3c402b2b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 19 Jul 2022 12:09:39 -0700 Subject: [PATCH 0812/1479] Add references to Gafaelfawr tech notes Point to DMTN-224 and DMTN-234 in the Gafaelfawr operational documentation. These aren't published yet, but hopefully will be soon. --- docs/ops/gafaelfawr/index.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/ops/gafaelfawr/index.rst b/docs/ops/gafaelfawr/index.rst index 6380a3acf7..8ed2c7ed8d 100644 --- a/docs/ops/gafaelfawr/index.rst +++ b/docs/ops/gafaelfawr/index.rst @@ -30,4 +30,6 @@ Gafaelfawr supports authentication via either OpenID Connect (generally through .. seealso:: + * `DMTN-234: Identity management design `__ + * `DMTN-224: Identity management implementation `__ * `Gafaelfawr documentation `__ From 4f43245c9485d7bc2e43d0eb48bfbdb3eadcf4e8 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 19 Jul 2022 12:10:01 -0700 Subject: [PATCH 0813/1479] Add Gafaelfawr troubleshooting for GitHub bad code Document that this error is from reloading the login page and is a red herring from whatever the actual problem is. --- docs/ops/troubleshooting.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/ops/troubleshooting.rst b/docs/ops/troubleshooting.rst index d55446aa2a..f5f3f4ab08 100644 --- a/docs/ops/troubleshooting.rst +++ b/docs/ops/troubleshooting.rst 
@@ -96,3 +96,17 @@ User pods don't spawn, reporting "permission denied" from Moneypenny This happened because the ``gafaelfawr-redis`` pod restarted and either it lacked persistent storage (at the T&S sites, as of October 2021), or because that storage had been lost. **Solution:** :doc:`gafaelfawr/recreate-token` + +Login fails with "bad verification code" error +============================================== + +**Symptoms:** When attempting to authenticate to a Science Platform deployment using GitHub, the user gets the error message ``Authentication provider failed: bad_verification_code: The code passed is incorrect or expired.`` + +**Cause:** GitHub login failed after the OAuth 2.0 interaction with GitHub was successfully completed, and then the user reloaded the failed login page (or reloaded the page while Gafaelfawr was attempting to complete the authentication). +This error is normal and expected if one reloads a GitHub login error page or interrupts the GitHub login. +It itself doesn't represent a problem, and is probably a red herring distracting from whatever real problem there is. +Most likely, there is some failure on the Gafaelfawr side after GitHub authentication that's preventing the authentication from completing or making it take a long time, and the user ran out of patience and reloaded the page (which will never work). + +**Solution:** Don't reload the login page. +Find the underlying problem and troubleshoot it. +For example, if Gafaelfawr Redis storage is unavailable, Gafaelfawr may time out or fail to store the user's token after completing GitHub authentication. From 92e935600163de4d28a29eb7563a8b13f9a3f8a7 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Tue, 19 Jul 2022 13:12:11 -0700 Subject: [PATCH 0814/1479] Document GitHub organizational release Document the permissions issue around releasing GitHub organization information. --- docs/_static/github-oauth.png | Bin 0 -> 80536 bytes docs/ops/gafaelfawr/github-organizations.rst | 19 +++++++++++++++++++ docs/ops/gafaelfawr/index.rst | 1 + docs/ops/troubleshooting.rst | 2 +- 4 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 docs/_static/github-oauth.png create mode 100644 docs/ops/gafaelfawr/github-organizations.rst 
diff --git a/docs/_static/github-oauth.png b/docs/_static/github-oauth.png new file mode 100644 index 0000000000000000000000000000000000000000..9b26608c2c488c09d7cdda302aec33ca28cb8024 GIT binary patch literal 80536 zcmeF3Ra{k3*X|dJ(ujb7NQrcVgya^b8$`OhyK5sM($Xa$UDDkp(j{z>?(S|l)Au{y z#dmRT&egd%>xTlHy;*zBHRqUPJkNg+tRN?jg-(nPK@gUtgoqLZJ@AL1hfb&uz$0&W zst3TQhmP+gl~GYqrx)cHAcz8z6cJW-`?fRdtT%4*0y?0r|2BWRr9;O&qU3Mz3>}|5 zR>>-CanGOK%WwO0SUA=%t-pF_FFT#zaLp7;Xv=#LT;HKKmRd@iOHb}jr_G;Z5%8@ZO1o>QLm1Uj<&e(vxU6r zo}Ts(!w}Xr!}L5n=RwSx(8As2d!a-_wv$r+fKe$=VTSXuc$Mrw4u&t;}B$a+=gzxYc06n<$8xvdxTuzrK--jYg2 zhlNDgAov*A*hU6twOJA#`t}<24fi)Xt`F5$nkq%dxTmq!PHZ{vqda=_F*)NPX};B! zm74c*WAv3tOhHZe32R_f-I+x6&RiA>lqgG+q&3$p-Z7!;tsZpA7}qyy_>1`Ds#TL} zsDJR*r{DFA<t2JvIUH5)y zwJ_1r<|VsJQQ@loJ0?_$HCvCiii%W=n;cf9vWv;Ex&)*0npnp>*DeL-N(8a1Wdk#`iR;#&inz`~AA4O=RG=i~cC^#i(0&r-YU#T5vG*)$430sxv4E zi#%i0Y-y@S(B;HTdzE}9``1J+JZ_*n@-;b(rIv$^PED;2zV8!0wSD)oikkWvjHC#` zz_hZye%nP(DysMi>%|{4LNLM8f}5d*cKW&~|zkRAq%w?lhLVUZ=z7VIX%)dc5ae=qcdxabovL*m-l;z}FfeRxYL1Ea zu${ho-z8%++tgcORUfx$ZqDzzL&WZ&Jb!m<%rRNE*qOkhbF+lKLjL%bJ@X}^i16ts zJ`_PFsHCjscGz)g5;f>~vU6D_(X{9PgqYhZ_VVH|z}}G2<{6(}MP+4oIN2j8>sQ$3 zSZ#Wl0?_0rPJ%nWMuz;Hjm>)sA4>^6I1oAK`16Zzq^ z;9%JlZpZV3uTnYSNQxxS%gNch+~x6aSKu}_Q~TTJI{(m@2dpU9^Syj_Lya1%9HpZ9 zZ~W_P;V%}SJ_W<#$1z*teRcYR%R>f{{&(?x(41~#?hbLV$nSb-!i;XY0;MFGTyQf_ zs;XvNcNuzyOZjRwVtQ9$w?~Z7&UEE^78ZH@G((hx&t%I(2zzJ#e(~zO-`W}%_cvG> zBV~4kgoF{sl@%33se;$jC8>O=C0cz1%$hD+GdYUOzvSfP49e@OsyG>6zZPV+9^RXm zVz9)3FJY0w&LFMA%R7^ z!RhquOr=nnnwmO+Rr_kQ+d5K54Kd%_TOdB1HkeX-aCi#lvPZMf>(|FKNw2TZ_SjPf zS8+e!BkH9S6901FVG-veEc_^(_-6gX!p8FCNqLVYh0B-E_FYAaeh5-B?)OmX0>k*VngjI6Aw(v0&^B z#Um!bhCG_@%pcMaeZI6hrjK_=${>g=bBQOjW|kpX=FKy!1)h-s_INZ3_>Ulx?xaBz6ciL$ zGcyS@v-FnRcvfwP%iq+R2FbaBkCJ4#4gdU5Db5OjOHoCy3vj-G!CGqxnGVj*%1MV} zYzlpSbtENU2wf~}M0Gl!)~1n5MjQSL-%m+f1 z6PJy@qw!(u?jStllaSz(%v7qDc3}|C)cMTT#AW77e$WAPtLQ-fvp!L>i;KOzi@iC5 zuTXVgD0Hp$!`TB_&Gc`?IZC|NS1*dQGObdyw6*!2c8Ks^@Y|m4@VnYfTn6EQZ@hoW z=sP_bK2|A0^!_{OnV6UgMw-UbkEW`t(ocR<0Xwb>Pesz 
zKGObjNYBy|3*!mg^X@^8lKFICCLOD-EvxN*L@J;6=_+CC-Hl^CCemAmxQ6>A))B+uo9^Pe;#Oui|iBqKVqt5N{ zf$SL8&5JM+!3If*FOj9TO8Y{_C?7>dyJeC&9zh)Busf$?T0&MWJt8rhgj(}4lbL{E zhB%8mzrYVP@_o0>9*#SINap$w{eM$4PWYB5vvf)b1h7#G@*Z0fAQ%n@yN5|;}ju7F-65i za2qYIpZ+O-nk7bkw)F_=hTnU4pWPdon)1JSBO)sPgjhf%Yji-j%I)`sy+$zs#OJcd z6tEaWD|d6UT+>gewF zT40!;mzSD`x>;c1861A^O2CqQc*Qw=@lf-b`}hXC{^DY~&r$E@2U=&o)S@EIbe~(D ztvPL)m~i6PYlHQUTW5HvXjrL&u4JN$=liqQOUJ{d+RX-F>XVXA|EwnEuu3c{+Wx)D zXhr@20wYaBLE*c8X$`xv+ZYkfi0T|0t8|>OxxG3EM>?DNQQ@;aL)}_=crwX?$~(fjTy1#4-7!-VxI4 zsxSs&JKMa$=k^M0g;;1@OYDTNgmbu*+F-Zf8oP*ya};&7VQ-W-r-}Eb67A7 zW+#cD7ZEho-JQ^!;bRZhw)X6dNfZ0+O7OBr>W~$OcB_x|YRGCws<6@VT1_mna99c( z5`_7KM z0Jr<+&j-FLMc&{^p04{E#VTp*p`oGYyR(fJT@DaVXjhGpqOEN@h@+6*?iS)-C~S0< z&&Pd6NC-bhsJ=U8q@Z|Pw~O~zPS&eC0%OkIb3J1B(W6HyMO=)G$IDpcbB(S~ppK5t zz(RTLm#79y*}eFp#wI31NnFPrmrfao^6YG*bKAy%fB)0-DYjQxXdHxjli(_d*Gg|W;0j!(#a%9T%@Vi#ae6HWf zPuFPkyWl?~a3IMW+XQ(-rByHPOWA~y*}lCFdnV}O;;NycVaRJad@N6H>(rxi((8C_ zaJ4@k9aa_3tU39cF-}ThPx1V&lTHSR7 zg50-Iwbf^KOk*Cpj@*nN@T+j(+d{)%>@4P zHS_%D{mgrHklvl|X+w7Q&gI2cQ%t{SXGx*6-N_GHT3ReI2w)=AxuT<$nwx)_-KqP_=RLgg_4xVxG@q07n523AzbK3*) z>0EE;opDLC*gN~_KMpBAFqfSvM3M0}L5Fu@c~#ZUf>QhC$%#*M%x6pwgi68IcuwWl z})7=)-vnXTU>mJ0z2h6HgWRKV6Z)1?p18Y{865FY}kXyCUt(R-yiP) z6SJ1=ZEkc$YU`h#uBiaokU=>SbhbCCT|#Edk>p}EuM=u8(NkTd3cE9V*vSTxL*4rX z*i@bQ@w#pkyQ9jx;h(;~zU%2f4!0KCLG}pQZLI`{WHpS8>1{iObA?*%ZLgz1*Y^S| zi=$cM;KqZ?{GBDD_8os6563i&dyw3!u-|sI8ueVY2zr)iwak>l;TbR6`~Mx%8%p%d%*}3#9Z6svrsWs5x9WF( z-buG5G3H1rEw#PAzy{kFq@bj9bL)E1^NF}kLd#GP&+~zAyWSheE#-RI>+^kZcb2x- z2}i5Ub0+@q{j}H0$+8PXVl}2Uce@s-ryd?)f~|{xjZ30ta&vc&3;hZH;}KUKY;RvI zzQo8@G8YzZ2aCM#Hrx7Rz(lUBr}b17!%@L>h;}hZV36Jl3ky4ojolm_58GQ$^YQUf zpYF|qvLx1Vokh3a>vE|}YWY)bEf2J^x+b(+m=G6-0I`rI0pxEEd5vY?qZe0eysW&P zojY9mxZ!8+2zo(5!N3AzU7x#4ehdPTvQEq=vK#$9SaDo0(W&=3Tr>d_^*%YgYSDbTh|$5-)pokXTd(so zv3R&xR)&Z?OEg(p8l+%e9JPMA)VHSj8WRgHL`X(P*6}WfR8U=A9l^BX=y9_#dgZ*$ z?Q^2&CL$ssVYdAJ`!8W(^uTuo%D-yN@uqVJdqxd~<_;Etpu#xoecEs|hThlbb>ntf 
zkrO90g(-+7wv=q|=t%e&SNBc&p5jY6qnTFuu_`qtxs9ZY%vbiOnm(~oab*fFkg0mj z>9hTFMy#`sc)=n-ChDJ^owcZD(X6O5!0vGRwWYvt7eaP!s>FZ~=@qg`=P5n9ynL+# z_rB;+1Vi7qdgO9=xVyBBM8QM5{xcX4Y?gEkj)6*r$_FRM58!-UeGchV+OET2-E)b* zRlpugX6NL#2-@zIJ$;oD5K!09a3&$K5%m>J(`-5(goZ&^0KT0c*a*~I*O^9-n4b!Y)RGgq)&Fj;Q93qT z@3?-l`Jt6uP$THco2vvcv0n>%oZf=lhHwmz>iQXCy+VPS#CG`^eWS~5?4OLb`^ zsJdvO6skK8LO}pQ2Nt=PLdoabY=N1W){3=eS9ubcj;PABM!DU07iv_v_FQA@tE9ZL3#d!%xGt-{xuD^%b#!c2IX!$7ijB4X~loPjqsP# zo*_*zlazmaXi%<3WN{)x8MTqKCukAtXpM1dRg>o;P#oG{(=x6wOVE_JIg?X#u#&ZV ze|c(-=O-e{sdZkt5%`=C1*lJVktWmzp@>ZzARkv!-=x9N1-p<@?qh{;9&so^>hbT==Mxz~7 zRmzZ^t1J9CwKi~amo-ACRJYcnS|K}sW1|o+R3sCrwCMrlk!rJcG6B-Ow4@~Un)=M# z$ol-)$&+jbrc$fyTBU*;eu0HEAewbte29~JhD&U+zjVW>msimLg3i=c=Xnjkcm^e%M_*3&Ama2%1mwPFl@S$ zdP07?AB(t3dTA0ve>qbR0$hN2kGtn}K)~leC3r!Z`5vd+JQm}0$A`;>^PJxi7FZt5 zQ|;}4#E&`m_Vzm7bbrW``}pI$e+2}$NDcgIlIbTSv$M@hx`)R_=Qr?7^oWRvaAKab zBGr9Z>y6T>wawZxEg@FimhI^KlgJ?FC1MF?+$7d3!cr)=8>JzBs zBlpl*snh9E%;*l#?igf8m^e5p+#RPU@qRL@R(8lg$>tMqnBuoIcpz?r4N4Df^)8V_7 zv0snH!Xo zlZ_fTN`{8E+A;@1JD2yoi|p>yosr9GY{3{vh)=4Fz}@C^*+Pau@#NBqar19q&_)Yx z4hX#UJXcQrt;hCF$Qk`Vl@uQqgsN%*C34?}1H<7XL!459)zpv4if4??&CQJ7r{M>_ zZ$mP#PWM@rBP}LU2aa!Y!(X_ksnX&1tCWDb9%#3!RD?hi#LF8_MEiHXX`lR+97Y7E z{ZZ`q1wBaZ{;r`rk~}!ABmORkc^-|hMc6+mj1)H4Kb=B>y7*8XDA@|aH}=ytgeMml zu`BqH0z=&KoEIYnn*vJ$$c}-)Smv=iHC=0C&Zr#h;OKC7yj=?6;NX;5t@Z&$JN4T) zAPQfd!reiHhrUm2`rNLXLUm4unQTZNed7h4;$fJmsNk34i}LdFf<3X(t4k`H$~?Iy zTzqhN`1-P&9EpOC&g`y3w1#M5ag*0)=_i?>=YzLW4h~24j;u?L`B9OusWy8OVVq+^ zrk$j}(pjT8$QkxdJ0s;|jYSi08tclK8c&00-)ElfPFt3%(S>N7&TRn;psA?|+*1+C z!;=#k8L4CrX9mc~)L6UaB-?!ItRwOQoAkkh2cSkv;vA_PP-=!cfF65he$LYGX(u>zo?FQ1e zPVopoSSx$37|S<#ID9vm{zKm7#RZc_g|eGh>wy~<)H5`s(_|;S%Yt;U{>jR5Ee^hI ztq!U`{LlScr&qOe-)i+n4dmsAbtIcTsZZD3(=O)U==)rkw(iXwW~T9+j73fZ)5rNg zdbH>y!S(g|UURFQff9r6)@YVw%vT_f$IU8h0ki3l@}OGBZ1$HWqE2 zY*=nyRa-J9uzDJ8P=^fxctHE$Q2Q>Oe=?+sK!!z zbJLU~O)xE{XjVN1UKkV@bbWPMJb&<1U{zbq*jUI%!1C9NG1CD|bZi$#N4R?%V;s%$ z8=LvL=5%;Ny_HD4-JO@Yc>!4Ac!ac7wHT#7Q#ZZ2IsK|&XF`ji2~S~bH{w8ZK8amf 
z2`7h-7dpot1RNkNCx8|(l=8aKB{KD&l>h0|Cty;Dh;Tkjt6`?2r`M@4TLkJV2ptm2 zm3+T@@~Vo^fK+1WDZEJgf@f`g^$7{51WgQ3Q$<9(l^dj0RMy1FeJ(Qd3@BfO{Y3oU z&DrbdI(!?*ldt+O-UFvhNJxm3&*f^XpLLK1Z}?c6fO%)O)^^%u7byI6Aq*@mazdVG z3A#SOP<__HEqYtf=Xv=%2N=lv)1~P_d3lpoLjwa|Y4nM}25tf6vw@NlD1P?H$Z&&2 zG?g6g@0wqm4w1~Xw*Fpxhfr?(bqr)uSz=g;^h61JdHFvFM%m)CJ~{?^iB5Ba>+qgb z9t`mes0A;^aLoyM6n`NkV87&6Ys1Qg zhBazN!W%z0G$iDDwlkE<--n&oH#Fq4Wb~}?zgYn5qwFE=2C;6Di6Yf`;jEXEzs)#J zj7@av?0ojq1Xpz~dhBO%BVj_ojyxwrdzq2(Zr|C*XKwHX4{(5vT=TJ}zwvr|?BquQ z6O&n^>g41ID4t?j?EL)OULIFz^FEBOk%`gY1ng)2?g`>1i;8)8dNRgJrLCWO+;*Zo z0dGpvUg$9Se2x@muVki{sLa4j&*GyNjwT0g!|VA(G6FI(QoQLpdqY-R*1&g?im{Vc zf3}^TkPFp0toHRTcONsHI1yuh7Cl~%B;y&HpHE+}15xkh#tW(g2GYQ0=@X(03p2HR zsT}T0uj=2%z2>+#+p==>7WtQx7#v+B1SNP#emjR*b#8PI5-;LLl#j1NtgjDE1#%1h4 zKwh)hqZ!-R)!w;MjftfDV{?DybP@=ffsZcvifba!ga1A6c(ZD%!_O-`Yx(sDp;x$! z_~`NaY?%MZ7p|N!3-!;6bod`>J;kWvdsj8AC1>N%|IHP`Q447!2X};d+S6ca+~7&0 z!bVE)_`7>blNd?LDCN|(=TV7Nk|gy1E)jtZuHxHO=xhJ~F&6(P%I5#sDPz3D!{tof_Gc{kfE-emz9)}Tql}WE!Yvn}%>9Wh96Q~2EHF4yb&A#)ivvcc zFtyd0iU##vhC8!e@!t0G?st_?`lxpW+2+3#G&Gbl2YY)5-3|`sZo^QX zkg+ov{+ky-8$V+a0;f5#g3n9*P-cjeip$IMjND80Y#J9WP~gBcu3%SC6AX#kBgHr`vk)B^Si^Y>C)}goL!@ zquJVdd;)w_v}~nK#!~DCugxVOb!!l2q4T@!gH12p`p#(kT(i&GVnWF0F0%__^BLG^ zbhS}!XsoPsR7!6tw+7V2EKnkAvRA;4uL=L_uzcnGvfWhIdv|}nEk14Cy;%poyA@{* z^MZqYEaW*l{G?hEuT-~DW80sy>-XM14Dt<~m-F;;(JVfGS{LZzbY$z}IjoV^y+;;s zrv&eoV2YAZwx~`i>i13XY#y(U5uuFx0tkdDlqcj{&K~7zlrg%P+?oPp6uTbq=hAeRX~Bj&+l2+xW2lcGDs7w zMyc`zBNW{{dC^@b3m(z#CDk2@-aR@t4^h*@Z)c{5b*m>EU3(9 zHyPLxcq)HBu3iU9$x7Ccik=6g0cRh@w>(P>SU*DWHTH7r!oPf0Kj}g;$ppRL*q#l1 z`$pnNb2a`bln7-S)bcWQ|L=@xc8kw6Gij&iL;AKjYjdY$uKT4>|JL^e2H3) zN)h0>8WwhIt>|NhQ?;wTo3&nwr!WF0l^zP)`_F0)*4h*j%Kk8_o9?|>P8dV6c0EGI90yEGzT>;eO3l8*2{@i~9F^M88z@DtoDzh)z7Fr69A(LPU{&5b`4)B;W0c5}UcI!?R+| z4jNO!g!cEJt3xbyx3)~!h=3<{F{rBh&$mGES#&k-qnXcXR}w%C&RcC2R+F&Z)!j!B z;G{t12emoQ>}m5$`i;CeskNPpm7wy(Cc#z0CgZa@7}2jZZHh{Z-vYL<*Gm4EFS*3x z-Aywyf{m`XSI5KehGKGMcBfn68Ww$h#?pDi-=0l21$J4@)tp|Z*W8u{o*~-bM_-*N 
z7LnR$wVt(KZ>O2g_$DOqKt{&KQ&$u~kU!cBSp_yJkRt_l-wU~{NW^>{@wwGKvmJTM z5Tib@7Q)+aRFPDgMdwJa}IX-SVb&z8oar%l{%CwS&=lu7bX5+k} zOv6HU?ZZa7r@v1w4(tz`SH>(o5S)%Vo_c@V;^dHu%?x|}mvvLn$+=$~K0UbEqt}6O ze#0gGu?>$)$s0WvI&(XPIG+g#RF?2SbzH$ucDNDcKCdCVmUNe8SZH-5i>h}R*lKUW z*YGg(-L_)OQ~7I5&3>72uC1*RfMaFdQ9v9Qx!a!R-}c#K#1U`ItPCD@dzUm69x zDQyi2vuZKxRf67>!O4YjfNfVpeSCOmj)P-&G4iRfU-E0_pBQ-lybqOd2!>5+RXl+w zmwcGFVZy*D283U7nw59EG+7l?U6p_Ehdw%*bAyfBqE7{)8*I$#Z=x}Zh685owkp{~ zPBKpM1Ka`2LOO)5sD+}eKihW*56Rc?xxQ;e`2%0IMIs@y>X}|mDn-cGv@!sk)6N`U z(*f4J;?rQMFugHxpXK!A#}(VttM$vq@!)6Zfl37$ReCl~+wsu%vF#H+!6#t|shI2@ zH4A0BSfGz_cK%kGGALKTH|Ep?W`S%jZD+Q7TCK(pk7i+}Trd)EA}Az6a4)aix(;GuOGs5!Yun!kA+^QZwq63;4%p_OWz&%#bCYm*{VZJV&ol(Yb{8-_f#Zk@ zq31YU7PQ{#OH1=@FfMB2)ruV0%?SqNRpaj1)$j(oxmm8MU1uFP z|Z#gj^NlGo@u&~e$*#Re6 z-L`3{VrOLW)#pf(k42RzP}zFzya)BE3SArsqon*kOX1rStlCXqz4mqxjH+ohp=wOn zk!DlHo=>1U`(-}au{fIkp*|nmRdoHN%>1aVZcZB#r|mz306cNpn?i8c{jk1vi&%~z zlODeqZ+1f-1BKbxaXv)vM zdr{3HUMg-{DOC{hSj7#QM|iie(dMwWWjd*yg@w1lX#N?o6cSmzX60&<(Xn5sBZ$QV-?bm#G+#d#E5LW7 z5TzPE_Gtcu>nJdchb)YnEkcO|V2S6S504MIxv-k;4jDSx;I~l8pV3juC{)O0_b(E} zDa)!`@wdN!+KL;=_uxx(TU*=RLmf$=IgEA&mC7esP4kp!^FwdkmqdQuUPF3pL@v8C z?3dLA!tL!5a&pvNUGFM@fqz%yNDGnhdYRq)lw>I>Nz>8cVleWC!(E>|f!;VT)s?NC z8;Up3QdLAttpo#1E;uCOX=vAffd&3S*p2SX zzoJDk94acU=?$lU0u8BYrv>m|4d!EG4njURiPpS;>|NPl$9loj;=H}q{t$(xm79yL zY!N`c(0A*`Gmt8Xii!@?(Fs3*ghTv1TVs-rLia{->W*YdV3rJKwM|k?hLc0% zbL|eM-zU zY~~L3_M-)Ow6%9-)U^DXOavI=14&7d*7e55Cg>PCX*x9$|Ew!bzmARvgsQ3qA{trm z0O5&&0pg3MOY^T$Marm|M$h%}UOelisk6PYTELB)RDy9o&9l~IOilk#;AlGhjo(vj zd4q`T>C@+vnc7~Sw6yC$2HUD?063Wfd$S1Ta~^$z2^&`W*uIMGKu=;}Ny+kEJUTi$ z2ntqy0I{%?bo71Op?z3?>d~x|_ksV7a%I&s!JZzqi=knOBr@$S29z5z>;{;qp8-Y#Fcap_KCS~PVH#ZRQ|JvJ--9*~PHAM4X9_GQ8eiSJUy`7FcvW10I6Jywrw7R+(j;1<7Uz3h1;Wu=FMevvwjFb~? 
zv(fc+of*&bw#SBxogwP=oFUfid(zXe$N}4r&TAauv`}K7(Z^(XsX(c^h@fC0VFlUsZ$ z3(#?^l)8m+#rCCIVzCPd-REUFVWs{~VRavt} z0UA9u^X=Q0Tv-%sVl5Wg$*hv9S1O4-)D&r1>3@G2aHq@5^QWhsohInYe7n&A2FJq} z+(!o|RUbo#Qw19hHVvQ!_c=3;!(l!`64kZq194gm$V^%a6g2!UTPK^j;nvgDl^Vt1 zeZVznj2$KJt-@4|GF|)UhOi8OqKAwBlm@$o5;t~ltIN0r9bb8-V>9=ALCOZ+E1rbH z*{v?DW3#E-mA;a-=$-X}CIg2IbRBH#-ygM-;%YiG`xzU>M0(k9v*6G8#SQ!@VxXabY-9WqN%7dm8&5{P!H zC#<7G27RU4T-;*`(?&-FoeLN|NiqO$fuO9>i?JGOnDw++a2K;?P4e}hX*s!}Lja;x zS%Y+?B_$;#GP0DJM^_j2Z}?PrOYrLJc{@55-=i?5I&|94jJ^trB;%FA5$O~Q|Cf%G zDP{p&JMDS!`*-hkeT?;PukHY5)-&ws(9T614hULIEDTQ#!D{ay?05QLo5F^WK5-Fs zeNaBhp6u*AmMrcE4H19dpK%fof(EeL7sytC$=erC4!V(M%! z5bn+U#NseLuUwp43_r)VrJ^slwDYQb`XbwcXP=;XpL9-*CH-5dr>p$g51%yxZ5F5} z_0}r*V_JA2OJTu=q_n(BA8UO=Iy(_o2ArEeGF62RpDc|mmESeK@0mljMu}1=l~PPs zbXy#CgiX@(IV0nvP-zhZw9Z37l+eWVW#iUsVZ=`?v1(ca-c(aA5 zw3Zd}6w7}>eF|9ISTzCjzHxgz+G;ZdIwThU{CYA$m-ck?A%rQL&hJ`d)tbd-%v)lu z`SLyR0pFEUL3M76esZdkr;s<}m z`zv%mscLRo?BjM@VJvduPmjUGFd@!=*g^C`ib!rOQd5RF90|I$0 zX56;6ZL9W2+DCgOSrS0xCFAo#hSUbuKwhFudn_f|ePc`DT-hT5)wwVC>g|B^6*N_y z?asrfI8TzYav$jodR8Y@s}i|A5-9a{sy`S~pZ@b*=Xk2w`G?PS6x7D=N?RZB>)M zzhW*NYNtGrH(2K@mtl#Fv>lGYAAILy|FZiSw*XlJjXFxxEaEHOku;`8mLkJT-p?xZ zM!4mP%WneTl_=0GA8ESpA2z<#?KdFMF=Sz zqpY^a8pS0xFY=#|3%s!#(TkEe8OTiOY+tt4jnU3k#pe1uEoqJ~&ZcZVgIh z*yTBw&&EZa40bPz0Lzz$^HbE$%Y$H zc^?{fgVc88^lD{gWosqZ(@S&}@plxav`nba84L9-%AO&j zyq#F*huf@DG&s;_z#G5%rd$Mg_Ss6$MI}>HNk1|q1w050;MfS^B@@Y(povn-mSB4N z5QkcWx!Zwrkl-2Ni<8F%$~19(646wWpwSe!;HMS$i*PZ&S7?5E>VL*MQ*jmH#D3Q^ z92|SB$@fDb8f$B5$4Pbhxz2@H<4t55GiFGkK)^rdW#!>vFR0aR_E0H01?gQ1kM)4p z4G{$DMv*Zm&<+9`HbE;+U|?W(1j*%9KPx)=5z^bzG1(+e{l5oM0IBChMIG68&XZ5Q zS?g!5tk|kB*EqN?&jJx~y5$QL1~tR>b<@Lo^Zv;JGGrQ#g$NmW_4g5&JGe1PNse!J84PC z-J<2*aP^T%VtO%kY@5JC&uIY6KKLn$7uX;+?@2~rU7j1Sy{?GLXTX{ktHF0t-?RQV24 z$9t*jDdYLq+j3YM^$lHPIiinh<>vTL?C(yqps#UPOC{J~1I&G)iG@Kc@z-^zqe|L zvs!0DF7HJ^ABlhz$8XzxomWO*Mq1Gq_wW?DOl-;18*6Qwzqb}E6?CMC%BAw=egFQw zEdT5Jr)A#H#*$HA@S~WzrKzQ!_J*QHP^!~Eim(WL$Dr7|iW|N3W@z9yW@i#JL4k51 
z^C-;g!dL%Ixmrj0k1x1DmJgjAV8ax~c?(HKV|J=B5fpWK99c=NEf1`FZ4ta<)c{K9 z6WH7v=cAvNs+RZhsGf(mFb1bKhlujMRF(b7f~QyF7*^wTTTy~%Kk!1Sal>Q!tG9U| zUn)r{26jy*+@t_nUwtBMfY5%SkCKq-S>X_mlgU!bU*QO$kR&_tXzsO&mN4R!g?U`i zv9juxPB@Z$MV5@F8usrpSaZYn{Z1DpArdS?)$M@U?;x^>tm zh&uO8yrCNC2xO|hBC%u6yr5JzzcbRr8W<`@$_)i1A;H#VcGU9$Hi9@B& zo)Qk60waQ85rU#P6L2ybQOXEfG(Rdyzh&QL-pa{=3X;wd%uXC+9N-jDoqK(-ed_U4 zYj!4{MOPibFJ8S%t@oa#Pu~p>`$VZxJ%DoFWhnQcJ(V0&nfm#KE-JnT{ew4sv~n4N ze@Os)0bQ9L=BpSBxCZg^By!KzV75e7XE8eT*hR2t&7@b6o;n)9Nvu9&#CKpud8~M zfeGMHAZ3$N%n>*)nL{D*z<0qteqn$zx~k$wubv5!Sb;KwF}7IDsNTr46+$8`4_$Kd z5Zp1&_lgD)%b+?d9~T*`>N2S2Adw8AlM;bITbFbhQ+pY5e>4fJhe`W?ootq}{D45y z&orBo-jeH+#L9OCB3YU={j{cqc&I+sKs|o_P1-{#5u_)8#^@Uyd?~3!69YP2V|uM} zoTqR}yY2Z>hs-!Z?(RqB9$}~!zpAG1V$wCSK?y8vxF8tC z_(xDuqQh_0VZQ}5y)LTZ3Z{O0NI)1z1%ok063veS?a$z#Y~I8(!e>#)n=30|sA8q4 z`#DJZIhd@u)g_du;-nzd&-xNi^)rf@`i}&<@kk`0PK`Gart0yA>dECDALgF_=Py%q z?GOfoH*)FMq@~O18mNrjmNIA(4@G^^`vgH`z7%M2QpV+K9Is!i$7j&>b$6#^n8!@Y zK=L?xHHjkGU#L(&=ZI2)J#9}zV`5@A5`8x z`~(dBkx-Kf39D+IX8WSX_P4=wN+Q6kJ8mogA(s~;LB-iw=JBxG{wB9_^N-dIYn|} z_I(}z3^LaBhry{d_GdlS6cjdAHc*j;gGCI2)kH#2qsxA)7#2h=@}{kWkANY=G*k12 zx;o&u6nvBl!F?VMjL0}D$@0V{_XuN&WIeYC6p8^8yl#w-mKmbSi*K;q$~2y*)>L8Z z-v7H>f={A;w-oD-wx%a~^%zcdge5l;Y$47^2%+viEla!s0>vE?uCKFEUmw5cg@7TP+>2z)( z0LNn#;JhavAE!#`z|T}UQe=9~36If3LZquS-WRltD`z7%rNe0|18F77MVLU{B^pd^ zP$0vA8>JE&xU3c|!ql|(32dkBQ_pPrXgYKT`)6<2%i zTWDG)XlPbzXcpsXIWw}vGfk#^W$Q#Y((!?R%f&}3*YLkf+wX=&oX^dGGWKXi+Z9<@ z>0#4K@tsMvSeD}d;_fY@qKw|Y(VGwuX`~TU5S3KAL#0!?k&*`KE-7gNX=w%+VCbPs zL6GhikZuqdK>BR|&-=XRth3Jhemft|ak&(Mk(qn$z4vwf>MG&UjV3P&k!6$^hKrYu zSaMsdzP1j?PB3_O9~UWQpf#uR_EA}R`Pf3AiAihf`8I{&!bL|NPp<pt5LsF~^~@ z2O;O4(C?)+5!1=9%3@xz1Mg$0(jU4wE`6vUEhvzu7<|9z=eft?(CmD%>S#klL&)KP zmGM?zJ;lSaO&8&}GEWG{V;dMSD!*0V+$G@>9PI7YEt!}c|D;4GUz#Y>n8YaPreLPd zjr6s=ZS9ZZri&G068$za5iL$nA3uC9FAICiuL+&C|r2@wy&CR5Q4=7ic zwwBj#=BH?uK`KDf=r2}RH^&D8)-{R9Xek6c2aAB`uBDAlUxwDikk~^;*3tfc1-NQb za?)4+wDASM9UF)Cilv;TxPpR$=;&yQ!OY&K)H!Lvpq|~zH0aNI6Fr?+T8h&i?#W@p 
zJ&NaKy)E8uGdQ-%2>q7p!htx3JUhER4QmbE-jjP4%1!l+1Kvl^nVsKDUF2MQdtXFL z;fSca`?BPUdKbEyRS^Uxrs~2scQ-$~|4d7#P6RM=&Zc@X8M9)c{>&pSW)14ZG-TRx&qa7n{(KWVc3AKH@w8~XxHsa6hRW)ZF>x5-u8<>Z zoKhi36=-~T@O~L+$Wy6!(dRxD#Z8qNhO!$`ztKq4XHWiN;$L?tU#b13a3oW=HC`(3 z`n=mgi{oi}N=g(}dbSXpAo7Q9t&=Mve|`9-Wefg%a&j_`!Bn-}=!tB+!~0f`nTX}@ zA6I0Kq-@#VQn@szXSWna$3rWDaa%6w7Q!U)Z0?r+03neQFA^WS&(fH-b$)tr*?-C~Hjbtn{JM*}&9X02; zQQpX}{+@N}4?!Pa+hNu|jbWk_^U7~Qi1=M~0$JYnc5f05&MZXqNJ|X#_$aP|B zXn$4+u~BFM?CDIV&ior3hLzlWBk{T*;AqLo?hZN&3k!7ynr`-c-ItV6F);+taD09! zqbxprq=<(aAIYf=Qw1`mYn<_qPrw!?8$TYOFI6%zx`pa>dMjP1e^z&y`6W4#pI^|R z3D|{WUK!7x*p%%D6&ZjJjU_}OM!H|+BbG&7V@Q@B;uFJ#h{TWl(c9afjjpURwe-}3*+Y3XQw)e!UT|6TC)Yde&-;XYl86!8xg%d2o03=T*a2XlB&4E#XKu$( zT!xEBy)g1fD9Hu0M%Pg>IxsLNCyp3GCDD<;%&jl_vwU6+4gX?QGeZ1W1ov9g zeBiM{lJSgF?Y~FQtI5{PTh?B3b6)N5;5#)mci*R9d^9is-r?MY?s&ZDC_}F`S8r@- z1_o0D@8rjEpZNUi0DBXl$&$!xo)3$m6C%JtubCbG^Xcm@t2Jwz=3`z?PR_MMaKm~l zB+I4WNbl^Sx~^;=h8gN%~7 zhaVpnGqbqPSihO@dwoq6)pR?msik#NSyx|?Z9}=AsOyuWwElh zY1;6!%BYGbF*PNni#^y})i=->nVg)R9ksPM5HI8!w?-BIRL;iE?*{Fe4{gKF(W? zTPtS0ECnX0*!yZ~hWg(zDJZlwlUY1Bu5s~jl~VZ6cemP(2sXgB0g4FIWl|_$zyvUD z_ASf4urtGfCaL9psy`2WQD|r=CK~RYoROk`HFU{@rOZc6unAHlYv8cbTq!1-LczM* zjN01Cu23)Rr%#{eIGcM4KLiD+oW=OUe_D?y~m{uQ{P`a!{&L? 
zJ3alTPM#^@Wcu^=O9QyNwJhiP_lDh48iO%-%DmpvrP_0#*iCTl@c#38yO`Pe-aYFY z4R$REO794qGrFtI%4>^uL z?A)Arl^aiwdJ!o5;3~xv)&P&tgv)?td$MSJdr+wXIMIvM5eUS|$;sLpnWrZo7bho> zn3WVW)6mcWW)(;&d(1!)_25Ajwd@13&;whn`I4$p5^U-JTv*BfTv*`S7vR4uFCU2( zu+0ezbwF$H7>n#NQ{^z*eF|#nhlI-3O`4Ad9J%8L-vPVA=^?RW^e6C!*3~D5J;c!y z@;-dPh1$dm)qgZKpg^~~BW;cypj$b;FcRk`G#V`RX3)pP&|wPzTZ|^8YGdF;-8TAn zn3MtcS_@h0ZDM0w=KA(FIlrw3INx}D*yF}6Wk9WF67kKYUXLGE%Hw9>e;xK zmLd*pt8e5njV&w)A^22zQgR|X1YVY~XwbLKX5Xg3hak~Ug$8;U_vt~#S66|;0iVZ@ znH%fC=5ZHt@+`EMC5cw5tEusNG4TcmpAq9335K}0w>Q{4;O1~79`O9drv`?0m=3_#PCY4foRCFZo&1`{@_yPILSLz1lR(1nh&YLk_P~q^838{B| zE5{atsr0nu_Vyrc%!&+rQ;v#EV-&mEs#62}`Ow0*ktS|3tZyPdzkM>P#{^cOZ(co}P&iQG{()AwlY?1M zld%{pU}3bJ(Fk>NOn5i)1s7LcwR_5WXEP|ji7~&e9D1?(IBdBa;=Xm&c>TKL&u~R) z6gM;MHIObfzT{+@9GLI;(hZuD2g02P+iQ`~!$jU5AtB%EP!gb!%>g!9Q@Uw2)|%OZ z0w#!3z}jUu_lAdRI7rbq=9Y7NmL5vZWZ0P)F~pXYiP~-1?_)N?Y?<3qWw&c5CjVV61wy z$_O|Jq=BhE-%=o#FttYJC#k<3Y8tneMQGmB9X^?+qNGj*RB*c9uw^i)cRn+o$XLTv zM`kA<*~Rq;k|EgG+)pQOg!ZaVQ{LuD=2~0dSDPFmrlW$rEm6+k$AUmgAgn>)86&qz zrwoH>UdQEGkJ(+huqJE!XE?~kR_wX`%ezNm#AogSK3X@f!rE#TWbOnkz_(-V;- zm;8SZ=I7>Qo*fcXxi`yzeKXFsJ7Q&Hb%;78Ac(Yda40D*diHb3*~uw}jz{nr;}^!B z*Z%v7pKKa^^K)_nJC@$Oi3Z*`I|m1`B#)oNKf!;dpQCc0f*kCLAgU)sS_;%j1%^!^ z@5IykLOFKJ6^R69bnpxT!wQOF>nF<~l!WtN=^j+7TOVBKd_jQDIlWE6HO36&3yEtCYB8pDfA-b`rJ zx}DmCnsjE~9lU5{Rc%=*0HN8o*d+BCNTz3X=5Xq#ILY==u2Z^~a9KQBhH`PwAMSv!e$z z&d$<}fx2BIMIzHMZ)N!!BQ)_o8FL~oR#0ksg84g3%KNlwaY@B`o3vozFcz1wa@g3| zAl+SX3GVW&9XeN61HUt96z{tm{K(&U>W%s~{O=b|0A@70%o9u5;;=uOVvi(-b@W9S zqq?~O$;+G=KWls34nW}~8g~*z zuzI5qLO^p4jzSC!41(mocT|?LFwMNtc%&LgD zeL&(bD7e4%TvsNRQh_P9n=qEv*v!o5#K|bqlK9nTCHDu0mk@|HO9k5Z9>6a|{xGT1 zR!9o8-^U|`pjEkH>j`GpLOIV!x_ePKcW7w7`b^p13ME}cU_Wz-WzC;-W_*W3)Oxq6n(&cMD zPU>4D%oqL#c>3ExlFN4@lW{W)_HX$?Zz1M(@a5BwGyi7*Q{HUjRq-mkzQUlFp~Qmd zV(G~qT#6I87XJD4lTh@=Y%%b4w{ph$@o=27s1ZFWjr=gmlPZ~2&u{xzh(X(}V^+6u z^~}9Y{Z)D*@oP$M;lJYz_X-CMDk>`*4mh_HO45Zih&ddx=(z9*33UFfKE7Uf6Fhud z9XQHVON;}FKT5uB_1?Iqeag%bey$HVi0{6079GfVZ| zl(PjtwHy`UKMAMO;E1zBye=G? 
z{Kz70N=r*E1~VVfl2Fr=+}qlWDn_*h|KLH_Q{^$tsUD|?)bp@$n86fFIQUAL-paIjU1@#4G?0fIos3Wk0* z#~qFy51|DF27cQWaAwHM1>azM{UCTJ`98&4`uxEryPc#c6iQ=A6lkDTjkL~Al4(ZARN;8<*Vmml*l=*^K&3FV zu#lON*szkE1^P4Z=HH;}+8E3_SYGZmsb*ne2JfNcnv;{5ve`S!zx~@543DKjm$xe4 z9Ut%2gcyhA)hd4#O;1R;zACnW-f620lR9sBdU&CUFAV$|5c4qt;cGj;uj|zkx?;VT z)_A}Z-Ltb3yRA7XPk0I>g~IMPKBlG#K=tU;aB~kScL%~_a=wU4%`=gn!@;yhHkQ_` z#)3#I5ZW}gC>1`|1AIJdFj&Ed z1}wmudmU%E!wuwMBoL*-dW1#^h;Fd5wEVgBVY#b|!>F>VJ6EoAxwu$vJ4=BnkAw$A z%pQ}o`W&wD0ET{MW@c}1?@^Aik=gBtj$nbi$3yudtG7=e^;N-preO{zsVgPB~j)mKNG#O{FG(n zuY?Kh7#ILH>Yc$p`ok#$`0KAAXN)pyz>(=z5i**qRMS^ zI^VJV0*Vkv|8_#k8$0Y~5k4^_LeIlF3)IuSvt9#@S}UX^nchp1na=_G-5njB#pO_mR?)x4t_Z{XP8Ww($iJUXM#jNchzmoO^nXhbE}tK>xBkK?)?z_KqgI z-UZ0y!e|GXK~~(lVG6Y_hY5Yj!YBKB4jvv}=uiMTL`w^7Ef1)vx5aLLU)KTqV37MF z8gv^V9*D4;B0ayj7);?c-_E}aT(A(45K~!qZtHc|PUQNK9=HEOABQkd&7l3ZT#idx z2Nr_I(rd(cRYSPVSNI&7d~Dd^mdS}Hi_`mnHrt=x7h|F z5U<$%y=LMIlSO%eAFek7^ySz6+Z&DVBcmU*oOd6PE=&2NZoHxPcbw8)oe+Q=XMRj1 zGWJN`+h}XG-y4-wzHwa!ZA|O1j)w(VuBntPOc6+ah7h{vV4Z=m7Wkx(ztSq>{m>Aw z9Kp_M(BLzZd*_&%+UtRYnBVRuy|-Upt&vgPY4<@J1C9xJYwmvJPy158{$pdR`R`R_ zJ|hN3kmo(}(_19~ls|pa*>=261BvI2Xo{VEcP`OX%HR&%hCa~}yOyNonV|h{abM7_ zTVLDIL|ol8DT3R)@pCNE#qG-v-i7c6t$%$|xq%W^K;=qTwE%5SwYLhX@JbT2@_gYa+ZLBvU!hz2h1KdPzGis3#sH*>*`+R(uuc*k29@x_2>tFWo z?*ETHec_MUXi&72 zUgOo)nE$ngy87R(Zu%3qGJGQ+C5>-iy7R^?ktRK0qnYoWnF|NDe>ffpTtJ7Ay1uK! 
zImQwlmuk|`2NGOFDFW@``SKm+wW|iM!@GASBsy{y-K`G}yuZk;!6GSi_4E`K6skD6 zKu9O_`>LTDocd-~=91oadiVkpNfG7EV2`N0TOFwl>2i`0tkW*W1H06yxH|S_N+#2d7J9chf;+c zirU&hq!zeQ?$>d|_=~rX7HZWuHMkp8zAhZQEEa&E7pV%x2U?65O}IRDEYB*4Hy=Cd zY%P-RQ`69ZBYc{b7y6QP|EW0+e0`_e%jZScp%@WXMEJ5EV`3s-@8(&%?eC7SwgTT zxdBypc(|;q#u|b?Jw2z-VD9j^maIhcA2&uz{wChc&(Lr=?zMjgzl3Ya!{CeX?iFwV zoqO_KrW$STjY+1P7Bqa!Q77#e^tjv>x9l?+`-n0dKPX(_v`KP`w#=Z7z z`uxHB!-Xat;&i@lA&Q#n0mx@NAQCe*U8(r<>GN>K)Kp8n)3xqY$Ealuq1es1>@(0` zEuQSe)K1nuA1lBoB-nC0T~K=S28tZtSPsp^RK6 zGc*YP1WnxaQhHCU?|h@R<^22{+^T43fdF)05ETW#PfrQvYVFS{?nrIkYW}J}q%&Ly zJ3ZJT=k!|Lpy#*RMty8fKWi{K{YG6M=ONzH-wXiI_qMje7W-F`8$&xcwVWyaPuB-9 zppaK_PJ6nsS-{J#3LhUGt=h57wf{{8WWIT5*~L{(JL~j0^0(Vs1IEfi2o zhY`>Y!?43bRU?~Pua>z0TAnuon!ig=g+w_GBO?bZD=UjLcZ$lE77Ps`gOz#*M%hde z=ZoFcF-!?yXK1TgC*yNJlT|Bli3Deqg>|RzMvT#521sL7D^xzP5J1bWtRx1;o{Fm4 z0SNJ8W+a#rM4c#|>LOGb z#?bZIavE}Sk{2KU#K`Buamr=>ivxKiK1BLdu>hSb*=Cq0Xkzbezdgu>#)gRF;s|15 zpm)71PZYjlLaBWAsJD(8AVg1b@wR^dgbxD3AHV^C%$3uWYIy-2==b(I9T7j?g)dK$ zJU*0AsDuIWhH<&hMu{HnfO#*Ani`s_zI1m%q`dE6aD!wa7AuxhHU5Ynd`VELzbPqi zTWn6eu(d<1E}tKN@b032RdmZ}a(HT&PUdu;4<7^Vkau6fy^gs$J37nQ*L3xECSteZ zVz&^)-|SC6k)u4Y6yLWNc6I>63Vo`WVcffd-NDb|_3iqz^et3Ms`1vz01LBm zwQW9ov3{#5ozHpE^EjGK%;&ai?f?V??)^GRSD#(o+PZ@&!6xSy;9lHV-20`Q6gQ*p zwy~+G2;_=*UE*N{VE8ZRvjy){kwsCk8&2x=c{~g=ru=EQoP!ql%7P-NIx_4GA=>_V z_yhP5Jns{6c7m{#4f=;JZimN&R~&T36VXYGd_FfbH05PYUTaR(>cyHRdTHt9h7DKi zHsyXtOW3}#^Xq07zNd%M%W2fq8A{eY?u%Y(ti^$I_}TfL4E|TG(#&>FuFe#ZHj}NW z<-xr<8XD^U{sDkD?ZZDe=2$W?FzD$C&5MzeCLA4A4T+tD!T=nTKh~V45T08b2w-lF z0Px3z>SC?Ayp9zd=*+6B8jpK201aQFDeAk~9tf&E3kr&mSAN^&3BXG_5uJUesBUn5 zwXH$H@s*F4myVb9=j`mdl+?w}j-jk#!vb3&&~t$KE=R{l+O`0xUvW?8^{d-TKeiYu z)?nVa5$Qy&5H7TNEH%Gk-#GM`D$_ql55>9fl??!mjJ}fY~IY^VBVwP033GXU44v4cukFj+uouB?RyzO*Re+~ zdVFl}mR{($VY_XAg^r$QVuF^PHMV`jkO!uUWbkHmtO*~ZjtElwr54vgC?r&hxGZu}XYqkUy0JmlvQ1wMdMdIEAMZN&-pmN*pGq&f4r-#Oz zskz(R3EibJ?Gu>B}Q1BI2Y#5bh~p!Sv4sjpWyYv$%0BDcU=o4n=X^}E9O zXmHRM++ASQ1!%o}$?iT1rqgO{yNZ1S9{P)^K+0#$={#m`%5ij@%I^jZfH(t-_W4pV 
z$zsQ)$ms0mQkU*p!{m2zohIRLb{Sm?);+i6CH!u{jXq|I1}@HR*c;ZH!?|eaMRq1^ zB0Z2MJYOeLKo{`$1uEhb-=GXy4#PF`RJPos)k^F zBwyVo-CXx=LT%LzyYemo+N4Jqh=ZPE@R878IF}oVXX`KMd`^~!*)G=3bo3SKFvHND zovTr?^FoL_wPd$5o8@q{r45A*8c|U+?XVvYOBL?2s1fOoaQ1PtJ@_krH<)NN7CbNb ziM)XtqlshP{*91@nwWS2)|-^4*N)cMXP+Eof;~q$HcVfDiCNbk{T8ha+D@Sxxp`)u8&z70bd>+>g6p$%oAJ?SN+Q)I4_CO6 zeS;GYtE(1@1AA#S#T>LZwXx2rf9xJJm45heFPkeRI=%}02VdqvBJFF2Lc-{;Zria# zkGsU|tnFEB>=cwP;$|g{oukRy4!aXq=Ir&GPr5|N=ic?qU2@Pad~xQf>~;pKtl(ft z02e&h=mi`RsdNIM^ok77Isg?cotBoy%gbxX@6CMho*jBY8MQh6veoakjzW@*y6=&; z3E~Yp1oT|*$0-RpI7rnpYv6}KL(wp!Gwv9QPY6h*u9ah;?vQ=EbePZJ)bMriT~tiu z*%6)XyLZEr3vLV|d*Isx%6BDkL?*Gk7;A~Ay-shw$c5;aEz0y)S2!e2s?NPl&}<@% z7QOD?aGeM#YmIYsUij=@qd^8kYu}vN!HfDE-q!s5z>>@>Br5Z|xTdwStTAAKhpz39 z?^~<&k&J_?X{@D{q>)XLMPk7q9?zMLqnODcJwr{G+Dl0VdF{V93yMSInq-#a%w;)n z|5X&joZ*gTa?IB&{oQ`8THhCHd77$O8ZNcTtNKTHpC%+taNlwWJ6Ar*azEm4a5&ieXhkc^0hx3}CG6U@I~X%K8vhtHxjx^6Ut^yF zu>@#nVii+TK*yBjzZ)JEaf&(>s5m$S#|w?#+}(tN-r2b^)iRNv-l0UVF#5$~I|Y#> zFHeHyBch`N27rq2SC|gg$A^|RdL_Qo`lhh~Z(j}luEuV~f?@*0wT7oly6fJO)^oD& zBHfP(X$8_FIxWuZhAqeU*iN9&o>u-U{rcE^w~gEA76&Ti-G9F4IOqW^tKREq!-}PK z`*0kPp#|%;Vg9;PzaF9o9EY_MdtrGK(rf8yWKYE7FE53?n3shaj=G-h{033p(p=aX-w((juu+>e~V)Pd=rX=2b4J# z6%Xkl5<+@PK0lJh{!$ps+*17ajM`Ih{6XzN-tmfJs^TXx?1`l2Brk5rV<8qb`S{U- zE|I2MXMTOCqNa*`YFuTpEFXL>^rDRK0ob+WV-*-h9l0xQj+4Ez4qvl(RHO)Wn5=L5 zeQ~cb6unU!oM3?7S?x&Wjj%+jx_aBlRbS=3SDn*E@IG_PL>v>9<=mAR2G_eb@FkR@ z1M)ri)Ql;iPO=6@cus99D|@sb%QlPP9AfvEkU5(=WkHNK2XhTk{btPKv*%;xSP<`2 zy-iPvJeMA|jqsIedFFK2yQ&P~px8a1x;krSGF%%PiC^`1eYm)of@CdTq$n^2DQVeo z17%(*4OQb;=~!BHNc!oc45e~n4YlwGoHMP9?ic~pku1?tEYI0T*UDKr?nQsX45%7i zo_=Wx>M%f7sj8}v&yJ4Hj-o@7cRWc86|#iw)(3v=R*l93x~ug72k4Wru;dtljs-p7 zd8~U@_m<9<_BFV&Lq!$+8@t;-T^>wx z;;_Hnk?CI|ltkwOW|?@b4RG3APwgeAtdCV=y|JU4yiC#)EGkslOP(ogA<_aRzTG8# znk90rwXj4Bd$lAo?XKX14pr!|g774jXN_wcP9V6pnIU7~Jx04)pVrNB8j*`&OKX|^ zToOHCO*^C0+l{N`27C|C*AN<)eFrXO6@QK5V@B&18R_3*DYbutnQVLAP?&LQY0MgRI^H=jRN+k zC7$r7;C_Izzw|-Brw83{>}$a=OIhn({i~?+$?jIqx>^uj8Ss!Fi)q|2QT5w8OS 
zkPaPB@`aCix4o-$m@q)Zv#fDyCVz$6O`OS`bZ+luC3`*gKqX8P(Al>#;BqS2^cWgl zz3}*C^w#*>4`&PeQAm!V2gnWx_~%aaoF3t9_; z$BP8?O|2i212=8IMz0b=Q{LhQTDIEcD_E09*vk}KbR5XCtlY#oI{JLlZd4bla6WnZ zNe?lD;&DU^y$KJuJh*jYPk9KAEL8JRvv8WR# zWfZxA!V?@I%o_(;B#b7~Pd7?>>dIDYQkBOi<$xkoqhumRX%KV_&^y3}W$C&B#dTa! z+CN#E{p)MQ(@;v9^k<2<2u+)V-yl*$azcYqHt8S8)cnG87LPjUT& z^1ju6tSX{q=VJCAc3bMnFG6s{7iQfWjLf)kop@+}=Y-|v8LIc!InfH7G(=q4Y!KL% zmOme{9QRvN8y&he-uq4U!b#Ikqct`9^8gQflcyv?HR|it?nFXcMT6A0Jc^<(86ue_ z!UuBBLC@SKXPvQIHJ=M!=e?(|Mu*2H)bb|wTM4wAg?|iX>-KXLbpkBeT zwOezNL=}x7Nh+h;Cl|mFxvJ&a#8vp1g=7?^j;cQQ&yF$gii4AqU9%vd@e$n>%H zENnjRg++pvy0p}8z2D!ddq~f@ic^5r-qHi)Prp@+j`qK4Z7Qxphhpdz)l0@rNxQgG zOR3+Ulr?XMkcsv}P2KHYSPtwtN5N zjs5Ff6N|Fz^9~)6GNaySW9pMwmCzPQuPPR~EQ2s}vjSGnknib$YIwbP$Add1E$zm0Q)cRZwA9%6_?IN7>!}BGzyQ{YdwNizU7Gh)8LfRI%g1N= z?@M2b4fci0KY0Ki9{;klGuiAj)o;t|JxS_ZRn5sYI!6C$2D}?LA|`R#o4d=5F16&- zPW-fxrBxEIJPbe%YvwS*21YP_b9B^cw>}uCpA-84^DS!f?XM%*|5OA7f^o^HA`i32 zmBTaUZ&1%baUAR2*C)sERpgpz`EW?gPEi;PM#IC8mWrlp`7mMvI2x*I3x|t~lG}^% zqJN2yC< zv%h`vm~(VuV7{*}eb(lkW&MYdBb-O6+vE!E3E*-vv&h8+2kB28$ z?Wywq<%;`uz!GuX|B~(xdX)n~{|i#Ts%a8%De#g^?@Y#?moFLM04264)kf;VRDZlb2TJ$w~hQRWZkvp98N}E8!+1cPesAl znChL{+Itjibex?-U%E?55F%+VW`Ilr^;cUREzt9r#)^Zs4+l(=Q?>(8(t`_U2j^<_ zy5#Pap){ezSt$qt1;=8gUG*DQKTGpG6U-BfjBjRstvB+7%F6JX=jY3kZ8@(ggd2YT z`gPTJVgv=q!7w4fQcxHg+E|%Cu}ea4@3qiW{3`rUAvn;p?u75-8}|2tz;gwu1?D88 z*R6nTsHv$wvpprH?;v8{+ta%Z5VlaZIx{?>OdIJnn%_emZ}x)H(R2kM$zA2Gm;r#? 
zWY@3JMrano3T9_!LV`m*y}Z~A`P-1l6H%K7Je(H;?h6x^+}LgWfTV*B!s(p8?_;;7A)o znOG1(7#EY@Rmbzhz?>y;o&)s@+C!FOET}VvZe?i;t_jyH*FU^zawzwEAEFDR=JWfQ z(INt=;0u9q*P$1UV9EMj-CROMBFyB_g7*f()yB}zexmoFZSG4(hTQ>}#SZ9I`D8JC z2m}FTaoKdmKc(6Nt ziic)t+iw+1=YaxP7ehBPJq-orPtf*^z2Ue zRZb$32Vyj87KeQmb7vBL^yrzT#}otjga`K_4k~ziTUn`fe0&-Q0_rI+*cQyxENan3 zoMvvjUQLgzbjP3rBS0n4q?npAK-#)GfIKZ$LwgjAvd@-Y{yqEwQu(h9vAFRQfBc#h3Xq^qrq9uQWz0e7Zod=KVHkJ|N_aT)+|^8+yl zy-I7>-xb;I#uALOprn36CxDs?C)GtvP7V@4GV%8p_idlbRspnthX+ZF(@590>t+rx z12{f!IzDuRh9;k7xU|2nl&8g!_1{{6;hX*Q?6IvgqeBo!i+_*W-p1x^mc{{1Ttj1R z3+RK|92}&j!(eNOUcbLR76xJ_|43nf_cv+-XF|l7#_!)_K?Y%zow?KojIC233%b-? zxtx-eZ?b*3!sY^_fdD5bFyQ}A1-tDSPLv1Ig~NMB!GQ?OLkC~MAI+uX9es1~{Cu&6nlM7P5H(NbaTzRmY1 z_G%x<#y7sv(`z~ty9n-B(pORvb=)mdh5K0T>4IoEZv;ok;NR|po`GM#e%xCJyXX^3 zj|!D%E+0PlI3215c6>DSxzRDmbha4e=HYR@R-bxr350y*Pl25Cor?g2#N{RDFPj$4 zGB3BQ&Tuf0*2uphNAoe&^2Wc>t$vf#k5Dq7X!sU7`YwlWd;#$0b zNo5Q{5@&u|-Y^V^M7E8|SeDTQ*j@?3I+i}{Q#af`fV~>gyAMwo_X304Yis=KtW0kS zQ_>R@qZ4)Y=D?^DMmJOnAfz4U8YO|W9Qr6lii4@nmG(}saCtx(G z0&^l*U<_bhBYAj4G6=|OZ_m!l!+>n<_8Qkf_il8=DbHXz)c_k)<;W9YT)5uxl9ZHI3(08}Yp8ELHGqKbb>nJA z4fNBpYK0i$i{DakJ8&DWu4W9o1y4-Gho-BDr&Vdx&khWF)-vWr|Gt3fw_!o{`*q|z zRFsrHs4a^F-@kFmb;_~l8NuIAjC`-J*Ae>c6cD%-D2B4a<`frz=}?U;+F~eGng|mD zvy>-({=|Vm7Q6q{_f5^M3T;~`h2M&ktQ~l)n*3_Z%93VrVrkJJ5bmTdocAK7|DVLG zdw&tQAknfBh`rTA)5diV4f7`_ot43NNsAU%{sspRO*&{F_7^v0CdVhH-i1Id1Gr&` zh*;qJx5EP}J$D2}q6FV#ack}mmo%V|cHY>Az=1#NZhXGA!FodYb5ynKXrzmb84dGE^Ikij|s zc>{HI5E0Vii-pl1D0YSxpw2vhv~tFxB|?++`8PdLwrWYy^G@jm61et6T`3J8u(^#` z0v=gKOKW3m&6WGPqyG25Dbv9H*x-6h=<9PTB_;LxbxTOdS|mp~6H8F z9Y#n8%r0Of1fqH1du+Xazrr!+m&*y%KL>k!hC@9)>xbu>nv;?tAw~|`w`&wxXN51; z*37f~kASc8=V)(4-&&d8@#v6V-F*r&u-Vy@wt5wP(rp1h=J@ys2MQGb)2FNl=kI;@ zqG%G-QM|VESEkW2t6OU#oeq|IdULH}e*VWu*KyhdplfYCpDh99)45M;NxHY8;X;Yc z)K?Mb#;oL*V0dIgtSHgc_zOzBkJ&9}gL**82QaUfmuls9dbM8?lfaa7;BXCjRk@X3 z4&rVf9_*q}C_(r2eyyFh>6_zPAcObz#%6LB_s5sSnNRq?(wkRI|AXGtOcP@Bv8F;s zY?TcSjf#Yolu-T)`Ea5fD}^%EYOf& z>wp{k=tq;X3ix|gb}Y=yN;OM>y)o!p 
zMYTK5-RKnHjgG5)37NgmfBHalSg(l+$jfgr3|>qYO?VM@49Cg{4|j*VGAU*(ZO{)( zhxSLInnc6y{rjf7);t5^l%>r({D%RVLI^<1Z?5kCa;JN0vC;aP2Q>A!^aBGJJ8?3Ed?0gUV_@; zeEzk|N)!0|hn67+Gb_j^xONZ2CAeqwXEh$!m**R7CcmD)zPfU*+P_(~zFs~&A8M_y zEz=ww|NGnjdjA&J{kV6>AwjpQv8t-Og{h$6-AE;ZMs~5e1xY8sqaDN z$$NWI_nXJoalVUd%?XH%>w7jvY(Lv(&Tb`ubMB+0d^eMVrJdEtl>6fFCm91C`Y)At zNgqphna#@_oYIYAFMqpH-d$-EHh1||zd1dUdaGzKY%tG5LfGlJT<=KwUxI&|jW&;l z9DVj%->Jd1A>qFD4@^oKt&Z0g?zalJt7hf^0X;~1Mm{C{IjB&-DdJZ488@|E*KR{9 z-zeC~Q3gra*+|&h&zx%zRDElR($L!p3cvPsc66m#-E#diB*xs^%dc;5A>G|3q~u)9 zz4hlCII3E!?_lBct)<%ES~;7VcC-nNv@uj5(}nH2&K7;{K(HS_ZX44?j!>unq$0*+ zS_Vd!*PDXA+ns8Cnw_070{ z<*W7+)o0c9)u;CsgD!53^wm{Vg&!u_@63PBxp}`%zA6*Pmuq&!_e;Xa?7u(y3{Hmz&;}wV6dCdFuV5GS9)A zVN2i~DmRj~x3c$B=^p1$%@a7D3J1cM?Q#}sODz3#4>JW;Nc~Il$@TY*rrv%T8fv0V zMwgffD%Y&A?N}XWif5}CAi$#I<3|B~d+=;lWTm^96h1i9gF}uT`HRbF z=YtVbsxVd#HsF_px3u6x;Ew#v*t6(zXb(d^Fn?FT$C^Kx;#8QQ&W!e6+x0lM$f=t zE+-)k9j7p3RQCqU{Uab80Z*%_HDY1(K}Ilxbaa7Xw1)a;_hm~}=`cLVL-+S@{!M-w8nkFB(ny;dLBAR)b;UhuIudfx z#}R!?nwpyV`Ype@B>}e685L7aJRMK1C@Fbv)E&z^KDA{J&MII|`!zf)^SDgF>4X0i zfrVC`gfj*E?A1J9{M{xCNvU7$X&-%DwpCwYdSl30QQE7arM|w z5$C85_oj@ZI`8pBuoB}7vu3X5rNXs;>78WhwvG-ipg{{>w<{pu04+e$&3o{K42CH*( zr^&wL$tEs%-+d&Ke`d(rV_&Oye*LmSsyE^zU-sfzBt`ka7mLi)f%WPkuA%N6u7nmAgwM^_7-#6_x$PAwu+ww7z0yCx zMC#5jjQE|R;Ca#nfe)ef#Y|u0gR%#HH#Z}dj-0xh`s($rV_0Dwjy*BmT_>lg@hpBf z^{c}p27hFp^jr1W&C0{OvUIwLAGU*og6{7Q>?<{Vk;=SGg#_2Adppb6Nx<%ZTXxZS`Nd6b?t-TT^y5IRfJI2vx)R1_UmL^d=!^{S z@J8KltD65@UT5;itL0I1SkvVv1EC0_8RZdfw!vj>UQT9RqG0#Mi!=8{pVZIe7Ka#w zYws;u4~Mj3=tTMLzndNUea$gm8ngK4V>ukTJSa0fM<&+|ec7rrSecwJ6#_F$I`c*K zc*}18cAV*^rGxC`WnG)~yJEn}J{~SE?%f6z;~0#9CAbyf(iV`uG?2nq zVT4g{fNzt#-`{;bFp_bo+1GIB(=!O?V8nTO6)sJ%XVkizfm}pzUffa0~?p7C4^rM8Lx+Kie3Aum6AImB)^uidMw2L}Lj);;CXW50cZMQ>#4 zIC5^Js~qymabrG`b$yUS^m=nFR?LhC?gq>grH*Z=iv{O=+5f$#YYZm99Tp-a}Q9HPbL%(%CPSO>95Eyt%c<$Y^Mhon#4 zjs6ef-ZH4FFa8_dG%5np(j_6?4FUqv5`wgJgXE!0q(ebKTDrSir5mKXySw2oe*bx9 z?sH$=7th=~<1mf~&)H|~y}s)kpQx$K%x#+c@$<)S0v6FiLw0?BUEUK&MmEIvTgr>? 
z`wPYq#$$x?sb2JY9>+)Cy54o==^g{ONMXwKq#?h5eJWCGIPM)xNFXdx8xy~|u$gIm z0nK}@oG~SGYuho{%v15;HZ1R#+-{%j_J!3?Cp-X;ViQR>`<5R-=QIU`^E=qWY^9gA zk?N^+#YX*n&kx@(y)q#!_sc4^`;mR$zuXKa@ej|Ao~BOdb$8!)PmP0tRR=AN&CKoH z%|WBOoD<2^Okl-}WHQe7#%QgTV zRX&TbORlb0RCjW!sw^>@O!uHE?Ds{Sor5_^g@OKc*e>qgeYj*)ZCw=au7Od?;9%4J zKkcvnbHAub!KW>xde_~wv|}*7Fn!|p8wf;;qqsycurP4JoU5y<@lseI(XQ^EOu8Pk zQv@GyBH@xX!*;utfLKAoc7E6?hY%&D?>Eb-`a~z}=qLw=@)P@Vd24In!)OCo#p*|= zqk#cmfyrP?eLkQRn*%Eq`#Q0tS6+%N%&+_U2dr!?RP)9>ug?WMK6~rhM0Afj-)=4e z9U6*ODadDdaKWa=)YKSUh^pF;65X@0r7tM6a*8i`C$}7}G+VN>>guxVEq1b>gG~jP zOwghwCmw!ENlAgVwKbpfpXz5bK(_jzcKgq*ocQ93wztM+esXkja(2{Z zbx0HgqiA>#Ks=(N0KVqa0hFGpj%_^G1Kp*Q;gKtQ*5EO?5wR?^1K zLxOP^3_{*F!0s0v`S-ZBylfOcz5jgSge2M}m`IxXlTNrj9utd%Xyck{vlO5|x7$}1 z10Z<$5tNI){q1tzdPc@xbV7DU9@?GNqm1n8YOqqC?#^c+5yKWv26s$&Cre*$ zEb|K%>qXcVaz?fspTaMU886lA%;p{)ZYKY%^d2leLAs(*(YoG>p3;cFyT)+bldyJj zQW)p+-2mSa)H(17Usx8Vz6}lKhdiB#j3c`$AZe;FRVey+@3nLVucD=;v~(4 zo~XF|YIanQSSreuS!Z{vyL({uW3@ZJ5VX2(WJipTpGtmDfQ@gL%{?q3C!Uqjq zJYs-SX_lmdMztG}`?fxhj@_@$=M>8px0B8R;hg=iXr$c4P>)P#XINtC=cBuqTRE~J zA^g)b0@E{dau}#j^YaTG&o0Nt$9a<#z|jG8tI|)9fK|nqiwh3ks=B&*-Ey@61_nmp z+`c2fx4DpOgi79MMn@RW^$iD__=~52-529RY|)^Ds;;EF?pCDwx*cC|P=FX6yjjAw z#nLi4NpxQS^w`?QMk+!)G&DL&S3L{|#7{$V3>ySs+@5V+NGb zUqC=eurlu8_!Xk4S#Alwo>t#Fvt?XdP0gjDxVVt}QCDqAzWZZjv%K5g2hB`9y#PB$ z6;{%?w7l5=Ro#4tIh+zZyFdK!9WFc4EQ(F1`zofSr-x!A5^Qjga5)W7V0jN;6KY9K z$Wei^&e;g;kABU@x)JTUw1S8y7G$vEZfa~&>m}W`)Ih3<5xR!2{mt(l#ip1V@4&*` zqCp?_6nBto`#BFyFrbI$7Zkf81x>eqChDG*$Y zkSg#LR~JvhwjJ+XihIv^#Qw0x4Q|gv_z$aazzPTYeDFnfX<1KFObLgAQ=W&5+v~nt zN<1JO1kU^@eb7#>v7H*7p0=;rLTd%sa-oyk-r}Mm_V~$>TH}$6=Vxb6q&)-B6{|k> zNdX0KyVI^$4M5fOt~_?OYIJ0#^J2gK0)KU_@ZkVv;*g`Tv9(?Hp6=)V@cqh>65aiE z-^ub0I878|TLxMCUhTbWXk{jqgg#BBdWh6EGPD|50Ow%ociSqO%ES`_OSf0>>KL@p zq_rAG(SCUhb9-Nl=yO2-t#?MZ!PZXOYrNrj^ckxmkI;t(G{SX3ud8Q07lm_Y+xK z=JUmp@Yt2R)c5z(vRU`l0%N35Z1s{`8M#@8@rS=k^{WhB#%F`?M4C36QO=ORv@W4O zdj>Q&D=cFt|Gr3FiLiOiqmBg%+~3bV9VIB7=Bcw6P*p%5@)V>fvu)iD 
z>nxWb;V9vrGpUG)#W}d$%Eh#d1EB6$A+OWJql`e{FWUl#&>5aOIzJwpdJ)a>!nq;2 z&Mm1n&s5vPHm9{re~vI^1$r~Xbdsci(yD!R>2bByS-cmr1`~;be$)MAAT2BCekZ~K z5H;~uhH~1s)qp*cNtY#aYq3en6s^SBuV>}Sj^@x_Rh*M=GoP`e51SOl{4r{xhfM9IY{`38a#ZI|mfSCMOP_x1dp#*}Ii*X82tR1Dy-=9g!kECP z;z?~Ap^Zo#9K@ytz}KLrHTA+4O^2`RH*27N*VIf{S;pRVb_dI-V)(@}_HumEYT`yR zgJ^%9U$N2QW*qb@`iNj$V(U|<;ID}rZUjKv)+zk`D{5g1B@a8H9e$FCfe3W4lP98t zn9-ks{R9uSgjW2JF$C!h@J2y8zzKxIRA}!x%QsJlH z_Fb(dH>Fa}q+&)JZd`yuT2L7p`Zv3~U@cy(ui{4zPV3NzHicfW4Sp?tDvJVUMJ{=x z+tZq`NREcLqF&6XViwb8A?YFB*Kd_Te>=hn7Kw@FcJ!m@&tjG;xZIM@$@^!jXBG#; zRfRjqo#o--&w*!hF}<%S1^nQ|#KX1azW0_?c5}1Z;?@2}Bha!VBqXfWJD#);otks? zFCY;L!3;^)79RrPatVJ1vJnoZQAym18#1Yy|8{MfB!o@0AW#hRv;67zu3!w_rw+Rz z+m;_Z*{Oogrv-y*v%k5^x<}7Jt$@Bi;~*}>LC{E<;ihwZa6H^%GpedC@%HQ~DjKJY z>tK?Q`t1%GF|j>UxFOFDpkh3+X_ubTl>ygKv(Xj1co4|+bkj!w2dotG03KKJzt_<9 zl9tbBV1O1aG6H8uE2`^zMpVdBzk&P^M7Iz5s_=s-h{!#-A)qR6`on6`$D5I=XOL=S zhd7R#%;zMQF)o+F-@3R)f=R$>c%Bryo()bwk(>S6&y0!5PBw?7FQ(!*>S62*1Ra|j z2mCJtJlA)RuyeG_5XZOVNVsTN=_V)4l30xs=4@C5Q@srfwn09lKpR049IE&ZHD3^wk#jg)#SLO-Sho@U)x*duec$#8~+wuJy48fEN(spPYGDTd zf(-+`hb0SMGt7nQHB1j1YE+k{={8b{eR_X5D{#QC_pM}t$T1~l;$FIu;%u;wcZUp< z0E^JMTc}Y?tW`@(^N{*Tesg_0xw-pHL2f(wr(-wRrI9cZ?3MX61i&IHao_hGvZx>h z)Y`tSXi1TWE7%;B?!-~S#9Rw3PBR0r;{wQ0K|c?KyF^y={MzyB2QPuMYK_P8#<+}F z$R3E-xw&Y&uCAUJB?4Q5w(b!@LBT#e2epnVgqw5d_n$j=`UFxD*Zjc1af>~m2{~6` z*^szpUBt8i1nxKOu=m|R(?dXI$Md8;XPE>`&Fkz6{43tv1$kQTcx)^vVL)P_qx?KN zuc$7Mjs11~>9WtDWuYnX6z^V<0)#UKA3&7{WrR>Kzf>4;d-*PipP*FaGdmm-6%SPZ zpk_7Gc$9KO+PM7W?|OFj2R&~#w^{$JNZ~)_z#Qo4nrophfL-%ev z4uPtKIdm<`vW+U;4flb0U+dyVJWO=I`0xqZ)7SKWiA2&K@`OEa!c#fV<{oZO0?^VP z77{s~>QlXcBmkO8dftlJU%0@!+RUyyBq6KIqZ3i?Zai__W(;5p^3s_ys- zM?&bfEwzGUkYut!YrFoIkUx1NL-BsCAx6*Xfq#aB(&Ap{*@E{*Khfk?P_fcm)sksK zm}!Jf@w~Y|M82af305uWVXTS5mK@aKzFz{*cSJrd?5A=fW*Dw`gnI>|-}35GP~<7H zd382v90|6-HqL#&1Z)Zld3$Xo1}kSheTp8>;Vo)xEO9}QO=mGWX-BI_+)B{Qr;nA9 zh(35?*`hT@Tc7qLb+_4G?{((odoZz^hSMG;H8S>Q{1)M(yupe*UML^Mf_`(N~*ZAM4Sy zTlw$*&;L=HW^WxlDbiYS;A&7InUJSh)0J(~j7uqxm&b#!3xt#?{Qu8NwKCa0OU99UXW# 
zI}5D=)^4~QQI-3|K>f5PRD0lyveDmCk(PEpQ0HLtULM@Mxxbl;1}wG*6AyQiZ{KEG zhLn`pPUjArXGnVAt>No=Uwu`@wX`-jH_NrP<6VG7cvEynChQxCKYvQY0Y_g zTau$Mz|4n9@tWG}oNO?Zt#1@HShNFiImyF$YlX8IGVT4b^$cbfD828^x6RnHtqQMxRG(njl~#@ zl#~^ zKUa7MzWU$VTHbhVUDc0|mdk)0In4$8o7p{LI*W%#3X0jm?9{8;U-Jz z?X3YA7w6}InLc0Vc~isCqOYNrl*rG%SFKS2PE>+`yrR6RI>Va)Crczz2#VJhzB%X1 z=nOlegqU07+CxR~EqS+V3!JacQce7LUpvxo#KwNsu{0k~-y*?W-L^*tlhpD?RdVFL_rK!9{hBlC5saf?R&i-w?Aual zB-d89_c)k8@V*>Ae38c~9~T$%vavC{zt(yRrMHTo1Q1Zs?aGugI)%?pA6#!Pfg8Ag zTbug*6^mHc+L_$`%*BFj^H`1E186S)`xo_daxzZWlZlO9I%%fF`+;Y{wZ>aUCa$WW zxtO^b2KM7owx#z$v+1zj{dG;QZqv4fCCD1VCj%~ZnaiQE{S}dIvykQa-qWwkn@g=> zeswn~5|P69{sIeYQ@%kpd%hKT(F0><^#)!Mp| zx|%9AHFfjtwj~0}^ZWP(G!WNYzwri(i;Dv(fizJocxPDiuQwhq@JP`iK$l>3oGg`J zu&q5v`ARfil0mn9UUvck`C{)sjeMc_^G=@@gjsBDAxtep@P6w^&1Gpz!&w+YC#MT- z!b?CY!+AkQRkdWhrzbC(hEdlAsC&ctu&s3H=njHRK?25v`QUjt@6IWY@H;<758=%_ zGqZPQ02@29Q_^@FX?lO(6UqX;v0w0l^Y#7ub>ngO89YfX{&;k%;{C$qJ}QdL`*<)+ zSwmB~{L_3=;C>5i>&r!jg6W%2izFupyUmkeB1G!7=}V8@5v=$AZ>#%TNeS@Tl}Z^i z)0)6r`RuW54t@&Qo}wM859A_#x^mH-xihsR3f8n{tJ}idgKMti%u9k+`hU+fR7bE-t>V(Ft)F=q-2VQ^VuPiG!*}GnO;=X z@6^oA$_gT8gr&JTUJjV%0?c!0iKmAr963LY$)K604nu6;bG*mRS>zj%P z$R|I)r>OyE`?03Fpx_zQe7}71DpGJ7tXIoDz2G4J>W1xHx%tIF@?T?;GZ3*msqL^p zq(dj>?3$R^1WZ6KZs$~7`~@u!B~9hs1hak42HggQAI^&7`=*LsbP9S(jfDvj#ESa96c zB!G&{@{>7m)752VGzoz z?N21!Ap)5l|FnRx$3qi?O?`8-SG!cNx<{op;G(7SZlz^m&{ES#N=V}3rJ(rCChg89 zSwV*t%Ki5`v5;*b*A0_PP7!+cO?p8<^ z1l_vn{fah+VnE~uxp%w}%;uu#Gycq!fz}|JF!#!Rt}BUWWe{C3*A=c!&Z za?rQ#H4w*l!Amz;nIL+o(87_kzm~a8NmDD(yP0Uwb33b=taXXkzW-NH;(50RdjUr6 zUDT z1zhNGmt z>zFzPspo#v16+(umFEqH4qm8chU@APEsbL0`7MWcOXezU!D}a+XCWdeNW0EWUd2%S zqYFktHkisx+{4aT@+lzD(E?raYr=5ZSm7vsb|$vGL6DFwa9cXRd$-wJ(sW-kp?e4P zvh=+6Qtgh83Yu?9+6|sOe}>?L5!=LY=mC<>?Stl~l>wxh!DJrbco{CavbSPbrP&^E zpCZ(dv%t-fuU^8l;8~Je%1TcDyLYA`x3sh}^QRL(XvYMik(}?}kb!=g*p{Li*fX>zMw^CZE1)MF^Pg0)?9<5|P`*wKXA-Sdj{WW4jxh_WpW<_CV7`v1F5= zNFgpY^%FVSi^E@0Vn7JwQ7t`Tq@G9)8|gTpiE^7G2<0KZ_t<1Fj<3Gwe#GH)yJH>XMW)GFo9_q03U8Dcq;G+wa7bAo2(dQ2qPcc-1&# 
z#l^%9)O#wJeVhy#Y-Ww0j=H8s_Uof|B+hYzBo|D0fiNW3 z*w}*Y#}?e1tjAK6AN&ST{kb_0o)~!aKdYe(E}?xa+3y$sKWH>$CGK3c`D1F*WT4u$ z5U`*U_dfMIY{|m~*M2%vrxEp2pCCr2pS7>5#Gq!TXq>rW?tW(M>0{@lNIDh#$7F>Z z)qE3>b$Tu5`ul%u%AsZI^3Cz7M(Bj#epx}pp9vR5fBh<|5MtPv9UyTZFIq6D&;V1i zQqM=`B%Xw&BQj4#6~7MXCE3=viaicLqkmNH?(yI;{=_H5GpYXgkg<@R{E3tFP`0P@;*@ZjfPH-CjhzOyfD3_Y(26E(jkXquUQ+HDNL+(Utd}nYlzu?hKNzW#lGa}tU1>Sn7gvuC;11&=}AN~tCVG=8Mn~c#L;t{ntnyr^O)|jO5pMVQJnyb&<8pKIfECoTK(CDCh0twB=JO_pd8={rydvA#Qe#UcrQnnU&o z6AL*mO2#~a=JT5MWhrGB1a0}}+z>(~z=qw4a@jro_NO~^zb?_(l~z{hd{rf}+FEvd zftH#69)MGIE1a96_qL}v7OUe|qN9PiCcl%-hWdilLS+_jN!QdUoEihK2J{P+mC^f) zK$g4Y+t)Uyn5=98a6T2KJk>^zTbw!gV0US+pH)VIc>;}$ZOp1_Xz#~BZ$o+Iv4_5~ z<;k?qn*;a#I*~ftTdjk}r6LUODxT@Wo@>H`X-$P+jLp-8;T>%H2IXQ3W-|LG4F2Er z^UQ;#Jq3l%oCBK*GmR$BtxX(gp-U9R?C_WPI5@zj7mVr@i3JkkzY7CJ7SODP|GinZ zB9$HPb=JON^E*X1Y$;@|J=v9HLXZ5hBZU$i?K1gGUnh1P0VVP$Q*vNJ{+_R;;Fxv^=tk6CK(9krY^m^%3+(Vl+T6r%sy zKqCE;m)H7q5+FCgz>brk5lpi4cnE~`%97rXCO^aPHaZ4s_q@C3&37nrseCiDQ{SUw zwk$c%!-9Hx`{^0G8t&(INn4pv5{p~jfCX$J0#%M009>#XmlUWoe7J|xZNi4P9w0<2 zk|*I?9J*gA>MvqXIOe`YBy9EVg;M^R@$>h|!+&#Dkx=o>)23l55bWl3Y3qDdHx*Jc zj0%C-A(#a5MhNJAW0@}k%EgwPq_%PD|k+Ms1-nz5zl+k*yO~-^gIxq^lGqWvqkvsorKerilPwJ=cmbm%FHX~@8dP= zi4~s7SL~6T(bKb8RHgSCP*Z<*D%YK_54cu?V5Yi&^&Wk5u1F;0>|&uQ@ASb=Ngn`R zpigXx0MAEBnL&CtqOwP$BH^k54An{+=ro9OLa(K6*EB-eKq%=F0*yq53SQ=6mO`md z24Yr{ZdWJ=#k1vhw3u{EdCGZ$_xGn%V;{y|cWjKtqZQ1hkL);GiR|v-s%j`@nh@|A z#`WU-7^<~fi4{eVs+$5d;HkiarsN@7K2AnKUS4X(Mkxd39vpcPU8; zkWA13sKjn`qupJC-W)of_(V)CLF;26j%}0PUEQ?^kIi08hRxsiMzdt43KghcYBK6r z#7r0}3UeA>YX`O_B`2qjmK?=j^wd?N6O)l3fS;^b?+XoA{QT;uN)K-= zenP3Nk=IH(lOc>P035kG&p6jk6OM56{&#A^zOOCt2CvU_+@S1t~{4Vu0cLf#5S{f#l<#DU6;&bvG&< zdv~=H(N>GwI!QG!A~1%}`gnX4 zh$b4mdw|NMCTNlXVCnc)VL_3`$y^Ubs|tv{@05OYk5qCE>M!mje;s(J53>=%;N^sPz509-AxQ*Z1i#`0@ zd>2up%${9epH-V_-+Eyg`gEsBP-RW7^k2==P)dYwS+rF(d=mxij}AfrnnG+Z4!h?5 z+M4VO4OI^rEv zN7WaI?-H(=!$UAV(_hT~YQnzs2?zLyA+9LKV7^!+pWAX<_jaViLf~@UlzwTM@cFf* zt;6RZ%fG%@!l#5KewK2Tkk{`{nI_B#jPnar3lDH~Ql83TTFYYi@LD61^o5&_nX7SD 
zfgA`|n|PEOSkL@E)y%Xaoa(2E<382UE-BN|!AmiPLkywBk%wH06pBuUEYI)~4ALoa ztgVauMT%8FqGn9E=cnFuV$Tb^B`ZjcoCcbNS+3czy=~7Ih~Mf$ zAA?5mIy~X~@DHd_xqEW&d_4PnJ47aBr9XMkx#8o<&Vo*xJd!D`D&D z8PKTliXNMOwbV@h7*->GNL$s+SaVy7pRk2$3{ROO1JPxs=wbLnf2frXs6Hb22@(+{ zAURk*{J4CA-9i1Ty`v3Lg`FHScvcI5@KYOl)l-Gb&w;QDYMNGPn>rhyWp6%r6jSaJ z#}LLIV|WTAN#aMg0IFI#_>jkbfoK3n41 zawYz6$+Vn7jLe+z7Qn&a3_d|bmH3r5_g3lcpDv_D0r@=~c~`S4MBezM^(Sy*&){t< z1YSzgsL=6_Q>e50L#04nsX-X;m(p>WIyqWAIJgVtzE zL*2~kmwgtEU$=N|?FF85c2Jc&;yvNcxNm4X2De96&by4yj=M2Ja6Tr_V zI~R;CFS;a;BcQTCKEHWts`-+fi$ahWpGeSuu#gnZd-==QzM}oyFrEjVDO%`m_nEj< zSfdisy>p|A=S?wbq2f_gJ>}!U{~Q#t&i3e{Py#$2Vq*Va{w;JBS}=MwYxsgB#<=dB zf)cOYUEz#@As;tp&Ekzq*~LrnagSf@axIjMAg(-5brYv zCmnE8?g+s{2XRU~5lkcaDn?@pxqL3ywa_qZh{5;C&MWQO{O2baf~nbYC`fzQ*wfl- zQMTzs8Wz}GRvlofQI}*_j?SY+;g2ROFDtjbvXxgOuxtG46(D+WBnrU&79nQ^h(a(B z_$oI1@1Mu=|@ zg};QEJ?LgBkLB2k(C!G<+S(dROr6Hp+*}h{TI9Fr-7G{zoDX5Zh0qo4J~8b!W^C$GjOiwnc$&^LryZLOgkOwU<@uU!`OE2W{Rd_jM_oQKSIzB zO+qhdr{Nr%cmff#yk`%4BVm0Ro*e93sPXHPbg2a>nqz8u(&ujJ2 zmqf&BiPr`IRX}TyPa_^E{sG~^#0uk)fZk`sfV~2E17I`&U@<^({30mGvEP6X4~n|U zLG}B5-e(@(VfZ(bUd6Pp=bea(y88Qys+IqR1t7wkHyoWj;#nPXid>5QBF~fgcuNZ>C>EJXm5Y-q5(jfE3V94kkI9EK;l{j7W=lB2uy1KuKBgptnCTOPW)T3S0- zejbX7o|du|{U(+cR=Y1>d{Eblc4A)nw~Q*iKS2gnTWRZk(6Br2%j>+qRR?$1^Myl> z>&7`~Cp@Cbwty$tz<*2#my6{afW<3*sMSXU!lefRZPJ2H$3HGNb=fs(;<^=5`Gz6% zjG7#BNCGvD&O0KJ+r~p#yD%v`L!4^DdaBalz}La`t3qJw_}D;KaE|1j5uZRW_Ph?( zhLJJN#a=46+wS3LC4l$<-23SWEgS%+0RI??w~|8FIXTnv*^hY1FvrAx=k9G#a{&8} z;1b!8rvOckrAWcUIf?)#&Y*q7R%SP+Zf?=Y8dP6VAzm;NY?u$MsUROE-JLB{>m=rF zvZFXtrpIjUF6CWP+mil$bF&-hU9FBzh4mH6X=X3hJyQga^s3COwX}8KlnqyzJWBTX zDXXnvhU%(1Fbr4f7*ar?MfEqH6Z)P9Fz&4v^9q~M#DsXH#Kc&5^Hgl~uIz9`o`|nB+3G+G`^;Dk^_e_>UwJ=mp|wzdnw4pAe%$e!t6! 
z!5j>pV)SZRIl8-zRmS!KH9Tk7%A)$`OpFY&3#Fl|P4)8Ho*^p%06Zc<>~$VTcNkYF zh}YMIT3TASx3@bM7T`8Rx7JV#MfyVri(TsEjNO zG2LsROVQH)XRB`~_oFUxHT6H-j>nSb^oGg~tKi4eEWdQrR}e(;Hhair8%Y$?W!`Gv zahe2;%5)W{^BHkxuNnOBnIxSY3>ze|7oz0sSz{I>Zn=Nk*!S_*88 zN3OXHI~2phcjiQle*yp7!d%``7|)L5_}F;imCf3>r98tCz(3aNtg!}BRWX4PpjyhFuTpBjeggKnY@ zWyh}+8xs^{Bp|zXk4L0NhlBiOBIls#)9G0@T>}2%)I=;-l~$)*ipgHNS}Y#!h6y)U z6{9Yz=XBdJac7y}#Zsr9iRs2_GK--GDPoEeoh!WG?-RyeJ1dvBR{zx#`+t|U;$Zo< zzxODdEDIjXtj%$(7h?t0*&Y4xQB}dN0QeEw|L3Vc)*A>b?#C`J4x9C|nS=XHHB+MX zy0e~MhH^KrtM8htFZL>XLiQVA>+O%U9`|7~*%_GBI0$wg5mrrqSU*ti{X^6D>G3;7 z?GBI<_rkxi)=3sa4)Zg?VGoJA2o60S&fg{?3is-v$L=(Dbc<1z9(gONgo7j_nXTHz zm!dj0apd==7bmHeId0e&4w)~*IR+dPsB>b}me~JQ5sE1Tgh^3!sDiymFHIx(_-2Mj zatcX46rII1xuM%wT2l-~V||3iWP1Peu*F+B6)I4ih z;AVTwX&LAboXxA8NqD1lH8n-y6kUq5^0pFLT6*}MPCaz>*Xw2@)ffd5y+X1PpSmQV z;>BlZIw0Y=fh#a`6^N}PJAt7rBA)a6cbVv;eLlUF0K z|DUtXY;JDS(Y=1yktK`$@uSx){o4r63pz1SPl!>dcNvks=6g>3T<|&LVba`EX@b@h z32aI#_L!{REixQ2)Ujb-MM}`Bag>d^&I|JUWMSFMw3y;@pE2rd_sk?BeD?)oMlksy zJcdH-^XHscDM%@nR%Yj1n@Nn{d(9T#Wc|xkwFn;{F{yBNbXE z&6HIGx-qd}`~`<>ui)Jmq4qfEhB+gPRt59Nw2yNu`lC?|C@BOe{A0W6jyZTDSCM=T zHLOqoK<}EQRwL>oH7fj$qm0fo@avo2Qp+zM^R*!|;{QYFL!JrGoTDe0kM)X~P3&W$ zou$ly=CD^Vx#wI^^(-|c2z+cTjVBhim?M9(a-Ka@2DQV%k>g0fL8#yN@Ut<+ z5PfOMhoGl*e)MJS{kAY!7_}&q{RI7M1mO}9tSh!J*Na5 zre^VQ7h+n`2gQ->YHqau>JZ9cDXT3c!H~y|a7xgH=Oig@JMurdfPb7pjAdG3|JRIn6xMZ%9b?#XT?tU;EP7AJ z3s(=^7we)o_*lNc`5eLz(h&e-UFCwNMl_HDJ2&VY0r3=uL1OJ7)%G*%kIp1?!B{Sx`!?xuhdBXJ}k;^x_vU%BJ#gFM6~>*tx^sdYJ39+Nhl>n zBS9)srtVTXVc9uhvMPB$oSw@o1R8evcqN-SB<9VH&g)kQ>^kR+nczpyEPY0W2bcZ6 zvOsPaG}#}Hj(0!~7iDts_|BG88d!R@o`Jk{gl~2~(m*&Aio%t(wT1SdA69=sD<_IV z`ZWT=?i;CIl4Jq;s1lW=79r_An9zH=)nW=Akyux%A@->eF#B?B>mvF9I>!`_5?GPR zc&Nbl5U!yWhzpUULY(qIEx53*iius&YOOwe#`!=bF8bkCk8~%FKv8A&yZgbiYiv3y zRGBCT{eHF@a3OsW7NmL`H4`?Q^#71XST%_W6%!z#{T*6@Vhx$1|wrvNpUf;h@H%M9XK^706B}P{vqwS{9k$0 zvOblh&9#@Ou7cYCoP{7M;Y;c5?wPGxL5VQ79W6UkID4*z^#n><3wR9qn*q_+1Ei2Y z=F=c;@NGlVjX3Xq&%u)V2eQn!C-W*!Oyv`W?HDDx_7S8cBMFvQtaFQtP%zt8KhUkh 
zAHw@U`%%2ci;IB53lK2?QZn@EkdWITbN9u0(h0x)mAg*-JKIK7Yo8xR-%cL zCJK~s+*aJ)P=OPEn|JY#RpT?|nqZJjA;SNrBY-dwQ`Tw^nirN=j4u}}Vv1-+^1}MO zZ?C?`E!_S#sLD27!^GSsN^HAv2YDEd1gKc$m1f6kmMuBKi7W5qyv`S~GJwAtngepL zD#?{$8}{VEUZ5K&r1$M$E6>*2yn4zC2+M+R1VD-91IF5EZ}g}j99+B~adF0`Dd6gB z^NOB>`X>weT}Bm%z6-KSi*P9`ZI6o-2MmlzjCrl$f3s*1Y}N?_(|&d6&+V)gv^mT{ zNl`YqpFG24a^gffw$C&(-&?Qy zz52lYx|Qe{ON(tnMA2V#%k@;*0LNvJTBQX_wQkRw9AHB)$W;U=CgUG z?Gm7ri@e{;bB+dCIwJ=aAfD-z*XQJTttYuI?*MfPpptK#EFfU9d)a`$U|Z$wk{hhEWSR##n1Op(6mMmRW{ba4_d6YB!mEA zT-f7a&tJG3(3=4;L4QdID>_P@QLm$H7YGcz1QaIr*ZjQHoMnpk2C1uHzi9tMk7ZZ| zbMj@&vOV|JAz#2+ovfYzla{8`l%8Q|(E7KP$GheJFOxKLwci^1)hjMLUa!Ur)E!6o z-vfJEmihVG*olcH^a53O^|{_{dMQ4HtVtQAG_Z+68~y~+aHiHp*M?2V!6UihSAstiJH?-LuJ84T|}p9{ee{PUxBHM zhVj{Wvb#p?8j`MdN;(~8o4b3h>`ECnjYMZ#3cp=peLisPa@jr`FD_nRrvW|w^czwu zb8|ks-Jp@Jpom}upZpMe2;kbFZ{J2cmmD)w`MaHo{>crWCc{`_8F0W}*fTp|y}lae z)X`K%gETeTr%c{*p>1B z<}sHKQw;})y!jQ@i-UbuiF0EX>IL)G8r8GzHFmZ>Tm6pM7B10mwmW6XSty>EBfiVc zp2qp|$LG%^@`ay!%&bxOc9Zqke&7C&gGeqhyYH)%kwyzGz3S;x@q7-Fll4vmeSEYl z-*uVv!+_)OW;UmSfrJu4tdewk=MMVkdLvqey+Hxpk?m-&V-V`6s8D(UMtJXongtPwim_YS<*{~ z>9B);RlTt;YewGl z;q(gtit=h-HP25c?h`0=8|%TgzC#acv!)I!x=T-vUPfg@gNB})C$%y5N~Yumc$+yA zo?b7BBhNovVtadT^Uy@+WfuP1J0lge?=xcetg}Cpl5H_~XRHxn%ty(7(wGm-R=?|a z7g^7gyUxV+e=k82{n)%4I-<4+5QI{ZNhV2Aohx1|G2W?p(`QaqWZtERl?~j0VdT1U z-8BK&<I;NiR_}j|+21^O5b-`3%kjG7Fi_1He)Co`#gst# zWsK@tCp!ymIMI%*9s?RzP>??4Vs)5-gynd2CyL zen`3*=TDpfs`Rdt;a9dTyGPeSU44l^$-2t_+9fG;eihSaqkif~*KP0kBPK}9VDqhc zI$el?x)zq*M1*yNv(-pF9s~_#nO`OG5}-|nOU4-DN(eiz9_FNa_1Gl=V@wx8n;HQE zw2*W<>8Ng_W!`~)vwE#Sh5`f63)fj!+#l;O5|` zvNcH{+Cicqi2scRLBHIGFXzllCM-92+c%1-+Sl+YPb}y|u;Ser?B$G_i@MO_&|b7+ zwSGp+Gob5xm*z7;gypBpf(P6seQcy}aLH$xB8)F2M0j|*rsKC(~~5|6?F-O0$bC- zk;Nk1;wPI#`BYGl>IZtdZ+e~*Ow8#VLU*_lRh6n!&B@ZTrUnK<`l`vyyJ2NyEZ;Lr z8GDmeKY+D#z+Q2@_GsotAF{{69!$Jzs!(v0Dadbhjcz;?dKx$*!a*F1-%M*e|2ALd zt$}u73k+{CQJ}6F+!_276X`zIuwgT_)4njP*GNb`H4Dmgqr)fS6l*iKF@AnsYQIdg zhs}(piSEID9U3zm7bqIp>2Itv?|b(lM@5JEYD`^Wgm8Z!Z@@P*J}5YsfU==~mXuw4sq+-GI5X 
zKihnk^b8Ixaqir_dH?)mh}^;pS0&l0^0gL&pBvo<6dB(M33D5hk`!d*GgEr$J(wSJgbPIi3p$Qu(x8fC{LqZ8=RnMc7EH;-nMBa? zW9kb$Tz)ZSa!U5#FO7=4^dtj=&1|h)TRlqU^Mecr3l!LUSBC(Gl(3{elYjxfOC z?cr<^P4!+aom;Bi??~iech}DSOT{Ml*1p0qtp^eEImx{1BbB)y#zu(!7@MBaz5lCR z`QHwG4oh9arpr?BucAWoxKPRP^m6w6;xy|SvsstdjMOFS-6B2bdoblPU}+i8?zz7H zd}kRuy4=n9;YQE9Wo7^BNwD-m)0w1(`I8rOZZ|qW2c#y{3-CYwB+yVr*;Lx}` zgy1fXYjCH7JKUA`dEZm_JLmj3U!5QKQWRCao0h%y+G~wD=9puqu6~TFwH@8k>Ph4p>u*U2pFag(~T< zmw&nD4JQ#3;v!t?Tdr0rLHlDe0u~E)bnm0(YhX48tTO60t_UT<2!Kh2*WJ=)93G>0 z@rdj6+`%CPVrOr*M5*H77#uWU(y*a{^wj*<^o{g0)vwN`1CcIkK+Cq~Yi=?>Wl8g&7`%|{eKa7|@YaaisTH(35MovkAm~COeLV8Ka zV(|+*MxOUIs}wDxpwD=M{gUmX8c0V>(0QIg9pxGN45}CHhrQ+U91$g{pi6NIr{P(_ zx=cEUDg3H>uExrtt83Bc-0KUdmrEpKkyDR`6&42NS7e3-DUOZt{?WFQ*u}G%SM$Al z@(}XVKhrxoftD^f==~d5X`WpI4ny{y6|c^FQDsd}16$EGmOm}c9mnj}yx~NWg(`~N zH@e+7Tu>-(^RdY@-BqOE6)I9jMQC+K#&WLa=1US*C-5EeNK7^crQ_+(uDw9H2rB=P zP~N@(3A4v(rXyg@^>%4grTJA#DA;o_r;3nF{%yCBakZJ$)| z2dvJX2k$?=CJXJHjq0m?@E4ZEnlDjO3cn_cCZD|$INg<}#O&-+FzRF2ZY4FX88F31 z8LKU%#^ODc%>D{5pr+fsm>b7lUyq_;1Kt6_)UyZN`(@PW!<*-qK|T8p=ux9aWSPJ( zc-Z&%a!)#S@*p~?J`xt-7;>_Rf7guNXn5e87^X)K271)s$Gy|HwDXe zZ1XQ5ugNXLWA1g$1gmdzqQ5EJJFNNQ5uD-o5_z z?b}BsB}`1r)!Aw|X0Uq9wv2J09R81ajFOataZjNrcd7_(k;i=%C+$8t>%XU`>%iph z+4M*ibcl_!+&;Zh>L0!R^QPZHG#h5&_#;u7gOynW3QgM#?pfLsf-j`fVl*%WhyF#Y zR}Jql^0GfVR}bQNPYIlRG^b%N(fgha``+&ArZrzLUhDX-8&}TAh)ylpJ?h>r!jZN) z`0TlHzxL%ESBJ&C0uAMEJ90QE^BoNhalM?;Z3oD@<|nNFUH@WUeUOu+0PsszO7cx+ zZf@$PtU$>d^WvxV%B;K2rP5 zzW-+P;O8mOM6<5N#$yP3q9oV0^*RE+n__M*adr@Ma@8dA3^^ns5Q-$d{NV+0Jy_q& zJ;XOan_BLO-Bh?L)JH}=0FSIfe8#51SO;p{2>^2N*3TA!O)sTqj;KIQ&i1yldtyol zaq0%dh0Z%HsxoO7l{3*wiYevgZF;X+9eY50SlY1Bki5B|prSa&msbjd@zvV$ozBBU z{*9mC3QYWaVvyUX6U~?)v&a<4scNX^g*+6=o}6OyAcof>LZEbsKDR+ZFc^|p6vj&H zTy>1BWHAk|-1ass^V?w8S?_j_e~s1bZ@Ug7no5zXeK%D88vj~jquqjSZp=r z>aPG5I~1ALU~Ra%-EeH7DV;j*l|bn7oHw+I1VEusM%}Z^eb-^30wJ$`SGqizbbLZW zRaMR7^)dPOWoGpKndZJ- zjKC$@4MQeGc^ddO_k;>mh1{G@^~DVuamLWckVo~3`n~fID4>1u5I?+w84C%$J1X;A 
zuV{r#2HLh0dB`4iOkKTWF!k#Gxpqme5-EzSusr{1*rJ}>A*rvx{=2o~%@nM7Cr6Fb zymc^gkU?YP^Ag@;Jkqf;*`j<}^zzJnyzsrRFZybV*Y1}mvhBDjD2!*T%stQcfQF?# z;N@I}u{4lkzkmO$!nl7euH7i{#KYy+*AF}l#_w0VJdBtj?_4v~G5VuLMY{sJ^rTo< z?d;Bn;&EH1DsYrab(--4-2b#aBP1ZWI^A`>zda}AcPsnx1Ju?{PE4dy|I+(?P#d5+^y8c!m`>HYjuYP&KvsbiUH}VpU1rNpXrD;5?=z0V+x|&>p^)&!Qyp zZC57-dI3!FzJuj_uZaZdT6BM5)(? zoxTj#Ep}?ujI7qv|uTy<`IGd ztSM^)3kv~~laq&#cdFwy7?%8h$FR2FIA*=0ROQOk^ohp>9hT&Ov;comai-GL4Q)#b9uYA|GVZVf-L z{^I|5mj5>9|1VL(j>fT^;gjd!9p{~5$vFwa`E9`;Vj(fC&etkp07TiyU4#5dmq}%! z41W}@(Mgf#iDW0n#2JlM<&v6;*-YhNi*@ts$IUuSv)y36$(rA!fC`Gn_NatRL%djH zJRaJH1w2Z!PJ@?c#A9}wZzo!Bk>PaR2X@T+&SoHVagrsd4Yuag^dgIi!XB`!K#wXZ zPg^SU+oCs^VDoBfM^yJ#bgyn#0h1(%6AnYnv>AJnOjDjDxOdSHIk0a`5vkTZv<0wW z+{X`w!yZ6>%#BvKCT$Li(mHZ7{DvC@y-{>u^b)ps0zeRp`6MMc7c+Jwe1Y}+tuxd( za%mqDk&X(7R{e+Qu{e0%B*f?xIWLAD&#X>@hxh?)g__``n$6-mfSOg5*j*_ph&wXW z_eeiNxmn?28*wXovXj2`+lCljHf4eTlD1%``)+558_2wVEgu(5V9E<*apCFQbn7 zcjzuEsy~V~Q+=YnTY*Y0*20{X0Q4YBN6y~|#YF>AH})6nZ^s9RHo!`D_@Oj&^LU{# ziSgGuh*jxiyrhOXUBI44#Kb*`kIRXN@=5~5b2;Dv9c{gqY{p0GieBb{uOL(Kk_3a; z8dt>N@Njjh_@)bSo?~jX=y@*!7UgGW`^3JTcHU)dd&ze8qoS557#U)%vrAJ@ z|7q1sL)T~RIxpb0wv`q5is5>NEg++Da|sa^-uQYc`d`=@4FEj5UU;4B)vzsR8NGL_ zcH9Aw zBCANO2g>&1(|rk09!p6}dz|~QR!Ycgf_j6A`PcqWy01?5<7cu=0onH1+cPL%UQVvx z#6il!Lp-;CqRM8lR+Jp+S5xBwF^9=s-@0zw1a{%v!NldX=!pze zNp&zeDhWPbhfElsf@7svcm&U2p%y?AD8!rweO34%+$kucW}@e=F`bHtYbL3s!+VYv zg@$r<)3RmO*p9xs|A$^XD#4Z8;O-oCxW)^Q5Z8BujrZ~2QNSPL4o==tk5GCvNJWCn z7Tw{lMa&ZwB^RcG#LkvRDK5AkUOX1PqI!S(>*pI0I2$YI$i>R)i9*2d)Mj}fyf?9Z z${^uDFCl8mfyP4=7nI*pat3UNZ7<8#(VgcquVyOJ4}2{q$-q9(C{I9jh#<9N4THg` z9LA&5P48~o!G~SG;g0t;x;HtDq^JtA@8Ttj2;ZGVi;^pCMSKnfHm9pTW;NnsGh_>+ zoSIdg78Fox3yVFsYGCvk+(Up3;737E1qUrHBjY0C*tzNJhpifNMgu&^?~0sDSdi6j z4KjBtE-qn)L2LhUUS5OM-Iw zQK(zaA=Ep+-e98Jr&zH*3+_R1u%SqcKEN!s(`sBVQ=BHhnL0x4k7G;}w3J)&c_bc2 zM2zyZUrL&*NPB_xQT*^OFsIu5zRfn!RR8*Z3(PK$8jgFj(MGt*(7{Bbyh`aFV5f(L zZr48Q*gP8!|F3MSUHzCF|DmPsBrA&bg?R0nEEW1oyiuaWfulor6&AB7{M;4!QrA6V zMvmiAP0dIu!I-u09}|94{TQXtJwWt{GA%x7Owo|Ce{XG&|vD{rVI*s 
z$vleIr>(?4Ij=SQ_87@Vlm7>n`qUq1B1xn!yu36#ow@H|xF3ACIreb1(AOY{nurwx zUD{$VGafs&CES6GJH0Vyz$V+?P=FO&Bi1~11Uvf7{;RA}ySsi)w5Uv2Cf-gDvJ%)J zah2lJ_F3^z&{!=plA9JEPdz%Vpf3Yz8wTrMMSuKxsf<>C?&>dC$k1c{BxnA= zfQ4D_WDNzVdi2OEK%q&$QKOj>wEB1OP$Ee}feKp8!IoHlPPp_FMu7 zP1p|kyX`fmavXar=pTR4DV^GPG1tb;EQ#w-d+-qQdxb4gCRnl;*lbe+Ku}69sWFxB z2;>f_I>5nB&z0K(R`^(Wq)u>Fr^SENY|XuL)NJp9CX?C#Dhk*dBi6(*Hdc|0Z~g0J z4fGn^(d3fRfNbtGkR0xzr(+o946FVhY~*kv5NVyze0ln+Y%Xg~uyg-xZG%{=+2pp* zRu%a@P=9B7gSlq|Qg7h>mJm}7WVp#Nm{04HMKvWQ1<)Uwt6>fqI98SO^_e(waJVe4 z;|G-U5j8tr@!#g%Cws1*+SAa4$dP_q>mdzzL)Ain%NBRVt34p3(n8ShX`o)$RERxYO{H6L&s$>k(xWGVWfnt$ObvfYDxiOH` zcD#YCNC)WPXWjPkH_2oBNP+FMuja?-gYg4c2*TNN<;_>|gjKxsXK>@Z^m(ZJt%-OH zudo1dT*Y+*=Gl+J(LEj(Am$tW@%hp0g|Ss>zbZbKI$3PKf>q(Y(a6sSQLH)rEy)0m zHQ)};{sld=BxTB5$X>dLMJ>dlB0_M*+Ge%q1JAzP3x|w>#^bcSbZ?vAzcZ-31zmo1 z{C#lX%!Q%gAO&oH1kWqGeTipIJCug`Z}%KIHTfP@X-LaRHJk;2tOC5C5&U7OU5ZWk z?o{FmZUSxpv(;cGs9>q<>Q!}{-tQD?JbtH(-x=+g7%{lbl|N2*Pbp)z53WgMWTcMj zv^ggFnM92rKzL~zHWN}Bac}C1Y2VluH`-ZtUd6ZH$q}8-qATFHOG3Sjud9l?X5M4C z;-n8Z+Aky>)99}@a3l(NfZ4X-z4V1ae;%V9l-zBq3qpSK@SRMizOiKh`I_!-Q`3Pf zXT+QiFE}4E!brnNE2zW09Maq0qULd-caUI@2}l9s+PO!cf3`I}+MV*E>SsmY zKDm-q$_1nsNQ7~4aM&zV(74|B-hcKy8E62^CQ0P={*%(`JANLD)4M=YXAX|LO@H5i zwtBdAEfocYC;tKH_M@VsGAn)y(qtEBex5!@deV593eqS{UY?&f9CIH2G^X3L4I*bj z4?dt(j1_ckGH}WcDv=7%$LyZR7g{m-!oaduTDov)e_A6ZDvFZKa;#b|Qevz&8QZF0 zMjb)yF!=nv5AdZ zLWlUx`BQPHVV1MK;KR2zi}x#5`z>6i#nM#vOoi@NT2&GHMo^B%=}M`UuN~Q!=R#O< z*}#l(+NuV~Q#z^08Qo5WqJlu*j7lJDbFp%5ObU2K%Huc$t>)n9Z@n@Y`IfOtsrAOc z9oWvi$=tPR%F(@lAl8i>fr}G{$8*&{Xd7jG3HH%`sKM%rO`2=o>*u75UR*%^9kUmt zuBzj`rB^b%yFcgq6VMyJ%cR5pvngEH+02w=9n26X;SeG+vH&=yLf@K%!82{|y_jyl z>L-&`ZQeG%6l=C-1Dfc3Td<3$T9WH6-=-YTy&25P5>L*xV#~&9HtblzTb5=D%JW#u zoF7wZ0vS_-!`FRhB;NNKZ9@0CK8Q`I=3)!px!1DOHn|D@7z;`_^T14NILC5`Buc-{ zOr1}E?n_bf$Nqp!JO~QjtJWwkz3~(_6nTU$sd(|_e9^|j3dHFowT-4KE|En#UHfl-z_j-tmVhuanK2Q*Dn) z7Qx61X+_8jvs2ayP!C@O17=u>ct#79{q^AX(i8x3&OA}DJ{iUn`;}}ObNoa~Ow!)# zp549|FJ6d_Pk$uEKhsfHxa%}cuWIQ45DFN5cx!9Rp3=bW(u6xv7e+ZIVgZPcNJw~< 
zHtle(w(}6u;3pjEz+0(pT63Oo?G#xrUrR)Eq>LH$hPPL# zs(8Kqowoj*WD%Q0dO?1lEV9Sa*-Dvi=`oh|IhKtzf0fjWCrp2cbwss!gZm!}SB4tn ziz`e-Z&Y40vY`-Ow!#ly`upr*wj55ngB1ZdTY)Bo^6w2+!fOZk6dukEp)sXTt)5>4 zlr0fS*lOLs5iu@xYww^M5X4*YRe4vnDrhSkw+;efkGfx$f9u^JAsC}XDWp|#RQg8# zB|1&?2hnapp8;p51<5>Slw;lS7aJ%-hQ1d~;h7IPBv5azVfkUpqw0oAC2p^skKR68 zY7*G9twVFoeZXMaXf@Tvdrs&dTZ*mRq@Z?b?F?5>)l^lL76q^%YOt`R-sbKRYF>73 zsuNzneH5ze!Sw7$UDNOovdj-MKwyobU}cq}Q%aQy@Fd8RcujCj-KsU8?#6lFCDKcR z?z6RGu4X^%q@P4b#{}mWl&7|G6&t!O&mrTqH2LqwjaO^7w=?9q|jpKv$#(tFnsB2cfwEZm4l9=UQ&Bnud{N`u?Pag%M zEj3ypghyOpuH;KHQ#5lYys|ZCEg;T;3V{#vV0lUieluzwW6=o_EXiX67SV}DD-~__d zF^bS@R3d(xn+~wo5c4?MZAW*4oCOiHnVpA+3Fzq)FD*2<(0ZN?=d#rjGV2*hX}R^- zJQ1k=gA=vg*?PGXI-@!WR%6g9_|joJ&zk8otNG4}($aUE+lNzt9&gqDoG1W!XQ=Nh zGCDPU(z33bwz8l0tC&L**Wsz-q_gjsy1}oOhO1j$6>Imvpq+DXa|aU>?Q^OjGiTyC zwOY^Mtl{9CXHs$ZG{-QiK>ivj3me$YuGlQ^?hiiarx~bz4l|w^s&nDgk^qcQ&76A-T9|lS?h+P!aMq@;* zA(tc17~^lK)z*5m?_N9SIQs~N-qJul&DcGTEluC4bZ-B$e<=<3>yPP;swnU}TJ<>R z2I;ejg;#(;jtc%({Y%{{g40D}#;PP@aMjJ`ea5%ediU!g?dHl#3``8U*<^E;aC>q2 zFjtwNN>mp$cVgGE2hSXiea>6uNqLeGhbe;nfE|2^6Y8%&1COAq_rgPYsvgbDBw>&u zmp(kz^#I5h(1ZPcpL(bkX=&@|6u|9AM@Jdjjbw>%bEd@Z0E(!ct8|=7t6fw-xd~+g z)+3($B>ZolLb#uyw2RLX`;CO>h49) z)m}Kn6#I|tgWJ@mw*SCRjec^&q;=AHG@#SsMWBdHt#muDS$YRLP}XGjFr(zbs~h*C z|HA~^-GLwqgh}{av-9&_iMLwDMJl0fdek63sv-GDDAN2rcLRioSC56kQAru8nmJ&>z;-h_}(~&B8e#>{p85YBINEY074xzpoV?!qEiC63l>BOf-#@Wrc>r-jri`Hxc*}-`RIkOD zX>$fw`x_&Q3YV$TZ{sH>F+CiGMgxBMsACiPKMb_garN z(MmzVrgpC5xEm?tY>%(b74bm$xks~3RU{y!2pShMxbU=OwO8Kkx&uX{3pbHVqe#1H zS4!uGnW5|V!41GPHTAQh7`k$Mob-5YefFf3!yB~MVn#Cq`p3%~lTfIlQR|W^XEIcb z1rG%uAD^gSTtZ@Q|7?0XVL2<{d~jP^S&JZ!Twzzo2ZUx4US59Syq&h`sccyZ1W4qm zuu1+SQ>l}+s+<`cQzZ5JL)F_G>_Loc?aF!G49jF^A8+K>F)f0dDTC&Z69hnzMAq*| z?a{oLkbw84?RC%2$a1@)qEedYL3#+i>mnCA1fs!q*fg~}(SU;+MlPwKpg^GVuK%zD z2x^R0N}DVqqPPN$CzgoF<0^SlhAzJ5n|XdjD=dWF2&U8b)3@8v_aA$y45vv32b-kD zllPj0zIyxxrGJ4FffExfRA@Q?Zt@|J>J+z?s-+`(Wy$wgx}SW*{rG3wm&)t4GG6W1 z)IGHJ9zYZ@Mkr(dLXtBut0uQ*1`!zzTq(*YDf7YUY=d5jAoF|wI`Y~o_i`tINWm>IvMV6Kn 
zSy)&g`M>8M-b5j?+jpMw_Zt-SbySHA`;e%3G3Nf|9cHkkBoN@=yL28YNlYcmA{X&H{OVohuo?Rf41A@ICDizCdCg1Z`po1*E-R$I)laU@y zxc}LXpm!?| zHpnAexo91;7x%tBwk<0uvl%uGf2OLPf0V@<5CgmDJJZg8$n+{)^%L5|2hcdTFN-9^ z6#ic~?@qe0`&%PiyVPXFX~=QF4+-5Lk0#!T%DH`&!knTaEwsmrM$yJI7MwhpSu#(x z4-XBY>&BZ}fdFL;ZQ}f8o$=T&=u4;X{l3HTIZHH^G?h{TKLEaCl1y$-AOnk*rc$&0 z0)e&VbI8K?EJW1q?Fw;;mcR zH5SD(vjHg`xanZ8kOw&tQmWGe9OrZ-OGy5M3>nZwd#$-Gm!smg%-QfzrloTlssM!x z_>LkX?S1S0z#!J9Wj_Kq7SVfo3Y$yXTWQ_M``&S*Gu-I`*{cHP@cmhE9&mwNa$C;< z%PtMvG&eh&03`qz>g{W`3YFQ)6E4vSqXDq~J1w0b@5QPZg8p@893Gfj4+p8to_sn8 zVoUJUIrf#6n8NY7nv0uZ@ixA`fd+=1t@W7nWd~+?MjXcN$q;xBkD`(u#vaHLxXR!B zNk$nBR{RNfvlF}A!G%JD`|u`h?>r@N7Snmx6;fx0(3Bc>Y!7}R91lF+Hf-VnRD6NX zh48hnaXI&xtkS_&=svDVsDNEn6LR9lem~utfv?(6K~;0|$SJrD-zy%E`ZeA7iFD9} z$-U^$*k;QM(QmWjprWASAvP}`I-#yqdR6WWeQB*F8cjh)!0YvO0lm^^-$G0Q=)ge! zDBq5o=!LSF0*GPM!61cBcpz?3&w6&MfqWRD;uDh;=K~Iu(@Tq1kh7q$0oozZ!4X&= zy`|_6X>#tTOlI%^VJemOiHw-FTI1~QA=)UAq}5o@jM?yrI?WNgqLT7lZDok`w_Jqj zZyj8o^BJy&ghpU0NNEtD8=q}Siu%1aG6CY1@o^`Egq6(q0mg_rQy(BTi5nzTDZbE% zTeq~WqbXE%nY))I)1Mz>1`9j`RR((HJ(7?z!{( zYg%8iG;niNZAaoV`MR7t8XgN>rPpO}bwoD#2Vv2OioSSjD{yu9rJhN5&dttvcsGqA zGYcU^UPnti**e>7kiaf)P#JYxpX_jsP*}Iqu&5|3k9q^k&(AM{H7s`#iihFZY`8bJ z4{c9phy)C!@VuqqSRcvwV(@{!l)4o3iwLhI45PQ5QQQ2jXf|yhNSc9S7hpl(b-dC3?D*_p(Oqu|_*;Tqn#EhgS=V-{!F?j66qR%! z+{%II{B|Q;C(?AU?nMNi>27~&LHrHStIi(eFuVa-yAL-Ge5Tod(!` zZ8zWIs4J`jE1zeFZoyiX7>g$?$fCyg$5%13BP_&-rr~K^La04qs>tf%wq0djRn_>E z@>HSfWVy&QWoSf&2ERjHS=q?yDLFYs1Toj-4=$++MQy0_p4#2UU^0bd2@H1RHgB?+ z&jl-zD;LK1?n?Gyp~-!(4!6m1Ai2Ec6MWqf_UXA>g}PVh?dq(6ln`19fP?y zzlaPskz#vncPMY615rf6{cU?C18G-RC)fDYrFYAC6}v$~7>U5E z_4UcAiNS5IpL*=MxjA$pilE09M(3*k6ZPf_-?RQDxA_CGr~$V~C;pF`;$QVaTfh`5 zaF^@j2L#{nk0$Q7`!r`5Bg#949C58EGs{|qac&v%$io^0C{1a*C1PN9l!e#R8*xga z!@@LAC2$nM^za^_cssA!aWcVB=1F><7TyMCN;Fdo?Y z`z?T2Ctc9HXp*{c!hn_a^z>Btjb3%azKdq#R0xVvZjbJBvJEForhs;Rvc82@+w-A) z2GT1pA-NqK40)d*X;F|41gcDUqrBX3kq$8vtbP51sIso=^=W+iy;}IkpdbLfpP~?? 
zEHna%01XYJMSiKN8t2KJO^4Aktk~#t2@jLCtk7J`U;!-80AmiB@^t{dODfx`*D?SkXN<-|qu zM)2%#_-&ri(h$ zUck2v{8E!w&=c~mW5blZ8&@o$P%8P<#iRJFg-p5Y!k^oH1yp2~%F0kEINij#{juHC zsPEzYv?N0I7zGyQ_V$2(dp*MMFpifsiZ^4-OrWF)2Q8A~z3;Z^m;_p#db>r(Ywv&7 zAab1llF-7trd_#kXL1Ons$a88V69L-^$a;cKllSQR!>{MtmI?9(5l1Nnt>?UKvfBY z1brUqG52uC?LKxJ%tkF)lhFF6CUzPco>{{6LpORAX$L6-YAhR@SNUNUoXH{v)O|SC z)oOmiqZZYyDDaUHU{>J2p(krC;-qZ#oq_gET9$0y{<(D^9uiH(fW!R2j4E-zkOMW7 z>)7~qv*&rD^ZEoxKLC!%qxmje^&S)D@hoFrZi5HnAhlg0!saqNJkzi3HF`MkdLC(O z0vro?x+b>)l)7;++)lc?k}%POoQ0aALm%K-7Hm}46zo03O{`^QUysO$0%I4R+bc|k z!^8JL<7v3LbpO%NaP_QM^Vjmn^b{Xa<+~-~Jt`iWfVbhlV-|D8`|%({ab*4xzK5;e z8@G8&-pF)Z3}{JGJYQy_=Y@PaiuHB1%kC};@}8F|`{s7f51tob$ zN5|Hw$CozHiqk!fiH^?E)2peMh?v+g(goz`hl?M=GOg5FImtuX#UrHTBu}rs0l=*O zt#)!X3J95=;pD>Y2U$|@4Lozv{8xBMUVuS z@G@8d7h&i0>Yr>kBRVJx5U}AwkHt#Akk-;rlo3_rCQ4+>Zh$%TuAut0{R~rgENR)e z09V?@gC`LzHEm&lskbbAI`H!BG0ko@^| zxbnC_Z{O1Hzzhvt&-e`6LJwk zkP&@~O56fcRPZ4eo_}bjHmi6@e0|I96)*$0)DA_aVPrh$Sr$oEb_3`S*4GEBABtQ- zf|)ENBzSmlAznGBsBU`K9$!XWam|i9d&*v2z~d{{(WRHTVG14+kD;N60g&Fld;MC{ zLCb1yIqTW4jIyF2&vQgjSQL~o*tN-zY0rf9kkt0$qDahTg^S0)zP0J0Ib}|5uDc_P477NAx>pjA zl5V<4&or|Y!Ynm`^dGV%&Ms{Lg^DQ*2x%}ooP0=L;4$0U$_;qRL%tQJkh1vBB8Y8g zz>iFtH81)#5^sPqPfF5vAa>4zjnmP=&1!P2gDBAdB`iBy*w$kP z!l2Y3utows%N)^3=DoRX$x1c=F?7s~4-}!SRv& z@yHZViZxry3tCDVU^Uq#JgoMBLvi8+Bo}Y0Q-PDnj#ES23#zJuPXSZ^Ds?Ko+dSn% zw7`FG?eH+tKh+L*7A%!kct0o@IkLAYo2$pHrlL}UQNLi5wwYt67H6!kKwo2K8U{zK zTQi!o7L zi33eDzgVIt3_vi1Qy9DH-mD`}J7cBb@ui@oEmilU&xu#r z4-xM9{bvyxMJi%ZmKMDBb|#IIMKf+IF?iwPXEp@e8On3LakLD9^+k_c--Ci@Cr`iE z;2*(4HMbw}1MT~-Wt)>}HPD#%#3OC9J>#Qkw_V^)*8aMDCJcu4s@9hXlwZlBeT`lr zYh2I=>=`HFUx`G1mXSJ+U)$BJM(tdVvvyE}2H?5gov-}m(9)cB2}&VA^=FqT@_$vm z^BrGX1iR+j#54a zd@{ygO7flb2Lo`J;Y~0Yr>d{y|Nng=T5cEVrpLw=@Q9ehjzoFR+K>h$^*Db$ph5v9 zv5wpeg6xx%OKo`xJT1t#hR;Ugh`#&9K0v&Q_tgC|>HKDgOwx)q5vbyp;l*zN2W<{Ci z_(c1?+BdA5%7+(G*&p7k*@14|{PFhkH8i6|;H~6W{!O4>2P+rvJ{%D%fbD?xd>J1N z6dfcYJPo|jPyNo$r9GEqmeK)eP+R7U+re3tM?W+H*9n*h zm&UC9_B|29m%X_gXm{!ls!Dmrtz{IHK>)R 
zuFsbv1m&LA4HRTQZ5P(OckyZ4R|Yb<;LY~svKnWw+LKEHs5#gDhi0QJ%vS|Mj2+kR z6%rR2!Xal6vHB+j=Uumd`?5>mrG3+@QnLq6DcK)pUme5m!Wn>Es~`V=H{n{wQHaB;-rFXS!R^X}&h@`9(z;wF)U z$z0wyqY`|sds`EQQ!(-a-tfU%Gi{Dfj!_t?+?0lO@+V8oe_)lo_U|J{34I%i*kC8> z2S%$4$~m>JUel5k z>6IBYkLUy@G^QR75l3H)*|*DbH7*=X>A2UQ8qqAO(y0_(n7FTr#u=A3 z-UWb0Q`5u|ARlEL$Fx+pEZYCmpnRZlbqJK5YZOlc66xjcq;K_}w0a!V0T+ak1BHbP zrD^9nI#t>+{@&y$3p|23V+gsf$5cAzzPg>Nijxx& z&Sv~*5z!N0HeWUd&lSV|G>^L^Q&@BLv7npT`lC>~`3Y37tA6x?FG4MrZIaG{YK|uj zu822eary{S?{0=KrLxsj^w4Ze}j&G=~c1g5~ZK+i9)E z_wqS;0YQrUy{%~{aD{D={ifofrHlPh=lj`{25SGK`z6i@{ot*D&#Je>xbj834F}@} zn=hO1BJ{b8xfOp^I8~MW&Kb0=nZGU;De*Mg69DhsDZB2gdw(?erL@<%}0byPs5$t{M@|wPj_$ z)qDie7d)4|;km$0+%PG2B|~x@m`AB+6%S1t;sg^ zod;#D*JpFM=bn)GBrpi@JsKt(pGqDqHKnp`SPMK|`?iVNe^%h|yzuU7Z*R%C`|PGS zx;yzH)ub~?I?q@>TT7k$gKh_*bi4aqu3N)--;!4WUno-#+xc`V@doba|48NJnY=R? zGF0VHFp&1Jnn46plLyLptllSIRdUt(e%zt8^^U!{T0N(~Q|~vCH|-)dxx0Ed(blsO z11D{CoR%%M)vRlFk`H)$T24nokT8ATaDEUQTjL{gyD*-x)OIjH@e|>uCD|A`TT4=!K0Fti#=T#ub&20H$Ll*Q_YU&fv!z8jb8W2$+*gO zg>npzU}_8x-TB(?U;HWEtvUAaSsdA2YTnODM7AlmQ`H`I+)Ll&FE22gyZ1gvEgU_% zz(!R^*?32d$HPMI58vzMIh+~xIv@56SON7`|6JRY==Y)&ot@UCIO*R&+pWfxWZSd7 zMOo47^L^0F^mpCiDw$*vwG`+Tk$!*C9RPy(tCJXcli_-Ytup=YqhsQT1bjAA@0OEF zd7;a%K`vHHY0*iX)?H!Ygp-l@d?lvCX}(vhY|oC5g0}Q@(%SUuc6RF1eQU;7+nD<8 z4r~b6xzLb&;#<>#T6#2DYL^D^o2eLtni>```?bK$$wMzKVG#)|UQAzS4kVnImoDL< zAd3RKz2hl*1a4frR^BCQe*ys?1`F#>}uuiLQm~QrXh@dfHzhYrprI zNVNVeFXm8bcT!!oGR@#$CQT*#2(2DwIs5ynUt^$C%wQZ4`5f9R2RY(XG8@_NOjyAuNJr87UOoEhb1(Hf$LFZ<^H?Lha&~0-CzdkNRlHKZpd{bzPqFZ|? 
z$uK%I=`nqIymPsmS&J!;a9lNgCI`puuyCP-xh~XB(j&7p!hgETzBznc2(8)5ABeT zy1GoUQuruOA#NV-(I2w2J4B5^8zvu(tJQnRPk4V}ON$^Ko6@d-o_yN3UZa|~jjLCI zcaB@^&25agC8lDSl4P6+eKGCzU7gwqEho9Ki_UNsq$iyay?jduc-C_$RgU$wk)<6hk_}NC?KNt2l89IV`2J=3aXb+u{oDQF0^fs5>X%~ zSGi3MQuXf_GqdsAvj?p;33stMC+YV3rG;qV2|Vps5JoSrY%xhTZ>0(0yFcBq1w&3E zyjHQ-CE-kNUL32FgGGD}{#s+>%!ps-gumi+Qtg}ab58`h?!5XYs5%RZE!BjqBy9uV ztsG_qc29}h3ZeN9^mZ%SZ}JjLnsE(%QpR}t~=r7sH2@jvcKMp zmgIU9&gVbtpLp>|K}#70!dOyLn+27{yu7+(x;tnD`DM@!dgJ)gq5cMr&n7!K>-)BM z-2w7C=7V(!HWKJGS!`YYt$VeAP~d%W*fG+hPsCYMRceBLhCO!|OMGQ-{ND>-T_Yzy zCO4>e2oB-1;7;VGN7eS?-=41yi-T_LjI^m$YDyN>?pzaXK`x8n_i~YkT?fWin@x>f%G`NIBKKI~c7X1P`B3 zRaqI(#S`$tmE%I#1xZ?(yB6c33bHd6-&;amOGKsoTa6TK9ag(hykUJ&O5p#5HMTSs zP@aaads6$B-}(Csx(0Pmg%3tEq3s69-bxVaLd*NC?2@>HAr{N}8^4LDxg;hgY!%46 zYPFFKeapt^P$lroxiBM8yV)!XPUaWXNK!Ai`Kj6K@hb0_#_$=R`%mw*471N`ua7h;={1QcT$S^_A-Sbp zwA-JZnA65yUEW-tnDjz5HLnZBLW``eq@+V0e3HtUoOlsSQyCf>+T1LVIDgmwT0o$= zprAlvIIWLDmqDY-suKzFK~@sfj|q65Dwa5$|4FzT?FM#W#1kARx@<$1+>pJQ(t zU%5}g8u@~$Wi#tnU)xe5i_C`ZO@c!l&oS1c&M*z50 zJk;u_!Z0xks*qS>@Cbu;u)jn9*`f9Cx>FWoD2tCwneH5N9Ky7 zl~+%rqDme>vSW>%YY#^!t}IcS`RX;dlAB>^T)S9`&qy$Rxk)Ja`CZQjK!?d1nO zXRJLvFF;d#mMBWH&%$2MozpoX0zr#%F|=>JG~^Eypp$J)zSc8&cM&gK`AU%A<`=UL ztDgQb;?JL*OB0lsUcs#6!Za%E!YhGqmiSSX5A%wNuU6w4Jwq(}n)vE{_k<3OjylI? 
z9k4YY{4^WR$l?#UIlGWCeN;H~lu76@Kcj~t;~KF%uh5`tlPGO{3}OG6{?Gx-!pHb( zL65)?q(ae$uE_BVhEoV{yDH$(I;KB}@|+3xXyu5MrE2?8%9WZ7J71Jjixl~ml^F-0 z-R#2rvkq5xcjp_3=F%I+H}23UiP$_0upG&1FP%#E1t|_r?y%A1`1pK8M1$SIJRgGL>fMu>X9>H>2VvH$ z*IU@mvE}Zl?ep(dC2lcP|G2I0Yb!N`r|$5jX+p~cJ-Rze-WIFHiS`->Z-RX;&fmw8 z;WlnZhCWs@FFoO0`~Jz&sqT-`LFy8kIhXsNcXdm%;qbXJVo2__Y{J2Lt!~VIqo=Zh z>~^1~W}gLJmuFk5ZLdY)z0^AI6z2W7N}gp*fqLttsI=V7Pje1SeOFxd4R{$#lnA4pEleTI zvvh;^T#~wJ(?0cFzg!$Zse_6FWEc}z$-Ynenh0Ft(8kCI{?(_RavA%tkL(@m?V6Wt z;2+(u-Txfcr~KQzf&B#=u>XCNElDuc!I~H*)#*6#ydV^Gl`z_$kJYBM$&5a<_W#z9 zZv>Mm>P;VP!emS0s&B&soNHKpD&AI{j^xJ@I$UFWG)1>`zk=r4Rn@17R}P6qbzAkKWD2H*xxD7yCExT1 zvk6<=G->`=`;X}68_|YK!KX&!VV6_1{CRnxKd=>VG7?QwD^BUFYX-3Vl z96l%r4k*>W=GV+mnMwBklkgz|g6Nl26=Zc15+H*o}-CV9c%rE?t69nV<%<0fmqDo79>-njP;z(-7+NfLJGN3I?q?)gpUODncb#6}g z>mv_VR%rZAgWYsCEwi$8&mL0~9Q>}%z~MgH?fBW`;$w){=q*O|ICju}?}kpp^4FnT z8~hh|QqR()Y(G6duO(`e2_*==0_Ey#TqYDrx^LNd=y3p3sU?(Np)~kpZf^butI4Ia zLH0y%=FjijP}j1HC|OB#P&!Y7?28xc!R0w&efc@cOk!TSQYl61qbvK|PRetAiz`=} zv6|M@v{Ir%Ri&P$B`>}$Wzv^}^4N>|+XB12iX9x;{rH$Fdmo_SG!kz=h?Gc6OPJ1i z9YCa=ka?ybJX764rU^zZ`4i%(dt*p%D)GIdq&3UKA9Ouu;zT(D|O`4+(KZy zx=%&Ce3qmQnc7*2c>ZXq8;hC!Na$p&`?Z-)M}OW4iIAym2@J zkRSRAxi{Qe{Ra)8Ws1DlP0_`T{u0v?Q!nTrUI{8Aw9FYRB5oeVaOP^3rpGvgSu=-R ztBAAKmbn=F@ng8VCL9&eT-m=FACH-W3(qU7Mo}8hO1;5hg+xSX!W2^r`*Kqz@7%dF zzcv15=oDW_0QbnP^1G0b5IiQ8%l=dFJ5sB1Mpsuc?w-|EXEvA-oq%26bbRmM@%CCu zVzztgr0a*D4zWAnh*|K7kW%gpP=_WdQDE!o@z~^~C)pbL#c)m?NC+=p5LL}GHu3|{ zz25CY?RT=LBj#X|jly;$&URWtqW;6d3IVXG=i!AfJG+wY%qp_R=J;c6FY(e>2UCUl z`59#HOKwa=zTYP+EOJzexO)R~Nvc1o6lc&_`I3aW z85`c(TQhuZy_i*O*!%n+pC zq6Iy3K~iR8pTk!NSDalL&>ESYz$`mY{AlwRm|v=oeHnaqKYsADu-@hOUx>T0I$-fN ztCWOn!g2Fm@l=ObjzuausQ8$jNvS<|`!B;4m({nm zIH`!Qj<4J1S*@%{2o;^hPZMR${rX3+C4D1*kf5%*cVYhlPX%=Q{`hy$_bY`OnT1#_zA*$e`Y;|Ff4f( zM}++W#DaSXl> zMlzDSkdk|}yh1fUOA#NU>3zhU3k(R_4ps?HibScxHl93r;;_9{ke~0c%~)(wx3IWr zZ9ZC4SO{vTSQBH5`~wW!WHt4{i_c+ctu!Vx9?ajX3Z^qwlqB^ZTqw1*Z4{CD5s{HK z{S=6oJwk`_4+TY>qzARSA8^KY^We+--_tyQe9N2c?<#l2Q7fH`~^7F{4mR6^x;A39&UO(sRdW 
z1SaB9qVCKUatF(e!@Shlp=NV4EM7CM0B({^o2$`(cG29NV!^~etgCadDW&9c7NaFt zW5|;D;L`XG-R%awWnXFF^3BT={#T77S|!`ciaswN7BVtCj--;_c9!$CGZ^jVz82g9 zD|ULsN{*Nw>8b5Es}WBfUgXq^OI&qz#rwi6Q=-3XY9!T=x-}`y?4&V`=AxQ-=~nhE zThot2o1LONIT>IK$x#L=L~V9@y1MP0+2_}#8!yIn&(0)^CCCBsZgv|5hJSH%Z$Ux9 z*cP+gF0Z6!#KocE>KJg_|=7gBFxn%v`Q1fL6 zr+kg1B5ofV3RSW{WhR5XsFzO=Gtomoyxk;%<<`gHpSvxjR5g5c5fn+19xY278ygs{ zsxH1jZ{?sD^tL#h+T~6V6>(O15wh;ReoA{9EzO$ErkA&8|Dp@t7k-(+ve@{Bx8|g) zhZ+=BNBpo#A5%>qB9SmPk*d-^7Aw|L-h_CMJgh=uW6SX|VM>`bKHdfxH~+p<5&CMM?NM~!f{m6g*qtuuTPOm}~4tO6^2%IB+x>nR6Y zw&wD!21mD9B3nU!maH-jvB4jdx8MJT!_`J$g)ak}E8=nj3~Pkl{&ev*Ug+tV1nhd~ z(CT{%g8dOOGjniIHrQlH<$COqiH$c2sqs3(eo24jy5c9B^$hH5QFo_Jx(mE?U&-Uk zS7uT|XVnf_F29QI1hlo!yslyc3U2y*CR^j2VirHYoJsB=*9;apG_)#`I}>`B!M}sC zaDu3Tm}6A95t8PVv2Q8|9yBFXqv>v|`z(Flcavz)dw$Bk?!0wg2SxAkYnY(KfmDT~ z<2G16z^XPUJv&#JFX^;%Ql5h&qoWcr({XnnUk+a-zHxx})48QJ=xs=Kby{{F>CK_?VBK zKdzlm{@el{bRZ`GKZa_I4u`deF`hd&>FDzFpd%&;mx}}Hh5dR069oWgSzDLnnO?BL zOiqOk2Bb#yj%`N%gv%0CW@;}XeVUMBdFzjEfuQi>#ippEah3CEL0Y2}FE6hFye^ei zCShl3Yi4NZ>GS7bva+c6I}cU0Ti~Tdq{j)F>HbV`U-W!TK)bR0+BRs&B?BNuX2(}` zHR12@Q-C^-ix|V-ekFD2l!WQS54l#pi{;MYJ(o{QN?V?*6Zd_1=q6lg5lkP~pAx;jw# zEKitCYI{=ty`bO-o@wg}@2u~6!o?r?%jlpWDW8e4YoWt70*1VV)}TQ`BclNGNESnU zXn6a!Fz>zuH;^|1ejHfcR~0*K;qA%dr$S9Tvo}ddKr4`Ix!?p&d~IvEHvQWoCoo`s zW#wdSpzR8m*w{;dtNtvn?)_>dvMxn#YVYp@qn?X%o8R< z>%QbrxyT3i5HFqLjAHV+ML8PK9O!;WM2m}xS^x<1ShVMlcPMpq`oq0{cN{v+`ij2B zfcT0CQpk};T`J1TUUV;Zs;T#{1e{Q(Y@;)VY2Jbq(5=nYDlmBQ@!xJ6R4EuX3cFy} zz*Er^pej18-rH;kHurUmjNd^~GPYt2Oe`7P(&)s^n~XFfo^!r=I=J2y_26IvN)B~W zl!Q8cO;OS8+Bb7elvrBlGVbJb@O0q`>(6-m2?WAZ{jr*4z|PiEo;JYaF@CBM3=eU! 
z^g<|F>G}QM348q#?Dk~9NzZu6cxKbMh&Og&HvkF*o(2gC32I3aj&pDLK#s{1`_5u1 zP_W{2gzf(ImZ;6l`A@~V3CLfBNN(PobeyrUboASPtkBm`CuH4kYy7L{p?#}TL}-nt z=VI-5b_(0k2@?kgi6%Qb%r=i)2|-lYFkCAd)#P#_2%*ay-zQd8mO8t3h>aIC`u94 zQI@_hnX1Nt5<5Bt-2{CpE*@xW8*3SPrbr@W)lV4cZm%cf9|u7?#19?XLSr(OUSC>1 z(6Vl6{WBkRK@1f;IR#01dwV06S5|~yS7g-JxBrZw7Y$NiMM^rK&CSB0pQHVv7N%<# z4L-)yN}JLYOav4Qi)qpb3VOumLHiAm8+_K&Lvu4LCkNE7W_()6C@U*FIB+qMxpZpu zSB_%fxME)RyujaBt9=!W&AMZzy@MTMXkfsI0hy|BcqqeXFfuf>x78i{w&||p@jcnL z*!U!JdPIRLcVuK3dAI`f#Xlr*!{rjQ57wBX1n z!0oO;Rhg_&C}}ve+Yq>0!gnDfHWh81Q6Af9Qs`#n%^Qt|Dq|Dv?d`3j1r=YH_I}|1 z<-n@EXG3DlJGN$yo}{#*ovg{dc|U{BjrsFOV4pdv_weAziXS^Z6CI0Gl6mNhMYp@6%Wfx)I zegA&{{{3&qyOvfK6)+Bpu$CP4<2@|Mn6nV1ht^1HU3iXFaXgAISOlgM zkP_$4LI=xo2Jpl8%ddVf&CA}b}AU&NN($PD3*{MYGGYttJ88w+> z|F(tzd3<1-urnbfh;RBS|uv3Nf zb~`gGp_(K^-kjfqL-k<#w@!nxW(JPPM1cn~&m89VTy7h(lE0m94IRQX|884DWuFO6 zuZ+TAur`#&D$EG_Qt?%RCGieDy||}y4dQ&zQs!LDADjDtJn;~VJv*zzhl1tOhi#~c z35?U&SD-+!3`xhT8Y&biP~k&n#$z)r6j1KVmk!FDmPz%Ju=>wagn@jte&@XdMt}h< z`H-%}%>41T(dwla$?~d1-vyQIfEe!{)HpMg1+Pi^@gG`=yfi z?fA!d!E&rIxpW^^{Ma=dL`6h)roZ{kS(oRiCylYkA6?(UWUz3@Z!9bjLy0hBE*>s^ z5kW%ena}m&3ZP3+W62%jRELU<}mQ$X|%+6I668ma7~T(BhhVrGc)Km@T6#| zmMCAr8_?x<(~NsKJ`khu1HZ)xaKaz3Nfp)Ct0^lh^H6+;M_hBiCiyqwOE0B?z`=@B zE%}UDB)eTZBO)m1mu7E*wWXEDXR+&0sB6->9AO_)^m0G*U2c~Ocl^T24mg^PYHQ<} z4$L5W>~rE1ZSVpYO`^(EL>UE5zbNoDQaFo0ya$#bdz>84v*TG7x@0dUKx#%i|pPc;aV zRI;8~3L5V%>r2o2RyoY*v{?J1T@9LPVL_2YcI*U($Zf&Xuy$;jE;Z-sbBc=9Oyi{?U`Dy!oUt= z%y{QC|CK^6zSf$WJaxfgQr`ymg$&J29Q2Na&c@M^()IFgV#*EZViq5CYZ^NzKzw=@ z_ZiR*DFev5>T32j;Jy7-IKa-#Y-4km$$irb`BcnmON=(zq??j!BzR$g1O~6K&Qf@nADRb`q6C`g9D6$Njw(KkN95ij^=29SOj_m z^e!izW2ETcVmN zL1hImzeS^g5zCEWIcfnA+CFLWg9m@ukAgxFf= zf@a}j=V_hK94XCno|)g*WXdRocwR`1pK?-V=QjXbm9)wFtC>C?e=~q=@a~YPob~n3PXk z^v{)@UkeMMB^yIQerd+WB!p}WBlpsu(n;8qW?AM`6MbXQ@c6wW^Vlo5q-0)*i_79s zu4^L9*4FmUWDzL5u{&C`Yg_hbVd+T*hXep?%t}e&u-CJn<&h`C?#@&JWU||$3^P1T zNEiY_6~d!6mIRdnq`2Q&vp-P%r3e$7dI4y6Fr}v@rcaNz==u3|SZ&1uj!2-HCeOqH 
zQ!g*CBT`bD@U}V+rzS?~d$HZ1nh(9gf1$n0iDlsz6rmvw<|dBrD`e0q+_A8XKV8VZ zlJ05O(xzIz>VL8N-9ANhK~?PC(EGRBOF+%PFat{C{BJCi7(5aX77gLs-sJu1hs8aP1ILh+H}#2*xd^yW4E6DpS__@eM*IPqV0N7J?sNQgOjPkxqv=JrRVXprRIvvS2tOVMm$7Wl3s}CzNkw}OZ!+1i&SEZ-LKOGzkPaV$pv9< zo~gj&QWUE`e|Yf>aeX6pH0c-~0!k CPzdt? literal 0 HcmV?d00001 diff --git a/docs/ops/gafaelfawr/github-organizations.rst b/docs/ops/gafaelfawr/github-organizations.rst new file mode 100644 index 0000000000..94b9c848a9 --- /dev/null +++ b/docs/ops/gafaelfawr/github-organizations.rst 
@@ -0,0 +1,19 @@
+##################################
+Releasing GitHub organization data
+##################################
+
+When the user is sent to GitHub to perform an OAuth 2.0 authentication, they are told what information about their account the application is requesting, and are prompted for which organizational information to release.
+Since we're using GitHub for group information, all organizations that should contribute to group information (via team membership) must have their data released.
+GitHub supports two ways of doing this: make the organization membership public, or grant the OAuth App access to that organization's data explicitly.
+GitHub allows the user to do the latter in the authorization screen during OAuth 2.0 authentication.
+
+.. figure:: /_static/github-oauth.png
+ :name: GitHub OAuth authorization screen
+
+ The authorization screen shown by GitHub during an OAuth App authentication.
+ The organizations with green checkmarks either have public membership or that OAuth App was already authorized to get organization data from them.
+ The "InterNetNews" organization does not share organization membership but allows any member to authorize new OAuth Apps with the :guilabel:`Grant`.
+ The "cracklib" organization does not share organization membership and requires any new authorizations be approved by administrators, which can be requested with :guilabel:`Request`.
+
+This UI is not very obvious for users, and for security reasons we may not wish users who are not organization administrators to be able to release organization information to any OAuth App that asks.
+Therefore, either organization membership should be set to public for all organizations used to control access to Science Platform deployments protected by GitHub, or someone authorized to approve OAuth Apps for each organization that will be used for group information should authenticate to the Science Platform deployment and use the :guilabel:`Grant` button to grant access to that organization's data. diff --git a/docs/ops/gafaelfawr/index.rst b/docs/ops/gafaelfawr/index.rst index 8ed2c7ed8d..3682bd38e2 100644 --- a/docs/ops/gafaelfawr/index.rst +++ b/docs/ops/gafaelfawr/index.rst @@ -27,6 +27,7 @@ Gafaelfawr supports authentication via either OpenID Connect (generally through debugging storage recreate-token + github-organizations .. seealso:: diff --git a/docs/ops/troubleshooting.rst b/docs/ops/troubleshooting.rst index f5f3f4ab08..7f6c023465 100644 --- a/docs/ops/troubleshooting.rst +++ b/docs/ops/troubleshooting.rst @@ -93,7 +93,7 @@ User pods don't spawn, reporting "permission denied" from Moneypenny **Symptoms:** A user pod fails to spawn, and the error message says that Moneypenny did not have permission to execute. **Cause:** The ``gafaelfawr-token`` VaultSecret in the ``nublado2`` namespace is out of date. -This happened because the ``gafaelfawr-redis`` pod restarted and either it lacked persistent storage (at the T&S sites, as of October 2021), or because that storage had been lost. +This happened because the ``gafaelfawr-redis`` pod restarted and either it lacked persistent storage (at the T&S sites, as of July 2022), or because that storage had been lost. **Solution:** :doc:`gafaelfawr/recreate-token` From b676f685dd5f18566efa46f4907bd426057e1768 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 22 Jul 2022 16:50:27 -0700 Subject: [PATCH 0815/1479] Add CILogon identity selection troubleshooting Document cilogin.org/me. Add a bit more information about Gafaelfawr. --- docs/ops/gafaelfawr/index.rst | 5 ++++- docs/ops/troubleshooting.rst | 13 +++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/ops/gafaelfawr/index.rst b/docs/ops/gafaelfawr/index.rst index 3682bd38e2..bdc34878ba 100644 --- a/docs/ops/gafaelfawr/index.rst +++ b/docs/ops/gafaelfawr/index.rst @@ -18,7 +18,9 @@ Gafaelfawr provides authentication and identity management services for the Rubi It is primarily used as an NGINX ``auth_request`` handler configured via annotations on the ``Ingress`` resources of Science Platform services. In that role, it requires a user have the required access scope to use that service, rejects users who do not have that scope, and redirects users who are not authenticated to the authentication process. -Gafaelfawr supports authentication via either OpenID Connect (generally through `CILogon `__) or GitHub. +Gafaelfawr supports authentication via either OpenID Connect (often through `CILogon `__) or GitHub. + +Gafaelfawr also provides a token management API and (currently) UI for users of the Science Platform. .. rubric:: Guides @@ -33,4 +35,5 @@ Gafaelfawr supports authentication via either OpenID Connect (generally through * `DMTN-234: Identity management design `__ * `DMTN-224: Identity management implementation `__ + * `SQR-069: Identity management history and decisions `__ * `Gafaelfawr documentation `__ diff --git a/docs/ops/troubleshooting.rst b/docs/ops/troubleshooting.rst index 7f6c023465..62d978b2de 100644 --- a/docs/ops/troubleshooting.rst +++ b/docs/ops/troubleshooting.rst 
@@ -110,3 +110,16 @@ Most likely, there is some failure on the Gafaelfawr side after GitHub authentic **Solution:** Don't reload the login page. Find the underlying problem and troubleshoot it. For example, if Gafaelfawr Redis storage is unavailable, Gafaelfawr may time out or fail to store the user's token after completing GitHub authentication. + +User keeps logging in through the wrong identity provider +========================================================= + +**Symptoms**: When attempting to use a different identity provider for authentication, such as when linking a different identity to the same account, the CILogon screen to select an identity provider doesn't appear. +Instead, the user is automatically sent to the last identity provider they used. + +**Cause:** The CILogon identity provider selection screen supports remembering your selection, in which case it's stored in a browser cookie or local storage and you are not prompted again. +Even when you want to be prompted. + +**Solution:** Have the user go to `https://cilogin.org/me `__ and choose "Delete ALL". +This will clear their remembered selection. +They can they retry whatever operation they were attempting. From 2388e1bd9bdb6d86ebaca8c40fbd51fcdb4da722 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 25 Jul 2022 03:19:35 +0000 Subject: [PATCH 0816/1479] Update manusa/actions-setup-minikube action to v2.6.1 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 7e5896a84a..d3f43f948a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -80,7 +80,7 @@ jobs: - name: Setup Minikube if: steps.filter.outputs.minikube == 'true' - uses: manusa/actions-setup-minikube@v2.6.0 + uses: manusa/actions-setup-minikube@v2.6.1 with: minikube version: 'v1.25.2' kubernetes version: 'v1.22.8' 
From ea1bf76290deff625e8dc344643fc0c13ba3e90f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 25 Jul 2022 16:47:24 +0000 Subject: [PATCH 0817/1479] Update Helm release argo-cd to v4.10.0 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 8e345b3e7e..d921a999af 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.9.14 + version: 4.10.0 repository: https://argoproj.github.io/argo-helm From db719563775e1104c06395752c8e04b8a40b07a4 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 25 Jul 2022 10:21:03 -0700 Subject: [PATCH 0818/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 3ae341018a..39bcaed4f4 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.9.14 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.10.0 | ## Values From c24814eace9393cc2a854c449a8d2fec34d6072d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 25 Jul 2022 17:28:18 +0000 Subject: [PATCH 0819/1479] Update Helm release redis to v17.0.5 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index aedd554cae..5f8b168b03 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml 
@@ -14,5 +14,5 @@ maintainers:
 # Additional charts that this chart uses
 dependencies:
 - name: redis
- version: 17.0.1
+ version: 17.0.5
 repository: https://charts.bitnami.com/bitnami
diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml
index 931f4a37fe..cc83ccc523 100644
--- a/services/times-square/Chart.yaml
+++ b/services/times-square/Chart.yaml
@@ -11,5 +11,5 @@ appVersion: "0.5.0"
 dependencies:
 - name: redis
- version: 17.0.1
+ version: 17.0.5
 repository: https://charts.bitnami.com/bitnami
From eb4c35eab7c2fe266c6909916f9cff644d05327a Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 25 Jul 2022 10:32:15 -0700
Subject: [PATCH 0820/1479] Update Helm docs

---
 services/noteburst/README.md | 2 +-
 services/times-square/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/noteburst/README.md b/services/noteburst/README.md
index ad3ba545b7..d2281c544e 100644
--- a/services/noteburst/README.md
+++ b/services/noteburst/README.md
@@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform.
 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.bitnami.com/bitnami | redis | 17.0.1 |
+| https://charts.bitnami.com/bitnami | redis | 17.0.5 |
 ## Values
diff --git a/services/times-square/README.md b/services/times-square/README.md
index f3d2e6835c..f88dc2917c 100644
--- a/services/times-square/README.md
+++ b/services/times-square/README.md
@@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks.
 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.bitnami.com/bitnami | redis | 17.0.1 |
+| https://charts.bitnami.com/bitnami | redis | 17.0.5 |
 ## Values
From c8b6f55de6882a1f2184a65a0e214840a531880a Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 25 Jul 2022 17:41:55 +0000
Subject: [PATCH 0821/1479] Update helm values redis to v7.0.4

---
 services/gafaelfawr/values.yaml | 2 +-
 services/portal/values.yaml | 2 +-
 services/vo-cutouts/values.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml
index f9c9643991..6fd5f15907 100644
--- a/services/gafaelfawr/values.yaml
+++ b/services/gafaelfawr/values.yaml
@@ -270,7 +270,7 @@ redis:
 repository: "redis"
 # -- Redis image tag to use
- tag: "7.0.3"
+ tag: "7.0.4"
 # -- Pull policy for the Redis image
 pullPolicy: "IfNotPresent"
diff --git a/services/portal/values.yaml b/services/portal/values.yaml
index 0d6855aa3d..4ac87f15fd 100644
--- a/services/portal/values.yaml
+++ b/services/portal/values.yaml
@@ -94,7 +94,7 @@ redis:
 repository: "redis"
 # -- Redis image tag to use
- tag: "7.0.3"
+ tag: "7.0.4"
 # -- Pull policy for the Redis image
 pullPolicy: "IfNotPresent"
diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml
index 9b0c95a812..34c1fbdf51 100644
--- a/services/vo-cutouts/values.yaml
+++ b/services/vo-cutouts/values.yaml
@@ -147,7 +147,7 @@ redis:
 repository: "redis"
 # -- Redis image tag to use
- tag: "7.0.3"
+ tag: "7.0.4"
 # -- Pull policy for the Redis image
 pullPolicy: "IfNotPresent"
From ae84a2f2a656667d6120bc5eb8d88dd53b72b3cc Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 25 Jul 2022 10:50:53 -0700
Subject: [PATCH 0822/1479] Update Helm docs

---
 services/gafaelfawr/README.md | 2 +-
 services/portal/README.md | 2 +-
 services/vo-cutouts/README.md | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md
index 64a7bf17a1..e2446c7016 100644
--- a/services/gafaelfawr/README.md
+++ b/services/gafaelfawr/README.md
@@ -72,7 +72,7 @@ Science Platform authentication and authorization system
 | redis.affinity | object | `{}` | Affinity rules for the Redis pod |
 | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image |
 | redis.image.repository | string | `"redis"` | Redis image to use |
-| redis.image.tag | string | `"7.0.3"` | Redis image tag to use |
+| redis.image.tag | string | `"7.0.4"` | Redis image tag to use |
 | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod |
 | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request |
 | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. |
diff --git a/services/portal/README.md b/services/portal/README.md
index 814c1a2010..a885567f67 100644
--- a/services/portal/README.md
+++ b/services/portal/README.md
@@ -33,7 +33,7 @@ Rubin Science Platform portal aspect
 | redis.affinity | object | `{}` | Affinity rules for the Redis pod |
 | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image |
 | redis.image.repository | string | `"redis"` | Redis image to use |
-| redis.image.tag | string | `"7.0.3"` | Redis image tag to use |
+| redis.image.tag | string | `"7.0.4"` | Redis image tag to use |
 | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod |
 | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod |
 | redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests |
diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md
index 624caaa546..d32c0efdaa 100644
--- a/services/vo-cutouts/README.md
+++ b/services/vo-cutouts/README.md
@@ -54,7 +54,7 @@ Image cutout service complying with IVOA SODA
 | redis.affinity | object | `{}` | Affinity rules for the Redis pod |
 | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image |
 | redis.image.repository | string | `"redis"` | Redis image to use |
-| redis.image.tag | string | `"7.0.3"` | Redis image tag to use |
+| redis.image.tag | string | `"7.0.4"` | Redis image tag to use |
 | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod |
 | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request |
 | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. |
From c16f3a78a9575f175b31ad04b6159ee2634c6f08 Mon Sep 17 00:00:00 2001
From: adam
Date: Mon, 25 Jul 2022 15:46:18 -0700
Subject: [PATCH 0823/1479] Update docs to reflect charts->phalanx migration

---
 docs/arch/repository.rst | 17 +--
 docs/conf.py | 2 +-
 docs/index.rst | 1 -
 docs/ops/bootstrapping.rst | 9 +-
 docs/ops/nublado2/index.rst | 4 +-
 docs/ops/postgres/add-database.rst | 41 +++---
 docs/service-guide/add-service.rst | 130 ++++++++----------
 docs/service-guide/chart-changes.rst | 26 ----
 docs/service-guide/create-service.rst | 5 +-
 .../update-a-onepassword-secret.rst | 2 +-
 docs/service-guide/upgrade.rst | 16 +--
 11 files changed, 101 insertions(+), 152 deletions(-)
 delete mode 100644 docs/service-guide/chart-changes.rst

diff --git a/docs/arch/repository.rst b/docs/arch/repository.rst
index 3aeabe9741..eb9ed441ae 100644
--- a/docs/arch/repository.rst
+++ b/docs/arch/repository.rst
@@ -29,14 +29,11 @@ Charts
 Argo CD manages services in the Rubin Science Platform through a set of Helm charts.
 Which Helm charts to deploy in a given environment is controlled by the ``values-.yaml`` files in `/science-platform `__.
-For nearly all charts, there are at least two layers of charts.
-The upper layer of charts, the ones installed directly by Argo CD, are found in the `/services `__ directory.
-These charts usually contain only dependencies and ``values-.yaml`` files to customize the service for each environment.
-Sometimes they may contain a small set of resources that are very specific to the Science Platform.
+The `/services `__ directory defines templates in its ``templates`` directory and values to resolve those templates in ``values.yaml`` and ``values-.yaml`` files to customize the service for each environment. For first-party charts, the ``templates`` directory is generally richly populated.
-The real work of deploying an service is done by the next layer of charts, which are declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top layer of charts.
+For third-party charts the ``templates`` directory might not exist or might have only a small set of resources specific to the Science Platform. In that case, most of the work of deploying a service is done by charts declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top-level service chart.
 By convention, the top-level chart has the same name as the underlying chart that it deploys.
-This second layer of charts may be external third-party Helm charts provided by other projects, or may be Helm charts maintained by Rubin Observatory.
+Subcharts may be external third-party Helm charts provided by other projects, or, in rare instances, they may be Helm charts maintained by Rubin Observatory.
 In the latter case, these charts are maintained in the `lsst-sqre/charts GitHub repository `__.
 .. _chart-versioning:
@@ -47,21 +44,21 @@ Chart versioning
 The top level of charts defined in the ``/services`` directory are used only by Argo CD and are never published as Helm charts.
 Their versions are therefore irrelevant.
 The version of each chart is set to ``1.0.0`` because ``version`` is a required field in ``Chart.yaml`` and then never changed.
-Reverting to a previous configuration in this layer of charts is done via a manual revert in Argo CD or by reverting a change in the GitHub repository, not by pointing Argo CD to an older chart.
+It is instead the ``appVersion`` field that is used to point to a particular release of a first-person chart. Reverting to a previous configuration in this layer of charts is done via a manual revert in Argo CD or by reverting a change in the GitHub repository so that the ``appVersion`` points to an earlier release. It is **not** done by pointing Argo CD to an older chart.
-The second layer of charts that are declared as dependencies are normal, published Helm charts that follow normal Helm semantic versioning conventions.
+Third-party charts are declared as dependencies; they are normal, published Helm charts that follow normal Helm semantic versioning conventions.
 In the case of the ``lsst-sqre/charts`` repository, this is enforced by CI.
 We can then constrain the version of the chart Argo CD will deploy by changing the ``dependencies`` configuration in the top-level chart.
 Best practice is for a release of a chart to deploy the latest version of the corresponding service, so that upgrading the chart also implies upgrading the service.
 This allows automatic creation of pull requests to upgrade any services deployed by Argo CD (see `SQR-042 `__ for more details).
-Charts maintained in lsst-sqre/charts follow this convention (for the most part).
+Charts maintained as first-party charts in Phalanx follow this convention (for the most part).
 Most upstream charts also follow this convention, but some require explicitly changing version numbers in ``values-*.yaml``.
 In general, we pin the version of the chart to deploy in the ``dependencies`` metadata of the top-level chart.
 This ensures deterministic cluster configuration and avoids inadvertently upgrading services.
 However, for services still under development, we sometimes use a floating dependency to reduce the number of pull requests required when iterating, and then switch to a pinned version once the service is stable.
-There is currently no mechanism to deploy different versions of a chart in different environments.
+There is currently no general mechanism to deploy different versions of a chart in different environments, as appVersion is set in ``Chart.yaml``.
 We will probably need a mechanism to do this eventually, and have considered possible implementation strategies, but have not yet started on this work.
 In the meantime, we disable automatic deployment in Argo CD so there is a human check on whether a given chart is safe to deploy in a given environment.
diff --git a/docs/conf.py b/docs/conf.py
index 88675d9bc4..4c3690b0cc 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -59,7 +59,7 @@
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = "en"
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
diff --git a/docs/index.rst b/docs/index.rst
index 91221f1050..4a37cf09c2 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -42,7 +42,6 @@ General development and operations
 service-guide/local-development
 service-guide/sync-argo-cd
 service-guide/upgrade
- service-guide/chart-changes
 Specific tasks
 --------------
diff --git a/docs/ops/bootstrapping.rst b/docs/ops/bootstrapping.rst
index 89cc879eba..e7ca1a8364 100644
--- a/docs/ops/bootstrapping.rst
+++ b/docs/ops/bootstrapping.rst
@@ -19,7 +19,9 @@ Requirements
 Checklist
 =========
-#. Fork the `phalanx repository `__ if this work is separate from the SQuaRE-managed environments.
+#. Fork the `phalanx repository
+ `__ if this work is separate
+ from the SQuaRE-managed environments.
 #. Create a virtual environment with the tools you will need from the installer's `requirements.txt `__.
 If you are not using 1password as your source of truth (which, if you are not in a SQuaRE-managed environment, you probably are not) then you may omit ``1password``.
@@ -27,7 +29,7 @@ Checklist
 #. Create a new ``values-.yaml`` file in `/science-platform `__.
 Start with a template copied from an existing environment that's similar to the new environment.
- Edit it to change the environment name at the top to match ```` and choose which services to enable or disable.
+ Edit it so that ``environment``, ``fqdn``, and ``vault_path_prefix`` at the top match your new environment. Choose which services to enable or leave disabled.
 #. Decide on your approach to TLS certificates.
 See :ref:`hostnames` for more details.
@@ -40,8 +42,7 @@ Checklist
 See :doc:`cert-manager/route53-setup` for more details.
 #. For each enabled service, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__.
- Customization will vary from service to service, but the most common change required is to set the fully-qualified domain name of the environment to the one that will be used for your new deployment.
- This will be needed in ingress hostnames, NGINX authentication annotations, and the paths to Vault secrets (the part after ``k8s_operator`` should be the same fully-qualified domain name).
+ Customization will vary from service to service.
 See :ref:`service-notes` for more details on special considerations for individual services.
diff --git a/docs/ops/nublado2/index.rst b/docs/ops/nublado2/index.rst
index dc011cf118..3a1be5e818 100644
--- a/docs/ops/nublado2/index.rst
+++ b/docs/ops/nublado2/index.rst
@@ -14,7 +14,9 @@ nublado2
 .. rubric:: Overview
-The ``nublado2`` service is an installation of JupyterHub from its `Helm chart `__.
+The ``nublado2`` service is an installation of a Rubin Observatory
+flavor of Zero to JupyterHub with some additional resources. Those
+resources are defined from `templates at `__ and the `Zero to Jupyterhub chart `__.
 Upgrading ``nublado2`` is generally painless.
 A simple Argo CD sync is sufficient.
diff --git a/docs/ops/postgres/add-database.rst b/docs/ops/postgres/add-database.rst
index 933fda347b..69bfb5cbb4 100644
--- a/docs/ops/postgres/add-database.rst
+++ b/docs/ops/postgres/add-database.rst
@@ -26,14 +26,13 @@ identical and should reflect the service that will consume the database, e.g.
 ``gafaelfawr`` or ``exposurelog``. We will use ``exposurelog`` as the model for the remainder of this document.
-==========================
-Add the database to charts
-==========================
+==================================
+Add the database to the deployment
+==================================
-First, create the entries in ``charts``. Go to the
-``charts/postgres/templates`` directory, and edit ``deployment.yaml`` to
-add the new database/password entry. You should copy an existing
-entry, and it should look like this:
+Go to the ``services/postgres/templates`` directory from the Phalanx
+root, and edit ``deployment.yaml`` to add the new database/password
+entry. You should copy an existing entry, and it should look like this:
 .. code-block:: yaml
@@ -49,17 +48,14 @@ entry, and it should look like this:
 key: exposurelog_password
 {{- end }}
-Once you've done that, make sure you increment the chart version number in
-``charts/postgres/Chart.yaml``.
+=====================================
+Add the database to Phalanx installer
+=====================================
-===========================
-Add the database to phalanx
-===========================
-
-Next, tackle ``phalanx``. First, add the password entry to Phalanx's
-installer, so the next time a new cluster is deployed or an extant
-cluster is redeployed, the password will be created. This belongs in
-``installer/generate_secrets.py`` in the ``_postgres()`` method.
+Next add a password entry to Phalanx's installer, so the next time a new
+cluster is deployed or an extant cluster is redeployed, the password
+will be created. This belongs in ``installer/generate_secrets.py`` in
+the ``_postgres()`` method.
 Typically we use passwords that are ASCII representations of random 32-byte hexadecimal sequences. The passwords for all the non-root
@@ -70,9 +66,6 @@ and changing the name to reflect your service is usually correct:
 self._set_generated("postgres", "exposurelog_password", secrets.token_hex(32))
-Make the Phalanx ``services/postgres/Chart.yaml`` entry depend on the
-new chart version you earlier created.
-
 Finally, go edit the postgres ``values-.yaml`` files and add a section for your new database with appropriate ``user`` and ``db`` entries:
@@ -114,9 +107,13 @@ Restart with new values
 =======================
 Now it's finally time to synchronize Postgres in each environment.
+There is no new application version, so all you should need to do is
+resynchronize the deployment from ArgoCD.
-This will cause a brief service interruption in the cluster, so bear
-that and your cluster's maintenance window policy in mind.
+This will cause a brief service interruption in the cluster, as the
+existing deployment is recreated with additional environment variables
+and PostgreSQL restarts, so bear that and your cluster's maintenance
+window policy in mind.
 Much of the time, the restart of the ``postgres`` deployment gets stuck and the old Pod will not terminate and allow the new one to run. If
diff --git a/docs/service-guide/add-service.rst b/docs/service-guide/add-service.rst
index 030ec62f6b..630c233c85 100644
--- a/docs/service-guide/add-service.rst
+++ b/docs/service-guide/add-service.rst
@@ -6,85 +6,32 @@ Once you have a chart and a Docker image (see :doc:`create-service`) and you hav
 This is done by creating an Argo CD application that manages your service.
 This consists of an ``Application`` resource that's used by Argo CD and a small wrapper chart in the `Phalanx repository `__ that holds the ``values-*.yaml`` files to configure your service for each environment in which it's deployed.
-Add the wrapper chart
-=====================
-
-#. Create a directory in `/services `__ named for the service (which should almost always be the same as the name of its chart).
-
-#. Create a ``Chart.yaml`` file in that directory for the wrapper chart.
- This should look something like this:
-
- .. code-block:: yaml
-
- apiVersion: v2
- name: example
- version: 1.0.0
- dependencies:
- - name: example
- version: 1.3.2
- repository: https://lsst-sqre.github.io/charts/
- - name: pull-secret
- version: 0.1.2
- repository: https://lsst-sqre.github.io/charts/
-
- The ``name`` field should be the same as the name of the directory, which again should be the same as the name of your chart.
- The ``version`` field should always be ``1.0.0`` (see :ref:`chart-versioning` for an explanation).
- The first entry in ``dependencies`` should point to your chart and pin its current version.
- (Yes, this means you will need to make a PR against Phalanx for each new version of your chart.)
- If you are directly referencing an external chart, the ``repository`` property may be different.
- Finally, include the ``pull-secret`` dependency as-is.
- This is used to configure a Docker pull secret that you will reference later.
-
-#. For each environment in which your service will run, create a ``values-.yaml`` file in this directory.
+#. For each environment in which your service will run, create a ``values-.yaml`` file in your application's service directory.
 This should hold only the customization per Rubin Science Platform deployment.
- Any shared configuration should go into the defaults of your chart.
- (An exception is if you are using an external chart directly, in which case you will need to add all configuration required for that chart.
- See :ref:`external-chart-config` for more discussion.)
-
- Some common things to need to configure per-environment:
-
- - The ingress hostname (usually ``ingress.host``)
- - The ``vaultSecretsPath`` for a secret
-
- Always tell any pods deployed by your service to use a pull secret named ``pull-secret``.
- If you are using the default Helm template, this will mean a block like:
-
- .. code-block:: yaml
-
- imagePullSecrets:
- - name: "pull-secret"
-
- under the section for your chart.
- If you are using an external chart, see its documentation for how to configure pull secrets.
- Configuring a pull secret is important to avoid running into Docker pull rate limits, which could otherwise prevent a pod from starting.
+ Any shared configuration should go into the defaults of your chart (``values.yaml``).
- **All configuration for your chart must be under a key named for your chart.**
- For example, for a service named ``example``, a typical configuration may look like:
+ If it is a third-party application repackaged as a Phalanx chart, you will need to add its configuration a little differently. See :ref:`external-chart-config` for more discussion.)
- .. code-block:: yaml
-
- example:
- imagePullSecrets:
- - name: "pull-secret"
-
- ingress:
- host: "data.lsst.cloud"
-
- vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/example"
+#. Most services will need a base URL, which is the top-level externally-accessible URL (this is presented within the chart as a separate parameter, although as we will see it is derived from the hostname) for the ingress to the application, the hostname, and the base path within Vault for storage of secrets.
- That ``example:`` on the top line and the indentation is important.
- If you omit it, all of your configuration will be silently ignored.
+ In general these will be set within the application definition within the ``science-platform`` directory and carried through to service charts via global ArgoCD variables. You should generally simply need the boilerplate setting them to empty:
- Finally, every ``values-*.yaml`` file (at least for now, until we find a better approach) must have, at the bottom, a stanza like:
+ .. code-block: yaml::
- .. code-block:: yaml
+ # The following will be set by parameters injected by Argo CD and should not
+ # be set in the individual environment values files.
+ global:
+ # -- Base URL for the environment
+ # @default -- Set by Argo CD
+ baseUrl: ""
- pull-secret:
- enabled: true
- path: "secret/k8s_operator//pull-secret"
+ # -- Host name for ingress
+ # @default -- Set by Argo CD
+ host: ""
- See all the other directories under `/services `__ for examples.
- You may want to copy and paste the basic setup including the ``pull-secret`` configuration from another service to save effort.
+ # -- Base path for Vault secrets
+ # @default -- Set by Argo CD
+ vaultSecretsPath: ""
 Add the Argo CD application
 ===========================
@@ -119,14 +66,49 @@ Add the Argo CD application
 repoURL: {{ .Values.repoURL }}
 targetRevision: {{ .Values.revision }}
 helm:
+ parameters:
+ - name: "global.host"
+ value: {{ .Values.fqdn | quote }}
+ - name: "global.baseUrl"
+ value: "https://{{ .Values.fqdn }}"
+ - name: "global.vaultSecretsPath"
+ value: {{ .Values.vault_path_prefix | quote }}
 valueFiles:
- - values-{{ .Values.environment }}.yaml
+ - "values.yaml"
+ - 'values-{{ .Values.environment }}.yaml"
 {{- end -}}
 replacing every instance of ```` with the name of your service.
- This creates the namespace and Argo CD application for your service.
+ This creates the namespace and Argo CD application for your service. Note that this is where we derive baseURL from host.
+
+ Note that bothh of ``fqdn`` and ``host`` must be defined in each RSP
+ instance definition file (that is, ``values-.yaml``). Typically
+ this is done at the top; should you at some point deploy an entirely
+ new instance of the RSP, remember to do this in the base
+ science-platform application definition for the new instance.
+
+#. If your application image resides at a Docker repository which
+ requires authentication (either to pull the image at all or to raise
+ the pull rate limit), then you must tell any pods deployed by your
+ service to use a pull secret named ``pull-secret``, and you must
+ configure that pull secret in the application's
+ ``vault-secrets.yaml``. If you are using the default Helm template,
+ this will mean a block like:
+
+ .. code-block:: yaml
+
+ imagePullSecrets:
+ - name: "pull-secret"
+
+ under the section for your chart.
+
+ If you are using an external chart, see its documentation for how to configure pull secrets.
+
+ Note that if your container image is built through GitHub actions and stored at ghcr.io, there is no rate limiting (as long as your container image is built from a public repository, which it should be).
If it is stored at Docker Hub, you should use a pull secret, because we have been (and will no doubt continue to be) rate-limited at Docker Hub in the past. If it is pulled from a private repository, obviously you will need authentication, and if the container is stored within the Rubin Google Artifact Registry, there is likely to be some Google setup required to make pulls magically work from within a given cluster.
+
+ In general, copying and pasting the basic setup from another service (``cachemachine`` or ``mobu`` recommended for simple services) is a good way to save effort.
-#. Finally, edit each of the ``values-*.yaml`` files in `/science-platform `__ and add a stanza for your service.
+#. Finally, edit ``values.yaml`` and each of the ``values-*.yaml`` files in `/science-platform `__ and add a stanza for your service. The stanza in ``values.yaml`` should always say:
 .. code-block:: yaml
diff --git a/docs/service-guide/chart-changes.rst b/docs/service-guide/chart-changes.rst
deleted file mode 100644
index 86b0282f6b..0000000000
--- a/docs/service-guide/chart-changes.rst
+++ /dev/null
@@ -1,26 +0,0 @@
-####################################
-Changing charts and phalanx together
-####################################
-
-Quite often when working on RSP services you will find that you need
-simultaneous changes to both the `charts repository `__ and the `phalanx repository `__.
-
-You may not want to roll out the charts changes prior to the phalanx changes, but at the same time, the phalanx changes require the charts changes.
-
-If the charts changes are low-risk--perhaps they just add new objects or settings--then it's often OK to release a new charts version, and then point phalanx at the new version. Then you can just update in ArgoCD and it's all very easy.
-
-This section, however, is about the times when it's risky to do that.
-
-The bad news is, you can't do this via ArgoCD. The good news is, it's pretty easy to do anyway, but you do need ``kubectl`` access to whatever cluster you're working on. Ideally this is a local ``minikube`` cluster, but if you're, say, using an Apple Silicon Mac, or you need access to real data, maybe you're doing it in ``data-dev`` or ``data-int``.
-
-#. Make your changes to both charts and phalanx.
-
-#. Ensure that you're using ``kubectl`` with a kubeconfig file giving access to the cluster you want to use.
-
-#. Generate a new chart with ``helm package `` in the ``charts/charts`` directory. This will generate a .tgz package of the application.
-
-#. In the correct phalanx ``services`` directory, update ``Chart.yaml`` to the new (unreleased) Chart version. Then update phalanx with ``helm dependency build .`` . This will try to download the dependent charts and will fail, because the version hasn't been released. Create a ``charts`` directory if it doesn't already exist, and copy the tarball you created into the previous step into it.
-
-#. Finally, run ``helm install . --values=``.
-
-The running version will be out of sync in ArgoCD until you release the charts and phalanx changes, but it is testable in the cluster at this point.
diff --git a/docs/service-guide/create-service.rst b/docs/service-guide/create-service.rst
index ed5a10ef79..8af38810dd 100644
--- a/docs/service-guide/create-service.rst
+++ b/docs/service-guide/create-service.rst
@@ -5,7 +5,7 @@ Create a new service
 This documentation is intended for service administrators who are writing a new service in Python.
 If the goal is to instead deploy a third-party service with its own Helm chart in the Rubin Science Platform, see :doc:`add-external-chart`.
-To be deployed in the Rubin Science Platform, a service must come in the form of one or more Docker images and a Helm chart (or Kustomize configuration, although no one currently uses that approach) that deploys those images in Kubernetes.
+To be deployed in the Rubin Science Platform, a service must come in the form of one or more Docker images and a Helm chart (or Kustomize configuration, although no service currently uses that approach) that deploys those images in Kubernetes.
 After you have finished the steps here, go to :doc:`add-service`.
@@ -51,7 +51,7 @@ Create the Helm chart
 To deploy your service in the Rubin Science Platform, it must have either a Helm chart or a Kustomize configuration.
 Currently, all services use Helm charts.
 Kustomize is theoretically supported but there are no examples of how to make it work with multiple environments.
-Using a Helm chart is recommended unless you are strongly motivated to work out the problems with using Kustomize and write new documentation.
+Using a Helm chart is recommended unless you are strongly motivated to work out the problems with using Kustomize and then document the newly-developed process.
 Unfortunately, unlike for the service itself, we do not (yet) have a template for the Helm chart.
 However, Helm itself has a starter template that is not awful.
@@ -77,6 +77,7 @@ You will need to make at least the following changes to the default Helm chart t
 For user-facing services you will want a scope other than ``exec:admin``.
 See `the Gafaelfawr documentation `__, specifically `protecting a service `__ for more information.
+- If your service exposes Prometheus endpoints, you will want to configure these in the `telegraf service's prometheus_config `__.
 Documentation
 -------------
diff --git a/docs/service-guide/update-a-onepassword-secret.rst b/docs/service-guide/update-a-onepassword-secret.rst
index cf6c0d186d..e18eb46688 100644
--- a/docs/service-guide/update-a-onepassword-secret.rst
+++ b/docs/service-guide/update-a-onepassword-secret.rst
@@ -5,7 +5,7 @@ Updating a secret stored in 1Password and VaultSecret
 Secrets that are stored in 1Password are synchronized into Vault using the `installer/generate_secrets.py `__ script.
 Once they are in Vault, they are accessible to the Vault Secrets Operator, which responds to creation of any ``VaultSecret`` resources in Kubernetes by grabbing the current value of the secret data in Vault.
-The Vault Secrets Operator reconciles any changes as well by comparing Vault's state with that of any ``VaultSecret``s every 60 seconds.
+The Vault Secrets Operator reconciles any changes as well by comparing Vault's state with that of any ``VaultSecret`` resources every 60 seconds.
 This reconciliation process can also take a bit of time; the net result is that you can expect changes to be reflected after a few minutes.
 .. note::
diff --git a/docs/service-guide/upgrade.rst b/docs/service-guide/upgrade.rst
index c2d781a554..b73f428ade 100644
--- a/docs/service-guide/upgrade.rst
+++ b/docs/service-guide/upgrade.rst
@@ -2,16 +2,12 @@ Upgrading a service ################### -#. Release a new version of the service by pushing an image with the new version tag to Docker Hub (or whatever Docker repository is used). +#. Release a new version of the service by pushing an image with the new version tag to whichever Docker repository is used. For more recent applications, this image should be built and pushed as a GitHub action upon release of a new version. -#. Update the chart in the `charts repository `__ to install the current version. - For charts using the recommended pattern of determining the default Docker tag via the ``appVersion`` chart metadata, this only requires updating ``appVersion`` in ``Chart.yaml``. - Some charts cannot (or do not) do this, in which case the version has to be changed elsewhere, normally in ``values.yaml``. - Also update the ``version`` of the chart in ``Chart.yaml`` (which follows `semantic versioning`_). - When this PR is merged, a new chart will automatically be published. +#. There are multiple possibilities that depend on the sort of application you have. + - If it is a first-party application such as ``cachemachine``, with its chart directly in Phalanx, then it should use the recommended pattern of determining the default Docker tag via the ``appVersion`` chart metadata. This will only require updating ``appVersion`` in ``Chart.yaml``. + - If, like ``cert-manager``, it's a third-party application with some extra resources glued in, and you are updating to a newer version of the third-party Helm chart, you will need to update the ``version`` in the dependency. + - If it is a complex application such as ``sasquatch`` that bundles first- and third-party applications, you may need to do both, or indeed descend into the ``charts`` directory and update the ``appVersion`` of the subcharts therein. Tricky cases such as these may require some study before deciding on the best course of action. -#. 
Update the chart version in the Phalanx ``Chart.yaml`` file for the appropriate service under `/services `__. - If the chart is not pinned (if, in other words, it uses a version range constraint instead of a specific version), no Phalanx change is required. - -This will tell Argo CD that the change is pending, but no changes are applied automatically. +Once you have updated the service, Argo CD will that the change is pending, but no changes will be applied automatically. To apply the changes in a given environment, see :doc:`sync-argo-cd`. From 84298139d981d8806e86d3cc20147306fb5a5b92 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 25 Jul 2022 15:47:14 -0700 Subject: [PATCH 0824/1479] Revert "Update docs to reflect charts->phalanx migration" This reverts commit c16f3a78a9575f175b31ad04b6159ee2634c6f08. --- docs/arch/repository.rst | 17 ++- docs/conf.py | 2 +- docs/index.rst | 1 + docs/ops/bootstrapping.rst | 9 +- docs/ops/nublado2/index.rst | 4 +- docs/ops/postgres/add-database.rst | 41 +++--- docs/service-guide/add-service.rst | 130 ++++++++++-------- docs/service-guide/chart-changes.rst | 26 ++++ docs/service-guide/create-service.rst | 5 +- .../update-a-onepassword-secret.rst | 2 +- docs/service-guide/upgrade.rst | 16 ++- 11 files changed, 152 insertions(+), 101 deletions(-) create mode 100644 docs/service-guide/chart-changes.rst diff --git a/docs/arch/repository.rst b/docs/arch/repository.rst index eb9ed441ae..3aeabe9741 100644 --- a/docs/arch/repository.rst +++ b/docs/arch/repository.rst 
@@ -29,11 +29,14 @@ Charts Argo CD manages services in the Rubin Science Platform through a set of Helm charts. Which Helm charts to deploy in a given environment is controlled by the ``values-.yaml`` files in `/science-platform `__. -The `/services `__ directory defines templates in its ``templates`` directory and values to resolve those templates in ``values.yaml`` and ``values-.yaml`` files to customize the service for each environment. For first-party charts, the ``templates`` directory is generally richly populated. +For nearly all charts, there are at least two layers of charts. +The upper layer of charts, the ones installed directly by Argo CD, are found in the `/services `__ directory. +These charts usually contain only dependencies and ``values-.yaml`` files to customize the service for each environment. +Sometimes they may contain a small set of resources that are very specific to the Science Platform. -For third-party charts the ``templates`` directory might not exist or might have only a small set of resources specific to the Science Platform. In that case, most of the work of deploying a service is done by charts declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top-level service chart. +The real work of deploying an service is done by the next layer of charts, which are declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top layer of charts. By convention, the top-level chart has the same name as the underlying chart that it deploys. -Subcharts may be external third-party Helm charts provided by other projects, or, in rare instances, they may be Helm charts maintained by Rubin Observatory. +This second layer of charts may be external third-party Helm charts provided by other projects, or may be Helm charts maintained by Rubin Observatory. In the latter case, these charts are maintained in the `lsst-sqre/charts GitHub repository `__. .. _chart-versioning: 
@@ -44,21 +47,21 @@ Chart versioning The top level of charts defined in the ``/services`` directory are used only by Argo CD and are never published as Helm charts. Their versions are therefore irrelevant. The version of each chart is set to ``1.0.0`` because ``version`` is a required field in ``Chart.yaml`` and then never changed. -It is instead the ``appVersion`` field that is used to point to a particular release of a first-person chart. Reverting to a previous configuration in this layer of charts is done via a manual revert in Argo CD or by reverting a change in the GitHub repository so that the ``appVersion`` points to an earlier release. It is **not** done by pointing Argo CD to an older chart. +Reverting to a previous configuration in this layer of charts is done via a manual revert in Argo CD or by reverting a change in the GitHub repository, not by pointing Argo CD to an older chart. -Third-party charts are declared as dependencies; they are normal, published Helm charts that follow normal Helm semantic versioning conventions. +The second layer of charts that are declared as dependencies are normal, published Helm charts that follow normal Helm semantic versioning conventions. In the case of the ``lsst-sqre/charts`` repository, this is enforced by CI. We can then constrain the version of the chart Argo CD will deploy by changing the ``dependencies`` configuration in the top-level chart. Best practice is for a release of a chart to deploy the latest version of the corresponding service, so that upgrading the chart also implies upgrading the service. This allows automatic creation of pull requests to upgrade any services deployed by Argo CD (see `SQR-042 `__ for more details). -Charts maintained as first-party charts in Phalanx follow this convention (for the most part). +Charts maintained in lsst-sqre/charts follow this convention (for the most part). 
Most upstream charts also follow this convention, but some require explicitly changing version numbers in ``values-*.yaml``. In general, we pin the version of the chart to deploy in the ``dependencies`` metadata of the top-level chart. This ensures deterministic cluster configuration and avoids inadvertently upgrading services. However, for services still under development, we sometimes use a floating dependency to reduce the number of pull requests required when iterating, and then switch to a pinned version once the service is stable. -There is currently no general mechanism to deploy different versions of a chart in different environments, as appVersion is set in ``Chart.yaml``. +There is currently no mechanism to deploy different versions of a chart in different environments. We will probably need a mechanism to do this eventually, and have considered possible implementation strategies, but have not yet started on this work. In the meantime, we disable automatic deployment in Argo CD so there is a human check on whether a given chart is safe to deploy in a given environment. diff --git a/docs/conf.py b/docs/conf.py index 4c3690b0cc..88675d9bc4 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -59,7 +59,7 @@ # # This is also used if you do content translation via gettext catalogs. # Usually you set "language" from the command line for these cases. -language = "en" +language = None # There are two options for replacing |today|: either, you set today to some # non-false value, then it is used: diff --git a/docs/index.rst b/docs/index.rst index 4a37cf09c2..91221f1050 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -42,6 +42,7 @@ General development and operations service-guide/local-development service-guide/sync-argo-cd service-guide/upgrade + service-guide/chart-changes Specific tasks -------------- diff --git a/docs/ops/bootstrapping.rst b/docs/ops/bootstrapping.rst index e7ca1a8364..89cc879eba 100644 --- a/docs/ops/bootstrapping.rst 
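Review bot: Restoring `language = None` on the added line of the docs/conf.py hunk brings back a value that Sphinx 5.0 and later treat as invalid: they warn about it and fall back to `"en"`, so if the docs build runs with warnings-as-errors (`-W`) this revert will break it even though every other hunk in the commit only touches .rst content. If the intent is only to undo the surrounding documentation changes, keeping `language = "en"` is the safer choice, since that is the value newer Sphinx uses anyway. If the older value is needed for an older pinned Sphinx, a comment such as `# Kept as None for the pinned Sphinx version; newer Sphinx wants "en"` above the assignment would record why the deprecated form is used.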
+++ b/docs/ops/bootstrapping.rst @@ -19,9 +19,7 @@ Requirements Checklist ========= -#. Fork the `phalanx repository - `__ if this work is separate - from the SQuaRE-managed environments. +#. Fork the `phalanx repository `__ if this work is separate from the SQuaRE-managed environments. #. Create a virtual environment with the tools you will need from the installer's `requirements.txt `__. If you are not using 1password as your source of truth (which, if you are not in a SQuaRE-managed environment, you probably are not) then you may omit ``1password``. @@ -29,7 +27,7 @@ Checklist #. Create a new ``values-.yaml`` file in `/science-platform `__. Start with a template copied from an existing environment that's similar to the new environment. - Edit it so that ``environment``, ``fqdn``, and ``vault_path_prefix`` at the top match your new environment. Choose which services to enable or leave disabled. + Edit it to change the environment name at the top to match ```` and choose which services to enable or disable. #. Decide on your approach to TLS certificates. See :ref:`hostnames` for more details. @@ -42,7 +40,8 @@ Checklist See :doc:`cert-manager/route53-setup` for more details. #. For each enabled service, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__. - Customization will vary from service to service. + Customization will vary from service to service, but the most common change required is to set the fully-qualified domain name of the environment to the one that will be used for your new deployment. + This will be needed in ingress hostnames, NGINX authentication annotations, and the paths to Vault secrets (the part after ``k8s_operator`` should be the same fully-qualified domain name). See :ref:`service-notes` for more details on special considerations for individual services. diff --git a/docs/ops/nublado2/index.rst b/docs/ops/nublado2/index.rst index 3a1be5e818..dc011cf118 100644 --- a/docs/ops/nublado2/index.rst 
+++ b/docs/ops/nublado2/index.rst @@ -14,9 +14,7 @@ nublado2 .. rubric:: Overview -The ``nublado2`` service is an installation of a Rubin Observatory -flavor of Zero to JupyterHub with some additional resources. Those -resources are defined from `templates at `__ and the `Zero to Jupyterhub chart `__. +The ``nublado2`` service is an installation of JupyterHub from its `Helm chart `__. Upgrading ``nublado2`` is generally painless. A simple Argo CD sync is sufficient. diff --git a/docs/ops/postgres/add-database.rst b/docs/ops/postgres/add-database.rst index 69bfb5cbb4..933fda347b 100644 --- a/docs/ops/postgres/add-database.rst +++ b/docs/ops/postgres/add-database.rst @@ -26,13 +26,14 @@ identical and should reflect the service that will consume the database, e.g. ``gafaelfawr`` or ``exposurelog``. We will use ``exposurelog`` as the model for the remainder of this document. -================================== -Add the database to the deployment -================================== +========================== +Add the database to charts +========================== -Go to the ``services/postgres/templates`` directory from the Phalanx -root, and edit ``deployment.yaml`` to add the new database/password -entry. You should copy an existing entry, and it should look like this: +First, create the entries in ``charts``. Go to the +``charts/postgres/templates`` directory, and edit ``deployment.yaml`` to +add the new database/password entry. You should copy an existing +entry, and it should look like this: .. code-block:: yaml 
@@ -48,14 +49,17 @@ entry. You should copy an existing entry, and it should look like this: key: exposurelog_password {{- end }} -===================================== -Add the database to Phalanx installer -===================================== +Once you've done that, make sure you increment the chart version number in +``charts/postgres/Chart.yaml``. -Next add a password entry to Phalanx's installer, so the next time a new -cluster is deployed or an extant cluster is redeployed, the password -will be created. This belongs in ``installer/generate_secrets.py`` in -the ``_postgres()`` method. +=========================== +Add the database to phalanx +=========================== + +Next, tackle ``phalanx``. First, add the password entry to Phalanx's +installer, so the next time a new cluster is deployed or an extant +cluster is redeployed, the password will be created. This belongs in +``installer/generate_secrets.py`` in the ``_postgres()`` method. Typically we use passwords that are ASCII representations of random 32-byte hexadecimal sequences. The passwords for all the non-root @@ -66,6 +70,9 @@ and changing the name to reflect your service is usually correct: self._set_generated("postgres", "exposurelog_password", secrets.token_hex(32)) +Make the Phalanx ``services/postgres/Chart.yaml`` entry depend on the +new chart version you earlier created. + Finally, go edit the postgres ``values-.yaml`` files and add a section for your new database with appropriate ``user`` and ``db`` entries: 
@@ -107,13 +114,9 @@ Restart with new values ======================= Now it's finally time to synchronize Postgres in each environment. -There is no new application version, so all you should need to do is -resynchronize the deployment from ArgoCD. -This will cause a brief service interruption in the cluster, as the -existing deployment is recreated with additional environment variables -and PostgreSQL restarts, so bear that and your cluster's maintenance -window policy in mind. +This will cause a brief service interruption in the cluster, so bear +that and your cluster's maintenance window policy in mind. Much of the time, the restart of the ``postgres`` deployment gets stuck and the old Pod will not terminate and allow the new one to run. If diff --git a/docs/service-guide/add-service.rst b/docs/service-guide/add-service.rst index 630c233c85..030ec62f6b 100644 --- a/docs/service-guide/add-service.rst +++ b/docs/service-guide/add-service.rst 
@@ -6,32 +6,85 @@ Once you have a chart and a Docker image (see :doc:`create-service`) and you hav This is done by creating an Argo CD application that manages your service. This consists of an ``Application`` resource that's used by Argo CD and a small wrapper chart in the `Phalanx repository `__ that holds the ``values-*.yaml`` files to configure your service for each environment in which it's deployed. -#. For each environment in which your service will run, create a ``values-.yaml`` file in your application's service directory. +Add the wrapper chart +===================== + +#. Create a directory in `/services `__ named for the service (which should almost always be the same as the name of its chart). + +#. Create a ``Chart.yaml`` file in that directory for the wrapper chart. + This should look something like this: + + .. code-block:: yaml + + apiVersion: v2 + name: example + version: 1.0.0 + dependencies: + - name: example + version: 1.3.2 + repository: https://lsst-sqre.github.io/charts/ + - name: pull-secret + version: 0.1.2 + repository: https://lsst-sqre.github.io/charts/ + + The ``name`` field should be the same as the name of the directory, which again should be the same as the name of your chart. + The ``version`` field should always be ``1.0.0`` (see :ref:`chart-versioning` for an explanation). + The first entry in ``dependencies`` should point to your chart and pin its current version. + (Yes, this means you will need to make a PR against Phalanx for each new version of your chart.) + If you are directly referencing an external chart, the ``repository`` property may be different. + Finally, include the ``pull-secret`` dependency as-is. + This is used to configure a Docker pull secret that you will reference later. + +#. For each environment in which your service will run, create a ``values-.yaml`` file in this directory. This should hold only the customization per Rubin Science Platform deployment. 
- Any shared configuration should go into the defaults of your chart (``values.yaml``). + Any shared configuration should go into the defaults of your chart. + (An exception is if you are using an external chart directly, in which case you will need to add all configuration required for that chart. + See :ref:`external-chart-config` for more discussion.) + + Some common things to need to configure per-environment: + + - The ingress hostname (usually ``ingress.host``) + - The ``vaultSecretsPath`` for a secret + + Always tell any pods deployed by your service to use a pull secret named ``pull-secret``. + If you are using the default Helm template, this will mean a block like: + + .. code-block:: yaml + + imagePullSecrets: + - name: "pull-secret" + + under the section for your chart. + If you are using an external chart, see its documentation for how to configure pull secrets. + Configuring a pull secret is important to avoid running into Docker pull rate limits, which could otherwise prevent a pod from starting. - If it is a third-party application repackaged as a Phalanx chart, you will need to add its configuration a little differently. See :ref:`external-chart-config` for more discussion.) + **All configuration for your chart must be under a key named for your chart.** + For example, for a service named ``example``, a typical configuration may look like: -#. Most services will need a base URL, which is the top-level externally-accessible URL (this is presented within the chart as a separate parameter, although as we will see it is derived from the hostname) for the ingress to the application, the hostname, and the base path within Vault for storage of secrets. + .. 
code-block:: yaml + + example: + imagePullSecrets: + - name: "pull-secret" + + ingress: + host: "data.lsst.cloud" + + vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/example" - In general these will be set within the application definition within the ``science-platform`` directory and carried through to service charts via global ArgoCD variables. You should generally simply need the boilerplate setting them to empty: + That ``example:`` on the top line and the indentation is important. + If you omit it, all of your configuration will be silently ignored. - .. code-block: yaml:: + Finally, every ``values-*.yaml`` file (at least for now, until we find a better approach) must have, at the bottom, a stanza like: - # The following will be set by parameters injected by Argo CD and should not - # be set in the individual environment values files. - global: - # -- Base URL for the environment - # @default -- Set by Argo CD - baseUrl: "" + .. code-block:: yaml - # -- Host name for ingress - # @default -- Set by Argo CD - host: "" + pull-secret: + enabled: true + path: "secret/k8s_operator//pull-secret" - # -- Base path for Vault secrets - # @default -- Set by Argo CD - vaultSecretsPath: "" + See all the other directories under `/services `__ for examples. + You may want to copy and paste the basic setup including the ``pull-secret`` configuration from another service to save effort. Add the Argo CD application =========================== 
@@ -66,49 +119,14 @@ Add the Argo CD application repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" - - 'values-{{ .Values.environment }}.yaml" + - values-{{ .Values.environment }}.yaml {{- end -}} replacing every instance of ```` with the name of your service. - This creates the namespace and Argo CD application for your service. Note that this is where we derive baseURL from host. - - Note that bothh of ``fqdn`` and ``host`` must be defined in each RSP - instance definition file (that is, ``values-.yaml``). Typically - this is done at the top; should you at some point deploy an entirely - new instance of the RSP, remember to do this in the base - science-platform application definition for the new instance. - -#. If your application image resides at a Docker repository which - requires authentication (either to pull the image at all or to raise - the pull rate limit), then you must tell any pods deployed by your - service to use a pull secret named ``pull-secret``, and you must - configure that pull secret in the application's - ``vault-secrets.yaml``. If you are using the default Helm template, - this will mean a block like: - - .. code-block:: yaml - - imagePullSecrets: - - name: "pull-secret" - - under the section for your chart. - - If you are using an external chart, see its documentation for how to configure pull secrets. - - Note that if your container image is built through GitHub actions and stored at ghcr.io, there is no rate limiting (as long as your container image is built from a public repository, which it should be). If it is stored at Docker Hub, you should use a pull secret, because we have been (and will no doubt continue to be) rate-limited at Docker Hub in the past. 
If it is pulled from a private repository, obviously you will need authentication, and if the container is stored within the Rubin Google Artifact Registry, there is likely to be some Google setup required to make pulls magically work from within a given cluster. - - In general, copying and pasting the basic setup from another service (``cachemachine`` or ``mobu`` recommended for simple services) is a good way to save effort. + This creates the namespace and Argo CD application for your service. -#. Finally, edit ``values.yaml`` and each of the ``values-*.yaml`` files in `/science-platform `__ and add a stanza for your service. +#. Finally, edit each of the ``values-*.yaml`` files in `/science-platform `__ and add a stanza for your service. The stanza in ``values.yaml`` should always say: .. code-block:: yaml diff --git a/docs/service-guide/chart-changes.rst b/docs/service-guide/chart-changes.rst new file mode 100644 index 0000000000..86b0282f6b --- /dev/null +++ b/docs/service-guide/chart-changes.rst 
@@ -0,0 +1,26 @@ +#################################### +Changing charts and phalanx together +#################################### + +Quite often when working on RSP services you will find that you need +simultaneous changes to both the `charts repository `__ and the `phalanx repository `__. + +You may not want to roll out the charts changes prior to the phalanx changes, but at the same time, the phalanx changes require the charts changes. + +If the charts changes are low-risk--perhaps they just add new objects or settings--then it's often OK to release a new charts version, and then point phalanx at the new version. Then you can just update in ArgoCD and it's all very easy. + +This section, however, is about the times when it's risky to do that. + +The bad news is, you can't do this via ArgoCD. The good news is, it's pretty easy to do anyway, but you do need ``kubectl`` access to whatever cluster you're working on. Ideally this is a local ``minikube`` cluster, but if you're, say, using an Apple Silicon Mac, or you need access to real data, maybe you're doing it in ``data-dev`` or ``data-int``. + +#. Make your changes to both charts and phalanx. + +#. Ensure that you're using ``kubectl`` with a kubeconfig file giving access to the cluster you want to use. + +#. Generate a new chart with ``helm package `` in the ``charts/charts`` directory. This will generate a .tgz package of the application. + +#. In the correct phalanx ``services`` directory, update ``Chart.yaml`` to the new (unreleased) Chart version. Then update phalanx with ``helm dependency build .`` . This will try to download the dependent charts and will fail, because the version hasn't been released. Create a ``charts`` directory if it doesn't already exist, and copy the tarball you created into the previous step into it. + +#. Finally, run ``helm install . --values=``. 
+ +The running version will be out of sync in ArgoCD until you release the charts and phalanx changes, but it is testable in the cluster at this point. diff --git a/docs/service-guide/create-service.rst b/docs/service-guide/create-service.rst index 8af38810dd..ed5a10ef79 100644 --- a/docs/service-guide/create-service.rst +++ b/docs/service-guide/create-service.rst @@ -5,7 +5,7 @@ Create a new service This documentation is intended for service administrators who are writing a new service in Python. If the goal is to instead deploy a third-party service with its own Helm chart in the Rubin Science Platform, see :doc:`add-external-chart`. -To be deployed in the Rubin Science Platform, a service must come in the form of one or more Docker images and a Helm chart (or Kustomize configuration, although no service currently uses that approach) that deploys those images in Kubernetes. +To be deployed in the Rubin Science Platform, a service must come in the form of one or more Docker images and a Helm chart (or Kustomize configuration, although no one currently uses that approach) that deploys those images in Kubernetes. After you have finished the steps here, go to :doc:`add-service`. @@ -51,7 +51,7 @@ Create the Helm chart To deploy your service in the Rubin Science Platform, it must have either a Helm chart or a Kustomize configuration. Currently, all services use Helm charts. Kustomize is theoretically supported but there are no examples of how to make it work with multiple environments. -Using a Helm chart is recommended unless you are strongly motivated to work out the problems with using Kustomize and then document the newly-developed process. +Using a Helm chart is recommended unless you are strongly motivated to work out the problems with using Kustomize and write new documentation. Unfortunately, unlike for the service itself, we do not (yet) have a template for the Helm chart. However, Helm itself has a starter template that is not awful. 
@@ -77,7 +77,6 @@ You will need to make at least the following changes to the default Helm chart t For user-facing services you will want a scope other than ``exec:admin``. See `the Gafaelfawr documentation `__, specifically `protecting a service `__ for more information. -- If your service exposes Prometheus endpoints, you will want to configure these in the `telegraf service's prometheus_config `__. Documentation ------------- diff --git a/docs/service-guide/update-a-onepassword-secret.rst b/docs/service-guide/update-a-onepassword-secret.rst index e18eb46688..cf6c0d186d 100644 --- a/docs/service-guide/update-a-onepassword-secret.rst +++ b/docs/service-guide/update-a-onepassword-secret.rst @@ -5,7 +5,7 @@ Updating a secret stored in 1Password and VaultSecret Secrets that are stored in 1Password are synchronized into Vault using the `installer/generate_secrets.py `__ script. Once they are in Vault, they are accessible to the Vault Secrets Operator, which responds to creation of any ``VaultSecret`` resources in Kubernetes by grabbing the current value of the secret data in Vault. -The Vault Secrets Operator reconciles any changes as well by comparing Vault's state with that of any ``VaultSecret`` resources every 60 seconds. +The Vault Secrets Operator reconciles any changes as well by comparing Vault's state with that of any ``VaultSecret``s every 60 seconds. This reconciliation process can also take a bit of time; the net result is that you can expect changes to be reflected after a few minutes. .. note:: diff --git a/docs/service-guide/upgrade.rst b/docs/service-guide/upgrade.rst index b73f428ade..c2d781a554 100644 --- a/docs/service-guide/upgrade.rst +++ b/docs/service-guide/upgrade.rst 
@@ -2,12 +2,16 @@ Upgrading a service ################### -#. Release a new version of the service by pushing an image with the new version tag to whichever Docker repository is used. For more recent applications, this image should be built and pushed as a GitHub action upon release of a new version. +#. Release a new version of the service by pushing an image with the new version tag to Docker Hub (or whatever Docker repository is used). -#. There are multiple possibilities that depend on the sort of application you have. - - If it is a first-party application such as ``cachemachine``, with its chart directly in Phalanx, then it should use the recommended pattern of determining the default Docker tag via the ``appVersion`` chart metadata. This will only require updating ``appVersion`` in ``Chart.yaml``. - - If, like ``cert-manager``, it's a third-party application with some extra resources glued in, and you are updating to a newer version of the third-party Helm chart, you will need to update the ``version`` in the dependency. - - If it is a complex application such as ``sasquatch`` that bundles first- and third-party applications, you may need to do both, or indeed descend into the ``charts`` directory and update the ``appVersion`` of the subcharts therein. Tricky cases such as these may require some study before deciding on the best course of action. +#. Update the chart in the `charts repository `__ to install the current version. + For charts using the recommended pattern of determining the default Docker tag via the ``appVersion`` chart metadata, this only requires updating ``appVersion`` in ``Chart.yaml``. + Some charts cannot (or do not) do this, in which case the version has to be changed elsewhere, normally in ``values.yaml``. + Also update the ``version`` of the chart in ``Chart.yaml`` (which follows `semantic versioning`_). + When this PR is merged, a new chart will automatically be published. 
-Once you have updated the service, Argo CD will that the change is pending, but no changes will be applied automatically. +#. Update the chart version in the Phalanx ``Chart.yaml`` file for the appropriate service under `/services `__. + If the chart is not pinned (if, in other words, it uses a version range constraint instead of a specific version), no Phalanx change is required. + +This will tell Argo CD that the change is pending, but no changes are applied automatically. To apply the changes in a given environment, see :doc:`sync-argo-cd`. From 6a8aa981e8adabfeade73ebc88de0b0d2924402d Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Mon, 25 Jul 2022 18:44:48 -0700 Subject: [PATCH 0825/1479] [DM-35704] Mobu to 4.4.3 --- services/mobu/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index ecaa615c09..ae444f1f93 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -3,4 +3,4 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu -appVersion: 4.4.2 +appVersion: 4.4.3 From 286245e0273d6e35b659bdff1f8f56f02ef1163c Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Mon, 25 Jul 2022 19:59:10 -0700 Subject: [PATCH 0826/1479] [DM-35704] Tap to 1.3.0 Set up default values for connection pools based on what they were back in the xml. --- services/tap/Chart.yaml | 4 ++-- services/tap/templates/tap-deployment.yaml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml index f7dac14212..724d8620ae 100644 --- a/services/tap/Chart.yaml +++ b/services/tap/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 -appVersion: "1.2.1" +appVersion: "1.3.0" description: A Helm chart for the CADC TAP service home: https://github.com/lsst-sqre/lsst-tap-service name: cadc-tap -version: 1.0.9 +version: 1.1.0 
diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index ffa9a9ec4c..affdd2f682 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -34,10 +34,12 @@ spec: -Dqservuser.jdbc.password= -Dqservuser.jdbc.driverClassName=com.mysql.cj.jdbc.Driver -Dqservuser.jdbc.url=jdbc:mysql://{{ .Values.qserv.host }}/ + -Dqservuser.maxActive=100 -Dtapuser.jdbc.username=TAP_SCHEMA -Dtapuser.jdbc.password=TAP_SCHEMA -Dtapuser.jdbc.driverClassName=com.mysql.cj.jdbc.Driver -Dtapuser.jdbc.url=jdbc:mysql://{{ .Values.config.tapSchemaAddress }}/ + -Dtapuser.maxActive=100 -Dca.nrc.cadc.reg.client.RegistryClient.local=true -Duws.jdbc.username=postgres -Duws.jdbc.driverClassName=org.postgresql.Driver From 8ba0551933fba4d9ceb8f872be25c02c64fc5cf9 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Mon, 25 Jul 2022 20:53:59 -0700 Subject: [PATCH 0827/1479] [DM-35704] TAP to 1.3.1 --- services/tap/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml index 724d8620ae..a01d58cb65 100644 --- a/services/tap/Chart.yaml +++ b/services/tap/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: "1.3.0" +appVersion: "1.3.1" description: A Helm chart for the CADC TAP service home: https://github.com/lsst-sqre/lsst-tap-service name: cadc-tap From ee8d2eb14771738a9bfa2993071427e93d339da5 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Tue, 26 Jul 2022 09:40:09 -0700 Subject: [PATCH 0828/1479] [DM-35717] Mobu 4.4.4 --- services/mobu/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index ae444f1f93..919ea77eb9 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml 
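Review bot: The added `-Dqservuser.maxActive=100` and `-Dtapuser.maxActive=100` lines hard-code the connection-pool size into the deployment template, so the "default values" the commit message describes cannot be adjusted per environment without editing the chart. The neighbouring JDBC settings in the same args block are already driven from chart values (`{{ .Values.qserv.host }}`, `{{ .Values.config.tapSchemaAddress }}`), so the same pattern fits here, for example `-Dqservuser.maxActive={{ .Values.config.qservMaxActive | default 100 }}` and `-Dtapuser.maxActive={{ .Values.config.tapSchemaMaxActive | default 100 }}` with documented entries in values.yaml (the key names are proposals, not existing values). Unrelated to this change but visible in the context lines, the JDBC passwords (`-Dtapuser.jdbc.password=TAP_SCHEMA`, an empty `-Dqservuser.jdbc.password=`) are passed on the command line where anyone able to read the pod spec or process list can see them; worth a follow-up if they are ever non-trivial. The container args block these lines belong to starts and ends outside the hunk.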
@@ -3,4 +3,4 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu -appVersion: 4.4.3 +appVersion: 4.4.4 From 9076f9365021e782b8131bc3fd16b9cb376813ec Mon Sep 17 00:00:00 2001 From: roby Date: Thu, 21 Jul 2022 15:26:22 -0600 Subject: [PATCH 0829/1479] suit-2022.5 - update hips 360 - testing on int - fixed json syntax error - removed trailing slash on hips --- services/portal/templates/deployment.yaml | 6 ++++-- services/portal/values-idfdev.yaml | 2 +- services/portal/values-idfint.yaml | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index 55cadc52ef..f3259a9fef 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml @@ -56,8 +56,10 @@ spec: "coverage": { {{- if .Values.config.hipsUrl }} "hipsSourceURL" : "{{ .Values.config.hipsUrl }}", + "hipsSource360URL" : "{{ .Values.config.hipsUrl }}" {{- else }} - "hipsSourceURL" : "{{ .Values.global.baseUrl }}/api/hips/images/color_gri/", + "hipsSourceURL" : "{{ .Values.global.baseUrl }}/api/hips/images/color_gri", + "hipsSource360URL" : "{{ .Values.global.baseUrl }}/api/hips/images/color_gri" {{- end }} }, "tap" : { @@ -68,7 +70,7 @@ spec: {{- if .Values.config.hipsUrl }} "hipsUrl": "{{ .Values.config.hipsUrl }}", {{- else }} - "hipsUrl": "{{ .Values.global.baseUrl }}/api/hips/images/color_gri/", + "hipsUrl": "{{ .Values.global.baseUrl }}/api/hips/images/color_gri", {{- end }} "centerWP": "62;-37;EQ_J2000", "fovDeg": 10 diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index be33bd422b..d1fca00dde 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -1,7 +1,7 @@ replicaCount: 2 image: - tag: "suit-2022.4" + tag: "suit-2022.5" config: volumes: 
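Review bot: The new `"hipsSource360URL" : "{{ .Values.config.hipsUrl }}"` line (and its `global.baseUrl` counterpart in the else branch) interpolates the value into a hand-written JSON document with no escaping, so a URL containing a double quote or backslash silently produces invalid JSON for the portal — the same fragility the commit message describes having just fixed. Rendering the value with Helm's JSON encoder, e.g. `"hipsSource360URL": {{ .Values.config.hipsUrl | toJson }}` (and likewise for `hipsSourceURL` and the `hipsUrl` key in the second hunk), guarantees a well-formed JSON string whatever the content. These values come from `values-*.yaml` and an Argo CD parameter rather than end-user input, so this is a robustness point rather than an injection risk. The enclosing `"coverage"` object and the JSON document it belongs to start outside the hunk.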
diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 4661a8f856..65473bc5f0 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -1,7 +1,7 @@ replicaCount: 4 image: - tag: "suit-2022.4" + tag: "suit-2022.5" config: volumes: From 4a4e366b4ac1c2aeb4247d9905a3231281128c79 Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Wed, 27 Jul 2022 10:57:49 -0700 Subject: [PATCH 0830/1479] narrativelog: update appVersion --- services/narrativelog/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml index 042c12b017..deef9a0318 100644 --- a/services/narrativelog/Chart.yaml +++ b/services/narrativelog/Chart.yaml @@ -9,4 +9,4 @@ version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.3.0 +appVersion: 0.4.0 From 6022e28bb52ecab2b32838385f4fe328cc34f657 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 25 Jul 2022 15:55:11 -0700 Subject: [PATCH 0831/1479] Update docs to reflect charts->phalanx migration --- docs/arch/repository.rst | 17 +-- docs/conf.py | 2 +- docs/index.rst | 1 - docs/ops/bootstrapping.rst | 9 +- docs/ops/nublado2/index.rst | 4 +- docs/ops/postgres/add-database.rst | 41 +++--- docs/service-guide/add-service.rst | 130 ++++++++---------- docs/service-guide/chart-changes.rst | 26 ---- docs/service-guide/create-service.rst | 5 +- .../update-a-onepassword-secret.rst | 2 +- docs/service-guide/upgrade.rst | 16 +-- 11 files changed, 101 insertions(+), 152 deletions(-) delete mode 100644 docs/service-guide/chart-changes.rst diff --git a/docs/arch/repository.rst b/docs/arch/repository.rst index 3aeabe9741..eb9ed441ae 100644 --- a/docs/arch/repository.rst 
+++ b/docs/arch/repository.rst @@ -29,14 +29,11 @@ Charts Argo CD manages services in the Rubin Science Platform through a set of Helm charts. Which Helm charts to deploy in a given environment is controlled by the ``values-.yaml`` files in `/science-platform `__. -For nearly all charts, there are at least two layers of charts. -The upper layer of charts, the ones installed directly by Argo CD, are found in the `/services `__ directory. -These charts usually contain only dependencies and ``values-.yaml`` files to customize the service for each environment. -Sometimes they may contain a small set of resources that are very specific to the Science Platform. +The `/services `__ directory defines templates in its ``templates`` directory and values to resolve those templates in ``values.yaml`` and ``values-.yaml`` files to customize the service for each environment. For first-party charts, the ``templates`` directory is generally richly populated. -The real work of deploying an service is done by the next layer of charts, which are declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top layer of charts. +For third-party charts the ``templates`` directory might not exist or might have only a small set of resources specific to the Science Platform. In that case, most of the work of deploying a service is done by charts declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top-level service chart. By convention, the top-level chart has the same name as the underlying chart that it deploys. -This second layer of charts may be external third-party Helm charts provided by other projects, or may be Helm charts maintained by Rubin Observatory. +Subcharts may be external third-party Helm charts provided by other projects, or, in rare instances, they may be Helm charts maintained by Rubin Observatory. In the latter case, these charts are maintained in the `lsst-sqre/charts GitHub repository `__. .. _chart-versioning: 
@@ -47,21 +44,21 @@ Chart versioning The top level of charts defined in the ``/services`` directory are used only by Argo CD and are never published as Helm charts. Their versions are therefore irrelevant. The version of each chart is set to ``1.0.0`` because ``version`` is a required field in ``Chart.yaml`` and then never changed. -Reverting to a previous configuration in this layer of charts is done via a manual revert in Argo CD or by reverting a change in the GitHub repository, not by pointing Argo CD to an older chart. +It is instead the ``appVersion`` field that is used to point to a particular release of a first-person chart. Reverting to a previous configuration in this layer of charts is done via a manual revert in Argo CD or by reverting a change in the GitHub repository so that the ``appVersion`` points to an earlier release. It is **not** done by pointing Argo CD to an older chart. -The second layer of charts that are declared as dependencies are normal, published Helm charts that follow normal Helm semantic versioning conventions. +Third-party charts are declared as dependencies; they are normal, published Helm charts that follow normal Helm semantic versioning conventions. In the case of the ``lsst-sqre/charts`` repository, this is enforced by CI. We can then constrain the version of the chart Argo CD will deploy by changing the ``dependencies`` configuration in the top-level chart. Best practice is for a release of a chart to deploy the latest version of the corresponding service, so that upgrading the chart also implies upgrading the service. This allows automatic creation of pull requests to upgrade any services deployed by Argo CD (see `SQR-042 `__ for more details). -Charts maintained in lsst-sqre/charts follow this convention (for the most part). +Charts maintained as first-party charts in Phalanx follow this convention (for the most part). 
Most upstream charts also follow this convention, but some require explicitly changing version numbers in ``values-*.yaml``. In general, we pin the version of the chart to deploy in the ``dependencies`` metadata of the top-level chart. This ensures deterministic cluster configuration and avoids inadvertently upgrading services. However, for services still under development, we sometimes use a floating dependency to reduce the number of pull requests required when iterating, and then switch to a pinned version once the service is stable. -There is currently no mechanism to deploy different versions of a chart in different environments. +There is currently no general mechanism to deploy different versions of a chart in different environments, as appVersion is set in ``Chart.yaml``. We will probably need a mechanism to do this eventually, and have considered possible implementation strategies, but have not yet started on this work. In the meantime, we disable automatic deployment in Argo CD so there is a human check on whether a given chart is safe to deploy in a given environment. diff --git a/docs/conf.py b/docs/conf.py index 88675d9bc4..4c3690b0cc 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -59,7 +59,7 @@ # # This is also used if you do content translation via gettext catalogs. # Usually you set "language" from the command line for these cases. -language = None +language = "en" # There are two options for replacing |today|: either, you set today to some # non-false value, then it is used: diff --git a/docs/index.rst b/docs/index.rst index 91221f1050..4a37cf09c2 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -42,7 +42,6 @@ General development and operations service-guide/local-development service-guide/sync-argo-cd service-guide/upgrade - service-guide/chart-changes Specific tasks -------------- diff --git a/docs/ops/bootstrapping.rst b/docs/ops/bootstrapping.rst index 89cc879eba..e7ca1a8364 100644 --- a/docs/ops/bootstrapping.rst 
+++ b/docs/ops/bootstrapping.rst @@ -19,7 +19,9 @@ Requirements Checklist ========= -#. Fork the `phalanx repository `__ if this work is separate from the SQuaRE-managed environments. +#. Fork the `phalanx repository + `__ if this work is separate + from the SQuaRE-managed environments. #. Create a virtual environment with the tools you will need from the installer's `requirements.txt `__. If you are not using 1password as your source of truth (which, if you are not in a SQuaRE-managed environment, you probably are not) then you may omit ``1password``. @@ -27,7 +29,7 @@ Checklist #. Create a new ``values-.yaml`` file in `/science-platform `__. Start with a template copied from an existing environment that's similar to the new environment. - Edit it to change the environment name at the top to match ```` and choose which services to enable or disable. + Edit it so that ``environment``, ``fqdn``, and ``vault_path_prefix`` at the top match your new environment. Choose which services to enable or leave disabled. #. Decide on your approach to TLS certificates. See :ref:`hostnames` for more details. @@ -40,8 +42,7 @@ Checklist See :doc:`cert-manager/route53-setup` for more details. #. For each enabled service, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__. - Customization will vary from service to service, but the most common change required is to set the fully-qualified domain name of the environment to the one that will be used for your new deployment. - This will be needed in ingress hostnames, NGINX authentication annotations, and the paths to Vault secrets (the part after ``k8s_operator`` should be the same fully-qualified domain name). + Customization will vary from service to service. See :ref:`service-notes` for more details on special considerations for individual services. diff --git a/docs/ops/nublado2/index.rst b/docs/ops/nublado2/index.rst index dc011cf118..3a1be5e818 100644 --- a/docs/ops/nublado2/index.rst 
+++ b/docs/ops/nublado2/index.rst @@ -14,7 +14,9 @@ nublado2 .. rubric:: Overview -The ``nublado2`` service is an installation of JupyterHub from its `Helm chart `__. +The ``nublado2`` service is an installation of a Rubin Observatory +flavor of Zero to JupyterHub with some additional resources. Those +resources are defined from `templates at `__ and the `Zero to Jupyterhub chart `__. Upgrading ``nublado2`` is generally painless. A simple Argo CD sync is sufficient. diff --git a/docs/ops/postgres/add-database.rst b/docs/ops/postgres/add-database.rst index 933fda347b..69bfb5cbb4 100644 --- a/docs/ops/postgres/add-database.rst +++ b/docs/ops/postgres/add-database.rst @@ -26,14 +26,13 @@ identical and should reflect the service that will consume the database, e.g. ``gafaelfawr`` or ``exposurelog``. We will use ``exposurelog`` as the model for the remainder of this document. -========================== -Add the database to charts -========================== +================================== +Add the database to the deployment +================================== -First, create the entries in ``charts``. Go to the -``charts/postgres/templates`` directory, and edit ``deployment.yaml`` to -add the new database/password entry. You should copy an existing -entry, and it should look like this: +Go to the ``services/postgres/templates`` directory from the Phalanx +root, and edit ``deployment.yaml`` to add the new database/password +entry. You should copy an existing entry, and it should look like this: .. code-block:: yaml 
@@ -49,17 +48,14 @@ entry, and it should look like this: key: exposurelog_password {{- end }} -Once you've done that, make sure you increment the chart version number in -``charts/postgres/Chart.yaml``. +===================================== +Add the database to Phalanx installer +===================================== -=========================== -Add the database to phalanx -=========================== - -Next, tackle ``phalanx``. First, add the password entry to Phalanx's -installer, so the next time a new cluster is deployed or an extant -cluster is redeployed, the password will be created. This belongs in -``installer/generate_secrets.py`` in the ``_postgres()`` method. +Next add a password entry to Phalanx's installer, so the next time a new +cluster is deployed or an extant cluster is redeployed, the password +will be created. This belongs in ``installer/generate_secrets.py`` in +the ``_postgres()`` method. Typically we use passwords that are ASCII representations of random 32-byte hexadecimal sequences. The passwords for all the non-root @@ -70,9 +66,6 @@ and changing the name to reflect your service is usually correct: self._set_generated("postgres", "exposurelog_password", secrets.token_hex(32)) -Make the Phalanx ``services/postgres/Chart.yaml`` entry depend on the -new chart version you earlier created. - Finally, go edit the postgres ``values-.yaml`` files and add a section for your new database with appropriate ``user`` and ``db`` entries: 
@@ -114,9 +107,13 @@ Restart with new values ======================= Now it's finally time to synchronize Postgres in each environment. +There is no new application version, so all you should need to do is +resynchronize the deployment from ArgoCD. -This will cause a brief service interruption in the cluster, so bear -that and your cluster's maintenance window policy in mind. +This will cause a brief service interruption in the cluster, as the +existing deployment is recreated with additional environment variables +and PostgreSQL restarts, so bear that and your cluster's maintenance +window policy in mind. Much of the time, the restart of the ``postgres`` deployment gets stuck and the old Pod will not terminate and allow the new one to run. If diff --git a/docs/service-guide/add-service.rst b/docs/service-guide/add-service.rst index 030ec62f6b..630c233c85 100644 --- a/docs/service-guide/add-service.rst +++ b/docs/service-guide/add-service.rst 
@@ -6,85 +6,32 @@ Once you have a chart and a Docker image (see :doc:`create-service`) and you hav This is done by creating an Argo CD application that manages your service. This consists of an ``Application`` resource that's used by Argo CD and a small wrapper chart in the `Phalanx repository `__ that holds the ``values-*.yaml`` files to configure your service for each environment in which it's deployed. -Add the wrapper chart -===================== - -#. Create a directory in `/services `__ named for the service (which should almost always be the same as the name of its chart). - -#. Create a ``Chart.yaml`` file in that directory for the wrapper chart. - This should look something like this: - - .. code-block:: yaml - - apiVersion: v2 - name: example - version: 1.0.0 - dependencies: - - name: example - version: 1.3.2 - repository: https://lsst-sqre.github.io/charts/ - - name: pull-secret - version: 0.1.2 - repository: https://lsst-sqre.github.io/charts/ - - The ``name`` field should be the same as the name of the directory, which again should be the same as the name of your chart. - The ``version`` field should always be ``1.0.0`` (see :ref:`chart-versioning` for an explanation). - The first entry in ``dependencies`` should point to your chart and pin its current version. - (Yes, this means you will need to make a PR against Phalanx for each new version of your chart.) - If you are directly referencing an external chart, the ``repository`` property may be different. - Finally, include the ``pull-secret`` dependency as-is. - This is used to configure a Docker pull secret that you will reference later. - -#. For each environment in which your service will run, create a ``values-.yaml`` file in this directory. +#. For each environment in which your service will run, create a ``values-.yaml`` file in your application's service directory. This should hold only the customization per Rubin Science Platform deployment. 
- Any shared configuration should go into the defaults of your chart. - (An exception is if you are using an external chart directly, in which case you will need to add all configuration required for that chart. - See :ref:`external-chart-config` for more discussion.) - - Some common things to need to configure per-environment: - - - The ingress hostname (usually ``ingress.host``) - - The ``vaultSecretsPath`` for a secret - - Always tell any pods deployed by your service to use a pull secret named ``pull-secret``. - If you are using the default Helm template, this will mean a block like: - - .. code-block:: yaml - - imagePullSecrets: - - name: "pull-secret" - - under the section for your chart. - If you are using an external chart, see its documentation for how to configure pull secrets. - Configuring a pull secret is important to avoid running into Docker pull rate limits, which could otherwise prevent a pod from starting. + Any shared configuration should go into the defaults of your chart (``values.yaml``). - **All configuration for your chart must be under a key named for your chart.** - For example, for a service named ``example``, a typical configuration may look like: + If it is a third-party application repackaged as a Phalanx chart, you will need to add its configuration a little differently. See :ref:`external-chart-config` for more discussion.) - .. code-block:: yaml - - example: - imagePullSecrets: - - name: "pull-secret" - - ingress: - host: "data.lsst.cloud" - - vaultSecretsPath: "secret/k8s_operator/data.lsst.cloud/example" +#. Most services will need a base URL, which is the top-level externally-accessible URL (this is presented within the chart as a separate parameter, although as we will see it is derived from the hostname) for the ingress to the application, the hostname, and the base path within Vault for storage of secrets. - That ``example:`` on the top line and the indentation is important. 
- If you omit it, all of your configuration will be silently ignored. + In general these will be set within the application definition within the ``science-platform`` directory and carried through to service charts via global ArgoCD variables. You should generally simply need the boilerplate setting them to empty: - Finally, every ``values-*.yaml`` file (at least for now, until we find a better approach) must have, at the bottom, a stanza like: + .. code-block: yaml:: - .. code-block:: yaml + # The following will be set by parameters injected by Argo CD and should not + # be set in the individual environment values files. + global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" - pull-secret: - enabled: true - path: "secret/k8s_operator//pull-secret" + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" - See all the other directories under `/services `__ for examples. - You may want to copy and paste the basic setup including the ``pull-secret`` configuration from another service to save effort. + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" Add the Argo CD application =========================== 
@@ -119,14 +66,49 @@ Add the Argo CD application repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - 'values-{{ .Values.environment }}.yaml" {{- end -}} replacing every instance of ```` with the name of your service. - This creates the namespace and Argo CD application for your service. + This creates the namespace and Argo CD application for your service. Note that this is where we derive baseURL from host. + + Note that bothh of ``fqdn`` and ``host`` must be defined in each RSP + instance definition file (that is, ``values-.yaml``). Typically + this is done at the top; should you at some point deploy an entirely + new instance of the RSP, remember to do this in the base + science-platform application definition for the new instance. + +#. If your application image resides at a Docker repository which + requires authentication (either to pull the image at all or to raise + the pull rate limit), then you must tell any pods deployed by your + service to use a pull secret named ``pull-secret``, and you must + configure that pull secret in the application's + ``vault-secrets.yaml``. If you are using the default Helm template, + this will mean a block like: + + .. code-block:: yaml + + imagePullSecrets: + - name: "pull-secret" + + under the section for your chart. + + If you are using an external chart, see its documentation for how to configure pull secrets. + + Note that if your container image is built through GitHub actions and stored at ghcr.io, there is no rate limiting (as long as your container image is built from a public repository, which it should be). 
If it is stored at Docker Hub, you should use a pull secret, because we have been (and will no doubt continue to be) rate-limited at Docker Hub in the past. If it is pulled from a private repository, obviously you will need authentication, and if the container is stored within the Rubin Google Artifact Registry, there is likely to be some Google setup required to make pulls magically work from within a given cluster. + + In general, copying and pasting the basic setup from another service (``cachemachine`` or ``mobu`` recommended for simple services) is a good way to save effort. -#. Finally, edit each of the ``values-*.yaml`` files in `/science-platform `__ and add a stanza for your service. +#. Finally, edit ``values.yaml`` and each of the ``values-*.yaml`` files in `/science-platform `__ and add a stanza for your service. The stanza in ``values.yaml`` should always say: .. code-block:: yaml diff --git a/docs/service-guide/chart-changes.rst b/docs/service-guide/chart-changes.rst deleted file mode 100644 index 86b0282f6b..0000000000 --- a/docs/service-guide/chart-changes.rst +++ /dev/null 
@@ -1,26 +0,0 @@ -#################################### -Changing charts and phalanx together -#################################### - -Quite often when working on RSP services you will find that you need -simultaneous changes to both the `charts repository `__ and the `phalanx repository `__. - -You may not want to roll out the charts changes prior to the phalanx changes, but at the same time, the phalanx changes require the charts changes. - -If the charts changes are low-risk--perhaps they just add new objects or settings--then it's often OK to release a new charts version, and then point phalanx at the new version. Then you can just update in ArgoCD and it's all very easy. - -This section, however, is about the times when it's risky to do that. - -The bad news is, you can't do this via ArgoCD. The good news is, it's pretty easy to do anyway, but you do need ``kubectl`` access to whatever cluster you're working on. Ideally this is a local ``minikube`` cluster, but if you're, say, using an Apple Silicon Mac, or you need access to real data, maybe you're doing it in ``data-dev`` or ``data-int``. - -#. Make your changes to both charts and phalanx. - -#. Ensure that you're using ``kubectl`` with a kubeconfig file giving access to the cluster you want to use. - -#. Generate a new chart with ``helm package `` in the ``charts/charts`` directory. This will generate a .tgz package of the application. - -#. In the correct phalanx ``services`` directory, update ``Chart.yaml`` to the new (unreleased) Chart version. Then update phalanx with ``helm dependency build .`` . This will try to download the dependent charts and will fail, because the version hasn't been released. Create a ``charts`` directory if it doesn't already exist, and copy the tarball you created into the previous step into it. - -#. Finally, run ``helm install . --values=``. 
- -The running version will be out of sync in ArgoCD until you release the charts and phalanx changes, but it is testable in the cluster at this point. diff --git a/docs/service-guide/create-service.rst b/docs/service-guide/create-service.rst index ed5a10ef79..8af38810dd 100644 --- a/docs/service-guide/create-service.rst +++ b/docs/service-guide/create-service.rst @@ -5,7 +5,7 @@ Create a new service This documentation is intended for service administrators who are writing a new service in Python. If the goal is to instead deploy a third-party service with its own Helm chart in the Rubin Science Platform, see :doc:`add-external-chart`. -To be deployed in the Rubin Science Platform, a service must come in the form of one or more Docker images and a Helm chart (or Kustomize configuration, although no one currently uses that approach) that deploys those images in Kubernetes. +To be deployed in the Rubin Science Platform, a service must come in the form of one or more Docker images and a Helm chart (or Kustomize configuration, although no service currently uses that approach) that deploys those images in Kubernetes. After you have finished the steps here, go to :doc:`add-service`. @@ -51,7 +51,7 @@ Create the Helm chart To deploy your service in the Rubin Science Platform, it must have either a Helm chart or a Kustomize configuration. Currently, all services use Helm charts. Kustomize is theoretically supported but there are no examples of how to make it work with multiple environments. -Using a Helm chart is recommended unless you are strongly motivated to work out the problems with using Kustomize and write new documentation. +Using a Helm chart is recommended unless you are strongly motivated to work out the problems with using Kustomize and then document the newly-developed process. Unfortunately, unlike for the service itself, we do not (yet) have a template for the Helm chart. However, Helm itself has a starter template that is not awful. 
@@ -77,6 +77,7 @@ You will need to make at least the following changes to the default Helm chart t For user-facing services you will want a scope other than ``exec:admin``. See `the Gafaelfawr documentation `__, specifically `protecting a service `__ for more information. +- If your service exposes Prometheus endpoints, you will want to configure these in the `telegraf service's prometheus_config `__. Documentation ------------- diff --git a/docs/service-guide/update-a-onepassword-secret.rst b/docs/service-guide/update-a-onepassword-secret.rst index cf6c0d186d..e18eb46688 100644 --- a/docs/service-guide/update-a-onepassword-secret.rst +++ b/docs/service-guide/update-a-onepassword-secret.rst @@ -5,7 +5,7 @@ Updating a secret stored in 1Password and VaultSecret Secrets that are stored in 1Password are synchronized into Vault using the `installer/generate_secrets.py `__ script. Once they are in Vault, they are accessible to the Vault Secrets Operator, which responds to creation of any ``VaultSecret`` resources in Kubernetes by grabbing the current value of the secret data in Vault. -The Vault Secrets Operator reconciles any changes as well by comparing Vault's state with that of any ``VaultSecret``s every 60 seconds. +The Vault Secrets Operator reconciles any changes as well by comparing Vault's state with that of any ``VaultSecret`` resources every 60 seconds. This reconciliation process can also take a bit of time; the net result is that you can expect changes to be reflected after a few minutes. .. note:: diff --git a/docs/service-guide/upgrade.rst b/docs/service-guide/upgrade.rst index c2d781a554..b73f428ade 100644 --- a/docs/service-guide/upgrade.rst +++ b/docs/service-guide/upgrade.rst 
@@ -2,16 +2,12 @@ Upgrading a service ################### -#. Release a new version of the service by pushing an image with the new version tag to Docker Hub (or whatever Docker repository is used). +#. Release a new version of the service by pushing an image with the new version tag to whichever Docker repository is used. For more recent applications, this image should be built and pushed as a GitHub action upon release of a new version. -#. Update the chart in the `charts repository `__ to install the current version. - For charts using the recommended pattern of determining the default Docker tag via the ``appVersion`` chart metadata, this only requires updating ``appVersion`` in ``Chart.yaml``. - Some charts cannot (or do not) do this, in which case the version has to be changed elsewhere, normally in ``values.yaml``. - Also update the ``version`` of the chart in ``Chart.yaml`` (which follows `semantic versioning`_). - When this PR is merged, a new chart will automatically be published. +#. There are multiple possibilities that depend on the sort of application you have. + - If it is a first-party application such as ``cachemachine``, with its chart directly in Phalanx, then it should use the recommended pattern of determining the default Docker tag via the ``appVersion`` chart metadata. This will only require updating ``appVersion`` in ``Chart.yaml``. + - If, like ``cert-manager``, it's a third-party application with some extra resources glued in, and you are updating to a newer version of the third-party Helm chart, you will need to update the ``version`` in the dependency. + - If it is a complex application such as ``sasquatch`` that bundles first- and third-party applications, you may need to do both, or indeed descend into the ``charts`` directory and update the ``appVersion`` of the subcharts therein. Tricky cases such as these may require some study before deciding on the best course of action. -#. 
Update the chart version in the Phalanx ``Chart.yaml`` file for the appropriate service under `/services `__. - If the chart is not pinned (if, in other words, it uses a version range constraint instead of a specific version), no Phalanx change is required. - -This will tell Argo CD that the change is pending, but no changes are applied automatically. +Once you have updated the service, Argo CD will that the change is pending, but no changes will be applied automatically. To apply the changes in a given environment, see :doc:`sync-argo-cd`. From ab0a8a751456b45d9108d17c5cf975c045fc86ba Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 28 Jul 2022 09:35:58 -0700 Subject: [PATCH 0832/1479] Address review commentary --- docs/arch/repository.rst | 8 +-- docs/service-guide/add-service.rst | 71 ++++++++++++++++++++++++--- docs/service-guide/create-service.rst | 68 +++---------------------- 3 files changed, 74 insertions(+), 73 deletions(-) diff --git a/docs/arch/repository.rst b/docs/arch/repository.rst index eb9ed441ae..2806ed5120 100644 --- a/docs/arch/repository.rst +++ b/docs/arch/repository.rst 
@@ -59,6 +59,8 @@ In general, we pin the version of the chart to deploy in the ``dependencies`` me
This ensures deterministic cluster configuration and avoids inadvertently upgrading services.
However, for services still under development, we sometimes use a floating dependency to reduce the number of pull requests required when iterating, and then switch to a pinned version once the service is stable.
-There is currently no general mechanism to deploy different versions of a chart in different environments, as appVersion is set in ``Chart.yaml``.
-We will probably need a mechanism to do this eventually, and have considered possible implementation strategies, but have not yet started on this work.
-In the meantime, we disable automatic deployment in Argo CD so there is a human check on whether a given chart is safe to deploy in a given environment.
+There is currently no generic mechanism to deploy different versions of a chart in different environments, as appVersion is set in ``Chart.yaml``.
+
+That does not mean that rolling out a new version is all-or-nothing: you have a couple of different options for testing new versions. The easiest is to modify the appVersion in ``Chart.yaml`` on your development branch and then use ArgoCD to deploy the application from the branch, rather than ``master``, ``main``, or ``HEAD`` (as the case may be). This will cause the application resource in the ``science-platform`` app to show as out of sync, which is indeed correct, and a helpful reminder that you may be running from a branch when you forget and subsequently rediscover that fact weeks later.
+Additionally, many charts allow specification of a tag (usually some variable like ``image.tag`` in a values file), so that is a possibility as well. If your chart doesn't have a way to control what image tag you're deploying from, consider adding the capability.
+In any event, for RSP instances, we (as a matter of policy) disable automatic deployment in Argo CD so there is a human check on whether a given chart is safe to deploy in a given environment, and updates are deployed to production environments (barring extraordinary circumstances) during our specified maintenance windows.
diff --git a/docs/service-guide/add-service.rst b/docs/service-guide/add-service.rst
index 630c233c85..9d5d7d3589 100644
--- a/docs/service-guide/add-service.rst
+++ b/docs/service-guide/add-service.rst
@@ -2,9 +2,67 @@ Add a new service to Phalanx
############################
-Once you have a chart and a Docker image (see :doc:`create-service`) and you have added your static service secrets to 1Password (see :doc:`add-a-onepassword-secret`), you need to integrate your service into Phalanx.
+
+Create the Helm chart
+=====================
+
+To deploy your service in the Rubin Science Platform, it must have either a Helm chart or a Kustomize configuration.
+Currently, all services use Helm charts.
+Kustomize is theoretically supported but there are no examples of how to make it work with multiple environments.
+Using a Helm chart is recommended unless you are strongly motivated to work out the problems with using Kustomize and then document the newly-developed process.
+
+There does not yet exist a SQuaRE-produced a template for the Helm chart; rather, we use the built-in Helm starter template.
+Use ``helm create`` to create a new chart from that template.
+**Be sure you are using Helm v3.**
+Helm v2 is not supported.
+
+You will need to make at least the following changes to the default Helm chart template:
+
+- All secrets must come from ``VaultSecret`` resources, not Kubernetes ``Secret`` resources.
+ You should use a configuration option named ``vaultSecretsPath`` in your ``values.yaml`` to specify the path in Vault for your secret.
+ This option will be customized per environment when you add the service to Phalanx (see :doc:`add-service`).
+ See :doc:`add-a-onepassword-secret` for more information about secrets.
+- Services providing a web API should be protected by Gafaelfawr and require an appropriate scope.
+ This normally means adding annotations to the ``Ingress`` resource via ``values.yaml`` similar to:
+
+ ..
code-block:: yaml
+
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-method: "GET"
+ nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:admin"
+
+ For user-facing services you will want a scope other than ``exec:admin``.
+ See `the Gafaelfawr documentation `__, specifically `protecting a service `__ for more information.
+- If your service exposes Prometheus endpoints, you will want to configure these in the `telegraf service's prometheus_config `__.
+
+Documentation
+-------------
+
+We have begun using `helm-docs `__ to generate documentation for our Helm charts.
+This produces a nice Markdown README file that documents all the chart options, but it requires special formatting of the ``values.yaml`` file that is not present in the default Helm template.
+If you want to do the additional work, this will produce the most nicely-documented Helm chart. Using helm-docs is currently optional, but very strongly recommended.
+
+Publication
+-----------
+
+Rubin-developed Helm charts for the Science Platform are stored as part of the `phalanx repository `__. They can be found in the `services directory `__.
+
+Examples
+--------
+
+Existing Helm charts that are good examples to read or copy are:
+
+- `cachemachine `__ (fairly simple)
+- `mobu `__ (also simple)
+- `gafaelfawr `__ (complex, including CRDs and multiple pods)
+
+Adding an ArgoCD Application for your service
+=============================================
+
+Once you have a chart and a Docker image and you have added your static service secrets to 1Password (see :doc:`add-a-onepassword-secret`), you need to integrate your service into Phalanx.
This is done by creating an Argo CD application that manages your service.
-This consists of an ``Application`` resource that's used by Argo CD and a small wrapper chart in the `Phalanx repository `__ that holds the ``values-*.yaml`` files to configure your service for each environment in which it's deployed.
+This consists of an ``Application`` resource that's used by Argo CD and configuring your service with for each environment in which it's deployed, via ``values-*.yaml`` files in the service directory.
#. For each environment in which your service will run, create a ``values-.yaml`` file in your application's service directory.
This should hold only the customization per Rubin Science Platform deployment.
@@ -16,7 +74,7 @@ This consists of an ``Application`` resource that's used by Argo CD and a small
In general these will be set within the application definition within the ``science-platform`` directory and carried through to service charts via global ArgoCD variables.
You should generally simply need the boilerplate setting them to empty:
- .. code-block: yaml::
+ .. code-block:: yaml
# The following will be set by parameters injected by Argo CD and should not
# be set in the individual environment values files.
@@ -33,9 +91,6 @@ This consists of an ``Application`` resource that's used by Argo CD and a small
# @default -- Set by Argo CD
vaultSecretsPath: ""
-Add the Argo CD application
-===========================
-
#. Create the Argo CD application resource.
This is a new file in `/science-platform/templates `__ named ``-application.yaml`` where ```` must match the name of the directory created above.
The contents of this file should look like::
@@ -81,7 +136,7 @@ Add the Argo CD application
replacing every instance of ```` with the name of your service.
This creates the namespace and Argo CD application for your service.
Note that this is where we derive baseURL from host.
- Note that bothh of ``fqdn`` and ``host`` must be defined in each RSP
+ Note that both of ``fqdn`` and ``host`` must be defined in each RSP
instance definition file (that is, ``values-.yaml``).
Typically this is done at the top; should you at some point deploy an entirely new instance of the RSP, remember to do this in the base
@@ -118,4 +173,4 @@ Add the Argo CD application
replacing ```` with the name of your service.
For the other environments, set ``enabled`` to ``true`` if your service should be deployed there.
- You may want to start in a dev or int environment and enable it in production environments later.
+ You almost certainly want to start in a dev or int environment and enable your new service in production environments only after it has been smoke-tested in less critical environments.
diff --git a/docs/service-guide/create-service.rst b/docs/service-guide/create-service.rst
index 8af38810dd..5e54b45690 100644
--- a/docs/service-guide/create-service.rst
+++ b/docs/service-guide/create-service.rst
@@ -32,72 +32,16 @@ If you are using the FastAPI template, tagging in this fashion is required since
Create the Docker image
=======================
-The Docker image can be stored in any container registry that is usable by Kubernetes, but for Rubin-developed services, we normally use DockerHub.
-(We may switch to the Google Container Registry later, but for now DockerHub is used for all images.)
+The Docker image can be stored in any container registry that is usable by Kubernetes, but for Rubin-developed services using the FastAPI template, we usually push both to the `GitHub Container Registry `__ and Docker Hub. Google Artifact Registry is in play for Science Platform images and may eventually be used more widely. We may eventually stop publishing to Docker Hub; our workflow is centered on GitHub and the long-term future of Docker-the-company does not look very secure.
If your image must be stored in a private container registery, the credentials for that registry must be added to the pull secret.
If you use the FastAPI service template, a ``Dockerfile`` will be created as part of the new repository template, and GitHub Actions will be set up in the new repository to build and push new Docker images for tagged releases.
-To enable this workflow, you must create two secrets in your new GitHub repository, ``DOCKER_USERNAME`` and ``DOCKER_TOKEN``.
-``DOCKER_USERNAME`` should be set to the DockerHub username of the account that will be pushing the new Docker images.
+
+If you use ghcr.io as your repository (which is the FastAPI template default) you require a repository secret named ``GITHUB_TOKEN``.
+If you are using Docker Hub you must create two secrets in your new GitHub repository, ``DOCKER_USERNAME`` and ``DOCKER_TOKEN``.
+``DOCKER_USERNAME`` should be set to the Docker Hub username of the account that will be pushing the new Docker images.
``DOCKER_TOKEN`` should be set to a secret authentication token for that account.
We recommend creating a separate token for each GitHub repository for which you want to enable automatic image publication, even if they all use the same username.
-You may need to have a Docker Pro or similar paid DockerHub account.
+If using Docker Hub You may need to have a Docker Pro or similar paid Docker Hub account.
Alternately, you can contact SQuaRE to set up Docker image publication using our Docker account.
-
-Create the Helm chart
-=====================
-
-To deploy your service in the Rubin Science Platform, it must have either a Helm chart or a Kustomize configuration.
-Currently, all services use Helm charts.
-Kustomize is theoretically supported but there are no examples of how to make it work with multiple environments.
-Using a Helm chart is recommended unless you are strongly motivated to work out the problems with using Kustomize and then document the newly-developed process.
-
-Unfortunately, unlike for the service itself, we do not (yet) have a template for the Helm chart.
-However, Helm itself has a starter template that is not awful.
-Use ``helm create`` to create a new chart from that template.
-**Be sure you are using Helm v3.**
-Helm v2 is not supported.
-
-You will need to make at least the following changes to the default Helm chart template:
-
-- All secrets must come from ``VaultSecret`` resources, not Kubernetes ``Secret`` resources.
- You should use a configuration option named ``vaultSecretsPath`` in your ``values.yaml`` to specify the path in Vault for your secret.
- This option will be customized per environment when you add the service to Phalanx (see :doc:`add-service`).
- See :doc:`add-a-onepassword-secret` for more information about secrets.
- Services providing a web API should be protected by Gafaelfawr and require an appropriate scope.
- This normally means adding annotations to the ``Ingress`` resource via ``values.yaml`` similar to:
-
- ..
code-block:: yaml
-
- ingress:
- annotations:
- nginx.ingress.kubernetes.io/auth-method: "GET"
- nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:admin"
-
- For user-facing services you will want a scope other than ``exec:admin``.
- See `the Gafaelfawr documentation `__, specifically `protecting a service `__ for more information.
-- If your service exposes Prometheus endpoints, you will want to configure these in the `telegraf service's prometheus_config `__.
-
-Documentation
--------------
-
-We have begun using `helm-docs `__ to generate documentation for our Helm charts.
-This produces a nice Markdown README file that documents all the chart options, but it requires special formatting of the ``values.yaml`` file that is not present in the default Helm template.
-If you want to do the additional work, this will produce the most nicely-documented Helm chart, but using helm-docs is currently optional.
-
-Publication
------------
-
-All Rubin-developed Helm charts for the Science Platform are stored in the `charts repository `__.
-This repository automatically handles publication of the Helm chart when a new release is merged to the ``master`` branch, so you will not have to set up your own Helm chart repository.
-You should create your new chart as a pull request in this repository, under the ``charts`` subdirectory.
-
-Examples
--------
-
-Existing Helm charts that are good examples to read or copy are:
-
-- `cachemachine `__ (fairly simple)
-- `mobu `__ (also simple)
-- `gafaelfawr `__ (complex, including CRDs and multiple pods)
From cf5f5a975e82d22651f36faa710ff38e53003964 Mon Sep 17 00:00:00 2001
From: roby
Date: Thu, 28 Jul 2022 15:40:57 -0600
Subject: [PATCH 0833/1479] for suit-2022.5.1
---
 services/portal/values-idfdev.yaml | 2 +-
 services/portal/values-idfint.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index d1fca00dde..9a788da368 100644
--- a/services/portal/values-idfdev.yaml
+++ b/services/portal/values-idfdev.yaml
@@ -1,7 +1,7 @@
replicaCount: 2
image:
- tag: "suit-2022.5"
+ tag: "suit-2022.5.1"
config:
volumes:
diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml
index 65473bc5f0..11f26ce891 100644
--- a/services/portal/values-idfint.yaml
+++ b/services/portal/values-idfint.yaml
@@ -1,7 +1,7 @@
replicaCount: 4
image:
- tag: "suit-2022.5"
+ tag: "suit-2022.5.1"
config:
volumes:
From 35d3fc0678f639838468e5c1e5fc2500f8aa3f98 Mon Sep 17 00:00:00 2001
From: adam
Date: Thu, 28 Jul 2022 14:44:58 -0700
Subject: [PATCH 0834/1479] Further review commentary
---
 docs/service-guide/create-service.rst | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/docs/service-guide/create-service.rst b/docs/service-guide/create-service.rst
index 5e54b45690..2d6ee48aaa 100644
--- a/docs/service-guide/create-service.rst
+++ b/docs/service-guide/create-service.rst
@@ -7,7 +7,7 @@ If the goal is to instead deploy a third-party service with its own Helm chart i
To be deployed in the Rubin Science Platform, a service must come in the form of one or more Docker images and a Helm chart (or Kustomize configuration, although no service currently uses that approach) that deploys those images in Kubernetes.
-After you have finished the steps here, go to :doc:`add-service`.
+After you have finished the steps here, add any secrets you need for your service: :doc:`add-a-onepassword-secret`. Once you have done that, add the service to ArgoCD: :doc:`add-service`.
Write the service
=================
@@ -37,7 +37,9 @@ If your image must be stored in a private container registery, the credentials f
If you use the FastAPI service template, a ``Dockerfile`` will be created as part of the new repository template, and GitHub Actions will be set up in the new repository to build and push new Docker images for tagged releases.
-If you use ghcr.io as your repository (which is the FastAPI template default) you require a repository secret named ``GITHUB_TOKEN``.
+If you use ghcr.io as your repository (which is the FastAPI template
+default) you can use GitHub's built-in ``GITHUB_TOKEN``; you don't need
+to create an additional secret.
If you are using Docker Hub you must create two secrets in your new GitHub repository, ``DOCKER_USERNAME`` and ``DOCKER_TOKEN``.
``DOCKER_USERNAME`` should be set to the Docker Hub username of the account that will be pushing the new Docker images.
``DOCKER_TOKEN`` should be set to a secret authentication token for that account.
@@ -45,3 +47,8 @@ We recommend creating a separate token for each GitHub repository for which you
If using Docker Hub You may need to have a Docker Pro or similar paid Docker Hub account.
Alternately, you can contact SQuaRE to set up Docker image publication using our Docker account.
+
+The next step is to create secrets for your application: :doc:`add-a-onepassword-secret`.
+
+Finally, deploy your service by creating a Helm chart and an ArgoCD
+Application in Phalanx: :doc:`add-service`.
From 3d61c454548c609f5cf2515be7ca21fb695d8644 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 28 Jul 2022 15:18:05 -0700
Subject: [PATCH 0835/1479] Bump version of portal
---
 services/portal/Chart.yaml | 2 +-
 services/portal/values-idfdev.yaml | 3 ---
 services/portal/values-idfint.yaml | 3 ---
 3 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml
index 325f973f6f..95357ec817 100644
--- a/services/portal/Chart.yaml
+++ b/services/portal/Chart.yaml
@@ -3,4 +3,4 @@ name: portal
version: 1.0.0
description: "Rubin Science Platform portal aspect"
home: "https://github.com/lsst/suit"
-appVersion: "suit-2022.2.1"
+appVersion: "suit-2022.5.1"
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index 9a788da368..b8d18401c0 100644
--- a/services/portal/values-idfdev.yaml
+++ b/services/portal/values-idfdev.yaml
@@ -1,8 +1,5 @@
replicaCount: 2
-image:
- tag: "suit-2022.5.1"
-
config:
volumes:
workareaNfs:
diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml
index 11f26ce891..bbff39a615 100644
--- a/services/portal/values-idfint.yaml
+++ b/services/portal/values-idfint.yaml
@@ -1,8 +1,5 @@
replicaCount: 4
-image:
- tag: "suit-2022.5.1"
-
config:
volumes:
workareaNfs:
From 5b7cbf168966b1deec4cc3e38aee52354ffb32ae Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Thu, 28 Jul 2022 13:57:22 -0700
Subject: [PATCH 0836/1479] Upgrade strimzi-registry-operator to version 2.0.0-rc1
---
 services/sasquatch/Chart.yaml | 2 +-
 services/sasquatch/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml
index e916697a6d..8dcbdd6a56 100644
--- a/services/sasquatch/Chart.yaml
+++ b/services/sasquatch/Chart.yaml
@@ -7,7 +7,7 @@ dependencies:
- name: strimzi-kafka
version: 1.0.0
- name: strimzi-registry-operator
- version: 1.2.1
+ version: 2.0.0-rc1
repository: https://lsst-sqre.github.io/charts/
- name: influxdb
version: 4.12.0
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md
index f454e1bb19..db37783d3b 100644
--- a/services/sasquatch/README.md
+++ b/services/sasquatch/README.md
@@ -13,7 +13,7 @@ Rubin Observatory's telemetry service.
| https://helm.influxdata.com/ | influxdb | 4.12.0 |
| https://helm.influxdata.com/ | kapacitor | 1.4.6 |
| https://helm.influxdata.com/ | telegraf | 1.8.18 |
-| https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 1.2.1 |
+| https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.0.0-rc1 |
| https://lsst-ts.github.io/charts/ | csc | 0.9.2 |
| https://lsst-ts.github.io/charts/ | kafka-producers | 0.10.1 |
From dca647bb3d8e30af95c67edf41feecd33116788c Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Thu, 28 Jul 2022 13:59:41 -0700
Subject: [PATCH 0837/1479] Use new key clusterNamespace
---
 services/sasquatch/README.md | 2 +-
 services/sasquatch/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md
index db37783d3b..de6fc66b8f 100644
--- a/services/sasquatch/README.md
+++ b/services/sasquatch/README.md
@@ -72,7 +72,7 @@ Rubin Observatory's telemetry service.
| kapacitor.influxURL | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB connection URL. |
| kapacitor.persistence | object | `{"enabled":true,"size":"100Gi"}` | Chronograf data persistence configuration. |
| strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. |
-| strimzi-registry-operator | object | `{"clusterName":"sasquatch","operatorNamespace":"sasquatch","watchNamespace":"sasquatch"}` | strimzi-registry-operator configuration. |
+| strimzi-registry-operator | object | `{"clusterName":"sasquatch","clusterNamespace":"sasquatch","operatorNamespace":"sasquatch"}` | strimzi-registry-operator configuration. |
| telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html |
| telegraf.config.outputs | list | `[{"influxdb":{"database":"telegraf","password":"$TELEGRAF_PASSWORD","urls":["http://sasquatch-influxdb.sasquatch:8086"],"username":"telegraf"}}]` | Telegraf default output destination. |
| telegraf.config.processors | object | `{}` | Telegraf processor plugins. |
diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml
index cbece34ffb..04f49f45e8 100644
--- a/services/sasquatch/values.yaml
+++ b/services/sasquatch/values.yaml
@@ -6,7 +6,7 @@ strimzi-kafka: {}
# -- strimzi-registry-operator configuration.
strimzi-registry-operator:
clusterName: sasquatch
- watchNamespace: sasquatch
+ clusterNamespace: sasquatch
operatorNamespace: sasquatch
influxdb:
From 00c7bb982a53529450d68bf0bb20b635e39fcbf7 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Thu, 28 Jul 2022 14:02:31 -0700
Subject: [PATCH 0838/1479] Set schema-registry compatibility level
- Use schema compatibility level None for default, as we are not imposing schema compatibility checks yet.
---
 .../charts/strimzi-kafka/templates/schema-registry.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/schema-registry.yaml b/services/sasquatch/charts/strimzi-kafka/templates/schema-registry.yaml
index 87a0eb387b..a8774c17d2 100644
--- a/services/sasquatch/charts/strimzi-kafka/templates/schema-registry.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/schema-registry.yaml
@@ -4,3 +4,4 @@ metadata:
name: {{ .Values.cluster.name }}-schema-registry
spec:
listener: tls
+ compatibilityLevel: none
From be7d141a3c5404b34d7fed8d9813d1cb41cd304e Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Fri, 29 Jul 2022 14:30:55 -0700
Subject: [PATCH 0839/1479] Upgrade strimzi-registry-operator to version 2.0.0
---
 services/sasquatch/Chart.yaml | 2 +-
 services/sasquatch/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml
index 8dcbdd6a56..8623f76cba 100644
--- a/services/sasquatch/Chart.yaml
+++ b/services/sasquatch/Chart.yaml
@@ -7,7 +7,7 @@ dependencies:
- name: strimzi-kafka
version: 1.0.0
- name: strimzi-registry-operator
- version: 2.0.0-rc1
+ version: 2.0.0
repository: https://lsst-sqre.github.io/charts/
- name: influxdb
version: 4.12.0
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md
index de6fc66b8f..c50625d29e 100644
--- a/services/sasquatch/README.md
+++ b/services/sasquatch/README.md
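Review bot: `compatibilityLevel: none` is hard-wired into the template even though the commit message describes it as a default, so an environment that later wants the registry to enforce schema compatibility cannot change it through values without editing the template. Consider reading it from values with `none` as the fallback, e.g. `compatibilityLevel: {{ .Values.<registry-values-key> | default "none" }}` (placeholder key; the subchart's values.yaml is not in this hunk), and recording the rationale next to it, `# none: no schema compatibility checks are enforced yet`. With `none` the registry accepts incompatible revisions of a subject, so producers and consumers get no evolution guarantee from the registry and any such check has to live elsewhere. The resource's apiVersion/kind lines are outside the hunk.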
@@ -13,7 +13,7 @@ Rubin Observatory's telemetry service.
| https://helm.influxdata.com/ | influxdb | 4.12.0 |
| https://helm.influxdata.com/ | kapacitor | 1.4.6 |
| https://helm.influxdata.com/ | telegraf | 1.8.18 |
-| https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.0.0-rc1 |
+| https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.0.0 |
| https://lsst-ts.github.io/charts/ | csc | 0.9.2 |
| https://lsst-ts.github.io/charts/ | kafka-producers | 0.10.1 |
From 1e61c2ed082362ee7ef90f4ca3b00938f503a86a Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 29 Jul 2022 15:39:59 -0700
Subject: [PATCH 0840/1479] Bump Gafaelfawr version to 5.0.2
---
 services/gafaelfawr/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml
index eb3fe72d4b..5e56728b9f 100644
--- a/services/gafaelfawr/Chart.yaml
+++ b/services/gafaelfawr/Chart.yaml
@@ -5,4 +5,4 @@ description: Science Platform authentication and authorization system
home: https://gafaelfawr.lsst.io/
sources:
- https://github.com/lsst-sqre/gafaelfawr
-appVersion: 5.0.1
+appVersion: 5.0.2
From 785eafa84597f5cacf19108655fbcc51b58fd94e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 1 Aug 2022 16:52:17 +0000
Subject: [PATCH 0841/1479] Update Helm release argo-cd to v4.10.4
---
 services/argocd/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml
index d921a999af..cb84444ed7 100644
--- a/services/argocd/Chart.yaml
+++ b/services/argocd/Chart.yaml
@@ -3,5 +3,5 @@ name: argo-cd
version: 1.0.0
dependencies:
- name: argo-cd
- version: 4.10.0
+ version: 4.10.4
repository: https://argoproj.github.io/argo-helm
From c22ac77683c65d026b00981607b5666d6e6ab642 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 1 Aug 2022 10:22:40 -0700
Subject: [PATCH 0842/1479] Update Helm docs
---
 services/argocd/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/argocd/README.md b/services/argocd/README.md
index 39bcaed4f4..662b56962c 100644
--- a/services/argocd/README.md
+++ b/services/argocd/README.md
@@ -4,7 +4,7 @@
| Repository | Name | Version |
|------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 4.10.0 |
+| https://argoproj.github.io/argo-helm | argo-cd | 4.10.4 |
## Values
From 750da5fdd94527a25772e077d3a737d91efd8d11 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 1 Aug 2022 17:34:04 +0000
Subject: [PATCH 0843/1479] Update Helm release redis to v17.0.6
---
 services/noteburst/Chart.yaml | 2 +-
 services/times-square/Chart.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml
index 5f8b168b03..2ab7ca0d3c 100644
--- a/services/noteburst/Chart.yaml
+++ b/services/noteburst/Chart.yaml
@@ -14,5 +14,5 @@ maintainers:
# Additional charts that this chart uses
dependencies:
- name: redis
- version: 17.0.5
+ version: 17.0.6
repository: https://charts.bitnami.com/bitnami
diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml
index cc83ccc523..fbd345b7d4 100644
--- a/services/times-square/Chart.yaml
+++ b/services/times-square/Chart.yaml
@@ -11,5 +11,5 @@ appVersion: "0.5.0"
dependencies:
- name: redis
- version: 17.0.5
+ version: 17.0.6
repository: https://charts.bitnami.com/bitnami
From 130f39fae80bab6d4f53a98f8e6d1b3fd1e23092 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 1 Aug 2022 10:44:27 -0700
Subject: [PATCH 0844/1479] Regenerate Helm docs
---
 services/noteburst/README.md | 2 +-
 services/times-square/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/noteburst/README.md b/services/noteburst/README.md
index d2281c544e..329139557c 100644
--- a/services/noteburst/README.md
+++ b/services/noteburst/README.md
@@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform.
| Repository | Name | Version |
|------------|------|---------|
-| https://charts.bitnami.com/bitnami | redis | 17.0.5 |
+| https://charts.bitnami.com/bitnami | redis | 17.0.6 |
## Values
diff --git a/services/times-square/README.md b/services/times-square/README.md
index f88dc2917c..04ec519376 100644
--- a/services/times-square/README.md
+++ b/services/times-square/README.md
@@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks.
| Repository | Name | Version |
|------------|------|---------|
-| https://charts.bitnami.com/bitnami | redis | 17.0.5 |
+| https://charts.bitnami.com/bitnami | redis | 17.0.6 |
## Values
From 435a3c2d46bce05f819f81a5d80299d891d472a9 Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Mon, 1 Aug 2022 10:51:01 -0700
Subject: [PATCH 0845/1479] [DM-35717] Mobu to 4.4.6
---
 services/mobu/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml
index 919ea77eb9..833bd18af1 100644
--- a/services/mobu/Chart.yaml
+++ b/services/mobu/Chart.yaml
@@ -3,4 +3,4 @@ name: mobu
version: 1.0.0
description: Generate system load by pretending to be a random scientist
home: https://github.com/lsst-sqre/mobu
-appVersion: 4.4.4
+appVersion: 4.4.6
From e919bf5b2e8a26617e5e32b9c0f39adcd104094d Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Mon, 1 Aug 2022 11:55:49 -0700
Subject: [PATCH 0846/1479] Update Helm release strimzi-kafka-operator to v0.30.0
---
 services/strimzi/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/strimzi/Chart.yaml b/services/strimzi/Chart.yaml
index a319b6f731..fdea12619e 100644
--- a/services/strimzi/Chart.yaml
+++ b/services/strimzi/Chart.yaml
@@ -6,5 +6,5 @@ version: 0.1.0
appVersion: "0.26.0"
dependencies:
- name: strimzi-kafka-operator
- version: "0.29.0"
+ version: "0.30.0"
repository: https://strimzi.io/charts/
From ecacfdf6353ef9281e21eaedfd5fb02929749e9d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 1 Aug 2022 20:57:53 +0000
Subject: [PATCH 0847/1479] Update Helm release cert-manager to v1.9.1
---
 services/cert-manager/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml
index 6373eada56..ce4cbb2f13 100644
--- a/services/cert-manager/Chart.yaml
+++ b/services/cert-manager/Chart.yaml
@@ -4,5 +4,5 @@ version: 1.0.0
description: "Let's Encrypt certificate management"
dependencies:
- name: cert-manager
- version: v1.8.2
+ version: v1.9.1
repository: https://charts.jetstack.io
From 297cf988d0b4816eca47c8c664c0de2efced54e6 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 1 Aug 2022 13:59:55 -0700
Subject: [PATCH 0848/1479] Update Helm docs
---
 services/cert-manager/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md
index 4f242b4223..9f7b2f73e3 100644
--- a/services/cert-manager/README.md
+++ b/services/cert-manager/README.md
@@ -6,7 +6,7 @@ Let's Encrypt certificate management
| Repository | Name | Version |
|------------|------|---------|
-| https://charts.jetstack.io | cert-manager | v1.8.2 |
+| https://charts.jetstack.io | cert-manager | v1.9.1 |
## Values
From b4dc10a25c06a898acaa6f5ef566b84e797037a8 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 1 Aug 2022 21:07:48 +0000
Subject: [PATCH 0849/1479] Update Helm release vault-secrets-operator to v1.19.1
---
 services/vault-secrets-operator/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml index d9d6c9a182..e6f4ee69a8 100644 --- a/services/vault-secrets-operator/Chart.yaml +++ b/services/vault-secrets-operator/Chart.yaml @@ -3,5 +3,5 @@ name: vault-secrets-operator version: 1.0.0 dependencies: - name: vault-secrets-operator - version: 1.18.0 + version: 1.19.1 repository: https://ricoberger.github.io/helm-charts/ From b90fa611afb2c6ff584df6e73f33e6c4f6e4a741 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 1 Aug 2022 14:10:23 -0700 Subject: [PATCH 0850/1479] Update Helm docs --- services/vault-secrets-operator/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md index ce388ddde0..641ab222a7 100644 --- a/services/vault-secrets-operator/README.md +++ b/services/vault-secrets-operator/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.18.0 | +| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.1 | ## Values From be55132d6873d0e66bf2fc8aa64af2519e6a0a61 Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 2 Aug 2022 11:26:06 -0700 Subject: [PATCH 0851/1479] Freshen telegraf/-ds --- services/telegraf-ds/Chart.yaml | 2 +- services/telegraf-ds/README.md | 2 +- services/telegraf/Chart.yaml | 2 +- services/telegraf/README.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml index 012ef69b09..fcae4b4f19 100644 --- a/services/telegraf-ds/Chart.yaml +++ b/services/telegraf-ds/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.0 description: SQuaRE DaemonSet (K8s) telemetry collection service dependencies: - name: telegraf-ds - version: 1.1.0 + version: 1.1.1 repository: https://helm.influxdata.com/ 
diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index 8afc41d8fa..ef66ba67b5 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md @@ -6,7 +6,7 @@ SQuaRE DaemonSet (K8s) telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf-ds | 1.1.0 | +| https://helm.influxdata.com/ | telegraf-ds | 1.1.1 | ## Values diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index e6319163b8..2ea72f4c4f 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.1 description: SQuaRE telemetry collection service dependencies: - name: telegraf - version: 1.8.18 + version: 1.8.19 repository: https://helm.influxdata.com/ diff --git a/services/telegraf/README.md b/services/telegraf/README.md index a852c9c1c4..85c31625f3 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -6,7 +6,7 @@ SQuaRE telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf | 1.8.18 | +| https://helm.influxdata.com/ | telegraf | 1.8.19 | ## Values From 1190f89bf103ebd295c5ab76f23f91fcca3764d1 Mon Sep 17 00:00:00 2001 From: Colin Slater Date: Tue, 2 Aug 2022 14:20:25 -0700 Subject: [PATCH 0852/1479] Bump production tools to 0.0.17. --- services/production-tools/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/production-tools/Chart.yaml b/services/production-tools/Chart.yaml index 9aba525fbf..1cef194be6 100644 --- a/services/production-tools/Chart.yaml +++ b/services/production-tools/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 dependencies: description: A collection of utility pages for monitoring data processing. home: "https://github.com/lsst-sqre/production-tools" -appVersion: 0.0.9 +appVersion: 0.0.17 From 436b457613af8c77e520ac61584a223b6f51e767 Mon Sep 17 00:00:00 2001 
From: Colin Slater Date: Tue, 2 Aug 2022 14:34:28 -0700 Subject: [PATCH 0853/1479] Set WEB_CONCURRENCY for gunicorn. --- services/production-tools/values-idfint.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/production-tools/values-idfint.yaml b/services/production-tools/values-idfint.yaml index 80f6c3cfdf..b89176b204 100644 --- a/services/production-tools/values-idfint.yaml +++ b/services/production-tools/values-idfint.yaml @@ -2,3 +2,4 @@ environment: BUTLER_URI: "s3://butler-us-central1-panda-dev/dc2/butler-external.yaml" LOG_BUCKET: "drp-us-central1-logging" LOG_PREFIX: "Panda-RubinLog" + WEB_CONCURRENCY: "4" From 0c61835d5910e0030ca003e5915cc11181d7a600 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 3 Aug 2022 10:47:59 -0700 Subject: [PATCH 0854/1479] [DM-35717] Ceasefire on int We need to figure out the problems with the 8 hour timeouts that we're seeing before any more meaningful results can be figured out. --- services/mobu/values-idfint.yaml | 32 +++++--------------------------- 1 file changed, 5 insertions(+), 27 deletions(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index ccfe61fcf3..21116762f4 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml 
@@ -34,36 +34,14 @@ autostart: repo_url: "https://github.com/lsst-sqre/system-test.git" repo_branch: "prod" restart: true - - name: "sync-tap" - count: 20 - user_spec: - username_prefix: "sync-mobu-tap" - uid_start: 74770 + - name: "tap" + count: 1 + users: + - username: "bot-mobu-tap" + uidnumber: 74775 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true options: tap_sync: true tap_query_set: "dp0.2" - - name: "async-tap-medium" - count: 50 - user_spec: - username_prefix: "async-mobu-tap" - uid_start: 74800 - scopes: ["read:tap"] - business: "TAPQueryRunner" - restart: true - options: - tap_sync: false - tap_query_set: "dp0.2-med-scans" - - name: "async-tap-long" - count: 50 - user_spec: - username_prefix: "async-mobu-tap" - uid_start: 75000 - scopes: ["read:tap"] - business: "TAPQueryRunner" - restart: true - options: - tap_sync: false - tap_query_set: "dp0.2-long-scans" From f2cbe8b4344c6b07b0d5931f6eb236372f439ab3 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 29 Jul 2022 15:37:12 -0700 Subject: [PATCH 0855/1479] Configure external listener for sasquath kafka brokers - configure an external listener of type loadbalancer with tls encryption and scram-sha-512 authentication used by clients outside the Kubernetes cluster. --- .../charts/strimzi-kafka/templates/kafka.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml index 98038f8c18..0268ea112a 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml 
@@ -8,7 +8,7 @@ spec: version: {{ .Values.kafka.version | quote }} replicas: {{ .Values.kafka.replicas }} listeners: - # plain listener without tls encryption and with scram-sha-512 authentication + # internal istener without tls encryption and with scram-sha-512 authentication # used by clients inside the Kubernetes cluster - name: plain port: 9092 @@ -16,7 +16,7 @@ spec: tls: false authentication: type: scram-sha-512 - # tls listener with tls encryption and mutual tls authentication + # internal listener with tls encryption and mutual tls authentication # used by the schema registry and kafka connect clients - name: tls port: 9093 @@ -24,6 +24,14 @@ spec: tls: true authentication: type: tls + # external listener of type loadbalancer with tls encryption and scram-sha-512 + # authentication used by clients outside the Kubernetes cluster + - name: external + port: 9094 + type: loadbalancer + tls: true + authentication: + type: scram-sha-512 authorization: type: simple {{- if .Values.superusers }} From 28a5c4e1b712ca1d21332b0daf838ba2bb00b04e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 3 Aug 2022 15:44:10 -0700 Subject: [PATCH 0856/1479] Bump memory limits for strimzi-cluster-operator It was crashing on the Tucson teststand at 384MiB with out of memory errors. Bump it to 512MiB everywhere. --- services/strimzi/values-idfdev.yaml | 5 +++++ services/strimzi/values-idfint.yaml | 5 +++++ services/strimzi/values-summit.yaml | 5 +++++ services/strimzi/values-tucson-teststand.yaml | 5 +++++ 4 files changed, 20 insertions(+) diff --git a/services/strimzi/values-idfdev.yaml b/services/strimzi/values-idfdev.yaml index e4cd2e47e1..d642c1f7f9 100644 --- a/services/strimzi/values-idfdev.yaml +++ b/services/strimzi/values-idfdev.yaml @@ -1,4 +1,9 @@ strimzi-kafka-operator: + resources: + limits: + memory: "512Mi" + requests: + memory: "512Mi" watchNamespaces: - "sasquatch" logLevel: "DEBUG" 
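Review bot: The new `external` listener puts the brokers on a cloud LoadBalancer with no source restriction, so port 9094 is reachable from any address and only the SCRAM credentials plus the `simple` ACLs stand between the public network and the cluster. Strimzi lets a loadbalancer listener carry `configuration:` / `loadBalancerSourceRanges:` / `- "<client CIDR>"` (a CIDR list); adding that, or at least naming the expected client networks in the listener comment, is the check I would want before this ships to the summit and IDF environments. Because `tls: true` is set without a `brokerCertChainAndKey`, external clients will be presented with the Strimzi cluster-CA-signed certificate and need that CA to validate it; say so in the comment (`# clients must trust the cluster CA exported in <cluster>-cluster-ca-cert`) so nobody "fixes" a verification failure by disabling TLS checks. Minor: the rewritten comment reads `internal istener`, should be `internal listener`.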
diff --git a/services/strimzi/values-idfint.yaml b/services/strimzi/values-idfint.yaml index 0d90ffd616..d7707877e1 100644 --- a/services/strimzi/values-idfint.yaml +++ b/services/strimzi/values-idfint.yaml @@ -1,4 +1,9 @@ strimzi-kafka-operator: + resources: + limits: + memory: "512Mi" + requests: + memory: "512Mi" watchNamespaces: - "alert-stream-broker" logLevel: "INFO" diff --git a/services/strimzi/values-summit.yaml b/services/strimzi/values-summit.yaml index a12924c931..7c977c078e 100644 --- a/services/strimzi/values-summit.yaml +++ b/services/strimzi/values-summit.yaml @@ -1,4 +1,9 @@ strimzi-kafka-operator: + resources: + limits: + memory: "512Mi" + requests: + memory: "512Mi" watchNamespaces: - "sasquatch" logLevel: "INFO" diff --git a/services/strimzi/values-tucson-teststand.yaml b/services/strimzi/values-tucson-teststand.yaml index e4cd2e47e1..d642c1f7f9 100644 --- a/services/strimzi/values-tucson-teststand.yaml +++ b/services/strimzi/values-tucson-teststand.yaml @@ -1,4 +1,9 @@ strimzi-kafka-operator: + resources: + limits: + memory: "512Mi" + requests: + memory: "512Mi" watchNamespaces: - "sasquatch" logLevel: "DEBUG" From 3e6ea79b00935a947357a5a5256cb6164b74be78 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 3 Aug 2022 18:35:12 -0700 Subject: [PATCH 0857/1479] Serve /api/hips/list from datalinker datalinker will be the service that dynamically generates the HiPS list based on the properties files of the HiPS data sets for a given Science Platform deployment. --- services/datalinker/README.md | 1 - services/datalinker/templates/ingress.yaml | 9 ++++++++- services/datalinker/values-idfint.yaml | 3 +++ services/datalinker/values.yaml | 3 --- 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/services/datalinker/README.md b/services/datalinker/README.md index 4187c2c5a8..576a642542 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md 
@@ -25,7 +25,6 @@ IVOA DataLink service for Rubin Science Platform | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | | ingress.gafaelfawrAuthQuery | string | `"scope=read:image"` | Gafaelfawr auth query string | -| ingress.path | string | `"/api/datalink"` | URL path to dispatch to the datalinker deployment pod | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the datalinker deployment pod | | podAnnotations | object | `{}` | Annotations for the datalinker deployment pod | diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml index c981eefe33..65a487300f 100644 --- a/services/datalinker/templates/ingress.yaml +++ b/services/datalinker/templates/ingress.yaml @@ -20,10 +20,17 @@ spec: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: {{ .Values.ingress.path }} + - path: "/api/datalink" pathType: "Prefix" backend: service: name: {{ include "datalinker.fullname" . }} port: number: 8080 + - path: "/api/hips/list" + pathType: "Exact" + backend: + service: + name: {{ include "datalinker.fullname" . }} + port: + number: 8080 diff --git a/services/datalinker/values-idfint.yaml b/services/datalinker/values-idfint.yaml index e69de29bb2..40383d680e 100644 --- a/services/datalinker/values-idfint.yaml +++ b/services/datalinker/values-idfint.yaml @@ -0,0 +1,3 @@ +image: + tag: "tickets-DM-35482" + pullPolicy: "Always" diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml index 8e8e023318..34737d8146 100644 --- a/services/datalinker/values.yaml +++ b/services/datalinker/values.yaml 
@@ -25,9 +25,6 @@ ingress: # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "scope=read:image" - # -- URL path to dispatch to the datalinker deployment pod - path: "/api/datalink" - # -- Additional annotations for the ingress rule annotations: {} From 83d5b684b3e2c27fb6fa8e694645c4af99cb74fb Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 3 Aug 2022 19:01:58 -0700 Subject: [PATCH 0858/1479] Switch the HiPS list to anonymous It should be fine to make this available to anonymous users based on previous discussion, although the actual HiPS data sets will require authentication. --- .../templates/ingress-anonymous.yaml | 23 +++++++++++++++++++ services/datalinker/templates/ingress.yaml | 7 ------ 2 files changed, 23 insertions(+), 7 deletions(-) create mode 100644 services/datalinker/templates/ingress-anonymous.yaml diff --git a/services/datalinker/templates/ingress-anonymous.yaml b/services/datalinker/templates/ingress-anonymous.yaml new file mode 100644 index 0000000000..08e5c7e48b --- /dev/null +++ b/services/datalinker/templates/ingress-anonymous.yaml @@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "datalinker.fullname" . }}-anonymous + labels: + {{- include "datalinker.labels" . | nindent 4 }} + annotations: + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: "nginx" + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/hips/list" + pathType: "Exact" + backend: + service: + name: {{ include "datalinker.fullname" . }} + port: + number: 8080 diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress.yaml index 65a487300f..5e07f43144 100644 --- a/services/datalinker/templates/ingress.yaml +++ b/services/datalinker/templates/ingress.yaml 
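Review bot: This anonymous Ingress sends `/api/hips/list` to the same datalinker Service as the Gafaelfawr-protected Ingress, but with no `auth-url` there is no `auth_request` stage to overwrite `X-Auth-Request-User`, so on this path that header is whatever the client chose to send. If datalinker reads the header to identify the caller on its other routes (not verifiable from the chart), a request on this path can present a spoofed identity to the same process. Document the contract in the template, `# Unauthenticated: the backend must not trust X-Auth-Request-User on this path`, and if the application does consult the header, have nginx clear it here (for example via a `proxy_set_header X-Auth-Request-User "";` configuration snippet, where the ingress controller permits snippets). Note also that `ingress.annotations` is shared with the authenticated Ingress, so any auth-related annotation added there would silently apply to this anonymous route too.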
@@ -27,10 +27,3 @@ spec: name: {{ include "datalinker.fullname" . }} port: number: 8080 - - path: "/api/hips/list" - pathType: "Exact" - backend: - service: - name: {{ include "datalinker.fullname" . }} - port: - number: 8080 From 2e6d9945e0bd33e6a40a62d76eacbfe11e041262 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 3 Aug 2022 19:12:12 -0700 Subject: [PATCH 0859/1479] Add configuration for HiPS list Add a Gafaelfawr token so that datalinker can talk to the HiPS service, and pass the token and base HiPS URL down to the deployment. --- services/datalinker/templates/deployment.yaml | 7 +++++++ services/datalinker/templates/gafaelfawr-token.yaml | 10 ++++++++++ 2 files changed, 17 insertions(+) create mode 100644 services/datalinker/templates/gafaelfawr-token.yaml diff --git a/services/datalinker/templates/deployment.yaml b/services/datalinker/templates/deployment.yaml index ef55259d82..16ff38a41f 100644 --- a/services/datalinker/templates/deployment.yaml +++ b/services/datalinker/templates/deployment.yaml @@ -41,6 +41,13 @@ spec: env: - name: "DATALINKER_CUTOUT_SYNC_URL" value: "{{ .Values.global.baseUrl }}/api/cutout/sync" + - name: "DATALINKER_HIPS_BASE_URL" + value: "{{ .Values.global.baseUrl }}/api/hips" + - name: "DATALINKER_TOKEN" + valueFrom: + secretKeyRef: + name: {{ include "datalinker.fullname" . }}-gafaelfawr-token + key: "token" # The following are used by Butler to retrieve its configuration # and authenticate to its database. - name: "AWS_SHARED_CREDENTIALS_FILE" diff --git a/services/datalinker/templates/gafaelfawr-token.yaml b/services/datalinker/templates/gafaelfawr-token.yaml new file mode 100644 index 0000000000..2d55ce2b8f --- /dev/null +++ b/services/datalinker/templates/gafaelfawr-token.yaml 
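Review bot: `DATALINKER_TOKEN` hands the pod a `read:image` bot token that it uses server-side while `/api/hips/list` is served to anonymous callers (per the anonymous Ingress added earlier in this series), so the endpoint is a confused deputy if any request input can steer which URL under `DATALINKER_HIPS_BASE_URL` gets fetched. The base URL is fixed from `global.baseUrl` here, which is the right shape; the application-side guarantee (the list is built only from the configured properties files, never from a caller-supplied path) cannot be confirmed from the chart, so add a why-comment on the variable, `# Service token used only for server-side reads of HiPS properties; never derive the target URL from request input`. Consider mounting the secret as a file instead of an env var, since environment values are inherited by child processes and tend to surface in crash dumps and debug output. The container `env` list starts and ends outside this hunk.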
@@ -0,0 +1,10 @@ +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrServiceToken +metadata: + name: {{ include "datalinker.fullname" . }}-gafaelfawr-token + labels: + {{- include "datalinker.labels" . | nindent 4 }} +spec: + service: "bot-datalinker" + scopes: + - "read:image" From d361ba91e14fcd1ca54e19df3f54e36760bd764c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 5 Aug 2022 13:28:13 -0700 Subject: [PATCH 0860/1479] Remove auth-signin config for hips I was assuming that this would be accessed via the browser, but it looks like we're going to use the Portal as the interface and won't publish an index.html file, making it hard to use from the browser. Therefore, don't do the automatic redirect when users aren't logged in, and instead return a 403. --- services/hips/templates/ingress.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/hips/templates/ingress.yaml b/services/hips/templates/ingress.yaml index a27182e8cd..09ae0fed5d 100644 --- a/services/hips/templates/ingress.yaml +++ b/services/hips/templates/ingress.yaml @@ -9,7 +9,6 @@ metadata: {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" {{- end }} {{- with .Values.ingress.annotations }} From 4bf9d1c0d72a69088c1493a9658a9851929440e2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 5 Aug 2022 13:29:32 -0700 Subject: [PATCH 0861/1479] Update datalinker version --- services/datalinker/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index e5dd132c44..1b6dbc6a53 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml 
@@ -4,4 +4,4 @@ version: 1.0.0 description: IVOA DataLink service for Rubin Science Platform sources: - https://github.com/lsst-sqre/datalinker -appVersion: 1.3.1 +appVersion: 1.4.0 From 45b76cdaeae1529f7e0165b75dd81cf13bb71ce7 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 5 Aug 2022 13:48:13 -0700 Subject: [PATCH 0862/1479] Bump version of crawlspace for hips service --- services/hips/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/hips/Chart.yaml b/services/hips/Chart.yaml index 25ebc269af..1d8f34b68a 100644 --- a/services/hips/Chart.yaml +++ b/services/hips/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: HiPS web server backed by Google Cloud Storage sources: - https://github.com/lsst-sqre/crawlspace -appVersion: 0.2.0 +appVersion: 0.2.1 From db44904f663b8bd3627100d9d3e81e4c8833eae0 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 4 Aug 2022 17:47:09 -0700 Subject: [PATCH 0863/1479] Revome blank line --- services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml index 0268ea112a..c6786d35fd 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml @@ -40,7 +40,6 @@ spec: - {{ . }} {{- end }} {{- end }} - config: offsets.topic.replication.factor: {{ .Values.kafka.replicas }} transaction.state.log.replication.factor: {{ .Values.kafka.replicas }} From 9f8b408b0e8aee396ae439b4f76a64245d8b0621 Mon Sep 17 00:00:00 2001 
From: Angelo Fausti Date: Thu, 4 Aug 2022 17:47:28 -0700 Subject: [PATCH 0864/1479] Exclude Kafka PVCs from the app sync status - In Strimzi operator 0.30.0 Kafka PersistenVolumeClaim resources show as OutOfSync (requires prune), affecting the overall app sync status. Strimzi provides a mechanism for customizing k8s resources https://strimzi.io/docs/operators/latest/configuring.html#assembly-customizing-kubernetes-resources-str. Use that to add these annotations to exclude the PVCs from the app sync status and prevent them from pruning. --- .../charts/strimzi-kafka/templates/kafka.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml index c6786d35fd..cd30ae9d61 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml @@ -5,6 +5,12 @@ metadata: name: {{ .Values.cluster.name }} spec: kafka: + template: + persistentVolumeClaim: + metadata: + annotations: + argocd.argoproj.io/compare-options: IgnoreExtraneous + argocd.argoproj.io/sync-options: Prune=false version: {{ .Values.kafka.version | quote }} replicas: {{ .Values.kafka.replicas }} listeners: @@ -64,6 +70,12 @@ spec: {{- end}} deleteClaim: false zookeeper: + template: + persistentVolumeClaim: + metadata: + annotations: + argocd.argoproj.io/compare-options: IgnoreExtraneous + argocd.argoproj.io/sync-options: Prune=false replicas: {{ .Values.zookeeper.replicas }} storage: # Note that storage is configured per replica. If there are 3 replicas, From ccfea6f2d71db74330dc507319af49c0fbfd67dc Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 5 Aug 2022 15:09:21 -0700 Subject: [PATCH 0865/1479] Point Portal at new HiPS list Use the in-deployment HiPS list served by datalinker. Also delete the old FIREFLY_OPTS setting, which is no longer used by current Firefly. --- services/portal/templates/deployment.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index f3259a9fef..05a9eda51f 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml @@ -42,14 +42,12 @@ spec: secretKeyRef: name: {{ include "portal.fullname" . }}-secret key: "ADMIN_PASSWORD" - - name: "FIREFLY_OPTS" - value: "-Dredis.host={{ include "portal.fullname" . }}-redis -Dsso.req.auth.hosts={{ .Values.global.host }}" - name: "PROPS_redis__host" value: {{ include "portal.fullname" . }}-redis - name: "PROPS_sso__req__auth__hosts" value: {{ .Values.global.host | quote }} - name: "PROPS_lsst__hips__masterUrl" - value: https://irsa.ipac.caltech.edu/data/hips/list + value: "{{ .Values.global.baseUrl }}/api/hips/list" - name: "PROPS_FIREFLY_OPTIONS" value: >- $'{ From e5fc6faf65316d63fa69f9109b8d36d925033f79 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 5 Aug 2022 15:20:34 -0700 Subject: [PATCH 0866/1479] Remove override of datalink version on data-int --- services/datalinker/values-idfint.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/services/datalinker/values-idfint.yaml b/services/datalinker/values-idfint.yaml index 40383d680e..e69de29bb2 100644 --- a/services/datalinker/values-idfint.yaml +++ b/services/datalinker/values-idfint.yaml @@ -1,3 +0,0 @@ -image: - tag: "tickets-DM-35482" - pullPolicy: "Always" From 95a112c74766aabebe597012d35af0fe896e5a85 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 8 Aug 2022 00:22:34 +0000 Subject: [PATCH 0867/1479] Update Helm release argo-cd to v4.10.5 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index cb84444ed7..96cd12a284 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.10.4 + version: 4.10.5 repository: https://argoproj.github.io/argo-helm From 1de432218883843dd0a7150ada0a948110ed4471 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 8 Aug 2022 09:13:11 -0700 Subject: [PATCH 0868/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 662b56962c..d25acc0734 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.10.4 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.10.5 | ## Values From 1c54a8a89f90c6deb1a3bdbf7b598e192902bf10 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 8 Aug 2022 16:22:04 +0000 Subject: [PATCH 0869/1479] Update Helm release redis to v17.0.8 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 2ab7ca0d3c..c3ec900ddd 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.0.6 + version: 17.0.8 repository: https://charts.bitnami.com/bitnami 
diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index fbd345b7d4..1f4ea9d587 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.5.0" dependencies: - name: redis - version: 17.0.6 + version: 17.0.8 repository: https://charts.bitnami.com/bitnami From 71090e67224ca5e46390e4f059011844918c3717 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 8 Aug 2022 09:24:24 -0700 Subject: [PATCH 0870/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 329139557c..8501e741fd 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.0.6 | +| https://charts.bitnami.com/bitnami | redis | 17.0.8 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 04ec519376..1481f808e9 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.0.6 | +| https://charts.bitnami.com/bitnami | redis | 17.0.8 | ## Values From d0c4b9026e9ddbf84fe4f47a7b52b60ef14e7370 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 8 Aug 2022 16:31:19 +0000 Subject: [PATCH 0871/1479] Update helm values gcr.io/cloudsql-docker/gce-proxy to v1.31.2 --- services/gafaelfawr/values.yaml | 2 +- services/times-square/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 6fd5f15907..34d8cf4852 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -235,7 +235,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.1" + tag: "1.31.2" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index cb4dcf0e03..ad37eeb87e 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml @@ -132,7 +132,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.1" + tag: "1.31.2" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 34c1fbdf51..b4d6fd17c5 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -78,7 +78,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.1" + tag: "1.31.2" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" From 941bc419bf16177293c930966d8bb3981f9f4ee0 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 8 Aug 2022 10:16:10 -0700 Subject: [PATCH 0872/1479] Update Helm docs --- services/gafaelfawr/README.md | 2 +- services/times-square/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index e2446c7016..40b7d15d1d 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -16,7 +16,7 @@ Science Platform authentication and authorization system | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.1"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.31.2"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `gafaelfawr` and `gafaelfawr-tokens` Kubernetes service accounts and has the `cloudsql.client` role | | config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. | diff --git a/services/times-square/README.md b/services/times-square/README.md index 1481f808e9..ef1e1f2dba 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -22,7 +22,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.1"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.31.2"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index d32c0efdaa..686da70daf 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -14,7 +14,7 @@ Image cutout service complying with IVOA SODA | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.1"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.31.2"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to the GCS bucket, and ability to sign URLs as itself | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | From 4ca0bd37ef206889884e576bba7bb9960e9ddd79 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 12 Aug 2022 08:56:14 -0700 Subject: [PATCH 0873/1479] Update datalinker to 1.4.1 --- services/datalinker/Chart.yaml | 4 ++-- services/datalinker/README.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index 1b6dbc6a53..d7ace4f6ec 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: datalinker version: 1.0.0 -description: IVOA DataLink service for Rubin Science Platform +description: Service and data discovery for Rubin Science Platform sources: - https://github.com/lsst-sqre/datalinker -appVersion: 1.4.0 +appVersion: 1.4.1 diff --git a/services/datalinker/README.md b/services/datalinker/README.md index 576a642542..eacd75bae4 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md 
@@ -1,6 +1,6 @@ # datalinker -IVOA DataLink service for Rubin Science Platform +Service and data discovery for Rubin Science Platform ## Source Code From 60b2151b53ab128c68c3211f4768d56bbe34bee9 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 12 Aug 2022 09:01:41 -0700 Subject: [PATCH 0874/1479] Update pre-commit configuration --- .pre-commit-config.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bcc0ac9e78..01fd1a447e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,19 +1,19 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.2.0 + rev: v4.3.0 hooks: - id: trailing-whitespace - id: check-toml - repo: https://github.com/adrienverge/yamllint.git - rev: v1.26.3 + rev: v1.27.1 hooks: - id: yamllint args: - "-c=.yamllint.yml" - repo: https://github.com/norwoodj/helm-docs - rev: v1.2.0 + rev: v1.11.0 hooks: - id: helm-docs args: @@ -21,7 +21,7 @@ repos: # The `./` makes it relative to the chart-search-root set above - "--template-files=./helm-docs.md.gotmpl" - - repo: https://github.com/pycqa/isort + - repo: https://github.com/PyCQA/isort rev: 5.10.1 hooks: - id: isort @@ -29,7 +29,7 @@ repos: - toml - repo: https://github.com/psf/black - rev: 22.3.0 + rev: 22.6.0 hooks: - id: black @@ -39,7 +39,7 @@ repos: - id: blacken-docs additional_dependencies: [black==22.3.0] - - repo: https://gitlab.com/pycqa/flake8 - rev: 4.0.1 + - repo: https://github.com/PyCQA/flake8 + rev: 5.0.4 hooks: - id: flake8 From 3f7fb29297d1f6cbe29723f2bb4643ea3342461a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 15 Aug 2022 03:31:24 +0000 Subject: [PATCH 0875/1479] Update helm/chart-testing-action action to v2.3.0 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
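Review bot: In the last hunk of .pre-commit-config.yaml the blacken-docs hook keeps `additional_dependencies: [black==22.3.0]` while the black hook two hunks earlier moves to `rev: 22.6.0`, so Python snippets in documentation and the source tree get formatted by different Black releases and can disagree. Bump it in the same commit: `additional_dependencies: [black==22.6.0]`. The flake8 hook also changes its source from gitlab.com/pycqa to github.com/PyCQA together with a major-version jump to 5.0.4; a one-line note in the commit message on why the source moved would save the next reader the lookup.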
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d3f43f948a..48f009d7f1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -44,7 +44,7 @@ jobs: run: tests/expand-services - name: Set up chart-testing - uses: helm/chart-testing-action@v2.2.1 + uses: helm/chart-testing-action@v2.3.0 - name: Run chart-testing (lint) run: ct lint --all --config ct.yaml From b444340574f76e6ff51ddeb10e42acc8c793596b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:52:27 +0000 Subject: [PATCH 0876/1479] Update Helm release argo-cd to v4.10.6 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 96cd12a284..614608159a 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.10.5 + version: 4.10.6 repository: https://argoproj.github.io/argo-helm From c1064a3b1a20ada01d226302bc810a8a300b72e3 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 15 Aug 2022 10:52:48 -0700 Subject: [PATCH 0877/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index d25acc0734..1c3064a111 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.10.5 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.10.6 | ## Values From 8d3a6f4e3a551a31aad0f5083a0eecb9b30a52bc Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:59:48 +0000 Subject: [PATCH 0878/1479] Update Helm release ingress-nginx to v4.2.1 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index da05d3d010..300814ccb3 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.2.0 + version: 4.2.1 repository: https://kubernetes.github.io/ingress-nginx From f19f132bf890c3e8ee2910fd71e2fa4f6ed88ebf Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 15 Aug 2022 11:15:51 -0700 Subject: [PATCH 0879/1479] Update Helm docs --- services/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index bd70803bcf..355a14bbcb 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.2.0 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.2.1 | ## Values From edd8774547e35e8af1f9d8130aa9da27ec11e7bc Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 15 Aug 2022 18:23:12 +0000 Subject: [PATCH 0880/1479] Update Helm release redis to v17.0.10 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index c3ec900ddd..e3b84c3514 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml 
@@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.0.8 + version: 17.0.10 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 1f4ea9d587..0ccdb4cba1 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.5.0" dependencies: - name: redis - version: 17.0.8 + version: 17.0.10 repository: https://charts.bitnami.com/bitnami From e9d58e689246f3ab61a32dec4c89eb30bf95f881 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 15 Aug 2022 11:30:12 -0700 Subject: [PATCH 0881/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 8501e741fd..bbff819b56 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.0.8 | +| https://charts.bitnami.com/bitnami | redis | 17.0.10 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index ef1e1f2dba..93b943ad4c 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.0.8 | +| https://charts.bitnami.com/bitnami | redis | 17.0.10 | ## Values From 5417ab1bd814f0ada260931055bfdf6c6f67e9ab Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:52:34 +0000 Subject: [PATCH 0882/1479] Bump manusa/actions-setup-minikube from 2.6.1 to 2.7.0 Bumps [manusa/actions-setup-minikube](https://github.com/manusa/actions-setup-minikube) from 2.6.1 to 2.7.0. - [Release notes](https://github.com/manusa/actions-setup-minikube/releases) - [Commits](https://github.com/manusa/actions-setup-minikube/compare/v2.6.1...v2.7.0) --- updated-dependencies: - dependency-name: manusa/actions-setup-minikube dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 48f009d7f1..f60da91726 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -80,7 +80,7 @@ jobs: - name: Setup Minikube if: steps.filter.outputs.minikube == 'true' - uses: manusa/actions-setup-minikube@v2.6.1 + uses: manusa/actions-setup-minikube@v2.7.0 with: minikube version: 'v1.25.2' kubernetes version: 'v1.22.8' From 8569369de0e9a8ad465bac4230cc64aaf8c224ef Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 16 Aug 2022 09:51:45 -0700 Subject: [PATCH 0883/1479] Bump version of datalinker --- services/datalinker/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index d7ace4f6ec..7d3bd9e0fa 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: Service and data discovery for Rubin Science Platform sources: - https://github.com/lsst-sqre/datalinker -appVersion: 1.4.1 +appVersion: 1.4.2 From e4aa856b92c391d6912f1f43f60ce709c408a683 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Tue, 16 Aug 2022 10:07:56 -0700 Subject: [PATCH 0884/1479] Update nublado2 to 2.4.0 Adds support for primary GIDs. --- services/nublado2/Chart.yaml | 8 +++----- services/nublado2/README.md | 4 ++-- services/nublado2/values.yaml | 2 +- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index 816cbbd8ec..7393358627 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -1,13 +1,11 @@ apiVersion: v2 name: nublado2 -version: 1.1.0 -appVersion: "2.3.0" -description: Nublado2 JupyterHub installation +version: 1.0.0 +description: JupyterHub for the Rubin Science Platform home: https://github.com/lsst-sqre/nublado2 -maintainers: - - name: cbanek sources: - https://github.com/lsst-sqre/nublado2 +appVersion: "2.4.0" # Match the jupyterhub Helm chart for kubeVersion kubeVersion: ">=1.20.0-0" dependencies: diff --git a/services/nublado2/README.md b/services/nublado2/README.md index a3afd6ce9c..a0388df7df 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -1,6 +1,6 @@ # nublado2 -Nublado2 JupyterHub installation +JupyterHub for the Rubin Science Platform **Homepage:** @@ -62,7 +62,7 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.hub.extraVolumes[1].name | string | `"nublado-gafaelfawr"` | | | jupyterhub.hub.extraVolumes[1].secret.secretName | string | `"gafaelfawr-token"` | | | jupyterhub.hub.image.name | string | `"lsstsqre/nublado2"` | | -| jupyterhub.hub.image.tag | string | `"2.3.1"` | | +| jupyterhub.hub.image.tag | string | `"2.4.0"` | | | jupyterhub.hub.loadRoles.self.scopes[0] | string | `"admin:servers!user"` | | | jupyterhub.hub.loadRoles.self.scopes[1] | string | `"read:metrics"` | | | jupyterhub.hub.loadRoles.server.scopes[0] | string | `"inherit"` | | diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 57a9a27249..fd7e6d5cee 100644 --- a/services/nublado2/values.yaml 
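Review bot: `version` drops from 1.1.0 to 1.0.0 in the new Chart.yaml while the commit message only describes the appVersion update to 2.4.0, so the chart version goes backwards without explanation. If this is deliberate alignment with the other wrapper charts in this repository, which all carry `version: 1.0.0`, say so in the commit message; otherwise keep `version: 1.1.0` or bump it. The `maintainers` stanza is removed in the same hunk and is likewise unmentioned.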
+++ b/services/nublado2/values.yaml @@ -7,7 +7,7 @@ jupyterhub: authenticatePrometheus: false image: name: lsstsqre/nublado2 - tag: "2.3.1" + tag: "2.4.0" resources: limits: cpu: 900m From dad3f301b57a70aa63dc60ef0ec20d1a935853c2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 17 Aug 2022 08:15:14 -0700 Subject: [PATCH 0885/1479] Revert "Update Helm docs" This reverts commit c1064a3b1a20ada01d226302bc810a8a300b72e3. Backing out of Argo CD update that introduced a bug. --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 1c3064a111..d25acc0734 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.10.6 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.10.5 | ## Values From 035e3935114dd08dceeaa8f07f47750aab82538d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 17 Aug 2022 08:15:25 -0700 Subject: [PATCH 0886/1479] Revert "Update Helm release argo-cd to v4.10.6" This reverts commit b444340574f76e6ff51ddeb10e42acc8c793596b. Backing out of Argo CD update that introduced a bug. --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 614608159a..96cd12a284 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.10.6 + version: 4.10.5 repository: https://argoproj.github.io/argo-helm From 7fa6ecd70fb0654b292cb2215e65419168f542be Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 17 Aug 2022 16:49:27 +0000 Subject: [PATCH 0887/1479] Update Helm release strimzi-registry-operator to v2.1.0 --- services/sasquatch/Chart.yaml | 2 +- services/sasquatch/README.md | 2 +- services/strimzi-registry-operator/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 8623f76cba..0fe0976a8f 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -7,7 +7,7 @@ dependencies: - name: strimzi-kafka version: 1.0.0 - name: strimzi-registry-operator - version: 2.0.0 + version: 2.1.0 repository: https://lsst-sqre.github.io/charts/ - name: influxdb version: 4.12.0 diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index c50625d29e..6ee2630c71 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -13,7 +13,7 @@ Rubin Observatory's telemetry service. | https://helm.influxdata.com/ | influxdb | 4.12.0 | | https://helm.influxdata.com/ | kapacitor | 1.4.6 | | https://helm.influxdata.com/ | telegraf | 1.8.18 | -| https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.0.0 | +| https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.1.0 | | https://lsst-ts.github.io/charts/ | csc | 0.9.2 | | https://lsst-ts.github.io/charts/ | kafka-producers | 0.10.1 | diff --git a/services/strimzi-registry-operator/Chart.yaml b/services/strimzi-registry-operator/Chart.yaml index b1ee8885d8..42402847eb 100644 --- a/services/strimzi-registry-operator/Chart.yaml +++ b/services/strimzi-registry-operator/Chart.yaml @@ -3,5 +3,5 @@ name: strimzi-registry-operator version: 1.1.0 dependencies: - name: strimzi-registry-operator - version: 1.2.1 + version: 2.1.0 repository: https://lsst-sqre.github.io/charts/ From 72c1b2f8266272d074f3565b6f8ef2fb98cd947c Mon Sep 17 00:00:00 2001 
From: Angelo Fausti Date: Thu, 18 Aug 2022 04:48:04 -0700 Subject: [PATCH 0888/1479] Remove test-csc feature from Sasquatch --- services/sasquatch/Chart.yaml | 8 -- services/sasquatch/README.md | 33 -------- .../sasquatch/templates/vault-secrets.yaml | 9 --- services/sasquatch/values-summit.yaml | 6 -- .../sasquatch/values-tucson-teststand.yaml | 6 -- services/sasquatch/values.yaml | 75 ------------------- 6 files changed, 137 deletions(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 0fe0976a8f..73c70e3c12 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -23,13 +23,5 @@ dependencies: - name: telegraf version: 1.8.18 repository: https://helm.influxdata.com/ - - name: csc - version: 0.9.2 - repository: https://lsst-ts.github.io/charts/ - condition: csc.enabled - - name: kafka-producers - version: 0.10.1 - repository: https://lsst-ts.github.io/charts/ - condition: kafka-producers.enabled - name: kafdrop version: 1.0.0 diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 6ee2630c71..17f881e256 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -14,8 +14,6 @@ Rubin Observatory's telemetry service. | https://helm.influxdata.com/ | kapacitor | 1.4.6 | | https://helm.influxdata.com/ | telegraf | 1.8.18 | | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.1.0 | -| https://lsst-ts.github.io/charts/ | csc | 0.9.2 | -| https://lsst-ts.github.io/charts/ | kafka-producers | 0.10.1 | ## Values 
@@ -26,15 +24,6 @@ Rubin Observatory's telemetry service. | chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.4"}` | Chronograf image tag. | | chronograf.ingress | object | disabled | Chronograf ingress configuration. | | chronograf.persistence | object | `{"enabled":true,"size":"100Gi"}` | Chronograf data persistence configuration. | -| csc.enabled | bool | `false` | Whether the test csc is deployed. | -| csc.env | object | `{"LSST_DDS_PARTITION_PREFIX":"test","LSST_SITE":"test","OSPL_ERRORFILE":"/tmp/ospl-error-test.log","OSPL_INFOFILE":"/tmp/ospl-info-test.log","OSPL_URI":"file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml"}` | Enviroment variables to run the Test CSC. | -| csc.env.OSPL_URI | string | `"file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml"` | Use a single process configuration for DDS OpenSplice. | -| csc.image.nexus3 | string | `"nexus3-docker"` | The tag name for the Nexus3 Docker repository secrets if private images need to be pulled. | -| csc.image.repository | string | `"ts-dockerhub.lsst.org/test"` | The Docker registry name of the container image to use for the CSC | -| csc.image.tag | string | `"c0025"` | The tag of the container image to use for the CSC | -| csc.namespace | string | `"sasquatch"` | Namespace where the Test CSC is deployed. | -| csc.osplVersion | string | `"V6.10.4"` | DDS OpenSplice version. | -| csc.useExternalConfig | bool | `false` | Wether to use an external configuration for DDS OpenSplice. 
| | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":0,"query-timeout":"0s","write-timeout":"1h"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0},"logging":{"level":"debug"}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | 
@@ -44,28 +33,6 @@ Rubin Observatory's telemetry service. | influxdb.persistence.size | string | `"1Ti"` | Persistent volume size. @default 1Ti for teststand deployments | | influxdb.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"sasquatch"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | | kafka-connect-manager | object | `{}` | Override strimzi-kafka configuration. | -| kafka-producers.enabled | bool | `false` | Whether the kafka-producer for the test csc is deployed. | -| kafka-producers.env.brokerIp | string | `"sasquatch-kafka-bootstrap.sasquatch"` | The URI for the Sasquatch Kafka broker. | -| kafka-producers.env.brokerPort | int | `9092` | The port for the Sasquatch Kafka listener. | -| kafka-producers.env.extras.LSST_DDS_RESPONSIVENESS_TIMEOUT | string | `"15s"` | | -| kafka-producers.env.extras.OSPL_ERRORFILE | string | `"/tmp/ospl-error-kafka-producers.log"` | | -| kafka-producers.env.extras.OSPL_INFOFILE | string | `"/tmp/ospl-info-kafka-producers.log"` | | -| kafka-producers.env.extras.OSPL_URI | string | `"file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml"` | Use a single process configuration for DDS OpenSplice. | -| kafka-producers.env.logLevel | int | `20` | Logging level for the Kafka producers | -| kafka-producers.env.lsstDdsPartitionPrefix | string | `"test"` | The LSST_DDS_PARTITION_PREFIX name applied to all producer containers. | -| kafka-producers.env.registryAddr | string | `"http://sasquatch-schema-registry.sasquatch:8081"` | The Sasquatch Schema Registry URL. | -| kafka-producers.env.replication | int | `3` | The topic replication factor (should be the same as the number of Kafka broker in Sasquatch) | -| kafka-producers.image.nexus3 | string | `"nexus3-docker"` | The tag name for the Nexus3 Docker repository secrets if private images need to be pulled. 
| -| kafka-producers.image.repository | string | `"ts-dockerhub.lsst.org/salkafka"` | The Docker registry name of the container image to use for the producers. | -| kafka-producers.image.tag | string | `"c0025"` | The tag of the container image to use for the producers. | -| kafka-producers.namespace | string | `"sasquatch"` | Namespace where the Test CSC is deployed. | -| kafka-producers.osplVersion | string | `"V6.10.4"` | DDS OpenSplice version. | -| kafka-producers.producers | object | `{"test":{"cscs":"Test"}}` | List of producers and CSCs to get DDS samples from. | -| kafka-producers.startupProbe.failureThreshold | int | `15` | The number of times the startup probe is allowed to fail before failing the probe | -| kafka-producers.startupProbe.initialDelay | int | `20` | The initial delay in seconds before the first check is made | -| kafka-producers.startupProbe.period | int | `10` | The time in seconds between subsequent checks | -| kafka-producers.startupProbe.use | bool | `true` | Whether to use the startup probe | -| kafka-producers.useExternalConfig | bool | `false` | Wether to use an external configuration for DDS OpenSplice. | | kapacitor.envVars | object | `{"KAPACITOR_SLACK_ENABLED":true}` | Kapacitor environment variables. | | kapacitor.existingSecret | string | `"sasquatch"` | InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. | | kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.4"}` | Kapacitor image tag. | diff --git a/services/sasquatch/templates/vault-secrets.yaml b/services/sasquatch/templates/vault-secrets.yaml index b0c46d843e..4071dec1f2 100644 --- a/services/sasquatch/templates/vault-secrets.yaml +++ b/services/sasquatch/templates/vault-secrets.yaml 
@@ -28,15 +28,6 @@ spec: --- apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret -metadata: - name: sasquatch-nexus3-docker - namespace: sasquatch -spec: - path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" - type: kubernetes.io/dockerconfigjson ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret metadata: name: tls-certs namespace: sasquatch diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index 733b212072..a3d6606f6d 100644 --- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml @@ -45,9 +45,3 @@ chronograf: kapacitor: persistence: storageClass: rook-ceph-block - -csc: - enabled: false - -kafka-producers: - enabled: false diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index fa96f8e9aa..b04ebfcba3 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -60,9 +60,3 @@ chronograf: kapacitor: persistence: storageClass: rook-ceph-block - -csc: - enabled: false - -kafka-producers: - enabled: false diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 04f49f45e8..42477741d8 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml 
@@ -143,82 +143,7 @@ telegraf: database: "telegraf" username: "telegraf" password: "$TELEGRAF_PASSWORD" -csc: - # -- Whether the test csc is deployed. - enabled: false - image: - # -- The Docker registry name of the container image to use for the CSC - repository: ts-dockerhub.lsst.org/test - # -- The tag of the container image to use for the CSC - tag: c0025 - # -- The tag name for the Nexus3 Docker repository secrets if private images need to be pulled. - nexus3: nexus3-docker - # -- Enviroment variables to run the Test CSC. - env: - LSST_DDS_PARTITION_PREFIX: test - LSST_SITE: test - OSPL_INFOFILE: /tmp/ospl-info-test.log - OSPL_ERRORFILE: /tmp/ospl-error-test.log - # -- Use a single process configuration for DDS OpenSplice. - OSPL_URI: file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml - # -- Wether to use an external configuration for DDS OpenSplice. - useExternalConfig: false - # -- DDS OpenSplice version. - osplVersion: V6.10.4 - # -- Namespace where the Test CSC is deployed. - namespace: sasquatch -kafka-producers: - # -- Whether the kafka-producer for the test csc is deployed. - enabled: false - image: - # -- The Docker registry name of the container image to use for the producers. - repository: ts-dockerhub.lsst.org/salkafka - # -- The tag of the container image to use for the producers. - tag: c0025 - # -- The tag name for the Nexus3 Docker repository secrets if private images need to be pulled. - nexus3: nexus3-docker - env: - # -- The LSST_DDS_PARTITION_PREFIX name applied to all producer containers. - lsstDdsPartitionPrefix: test - # -- The URI for the Sasquatch Kafka broker. - brokerIp: sasquatch-kafka-bootstrap.sasquatch - # -- The port for the Sasquatch Kafka listener. - brokerPort: 9092 - # -- The Sasquatch Schema Registry URL. 
- registryAddr: http://sasquatch-schema-registry.sasquatch:8081 - # -- The topic replication factor (should be the same as the number of Kafka broker in Sasquatch) - replication: 3 - # -- Logging level for the Kafka producers - logLevel: 20 - extras: - # -- Use a single process configuration for DDS OpenSplice. - OSPL_URI: file:///opt/lsst/software/stack/miniconda/lib/python3.8/config/ospl-std.xml - LSST_DDS_RESPONSIVENESS_TIMEOUT: 15s - OSPL_INFOFILE: /tmp/ospl-info-kafka-producers.log - OSPL_ERRORFILE: /tmp/ospl-error-kafka-producers.log - # -- Wether to use an external configuration for DDS OpenSplice. - useExternalConfig: false - # -- DDS OpenSplice version. - osplVersion: V6.10.4 - startupProbe: - # -- Whether to use the startup probe - use: true - # -- The number of times the startup probe is allowed to fail before failing the probe - failureThreshold: 15 - # -- The initial delay in seconds before the first check is made - initialDelay: 20 - # -- The time in seconds between subsequent checks - period: 10 - # -- List of producers and CSCs to get DDS samples from. - producers: - test: - cscs: >- - Test - # -- Namespace where the Test CSC is deployed. - namespace: sasquatch -# The following will be set by parameters injected by Argo CD and should not -# be set in the individual environment values files. global: # -- Base path for Vault secrets # @default -- Set by Argo CD From f99f8ccab51dd46b1d03e4afde612f421ffa5bc5 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 18 Aug 2022 05:09:43 -0700 Subject: [PATCH 0889/1479] Get sasquatch-test-password from secret - Also get the sasl.mechanism, security.protocol and sasl.jaas.config kafka properties from secret --- .../templates/tests/test-sasl-authentication.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) 
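Review bot: The two comment lines above `global:` — `# The following will be set by parameters injected by Argo CD and should not` / `# be set in the individual environment values files.` — are deleted together with the `csc` and `kafka-producers` stanzas, but the `global:` stanza they describe stays. That reads as collateral damage from the removal rather than intent, and the remaining `# @default -- Set by Argo CD` annotation alone does not tell an environment maintainer not to set the key in a values-*.yaml file. Restore the two lines directly above `global:`.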
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/tests/test-sasl-authentication.yaml b/services/sasquatch/charts/strimzi-kafka/templates/tests/test-sasl-authentication.yaml
index 413614d17e..21be5414ea 100644
--- a/services/sasquatch/charts/strimzi-kafka/templates/tests/test-sasl-authentication.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/tests/test-sasl-authentication.yaml
@@ -7,6 +7,11 @@ metadata:
 spec:
 authentication:
 type: scram-sha-512
+ password:
+ valueFrom:
+ secretKeyRef:
+ name: sasquatch
+ key: sasquatch-test-password
 authorization:
 type: simple
 acls:
@@ -64,13 +69,11 @@ spec:
 value: all
 - name: LOG_LEVEL
 value: DEBUG
- # Set here the password created by Strimzi for the
- # sasquatch-test user, see the sasquatch-test secret.
 - name: ADDITIONAL_CONFIG
- value: |
- sasl.mechanism=SCRAM-SHA-512
- security.protocol=SASL_PLAINTEXT
- sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="sasquatch-test" password="";
+ valueFrom:
+ secretKeyRef:
+ name: sasquatch
+ key: sasquatch-test-kafka-properties
 image: quay.io/strimzi-test-clients/test-client-kafka-producer:latest-kafka-3.0.0
 imagePullPolicy: IfNotPresent
 name: kafka-producer-client
From f34a2de00e90d4e9eadca62afaa3b0f8debf3861 Mon Sep 17 00:00:00 2001
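Review bot: Both hunks move the test credential into the `sasquatch` Secret, but as two independent keys — `sasquatch-test-password` becomes the KafkaUser's SCRAM password and `sasquatch-test-kafka-properties` must carry a `sasl.jaas.config` embedding that same password for user sasquatch-test — and nothing in the template states that they have to agree, so rotating one without the other makes the test fail with an opaque authentication error. The comment that documented the old inline value (`# Set here the password created by Strimzi for the ...`) is removed rather than replaced; add one above `- name: ADDITIONAL_CONFIG` such as `# Kafka client properties (sasl.mechanism, security.protocol, sasl.jaas.config); the JAAS password must equal the sasquatch-test-password key used by the KafkaUser above.` Dropping the literal `password=""` placeholder and the hard-coded `security.protocol=SASL_PLAINTEXT` from the chart is the right direction, since the test no longer commits a credential or fixes a protocol that may differ per environment.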
From: adam Date: Thu, 18 Aug 2022 09:25:17 -0700 Subject: [PATCH 0890/1479] Remove NCSA references --- README.rst | 5 -- docs/ops/argo-cd/authentication.rst | 14 ++-- docs/ops/bootstrapping.rst | 2 - docs/ops/cachemachine/pruning.rst | 2 +- .../ops/cachemachine/updating-recommended.rst | 4 +- docs/ops/cert-manager/index.rst | 2 +- docs/ops/ingress-nginx/index.rst | 2 - docs/service-guide/sync-argo-cd.rst | 2 - installer/update_all_secrets.sh | 2 - science-platform/values-int.yaml | 68 ------------------- science-platform/values-stable.yaml | 68 ------------------- services/argocd/values-int.yaml | 28 -------- services/argocd/values-stable.yaml | 28 -------- services/cachemachine/values-int.yaml | 28 -------- services/cachemachine/values-stable.yaml | 28 -------- services/cert-manager/values-int.yaml | 5 -- services/gafaelfawr/values-int.yaml | 41 ----------- services/gafaelfawr/values-minikube.yaml | 27 ++++---- services/gafaelfawr/values-stable.yaml | 43 ------------ services/moneypenny/values-int.yaml | 0 services/moneypenny/values-stable.yaml | 0 services/nublado2/values-int.yaml | 47 ------------- services/nublado2/values-stable.yaml | 61 ----------------- services/obstap/values-int.yaml | 29 -------- services/obstap/values-stable.yaml | 29 -------- services/portal/values-int.yaml | 23 ------- services/portal/values-stable.yaml | 23 ------- services/postgres/README.md | 4 +- services/postgres/values-int.yaml | 8 --- services/postgres/values-stable.yaml | 8 --- services/postgres/values.yaml | 5 +- services/sasquatch/values-int.yaml | 46 ------------- services/sasquatch/values-stable.yaml | 46 ------------- services/semaphore/values-int.yaml | 6 -- services/semaphore/values-stable.yaml | 6 -- services/squareone/values-int.yaml | 9 --- services/squareone/values-stable.yaml | 6 -- services/tap-schema/values-int.yaml | 2 - services/tap-schema/values-stable.yaml | 2 - services/tap/values-int.yaml | 26 ------- services/tap/values-stable.yaml | 26 ------- 
.../vault-secrets-operator/values-int.yaml | 0 .../vault-secrets-operator/values-stable.yaml | 0 43 files changed, 29 insertions(+), 782 deletions(-) delete mode 100644 science-platform/values-int.yaml delete mode 100644 science-platform/values-stable.yaml delete mode 100644 services/argocd/values-int.yaml delete mode 100644 services/argocd/values-stable.yaml delete mode 100644 services/cachemachine/values-int.yaml delete mode 100644 services/cachemachine/values-stable.yaml delete mode 100644 services/cert-manager/values-int.yaml delete mode 100644 services/gafaelfawr/values-int.yaml delete mode 100644 services/gafaelfawr/values-stable.yaml delete mode 100644 services/moneypenny/values-int.yaml delete mode 100644 services/moneypenny/values-stable.yaml delete mode 100644 services/nublado2/values-int.yaml delete mode 100644 services/nublado2/values-stable.yaml delete mode 100644 services/obstap/values-int.yaml delete mode 100644 services/obstap/values-stable.yaml delete mode 100644 services/portal/values-int.yaml delete mode 100644 services/portal/values-stable.yaml delete mode 100644 services/postgres/values-int.yaml delete mode 100644 services/postgres/values-stable.yaml delete mode 100644 services/sasquatch/values-int.yaml delete mode 100644 services/sasquatch/values-stable.yaml delete mode 100644 services/semaphore/values-int.yaml delete mode 100644 services/semaphore/values-stable.yaml delete mode 100644 services/squareone/values-int.yaml delete mode 100644 services/squareone/values-stable.yaml delete mode 100644 services/tap-schema/values-int.yaml delete mode 100644 services/tap-schema/values-stable.yaml delete mode 100644 services/tap/values-int.yaml delete mode 100644 services/tap/values-stable.yaml delete mode 100644 services/vault-secrets-operator/values-int.yaml delete mode 100644 services/vault-secrets-operator/values-stable.yaml diff --git a/README.rst b/README.rst index d53d0ad30a..31218daa26 100644 --- a/README.rst +++ b/README.rst 
@@ -22,11 +22,6 @@ IDF: * `data-int.lsst.cloud `__ (idfint) * `data.lsst.cloud `__ (idfprod) -NCSA: - -* `lsst-lsp-int.ncsa.illinois.edu `__ (int) -* `lsst-lsp-stable.ncsa.illinois.edu `__ (stable) - Telescope and Site: * `tucson-teststand.lsst.codes `__ (tucson-teststand) diff --git a/docs/ops/argo-cd/authentication.rst b/docs/ops/argo-cd/authentication.rst index e4dd6af967..1db7f1dd51 100644 --- a/docs/ops/argo-cd/authentication.rst +++ b/docs/ops/argo-cd/authentication.rst 
@@ -121,22 +121,22 @@ To set up Google SSO authentication to Argo CD in a new cluster, take the follow #. Click New OAuth App. #. Enter the following information (adjust for the environment): - - Application name: RSP Argo CD (NCSA int) - - Homepage URL: https://lsst-lsp-int.ncsa.illinois.edu/argo-cd - - Authorization callback URL: https://lsst-lsp-int.ncsa.illinois.edu/argo-cd/api/dex/callback + - Application name: RSP Argo CD (IDF-int) + - Homepage URL: https://data-int.lsst.cloud/argo-cd + - Authorization callback URL: https://data-int.lsst.cloud/argo-cd/api/dex/callback #. Click "Register Application". #. Click "Generate a new client secret". -#. For SQuaRE-run enviroments, go to the RSP-Vault 1Password vault and create a new Login item with a name like "Argo CD GitHub OAuth - lsst-lsp-int.ncsa.illinois.edu" (replacing the last part with the FQDN of the environment). +#. For SQuaRE-run enviroments, go to the RSP-Vault 1Password vault and create a new Login item with a name like "Argo CD GitHub OAuth - data-int.lsst.cloud" (replacing the last part with the FQDN of the environment). In this secret, put the client ID in the username field. Put the client secret in the password field. Create a field labeled ``generate_secrets_key`` with value ``argocd dex.clientSecret``. - Create a field labeled ``environment`` with value ``lsst-lsp-int.ncsa.illinois.edu`` (replace with the FQDN of the environment). + Create a field labeled ``environment`` with value ``data-int.lsst.cloud`` (replace with the FQDN of the environment). Save this 1Password secret. -#. If the environment already exists, get a Vault write token for the environment (or the Vault admin token) and set the ``dex.clientSecret`` key in the ``argocd`` secret in the Vault path for that environment (something like ``secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu``, replacing the last part with the FQDN of the environment). +#. 
If the environment already exists, get a Vault write token for the environment (or the Vault admin token) and set the ``dex.clientSecret`` key in the ``argocd`` secret in the Vault path for that environment (something like ``secret/k8s_operator/data-int.lsst.cloud``, replacing the last part with the FQDN of the environment). Be sure to use ``vault kv patch`` to add the key to the existing secret. This will add the value to the Argo CD secret once vault-secrets-operator notices the change. You can delete ``argocd-secret`` to immediately recreate it to speed up the propagation. @@ -146,7 +146,7 @@ To set up Google SSO authentication to Argo CD in a new cluster, take the follow .. code-block:: yaml - url: https://lsst-lsp-int.ncsa.illinois.edu/argo-cd + url: https://data-int.lsst.cloud/argo-cd dex.config: | connectors: # Auth using GitHub. diff --git a/docs/ops/bootstrapping.rst b/docs/ops/bootstrapping.rst index e7ca1a8364..29427e6047 100644 --- a/docs/ops/bootstrapping.rst +++ b/docs/ops/bootstrapping.rst @@ -96,7 +96,6 @@ Gafaelfawr When creating the Gafaelfawr configuration for a new environment, in addition to choosing between OpenID Connect authentication and GitHub authentication, you will need to define a group mapping. This specifies which scopes a user will receive based on which groups they are a member of in the upstream identity system. -The current default expects the NCSA groups, which will not be accurate unless you're using CILogon with NCSA LDAP as an attribute source. The most important scopes to configure are: 
@@ -152,7 +151,6 @@ If the Portal Aspect is configured with a ``replicaCount`` greater than one (rec This is **not** supported by most Kubernetes persistent volume backends. At GKE, we use Filestore via NFS. -At NCSA, we use a ``hostPath`` mount of an underlying GPFS volume. Currently the provisioning of this underlying backing store is manual, so make sure you either have created it or gotten a system administrator with appropriate permissions for your site to do so. diff --git a/docs/ops/cachemachine/pruning.rst b/docs/ops/cachemachine/pruning.rst index 54b0346214..612a51e8df 100644 --- a/docs/ops/cachemachine/pruning.rst +++ b/docs/ops/cachemachine/pruning.rst @@ -2,7 +2,7 @@ Image pruning ############# -If the list of cached images on nodes gets excessively long (we've only seen this at NCSA, where there is lots of disk for images and the nodes have been around forever), K8s may stop updating its list of cached images. This will manifest as the spawner options form being devoid of prepulled images. +If the list of cached images on nodes gets excessively long, K8s may stop updating its list of cached images. This will manifest as the spawner options form being devoid of prepulled images. This is a function of Kubernetes, by default, `only showing 50 images on a node `__. You can work around this, if you control the Kubernetes installation, with ``--node-status-max-images`` set to ``-1`` on the kubelet command line, or by setting ``nodeStatusMaxImages`` to ``-1`` in the kubelet configuration file. diff --git a/docs/ops/cachemachine/updating-recommended.rst b/docs/ops/cachemachine/updating-recommended.rst index 115aae37a6..507b0bef9c 100644 --- a/docs/ops/cachemachine/updating-recommended.rst +++ b/docs/ops/cachemachine/updating-recommended.rst 
@@ -47,12 +47,10 @@ Fortunately, this is easy to fix. In cachemachine's ``values-.yaml`` file for the affected environment, go towards the bottom and look in ``repomen``. The first entry will always be of type ``RubinRepoMan``, and will contain the definitions of how many daily, weekly, and release images to prepull. -There are currently only four environments in which we care about keeping the "recommended" target pre-pulled: +There are currently only two environments in which we care about keeping the "recommended" target pre-pulled: #. IDF Production (``data.lsst.cloud``) #. IDF Integration (``data-int.lsst.cloud``) -#. NCSA Stable (``lsst-lsp-stable.ncsa.illinois.edu``) -#. NCSA Integration (``lsst-lsp-int.ncsa.illinois.edu``) Beneath the ``RubinRepoMan`` entry, you should find an entry that looks like: diff --git a/docs/ops/cert-manager/index.rst b/docs/ops/cert-manager/index.rst index 719f3ac520..407c19128b 100644 --- a/docs/ops/cert-manager/index.rst +++ b/docs/ops/cert-manager/index.rst @@ -18,7 +18,7 @@ The ``cert-manager`` service is an installation of `cert-manager `__ and automatically renews them. This service is only deployed on clusters managed by SQuaRE. -NCSA clusters use NCSA certificates issued via an internal process. +If a site uses some other process to manage its certificates, it is the responsibility of that site's administrative team to acquire and deploy those certificates. ``cert-manager`` creates a cluster issuer that uses the DNS solver and Route 53 for DNS by default. Set ``config.createIssuer`` to ``false`` for environments where cert-manager should be installed but not use a Route 53 cluster issuer. diff --git a/docs/ops/ingress-nginx/index.rst b/docs/ops/ingress-nginx/index.rst index b3778ab5de..8216127767 100644 --- a/docs/ops/ingress-nginx/index.rst +++ b/docs/ops/ingress-nginx/index.rst 
@@ -17,8 +17,6 @@ ingress-nginx The ``ingress-nginx`` service is an installation of `ingress-nginx `__ from its `Helm chart `__. We use NGINX as the ingress controller for all Rubin Science Platform deployments rather than native ingress controllers because we use the NGINX ``auth_request`` feature to do authentication and authorization. -NCSA clusters also use the same software, but the NGINX ingress is managed by NCSA rather than via Argo CD. - Upgrading ``ingress-nginx`` is generally painless. A simple Argo CD sync is sufficient. diff --git a/docs/service-guide/sync-argo-cd.rst b/docs/service-guide/sync-argo-cd.rst index 2c1995fc5e..0a1b4a5a0b 100644 --- a/docs/service-guide/sync-argo-cd.rst +++ b/docs/service-guide/sync-argo-cd.rst @@ -15,10 +15,8 @@ When deploying an update, it should normally follow this sequence (skipping envi * data-dev.lsst.cloud * data-int.lsst.cloud -* lsst-lsp-int.ncsa.illinois.edu * tucson-teststand.lsst.codes * data.lsst.cloud -* lsst-lsp-stable.ncsa.illinois.edu * base-lsp.lsst.codes * summit-lsp.lsst.codes diff --git a/installer/update_all_secrets.sh b/installer/update_all_secrets.sh index 66746ed231..6a6a0020bc 100755 --- a/installer/update_all_secrets.sh +++ b/installer/update_all_secrets.sh @@ -1,7 +1,5 @@ #!/bin/bash -ex ./update_secrets.sh minikube.lsst.codes -./update_secrets.sh lsst-lsp-int.ncsa.illinois.edu -./update_secrets.sh lsst-lsp-stable.ncsa.illinois.edu ./update_secrets.sh base-lsp.lsst.codes ./update_secrets.sh summit-lsp.lsst.codes ./update_secrets.sh tucson-teststand.lsst.codes diff --git a/science-platform/values-int.yaml b/science-platform/values-int.yaml deleted file mode 100644 index 06e84c1e98..0000000000 --- a/science-platform/values-int.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -environment: int -fqdn: lsst-lsp-int.ncsa.illinois.edu -vault_path_prefix: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu - -alert_stream_broker: - enabled: false -cachemachine: - enabled: true -cert_manager: - enabled: false -datalinker: - enabled: false -exposurelog: - enabled: false -gafaelfawr: - enabled: true -hips: - enabled: false -ingress_nginx: - enabled: false -mobu: - enabled: false -moneypenny: - enabled: true -narrativelog: - enabled: false -noteburst: - enabled: false -nublado2: - enabled: true -obstap: - enabled: false -plot_navigator: - enabled: false -portal: - enabled: true -postgres: - enabled: true -production_tools: - enabled: false -sasquatch: - enabled: false -semaphore: - enabled: false -sherlock: - enabled: false -squareone: - enabled: true -squash_api: - enabled: false -strimzi: - enabled: false -strimzi_registry_operator: - enabled: false -tap: - enabled: true -tap_schema: - enabled: true -telegraf: - enabled: false -telegraf-ds: - enabled: false -times_square: - enabled: false -vault_secrets_operator: - enabled: true -vo_cutouts: - enabled: false diff --git a/science-platform/values-stable.yaml b/science-platform/values-stable.yaml deleted file mode 100644 index 533445763d..0000000000 --- a/science-platform/values-stable.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -environment: stable -fqdn: lsst-lsp-stable.ncsa.illinois.edu -vault_path_prefix: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu - -alert_stream_broker: - enabled: false -cachemachine: - enabled: true -cert_manager: - enabled: false -datalinker: - enabled: false -exposurelog: - enabled: false -gafaelfawr: - enabled: true -hips: - enabled: false -ingress_nginx: - enabled: false -mobu: - enabled: false -moneypenny: - enabled: true -narrativelog: - enabled: false -noteburst: - enabled: false -nublado2: - enabled: true -obstap: - enabled: false -plot_navigator: - enabled: false -portal: - enabled: true -postgres: - enabled: true -production_tools: - enabled: false -sasquatch: - enabled: false -semaphore: - enabled: false -sherlock: - enabled: false -squareone: - enabled: true -squash_api: - enabled: false -strimzi: - enabled: false -strimzi_registry_operator: - enabled: false -tap: - enabled: true -tap_schema: - enabled: true -telegraf: - enabled: false -telegraf-ds: - enabled: false -times_square: - enabled: false -vault_secrets_operator: - enabled: true -vo_cutouts: - enabled: false diff --git a/services/argocd/values-int.yaml b/services/argocd/values-int.yaml deleted file mode 100644 index 0b1ea1d9af..0000000000 --- a/services/argocd/values-int.yaml +++ /dev/null @@ -1,28 +0,0 @@ -argo-cd: - server: - ingress: - hosts: - - "lsst-lsp-int.ncsa.illinois.edu" - config: - url: https://lsst-lsp-int.ncsa.illinois.edu/argo-cd - dex.config: | - connectors: - # Auth using GitHub. - # See https://dexidp.io/docs/connectors/github/ - - type: github - id: github - name: GitHub - config: - clientID: 3f4383ff79915ace05d7 - # Reference to key in argo-secret Kubernetes resource - clientSecret: $dex.clientSecret - orgs: - - name: lsst-sqre - - rbacConfig: - policy.csv: | - g, lsst-sqre:square, role:admin - -vault_secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/argocd 
diff --git a/services/argocd/values-stable.yaml b/services/argocd/values-stable.yaml deleted file mode 100644 index dda9600a3d..0000000000 --- a/services/argocd/values-stable.yaml +++ /dev/null @@ -1,28 +0,0 @@ -argo-cd: - server: - ingress: - hosts: - - "lsst-lsp-stable.ncsa.illinois.edu" - config: - url: https://lsst-lsp-stable.ncsa.illinois.edu/argo-cd - dex.config: | - connectors: - # Auth using GitHub. - # See https://dexidp.io/docs/connectors/github/ - - type: github - id: github - name: GitHub - config: - clientID: 5e20005bc8739cea5035 - # Reference to key in argo-secret Kubernetes resource - clientSecret: $dex.clientSecret - orgs: - - name: lsst-sqre - - rbacConfig: - policy.csv: | - g, lsst-sqre:square, role:admin - -vault_secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/argocd diff --git a/services/cachemachine/values-int.yaml b/services/cachemachine/values-int.yaml deleted file mode 100644 index d9e2bb9280..0000000000 --- a/services/cachemachine/values-int.yaml +++ /dev/null @@ -1,28 +0,0 @@ -autostart: - jupyter: | - { - "name": "jupyter", - "labels": { - "jupyterlab": "ok" - }, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 1, - "num_weeklies": 2, - "num_dailies": 3 - }, - { - "type": "SimpleRepoMan", - "images": [ - { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2022_22", - "name": "Weekly 2022_22" - } - ] - } - ] - } diff --git a/services/cachemachine/values-stable.yaml b/services/cachemachine/values-stable.yaml deleted file mode 100644 index d9e2bb9280..0000000000 --- a/services/cachemachine/values-stable.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -autostart: - jupyter: | - { - "name": "jupyter", - "labels": { - "jupyterlab": "ok" - }, - "repomen": [ - { - "type": "RubinRepoMan", - "registry_url": "registry.hub.docker.com", - "repo": "lsstsqre/sciplat-lab", - "recommended_tag": "recommended", - "num_releases": 1, - "num_weeklies": 2, - "num_dailies": 3 - }, - { - "type": "SimpleRepoMan", - "images": [ - { - "image_url": "registry.hub.docker.com/lsstsqre/sciplat-lab:w_2022_22", - "name": "Weekly 2022_22" - } - ] - } - ] - } diff --git a/services/cert-manager/values-int.yaml b/services/cert-manager/values-int.yaml deleted file mode 100644 index bdbcf1edf0..0000000000 --- a/services/cert-manager/values-int.yaml +++ /dev/null @@ -1,5 +0,0 @@ -cert-manager: - installCRDs: true - extraArgs: - - --dns01-recursive-nameservers-only - - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 diff --git a/services/gafaelfawr/values-int.yaml b/services/gafaelfawr/values-int.yaml deleted file mode 100644 index 8fc35b6979..0000000000 --- a/services/gafaelfawr/values-int.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# Use an existing, manually-managed PVC for Redis. -redis: - persistence: - volumeClaimName: "auth-int-volume-claim" - -config: - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - - # IP range used by the cluster, used to determine the true client IP for - # logging. - proxies: - - "141.142.181.0/24" - - # Support OpenID Connect clients like Chronograf. - oidcServer: - enabled: true - - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/6ca7b54ac075b65bccb9c885f9ba4a75" - redirectUrl: "https://lsst-lsp-int.ncsa.illinois.edu/oauth2/callback" - test: true - loginParams: - skin: "LSST" - - # Use NCSA groups to determine token scopes. - groupMapping: - "admin:provision": ["lsst_int_lsp_admin"] - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] - - initialAdmins: - - "afausti" - - "athornto" - - "cbanek" - - "frossie" - - "jsick" - - "krughoff" - - "rra" diff --git a/services/gafaelfawr/values-minikube.yaml b/services/gafaelfawr/values-minikube.yaml index 502d9dec7f..30865a3cdb 100644 --- a/services/gafaelfawr/values-minikube.yaml +++ b/services/gafaelfawr/values-minikube.yaml 
@@ -10,20 +10,23 @@ config: oidcServer: enabled: true - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/74e865cd71a3a327096d36081166b739" - redirectUrl: "https://minikube.lsst.codes/login" - loginParams: - skin: "LSST" + github: + clientId: "65b6333a066375091548" - # Use NCSA groups to determine token scopes. + # Allow access by GitHub team. groupMapping: - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "exec:user": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] + "admin:provision": + - "lsst-sqre-square" + "exec:admin": + - "lsst-sqre-square" + "exec:notebook": + - "lsst-sqre-square" + "exec:portal": + - "lsst-sqre-square" + "read:image": + - "lsst-sqre-square" + "read:tap": + - "lsst-sqre-square" initialAdmins: - "afausti" diff --git a/services/gafaelfawr/values-stable.yaml b/services/gafaelfawr/values-stable.yaml deleted file mode 100644 index 9c0304c968..0000000000 --- a/services/gafaelfawr/values-stable.yaml +++ /dev/null 
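Review bot: The new groupMapping grants every scope it lists, including `admin:provision` and `exec:admin`, to the single GitHub team `lsst-sqre-square`, and the replacement comment `# Allow access by GitHub team.` does not record that this all-scopes-to-one-team grant is deliberate for a development cluster; I would make the comment say so, e.g. `# minikube is a development environment: every scope, including the admin ones, is granted to the lsst-sqre "square" team.`. The `exec:user` scope that the removed CILogon mapping granted has no counterpart in the new mapping; if it is still a known scope in this chart it should be re-added, otherwise the omission deserves a mention in the commit message. No `clientSecret` appears under `github:`, which I take to be supplied from the environment's Vault secret as elsewhere in this repository, but that is worth confirming since the removed CILogon block was likewise secret-free. The `config:` mapping this hunk edits begins and ends outside the hunk.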
@@ -1,43 +0,0 @@ -replicaCount: 2 - -# Use an existing, manually-managed PVC for Redis. -redis: - persistence: - volumeClaimName: "auth-redis-volume-claim" - -config: - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" - - # IP range used by the cluster, used to determine the true client IP for - # logging. - proxies: - - "41.142.182.128/26" - - # Support OpenID Connect clients like Chronograf. - oidcServer: - enabled: true - - # Use CILogon authentication. - cilogon: - clientId: "cilogon:/client_id/7ae419868b97e81644ced9886ffbcec" - redirectUrl: "https://lsst-lsp-stable.ncsa.illinois.edu/oauth2/callback" - loginParams: - skin: "LSST" - - # Use NCSA groups to determine token scopes. - groupMapping: - "admin:provision": ["lsst_int_lsp_admin"] - "exec:admin": ["lsst_int_lsp_admin"] - "exec:notebook": ["lsst_int_lspdev"] - "exec:portal": ["lsst_int_lspdev"] - "read:tap": ["lsst_int_lspdev"] - "read:image": ["lsst_int_lspdev"] - - initialAdmins: - - "afausti" - - "athornto" - - "cbanek" - - "frossie" - - "jsick" - - "krughoff" - - "rra" diff --git a/services/moneypenny/values-int.yaml b/services/moneypenny/values-int.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/services/moneypenny/values-stable.yaml b/services/moneypenny/values-stable.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/services/nublado2/values-int.yaml b/services/nublado2/values-int.yaml deleted file mode 100644 index f98588d3a3..0000000000 --- a/services/nublado2/values-int.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -jupyterhub: - ingress: - hosts: ["lsst-lsp-int.ncsa.illinois.edu"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://lsst-lsp-int.ncsa.illinois.edu/login" - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-int.ncsa.illinois.edu/auth?scope=exec:notebook¬ebook=true" - -config: - base_url: "https://lsst-lsp-int.ncsa.illinois.edu" - butler_secret_path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/butler-secret" - pull_secret_path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "NCSA-prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@NCSA-prod" - DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" - pinned_images: - - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended - name: Recommended - volumes: - - name: datasets - hostPath: - path: /lsstdata/user/precursor_data/datasets - - name: home - hostPath: - path: /lsstdata/user/staff/jhome - - name: project - hostPath: - path: /lsstdata/user/staff/project - - name: scratch - hostPath: - path: /lsstdata/user/staff/scratch - volume_mounts: - - name: datasets - mountPath: /datasets - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch - -vault_secret_path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret" diff --git a/services/nublado2/values-stable.yaml b/services/nublado2/values-stable.yaml deleted file mode 100644 index 358deb4a31..0000000000 --- a/services/nublado2/values-stable.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -jupyterhub: - ingress: - hosts: ["lsst-lsp-stable.ncsa.illinois.edu"] - annotations: - nginx.ingress.kubernetes.io/auth-signin: "https://lsst-lsp-stable.ncsa.illinois.edu/login" - nginx.ingress.kubernetes.io/auth-url: "https://lsst-lsp-stable.ncsa.illinois.edu/auth?scope=exec:notebook¬ebook=true" - -config: - base_url: "https://lsst-lsp-stable.ncsa.illinois.edu" - butler_secret_path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/butler-secret" - pull_secret_path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" - lab_environment: - AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" - AUTO_REPO_BRANCH: "NCSA-prod" - AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@NCSA-prod" - DAF_BUTLER_REPOSITORY_INDEX: "/project/data-repos.yaml" - volumes: - - name: datasets - hostPath: - path: /lsstdata/user/precursor_data/datasets - - name: home - hostPath: - path: /lsstdata/user/staff/jhome - - name: project - hostPath: - path: /lsstdata/user/staff/project - - name: scratch - hostPath: - path: /lsstdata/user/staff/scratch - - name: teststand - hostPath: - path: /lsstdata/offline/teststand - - name: instrument - hostPath: - path: /lsstdata/offline/instrument - - name: repo - hostPath: - path: /repo - volume_mounts: - - name: datasets - mountPath: /datasets - - name: home - mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch - - name: teststand - mountPath: /lsstdata/offline/teststand - readOnly: true - - name: instrument - mountPath: /lsstdata/offline/instrument - readOnly: true - - name: repo - mountPath: /repo - -vault_secret_path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret" diff --git a/services/obstap/values-int.yaml b/services/obstap/values-int.yaml deleted file mode 100644 index 80e884587f..0000000000 
--- a/services/obstap/values-int.yaml +++ /dev/null @@ -1,29 +0,0 @@ -resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 8.0 - memory: "16G" - -db: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" - -uws: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" - -config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/obstap/values-stable.yaml b/services/obstap/values-stable.yaml deleted file mode 100644 index 80e884587f..0000000000 --- a/services/obstap/values-stable.yaml +++ /dev/null @@ -1,29 +0,0 @@ -resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 8.0 - memory: "16G" - -db: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" - -uws: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" - -config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/portal/values-int.yaml b/services/portal/values-int.yaml deleted file mode 100644 index 5efe67737b..0000000000 --- a/services/portal/values-int.yaml +++ /dev/null @@ -1,23 +0,0 @@ -replicaCount: 2 - -config: - volumes: - workareaHostPath: "/sui/firefly/workarea" - configHostPath: "/sui/firefly/config" - -nodeSelector: - environment: "portal-int" - -tolerations: - - effect: "NoSchedule" - key: "dedicated" - operator: "Equal" - value: "portal" - -resources: - limits: - memory: "24Gi" - -securityContext: - runAsUser: 101 - runAsGroup: 102 diff --git a/services/portal/values-stable.yaml b/services/portal/values-stable.yaml deleted file mode 100644 index 1b2a815b15..0000000000 --- a/services/portal/values-stable.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -replicaCount: 2 - -config: - volumes: - workareaHostPath: "/sui/firefly/workarea" - configHostPath: "/sui/firefly/config" - -nodeSelector: - environment: "portal-stable" - -tolerations: - - effect: "NoSchedule" - key: "dedicated" - operator: "Equal" - value: "portal" - -resources: - limits: - memory: "24Gi" - -securityContext: - runAsUser: 101 - runAsGroup: 102 diff --git a/services/postgres/README.md b/services/postgres/README.md index 5004813a78..248f19228a 100644 --- a/services/postgres/README.md +++ b/services/postgres/README.md @@ -17,6 +17,6 @@ Postgres RDBMS for LSP | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the postgres image | | image.repository | string | `"lsstsqre/lsp-postgres"` | postgres image to use | | image.tag | string | The appVersion of the chart | Tag of postgres image to use | -| postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you want a good database maybe it's better to use a cloud database?), on Rubin Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere probably "standard" | +| postgresStorageClass | string | `"standard"` | Storage class for postgres volume. Set to appropriate value for your deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you want a good database maybe it's better to use a cloud database?), on Rubin Observatory Rancher, "rook-ceph-block", elsewhere probably "standard" | | postgresVolumeSize | string | `"1Gi"` | Volume size for postgres. It can generally be very small | -| volumeName | string | `""` | Volume name for postgres, if you use an existing volume that isn't automatically created from the PVC by the storage driver (e.g. NCSA) | +| volumeName | string | `""` | Volume name for postgres, if you use an existing volume that isn't automatically created from the PVC by the storage driver. | 
diff --git a/services/postgres/values-int.yaml b/services/postgres/values-int.yaml deleted file mode 100644 index af2e006a5d..0000000000 --- a/services/postgres/values-int.yaml +++ /dev/null @@ -1,8 +0,0 @@ -jupyterhub_db: - user: "jovyan" - db: "jupyterhub" -gafaelfawr_db: - user: "gafaelfawr" - db: "gafaelfawr" -postgresStorageClass: "manual" -volumeName: "postgres-data-volume" diff --git a/services/postgres/values-stable.yaml b/services/postgres/values-stable.yaml deleted file mode 100644 index af2e006a5d..0000000000 --- a/services/postgres/values-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -jupyterhub_db: - user: "jovyan" - db: "jupyterhub" -gafaelfawr_db: - user: "gafaelfawr" - db: "gafaelfawr" -postgresStorageClass: "manual" -volumeName: "postgres-data-volume" diff --git a/services/postgres/values.yaml b/services/postgres/values.yaml index ad3039eee5..6c6fe38087 100644 --- a/services/postgres/values.yaml +++ b/services/postgres/values.yaml @@ -22,12 +22,11 @@ postgresVolumeSize: "1Gi" # -- Storage class for postgres volume. Set to appropriate value for your # deployment: at GKE, "standard" (if you want SSD, "premium-rwo", but if you # want a good database maybe it's better to use a cloud database?), on Rubin -# Observatory Rancher, "rook-ceph-block", at NCSA, "manual", elsewhere -# probably "standard" +# Observatory Rancher, "rook-ceph-block", elsewhere probably "standard" postgresStorageClass: "standard" # -- Volume name for postgres, if you use an existing volume that isn't -# automatically created from the PVC by the storage driver (e.g. NCSA) +# automatically created from the PVC by the storage driver. volumeName: "" # The following will be set by parameters injected by Argo CD and should not diff --git a/services/sasquatch/values-int.yaml b/services/sasquatch/values-int.yaml deleted file mode 100644 index ed266893ec..0000000000 --- a/services/sasquatch/values-int.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -strimzi-kafka: - kafka: - storage: - storageClassName: local-path - zookeeper: - storage: - storageClassName: local-path - -influxdb: - persistence: - storageClass: local-path - ingress: - enabled: true - hostname: lsst-lsp-int.ncsa.illinois.edu - -kafka-connect-manager: - influxdbSink: - influxdb-sink: - enabled: true - -kafdrop: - ingress: - enabled: true - hostname: lsst-lsp-int.ncsa.illinois.edu - -chronograf: - persistence: - storageClass: local-path - ingress: - enabled: true - hostname: lsst-lsp-int.ncsa.illinois.edu - env: - GENERIC_NAME: "OIDC" - GENERIC_AUTH_URL: https://lsst-lsp-int.ncsa.illinois.edu/auth/openid/login - GENERIC_TOKEN_URL: https://lsst-lsp-int.ncsa.illinois.edu/auth/openid/token - USE_ID_TOKEN: 1 - JWKS_URL: https://lsst-lsp-int.ncsa.illinois.edu/.well-known/jwks.json - GENERIC_API_URL: https://lsst-lsp-int.ncsa.illinois.edu/auth/userinfo - GENERIC_SCOPES: openid - GENERIC_API_KEY: sub - PUBLIC_URL: https://lsst-lsp-int.ncsa.illinois.edu - STATUS_FEED_URL: https://lsst-sqre.github.io/sasquatch/feeds/int.json - -kapacitor: - persistence: - storageClass: local-path diff --git a/services/sasquatch/values-stable.yaml b/services/sasquatch/values-stable.yaml deleted file mode 100644 index 50cec3598c..0000000000 --- a/services/sasquatch/values-stable.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -strimzi-kafka: - kafka: - storage: - storageClassName: local-path - zookeeper: - storage: - storageClassName: local-path - -influxdb: - persistence: - storageClass: local-path - ingress: - enabled: true - hostname: lsst-lsp-stable.ncsa.illinois.edu - -kafka-connect-manager: - influxdbSink: - influxdb-sink: - enabled: true - -kafdrop: - ingress: - enabled: true - hostname: lsst-lsp-stable.ncsa.illinois.edu - -chronograf: - persistence: - storageClass: local-path - ingress: - enabled: true - hostname: lsst-lsp-stable.ncsa.illinois.edu - env: - GENERIC_NAME: "OIDC" - GENERIC_AUTH_URL: https://lsst-lsp-stable.ncsa.illinois.edu/auth/openid/login - GENERIC_TOKEN_URL: https://lsst-lsp-stable.ncsa.illinois.edu/auth/openid/token - USE_ID_TOKEN: 1 - JWKS_URL: https://lsst-lsp-stable.ncsa.illinois.edu/.well-known/jwks.json - GENERIC_API_URL: https://lsst-lsp-stable.ncsa.illinois.edu/auth/userinfo - GENERIC_SCOPES: openid - GENERIC_API_KEY: sub - PUBLIC_URL: https://lsst-lsp-stable.ncsa.illinois.edu - STATUS_FEED_URL: https://lsst-sqre.github.io/sasquatch/feeds/stable.json - -kapacitor: - persistence: - storageClass: local-path diff --git a/services/semaphore/values-int.yaml b/services/semaphore/values-int.yaml deleted file mode 100644 index 1dae94dd8e..0000000000 --- a/services/semaphore/values-int.yaml +++ /dev/null @@ -1,6 +0,0 @@ -config: - phalanx_env: "int" - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret diff --git a/services/semaphore/values-stable.yaml b/services/semaphore/values-stable.yaml deleted file mode 100644 index 4747a2b373..0000000000 --- a/services/semaphore/values-stable.yaml +++ /dev/null @@ -1,6 +0,0 @@ -config: - phalanx_env: "stable" - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret diff --git a/services/squareone/values-int.yaml b/services/squareone/values-int.yaml deleted file mode 100644 index 677a7e23c1..0000000000 
--- a/services/squareone/values-int.yaml +++ /dev/null @@ -1,9 +0,0 @@ -config: - siteName: "Rubin Science Platform @ lsp-int" - -ingress: - tls: false - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-int.ncsa.illinois.edu/pull-secret diff --git a/services/squareone/values-stable.yaml b/services/squareone/values-stable.yaml deleted file mode 100644 index f4dfe4ea7f..0000000000 --- a/services/squareone/values-stable.yaml +++ /dev/null @@ -1,6 +0,0 @@ -ingress: - tls: false - -pull-secret: - enabled: true - path: secret/k8s_operator/lsst-lsp-stable.ncsa.illinois.edu/pull-secret diff --git a/services/tap-schema/values-int.yaml b/services/tap-schema/values-int.yaml deleted file mode 100644 index 08ae0e92ed..0000000000 --- a/services/tap-schema/values-int.yaml +++ /dev/null @@ -1,2 +0,0 @@ -image: - repository: "lsstsqre/tap-schema-int" diff --git a/services/tap-schema/values-stable.yaml b/services/tap-schema/values-stable.yaml deleted file mode 100644 index 1dc6425b00..0000000000 --- a/services/tap-schema/values-stable.yaml +++ /dev/null @@ -1,2 +0,0 @@ -image: - repository: "lsstsqre/tap-schema-stable" diff --git a/services/tap/values-int.yaml b/services/tap/values-int.yaml deleted file mode 100644 index 79d70cf2ce..0000000000 --- a/services/tap/values-int.yaml +++ /dev/null @@ -1,26 +0,0 @@ -resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 8.0 - memory: "16G" - -config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - jvmMaxHeapSize: "15G" - -qserv: - host: "lsst-qserv-master03:4040" - mock: - enabled: false - -uws: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" diff --git a/services/tap/values-stable.yaml b/services/tap/values-stable.yaml deleted file mode 100644 index b3dd95a128..0000000000 --- a/services/tap/values-stable.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -resources: - requests: - cpu: 2.0 - memory: "2G" - limits: - cpu: 8.0 - memory: "32G" - -config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" - jvmMaxHeapSize: "31G" - -qserv: - host: "lsst-qserv-master03:4040" - mock: - enabled: false - -uws: - resources: - requests: - cpu: 0.25 - memory: "1G" - limits: - cpu: 2.0 - memory: "4G" diff --git a/services/vault-secrets-operator/values-int.yaml b/services/vault-secrets-operator/values-int.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/services/vault-secrets-operator/values-stable.yaml b/services/vault-secrets-operator/values-stable.yaml deleted file mode 100644 index e69de29bb2..0000000000 From 91c78fff99319ba335804f0edf3bfc8c8643f3d8 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 17 Aug 2022 10:14:37 -0700 Subject: [PATCH 0891/1479] Add user private group and primary GID support Add configuration to Gafaelfawr for getting a primary GID from LDAP and for synthesizing user private groups when LDAP is in use. (This always happens for GitHub authentication.) --- services/gafaelfawr/Chart.yaml | 2 +- services/gafaelfawr/README.md | 2 ++ services/gafaelfawr/templates/configmap.yaml | 10 ++++++++-- services/gafaelfawr/values-idfdev.yaml | 1 + services/gafaelfawr/values.yaml | 17 +++++++++++++---- 5 files changed, 25 insertions(+), 7 deletions(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 5e56728b9f..e48da3608c 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,4 +5,4 @@ description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 5.0.2 +appVersion: 5.1.0 diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 40b7d15d1d..d81c7db6bf 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -35,7 +35,9 @@ Science Platform authentication and authorization system | config.influxdb.username | string | `""` | If set, force all InfluxDB tokens to have that username instead of the authenticated identity of the user requesting a token | | config.initialAdmins | list | `[]` | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. | | config.knownScopes | object | See the `values.yaml` file | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. See [DMTN-235](https://dmtn-235.lsst.io/). | +| config.ldap.addUserGroup | bool | `false` | Whether to synthesize a user private group for each user with a GID equal to their UID | | config.ldap.emailAttr | string | `"mail"` | Attribute containing the user's email address | +| config.ldap.gidAttr | string | Use GID of user private group | Attribute containing the user's primary GID (set to `gidNumber` for most LDAP servers) | | config.ldap.groupBaseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups | | config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. | | config.ldap.groupObjectClass | string | `"posixGroup"` | Object class containing group information | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 76c48a410b..d96d656a9d 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml 
@@ -135,11 +135,17 @@ data: {{- if .Values.config.ldap.userBaseDn }} user_base_dn: {{ .Values.config.ldap.userBaseDn | quote }} user_search_attr: {{ .Values.config.ldap.userSearchAttr | quote }} + name_attr: {{ .Values.config.ldap.nameAttr | quote }} + email_attr: {{ .Values.config.ldap.emailAttr | quote }} {{- if .Values.config.ldap.uidAttr }} uid_attr: {{ .Values.config.ldap.uidAttr | quote }} {{- end }} - name_attr: {{ .Values.config.ldap.nameAttr | quote }} - email_attr: {{ .Values.config.ldap.emailAttr | quote }} + {{- if .Values.config.ldap.gidAttr }} + gid_attr: {{ .Values.config.ldap.gidAttr | quote }} + {{- end }} + {{- end }} + {{- if .Values.config.ldap.addUserGroup }} + add_user_group: true {{- end }} {{- end }} diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index e1a8068623..55d95872b6 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -28,6 +28,7 @@ config: groupMemberAttr: "hasMember" userBaseDn: "ou=people,o=LSST,o=CO,dc=lsst,dc=org" userSearchAttr: "voPersonApplicationUID" + addUserGroup: true groupMapping: "admin:provision": diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 34d8cf4852..bcb8631f2d 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
@@ -165,16 +165,25 @@ config: # -- Search attribute containing the user's username userSearchAttr: "uid" + # -- Attribute containing the user's full name + nameAttr: "displayName" + + # -- Attribute containing the user's email address + emailAttr: "mail" + # -- Attribute containing the user's UID number (set to `uidNumber` for # most LDAP servers) # @default -- Get UID from upstream authentication provider uidAttr: "" - # -- Attribute containing the user's full name - nameAttr: "displayName" + # -- Attribute containing the user's primary GID (set to `gidNumber` for + # most LDAP servers) + # @default -- Use GID of user private group + gidAttr: "" - # -- Attribute containing the user's email address - emailAttr: "mail" + # -- Whether to synthesize a user private group for each user with a GID + # equal to their UID + addUserGroup: false influxdb: # -- Whether to issue tokens for InfluxDB. If set to true, From 36c537db7af29c7ac16162a7a6403e4173e8aaa4 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 17 Aug 2022 15:48:06 -0700 Subject: [PATCH 0892/1479] Add Gafaelfawr maintenance CronJob This is a bit complicated because the Google Cloud SQL sidecar normally keeps running and thus keeps the Job from terminating. Use a hack from StackOverflow to have the main container signal the sidecar container that it should exit. That in turn requires using the Alpine version of the Google sidecar image so that /bin/sh exists. Also fix a bug in adding pod annotations to the Kubernetes operator pod, noticed when copying configuration from it to the new CronJob. --- services/gafaelfawr/README.md | 7 +- .../templates/cronjob-maintenance.yaml | 121 ++++++++++++++++++ .../templates/deployment-tokens.yaml | 4 +- services/gafaelfawr/templates/deployment.yaml | 2 +- .../templates/redis-networkpolicy.yaml | 4 + services/gafaelfawr/values.yaml | 18 ++- 6 files changed, 151 insertions(+), 5 deletions(-) create mode 100644 services/gafaelfawr/templates/cronjob-maintenance.yaml 
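Review bot: The new `addUserGroup` comment leaves out the constraint that makes the synthesized group safe: its GID is the user's UID, so the UID range must be disjoint from every `gidNumber` LDAP (or the group mapping) can return, or a private group silently aliases an existing shared group and inherits its file permissions. I would extend the comment to `# equal to their UID. The UID range must not overlap any group GID returned` / `# from LDAP, or a user private group will alias an existing shared group.`. It is also not stated which wins when both `gidAttr` and `addUserGroup` are set; the configmap template emits both keys, so that precedence presumably lives in Gafaelfawr itself and should be named here.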
diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index d81c7db6bf..1416a64d7c 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -16,7 +16,7 @@ Science Platform authentication and authorization system | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.2"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.31.2-alpine"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `gafaelfawr` and `gafaelfawr-tokens` Kubernetes service accounts and has the `cloudsql.client` role | | config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. | 
@@ -68,6 +68,11 @@ Science Platform authentication and authorization system | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Gafaelfawr image | | image.repository | string | `"ghcr.io/lsst-sqre/gafaelfawr"` | Gafaelfawr image to use | | image.tag | string | The appVersion of the chart | Tag of Gafaelfawr image to use | +| maintenance.affinity | object | `{}` | Affinity rules for the Gafaelfawr maintenance pod | +| maintenance.nodeSelector | object | `{}` | Node selection rules for the Gafaelfawr maintenance pod | +| maintenance.podAnnotations | object | `{}` | Annotations for the Gafaelfawr maintenance pod | +| maintenance.resources | object | `{}` | Resource limits and requests for the Gafaelfawr maintenance pod | +| maintenance.tolerations | list | `[]` | Tolerations for the Gafaelfawr maintenance pod | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Gafaelfawr frontend pod | | podAnnotations | object | `{}` | Annotations for the Gafaelfawr frontend pod | diff --git a/services/gafaelfawr/templates/cronjob-maintenance.yaml b/services/gafaelfawr/templates/cronjob-maintenance.yaml new file mode 100644 index 0000000000..32422e9bb4 --- /dev/null +++ b/services/gafaelfawr/templates/cronjob-maintenance.yaml 
@@ -0,0 +1,121 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ template "gafaelfawr.fullname" . }}-maintenance + labels: + {{- include "gafaelfawr.labels" . | nindent 4 }} +spec: + schedule: "5 * * * *" + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + template: + metadata: + {{- with .Values.maintenance.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + labels: + {{- include "gafaelfawr.selectorLabels" . | nindent 12 }} + app.kubernetes.io/component: "maintenance" + spec: + restartPolicy: "Never" + {{- if .Values.cloudsql.enabled }} + serviceAccountName: {{ include "gafaelfawr.fullname" . }} + {{- else }} + automountServiceAccountToken: false + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + - name: "cloud-sql-proxy" + # Running the sidecar as normal causes it to keep running and + # thus the Pod never exits, the Job never finishes, and the + # CronJob gets confused. Have the main pod signal the sidecar + # by writing to a file on a shared emptyDir file system, and use + # a simple watcher loop in shell in the sidecar container to + # terminate the proxy when the main container finishes. + # + # Based on https://stackoverflow.com/questions/41679364/ + command: + - "/bin/sh" + - "-c" + args: + - | + /cloud_sql_proxy -ip_address_types=PRIVATE -instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432 & + PID=$! 
+ while true; do + if [[ -f "/lifecycle/main-terminated" ]]; then + kill $PID + exit 0 + fi + sleep 1 + done + image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + volumeMounts: + - name: "lifecycle" + mountPath: "/lifecycle" + {{- end }} + - name: "gafaelfawr" + command: + - "/bin/sh" + - "-c" + args: + - | + gafaelfawr maintenance + touch /lifecycle/main-terminated + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- with .Values.maintenance.resources }} + resources: + {{- toYaml . | nindent 16 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + volumeMounts: + - name: "config" + mountPath: "/etc/gafaelfawr" + readOnly: true + - name: "lifecycle" + mountPath: "/lifecycle" + - name: "secret" + mountPath: "/etc/gafaelfawr/secrets" + readOnly: true + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + volumes: + - name: "config" + configMap: + name: {{ template "gafaelfawr.fullname" . }}-config + - name: "lifecycle" + emptyDir: {} + - name: "secret" + secret: + secretName: {{ template "gafaelfawr.fullname" . }}-secret + {{- with .Values.maintenance.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.maintenance.affinity }} + affinity: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.maintenance.tolerations }} + tolerations: + {{- toYaml . | nindent 12 }} + {{- end }} diff --git a/services/gafaelfawr/templates/deployment-tokens.yaml b/services/gafaelfawr/templates/deployment-tokens.yaml index c35eb1ba1a..b97853b643 100644 
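Review bot: In the `gafaelfawr` container's script, `touch /lifecycle/main-terminated` is the last command, so the container exits 0 even when `gafaelfawr maintenance` fails and the Job is recorded as successful; change it to `gafaelfawr maintenance; status=$?`, `touch /lifecycle/main-terminated`, `exit $status` so the failure is visible while the sidecar still gets its signal. If the main container dies before reaching the `touch` (an OOM kill, for example), the sidecar loop never sees the file, the Pod never completes, and `concurrencyPolicy: "Forbid"` then suppresses every following run; an `activeDeadlineSeconds` on the Job spec bounds that. `[[ -f ... ]]` is a bash/ksh extension that the busybox `/bin/sh` in the alpine image usually accepts, but POSIX `[ -f ... ]` is the safer spelling in a `/bin/sh -c` script. No `backoffLimit` is set, so the Kubernetes default of 6 retries applies to a job that talks to the token database; presumably intended, but worth a comment.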
--- a/services/gafaelfawr/templates/deployment-tokens.yaml +++ b/services/gafaelfawr/templates/deployment-tokens.yaml @@ -46,9 +46,9 @@ spec: - "kubernetes-controller" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- with .Values.resources }} + {{- with .Values.tokens.resources }} resources: - {{- toYaml .Values.tokens.resources | nindent 12 }} + {{- toYaml . | nindent 12 }} {{- end }} securityContext: allowPrivilegeEscalation: false diff --git a/services/gafaelfawr/templates/deployment.yaml b/services/gafaelfawr/templates/deployment.yaml index a4660c9ba3..0318cd7096 100644 --- a/services/gafaelfawr/templates/deployment.yaml +++ b/services/gafaelfawr/templates/deployment.yaml @@ -58,7 +58,7 @@ spec: port: "http" {{- with .Values.resources }} resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml . | nindent 12 }} {{- end }} securityContext: allowPrivilegeEscalation: false diff --git a/services/gafaelfawr/templates/redis-networkpolicy.yaml b/services/gafaelfawr/templates/redis-networkpolicy.yaml index 7423b2805b..91eb35d72c 100644 --- a/services/gafaelfawr/templates/redis-networkpolicy.yaml +++ b/services/gafaelfawr/templates/redis-networkpolicy.yaml @@ -21,6 +21,10 @@ spec: matchLabels: {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} app.kubernetes.io/component: "frontend" + - podSelector: + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: "maintenance" - podSelector: matchLabels: {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index bcb8631f2d..b35aec2fb7 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
@@ -244,7 +244,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.2" + tag: "1.31.2-alpine" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" @@ -257,6 +257,22 @@ cloudsql: # `cloudsql.client` role serviceAccount: "" +maintenance: + # -- Resource limits and requests for the Gafaelfawr maintenance pod + resources: {} + + # -- Annotations for the Gafaelfawr maintenance pod + podAnnotations: {} + + # -- Node selection rules for the Gafaelfawr maintenance pod + nodeSelector: {} + + # -- Tolerations for the Gafaelfawr maintenance pod + tolerations: [] + + # -- Affinity rules for the Gafaelfawr maintenance pod + affinity: {} + tokens: # -- Resource limits and requests for the Gafaelfawr token management pod resources: {} From 8697c47436ea8c110e2422520fbff88072ea3a38 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 18 Aug 2022 11:14:06 -0700 Subject: [PATCH 0893/1479] Add Gafaelfawr config for Slack webhook Add support for a general RSP alerts Slack webhook secret, and configuration for Gafaelfawr to use it via its secret. Currently this is only used to report uncaught exceptions. --- installer/generate_secrets.py | 11 +++++++++++ services/gafaelfawr/README.md | 1 + services/gafaelfawr/templates/configmap.yaml | 3 +++ services/gafaelfawr/values-idfdev.yaml | 1 + services/gafaelfawr/values.yaml | 4 ++++ 5 files changed, 20 insertions(+) diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 25bcd027f3..8568710bec 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py @@ -42,6 +42,7 @@ def generate(self): `regenerate` attribute is `True`. """ self._pull_secret() + self._rsp_alerts() self._butler_secret() self._postgres() self._tap() 
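Review bot: The `tag` value now carries a functional dependency that the surrounding comment does not record: the maintenance CronJob wraps the proxy in `/bin/sh`, which only exists in the `-alpine` variant of the image, so a later bump to a bare `1.xx.y` tag would break the Job while the frontend Deployment keeps working. I would replace the comment with `# -- Cloud SQL Auth Proxy tag to use. Keep the -alpine variant: the` / `# maintenance CronJob's sidecar wrapper needs /bin/sh in the image`. Automated version bumps in particular tend to drop such suffixes.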
@@ -254,6 +255,10 @@ def _gafaelfawr(self): else: raise Exception(f"Invalid auth provider {auth_type}") + slack_webhook = self.secrets["rsp-alerts"]["slack-webhook"] + if slack_webhook: + self._set("gafaelfawr", "slack-webhook", slack_webhook) + def _pull_secret(self): self.input_file( "pull-secret", @@ -359,6 +364,12 @@ def _sherlock(self): publish_key = secrets.token_hex(32) self._set_generated("sherlock", "publish_key", publish_key) + def _rsp_alerts(self): + """Shared secrets for alerting.""" + self.input_field( + "rsp-alerts", "slack-webhook", "Slack webhook for alerts" + ) + class OnePasswordSecretGenerator(SecretGenerator): """A secret generator that syncs 1Password secrets into a secrets directory diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 1416a64d7c..30d98c87a6 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -60,6 +60,7 @@ Science Platform authentication and authorization system | config.oidc.usernameClaim | string | `"sub"` | Claim from which to get the username | | config.oidcServer.enabled | bool | `false` | Whether to support OpenID Connect clients. If set to true, `oidc-server-secrets` must be set in the Gafaelfawr secret. | | config.proxies | list | [`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`] | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging | +| config.slackAlerts | bool | `false` | Whether to send certain serious alerts to Slack. If `true`, the `slack-webhook` secret must also be set. | | config.tokenLifetimeMinutes | int | `43200` (30 days) | Session length and token expiration (in minutes) | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index d96d656a9d..6fd820c59f 100644 
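Review bot: `self.secrets["rsp-alerts"]["slack-webhook"]` in `_gafaelfawr` depends on `_rsp_alerts()` having already run, an ordering the `generate()` hunk establishes by calling it right after `_pull_secret()` but nothing here documents; a comment such as `# Requires _rsp_alerts() to have run first (see generate()).` plus reading the key with `.get("slack-webhook")` would make a missing entry a clean skip instead of a KeyError. The webhook URL is a bearer credential (anyone holding it can post to the channel) that now exists in two secrets, so rotation must update `rsp-alerts` and regenerate rather than edit `gafaelfawr` alone; that deserves a line in the `_rsp_alerts` docstring. When the prompt is left empty the `gafaelfawr` key is not written at all, while a deployment with `config.slackAlerts: true` will still mount `/etc/gafaelfawr/secrets/slack-webhook`; that mismatch is only caught at pod start. `_gafaelfawr` starts before this hunk.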
--- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -14,6 +14,9 @@ data: database_password_file: "/etc/gafaelfawr/secrets/database-password" redis_url: "redis://{{ template "gafaelfawr.fullname" . }}-redis.{{ .Release.Namespace }}:6379/0" redis_password_file: "/etc/gafaelfawr/secrets/redis-password" + {{- if .Values.config.slackAlerts }} + slack_webhook_file: "/etc/gafaelfawr/secrets/slack-webhook" + {{- end }} token_lifetime_minutes: {{ .Values.config.tokenLifetimeMinutes }} {{- if .Values.config.proxies }} proxies: diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 55d95872b6..ac337a3455 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -6,6 +6,7 @@ redis: config: databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" loglevel: "DEBUG" + slackAlerts: true # Support OpenID Connect clients like Chronograf. oidcServer: diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index b35aec2fb7..0c7929f0bc 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -43,6 +43,10 @@ config: # -- Choose from the text form of Python logging levels loglevel: "INFO" + # -- Whether to send certain serious alerts to Slack. If `true`, the + # `slack-webhook` secret must also be set. + slackAlerts: false + # -- Session length and token expiration (in minutes) # @default -- `43200` (30 days) tokenLifetimeMinutes: 43200 From 3cd6906a712e36631c3753a6cdefde9e80c7f064 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 3 Aug 2022 15:49:21 -0400 Subject: [PATCH 0894/1479] DM-35816: Times Square development --- services/times-square/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 0ccdb4cba1..f790be320a 100644 --- a/services/times-square/Chart.yaml 
+++ b/services/times-square/Chart.yaml @@ -7,7 +7,7 @@ home: https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image -appVersion: "0.5.0" +appVersion: "tickets-DM-35816" dependencies: - name: redis From bfac0d305e35af14d00e265f489dd557e5643b25 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 4 Aug 2022 16:00:14 -0400 Subject: [PATCH 0895/1479] DM-35816 Update Squareone --- services/squareone/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index 45927cffd9..d437e44c32 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,4 +10,4 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "0.7.1" +appVersion: "tickets-DM-35816" From 040cdb5a4a2ea25798aa477e3766115975926dd1 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 19 Aug 2022 12:03:21 -0400 Subject: [PATCH 0896/1479] Update to squareone 0.8.0 and times-square 0.6.0 These are the releases from DM-35816 to add pull request previews for Times Square into Squareone. --- services/squareone/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml index d437e44c32..11f06889d0 100644 --- a/services/squareone/Chart.yaml +++ b/services/squareone/Chart.yaml @@ -10,4 +10,4 @@ maintainers: url: https://github.com/jonathansick # The default version tag of the squareone docker image -appVersion: "tickets-DM-35816" +appVersion: "0.8.0" diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index f790be320a..f9ac4f32c6 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml 
@@ -7,7 +7,7 @@ home: https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image -appVersion: "tickets-DM-35816" +appVersion: "0.6.0" dependencies: - name: redis From d8b4f0a26ee3aaa181a6a0857feb4fe45ae8f9bd Mon Sep 17 00:00:00 2001 From: Fritz Mueller Date: Fri, 19 Aug 2022 09:30:29 -0700 Subject: [PATCH 0897/1479] Update tap-schema to 1.1.21 --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 25ae16e730..833500b8d1 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.17 +appVersion: 1.1.21 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From b1b1fe03c0a4e48d52541c128b1c51f9bd9c01d2 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 18 Aug 2022 13:48:51 -0700 Subject: [PATCH 0898/1479] Add external listener configuration - If TLS is enabled use cert-manager to issue certificates for the external listener. - Support annotations added to the Ingress, Route, or Service resource. --- .../sasquatch/charts/strimzi-kafka/README.md | 6 ++++ .../strimzi-kafka/templates/certificates.yaml | 19 +++++++++++ .../charts/strimzi-kafka/templates/kafka.yaml | 30 +++++++++++++++- .../charts/strimzi-kafka/values.yaml | 34 +++++++++++++++++++ services/sasquatch/values-idfdev.yaml | 17 +++++++++- 5 files changed, 104 insertions(+), 2 deletions(-) create mode 100644 services/sasquatch/charts/strimzi-kafka/templates/certificates.yaml diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 09fa0930f7..e7bdde332e 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md 
@@ -13,6 +13,12 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | kafka.config."log.retention.bytes" | string | `"429496729600"` | Maximum retained number of bytes for a topic's data. | | kafka.config."log.retention.hours" | int | `24` | Number of days for a topic's data to be retained. | | kafka.config."offsets.retention.minutes" | int | `1440` | Number of minutes for a consumer group's offsets to be retained. | +| kafka.externalListener.bootstrap.annotations | object | `{}` | Annotations that will be added to the Ingress, Route, or Service resource. | +| kafka.externalListener.bootstrap.host | string | `""` | Name used for TLS hostname verification. | +| kafka.externalListener.bootstrap.loadBalancerIP | string | `""` | The loadbalancer is requested with the IP address specified in this field. This feature depends on whether the underlying cloud provider supports specifying the loadBalancerIP when a load balancer is created. This field is ignored if the cloud provider does not support the feature. Once the IP address is provisioned this option make it possible to pin the IP address. We can request the same IP next time it is provisioned. This is important because it lets us configure a DNS record, associating a hostname with that pinned IP address. | +| kafka.externalListener.brokers | list | `[]` | Borkers configuration. host is used in the brokers' advertised.brokers configuration and for TLS hostname verification. The format is a list of maps. | +| kafka.externalListener.tls.certIssuerName | string | `"letsencrypt-dns"` | Name of a ClusterIssuer capable of provisioning a TLS certificate for the broker. | +| kafka.externalListener.tls.enabled | bool | `false` | Whether TLS encryption is enabled. | | kafka.replicas | int | `3` | Number of Kafka broker replicas to run. | | kafka.storage.size | string | `"500Gi"` | Size of the backing storage disk for each of the Kafka brokers. 
| | kafka.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. | diff --git a/services/sasquatch/charts/strimzi-kafka/templates/certificates.yaml b/services/sasquatch/charts/strimzi-kafka/templates/certificates.yaml new file mode 100644 index 0000000000..71f39d59a5 --- /dev/null +++ b/services/sasquatch/charts/strimzi-kafka/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{- if and (.Values.kafka.externalListener.tls.enabled) (.Values.kafka.externalListener.bootstrap.host) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.cluster.name }}-external-tls + +spec: + secretName: {{ .Values.cluster.name }}-external-tls + + issuerRef: + name: {{ .Values.kafka.externalListener.tls.certIssuerName }} + kind: ClusterIssuer + + dnsNames: + - {{ .Values.kafka.externalListener.bootstrap.host }} + {{- range $broker := .Values.kafka.externalListener.brokers }} + - {{ $broker.host }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml index cd30ae9d61..6856a36517 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml 
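Review bot: The Certificate does not set `privateKey.rotationPolicy`, and cert-manager's default (`Never`) reuses the same private key on every renewal, so a key that leaked from the broker Secret stays valid for the life of the deployment; add `privateKey:` / `rotationPolicy: Always` under `spec`. Strimzi reads the resulting Secret by name from the Kafka resource, so both objects must land in the same namespace; the template relies on the release namespace for that and a comment should say so. The file also ends without a trailing newline, which the diff flags.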
@@ -35,9 +35,37 @@ spec: - name: external port: 9094 type: loadbalancer - tls: true + tls: {{ .Values.kafka.externalListener.tls.enabled }} authentication: type: scram-sha-512 + configuration: + bootstrap: + {{- if .Values.kafka.externalListener.bootstrap.loadBalancerIP }} + loadBalancerIP: {{ .Values.kafka.externalListener.bootstrap.loadBalancerIP }} + {{- end }} + {{- if .Values.kafka.externalListener.bootstrap.annotations }} + annotations: {{ .Values.kafka.externalListener.bootstrap.annotations }} + {{- end }} + {{- if .Values.kafka.externalListener.brokers }} + brokers: + {{- range $idx, $broker := .Values.kafka.externalListener.brokers }} + - broker: {{ $idx }} + loadBalancerIP: {{ $broker.loadBalancerIP }} + advertisedHost: {{ $broker.host }} + advertisedPort: 9094 + annotations: + {{- range $key, $value := $broker.annotations }} + {{ $key }}: {{ $value }} + {{- end}} + {{- end }} + {{- end }} + {{- if and (.Values.kafka.externalListener.tls.enabled) (.Values.kafka.externalListener.bootstrap.host) }} + brokerCertChainAndKey: + secretName: {{ .Values.cluster.name }}-external-tls + certificate: tls.crt + key: tls.key + {{- end }} + authorization: type: simple {{- if .Values.superusers }} diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index 864cfd1872..11863b26f9 100644 --- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml 
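Review bot: `annotations: {{ .Values.kafka.externalListener.bootstrap.annotations }}` renders the map with Go's default formatting (`map[key:value]`), not as YAML, so any non-empty bootstrap annotation produces an invalid Kafka resource; use `{{- with .Values.kafka.externalListener.bootstrap.annotations }}` / `annotations: {{- toYaml . | nindent 14 }}` / `{{- end }}` (depth matching the `loadBalancerIP` key), as the broker branch already does with its `range`. The `brokerCertChainAndKey` block is only emitted when both `tls.enabled` and `bootstrap.host` are set, so enabling TLS without a host silently leaves the public listener on whatever certificate Strimzi issues itself (presumably its cluster-CA-signed one) rather than the cert-manager certificate; a `required` on `bootstrap.host` inside the TLS branch would turn that into a render-time error. `tls:` now follows a value whose default is false while `authentication: type: scram-sha-512` stays on this load-balancer listener, so a non-TLS deployment runs the SCRAM exchange and all Kafka traffic in the clear.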
@@ -22,6 +22,40 @@ kafka: # -- Maximum retained number of bytes for a topic's data. log.retention.bytes: "429496729600" + externalListener: + tls: + # -- Whether TLS encryption is enabled. + enabled: false + # -- Name of a ClusterIssuer capable of provisioning a TLS certificate for the broker. + certIssuerName: "letsencrypt-dns" + + bootstrap: + # -- The loadbalancer is requested with the IP address specified in this field. + # This feature depends on whether the underlying cloud provider supports specifying the loadBalancerIP when a load balancer is created. + # This field is ignored if the cloud provider does not support the feature. + # Once the IP address is provisioned this option make it possible to pin the IP address. + # We can request the same IP next time it is provisioned. This is important because + # it lets us configure a DNS record, associating a hostname with that pinned IP address. + loadBalancerIP: "" + # -- Name used for TLS hostname verification. + host: "" + # -- Annotations that will be added to the Ingress, Route, or Service resource. + annotations: {} + + # -- Borkers configuration. host is used in the brokers' advertised.brokers configuration and for TLS hostname verification. + # The format is a list of maps. + brokers: [] + # For example: + # brokers: + # - loadBalancerIP: "192.168.1.1" + # host: broker-0.example + # annotations: + # metallb.universe.tf/address-pool: sdf-dmz + # - loadBalancerIP: "192.168.1.2" + # host: broker-1.example + # annotations: + # metallb.universe.tf/address-pool: sdf-dmz + zookeeper: # -- Number of Zookeeper replicas to run. replicas: 3 diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index 71ef97cafb..a29bf93af2 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml 
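Review bot: `tls.enabled: false` as the default turns the external listener plaintext for every environment that does not override it, whereas the template previously hard-coded `tls: true`; since SCRAM authentication is still configured on that listener and it is exposed through a load balancer, the secure default is `enabled: true` with environments opting out explicitly. The `brokers` comment has a typo (`Borkers`), and `advertised.brokers` is not a Kafka setting — the value feeds `advertisedHost`, i.e. the broker's `advertised.listeners`. I would also state in the `host` comment that it becomes a `dnsNames` entry of the cert-manager Certificate, so it must be a name the `letsencrypt-dns` issuer can validate.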
@@ -1,4 +1,19 @@ -strimzi-kafka: {} +strimzi-kafka: + kafka: + externalListener: + tls: + enabled: true + bootstrap: + loadBalancerIP: "34.173.210.129" + host: sasquatch-dev-kafka-bootstrap.lsst.cloud + + brokers: + - loadBalancerIP: "34.173.20.18" + host: sasquatch-dev-kafka-0.lsst.cloud + - loadBalancerIP: "34.69.251.153" + host: sasquatch-dev-kafka-1.lsst.cloud + - loadBalancerIP: "35.184.86.132" + host: sasquatch-dev-kafka-2.lsst.cloud influxdb: ingress: From 5b5321609692644479d52b1addf5520c0a382d7a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 19 Aug 2022 14:30:18 -0700 Subject: [PATCH 0899/1479] Update mobu to 4.5.0 Set explicit primary GID numbers for test users on deployments with mobu enabled and using GitHub for identity. --- services/mobu/Chart.yaml | 2 +- services/mobu/values-idfint.yaml | 3 +++ services/mobu/values-idfprod.yaml | 4 ++++ services/mobu/values-roe.yaml | 2 ++ 4 files changed, 10 insertions(+), 1 deletion(-) diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index 833bd18af1..81927cfb1d 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -3,4 +3,4 @@ name: mobu version: 1.0.0 description: Generate system load by pretending to be a random scientist home: https://github.com/lsst-sqre/mobu -appVersion: 4.4.6 +appVersion: 4.5.0 diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 21116762f4..9d8b152f91 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -6,6 +6,7 @@ autostart: users: - username: "bot-mobu-recommended" uidnumber: 74768 + gidnumber: 74768 scopes: - "exec:notebook" - "exec:portal" @@ -22,6 +23,7 @@ autostart: users: - username: "bot-mobu-weekly" uidnumber: 74769 + gidnumber: 74769 scopes: - "exec:notebook" - "exec:portal" @@ -39,6 +41,7 @@ autostart: users: - username: "bot-mobu-tap" uidnumber: 74775 + gidnumber: 74775 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true 
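Review bot: With `tls: enabled: true` and `host: sasquatch-dev-kafka-bootstrap.lsst.cloud` set, the strimzi-kafka template in this series selects the `brokerCertChainAndKey` branch, which reads a secret named after the cluster with an `-external-tls` suffix, and nothing in the visible files of this commit creates that secret or a certificate covering the bootstrap and three broker hostnames; presumably cert-manager produces it elsewhere, but a one-line comment above `tls:` saying where the certificate comes from would save the next reader the search. The pinned `loadBalancerIP` values are quoted strings, which is the right form for these.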
diff --git a/services/mobu/values-idfprod.yaml b/services/mobu/values-idfprod.yaml index a599ba76ba..2d4f6530cf 100644 --- a/services/mobu/values-idfprod.yaml +++ b/services/mobu/values-idfprod.yaml @@ -6,6 +6,7 @@ autostart: user_spec: username_prefix: "bot-mobu-recommended" uid_start: 74768 + gid_start: 74768 scopes: - "exec:notebook" - "exec:portal" @@ -22,6 +23,7 @@ autostart: users: - username: "bot-mobu-persistent" uidnumber: 74773 + gidnumber: 74773 scopes: - "exec:notebook" - "exec:portal" @@ -39,6 +41,7 @@ autostart: users: - username: "bot-mobu-tutorial" uidnumber: 74774 + gidnumber: 74774 scopes: - "exec:notebook" - "exec:portal" @@ -56,6 +59,7 @@ autostart: users: - username: "bot-mobu-tap" uidnumber: 74775 + gidnumber: 74775 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true diff --git a/services/mobu/values-roe.yaml b/services/mobu/values-roe.yaml index addce5939b..11c34784b5 100644 --- a/services/mobu/values-roe.yaml +++ b/services/mobu/values-roe.yaml @@ -4,6 +4,7 @@ autostart: users: - username: "bot-mobu-recommended" uidnumber: 74768 + gidnumber: 74768 scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"] business: "NotebookRunner" options: @@ -16,6 +17,7 @@ autostart: users: - username: "bot-mobu-weekly" uidnumber: 74769 + gidnumber: 74769 scopes: ["exec:notebook", "exec:portal", "read:image", "read:tap"] business: "NotebookRunner" options: From ce26e94d84216bac8e30100134a17de04b172855 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 19 Aug 2022 15:57:18 -0700 Subject: [PATCH 0900/1479] Add basic mobu documentation Add some basic documentation for mobu including examples of some typical testing patterns. --- docs/index.rst | 1 + docs/ops/mobu/configuring.rst | 139 ++++++++++++++++++++++++++++++++++ docs/ops/mobu/index.rst | 28 +++++++ 3 files changed, 168 insertions(+) create mode 100644 docs/ops/mobu/configuring.rst create mode 100644 docs/ops/mobu/index.rst 
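Review bot: `gid_start: 74768`, together with the existing `uid_start: 74768` in the first hunk of values-idfprod.yaml, defines a consecutive range whose length is this flock's `count`, which lies outside the hunk, while the later hunks in the same file pin `uidnumber`/`gidnumber` 74773, 74774 and 74775 for other flocks; if mobu allocates IDs consecutively as the documentation added later in this series describes, a count above 5 would give a generated user the same UID and GID as `bot-mobu-persistent`. A comment next to `gid_start` recording the ceiling, e.g. `# 74768-74772 are reserved for this flock; 74773 and up are pinned below`, would keep the constraint visible when the count is raised.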
diff --git a/docs/index.rst b/docs/index.rst index 4a37cf09c2..a51acfc930 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -66,6 +66,7 @@ Services ops/cert-manager/index ops/gafaelfawr/index ops/ingress-nginx/index + ops/mobu/index ops/nublado2/index ops/postgres/index ops/squash-api/index diff --git a/docs/ops/mobu/configuring.rst b/docs/ops/mobu/configuring.rst new file mode 100644 index 0000000000..40e44f9eff --- /dev/null +++ b/docs/ops/mobu/configuring.rst 
@@ -0,0 +1,139 @@ +################ +Configuring mobu +################ + +Configuring mobu consists primarily of defining the flocks of monkeys that it should run. +This is done by setting the ``autostart`` key in the ``values-*.yaml`` file for that deployment to a list of flock definitions. +The definition of a flock must follow the same schema as a ``PUT`` to the ``/mobu/flocks`` route to create a new flock via the API. +Complete documentation is therefore available at the ``/mobu/redoc`` route on a given deployment. +This is just an overview of the most common configurations. + +Simple configuration +==================== + +Here is a simple configuration with a single flock that tests the Notebook Aspect by spawning a pod, running some Python, and then destroying the pod again: + +.. code-block:: yaml + + autostart: + - name: "python" + count: 1 + users: + - username: "bot-mobu-user" + scopes: ["exec:notebook"] + business: "JupyterPythonLoop" + options: + jupyter: + image_size: "Small" + restart: true + +Important points to note here: + +* The ``autostart`` key takes a list of flocks of monkeys. + Each one must have a ``name`` (which controls the URL for that flock under ``/mobu/flocks`` once it has been created) and a ``count`` key specifying how many monkeys will be performing this test. + +* Users must be defined for each monkey. + There are two ways to do this: specifying a list of users equal to the number of monkeys being run, or providing a specification for users that is used to programmatically generate usernames, UIDs, and GIDs. + An example of the latter will be given below. + Here, this specifies a single user with the name ``bot-mobu-user``. + Usernames must begin with ``bot-``. + Neither a UID nor a GID is specified, which means that Gafaelfawr has to be ble to generate UIDs and GIDs on the fly. 
+ This configuration will therefore only work if this deployment enables Firestore for UID and GID generation, and enables synthesizing user private groups. + +* If the monkey user will need additional scopes, they must be specified. + Here, the required scope is ``exec:notebook``, which allows spawning Notebooks. + More scopes would be needed if the monkey were running notebooks that interacted with other services. + +* The ``business`` key specifies the type of test to perform. + Here, ``JupyterPythonLoop`` just runs a small bit of Python through the Jupyter lab API after spawning a lab pod. + ``options.jupyter`` specifies additional options for the chosen business and are business-specific. + See the full mobu documentation for more details. + +* ``restart: true`` tells mobu to shut down and respawn the pod if there is any failure. + The default is to attempt to keep using the same pod despite the failure. + +Testing with notebooks +====================== + +Here is a more complex example that runs a set of notebooks as a test: + +.. code-block:: yaml + + autostart: + - name: "firefighter" + count: 1 + users: + - username: "bot-mobu-recommended" + uidnumber: 74768 + gidnumber: 74768 + scopes: + - "exec:notebook" + - "exec:portal" + - "read:image" + - "read:tap" + business: "NotebookRunner" + options: + repo_url: "https://github.com/lsst-sqre/system-test.git" + repo_branch: "prod" + max_executions: 1 + restart: true + +Here, note that the UID and primary GID for the user are specified, so this example will work in deployments that do not use Firestore and synthesized user private groups. + +This uses the business ``NotebookRunner`` instead, which checks out a Git repository and runs all notebooks at the top level of that repository. +The repository URL and branch are configured in ``options``. +``options.max_executions: 1`` tells mobu to shut down and respawn the pod after each notebook. 
+This exercises pod spawning more frequently, but does not test the lab's ability to run a long series of notebooks. +One may wish to run multiple flocks in a given environment with different configurations for ``max_executions``. +These notebooks need more scopes, so those scopes are specified. + +Here is a different example that runs multiple monkeys in a flock: + +.. code-block:: yaml + + autostart: + - name: "firefighter" + count: 5 + user_spec: + username_prefix: "bot-mobu-recommended" + uid_start: 74768 + gid_start: 74768 + scopes: + - "exec:notebook" + - "exec:portal" + - "read:image" + - "read:tap" + business: "NotebookRunner" + options: + repo_url: "https://github.com/lsst-sqre/system-test.git" + repo_branch: "prod" + max_executions: 1 + restart: true + +This is almost identical except that it specifies five monkeys and provides a specification for creating the users instead of specifying each user. +The users will be assigned consecutive UIDs and GIDs starting with the specified ``uid_start`` and ``gid_start``. +The usernames will be formed by adding consecutive digits to the end of the ``username_prefix``. + +Testing TAP +=========== + +Here is an example of testing a TAP service: + +.. code-block:: yaml + + autostart: + - name: "tap" + count: 1 + users: + - username: "bot-mobu-tap" + uidnumber: 74775 + gidnumber: 74775 + scopes: ["read:tap"] + business: "TAPQueryRunner" + restart: true + options: + tap_sync: true + tap_query_set: "dp0.2" + +Note that ``business`` is set to ``TAPQueryRunner`` instead. +``options.tap_sync`` can choosen between sync and async queries, and ``options.tap_query_set`` can be used to specify the query set to run. diff --git a/docs/ops/mobu/index.rst b/docs/ops/mobu/index.rst new file mode 100644 index 0000000000..c6b73200d9 --- /dev/null +++ b/docs/ops/mobu/index.rst 
@@ -0,0 +1,28 @@ +#### +mobu +#### + +.. list-table:: + :widths: 10,40 + + * - Edit on GitHub + - `/services/mobu `__ + * - Type + - Helm_ + * - Namespace + - ``mobu`` + +.. rubric:: Overview + +mobu is the continuous integration testing framework for the Rubin Science Platform. +It runs some number of "monkeys" that simulate a random user of the Science Platform. +Those monkeys are organized into "flocks" that share a single configuration across all of the monkeys. +Failures are reported to Slack using a Slack incoming webhook. + +mobu is maintained on `GitHub `__. + +.. rubric:: Guides + +.. toctree:: + + configuring From c473e7acbc312f4ce7d1c0353d77c8bb457bb29b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 22 Aug 2022 03:48:52 +0000 Subject: [PATCH 0901/1479] Update Helm release vault-secrets-operator to v1.19.2 --- services/vault-secrets-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml index e6f4ee69a8..1e316b47d1 100644 --- a/services/vault-secrets-operator/Chart.yaml +++ b/services/vault-secrets-operator/Chart.yaml @@ -3,5 +3,5 @@ name: vault-secrets-operator version: 1.0.0 dependencies: - name: vault-secrets-operator - version: 1.19.1 + version: 1.19.2 repository: https://ricoberger.github.io/helm-charts/ From 187ade1b06bb370d385b547d312809a373e5e97c Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 22 Aug 2022 10:22:09 +0200 Subject: [PATCH 0902/1479] test S3 and GCS as option defined via gcsBucketType --- services/tap/README.md | 1 + services/tap/templates/tap-deployment.yaml | 1 + services/tap/values-ccin2p3.yaml | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/services/tap/README.md b/services/tap/README.md index 2b651feb39..1ec6be9b4f 100644 --- a/services/tap/README.md +++ b/services/tap/README.md 
@@ -13,6 +13,7 @@ A Helm chart for the CADC TAP service | config.gafaelfawrHost | string | Value of `ingress.host` | Gafaelfawr hostname to get user information from a token | | config.gcsBucket | string | None, must be set | Name of GCS bucket in which to store results | | config.gcsBucketUrl | string | None, must be set | Base URL for results stored in GCS bucket | +| config.gcsBucketType | string | None, must be set | Bucket type: GCS or S3| | config.jvmMaxHeapSize | string | `"4G"` | Java heap size, which will set the maximum size of the heap. Otherwise Java would determine it based on how much memory is available and black maths. | | config.tapSchemaAddress | string | `"tap-schema-db.tap-schema.svc.cluster.local:3306"` | Address to a MySQL database containing TAP schema data | | fullnameOverride | string | `"cadc-tap"` | Override the full name for resources (includes the release name) | diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index eed5953f7c..4df1ade88b 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -46,6 +46,7 @@ spec: -Dgafaelfawr_url={{ .Values.global.baseUrl }}/auth/api/v1/user-info -Dgcs_bucket={{ .Values.config.gcsBucket }} -Dgcs_bucket_url={{ .Values.config.gcsBucketUrl }} + -Dgcs_bucket_type={{ .Values.config.gcsBucketType }} -Dbase_url={{ .Values.global.baseUrl }} -Dca.nrc.cadc.util.PropertiesReader.dir=/etc/creds/ -Xmx{{ .Values.config.jvmMaxHeapSize }} diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index ece0ac246e..d2b76fab12 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -10,7 +10,7 @@ qserv: image: # -- tap image to use repository: "gabrimaine/lsst-tap-service" - tag: "1.2.1-CC" + tag: "1.2.1-CC2" # secrets: # enabled: false From 64047bad8a15c5fc3f307b6ca112835d43c3ee67 Mon Sep 17 00:00:00 2001 
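Review bot: `-Dgcs_bucket_type={{ .Values.config.gcsBucketType }}` in tap-deployment.yaml has no guard and this commit adds no default to values.yaml, so an environment that omits or misspells the key renders `-Dgcs_bucket_type=` and the problem only surfaces when the service first writes a result; the README row says "None, must be set", which Helm can enforce at render time with `-Dgcs_bucket_type={{ required "config.gcsBucketType must be set (GCS or S3)" .Values.config.gcsBucketType }}`. The neighbouring `gcs_bucket` and `gcs_bucket_url` arguments have the same gap, though they predate this change. The README row also lacks a space before its closing `|`, which may break the table in some renderers. The args block containing these lines starts outside the hunk.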
From: Russ Allbery Date: Mon, 22 Aug 2022 08:39:18 -0700 Subject: [PATCH 0903/1479] Update Helm docs --- services/vault-secrets-operator/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md index 641ab222a7..fd34c97469 100644 --- a/services/vault-secrets-operator/README.md +++ b/services/vault-secrets-operator/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.1 | +| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.2 | ## Values From ba8946a7e6fb9ccf5c918893b78fa4dbdccc88ad Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 22 Aug 2022 15:46:35 +0000 Subject: [PATCH 0904/1479] Update Helm release redis to v17.1.0 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index e3b84c3514..3cd0eca71c 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.0.10 + version: 17.1.0 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index f9ac4f32c6..b578921a5c 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.0.10 + version: 17.1.0 repository: https://charts.bitnami.com/bitnami From 9f19affb461f2f694bf9620972a3b5cde746f5d2 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 22 Aug 2022 08:49:19 -0700 Subject: [PATCH 0905/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index bbff819b56..fa52874fa6 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.0.10 | +| https://charts.bitnami.com/bitnami | redis | 17.1.0 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 93b943ad4c..40397fa531 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.0.10 | +| https://charts.bitnami.com/bitnami | redis | 17.1.0 | ## Values From 83746d5a5ce62e7a515d2f07ee500c67c1b100c2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 22 Aug 2022 15:56:52 +0000 Subject: [PATCH 0906/1479] Update Helm release telegraf to v1.8.20 --- services/sasquatch/Chart.yaml | 2 +- services/telegraf/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 73c70e3c12..fd49fd7ba8 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -21,7 +21,7 @@ dependencies: version: 1.4.6 repository: https://helm.influxdata.com/ - name: telegraf - version: 1.8.18 + version: 1.8.20 repository: https://helm.influxdata.com/ - name: kafdrop version: 1.0.0 
diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index 2ea72f4c4f..4f6ce246a7 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.1 description: SQuaRE telemetry collection service dependencies: - name: telegraf - version: 1.8.19 + version: 1.8.20 repository: https://helm.influxdata.com/ From 496bf76da74cf70754cc271ed12d48b93254d678 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 22 Aug 2022 10:44:24 -0700 Subject: [PATCH 0907/1479] Update Helm docs --- services/sasquatch/README.md | 2 +- services/telegraf/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 17f881e256..d08dc6d70b 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -12,7 +12,7 @@ Rubin Observatory's telemetry service. | https://helm.influxdata.com/ | chronograf | 1.2.5 | | https://helm.influxdata.com/ | influxdb | 4.12.0 | | https://helm.influxdata.com/ | kapacitor | 1.4.6 | -| https://helm.influxdata.com/ | telegraf | 1.8.18 | +| https://helm.influxdata.com/ | telegraf | 1.8.20 | | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.1.0 | ## Values diff --git a/services/telegraf/README.md b/services/telegraf/README.md index 85c31625f3..3c3d794add 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -6,7 +6,7 @@ SQuaRE telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf | 1.8.19 | +| https://helm.influxdata.com/ | telegraf | 1.8.20 | ## Values From 74f6696c4faa7ee8070424b414c4bdc3167a77b4 Mon Sep 17 00:00:00 2001 From: Fritz Mueller Date: Mon, 22 Aug 2022 16:09:06 -0700 Subject: [PATCH 0908/1479] Update tap-schema to 1.1.22 --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 833500b8d1..49d94012ab 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.21 +appVersion: 1.1.22 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From f4f0e2db3e17d1c75f3604ed493e26ee2caa089f Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 23 Aug 2022 15:17:16 +0200 Subject: [PATCH 0909/1479] set the value for gcsType --- services/tap/values-ccin2p3.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index d2b76fab12..01912e301c 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -1,6 +1,7 @@ config: gcsBucket: "async-results.lsst.codes" gcsBucketUrl: "https://cccephs3.in2p3.fr:8080" + gcsType: "S3" jvmMaxHeapSize: "31G" qserv: From cc675de9afd3d1882a6ff79fd8b150a3e4333dd3 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 23 Aug 2022 15:18:02 +0200 Subject: [PATCH 0910/1479] fix the key for bucket type --- services/tap/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 01912e301c..8b111af9c7 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -1,7 +1,7 @@ config: gcsBucket: "async-results.lsst.codes" gcsBucketUrl: "https://cccephs3.in2p3.fr:8080" - gcsType: "S3" + gcsBucketType: "S3" jvmMaxHeapSize: "31G" qserv: From 9da873fcf6cc53808d025a8fc2c83b4336541f0d Mon Sep 17 00:00:00 2001 
From: Angelo Fausti Date: Tue, 23 Aug 2022 14:44:37 -0700 Subject: [PATCH 0911/1479] Enable sasquatch on idfint - Add values for the idfint environment - Enable support to oicd clients in gafaelfawr (Chronograf) - Enable sasquatch and strimzi services --- science-platform/values-idfint.yaml | 6 ++-- services/gafaelfawr/values-idfint.yaml | 4 +++ services/sasquatch/values-idfint.yaml | 49 ++++++++++++++++++++++++++ services/strimzi/values-idfint.yaml | 4 +-- 4 files changed, 57 insertions(+), 6 deletions(-) create mode 100644 services/sasquatch/values-idfint.yaml diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index a452bc58ff..ef8ceb9d73 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -38,7 +38,7 @@ portal: postgres: enabled: true sasquatch: - enabled: false + enabled: true production_tools: enabled: true semaphore: @@ -47,10 +47,8 @@ sherlock: enabled: true squareone: enabled: true -squash_api: - enabled: false strimzi: - enabled: false + enabled: true strimzi_registry_operator: enabled: false tap: diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index 8887f0852d..c8f10c639d 100644 --- a/services/gafaelfawr/values-idfint.yaml +++ b/services/gafaelfawr/values-idfint.yaml @@ -6,6 +6,10 @@ redis: config: databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" + # Support OpenID Connect clients like Chronograf. + oidcServer: + enabled: true + github: clientId: "0c4cc7eaffc0f89b9ace" diff --git a/services/sasquatch/values-idfint.yaml b/services/sasquatch/values-idfint.yaml new file mode 100644 index 0000000000..767e1a2d69 --- /dev/null +++ b/services/sasquatch/values-idfint.yaml 
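Review bot: `oidcServer: enabled: true` in gafaelfawr/values-idfint.yaml makes Gafaelfawr an OpenID Connect provider for the whole data-int environment, not only for Chronograf, and the registration of which clients may complete the flow is not in this file; presumably it lives in the Gafaelfawr Vault secret for this environment, and the comment should say so, e.g. `# Support OpenID Connect clients like Chronograf. Allowed clients are registered in the Gafaelfawr Vault secret, not here.` That makes it clear to the next reader that enabling the flag alone does not grant any client access.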
@@ -0,0 +1,49 @@ +strimzi-kafka: + kafka: + externalListener: + tls: + enabled: true + bootstrap: + loadBalancerIP: "" + host: sasquatch-int-kafka-bootstrap.lsst.cloud + + brokers: + - loadBalancerIP: "" + host: sasquatch-int-kafka-0.lsst.cloud + - loadBalancerIP: "" + host: sasquatch-int-kafka-1.lsst.cloud + - loadBalancerIP: "" + host: sasquatch-int-kafka-2.lsst.cloud + +influxdb: + ingress: + enabled: true + hostname: data-int.lsst.cloud + +kafka-connect-manager: + influxdbSink: + influxdb-sink: + enabled: true + tasksMax: 10 + +kafdrop: + ingress: + enabled: true + hostname: data-int.lsst.cloud + +chronograf: + ingress: + enabled: true + hostname: data-int.lsst.cloud + + env: + GENERIC_NAME: "OIDC" + GENERIC_AUTH_URL: https://data-int.lsst.cloud/auth/openid/login + GENERIC_TOKEN_URL: https://data-int.lsst.cloud/auth/openid/token + USE_ID_TOKEN: 1 + JWKS_URL: https://data-int.lsst.cloud/.well-known/jwks.json + GENERIC_API_URL: https://data-int.lsst.cloud/auth/userinfo + GENERIC_SCOPES: openid + GENERIC_API_KEY: sub + PUBLIC_URL: https://data-int.lsst.cloud/ + STATUS_FEED_URL: https://raw.githubusercontent.com/lsst-sqre/rsp_broadcast/main/jsonfeeds/idfint.json diff --git a/services/strimzi/values-idfint.yaml b/services/strimzi/values-idfint.yaml index d7707877e1..d642c1f7f9 100644 --- a/services/strimzi/values-idfint.yaml +++ b/services/strimzi/values-idfint.yaml @@ -5,5 +5,5 @@ strimzi-kafka-operator: requests: memory: "512Mi" watchNamespaces: - - "alert-stream-broker" - logLevel: "INFO" + - "sasquatch" + logLevel: "DEBUG" From ed47a2de447b6d46a89fc459709cd7b25568e615 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Tue, 23 Aug 2022 15:15:48 -0700 Subject: [PATCH 0912/1479] Create 5TB pvc for Sasquatch at Summit --- services/sasquatch/values-summit.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index a3d6606f6d..0d0d1aab58 100644 
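Review bot: `USE_ID_TOKEN: 1` is the only non-string value in the chronograf `env` map; if the chart copies these into container `env` entries without quoting, the integer fails the EnvVar schema, where `value` must be a string, so `USE_ID_TOKEN: "1"` is the safe form. The empty `loadBalancerIP: ""` entries are handled by the template's `if` guards, but a comment such as `# Filled in once the load balancers have been provisioned` above `bootstrap:` would explain why they are empty while `tls.enabled: true` and the hostnames are already set. Listing `GENERIC_SCOPES: openid` and `GENERIC_API_KEY: sub` without the client credentials is the right split, assuming those come from a secret.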
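Review bot: `logLevel: "DEBUG"` for the Strimzi operator on the integration environment is not explained by the commit message; operator debug output is verbose and can include the contents of reconciled resources, so if this is for bring-up a comment such as `# Temporary while sasquatch is brought up; return to "INFO"` would flag it for removal. Replacing `alert-stream-broker` in `watchNamespaces` with `sasquatch` instead of adding to it means any Strimzi resources still in `alert-stream-broker` stop being reconciled; if that namespace no longer exists on idfint, a note saying so would make the removal clearly intentional.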
--- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml @@ -9,7 +9,7 @@ strimzi-kafka: influxdb: persistence: storageClass: rook-ceph-block - size: 15Ti + size: 5Ti ingress: enabled: true hostname: summit-lsp.lsst.codes From 59ed88160c606a39cdb1061f9735cb8c2838c0e5 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 24 Aug 2022 13:11:46 -0700 Subject: [PATCH 0913/1479] Improve Argo CD application configuration Inject the Vault secrets path like we do for other applications, and modify the installer to also inject it (and correctly pass in both values.yaml files; I'm not sure how it was working before). Install the Vault secret unconditionally, since it was enabled for every environment, and remove the configuration from the individual values files. --- installer/install.sh | 4 ++- .../templates/argocd-application.yaml | 25 +++++++++++-------- services/argocd/README.md | 6 ++--- .../{vault-secret.yaml => vault-secrets.yaml} | 4 +-- services/argocd/values-base.yaml | 6 +---- services/argocd/values-idfdev.yaml | 7 +----- services/argocd/values-idfint.yaml | 7 ++---- services/argocd/values-idfprod.yaml | 7 ++---- services/argocd/values-minikube.yaml | 5 +--- services/argocd/values-roe.yaml | 7 ++---- services/argocd/values-summit.yaml | 7 ++---- services/argocd/values-tucson-teststand.yaml | 7 ++---- services/argocd/values.yaml | 16 +++++++----- 13 files changed, 44 insertions(+), 64 deletions(-) rename services/argocd/templates/{vault-secret.yaml => vault-secrets.yaml} (54%) diff --git a/installer/install.sh b/installer/install.sh index b16118bb53..127206a019 100755 --- a/installer/install.sh +++ b/installer/install.sh 
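Review bot: `size: 5Ti` lowers the influxdb persistence request from 15Ti, and Kubernetes rejects a decrease of `spec.resources.requests.storage` on an existing PersistentVolumeClaim, so if the 15Ti claim was ever bound on the summit cluster this change will not take effect and the StatefulSet keeps the old claim. The commit title says the PVC is being created, which suggests it does not exist yet; a comment such as `# Initial size; a bound PVC cannot be shrunk later` next to it would record that assumption.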
@@ -41,11 +41,13 @@ helm upgrade vault-secrets-operator ../services/vault-secrets-operator \ --timeout 15m \ --wait -echo "Update / install argocd using helm3..." +echo "Update / install argocd using helm..." helm dependency update ../services/argocd helm upgrade argocd ../services/argocd \ --install \ + --values ../services/argocd/values.yaml \ --values ../services/argocd/values-$ENVIRONMENT.yaml \ + --set global.vaultSecretsPath="$VAULT_PATH_PREFIX" \ --create-namespace \ --namespace argocd \ --timeout 15m \ diff --git a/science-platform/templates/argocd-application.yaml b/science-platform/templates/argocd-application.yaml index 458e205b5e..a03884b778 100644 --- a/science-platform/templates/argocd-application.yaml +++ b/science-platform/templates/argocd-application.yaml @@ -1,20 +1,23 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: argocd - namespace: argocd + name: "argocd" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: argocd - server: https://kubernetes.default.svc - project: default + namespace: "argocd" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/argocd - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/argocd" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: + parameters: + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - values.yaml - - values-{{ .Values.environment }}.yaml + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" diff --git a/services/argocd/README.md b/services/argocd/README.md index d25acc0734..44ef13bd9b 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md 
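Review bot: `--set global.vaultSecretsPath="$VAULT_PATH_PREFIX"` passes an empty value through unnoticed when the variable is unset, and the vault-secrets.yaml template in this commit then renders the VaultSecret path as `/argocd`; `--set-string global.vaultSecretsPath="$VAULT_PATH_PREFIX"` avoids Helm's value coercion for the path, and a `: "${VAULT_PATH_PREFIX:?VAULT_PATH_PREFIX must be set}"` near the top of the script (outside this hunk) would fail early instead. The template side can enforce the same by wrapping the value in `required` in the `path:` line of vault-secrets.yaml, which would also catch a mistyped parameter name. `--values ../services/argocd/values-$ENVIRONMENT.yaml` should quote the expansion, `"../services/argocd/values-$ENVIRONMENT.yaml"`, as the other arguments do.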
@@ -23,10 +23,10 @@ | argo-cd.server.config."resource.compareoptions" | string | `"ignoreAggregatedRoles: true\n"` | | | argo-cd.server.extraArgs[0] | string | `"--basehref=/argo-cd"` | | | argo-cd.server.extraArgs[1] | string | `"--insecure=true"` | | -| argo-cd.server.ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` | | | argo-cd.server.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/$2"` | | | argo-cd.server.ingress.enabled | bool | `true` | | +| argo-cd.server.ingress.ingressClassName | string | `"nginx"` | | +| argo-cd.server.ingress.pathType | string | `"ImplementationSpecific"` | | | argo-cd.server.ingress.paths[0] | string | `"/argo-cd(/|$)(.*)"` | | | argo-cd.server.metrics.enabled | bool | `true` | | -| vault_secret.enabled | bool | `true` | | -| vault_secret.path | string | `""` | | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | diff --git a/services/argocd/templates/vault-secret.yaml b/services/argocd/templates/vault-secrets.yaml similarity index 54% rename from services/argocd/templates/vault-secret.yaml rename to services/argocd/templates/vault-secrets.yaml index 598154025d..92bae63785 100644 --- a/services/argocd/templates/vault-secret.yaml +++ b/services/argocd/templates/vault-secrets.yaml @@ -1,9 +1,7 @@ -{{ if .Values.vault_secret.enabled }} apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: name: argocd-secret spec: - path: {{ .Values.vault_secret.path }} + path: "{{ .Values.global.vaultSecretsPath }}/argocd" type: Opaque -{{ end }} diff --git a/services/argocd/values-base.yaml b/services/argocd/values-base.yaml index c27c030c39..5462a9042f 100644 --- a/services/argocd/values-base.yaml +++ b/services/argocd/values-base.yaml @@ -4,7 +4,7 @@ argo-cd: hosts: - "base-lsp.lsst.codes" config: - url: https://base-lsp.lsst.codes/argo-cd + url: "https://base-lsp.lsst.codes/argo-cd" dex.config: | connectors: # Auth using GitHub. 
@@ -23,7 +23,3 @@ argo-cd: policy.csv: | g, lsst-sqre:friends, role:admin g, lsst-sqre:square, role:admin - -vault_secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/argocd diff --git a/services/argocd/values-idfdev.yaml b/services/argocd/values-idfdev.yaml index 2a3aec6c5f..c976c699dc 100644 --- a/services/argocd/values-idfdev.yaml +++ b/services/argocd/values-idfdev.yaml @@ -1,12 +1,11 @@ argo-cd: server: ingress: - enabled: true hosts: - "data-dev.lsst.cloud" config: - url: https://data-dev.lsst.cloud/argo-cd + url: "https://data-dev.lsst.cloud/argo-cd" dex.config: | connectors: # Auth using Google. @@ -35,7 +34,3 @@ argo-cd: g, loi@lsst.cloud, role:admin g, roby@lsst.cloud, role:admin scopes: "[email]" - -vault_secret: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/argocd diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml index c1e485b2cb..efb504bc91 100644 --- a/services/argocd/values-idfint.yaml +++ b/services/argocd/values-idfint.yaml @@ -3,8 +3,9 @@ argo-cd: ingress: hosts: - "data-int.lsst.cloud" + config: - url: https://data-int.lsst.cloud/argo-cd + url: "https://data-int.lsst.cloud/argo-cd" dex.config: | connectors: # Auth using Google. @@ -35,7 +36,3 @@ argo-cd: g, roby@lsst.cloud, role:admin g, fritzm@lsst.cloud, role:admin scopes: "[email]" - -vault_secret: - enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/argocd diff --git a/services/argocd/values-idfprod.yaml b/services/argocd/values-idfprod.yaml index 64e147d74f..b81d4fb937 100644 --- a/services/argocd/values-idfprod.yaml +++ b/services/argocd/values-idfprod.yaml @@ -3,8 +3,9 @@ argo-cd: ingress: hosts: - "data.lsst.cloud" + config: - url: https://data.lsst.cloud/argo-cd + url: "https://data.lsst.cloud/argo-cd" dex.config: | connectors: # Auth using Google. 
@@ -33,7 +34,3 @@ argo-cd: g, loi@lsst.cloud, role:admin g, roby@lsst.cloud, role:admin scopes: "[email]" - -vault_secret: - enabled: true - path: secret/k8s_operator/data.lsst.cloud/argocd diff --git a/services/argocd/values-minikube.yaml b/services/argocd/values-minikube.yaml index 4fd10dcc4a..86966dd3e3 100644 --- a/services/argocd/values-minikube.yaml +++ b/services/argocd/values-minikube.yaml @@ -2,11 +2,8 @@ argo-cd: controller: args: repoServerTimeoutSeconds: "180" + server: ingress: hosts: - "minikube.lsst.codes" - -vault_secret: - enabled: true - path: secret/k8s_operator/minikube.lsst.codes/argocd diff --git a/services/argocd/values-roe.yaml b/services/argocd/values-roe.yaml index 2e7d92e03d..c129191161 100644 --- a/services/argocd/values-roe.yaml +++ b/services/argocd/values-roe.yaml @@ -5,11 +5,8 @@ argo-cd: - "rsp.lsst.ac.uk" config: - url: https://rsp.lsst.ac.uk/argo-cd + url: "https://rsp.lsst.ac.uk/argo-cd" + configs: secret: createSecret: true - -vault_secret: - enabled: true - path: secret/k8s_operator/roe/argocd diff --git a/services/argocd/values-summit.yaml b/services/argocd/values-summit.yaml index b4f953c8b4..0f5710ce2a 100644 --- a/services/argocd/values-summit.yaml +++ b/services/argocd/values-summit.yaml @@ -3,8 +3,9 @@ argo-cd: ingress: hosts: - "summit-lsp.lsst.codes" + config: - url: https://summit-lsp.lsst.codes/argo-cd + url: "https://summit-lsp.lsst.codes/argo-cd" dex.config: | connectors: # Auth using GitHub. @@ -22,7 +23,3 @@ argo-cd: policy.csv: | g, lsst-sqre:friends, role:admin g, lsst-sqre:square, role:admin - -vault_secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/argocd diff --git a/services/argocd/values-tucson-teststand.yaml b/services/argocd/values-tucson-teststand.yaml index 1c984ca4d6..b363102534 100644 --- a/services/argocd/values-tucson-teststand.yaml +++ b/services/argocd/values-tucson-teststand.yaml 
@@ -3,8 +3,9 @@ argo-cd: ingress: hosts: - "tucson-teststand.lsst.codes" + config: - url: https://tucson-teststand.lsst.codes/argo-cd + url: "https://tucson-teststand.lsst.codes/argo-cd" dex.config: | connectors: # Auth using GitHub. @@ -22,7 +23,3 @@ argo-cd: policy.csv: | g, lsst-sqre:friends, role:admin g, lsst-sqre:square, role:admin - -vault_secret: - enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/argocd diff --git a/services/argocd/values.yaml b/services/argocd/values.yaml index d870b19b76..841a442791 100644 --- a/services/argocd/values.yaml +++ b/services/argocd/values.yaml @@ -1,5 +1,5 @@ ## Argo CD configuration -## https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/values.yaml +## https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml argo-cd: redis: enabled: true @@ -27,10 +27,11 @@ argo-cd: ingress: enabled: true annotations: - kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/rewrite-target: "/$2" + ingressClassName: "nginx" paths: - - /argo-cd(/|$)(.*) + - "/argo-cd(/|$)(.*)" + pathType: "ImplementationSpecific" extraArgs: - "--basehref=/argo-cd" @@ -55,6 +56,9 @@ argo-cd: secret: createSecret: false -vault_secret: - enabled: true - path: "" +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From f8c1f257696bd4857220c93e05f4ba7c8e1453d2 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Wed, 24 Aug 2022 15:52:08 -0700 Subject: [PATCH 0914/1479] Use ingressClassName instead of an annotation The current Ingress API supports ingressClassName to configure the name of the ingress controller that should serve this ingress. Use this instead of the older annotation to configure all ingresses to use nginx. Drop an old tls configuration for cachemachine. We only do tls via squareone. Hide another Gafaelfawr route only used for OpenID Connect if OpenID Connect is not enabled. --- services/cachemachine/README.md | 1 - .../cachemachine/templates/ingress-anonymous.yaml | 11 ++--------- services/cachemachine/templates/ingress.yaml | 12 +----------- services/cachemachine/values.yaml | 4 ---- services/exposurelog/templates/ingress.yaml | 2 +- services/gafaelfawr/templates/ingress-rewrite.yaml | 2 +- services/gafaelfawr/templates/ingress.yaml | 5 ++--- services/hips/templates/ingress.yaml | 2 +- services/mobu/templates/ingress.yaml | 2 +- services/moneypenny/templates/ingress.yaml | 2 +- services/narrativelog/templates/ingress.yaml | 2 +- services/noteburst/templates/ingress.yaml | 2 +- services/nublado2/README.md | 2 +- services/nublado2/values.yaml | 2 +- services/plot-navigator/templates/ingress.yaml | 2 +- services/portal/templates/ingress-admin.yaml | 2 +- services/portal/templates/ingress.yaml | 2 +- services/production-tools/templates/ingress.yaml | 2 +- .../sasquatch/charts/kafdrop/templates/ingress.yaml | 2 +- services/sasquatch/values-tucson-teststand.yaml | 1 - services/sasquatch/values.yaml | 5 ++--- services/semaphore/templates/ingress.yaml | 2 +- services/sherlock/templates/ingress.yaml | 2 +- services/squareone/templates/ingress.yaml | 2 +- services/tap/templates/tap-ingress-anonymous.yaml | 2 +- .../tap/templates/tap-ingress-authenticated.yaml | 2 +- services/times-square/README.md | 1 + .../times-square/templates/ingress-webhooks.yaml | 1 - services/times-square/templates/ingress.yaml | 1 - services/times-square/values.yaml 
| 3 +++ services/vo-cutouts/templates/ingress.yaml | 2 +- starters/web-service/templates/ingress.yaml | 2 +- 32 files changed, 32 insertions(+), 55 deletions(-) diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md index 5565cfde52..03b3b4a41c 100644 --- a/services/cachemachine/README.md +++ b/services/cachemachine/README.md @@ -18,7 +18,6 @@ Service to prepull Docker images for the Science Platform | ingress.annotations | object | `{}` | Additional annotations to add for endpoints that are authenticated. | | ingress.anonymousAnnotations | object | `{}` | Additional annotations to add for endpoints that allow anonymous access, such as `/*/available`. | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string | -| ingress.tls | list | `[]` | Configures TLS for the ingress if needed. If multiple ingresses share the same hostname, only one of them needs a TLS configuration. | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the cachemachine frontend pod | | podAnnotations | object | `{}` | Annotations for the cachemachine frontend pod | diff --git a/services/cachemachine/templates/ingress-anonymous.yaml b/services/cachemachine/templates/ingress-anonymous.yaml index f6023cee1c..081aed5717 100644 --- a/services/cachemachine/templates/ingress-anonymous.yaml +++ b/services/cachemachine/templates/ingress-anonymous.yaml @@ -2,7 +2,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/use-regex: "true" {{- with .Values.ingress.anonymousAnnotations }} {{- toYaml . | nindent 4 }} 
@@ -11,18 +10,12 @@ metadata: labels: {{- include "cachemachine.labels" . | nindent 4 }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: "/cachemachine/.*/available" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ template "cachemachine.fullname" . }} - port: - number: 80 - - path: "/cachemachine/.*/desired" + - path: "/cachemachine/.*/(available|desired)" pathType: "ImplementationSpecific" backend: service: diff --git a/services/cachemachine/templates/ingress.yaml b/services/cachemachine/templates/ingress.yaml index 1e48a312e6..aaffd33acb 100644 --- a/services/cachemachine/templates/ingress.yaml +++ b/services/cachemachine/templates/ingress.yaml @@ -2,7 +2,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" @@ -16,6 +15,7 @@ metadata: labels: {{- include "cachemachine.labels" . | nindent 4 }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: @@ -27,13 +27,3 @@ spec: name: {{ template "cachemachine.fullname" . }} port: number: 80 - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} diff --git a/services/cachemachine/values.yaml b/services/cachemachine/values.yaml index 01ca34db0f..22c629f672 100644 --- a/services/cachemachine/values.yaml +++ b/services/cachemachine/values.yaml 
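Review bot: The merged anonymous path `/cachemachine/.*/(available|desired)` in services/cachemachine/templates/ingress-anonymous.yaml has no end anchor, and as far as I know ingress-nginx anchors `use-regex` locations only at the start, so any request whose path merely begins with those segments is routed through this unauthenticated ingress; `.*` also spans `/`, so arbitrary nested segments qualify. If the backend serves nothing else under such paths this is harmless, but the anonymous rule is the exception to the authenticated ingress in services/cachemachine/templates/ingress.yaml and should be as narrow as the intent: `- path: "/cachemachine/.*/(available|desired)$"`. The backend stanza of this rule continues outside the hunk.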
@@ -37,10 +37,6 @@ ingress: # access, such as `/*/available`. anonymousAnnotations: {} - # -- Configures TLS for the ingress if needed. If multiple ingresses share - # the same hostname, only one of them needs a TLS configuration. - tls: [] - # -- Resource limits and requests for the cachemachine frontend pod resources: {} diff --git a/services/exposurelog/templates/ingress.yaml b/services/exposurelog/templates/ingress.yaml index 6b7dde57f2..aa26a054db 100644 --- a/services/exposurelog/templates/ingress.yaml +++ b/services/exposurelog/templates/ingress.yaml @@ -5,7 +5,6 @@ metadata: labels: {{- include "exposurelog.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" @@ -16,6 +15,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/gafaelfawr/templates/ingress-rewrite.yaml b/services/gafaelfawr/templates/ingress-rewrite.yaml index 30e399a298..ec7210c162 100644 --- a/services/gafaelfawr/templates/ingress-rewrite.yaml +++ b/services/gafaelfawr/templates/ingress-rewrite.yaml @@ -2,13 +2,13 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/rewrite-target: "/auth/tokens/" nginx.ingress.kubernetes.io/use-regex: "true" name: {{ template "gafaelfawr.fullname" . }}-rewrite labels: {{- include "gafaelfawr.labels" . | nindent 4 }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/gafaelfawr/templates/ingress.yaml b/services/gafaelfawr/templates/ingress.yaml index 8f7f27b24b..2cf6d2d351 100644 
--- a/services/gafaelfawr/templates/ingress.yaml +++ b/services/gafaelfawr/templates/ingress.yaml @@ -1,12 +1,11 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - annotations: - kubernetes.io/ingress.class: "nginx" name: {{ template "gafaelfawr.fullname" . }} labels: {{- include "gafaelfawr.labels" . | nindent 4 }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: @@ -39,6 +38,7 @@ spec: name: {{ template "gafaelfawr.fullname" . }} port: number: 8080 + {{- if .Values.config.oidcServer.enabled }} - path: "/.well-known/jwks.json" pathType: Exact backend: @@ -46,7 +46,6 @@ spec: name: {{ template "gafaelfawr.fullname" . }} port: number: 8080 - {{- if .Values.config.oidcServer.enabled }} - path: "/.well-known/openid-configuration" pathType: Exact backend: diff --git a/services/hips/templates/ingress.yaml b/services/hips/templates/ingress.yaml index 09ae0fed5d..d33d86acf5 100644 --- a/services/hips/templates/ingress.yaml +++ b/services/hips/templates/ingress.yaml @@ -5,7 +5,6 @@ metadata: labels: {{- include "hips.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" @@ -15,6 +14,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/mobu/templates/ingress.yaml b/services/mobu/templates/ingress.yaml index 8a3894eb31..5acd302d47 100644 --- a/services/mobu/templates/ingress.yaml +++ b/services/mobu/templates/ingress.yaml 
@@ -2,7 +2,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" @@ -16,6 +15,7 @@ metadata: labels: {{- include "mobu.labels" . | nindent 4 }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/moneypenny/templates/ingress.yaml b/services/moneypenny/templates/ingress.yaml index 0c44bfd675..408570088d 100644 --- a/services/moneypenny/templates/ingress.yaml +++ b/services/moneypenny/templates/ingress.yaml @@ -2,7 +2,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}" nginx.ingress.kubernetes.io/proxy-read-timeout: "310" @@ -13,6 +12,7 @@ metadata: labels: {{- include "moneypenny.labels" . | nindent 4 }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/narrativelog/templates/ingress.yaml b/services/narrativelog/templates/ingress.yaml index 5948b03790..cdf8f56d85 100644 --- a/services/narrativelog/templates/ingress.yaml +++ b/services/narrativelog/templates/ingress.yaml @@ -5,7 +5,6 @@ metadata: labels: {{- include "narrativelog.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" 
@@ -16,6 +15,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/noteburst/templates/ingress.yaml b/services/noteburst/templates/ingress.yaml index c76210668a..33a9da1a72 100644 --- a/services/noteburst/templates/ingress.yaml +++ b/services/noteburst/templates/ingress.yaml @@ -6,7 +6,6 @@ metadata: labels: {{- include "noteburst.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: nginx {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token @@ -17,6 +16,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/nublado2/README.md b/services/nublado2/README.md index a0388df7df..adcf7c49ba 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md 
@@ -70,12 +70,12 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.hub.resources.limits.cpu | string | `"900m"` | | | jupyterhub.hub.resources.limits.memory | string | `"1Gi"` | | | jupyterhub.imagePullSecrets[0].name | string | `"pull-secret"` | | -| jupyterhub.ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` | | | jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-method" | string | `"GET"` | | | jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-response-headers" | string | `"X-Auth-Request-Token"` | | | jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-url" | string | `"http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true"` | | | jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/configuration-snippet" | string | `"error_page 403 = \"/auth/forbidden?scope=exec:notebook\";\n"` | | | jupyterhub.ingress.enabled | bool | `true` | | +| jupyterhub.ingress.ingressClassName | string | `"nginx"` | | | jupyterhub.ingress.pathSuffix | string | `"*"` | | | jupyterhub.prePuller.continuous.enabled | bool | `false` | | | jupyterhub.prePuller.hook.enabled | bool | `false` | | diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index fd7e6d5cee..ec5c614ff3 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -160,12 +160,12 @@ jupyterhub: ingress: enabled: true annotations: - kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Token" nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true" nginx.ingress.kubernetes.io/configuration-snippet: | error_page 403 = "/auth/forbidden?scope=exec:notebook"; + ingressClassName: "nginx" pathSuffix: "*" cull: 
diff --git a/services/plot-navigator/templates/ingress.yaml b/services/plot-navigator/templates/ingress.yaml index 50601f9edb..f03f655e37 100644 --- a/services/plot-navigator/templates/ingress.yaml +++ b/services/plot-navigator/templates/ingress.yaml @@ -5,7 +5,6 @@ metadata: labels: {{- include "plot-navigator.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" @@ -16,6 +15,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/portal/templates/ingress-admin.yaml b/services/portal/templates/ingress-admin.yaml index 25f7d0d39f..b11c39cade 100644 --- a/services/portal/templates/ingress-admin.yaml +++ b/services/portal/templates/ingress-admin.yaml @@ -6,7 +6,6 @@ metadata: labels: {{- include "portal.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/affinity: "cookie" nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true" @@ -31,6 +30,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/portal/templates/ingress.yaml b/services/portal/templates/ingress.yaml index 11cb1388ea..8a98080a7f 100644 --- a/services/portal/templates/ingress.yaml +++ b/services/portal/templates/ingress.yaml 
@@ -5,7 +5,6 @@ metadata: labels: {{- include "portal.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/affinity: "cookie" nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true" @@ -32,6 +31,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/production-tools/templates/ingress.yaml b/services/production-tools/templates/ingress.yaml index c9375c9067..a5dc3dd120 100644 --- a/services/production-tools/templates/ingress.yaml +++ b/services/production-tools/templates/ingress.yaml @@ -6,7 +6,6 @@ metadata: labels: {{- include "production-tools.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" @@ -17,6 +16,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required ".Values.global.host must be set" .Values.global.host | quote }} http: diff --git a/services/sasquatch/charts/kafdrop/templates/ingress.yaml b/services/sasquatch/charts/kafdrop/templates/ingress.yaml index c219ae53c6..7305fbf063 100644 --- a/services/sasquatch/charts/kafdrop/templates/ingress.yaml +++ b/services/sasquatch/charts/kafdrop/templates/ingress.yaml @@ -8,11 +8,11 @@ metadata: labels: {{- include "kafdrop.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- with .Values.ingress.annotations }} {{ toYaml . | indent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ .Values.ingress.hostname | quote }} http: diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index b04ebfcba3..895dcdc9d6 100644 
--- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -15,7 +15,6 @@ influxdb: secretName: tls-certs hostname: influxdb-tucson-teststand-efd.lsst.codes annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/affinity: "cookie" nginx.ingress.kubernetes.io/proxy-body-size: "0m" diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 42477741d8..93eb7598cc 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -32,8 +32,8 @@ influxdb: tls: false hostname: "" annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/rewrite-target: /$2 + className: "nginx" path: /influxdb(/|$)(.*) # -- Override InfluxDB configuration. # See https://docs.influxdata.com/influxdb/v1.8/administration/config @@ -81,8 +81,7 @@ chronograf: enabled: false tls: false hostname: "" - annotations: - kubernetes.io/ingress.class: "nginx" + className: "nginx" path: /chronograf(/|$) # -- Chronograf environment variables. env: diff --git a/services/semaphore/templates/ingress.yaml b/services/semaphore/templates/ingress.yaml index 2f632bf09d..8074af0fca 100644 --- a/services/semaphore/templates/ingress.yaml +++ b/services/semaphore/templates/ingress.yaml @@ -6,11 +6,11 @@ metadata: labels: {{- include "semaphore.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: nginx {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/sherlock/templates/ingress.yaml b/services/sherlock/templates/ingress.yaml index fef33cd3b6..dde0586daf 100644 --- a/services/sherlock/templates/ingress.yaml +++ b/services/sherlock/templates/ingress.yaml 
@@ -6,7 +6,6 @@ metadata: labels: {{- include "sherlock.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token @@ -19,6 +18,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/squareone/templates/ingress.yaml b/services/squareone/templates/ingress.yaml index 232bf01236..3b5c633c71 100644 --- a/services/squareone/templates/ingress.yaml +++ b/services/squareone/templates/ingress.yaml @@ -7,7 +7,6 @@ metadata: labels: {{- include "squareone.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.tls }} cert-manager.io/cluster-issuer: "letsencrypt-dns" {{- end }} @@ -15,6 +14,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" {{- if .Values.ingress.tls }} tls: - hosts: diff --git a/services/tap/templates/tap-ingress-anonymous.yaml b/services/tap/templates/tap-ingress-anonymous.yaml index 55e6c91455..7cf13ecf40 100644 --- a/services/tap/templates/tap-ingress-anonymous.yaml +++ b/services/tap/templates/tap-ingress-anonymous.yaml @@ -5,7 +5,6 @@ metadata: labels: {{- include "cadc-tap.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/proxy-connect-timeout: "900" nginx.ingress.kubernetes.io/proxy-send-timeout: "900" nginx.ingress.kubernetes.io/proxy-read-timeout: "900" @@ -18,6 +17,7 @@ metadata: {{- toYaml . | indent 4}} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: 
diff --git a/services/tap/templates/tap-ingress-authenticated.yaml b/services/tap/templates/tap-ingress-authenticated.yaml index f83394ff89..0a5fb80c09 100644 --- a/services/tap/templates/tap-ingress-authenticated.yaml +++ b/services/tap/templates/tap-ingress-authenticated.yaml @@ -5,7 +5,6 @@ metadata: labels: {{- include "cadc-tap.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Uid, X-Auth-Request-Token" nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" @@ -24,6 +23,7 @@ metadata: {{- toYaml . | indent 4}} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/times-square/README.md b/services/times-square/README.md index 40397fa531..862804418e 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -42,6 +42,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.className | string | `"nginx"` | Class name that should serve this ingress | | ingress.enabled | bool | `true` | Create an ingress resource | | ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin&auth_type=basic"` | Gafaelfawr auth query string | | ingress.path | string | `"/times-square/api"` | Root URL path prefix for times-square API | diff --git a/services/times-square/templates/ingress-webhooks.yaml b/services/times-square/templates/ingress-webhooks.yaml index 1cbd642812..4ba4ac700c 100644 --- a/services/times-square/templates/ingress-webhooks.yaml 
+++ b/services/times-square/templates/ingress-webhooks.yaml @@ -6,7 +6,6 @@ metadata: labels: {{- include "times-square.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/services/times-square/templates/ingress.yaml b/services/times-square/templates/ingress.yaml index 6a784621c3..c4c3840aed 100644 --- a/services/times-square/templates/ingress.yaml +++ b/services/times-square/templates/ingress.yaml @@ -7,7 +7,6 @@ metadata: labels: {{- include "times-square.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index ad37eeb87e..b7dc42199c 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml @@ -62,6 +62,9 @@ ingress: # -- Additional annotations for the ingress rule annotations: {} + # -- Class name that should serve this ingress + className: "nginx" + # -- Path type for the ingress rule pathType: ImplementationSpecific diff --git a/services/vo-cutouts/templates/ingress.yaml b/services/vo-cutouts/templates/ingress.yaml index 26a2dc8185..904faad72e 100644 --- a/services/vo-cutouts/templates/ingress.yaml +++ b/services/vo-cutouts/templates/ingress.yaml @@ -2,7 +2,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User 
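Review bot: The two times-square templates only lose the `kubernetes.io/ingress.class` annotation; the diffstat records one deletion and no addition for both services/times-square/templates/ingress-webhooks.yaml and services/times-square/templates/ingress.yaml, and the new `ingress.className` value added to services/times-square/values.yaml is not consumed anywhere in this patch. Unless those templates already set `spec.ingressClassName` outside the visible hunks, both Ingress objects now render with no class and are served only where the cluster has a default IngressClass. The `spec:` blocks lie outside these hunks; each should carry `ingressClassName: {{ .Values.ingress.className | quote }}`, mirroring what the other charts in this commit do with a literal `"nginx"`.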
@@ -16,6 +15,7 @@ metadata: labels: {{- include "vo-cutouts.labels" . | nindent 4 }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/starters/web-service/templates/ingress.yaml b/starters/web-service/templates/ingress.yaml index 54745ad0d6..9ac6fb2568 100644 --- a/starters/web-service/templates/ingress.yaml +++ b/starters/web-service/templates/ingress.yaml @@ -5,7 +5,6 @@ metadata: labels: {{- include ".labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" {{- if .Values.ingress.gafaelfawrAuthQuery }} nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" @@ -16,6 +15,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: From d304941d89164c842a4fcc7c9fe2362706aea2b0 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 24 Aug 2022 16:15:14 -0700 Subject: [PATCH 0915/1479] Pin load balancer IP addresses for kafka on idfint --- services/sasquatch/values-idfint.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/sasquatch/values-idfint.yaml b/services/sasquatch/values-idfint.yaml index 767e1a2d69..088a60b07e 100644 --- a/services/sasquatch/values-idfint.yaml +++ b/services/sasquatch/values-idfint.yaml @@ -4,15 +4,15 @@ strimzi-kafka: tls: enabled: true bootstrap: - loadBalancerIP: "" + loadBalancerIP: "35.188.187.82" host: sasquatch-int-kafka-bootstrap.lsst.cloud brokers: - - loadBalancerIP: "" + - loadBalancerIP: "34.171.69.125" host: sasquatch-int-kafka-0.lsst.cloud - - loadBalancerIP: "" + - loadBalancerIP: "34.72.50.204" host: sasquatch-int-kafka-1.lsst.cloud - - loadBalancerIP: "" + - loadBalancerIP: "34.173.225.150" host: sasquatch-int-kafka-2.lsst.cloud influxdb: 
From 4079cf916adc1279cca792b459646256d4c2b0d8 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 24 Aug 2022 16:28:23 -0700 Subject: [PATCH 0916/1479] Add read:image scopes to T&S deployments I didn't add these when the scope was added for the cutout service, since it wasn't clear we would have images in the same sense on T&S deployments, but now the Portal requests this scope, which means users have to have it when using the Portal to do image display. It's simpler to just grant the scope to the same groups as have exec:portal access than try to change the scope requirements in those environments. This matches what we did with read:tap, which also isn't directly in use there. --- services/gafaelfawr/values-base.yaml | 5 +++++ services/gafaelfawr/values-summit.yaml | 5 +++++ services/gafaelfawr/values-tucson-teststand.yaml | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/services/gafaelfawr/values-base.yaml b/services/gafaelfawr/values-base.yaml index c8dd17f633..ad595de177 100644 --- a/services/gafaelfawr/values-base.yaml +++ b/services/gafaelfawr/values-base.yaml @@ -26,6 +26,11 @@ config: - "lsst-sqre-friends" - "lsst-ts-base-access" - "rubin-summit-rsp-access" + "read:image": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-base-access" + - "rubin-summit-rsp-access" "read:tap": - "lsst-sqre-square" - "lsst-sqre-friends" diff --git a/services/gafaelfawr/values-summit.yaml b/services/gafaelfawr/values-summit.yaml index fdc0d632c9..d0dcf9a3ce 100644 --- a/services/gafaelfawr/values-summit.yaml +++ b/services/gafaelfawr/values-summit.yaml @@ -31,6 +31,11 @@ config: - "lsst-sqre-friends" - "lsst-ts-summit-access" - "rubin-summit-rsp-access" + "read:image": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-summit-access" + - "rubin-summit-rsp-access" "read:tap": - "lsst-sqre-square" - "lsst-sqre-friends" 
diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index 93fa768d08..1fc43047c5 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml @@ -31,6 +31,11 @@ config: - "lsst-sqre-friends" - "lsst-ts-base-access" - "rubin-summit-rsp-access" + "read:image": + - "lsst-sqre-square" + - "lsst-sqre-friends" + - "lsst-ts-base-access" + - "rubin-summit-rsp-access" "read:tap": - "lsst-sqre-square" - "lsst-sqre-friends" From 8ace893072244df995f09d416fa02390b81fd8d1 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 24 Aug 2022 16:59:19 -0700 Subject: [PATCH 0917/1479] Clean up unused injected variables Remove Argo CD injected Helm variables that aren't used, and document the ones that are used. Rename the vault_certificate setting for ingress-nginx to vaultCertificate, following the naming rules for Helm chart parameters. This leaves some unused injected variables for semaphore on the grounds that they may be used in the future. --- science-platform/templates/noteburst-application.yaml | 2 -- science-platform/templates/tap-schema-application.yaml | 4 ---- services/ingress-nginx/README.md | 3 ++- services/ingress-nginx/templates/vault-secrets.yaml | 2 +- services/ingress-nginx/values-minikube.yaml | 2 +- services/ingress-nginx/values-roe.yaml | 2 +- services/ingress-nginx/values.yaml | 9 ++++++++- services/noteburst/README.md | 1 - services/noteburst/values.yaml | 4 ---- services/postgres/README.md | 2 -- services/postgres/values.yaml | 8 -------- services/tap-schema/README.md | 2 -- services/tap-schema/values.yaml | 8 -------- 13 files changed, 13 insertions(+), 36 deletions(-) diff --git a/science-platform/templates/noteburst-application.yaml b/science-platform/templates/noteburst-application.yaml index 6193ad79e2..c80f8e1202 100644 --- a/science-platform/templates/noteburst-application.yaml +++ b/science-platform/templates/noteburst-application.yaml 
@@ -29,8 +29,6 @@ spec: value: {{ .Values.fqdn | quote }} - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPathPrefix" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" - "values-{{ .Values.environment }}.yaml" diff --git a/science-platform/templates/tap-schema-application.yaml b/science-platform/templates/tap-schema-application.yaml index f3fa0673f8..78e9ab9cc1 100644 --- a/science-platform/templates/tap-schema-application.yaml +++ b/science-platform/templates/tap-schema-application.yaml @@ -25,10 +25,6 @@ spec: targetRevision: {{ .Values.revision | quote }} helm: parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index 355a14bbcb..fb38d42e8f 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -10,6 +10,7 @@ | Key | Type | Default | Description | |-----|------|---------|-------------| +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | ingress-nginx.controller.config.compute-full-forwarded-for | string | `"true"` | | | ingress-nginx.controller.config.large-client-header-buffers | string | `"4 64k"` | | | ingress-nginx.controller.config.proxy-body-size | string | `"100m"` | | 
@@ -20,4 +21,4 @@ | ingress-nginx.controller.podLabels."gafaelfawr.lsst.io/ingress" | string | `"true"` | | | ingress-nginx.controller.podLabels."hub.jupyter.org/network-access-proxy-http" | string | `"true"` | | | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | -| vault_certificate.enabled | bool | `false` | Whether to store ingress TLS certificate via vault-secrets-operator. Typically "squareone" owns it instead in an RSP. | +| vaultCertificate.enabled | bool | `false` | Whether to store ingress TLS certificate via vault-secrets-operator. Typically "squareone" owns it instead in an RSP. | diff --git a/services/ingress-nginx/templates/vault-secrets.yaml b/services/ingress-nginx/templates/vault-secrets.yaml index 0d9a7a4a6b..61adfb0147 100644 --- a/services/ingress-nginx/templates/vault-secrets.yaml +++ b/services/ingress-nginx/templates/vault-secrets.yaml @@ -1,4 +1,4 @@ -{{ if .Values.vault_certificate.enabled }} +{{ if .Values.vaultCertificate.enabled }} apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: diff --git a/services/ingress-nginx/values-minikube.yaml b/services/ingress-nginx/values-minikube.yaml index a5453ebc46..ae315d0392 100644 --- a/services/ingress-nginx/values-minikube.yaml +++ b/services/ingress-nginx/values-minikube.yaml @@ -10,5 +10,5 @@ ingress-nginx: extraArgs: default-ssl-certificate: ingress-nginx/ingress-certificate -vault_certificate: +vaultCertificate: enabled: true diff --git a/services/ingress-nginx/values-roe.yaml b/services/ingress-nginx/values-roe.yaml index 22710084b9..c4548e7c91 100644 --- a/services/ingress-nginx/values-roe.yaml +++ b/services/ingress-nginx/values-roe.yaml @@ -14,5 +14,5 @@ ingress-nginx: extraArgs: default-ssl-certificate: ingress-nginx/ingress-certificate -vault_certificate: +vaultCertificate: enabled: true diff --git a/services/ingress-nginx/values.yaml b/services/ingress-nginx/values.yaml index 39dad12993..a7ad11fd0a 100644 --- a/services/ingress-nginx/values.yaml 
+++ b/services/ingress-nginx/values.yaml @@ -17,8 +17,15 @@ ingress-nginx: metrics: enabled: true -vault_certificate: +vaultCertificate: # -- Whether to store ingress TLS certificate via # vault-secrets-operator. Typically "squareone" owns it instead in an # RSP. enabled: false + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" diff --git a/services/noteburst/README.md b/services/noteburst/README.md index fa52874fa6..c743f8cb77 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -35,7 +35,6 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | -| global.vaultSecretsPathPrefix | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | image.repository | string | `"ghcr.io/lsst-sqre/noteburst"` | Noteburst image repository | | image.tag | string | The appVersion of the chart | Tag of the image | diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index 4b664450fd..9b82274d73 100644 --- a/services/noteburst/values.yaml +++ b/services/noteburst/values.yaml @@ -13,10 +13,6 @@ global: # @default -- Set by Argo CD host: "" - # -- Base path for Vault secrets - # @default -- Set by Argo CD - vaultSecretsPathPrefix: "" - # -- Number of API pods to run replicaCount: 1 diff --git a/services/postgres/README.md b/services/postgres/README.md index 248f19228a..25d2e60e20 100644 --- a/services/postgres/README.md +++ b/services/postgres/README.md 
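Review bot: The added `vaultSecretsPath: ""` default makes a missing Argo CD parameter injection silent rather than an error: a chart rendered outside Argo CD, or from an Application that forgot the parameter, gets an empty base path, and whatever template consumes it (presumably vault-secrets.yaml, renamed in this same commit) would render a VaultSecret that points at a Vault path rooted at `/` instead of failing. If that template does not already guard the value, `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/..."` turns the omission into a render-time failure, which is the pattern the obstap ingress templates use for `global.host`. The comment block introducing `global:` could also say that the value is consumed only when `vaultCertificate.enabled` is true, if that is the case.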
@@ -11,8 +11,6 @@ Postgres RDBMS for LSP | Key | Type | Default | Description | |-----|------|---------|-------------| | debug | string | `""` | Set to non-empty to enable debugging output | -| global.baseUrl | string | Set by Argo CD | Base URL for the environment | -| global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the postgres image | | image.repository | string | `"lsstsqre/lsp-postgres"` | postgres image to use | diff --git a/services/postgres/values.yaml b/services/postgres/values.yaml index 6c6fe38087..ded4248a51 100644 --- a/services/postgres/values.yaml +++ b/services/postgres/values.yaml @@ -32,14 +32,6 @@ volumeName: "" # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global: - # -- Base URL for the environment - # @default -- Set by Argo CD - baseUrl: "" - - # -- Host name for ingress - # @default -- Set by Argo CD - host: "" - # -- Base path for Vault secrets # @default -- Set by Argo CD vaultSecretsPath: "" diff --git a/services/tap-schema/README.md b/services/tap-schema/README.md index 4565a19acd..b58ebcc3dd 100644 --- a/services/tap-schema/README.md +++ b/services/tap-schema/README.md 
@@ -10,8 +10,6 @@ The TAP_SCHEMA database |-----|------|---------|-------------| | affinity | object | `{}` | Affinity rules for the MySQL pod | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| global.baseUrl | string | Set by Argo CD | Base URL for the environment | -| global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tap-schema image | | image.repository | string | `"lsstsqre/tap-schema-mock"` | tap-schema image to use | diff --git a/services/tap-schema/values.yaml b/services/tap-schema/values.yaml index 3cef8a7833..37398ae568 100644 --- a/services/tap-schema/values.yaml +++ b/services/tap-schema/values.yaml @@ -35,14 +35,6 @@ affinity: {} # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global: - # -- Base URL for the environment - # @default -- Set by Argo CD - baseUrl: "" - - # -- Host name for ingress - # @default -- Set by Argo CD - host: "" - # -- Base path for Vault secrets # @default -- Set by Argo CD vaultSecretsPath: "" From 3b8f3baec63d18a03d1bcd148b68e6641fb98dac Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Wed, 24 Aug 2022 17:11:52 -0700 Subject: [PATCH 0918/1479] Delete obstap service ObsTap data is now being served via qserv and the regular TAP service, so the obstap service is obsolete. Delete it. --- science-platform/README.md | 1 - .../templates/obstap-application.yaml | 37 ----- science-platform/values-base.yaml | 2 - science-platform/values-idfdev.yaml | 2 - science-platform/values-idfint.yaml | 2 - science-platform/values-idfprod.yaml | 2 - science-platform/values-minikube.yaml | 2 - science-platform/values-roe.yaml | 2 - science-platform/values-summit.yaml | 2 - science-platform/values-tucson-teststand.yaml | 2 - science-platform/values.yaml | 2 - services/obstap/Chart.yaml | 6 - services/obstap/README.md | 45 ------ services/obstap/templates/_helpers.tpl | 51 ------- .../obstap/templates/tap-db-deployment.yaml | 47 ------- .../templates/tap-db-networkpolicy.yaml | 23 ---- services/obstap/templates/tap-db-service.yaml | 14 -- services/obstap/templates/tap-deployment.yaml | 76 ---------- .../templates/tap-ingress-anonymous.yaml | 31 ----- .../templates/tap-ingress-authenticated.yaml | 37 ----- .../obstap/templates/tap-networkpolicy.yaml | 22 --- services/obstap/templates/tap-service.yaml | 15 -- .../obstap/templates/uws-db-deployment.yaml | 53 ------- .../templates/uws-db-networkpolicy.yaml | 23 ---- services/obstap/templates/uws-db-service.yaml | 14 -- services/obstap/templates/vault-secrets.yaml | 19 --- services/obstap/values-idfdev.yaml | 3 - services/obstap/values-idfint.yaml | 3 - services/obstap/values-idfprod.yaml | 3 - services/obstap/values-minikube.yaml | 3 - services/obstap/values-roe.yaml | 0 services/obstap/values.yaml | 130 ------------------ 32 files changed, 674 deletions(-) delete mode 100644 science-platform/templates/obstap-application.yaml delete mode 100644 services/obstap/Chart.yaml delete mode 100644 services/obstap/README.md delete mode 100644 services/obstap/templates/_helpers.tpl delete mode 100644 
services/obstap/templates/tap-db-deployment.yaml delete mode 100644 services/obstap/templates/tap-db-networkpolicy.yaml delete mode 100644 services/obstap/templates/tap-db-service.yaml delete mode 100644 services/obstap/templates/tap-deployment.yaml delete mode 100644 services/obstap/templates/tap-ingress-anonymous.yaml delete mode 100644 services/obstap/templates/tap-ingress-authenticated.yaml delete mode 100644 services/obstap/templates/tap-networkpolicy.yaml delete mode 100644 services/obstap/templates/tap-service.yaml delete mode 100644 services/obstap/templates/uws-db-deployment.yaml delete mode 100644 services/obstap/templates/uws-db-networkpolicy.yaml delete mode 100644 services/obstap/templates/uws-db-service.yaml delete mode 100644 services/obstap/templates/vault-secrets.yaml delete mode 100644 services/obstap/values-idfdev.yaml delete mode 100644 services/obstap/values-idfint.yaml delete mode 100644 services/obstap/values-idfprod.yaml delete mode 100644 services/obstap/values-minikube.yaml delete mode 100644 services/obstap/values-roe.yaml delete mode 100644 services/obstap/values.yaml diff --git a/science-platform/README.md b/science-platform/README.md index 30e71fa224..32b69db4bc 100644 --- a/science-platform/README.md +++ b/science-platform/README.md @@ -17,7 +17,6 @@ | narrativelog.enabled | bool | `false` | | | noteburst.enabled | bool | `false` | | | nublado2.enabled | bool | `false` | | -| obstap.enabled | bool | `false` | | | onepassword_uuid | string | `"dg5afgiadsffeklfr6jykqymeu"` | | | plot_navigator.enabled | bool | `false` | | | portal.enabled | bool | `false` | | diff --git a/science-platform/templates/obstap-application.yaml b/science-platform/templates/obstap-application.yaml deleted file mode 100644 index 5abc556119..0000000000 --- a/science-platform/templates/obstap-application.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{- if .Values.obstap.enabled -}} -apiVersion: v1 -kind: Namespace -metadata: - name: obstap -spec: - finalizers: - - kubernetes ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: obstap - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - destination: - namespace: obstap - server: https://kubernetes.default.svc - project: default - source: - path: services/obstap - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} - helm: - parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} - valueFiles: - - "values.yaml" - - "values-{{ .Values.environment }}.yaml" -{{- end -}} diff --git a/science-platform/values-base.yaml b/science-platform/values-base.yaml index 7e06bfa97a..b08a617123 100644 --- a/science-platform/values-base.yaml +++ b/science-platform/values-base.yaml @@ -28,8 +28,6 @@ noteburst: enabled: false nublado2: enabled: true -obstap: - enabled: false plot_navigator: enabled: false portal: diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index f9e77d94c7..8d657a908a 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -28,8 +28,6 @@ noteburst: enabled: true nublado2: enabled: true -obstap: - enabled: false plot_navigator: enabled: false portal: diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index ef8ceb9d73..8352c46838 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -29,8 +29,6 @@ noteburst: enabled: false nublado2: enabled: true -obstap: - enabled: false plot_navigator: enabled: true portal: diff --git a/science-platform/values-idfprod.yaml b/science-platform/values-idfprod.yaml index c26fcb2b6f..135031a9a1 100644 
--- a/science-platform/values-idfprod.yaml +++ b/science-platform/values-idfprod.yaml @@ -29,8 +29,6 @@ noteburst: enabled: false nublado2: enabled: true -obstap: - enabled: false plot_navigator: enabled: false portal: diff --git a/science-platform/values-minikube.yaml b/science-platform/values-minikube.yaml index 349dae27b5..72f26c9c4d 100644 --- a/science-platform/values-minikube.yaml +++ b/science-platform/values-minikube.yaml @@ -28,8 +28,6 @@ noteburst: enabled: true nublado2: enabled: true -obstap: - enabled: false plot_navigator: enabled: false portal: diff --git a/science-platform/values-roe.yaml b/science-platform/values-roe.yaml index 4806424820..4a588487a4 100644 --- a/science-platform/values-roe.yaml +++ b/science-platform/values-roe.yaml @@ -28,8 +28,6 @@ noteburst: enabled: false nublado2: enabled: true -obstap: - enabled: false plot_navigator: enabled: false portal: diff --git a/science-platform/values-summit.yaml b/science-platform/values-summit.yaml index e19377fe2a..ba6309972b 100644 --- a/science-platform/values-summit.yaml +++ b/science-platform/values-summit.yaml @@ -28,8 +28,6 @@ noteburst: enabled: false nublado2: enabled: true -obstap: - enabled: false plot_navigator: enabled: false portal: diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index 3d95d761e0..b703a19846 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -28,8 +28,6 @@ noteburst: enabled: false nublado2: enabled: true -obstap: - enabled: false plot_navigator: enabled: false portal: diff --git a/science-platform/values.yaml b/science-platform/values.yaml index a7aa0c5264..f320ba32cd 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml @@ -24,8 +24,6 @@ noteburst: enabled: false nublado2: enabled: false -obstap: - enabled: false plot_navigator: enabled: false portal: 
diff --git a/services/obstap/Chart.yaml b/services/obstap/Chart.yaml
deleted file mode 100644
index 93a098e7ee..0000000000
--- a/services/obstap/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-appVersion: "1.1"
-description: CADC TAP PostgresSQL service, used for ObsTAP
-home: https://github.com/lsst-sqre/tap-postgres
-name: cadc-tap-postgres
-version: 0.2.2
diff --git a/services/obstap/README.md b/services/obstap/README.md
deleted file mode 100644
index 03e372869f..0000000000
--- a/services/obstap/README.md
+++ /dev/null
@@ -1,45 +0,0 @@ -# cadc-tap-postgres - -CADC TAP PostgresSQL service, used for ObsTAP - -**Homepage:** - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | Affinity rules for the cadc-tap-postgres pod | -| config.gcsBucket | string | None, must be set | Name of GCS bucket in which to store results | -| config.gcsBucketUrl | string | None, must be set | Base URL for results stored in GCS bucket | -| db.affinity | object | `{}` | Affinity rules for the database pod | -| db.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the database image | -| db.image.repository | string | `"lsstdax/tap-postgres-db"` | Database image to use | -| db.image.tag | string | The appVersion of the chart | Tag of database image to use | -| db.nodeSelector | object | `{}` | Node selection rules for the database pod | -| db.podAnnotations | object | `{}` | Annotations for the databse pod | -| db.resources | object | `{}` | Resource limits and requests for the database pod | -| db.tolerations | list | `[]` | Tolerations for the database pod | -| fullnameOverride | string | `"obstap"` | Override the full name for resources (includes the release name) | -| global.baseUrl | string | Set by Argo CD | Base URL for the environment | -| global.host | string | Set by Argo CD | Host name for ingress | -| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tap image | -| image.repository | string | `"lsstdax/tap-postgres-server"` | tap-postgres image to use | -| image.tag | string | The appVersion of the chart | Tag of tap image to use | -| ingress.anonymousAnnotations | object | `{}` | Additional annotations to use for endpoints that allow anonymous access, such as `/capabilities` and `/availability` | -| ingress.authenticatedAnnotations | object | `{}` | Additional annotations to use for endpoints that are 
authenticated, such as `/sync`, `/async`, and `/tables` | -| ingress.gafaelfawrAuthQuery | string | `"scope=read:tap"` | Gafaelfawr auth query string | -| nameOverride | string | `""` | Override the base name for resources | -| nodeSelector | object | `{}` | Node selector rules for the cadc-tap-postgres pod | -| podAnnotations | object | `{}` | Annotations for the cadc-tap-postgres pod | -| replicaCount | int | `1` | Number of pods to start | -| resources | object | `{}` | Resource limits and requests for the cadc-tap-postgres pod | -| tolerations | list | `[]` | Tolerations for the cadc-tap-postgres pod | -| uws.affinity | object | `{}` | Affinity rules for the UWS database pod | -| uws.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the UWS database image | -| uws.image.repository | string | `"lsstdax/tap-postgres-uws"` | UWS database image to use | -| uws.image.tag | string | The appVersion of the chart | Tag of UWS database image to use | -| uws.nodeSelector | object | `{}` | Node selection rules for the UWS database pod | -| uws.podAnnotations | object | `{}` | Annotations for the UWS databse pod | -| uws.resources | object | `{}` | Resource limits and requests for the UWS database pod | -| uws.tolerations | list | `[]` | Tolerations for the UWS database pod | diff --git a/services/obstap/templates/_helpers.tpl b/services/obstap/templates/_helpers.tpl deleted file mode 100644 index 8c67eaa741..0000000000 --- a/services/obstap/templates/_helpers.tpl +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "cadc-tap-postgres.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "cadc-tap-postgres.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "cadc-tap-postgres.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "cadc-tap-postgres.labels" -}} -helm.sh/chart: {{ include "cadc-tap-postgres.chart" . }} -{{ include "cadc-tap-postgres.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "cadc-tap-postgres.selectorLabels" -}} -app.kubernetes.io/name: {{ include "cadc-tap-postgres.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} diff --git a/services/obstap/templates/tap-db-deployment.yaml b/services/obstap/templates/tap-db-deployment.yaml deleted file mode 100644 index 5fbfb4c325..0000000000 --- a/services/obstap/templates/tap-db-deployment.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "cadc-tap-postgres.fullname" . }}-tap-db - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "tap-db" - template: - metadata: - {{- with .Values.db.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 8 }} - app.kubernetes.io/component: "tap-db" - spec: - imagePullSecrets: - - name: "pull-secret" - automountServiceAccountToken: false - containers: - - name: "tap-db" - image: "{{ .Values.db.image.repository }}:{{ .Values.db.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.db.imagePullPolicy | quote }} - ports: - - containerPort: 5432 - {{- with .Values.db.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.db.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.db.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.db.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/services/obstap/templates/tap-db-networkpolicy.yaml b/services/obstap/templates/tap-db-networkpolicy.yaml deleted file mode 100644 index 9fa0cb9038..0000000000 --- a/services/obstap/templates/tap-db-networkpolicy.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "cadc-tap-postgres.fullname" . }}-tap-db -spec: - podSelector: - matchLabels: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "tap-db" - policyTypes: - - Ingress - # Deny all outbound access; PostgreSQL doesn't need to talk to anything. - - Egress - ingress: - # Allow inbound access to TAP database from the server. - - from: - - podSelector: - matchLabels: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 14 }} - app.kubernetes.io/component: "server" - ports: - - protocol: "TCP" - port: 5432 diff --git a/services/obstap/templates/tap-db-service.yaml b/services/obstap/templates/tap-db-service.yaml deleted file mode 100644 index 16821e8161..0000000000 --- a/services/obstap/templates/tap-db-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: {{ template "cadc-tap-postgres.fullname" . }}-tap-db - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} -spec: - ports: - - protocol: "TCP" - port: 5432 - targetPort: 5432 - selector: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: "tap-db" diff --git a/services/obstap/templates/tap-deployment.yaml b/services/obstap/templates/tap-deployment.yaml deleted file mode 100644 index df0ee54952..0000000000 --- a/services/obstap/templates/tap-deployment.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "cadc-tap-postgres.fullname" . }} - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "server" - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: "server" - spec: - imagePullSecrets: - - name: "pull-secret" - automountServiceAccountToken: false - containers: - - name: "tap-server" - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.imagePullPolicy | quote }} - env: - - name: "CATALINA_OPTS" - value: >- - -Dtap.username=tap_schema - -Dtap.password=pw-tapschema - -Dtap.url=jdbc:postgresql://{{ template "cadc-tap-postgres.fullname" . }}-tap-db:5432/tap_schema - -Dtap.maxActive=1 - -Dca.nrc.cadc.reg.client.RegistryClient.local=true - -Duws.username=postgres - -Duws.maxActive=2 - -Duws.jdbc.driverClassName=org.postgresql.Driver - -Duws.url=jdbc:postgresql://{{ template "cadc-tap-postgres.fullname" . }}-uws-db/ - -Dgcs_bucket={{ .Values.config.gcsBucket }} - -Dgcs_bucket_url={{ .Values.config.gcsBucketUrl }} - -Dca.nrc.cadc.util.PropertiesReader.dir=/etc/creds/ - - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: "/etc/creds/google_creds.json" - ports: - - containerPort: 8080 - {{- with .Values.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - volumeMounts: - - name: "google-creds" - mountPath: "/etc/creds" - readOnly: true - - name: "tmp" - mountPath: "/tmp" - volumes: - - name: "google-creds" - secret: - secretName: {{ template "cadc-tap-postgres.fullname" . 
}}-secret - - name: "tmp" - emptyDir: {} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/services/obstap/templates/tap-ingress-anonymous.yaml b/services/obstap/templates/tap-ingress-anonymous.yaml deleted file mode 100644 index 0408231c9a..0000000000 --- a/services/obstap/templates/tap-ingress-anonymous.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ template "cadc-tap-postgres.fullname" . }}-anonymous - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/proxy-connect-timeout: "900" - nginx.ingress.kubernetes.io/proxy-send-timeout: "900" - nginx.ingress.kubernetes.io/proxy-read-timeout: "900" - nginx.ingress.kubernetes.io/rewrite-target: "/tap/$1" - nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/" - nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/obstap/" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/use-regex: "true" - {{- with .Values.ingress.anonymousAnnotations }} - {{ toYaml . | indent 4}} - {{- end }} -spec: - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/api/obstap/(availability|capabilities|swagger-ui.*)" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ template "cadc-tap-postgres.fullname" . }} - port: - number: 80 diff --git a/services/obstap/templates/tap-ingress-authenticated.yaml b/services/obstap/templates/tap-ingress-authenticated.yaml deleted file mode 100644 index 717e034919..0000000000 --- a/services/obstap/templates/tap-ingress-authenticated.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ template "cadc-tap-postgres.fullname" . }}-authenticated - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Uid, X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - nginx.ingress.kubernetes.io/configuration-snippet: | - auth_request_set $auth_token $upstream_http_x_auth_request_token; - proxy_set_header Authorization "Bearer $auth_token"; - nginx.ingress.kubernetes.io/proxy-connect-timeout: "900" - nginx.ingress.kubernetes.io/proxy-send-timeout: "900" - nginx.ingress.kubernetes.io/proxy-read-timeout: "900" - nginx.ingress.kubernetes.io/rewrite-target: "/tap/$2" - nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/" - nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/obstap/" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/use-regex: "true" - {{- with .Values.ingress.authenticatedAnnotations }} - {{ toYaml . | indent 4 }} - {{- end }} -spec: - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/api/obstap(/|$)(.*)" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ template "cadc-tap-postgres.fullname" . }} - port: - number: 80 diff --git a/services/obstap/templates/tap-networkpolicy.yaml b/services/obstap/templates/tap-networkpolicy.yaml deleted file mode 100644 index 827888bd90..0000000000 --- a/services/obstap/templates/tap-networkpolicy.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "cadc-tap-postgres.fullname" . }} -spec: - podSelector: - matchLabels: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "server" - policyTypes: - - Ingress - ingress: - # Allow inbound access from pods (in any namespace) labeled - # gafaelfawr.lsst.io/ingress: true. - - from: - - namespaceSelector: {} - podSelector: - matchLabels: - gafaelfawr.lsst.io/ingress: "true" - ports: - - protocol: "TCP" - port: 8080 diff --git a/services/obstap/templates/tap-service.yaml b/services/obstap/templates/tap-service.yaml deleted file mode 100644 index a2894fa550..0000000000 --- a/services/obstap/templates/tap-service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: {{ template "cadc-tap-postgres.fullname" . }} - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} -spec: - type: ClusterIP - ports: - - protocol: "TCP" - port: 80 - targetPort: 8080 - selector: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: "server" diff --git a/services/obstap/templates/uws-db-deployment.yaml b/services/obstap/templates/uws-db-deployment.yaml deleted file mode 100644 index af2a25115b..0000000000 --- a/services/obstap/templates/uws-db-deployment.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "cadc-tap-postgres.fullname" . }}-uws-db - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "uws-db" - template: - metadata: - {{- with .Values.uws.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 8 }} - app.kubernetes.io/component: "uws-db" - spec: - imagePullSecrets: - - name: "pull-secret" - automountServiceAccountToken: false - containers: - - name: "postgresql" - image: "{{ .Values.uws.image.repository }}:{{ .Values.uws.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.uws.imagePullPolicy | quote }} - ports: - - containerPort: 5432 - {{- with .Values.uws.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - volumeMounts: - - name: "data" - mountPath: "/var/lib/postgresql/data" - volumes: - - name: "data" - emptyDir: {} - {{- with .Values.uws.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.uws.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.uws.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/services/obstap/templates/uws-db-networkpolicy.yaml b/services/obstap/templates/uws-db-networkpolicy.yaml deleted file mode 100644 index 6de9259b5a..0000000000 --- a/services/obstap/templates/uws-db-networkpolicy.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "cadc-tap-postgres.fullname" . }}-uws-db -spec: - podSelector: - matchLabels: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "uws-db" - policyTypes: - - Ingress - # Deny all outbound access; PostgreSQL doesn't need to talk to anything. - - Egress - ingress: - # Allow inbound access to UWS database from the server. - - from: - - podSelector: - matchLabels: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 14 }} - app.kubernetes.io/component: "server" - ports: - - protocol: "TCP" - port: 5432 diff --git a/services/obstap/templates/uws-db-service.yaml b/services/obstap/templates/uws-db-service.yaml deleted file mode 100644 index 33fcd54fac..0000000000 --- a/services/obstap/templates/uws-db-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: {{ template "cadc-tap-postgres.fullname" . }}-uws-db - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} -spec: - ports: - - protocol: "TCP" - port: 5432 - targetPort: 5432 - selector: - {{- include "cadc-tap-postgres.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: "uws-db" diff --git a/services/obstap/templates/vault-secrets.yaml b/services/obstap/templates/vault-secrets.yaml deleted file mode 100644 index bc386a5286..0000000000 --- a/services/obstap/templates/vault-secrets.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: {{ template "cadc-tap-postgres.fullname" . }}-secret - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} -spec: - path: "{{ .Values.global.vaultSecretsPath }}/tap" - type: Opaque ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: pull-secret - labels: - {{- include "cadc-tap-postgres.labels" . | nindent 4 }} -spec: - path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" - type: kubernetes.io/dockerconfigjson diff --git a/services/obstap/values-idfdev.yaml b/services/obstap/values-idfdev.yaml deleted file mode 100644 index 6e3f1aca1e..0000000000 --- a/services/obstap/values-idfdev.yaml +++ /dev/null @@ -1,3 +0,0 @@ -config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/obstap/values-idfint.yaml b/services/obstap/values-idfint.yaml deleted file mode 100644 index 6e3f1aca1e..0000000000 --- a/services/obstap/values-idfint.yaml +++ /dev/null @@ -1,3 +0,0 @@ -config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/obstap/values-idfprod.yaml b/services/obstap/values-idfprod.yaml deleted file mode 100644 index 6e3f1aca1e..0000000000 --- a/services/obstap/values-idfprod.yaml +++ /dev/null @@ -1,3 +0,0 @@ -config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/obstap/values-minikube.yaml b/services/obstap/values-minikube.yaml deleted file mode 100644 index 6e3f1aca1e..0000000000 --- a/services/obstap/values-minikube.yaml +++ /dev/null @@ -1,3 +0,0 @@ -config: - gcsBucket: "async-results.lsst.codes" - gcsBucketUrl: "http://async-results.lsst.codes" diff --git a/services/obstap/values-roe.yaml b/services/obstap/values-roe.yaml deleted file mode 100644 index e69de29bb2..0000000000 
diff --git a/services/obstap/values.yaml b/services/obstap/values.yaml deleted file mode 100644 index 9ef70cbc14..0000000000 --- a/services/obstap/values.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -# Default values for cadc-tap. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- Override the base name for resources -nameOverride: "" - -# -- Override the full name for resources (includes the release name) -fullnameOverride: "obstap" - -# -- Number of pods to start -replicaCount: 1 - -image: - # -- tap-postgres image to use - repository: "lsstdax/tap-postgres-server" - - # -- Pull policy for the tap image - pullPolicy: "IfNotPresent" - - # -- Tag of tap image to use - # @default -- The appVersion of the chart - tag: "" - - -# Settings for the ingress rules. -ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=read:tap" - - # -- Additional annotations to use for endpoints that allow anonymous - # access, such as `/capabilities` and `/availability` - anonymousAnnotations: {} - - # -- Additional annotations to use for endpoints that are authenticated, - # such as `/sync`, `/async`, and `/tables` - authenticatedAnnotations: {} - -# -- Resource limits and requests for the cadc-tap-postgres pod -resources: {} - -# -- Annotations for the cadc-tap-postgres pod -podAnnotations: {} - -# -- Node selector rules for the cadc-tap-postgres pod -nodeSelector: {} - -# -- Tolerations for the cadc-tap-postgres pod -tolerations: [] - -# -- Affinity rules for the cadc-tap-postgres pod -affinity: {} - -config: - # -- Name of GCS bucket in which to store results - # @default -- None, must be set - gcsBucket: "" - - # -- Base URL for results stored in GCS bucket - # @default -- None, must be set - gcsBucketUrl: "" - -db: - image: - # -- Database image to use - repository: "lsstdax/tap-postgres-db" - - # -- Pull policy for the database image - pullPolicy: "IfNotPresent" - - # -- Tag of database image to use - # @default -- The appVersion of the chart - tag: "" - - # -- Resource limits and requests for the database pod - resources: {} - - # -- Annotations for the databse pod - podAnnotations: {} - - 
# -- Node selection rules for the database pod - nodeSelector: {} - - # -- Tolerations for the database pod - tolerations: [] - - # -- Affinity rules for the database pod - affinity: {} - -uws: - image: - # -- UWS database image to use - repository: "lsstdax/tap-postgres-uws" - - # -- Pull policy for the UWS database image - pullPolicy: "IfNotPresent" - - # -- Tag of UWS database image to use - # @default -- The appVersion of the chart - tag: "" - - # -- Resource limits and requests for the UWS database pod - resources: {} - - # -- Annotations for the UWS databse pod - podAnnotations: {} - - # -- Node selection rules for the UWS database pod - nodeSelector: {} - - # -- Tolerations for the UWS database pod - tolerations: [] - - # -- Affinity rules for the UWS database pod - affinity: {} - -# The following will be set by parameters injected by Argo CD and should not -# be set in the individual environment values files. -global: - # -- Base URL for the environment - # @default -- Set by Argo CD - baseUrl: "" - - # -- Host name for ingress - # @default -- Set by Argo CD - host: "" - - # -- Base path for Vault secrets - # @default -- Set by Argo CD - vaultSecretsPath: "" From 33291943cba0b5486548b425a5f5d31ae3090a58 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 25 Aug 2022 11:46:15 +0200 Subject: [PATCH 0919/1479] try to fix squareone --- services/squareone/values-ccin2p3.yaml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/services/squareone/values-ccin2p3.yaml b/services/squareone/values-ccin2p3.yaml index 1a792f44d4..99180f0148 100644 --- a/services/squareone/values-ccin2p3.yaml +++ b/services/squareone/values-ccin2p3.yaml 
@@ -1,12 +1,7 @@ -ingress: - host: "data-dev.lsst.eu" - annotations: - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns - tls: - - secretName: squareone-tls - hosts: - - "data-dev.lsst.eu" -imagePullSecrets: - - name: "pull-secret" config: - siteName: "Rubin Science Platform @ CC-IN2P3" \ No newline at end of file + siteName: "Rubin Science Platform @ CC-IN2P3" + + +pull-secret: + enabled: true + path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file From 11126bc3765c0f262a3fbbe21cd89c434b06d908 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 25 Aug 2022 12:30:10 +0200 Subject: [PATCH 0920/1479] activate cert-manager --- science-platform/values-ccin2p3.yaml | 2 +- services/cert-manager/values-ccin2p3.yaml | 7 ++----- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index efab6f4bc7..7722e5f782 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -7,7 +7,7 @@ alert_stream_broker: cachemachine: enabled: true cert_manager: - enabled: false + enabled: true datalinker: enabled: false exposurelog: diff --git a/services/cert-manager/values-ccin2p3.yaml b/services/cert-manager/values-ccin2p3.yaml index 92f6992fb8..3a70ce10d7 100644 --- a/services/cert-manager/values-ccin2p3.yaml +++ b/services/cert-manager/values-ccin2p3.yaml @@ -1,8 +1,5 @@ -cert-manager: - installCRDs: true - extraArgs: - - --dns01-recursive-nameservers-only - - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 +config: + createIssuer: false pull-secret: enabled: true From 8f2029e51b6d8a85d3750c9ea7dc8a6d2649cea9 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 25 Aug 2022 13:59:43 +0200 Subject: [PATCH 0921/1479] deactivate nublado --- science-platform/values-ccin2p3.yaml | 2 +- services/ingress-nginx/values-ccin2p3.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index 7722e5f782..8357e17d92 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -25,7 +25,7 @@ narrativelog: noteburst: enabled: false nublado2: - enabled: true + enabled: false obstap: enabled: true plot_navigator: diff --git a/services/ingress-nginx/values-ccin2p3.yaml b/services/ingress-nginx/values-ccin2p3.yaml index 04c7d6b7a1..d8e7056f46 100644 --- a/services/ingress-nginx/values-ccin2p3.yaml +++ b/services/ingress-nginx/values-ccin2p3.yaml @@ -32,6 +32,7 @@ vault_certificate: enabled: true path: secret/k8s_operator/rsp-cc/ingress-nginx + # pull-secret: # enabled: true # path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file From c7703a50070a1899a6fb83b29a3a6f6196be1835 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 25 Aug 2022 14:37:54 +0200 Subject: [PATCH 0922/1479] Update settng name to vaultCertificate --- services/ingress-nginx/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/ingress-nginx/values-ccin2p3.yaml b/services/ingress-nginx/values-ccin2p3.yaml index d8e7056f46..c326dcf11a 100644 --- a/services/ingress-nginx/values-ccin2p3.yaml +++ b/services/ingress-nginx/values-ccin2p3.yaml @@ -28,9 +28,9 @@ ingress-nginx: # podLabels: # hub.jupyter.org/network-access-proxy-http: "true" -vault_certificate: +vaultCertificate: enabled: true - path: secret/k8s_operator/rsp-cc/ingress-nginx + #path: secret/k8s_operator/rsp-cc/ingress-nginx # pull-secret: From 54c71b5f853de85610e4616d2a0701b589625897 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 25 Aug 2022 14:55:59 +0200 Subject: [PATCH 0923/1479] set false to tls setting in squareone --- services/squareone/values-ccin2p3.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/services/squareone/values-ccin2p3.yaml b/services/squareone/values-ccin2p3.yaml index 99180f0148..2bc081473e 100644 --- a/services/squareone/values-ccin2p3.yaml +++ b/services/squareone/values-ccin2p3.yaml @@ -1,6 +1,8 @@ config: siteName: "Rubin Science Platform @ CC-IN2P3" - + +ingress: + tls: false pull-secret: enabled: true From b79109fad640cf259bdf1416cd2f38651b72e58e Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 25 Aug 2022 15:16:10 +0200 Subject: [PATCH 0924/1479] reintroduced nablado --- science-platform/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index 8357e17d92..7722e5f782 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -25,7 +25,7 @@ narrativelog: noteburst: enabled: false nublado2: - enabled: false + enabled: true obstap: enabled: true plot_navigator: From daaaf22bbdc6139567c0ae5bb2e3c8bbcd14696e Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 25 Aug 2022 15:26:16 +0200 Subject: [PATCH 0925/1479] removed resources --- services/nublado2/values-ccin2p3.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index fd8135efa6..56a41ae1aa 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -2,11 +2,11 @@ jupyterhub: debug: enabled: true - hub: - resources: - requests: - cpu: "2" - memory: 3Gi + # hub: + # resources: + # requests: + # cpu: "2" + # memory: 3Gi ingress: hosts: ["data-dev.lsst.eu"] annotations: From 6f3e89a5921851d2e5be78b148791c296582a185 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 25 Aug 2022 16:11:33 +0200 Subject: [PATCH 0926/1479] try to fix gafaelwafr issue with portal --- services/gafaelfawr/values-ccin2p3.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
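Review bot: `tls: false` under `ingress:` turns TLS off for the squareone Ingress at CC-IN2P3, and together with the earlier removal of the `tls:` / `cert-manager.io/cluster-issuer` block this leaves nothing in the chart values saying where HTTPS is terminated. If ingress-nginx (which this environment configures with `vaultCertificate: enabled: true`) or a front proxy terminates TLS, say so inline, e.g. `# TLS is terminated by ingress-nginx at CC-IN2P3, not per Ingress.`; if nothing does, the site is served over plaintext and this should not land as-is. The commit message is too short to tell which case applies.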
diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 7c6a8c42ff..6f9305303c 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -70,7 +70,12 @@ config: - "rubin-in2p3-user" - "rubin-in2p3" - "rubin-in2p3-delegates" - + "read:image": + - "rubin-in2p3-admin" + - "rubin-in2p3-user" + - "rubin-in2p3" + - "rubin-in2p3-delegates" + initialAdmins: # - "mainetti" - "gabrimaine" From dc1fecdb3bfc84c2ccbe6e5e4ddedca25ff9f93f Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Wed, 24 Aug 2022 09:15:04 -0700 Subject: [PATCH 0927/1479] Use separate Cloud SQL Proxy pod Using a Cloud SQL Proxy sidecar for CronJob resources is very annoying, since one has to coordinate stopping the Cloud SQL Proxy server so that the CronJob can exit, which in turn requires a bunch of opaque shell gunk. Since we're about to add another CronJob, add a separate Cloud SQL Proxy service that can be used by all the non-critical, low-volume services (the Kubernetes operator and the CronJobs to start). Continue to use the sidecar for the main Gafaelfawr pods so that the proxy will scale with the pods and the critical Gafaelfawr service doesn't have a single point of failure. Add a NetworkPolicy to keep anything else in the cluster from talking to the Cloud SQL Proxy pod. This will only work at Google, but this service is only used at Google, so that should be sufficient. This requires generating two versions of the Gafaelfawr ConfigMap, since the database URL has to be different between the Gafaelfawr pods (using localhost) and the other pods (using the service in the same namespace). Do that with multiple resources and a Helm define inside that template. Drop the database URL from values.yaml for environments where the Cloud SQL Proxy is used, since we always know what it is (and have to adjust it for the two different deployment patterns). 
--- services/gafaelfawr/README.md | 15 +++-- .../templates/cloudsql-deployment.yaml | 63 +++++++++++++++++++ .../templates/cloudsql-networkpolicy.yaml | 30 +++++++++ .../templates/cloudsql-service.yaml | 17 +++++ services/gafaelfawr/templates/configmap.yaml | 45 ++++++++++--- .../templates/cronjob-maintenance.yaml | 55 +--------------- .../templates/deployment-tokens.yaml | 17 ----- services/gafaelfawr/templates/deployment.yaml | 2 +- services/gafaelfawr/values-idfdev.yaml | 9 ++- services/gafaelfawr/values-idfint.yaml | 6 +- services/gafaelfawr/values-idfprod.yaml | 2 - services/gafaelfawr/values-summit.yaml | 7 +-- .../gafaelfawr/values-tucson-teststand.yaml | 7 +-- services/gafaelfawr/values.yaml | 30 +++++++-- 14 files changed, 195 insertions(+), 110 deletions(-) create mode 100644 services/gafaelfawr/templates/cloudsql-deployment.yaml create mode 100644 services/gafaelfawr/templates/cloudsql-networkpolicy.yaml create mode 100644 services/gafaelfawr/templates/cloudsql-service.yaml diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 30d98c87a6..63721be187 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -13,12 +13,17 @@ Science Platform authentication and authorization system | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity rules for the Gafaelfawr frontend pod | -| cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | +| cloudsql.affinity | object | `{}` | Affinity rules for the Cloud SQL Proxy pod | +| cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy, used with CloudSQL databases on Google Cloud. This will be run as a sidecar for the main Gafaelfawr pods, and as a separate service (behind a `NetworkPolicy`) for other, lower-traffic services. | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.2-alpine"` | Cloud SQL Auth Proxy tag to use | -| cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | -| cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `gafaelfawr` and `gafaelfawr-tokens` Kubernetes service accounts and has the `cloudsql.client` role | +| cloudsql.image.tag | string | `"1.31.2"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.instanceConnectionName | string | None, must be set if Cloud SQL Auth Proxy is enabled | Instance connection name for a CloudSQL PostgreSQL instance | +| cloudsql.nodeSelector | object | `{}` | Node selection rules for the Cloud SQL Proxy pod | +| cloudsql.podAnnotations | object | `{}` | Annotations for the Cloud SQL Proxy pod | +| cloudsql.resources | object | `{}` | Resource limits and requests for the Cloud SQL Proxy pod | +| cloudsql.serviceAccount | string | None, must be set if Cloud SQL Auth Proxy is enabled | The Google service account that has an IAM 
binding to the `gafaelfawr` Kubernetes service account and has the `cloudsql.client` role | +| cloudsql.tolerations | list | `[]` | Tolerations for the Cloud SQL Proxy pod | | config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. | | config.cilogon.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP | | config.cilogon.loginParams | object | `{"skin":"LSST"}` | Additional parameters to add | @@ -26,7 +31,7 @@ Science Platform authentication and authorization system | config.cilogon.test | bool | `false` | Whether to use the test instance of CILogon | | config.cilogon.uidClaim | string | `"uidNumber"` | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) | | config.cilogon.usernameClaim | string | `"uid"` | Claim from which to get the username | -| config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | +| config.databaseUrl | string | None, must be set if `cloudsql.enabled` is not true | URL for the PostgreSQL database | | config.errorFooter | string | `""` | HTML footer to add to any login error page (inside a

tag). | | config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. | | config.github.clientId | string | `""` | GitHub client ID. One and only one of this, `config.cilogon.clientId`, or `config.oidc.clientId` must be set. | diff --git a/services/gafaelfawr/templates/cloudsql-deployment.yaml b/services/gafaelfawr/templates/cloudsql-deployment.yaml new file mode 100644 index 0000000000..a2f5fbf91a --- /dev/null +++ b/services/gafaelfawr/templates/cloudsql-deployment.yaml 
@@ -0,0 +1,63 @@
+{{- if .Values.cloudsql.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cloud-sql-proxy
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.cloudsql.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "cloud-sql-proxy"
+ template:
+ metadata:
+ {{- with .Values.cloudsql.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: "cloud-sql-proxy"
+ spec:
+ serviceAccountName: {{ include "gafaelfawr.fullname" . }}
+ containers:
+ - name: "cloud-sql-proxy"
+ command:
+ - "/cloud_sql_proxy"
+ - "-ip_address_types=PRIVATE"
+ - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:0.0.0.0:5432"
+ image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}"
+ imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }}
+ ports:
+ - containerPort: 5432
+ name: "http"
+ protocol: "TCP"
+ {{- with .Values.cloudsql.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "all"
+ readOnlyRootFilesystem: true
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ {{- with .Values.cloudsql.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.cloudsql.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.cloudsql.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml b/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml
new file mode 100644
index 0000000000..55f8afcbe4
--- /dev/null
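Review bot: `replicas: {{ .Values.cloudsql.replicaCount }}` reads a value that neither the `cloudsql:` block added to values.yaml in this commit nor the regenerated README table declares, so with the shipped defaults it renders as a bare `replicas:` and the Deployment silently gets the API default of one replica. Add `# -- Number of Cloud SQL Proxy pods to run` and `replicaCount: 1` under `cloudsql:` in values.yaml (the hunk at `@@ -248,19 +250,35 @@` is the natural place), or drop the line if a single replica is intended. Separately, the container port is named `"http"` although it carries PostgreSQL traffic; a name such as `"postgresql"`, mirrored in `targetPort` of cloudsql-service.yaml, would read correctly in `kubectl describe` and policy tooling.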
+++ b/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "cloud-sql-proxy"
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ # This policy controls inbound and outbound access to the Cloud SQL Proxy.
+ matchLabels:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "cloud-sql-proxy"
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow inbound access to the Cloud SQL Proxy from other components except
+ # the frontend. The frontend, since it's performance-critical and gates
+ # all access to the cluster, continues running its own sidecar.
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 14 }}
+ app.kubernetes.io/component: "maintenance"
+ - podSelector:
+ matchLabels:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 14 }}
+ app.kubernetes.io/component: "tokens"
+ ports:
+ - protocol: "TCP"
+ port: 5432
diff --git a/services/gafaelfawr/templates/cloudsql-service.yaml b/services/gafaelfawr/templates/cloudsql-service.yaml
new file mode 100644
index 0000000000..5273410788
--- /dev/null
+++ b/services/gafaelfawr/templates/cloudsql-service.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.cloudsql.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: "cloud-sql-proxy"
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - protocol: "TCP"
+ port: 5432
+ targetPort: "http"
+ selector:
+ {{- include "gafaelfawr.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "cloud-sql-proxy"
+{{- end }}
diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml
index 6fd820c59f..28694abeb0 100644
--- a/services/gafaelfawr/templates/configmap.yaml
+++ b/services/gafaelfawr/templates/configmap.yaml
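Review bot: This NetworkPolicy is not wrapped in `{{- if .Values.cloudsql.enabled -}}` the way the new Deployment and Service are, so it is rendered in every environment, and the comment under `podSelector` says the policy controls inbound and outbound access although `policyTypes` lists only `Ingress`, so egress from the proxy pod is left unrestricted. Either reword it to `# This policy restricts inbound access to the Cloud SQL Proxy.` or add an `Egress` entry with the destinations the proxy needs to reach the instance, which would need testing at Google. Guarding the whole file with the same `{{- if .Values.cloudsql.enabled -}}` / `{{- end }}` pair would keep the three rendered manifests consistent. The `from` entries use `podSelector` without a `namespaceSelector`, which confines callers to the release namespace and matches the intent stated in the commit message.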
@@ -1,16 +1,13 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "gafaelfawr.fullname" . }}-config
- labels:
- {{- include "gafaelfawr.labels" . | nindent 4 }}
-data:
- gafaelfawr.yaml: |
+{{/* Generate two versions of the ConfigMap, one using the sidecar proxy
+ and the other using the separate Cloud SQL Proxy service. The second
+ will be used for CronJobs and other lower-load services, avoiding the
+ difficulty with coordinating stopping the Cloud SQL Proxy sidecar when
+ a CronJob ends. */}}
+{{- define "gafaelfawr.configMap" }}
 realm: {{ required "global.host must be set" .Values.global.host | quote }}
 loglevel: {{ .Values.config.loglevel | quote }}
 session_secret_file: "/etc/gafaelfawr/secrets/session-secret"
 bootstrap_token_file: "/etc/gafaelfawr/secrets/bootstrap-token"
- database_url: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }}
 database_password_file: "/etc/gafaelfawr/secrets/database-password"
 redis_url: "redis://{{ template "gafaelfawr.fullname" . }}-redis.{{ .Release.Namespace }}:6379/0"
 redis_password_file: "/etc/gafaelfawr/secrets/redis-password"
@@ -180,3 +177,33 @@ data:
 - {{ $admin | quote }}
 {{- end }}
 {{- end }}
+{{- end }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "gafaelfawr.fullname" . }}-config
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+data:
+ gafaelfawr.yaml: |
+ {{- if .Values.cloudsql.enabled }}
+ database_url: "postgresql://gafaelfawr@cloud-sql-proxy/gafaelfawr"
+ {{- else }}
+ database_url: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }}
+ {{- end }}
+ {{- template "gafaelfawr.configMap" . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "gafaelfawr.fullname" . }}-config-sidecar
+ labels:
+ {{- include "gafaelfawr.labels" . | nindent 4 }}
+data:
+ gafaelfawr.yaml: |
+ {{- if .Values.cloudsql.enabled }}
+ database_url: "postgresql://gafaelfawr@localhost/gafaelfawr"
+ {{- else }}
+ database_url: {{ required "config.databaseUrl must be set" .Values.config.databaseUrl | quote }}
+ {{- end }}
+ {{- template "gafaelfawr.configMap" . }}
diff --git a/services/gafaelfawr/templates/cronjob-maintenance.yaml b/services/gafaelfawr/templates/cronjob-maintenance.yaml
index 32422e9bb4..2f569d5f06 100644
--- a/services/gafaelfawr/templates/cronjob-maintenance.yaml
+++ b/services/gafaelfawr/templates/cronjob-maintenance.yaml
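Review bot: The `-config` ConfigMap points callers at `cloud-sql-proxy` over the pod network, so the password read from `database_password_file` now leaves the pod in the PostgreSQL handshake to the proxy Service instead of over loopback; to my knowledge the v1 proxy's listener is plain TCP, so inside the namespace that hop is bounded only by the NetworkPolicy in cloudsql-networkpolicy.yaml. That trade-off belongs in the header comment of the `gafaelfawr.configMap` define, e.g. `The non-sidecar variant sends database credentials to the proxy over the pod network; the cloud-sql-proxy NetworkPolicy is what limits which pods can reach it.` Both `cloudsql.enabled` branches also hard-code `gafaelfawr@…/gafaelfawr`, which silently drops the per-environment user and database name that `config.databaseUrl` previously allowed; if that is intended, the README entry for `config.databaseUrl` should say the value is ignored when `cloudsql.enabled` is true rather than merely optional.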
@@ -20,59 +20,12 @@ spec:
 app.kubernetes.io/component: "maintenance"
 spec:
 restartPolicy: "Never"
- {{- if .Values.cloudsql.enabled }}
- serviceAccountName: {{ include "gafaelfawr.fullname" . }}
- {{- else }}
 automountServiceAccountToken: false
- {{- end }}
 containers:
- {{- if .Values.cloudsql.enabled }}
- - name: "cloud-sql-proxy"
- # Running the sidecar as normal causes it to keep running and
- # thus the Pod never exits, the Job never finishes, and the
- # CronJob gets confused. Have the main pod signal the sidecar
- # by writing to a file on a shared emptyDir file system, and use
- # a simple watcher loop in shell in the sidecar container to
- # terminate the proxy when the main container finishes.
- #
- # Based on https://stackoverflow.com/questions/41679364/
- command:
- - "/bin/sh"
- - "-c"
- args:
- - |
- /cloud_sql_proxy -ip_address_types=PRIVATE -instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432 &
- PID=$!
- while true; do
- if [[ -f "/lifecycle/main-terminated" ]]; then
- kill $PID
- exit 0
- fi
- sleep 1
- done
- image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}"
- imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "all"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 65532
- runAsGroup: 65532
- volumeMounts:
- - name: "lifecycle"
- mountPath: "/lifecycle"
- {{- end }}
 - name: "gafaelfawr"
 command:
- - "/bin/sh"
- - "-c"
- args:
- - |
- gafaelfawr maintenance
- touch /lifecycle/main-terminated
+ - "gafaelfawr"
+ - "maintenance"
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
 {{- with .Values.maintenance.resources }}
@@ -89,8 +42,6 @@ spec:
 - name: "config"
 mountPath: "/etc/gafaelfawr"
 readOnly: true
- - name: "lifecycle"
- mountPath: "/lifecycle"
 - name: "secret"
 mountPath: "/etc/gafaelfawr/secrets"
 readOnly: true
@@ -102,8 +53,6 @@ spec:
 - name: "config"
 configMap:
 name: {{ template "gafaelfawr.fullname" . }}-config
- - name: "lifecycle"
- emptyDir: {}
 - name: "secret"
 secret:
 secretName: {{ template "gafaelfawr.fullname" . }}-secret
diff --git a/services/gafaelfawr/templates/deployment-tokens.yaml b/services/gafaelfawr/templates/deployment-tokens.yaml
index b97853b643..5e165d67ad 100644
--- a/services/gafaelfawr/templates/deployment-tokens.yaml
+++ b/services/gafaelfawr/templates/deployment-tokens.yaml
@@ -23,23 +23,6 @@ spec:
 spec:
 serviceAccountName: {{ include "gafaelfawr.fullname" . }}-tokens
 containers:
- {{- if .Values.cloudsql.enabled }}
- - name: "cloud-sql-proxy"
- command:
- - "/cloud_sql_proxy"
- - "-ip_address_types=PRIVATE"
- - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432"
- image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}"
- imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "all"
- readOnlyRootFilesystem: true
- runAsUser: 65532
- runAsGroup: 65532
- {{- end }}
 - name: "gafaelfawr-tokens"
 command:
 - "gafaelfawr"
diff --git a/services/gafaelfawr/templates/deployment.yaml b/services/gafaelfawr/templates/deployment.yaml
index 0318cd7096..565f51ac1e 100644
--- a/services/gafaelfawr/templates/deployment.yaml
+++ b/services/gafaelfawr/templates/deployment.yaml
@@ -80,7 +80,7 @@ spec:
 volumes:
 - name: "config"
 configMap:
- name: {{ template "gafaelfawr.fullname" . }}-config
+ name: {{ template "gafaelfawr.fullname" . }}-config-sidecar
 - name: "secret"
 secret:
 secretName: {{ template "gafaelfawr.fullname" . }}-secret
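Review bot: With the sidecar removed from deployment-tokens.yaml, the `-tokens` service account set on `serviceAccountName` no longer needs any Cloud SQL IAM binding, and the values.yaml wording in this commit already narrows the binding description to the `gafaelfawr` account alone; the ServiceAccount template is not part of this diff, so confirm that any Cloud SQL related annotation on the `-tokens` account is dropped too, otherwise the operator pod keeps a credential path it no longer uses. A one-line comment above `serviceAccountName`, such as `# Kubernetes API access only; database access goes through the cloud-sql-proxy Service.`, would record why the account remains. The tokens Deployment body continues outside the hunk.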
diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index ac337a3455..2a5601eb87 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -4,14 +4,9 @@ redis: storageClass: "standard-rwo" config: - databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" loglevel: "DEBUG" slackAlerts: true - # Support OpenID Connect clients like Chronograf. - oidcServer: - enabled: true - cilogon: clientId: "cilogon:/client_id/46f9ae932fd30e9fb1b246972a3c0720" enrollmentUrl: "https://registry-test.lsst.codes/registry/co_petitions/start/coef:6" @@ -31,6 +26,10 @@ config: userSearchAttr: "voPersonApplicationUID" addUserGroup: true + # Support OpenID Connect clients like Chronograf. + oidcServer: + enabled: true + groupMapping: "admin:provision": - "g_science-platform-idf-dev" diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index c8f10c639d..01bc8905d6 100644 --- a/services/gafaelfawr/values-idfint.yaml +++ b/services/gafaelfawr/values-idfint.yaml @@ -4,15 +4,13 @@ redis: storageClass: "standard-rwo" config: - databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" + github: + clientId: "0c4cc7eaffc0f89b9ace" # Support OpenID Connect clients like Chronograf. oidcServer: enabled: true - github: - clientId: "0c4cc7eaffc0f89b9ace" - # Allow access by GitHub team. groupMapping: "admin:provision": diff --git a/services/gafaelfawr/values-idfprod.yaml b/services/gafaelfawr/values-idfprod.yaml index 7284c8bf50..c63aee7ce4 100644 --- a/services/gafaelfawr/values-idfprod.yaml +++ b/services/gafaelfawr/values-idfprod.yaml @@ -6,8 +6,6 @@ redis: storageClass: "standard-rwo" config: - databaseUrl: "postgresql://gafaelfawr@localhost/gafaelfawr" - github: clientId: "65b6333a066375091548" diff --git a/services/gafaelfawr/values-summit.yaml b/services/gafaelfawr/values-summit.yaml index d0dcf9a3ce..98155ccda8 100644 --- a/services/gafaelfawr/values-summit.yaml 
+++ b/services/gafaelfawr/values-summit.yaml @@ -7,14 +7,13 @@ redis: config: databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + github: + clientId: "220d64cbf46f9d2b7873" + # Support OpenID Connect clients like Chronograf. oidcServer: enabled: true - # Use GitHub authentication. - github: - clientId: "220d64cbf46f9d2b7873" - # Allow access by GitHub team. groupMapping: "admin:provision": diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index 1fc43047c5..dcd355eaba 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml @@ -7,14 +7,13 @@ redis: config: databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + github: + clientId: "49533cbd8a8079730dcf" + # Support OpenID Connect clients like Chronograf. oidcServer: enabled: true - # Use GitHub authentication. - github: - clientId: "49533cbd8a8079730dcf" - # Allow access by GitHub team. groupMapping: "admin:provision": diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 0c7929f0bc..9e31fae912 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -37,7 +37,7 @@ affinity: {} config: # -- URL for the PostgreSQL database - # @default -- None, must be set + # @default -- None, must be set if `cloudsql.enabled` is not true databaseUrl: "" # -- Choose from the text form of Python logging levels @@ -239,8 +239,10 @@ config: errorFooter: "" cloudsql: - # -- Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases - # on Google Cloud + # -- Enable the Cloud SQL Auth Proxy, used with CloudSQL databases on Google + # Cloud. This will be run as a sidecar for the main Gafaelfawr pods, and as + # a separate service (behind a `NetworkPolicy`) for other, lower-traffic + # services. enabled: false image: 
@@ -248,19 +250,35 @@ cloudsql:
 repository: "gcr.io/cloudsql-docker/gce-proxy"
 # -- Cloud SQL Auth Proxy tag to use
- tag: "1.31.2-alpine"
+ tag: "1.31.2"
 # -- Pull policy for Cloud SQL Auth Proxy images
 pullPolicy: "IfNotPresent"
 # -- Instance connection name for a CloudSQL PostgreSQL instance
+ # @default -- None, must be set if Cloud SQL Auth Proxy is enabled
 instanceConnectionName: ""
 # -- The Google service account that has an IAM binding to the `gafaelfawr`
- # and `gafaelfawr-tokens` Kubernetes service accounts and has the
- # `cloudsql.client` role
+ # Kubernetes service account and has the `cloudsql.client` role
+ # @default -- None, must be set if Cloud SQL Auth Proxy is enabled
 serviceAccount: ""
+ # -- Resource limits and requests for the Cloud SQL Proxy pod
+ resources: {}
+
+ # -- Annotations for the Cloud SQL Proxy pod
+ podAnnotations: {}
+
+ # -- Node selection rules for the Cloud SQL Proxy pod
+ nodeSelector: {}
+
+ # -- Tolerations for the Cloud SQL Proxy pod
+ tolerations: []
+
+ # -- Affinity rules for the Cloud SQL Proxy pod
+ affinity: {}
+
 maintenance:
 # -- Resource limits and requests for the Gafaelfawr maintenance pod
 resources: {}
From 2e4ae7a86be1e82f24eb7975ae7808d06068a3d9 Mon Sep 17 00:00:00 2001
From: Jonathan Sick
Date: Wed, 24 Aug 2022 15:55:58 -0400
Subject: [PATCH 0928/1479] Deploy Squareone 0.8.1

Based on PR https://github.com/lsst-sqre/squareone/pull/93
---
 services/squareone/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/squareone/Chart.yaml b/services/squareone/Chart.yaml
index 11f06889d0..ef3fbb1608 100644
--- a/services/squareone/Chart.yaml
+++ b/services/squareone/Chart.yaml
@@ -10,4 +10,4 @@ maintainers:
 url: https://github.com/jonathansick
 # The default version tag of the squareone docker image
-appVersion: "0.8.0"
+appVersion: "0.8.1"
From fec16d578275042e24dcb1030bcc4aa0749ec4c4 Mon Sep 17 00:00:00 2001
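Review bot: The rewritten `serviceAccount` comment documents the IAM binding but not the trust consequence of the standalone proxy mode this same commit introduces: every pod that the proxy's `NetworkPolicy` admits reaches the Cloud SQL instance over a tunnel authenticated as this Google service account, because the Cloud SQL Auth Proxy does not authenticate its own clients. I'd extend the comment with `# Any pod admitted by the proxy NetworkPolicy connects to Cloud SQL as this identity; database credentials are still required separately unless IAM database authentication is enabled.` The `tag` change from `1.31.2-alpine` to `1.31.2` is fine functionally, but a bare tag is mutable; if the chart's image helper accepts a digest, pinning one alongside the tag is worth doing for a component that holds database access. The new `@default -- None, must be set ...` annotations are documentation only — nothing visible in this hunk enforces that `instanceConnectionName` and `serviceAccount` are non-empty when the proxy is enabled, so confirm the template (outside this hunk) fails rendering with `required` rather than starting a proxy with empty settings.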
From: Russ Allbery Date: Thu, 25 Aug 2022 12:59:21 -0700 Subject: [PATCH 0929/1479] Bump version of nublado2 Stop waiting for creation of Secrets from ServiceAccounts, since Kubernetes 1.24 doesn't work this way. --- services/nublado2/Chart.yaml | 2 +- services/nublado2/README.md | 2 +- services/nublado2/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index 7393358627..ee31722021 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -5,7 +5,7 @@ description: JupyterHub for the Rubin Science Platform home: https://github.com/lsst-sqre/nublado2 sources: - https://github.com/lsst-sqre/nublado2 -appVersion: "2.4.0" +appVersion: "2.4.1" # Match the jupyterhub Helm chart for kubeVersion kubeVersion: ">=1.20.0-0" dependencies: diff --git a/services/nublado2/README.md b/services/nublado2/README.md index adcf7c49ba..03c0362642 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -62,7 +62,7 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.hub.extraVolumes[1].name | string | `"nublado-gafaelfawr"` | | | jupyterhub.hub.extraVolumes[1].secret.secretName | string | `"gafaelfawr-token"` | | | jupyterhub.hub.image.name | string | `"lsstsqre/nublado2"` | | -| jupyterhub.hub.image.tag | string | `"2.4.0"` | | +| jupyterhub.hub.image.tag | string | `"2.4.1"` | | | jupyterhub.hub.loadRoles.self.scopes[0] | string | `"admin:servers!user"` | | | jupyterhub.hub.loadRoles.self.scopes[1] | string | `"read:metrics"` | | | jupyterhub.hub.loadRoles.server.scopes[0] | string | `"inherit"` | | diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index ec5c614ff3..4408eecda7 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -7,7 +7,7 @@ jupyterhub: authenticatePrometheus: false image: name: lsstsqre/nublado2 - tag: "2.4.0" + tag: "2.4.1" resources: limits: cpu: 900m 
From 26af81a7857cd09ddaac9ad8f51bb73114009639 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 26 Aug 2022 09:52:30 +0200 Subject: [PATCH 0930/1479] Add default value for gcsBucketType --- services/tap/README.md | 2 +- services/tap/values-ccin2p3test.yaml | 21 --------------------- services/tap/values.yaml | 4 ++++ 3 files changed, 5 insertions(+), 22 deletions(-) delete mode 100644 services/tap/values-ccin2p3test.yaml diff --git a/services/tap/README.md b/services/tap/README.md index 1ec6be9b4f..bcfb4fd56d 100644 --- a/services/tap/README.md +++ b/services/tap/README.md @@ -13,7 +13,7 @@ A Helm chart for the CADC TAP service | config.gafaelfawrHost | string | Value of `ingress.host` | Gafaelfawr hostname to get user information from a token | | config.gcsBucket | string | None, must be set | Name of GCS bucket in which to store results | | config.gcsBucketUrl | string | None, must be set | Base URL for results stored in GCS bucket | -| config.gcsBucketType | string | None, must be set | Bucket type: GCS or S3| +| config.gcsBucketType | string | `"GCS"` | Bucket type: GCS or S3| | config.jvmMaxHeapSize | string | `"4G"` | Java heap size, which will set the maximum size of the heap. Otherwise Java would determine it based on how much memory is available and black maths. | | config.tapSchemaAddress | string | `"tap-schema-db.tap-schema.svc.cluster.local:3306"` | Address to a MySQL database containing TAP schema data | | fullnameOverride | string | `"cadc-tap"` | Override the full name for resources (includes the release name) | diff --git a/services/tap/values-ccin2p3test.yaml b/services/tap/values-ccin2p3test.yaml deleted file mode 100644 index 0874983207..0000000000 --- a/services/tap/values-ccin2p3test.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -cadc-tap: - pull_secret: 'pull-secret' - #tag: "1.0.16" - #use_mock_qserv: false - #qserv_host: "ccqserv201.in2p3.fr:30040" - - host: "minikube.lsst.codes" - - secrets: - enabled: false - - vault_secrets: - enabled: true - path: 'secret/k8s_operator/rsp-cc/tap' - -# gcs_bucket: 'async-results.lsst.codes' -# gcs_bucket_url: 'http://async-results.lsst.codes' - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/tap/values.yaml b/services/tap/values.yaml index da4f7f0166..48d6bb0f51 100644 --- a/services/tap/values.yaml +++ b/services/tap/values.yaml @@ -73,6 +73,10 @@ config: # @default -- None, must be set gcsBucketUrl: "" + # -- GCS bucket type (GCS or S3) + # @default -- GCS + gcsBucketUrl: "GCS" + # -- Java heap size, which will set the maximum size of the heap. Otherwise # Java would determine it based on how much memory is available and black # maths. From 0bf208b92082db0aada2b36f9edaa095590b4697 Mon Sep 17 00:00:00 2001 
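Review bot: The added default reuses the key `gcsBucketUrl` instead of `gcsBucketType`, so `config.gcsBucketUrl` is now defined twice in values.yaml; Helm's YAML loader silently keeps the last value, making the default bucket URL the string `"GCS"` while `gcsBucketType` still has no default at all. The README row added in this commit, `config.gcsBucketType | string | "GCS"`, therefore documents a key that does not exist — the line should read `gcsBucketType: "GCS"`. The `# @default -- GCS` annotation is also redundant with the literal default and makes helm-docs render an unquoted `GCS` where the other defaults in the README render quoted, so I'd drop it and let the literal speak for itself.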
From: Gabriele Mainetti Date: Fri, 26 Aug 2022 10:32:19 +0200 Subject: [PATCH 0931/1479] Fix key in default value for gcsBucketType and removed unused files --- science-platform/values-ccin2p3test.yaml | 46 ------------ services/argocd/values-ccin2p3test.yaml | 72 ------------------- services/cert-manager/values-ccin2p3test.yaml | 9 --- services/gafaelfawr/values-ccin2p3test.yaml | 55 -------------- .../ingress-nginx/values-ccin2p3test.yaml | 63 ---------------- services/moneypenny/values-ccin2p3test.yaml | 37 ---------- services/portal/values-ccin2p3test.yaml | 40 ----------- services/postgres/values-ccin2p3test.yaml | 16 ----- services/tap/values.yaml | 2 +- .../values-ccin2p3test.yaml | 14 ---- 10 files changed, 1 insertion(+), 353 deletions(-) delete mode 100644 science-platform/values-ccin2p3test.yaml delete mode 100644 services/argocd/values-ccin2p3test.yaml delete mode 100644 services/cert-manager/values-ccin2p3test.yaml delete mode 100644 services/gafaelfawr/values-ccin2p3test.yaml delete mode 100644 services/ingress-nginx/values-ccin2p3test.yaml delete mode 100644 services/moneypenny/values-ccin2p3test.yaml delete mode 100644 services/portal/values-ccin2p3test.yaml delete mode 100644 services/postgres/values-ccin2p3test.yaml delete mode 100644 services/vault-secrets-operator/values-ccin2p3test.yaml diff --git a/science-platform/values-ccin2p3test.yaml b/science-platform/values-ccin2p3test.yaml deleted file mode 100644 index a42f6a2ef6..0000000000 --- a/science-platform/values-ccin2p3test.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -environment: ccin2p3test -fqdn: minikube.lsst.codes -vault_path_prefix: secret/k8s_operator/rsp-cc - -argo: - enabled: true -cert_issuer: - enabled: false -cert_manager: - enabled: false -chronograf: - enabled: false -exposurelog: - enabled: false -gafaelfawr: - enabled: true -influxdb: - enabled: false -kapacitor: - enabled: false -landing_page: - enabled: true -logging: - enabled: false -mobu: - enabled: false -moneypenny: - enabled: false -ingress_nginx: - enabled: true -nublado: - enabled: true -obstap: - enabled: false -portal: - enabled: true -postgres: - enabled: true -rancher_external_ip_webhook: - enabled: false -squash_api: - enabled: false -tap: - enabled: true -vault_secrets_operator: - enabled: true \ No newline at end of file diff --git a/services/argocd/values-ccin2p3test.yaml b/services/argocd/values-ccin2p3test.yaml deleted file mode 100644 index 4999076ab9..0000000000 --- a/services/argocd/values-ccin2p3test.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -argo-cdi: - controller: - args: - repoServerTimeoutSeconds: "180" - metrics: - enabled: true - applicationLabels: - enabled: true - labels: ["name", "instance"] - redis: - enabled: true - - ingress: - enabled: true - hosts: - - "minikube.lsst.codes" - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: "/$2" - paths: - - /argo-cd(/|$)(.*) - - extraArgs: - - "--basehref=/argo-cd" - - "--insecure=true" - - config: - url: https://minikube.lsst.codes/argo-cd - dex.config: | - connectors: - # Auth using GitHub. - # See https://dexidp.io/docs/connectors/github/ - - type: github - id: github - name: GitHub - config: - clientID: ae314e45a6af43ea910a - # Reference to key in argo-secret Kubernetes resource - clientSecret: $dex.clientSecret - orgs: - - name: rubin-in2p3 - helm.repositories: | - - url: https://lsst-sqre.github.io/charts/ - name: lsst-sqre - - url: https://ricoberger.github.io/helm-charts/ - name: ricoberger - - url: https://kubernetes.github.io/ingress-nginx/ - name: ingress-nginx - - url: https://charts.helm.sh/stable - name: stable - resource.customizations: | - networking.k8s.io/Ingress: - health.lua: | - hs = {} - hs.status = "Healthy" - return hs - - rbacConfig: - policy.csv: | - g, rubin-in2p3:admin, role:admin - - configs: - secret: - createSecret: true - -vault_secret: - enabled: true - path: secret/k8s_operator/rsp-cc/argocd - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/cert-manager/values-ccin2p3test.yaml b/services/cert-manager/values-ccin2p3test.yaml deleted file mode 100644 index 92f6992fb8..0000000000 --- a/services/cert-manager/values-ccin2p3test.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -cert-manager: - installCRDs: true - extraArgs: - - --dns01-recursive-nameservers-only - - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/gafaelfawr/values-ccin2p3test.yaml b/services/gafaelfawr/values-ccin2p3test.yaml deleted file mode 100644 index 2aeecd63b4..0000000000 --- a/services/gafaelfawr/values-ccin2p3test.yaml +++ /dev/null @@ -1,55 +0,0 @@ -gafaelfawr: - - pull_secret: 'pull-secret' - ingress: - host: minikube.lsst.codes - vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" - - redis: - persistence: - enabled: false - - config: - host: minikube.lsst.codes - - # Do not specify ingress.host because we're using the wildcard virtual host. - - # Session length and token expiration (in minutes). - issuer: - exp_minutes: 43200 # 30 days - - github: - clientId: ae314e45a6af43ea910a - - # Allow access by GitHub team. - groupMapping: - "exec:admin": - - "rubin-lsst-admin" - "exec:user": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:workspace": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:workspace/user": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "write:workspace/user": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "exec:portal": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "exec:notebook": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:tap": - - "rubin-lsst-admin" - - "rubin-lsst-user" - "read:image": - - "rubin-lsst-admin" - - "rubin-lsst-user" - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/ingress-nginx/values-ccin2p3test.yaml b/services/ingress-nginx/values-ccin2p3test.yaml deleted file mode 100644 index 33605df90c..0000000000 --- a/services/ingress-nginx/values-ccin2p3test.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ - # ingress-nginx: -# controller: -# nodeSelector: -# kubernetes.io/hostname: "ccqserv202" - -# tolerations: -# - key: "dedicated" -# operator: "Equal" -# value: "qserv" -# effect: "NoSchedule" - -# config: -# compute-full-forwarded-for: "true" -# large-client-header-buffers: "4 64k" -# proxy-body-size: "100m" -# proxy-buffer-size: "64k" -# ssl-redirect: "true" -# use-forwarded-headers: "true" -# service: -# externalTrafficPolicy: Local -# externalIPs: -# - 134.158.237.2 -# type: NodePort -# admissionWebhooks: -# enabled: false -# extraArgs: -# default-ssl-certificate: ingress-nginx/ingress-certificate -# podLabels: -# hub.jupyter.org/network-access-proxy-http: "true" -ingress-nginx: - controller: - config: - compute-full-forwarded-for: "true" - large-client-header-buffers: "4 64k" - proxy-body-size: "100m" - proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" - service: - type: ClusterIP - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - admissionWebhooks: - enabled: false - extraArgs: - default-ssl-certificate: ingress-nginx/ingress-certificate - podLabels: - gafaelfawr.lsst.io/ingress: "true" - hub.jupyter.org/network-access-proxy-http: "true" - metrics: - enabled: true - service: - annotations: - prometheus.io/port: "10254" - prometheus.io/scrape: "true" - -vault_certificate: - enabled: true - path: secret/k8s_operator/rsp-cc/ingress-nginx - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/moneypenny/values-ccin2p3test.yaml b/services/moneypenny/values-ccin2p3test.yaml deleted file mode 100644 index 5b491a6df3..0000000000 --- a/services/moneypenny/values-ccin2p3test.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -moneypenny: - host: "minikube.lsst.codes" - - ingress: - enabled: true - hosts: - - host: minikube.lsst.codes - paths: ["/moneypenny"] - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://minikube.lsst.codes/auth?scope=exec:admin" - - vault_secrets: - enabled: true - path: "secret/k8s_operator/rsp-lapp/pull-secret" - - orders: | - commission: - - name: initcommission - image: lsstsqre/inituserhome - securityContext: - runAsUser: 0 - runAsNonRootUser: false - volumeMounts: - - mountPath: /home - name: home - retire: - - name: farthing - image: lsstsqre/farthing - securityContext: - runAsUser: 1000 - runAsNonRootUser: true - allowPrivilegeEscalation: false - volumes: - - name: home - hostPath: - path: /data/rsp/home - type: Directory \ No newline at end of file diff --git a/services/portal/values-ccin2p3test.yaml b/services/portal/values-ccin2p3test.yaml deleted file mode 100644 index 896ef95fc0..0000000000 --- a/services/portal/values-ccin2p3test.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -firefly: - pull_secret: 'pull-secret' - replicaCount: 2 - image: - tag: "2.1.1-3" - - ingress: - host: 'minikube.lsst.codes' - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Uid, X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "https://minikube.lsst.codes/login" - nginx.ingress.kubernetes.io/auth-url: "https://minikube.lsst.codes/auth?scope=exec:portal" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; - - secrets: - enabled: true - - vault_secrets: - enabled: true - path: 'secret/k8s_operator/rsp-cc/portal' - - max_jvm_size: "23G" - - redis: - resources: - limits: - memory: 20Mi - - resources: - limits: - memory: 24Gi - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/postgres/values-ccin2p3test.yaml b/services/postgres/values-ccin2p3test.yaml deleted file mode 100644 index 8bee359d14..0000000000 --- a/services/postgres/values-ccin2p3test.yaml +++ /dev/null @@ -1,16 +0,0 @@ -postgres: - pull_secret: 'pull-secret' - vault_secrets: - path: 'secret/k8s_operator/rsp-cc/postgres' - debug: 'true' - jupyterhub_db: - user: 'jovyan' - db: 'jupyterhub' - postgres_storage_class: 'rsp-local-storage' - volume_name: 'postgres-data-rsp-ccqserv219' - image: - tag: '0.0.3' - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file diff --git a/services/tap/values.yaml b/services/tap/values.yaml index 48d6bb0f51..c61e6b4195 100644 --- a/services/tap/values.yaml +++ b/services/tap/values.yaml 
@@ -75,7 +75,7 @@ config: # -- GCS bucket type (GCS or S3) # @default -- GCS - gcsBucketUrl: "GCS" + gcsBucketType: "GCS" # -- Java heap size, which will set the maximum size of the heap. Otherwise # Java would determine it based on how much memory is available and black diff --git a/services/vault-secrets-operator/values-ccin2p3test.yaml b/services/vault-secrets-operator/values-ccin2p3test.yaml deleted file mode 100644 index 93d8160181..0000000000 --- a/services/vault-secrets-operator/values-ccin2p3test.yaml +++ /dev/null @@ -1,14 +0,0 @@ -vault-secrets-operator: - environmentVars: - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN - - name: VAULT_TOKEN_LEASE_DURATION - valueFrom: - secretKeyRef: - name: vault-secrets-operator - key: VAULT_TOKEN_LEASE_DURATION - vault: - address: "https://vault.lsst.codes" \ No newline at end of file From e6acbe621251b889337727757c09355c8b47ffb1 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 26 Aug 2022 10:47:11 +0200 Subject: [PATCH 0932/1479] restored install.sh --- installer/install.sh | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/installer/install.sh b/installer/install.sh index 4c5c90433a..72b49499ac 100755 --- a/installer/install.sh +++ b/installer/install.sh 
@@ -6,13 +6,11 @@ export VAULT_ADDR=https://vault.lsst.codes VAULT_PATH_PREFIX=`yq -r .vault_path_prefix ../science-platform/values-$ENVIRONMENT.yaml` ARGOCD_PASSWORD=`vault kv get --field=argocd.admin.plaintext_password $VAULT_PATH_PREFIX/installer` -#GIT_URL=`git config --get remote.origin.url` -GIT_URL="https://github.com/gabrimaine/phalanx.git" +GIT_URL=`git config --get remote.origin.url` # Github runs in a detached head state, but sets GITHUB_REF, # extract the branch from it. If we're there, use that branch. # git branch --show-current will return empty in deatached head. -#GIT_BRANCH=${GITHUB_HEAD_REF:-`git branch --show-current`} -GIT_BRANCH=ccin2p3 +GIT_BRANCH=${GITHUB_HEAD_REF:-`git branch --show-current`} echo "Set VAULT_TOKEN in a secret for vault-secrets-operator..." # The namespace may not exist already, but don't error if it does. @@ -21,14 +19,14 @@ kubectl create secret generic vault-secrets-operator \ --namespace vault-secrets-operator \ --from-literal=VAULT_TOKEN=$VAULT_TOKEN \ --from-literal=VAULT_TOKEN_LEASE_DURATION=31536000 \ - --dry-run -o yaml | kubectl apply -f - + --dry-run=client -o yaml | kubectl apply -f - echo "Set up docker pull secret for vault-secrets-operator..." vault kv get --field=.dockerconfigjson $VAULT_PATH_PREFIX/pull-secret > docker-creds kubectl create secret generic pull-secret -n vault-secrets-operator \ --from-file=.dockerconfigjson=docker-creds \ --type=kubernetes.io/dockerconfigjson \ - --dry-run -o yaml | kubectl apply -f - + --dry-run=client -o yaml | kubectl apply -f - echo "Update / install vault-secrets-operator..." @@ -56,7 +54,7 @@ helm upgrade argocd ../services/argocd \ --wait echo "Login to argocd..." -argocd login --insecure --grpc-web data-dev.lsst.eu/argo-cd \ +argocd login \ --plaintext \ --port-forward \ --port-forward-namespace argocd \ 
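Review bot: The pull secret is still written in clear to `docker-creds` in the current directory by `vault kv get ... > docker-creds` and never removed, so registry credentials outlive the install on the operator's machine; add `trap 'rm -f docker-creds' EXIT` before that line (the hunk's own change, `--dry-run=client`, is the right replacement for the deprecated bare `--dry-run`). `--from-literal=VAULT_TOKEN=$VAULT_TOKEN` likewise puts the Vault token on the command line where anyone who can read the process table sees it; `printf '%s' "$VAULT_TOKEN" | kubectl create secret generic vault-secrets-operator --namespace vault-secrets-operator --from-file=VAULT_TOKEN=/dev/stdin --from-literal=VAULT_TOKEN_LEASE_DURATION=31536000 --dry-run=client -o yaml | kubectl apply -f -` keeps it out of argv without needing bash-only features. The one-year `VAULT_TOKEN_LEASE_DURATION` is unchanged by this commit but is a long-lived credential worth a comment explaining why that lifetime was chosen.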
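Review bot: `argocd login --plaintext` disables TLS on the gRPC connection, which is acceptable here only because `--port-forward` carries it through the kubectl tunnel to the argocd-server pod; the replaced `--insecure --grpc-web data-dev.lsst.eu/argo-cd` form shows exactly how the same flags end up aimed at a public hostname when the script is copied. A comment above the call, `# --plaintext is safe only with --port-forward: the connection never leaves the kubectl tunnel.`, records that constraint. The remainder of the `argocd login` argument list, including how `ARGOCD_PASSWORD` is supplied, continues past the end of this hunk.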
@@ -66,7 +64,7 @@ argocd login --insecure --grpc-web data-dev.lsst.eu/argo-cd \ echo "Creating top level application" argocd app create science-platform \ --repo $GIT_URL \ - --path science-platform --dest-namespace rsp-dev \ + --path science-platform --dest-namespace default \ --dest-server https://kubernetes.default.svc \ --upsert \ --revision $GIT_BRANCH \ @@ -100,14 +98,6 @@ then kubectl -n cert-manager rollout status deploy/cert-manager-webhook fi -if [ $(yq -r .cert_issuer.enabled ../science-platform/values-$ENVIRONMENT.yaml) == "true" ]; -then - echo "Syncing cert-issuer..." - argocd app sync cert-issuer \ - --port-forward \ - --port-forward-namespace argocd -fi - if [ $(yq -r .postgres.enabled ../science-platform/values-$ENVIRONMENT.yaml) == "true" ]; then echo "Syncing postgres..." @@ -132,4 +122,4 @@ argocd app sync -l "argocd.argoproj.io/instance=science-platform" \ echo "You can now check on your argo cd installation by running:" echo "kubectl port-forward service/argocd-server -n argocd 8080:443" echo "For the ArgoCD admin password:" -echo "vault kv get --field=argocd.admin.plaintext_password $VAULT_PATH_PREFIX/installer" +echo "vault kv get --field=argocd.admin.plaintext_password $VAULT_PATH_PREFIX/installer" \ No newline at end of file From ac51608a6cc6c74ff24e55b42b9fab87ea06e1a4 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 26 Aug 2022 10:47:41 +0200 Subject: [PATCH 0933/1479] removed unused file --- installer/data.lsst.eu/README | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 installer/data.lsst.eu/README diff --git a/installer/data.lsst.eu/README b/installer/data.lsst.eu/README deleted file mode 100644 index 5050078ff8..0000000000 --- a/installer/data.lsst.eu/README +++ /dev/null 
@@ -1,14 +0,0 @@ -This directory contains your keys and certificates. - -`privkey.pem` : the private key for your certificate. -`fullchain.pem`: the certificate file used in most server software. -`chain.pem` : used for OCSP stapling in Nginx >=1.3.7. -`cert.pem` : will break many server configurations, and should not be used - without reading further documentation (see link below). - -WARNING: DO NOT MOVE OR RENAME THESE FILES! - Certbot expects these files to remain in this location in order - to function properly! - -We recommend not moving these files. For more information, see the Certbot -User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates. From 6874b261591fa8120772d76d3a028cad41bf5b96 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 09:07:51 -0700 Subject: [PATCH 0934/1479] Fix lint errors Regenerate Helm docs and fix various YAML lint errors, mostly missing newlines at the ends of files. --- science-platform/values-ccin2p3.yaml | 2 +- services/argocd/values-ccin2p3.yaml | 2 +- services/cachemachine/values-ccin2p3.yaml | 2 +- services/cert-manager/values-ccin2p3.yaml | 2 +- services/gafaelfawr/values-ccin2p3.yaml | 6 +++--- services/gafaelfawr/values.yaml | 2 +- services/ingress-nginx/values-ccin2p3.yaml | 12 ++++++------ services/moneypenny/values-ccin2p3.yaml | 4 ++-- services/nublado2/values-ccin2p3.yaml | 10 +++++----- services/obstap/values-ccin2p3.yaml | 2 +- services/portal/values-ccin2p3.yaml | 1 - services/squareone/values-ccin2p3.yaml | 6 +++--- services/tap/README.md | 2 +- services/tap/templates/tap-deployment.yaml | 2 +- services/vault-secrets-operator/values-ccin2p3.yaml | 2 +- 15 files changed, 28 insertions(+), 29 deletions(-) diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index 7722e5f782..25b0762f49 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml 
@@ -63,4 +63,4 @@ times_square: vault_secrets_operator: enabled: true vo_cutouts: - enabled: false \ No newline at end of file + enabled: false diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml index 26a9c15a28..503c9dd439 100644 --- a/services/argocd/values-ccin2p3.yaml +++ b/services/argocd/values-ccin2p3.yaml @@ -32,7 +32,7 @@ argo-cd: # health.lua: | # hs = {} # hs.status = "Healthy" - # return hs + # return hs rbacConfig: policy.csv: | diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index 15e974e1f0..35c15a8688 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml @@ -24,4 +24,4 @@ autostart: "num_dailies": 3 } ] - } \ No newline at end of file + } diff --git a/services/cert-manager/values-ccin2p3.yaml b/services/cert-manager/values-ccin2p3.yaml index 3a70ce10d7..336e4e318f 100644 --- a/services/cert-manager/values-ccin2p3.yaml +++ b/services/cert-manager/values-ccin2p3.yaml @@ -3,4 +3,4 @@ config: pull-secret: enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file + path: secret/k8s_operator/rsp-cc/pull-secret diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 6f9305303c..c84680e5bc 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -15,7 +15,7 @@ redis: config: loglevel: "DEBUG" - host: data-dev.lsst.eu + host: data-dev.lsst.eu databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" # Do not specify ingress.host because we're using the wildcard virtual host. @@ -36,7 +36,7 @@ config: # uidClaim: 'uid_number' # isMemberOf: 'groups' -# # oidcServer: +# # oidcServer: # # enabled: true # # Allow access by GitHub team. # # Allow access by GitHub team. 
@@ -75,7 +75,7 @@ config: - "rubin-in2p3-user" - "rubin-in2p3" - "rubin-in2p3-delegates" - + initialAdmins: # - "mainetti" - "gabrimaine" diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index d6b10c7e6f..6fc106ab89 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -107,7 +107,7 @@ config: # -- Audience for the JWT token # @default -- Value of `config.oidc.clientId` - audience: "" + audience: "" # -- URL to which to redirect the user for authorization # @default -- None, must be set diff --git a/services/ingress-nginx/values-ccin2p3.yaml b/services/ingress-nginx/values-ccin2p3.yaml index c326dcf11a..27ca69a1ab 100644 --- a/services/ingress-nginx/values-ccin2p3.yaml +++ b/services/ingress-nginx/values-ccin2p3.yaml @@ -4,11 +4,11 @@ ingress-nginx: kubernetes.io/hostname: "ccqserv202" tolerations: - - key: "dedicated" - operator: "Equal" - value: "qserv" - effect: "NoSchedule" - + - key: "dedicated" + operator: "Equal" + value: "qserv" + effect: "NoSchedule" + config: compute-full-forwarded-for: "true" large-client-header-buffers: "4 64k" @@ -35,4 +35,4 @@ vaultCertificate: # pull-secret: # enabled: true -# path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file +# path: secret/k8s_operator/rsp-cc/pull-secret diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 7a05b626f3..494a02e590 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -3,7 +3,7 @@ moneypenny: ingress: enabled: true - hosts: + hosts: - host: data-dev.lsst.eu paths: ["/moneypenny"] annotations: @@ -34,4 +34,4 @@ moneypenny: - name: home hostPath: path: /data/rsp/home - type: Directory \ No newline at end of file + type: Directory diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 56a41ae1aa..13144b68a2 100644 --- a/services/nublado2/values-ccin2p3.yaml 
+++ b/services/nublado2/values-ccin2p3.yaml @@ -33,13 +33,13 @@ config: - name: home hostPath: path: /data/rsp/home - # type: Directory + # type: Directory volume_mounts: - - name: data - mountPath: /data - - name: home - mountPath: /home + - name: data + mountPath: /data + - name: home + mountPath: /home vault_secret_path: "secret/k8s_operator/rsp-cc/nublado2" gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfawr" diff --git a/services/obstap/values-ccin2p3.yaml b/services/obstap/values-ccin2p3.yaml index c1f40e8855..060eef380c 100644 --- a/services/obstap/values-ccin2p3.yaml +++ b/services/obstap/values-ccin2p3.yaml @@ -1,3 +1,3 @@ # config: # gcs_bucket: 'async-results.lsst.codes' -# gcs_bucket_url: 'http://async-results.lsst.codes' \ No newline at end of file +# gcs_bucket_url: 'http://async-results.lsst.codes' diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index 3405e3c176..c1f35d83f3 100644 --- a/services/portal/values-ccin2p3.yaml +++ b/services/portal/values-ccin2p3.yaml @@ -3,4 +3,3 @@ replicaCount: 2 resources: limits: memory: "24Gi" - diff --git a/services/squareone/values-ccin2p3.yaml b/services/squareone/values-ccin2p3.yaml index 2bc081473e..be75cfcd3e 100644 --- a/services/squareone/values-ccin2p3.yaml +++ b/services/squareone/values-ccin2p3.yaml @@ -2,8 +2,8 @@ config: siteName: "Rubin Science Platform @ CC-IN2P3" ingress: - tls: false - + tls: false + pull-secret: enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret \ No newline at end of file + path: secret/k8s_operator/rsp-cc/pull-secret diff --git a/services/tap/README.md b/services/tap/README.md index bcfb4fd56d..95f12a2fbe 100644 --- a/services/tap/README.md +++ b/services/tap/README.md 
@@ -12,8 +12,8 @@ A Helm chart for the CADC TAP service | config.datalinkPayloadUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.1.4/datalink-snippets.zip"` | Datalink payload URL | | config.gafaelfawrHost | string | Value of `ingress.host` | Gafaelfawr hostname to get user information from a token | | config.gcsBucket | string | None, must be set | Name of GCS bucket in which to store results | +| config.gcsBucketType | string | GCS | GCS bucket type (GCS or S3) | | config.gcsBucketUrl | string | None, must be set | Base URL for results stored in GCS bucket | -| config.gcsBucketType | string | `"GCS"` | Bucket type: GCS or S3| | config.jvmMaxHeapSize | string | `"4G"` | Java heap size, which will set the maximum size of the heap. Otherwise Java would determine it based on how much memory is available and black maths. | | config.tapSchemaAddress | string | `"tap-schema-db.tap-schema.svc.cluster.local:3306"` | Address to a MySQL database containing TAP schema data | | fullnameOverride | string | `"cadc-tap"` | Override the full name for resources (includes the release name) | diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index f610a49724..43c0c94df3 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -54,7 +54,7 @@ spec: -Xmx{{ .Values.config.jvmMaxHeapSize }} - name: GOOGLE_APPLICATION_CREDENTIALS value: "/etc/creds/google_creds.json" - - name: AWS_SECRET_ACCESS_KEY + - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: name: {{ template "cadc-tap.fullname" . }}-secret diff --git a/services/vault-secrets-operator/values-ccin2p3.yaml b/services/vault-secrets-operator/values-ccin2p3.yaml index 93d8160181..d18a033099 100644 --- a/services/vault-secrets-operator/values-ccin2p3.yaml +++ b/services/vault-secrets-operator/values-ccin2p3.yaml 
@@ -11,4 +11,4 @@ vault-secrets-operator: name: vault-secrets-operator key: VAULT_TOKEN_LEASE_DURATION vault: - address: "https://vault.lsst.codes" \ No newline at end of file + address: "https://vault.lsst.codes" From ac0dd6ae5f25238d6b5204092d90aedeb1cf4781 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 09:11:06 -0700 Subject: [PATCH 0935/1479] Revert some stray changes Remove some changes to the shared files that snuck in and weren't used: whitespace changes and the addition of a global variable for Gafaelfawr that wasn't used by the chart. --- installer/install.sh | 2 +- science-platform/templates/gafaelfawr-application.yaml | 2 -- services/gafaelfawr/templates/configmap.yaml | 1 - services/gafaelfawr/values.yaml | 1 - 4 files changed, 1 insertion(+), 5 deletions(-) diff --git a/installer/install.sh b/installer/install.sh index 72b49499ac..127206a019 100755 --- a/installer/install.sh +++ b/installer/install.sh @@ -122,4 +122,4 @@ argocd app sync -l "argocd.argoproj.io/instance=science-platform" \ echo "You can now check on your argo cd installation by running:" echo "kubectl port-forward service/argocd-server -n argocd 8080:443" echo "For the ArgoCD admin password:" -echo "vault kv get --field=argocd.admin.plaintext_password $VAULT_PATH_PREFIX/installer" \ No newline at end of file +echo "vault kv get --field=argocd.admin.plaintext_password $VAULT_PATH_PREFIX/installer" diff --git a/science-platform/templates/gafaelfawr-application.yaml b/science-platform/templates/gafaelfawr-application.yaml index 9658bb9b68..4eec7a8cb7 100644 --- a/science-platform/templates/gafaelfawr-application.yaml +++ b/science-platform/templates/gafaelfawr-application.yaml @@ -29,8 +29,6 @@ spec: value: {{ .Values.fqdn | quote }} - name: "global.baseUrl" value: "https://{{ .Values.fqdn }}" - - name: "global.databaseUrl" - value: {{ .Values.fqdn | quote}} - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: 
diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 768ea59167..28694abeb0 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -115,7 +115,6 @@ uid_claim: {{ .Values.config.oidc.uidClaim | quote }} {{- end }} - {{- end }} {{- if .Values.config.firestore.project }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 6fc106ab89..9e31fae912 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -141,7 +141,6 @@ config: # @default -- `"uidNumber"` uidClaim: "" - ldap: # -- LDAP server URL from which to retrieve user group information # @default -- Do not use LDAP From afe6c6c409e491fcf993e266aa1f76c07ed759da Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 09:12:03 -0700 Subject: [PATCH 0936/1479] Remove obstap references This service has been retired, so remove references to it in the IN2P3 configuration. --- science-platform/values-ccin2p3.yaml | 2 -- services/obstap/values-ccin2p3.yaml | 3 --- 2 files changed, 5 deletions(-) delete mode 100644 services/obstap/values-ccin2p3.yaml diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index 25b0762f49..5372185731 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -26,8 +26,6 @@ noteburst: enabled: false nublado2: enabled: true -obstap: - enabled: true plot_navigator: enabled: false portal: diff --git a/services/obstap/values-ccin2p3.yaml b/services/obstap/values-ccin2p3.yaml deleted file mode 100644 index 060eef380c..0000000000 --- a/services/obstap/values-ccin2p3.yaml +++ /dev/null @@ -1,3 +0,0 @@ -# config: -# gcs_bucket: 'async-results.lsst.codes' -# gcs_bucket_url: 'http://async-results.lsst.codes' From 7a21f97c99547f326e12c8f6d7c55387604e2aad Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 26 Aug 2022 09:17:58 -0700 Subject: [PATCH 0937/1479] Remove old secret config from ccin2p3 values files We now use injected global variables from Argo CD to configure the Vault secret resources, so these settings are now ignored. Remove them for clarity. --- services/argocd/values-ccin2p3.yaml | 4 ---- services/cert-manager/values-ccin2p3.yaml | 4 ---- services/gafaelfawr/values-ccin2p3.yaml | 4 ---- services/ingress-nginx/values-ccin2p3.yaml | 6 ------ services/nublado2/values-ccin2p3.yaml | 3 --- services/postgres/values-ccin2p3.yaml | 5 ----- services/tap/values-ccin2p3.yaml | 6 ------ 7 files changed, 32 deletions(-) diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml index 503c9dd439..256e46912d 100644 --- a/services/argocd/values-ccin2p3.yaml +++ b/services/argocd/values-ccin2p3.yaml @@ -41,7 +41,3 @@ argo-cd: # configs: # secret: # createSecret: true - -vault_secret: - enabled: true - path: secret/k8s_operator/rsp-cc/argocd diff --git a/services/cert-manager/values-ccin2p3.yaml b/services/cert-manager/values-ccin2p3.yaml index 336e4e318f..a311844928 100644 --- a/services/cert-manager/values-ccin2p3.yaml +++ b/services/cert-manager/values-ccin2p3.yaml @@ -1,6 +1,2 @@ config: createIssuer: false - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index c84680e5bc..7a26478189 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -79,7 +79,3 @@ config: initialAdmins: # - "mainetti" - "gabrimaine" - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret diff --git a/services/ingress-nginx/values-ccin2p3.yaml b/services/ingress-nginx/values-ccin2p3.yaml index 27ca69a1ab..b8755081a0 100644 --- a/services/ingress-nginx/values-ccin2p3.yaml +++ b/services/ingress-nginx/values-ccin2p3.yaml 
@@ -30,9 +30,3 @@ ingress-nginx: vaultCertificate: enabled: true - #path: secret/k8s_operator/rsp-cc/ingress-nginx - - -# pull-secret: -# enabled: true -# path: secret/k8s_operator/rsp-cc/pull-secret diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 13144b68a2..ba6fde3c3b 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -13,7 +13,6 @@ jupyterhub: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" - config: base_url: "https://data-dev.lsst.eu" butler_secret_path: "secret/k8s_operator/rsp-cc/butler-secret" @@ -42,8 +41,6 @@ config: mountPath: /home vault_secret_path: "secret/k8s_operator/rsp-cc/nublado2" -gafaelfawr_secrets_path: "secret/k8s_operator/rsp-cc/gafaelfawr" - pull-secret: enabled: true diff --git a/services/postgres/values-ccin2p3.yaml b/services/postgres/values-ccin2p3.yaml index 8d7e50290c..5b400d2817 100644 --- a/services/postgres/values-ccin2p3.yaml +++ b/services/postgres/values-ccin2p3.yaml @@ -1,8 +1,3 @@ -# postgres: -# pull_secret: 'pull-secret' -# vault_secrets: -# path: 'secret/k8s_operator/rsp-cc/postgres' -# debug: 'true' jupyterhub_db: user: 'jovyan' db: 'jupyterhub' diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 8b111af9c7..2996f5338b 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -12,9 +12,3 @@ image: # -- tap image to use repository: "gabrimaine/lsst-tap-service" tag: "1.2.1-CC2" -# secrets: -# enabled: false - -# vault_secrets: -# enabled: true -# path: 'secret/k8s_operator/rsp-cc/tap' From 6520b6d73dc5944c56769ec3411fe813cb7ec295 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 26 Aug 2022 09:20:57 -0700 Subject: [PATCH 0938/1479] Remove obsolete cachemachine configuration The ccin2p3 deployment had some left-over configuration for cachemachine from before the charts migration to Phalanx that was no longer used. --- services/cachemachine/values-ccin2p3.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/services/cachemachine/values-ccin2p3.yaml b/services/cachemachine/values-ccin2p3.yaml index 35c15a8688..a5b8e8aef5 100644 --- a/services/cachemachine/values-ccin2p3.yaml +++ b/services/cachemachine/values-ccin2p3.yaml @@ -1,13 +1,3 @@ -cachemachine: - imagePullSecrets: - - name: "cachemachine-secret" - - ingress: - enabled: true - host: data-dev.lsst.eu - - vaultSecretsPath: "secret/k8s_operator/rsp-cc/pull-secret" - autostart: jupyter: | { From 20392640e3263e4f8bcf149fbcf0726c0058c37a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 09:22:47 -0700 Subject: [PATCH 0939/1479] Remove obsolete pull-secret config for squareone squareone still had pull-secret configuration left over in its values files, which was no longer used. Remove it from all deployments. --- services/squareone/values-base.yaml | 4 ---- services/squareone/values-ccin2p3.yaml | 4 ---- services/squareone/values-idfdev.yaml | 4 ---- services/squareone/values-idfint.yaml | 4 ---- services/squareone/values-idfprod.yaml | 5 +---- services/squareone/values-minikube.yaml | 4 ---- services/squareone/values-roe.yaml | 4 ---- services/squareone/values-summit.yaml | 4 ---- services/squareone/values-tucson-teststand.yaml | 4 ---- 9 files changed, 1 insertion(+), 36 deletions(-) diff --git a/services/squareone/values-base.yaml b/services/squareone/values-base.yaml index 9c1f83666a..47a1d30ae5 100644 --- a/services/squareone/values-base.yaml +++ b/services/squareone/values-base.yaml 
@@ -1,6 +1,2 @@ config: siteName: "Rubin Science Platform @ Base" - -pull-secret: - enabled: true - path: secret/k8s_operator/base-lsp.lsst.codes/pull-secret diff --git a/services/squareone/values-ccin2p3.yaml b/services/squareone/values-ccin2p3.yaml index be75cfcd3e..f8cc7248ca 100644 --- a/services/squareone/values-ccin2p3.yaml +++ b/services/squareone/values-ccin2p3.yaml @@ -3,7 +3,3 @@ config: ingress: tls: false - -pull-secret: - enabled: true - path: secret/k8s_operator/rsp-cc/pull-secret diff --git a/services/squareone/values-idfdev.yaml b/services/squareone/values-idfdev.yaml index 36f15d50f4..d96ac543ea 100644 --- a/services/squareone/values-idfdev.yaml +++ b/services/squareone/values-idfdev.yaml @@ -6,7 +6,3 @@ config: siteName: "Rubin Science Platform @ data-dev" semaphoreUrl: "https://data-dev.lsst.cloud/semaphore" timesSquareUrl: "https://data-dev.lsst.cloud/times-square/api" - -pull-secret: - enabled: true - path: secret/k8s_operator/data-dev.lsst.cloud/pull-secret diff --git a/services/squareone/values-idfint.yaml b/services/squareone/values-idfint.yaml index 0386b784bf..24636c3000 100644 --- a/services/squareone/values-idfint.yaml +++ b/services/squareone/values-idfint.yaml @@ -1,7 +1,3 @@ config: siteName: "Rubin Science Platform @ data-int" semaphoreUrl: "https://data-int.lsst.cloud/semaphore" - -pull-secret: - enabled: true - path: secret/k8s_operator/data-int.lsst.cloud/pull-secret diff --git a/services/squareone/values-idfprod.yaml b/services/squareone/values-idfprod.yaml index bc959aebf3..953ac09dda 100644 --- a/services/squareone/values-idfprod.yaml +++ b/services/squareone/values-idfprod.yaml @@ -1,8 +1,5 @@ replicaCount: 3 + config: siteName: "Rubin Science Platform" semaphoreUrl: "https://data.lsst.cloud/semaphore" - -pull-secret: - enabled: true - path: secret/k8s_operator/data.lsst.cloud/pull-secret diff --git a/services/squareone/values-minikube.yaml b/services/squareone/values-minikube.yaml index beed405067..e8c2c09204 100644 
--- a/services/squareone/values-minikube.yaml +++ b/services/squareone/values-minikube.yaml @@ -3,7 +3,3 @@ config: ingress: tls: false - -pull-secret: - enabled: true - path: secret/k8s_operator/minikube.lsst.codes/pull-secret diff --git a/services/squareone/values-roe.yaml b/services/squareone/values-roe.yaml index 1a08f52bc0..43079580c6 100644 --- a/services/squareone/values-roe.yaml +++ b/services/squareone/values-roe.yaml @@ -4,7 +4,3 @@ config: ingress: tls: false - -pull-secret: - enabled: true - path: secret/k8s_operator/roe/pull-secret diff --git a/services/squareone/values-summit.yaml b/services/squareone/values-summit.yaml index 1c2db3348c..3bef8dbc2f 100644 --- a/services/squareone/values-summit.yaml +++ b/services/squareone/values-summit.yaml @@ -1,6 +1,2 @@ config: siteName: "Rubin Science Platform @ Summit" - -pull-secret: - enabled: true - path: secret/k8s_operator/summit-lsp.lsst.codes/pull-secret diff --git a/services/squareone/values-tucson-teststand.yaml b/services/squareone/values-tucson-teststand.yaml index b5d54de851..f2836300f9 100644 --- a/services/squareone/values-tucson-teststand.yaml +++ b/services/squareone/values-tucson-teststand.yaml @@ -1,6 +1,2 @@ config: siteName: "Rubin Science Platform @ Tucson" - -pull-secret: - enabled: true - path: secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret From ebd143d8519a894553b61d42833f939d13dddd98 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 09:24:58 -0700 Subject: [PATCH 0940/1479] Remove obsolete comments in Argo CD ccin2p3 config The Argo CD values file for ccin2p3 had a commented-out copy of the defaults set in values.yaml, except somewhat out of date. Delete it to avoid future confusion. --- services/argocd/values-ccin2p3.yaml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/services/argocd/values-ccin2p3.yaml b/services/argocd/values-ccin2p3.yaml index 256e46912d..43d84d21df 100644 --- a/services/argocd/values-ccin2p3.yaml 
+++ b/services/argocd/values-ccin2p3.yaml @@ -18,15 +18,6 @@ argo-cd: clientSecret: $dex.clientSecret orgs: - name: rubin-lsst - # helm.repositories: | - # - url: https://lsst-sqre.github.io/charts/ - # name: lsst-sqre - # - url: https://ricoberger.github.io/helm-charts/ - # name: ricoberger - # - url: https://kubernetes.github.io/ingress-nginx/ - # name: ingress-nginx - # - url: https://charts.helm.sh/stable - # name: stable # resource.customizations: | # networking.k8s.io/Ingress: # health.lua: | From 4269c3330f876bd900b06520731a8ea6fc322472 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 09:27:48 -0700 Subject: [PATCH 0941/1479] Remove obsolete Gafaelfawr settings for ccin2p3 Remove some obsolete settings that are no longer used (mostly replaced by injected configuration from Argo CD). Also delete some old comments that duplicate uncommented configuration. --- services/gafaelfawr/values-ccin2p3.yaml | 30 ++----------------------- 1 file changed, 2 insertions(+), 28 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 7a26478189..0a6e6f7be5 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -1,26 +1,14 @@ -# image: -# # -- Gafaelfawr image to use -# repository: "docker.io/gabrimaine/gafaelfawr" - replicaCount: 2 -pull_secret: 'pull-secret' -ingress: - host: data-dev.lsst.eu -vaultSecretsPath: "secret/k8s_operator/rsp-cc/gafaelfawr" - redis: persistence: enabled: false config: loglevel: "DEBUG" - host: data-dev.lsst.eu databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" -# Do not specify ingress.host because we're using the wildcard virtual host. - -# Session length and token expiration (in minutes). + # Session length and token expiration (in minutes). issuer: exp_minutes: 43200 # 30 days 
@@ -38,21 +26,7 @@ config: # # oidcServer: # # enabled: true -# # Allow access by GitHub team. -# # Allow access by GitHub team. -# groupMapping: -# "admin:provision": -# - "/lsst" -# "exec:admin": -# - "/lsst" -# "exec:notebook": -# - "/lsst" -# "exec:portal": -# - "/lsst" -# "read:tap": -# - "/lsst" -# Allow access by GitHub team. # Allow access by GitHub team. groupMapping: "admin:provision": @@ -77,5 +51,5 @@ config: - "rubin-in2p3-delegates" initialAdmins: - # - "mainetti" + # - "mainetti" - "gabrimaine" From a2574b44999829fb7dfcc5a1177e2f77f988fb22 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 09:31:22 -0700 Subject: [PATCH 0942/1479] Fix ccin2p3 moneypenny configuration Redo the configuration for the charts merge into Phalanx, since as written it had no effect. Delete the placeholder decommission section and remove the other configuration that's no longer needed now that Argo CD injects values. --- services/moneypenny/values-ccin2p3.yaml | 48 +++++++------------------ 1 file changed, 13 insertions(+), 35 deletions(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 494a02e590..294a1b4da4 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml 
@@ -1,37 +1,15 @@ -moneypenny: - host: "data-dev.lsst.eu" - - ingress: - enabled: true - hosts: - - host: data-dev.lsst.eu - paths: ["/moneypenny"] - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:admin" - - vault_secrets: - enabled: true - path: "secret/k8s_operator/rsp-lapp/pull-secret" - - orders: | - commission: - - name: initcommission - image: lsstsqre/inituserhome - securityContext: - runAsUser: 0 - runAsNonRootUser: false - volumeMounts: +orders: | + commission: + - name: initcommission + image: lsstsqre/inituserhome + securityContext: + runAsUser: 0 + runAsNonRootUser: false + volumeMounts: - mountPath: /home name: home - retire: - - name: farthing - image: lsstsqre/farthing - securityContext: - runAsUser: 1000 - runAsNonRootUser: true - allowPrivilegeEscalation: false - volumes: - - name: home - hostPath: - path: /data/rsp/home - type: Directory + volumes: + - name: home + hostPath: + path: /data/rsp/home + type: Directory From a19a4a6fd2f979cab1e99c6113f7628000db9a73 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 09:33:15 -0700 Subject: [PATCH 0943/1479] Stop pinning postgres image version for ccin2p3 This was copied from other configurations, but we've now removed the pins for all versions. --- services/postgres/values-ccin2p3.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/services/postgres/values-ccin2p3.yaml b/services/postgres/values-ccin2p3.yaml index 5b400d2817..52b36aac05 100644 --- a/services/postgres/values-ccin2p3.yaml +++ b/services/postgres/values-ccin2p3.yaml @@ -7,5 +7,3 @@ gafaelfawr_db: postgres_storage_class: 'rsp-local-storage' volume_name: 'postgres-data-rsp-ccqserv219' -image: - tag: '0.0.5' From 73084210eb5b60098aeac13745e9e042cf6cceae Mon Sep 17 00:00:00 2001 
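Review bot: The surviving `initcommission` entry still runs with `runAsUser: 0` against a `hostPath` of `/data/rsp/home` mounted at `/home`, and unlike the `farthing` entry this commit drops, its `securityContext` carries no `allowPrivilegeEscalation: false`; adding that line under `runAsNonRootUser: false` keeps the hardening the removed retire container had. A short comment above `securityContext` saying why root is required (presumably to create home directories owned by other users — worth confirming) would help, since this is now the only root-level hostPath writer left in the file. The key `runAsNonRootUser` does not match the Kubernetes field name `runAsNonRoot`; if moneypenny passes these keys through to the pod spec unchanged, the key may be silently ignored, so it is worth checking against moneypenny's schema before relying on it.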
From: Russ Allbery Date: Fri, 26 Aug 2022 09:39:54 -0700 Subject: [PATCH 0944/1479] Suppress new TAP AWS settings for non-AWS If the configured TAP bucket type is not AWS, suppress the new settings for the AWS secrets so that those secrets don't have to exist. --- services/tap/templates/tap-deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index 43c0c94df3..9305ee69bb 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -54,6 +54,7 @@ spec: -Xmx{{ .Values.config.jvmMaxHeapSize }} - name: GOOGLE_APPLICATION_CREDENTIALS value: "/etc/creds/google_creds.json" + {{- if eq .Values.config.gcsBucketType "AWS" }} - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: @@ -64,6 +65,7 @@ spec: secretKeyRef: name: {{ template "cadc-tap.fullname" . }}-secret key: "AWS_ACCESS_KEY_ID" + {{- end }} - name: DATALINK_PAYLOAD_URL value: "{{ .Values.config.datalinkPayloadUrl }}" ports: From 56acc70cb3db5d6dcdb42934b7f969a92f7c9bbb Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 15:19:28 -0700 Subject: [PATCH 0945/1479] Bump version of TAP service Pick up support for S3 from IN2P3. --- services/tap/Chart.yaml | 10 +++++----- services/tap/README.md | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml index a01d58cb65..2079821303 100644 --- a/services/tap/Chart.yaml +++ b/services/tap/Chart.yaml @@ -1,6 +1,6 @@ -apiVersion: v1 -appVersion: "1.3.1" -description: A Helm chart for the CADC TAP service -home: https://github.com/lsst-sqre/lsst-tap-service +apiVersion: v2 name: cadc-tap -version: 1.1.0 +version: 1.0.0 +description: VO TAP service for the Rubin Science Platform +home: https://github.com/lsst-sqre/lsst-tap-service +appVersion: 1.4.0 diff --git a/services/tap/README.md b/services/tap/README.md index 95f12a2fbe..b7ac1d6dc9 100644 
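Review bot: The guard added in the first tap-deployment.yaml hunk compares `.Values.config.gcsBucketType` against `"AWS"`, but the README row added earlier in this series documents the accepted values as `GCS` or `S3` with `GCS` as the default, so a deployment that sets the documented `S3` value never receives `AWS_SECRET_ACCESS_KEY` or `AWS_ACCESS_KEY_ID`, and a non-AWS deployment is spared the secret lookup only because neither documented value matches. Either the condition or the documentation should use the same token, e.g. `{{- if eq .Values.config.gcsBucketType "S3" }}`, with the matching `{{- end }}` in the second hunk left as is. `GOOGLE_APPLICATION_CREDENTIALS` stays unconditional, so the GCS credential file is still expected on S3 deployments; if that is intentional, a comment on that line saying so would save the next reader a question. The container spec continues outside both hunks.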
--- a/services/tap/README.md +++ b/services/tap/README.md @@ -1,6 +1,6 @@ # cadc-tap -A Helm chart for the CADC TAP service +VO TAP service for the Rubin Science Platform **Homepage:** From 35df85492fcad2bf816d6895328c89714c2a7e68 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 15:24:07 -0700 Subject: [PATCH 0946/1479] Use GitHub Container Repository images for TAP Move away from Docker Hub to the new images published on GitHub Container Registry for TAP, and stop installing pull-secret since it's no longer needed. --- services/tap/README.md | 6 +++--- services/tap/templates/vault-secrets.yaml | 10 ---------- services/tap/values.yaml | 6 +++--- 3 files changed, 6 insertions(+), 16 deletions(-) diff --git a/services/tap/README.md b/services/tap/README.md index b7ac1d6dc9..68bda5e1fa 100644 --- a/services/tap/README.md +++ b/services/tap/README.md @@ -21,7 +21,7 @@ VO TAP service for the Rubin Science Platform | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tap image | -| image.repository | string | `"lsstdax/lsst-tap-service"` | tap image to use | +| image.repository | string | `"ghcr.io/lsst-sqre/lsst-tap-service"` | tap image to use | | image.tag | string | The appVersion of the chart | Tag of tap image to use | | ingress.anonymousAnnotations | object | `{}` | Additional annotations to use for endpoints that allow anonymous access, such as `/capabilities` and `/availability` | | ingress.authenticatedAnnotations | object | `{}` | Additional annotations to use for endpoints that are authenticated, such as `/sync`, `/async`, and `/tables` | 
@@ -33,7 +33,7 @@ VO TAP service for the Rubin Science Platform | qserv.mock.affinity | object | `{}` | Affinity rules for the mock QServ pod | | qserv.mock.enabled | bool | `true` | Spin up a container to pretend to be QServ. | | qserv.mock.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the mock QServ image | -| qserv.mock.image.repository | string | `"lsstdax/mock-qserv"` | Mock QServ image to use | +| qserv.mock.image.repository | string | `"ghcr.io/lsst-sqre/lsst-tap-mock-qserv"` | Mock QServ image to use | | qserv.mock.image.tag | string | The appVersion of the chart | Tag of mock QServ image to use | | qserv.mock.nodeSelector | object | `{}` | Node selection rules for the mock QServ pod | | qserv.mock.podAnnotations | object | `{}` | Annotations for the mock QServ pod | @@ -44,7 +44,7 @@ VO TAP service for the Rubin Science Platform | tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod | | uws.affinity | object | `{}` | Affinity rules for the UWS database pod | | uws.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the UWS database image | -| uws.image.repository | string | `"lsstdax/uws-db"` | UWS database image to use | +| uws.image.repository | string | `"ghcr.io/lsst-sqre/lsst-tap-uws-db"` | UWS database image to use | | uws.image.tag | string | The appVersion of the chart | Tag of UWS database image to use | | uws.nodeSelector | object | `{}` | Node selection rules for the UWS database pod | | uws.podAnnotations | object | `{}` | Annotations for the UWS databse pod | diff --git a/services/tap/templates/vault-secrets.yaml b/services/tap/templates/vault-secrets.yaml index 319d4147c4..54334fa119 100644 --- a/services/tap/templates/vault-secrets.yaml +++ b/services/tap/templates/vault-secrets.yaml 
@@ -7,13 +7,3 @@ metadata: spec: path: "{{ .Values.global.vaultSecretsPath }}/tap" type: Opaque ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: pull-secret - labels: - {{- include "cadc-tap.labels" . | nindent 4 }} -spec: - path: "{{- .Values.global.vaultSecretsPath }}/pull-secret" - type: kubernetes.io/dockerconfigjson diff --git a/services/tap/values.yaml b/services/tap/values.yaml index c61e6b4195..5eaf3402e4 100644 --- a/services/tap/values.yaml +++ b/services/tap/values.yaml @@ -13,7 +13,7 @@ replicaCount: 1 image: # -- tap image to use - repository: "lsstdax/lsst-tap-service" + repository: "ghcr.io/lsst-sqre/lsst-tap-service" # -- Pull policy for the tap image pullPolicy: "IfNotPresent" @@ -93,7 +93,7 @@ qserv: image: # -- Mock QServ image to use - repository: "lsstdax/mock-qserv" + repository: "ghcr.io/lsst-sqre/lsst-tap-mock-qserv" # -- Pull policy for the mock QServ image pullPolicy: "IfNotPresent" @@ -120,7 +120,7 @@ qserv: uws: image: # -- UWS database image to use - repository: "lsstdax/uws-db" + repository: "ghcr.io/lsst-sqre/lsst-tap-uws-db" # -- Pull policy for the UWS database image pullPolicy: "IfNotPresent" From a35f7c23d2c4e3d8246508b47941f2b0f6a9688c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 26 Aug 2022 16:02:44 -0700 Subject: [PATCH 0947/1479] Delete references to pull-secret in TAP I stopped installing it but forgot to clean up the references in the deployments. --- services/tap/templates/mock-qserv-deployment.yaml | 2 -- services/tap/templates/tap-deployment.yaml | 2 -- services/tap/templates/uws-db-deployment.yaml | 2 -- 3 files changed, 6 deletions(-) diff --git a/services/tap/templates/mock-qserv-deployment.yaml b/services/tap/templates/mock-qserv-deployment.yaml index 44ed8d0f1d..ed70b2d2ce 100644 --- a/services/tap/templates/mock-qserv-deployment.yaml +++ b/services/tap/templates/mock-qserv-deployment.yaml 
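Review bot: The three `repository:` changes in the values.yaml hunks switch to `ghcr.io/lsst-sqre/...` images that are still addressed by tag (`image.tag` defaults to the chart appVersion per the README rows above), and the vault-secrets.yaml hunk in this same commit removes the `pull-secret` VaultSecret, so image pulls now depend entirely on those GHCR packages being public. A comment above the first `repository:` line, e.g. `# Public GHCR image; no pull secret is installed for this chart`, would make that dependency explicit for whoever next changes the registry or visibility. If reproducible pulls matter for this deployment, pinning by digest rather than tag is worth considering, though nothing in the hunk indicates the chart currently supports a digest field.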
@@ -21,8 +21,6 @@ spec: {{- include "cadc-tap.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: "mock-qserv" spec: - imagePullSecrets: - - name: "pull-secret" automountServiceAccountToken: false containers: - name: "mock-qserv" diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index 9305ee69bb..e6966b2978 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -20,8 +20,6 @@ spec: {{- include "cadc-tap.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: "server" spec: - imagePullSecrets: - - name: "pull-secret" automountServiceAccountToken: false containers: - name: "tap-server" diff --git a/services/tap/templates/uws-db-deployment.yaml b/services/tap/templates/uws-db-deployment.yaml index 14cc7dc0f9..c41a9233db 100644 --- a/services/tap/templates/uws-db-deployment.yaml +++ b/services/tap/templates/uws-db-deployment.yaml @@ -20,8 +20,6 @@ spec: {{- include "cadc-tap.labels" . | nindent 8 }} app.kubernetes.io/component: "uws-db" spec: - imagePullSecrets: - - name: "pull-secret" automountServiceAccountToken: false containers: - name: "postgresql" From 1d94ee2a31d111f08167972d46226f27c5b25bf4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 29 Aug 2022 04:52:01 +0000 Subject: [PATCH 0948/1479] Update kapacitor Docker tag to v1.6.5 --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index d08dc6d70b..250d30cb0e 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -35,7 +35,7 @@ Rubin Observatory's telemetry service. | kafka-connect-manager | object | `{}` | Override strimzi-kafka configuration. | | kapacitor.envVars | object | `{"KAPACITOR_SLACK_ENABLED":true}` | Kapacitor environment variables. | | kapacitor.existingSecret | string | `"sasquatch"` | InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. | -| kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.4"}` | Kapacitor image tag. | +| kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.5"}` | Kapacitor image tag. | | kapacitor.influxURL | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB connection URL. | | kapacitor.persistence | object | `{"enabled":true,"size":"100Gi"}` | Chronograf data persistence configuration. | | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 93eb7598cc..f8452e7e77 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -95,7 +95,7 @@ kapacitor: # -- Kapacitor image tag. image: repository: kapacitor - tag: 1.6.4 + tag: 1.6.5 # -- Chronograf data persistence configuration. persistence: enabled: true From 9b500a4a8e1dc62779bad55210f644801ded8c26 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 29 Aug 2022 17:19:42 +0000 Subject: [PATCH 0949/1479] Update Helm release argo-cd to v4.10.9 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 96cd12a284..083105d6b6 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.10.5 + version: 4.10.9 repository: https://argoproj.github.io/argo-helm From d08c4f473106373fbdc0191c4c28cc9cda2c894b Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 29 Aug 2022 10:31:15 -0700 Subject: [PATCH 0950/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 44ef13bd9b..8cc3e80018 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.10.5 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.10.9 | ## Values From 236a85b9575dd6936828fef9ddc67a6a5107940a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 29 Aug 2022 17:37:58 +0000 Subject: [PATCH 0951/1479] Update Helm release ingress-nginx to v4.2.3 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 300814ccb3..129ed811ad 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.2.1 + version: 4.2.3 repository: https://kubernetes.github.io/ingress-nginx From 24f8c5f2a16d35873027cac6f3d6b5ce28a8cfe7 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 29 Aug 2022 10:41:43 -0700 Subject: [PATCH 0952/1479] Update Helm docs --- services/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index fb38d42e8f..f2adcabcad 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.2.1 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.2.3 | ## Values 
From 5e647e2c2a6d5c86b9595fccca70b0bbec305d08 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 29 Aug 2022 17:48:59 +0000 Subject: [PATCH 0953/1479] Update Helm release redis to v17.1.2 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 3cd0eca71c..a1b7ab7a4d 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.1.0 + version: 17.1.2 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index b578921a5c..8ec3025d83 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.1.0 + version: 17.1.2 repository: https://charts.bitnami.com/bitnami From 87edc3be792cc72bdecce66359ba9b91615b0dd0 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 29 Aug 2022 10:50:27 -0700 Subject: [PATCH 0954/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index c743f8cb77..1a66f7fb66 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.1.0 | +| https://charts.bitnami.com/bitnami | redis | 17.1.2 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 862804418e..be56a48a9b 100644 --- a/services/times-square/README.md 
+++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.1.0 | +| https://charts.bitnami.com/bitnami | redis | 17.1.2 | ## Values From 17a3fe5235c6a080a496667a551f6926e5b8bcbf Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Mon, 29 Aug 2022 13:26:04 -0500 Subject: [PATCH 0955/1479] Added QServ IDF IP. Cross environmet patch added because QServ INT has data so needed when testing development releases of tap. --- services/tap/values-idfdev.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/services/tap/values-idfdev.yaml b/services/tap/values-idfdev.yaml index 6e3f1aca1e..d0339a85bf 100644 --- a/services/tap/values-idfdev.yaml +++ b/services/tap/values-idfdev.yaml @@ -1,3 +1,8 @@ config: gcsBucket: "async-results.lsst.codes" gcsBucketUrl: "http://async-results.lsst.codes" + +qserv: + host: "10.136.1.211:4040" + mock: + enabled: false \ No newline at end of file From 961ee8ba9ac1fd5fe7a21b5254f4ba37d3b82127 Mon Sep 17 00:00:00 2001 From: roby Date: Tue, 16 Aug 2022 12:25:04 -0500 Subject: [PATCH 0956/1479] suit-2022.5.3 - fixed json --- services/portal/templates/deployment.yaml | 19 +++++++++++++++++-- services/portal/values-idfint.yaml | 3 +++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index 05a9eda51f..395c47bf0e 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml 
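Review bot: The new `qserv.host` in values-idfdev.yaml is a bare `10.136.1.211:4040` with nothing in the file saying what it points at; the commit message explains that data-dev is deliberately aimed at the INT QServ because only INT has data, but that reasoning is lost to anyone reading the values file. A comment above the key, e.g. `# Cross-environment: dev has no QServ data, so use the INT QServ instance`, would record the intent and flag that a development release of tap now reaches an int-tier backend. The file also ends without a trailing newline (the `\ No newline at end of file` marker), which several earlier commits in this series fix in other values files, and with `mock.enabled: false` the in-cluster mock is no longer a fallback if that address becomes unreachable.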
@@ -73,8 +73,23 @@ spec: "centerWP": "62;-37;EQ_J2000", "fovDeg": 10 } ] - } - } + } + }, + "hips": { + "defHipsSources": {"source": "lsst", "label": "Rubin Featured"}, + "adhocMocSource": { + "sources": [ + "temp://lsst/dp02_dc2/hips/images/color_gri", + "temp://lsst/dp02_dc2/hips/images/band_u", + "temp://lsst/dp02_dc2/hips/images/band_g", + "temp://lsst/dp02_dc2/hips/images/band_r", + "temp://lsst/dp02_dc2/hips/images/band_i", + "temp://lsst/dp02_dc2/hips/images/band_z", + "temp://lsst/dp02_dc2/hips/images/band_y" + ], + "label": "Rubin Featured MOC" + } + } }' - name: "SERVER_CONFIG_DIR" value: "/firefly/config" diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index bbff39a615..6d2392fe1a 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -1,5 +1,8 @@ replicaCount: 4 +image: + tag: "suit-2022.5.3" + config: volumes: workareaNfs: From 1415a264b3f4ca699dddbd98ef914a80eeb6a582 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 29 Aug 2022 18:28:47 -0700 Subject: [PATCH 0957/1479] Clarify the "bad verification code" Gafaelfawr error This is usually a storage problem, so just say that. --- docs/ops/troubleshooting.rst | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/ops/troubleshooting.rst b/docs/ops/troubleshooting.rst index 62d978b2de..5f27402874 100644 --- a/docs/ops/troubleshooting.rst +++ b/docs/ops/troubleshooting.rst 
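Review bot: The `hips` block grows an already large JSON document that sits inside a single-quoted YAML scalar in an env var, so every edit must keep the JSON valid by hand (this commit's own subject is "fixed json") and any `'` in a future label would need `''` escaping. Consider rendering this from chart values with `toJson` or moving it into a ConfigMap mounted under the existing `SERVER_CONFIG_DIR` (`/firefly/config`) so the structure can be validated by tooling instead of eyeballed. The `temp://lsst/...` source URIs are not explained anywhere in the hunk; a one-line comment on what resolves that scheme (presumably a Firefly-internal placeholder) would help the next editor. The enclosing env list starts outside the hunk.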
@@ -103,13 +103,16 @@ Login fails with "bad verification code" error **Symptoms:** When attempting to authenticate to a Science Platform deployment using GitHub, the user gets the error message ``Authentication provider failed: bad_verification_code: The code passed is incorrect or expired.`` **Cause:** GitHub login failed after the OAuth 2.0 interaction with GitHub was successfully completed, and then the user reloaded the failed login page (or reloaded the page while Gafaelfawr was attempting to complete the authentication). -This error is normal and expected if one reloads a GitHub login error page or interrupts the GitHub login. -It itself doesn't represent a problem, and is probably a red herring distracting from whatever real problem there is. -Most likely, there is some failure on the Gafaelfawr side after GitHub authentication that's preventing the authentication from completing or making it take a long time, and the user ran out of patience and reloaded the page (which will never work). +Usually this happens because Gafaelfawr was unable to write to its storage, either Redis or PostgreSQL. +If the storage underlying the deployment is broken, this can happen without producing obvious error messages, since the services can go into disk wait and just time out. +Restarting the in-cluster ``postgresql`` pod, if PostgreSQL is running inside the Kubernetes deployment, will generally make this problem obvious because PostgreSQL will be unable to start. -**Solution:** Don't reload the login page. -Find the underlying problem and troubleshoot it. -For example, if Gafaelfawr Redis storage is unavailable, Gafaelfawr may time out or fail to store the user's token after completing GitHub authentication. +**Solution:** Check the underlying storage for Redis and Gafaelfawr. +For in-cluster PostgreSQL, if this is happening for all users, try restarting the ``postgresql`` pod, which will not fix the problem but will make it obvious if it is indeed storage. 
+If the problem is storage, this will need to be escalated to whoever runs the storage for that Gafaelfawr deployment. + +Note that reloading a failed login page from Gafaelfawr will never work and will always produce this error, so it can also be caused by user impatience. +In that case, the solution is to just wait or to return to the front page and try logging in again, rather than reloading the page. User keeps logging in through the wrong identity provider ========================================================= From f7d30cf64c8936c380252672a3ba952a6a7c0933 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 09:56:37 +0200 Subject: [PATCH 0958/1479] fix moneypenny --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 294a1b4da4..a24c5fc216 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -1,4 +1,4 @@ -orders: | +orders: commission: - name: initcommission image: lsstsqre/inituserhome From f7ee2e21a5cbddd80ca9a4fd9096dc54a63812d9 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 10:06:58 +0200 Subject: [PATCH 0959/1479] change mount path on moneypenny --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index a24c5fc216..b8dac10dfe 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -6,7 +6,7 @@ orders: runAsUser: 0 runAsNonRootUser: false volumeMounts: - - mountPath: /home + - mountPath: /data/rsp/home name: home volumes: - name: home From 5f58449a9869673138c7d0e74d022ee3cd2bc522 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Tue, 30 Aug 2022 12:06:35 +0200 Subject: [PATCH 0960/1479] Trying fox moneypenni home problem --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index b8dac10dfe..39aa3109cb 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -7,7 +7,7 @@ orders: runAsNonRootUser: false volumeMounts: - mountPath: /data/rsp/home - name: home + name: homedirs volumes: - name: home hostPath: From bc7b06a296430740e39bb32c2cd9ab06c7d2f300 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 12:11:30 +0200 Subject: [PATCH 0961/1479] restioe home name --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 39aa3109cb..b8dac10dfe 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -7,7 +7,7 @@ orders: runAsNonRootUser: false volumeMounts: - mountPath: /data/rsp/home - name: homedirs + name: home volumes: - name: home hostPath: From 11ff5eb98b272a088e250ff91d61d6ec49ec5965 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 12:19:23 +0200 Subject: [PATCH 0962/1479] restore home in moneypenny --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index b8dac10dfe..a24c5fc216 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -6,7 +6,7 @@ orders: runAsUser: 0 runAsNonRootUser: false volumeMounts: - - mountPath: /data/rsp/home + - mountPath: /home name: home volumes: - name: home From 045c67cfc46e57bc158f134986b83dd9b5c32ea6 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Tue, 30 Aug 2022 13:32:59 +0200 Subject: [PATCH 0963/1479] alway moneypenny --- services/moneypenny/values-ccin2p3.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index a24c5fc216..e653e165c2 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -6,10 +6,10 @@ orders: runAsUser: 0 runAsNonRootUser: false volumeMounts: - - mountPath: /home - name: home + - mountPath: /homedirs + name: homedirs volumes: - - name: home + - name: homedirs hostPath: path: /data/rsp/home type: Directory From dc21dbb9e66f9c95ee2b94824046ea9996b68698 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 31 Aug 2022 09:34:53 +0200 Subject: [PATCH 0964/1479] Fix template: replace AWS with S3 --- services/tap/templates/tap-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index e6966b2978..7e9a6c0448 100644 --- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -52,7 +52,7 @@ spec: -Xmx{{ .Values.config.jvmMaxHeapSize }} - name: GOOGLE_APPLICATION_CREDENTIALS value: "/etc/creds/google_creds.json" - {{- if eq .Values.config.gcsBucketType "AWS" }} + {{- if eq .Values.config.gcsBucketType "S3" }} - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: From fa38a4eabc46100815d1af04feb983e478c0bbb3 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 31 Aug 2022 11:23:52 +0200 Subject: [PATCH 0965/1479] try hips --- services/portal/values-ccin2p3.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index c1f35d83f3..e657a53cc6 100644 --- a/services/portal/values-ccin2p3.yaml +++ b/services/portal/values-ccin2p3.yaml 
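Review bot: The renamed `homedirs` mount still lands in a container that runs as root (`runAsUser: 0`, `runAsNonRootUser: false`) with a `hostPath` to `/data/rsp/home`, and after four rename/revert commits nothing in the file records why root plus a host directory is required or which path the init image expects. Add a comment on the volume, e.g. `# hostPath to the CC-IN2P3 home tree; inituserhome runs as root to create per-user directories here (confirm) — keep type: Directory so a missing path fails rather than being created on the node.` If the provisioning could be done from a narrower set of capabilities, that would shrink the blast radius of a root pod with host filesystem access.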
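Review bot: Renaming the trigger value from `"AWS"` to `"S3"` means any environment whose values still set `gcsBucketType: "AWS"` now silently stops injecting `AWS_SECRET_ACCESS_KEY` instead of failing to render. Guarding the old value makes the migration loud, e.g. `{{- else if eq .Values.config.gcsBucketType "AWS" }}{{ fail "config.gcsBucketType: use \"S3\" instead of \"AWS\"" }}` before the matching `{{- end }}` (which is outside the hunk). The values files that set this key are not in the hunk, so I cannot confirm which environments are affected.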
@@ -3,3 +3,5 @@ replicaCount: 2 resources: limits: memory: "24Gi" + +hipsUrl: "http://alasky.cds.unistra.fr/2MASS/Color" \ No newline at end of file From 4629fdb700310bbd259e873e41fb1178607404bd Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 31 Aug 2022 11:29:10 +0200 Subject: [PATCH 0966/1479] hips fix --- services/portal/values-ccin2p3.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index e657a53cc6..481a0c5459 100644 --- a/services/portal/values-ccin2p3.yaml +++ b/services/portal/values-ccin2p3.yaml @@ -4,4 +4,5 @@ resources: limits: memory: "24Gi" -hipsUrl: "http://alasky.cds.unistra.fr/2MASS/Color" \ No newline at end of file +config: + hipsUrl: "http://alasky.cds.unistra.fr/2MASS/Color" \ No newline at end of file From 78fbeb721241b9a6b4eecd7678edc11cb9768dc9 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 31 Aug 2022 11:35:27 +0200 Subject: [PATCH 0967/1479] change hips service --- services/portal/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index 481a0c5459..115611cd15 100644 --- a/services/portal/values-ccin2p3.yaml +++ b/services/portal/values-ccin2p3.yaml @@ -5,4 +5,4 @@ resources: memory: "24Gi" config: - hipsUrl: "http://alasky.cds.unistra.fr/2MASS/Color" \ No newline at end of file + hipsUrl: "http://alasky.cds.unistra.fr/DSS/DSSColor" \ No newline at end of file From 12415b70be3ce9de07d9e461768431c0db81ab31 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 31 Aug 2022 11:48:37 +0200 Subject: [PATCH 0968/1479] Using 2MASS --- services/portal/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index 115611cd15..481a0c5459 100644 --- a/services/portal/values-ccin2p3.yaml 
+++ b/services/portal/values-ccin2p3.yaml @@ -5,4 +5,4 @@ resources: memory: "24Gi" config: - hipsUrl: "http://alasky.cds.unistra.fr/DSS/DSSColor" \ No newline at end of file + hipsUrl: "http://alasky.cds.unistra.fr/2MASS/Color" \ No newline at end of file From 382b7286ea96fb85284c8ae94b1f1ce403893c21 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 26 Aug 2022 14:17:52 -0700 Subject: [PATCH 0969/1479] Reorganize Kafka resources - Group related resources to reduce the number of files --- .../strimzi-kafka/templates/connect-user.yaml | 34 ------- .../strimzi-kafka/templates/connect.yaml | 34 +++++++ .../strimzi-kafka/templates/kafdrop-user.yaml | 29 ------ .../templates/kafka-connect-manager-user.yaml | 30 ------- .../templates/schema-registry-topic.yaml | 11 --- .../templates/schema-registry-user.yaml | 49 ---------- .../templates/schema-registry.yaml | 62 +++++++++++++ .../{superuser.yaml => superusers.yaml} | 0 .../templates/ts-salkafka-user.yaml | 30 ------- .../charts/strimzi-kafka/templates/users.yaml | 89 +++++++++++++++++++ 10 files changed, 185 insertions(+), 183 deletions(-) delete mode 100644 services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml delete mode 100644 services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml delete mode 100644 services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml delete mode 100644 services/sasquatch/charts/strimzi-kafka/templates/schema-registry-topic.yaml delete mode 100644 services/sasquatch/charts/strimzi-kafka/templates/schema-registry-user.yaml rename services/sasquatch/charts/strimzi-kafka/templates/{superuser.yaml => superusers.yaml} (100%) delete mode 100644 services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml create mode 100644 services/sasquatch/charts/strimzi-kafka/templates/users.yaml 
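Review bot: `hipsUrl` points at an external HiPS service over plain `http://`, so whatever fetches these tiles — the portal pods, or end users' browsers if the URL is passed through to them — does so in cleartext, and in the browser case as mixed content on an HTTPS site. Use `https://alasky.cds.unistra.fr/2MASS/Color` if the service offers TLS (a quick check; not verifiable from here), and add a short comment on why CC-IN2P3 uses an external survey rather than the `lsst` HiPS sources configured in the deployment template. After four edits the file still lacks a trailing newline (`\ No newline at end of file`).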
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml deleted file mode 100644 index 9f5a569204..0000000000 --- a/services/sasquatch/charts/strimzi-kafka/templates/connect-user.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ .Values.cluster.name }}-connect - labels: - strimzi.io/cluster: {{ .Values.cluster.name }} -spec: - authentication: - type: tls - authorization: - type: simple - acls: - - resource: - type: group - name: {{ .Values.cluster.name }}-connect - operation: Read - - resource: - type: group - name: connect-influxdb-sink - patternType: literal - operation: All - - resource: - type: topic - name: "*" - patternType: literal - type: allow - host: "*" - operation: All - quotas: - producerByteRate: 1073741824 - consumerByteRate: 1073741824 - requestPercentage: 90 - controllerMutationRate: 1000 - diff --git a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml index 45cd157075..7ed0612ce2 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml 
@@ -34,3 +34,37 @@ spec: value.converter: io.confluent.connect.avro.AvroConverter value.converter.schemas.enable: true value.converter.schema.registry.url: http://sasquatch-schema-registry.sasquatch:8081 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ .Values.cluster.name }}-connect + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: tls + authorization: + type: simple + acls: + - resource: + type: group + name: {{ .Values.cluster.name }}-connect + operation: Read + - resource: + type: group + name: connect-influxdb-sink + patternType: literal + operation: All + - resource: + type: topic + name: "*" + patternType: literal + type: allow + host: "*" + operation: All + quotas: + producerByteRate: 1073741824 + consumerByteRate: 1073741824 + requestPercentage: 90 + controllerMutationRate: 1000 diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml deleted file mode 100644 index fa2fdacc50..0000000000 --- a/services/sasquatch/charts/strimzi-kafka/templates/kafdrop-user.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: kafdrop - labels: - strimzi.io/cluster: {{ .Values.cluster.name }} -spec: - authentication: - type: scram-sha-512 - password: - valueFrom: - secretKeyRef: - name: sasquatch - key: kafdrop-password - authorization: - type: simple - acls: - - resource: - type: group - name: "*" - patternType: literal - operation: All - - resource: - type: topic - name: "*" - patternType: literal - type: allow - host: "*" - operation: All diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml deleted file mode 100644 index 69968678b8..0000000000 
--- a/services/sasquatch/charts/strimzi-kafka/templates/kafka-connect-manager-user.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: kafka-connect-manager - labels: - strimzi.io/cluster: {{ .Values.cluster.name }} -spec: - authentication: - type: scram-sha-512 - password: - valueFrom: - secretKeyRef: - name: sasquatch - key: kafka-connect-manager-password - authorization: - type: simple - acls: - - resource: - type: topic - name: "*" - patternType: literal - type: allow - host: "*" - operation: Read - quotas: - producerByteRate: 1073741824 - consumerByteRate: 1073741824 - requestPercentage: 90 - controllerMutationRate: 1000 - diff --git a/services/sasquatch/charts/strimzi-kafka/templates/schema-registry-topic.yaml b/services/sasquatch/charts/strimzi-kafka/templates/schema-registry-topic.yaml deleted file mode 100644 index ca01c3653c..0000000000 --- a/services/sasquatch/charts/strimzi-kafka/templates/schema-registry-topic.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.registry.schemaTopic }} - labels: - strimzi.io/cluster: {{ .Values.cluster.name }} -spec: - partitions: 1 - replicas: 3 - config: - cleanup.policy: compact diff --git a/services/sasquatch/charts/strimzi-kafka/templates/schema-registry-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/schema-registry-user.yaml deleted file mode 100644 index 88c84bf126..0000000000 --- a/services/sasquatch/charts/strimzi-kafka/templates/schema-registry-user.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ .Values.cluster.name }}-schema-registry - labels: - strimzi.io/cluster: {{ .Values.cluster.name }} -spec: - authentication: - type: tls - authorization: - # Official docs on authorizations required for the Schema Registry: - # https://docs.confluent.io/current/schema-registry/security/index.html#authorizing-access-to-the-schemas-topic - type: simple - acls: - # Allow Read, Write and DescribeConfigs operations on the - # schemas topic - - resource: - type: topic - name: {{ .Values.registry.schemaTopic }} - patternType: literal - operation: Read - type: allow - - resource: - type: topic - name: {{ .Values.registry.schemaTopic }} - patternType: literal - operation: Write - type: allow - - resource: - type: topic - name: {{ .Values.registry.schemaTopic }} - patternType: literal - operation: DescribeConfigs - type: allow - # Allow all operations on the schema-registry* group - - resource: - type: group - name: schema-registry - patternType: prefix - operation: All - type: allow - # Allow Describe on the __consumer_offsets topic - # (The official docs also mention DescribeConfigs?) - - resource: - type: topic - name: "__consumer_offsets" - patternType: literal - operation: Describe - type: allow diff --git a/services/sasquatch/charts/strimzi-kafka/templates/schema-registry.yaml b/services/sasquatch/charts/strimzi-kafka/templates/schema-registry.yaml index a8774c17d2..c2e8ee0b3f 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/schema-registry.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/schema-registry.yaml 
@@ -5,3 +5,65 @@ metadata: spec: listener: tls compatibilityLevel: none +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.registry.schemaTopic }} + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + partitions: 1 + replicas: 3 + config: + cleanup.policy: compact +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ .Values.cluster.name }}-schema-registry + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: tls + authorization: + # Official docs on authorizations required for the Schema Registry: + # https://docs.confluent.io/current/schema-registry/security/index.html#authorizing-access-to-the-schemas-topic + type: simple + acls: + # Allow Read, Write and DescribeConfigs operations on the + # schemas topic + - resource: + type: topic + name: {{ .Values.registry.schemaTopic }} + patternType: literal + operation: Read + type: allow + - resource: + type: topic + name: {{ .Values.registry.schemaTopic }} + patternType: literal + operation: Write + type: allow + - resource: + type: topic + name: {{ .Values.registry.schemaTopic }} + patternType: literal + operation: DescribeConfigs + type: allow + # Allow all operations on the schema-registry* group + - resource: + type: group + name: schema-registry + patternType: prefix + operation: All + type: allow + # Allow Describe on the __consumer_offsets topic + # (The official docs also mention DescribeConfigs?) + - resource: + type: topic + name: "__consumer_offsets" + patternType: literal + operation: Describe + type: allow diff --git a/services/sasquatch/charts/strimzi-kafka/templates/superuser.yaml b/services/sasquatch/charts/strimzi-kafka/templates/superusers.yaml similarity index 100% rename from services/sasquatch/charts/strimzi-kafka/templates/superuser.yaml rename to services/sasquatch/charts/strimzi-kafka/templates/superusers.yaml 
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml b/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml deleted file mode 100644 index d6edcb3992..0000000000 --- a/services/sasquatch/charts/strimzi-kafka/templates/ts-salkafka-user.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: ts-salkafka - labels: - strimzi.io/cluster: {{ .Values.cluster.name }} -spec: - authentication: - type: scram-sha-512 - password: - valueFrom: - secretKeyRef: - name: sasquatch - key: ts-salkafka-password - authorization: - type: simple - acls: - - resource: - type: topic - name: "lsst.sal" - patternType: prefix - type: allow - host: "*" - operation: All - quotas: - producerByteRate: 1073741824 - consumerByteRate: 1073741824 - requestPercentage: 90 - controllerMutationRate: 1000 - diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml new file mode 100644 index 0000000000..04660de5e1 --- /dev/null +++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml 
@@ -0,0 +1,89 @@ +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: ts-salkafka + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: sasquatch + key: ts-salkafka-password + authorization: + type: simple + acls: + - resource: + type: topic + name: "lsst.sal" + patternType: prefix + type: allow + host: "*" + operation: All + quotas: + producerByteRate: 1073741824 + consumerByteRate: 1073741824 + requestPercentage: 90 + controllerMutationRate: 1000 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: kafka-connect-manager + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: sasquatch + key: kafka-connect-manager-password + authorization: + type: simple + acls: + - resource: + type: topic + name: "*" + patternType: literal + type: allow + host: "*" + operation: Read + quotas: + producerByteRate: 1073741824 + consumerByteRate: 1073741824 + requestPercentage: 90 + controllerMutationRate: 1000 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: kafdrop + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: sasquatch + key: kafdrop-password + authorization: + type: simple + acls: + - resource: + type: group + name: "*" + patternType: literal + operation: All + - resource: + type: topic + name: "*" + patternType: literal + type: allow + host: "*" + operation: All From 41391f2ef34a66fccbbece1b669b043897f8c3c0 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 26 Aug 2022 16:33:31 -0700 Subject: [PATCH 0970/1479] Add replicator KafkaUser resource --- .../charts/strimzi-kafka/templates/users.yaml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) 
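Review bot: The `kafdrop` user keeps `operation: All` on every topic and every group (`name: "*"`), which grants a browsing UI the ability to write, delete and alter anything in the cluster; consolidating the users into one file is a good moment to trim it. If Kafdrop only needs to inspect the cluster, `Describe` plus `Read` on topics and groups should suffice (confirm against what the Kafdrop deployment actually does), e.g. `operation: Describe` and a second entry with `operation: Read` in place of `All`. The kafdrop `group` entry also omits `type: allow` and `host: "*"` while the topic entries spell them out; Strimzi defaults cover it, but writing them consistently makes the grants reviewable at a glance.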
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml index 04660de5e1..6642816164 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml @@ -30,6 +30,36 @@ spec: --- apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser +metadata: + name: replicator + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: sasquatch + key: replicator-password + authorization: + type: simple + acls: + - resource: + type: topic + name: "lsst.sal" + patternType: prefix + type: allow + host: "*" + operation: All + quotas: + producerByteRate: 1073741824 + consumerByteRate: 1073741824 + requestPercentage: 90 + controllerMutationRate: 1000 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser metadata: name: kafka-connect-manager labels: From 6aac6aeb72c63919119b14a6c0b02789f3f739e5 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 26 Aug 2022 16:38:21 -0700 Subject: [PATCH 0971/1479] Deploy mirrormaker2 on idfint (target cluster) - Use idfdev as source cluster (active) and idfint as target cluster (passive) --- services/sasquatch/values-idfdev.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index a29bf93af2..4730bded44 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -47,3 +47,10 @@ chronograf: GENERIC_API_KEY: sub PUBLIC_URL: https://data-dev.lsst.cloud/ STATUS_FEED_URL: https://raw.githubusercontent.com/lsst-sqre/rsp_broadcast/main/jsonfeeds/idfdev.json + +mirrormaker2: + enabled: true + source: + bootstrapServer: sasquatch-dev-kafka-bootstrap.lsst.cloud:9094 + target: + bootstrapServer: sasquatch-int-kafka-bootstrap.lsst.cloud:9094 
From 8dd07d59b4d4abbb9faa04ae6abf0bd6865fc847 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 26 Aug 2022 16:39:50 -0700 Subject: [PATCH 0972/1479] Add KafkaMirrorMaker resource - Create replicator user with enough permission to access mirromaker2 topics - Configure active/passive replication between data-dev and data-int - Enable mirrormaker2 on data-int --- .../sasquatch/charts/strimzi-kafka/README.md | 3 + .../charts/strimzi-kafka/templates/kafka.yaml | 2 + .../strimzi-kafka/templates/mirrormaker2.yaml | 98 +++++++++++++++++++ .../charts/strimzi-kafka/templates/users.yaml | 9 +- .../charts/strimzi-kafka/values.yaml | 10 ++ services/sasquatch/values-idfdev.yaml | 7 -- services/sasquatch/values-idfint.yaml | 6 ++ 7 files changed, 126 insertions(+), 9 deletions(-) create mode 100644 services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index e7bdde332e..a2bb756f1e 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md 
@@ -23,6 +23,9 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | kafka.storage.size | string | `"500Gi"` | Size of the backing storage disk for each of the Kafka brokers. | | kafka.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. | | kafka.version | string | `"3.1.1"` | Version of Kafka to deploy. | +| mirrormaker2.enabled | bool | `false` | Enable replication in the target (passive) cluster. | +| mirrormaker2.source.bootstrapServer | string | `""` | Source (active) cluster bootstrap server. | +| mirrormaker2.target.bootstrapServer | string | `""` | Target (passive) cluster boostrap server. | | registry.schemaTopic | string | `"registry-schemas"` | Name of the topic used by the Schema Registry | | superusers | list | `["kafka-admin"]` | A list of usernames for users who should have global admin permissions. These users will be created, along with their credentials. | | zookeeper.replicas | int | `3` | Number of Zookeeper replicas to run. | diff --git a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml index 6856a36517..7f85bbb44d 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/kafka.yaml @@ -75,6 +75,8 @@ spec: {{- end }} {{- end }} config: + # Accept larger messages + message.max.bytes: 262144 offsets.topic.replication.factor: {{ .Values.kafka.replicas }} transaction.state.log.replication.factor: {{ .Values.kafka.replicas }} transaction.state.log.min.isr: {{ .Values.kafka.replicas }} diff --git a/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml b/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml new file mode 100644 index 0000000000..d6d96fe433 --- /dev/null +++ b/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml 
@@ -0,0 +1,98 @@ +# Mostly based on the Strimzi Kafka MirrorMaker2 example +# configuration for handling high volumes of messages +{{ if .Values.mirrormaker2.enabled }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaMirrorMaker2 +metadata: + name: replicator +spec: + version: 3.2.0 + replicas: 1 + # It is recommended to deploy MirrorMaker2 on the target (passive) cluster + # in the active/passive replication scenario + connectCluster: "target" + clusters: + - alias: "source" + bootstrapServers: {{ .Values.mirrormaker2.source.bootstrapServer }} + tls: {} + # External kafka listeneres in Sasquatch use scram-sha-512 authentication + # For simplicity we created the replicator Kafka user with same password + # at both the source and target clusters. + # TODO: try to use and admin user with tls authentication here and the + # internal listener as bootstrap server. + authentication: + type: scram-sha-512 + username: replicator + passwordSecret: + secretName: sasquatch + password: replicator-password + - alias: "target" + bootstrapServers: {{ .Values.mirrormaker2.target.bootstrapServer }} + tls: {} + authentication: + type: scram-sha-512 + username: replicator + passwordSecret: + secretName: sasquatch + password: replicator-password + config: + # This should be enough time for the sent messages to be acknowledged + # by the brokers and offset data committed. + offset.flush.timeout.ms: 10000 + mirrors: + - sourceCluster: "source" + targetCluster: "target" + sourceConnector: + tasksMax: 10 + config: + replication.factor: 3 + offset-syncs.topic.replication.factor: 3 + # Dot not replicat topic ACLs configuration + sync.topic.acls.enabled: "false" + # The frequency to check for new topics + refresh.topics.interval.seconds: 60 + # Policy to define the remote topic naming convention. 
+ # This setting will preserve topic names in the target cluster + replication.policy.separator: "" + replication.policy.class: "org.apache.kafka.connect.mirror.IdentityReplicationPolicy" + # Handling high volumes of messages + # By increasing the batch size, produce requests are delayed and more messages are + # added to the batch and sent to brokers at the same time. + # This can improve throughput when you have just a few topic partitions that + # handle large numbers of messages. + producer.override.batch.size: 327680 + # Use linger.ms to add a wait time in milliseconds to delay produce requests when + # producer load decreases. + # The delay means that more records can be added to batches if they are under the + # maximum batch size. + producer.override.linger.ms: 100 + # Accept larger messages + # See aslo message.max.bytes broker configuration + producer.max.request.size: 262144 + heartbeatConnector: + config: + heartbeats.topic.replication.factor: 3 + checkpointConnector: + config: + checkpoints.topic.replication.factor: 3 + # Frequency of checks for new consumer groups + refresh.groups.interval.seconds: 300 + # Enables synchronization of consumer group offsets to the target cluster + sync.group.offsets.enabled: true + # The frequency to sync group offsets + sync.group.offsets.interval.seconds: 60 + # The frequency of checks for offset tracking + emit.checkpoints.interval.seconds: 60 + # Policy to define the remote topic naming convention. + # This setting will preserve topic names in the target cluster + replication.policy.class: "org.apache.kafka.connect.mirror.IdentityReplicationPolicy" + # Topic replication from the source cluster + topicsPattern: "registry-schemas, lsst.sal.*" + resources: + requests: + cpu: "1" + memory: 512Mi + limits: + cpu: "2" + memory: 4Gi +{{ end }} diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml index 6642816164..351a23f84e 100644 
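Review bot: Both cluster entries authenticate as the same `replicator` SCRAM user with the same password (the comment says so outright), so a credential that leaks from the dev (source) environment also authenticates against int (target), and with the ACL this user gets in users.yaml it is a write-capable identity on both. Use distinct secrets per cluster, e.g. `password: replicator-source-password` and `password: replicator-target-password` under their respective `passwordSecret` blocks, and the in-file TODO to use TLS client auth on the internal listener for the target is the right direction. `tls: {}` with no `trustedCertificates` relies on the pod's default trust store for the external `:9094` listeners, which is fine only if those listeners present publicly trusted certificates — not visible here; otherwise pin the cluster CA secret. Minor: `sync.topic.acls.enabled: "false"` is a quoted string while `sync.group.offsets.enabled: true` is a bare boolean, and the comments have typos ("listeneres", "Dot not replicat", "aslo").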
--- a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml @@ -45,10 +45,15 @@ spec: authorization: type: simple acls: + - resource: + type: group + name: "*" + patternType: literal + operation: All - resource: type: topic - name: "lsst.sal" - patternType: prefix + name: "*" + patternType: literal type: allow host: "*" operation: All diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index 11863b26f9..4d706a236d 100644 --- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml @@ -79,3 +79,13 @@ registry: # These users will be created, along with their credentials. superusers: - kafka-admin + +mirrormaker2: + # -- Enable replication in the target (passive) cluster. + enabled: false + source: + # -- Source (active) cluster bootstrap server. + bootstrapServer: "" + target: + # -- Target (passive) cluster boostrap server. + bootstrapServer: "" diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index 4730bded44..a29bf93af2 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -47,10 +47,3 @@ chronograf: GENERIC_API_KEY: sub PUBLIC_URL: https://data-dev.lsst.cloud/ STATUS_FEED_URL: https://raw.githubusercontent.com/lsst-sqre/rsp_broadcast/main/jsonfeeds/idfdev.json - -mirrormaker2: - enabled: true - source: - bootstrapServer: sasquatch-dev-kafka-bootstrap.lsst.cloud:9094 - target: - bootstrapServer: sasquatch-int-kafka-bootstrap.lsst.cloud:9094 diff --git a/services/sasquatch/values-idfint.yaml b/services/sasquatch/values-idfint.yaml index 088a60b07e..c96948787e 100644 --- a/services/sasquatch/values-idfint.yaml +++ b/services/sasquatch/values-idfint.yaml 
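Review bot: The `replicator` ACL is widened from `lsst.sal` (prefix) to `operation: All` on every topic and every group, and because this template renders in both clusters the same grant lands on the source, where MirrorMaker2 only needs to read. A tighter set is `Read`/`Describe` on the replicated topics (`lsst.sal` prefix and `registry-schemas`) plus `All` on the MirrorMaker2 internal topics (the offset-syncs, heartbeats and checkpoints topics named in mirrormaker2.yaml — confirm the exact names) and on its groups, with `Write`/`Create` on the replicated topics added only for the target. If a single KafkaUser must serve both roles, at least record that the breadth is deliberate, e.g. `# replicator is shared by MirrorMaker2 on both clusters; All on * is broader than the source needs`. The enclosing KafkaUser starts outside the hunk.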
@@ -14,6 +14,12 @@ strimzi-kafka: host: sasquatch-int-kafka-1.lsst.cloud - loadBalancerIP: "34.173.225.150" host: sasquatch-int-kafka-2.lsst.cloud + mirrormaker2: + enabled: true + source: + bootstrapServer: sasquatch-dev-kafka-bootstrap.lsst.cloud:9094 + target: + bootstrapServer: sasquatch-int-kafka-bootstrap.lsst.cloud:9094 influxdb: ingress: From 39ef31660af4bad3e58cc75fc757a35a7f99c3aa Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 31 Aug 2022 10:23:08 -0700 Subject: [PATCH 0973/1479] Use kafka internal listener for the target cluster - Use connect user for authentication and give it authorization to access all groups - Remove target bootstrap server configuration from values.yaml - Expose topicsPattern configuration in values.yaml --- .../sasquatch/charts/strimzi-kafka/README.md | 4 +- .../strimzi-kafka/templates/connect.yaml | 2 +- .../strimzi-kafka/templates/mirrormaker2.yaml | 58 ++++++++++--------- .../charts/strimzi-kafka/values.yaml | 7 +-- services/sasquatch/values-idfint.yaml | 3 +- 5 files changed, 38 insertions(+), 36 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index a2bb756f1e..be352c67cc 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md 
@@ -24,8 +24,8 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | kafka.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. | | kafka.version | string | `"3.1.1"` | Version of Kafka to deploy. | | mirrormaker2.enabled | bool | `false` | Enable replication in the target (passive) cluster. | -| mirrormaker2.source.bootstrapServer | string | `""` | Source (active) cluster bootstrap server. | -| mirrormaker2.target.bootstrapServer | string | `""` | Target (passive) cluster boostrap server. | +| mirrormaker2.source.bootstrapServer | string | `""` | Source (active) cluster to replicate from. | +| mirrormaker2.source.topicsPattern | string | `"registry-schemas, lsst.sal.*"` | Topic replication from the source cluster defined as a comma-separated list or regular expression pattern. | | registry.schemaTopic | string | `"registry-schemas"` | Name of the topic used by the Schema Registry | | superusers | list | `["kafka-admin"]` | A list of usernames for users who should have global admin permissions. These users will be created, along with their credentials. | | zookeeper.replicas | int | `3` | Number of Zookeeper replicas to run. | diff --git a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml index 7ed0612ce2..c97db87ce3 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml @@ -53,7 +53,7 @@ spec: operation: Read - resource: type: group - name: connect-influxdb-sink + name: "*" patternType: literal operation: All - resource: diff --git a/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml b/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml index d6d96fe433..f79abe2e56 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml 
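Review bot: In connect.yaml the group ACL widens from the single literal group `connect-influxdb-sink` to `"*"` while keeping `operation: All`, so the connect principal can now commit, alter or delete offsets for every consumer group on the cluster. If the driver is the MirrorMaker2 checkpoint connector needing consumer-group offsets, `Read`/`Describe` on groups is the narrower grant, or keep `All` but scope it with `patternType: prefix` to the group names the connectors actually use; the minimal operation set is worth verifying against the Kafka ACL reference. The ACL list this entry sits in starts above the hunk.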
+++ b/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml @@ -1,5 +1,5 @@ # Mostly based on the Strimzi Kafka MirrorMaker2 example -# configuration for handling high volumes of messages +# configuration for handling high volumes of messages. {{ if .Values.mirrormaker2.enabled }} apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaMirrorMaker2 @@ -8,18 +8,17 @@ metadata: spec: version: 3.2.0 replicas: 1 - # It is recommended to deploy MirrorMaker2 on the target (passive) cluster - # in the active/passive replication scenario + # In the unidirectional (active/passive) replication scenario + # it is recommended to deploy MirrorMaker2 on the target (passive) cluster. connectCluster: "target" clusters: - alias: "source" bootstrapServers: {{ .Values.mirrormaker2.source.bootstrapServer }} tls: {} - # External kafka listeneres in Sasquatch use scram-sha-512 authentication - # For simplicity we created the replicator Kafka user with same password - # at both the source and target clusters. - # TODO: try to use and admin user with tls authentication here and the - # internal listener as bootstrap server. + # The external kafka listeneres in Sasquatch use scram-sha-512 authentication + # Use the replicator Kafka user to authenticate against the Kafka source cluster. + # Not the same secret with the replicator password must exist in both the source + # and the target clusters. authentication: type: scram-sha-512 username: replicator 
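Review bot: The rewritten comment block above the source cluster's `authentication` has typos that change its meaning: `listeneres`, and `Not the same secret with the replicator password must exist in both the source and the target clusters.` reads as a negation. Suggest `# The external Kafka listeners in Sasquatch use scram-sha-512 authentication.` and `# Note that a secret holding the replicator password must exist in both the source and the target clusters.` The `clusters` list continues into the next hunk.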
@@ -27,14 +26,18 @@ spec: secretName: sasquatch password: replicator-password - alias: "target" - bootstrapServers: {{ .Values.mirrormaker2.target.bootstrapServer }} - tls: {} + # For the Kafka target cluster, use the internal listener with tls encryption and mutual tls authentication. + bootstrapServers: {{ .Values.cluster.name }}-kafka-bootstrap:9093 + tls: + trustedCertificates: + - secretName: {{ .Values.cluster.name }}-cluster-ca-cert + certificate: ca.crt authentication: - type: scram-sha-512 - username: replicator - passwordSecret: - secretName: sasquatch - password: replicator-password + type: tls + certificateAndKey: + secretName: {{ .Values.cluster.name }}-connect + certificate: user.crt + key: user.key config: # This should be enough time for the sent messages to be acknowledged # by the brokers and offset data committed. @@ -47,12 +50,12 @@ spec: config: replication.factor: 3 offset-syncs.topic.replication.factor: 3 - # Dot not replicat topic ACLs configuration + # Dot not replicate topic ACLs configuration. sync.topic.acls.enabled: "false" - # The frequency to check for new topics + # The frequency to check for new topics. refresh.topics.interval.seconds: 60 # Policy to define the remote topic naming convention. - # This setting will preserve topic names in the target cluster + # This setting will preserve topic names in the target cluster. replication.policy.separator: "" replication.policy.class: "org.apache.kafka.connect.mirror.IdentityReplicationPolicy" # Handling high volumes of messages @@ -66,8 +69,8 @@ spec: # The delay means that more records can be added to batches if they are under the # maximum batch size. producer.override.linger.ms: 100 - # Accept larger messages - # See aslo message.max.bytes broker configuration + # Accept larger messages. + # See also message.max.bytes broker configuration. producer.max.request.size: 262144 heartbeatConnector: config: 
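Review bot: The target cluster now authenticates with the certificate of the `{{ .Values.cluster.name }}-connect` KafkaUser, so MirrorMaker2 and Kafka Connect share one identity and one ACL set, which is what forces the connect user's group ACL to grow to `"*"` in connect.yaml in this same commit. A dedicated KafkaUser for MirrorMaker2 (for example `{{ .Values.cluster.name }}-mirrormaker2`, name illustrative) with `type: tls` authentication keeps each workload's ACLs minimal and makes broker-side logs attributable to the right component. Moving the target to the internal 9093 listener with mutual TLS and the cluster CA from `{{ .Values.cluster.name }}-cluster-ca-cert` is a good change; the `connectCluster: "target"` line it depends on is outside this hunk.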
@@ -75,19 +78,20 @@ spec: checkpointConnector: config: checkpoints.topic.replication.factor: 3 - # Frequency of checks for new consumer groups + # Frequency of checks for new consumer groups. refresh.groups.interval.seconds: 300 - # Enables synchronization of consumer group offsets to the target cluster + # Enables synchronization of consumer group offsets to the target cluster. sync.group.offsets.enabled: true - # The frequency to sync group offsets + # The frequency to sync group offsets. sync.group.offsets.interval.seconds: 60 - # The frequency of checks for offset tracking + # The frequency of checks for offset tracking. emit.checkpoints.interval.seconds: 60 # Policy to define the remote topic naming convention. - # This setting will preserve topic names in the target cluster + # This setting will preserve topic names in the target cluster. replication.policy.class: "org.apache.kafka.connect.mirror.IdentityReplicationPolicy" - # Topic replication from the source cluster - topicsPattern: "registry-schemas, lsst.sal.*" + # Topic replication from the source cluster defined as a comma-separated list + # or regular expression pattern. + topicsPattern: {{ .Values.mirrormaker2.source.topicsPattern }} resources: requests: cpu: "1" diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index 4d706a236d..f2b0507be9 100644 --- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml @@ -84,8 +84,7 @@ mirrormaker2: # -- Enable replication in the target (passive) cluster. enabled: false source: - # -- Source (active) cluster bootstrap server. - bootstrapServer: "" - target: - # -- Target (passive) cluster boostrap server. + # -- Source (active) cluster to replicate from. bootstrapServer: "" + # -- Topic replication from the source cluster defined as a comma-separated list or regular expression pattern. + topicsPattern: "registry-schemas, lsst.sal.*" 
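Review bot: `topicsPattern: {{ .Values.mirrormaker2.source.topicsPattern }}` renders the value as a plain scalar, so the quoting in values.yaml is lost at render time; the default `registry-schemas, lsst.sal.*` happens to parse as one string, but a pattern starting with `*`, `[` or `{`, or an empty override, would become an alias, a flow collection or null. Rendering it as `topicsPattern: {{ .Values.mirrormaker2.source.topicsPattern | quote }}` keeps it a string regardless of the override; the source cluster's `bootstrapServers` template earlier in this file has the same exposure. The `checkpointConnector` block this hunk edits starts above it.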
diff --git a/services/sasquatch/values-idfint.yaml b/services/sasquatch/values-idfint.yaml index c96948787e..cb252e7924 100644 --- a/services/sasquatch/values-idfint.yaml +++ b/services/sasquatch/values-idfint.yaml @@ -18,8 +18,7 @@ strimzi-kafka: enabled: true source: bootstrapServer: sasquatch-dev-kafka-bootstrap.lsst.cloud:9094 - target: - bootstrapServer: sasquatch-int-kafka-bootstrap.lsst.cloud:9094 + topicsPattern: "registry-schemas, lsst.sal.*" influxdb: ingress: From 819124ee76042019548db246dea1893366e258ee Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 31 Aug 2022 13:55:04 -0700 Subject: [PATCH 0974/1479] Add external listener configuration to Summit --- services/sasquatch/values-summit.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index 0d0d1aab58..179c8407d8 100644 --- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml @@ -2,6 +2,19 @@ strimzi-kafka: kafka: storage: storageClassName: rook-ceph-block + externalListener: + tls: + enabled: true + bootstrap: + loadBalancerIP: "139.229.160.152" + host: sasquatch-summit-kafka-bootstrap.lsst.codes + brokers: + - loadBalancerIP: "139.229.160.154" + host: sasquatch-summit-kafka-0.lsst.codes + - loadBalancerIP: "139.229.160.153" + host: sasquatch-summit-kafka-1.lsst.codes + - loadBalancerIP: "139.229.160.155" + host: sasquatch-summit-kafka-2.lsst.codes zookeeper: storage: storageClassName: rook-ceph-block From 1683809d9b6b1d72baf59cba11de6d58e00ccf2c Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 09:56:37 +0200 Subject: [PATCH 0975/1479] fix moneypenny --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 294a1b4da4..a24c5fc216 100644 --- a/services/moneypenny/values-ccin2p3.yaml 
+++ b/services/moneypenny/values-ccin2p3.yaml @@ -1,4 +1,4 @@ -orders: | +orders: commission: - name: initcommission image: lsstsqre/inituserhome From f3eb39f7df26a7f9b95ab47ec008bcef1a58f05b Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 10:06:58 +0200 Subject: [PATCH 0976/1479] change mount path on moneypenny --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index a24c5fc216..b8dac10dfe 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -6,7 +6,7 @@ orders: runAsUser: 0 runAsNonRootUser: false volumeMounts: - - mountPath: /home + - mountPath: /data/rsp/home name: home volumes: - name: home From 08d271449574f226cb48eceec7a58c10da905678 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 12:06:35 +0200 Subject: [PATCH 0977/1479] Trying fox moneypenni home problem --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index b8dac10dfe..39aa3109cb 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -7,7 +7,7 @@ orders: runAsNonRootUser: false volumeMounts: - mountPath: /data/rsp/home - name: home + name: homedirs volumes: - name: home hostPath: From 78ec04f0251f6da9b354472b4798fdc1de724490 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 12:11:30 +0200 Subject: [PATCH 0978/1479] restioe home name --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 39aa3109cb..b8dac10dfe 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml 
@@ -7,7 +7,7 @@ orders: runAsNonRootUser: false volumeMounts: - mountPath: /data/rsp/home - name: homedirs + name: home volumes: - name: home hostPath: From 2ea8745f589dfaf1d0b36068a65e19f0bad3102a Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 12:19:23 +0200 Subject: [PATCH 0979/1479] restore home in moneypenny --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index b8dac10dfe..a24c5fc216 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -6,7 +6,7 @@ orders: runAsUser: 0 runAsNonRootUser: false volumeMounts: - - mountPath: /data/rsp/home + - mountPath: /home name: home volumes: - name: home From 69df8829ebb1edcc3c82d6afb0fae062011c560f Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 30 Aug 2022 13:32:59 +0200 Subject: [PATCH 0980/1479] alway moneypenny --- services/moneypenny/values-ccin2p3.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index a24c5fc216..e653e165c2 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -6,10 +6,10 @@ orders: runAsUser: 0 runAsNonRootUser: false volumeMounts: - - mountPath: /home - name: home + - mountPath: /homedirs + name: homedirs volumes: - - name: home + - name: homedirs hostPath: path: /data/rsp/home type: Directory From 49b43249746d88054fefcf0f3ee4295e3e7b0d83 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 31 Aug 2022 09:34:53 +0200 Subject: [PATCH 0981/1479] Fix template: replace AWS with S3 --- services/tap/templates/tap-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap/templates/tap-deployment.yaml b/services/tap/templates/tap-deployment.yaml index e6966b2978..7e9a6c0448 100644 
--- a/services/tap/templates/tap-deployment.yaml +++ b/services/tap/templates/tap-deployment.yaml @@ -52,7 +52,7 @@ spec: -Xmx{{ .Values.config.jvmMaxHeapSize }} - name: GOOGLE_APPLICATION_CREDENTIALS value: "/etc/creds/google_creds.json" - {{- if eq .Values.config.gcsBucketType "AWS" }} + {{- if eq .Values.config.gcsBucketType "S3" }} - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: From 3dbeea8a9b7c3737472d5147428fce48b5ac4334 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 1 Sep 2022 12:19:07 -0700 Subject: [PATCH 0982/1479] Increase Kapacitor resource limits --- services/sasquatch/README.md | 4 ++++ services/sasquatch/values.yaml | 7 +++++++ 2 files changed, 11 insertions(+) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 250d30cb0e..72f6b90b13 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -38,6 +38,10 @@ Rubin Observatory's telemetry service. | kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.5"}` | Kapacitor image tag. | | kapacitor.influxURL | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB connection URL. | | kapacitor.persistence | object | `{"enabled":true,"size":"100Gi"}` | Chronograf data persistence configuration. | +| kapacitor.resources.limits.cpu | int | `4` | | +| kapacitor.resources.limits.memory | string | `"16Gi"` | | +| kapacitor.resources.requests.cpu | int | `1` | | +| kapacitor.resources.requests.memory | string | `"1Gi"` | | | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","clusterNamespace":"sasquatch","operatorNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | | telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index f8452e7e77..ce8ee753b0 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -107,6 +107,13 @@ kapacitor: # -- Kapacitor environment variables. envVars: KAPACITOR_SLACK_ENABLED: true + resources: + requests: + memory: 1Gi + cpu: 1 + limits: + memory: 16Gi + cpu: 4 telegraf: # -- Allow network access to JupyterHub pod. From a6424fbe65a771d34e5af539c6f90b0dc7b21cf9 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 1 Sep 2022 15:09:41 -0700 Subject: [PATCH 0983/1479] Bump version of tap-schema Pick up annotations of the ForcedSource table. --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 49d94012ab..74ae315ffd 100644 
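Review bot: The new `resources` block under `kapacitor` in values.yaml carries no `# --` helm-docs comment, which is why the four `kapacitor.resources.*` rows added to README.md in this commit have empty description cells. Adding `# -- Kapacitor resource requests and limits.` above `resources:` and regenerating README.md fills them in and, as with `kapacitor.persistence` in the same table, collapses the four leaf rows into a single documented object row. The `kapacitor` mapping starts above the hunk.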
--- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.1.22 +appVersion: 1.1.25 description: The TAP_SCHEMA database home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema From b412bf5ee937bb482d95e2490f001e10ac27115c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 1 Sep 2022 15:22:48 -0700 Subject: [PATCH 0984/1479] Upgrade version of Portal --- services/portal/Chart.yaml | 2 +- services/portal/values-idfint.yaml | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml index 95357ec817..e906aaa74e 100644 --- a/services/portal/Chart.yaml +++ b/services/portal/Chart.yaml @@ -3,4 +3,4 @@ name: portal version: 1.0.0 description: "Rubin Science Platform portal aspect" home: "https://github.com/lsst/suit" -appVersion: "suit-2022.5.1" +appVersion: "suit-2022.5.3" diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 6d2392fe1a..bbff39a615 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -1,8 +1,5 @@ replicaCount: 4 -image: - tag: "suit-2022.5.3" - config: volumes: workareaNfs: From a31c6be4a04d4e45ef59b651515db8291695a37f Mon Sep 17 00:00:00 2001 
From: dspeck1 Date: Fri, 2 Sep 2022 13:49:17 -0500 Subject: [PATCH 0985/1479] Adding sqlproxy service to deploy as standalone service for butler int. Added phalanx componetns to add as deployed chart in argo and service helm chart. --- .../sqlproxy-butler-int-application.yaml | 33 ++++++++++ science-platform/values-idfdev.yaml | 2 + services/sqlproxy-gcp/.helmignore | 23 +++++++ services/sqlproxy-gcp/Chart.yaml | 6 ++ services/sqlproxy-gcp/templates/_helpers.tpl | 52 +++++++++++++++ .../sqlproxy-gcp/templates/deployment.yaml | 64 +++++++++++++++++++ services/sqlproxy-gcp/templates/service.yaml | 16 +++++ .../templates/serviceaccount.yaml | 12 ++++ services/sqlproxy-gcp/values-idfdev.yaml | 25 ++++++++ services/sqlproxy-gcp/values.yaml | 62 ++++++++++++++++++ 10 files changed, 295 insertions(+) create mode 100644 science-platform/templates/sqlproxy-butler-int-application.yaml create mode 100644 services/sqlproxy-gcp/.helmignore create mode 100644 services/sqlproxy-gcp/Chart.yaml create mode 100644 services/sqlproxy-gcp/templates/_helpers.tpl create mode 100644 services/sqlproxy-gcp/templates/deployment.yaml create mode 100644 services/sqlproxy-gcp/templates/service.yaml create mode 100644 services/sqlproxy-gcp/templates/serviceaccount.yaml create mode 100644 services/sqlproxy-gcp/values-idfdev.yaml create mode 100644 services/sqlproxy-gcp/values.yaml diff --git a/science-platform/templates/sqlproxy-butler-int-application.yaml b/science-platform/templates/sqlproxy-butler-int-application.yaml new file mode 100644 index 0000000000..c4bf1c055c --- /dev/null +++ b/science-platform/templates/sqlproxy-butler-int-application.yaml 
@@ -0,0 +1,33 @@ +{{- if .Values.sqlproxy_butler_int.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: sqlproxy-butler-int +spec: + finalizers: + - kubernetes +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: sqlproxy-butler-int + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: sqlproxy-butler-int + server: https://kubernetes.default.svc + project: default + source: + path: services/sqlproxy-gcp + repoURL: {{ .Values.repoURL }} + targetRevision: {{ .Values.revision }} + helm: + parameters: + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} + valueFiles: + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" +{{- end -}} diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index 8d657a908a..cb78bffcd0 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -46,6 +46,8 @@ squareone: enabled: true squash_api: enabled: false +sqlproxy_butler_int: + enabled: true strimzi: enabled: true strimzi_registry_operator: diff --git a/services/sqlproxy-gcp/.helmignore b/services/sqlproxy-gcp/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/services/sqlproxy-gcp/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/services/sqlproxy-gcp/Chart.yaml b/services/sqlproxy-gcp/Chart.yaml new file mode 100644 index 0000000000..1ed38f02c3 --- /dev/null +++ b/services/sqlproxy-gcp/Chart.yaml 
@@ -0,0 +1,6 @@ +apiVersion: v2 +name: sqlproxy +description: gcp sql proxy as a service deployment +type: application +version: 0.1.0 +appVersion: "0.1.0" diff --git a/services/sqlproxy-gcp/templates/_helpers.tpl b/services/sqlproxy-gcp/templates/_helpers.tpl new file mode 100644 index 0000000000..42c6871d00 --- /dev/null +++ b/services/sqlproxy-gcp/templates/_helpers.tpl @@ -0,0 +1,52 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "sqlproxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "sqlproxy.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "sqlproxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "sqlproxy.labels" -}} +helm.sh/chart: {{ include "sqlproxy.chart" . }} +{{ include "sqlproxy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "sqlproxy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "sqlproxy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} 
diff --git a/services/sqlproxy-gcp/templates/deployment.yaml b/services/sqlproxy-gcp/templates/deployment.yaml new file mode 100644 index 0000000000..af4851f6a4 --- /dev/null +++ b/services/sqlproxy-gcp/templates/deployment.yaml 
@@ -0,0 +1,64 @@ +{{- if .Values.cloudsql.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "sqlproxy.fullname" . }} + labels: + {{- include "sqlproxy.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "sqlproxy.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "sqlproxy.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccountName }} + securityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + containers: + - name: cloud-sql-proxy + command: + - "/cloud_sql_proxy" + - "-log_debug_stdout" + - "-structured_logs" + - "-ip_address_types={{ required "cloudsql.ipAddressType must be specified" .Values.cloudsql.ipAddressType}}" + - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:0.0.0.0:5432" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - containerPort: 5432 + protocol: TCP + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/services/sqlproxy-gcp/templates/service.yaml b/services/sqlproxy-gcp/templates/service.yaml new file mode 100644 index 0000000000..49326e0c5c --- /dev/null 
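Review bot: `serviceAccountName: {{ .Values.serviceAccountName }}` points the pod at a value that is independent of the ServiceAccount this chart creates in serviceaccount.yaml (named by `include "sqlproxy.fullname"`), so the Workload Identity annotation on the created account only takes effect when the two names happen to coincide, as they do in values-idfdev.yaml. Using `serviceAccountName: {{ include "sqlproxy.fullname" . }}` and dropping the separate `serviceAccountName` value removes that coupling. The image line `"{{ .Values.image.repository }}:{{ .Values.image.tag }}"` renders a trailing colon with the default `tag: ""` even though the values comment promises the chart appVersion; `{{ .Values.image.tag | default .Chart.AppVersion }}` matches the comment. The non-root security context, dropped capabilities and read-only root filesystem are good; since the Service exposes the proxy to the whole cluster, a NetworkPolicy limiting ingress to the intended client namespace would complete that hardening.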
+++ b/services/sqlproxy-gcp/templates/service.yaml @@ -0,0 +1,16 @@ +{{- if .Values.cloudsql.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "sqlproxy.fullname" . }} + labels: + {{- include "sqlproxy.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 5432 + targetPort: 5432 + protocol: TCP + selector: + {{- include "sqlproxy.selectorLabels" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/services/sqlproxy-gcp/templates/serviceaccount.yaml b/services/sqlproxy-gcp/templates/serviceaccount.yaml new file mode 100644 index 0000000000..9348995a90 --- /dev/null +++ b/services/sqlproxy-gcp/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.cloudsql.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "sqlproxy.fullname" . }} + labels: + {{- include "sqlproxy.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/services/sqlproxy-gcp/values-idfdev.yaml b/services/sqlproxy-gcp/values-idfdev.yaml new file mode 100644 index 0000000000..cef0f9d209 --- /dev/null +++ b/services/sqlproxy-gcp/values-idfdev.yaml @@ -0,0 +1,25 @@ +serviceAccountName: sqlproxy-butler-int + +nameOverride: sqlproxy-butler-int + +serviceAccount: + annotations: { + iam.gke.io/gcp-service-account: sqlproxy-butler-int@science-platform-dev-7696.iam.gserviceaccount.com + } + +cloudsql: + enabled: true + nameSuffix: "butler-int" + ipAddressType: "PUBLIC" + instanceConnectionName: "science-platform-int-dc5d:us-central1:butler-registry-int-72f9812d" + +replicaCount: 1 + +image: + repository: gcr.io/cloudsql-docker/gce-proxy + tag: 1.28.0 + +resources: + requests: + cpu: "1" + memory: "2Gi" \ No newline at end of file diff --git a/services/sqlproxy-gcp/values.yaml b/services/sqlproxy-gcp/values.yaml new file mode 100644 index 0000000000..a78f3364b1 --- /dev/null +++ b/services/sqlproxy-gcp/values.yaml 
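Review bot: In values-idfdev.yaml the `serviceAccount.annotations` value is written as a multi-line flow mapping (`{ ... }`) and `tag: 1.28.0` is an unquoted version string; both parse today but are fragile, and the linting commits that follow already have to re-indent this block. Block style, `annotations:` followed by an indented `iam.gke.io/gcp-service-account: sqlproxy-butler-int@science-platform-dev-7696.iam.gserviceaccount.com`, and `tag: "1.28.0"` are the conventional forms. `ipAddressType: "PUBLIC"` makes the proxy connect to the instance's public address; the proxy still encrypts and IAM-authenticates that hop, but if the instance has a private IP reachable from this cluster the chart default `PRIVATE` keeps the database path off the public network.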
@@ -0,0 +1,62 @@ +# Default values for sqlproxy-gcp + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +image: + # -- cachemachine image to use + repository: gcr.io/cloudsql-docker/gce-proxy + + # -- Pull policy for the cachemachine image + pullPolicy: IfNotPresent + + # -- Tag of cachemachine image to use + # @default -- The appVersion of the chart + tag: "" + +# -- Secret names to use for all Docker pulls +serviceAccount: + # -- Name of the service account to use + # @default -- Name based on the fullname template + name: "" + + # -- Annotations to add to the service account + annotations: {} + +# -- Resource limits and requests for the cachemachine frontend pod +resources: {} + +# -- Annotations for the cachemachine frontend pod +podAnnotations: {} + +# -- Node selector rules for the cachemachine frontend pod +nodeSelector: {} + +# -- Tolerations for the cachemachine frontend pod +tolerations: [] + +# -- Affinity rules for the cachemachine frontend pod +affinity: {} + +# -- Autostart configuration. Each key is the name of a class of images to +# pull, and the value is the JSON specification for which and how many images +# to pull. +autostart: {} + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From c31e7b665ea3e5a808546c14d80bceeaa0edc8d5 Mon Sep 17 00:00:00 2001 
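Review bot: Several `# --` comments in this values file describe a different chart: `image.repository`, `image.pullPolicy`, `image.tag`, `resources`, `podAnnotations`, `nodeSelector`, `tolerations` and `affinity` all say "cachemachine", and the comment above `serviceAccount:` reads `Secret names to use for all Docker pulls`, which belongs to an `imagePullSecrets` key that deployment.yaml references but this file never declares. `autostart`, `global.baseUrl` and `global.host` are not read by any template in this commit, and `serviceAccount.name` is unused because serviceaccount.yaml names the account from the fullname template. Suggest rewording the comments to "Cloud SQL proxy", adding `# -- Secret names to use for all Docker pulls` above a new `imagePullSecrets: []`, and removing or documenting the unused keys so the helm-docs output matches what the chart actually consumes.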
From: dspeck1 Date: Fri, 2 Sep 2022 14:00:21 -0500 Subject: [PATCH 0986/1479] fixing linting --- services/sqlproxy-gcp/templates/deployment.yaml | 2 -- services/sqlproxy-gcp/templates/service.yaml | 2 -- services/sqlproxy-gcp/templates/serviceaccount.yaml | 3 +-- services/sqlproxy-gcp/values-idfdev.yaml | 1 - 4 files changed, 1 insertion(+), 7 deletions(-) diff --git a/services/sqlproxy-gcp/templates/deployment.yaml b/services/sqlproxy-gcp/templates/deployment.yaml index af4851f6a4..d1567535e4 100644 --- a/services/sqlproxy-gcp/templates/deployment.yaml +++ b/services/sqlproxy-gcp/templates/deployment.yaml @@ -1,4 +1,3 @@ -{{- if .Values.cloudsql.enabled -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -61,4 +60,3 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file diff --git a/services/sqlproxy-gcp/templates/service.yaml b/services/sqlproxy-gcp/templates/service.yaml index 49326e0c5c..025b0c14e1 100644 --- a/services/sqlproxy-gcp/templates/service.yaml +++ b/services/sqlproxy-gcp/templates/service.yaml @@ -1,4 +1,3 @@ -{{- if .Values.cloudsql.enabled -}} apiVersion: v1 kind: Service metadata: @@ -13,4 +12,3 @@ spec: protocol: TCP selector: {{- include "sqlproxy.selectorLabels" . | nindent 4 }} -{{- end }} \ No newline at end of file diff --git a/services/sqlproxy-gcp/templates/serviceaccount.yaml b/services/sqlproxy-gcp/templates/serviceaccount.yaml index 9348995a90..c1ad0fffab 100644 --- a/services/sqlproxy-gcp/templates/serviceaccount.yaml +++ b/services/sqlproxy-gcp/templates/serviceaccount.yaml @@ -1,4 +1,3 @@ -{{- if .Values.cloudsql.enabled -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -9,4 +8,4 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} -{{- end }} + diff --git a/services/sqlproxy-gcp/values-idfdev.yaml b/services/sqlproxy-gcp/values-idfdev.yaml index cef0f9d209..2fb792b97e 100644 --- a/services/sqlproxy-gcp/values-idfdev.yaml +++ b/services/sqlproxy-gcp/values-idfdev.yaml 
@@ -8,7 +8,6 @@ serviceAccount: } cloudsql: - enabled: true nameSuffix: "butler-int" ipAddressType: "PUBLIC" instanceConnectionName: "science-platform-int-dc5d:us-central1:butler-registry-int-72f9812d" From fb8f87d2e8a00c8340351e3b000e7aef3f23f10e Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Fri, 2 Sep 2022 14:05:18 -0500 Subject: [PATCH 0987/1479] fixing linting --- services/sqlproxy-gcp/values-idfdev.yaml | 2 +- services/sqlproxy-gcp/values.yaml | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/services/sqlproxy-gcp/values-idfdev.yaml b/services/sqlproxy-gcp/values-idfdev.yaml index 2fb792b97e..8a63c34884 100644 --- a/services/sqlproxy-gcp/values-idfdev.yaml +++ b/services/sqlproxy-gcp/values-idfdev.yaml @@ -21,4 +21,4 @@ image: resources: requests: cpu: "1" - memory: "2Gi" \ No newline at end of file + memory: "2Gi" diff --git a/services/sqlproxy-gcp/values.yaml b/services/sqlproxy-gcp/values.yaml index a78f3364b1..9d66110c22 100644 --- a/services/sqlproxy-gcp/values.yaml +++ b/services/sqlproxy-gcp/values.yaml @@ -17,6 +17,14 @@ image: # @default -- The appVersion of the chart tag: "" + +serviceAccountName: "" + +cloudsql: + nameSuffix: "" + ipAddressType: "PRIVATE" + instanceConnectionName: "" + # -- Secret names to use for all Docker pulls serviceAccount: # -- Name of the service account to use From 181c1d60d20cd2f95d7ccf26ac9794a0ca760a72 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Fri, 2 Sep 2022 14:11:24 -0500 Subject: [PATCH 0988/1479] fixing linting values --- services/sqlproxy-gcp/values-idfdev.yaml | 6 +++--- services/tap/values-idfdev.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/sqlproxy-gcp/values-idfdev.yaml b/services/sqlproxy-gcp/values-idfdev.yaml index 8a63c34884..047a07ae63 100644 --- a/services/sqlproxy-gcp/values-idfdev.yaml +++ b/services/sqlproxy-gcp/values-idfdev.yaml 
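Review bot: The new `cloudsql` block and top-level `serviceAccountName` in values.yaml carry no `# --` helm-docs comments, so `instanceConnectionName`, `ipAddressType` and `nameSuffix` land in the README with empty descriptions, and the chart now has both `serviceAccountName` and `serviceAccount.name` with nothing saying which one the deployment template consumes (the template is outside this patch). Document each key, e.g. `# -- Cloud SQL instance connection name (project:region:instance)` and `# -- IP address type the proxy connects through (PRIVATE or PUBLIC)`. PRIVATE is the right default; values-idfdev.yaml overrides it to `"PUBLIC"`, which routes to the instance's public address — the Auth proxy still authenticates through IAM and encrypts the connection, but it is worth recording in that file why the private path is not available there.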
@@ -4,7 +4,7 @@ nameOverride: sqlproxy-butler-int serviceAccount: annotations: { - iam.gke.io/gcp-service-account: sqlproxy-butler-int@science-platform-dev-7696.iam.gserviceaccount.com + iam.gke.io/gcp-service-account: sqlproxy-butler-int@science-platform-dev-7696.iam.gserviceaccount.com } cloudsql: @@ -20,5 +20,5 @@ image: resources: requests: - cpu: "1" - memory: "2Gi" + cpu: "1" + memory: "2Gi" diff --git a/services/tap/values-idfdev.yaml b/services/tap/values-idfdev.yaml index d0339a85bf..57b4e3d67c 100644 --- a/services/tap/values-idfdev.yaml +++ b/services/tap/values-idfdev.yaml @@ -5,4 +5,4 @@ config: qserv: host: "10.136.1.211:4040" mock: - enabled: false \ No newline at end of file + enabled: false From 7233fa952deac14c86adc1d6c6aa2a1bd79c06b7 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Fri, 2 Sep 2022 14:17:26 -0500 Subject: [PATCH 0989/1479] linting fun --- services/sqlproxy-gcp/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sqlproxy-gcp/values.yaml b/services/sqlproxy-gcp/values.yaml index 9d66110c22..789f0fcc88 100644 --- a/services/sqlproxy-gcp/values.yaml +++ b/services/sqlproxy-gcp/values.yaml @@ -21,7 +21,7 @@ image: serviceAccountName: "" cloudsql: - nameSuffix: "" + nameSuffix: "" ipAddressType: "PRIVATE" instanceConnectionName: "" From 409ab9e870145ff25217c5a4ffe82c71ab307dda Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Fri, 2 Sep 2022 14:25:25 -0500 Subject: [PATCH 0990/1479] linting and deploy fixes --- science-platform/values.yaml | 2 ++ services/sqlproxy-gcp/values-idfdev.yaml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/science-platform/values.yaml b/science-platform/values.yaml index f320ba32cd..5b456d3f2c 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml @@ -38,6 +38,8 @@ semaphore: enabled: false sherlock: enabled: false +sqlproxy_butler_int: + enabled: false squareone: enabled: false squash_api: 
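Review bot: `serviceAccount.annotations` is written as a flow mapping `{ ... }` split over three lines to hold a single annotation, and this hunk only re-indents the inner line; block style is what the rest of these charts use and is what yamllint expects: `annotations:` / `  iam.gke.io/gcp-service-account: "sqlproxy-butler-int@science-platform-dev-7696.iam.gserviceaccount.com"`. That annotation is the GKE Workload Identity binding that lets the proxy pod act as the GSA, so the other half of the binding (the `roles/iam.workloadIdentityUser` grant to this namespace's KSA, and keeping the GSA limited to a Cloud SQL client role) is part of the security boundary but lives outside the chart, presumably in infrastructure code. A one-line comment above the annotation pointing at where that side is managed would let reviewers check both halves together.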
diff --git a/services/sqlproxy-gcp/values-idfdev.yaml b/services/sqlproxy-gcp/values-idfdev.yaml index 047a07ae63..d3bfaf214f 100644 --- a/services/sqlproxy-gcp/values-idfdev.yaml +++ b/services/sqlproxy-gcp/values-idfdev.yaml @@ -8,7 +8,7 @@ serviceAccount: } cloudsql: - nameSuffix: "butler-int" + nameSuffix: "butler-int" ipAddressType: "PUBLIC" instanceConnectionName: "science-platform-int-dc5d:us-central1:butler-registry-int-72f9812d" From d1fea2ead2835f1b3bcb4fc3f1315ac2be6c9d8c Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Fri, 2 Sep 2022 14:43:30 -0500 Subject: [PATCH 0991/1479] fix whitespace --- services/sqlproxy-gcp/values-idfdev.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sqlproxy-gcp/values-idfdev.yaml b/services/sqlproxy-gcp/values-idfdev.yaml index d3bfaf214f..4a29601b62 100644 --- a/services/sqlproxy-gcp/values-idfdev.yaml +++ b/services/sqlproxy-gcp/values-idfdev.yaml @@ -18,7 +18,7 @@ image: repository: gcr.io/cloudsql-docker/gce-proxy tag: 1.28.0 -resources: +resources: requests: cpu: "1" memory: "2Gi" From 46ca86e6883e526728edb643884df2d5e10cf2ba Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Fri, 2 Sep 2022 15:07:34 -0500 Subject: [PATCH 0992/1479] helm docs update --- science-platform/README.md | 1 + services/sqlproxy-gcp/README.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 services/sqlproxy-gcp/README.md diff --git a/science-platform/README.md b/science-platform/README.md index 32b69db4bc..064de4751c 100644 --- a/science-platform/README.md +++ b/science-platform/README.md @@ -27,6 +27,7 @@ | sasquatch.enabled | bool | `false` | | | semaphore.enabled | bool | `false` | | | sherlock.enabled | bool | `false` | | +| sqlproxy_butler_int.enabled | bool | `false` | | | squareone.enabled | bool | `false` | | | squash_api.enabled | bool | `false` | | | strimzi.enabled | bool | `false` | | 
diff --git a/services/sqlproxy-gcp/README.md b/services/sqlproxy-gcp/README.md new file mode 100644 index 0000000000..3eb0020818 --- /dev/null +++ b/services/sqlproxy-gcp/README.md 
@@ -0,0 +1,29 @@ +# sqlproxy + +gcp sql proxy as a service deployment + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the cachemachine frontend pod | +| autostart | object | `{}` | Autostart configuration. Each key is the name of a class of images to pull, and the value is the JSON specification for which and how many images to pull. | +| cloudsql.instanceConnectionName | string | `""` | | +| cloudsql.ipAddressType | string | `"PRIVATE"` | | +| cloudsql.nameSuffix | string | `""` | | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the cachemachine image | +| image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | cachemachine image to use | +| image.tag | string | The appVersion of the chart | Tag of cachemachine image to use | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the cachemachine frontend pod | +| podAnnotations | object | `{}` | Annotations for the cachemachine frontend pod | +| resources | object | `{}` | Resource limits and requests for the cachemachine frontend pod | +| serviceAccount | object | `{"annotations":{},"name":""}` | Secret names to use for all Docker pulls | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | +| serviceAccountName | string | `""` | | +| tolerations | list | `[]` | Tolerations for the cachemachine frontend pod | 
From 34628f170aaab292676e5aa158873f6e2db18244 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 31 Aug 2022 14:07:38 -0700 Subject: [PATCH 0993/1479] Update datalinker and TAP datalink data Update the version of datalinker, the TAP datalink data, and the tap-schemas service to the latest releases. --- services/datalinker/Chart.yaml | 2 +- services/tap-schema/Chart.yaml | 6 +++--- services/tap/README.md | 2 +- services/tap/values.yaml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index 7d3bd9e0fa..c0932d6edd 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: Service and data discovery for Rubin Science Platform sources: - https://github.com/lsst-sqre/datalinker -appVersion: 1.4.2 +appVersion: 1.5.0 diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 74ae315ffd..979a567463 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -appVersion: 1.1.25 -description: The TAP_SCHEMA database -home: https://github.com/lsst-sqre/lsst-tap-service name: tap-schema version: 1.0.0 +description: The TAP_SCHEMA database +home: https://github.com/lsst/sdm_schemas +appVersion: 1.2.0 diff --git a/services/tap/README.md b/services/tap/README.md index 68bda5e1fa..98a0fb0766 100644 --- a/services/tap/README.md +++ b/services/tap/README.md 
@@ -9,7 +9,7 @@ VO TAP service for the Rubin Science Platform | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity rules for the Gafaelfawr frontend pod | -| config.datalinkPayloadUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.1.4/datalink-snippets.zip"` | Datalink payload URL | +| config.datalinkPayloadUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.1.23/datalink-snippets.zip"` | Datalink payload URL | | config.gafaelfawrHost | string | Value of `ingress.host` | Gafaelfawr hostname to get user information from a token | | config.gcsBucket | string | None, must be set | Name of GCS bucket in which to store results | | config.gcsBucketType | string | GCS | GCS bucket type (GCS or S3) | diff --git a/services/tap/values.yaml b/services/tap/values.yaml index 5eaf3402e4..8b8e46c48b 100644 --- a/services/tap/values.yaml +++ b/services/tap/values.yaml @@ -59,7 +59,7 @@ config: tapSchemaAddress: "tap-schema-db.tap-schema.svc.cluster.local:3306" # -- Datalink payload URL - datalinkPayloadUrl: "https://github.com/lsst/sdm_schemas/releases/download/1.1.4/datalink-snippets.zip" + datalinkPayloadUrl: "https://github.com/lsst/sdm_schemas/releases/download/1.1.23/datalink-snippets.zip" # -- Gafaelfawr hostname to get user information from a token # @default -- Value of `ingress.host` From 4ed4e3bec02abd616dd68a9baf07e2a96e52adf5 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 31 Aug 2022 17:04:29 -0700 Subject: [PATCH 0994/1479] Add configuration for downloading TAP metadata Support datalinker downloading metadata about the TAP schema. --- services/datalinker/README.md | 1 + services/datalinker/templates/deployment.yaml | 6 ++++++ services/datalinker/values.yaml | 4 ++++ services/tap-schema/README.md | 2 +- 4 files changed, 12 insertions(+), 1 deletion(-) 
diff --git a/services/datalinker/README.md b/services/datalinker/README.md index eacd75bae4..c7d2aedbd4 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md @@ -15,6 +15,7 @@ Service and data discovery for Rubin Science Platform | autoscaling.maxReplicas | int | `100` | Maximum number of datalinker deployment pods | | autoscaling.minReplicas | int | `1` | Minimum number of datalinker deployment pods | | autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of datalinker deployment pods | +| config.tapMetadataUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.2.0/datalink-columns.zip"` | URL containing TAP schema metadata used to construct queries | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.butlerRepositoryIndex | string | Set by Argo CD | URI to the Butler configuration of available repositories | diff --git a/services/datalinker/templates/deployment.yaml b/services/datalinker/templates/deployment.yaml index 16ff38a41f..3838890aac 100644 --- a/services/datalinker/templates/deployment.yaml +++ b/services/datalinker/templates/deployment.yaml @@ -43,6 +43,12 @@ spec: value: "{{ .Values.global.baseUrl }}/api/cutout/sync" - name: "DATALINKER_HIPS_BASE_URL" value: "{{ .Values.global.baseUrl }}/api/hips" + {{- if .Values.config.tapMetadataUrl }} + - name: "DATALINKER_TAP_METADATA_DIR" + value: "/tmp/tap-metadata" + - name: "DATALINKER_TAP_METADATA_URL" + value: {{ .Values.config.tapMetadataUrl | quote }} + {{- end }} - name: "DATALINKER_TOKEN" valueFrom: secretKeyRef: diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml index 34737d8146..f955ade9af 100644 --- a/services/datalinker/values.yaml +++ b/services/datalinker/values.yaml 
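Review bot: The new `DATALINKER_TAP_METADATA_URL` makes the datalinker pod fetch `datalink-columns.zip` from a GitHub release at start-up, and nothing in the chart pins a checksum for it; release assets are mutable, so the TAP metadata the service uses to build queries can change without any chart change. Either pin a digest (if the application supports one) or ship the archive in the image, and at minimum say in the `config.tapMetadataUrl` comment that the file is downloaded unverified at start-up. `DATALINKER_TAP_METADATA_DIR` is hard-coded to `/tmp/tap-metadata`; if the pod runs with `readOnlyRootFilesystem` (the securityContext is outside this hunk) an `emptyDir` mounted at that path is needed. The container spec continues outside the hunk.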
@@ -42,6 +42,10 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +config: + # -- URL containing TAP schema metadata used to construct queries + tapMetadataUrl: "https://github.com/lsst/sdm_schemas/releases/download/1.2.0/datalink-columns.zip" + # -- Annotations for the datalinker deployment pod podAnnotations: {} diff --git a/services/tap-schema/README.md b/services/tap-schema/README.md index b58ebcc3dd..972532b185 100644 --- a/services/tap-schema/README.md +++ b/services/tap-schema/README.md @@ -2,7 +2,7 @@ The TAP_SCHEMA database -**Homepage:** +**Homepage:** ## Values From ac426fdfa3ab18e5f921e556ea76abcbe1138238 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 2 Sep 2022 15:13:42 -0700 Subject: [PATCH 0995/1479] Use old DataLink snippets for TAP for now Do not update TAP to the latest DataLink snippets for now, since they potentially trigger a Portal bug. --- services/tap/README.md | 2 +- services/tap/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/tap/README.md b/services/tap/README.md index 98a0fb0766..68bda5e1fa 100644 --- a/services/tap/README.md +++ b/services/tap/README.md @@ -9,7 +9,7 @@ VO TAP service for the Rubin Science Platform | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity rules for the Gafaelfawr frontend pod | -| config.datalinkPayloadUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.1.23/datalink-snippets.zip"` | Datalink payload URL | +| config.datalinkPayloadUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.1.4/datalink-snippets.zip"` | Datalink payload URL | | config.gafaelfawrHost | string | Value of `ingress.host` | Gafaelfawr hostname to get user information from a token | | config.gcsBucket | string | None, must be set | Name of GCS bucket in which to store results | | config.gcsBucketType | string | GCS | GCS bucket type (GCS or S3) | 
diff --git a/services/tap/values.yaml b/services/tap/values.yaml index 8b8e46c48b..5eaf3402e4 100644 --- a/services/tap/values.yaml +++ b/services/tap/values.yaml @@ -59,7 +59,7 @@ config: tapSchemaAddress: "tap-schema-db.tap-schema.svc.cluster.local:3306" # -- Datalink payload URL - datalinkPayloadUrl: "https://github.com/lsst/sdm_schemas/releases/download/1.1.23/datalink-snippets.zip" + datalinkPayloadUrl: "https://github.com/lsst/sdm_schemas/releases/download/1.1.4/datalink-snippets.zip" # -- Gafaelfawr hostname to get user information from a token # @default -- Value of `ingress.host` From a86189ca0d1e1682facf535d9e4fe3336d35a3af Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 1 Sep 2022 20:03:48 -0700 Subject: [PATCH 0996/1479] Scale up Kafka Connect to 3 replicas --- services/sasquatch/charts/strimzi-kafka/README.md | 2 +- services/sasquatch/charts/strimzi-kafka/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index be352c67cc..43c0656d53 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md 
@@ -8,7 +8,7 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. |-----|------|---------|-------------| | cluster.name | string | `"sasquatch"` | Name used for the Kafka cluster, and used by Strimzi for many annotations. | | connect.image | string | `"lsstsqre/strimzi-0.29.0-kafka-3.1.1:1.0.0"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | -| connect.replicas | int | `1` | Number of Kafka Connect replicas to run. | +| connect.replicas | int | `3` | Number of Kafka Connect replicas to run. | | kafka.config | object | `{"log.retention.bytes":"429496729600","log.retention.hours":24,"offsets.retention.minutes":1440}` | Configuration overrides for the Kafka server. | | kafka.config."log.retention.bytes" | string | `"429496729600"` | Maximum retained number of bytes for a topic's data. | | kafka.config."log.retention.hours" | int | `24` | Number of days for a topic's data to be retained. | diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index f2b0507be9..54af642dd5 100644 --- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml @@ -69,7 +69,7 @@ connect: # -- Custom strimzi-kafka image with connector plugins used by sasquatch. image: lsstsqre/strimzi-0.29.0-kafka-3.1.1:1.0.0 # -- Number of Kafka Connect replicas to run. - replicas: 1 + replicas: 3 registry: # -- Name of the topic used by the Schema Registry From b7a65dd9feccc2414159452987c4436ebf85bdff Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 1 Sep 2022 20:04:32 -0700 Subject: [PATCH 0997/1479] Increase Kafka Connect resource limits - Also increase JMV heap memory --- .../charts/strimzi-kafka/templates/connect.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml index c97db87ce3..e027b498ca 100644 
--- a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml @@ -34,6 +34,16 @@ spec: value.converter: io.confluent.connect.avro.AvroConverter value.converter.schemas.enable: true value.converter.schema.registry.url: http://sasquatch-schema-registry.sasquatch:8081 +resources: + requests: + cpu: "2" + memory: 4Gi + limits: + cpu: "8" + memory: 24Gi +jvmOptions: + "-Xmx": "8g" + "-Xms": "8g" --- apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser From 9a8fc7f45e1f3fb9378182291a743c65f0ec6bf5 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 1 Sep 2022 20:05:30 -0700 Subject: [PATCH 0998/1479] Increase the max number of tasks for influxdb-sink --- .../charts/kafka-connect-manager/README.md | 2 +- .../charts/kafka-connect-manager/values.yaml | 2 +- .../charts/strimzi-kafka/templates/connect.yaml | 16 ++++++++-------- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 2d490498f7..796f2a9248 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md 
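Review bot: The added `resources:` and `jvmOptions:` keys sit at column 0, outside the `spec:` of the KafkaConnect resource (the preceding context lines are under `spec.config`), so they become stray top-level fields of the manifest rather than the `spec.resources` and `spec.jvmOptions` that Strimzi reads, and the new limits and heap settings have no effect as written. The following patch re-indents them under `spec`, which means this commit on its own leaves a broken manifest in history; squashing the two would avoid that. The KafkaConnect spec continues outside the hunk.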
@@ -23,7 +23,7 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | influxdbSink.influxdb-sink.enabled | bool | `false` | Whether this connector instance is deployed. | | influxdbSink.influxdb-sink.excludedTopicRegex | string | `""` | Regex to exclude topics from the list of selected topics from Kafka. | | influxdbSink.influxdb-sink.name | string | `"influxdb-sink"` | Name of the connector instance to create. | -| influxdbSink.influxdb-sink.tasksMax | int | `1` | Number of KafkaConnect tasks. | +| influxdbSink.influxdb-sink.tasksMax | int | `10` | Number of KafkaConnect tasks. | | influxdbSink.influxdb-sink.timestamp | string | `"private_efdStamp"` | Timestamp field to be used as the InfluxDB time, if not specified `sys_time()` the current timestamp. | | influxdbSink.influxdb-sink.topicRegex | string | `"lsst.sal.*"` | Regex to select topics from Kafka. | | jdbcSink.autoCreate | string | `"true"` | Whether to automatically create the destination table. | diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index c7e268d05c..f34168fb84 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml @@ -17,7 +17,7 @@ influxdbSink: # -- InfluxDB database to write to. connectInfluxDb: "efd" # -- Number of KafkaConnect tasks. - tasksMax: 1 + tasksMax: 10 # -- Regex to select topics from Kafka. topicRegex: "lsst.sal.*" # -- If autoUpdate is enabled, check for new kafka topics. diff --git a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml index e027b498ca..e1c1fae049 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/connect.yaml 
@@ -34,14 +34,14 @@ spec: value.converter: io.confluent.connect.avro.AvroConverter value.converter.schemas.enable: true value.converter.schema.registry.url: http://sasquatch-schema-registry.sasquatch:8081 -resources: - requests: - cpu: "2" - memory: 4Gi - limits: - cpu: "8" - memory: 24Gi -jvmOptions: + resources: + requests: + cpu: "2" + memory: 4Gi + limits: + cpu: "8" + memory: 24Gi + jvmOptions: "-Xmx": "8g" "-Xms": "8g" --- From 1321268b1ee7d8a04481e49daf8007611e13553f Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 1 Sep 2022 20:46:31 -0700 Subject: [PATCH 0999/1479] Split load into multiple connectors --- .../charts/kafka-connect-manager/README.md | 28 ++++----- .../templates/influxdb_sink.yaml | 37 ++++++------ .../charts/kafka-connect-manager/values.yaml | 59 +++++++++---------- services/sasquatch/values-summit.yaml | 45 +++++++++++++- 4 files changed, 103 insertions(+), 66 deletions(-) diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 796f2a9248..0f41ac1e45 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md 
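Review bot: With `jvmOptions` now correctly under `spec`, the JVM starts with `-Xms 8g -Xmx 8g` while the container requests only `memory: 4Gi`, so the scheduler can place each of the three Connect replicas on a node with 4Gi free while the process commits an 8g heap plus metaspace and off-heap buffers, leaving the pod dependent on the 24Gi limit and first in line for eviction under node memory pressure. Set the request to cover the heap plus overhead, e.g. `memory: 10Gi`, or lower `-Xms` so the request reflects real usage. The KafkaConnect spec continues outside the hunk.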
@@ -12,20 +12,20 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"lsstsqre/kafkaconnect"` | | | image.tag | string | `"1.0.0"` | | -| influxdbSink.influxdb-sink.autoUpdate | bool | `true` | If autoUpdate is enabled, check for new kafka topics. | -| influxdbSink.influxdb-sink.checkInterval | string | `"15000"` | The interval, in milliseconds, to check for new topics and update the connector. | -| influxdbSink.influxdb-sink.connectInfluxDb | string | `"efd"` | InfluxDB database to write to. | -| influxdbSink.influxdb-sink.connectInfluxErrorPolicy | string | `"THROW"` | Error policy. | -| influxdbSink.influxdb-sink.connectInfluxMaxRetries | string | `"10"` | The maximum number of times a message is retried. | -| influxdbSink.influxdb-sink.connectInfluxRetryInterval | string | `"60000"` | The interval, in milliseconds, between retries. Only valid when the connectInfluxErrorPolicy is set to `RETRY`. | -| influxdbSink.influxdb-sink.connectInfluxUrl | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB URL, can be internal to the cluster. | -| influxdbSink.influxdb-sink.connectProgressEnabled | bool | `false` | Enables the output for how many records have been processed. | -| influxdbSink.influxdb-sink.enabled | bool | `false` | Whether this connector instance is deployed. | -| influxdbSink.influxdb-sink.excludedTopicRegex | string | `""` | Regex to exclude topics from the list of selected topics from Kafka. | -| influxdbSink.influxdb-sink.name | string | `"influxdb-sink"` | Name of the connector instance to create. | -| influxdbSink.influxdb-sink.tasksMax | int | `10` | Number of KafkaConnect tasks. | -| influxdbSink.influxdb-sink.timestamp | string | `"private_efdStamp"` | Timestamp field to be used as the InfluxDB time, if not specified `sys_time()` the current timestamp. 
| -| influxdbSink.influxdb-sink.topicRegex | string | `"lsst.sal.*"` | Regex to select topics from Kafka. | +| influxdbSink.autoUpdate | bool | `true` | If autoUpdate is enabled, check for new kafka topics. | +| influxdbSink.checkInterval | string | `"15000"` | The interval, in milliseconds, to check for new topics and update the connector. | +| influxdbSink.connectInfluxDb | string | `"efd"` | InfluxDB database to write to. | +| influxdbSink.connectInfluxErrorPolicy | string | `"NOOP"` | Error policy, see connector documetation for details. | +| influxdbSink.connectInfluxMaxRetries | string | `"10"` | The maximum number of times a message is retried. | +| influxdbSink.connectInfluxRetryInterval | string | `"60000"` | The interval, in milliseconds, between retries. Only valid when the connectInfluxErrorPolicy is set to `RETRY`. | +| influxdbSink.connectInfluxUrl | string | `"http://sasquatch-influxdb.sasquatch:8086"` | InfluxDB URL. | +| influxdbSink.connectProgressEnabled | bool | `false` | Enables the output for how many records have been processed. | +| influxdbSink.connectors | object | `{"test":{"enabled":false,"topicsRegex":".*Test"}}` | Connector instances to deploy. | +| influxdbSink.connectors.test.enabled | bool | `false` | Whether this connector instance is deployed. | +| influxdbSink.connectors.test.topicsRegex | string | `".*Test"` | Regex to select topics from Kafka. | +| influxdbSink.excludedTopicsRegex | string | `""` | Regex to exclude topics from the list of selected topics from Kafka. | +| influxdbSink.tasksMax | int | `1` | Maxium number of tasks to run the connector. | +| influxdbSink.timestamp | string | `"private_efdStamp"` | Timestamp field to be used as the InfluxDB time, if not specified use `sys_time()`. | | jdbcSink.autoCreate | string | `"true"` | Whether to automatically create the destination table. | | jdbcSink.autoEvolve | string | `"false"` | Whether to automatically add columns in the table schema. 
| | jdbcSink.batchSize | string | `"3000"` | Specifies how many records to attempt to batch together for insertion into the destination table. | diff --git a/services/sasquatch/charts/kafka-connect-manager/templates/influxdb_sink.yaml b/services/sasquatch/charts/kafka-connect-manager/templates/influxdb_sink.yaml index 24fe51a990..a8617fc8c7 100644 --- a/services/sasquatch/charts/kafka-connect-manager/templates/influxdb_sink.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/templates/influxdb_sink.yaml @@ -1,21 +1,19 @@ -{{- range .Values.influxdbSink }} -{{- with . }} -{{- if .enabled }} +{{- range $key, $value := .Values.influxdbSink.connectors }} +{{- if $value.enabled }} +--- apiVersion: apps/v1 kind: Deployment metadata: - name: sasquatch-{{ .name }} + name: sasquatch-influxdb-sink-{{ $key }} spec: replicas: 1 selector: matchLabels: app: kafka-connect-manager - app.kubernetes.io/instance: {{ $.Release.Name }} template: metadata: labels: app: kafka-connect-manager - app.kubernetes.io/instance: {{ $.Release.Name }} spec: securityContext: runAsNonRoot: true @@ -35,16 +33,16 @@ spec: - kafkaconnect - create - influxdb-sink - {{- if .autoUpdate }} + {{- if $.Values.influxdbSink.autoUpdate }} - --auto-update {{- end }} env: - name: KAFKA_CONNECT_NAME - value: {{ .name | quote }} + value: influxdb-sink-{{ $key }} - name: KAFKA_CONNECT_INFLUXDB_URL - value: {{ .connectInfluxUrl | quote }} + value: {{ $.Values.influxdbSink.connectInfluxUrl | quote }} - name: KAFKA_CONNECT_DATABASE - value: {{ .connectInfluxDb | quote }} + value: {{ $.Values.influxdbSink.connectInfluxDb | quote }} - name: KAFKA_CONNECT_INFLUXDB_USERNAME valueFrom: secretKeyRef: 
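Review bot: The rewritten Deployment drops `app.kubernetes.io/instance: {{ $.Release.Name }}` from both `selector.matchLabels` and the pod template, leaving `app: kafka-connect-manager` as the only selector label, and every connector produced by this `range` (plus any other kafka-connect-manager Deployment in the chart using the same label) now shares that selector. Overlapping Deployment selectors are explicitly discouraged by Kubernetes and make label-based Services, NetworkPolicies and `kubectl` queries match all sinks at once. Add a per-instance label to both places, e.g. `connector: influxdb-sink-{{ $key }}`, and keep the release label. The pod spec continues outside the hunk.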
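Review bot: `KAFKA_CONNECT_NAME` is now emitted as the unquoted plain scalar `value: influxdb-sink-{{ $key }}`, while every neighbouring env value goes through `| quote`; a connector key that yields a YAML-special result (or an all-digit key) would render differently from what the author typed. Keep the file consistent and safe with `value: {{ printf "influxdb-sink-%s" $key | quote }}`. The env list continues into the next hunk.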
@@ -56,23 +54,23 @@ spec: name: sasquatch key: influxdb-password - name: KAFKA_CONNECT_TASKS_MAX - value: {{ .tasksMax | quote }} + value: {{ $.Values.influxdbSink.tasksMax | quote }} - name: KAFKA_CONNECT_TOPIC_REGEX - value: {{ .topicRegex | quote }} + value: {{ $value.topicsRegex | quote }} - name: KAFKA_CONNECT_CHECK_INTERVAL - value: {{ .checkInterval | quote }} + value: {{ $.Values.influxdbSink.checkInterval | quote }} - name: KAFKA_CONNECT_EXCLUDED_TOPIC_REGEX - value: {{ .excludedTopicRegex | quote }} + value: {{ $.Values.influxdbSink.excludedTopicsRegex | quote }} - name: KAFKA_CONNECT_INFLUXDB_TIMESTAMP - value: {{ .timestamp | quote }} + value: {{ $.Values.influxdbSink.timestamp | quote }} - name: KAFKA_CONNECT_ERROR_POLICY - value: {{ .connectInfluxErrorPolicy | quote }} + value: {{ $.Values.influxdbSink.connectInfluxErrorPolicy | quote }} - name: KAFKA_CONNECT_MAX_RETRIES - value: {{ .connectInfluxMaxRetries | quote }} + value: {{ $.Values.influxdbSink.connectInfluxMaxRetries | quote }} - name: KAFKA_CONNECT_RETRY_INTERVAL - value: {{ .connectInfluxRetryInterval | quote }} + value: {{ $.Values.influxdbSink.connectInfluxRetryInterval | quote }} - name: KAFKA_CONNECT_PROGRESS_ENABLED - value: {{ .connectProgressEnabled | quote }} + value: {{ $.Values.influxdbSink.connectProgressEnabled | quote }} - name: KAFKA_BROKER_URL value: {{ $.Values.env.kafkaBrokerUrl | quote }} - name: KAFKA_CONNECT_URL @@ -86,4 +84,3 @@ spec: key: kafka-connect-manager-password {{- end }} {{- end }} -{{- end }} diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index f34168fb84..56a82833f3 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml 
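Review bot: `KAFKA_CONNECT_TASKS_MAX` is now read from the shared `$.Values.influxdbSink.tasksMax` for every connector instance, so a heavily loaded sink and a light one get the same task count even though the point of this change is to split load between connectors. Let the per-connector entry override the shared value, `value: {{ $value.tasksMax | default $.Values.influxdbSink.tasksMax | quote }}`, and document `tasksMax` as an optional key under `connectors.<name>`. The same pattern would suit `excludedTopicsRegex`, which is also global now. The container spec continues outside the hunk.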
@@ -6,36 +6,35 @@ image: pullPolicy: IfNotPresent influxdbSink: - # Repeat this block to create multiple instances of this connector. - influxdb-sink: - # -- Name of the connector instance to create. - name: influxdb-sink - # -- Whether this connector instance is deployed. - enabled: false - # -- InfluxDB URL, can be internal to the cluster. - connectInfluxUrl: "http://sasquatch-influxdb.sasquatch:8086" - # -- InfluxDB database to write to. - connectInfluxDb: "efd" - # -- Number of KafkaConnect tasks. - tasksMax: 10 - # -- Regex to select topics from Kafka. - topicRegex: "lsst.sal.*" - # -- If autoUpdate is enabled, check for new kafka topics. - autoUpdate: true - # -- The interval, in milliseconds, to check for new topics and update the connector. - checkInterval: "15000" - # -- Regex to exclude topics from the list of selected topics from Kafka. - excludedTopicRegex: "" - # -- Timestamp field to be used as the InfluxDB time, if not specified `sys_time()` the current timestamp. - timestamp: private_efdStamp - # -- Error policy. - connectInfluxErrorPolicy: THROW - # -- The maximum number of times a message is retried. - connectInfluxMaxRetries: "10" - # -- The interval, in milliseconds, between retries. Only valid when the connectInfluxErrorPolicy is set to `RETRY`. - connectInfluxRetryInterval: "60000" - # -- Enables the output for how many records have been processed. - connectProgressEnabled: false + # -- InfluxDB URL. + connectInfluxUrl: "http://sasquatch-influxdb.sasquatch:8086" + # -- InfluxDB database to write to. + connectInfluxDb: "efd" + # -- Maxium number of tasks to run the connector. + tasksMax: 1 + # -- If autoUpdate is enabled, check for new kafka topics. + autoUpdate: true + # -- The interval, in milliseconds, to check for new topics and update the connector. + checkInterval: "15000" + # -- Timestamp field to be used as the InfluxDB time, if not specified use `sys_time()`. 
+ timestamp: private_efdStamp + # -- Error policy, see connector documetation for details. + connectInfluxErrorPolicy: NOOP + # -- The maximum number of times a message is retried. + connectInfluxMaxRetries: "10" + # -- The interval, in milliseconds, between retries. Only valid when the connectInfluxErrorPolicy is set to `RETRY`. + connectInfluxRetryInterval: "60000" + # -- Enables the output for how many records have been processed. + connectProgressEnabled: false + # -- Regex to exclude topics from the list of selected topics from Kafka. + excludedTopicsRegex: "" + # -- Connector instances to deploy. + connectors: + test: + # -- Whether this connector instance is deployed. + enabled: false + # -- Regex to select topics from Kafka. + topicsRegex: ".*Test" # The s3Sink connector assumes Parquet format with Snappy compression # and a time based partitioner. diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index 179c8407d8..0fb316c9e8 100644 --- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml 
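Review bot: The chart default `connectInfluxErrorPolicy` changes from `THROW` to `NOOP`, but the new comment only says `see connector documetation for details`; as I read the connector's error policies, NOOP logs a failed write and continues, which means records are silently dropped instead of failing the task, and a default that trades durability for availability deserves to be spelled out where operators set it. Suggested comment: `# -- Error policy: NOOP logs a failed write and drops the record, THROW fails the task, RETRY retries up to connectInfluxMaxRetries times.` The same block also has two typos in new comment text, `Maxium` for `Maximum` and `documetation` for `documentation`.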
@@ -29,8 +29,49 @@ influxdb: kafka-connect-manager: influxdbSink: - influxdb-sink: - enabled: true + connectors: + auxtel: + enabled: true + topicsRegex: ".*ATAOS|.*ATDome|.*ATDomeTrajectory|.*ATHexapod|.*ATPneumatics|.*ATPtg|.*ATMCS" + maintel: + enabled: true + topicsRegex: ".*MTAOS|.*MTDome|.*MTDomeTrajectory|.*MTPtg" + mtmount: + enabled: true + topicsRegex: ".*MTMount" + comcam: + enabled: true + topicsRegex: ".*CCArchiver|.*CCCamera|.*CCHeaderService|.*CCOODS" + eas: + enabled: true + topicsRegex: ".*DIMM|.*DSM|.*ESS|.*HVAC|.*WeatherStation" + latiss: + enabled: true + topicsRegex: ".*ATArchiver|.*ATCamera|.*ATHeaderService|.*ATOODS|.*ATSpectrograph" + m1m3: + enabled: true + topicsRegex: ".*MTM1M3" + m2: + enabled: true + topicsRegex: ".*MTHexapod|.*MTM2|.*MTRotator" + obssys: + enabled: true + topicsRegex: ".*GenericCamera|.*Scheduler|.*Script|.*ScriptQueue|.*Watcher" + ocps: + enabled: true + topicsRegex: ".*OCPS" + test: + enabled: true + topicsRegex: ".*Test" + pmd: + enabled: true + topicsRegex: ".*PMD" + calsys: + enabled: true + topicsRegex: ".*ATMonochromator|.*ATWhiteLight|.*CBP|.*Electrometer|.*FiberSpectrograph|.*LinearStage|.*TunableLaser" + mtaircompressor: + enabled: true + topicsRegex: ".*MTAirCompressor" kafdrop: ingress: From fe56195e9b3416bafae7e5a265bce73653490613 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Sat, 3 Sep 2022 08:31:42 -0700 Subject: [PATCH 1000/1479] Remove mirrormaker2 configuration - Mirrormaker2 is now configured by the Strimzi KafkaMirrorMaker2 resource, its configuration can now be removed from kafka-connect-manager. --- .../charts/kafka-connect-manager/README.md | 10 -- .../templates/mirrormaker2.yaml | 100 ------------------ .../charts/kafka-connect-manager/values.yaml | 25 ----- 3 files changed, 135 deletions(-) delete mode 100644 services/sasquatch/charts/kafka-connect-manager/templates/mirrormaker2.yaml 
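Review bot: Every `topicsRegex` here is a bare `.*Name` alternative with no delimiter or anchor, so `.*ATDome` also selects `ATDomeTrajectory` topics, `.*MTDome` selects `MTDomeTrajectory`, and `.*Script` selects `ScriptQueue`; today each of those pairs sits inside the same connector, so the effect is only a redundant alternative, but if a future suffix is shared by two connectors the same records would be written to InfluxDB twice. Whether a full match or a prefix search is applied is not visible from this hunk, so a one-line comment above `connectors:` stating how the manager applies these patterns, e.g. `# topicsRegex is applied as a prefix match; keep subsystem names unique across connectors to avoid double writes`, would let the next editor reason about overlaps.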
diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index 0f41ac1e45..a7bb05341a 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md 
@@ -39,16 +39,6 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | jdbcSink.tableNameFormat | string | `"${topic}"` | A format string for the destination table name. | | jdbcSink.tasksMax | string | `"10"` | Number of Kafka Connect tasks. | | jdbcSink.topicRegex | string | `".*"` | Regex for selecting topics. | -| mirrorMaker2.enabled | bool | `false` | Whether the MirrorMaker 2 connectors (heartbeat, checkpoint and mirror-source) are deployed. | -| mirrorMaker2.name | string | `"replicator"` | Name od the connector to create. | -| mirrorMaker2.replicationPolicySeparator | string | `"."` | Separator used to format the remote topic name. Use an empty string if sourceClusterAlias is empty. | -| mirrorMaker2.sourceClusterAlias | string | `"src"` | Alias for the source cluster. The remote topic name is prefixed by this value. Use an empty string to preserve the name of the source topic in the destination cluster. | -| mirrorMaker2.sourceClusterBootstrapServers | string | `"localhost:31090"` | Source Kafka cluster. | -| mirrorMaker2.syncTopicAclsEnabled | bool | `false` | Whether to monitor source cluster ACLs for changes. | -| mirrorMaker2.targetClusterAlias | string | `"destn"` | Name of the destination cluster. | -| mirrorMaker2.targetClusterBootstrapServers | string | `"localhost:31090"` | Destination Kafka cluster. | -| mirrorMaker2.tasksMax | int | `1` | Number of Kafka Connect tasks. | -| mirrorMaker2.topicRegex | string | `".*"` | Regex for selecting topics. Comma-separated lists are also supported. | | s3Sink.behaviorOnNullValues | string | `"fail"` | How to handle records with a null value (for example, Kafka tombstone records). Valid options are ignore and fail. | | s3Sink.checkInterval | string | `"15000"` | The interval, in milliseconds, to check for new topics and update the connector. | | s3Sink.enabled | bool | `false` | Whether the Amazon S3 Sink connector is deployed. | 
diff --git a/services/sasquatch/charts/kafka-connect-manager/templates/mirrormaker2.yaml b/services/sasquatch/charts/kafka-connect-manager/templates/mirrormaker2.yaml deleted file mode 100644 index 285855379f..0000000000 --- a/services/sasquatch/charts/kafka-connect-manager/templates/mirrormaker2.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -{{ if .Values.mirrorMaker2.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: sasquatch-{{ .Values.mirrorMaker2.name }} -data: - heartbeat-config.json: |+ - { - "connector.class": "org.apache.kafka.connect.mirror.MirrorHeartbeatConnector", - "name": "{{ .Values.mirrorMaker2.name }}-heartbeat", - "source.cluster.alias": {{ .Values.mirrorMaker2.sourceClusterAlias | quote }}, - "replication.policy.separator": {{ .Values.mirrorMaker2.replicationPolicySeparator | quote }}, - "source.cluster.bootstrap.servers": {{ .Values.mirrorMaker2.sourceClusterBootstrapServers | quote }}, - "target.cluster.alias": {{ .Values.mirrorMaker2.targetClusterAlias | quote }}, - "topics": {{ .Values.mirrorMaker2.topicRegex | quote }} - } - checkpoint-config.json: |+ - { - "connector.class": "org.apache.kafka.connect.mirror.MirrorCheckpointConnector", - "name": "{{ .Values.mirrorMaker2.name }}-checkpoint", - "source.cluster.alias": {{ .Values.mirrorMaker2.sourceClusterAlias | quote }}, - "replication.policy.separator": {{ .Values.mirrorMaker2.replicationPolicySeparator | quote }}, - "source.cluster.bootstrap.servers": {{ .Values.mirrorMaker2.sourceClusterBootstrapServers | quote }}, - "target.cluster.alias": {{ .Values.mirrorMaker2.targetClusterAlias | quote }}, - "target.cluster.bootstrap.servers": {{ .Values.mirrorMaker2.targetClusterBootstrapServers | quote }}, - "topics": {{ .Values.mirrorMaker2.topicRegex | quote }} - } - mirror-source-config.json: |+ - { - "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", - "name": "{{ .Values.mirrorMaker2.name }}-mirror-source", - "source.cluster.alias": {{ .Values.mirrorMaker2.sourceClusterAlias | quote }}, - "replication.policy.separator": {{ .Values.mirrorMaker2.replicationPolicySeparator | quote }}, - "source.cluster.bootstrap.servers": {{ .Values.mirrorMaker2.sourceClusterBootstrapServers | quote }}, - "target.cluster.alias": {{ .Values.mirrorMaker2.targetClusterAlias | quote }}, - 
"target.cluster.bootstrap.servers": {{ .Values.mirrorMaker2.targetClusterBootstrapServers | quote }}, - "tasks.max": {{ .Values.mirrorMaker2.tasksMax | quote }}, - "topics": {{ .Values.mirrorMaker2.topicRegex | quote }}, - "sync.topic.acls.enabled": {{ .Values.mirrorMaker2.syncTopicAclsEnabled | quote }}, - "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", - "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter" - } ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sasquatch-{{ .Values.mirrorMaker2.name }} - labels: - app: kafka-connect-manager - app.kubernetes.io/instance: {{ .Release.Name }} -spec: - replicas: 1 - selector: - matchLabels: - app: kafka-connect-manager - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app: kafka-connect-manager - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - containers: - - name: {{ include "kafka-connect-manager.name" . }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "all" - readOnlyRootFilesystem: true - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - kafkaconnect - - create - - mirrormaker2 - - --heartbeat - - /etc/mirrormaker2/heartbeat-config.json - - --checkpoint - - /etc/mirrormaker2/checkpoint-config.json - - --mirror-source - - /etc/mirrormaker2/mirror-source-config.json - - --show-status - env: - - name: KAFKA_BROKER_URL - value: {{ .Values.env.kafkaBrokerUrl | quote }} - - name: KAFKA_CONNECT_URL - value: {{ .Values.env.kafkaConnectUrl | quote }} - volumeMounts: - - name: mirrormaker2 - mountPath: /etc/mirrormaker2 - volumes: - - name: mirrormaker2 - configMap: - name: {{ .Values.mirrorMaker2.name }} -{{ end }} \ No newline at end of file 
diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index 56a82833f3..64122bc81a 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml @@ -91,31 +91,6 @@ s3Sink: # -- The object storage connection URL, for non-AWS s3 providers. storeUrl: "" -mirrorMaker2: - # -- Whether the MirrorMaker 2 connectors (heartbeat, checkpoint and mirror-source) are deployed. - enabled: false - # -- Name od the connector to create. - name: "replicator" - # -- Source Kafka cluster. - sourceClusterBootstrapServers: "localhost:31090" - # -- Alias for the source cluster. The remote topic name is prefixed by this value. - # Use an empty string to preserve the name of the source topic in the destination cluster. - sourceClusterAlias: "src" - # -- Separator used to format the remote topic name. - # Use an empty string if sourceClusterAlias is empty. - replicationPolicySeparator: "." - # -- Destination Kafka cluster. - targetClusterBootstrapServers: "localhost:31090" - # -- Name of the destination cluster. - targetClusterAlias: "destn" - # -- Regex for selecting topics. - # Comma-separated lists are also supported. - topicRegex: ".*" - # -- Number of Kafka Connect tasks. - tasksMax: 1 - # -- Whether to monitor source cluster ACLs for changes. - syncTopicAclsEnabled: false - jdbcSink: # -- Whether the JDBC Sink connector is deployed. enabled: false From 59af647ce023d721eaef4633502dc55cf7177141 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Tue, 6 Sep 2022 11:36:39 -0700 Subject: [PATCH 1001/1479] Add configuration for tucson-teststand - TTS still runs only one influxdb-sink connector instance. --- services/sasquatch/values-tucson-teststand.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 895dcdc9d6..648f5d5025 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -25,13 +25,12 @@ influxdb: proxy_set_header X-Forwarded-Path /; path: / - kafka-connect-manager: influxdbSink: influxdb-sink: enabled: true - connectInfluxErrorPolicy: NOOP tasksMax: 10 + topicsRegex: "lsst.sal.*" kafdrop: ingress: From 0e64b9d30f75f278a1396db00e0e3e216ac3a34a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 2 Sep 2022 12:31:42 -0700 Subject: [PATCH 1002/1479] Add Gafaelfawr cron job for periodic audit Reuse the same pod settings as the maintenance cron job, since these are very similar. Make the cron timings for both configurable in values.yaml. Bump the version of Gafaelfawr to the upcoming release that will include audit support. --- services/gafaelfawr/Chart.yaml | 2 +- services/gafaelfawr/README.md | 12 ++-- .../gafaelfawr/templates/cronjob-audit.yaml | 70 +++++++++++++++++++ .../templates/cronjob-maintenance.yaml | 2 +- services/gafaelfawr/values.yaml | 16 +++-- 5 files changed, 90 insertions(+), 12 deletions(-) create mode 100644 services/gafaelfawr/templates/cronjob-audit.yaml diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index e48da3608c..a3ac4cbb25 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,4 +5,4 @@ description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 5.1.0 +appVersion: 5.2.0 diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 63721be187..f0f04d096a 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
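Review bot: This override still nests the connector directly under `influxdbSink.influxdb-sink`, but the template that introduced the `connectors` map (influxdb_sink.yaml, earlier on this page) iterates `.Values.influxdbSink.connectors` and reads `tasksMax` from `influxdbSink.tasksMax`; as written, `influxdb-sink`, `tasksMax: 10` and the newly added `topicsRegex` are all ignored, and only the chart default `connectors.test` with `enabled: false` is evaluated, so Tucson teststand would render no influxdb-sink Deployment at all (unless a commit outside this view changed the template again). The keys need to move under `connectors`, with `tasksMax` lifted to the `influxdbSink` level where the template now reads it.
```yaml
kafka-connect-manager:
  influxdbSink:
    tasksMax: 10
    connectors:
      influxdb-sink:
        enabled: true
        topicsRegex: "lsst.sal.*"
```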
@@ -74,11 +74,13 @@ Science Platform authentication and authorization system | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Gafaelfawr image | | image.repository | string | `"ghcr.io/lsst-sqre/gafaelfawr"` | Gafaelfawr image to use | | image.tag | string | The appVersion of the chart | Tag of Gafaelfawr image to use | -| maintenance.affinity | object | `{}` | Affinity rules for the Gafaelfawr maintenance pod | -| maintenance.nodeSelector | object | `{}` | Node selection rules for the Gafaelfawr maintenance pod | -| maintenance.podAnnotations | object | `{}` | Annotations for the Gafaelfawr maintenance pod | -| maintenance.resources | object | `{}` | Resource limits and requests for the Gafaelfawr maintenance pod | -| maintenance.tolerations | list | `[]` | Tolerations for the Gafaelfawr maintenance pod | +| maintenance.affinity | object | `{}` | Affinity rules for Gafaelfawr maintenance and audit pods | +| maintenance.auditSchedule | string | `"30 3 * * *"` | Cron schedule string for Gafaelfawr data consistency audit (in UTC) | +| maintenance.maintenanceSchedule | string | `"5 * * * *"` | Cron schedule string for Gafaelfawr periodic maintenance (in UTC) | +| maintenance.nodeSelector | object | `{}` | Node selection rules for Gafaelfawr maintenance and audit pods | +| maintenance.podAnnotations | object | `{}` | Annotations for Gafaelfawr maintenance and audit pods | +| maintenance.resources | object | `{}` | Resource limits and requests for Gafaelfawr maintenance and audit pods | +| maintenance.tolerations | list | `[]` | Tolerations for Gafaelfawr maintenance and audit pods | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Gafaelfawr frontend pod | | podAnnotations | object | `{}` | Annotations for the Gafaelfawr frontend pod | 
diff --git a/services/gafaelfawr/templates/cronjob-audit.yaml b/services/gafaelfawr/templates/cronjob-audit.yaml new file mode 100644 index 0000000000..bb6f1ac31f --- /dev/null +++ b/services/gafaelfawr/templates/cronjob-audit.yaml 
@@ -0,0 +1,70 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ template "gafaelfawr.fullname" . }}-audit + labels: + {{- include "gafaelfawr.labels" . | nindent 4 }} +spec: + schedule: {{ .Values.maintenance.auditSchedule | quote }} + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + template: + metadata: + {{- with .Values.maintenance.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + labels: + {{- include "gafaelfawr.selectorLabels" . | nindent 12 }} + app.kubernetes.io/component: "audit" + spec: + restartPolicy: "Never" + automountServiceAccountToken: false + containers: + - name: "gafaelfawr" + command: + - "gafaelfawr" + - "audit" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- with .Values.maintenance.resources }} + resources: + {{- toYaml . | nindent 16 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + volumeMounts: + - name: "config" + mountPath: "/etc/gafaelfawr" + readOnly: true + - name: "secret" + mountPath: "/etc/gafaelfawr/secrets" + readOnly: true + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + volumes: + - name: "config" + configMap: + name: {{ template "gafaelfawr.fullname" . }}-config + - name: "secret" + secret: + secretName: {{ template "gafaelfawr.fullname" . }}-secret + {{- with .Values.maintenance.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.maintenance.affinity }} + affinity: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.maintenance.tolerations }} + tolerations: + {{- toYaml . | nindent 12 }} + {{- end }} diff --git a/services/gafaelfawr/templates/cronjob-maintenance.yaml b/services/gafaelfawr/templates/cronjob-maintenance.yaml index 2f569d5f06..a45bbf9bc9 100644 
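Review bot: The new CronJob sets `concurrencyPolicy: "Forbid"` but puts no bound on a run's lifetime, so an audit that hangs (for example on a stalled database connection) is never terminated and every later scheduled run is skipped while it lives; adding `activeDeadlineSeconds: 3600  # constructed example; choose a limit longer than a normal audit` and a `backoffLimit` under `jobTemplate.spec` closes that gap. The container hardening is otherwise good (non-root, all capabilities dropped, read-only root filesystem, `automountServiceAccountToken: false`), but the pod `securityContext` omits `seccompProfile`, so `seccompProfile: {type: RuntimeDefault}` next to `runAsNonRoot` would complete the restricted-profile set. Both points apply equally to cronjob-maintenance.yaml, whose hunk here only templates the schedule.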
--- a/services/gafaelfawr/templates/cronjob-maintenance.yaml +++ b/services/gafaelfawr/templates/cronjob-maintenance.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "gafaelfawr.labels" . | nindent 4 }} spec: - schedule: "5 * * * *" + schedule: {{ .Values.maintenance.maintenanceSchedule | quote }} concurrencyPolicy: "Forbid" jobTemplate: spec: diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 9e31fae912..62530d7e2b 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -280,19 +280,25 @@ cloudsql: affinity: {} maintenance: - # -- Resource limits and requests for the Gafaelfawr maintenance pod + # -- Cron schedule string for Gafaelfawr data consistency audit (in UTC) + auditSchedule: "30 3 * * *" + + # -- Cron schedule string for Gafaelfawr periodic maintenance (in UTC) + maintenanceSchedule: "5 * * * *" + + # -- Resource limits and requests for Gafaelfawr maintenance and audit pods resources: {} - # -- Annotations for the Gafaelfawr maintenance pod + # -- Annotations for Gafaelfawr maintenance and audit pods podAnnotations: {} - # -- Node selection rules for the Gafaelfawr maintenance pod + # -- Node selection rules for Gafaelfawr maintenance and audit pods nodeSelector: {} - # -- Tolerations for the Gafaelfawr maintenance pod + # -- Tolerations for Gafaelfawr maintenance and audit pods tolerations: [] - # -- Affinity rules for the Gafaelfawr maintenance pod + # -- Affinity rules for Gafaelfawr maintenance and audit pods affinity: {} tokens: From e3b1624631dc66eff6cb103532f50eaa190a5fbc Mon Sep 17 00:00:00 2001 
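Review bot: The new comments in values.yaml describe `auditSchedule` and `maintenanceSchedule` as `(in UTC)`, but a CronJob schedule is evaluated in the time zone of the kube-controller-manager unless `spec.timeZone` is set on the CronJob, so the statement holds only on clusters whose control plane runs in UTC, which the chart cannot guarantee. Either soften the comment, e.g. `# -- Cron schedule string for Gafaelfawr data consistency audit (interpreted in the control plane's time zone, normally UTC)`, or pin it by adding `timeZone: "Etc/UTC"` beside `schedule:` in both CronJob templates where the cluster's batch/v1 version supports the field.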
From: Russ Allbery Date: Fri, 2 Sep 2022 15:08:32 -0700 Subject: [PATCH 1003/1479] Add Gafaelfawr OIDC claim config options Add the new configuration options supported by Gafaelfawr 5.2.0 for specifying the OIDC ID token claims containing the primary GID and the list of group memberships. --- services/gafaelfawr/README.md | 4 ++++ services/gafaelfawr/templates/configmap.yaml | 12 ++++++++++++ services/gafaelfawr/values.yaml | 20 ++++++++++++++++++++ 3 files changed, 36 insertions(+) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index f0f04d096a..ba504db038 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -26,6 +26,8 @@ Science Platform authentication and authorization system | cloudsql.tolerations | list | `[]` | Tolerations for the Cloud SQL Proxy pod | | config.cilogon.clientId | string | `""` | CILogon client ID. One and only one of this, `config.github.clientId`, or `config.oidc.clientId` must be set. | | config.cilogon.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP | +| config.cilogon.gidClaim | string | Do not set a primary GID | Claim from which to get the primary GID (only used if not retrieved from LDAP or Firestore) | +| config.cilogon.groupsClaim | string | `"isMemberOf"` | Claim from which to get the group membership (only used if not retrieved from LDAP) | | config.cilogon.loginParams | object | `{"skin":"LSST"}` | Additional parameters to add | | config.cilogon.redirectUrl | string | `/login` at the value of config.host | Return URL given to CILogon (must match the CILogon configuration) | | config.cilogon.test | bool | `false` | Whether to use the test instance of CILogon | 
@@ -56,6 +58,8 @@ Science Platform authentication and authorization system | config.oidc.audience | string | Value of `config.oidc.clientId` | Audience for the JWT token | | config.oidc.clientId | string | `""` | Client ID for generic OpenID Connect support. One and only one of this, `config.cilogon.clientId`, or `config.github.clientId` must be set. | | config.oidc.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP | +| config.oidc.gidClaim | string | Do not set a primary GID | Claim from which to get the primary GID (only used if not retrieved from LDAP or Firestore) | +| config.oidc.groupsClaim | string | `"isMemberOf"` | Claim from which to get the group membership (only used if not retrieved from LDAP) | | config.oidc.issuer | string | None, must be set | Issuer for the JWT token | | config.oidc.loginParams | object | `{}` | Additional parameters to add to the login request | | config.oidc.loginUrl | string | None, must be set | URL to which to redirect the user for authorization | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 28694abeb0..8a62574ebb 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -78,6 +78,12 @@ {{- if .Values.config.cilogon.uidClaim }} uid_claim: {{ .Values.config.cilogon.uidClaim | quote }} {{- end }} + {{- if .Values.config.cilogon.gidClaim }} + gid_claim: {{ .Values.config.cilogon.gidClaim | quote }} + {{- end }} + {{- if .Values.config.cilogon.groupsClaim }} + groups_claim: {{ .Values.config.cilogon.groupsClaim | quote }} + {{- end }} {{- else if .Values.config.oidc.clientId }} 
@@ -114,6 +120,12 @@ {{- if .Values.config.oidc.uidClaim }} uid_claim: {{ .Values.config.oidc.uidClaim | quote }} {{- end }} + {{- if .Values.config.oidc.gidClaim }} + gid_claim: {{ .Values.config.oidc.gidClaim | quote }} + {{- end }} + {{- if .Values.config.oidc.groupsClaim }} + groups_claim: {{ .Values.config.oidc.groupsClaim | quote }} + {{- end }} {{- end }} diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 62530d7e2b..fdc4cc001c 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -88,6 +88,16 @@ config: # @default -- `"uidNumber"` uidClaim: "" + # -- Claim from which to get the primary GID (only used if not retrieved + # from LDAP or Firestore) + # @default -- Do not set a primary GID + gidClaim: "" + + # -- Claim from which to get the group membership (only used if not + # retrieved from LDAP) + # @default -- `"isMemberOf"` + groupsClaim: "" + firestore: # -- If set, assign UIDs and GIDs using Google Firestore in the given # project. Cloud SQL must be enabled and the Cloud SQL service account @@ -141,6 +151,16 @@ config: # @default -- `"uidNumber"` uidClaim: "" + # -- Claim from which to get the primary GID (only used if not retrieved + # from LDAP or Firestore) + # @default -- Do not set a primary GID + gidClaim: "" + + # -- Claim from which to get the group membership (only used if not + # retrieved from LDAP) + # @default -- `"isMemberOf"` + groupsClaim: "" + ldap: # -- LDAP server URL from which to retrieve user group information # @default -- Do not use LDAP From 233966035b1815a71d94b1eb7bb9879e4344287c Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 1 Sep 2022 17:42:33 -0700 Subject: [PATCH 1004/1479] Stop specially creating user groups in template Gafaelfawr now includes the user private group in the user's normal gorup list, and some deployments, such as USDF, will not use a user private group with the same GID as the user's UID. Stop generating a separate /etc/group entry with a GID equal to the UID and rely on the groups from Gafaelfawr. Also change the user's GID to their GID attribute if it is set. --- services/nublado2/Chart.yaml | 2 +- services/nublado2/README.md | 2 +- services/nublado2/values.yaml | 10 ++++------ 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index ee31722021..6431e74155 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -5,7 +5,7 @@ description: JupyterHub for the Rubin Science Platform home: https://github.com/lsst-sqre/nublado2 sources: - https://github.com/lsst-sqre/nublado2 -appVersion: "2.4.1" +appVersion: "2.5.0" # Match the jupyterhub Helm chart for kubeVersion kubeVersion: ">=1.20.0-0" dependencies: diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 03c0362642..9875c0a8cb 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -62,7 +62,7 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.hub.extraVolumes[1].name | string | `"nublado-gafaelfawr"` | | | jupyterhub.hub.extraVolumes[1].secret.secretName | string | `"gafaelfawr-token"` | | | jupyterhub.hub.image.name | string | `"lsstsqre/nublado2"` | | -| jupyterhub.hub.image.tag | string | `"2.4.1"` | | +| jupyterhub.hub.image.tag | string | `"2.5.0"` | | | jupyterhub.hub.loadRoles.self.scopes[0] | string | `"admin:servers!user"` | | | jupyterhub.hub.loadRoles.self.scopes[1] | string | `"read:metrics"` | | | jupyterhub.hub.loadRoles.server.scopes[0] | string | `"inherit"` | | 
diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 4408eecda7..2d6486b8fc 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -7,7 +7,7 @@ jupyterhub: authenticatePrometheus: false image: name: lsstsqre/nublado2 - tag: "2.4.1" + tag: "2.5.0" resources: limits: cpu: 900m @@ -297,8 +297,7 @@ config: cgred:x:997: screen:x:84: jovyan:x:768:{{ user }} - provisionator:x:769: - {{user}}:x:{{uid}}:{% for group in groups %} + provisionator:x:769:{% for group in groups %} {{ group.name }}:x:{{ group.id }}:{{ user }}{% endfor %} - apiVersion: v1 kind: ConfigMap @@ -343,8 +342,7 @@ config: cgred:!:: screen:!:: jovyan:!::{{ user }} - provisionator:!:: - {{ user }}:!::{% for g in groups %} + provisionator:!::{% for g in groups %} {{ g.name }}:!::{{ user }}{% endfor %} - apiVersion: v1 kind: ConfigMap @@ -371,7 +369,7 @@ config: lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin provisionator:x:769:769:Lab provisioning user:/home/provisionator:/bin/bash - {{ user }}:x:{{ uid }}:{{ uid }}::/home/{{ user }}:/bin/bash + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user }}:/bin/bash - apiVersion: v1 kind: ConfigMap metadata: From d69c156ac8ccb90450c4caf946aff77ddfa15331 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 6 Sep 2022 13:53:22 -0700 Subject: [PATCH 1005/1479] Set EXTERNAL_GID environment variable in notebooks Parallel to EXTERNAL_UID, set EXTERNAL_GID, since it may now be something interesting that isn't the same as the UID. --- services/nublado2/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 2d6486b8fc..8247b1d50f 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml 
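Review bot: `{{ user }}`, `{{ group.name }}`, `{{ uid }}` and now `{{ gid }}` are interpolated into the /etc/group, /etc/gshadow and /etc/passwd templates in this file without any escaping, so the integrity of those files depends entirely on the values having been validated before they reach the template (a name containing `:` or a newline would create additional entries), and nothing in these hunks shows where that validation happens. A comment above the first template, e.g. `# NOTE: user, uid, gid and group names are inserted verbatim; they are assumed to be validated by Gafaelfawr — confirm its username and group-name rules before relying on this`, makes that trust boundary explicit. Also, with the `{{user}}:x:{{uid}}:` line removed, a configured `gid` that is absent from `groups` leaves the primary group without an /etc/group entry; the commit message says Gafaelfawr now supplies that group, so this may be intentional, but it is worth stating in the same comment.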
@@ -234,6 +234,7 @@ config: WORKFLOW_ROUTE: /wf AUTO_REPO_URLS: https://github.com/lsst-sqre/notebook-demo NO_SUDO: "TRUE" + EXTERNAL_GID: "{{ gid if gid else uid }}" EXTERNAL_GROUPS: "{{ external_groups }}" EXTERNAL_UID: "{{ uid }}" ACCESS_TOKEN: "{{ token }}" From f95fd1249d3ced4325e55867a665d9ce137b7cdc Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 6 Sep 2022 13:54:43 -0700 Subject: [PATCH 1006/1479] Remove provisionator, update notebook group template Stop injecting a user and group for provisionator, which I believe dated from the era where the lab was started as a different user and then used sudo. Only add the user as a supplemental member of a group if the group GID doesn't match the user's GID, following the normal primary group conventions of UNIX. --- services/nublado2/values.yaml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 8247b1d50f..0043882053 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -297,9 +297,8 @@ config: tss:x:59: cgred:x:997: screen:x:84: - jovyan:x:768:{{ user }} - provisionator:x:769:{% for group in groups %} - {{ group.name }}:x:{{ group.id }}:{{ user }}{% endfor %} + jovyan:x:768:{{ user }}{% for g in groups %} + {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: @@ -342,9 +341,8 @@ config: tss:!:: cgred:!:: screen:!:: - jovyan:!::{{ user }} - provisionator:!::{% for g in groups %} - {{ g.name }}:!::{{ user }}{% endfor %} + jovyan:!::{{ user }}{% for g in groups %} + {{ g.name }}:!::{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: 
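Review bot: `{{ user if g.id != gid else "" }}` compares the group id against the raw `gid`, whereas the /etc/passwd line in this file uses `{{ gid if gid else uid }}` as the effective primary GID; when `gid` is unset the comparison is always true, so the user is still listed as a supplemental member of the group whose id equals their uid, which is exactly the case the commit message says it wants to drop. Using the same effective value in both places, `{{ user if g.id != (gid if gid else uid) else "" }}`, in the /etc/group and /etc/gshadow templates keeps them consistent with /etc/passwd and with the `EXTERNAL_GID` value set in the preceding commit.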
@@ -369,7 +367,6 @@ config: dbus:x:81:81:System message bus:/:/sbin/nologin lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - provisionator:x:769:769:Lab provisioning user:/home/provisionator:/bin/bash {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user }}:/bin/bash - apiVersion: v1 kind: ConfigMap @@ -395,7 +392,6 @@ config: dbus:*:18000:0:99999:7::: lsst_lcl:*:18000:0:99999:7::: tss:*:18000:0:99999:7::: - provisionator:*:18000:0:99999:7::: {{user}}:*:18000:0:99999:7::: - apiVersion: v1 kind: ConfigMap From 6b50965aff42f9e9112623c9c0a0fd1b18ffefa6 Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 6 Sep 2022 14:42:41 -0700 Subject: [PATCH 1007/1479] Remove requirement from summit cachemachine --- services/cachemachine/values-summit.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/services/cachemachine/values-summit.yaml b/services/cachemachine/values-summit.yaml index 688d5c65b4..d73909cf71 100644 --- a/services/cachemachine/values-summit.yaml +++ b/services/cachemachine/values-summit.yaml @@ -2,9 +2,7 @@ autostart: jupyter: | { "name": "jupyter", - "labels": { - "jupyterlab": "ok" - }, + "labels": {}, "repomen": [ { "type": "RubinRepoMan", From 609392e4b4b2429aa75c70481121d300a3682378 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 5 Sep 2022 17:35:29 +0000 Subject: [PATCH 1008/1479] Update Helm release redis to v17.1.4 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index a1b7ab7a4d..73967e5f38 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml 
@@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.1.2 + version: 17.1.4 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 8ec3025d83..726accff07 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.1.2 + version: 17.1.4 repository: https://charts.bitnami.com/bitnami From c6bcf6109ab9d87961867defe4b723a5f010241f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 6 Sep 2022 15:04:20 -0700 Subject: [PATCH 1009/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 1a66f7fb66..51c7e97d1d 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.1.2 | +| https://charts.bitnami.com/bitnami | redis | 17.1.4 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index be56a48a9b..7565956d82 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.1.2 | +| https://charts.bitnami.com/bitnami | redis | 17.1.4 | ## Values From 051da2445566b0edb2beb198447a64401c0ce445 Mon Sep 17 00:00:00 2001 
From: Angelo Fausti Date: Tue, 6 Sep 2022 17:01:40 -0700 Subject: [PATCH 1010/1479] Remove telegraf dependency - Centralize monitoring at monitoring.lsst.codes --- services/sasquatch/Chart.yaml | 3 --- services/sasquatch/README.md | 9 +------ services/sasquatch/values.yaml | 45 ++++------------------------------ 3 files changed, 6 insertions(+), 51 deletions(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index fd49fd7ba8..0dc6021020 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -20,8 +20,5 @@ dependencies: - name: kapacitor version: 1.4.6 repository: https://helm.influxdata.com/ - - name: telegraf - version: 1.8.20 - repository: https://helm.influxdata.com/ - name: kafdrop version: 1.0.0 diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 72f6b90b13..10b1005715 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -12,7 +12,6 @@ Rubin Observatory's telemetry service. | https://helm.influxdata.com/ | chronograf | 1.2.5 | | https://helm.influxdata.com/ | influxdb | 4.12.0 | | https://helm.influxdata.com/ | kapacitor | 1.4.6 | -| https://helm.influxdata.com/ | telegraf | 1.8.20 | | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.1.0 | ## Values 
@@ -28,7 +27,7 @@ Rubin Observatory's telemetry service. | influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":0,"query-timeout":"0s","write-timeout":"1h"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0},"logging":{"level":"debug"}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | | influxdb.ingress | object | disabled | InfluxDB ingress configuration. | -| influxdb.initScripts | object | `{"enabled":true,"scripts":{"init.iql":"CREATE DATABASE \"telegraf\" WITH DURATION 30d REPLICATION 1 NAME \"rp_30d\"\n\n"}}` | InfluxDB Custom initialization scripts. | +| influxdb.initScripts.enabled | bool | `false` | Enable InfluxDB custom initialization script. | | influxdb.persistence.enabled | bool | `true` | Enable persistent volume claim. By default storageClass is undefined choosing the default provisioner (standard on GKE). | | influxdb.persistence.size | string | `"1Ti"` | Persistent volume size. @default 1Ti for teststand deployments | | influxdb.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"sasquatch"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | 
@@ -44,9 +43,3 @@ Rubin Observatory's telemetry service. | kapacitor.resources.requests.memory | string | `"1Gi"` | | | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","clusterNamespace":"sasquatch","operatorNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | -| telegraf.config.inputs | list | `[{"prometheus":{"metric_version":2,"urls":["http://hub.nublado2:8081/nb/hub/metrics"]}}]` | Telegraf input plugins. Collect JupyterHub Prometheus metrics by dedault. See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html | -| telegraf.config.outputs | list | `[{"influxdb":{"database":"telegraf","password":"$TELEGRAF_PASSWORD","urls":["http://sasquatch-influxdb.sasquatch:8086"],"username":"telegraf"}}]` | Telegraf default output destination. | -| telegraf.config.processors | object | `{}` | Telegraf processor plugins. | -| telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"sasquatch"}}}` | Telegraf password. | -| telegraf.podLabels | object | `{"hub.jupyter.org/network-access-hub":"true"}` | Allow network access to JupyterHub pod. | -| telegraf.service.enabled | bool | `false` | Telegraf service. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index ce8ee753b0..410e9466b0 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -56,12 +56,12 @@ influxdb: enabled: false logging: level: "debug" - # -- InfluxDB Custom initialization scripts. initScripts: - enabled: true - scripts: - init.iql: |+ - CREATE DATABASE "telegraf" WITH DURATION 30d REPLICATION 1 NAME "rp_30d" + # -- Enable InfluxDB custom initialization script. + enabled: false + # scripts: + # # -- InfluxDB custom initialization script. + # init.iql: |+ # -- Override strimzi-kafka configuration. kafka-connect-manager: {} 
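Review bot: Flipping `initScripts.enabled` to `false` stops creating the `telegraf` database on fresh installs but does nothing for existing deployments, where the database and the `telegraf` InfluxDB user (whose password came from the `telegraf-password` key of the `sasquatch` secret, per the removed README rows) remain valid credentials with no consumer. With `http.auth-enabled: true` in the chart defaults, an orphaned account is a standing credential, so a follow-up should drop the user and remove `telegraf-password` from Vault and the secret generator. A comment next to `enabled: false`, e.g. `# Telegraf moved to monitoring.lsst.codes; drop the telegraf InfluxDB user/db on existing installs`, would keep that cleanup from being forgotten.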
@@ -115,41 +115,6 @@ kapacitor: memory: 16Gi cpu: 4 -telegraf: - # -- Allow network access to JupyterHub pod. - podLabels: - hub.jupyter.org/network-access-hub: "true" - env: - # -- Telegraf password. - - name: TELEGRAF_PASSWORD - valueFrom: - secretKeyRef: - name: sasquatch - key: telegraf-password - service: - # -- Telegraf service. - enabled: false - config: - # -- Telegraf processor plugins. - processors: {} - # -- Telegraf input plugins. - # Collect JupyterHub Prometheus metrics by dedault. - # See https://jupyterhub.readthedocs.io/en/stable/reference/metrics.html - inputs: - - prometheus: - urls: - - http://hub.nublado2:8081/nb/hub/metrics - # See https://docs.influxdata.com/influxdb/v2.1/reference/prometheus-metrics/ - metric_version: 2 - # -- Telegraf default output destination. - outputs: - - influxdb: - urls: - - "http://sasquatch-influxdb.sasquatch:8086" - database: "telegraf" - username: "telegraf" - password: "$TELEGRAF_PASSWORD" - global: # -- Base path for Vault secrets # @default -- Set by Argo CD From ebe2c9fb03811fc5d41fe5d2bfd8a5410842d930 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 7 Sep 2022 10:30:33 -0700 Subject: [PATCH 1011/1479] Review influxdb-sink configuration - Put influxdb-sink configuration back for the test CSC on data-dev and data-int environments - Create multiple connectors based on the kafka producers configuration for the TTS - Add similar comment to Summit influxdb-sink configuration --- services/sasquatch/README.md | 2 +- services/sasquatch/values-idfdev.yaml | 7 ++- services/sasquatch/values-idfint.yaml | 7 ++- services/sasquatch/values-summit.yaml | 2 + .../sasquatch/values-tucson-teststand.yaml | 55 +++++++++++++++++-- services/sasquatch/values.yaml | 2 +- 6 files changed, 63 insertions(+), 12 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 10b1005715..d1ccadfda2 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -31,7 +31,7 @@ Rubin Observatory's telemetry service. | influxdb.persistence.enabled | bool | `true` | Enable persistent volume claim. By default storageClass is undefined choosing the default provisioner (standard on GKE). | | influxdb.persistence.size | string | `"1Ti"` | Persistent volume size. @default 1Ti for teststand deployments | | influxdb.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"sasquatch"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | -| kafka-connect-manager | object | `{}` | Override strimzi-kafka configuration. | +| kafka-connect-manager | object | `{}` | Override kafka-connect-manager configuration. | | kapacitor.envVars | object | `{"KAPACITOR_SLACK_ENABLED":true}` | Kapacitor environment variables. | | kapacitor.existingSecret | string | `"sasquatch"` | InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. | | kapacitor.image | object | `{"repository":"kapacitor","tag":"1.6.5"}` | Kapacitor image tag. | diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index a29bf93af2..90d31922ab 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -22,9 +22,10 @@ influxdb: kafka-connect-manager: influxdbSink: - influxdb-sink: - enabled: true - tasksMax: 10 + connectors: + test: + enabled: true + topicsRegex: ".*Test" kafdrop: ingress: diff --git a/services/sasquatch/values-idfint.yaml b/services/sasquatch/values-idfint.yaml index cb252e7924..258545b6de 100644 --- a/services/sasquatch/values-idfint.yaml +++ b/services/sasquatch/values-idfint.yaml @@ -27,9 +27,10 @@ influxdb: kafka-connect-manager: influxdbSink: - influxdb-sink: - enabled: true - tasksMax: 10 + connectors: + test: + enabled: true + topicsRegex: ".*Test" kafdrop: ingress: diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index 0fb316c9e8..adfc507a38 100644 
--- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml @@ -29,6 +29,8 @@ influxdb: kafka-connect-manager: influxdbSink: + # Based on the kafka producers configuration for the Summit + # https://github.com/lsst-ts/argocd-csc/blob/main/apps/kafka-producers/values-summit.yaml connectors: auxtel: enabled: true diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 648f5d5025..374c4abd65 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml 
@@ -27,10 +27,57 @@ influxdb: kafka-connect-manager: influxdbSink: - influxdb-sink: - enabled: true - tasksMax: 10 - topicsRegex: "lsst.sal.*" + # Based on the kafka producers configuration for the TTS + # https://github.com/lsst-ts/argocd-csc/blob/main/apps/kafka-producers/values-tucson-teststand.yaml + connectors: + auxtel: + enabled: true + topicsRegex: ".*ATAOS|.*ATDome|.*ATDomeTrajectory|.*ATHexapod|.*ATPneumatics|.*ATPtg|.*ATMCS" + maintel: + enabled: true + topicsRegex: ".*MTAOS|.*MTDome|.*MTDomeTrajectory|.*MTPtg" + mtmount: + enabled: true + topicsRegex: ".*MTMount" + comcam: + enabled: true + topicsRegex: ".*CCArchiver|.*CCCamera|.*CCHeaderService|.*CCOODS" + eas: + enabled: true + topicsRegex: ".*DIMM|.*DSM|.*WeatherStation" + latiss: + enabled: true + topicsRegex: ".*ATArchiver|.*ATCamera|.*ATHeaderService|.*ATOODS|.*ATSpectrograph" + m1m3: + enabled: true + topicsRegex: ".*MTM1M3" + m2: + enabled: true + topicsRegex: ".*MTHexapod|.*MTM2|.*MTRotator" + obssys: + enabled: true + topicsRegex: ".*GenericCamera|.*Scheduler|.*Script|.*ScriptQueue|.*Watcher" + ocps: + enabled: true + topicsRegex: ".*OCPS" + test: + enabled: true + topicsRegex: ".*Test" + pmd: + enabled: true + topicsRegex: ".*PMD" + calsys: + enabled: true + topicsRegex: ".*ATMonochromator|.*ATWhiteLight|.*CBP|.*Electrometer|.*FiberSpectrograph|.*LinearStage|.*TunableLaser" + mtaircompressor: + enabled: true + topicsRegex: ".*MTAirCompressor" + authorize: + enabled: true + topicsRegex: ".*Authorize" + mtalignment: + enabled: true + topicsRegex: ".*MTAlignment" kafdrop: ingress: diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 410e9466b0..a3bc7ec762 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -63,7 +63,7 @@ influxdb: # # -- InfluxDB custom initialization script. # init.iql: |+ -# -- Override strimzi-kafka configuration. +# -- Override kafka-connect-manager configuration. kafka-connect-manager: {} chronograf: 
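Review bot: The per-CSC `topicsRegex` values replace the previous `lsst.sal.*` pattern with unanchored alternatives such as `.*Test` and `.*Script`, so each connector now claims any topic ending in that name from any namespace, not only SAL topics. Kafka Connect applies `topics.regex` as a full match, so `.*Script` will not also swallow `ScriptQueue`, but a topic from another producer that happens to end in `Test` would be written into InfluxDB by the `test` connector. Anchoring the prefix, e.g. `topicsRegex: 'lsst\.sal\.(ATAOS|ATDome|ATDomeTrajectory|ATHexapod|ATPneumatics|ATPtg|ATMCS)'`, keeps the scope the old configuration had. The same applies to the identical `test` connector added to values-idfdev.yaml and values-idfint.yaml in this commit.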
From 35ea68ec6c7cba5ec58f622cfb1b93fa034b10f9 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 7 Sep 2022 10:34:52 -0700 Subject: [PATCH 1012/1479] Remove minikube configuration - This configuration is deprecated and we are using data-dev instead --- services/sasquatch/values-minikube.yaml | 33 ------------------------- 1 file changed, 33 deletions(-) delete mode 100644 services/sasquatch/values-minikube.yaml diff --git a/services/sasquatch/values-minikube.yaml b/services/sasquatch/values-minikube.yaml deleted file mode 100644 index 3f2533111f..0000000000 --- a/services/sasquatch/values-minikube.yaml +++ /dev/null @@ -1,33 +0,0 @@ -strimzi-kafka: {} - -influxdb: - ingress: - enabled: true - hostname: minikube.lsst.codes - -kafka-connect-manager: - influxdbSink: - influxdb-sink: - enabled: true - -kafdrop: - ingress: - enabled: true - hostname: minikube.lsst.codes - -chronograf: - ingress: - enabled: true - hostname: minikube.lsst.codes - - env: - GENERIC_NAME: "OIDC" - GENERIC_AUTH_URL: https://minikube.lsst.codes/auth/openid/login - GENERIC_TOKEN_URL: https://minikube.lsst.codes/auth/openid/token - USE_ID_TOKEN: 1 - JWKS_URL: https://minikube.lsst.codes/.well-known/jwks.json - GENERIC_API_URL: https://minikube.lsst.codes/auth/userinfo - GENERIC_SCOPES: openid - GENERIC_API_KEY: sub - PUBLIC_URL: https://minikube.lsst.codes - STATUS_FEED_URL: "https://lsst-sqre.github.io/sasquatch/feeds/minikube.json" From acaf40d2330d9400dc27caf14b962f3ceb9622f6 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 7 Sep 2022 10:36:27 -0700 Subject: [PATCH 1013/1479] Secret ts-salkafka is not needed anymore - It was used by the kafka-producer chart when we had the CSC end-to-end testing --- services/sasquatch/templates/vault-secrets.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/services/sasquatch/templates/vault-secrets.yaml b/services/sasquatch/templates/vault-secrets.yaml index 4071dec1f2..99b782018d 100644 
--- a/services/sasquatch/templates/vault-secrets.yaml +++ b/services/sasquatch/templates/vault-secrets.yaml @@ -9,17 +9,6 @@ spec: --- apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret -metadata: - name: ts-salkafka - namespace: sasquatch -spec: - keys: - - ts-salkafka-password - path: "{{ .Values.global.vaultSecretsPath }}/sasquatch" - type: Opaque ---- -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret metadata: name: pull-secret spec: From f09a4db3a8d14fd7fbfff483ba08999f0476a443 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 7 Sep 2022 12:03:38 -0700 Subject: [PATCH 1014/1479] Give superusers group access --- .../sasquatch/charts/strimzi-kafka/templates/superusers.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/superusers.yaml b/services/sasquatch/charts/strimzi-kafka/templates/superusers.yaml index 29c3a7cb10..4da1e5b269 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/superusers.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/superusers.yaml @@ -12,6 +12,11 @@ spec: authorization: type: simple acls: + - resource: + type: group + name: "*" + patternType: literal + operation: All - resource: type: topic name: "*" From 4007989988a6b806e2b9fd1a9aa05ee0d78625bc Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 7 Sep 2022 12:21:54 -0700 Subject: [PATCH 1015/1479] Add comment on the need of the tls-certs secret --- services/sasquatch/templates/vault-secrets.yaml | 2 ++ services/sasquatch/values-tucson-teststand.yaml | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/services/sasquatch/templates/vault-secrets.yaml b/services/sasquatch/templates/vault-secrets.yaml index 99b782018d..58b3b3351b 100644 --- a/services/sasquatch/templates/vault-secrets.yaml +++ b/services/sasquatch/templates/vault-secrets.yaml 
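Review bot: The new ACL grants `operation: All` on every consumer group (`name: "*"`, `patternType: literal`), which includes deleting groups and resetting committed offsets for any consumer in the cluster, not just joining or reading them. If this principal is meant to be a true superuser, Strimzi's `spec.kafka.authorization.superUsers` list bypasses ACLs entirely and would be the clearer place; if it only needs to consume, `operation: Read` on the group resource is sufficient. Either way, a one-line comment above the new entry stating why wildcard group access is required would help the next reader judge it.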
@@ -15,6 +15,8 @@ spec: path: "{{ .Values.global.vaultSecretsPath }}/pull-secret" type: kubernetes.io/dockerconfigjson --- +# tls-certs secret is here only to enable influxdb-tucson-teststand-efd.lsst.codes +# and should be removed when that's gone. apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 374c4abd65..17cb85b601 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -9,6 +9,10 @@ strimzi-kafka: influxdb: persistence: storageClass: rook-ceph-block + # Temporarily enable this ingress to allow access by the EFD client + # version 0.11.0. Once version 0.12.0 is the default one, this + # can be removed and we should use tucson-teststand.lsst.codes/influxdb + # instead. ingress: enabled: true tls: true From a2ad6ea4119d1518253faf32118f5e0c5a0b9282 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 7 Sep 2022 13:23:10 -0700 Subject: [PATCH 1016/1479] Also update nublado2 ConfigMaps for IDF IDF int and IDF prod override values.yaml, so had to be updated separately. --- services/nublado2/values-idfint.yaml | 16 +++++----------- services/nublado2/values-idfprod.yaml | 16 +++++----------- 2 files changed, 10 insertions(+), 22 deletions(-) diff --git a/services/nublado2/values-idfint.yaml b/services/nublado2/values-idfint.yaml index 4d451b58c6..2eed3d40fa 100644 --- a/services/nublado2/values-idfint.yaml +++ b/services/nublado2/values-idfint.yaml @@ -124,10 +124,8 @@ config: tss:x:59: cgred:x:997: screen:x:84: - jovyan:x:768:{{ user }} - provisionator:x:769: - {{user}}:x:{{uid}}:{% for group in groups %} - {{ group.name }}:x:{{ group.id }}:{{ user }}{% endfor %} + jovyan:x:768:{{ user }}{% for g in groups %} + {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: 
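Review bot: The new comment marks the dedicated `influxdb-tucson-teststand-efd.lsst.codes` ingress as temporary but gives no removal condition a future reader can check, and temporary exceptions on an externally reachable API tend to outlive their reason. This hostname exposes InfluxDB's HTTP API directly, so InfluxDB's own authentication (`http.auth-enabled: true` in the chart defaults) is the only gate on it, independent of whatever fronts `tucson-teststand.lsst.codes/influxdb`. Suggest making the comment actionable: `# TODO(<ticket>): remove this ingress and the tls-certs VaultSecret once EFD client >= 0.12.0 is the default.`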
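Review bot: The removed `{{user}}:x:{{uid}}:` line was the only `/etc/group` entry for the user's own group in this environment, while the passwd hunk in the same file (`@@ -198`) now falls back to `uid` as the primary gid when `gid` is unset, so a user without a `gid` ends up with a primary group number that has no name in the group file. If Gafaelfawr's `addUserGroup: true` guarantees a matching entry in `groups` (so the loop emits it), a Jinja comment saying so would make that dependency explicit; otherwise keep a fallback such as `{% if not gid %}{{ user }}:x:{{ uid }}:{% endif %}` after the loop. The same edit appears in values-idfprod.yaml.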
@@ -170,10 +168,8 @@ config: tss:!:: cgred:!:: screen:!:: - jovyan:!::{{ user }} - provisionator:!:: - {{ user }}:!::{% for g in groups %} - {{ g.name }}:!::{{ user }}{% endfor %} + jovyan:!::{{ user }}{% for g in groups %} + {{ g.name }}:!::{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: @@ -198,8 +194,7 @@ config: dbus:x:81:81:System message bus:/:/sbin/nologin lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - provisionator:x:769:769:Lab provisioning user:/home/provisionator:/bin/bash - {{ user }}:x:{{ uid }}:{{ uid }}::/home/{{ user }}:/bin/bash + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user }}:/bin/bash - apiVersion: v1 kind: ConfigMap metadata: @@ -224,7 +219,6 @@ config: dbus:*:18000:0:99999:7::: lsst_lcl:*:18000:0:99999:7::: tss:*:18000:0:99999:7::: - provisionator:*:18000:0:99999:7::: {{user}}:*:18000:0:99999:7::: - apiVersion: v1 kind: ConfigMap diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index 1e132982f9..f61f296daf 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml @@ -104,10 +104,8 @@ config: tss:x:59: cgred:x:997: screen:x:84: - jovyan:x:768:{{ user }} - provisionator:x:769: - {{user}}:x:{{uid}}:{% for group in groups %} - {{ group.name }}:x:{{ group.id }}:{{ user }}{% endfor %} + jovyan:x:768:{{ user }}{% for g in groups %} + {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: @@ -150,10 +148,8 @@ config: tss:!:: cgred:!:: screen:!:: - jovyan:!::{{ user }} - provisionator:!:: - {{ user }}:!::{% for g in groups %} - {{ g.name }}:!::{{ user }}{% endfor %} + jovyan:!::{{ user }}{% for g in groups %} + {{ g.name }}:!::{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: 
@@ -178,8 +174,7 @@ config: dbus:x:81:81:System message bus:/:/sbin/nologin lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - provisionator:x:769:769:Lab provisioning user:/home/provisionator:/bin/bash - {{ user }}:x:{{ uid }}:{{ uid }}::/home/{{ user }}:/bin/bash + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user }}:/bin/bash - apiVersion: v1 kind: ConfigMap metadata: @@ -204,7 +199,6 @@ config: dbus:*:18000:0:99999:7::: lsst_lcl:*:18000:0:99999:7::: tss:*:18000:0:99999:7::: - provisionator:*:18000:0:99999:7::: {{user}}:*:18000:0:99999:7::: - apiVersion: v1 kind: ConfigMap From 3dacab9d11f52bfb3ce5862520540fd1844032a9 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 7 Sep 2022 14:09:44 -0700 Subject: [PATCH 1017/1479] Maybe suppress CloudSQL NetworkPolicy for Gafaelfawr If CloudSQL is not enabled, also don't install the NetworkPolicy. --- services/gafaelfawr/templates/cloudsql-networkpolicy.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml b/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml index 55f8afcbe4..544ea4305a 100644 --- a/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml +++ b/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml @@ -1,3 +1,4 @@ +{{- if .Values.cloudsql.enabled -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -28,3 +29,4 @@ spec: ports: - protocol: "TCP" port: 5432 +{{- end }} From 725224fb5fcf5c6b12cf67698dc4a7eea28293d2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 7 Sep 2022 16:20:57 -0700 Subject: [PATCH 1018/1479] Update Gafaelfawr configuration for IDF dev The LDAP DNs and enrollment URL have changed for the renaming of the environment to id-dev.lsst.cloud. --- services/gafaelfawr/values-idfdev.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 2a5601eb87..00bbb649cf 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -9,7 +9,7 @@ config: cilogon: clientId: "cilogon:/client_id/46f9ae932fd30e9fb1b246972a3c0720" - enrollmentUrl: "https://registry-test.lsst.codes/registry/co_petitions/start/coef:6" + enrollmentUrl: "https://id-dev.lsst.cloud/registry/co_petitions/start/coef:6" test: true usernameClaim: "username" @@ -18,11 +18,11 @@ config: ldap: url: "ldaps://ldap-test.cilogon.org" - userDn: "uid=readonly_user,ou=system,o=LSST,o=CO,dc=lsst,dc=org" - groupBaseDn: "ou=groups,o=LSST,o=CO,dc=lsst,dc=org" + userDn: "uid=readonly_user,ou=system,o=LSST,o=CO,dc=lsst_dev,dc=org" + groupBaseDn: "ou=groups,o=LSST,o=CO,dc=lsst_dev,dc=org" groupObjectClass: "eduMember" groupMemberAttr: "hasMember" - userBaseDn: "ou=people,o=LSST,o=CO,dc=lsst,dc=org" + userBaseDn: "ou=people,o=LSST,o=CO,dc=lsst_dev,dc=org" userSearchAttr: "voPersonApplicationUID" addUserGroup: true From 8b56d79ce791b66a37b22755b2ecb842478e0b52 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 8 Sep 2022 01:55:23 +0000 Subject: [PATCH 1019/1479] Update quay.io/influxdb/chronograf Docker tag to v1.10.0 --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index d1ccadfda2..eac49db5ce 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -20,7 +20,7 @@ Rubin Observatory's telemetry service. |-----|------|---------|-------------| | chronograf.env | object | `{"BASE_PATH":"/chronograf","CUSTOM_AUTO_REFRESH":"1s=1000","HOST_PAGE_DISABLED":true}` | Chronograf environment variables. | | chronograf.envFromSecret | string | `"sasquatch"` | Chronograf secrets, expected keys generic_client_id, generic_client_secret and token_secret. | -| chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.4"}` | Chronograf image tag. | +| chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.10.0"}` | Chronograf image tag. | | chronograf.ingress | object | disabled | Chronograf ingress configuration. | | chronograf.persistence | object | `{"enabled":true,"size":"100Gi"}` | Chronograf data persistence configuration. | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index a3bc7ec762..ece68c8c86 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -70,7 +70,7 @@ chronograf: # -- Chronograf image tag. image: repository: "quay.io/influxdb/chronograf" - tag: 1.9.4 + tag: 1.10.0 # -- Chronograf data persistence configuration. persistence: enabled: true From 6c1fd1c25dc353f3df3a4bd0da0245ddb7ca9d47 Mon Sep 17 00:00:00 2001 From: stvoutsin Date: Thu, 8 Sep 2022 18:01:26 +0300 Subject: [PATCH 1020/1479] Fix typo in generate_secrets script (gafaelfawr) --- installer/generate_secrets.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 8568710bec..9e684f4718 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py 
@@ -223,7 +223,7 @@ def _gafaelfawr(self): ) self.input_field("gafaelfawr", "ldap", "Use LDAP? (y/n):") - use_ldap = self.secrets["gaelfawr"]["ldap"] + use_ldap = self.secrets["gafaelfawr"]["ldap"] if use_ldap == "y": self.input_field("gafaelfawr", "ldap-password", "LDAP password") From c38224a94995dea5e9dc9eaa178cf30e92c79924 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 8 Sep 2022 10:56:52 -0700 Subject: [PATCH 1021/1479] Fix several issues with Gafaelfawr audits Suppress the audit CronJob if Slack alerts are not enabled, since it will just fail anyway. Enable Slack alerts for most environments now that Slack webhook secrets are in place. Add the audit CronJob to the NetworkPolicy for CloudSQL and Redis. --- services/gafaelfawr/templates/cloudsql-networkpolicy.yaml | 4 ++++ services/gafaelfawr/templates/cronjob-audit.yaml | 2 ++ services/gafaelfawr/templates/redis-networkpolicy.yaml | 4 ++++ services/gafaelfawr/values-base.yaml | 3 +-- services/gafaelfawr/values-idfint.yaml | 2 ++ services/gafaelfawr/values-idfprod.yaml | 2 ++ services/gafaelfawr/values-summit.yaml | 3 +-- services/gafaelfawr/values-tucson-teststand.yaml | 3 +-- 8 files changed, 17 insertions(+), 6 deletions(-) diff --git a/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml b/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml index 544ea4305a..492e2a039b 100644 --- a/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml +++ b/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml @@ -18,6 +18,10 @@ spec: # the frontend. The frontend, since it's performance-critical and gates # all access to the cluster, continues running its own sidecar. - from: + - podSelector: + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: "audit" - podSelector: matchLabels: {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} 
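Review bot: The corrected `use_ldap = self.secrets["gafaelfawr"]["ldap"]` is then compared with `== "y"`, so an operator who answers `Y` or `yes` silently skips the LDAP password prompt and the generated secret set lacks `ldap-password` until Gafaelfawr fails at runtime; normalize the answer with `if use_ldap.strip().lower() in ("y", "yes"):`. The password is also collected through the same `input_field` helper as the y/n question; if that helper uses `input()` rather than `getpass`, the LDAP bind password is echoed to the terminal and scrollback, which is worth confirming since the helper is outside this hunk. `_gafaelfawr` continues beyond the hunk.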
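Review bot: The new ingress rule selects pods carrying `app.kubernetes.io/component: "audit"` plus the chart selector labels, but whether the audit CronJob's pod template actually sets that component label is not visible here; if it does not, the rule matches nothing and the job silently cannot reach the CloudSQL proxy on 5432. A comment tying the two templates together, e.g. `# Must match the pod labels set in cronjob-audit.yaml`, would make the dependency explicit for the next edit to either file. The same applies to the identical rule added to redis-networkpolicy.yaml.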
diff --git a/services/gafaelfawr/templates/cronjob-audit.yaml b/services/gafaelfawr/templates/cronjob-audit.yaml index bb6f1ac31f..690985df58 100644 --- a/services/gafaelfawr/templates/cronjob-audit.yaml +++ b/services/gafaelfawr/templates/cronjob-audit.yaml @@ -1,3 +1,4 @@ +{{- if .Values.config.slackAlerts -}} apiVersion: batch/v1 kind: CronJob metadata: @@ -68,3 +69,4 @@ spec: tolerations: {{- toYaml . | nindent 12 }} {{- end }} +{{- end }} diff --git a/services/gafaelfawr/templates/redis-networkpolicy.yaml b/services/gafaelfawr/templates/redis-networkpolicy.yaml index 91eb35d72c..04c1f6c383 100644 --- a/services/gafaelfawr/templates/redis-networkpolicy.yaml +++ b/services/gafaelfawr/templates/redis-networkpolicy.yaml @@ -17,6 +17,10 @@ spec: ingress: # Allow inbound access to Redis from all other components. - from: + - podSelector: + matchLabels: + {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: "audit" - podSelector: matchLabels: {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} diff --git a/services/gafaelfawr/values-base.yaml b/services/gafaelfawr/values-base.yaml index ad595de177..7269bf85af 100644 --- a/services/gafaelfawr/values-base.yaml +++ b/services/gafaelfawr/values-base.yaml @@ -1,10 +1,9 @@ -# Reset token storage on every Redis restart for now. This should change to -# use persistent volumes once we can coordinate that. redis: persistence: storageClass: "rook-ceph-block" config: + slackAlerts: true databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" github: diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index 01bc8905d6..69278e9e3e 100644 --- a/services/gafaelfawr/values-idfint.yaml +++ b/services/gafaelfawr/values-idfint.yaml @@ -4,6 +4,8 @@ redis: storageClass: "standard-rwo" config: + slackAlerts: true + github: clientId: "0c4cc7eaffc0f89b9ace" 
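Review bot: Wrapping the whole CronJob in `{{- if .Values.config.slackAlerts -}}` silently removes the audit job wherever Slack alerts are off, so an environment that later disables alerts also loses the audit with no signal. The coupling is defensible given the commit message, but it should be documented where operators toggle the flag: the `slackAlerts` entry in values.yaml should say `# Also controls whether the audit CronJob is deployed, since it reports only via Slack.` A separate `audit.enabled` toggle would be cleaner if the job ever gains another output.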
diff --git a/services/gafaelfawr/values-idfprod.yaml b/services/gafaelfawr/values-idfprod.yaml index c63aee7ce4..d4bb06c9f0 100644 --- a/services/gafaelfawr/values-idfprod.yaml +++ b/services/gafaelfawr/values-idfprod.yaml @@ -6,6 +6,8 @@ redis: storageClass: "standard-rwo" config: + slackAlerts: true + github: clientId: "65b6333a066375091548" diff --git a/services/gafaelfawr/values-summit.yaml b/services/gafaelfawr/values-summit.yaml index 98155ccda8..d2631749b9 100644 --- a/services/gafaelfawr/values-summit.yaml +++ b/services/gafaelfawr/values-summit.yaml @@ -1,10 +1,9 @@ -# Reset token storage on every Redis restart for now. This should change to -# use persistent volumes once we can coordinate that. redis: persistence: storageClass: "rook-ceph-block" config: + slackAlerts: true databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" github: diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index dcd355eaba..5e5862a27e 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml @@ -1,10 +1,9 @@ -# Reset token storage on every Redis restart for now. This should change to -# use persistent volumes once we can coordinate that. redis: persistence: storageClass: "rook-ceph-block" config: + slackAlerts: true databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" github: From efe56df53374152af1ce180750d9a421f081dafc Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 8 Sep 2022 11:41:44 -0700 Subject: [PATCH 1022/1479] Fix optionality of slack-webhook secret The way that this was checked for would fail if it wasn't set due to missing dicts. Use the _get_current method instead, since that's what it was intended for. --- installer/generate_secrets.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 9e684f4718..42193e6830 100755 
--- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py @@ -255,7 +255,7 @@ def _gafaelfawr(self): else: raise Exception(f"Invalid auth provider {auth_type}") - slack_webhook = self.secrets["rsp-alerts"]["slack-webhook"] + slack_webhook = self._get_current("rsp-alerts", "slack-webhook") if slack_webhook: self._set("gafaelfawr", "slack-webhook", slack_webhook) From 00974da5b33b4708ee267075c682e229469b2e06 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 8 Sep 2022 13:45:21 -0700 Subject: [PATCH 1023/1479] Enable DP0.2 TAP queries on IDF prod DP0.2 is out so we should be checking this data set, even though we're currently getting errors. --- services/mobu/values-idfprod.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/mobu/values-idfprod.yaml b/services/mobu/values-idfprod.yaml index 2d4f6530cf..056a48df9c 100644 --- a/services/mobu/values-idfprod.yaml +++ b/services/mobu/values-idfprod.yaml @@ -62,4 +62,7 @@ autostart: gidnumber: 74775 scopes: ["read:tap"] business: "TAPQueryRunner" + options: + tap_sync: true + tap_query_set: "dp0.2" restart: true From 7a37605fb8c8d10cdee08eb083962399cc209d0b Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Thu, 8 Sep 2022 14:43:38 -0700 Subject: [PATCH 1024/1479] Roll back Chronograf to version 1.9.4 --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index eac49db5ce..d1ccadfda2 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
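Review bot: `_get_current("rsp-alerts", "slack-webhook")` makes the lookup tolerant of a missing key, but the value is then copied into a second secret via `self._set("gafaelfawr", "slack-webhook", slack_webhook)`, so the same webhook URL — effectively a bearer credential for the Slack channel — now lives in two Vault paths and must be rotated in both. A comment at the `_set` call noting that `gafaelfawr/slack-webhook` is a copy of `rsp-alerts/slack-webhook` and should be regenerated from it rather than edited independently would prevent drift. `_gafaelfawr` starts outside the hunk.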
@@ -20,7 +20,7 @@ Rubin Observatory's telemetry service. |-----|------|---------|-------------| | chronograf.env | object | `{"BASE_PATH":"/chronograf","CUSTOM_AUTO_REFRESH":"1s=1000","HOST_PAGE_DISABLED":true}` | Chronograf environment variables. | | chronograf.envFromSecret | string | `"sasquatch"` | Chronograf secrets, expected keys generic_client_id, generic_client_secret and token_secret. | -| chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.10.0"}` | Chronograf image tag. | +| chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.4"}` | Chronograf image tag. | | chronograf.ingress | object | disabled | Chronograf ingress configuration. | | chronograf.persistence | object | `{"enabled":true,"size":"100Gi"}` | Chronograf data persistence configuration. | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index ece68c8c86..a3bc7ec762 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -70,7 +70,7 @@ chronograf: # -- Chronograf image tag. image: repository: "quay.io/influxdb/chronograf" - tag: 1.10.0 + tag: 1.9.4 # -- Chronograf data persistence configuration. persistence: enabled: true From b84e6c88dfea7d888d798ee6dd6758f61b655ad0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Sep 2022 01:31:39 +0000 Subject: [PATCH 1025/1479] Update Helm release ingress-nginx to v4.2.5 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 129ed811ad..1257945e9d 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml 
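Review bot: `tag: 1.9.4` in services/sasquatch/values.yaml is left as a plain scalar while the other charts touched on this page quote their image tags (`tag: "1.32.0"` in gafaelfawr/values.yaml); a two-dot tag happens to parse as a string, but a future tag of the form `1.10` would parse as the float `1.1` and break the image reference. Quote it: `tag: "1.9.4"`. Since this is a rollback from 1.10.0 and the commit message gives no reason, a one-line comment above the key recording why 1.10.0 was reverted would stop the next Renovate-style bump from silently reintroducing it.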
@@ -3,5 +3,5 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.2.3 + version: 4.2.5 repository: https://kubernetes.github.io/ingress-nginx From f0216c2b78767a844787dfde51a2eda7508c4a93 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 12 Sep 2022 09:23:35 -0700 Subject: [PATCH 1026/1479] Update Helm docs --- services/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index f2adcabcad..3b28543304 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.2.3 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.2.5 | ## Values From 5f7fd3fe695b874bba33da676ab65e0e9521dc1e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Sep 2022 16:31:24 +0000 Subject: [PATCH 1027/1479] Update Helm release vault-secrets-operator to v1.19.3 --- services/vault-secrets-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml index 1e316b47d1..938320151e 100644 --- a/services/vault-secrets-operator/Chart.yaml +++ b/services/vault-secrets-operator/Chart.yaml @@ -3,5 +3,5 @@ name: vault-secrets-operator version: 1.0.0 dependencies: - name: vault-secrets-operator - version: 1.19.2 + version: 1.19.3 repository: https://ricoberger.github.io/helm-charts/ From 1b35dabf66bcaddfed11f1a25343be42b61c0bb7 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 12 Sep 2022 09:35:59 -0700 Subject: [PATCH 1028/1479] Update Helm docs --- services/vault-secrets-operator/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md index fd34c97469..3888c605b1 100644 --- a/services/vault-secrets-operator/README.md +++ b/services/vault-secrets-operator/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.2 | +| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.3 | ## Values From 07a055c22786c147cc8ab36c999cca808cc0bffd Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Sep 2022 16:44:57 +0000 Subject: [PATCH 1029/1479] Update gcr.io/cloudsql-docker/gce-proxy Docker tag to v1.32.0 --- services/gafaelfawr/values.yaml | 2 +- services/times-square/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index fdc4cc001c..60ac82ea74 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -270,7 +270,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.2" + tag: "1.32.0" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index b7dc42199c..252579fbd5 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml @@ -135,7 +135,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.2" + tag: "1.32.0" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index b4d6fd17c5..ceeb97380b 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml 
@@ -78,7 +78,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.31.2" + tag: "1.32.0" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" From 705c9863ba675c216fe8b78d1267ab227b19a824 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 12 Sep 2022 11:15:52 -0700 Subject: [PATCH 1030/1479] Update Helm docs --- services/gafaelfawr/README.md | 2 +- services/times-square/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index ba504db038..2bf35725f2 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -17,7 +17,7 @@ Science Platform authentication and authorization system | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy, used with CloudSQL databases on Google Cloud. This will be run as a sidecar for the main Gafaelfawr pods, and as a separate service (behind a `NetworkPolicy`) for other, lower-traffic services. | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.2"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.32.0"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | None, must be set if Cloud SQL Auth Proxy is enabled | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.nodeSelector | object | `{}` | Node selection rules for the Cloud SQL Proxy pod | | cloudsql.podAnnotations | object | `{}` | Annotations for the Cloud SQL Proxy pod | diff --git a/services/times-square/README.md b/services/times-square/README.md index 7565956d82..680efeb0ce 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -22,7 +22,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.2"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.32.0"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index 686da70daf..e954c1fc76 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -14,7 +14,7 @@ Image cutout service complying with IVOA SODA | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.31.2"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.32.0"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to the GCS bucket, and ability to sign URLs as itself | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | From b7a2ee90abd0a2855b9480b3302432eaf8fc30f6 Mon Sep 17 00:00:00 2001 
From: dspeck1 Date: Mon, 12 Sep 2022 14:54:18 -0500 Subject: [PATCH 1031/1479] adjusted naming to be more generic --- ...ation.yaml => sqlproxy-cross-project-application.yaml} | 8 ++++---- science-platform/values-idfdev.yaml | 2 +- services/{sqlproxy-gcp => sqlproxy}/.helmignore | 0 services/{sqlproxy-gcp => sqlproxy}/Chart.yaml | 0 services/{sqlproxy-gcp => sqlproxy}/README.md | 0 .../{sqlproxy-gcp => sqlproxy}/templates/_helpers.tpl | 0 .../{sqlproxy-gcp => sqlproxy}/templates/deployment.yaml | 0 .../{sqlproxy-gcp => sqlproxy}/templates/service.yaml | 0 .../templates/serviceaccount.yaml | 0 services/{sqlproxy-gcp => sqlproxy}/values-idfdev.yaml | 0 services/{sqlproxy-gcp => sqlproxy}/values.yaml | 0 11 files changed, 5 insertions(+), 5 deletions(-) rename science-platform/templates/{sqlproxy-butler-int-application.yaml => sqlproxy-cross-project-application.yaml} (83%) rename services/{sqlproxy-gcp => sqlproxy}/.helmignore (100%) rename services/{sqlproxy-gcp => sqlproxy}/Chart.yaml (100%) rename services/{sqlproxy-gcp => sqlproxy}/README.md (100%) rename services/{sqlproxy-gcp => sqlproxy}/templates/_helpers.tpl (100%) rename services/{sqlproxy-gcp => sqlproxy}/templates/deployment.yaml (100%) rename services/{sqlproxy-gcp => sqlproxy}/templates/service.yaml (100%) rename services/{sqlproxy-gcp => sqlproxy}/templates/serviceaccount.yaml (100%) rename services/{sqlproxy-gcp => sqlproxy}/values-idfdev.yaml (100%) rename services/{sqlproxy-gcp => sqlproxy}/values.yaml (100%) diff --git a/science-platform/templates/sqlproxy-butler-int-application.yaml b/science-platform/templates/sqlproxy-cross-project-application.yaml similarity index 83% rename from science-platform/templates/sqlproxy-butler-int-application.yaml rename to science-platform/templates/sqlproxy-cross-project-application.yaml index c4bf1c055c..34c67e653e 100644 --- a/science-platform/templates/sqlproxy-butler-int-application.yaml +++ b/science-platform/templates/sqlproxy-cross-project-application.yaml 
@@ -2,7 +2,7 @@ apiVersion: v1 kind: Namespace metadata: - name: sqlproxy-butler-int + name: sqlproxy-cross-project spec: finalizers: - kubernetes @@ -10,17 +10,17 @@ spec: apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: sqlproxy-butler-int + name: sqlproxy-cross-project namespace: argocd finalizers: - resources-finalizer.argocd.argoproj.io spec: destination: - namespace: sqlproxy-butler-int + namespace: sqlproxy-cross-project server: https://kubernetes.default.svc project: default source: - path: services/sqlproxy-gcp + path: services/sqlproxy repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index cb78bffcd0..880584d281 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -46,7 +46,7 @@ squareone: enabled: true squash_api: enabled: false -sqlproxy_butler_int: +sqlproxy_cross_project: enabled: true strimzi: enabled: true diff --git a/services/sqlproxy-gcp/.helmignore b/services/sqlproxy/.helmignore similarity index 100% rename from services/sqlproxy-gcp/.helmignore rename to services/sqlproxy/.helmignore diff --git a/services/sqlproxy-gcp/Chart.yaml b/services/sqlproxy/Chart.yaml similarity index 100% rename from services/sqlproxy-gcp/Chart.yaml rename to services/sqlproxy/Chart.yaml diff --git a/services/sqlproxy-gcp/README.md b/services/sqlproxy/README.md similarity index 100% rename from services/sqlproxy-gcp/README.md rename to services/sqlproxy/README.md diff --git a/services/sqlproxy-gcp/templates/_helpers.tpl b/services/sqlproxy/templates/_helpers.tpl similarity index 100% rename from services/sqlproxy-gcp/templates/_helpers.tpl rename to services/sqlproxy/templates/_helpers.tpl 
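Review bot: The rename is incomplete: the template's guard on line 1, `{{- if .Values.sqlproxy_butler_int.enabled -}}`, is not touched by either hunk in this file, while values-idfdev.yaml in the same commit renames the key to `sqlproxy_cross_project` and science-platform/values.yaml and README.md keep the old key; with the default `sqlproxy_butler_int.enabled: false` the application would presumably stop rendering on idfdev until the guard is updated. PATCH 1037 later on this page makes exactly that change, so the two commits belong together. Separately, renaming both the Namespace and the Argo CD Application means the old `sqlproxy-butler-int` objects are only removed if the parent app prunes them, which the hunk does not show; worth confirming on the cluster after the sync. The template's enclosing conditional starts outside the hunk.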
diff --git a/services/sqlproxy-gcp/templates/deployment.yaml b/services/sqlproxy/templates/deployment.yaml similarity index 100% rename from services/sqlproxy-gcp/templates/deployment.yaml rename to services/sqlproxy/templates/deployment.yaml diff --git a/services/sqlproxy-gcp/templates/service.yaml b/services/sqlproxy/templates/service.yaml similarity index 100% rename from services/sqlproxy-gcp/templates/service.yaml rename to services/sqlproxy/templates/service.yaml diff --git a/services/sqlproxy-gcp/templates/serviceaccount.yaml b/services/sqlproxy/templates/serviceaccount.yaml similarity index 100% rename from services/sqlproxy-gcp/templates/serviceaccount.yaml rename to services/sqlproxy/templates/serviceaccount.yaml diff --git a/services/sqlproxy-gcp/values-idfdev.yaml b/services/sqlproxy/values-idfdev.yaml similarity index 100% rename from services/sqlproxy-gcp/values-idfdev.yaml rename to services/sqlproxy/values-idfdev.yaml diff --git a/services/sqlproxy-gcp/values.yaml b/services/sqlproxy/values.yaml similarity index 100% rename from services/sqlproxy-gcp/values.yaml rename to services/sqlproxy/values.yaml From c733dd1848bf9e4056133e820848eb5bef8a4fcd Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 12 Sep 2022 17:09:38 -0700 Subject: [PATCH 1032/1479] Update version of cachemachine --- services/cachemachine/Chart.yaml | 3 ++- services/cachemachine/README.md | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/services/cachemachine/Chart.yaml b/services/cachemachine/Chart.yaml index d057659c29..f3fe7fb368 100644 --- a/services/cachemachine/Chart.yaml +++ b/services/cachemachine/Chart.yaml @@ -1,5 +1,6 @@ apiVersion: v2 name: cachemachine version: 1.0.0 -appVersion: 1.2.1 description: Service to prepull Docker images for the Science Platform +home: https://github.com/lsst-sqre/cachemachine +appVersion: 1.2.2 diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md index 03b3b4a41c..931b2f606b 100644 
--- a/services/cachemachine/README.md +++ b/services/cachemachine/README.md @@ -2,6 +2,8 @@ Service to prepull Docker images for the Science Platform +**Homepage:** + ## Values | Key | Type | Default | Description | From 5ab7bd72c79dccfb99a525d65a775e5ce3692b61 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Tue, 13 Sep 2022 11:44:24 -0500 Subject: [PATCH 1033/1479] set for image with idf int schema --- services/tap-schema/values-idfdev.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/tap-schema/values-idfdev.yaml b/services/tap-schema/values-idfdev.yaml index e69de29bb2..58f404c428 100644 --- a/services/tap-schema/values-idfdev.yaml +++ b/services/tap-schema/values-idfdev.yaml @@ -0,0 +1,2 @@ +image: + repository: "lsstsqre/tap-schema-idfdev:1.2.1" \ No newline at end of file From 330d73dc70372f0b54ca3bcc0cbecd92b31cfbb5 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Tue, 13 Sep 2022 11:49:27 -0500 Subject: [PATCH 1034/1479] added newline as required by lint --- services/tap-schema/values-idfdev.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/values-idfdev.yaml b/services/tap-schema/values-idfdev.yaml index 58f404c428..8226224f2a 100644 --- a/services/tap-schema/values-idfdev.yaml +++ b/services/tap-schema/values-idfdev.yaml @@ -1,2 +1,2 @@ image: - repository: "lsstsqre/tap-schema-idfdev:1.2.1" \ No newline at end of file + repository: "lsstsqre/tap-schema-idfdev:1.2.1" From 6c505539e30af012a49f2f5076108adbd5b2f5b0 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Tue, 13 Sep 2022 12:00:03 -0500 Subject: [PATCH 1035/1479] Added in missing tag value --- services/tap-schema/values-idfdev.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/services/tap-schema/values-idfdev.yaml b/services/tap-schema/values-idfdev.yaml index 8226224f2a..69ce50a906 100644 --- a/services/tap-schema/values-idfdev.yaml +++ b/services/tap-schema/values-idfdev.yaml 
@@ -1,2 +1,4 @@ image: - repository: "lsstsqre/tap-schema-idfdev:1.2.1" + repository: "lsstsqre/tap-schema-idfdev" + tag: "1.2.1" + From 73643481437259820afddef2acb78e00079fa279 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Tue, 13 Sep 2022 12:02:38 -0500 Subject: [PATCH 1036/1479] linting blank linfe issue --- services/tap-schema/values-idfdev.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/tap-schema/values-idfdev.yaml b/services/tap-schema/values-idfdev.yaml index 69ce50a906..b0c469eadd 100644 --- a/services/tap-schema/values-idfdev.yaml +++ b/services/tap-schema/values-idfdev.yaml @@ -1,4 +1,3 @@ image: repository: "lsstsqre/tap-schema-idfdev" tag: "1.2.1" - From 0b7403740dae4e2f91dc432673f696c45287db3e Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Tue, 13 Sep 2022 12:29:50 -0500 Subject: [PATCH 1037/1479] Updated missed values to reflect new naming --- science-platform/README.md | 2 +- .../templates/sqlproxy-cross-project-application.yaml | 2 +- science-platform/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/science-platform/README.md b/science-platform/README.md index 064de4751c..1c1a38276a 100644 --- a/science-platform/README.md +++ b/science-platform/README.md @@ -27,7 +27,7 @@ | sasquatch.enabled | bool | `false` | | | semaphore.enabled | bool | `false` | | | sherlock.enabled | bool | `false` | | -| sqlproxy_butler_int.enabled | bool | `false` | | +| sqlproxy_cross_project.enabled | bool | `false` | | | squareone.enabled | bool | `false` | | | squash_api.enabled | bool | `false` | | | strimzi.enabled | bool | `false` | | diff --git a/science-platform/templates/sqlproxy-cross-project-application.yaml b/science-platform/templates/sqlproxy-cross-project-application.yaml index 34c67e653e..210f5d9abf 100644 --- a/science-platform/templates/sqlproxy-cross-project-application.yaml +++ b/science-platform/templates/sqlproxy-cross-project-application.yaml 
@@ -1,4 +1,4 @@ -{{- if .Values.sqlproxy_butler_int.enabled -}} +{{- if .Values.sqlproxy_cross_project.enabled -}} apiVersion: v1 kind: Namespace metadata: diff --git a/science-platform/values.yaml b/science-platform/values.yaml index 5b456d3f2c..d1f5f5ca66 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml @@ -38,7 +38,7 @@ semaphore: enabled: false sherlock: enabled: false -sqlproxy_butler_int: +sqlproxy_cross_project: enabled: false squareone: enabled: false From f3ff1da5360eb4fa7b3ccc9410da47586f3f0cf6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 13 Sep 2022 18:45:33 +0000 Subject: [PATCH 1038/1479] Update Helm release strimzi-kafka-operator to v0.31.0 --- services/strimzi/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/strimzi/Chart.yaml b/services/strimzi/Chart.yaml index fdea12619e..ebf65a58bb 100644 --- a/services/strimzi/Chart.yaml +++ b/services/strimzi/Chart.yaml @@ -6,5 +6,5 @@ version: 0.1.0 appVersion: "0.26.0" dependencies: - name: strimzi-kafka-operator - version: "0.30.0" + version: "0.31.0" repository: https://strimzi.io/charts/ From 60c0c0e3726d1f0dae40b9480c77e857ea135368 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Tue, 13 Sep 2022 15:22:29 -0700 Subject: [PATCH 1039/1479] Add external listener configuration to TTS --- services/sasquatch/values-tucson-teststand.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 17cb85b601..955b498e87 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml 
@@ -2,6 +2,19 @@ strimzi-kafka: kafka: storage: storageClassName: rook-ceph-block + externalListener: + tls: + enabled: true + bootstrap: + loadBalancerIP: "140.252.146.59" + host: sasquatch-tts-kafka-bootstrap.lsst.codes + brokers: + - loadBalancerIP: "140.252.146.46" + host: sasquatch-tts-kafka-0.lsst.codes + - loadBalancerIP: "140.252.146.58" + host: sasquatch-tts-kafka-1.lsst.codes + - loadBalancerIP: "140.252.146.47" + host: sasquatch-tts-kafka-2.lsst.codes zookeeper: storage: storageClassName: rook-ceph-block From 7416e7cd2e4cc59a5d11309f17a9798dd16753c0 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 15 Sep 2022 15:05:19 -0700 Subject: [PATCH 1040/1479] Bump tap-schema and datalink snippets Update the version of the datalink snippets in TAP, and the version of tap-schema. --- services/tap-schema/Chart.yaml | 2 +- services/tap/README.md | 2 +- services/tap/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 979a567463..743afa912e 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -3,4 +3,4 @@ name: tap-schema version: 1.0.0 description: The TAP_SCHEMA database home: https://github.com/lsst/sdm_schemas -appVersion: 1.2.0 +appVersion: 1.2.2 diff --git a/services/tap/README.md b/services/tap/README.md index 68bda5e1fa..8decd038b5 100644 --- a/services/tap/README.md +++ b/services/tap/README.md 
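Review bot: The new `externalListener` publishes the bootstrap endpoint and all three brokers on LoadBalancer IPs with `tls: enabled: true` but no client-authentication setting, so unless the strimzi-kafka subchart's defaults (not visible here) enable authentication on the external listener, TLS gives transport encryption only and any client that can reach those addresses could produce and consume without credentials. Strimzi listeners support `authentication.type` values such as `tls` or `scram-sha-512`; confirm which one the base values apply, or set it explicitly alongside `tls` here, however the subchart exposes it. A comment above the block such as `# External listener: TLS-encrypted; client authentication inherited from the base chart (confirm).` would record the intent for the next maintainer. The `kafka:` mapping continues outside the hunk.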
@@ -9,7 +9,7 @@ VO TAP service for the Rubin Science Platform | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity rules for the Gafaelfawr frontend pod | -| config.datalinkPayloadUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.1.4/datalink-snippets.zip"` | Datalink payload URL | +| config.datalinkPayloadUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.2.2/datalink-snippets.zip"` | Datalink payload URL | | config.gafaelfawrHost | string | Value of `ingress.host` | Gafaelfawr hostname to get user information from a token | | config.gcsBucket | string | None, must be set | Name of GCS bucket in which to store results | | config.gcsBucketType | string | GCS | GCS bucket type (GCS or S3) | diff --git a/services/tap/values.yaml b/services/tap/values.yaml index 5eaf3402e4..14565d9b39 100644 --- a/services/tap/values.yaml +++ b/services/tap/values.yaml @@ -59,7 +59,7 @@ config: tapSchemaAddress: "tap-schema-db.tap-schema.svc.cluster.local:3306" # -- Datalink payload URL - datalinkPayloadUrl: "https://github.com/lsst/sdm_schemas/releases/download/1.1.4/datalink-snippets.zip" + datalinkPayloadUrl: "https://github.com/lsst/sdm_schemas/releases/download/1.2.2/datalink-snippets.zip" # -- Gafaelfawr hostname to get user information from a token # @default -- Value of `ingress.host` From c42dddbe43a6df67c7b12c46fa1256fcf6991f2e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 15 Sep 2022 15:30:22 -0700 Subject: [PATCH 1041/1479] New Portal version --- services/portal/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml index e906aaa74e..621ec41966 100644 --- a/services/portal/Chart.yaml +++ b/services/portal/Chart.yaml 
@@ -3,4 +3,4 @@ name: portal version: 1.0.0 description: "Rubin Science Platform portal aspect" home: "https://github.com/lsst/suit" -appVersion: "suit-2022.5.3" +appVersion: "suit-2022.5.4" From 0dffd6a14f695e0023252fb7bfc9cb036dad3962 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 16 Sep 2022 08:10:56 -0700 Subject: [PATCH 1042/1479] Stop pinning tap-schema on IDF dev This has been rolled into the regular tap-schema release process, so it should float with the current appVersion like the other environments. --- services/tap-schema/values-idfdev.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/tap-schema/values-idfdev.yaml b/services/tap-schema/values-idfdev.yaml index b0c469eadd..a831a1b57f 100644 --- a/services/tap-schema/values-idfdev.yaml +++ b/services/tap-schema/values-idfdev.yaml @@ -1,3 +1,2 @@ image: repository: "lsstsqre/tap-schema-idfdev" - tag: "1.2.1" From 5390aba86a5ffa2accafe6e7d9880d84f8e87e8b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 19 Sep 2022 13:58:00 +0000 Subject: [PATCH 1043/1479] Update Helm release argo-cd to v5 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 083105d6b6..ce17f67c58 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 4.10.9 + version: 5.4.6 repository: https://argoproj.github.io/argo-helm From a2dcbd9cb35930a61822d94cf584b7f21081fc07 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 19 Sep 2022 10:23:46 -0700 Subject: [PATCH 1044/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 8cc3e80018..2a8d4ec32d 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md 
@@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.10.9 | +| https://argoproj.github.io/argo-helm | argo-cd | 5.4.6 | ## Values From 7d8bcc1dfa3ce59aa0821dabac9489eadf9d711b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 19 Sep 2022 17:31:18 +0000 Subject: [PATCH 1045/1479] Update Helm release vault-secrets-operator to v1.19.5 --- services/vault-secrets-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml index 938320151e..e54210c47b 100644 --- a/services/vault-secrets-operator/Chart.yaml +++ b/services/vault-secrets-operator/Chart.yaml @@ -3,5 +3,5 @@ name: vault-secrets-operator version: 1.0.0 dependencies: - name: vault-secrets-operator - version: 1.19.3 + version: 1.19.5 repository: https://ricoberger.github.io/helm-charts/ From 8b08550b6e5345f9195ee4287ee2a95439a88913 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 19 Sep 2022 11:16:30 -0700 Subject: [PATCH 1046/1479] Update Helm docs --- services/vault-secrets-operator/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md index 3888c605b1..4d00932781 100644 --- a/services/vault-secrets-operator/README.md +++ b/services/vault-secrets-operator/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.3 | +| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.5 | ## Values From 4dfbe2183c8aeaab8de0a1c6800d928f1b1ce801 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 19 Sep 2022 18:25:24 +0000 Subject: [PATCH 1047/1479] Update Helm release redis to v17.1.6 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 73967e5f38..0120101bee 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.1.4 + version: 17.1.6 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 726accff07..a4936a005f 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.1.4 + version: 17.1.6 repository: https://charts.bitnami.com/bitnami From beadc2628ed498781f4f23557c4ff7defc17e4e6 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 19 Sep 2022 11:41:40 -0700 Subject: [PATCH 1048/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 51c7e97d1d..e489453a90 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.1.4 | +| https://charts.bitnami.com/bitnami | redis | 17.1.6 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 680efeb0ce..76726c5ba9 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.1.4 | +| https://charts.bitnami.com/bitnami | redis | 17.1.6 | ## Values From 35f21e9f439a7aa52437ef714c0a0d5bd311ffa4 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 19 Sep 2022 15:26:06 -0700 Subject: [PATCH 1049/1479] Adopt z2jh 2.0.0 / JupyterHub 3.0.0 --- services/nublado2/Chart.yaml | 5 +++-- services/nublado2/README.md | 4 ++-- services/nublado2/values.yaml | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index 6431e74155..9101af3cb5 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -10,6 +10,7 @@ appVersion: "2.5.0" kubeVersion: ">=1.20.0-0" dependencies: - name: jupyterhub - # There hasn't been a stable release in a very long time. - version: "1.1.3-n474.h8d0a7616" + # This is the Zero To Jupyterhub version, *not* the version of the + # Jupyterhub package itself. + version: "2.0.0" repository: https://jupyterhub.github.io/helm-chart/ diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 9875c0a8cb..4fc4154bd0 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -14,7 +14,7 @@ Kubernetes: `>=1.20.0-0` | Repository | Name | Version | |------------|------|---------| -| https://jupyterhub.github.io/helm-chart/ | jupyterhub | 1.1.3-n474.h8d0a7616 | +| https://jupyterhub.github.io/helm-chart/ | jupyterhub | 2.0.0 | ## Values 
@@ -62,7 +62,7 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.hub.extraVolumes[1].name | string | `"nublado-gafaelfawr"` | | | jupyterhub.hub.extraVolumes[1].secret.secretName | string | `"gafaelfawr-token"` | | | jupyterhub.hub.image.name | string | `"lsstsqre/nublado2"` | | -| jupyterhub.hub.image.tag | string | `"2.5.0"` | | +| jupyterhub.hub.image.tag | string | `"2.6.0"` | | | jupyterhub.hub.loadRoles.self.scopes[0] | string | `"admin:servers!user"` | | | jupyterhub.hub.loadRoles.self.scopes[1] | string | `"read:metrics"` | | | jupyterhub.hub.loadRoles.server.scopes[0] | string | `"inherit"` | | diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 0043882053..6161a1ab3f 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -7,7 +7,7 @@ jupyterhub: authenticatePrometheus: false image: name: lsstsqre/nublado2 - tag: "2.5.0" + tag: "2.6.0" resources: limits: cpu: 900m From 3433d59d73149ad6c596c56f67e9264526626766 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Tue, 20 Sep 2022 12:57:49 -0700 Subject: [PATCH 1050/1479] Delete /etc/shadow and /etc/gshadow for labs We no longer support PAM, sudo, or privilege escalation in labs, so nothing should be reading these files. Simplify the config by removing the generated ConfigMaps and mounts. Also delete obsolete settings for vault_secrets_path and pull-secret, which were migrated to use the injected global path. The sciplat-lab build already deletes /etc/shadow and /etc/gshadow, so with this change those files simply won't exist. --- services/nublado2/README.md | 15 ---- services/nublado2/values-base.yaml | 6 -- services/nublado2/values-ccin2p3.yaml | 6 -- services/nublado2/values-idfdev.yaml | 6 -- services/nublado2/values-idfint.yaml | 75 ---------------- services/nublado2/values-idfprod.yaml | 75 ---------------- services/nublado2/values-minikube.yaml | 6 -- services/nublado2/values-roe.yaml | 6 -- services/nublado2/values-summit.yaml | 6 -- .../nublado2/values-tucson-teststand.yaml | 6 -- services/nublado2/values.yaml | 89 ------------------- 11 files changed, 296 deletions(-) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 4fc4154bd0..1dfd2e00ce 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md 
@@ -108,14 +108,6 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.singleuser.storage.extraVolumeMounts[6].name | string | `"group"` | | | jupyterhub.singleuser.storage.extraVolumeMounts[6].readOnly | bool | `true` | | | jupyterhub.singleuser.storage.extraVolumeMounts[6].subPath | string | `"group"` | | -| jupyterhub.singleuser.storage.extraVolumeMounts[7].mountPath | string | `"/etc/shadow"` | | -| jupyterhub.singleuser.storage.extraVolumeMounts[7].name | string | `"shadow"` | | -| jupyterhub.singleuser.storage.extraVolumeMounts[7].readOnly | bool | `true` | | -| jupyterhub.singleuser.storage.extraVolumeMounts[7].subPath | string | `"shadow"` | | -| jupyterhub.singleuser.storage.extraVolumeMounts[8].mountPath | string | `"/etc/gshadow"` | | -| jupyterhub.singleuser.storage.extraVolumeMounts[8].name | string | `"gshadow"` | | -| jupyterhub.singleuser.storage.extraVolumeMounts[8].readOnly | bool | `true` | | -| jupyterhub.singleuser.storage.extraVolumeMounts[8].subPath | string | `"gshadow"` | | | jupyterhub.singleuser.storage.extraVolumes[0].configMap.name | string | `"dask"` | | | jupyterhub.singleuser.storage.extraVolumes[0].name | string | `"dask"` | | | jupyterhub.singleuser.storage.extraVolumes[1].configMap.name | string | `"idds-config"` | | 
@@ -133,12 +125,5 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.singleuser.storage.extraVolumes[6].configMap.defaultMode | int | `420` | | | jupyterhub.singleuser.storage.extraVolumes[6].configMap.name | string | `"group"` | | | jupyterhub.singleuser.storage.extraVolumes[6].name | string | `"group"` | | -| jupyterhub.singleuser.storage.extraVolumes[7].configMap.defaultMode | int | `384` | | -| jupyterhub.singleuser.storage.extraVolumes[7].configMap.name | string | `"shadow"` | | -| jupyterhub.singleuser.storage.extraVolumes[7].name | string | `"shadow"` | | -| jupyterhub.singleuser.storage.extraVolumes[8].configMap.defaultMode | int | `384` | | -| jupyterhub.singleuser.storage.extraVolumes[8].configMap.name | string | `"gshadow"` | | -| jupyterhub.singleuser.storage.extraVolumes[8].name | string | `"gshadow"` | | | jupyterhub.singleuser.storage.type | string | `"none"` | | | network_policy.enabled | bool | `true` | | -| vault_secret_path | string | `""` | | diff --git a/services/nublado2/values-base.yaml b/services/nublado2/values-base.yaml index 12729fd444..4eea1c4f87 100644 --- a/services/nublado2/values-base.yaml +++ b/services/nublado2/values-base.yaml @@ -44,9 +44,3 @@ config: mountPath: /project - name: scratch mountPath: /scratch - -vault_secret_path: "secret/k8s_operator/base-lsp.lsst.codes/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/base-lsp.lsst.codes/pull-secret" diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index ba6fde3c3b..c52330e65d 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -39,9 +39,3 @@ config: mountPath: /data - name: home mountPath: /home - -vault_secret_path: "secret/k8s_operator/rsp-cc/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/rsp-cc/pull-secret" diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml index 71237a5dda..f49bc99be3 100644 
--- a/services/nublado2/values-idfdev.yaml +++ b/services/nublado2/values-idfdev.yaml @@ -57,9 +57,3 @@ config: mountPath: /project - name: scratch mountPath: /scratch - -vault_secret_path: "secret/k8s_operator/data-dev.lsst.cloud/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-dev.lsst.cloud/pull-secret" diff --git a/services/nublado2/values-idfint.yaml b/services/nublado2/values-idfint.yaml index 2eed3d40fa..a86b9072eb 100644 --- a/services/nublado2/values-idfint.yaml +++ b/services/nublado2/values-idfint.yaml @@ -126,50 +126,6 @@ config: screen:x:84: jovyan:x:768:{{ user }}{% for g in groups %} {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} - - apiVersion: v1 - kind: ConfigMap - metadata: - name: gshadow - namespace: "{{ user_namespace }}" - data: - gshadow: | - root:!:: - bin:!:: - daemon:!:: - sys:!:: - adm:!:: - tty:!:: - disk:!:: - lp:!:: - mem:!:: - kmem:!:: - wheel:!:: - cdrom:!:: - mail:!:: - man:!:: - dialout:!:: - floppy:!:: - games:!:: - tape:!:: - video:!:: - ftp:!:: - lock:!:: - audio:!:: - nobody:!:: - users:!:: - utmp:!:: - utempter:!:: - input:!:: - systemd-journal:!:: - systemd-network:!:: - dbus:!:: - ssh_keys:!:: - lsst_lcl:!::{{ user }} - tss:!:: - cgred:!:: - screen:!:: - jovyan:!::{{ user }}{% for g in groups %} - {{ g.name }}:!::{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: 
@@ -195,31 +151,6 @@ config: lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user }}:/bin/bash - - apiVersion: v1 - kind: ConfigMap - metadata: - name: shadow - namespace: "{{ user_namespace }}" - data: - shadow: | - root:*:18000:0:99999:7::: - bin:*:18000:0:99999:7::: - daemon:*:18000:0:99999:7::: - adm:*:18000:0:99999:7::: - lp:*:18000:0:99999:7::: - sync:*:18000:0:99999:7::: - shutdown:*:18000:0:99999:7::: - halt:*:18000:0:99999:7::: - mail:*:18000:0:99999:7::: - operator:*:18000:0:99999:7::: - games:*:18000:0:99999:7::: - ftp:*:18000:0:99999:7::: - nobody:*:18000:0:99999:7::: - systemd-network:*:18000:0:99999:7::: - dbus:*:18000:0:99999:7::: - lsst_lcl:*:18000:0:99999:7::: - tss:*:18000:0:99999:7::: - {{user}}:*:18000:0:99999:7::: - apiVersion: v1 kind: ConfigMap metadata: @@ -315,9 +246,3 @@ config: hard: limits.cpu: 9 limits.memory: 27Gi - -vault_secret_path: "secret/k8s_operator/data-int.lsst.cloud/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data-int.lsst.cloud/pull-secret" diff --git a/services/nublado2/values-idfprod.yaml b/services/nublado2/values-idfprod.yaml index f61f296daf..ff3cb92991 100644 --- a/services/nublado2/values-idfprod.yaml +++ b/services/nublado2/values-idfprod.yaml 
@@ -106,50 +106,6 @@ config: screen:x:84: jovyan:x:768:{{ user }}{% for g in groups %} {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} - - apiVersion: v1 - kind: ConfigMap - metadata: - name: gshadow - namespace: "{{ user_namespace }}" - data: - gshadow: | - root:!:: - bin:!:: - daemon:!:: - sys:!:: - adm:!:: - tty:!:: - disk:!:: - lp:!:: - mem:!:: - kmem:!:: - wheel:!:: - cdrom:!:: - mail:!:: - man:!:: - dialout:!:: - floppy:!:: - games:!:: - tape:!:: - video:!:: - ftp:!:: - lock:!:: - audio:!:: - nobody:!:: - users:!:: - utmp:!:: - utempter:!:: - input:!:: - systemd-journal:!:: - systemd-network:!:: - dbus:!:: - ssh_keys:!:: - lsst_lcl:!::{{ user }} - tss:!:: - cgred:!:: - screen:!:: - jovyan:!::{{ user }}{% for g in groups %} - {{ g.name }}:!::{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: @@ -175,31 +131,6 @@ config: lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user }}:/bin/bash - - apiVersion: v1 - kind: ConfigMap - metadata: - name: shadow - namespace: "{{ user_namespace }}" - data: - shadow: | - root:*:18000:0:99999:7::: - bin:*:18000:0:99999:7::: - daemon:*:18000:0:99999:7::: - adm:*:18000:0:99999:7::: - lp:*:18000:0:99999:7::: - sync:*:18000:0:99999:7::: - shutdown:*:18000:0:99999:7::: - halt:*:18000:0:99999:7::: - mail:*:18000:0:99999:7::: - operator:*:18000:0:99999:7::: - games:*:18000:0:99999:7::: - ftp:*:18000:0:99999:7::: - nobody:*:18000:0:99999:7::: - systemd-network:*:18000:0:99999:7::: - dbus:*:18000:0:99999:7::: - lsst_lcl:*:18000:0:99999:7::: - tss:*:18000:0:99999:7::: - {{user}}:*:18000:0:99999:7::: - apiVersion: v1 kind: ConfigMap metadata: 
@@ -295,9 +226,3 @@ config: hard: limits.cpu: 9 limits.memory: 27Gi - -vault_secret_path: "secret/k8s_operator/data.lsst.cloud/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/data.lsst.cloud/pull-secret" diff --git a/services/nublado2/values-minikube.yaml b/services/nublado2/values-minikube.yaml index 36582e3cec..ddb9f8c155 100644 --- a/services/nublado2/values-minikube.yaml +++ b/services/nublado2/values-minikube.yaml @@ -19,9 +19,3 @@ config: volume_mounts: - name: home mountPath: /home - -vault_secret_path: "secret/k8s_operator/minikube.lsst.codes/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/minikube.lsst.codes/pull-secret" diff --git a/services/nublado2/values-roe.yaml b/services/nublado2/values-roe.yaml index 919ad4f472..fee9b01082 100644 --- a/services/nublado2/values-roe.yaml +++ b/services/nublado2/values-roe.yaml @@ -38,9 +38,3 @@ config: mountPath: /project - name: scratch mountPath: /scratch - -vault_secret_path: "secret/k8s_operator/roe/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/roe/pull-secret" diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml index a946f2ca8b..55c6699c6e 100644 --- a/services/nublado2/values-summit.yaml +++ b/services/nublado2/values-summit.yaml @@ -97,9 +97,3 @@ config: - name: base-comcam mountPath: /data/lsstdata/base/comcam readOnly: true - -vault_secret_path: "secret/k8s_operator/summit-lsp.lsst.codes/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/summit-lsp.lsst.codes/pull-secret" diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index 6ebdd118f9..4e53a92f03 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml 
@@ -79,9 +79,3 @@ config: - name: comcam-oods mountPath: /data/lsstdata/TTS/comcam readOnly: true - -vault_secret_path: "secret/k8s_operator/tucson-teststand.lsst.codes/nublado2" - -pull-secret: - enabled: true - path: "secret/k8s_operator/tucson-teststand.lsst.codes/pull-secret" diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 6161a1ab3f..bc1346e563 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -104,14 +104,6 @@ jupyterhub: configMap: defaultMode: 420 name: group - - name: shadow - configMap: - defaultMode: 384 - name: shadow - - name: gshadow - configMap: - defaultMode: 384 - name: gshadow extraVolumeMounts: - name: dask mountPath: /etc/dask @@ -131,14 +123,6 @@ jupyterhub: mountPath: /etc/group readOnly: true subPath: group - - name: shadow - mountPath: /etc/shadow - readOnly: true - subPath: shadow - - name: gshadow - mountPath: /etc/gshadow - readOnly: true - subPath: gshadow type: none proxy: @@ -299,50 +283,6 @@ config: screen:x:84: jovyan:x:768:{{ user }}{% for g in groups %} {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} - - apiVersion: v1 - kind: ConfigMap - metadata: - name: gshadow - namespace: "{{ user_namespace }}" - data: - gshadow: | - root:!:: - bin:!:: - daemon:!:: - sys:!:: - adm:!:: - tty:!:: - disk:!:: - lp:!:: - mem:!:: - kmem:!:: - wheel:!:: - cdrom:!:: - mail:!:: - man:!:: - dialout:!:: - floppy:!:: - games:!:: - tape:!:: - video:!:: - ftp:!:: - lock:!:: - audio:!:: - nobody:!:: - users:!:: - utmp:!:: - utempter:!:: - input:!:: - systemd-journal:!:: - systemd-network:!:: - dbus:!:: - ssh_keys:!:: - lsst_lcl:!::{{ user }} - tss:!:: - cgred:!:: - screen:!:: - jovyan:!::{{ user }}{% for g in groups %} - {{ g.name }}:!::{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: 
@@ -368,31 +308,6 @@ config: lsst_lcl:x:1000:1000::/home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user }}:/bin/bash - - apiVersion: v1 - kind: ConfigMap - metadata: - name: shadow - namespace: "{{ user_namespace }}" - data: - shadow: | - root:*:18000:0:99999:7::: - bin:*:18000:0:99999:7::: - daemon:*:18000:0:99999:7::: - adm:*:18000:0:99999:7::: - lp:*:18000:0:99999:7::: - sync:*:18000:0:99999:7::: - shutdown:*:18000:0:99999:7::: - halt:*:18000:0:99999:7::: - mail:*:18000:0:99999:7::: - operator:*:18000:0:99999:7::: - games:*:18000:0:99999:7::: - ftp:*:18000:0:99999:7::: - nobody:*:18000:0:99999:7::: - systemd-network:*:18000:0:99999:7::: - dbus:*:18000:0:99999:7::: - lsst_lcl:*:18000:0:99999:7::: - tss:*:18000:0:99999:7::: - {{user}}:*:18000:0:99999:7::: - apiVersion: v1 kind: ConfigMap metadata: @@ -480,15 +395,11 @@ config: path: "{{ pull_secret_path }}" type: kubernetes.io/dockerconfigjson -# Note: See note above about existingSecret. -vault_secret_path: "" - # Built-in network policy doesn't quite work (Labs can't talk to Hub, # even with port 8081 explicitly enabled), so let's use our own for now. network_policy: enabled: true - # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global: From 2fee42511d6e8e002f80823172ba01281039e5ff Mon Sep 17 00:00:00 2001 From: roby Date: Wed, 21 Sep 2022 09:22:10 -0600 Subject: [PATCH 1051/1479] release suit-2022.5.5 --- services/portal/values-idfdev.yaml | 3 +++ services/portal/values-idfint.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index b8d18401c0..99466d6353 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml 
@@ -6,6 +6,9 @@ config: path: "/share1/home/firefly/shared-workarea" server: "10.87.86.26" +image: + tag: "suit-2022.5.5" + resources: limits: memory: "2Gi" diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index bbff39a615..07e7a5fcf4 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -6,6 +6,9 @@ config: path: "/share1/home/firefly/shared-workarea" server: "10.22.240.130" +image: + tag: "suit-2022.5.5" + resources: limits: memory: "30Gi" From 06175901e95c80c09ab32d9241372ef1b56dd36d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 21 Sep 2022 16:07:56 -0700 Subject: [PATCH 1052/1479] Fix authorization for datalinker datalinker was using read:image for access control to all of its non-public routes, but all the routes except /api/datalink/links are TAP query helpers. Require read:tap for those and read:image only for /api/datalink/links. Remove the conditionals and values.yaml configuration for scopes and hard-code them, as we do for other complex configurations. Also remove the auth-url setting, since we expect datalinker links to mostly be followed by scripts and the Portal Aspect, for which redirects to a login page are not useful. --- services/datalinker/README.md | 3 +-- .../datalinker/templates/ingress-image.yaml | 26 +++++++++++++++++++ .../{ingress.yaml => ingress-tap.yaml} | 6 +---- services/datalinker/values.yaml | 5 +--- 4 files changed, 29 insertions(+), 11 deletions(-) create mode 100644 services/datalinker/templates/ingress-image.yaml rename services/datalinker/templates/{ingress.yaml => ingress-tap.yaml} (75%) diff --git a/services/datalinker/README.md b/services/datalinker/README.md index c7d2aedbd4..4ebe6f5172 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md 
@@ -24,8 +24,7 @@ Service and data discovery for Rubin Science Platform
 | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the datalinker image |
 | image.repository | string | `"ghcr.io/lsst-sqre/datalinker"` | Image to use in the datalinker deployment |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
-| ingress.annotations | object | `{}` | Additional annotations for the ingress rule |
-| ingress.gafaelfawrAuthQuery | string | `"scope=read:image"` | Gafaelfawr auth query string |
+| ingress.annotations | object | `{}` | Additional annotations for the ingresses |
 | nameOverride | string | `""` | Override the base name for resources |
 | nodeSelector | object | `{}` | Node selection rules for the datalinker deployment pod |
 | podAnnotations | object | `{}` | Annotations for the datalinker deployment pod |
diff --git a/services/datalinker/templates/ingress-image.yaml b/services/datalinker/templates/ingress-image.yaml
new file mode 100644
index 0000000000..61546939b3
--- /dev/null
+++ b/services/datalinker/templates/ingress-image.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "datalinker.fullname" . }}
+ labels:
+ {{- include "datalinker.labels" . | nindent 4 }}
+ annotations:
+ nginx.ingress.kubernetes.io/auth-method: "GET"
+ nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User"
+ nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?scope=read:image"
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ingressClassName: "nginx"
+ rules:
+ - host: {{ required "global.host must be set" .Values.global.host | quote }}
+ http:
+ paths:
+ - path: "/api/datalink/links"
+ pathType: "Exact"
+ backend:
+ service:
+ name: {{ include "datalinker.fullname" . }}
+ port:
+ number: 8080
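Review bot: The read:image check added in `ingress-image.yaml` holds only for requests that match `pathType: "Exact"` on `/api/datalink/links`; a trailing-slash or extra-segment variant of that path does not match this rule and is routed by whatever other ingress claims the `/api/datalink` prefix — the `ingress-tap.yaml` path list is outside this diff so I cannot confirm it, but if that is a `Prefix` rule guarded by read:tap, a read:tap-only caller could reach the links handler through it, depending on how datalinker itself routes the variant. Worth confirming that the application serves the links handler on no other path, and adding a rendered-template or integration check that `/api/datalink/links/` is not reachable with only read:tap. Separately, `{{- with .Values.ingress.annotations }}` is rendered after the three `auth-*` annotations, so an environment value that sets `nginx.ingress.kubernetes.io/auth-url` yields a duplicate key that most YAML parsers resolve last-wins, silently replacing the scope; rendering the user annotations before the fixed auth ones, or documenting in values.yaml that `ingress.annotations` must not carry `auth-*` keys, closes that. Since the backend only receives `X-Auth-Request-User`, the scope decision lives entirely in these two ingresses; a header comment such as `# /api/datalink/links requires read:image; every other datalinker route is a TAP helper served by ingress-tap.yaml under read:tap.` would make that intent survive the next path edit.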
diff --git a/services/datalinker/templates/ingress.yaml b/services/datalinker/templates/ingress-tap.yaml similarity index 75% rename from services/datalinker/templates/ingress.yaml rename to services/datalinker/templates/ingress-tap.yaml index 5e07f43144..b59de51317 100644 --- a/services/datalinker/templates/ingress.yaml +++ b/services/datalinker/templates/ingress-tap.yaml @@ -5,12 +5,8 @@ metadata: labels: {{- include "datalinker.labels" . | nindent 4 }} annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} + nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?scope=read:tap" {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/services/datalinker/values.yaml b/services/datalinker/values.yaml index f955ade9af..e88ca255eb 100644 --- a/services/datalinker/values.yaml +++ b/services/datalinker/values.yaml @@ -22,10 +22,7 @@ nameOverride: "" fullnameOverride: "" ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=read:image" - - # -- Additional annotations for the ingress rule + # -- Additional annotations for the ingresses annotations: {} autoscaling: From 2f766a90fcdf5c33bef2d057a77f98715506d434 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 21 Sep 2022 16:23:26 -0700 Subject: [PATCH 1053/1479] Fix naming of datalinker ingresses --- services/datalinker/templates/ingress-image.yaml | 2 +- services/datalinker/templates/ingress-tap.yaml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/services/datalinker/templates/ingress-image.yaml b/services/datalinker/templates/ingress-image.yaml index 61546939b3..4168995f5f 100644 
--- a/services/datalinker/templates/ingress-image.yaml +++ b/services/datalinker/templates/ingress-image.yaml @@ -1,7 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ include "datalinker.fullname" . }} + name: {{ include "datalinker.fullname" . }}-image labels: {{- include "datalinker.labels" . | nindent 4 }} annotations: diff --git a/services/datalinker/templates/ingress-tap.yaml b/services/datalinker/templates/ingress-tap.yaml index b59de51317..b408e7bafb 100644 --- a/services/datalinker/templates/ingress-tap.yaml +++ b/services/datalinker/templates/ingress-tap.yaml @@ -1,10 +1,11 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ include "datalinker.fullname" . }} + name: {{ include "datalinker.fullname" . }}-tap labels: {{- include "datalinker.labels" . | nindent 4 }} annotations: + nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?scope=read:tap" {{- with .Values.ingress.annotations }} From 38487c802e3a37a256f58f861a9171a19ca05afe Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 22 Sep 2022 16:04:12 +0200 Subject: [PATCH 1054/1479] use default image in tap --- services/tap/values-ccin2p3.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 2996f5338b..2c0e46f56e 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -8,7 +8,7 @@ qserv: host: "ccqserv201.in2p3.fr:30040" mock: enabled: false -image: - # -- tap image to use - repository: "gabrimaine/lsst-tap-service" - tag: "1.2.1-CC2" +# image: +# # -- tap image to use +# repository: "gabrimaine/lsst-tap-service" +# tag: "1.2.1-CC2" From b6b0896b22168c42c2f53faeee294115d90c8b3e Mon Sep 17 00:00:00 2001 
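Review bot: The four `# image:` lines left in `values-ccin2p3.yaml` are commented-out configuration rather than documentation; since the commit message says this environment now uses the chart's default image, delete the block outright (the old `gabrimaine/lsst-tap-service` reference remains in git history). Commented-out overrides tend to be un-commented wholesale later, which would silently move this environment back to an image published under a personal registry namespace instead of the chart default, and that reversal reads as a comment change rather than a real config diff. If a marker is wanted, a single line such as `# No image override: this environment runs the chart's default TAP image.` carries the intent without stale values.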
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 26 Sep 2022 05:56:53 +0000 Subject: [PATCH 1055/1479] Update Helm release argo-cd to v5.5.5 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index ce17f67c58..31bacb2180 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 5.4.6 + version: 5.5.5 repository: https://argoproj.github.io/argo-helm From 52916d25a20a9477e30459290f376cb2a1c230ea Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 26 Sep 2022 08:52:51 -0700 Subject: [PATCH 1056/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 2a8d4ec32d..530b6f312c 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 5.4.6 | +| https://argoproj.github.io/argo-helm | argo-cd | 5.5.5 | ## Values From 033cea2a67c986e6e03aa821b3c3efddf5dff379 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 23 Sep 2022 12:14:53 -0700 Subject: [PATCH 1057/1479] Install helm-docs with go The homebrew installation method stopped working claiming that brew is not installed in the Ubuntu image, and setting up homebrew looks very painful. Instead, build helm-docs from source with Go and put the binary in /usr/local/bin. I tried multiple other ways of downloading the release artifacts instead of building from source, but they all failed in practice, getting zero-length files instead of the release artifact that was promised. Not sure if this was a temporary GitHub outage or a bug with the release artifacts of helm-docs. --- .github/workflows/ci.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f60da91726..f4a25eda04 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -12,8 +12,13 @@ jobs: steps: - uses: actions/checkout@v3 + - name: Set up go + uses: actions/setup-go@v3 + - name: Install helm-docs - run: brew install norwoodj/tap/helm-docs + run: go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest + env: + GOBIN: /usr/local/bin/ - name: Set up Python uses: actions/setup-python@v4 From fd92c043776b9c8e3804dc8c402c30d102beed42 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 26 Sep 2022 16:01:56 +0000 Subject: [PATCH 1058/1479] Update redis Docker tag to v7.0.5 --- services/gafaelfawr/values.yaml | 2 +- services/portal/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 60ac82ea74..88c27a9c47 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml 
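Review bot: `go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest` resolves a different helm-docs on every CI run, so the docs check can start failing or change its output with no change in this repository, and the build depends on whatever the newest tag is at that moment. Pin it to an explicit release tag, `run: go install github.com/norwoodj/helm-docs/cmd/helm-docs@vX.Y.Z`, so the version is reviewed in-repo and upgrades show up as diffs, the way the chart bumps around this commit do. `actions/setup-go@v3` is used without a `go-version`, so the Go toolchain also floats with the runner image; adding one makes the build reproducible end to end. `GOBIN: /usr/local/bin/` presumably relies on that directory being writable by the runner user on a GitHub-hosted Ubuntu image; a one-line comment stating that assumption would help whoever moves this job to a self-hosted runner.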
@@ -343,7 +343,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.4" + tag: "7.0.5" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 4ac87f15fd..f3c255f221 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -94,7 +94,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.4" + tag: "7.0.5" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index ceeb97380b..5d5dbee569 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -147,7 +147,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.4" + tag: "7.0.5" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" From 88695de27aa479d30f1f6ce194db53ea6173205b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 26 Sep 2022 09:04:20 -0700 Subject: [PATCH 1059/1479] Update Helm docs --- services/gafaelfawr/README.md | 2 +- services/portal/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 2bf35725f2..7b7bfc9b80 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -91,7 +91,7 @@ Science Platform authentication and authorization system | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.4"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.5"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | diff --git a/services/portal/README.md b/services/portal/README.md index a885567f67..ee89cc62ab 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -33,7 +33,7 @@ Rubin Science Platform portal aspect | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.4"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.5"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | | redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index e954c1fc76..627fc41beb 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -54,7 +54,7 @@ Image cutout service complying with IVOA SODA | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.4"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.5"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | From 52efc47ef3415c284d7e772768015ff9c53df993 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 26 Sep 2022 16:06:25 +0000 Subject: [PATCH 1060/1479] Update Helm release vault-secrets-operator to v1.19.6 --- services/vault-secrets-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml index e54210c47b..9839520b20 100644 --- a/services/vault-secrets-operator/Chart.yaml +++ b/services/vault-secrets-operator/Chart.yaml @@ -3,5 +3,5 @@ name: vault-secrets-operator version: 1.0.0 dependencies: - name: vault-secrets-operator - version: 1.19.5 + version: 1.19.6 repository: https://ricoberger.github.io/helm-charts/ From 781dfe4e7cddaf4ca9ff2e3648e8ec83b765a483 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 26 Sep 2022 09:12:39 -0700 Subject: [PATCH 1061/1479] Update Helm docs --- services/vault-secrets-operator/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md index 4d00932781..2dc3e19a31 100644 --- a/services/vault-secrets-operator/README.md +++ b/services/vault-secrets-operator/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.5 | +| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.6 | ## Values From b47d50cce95705dd3cbc7e2bc325032edbfff32d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 15 Sep 2022 11:33:29 -0700 Subject: [PATCH 1062/1479] Drop Gafaelfawr config.cilogon.redirectUrl setting The login URL is now always /login at the base URL of the deployment. This setting was previously required for some NCSA deployments, but those have been retired. --- services/gafaelfawr/README.md | 1 - services/gafaelfawr/templates/configmap.yaml | 8 -------- services/gafaelfawr/templates/ingress.yaml | 7 ------- services/gafaelfawr/values.yaml | 4 ---- 4 files changed, 20 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 7b7bfc9b80..2306c7e9e1 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -29,7 +29,6 @@ Science Platform authentication and authorization system | config.cilogon.gidClaim | string | Do not set a primary GID | Claim from which to get the primary GID (only used if not retrieved from LDAP or Firestore) | | config.cilogon.groupsClaim | string | `"isMemberOf"` | Claim from which to get the group membership (only used if not retrieved from LDAP) | | config.cilogon.loginParams | object | `{"skin":"LSST"}` | Additional parameters to add | -| config.cilogon.redirectUrl | string | `/login` at the value of config.host | Return URL given to CILogon (must match the CILogon configuration) | | config.cilogon.test | bool | `false` | Whether to use the test instance of CILogon | | config.cilogon.uidClaim | string | `"uidNumber"` | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) | | config.cilogon.usernameClaim | string | `"uid"` | Claim from which to get the username | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 8a62574ebb..d04dba88f6 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml @@ -63,11 +63,7 @@ {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} - {{- if .Values.config.cilogon.redirectUrl }} - redirect_url: {{ .Values.config.cilogon.redirectUrl | quote }} - {{- else }} redirect_url: "{{ .Values.global.baseUrl }}/login" - {{- end }} scopes: - "email" - "org.cilogon.userinfo" @@ -101,11 +97,7 @@ enrollment_url: {{ .Values.config.oidc.enrollmentUrl | quote }} {{- end }} issuer: {{ required "config.oidc.issuer must be set" .Values.config.oidc.issuer | quote }} - {{- if .Values.config.oidc.redirectUrl }} - redirect_url: {{ .Values.config.oidc.redirectUrl | quote }} - {{- else }} redirect_url: "{{ .Values.global.baseUrl }}/login" - {{- end }} scopes: {{- with .Values.config.oidc.scopes }} {{- toYaml . | nindent 8 }} 
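Review bot: Dropping the `{{- if .Values.config.cilogon.redirectUrl }}` branch (and the matching `.Values.config.oidc.redirectUrl` branch in the second configmap hunk) means an environment values file that still sets either key is now silently ignored, since Helm does not reject unknown values and no values schema is visible here. Because the return URL must match the client registration at the identity provider exactly (the removed README row said as much), a stale override would surface as a failed login at the provider rather than as a deploy-time error; a template guard makes it loud: `{{- if or .Values.config.cilogon.redirectUrl .Values.config.oidc.redirectUrl }}{{ fail "config.*.redirectUrl is no longer supported; the return URL is always <baseUrl>/login" }}{{- end }}`. The `cilogon:` and `oidc:` mappings these hunks edit start outside the hunks.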
diff --git a/services/gafaelfawr/templates/ingress.yaml b/services/gafaelfawr/templates/ingress.yaml index 2cf6d2d351..18a03df271 100644 --- a/services/gafaelfawr/templates/ingress.yaml +++ b/services/gafaelfawr/templates/ingress.yaml @@ -31,13 +31,6 @@ spec: name: {{ template "gafaelfawr.fullname" . }} port: number: 8080 - - path: "/oauth2/callback" - pathType: Exact - backend: - service: - name: {{ template "gafaelfawr.fullname" . }} - port: - number: 8080 {{- if .Values.config.oidcServer.enabled }} - path: "/.well-known/jwks.json" pathType: Exact diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 88c27a9c47..c912d82ace 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -64,10 +64,6 @@ config: # `config.github.clientId`, or `config.oidc.clientId` must be set. clientId: "" - # -- Return URL given to CILogon (must match the CILogon configuration) - # @default -- `/login` at the value of config.host - redirectUrl: "" - # -- Where to send the user if their username cannot be found in LDAP # @default -- Login fails with an error enrollmentUrl: "" From fdac53e4ddf79755d571f59559c993dc42bdeaca Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 15 Sep 2022 13:03:28 -0700 Subject: [PATCH 1063/1479] Change Sasquatch to Gafaelfawr token info URL Gafaelfawr is standardizing on /auth/openid/userinfo. Update the Sasquatch configurations accordingly. --- services/sasquatch/values-idfdev.yaml | 2 +- services/sasquatch/values-idfint.yaml | 2 +- services/sasquatch/values-summit.yaml | 2 +- services/sasquatch/values-tucson-teststand.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index 90d31922ab..6807a44581 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml 
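Review bot: The removal of the `/oauth2/callback` ingress path is not mentioned in the commit message, which only describes dropping the `config.cilogon.redirectUrl` setting. Any CILogon or OIDC client registration that still lists `<baseUrl>/oauth2/callback` as an allowed return URL will now have that callback routed to whatever other ingress matches the host (or to a 404) instead of Gafaelfawr, so the registrations should be confirmed to hold exactly `<baseUrl>/login` before this is rolled out. A one-line comment where the entry was removed would record the contract for the next reader: `# The IdP return URL is always <baseUrl>/login; the legacy /oauth2/callback path is gone.` The `paths:` list containing these entries starts outside the hunk.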
@@ -43,7 +43,7 @@ chronograf: GENERIC_TOKEN_URL: https://data-dev.lsst.cloud/auth/openid/token USE_ID_TOKEN: 1 JWKS_URL: https://data-dev.lsst.cloud/.well-known/jwks.json - GENERIC_API_URL: https://data-dev.lsst.cloud/auth/userinfo + GENERIC_API_URL: https://data-dev.lsst.cloud/auth/openid/userinfo GENERIC_SCOPES: openid GENERIC_API_KEY: sub PUBLIC_URL: https://data-dev.lsst.cloud/ diff --git a/services/sasquatch/values-idfint.yaml b/services/sasquatch/values-idfint.yaml index 258545b6de..d2dd4c71bb 100644 --- a/services/sasquatch/values-idfint.yaml +++ b/services/sasquatch/values-idfint.yaml @@ -48,7 +48,7 @@ chronograf: GENERIC_TOKEN_URL: https://data-int.lsst.cloud/auth/openid/token USE_ID_TOKEN: 1 JWKS_URL: https://data-int.lsst.cloud/.well-known/jwks.json - GENERIC_API_URL: https://data-int.lsst.cloud/auth/userinfo + GENERIC_API_URL: https://data-int.lsst.cloud/auth/openid/userinfo GENERIC_SCOPES: openid GENERIC_API_KEY: sub PUBLIC_URL: https://data-int.lsst.cloud/ diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index adfc507a38..2ad4b2749f 100644 --- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml @@ -92,7 +92,7 @@ chronograf: GENERIC_TOKEN_URL: https://summit-lsp.lsst.codes/auth/openid/token USE_ID_TOKEN: 1 JWKS_URL: https://summit-lsp.lsst.codes/.well-known/jwks.json - GENERIC_API_URL: https://summit-lsp.lsst.codes/auth/userinfo + GENERIC_API_URL: https://summit-lsp.lsst.codes/auth/openid/userinfo GENERIC_SCOPES: openid GENERIC_API_KEY: sub PUBLIC_URL: https://summit-lsp.lsst.codes diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 955b498e87..39fbe99969 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml 
@@ -113,7 +113,7 @@ chronograf: GENERIC_TOKEN_URL: https://tucson-teststand.lsst.codes/auth/openid/token USE_ID_TOKEN: 1 JWKS_URL: https://tucson-teststand.lsst.codes/.well-known/jwks.json - GENERIC_API_URL: https://tucson-teststand.lsst.codes/auth/userinfo + GENERIC_API_URL: https://tucson-teststand.lsst.codes/auth/openid/userinfo GENERIC_SCOPES: openid GENERIC_API_KEY: sub PUBLIC_URL: https://tucson-teststand.lsst.codes From fc1200c73048b51438298c85ccf9f16c6b008948 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 15 Sep 2022 16:54:44 -0700 Subject: [PATCH 1064/1479] Drop Gafaelfawr support for InfluxDB 1.x tokens Drop support for configuring Gafaelfawr to issue InfluxDB 1.x tokens. We never used this support, and InfluxDB 2.x will require an entirely different approach. --- services/gafaelfawr/README.md | 2 -- services/gafaelfawr/templates/configmap.yaml | 8 -------- services/gafaelfawr/values.yaml | 9 --------- 3 files changed, 19 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 2306c7e9e1..41c23887ca 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -37,8 +37,6 @@ Science Platform authentication and authorization system | config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. | | config.github.clientId | string | `""` | GitHub client ID. One and only one of this, `config.cilogon.clientId`, or `config.oidc.clientId` must be set. | | config.groupMapping | object | `{}` | Defines a mapping of scopes to groups that provide that scope. See [DMTN-235](https://dmtn-235.lsst.io/) for more details on scopes. | -| config.influxdb.enabled | bool | `false` | Whether to issue tokens for InfluxDB. If set to true, `influxdb-secret` must be set in the Gafaelfawr secret. | -| config.influxdb.username | string | `""` | If set, force all InfluxDB tokens to have that username instead of the authenticated identity of the user requesting a token | | config.initialAdmins | list | `[]` | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. | | config.knownScopes | object | See the `values.yaml` file | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. See [DMTN-235](https://dmtn-235.lsst.io/). | | config.ldap.addUserGroup | bool | `false` | Whether to synthesize a user private group for each user with a GID equal to their UID | diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index d04dba88f6..95a4957742 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml 
@@ -26,14 +26,6 @@ error_footer: {{ .Values.config.errorFooter | quote }} {{- end }} - {{- if .Values.config.influxdb.enabled }} - influxdb: - secret_file: "/etc/gafaelfawr/secrets/influxdb-secret" - {{- if .Values.config.issuer.influxdb.username }} - username: {{ .Values.config.issuer.influxdb.username | quote }} - {{- end }} - {{- end }} - {{- if .Values.config.github.clientId }} github: diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index c912d82ace..a1862197e7 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -205,15 +205,6 @@ config: # equal to their UID addUserGroup: false - influxdb: - # -- Whether to issue tokens for InfluxDB. If set to true, - # `influxdb-secret` must be set in the Gafaelfawr secret. - enabled: false - - # -- If set, force all InfluxDB tokens to have that username instead of - # the authenticated identity of the user requesting a token - username: "" - oidcServer: # -- Whether to support OpenID Connect clients. If set to true, # `oidc-server-secrets` must be set in the Gafaelfawr secret. From 26ff5e69eec627386e5af8ca82a1dd7e3499fa5d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 19 Sep 2022 15:54:56 -0700 Subject: [PATCH 1065/1479] Drop X-Auth-Request-Uid from TAP Make TAP stop requesting X-Auth-Request-Uid from Gafaelfawr, since the next release of Gafaelfawr will no longer send it. This is not currently used; right now, TAP looks at the Authorization header, which is a separate problem since that will no longer be supported in the future, but that's a problem for another day. --- services/tap/templates/tap-ingress-authenticated.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap/templates/tap-ingress-authenticated.yaml b/services/tap/templates/tap-ingress-authenticated.yaml index 0a5fb80c09..09a6603182 100644 --- a/services/tap/templates/tap-ingress-authenticated.yaml +++ b/services/tap/templates/tap-ingress-authenticated.yaml 
@@ -6,7 +6,7 @@ metadata: {{- include "cadc-tap.labels" . | nindent 4 }} annotations: nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Uid, X-Auth-Request-Token" + nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Token" nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" nginx.ingress.kubernetes.io/configuration-snippet: | auth_request_set $auth_token $upstream_http_x_auth_request_token; From eafaf4964864e3fb6d43a0aac45c47001bd9682b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 23 Sep 2022 11:58:00 -0700 Subject: [PATCH 1066/1479] Bump Gafaelfawr version --- services/gafaelfawr/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index a3ac4cbb25..7a2d695b65 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,4 +5,4 @@ description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 5.2.0 +appVersion: 6.0.0 From 16fb39bf6fdc5bd721b05dca5cbe50e989af0315 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 20 Sep 2022 14:53:53 -0700 Subject: [PATCH 1067/1479] Set minimum lifetime for notebook tokens Require that notebook tokens will last at least 25 days, matching the maximum lifetime configuration in the culler. This will hopefully ensure that the notebook token of a user will last at least as long as their notebook does. This will force Notebook Aspect users to reauthenticate every five days, since the maximum ticket lifetime is 30 days. --- services/nublado2/README.md | 2 +- services/nublado2/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 1dfd2e00ce..ebef71fe45 100644 
--- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -72,7 +72,7 @@ Kubernetes: `>=1.20.0-0` | jupyterhub.imagePullSecrets[0].name | string | `"pull-secret"` | | | jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-method" | string | `"GET"` | | | jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-response-headers" | string | `"X-Auth-Request-Token"` | | -| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-url" | string | `"http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true"` | | +| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-url" | string | `"http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true&minimum_lifetime=2160000"` | | | jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/configuration-snippet" | string | `"error_page 403 = \"/auth/forbidden?scope=exec:notebook\";\n"` | | | jupyterhub.ingress.enabled | bool | `true` | | | jupyterhub.ingress.ingressClassName | string | `"nginx"` | | diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index bc1346e563..7fd8608779 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml @@ -146,7 +146,7 @@ jupyterhub: annotations: nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true" + nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true&minimum_lifetime=2160000" nginx.ingress.kubernetes.io/configuration-snippet: | error_page 403 = "/auth/forbidden?scope=exec:notebook"; ingressClassName: "nginx" From dfd90f0428f76cec649f8a70a42777cb596186f6 Mon Sep 17 00:00:00 2001 
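Review bot: `minimum_lifetime=2160000` in the `auth-url` annotation of values.yaml is a magic number with nothing in the file relating it to the 25-day culler maximum the commit message cites (25 days is 2,160,000 seconds), and the same literal is repeated in the generated README row. A comment above the annotation keeps the coupling visible to whoever next changes the culler: `# minimum_lifetime is 25 days in seconds; keep in step with the culler's maximum notebook age`. The `¬ebook=true` shown in both hunks looks like `&notebook=true` after HTML entity decoding of `&not`; worth confirming the committed text is the literal ampersand form, since ingress-nginx consumes the annotation verbatim. The `annotations:` mapping begins outside the hunk.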
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Sep 2022 17:47:54 +0000 Subject: [PATCH 1068/1479] Update Helm release strimzi-kafka-operator to v0.31.1 --- services/strimzi/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/strimzi/Chart.yaml b/services/strimzi/Chart.yaml index ebf65a58bb..a6198ed057 100644 --- a/services/strimzi/Chart.yaml +++ b/services/strimzi/Chart.yaml @@ -6,5 +6,5 @@ version: 0.1.0 appVersion: "0.26.0" dependencies: - name: strimzi-kafka-operator - version: "0.31.0" + version: "0.31.1" repository: https://strimzi.io/charts/ From 746266a607b24d08361999023f51c85ab37cbf41 Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 29 Sep 2022 15:28:42 -0700 Subject: [PATCH 1069/1479] Pin w_40, not w_22 --- services/cachemachine/values-idfdev.yaml | 4 ++-- services/cachemachine/values-idfint.yaml | 4 ++-- services/cachemachine/values-idfprod.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/services/cachemachine/values-idfdev.yaml b/services/cachemachine/values-idfdev.yaml index 6faa7eae53..3c1b6dad90 100644 --- a/services/cachemachine/values-idfdev.yaml +++ b/services/cachemachine/values-idfdev.yaml @@ -25,8 +25,8 @@ autostart: "type": "SimpleRepoMan", "images": [ { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_22", - "name": "Weekly 2022_22" + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_40", + "name": "Weekly 2022_40" } ] } diff --git a/services/cachemachine/values-idfint.yaml b/services/cachemachine/values-idfint.yaml index c4e47c3903..4edfa8adc3 100644 --- a/services/cachemachine/values-idfint.yaml +++ b/services/cachemachine/values-idfint.yaml 
@@ -25,8 +25,8 @@ autostart: "type": "SimpleRepoMan", "images": [ { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_22", - "name": "Weekly 2022_22" + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_40", + "name": "Weekly 2022_40" } ] } diff --git a/services/cachemachine/values-idfprod.yaml b/services/cachemachine/values-idfprod.yaml index fa7d37449a..b7fb4ac4a8 100644 --- a/services/cachemachine/values-idfprod.yaml +++ b/services/cachemachine/values-idfprod.yaml @@ -25,8 +25,8 @@ autostart: "type": "SimpleRepoMan", "images": [ { - "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_22", - "name": "Weekly 2022_22" + "image_url": "us-central1-docker.pkg.dev/rubin-shared-services-71ec/sciplat/sciplat-lab:w_2022_40", + "name": "Weekly 2022_40" } ] } From 2e8905325c8b52ed7fcd86f99a9c471f4c99028b Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 30 Sep 2022 11:45:58 +0200 Subject: [PATCH 1070/1479] try tio upgrade jupyer db --- services/nublado2/values-ccin2p3.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index c52330e65d..2608ff4a13 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -1,6 +1,9 @@ jupyterhub: debug: enabled: true + hub: + db: + upgrade: true # hub: # resources: From 8bddefc1526c4ad632acae9a6e3185f1b0e755f8 Mon Sep 17 00:00:00 2001 From: gpdf Date: Fri, 30 Sep 2022 10:38:25 -0700 Subject: [PATCH 1071/1479] Deploy latest Firefly to production This is the update that had been planned for yesterday, 2022-09-29, and discussed in RSP Ops. --- services/portal/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml index 621ec41966..4326210d0d 100644 --- a/services/portal/Chart.yaml 
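Review bot: The new `hub:` mapping in values-ccin2p3.yaml is inserted directly above a commented-out `# hub:` block; if that block is ever uncommented as-is the file will carry two `hub` keys, which most YAML loaders resolve silently to last-wins and Helm will not flag. Fold any future hub settings into the new mapping, or delete the dead comment block. `hub.db.upgrade: true` presumably applies on every hub start rather than once; if this was meant as a one-off migration, a comment such as `# TODO: remove after the one-time schema upgrade has run` records the intent. The enclosing `jupyterhub:` mapping continues past the hunk.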
+++ b/services/portal/Chart.yaml @@ -3,4 +3,4 @@ name: portal version: 1.0.0 description: "Rubin Science Platform portal aspect" home: "https://github.com/lsst/suit" -appVersion: "suit-2022.5.4" +appVersion: "suit-2022.5.5" From e56e1cd643da928b19be0f7aaaf49b3ef9f4779a Mon Sep 17 00:00:00 2001 From: gpdf Date: Fri, 30 Sep 2022 10:39:32 -0700 Subject: [PATCH 1072/1479] Remove version pin from IDF-int --- services/portal/values-idfint.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml index 07e7a5fcf4..bbff39a615 100644 --- a/services/portal/values-idfint.yaml +++ b/services/portal/values-idfint.yaml @@ -6,9 +6,6 @@ config: path: "/share1/home/firefly/shared-workarea" server: "10.22.240.130" -image: - tag: "suit-2022.5.5" - resources: limits: memory: "30Gi" From 1fad17098a4fe2ac99d8cfba1af0bb951c0d3a73 Mon Sep 17 00:00:00 2001 From: gpdf Date: Fri, 30 Sep 2022 10:43:56 -0700 Subject: [PATCH 1073/1479] Remove Portal version pin from IDF-dev --- services/portal/values-idfdev.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml index 99466d6353..b8d18401c0 100644 --- a/services/portal/values-idfdev.yaml +++ b/services/portal/values-idfdev.yaml @@ -6,9 +6,6 @@ config: path: "/share1/home/firefly/shared-workarea" server: "10.87.86.26" -image: - tag: "suit-2022.5.5" - resources: limits: memory: "2Gi" From 9ee87551157a3fe9005abf97316aed04da45c9ea Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 14 Sep 2022 13:14:22 -0700 Subject: [PATCH 1074/1479] Add telegraf helm chart dependency --- services/sasquatch/Chart.yaml | 3 +++ services/sasquatch/README.md | 2 ++ 2 files changed, 5 insertions(+) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 0dc6021020..5cc5eafa89 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml 
@@ -22,3 +22,6 @@ dependencies: repository: https://helm.influxdata.com/ - name: kafdrop version: 1.0.0 + - name: telegraf + version: 1.8.20 + repository: https://helm.influxdata.com/ diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index d1ccadfda2..5514fb7598 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -9,6 +9,7 @@ Rubin Observatory's telemetry service. | | kafdrop | 1.0.0 | | | kafka-connect-manager | 1.0.0 | | | strimzi-kafka | 1.0.0 | +| | telegraf-kafka-consumer | 1.0.0 | | https://helm.influxdata.com/ | chronograf | 1.2.5 | | https://helm.influxdata.com/ | influxdb | 4.12.0 | | https://helm.influxdata.com/ | kapacitor | 1.4.6 | @@ -43,3 +44,4 @@ Rubin Observatory's telemetry service. | kapacitor.resources.requests.memory | string | `"1Gi"` | | | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","clusterNamespace":"sasquatch","operatorNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | +| telegraf-kafka-consumer | object | `{}` | Override telegraf-kafka-consumer | From 45871d00bc1982ba26a0398641d0b0ff42b79b72 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 14 Sep 2022 13:17:57 -0700 Subject: [PATCH 1075/1479] Add telegraf KafkaUser resource in Strimzi - Use scram-sha-512 authentication with simple authorization, give full permission to groups and read-only access to topics. --- .../charts/strimzi-kafka/templates/users.yaml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml index 351a23f84e..aed7d28017 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml 
@@ -122,3 +122,33 @@ spec: type: allow host: "*" operation: All +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: telegraf + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: sasquatch + key: telegraf-password + authorization: + type: simple + acls: + - resource: + type: group + name: "*" + patternType: literal + operation: All + - resource: + type: topic + name: "*" + patternType: literal + type: allow + host: "*" + operation: Read From f09c872e45aa0dd9d85177b8b88492f8db6d1fcc Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 14 Sep 2022 13:19:21 -0700 Subject: [PATCH 1076/1479] Add telegraf-kafka-consumer Helm chart Initial Telegraf Kafka consumer configuration --- services/sasquatch/Chart.yaml | 5 +- services/sasquatch/README.md | 10 +++ .../charts/telegraf-kafka-consumer/Chart.yaml | 7 ++ .../charts/telegraf-kafka-consumer/README.md | 31 ++++++++ .../templates/configmap.yaml | 55 +++++++++++++ .../templates/deployment.yaml | 79 +++++++++++++++++++ .../telegraf-kafka-consumer/values.yaml | 68 ++++++++++++++++ services/sasquatch/values-idfdev.yaml | 19 +++-- .../sasquatch/values-tucson-teststand.yaml | 69 ++++++++++++++++ services/sasquatch/values.yaml | 61 ++++++++++++++ 10 files changed, 395 insertions(+), 9 deletions(-) create mode 100755 services/sasquatch/charts/telegraf-kafka-consumer/Chart.yaml create mode 100644 services/sasquatch/charts/telegraf-kafka-consumer/README.md create mode 100644 services/sasquatch/charts/telegraf-kafka-consumer/templates/configmap.yaml create mode 100644 services/sasquatch/charts/telegraf-kafka-consumer/templates/deployment.yaml create mode 100644 services/sasquatch/charts/telegraf-kafka-consumer/values.yaml diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 5cc5eafa89..fde5ad9fe6 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml 
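Review bot: The group ACL grants `operation: All` on every consumer group (`name: "*"`), while a consumer only needs to read its own group; `All` also covers Delete and Describe on groups owned by other Kafka clients. The telegraf consumers introduced alongside this use group names beginning with `telegraf-` (e.g. `telegraf-test` in the README row), so `patternType: prefix` with `name: telegraf-` and `operation: Read` is the least-privilege form. The group entry also omits the `type: allow` and `host: "*"` fields that the topic entry spells out; Strimzi defaults them, but writing both entries the same way avoids the reader wondering whether the omission is deliberate. The preceding KafkaUser documents in users.yaml are outside the hunk.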
@@ -22,6 +22,5 @@ dependencies: repository: https://helm.influxdata.com/ - name: kafdrop version: 1.0.0 - - name: telegraf - version: 1.8.20 - repository: https://helm.influxdata.com/ + - name: telegraf-kafka-consumer + version: 1.0.0 diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 5514fb7598..1424dbb004 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -45,3 +45,13 @@ Rubin Observatory's telemetry service. | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","clusterNamespace":"sasquatch","operatorNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | | telegraf-kafka-consumer | object | `{}` | Override telegraf-kafka-consumer | +| telegraf.config.inputs | list | `[{"kafka_consumer":{"avro_fields":["heartbeat","private_efdStamp","salIndex"],"avro_measurement":"test","avro_schema_registry":"http://sasquatch-schema-registry.sasquatch:8081","avro_timestamp":"private_efdStamp","avro_timestamp_format":"unix_us","brokers":["sasquatch-kafka-brokers.sasquatch:9092"],"consumer_group":"telegraf-test","data_format":"avro","max_message_len":32768,"sasl_mechanism":"SCRAM-SHA-512","sasl_password":"$TELEGRAF_PASSWORD","sasl_username":"telegraf","topics":["lsst.sal.Test.logevent_heartbeat"]}}]` | Telegraf input plugins. | +| telegraf.config.inputs[0] | object | `{"kafka_consumer":{"avro_fields":["heartbeat","private_efdStamp","salIndex"],"avro_measurement":"test","avro_schema_registry":"http://sasquatch-schema-registry.sasquatch:8081","avro_timestamp":"private_efdStamp","avro_timestamp_format":"unix_us","brokers":["sasquatch-kafka-brokers.sasquatch:9092"],"consumer_group":"telegraf-test","data_format":"avro","max_message_len":32768,"sasl_mechanism":"SCRAM-SHA-512","sasl_password":"$TELEGRAF_PASSWORD","sasl_username":"telegraf","topics":["lsst.sal.Test.logevent_heartbeat"]}}` | See https://github.com/influxdata/telegraf/blob/master/plugins/inputs/kafka_consumer/README.md | +| telegraf.config.outputs | list | `[{"influxdb":{"database":"kafkaconsumer","password":"$INFLUXDB_ADMIN_PASSWORD","urls":["http://sasquatch-influxdb.sasquatch:8086"],"username":"admin"}}]` | Telegraf output destination. | +| telegraf.config.processors | object | `{}` | Telegraf processor plugins. 
| +| telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"sasquatch"}}}` | Telegraf KafkaUser password. | +| telegraf.env[1] | object | `{"name":"INFLUXDB_ADMIN_PASSWORD","valueFrom":{"secretKeyRef":{"key":"influxdb-password","name":"sasquatch"}}}` | InfluxDB admin password. | +| telegraf.image.pullPolicy | string | `"Always"` | | +| telegraf.image.repo | string | `"lsstsqre/telegraf"` | Telegraf image repository | +| telegraf.image.tag | string | `"avro"` | Telegraf image tag | +| telegraf.service.enabled | bool | `false` | Telegraf service. | diff --git a/services/sasquatch/charts/telegraf-kafka-consumer/Chart.yaml b/services/sasquatch/charts/telegraf-kafka-consumer/Chart.yaml new file mode 100755 index 0000000000..92210beefa --- /dev/null +++ b/services/sasquatch/charts/telegraf-kafka-consumer/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: telegraf-kafka-consumer +version: 1.0.0 +description: > + Telegraf is an agent written in Go for collecting, processing, aggregating, and writing metrics. + This chart deploys multiple instances of the telegraf agent to connect Kafka and InfluxDB in Sasquatch. +appVersion: 1.23.3 diff --git a/services/sasquatch/charts/telegraf-kafka-consumer/README.md b/services/sasquatch/charts/telegraf-kafka-consumer/README.md new file mode 100644 index 0000000000..d1b1073976 --- /dev/null +++ b/services/sasquatch/charts/telegraf-kafka-consumer/README.md 
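Review bot: The new `telegraf-kafka-consumer/Chart.yaml` is created with `new file mode 100755`; a chart metadata file has no reason to carry the executable bit, and the other files added in this commit are `100644`. Clearing the bit before merging keeps file-mode linters and future reviewers from tripping on it. `appVersion: 1.23.3` is unquoted; the value is safe as written because two dots prevent a float parse, but quoting it (`appVersion: "1.23.3"`) matches the strimzi chart on this page and protects against a future value such as `1.20`.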
@@ -0,0 +1,31 @@ +# telegraf-kafka-consumer + +Telegraf is an agent written in Go for collecting, processing, aggregating, and writing metrics. This chart deploys multiple instances of the telegraf agent to connect Kafka and InfluxDB in Sasquatch. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity for pod assignment. | +| args | list | `[]` | Arguments passed to the Telegraf agent containers. | +| envFromSecret | string | `""` | Name of the secret with values to be added to the environment. | +| env[0].name | string | `"TELEGRAF_PASSWORD"` | | +| env[0].valueFrom.secretKeyRef.key | string | `"telegraf-password"` | Telegraf KafkaUser password. | +| env[0].valueFrom.secretKeyRef.name | string | `"sasquatch"` | | +| env[1].name | string | `"INFLUXDB_ADMIN_PASSWORD"` | | +| env[1].valueFrom.secretKeyRef.key | string | `"influxdb-password"` | InfluxDB admin password. | +| env[1].valueFrom.secretKeyRef.name | string | `"sasquatch"` | | +| image.pullPolicy | string | IfNotPresent | Image pull policy. | +| image.repo | string | `"lsstsqre/telegraf"` | Telegraf image repository. | +| image.tag | string | `"kafka-regexp"` | Telegraf image tag. | +| imagePullSecrets | list | `[]` | Secret names to use for Docker pulls. | +| influxdb.database | string | `"telegraf-kafka-consumer"` | Name of the InfluxDB database to write to. | +| kafkaConsumers.test.enabled | bool | `false` | Enable the Telegraf Kafka consumer. | +| kafkaConsumers.test.flush_interval | string | `"1s"` | Default data flushing interval to InfluxDB. | +| kafkaConsumers.test.interval | string | `"1s"` | Data collection interval for the Kafka consumer. | +| kafkaConsumers.test.topicRegexps | string | `"[ \".*Test\" ]\n"` | List of regular expressions to specify the Kafka topics consumed by this agent. | +| nodeSelector | object | `{}` | Node labels for pod assignment. 
| +| podAnnotations | object | `{}` | Annotations for telegraf-kafka-consumers pods. | +| podLabels | object | `{}` | Labels for telegraf-kafka-consumer pods. | +| resources | object | `{}` | Kubernetes resources requests and limits. | +| tolerations | list | `[]` | Tolerations for pod assignment. | diff --git a/services/sasquatch/charts/telegraf-kafka-consumer/templates/configmap.yaml b/services/sasquatch/charts/telegraf-kafka-consumer/templates/configmap.yaml new file mode 100644 index 0000000000..4489e763d8 --- /dev/null +++ b/services/sasquatch/charts/telegraf-kafka-consumer/templates/configmap.yaml 
@@ -0,0 +1,55 @@ +{{- range $key, $value := .Values.kafkaConsumers }} +{{- if $value.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sasquatch-telegraf-kafka-consumer-{{ $key }} + labels: + app: sasquatch-telegraf-kafka-consumer +data: + telegraf.conf: |+ + [agent] + collection_jitter = "0s" + debug = true + flush_interval = {{ default "1s" $value.flush_interval | quote }} + flush_jitter = "0s" + interval = {{ default "1s" $value.interval | quote }} + logfile = "" + metric_batch_size = 1000 + metric_buffer_limit = 10000 + omit_hostname = true + precision = "" + quiet = false + round_interval = true + + [[outputs.influxdb]] + database = {{ $.Values.influxdb.database | quote }} + password = "$INFLUXDB_ADMIN_PASSWORD" + urls = [ + "http://sasquatch-influxdb.sasquatch:8086" + ] + username = "admin" + + [[inputs.kafka_consumer]] + avro_schema_registry = "http://sasquatch-schema-registry.sasquatch:8081" + avro_timestamp = "private_efdStamp" + avro_timestamp_format = "unix_us" + brokers = [ + "sasquatch-kafka-brokers.sasquatch:9092" + ] + consumer_group = "telegraf-kafka-consumer-{{ $key }}" + data_format = "avro" + max_message_len = 1000000 + sasl_mechanism = "SCRAM-SHA-512" + sasl_password = "$TELEGRAF_PASSWORD" + sasl_username = "telegraf" + topic_refresh_interval = "60s" + topic_regexps = {{ $value.topicRegexps }} + offset = "newest" + consumer_fetch_default = "20MB" + + [[inputs.internal]] + collect_memstats = false +{{- end }} +{{- end }} diff --git a/services/sasquatch/charts/telegraf-kafka-consumer/templates/deployment.yaml b/services/sasquatch/charts/telegraf-kafka-consumer/templates/deployment.yaml new file mode 100644 index 0000000000..040877961e --- /dev/null +++ b/services/sasquatch/charts/telegraf-kafka-consumer/templates/deployment.yaml 
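Review bot: The `[[outputs.influxdb]]` block authenticates as the InfluxDB `admin` user with `$INFLUXDB_ADMIN_PASSWORD` even though each consumer only writes to the single database named by `influxdb.database`; a dedicated user with write privileges on that database alone would stop a compromised consumer pod from administering InfluxDB, and the same admin secret is also injected through the deployment's `env`. `debug = true` is hard-coded in `[agent]`, so every consumer logs at debug level in production; make it a per-consumer value, e.g. `debug = {{ default false $value.debug }}`. `topic_regexps = {{ $value.topicRegexps }}` splices the values string verbatim into TOML and, with the default `|` block scalar, carries a trailing newline; declaring it with `|-` in values.yaml and wrapping the lookup in `required` so an unset consumer fails at render time rather than with an invalid config file would tighten this up.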
@@ -0,0 +1,79 @@
+{{- range $key, $value := .Values.kafkaConsumers }}
+{{- if $value.enabled }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sasquatch-telegraf-kafka-consumer-{{ $key }}
+ labels:
+ app: sasquatch-telegraf-kafka-consumer
+spec:
+ replicas: {{ default 1 $value.replicaCount }}
+ selector:
+ matchLabels:
+ app: sasquatch-telegraf-kafka-consumer
+ template:
+ metadata:
+ labels:
+ app: sasquatch-telegraf-kafka-consumer
+ {{- if $.Values.podAnnotations }}
+ annotations:
+ {{- toYaml $.Values.podAnnotations | nindent 8 }}
+ {{- end }}
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ containers:
+ - name: telegraf
+ securityContext:
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ image: "{{ $.Values.image.repo }}:{{ $.Values.image.tag }}"
+ imagePullPolicy: {{ default "IfNotPresent" $.Values.image.pullPolicy | quote }}
+ {{- if $.Values.resources }}
+ resources:
+ {{- toYaml $.Values.resources | nindent 10 }}
+ {{- end }}
+ {{- if $.Values.args }}
+ args:
+ {{- toYaml $.Values.args | nindent 8 }}
+ {{- end }}
+ {{- if $.Values.env }}
+ env:
+ {{- toYaml $.Values.env | nindent 8 }}
+ {{- end }}
+ {{- if $.Values.envFromSecret }}
+ envFrom:
+ - secretRef:
+ name: {{ $.Values.envFromSecret }}
+ {{- end }}
+ volumeMounts:
+ - name: config
+ mountPath: /etc/telegraf
+ {{- if $.Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml $.Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ {{- if $.Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml $.Values.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if $.Values.affinity }}
+ affinity:
+ {{- toYaml $.Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if $.Values.tolerations }}
+ tolerations:
+ {{- toYaml $.Values.tolerations | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: config
+ configMap:
+ name: sasquatch-telegraf-kafka-consumer-{{ $key }}
+{{- end }}
+{{- end }}
\ No newline at end of file
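Review bot: `podLabels` is declared in the chart's values.yaml and documented in its README, but this template never renders it, so any labels an environment sets are silently dropped; add under the pod template labels `{{- with $.Values.podLabels }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`. The container hardening (non-root, dropped capabilities, read-only root, no privilege escalation) is good, and two additions would complete it: `automountServiceAccountToken: false` on the pod spec, since nothing here talks to the Kubernetes API, and `seccompProfile: { type: RuntimeDefault }` in the pod `securityContext`. `drop: - all` is written in lowercase; the documented spelling is `ALL`, and matching it avoids surprises with policy tooling that compares capability names case-sensitively.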
diff --git a/services/sasquatch/charts/telegraf-kafka-consumer/values.yaml b/services/sasquatch/charts/telegraf-kafka-consumer/values.yaml
new file mode 100644
index 0000000000..6cb3dd3a47
--- /dev/null
+++ b/services/sasquatch/charts/telegraf-kafka-consumer/values.yaml
@@ -0,0 +1,68 @@
+## Default values.yaml for Telegraf Kafka Consumer
+image:
+ # -- Telegraf image repository.
+ repo: "lsstsqre/telegraf"
+ # -- Telegraf image tag.
+ tag: "kafka-regexp"
+ # -- Image pull policy.
+ # @default -- IfNotPresent
+ pullPolicy: "Always"
+
+# -- Annotations for telegraf-kafka-consumers pods.
+podAnnotations: {}
+
+# -- Labels for telegraf-kafka-consumer pods.
+podLabels: {}
+
+# -- Secret names to use for Docker pulls.
+imagePullSecrets: []
+
+# -- Arguments passed to the Telegraf agent containers.
+args: []
+
+# Telegraf agent enviroment variables
+env:
+ - name: TELEGRAF_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: sasquatch
+ # -- Telegraf KafkaUser password.
+ key: telegraf-password
+ - name: INFLUXDB_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: sasquatch
+ # -- InfluxDB admin password.
+ key: influxdb-password
+
+# -- Name of the secret with values to be added to the environment.
+envFromSecret: ""
+
+# List of Telegraf Kafka consumers to deploy.
+kafkaConsumers:
+ test:
+ # -- Enable the Telegraf Kafka consumer.
+ enabled: false
+ # -- Data collection interval for the Kafka consumer.
+ interval: "1s"
+ # -- Default data flushing interval to InfluxDB.
+ flush_interval: "1s"
+ # -- List of regular expressions to specify the Kafka topics consumed by this agent.
+ topicRegexps: |
+ [ ".*Test" ]
+
+influxdb:
+ # -- Name of the InfluxDB database to write to.
+ database: "telegraf-kafka-consumer"
+
+# -- Kubernetes resources requests and limits.
+resources: {}
+
+# -- Node labels for pod assignment.
+nodeSelector: {}
+
+# -- Affinity for pod assignment.
+affinity: {}
+
+# -- Tolerations for pod assignment.
+tolerations: []
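Review bot: `# @default -- IfNotPresent` contradicts the value `pullPolicy: "Always"` directly beneath it, so helm-docs will publish a default the chart does not actually use; either drop the annotation or make the value match. `tag: "kafka-regexp"` is a mutable, branch-style tag and, combined with `Always`, every pod restart may pull different code (the `telegraf` image added to `services/sasquatch/values.yaml` in this commit follows the same pattern with `tag: "avro"`); a versioned tag or an image digest makes rollouts reproducible and auditable. Comment typo: `enviroment` → `environment`.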
diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index 6807a44581..de042df35f 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -20,12 +20,19 @@ influxdb: enabled: true hostname: data-dev.lsst.cloud -kafka-connect-manager: - influxdbSink: - connectors: - test: - enabled: true - topicsRegex: ".*Test" +telegraf-kafka-consumer: + kafkaConsumers: + test: + enabled: true + replicaCount: 1 + topicRegexps: | + [ ".*Test" ] + atmcs: + enabled: true + replicaCount: 1 + topicRegexps: | + [ ".*ATMCS" ] + kafdrop: ingress: diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 39fbe99969..f490458f2c 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml 
@@ -42,6 +42,75 @@ influxdb: proxy_set_header X-Forwarded-Path /; path: / +telegraf-kafka-consumer: + kafkaConsumers: + auxtel: + enabled: true + topicRegexps: | + [ ".*ATAOS", ".*ATDome", ".*ATDomeTrajectory", ".*ATHexapod", ".*ATPneumatics", ".*ATPtg", ".*ATMCS" ] + maintel: + enabled: true + topicRegexps: | + [ ".*MTAOS", ".*MTDome", ".*MTDomeTrajectory", ".*MTPtg" ] + mtmount: + enabled: true + topicRegexps: | + [ ".*MTMount" ] + comcam: + enabled: true + topicRegexps: | + [ ".*CCArchiver", ".*CCCamera", ".*CCHeaderService", ".*CCOODS" ] + eas: + enabled: true + topicRegexps: | + [ ".*DIMM", ".*DSM", ".*WeatherStation" ] + latiss: + enabled: true + topicRegexps: | + [ ".*ATArchiver", ".*ATCamera", ".*ATHeaderService", ".*ATOODS", ".*ATSpectrograph" ] + m1m3: + enabled: true + flush_interval: "0.1s" + interval: "0.1s" + topicRegexps: | + [ ".*MTM1M3" ] + m2: + enabled: true + topicRegexps: | + [ ".*MTHexapod", ".*MTM2", ".*MTRotator" ] + obssys: + enabled: true + topicRegexps: | + [ ".*GenericCamera", ".*Scheduler", ".*Script", ".*ScriptQueue", ".*Watcher" ] + ocps: + enabled: true + topicRegexps: | + [ ".*OCPS" ] + pmd: + enabled: true + topicRegexps: | + [ ".*PMD" ] + calsys: + enabled: true + topicRegexps: | + [ ".*ATMonochromator", ".*ATWhiteLight", ".*CBP", ".*Electrometer", ".*FiberSpectrograph", ".*LinearStage", ".*TunableLaser" ] + mtaircompressor: + enabled: true + topicRegexps: | + [ ".*MTAirCompressor" ] + authorize: + enabled: true + topicRegexps: | + [ ".*Authorize" ] + mtalignment: + enabled: true + topicRegexps: | + [ ".*MTAlignment" ] + test: + enabled: true + topicRegexps: | + [ "lsst.sal.Test" ] + kafka-connect-manager: influxdbSink: # Based on the kafka producers configuration for the TTS diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index a3bc7ec762..619b06d0b5 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml 
@@ -66,6 +66,10 @@ influxdb: # -- Override kafka-connect-manager configuration. kafka-connect-manager: {} +# -- Override telegraf-kafka-consumer +telegraf-kafka-consumer: {} + + chronograf: # -- Chronograf image tag. image: @@ -115,6 +119,63 @@ kapacitor: memory: 16Gi cpu: 4 +telegraf: + image: + # -- Telegraf image repository + repo: "lsstsqre/telegraf" + # -- Telegraf image tag + tag: "avro" + pullPolicy: Always + env: + # -- Telegraf KafkaUser password. + - name: TELEGRAF_PASSWORD + valueFrom: + secretKeyRef: + name: sasquatch + key: telegraf-password + # -- InfluxDB admin password. + - name: INFLUXDB_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: sasquatch + key: influxdb-password + service: + # -- Telegraf service. + enabled: false + config: + # -- Telegraf processor plugins. + processors: {} + # -- Telegraf input plugins. + inputs: + # -- See https://github.com/influxdata/telegraf/blob/master/plugins/inputs/kafka_consumer/README.md + - kafka_consumer: + brokers: + - sasquatch-kafka-brokers.sasquatch:9092 + topics: + - lsst.sal.Test.logevent_heartbeat + sasl_username: telegraf + sasl_password: $TELEGRAF_PASSWORD + sasl_mechanism: SCRAM-SHA-512 + consumer_group: telegraf-test + max_message_len: 32768 + data_format: avro + avro_schema_registry: "http://sasquatch-schema-registry.sasquatch:8081" + avro_measurement: "test" + avro_fields: + - heartbeat + - private_efdStamp + - salIndex + avro_timestamp: private_efdStamp + avro_timestamp_format: unix_us + # -- Telegraf output destination. + outputs: + - influxdb: + urls: + - "http://sasquatch-influxdb.sasquatch:8086" + database: "kafkaconsumer" + username: admin + password: $INFLUXDB_ADMIN_PASSWORD + global: # -- Base path for Vault secrets # @default -- Set by Argo CD From 781969119776c5e065ba0827b32701b3d9e12975 Mon Sep 17 00:00:00 2001 
From: Colin Slater Date: Fri, 30 Sep 2022 14:26:49 -0700 Subject: [PATCH 1077/1479] Bump TAP_SCHEMA to pickup DM-36426. --- services/tap-schema/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index 743afa912e..d3fd0eead6 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -3,4 +3,4 @@ name: tap-schema version: 1.0.0 description: The TAP_SCHEMA database home: https://github.com/lsst/sdm_schemas -appVersion: 1.2.2 +appVersion: 1.2.3 From 1c44144ca0ceee5284c06afa410db99f28e7a6d8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 3 Oct 2022 04:58:00 +0000 Subject: [PATCH 1078/1479] Update helm/chart-testing-action action to v2.3.1 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f4a25eda04..faab6aa980 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -49,7 +49,7 @@ jobs: run: tests/expand-services - name: Set up chart-testing - uses: helm/chart-testing-action@v2.3.0 + uses: helm/chart-testing-action@v2.3.1 - name: Run chart-testing (lint) run: ct lint --all --config ct.yaml From 9094f2d6027af9e3160c122f27c78e30f38882be Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 3 Oct 2022 14:44:56 +0000 Subject: [PATCH 1079/1479] Update Helm release argo-cd to v5.5.7 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 31bacb2180..c82094f666 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 5.5.5 + version: 5.5.7 repository: https://argoproj.github.io/argo-helm 
From c8224eba086f6ca06833195ecf17c4a176d348f1 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 3 Oct 2022 07:45:32 -0700 Subject: [PATCH 1080/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 530b6f312c..514b2deb70 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 5.5.5 | +| https://argoproj.github.io/argo-helm | argo-cd | 5.5.7 | ## Values From 272bcd3ab77ecca109005feb9fadbd612cdd2644 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 3 Oct 2022 14:53:30 +0000 Subject: [PATCH 1081/1479] Update Helm release telegraf-ds to v1.1.3 --- services/telegraf-ds/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml index fcae4b4f19..a5917aa65c 100644 --- a/services/telegraf-ds/Chart.yaml +++ b/services/telegraf-ds/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.0 description: SQuaRE DaemonSet (K8s) telemetry collection service dependencies: - name: telegraf-ds - version: 1.1.1 + version: 1.1.3 repository: https://helm.influxdata.com/ From b3e48e04488173fc047aadeb28b8b295cd1f4735 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 3 Oct 2022 07:58:11 -0700 Subject: [PATCH 1082/1479] Update Helm docs --- services/telegraf-ds/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index ef66ba67b5..ffb5d374c4 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md 
@@ -6,7 +6,7 @@ SQuaRE DaemonSet (K8s) telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf-ds | 1.1.1 | +| https://helm.influxdata.com/ | telegraf-ds | 1.1.3 | ## Values From 401f6445bfef1533b154c80713aa391f3d37b358 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 3 Oct 2022 15:04:51 +0000 Subject: [PATCH 1083/1479] Update Helm release telegraf to v1.8.21 --- services/telegraf/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index 4f6ce246a7..57d41b056f 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.1 description: SQuaRE telemetry collection service dependencies: - name: telegraf - version: 1.8.20 + version: 1.8.21 repository: https://helm.influxdata.com/ From 58ca5cda3f4dd28d14cf948b84b3d89f3710d763 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 3 Oct 2022 08:10:20 -0700 Subject: [PATCH 1084/1479] Update Helm docs --- services/telegraf/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf/README.md b/services/telegraf/README.md index 3c3d794add..965f80143c 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -6,7 +6,7 @@ SQuaRE telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf | 1.8.20 | +| https://helm.influxdata.com/ | telegraf | 1.8.21 | ## Values From 7524713d69b24370752491b76af397ed12f84305 Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Mon, 3 Oct 2022 10:39:27 -0700 Subject: [PATCH 1085/1479] TTS: Add and fix generic camera related sasquatch items. --- services/sasquatch/values-tucson-teststand.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index f490458f2c..a99499ce1e 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -81,7 +81,7 @@ telegraf-kafka-consumer: obssys: enabled: true topicRegexps: | - [ ".*GenericCamera", ".*Scheduler", ".*Script", ".*ScriptQueue", ".*Watcher" ] + [ ".*Scheduler", ".*Script", ".*ScriptQueue", ".*Watcher" ] ocps: enabled: true topicRegexps: | @@ -110,6 +110,10 @@ telegraf-kafka-consumer: enabled: true topicRegexps: | [ "lsst.sal.Test" ] + genericcamera: + enabled: true + topicRegexps: | + [ ".*GCHeaderService", .*GenericCamera" ] kafka-connect-manager: influxdbSink: @@ -142,7 +146,7 @@ kafka-connect-manager: topicsRegex: ".*MTHexapod|.*MTM2|.*MTRotator" obssys: enabled: true - topicsRegex: ".*GenericCamera|.*Scheduler|.*Script|.*ScriptQueue|.*Watcher" + topicsRegex: ".*Scheduler|.*Script|.*ScriptQueue|.*Watcher" ocps: enabled: true topicsRegex: ".*OCPS" @@ -164,6 +168,9 @@ kafka-connect-manager: mtalignment: enabled: true topicsRegex: ".*MTAlignment" + genericcamera: + enabled: true + topicsRegex: ".*GCHeaderService|.*GenericCamera" kafdrop: ingress: From c378005f84aa906503fe73b78867a8844b73480d Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 3 Oct 2022 11:49:03 -0700 Subject: [PATCH 1086/1479] Fix missing quote --- services/sasquatch/values-tucson-teststand.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index a99499ce1e..1a3d183aa7 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -113,7 +113,7 @@ telegraf-kafka-consumer: genericcamera: enabled: true topicRegexps: | - [ ".*GCHeaderService", .*GenericCamera" ] + [ ".*GCHeaderService", ".*GenericCamera" ] kafka-connect-manager: influxdbSink: 
From 530f597ca08bf3a5db3055b61631cd8c981bea1a Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 3 Oct 2022 14:25:22 -0700 Subject: [PATCH 1087/1479] update DB endpoints for TTS nublado2/gafaelfawr --- services/gafaelfawr/values-tucson-teststand.yaml | 2 +- services/nublado2/values-tucson-teststand.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index 5e5862a27e..5e0c50f7a4 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml @@ -4,7 +4,7 @@ redis: config: slackAlerts: true - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + databaseUrl: "postgresql://gafaelfawr@140.252.146.49/gafaelfawr" github: clientId: "49533cbd8a8079730dcf" diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index 4e53a92f03..0398a7dff9 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml @@ -3,6 +3,8 @@ jupyterhub: hosts: ["tucson-teststand.lsst.codes"] annotations: nginx.ingress.kubernetes.io/auth-signin: "https://tucson-teststand.lsst.codes/login" + db: + url: "postgresql://jovyan@140.252.146.49/jupyterhub" singleuser: extraAnnotations: From 368d026c3a812a84f06b564901f1be462a6fdcc0 Mon Sep 17 00:00:00 2001 
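Review bot: `databaseUrl: "postgresql://gafaelfawr@140.252.146.49/gafaelfawr"` moves the database from the in-cluster `postgres.postgres` service to an external host addressed by raw IP, yet carries no `sslmode` parameter, so unless the server side enforces TLS the session crosses the network in the clear; if the client library honours it, `postgresql://gafaelfawr@140.252.146.49/gafaelfawr?sslmode=require` (or `verify-full` with a CA) would pin that down. The same applies to the nublado2 `db.url` in this commit and to the `db.host: 140.252.146.49` overrides for exposurelog and narrativelog in the next commit, which also set no TLS option. Hard-coding the IP rather than a DNS name also means a database move touches four charts; a single shared value would be easier to audit.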
From: adam Date: Mon, 3 Oct 2022 14:41:13 -0700 Subject: [PATCH 1088/1479] Add parameters for narrativelog/exposurelog and rebuild docs --- services/exposurelog/README.md | 4 ++++ services/exposurelog/templates/deployment.yaml | 10 +++++----- services/exposurelog/values-tucson-teststand.yaml | 2 ++ services/exposurelog/values.yaml | 10 ++++++++++ services/narrativelog/README.md | 4 ++++ services/narrativelog/templates/deployment.yaml | 10 +++++----- services/narrativelog/values-tucson-teststand.yaml | 2 ++ services/narrativelog/values.yaml | 10 ++++++++++ 8 files changed, 42 insertions(+), 10 deletions(-) diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index be69c3c671..a963dc990e 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -21,6 +21,10 @@ Exposure log service | config.nfs_server_1 | string | `""` | Name of the NFS server that exports nfs_path_1 Specify a non-blank value if and only if the corresponding nfs_path_1 is not blank. | | config.nfs_server_2 | string | `""` | Name of the NFS server that exports nfs_path_2 Specify a non-blank value if and only if the corresponding nfs_path_1 is not blank. | | config.site_id | string | `""` | Site ID; a non-empty string of up to 16 characters. This should be different for each non-sandbox deployment. Sandboxes should use `test`. | +| db.database | string | `"exposurelog"` | database name | +| db.host | string | `"postgres.postgres"` | database host | +| db.port | int | `5432` | database port | +| db.user | string | `"exposurelog"` | database user | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml index 0057ed6e89..67d7a6d433 100644 
--- a/services/exposurelog/templates/deployment.yaml +++ b/services/exposurelog/templates/deployment.yaml @@ -56,18 +56,18 @@ spec: - name: BUTLER_URI_2 value: {{ .Values.config.butler_uri_2 | quote }} - name: EXPOSURELOG_DB_USER - value: exposurelog + value: {{ .Values.db.user | quote }} - name: EXPOSURELOG_DB_PASSWORD valueFrom: secretKeyRef: name: postgres key: exposurelog_password - name: EXPOSURELOG_DB_HOST - value: postgres.postgres + value: {{ .Values.db.host | quote }} - name: EXPOSURELOG_DB_PORT - value: "5432" - - name: EXPOSURELOG_DB_DATABSE - value: exposurelog + value: {{ .Values.db.port | quote }} + - name: EXPOSURELOG_DB_DATABASE + value: {{ .Values.db.database | quote }} - name: SITE_ID value: {{ .Values.config.site_id | quote }} volumeMounts: diff --git a/services/exposurelog/values-tucson-teststand.yaml b/services/exposurelog/values-tucson-teststand.yaml index 5f7828a251..22c1f491a3 100644 --- a/services/exposurelog/values-tucson-teststand.yaml +++ b/services/exposurelog/values-tucson-teststand.yaml @@ -7,3 +7,5 @@ config: nfs_path_2: /repo/LATISS # Mounted as /volume_2 nfs_server_2: auxtel-archiver.tu.lsst.org butler_uri_2: /volume_2 +db: + host: 140.252.146.49 diff --git a/services/exposurelog/values.yaml b/services/exposurelog/values.yaml index 123c84cf93..d9a807127e 100644 --- a/services/exposurelog/values.yaml +++ b/services/exposurelog/values.yaml @@ -20,6 +20,16 @@ image: # @default -- The appVersion of the chart tag: "" +db: + # -- database host + host: postgres.postgres + # -- database port + port: 5432 + # -- database user + user: exposurelog + # -- database name + database: exposurelog + ingress: # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "" diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index 1f65d61184..a1353b42d0 100644 --- a/services/narrativelog/README.md +++ b/services/narrativelog/README.md 
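Review bot: Besides parameterising the values, this hunk renames the env var `EXPOSURELOG_DB_DATABSE` to `EXPOSURELOG_DB_DATABASE` (the narrativelog deployment hunk in this commit does the same for `NARRATIVELOG_DB_DATABASE`), which the commit message does not mention; confirm the application reads the corrected spelling, otherwise the database name silently falls back to whatever the service defaults to. `value: {{ .Values.db.port | quote }}` is the right form, since `db.port` is an int in values.yaml and env values must be strings.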
@@ -15,6 +15,10 @@ Narrative log service | autoscaling.targetMemoryUtilizationPercentage | int | `80` | Target memory utilization for narrativelog pod autoscale calculations | | config | object | `{"site_id":""}` | Application-specific configuration | | config.site_id | string | `""` | Site ID; a non-empty string of up to 16 characters. This should be different for each non-sandbox deployment. Sandboxes should use `test`. | +| db.database | string | `"narrativelog"` | database name | +| db.host | string | `"postgres.postgres"` | database host | +| db.port | int | `5432` | database port | +| db.user | string | `"narrativelog"` | database user | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | diff --git a/services/narrativelog/templates/deployment.yaml b/services/narrativelog/templates/deployment.yaml index 7b65173217..e5cee34e34 100644 --- a/services/narrativelog/templates/deployment.yaml +++ b/services/narrativelog/templates/deployment.yaml @@ -52,18 +52,18 @@ spec: {{- toYaml .Values.resources | nindent 12 }} env: - name: NARRATIVELOG_DB_USER - value: narrativelog + value: {{ .Values.db.user | quote }} - name: NARRATIVELOG_DB_PASSWORD valueFrom: secretKeyRef: name: postgres key: narrativelog_password - name: NARRATIVELOG_DB_HOST - value: postgres.postgres + value: {{ .Values.db.host | quote }} - name: NARRATIVELOG_DB_PORT - value: "5432" - - name: NARRATIVELOG_DB_DATABSE - value: narrativelog + value: {{ .Values.db.port | quote }} + - name: NARRATIVELOG_DB_DATABASE + value: {{ .Values.db.database | quote }} - name: SITE_ID value: {{ .Values.config.site_id | quote }} {{- with .Values.nodeSelector }} diff --git a/services/narrativelog/values-tucson-teststand.yaml b/services/narrativelog/values-tucson-teststand.yaml index 71d6b32dce..e104e68f8a 100644 
--- a/services/narrativelog/values-tucson-teststand.yaml +++ b/services/narrativelog/values-tucson-teststand.yaml @@ -1,2 +1,4 @@ config: site_id: tucson +db: + host: 140.252.146.49 diff --git a/services/narrativelog/values.yaml b/services/narrativelog/values.yaml index 113450a78e..cd16ffa3a6 100644 --- a/services/narrativelog/values.yaml +++ b/services/narrativelog/values.yaml @@ -20,6 +20,16 @@ image: # @default -- The appVersion of the chart tag: "" +db: + # -- database host + host: postgres.postgres + # -- database port + port: 5432 + # -- database user + user: narrativelog + # -- database name + database: narrativelog + ingress: # -- Gafaelfawr auth query string gafaelfawrAuthQuery: "" From d23d98154ce9b411e48c2fef9f832cf9ac6be340 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 3 Oct 2022 16:22:54 -0700 Subject: [PATCH 1089/1479] move *log services to their own vaultsecrets --- services/exposurelog/templates/deployment.yaml | 2 +- services/exposurelog/templates/vault-secrets.yaml | 4 ++-- services/narrativelog/templates/deployment.yaml | 2 +- services/narrativelog/templates/vault-secrets.yaml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml index 67d7a6d433..5983bce19c 100644 --- a/services/exposurelog/templates/deployment.yaml +++ b/services/exposurelog/templates/deployment.yaml @@ -60,7 +60,7 @@ spec: - name: EXPOSURELOG_DB_PASSWORD valueFrom: secretKeyRef: - name: postgres + name: exposurelog key: exposurelog_password - name: EXPOSURELOG_DB_HOST value: {{ .Values.db.host | quote }} diff --git a/services/exposurelog/templates/vault-secrets.yaml b/services/exposurelog/templates/vault-secrets.yaml index 161d7cf3fa..2d30e8e123 100644 --- a/services/exposurelog/templates/vault-secrets.yaml +++ b/services/exposurelog/templates/vault-secrets.yaml 
@@ -1,10 +1,10 @@ apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: - name: postgres + name: exposurelog namespace: exposurelog spec: - path: "{{- .Values.global.vaultSecretsPath }}/postgres" + path: "{{- .Values.global.vaultSecretsPath }}/exposurelog" type: Opaque --- apiVersion: ricoberger.de/v1alpha1 diff --git a/services/narrativelog/templates/deployment.yaml b/services/narrativelog/templates/deployment.yaml index e5cee34e34..3284cd27a7 100644 --- a/services/narrativelog/templates/deployment.yaml +++ b/services/narrativelog/templates/deployment.yaml @@ -56,7 +56,7 @@ spec: - name: NARRATIVELOG_DB_PASSWORD valueFrom: secretKeyRef: - name: postgres + name: narrativelog key: narrativelog_password - name: NARRATIVELOG_DB_HOST value: {{ .Values.db.host | quote }} diff --git a/services/narrativelog/templates/vault-secrets.yaml b/services/narrativelog/templates/vault-secrets.yaml index 1a204ff75d..dc13a9537a 100644 --- a/services/narrativelog/templates/vault-secrets.yaml +++ b/services/narrativelog/templates/vault-secrets.yaml @@ -1,10 +1,10 @@ apiVersion: ricoberger.de/v1alpha1 kind: VaultSecret metadata: - name: postgres + name: narrativelog namespace: narrativelog spec: - path: "{{- .Values.global.vaultSecretsPath }}/postgres" + path: "{{- .Values.global.vaultSecretsPath }}/narrativelog" type: Opaque --- apiVersion: ricoberger.de/v1alpha1 From 150d0462896c9fb2076542438321427fad013269 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 3 Oct 2022 16:33:46 -0700 Subject: [PATCH 1090/1479] fix nublado2 chart indentation --- services/nublado2/values-tucson-teststand.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index 0398a7dff9..e730d72132 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml 
@@ -3,8 +3,8 @@ jupyterhub: hosts: ["tucson-teststand.lsst.codes"] annotations: nginx.ingress.kubernetes.io/auth-signin: "https://tucson-teststand.lsst.codes/login" - db: - url: "postgresql://jovyan@140.252.146.49/jupyterhub" + db: + url: "postgresql://jovyan@140.252.146.49/jupyterhub" singleuser: extraAnnotations: From e46c5c712a2cca18d66fd9b876449e400f983579 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 3 Oct 2022 16:38:58 -0700 Subject: [PATCH 1091/1479] fix db name --- services/nublado2/values-tucson-teststand.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index e730d72132..eb3bc5d683 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml @@ -3,8 +3,9 @@ jupyterhub: hosts: ["tucson-teststand.lsst.codes"] annotations: nginx.ingress.kubernetes.io/auth-signin: "https://tucson-teststand.lsst.codes/login" - db: - url: "postgresql://jovyan@140.252.146.49/jupyterhub" + hub: + db: + url: "postgresql://jovyan@140.252.146.49/jupyterhub" singleuser: extraAnnotations: From b88f2296c408599be3eace0a2972919a685bc6a2 Mon Sep 17 00:00:00 2001 From: adam Date: Mon, 3 Oct 2022 16:49:29 -0700 Subject: [PATCH 1092/1479] Remove postgres from TTS --- installer/generate_secrets.py | 10 ++++++++++ science-platform/values-tucson-teststand.yaml | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 42193e6830..464cfec712 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py 
@@ -370,6 +370,16 @@ def _rsp_alerts(self): "rsp-alerts", "slack-webhook", "Slack webhook for alerts" ) + def _narrativelog(self): + """Give narrativelog its own secret for externalization.""" + db_pass = self.secrets["postgres"]["narrativelog_password"] + self._set("narrativelog", "database-password", db_pass) + + def _exposurelog(self): + """Give exposurelog its own secret for externalization.""" + db_pass = self.secrets["postgres"]["exposurelog_password"] + self._set("exposureloglog", "database-password", db_pass) + class OnePasswordSecretGenerator(SecretGenerator): """A secret generator that syncs 1Password secrets into a secrets directory diff --git a/science-platform/values-tucson-teststand.yaml b/science-platform/values-tucson-teststand.yaml index b703a19846..57a43e17e3 100644 --- a/science-platform/values-tucson-teststand.yaml +++ b/science-platform/values-tucson-teststand.yaml @@ -33,7 +33,7 @@ plot_navigator: portal: enabled: true postgres: - enabled: true + enabled: false sasquatch: enabled: true production_tools: From 2fd324f30d34dac092c0b7bd28927f864d337dd3 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 4 Oct 2022 11:23:19 +0200 Subject: [PATCH 1093/1479] moved hips server from 2mass to DSS --- services/portal/values-ccin2p3.yaml | 2 +- services/tap/values-ccin2p3.yaml | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index 481a0c5459..115611cd15 100644 --- a/services/portal/values-ccin2p3.yaml +++ b/services/portal/values-ccin2p3.yaml @@ -5,4 +5,4 @@ resources: memory: "24Gi" config: - hipsUrl: "http://alasky.cds.unistra.fr/2MASS/Color" \ No newline at end of file + hipsUrl: "http://alasky.cds.unistra.fr/DSS/DSSColor" \ No newline at end of file diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 2c0e46f56e..9d7ebe7123 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml 
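Review bot: `self._set("exposureloglog", "database-password", db_pass)` names the secret `exposureloglog`, while the VaultSecret from the previous commit reads `{{ .Values.global.vaultSecretsPath }}/exposurelog` and the deployment's `secretKeyRef.name` is `exposurelog`; the line should read `self._set("exposurelog", "database-password", db_pass)`. The key also looks inconsistent: both new methods write `database-password`, but the exposurelog and narrativelog deployments read `key: exposurelog_password` and `key: narrativelog_password` from those secrets, so unless `_set` renames keys the pods will not resolve the password env var. This assumes `_set`'s first argument is the secret name, as in the neighbouring `_set("rsp-alerts", ...)` call. The enclosing class starts outside the hunk.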
@@ -8,7 +8,4 @@ qserv: host: "ccqserv201.in2p3.fr:30040" mock: enabled: false -# image: -# # -- tap image to use -# repository: "gabrimaine/lsst-tap-service" -# tag: "1.2.1-CC2" + From d3414ae4e16dfafe4a5ffbe8fcd632d140c8c492 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 4 Oct 2022 11:43:19 +0200 Subject: [PATCH 1094/1479] Fix yaml lint --- services/portal/values-ccin2p3.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index 115611cd15..38fd78c35f 100644 --- a/services/portal/values-ccin2p3.yaml +++ b/services/portal/values-ccin2p3.yaml @@ -5,4 +5,5 @@ resources: memory: "24Gi" config: - hipsUrl: "http://alasky.cds.unistra.fr/DSS/DSSColor" \ No newline at end of file + hipsUrl: "http://alasky.cds.unistra.fr/DSS/DSSColor" + From 0289e1b66b10a2f310e556830d545b0fa2fd47a6 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 4 Oct 2022 11:44:46 +0200 Subject: [PATCH 1095/1479] fix yaml lint --- services/tap/values-ccin2p3.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/tap/values-ccin2p3.yaml b/services/tap/values-ccin2p3.yaml index 9d7ebe7123..c573f85a6c 100644 --- a/services/tap/values-ccin2p3.yaml +++ b/services/tap/values-ccin2p3.yaml @@ -8,4 +8,3 @@ qserv: host: "ccqserv201.in2p3.fr:30040" mock: enabled: false - From 8c22cbee8b9c1d7adacbfc7d25317a369a563d7a Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 4 Oct 2022 11:47:21 +0200 Subject: [PATCH 1096/1479] fix lint From 3fe06bd69b1a34aae62d3e5e9a59f3c79a616641 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 4 Oct 2022 11:50:16 +0200 Subject: [PATCH 1097/1479] Lint again From c46fe8d8bc7701077212b62614cc8fac972591f4 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 4 Oct 2022 11:51:29 +0200 Subject: [PATCH 1098/1479] lint --- services/portal/values-ccin2p3.yaml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/services/portal/values-ccin2p3.yaml b/services/portal/values-ccin2p3.yaml index 38fd78c35f..fa6a1ef9bc 100644 --- a/services/portal/values-ccin2p3.yaml +++ b/services/portal/values-ccin2p3.yaml @@ -6,4 +6,3 @@ resources: config: hipsUrl: "http://alasky.cds.unistra.fr/DSS/DSSColor" - From d29a62546a55028bf5aad1d36e43ddcd3ff91a27 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 4 Oct 2022 16:48:36 -0700 Subject: [PATCH 1099/1479] Bump version of Gafaelfawr --- services/gafaelfawr/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 7a2d695b65..096bb571c1 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,4 +5,4 @@ description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 6.0.0 +appVersion: 6.1.0 From 106d057f678c8f4be8ed50086144d5ad9ab15958 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Tue, 4 Oct 2022 15:39:52 -0700 Subject: [PATCH 1100/1479] Remove old ingress configuration for InfluxDB - Now that we are using the lsst-efd-client 0.12.0 everywhere, we can remove the ingress configuration to influxdb-tucson-teststand-efd.lsst.codes and the corresponding TLS secret. --- .../sasquatch/templates/vault-secrets.yaml | 11 ----------- .../sasquatch/values-tucson-teststand.yaml | 18 +----------------- 2 files changed, 1 insertion(+), 28 deletions(-) diff --git a/services/sasquatch/templates/vault-secrets.yaml b/services/sasquatch/templates/vault-secrets.yaml index 58b3b3351b..d44b29b2dc 100644 --- a/services/sasquatch/templates/vault-secrets.yaml +++ b/services/sasquatch/templates/vault-secrets.yaml 
@@ -14,14 +14,3 @@ metadata:
 spec:
 path: "{{ .Values.global.vaultSecretsPath }}/pull-secret"
 type: kubernetes.io/dockerconfigjson
----
-# tls-certs secret is here only to enable influxdb-tucson-teststand-efd.lsst.codes
-# and should be removed when that's gone.
-apiVersion: ricoberger.de/v1alpha1
-kind: VaultSecret
-metadata:
- name: tls-certs
- namespace: sasquatch
-spec:
- path: "{{ .Values.global.vaultSecretsPath }}/efd/tls-certs"
- type: Opaque
diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml
index 1a3d183aa7..8b5ac1357a 100644
--- a/services/sasquatch/values-tucson-teststand.yaml
+++ b/services/sasquatch/values-tucson-teststand.yaml
@@ -22,25 +22,9 @@ strimzi-kafka:
 influxdb:
 persistence:
 storageClass: rook-ceph-block
- # Temporarily enable this ingress to allow access by the EFD client
- # version 0.11.0. Once version 0.12.0 is the default one, this
- # can be removed and we should use tucson-teststand.lsst.codes/influxdb
- # instead.
 ingress:
 enabled: true
- tls: true
- secretName: tls-certs
- hostname: influxdb-tucson-teststand-efd.lsst.codes
- annotations:
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/affinity: "cookie"
- nginx.ingress.kubernetes.io/proxy-body-size: "0m"
- nginx.ingress.kubernetes.io/rewrite-target: /
- nginx.ingress.kubernetes.io/configuration-snippet: |
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header X-Forwarded-Port 443;
- proxy_set_header X-Forwarded-Path /;
- path: /
+ hostname: tucson-teststand.lsst.codes
 telegraf-kafka-consumer:
 kafkaConsumers:
From 3804b55bde7c07fda2c0dfbab608a66bf4c9792e Mon Sep 17 00:00:00 2001
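Review bot: The replacement ingress keeps `enabled: true` and sets only `hostname: tucson-teststand.lsst.codes`, so `tls: true`, `secretName: tls-certs` and the `ssl-redirect` annotation vanish together with the dedicated hostname, leaving nothing in this file that says how the InfluxDB HTTP API (which the README elsewhere on this page shows with `auth-enabled: true`, i.e. credentials on the wire) stays on HTTPS. That is presumably fine if TLS for that hostname is terminated by the environment's shared ingress, as the commit message implies, but the file should say so: `# TLS and the /influxdb path for this hostname are provided by the environment's shared ingress; no per-host TLS here.`. The dropped `path: /` and `rewrite-target` annotation also mean the ingress now relies on the chart's default path, so it is worth confirming that default is the `/influxdb` the removed comment pointed to.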
From: Angelo Fausti Date: Tue, 4 Oct 2022 15:44:53 -0700 Subject: [PATCH 1101/1479] Remove telegraf configuration - That's replaced by Telegraf Kafka consumer which is enabled on specific environments for the moment. --- services/sasquatch/README.md | 10 ------ services/sasquatch/values.yaml | 57 ---------------------------------- 2 files changed, 67 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 1424dbb004..5514fb7598 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -45,13 +45,3 @@ Rubin Observatory's telemetry service. | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","clusterNamespace":"sasquatch","operatorNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | | telegraf-kafka-consumer | object | `{}` | Override telegraf-kafka-consumer | -| telegraf.config.inputs | list | `[{"kafka_consumer":{"avro_fields":["heartbeat","private_efdStamp","salIndex"],"avro_measurement":"test","avro_schema_registry":"http://sasquatch-schema-registry.sasquatch:8081","avro_timestamp":"private_efdStamp","avro_timestamp_format":"unix_us","brokers":["sasquatch-kafka-brokers.sasquatch:9092"],"consumer_group":"telegraf-test","data_format":"avro","max_message_len":32768,"sasl_mechanism":"SCRAM-SHA-512","sasl_password":"$TELEGRAF_PASSWORD","sasl_username":"telegraf","topics":["lsst.sal.Test.logevent_heartbeat"]}}]` | Telegraf input plugins. | -| telegraf.config.inputs[0] | object | `{"kafka_consumer":{"avro_fields":["heartbeat","private_efdStamp","salIndex"],"avro_measurement":"test","avro_schema_registry":"http://sasquatch-schema-registry.sasquatch:8081","avro_timestamp":"private_efdStamp","avro_timestamp_format":"unix_us","brokers":["sasquatch-kafka-brokers.sasquatch:9092"],"consumer_group":"telegraf-test","data_format":"avro","max_message_len":32768,"sasl_mechanism":"SCRAM-SHA-512","sasl_password":"$TELEGRAF_PASSWORD","sasl_username":"telegraf","topics":["lsst.sal.Test.logevent_heartbeat"]}}` | See https://github.com/influxdata/telegraf/blob/master/plugins/inputs/kafka_consumer/README.md | -| telegraf.config.outputs | list | `[{"influxdb":{"database":"kafkaconsumer","password":"$INFLUXDB_ADMIN_PASSWORD","urls":["http://sasquatch-influxdb.sasquatch:8086"],"username":"admin"}}]` | Telegraf output destination. | -| telegraf.config.processors | object | `{}` | Telegraf processor plugins. 
| -| telegraf.env[0] | object | `{"name":"TELEGRAF_PASSWORD","valueFrom":{"secretKeyRef":{"key":"telegraf-password","name":"sasquatch"}}}` | Telegraf KafkaUser password. | -| telegraf.env[1] | object | `{"name":"INFLUXDB_ADMIN_PASSWORD","valueFrom":{"secretKeyRef":{"key":"influxdb-password","name":"sasquatch"}}}` | InfluxDB admin password. | -| telegraf.image.pullPolicy | string | `"Always"` | | -| telegraf.image.repo | string | `"lsstsqre/telegraf"` | Telegraf image repository | -| telegraf.image.tag | string | `"avro"` | Telegraf image tag | -| telegraf.service.enabled | bool | `false` | Telegraf service. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 619b06d0b5..e1bb15716e 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml 
@@ -119,63 +119,6 @@ kapacitor: memory: 16Gi cpu: 4 -telegraf: - image: - # -- Telegraf image repository - repo: "lsstsqre/telegraf" - # -- Telegraf image tag - tag: "avro" - pullPolicy: Always - env: - # -- Telegraf KafkaUser password. - - name: TELEGRAF_PASSWORD - valueFrom: - secretKeyRef: - name: sasquatch - key: telegraf-password - # -- InfluxDB admin password. - - name: INFLUXDB_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: sasquatch - key: influxdb-password - service: - # -- Telegraf service. - enabled: false - config: - # -- Telegraf processor plugins. - processors: {} - # -- Telegraf input plugins. - inputs: - # -- See https://github.com/influxdata/telegraf/blob/master/plugins/inputs/kafka_consumer/README.md - - kafka_consumer: - brokers: - - sasquatch-kafka-brokers.sasquatch:9092 - topics: - - lsst.sal.Test.logevent_heartbeat - sasl_username: telegraf - sasl_password: $TELEGRAF_PASSWORD - sasl_mechanism: SCRAM-SHA-512 - consumer_group: telegraf-test - max_message_len: 32768 - data_format: avro - avro_schema_registry: "http://sasquatch-schema-registry.sasquatch:8081" - avro_measurement: "test" - avro_fields: - - heartbeat - - private_efdStamp - - salIndex - avro_timestamp: private_efdStamp - avro_timestamp_format: unix_us - # -- Telegraf output destination. - outputs: - - influxdb: - urls: - - "http://sasquatch-influxdb.sasquatch:8086" - database: "kafkaconsumer" - username: admin - password: $INFLUXDB_ADMIN_PASSWORD - global: # -- Base path for Vault secrets # @default -- Set by Argo CD From 843080767e88d654115862f938f1e1268fe96256 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 5 Oct 2022 13:57:27 -0700 Subject: [PATCH 1102/1479] Add missing resource requests and limits configuration --- services/sasquatch/README.md | 8 ++++++++ services/sasquatch/charts/kafdrop/README.md | 5 ++++- services/sasquatch/charts/kafdrop/values.yaml | 8 +++++++- services/sasquatch/values.yaml | 15 +++++++++++++++ 4 files changed, 34 insertions(+), 2 deletions(-) 
diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 5514fb7598..578ac86886 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -24,6 +24,10 @@ Rubin Observatory's telemetry service. | chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.4"}` | Chronograf image tag. | | chronograf.ingress | object | disabled | Chronograf ingress configuration. | | chronograf.persistence | object | `{"enabled":true,"size":"100Gi"}` | Chronograf data persistence configuration. | +| chronograf.resources.limits.cpu | int | `4` | | +| chronograf.resources.limits.memory | string | `"16Gi"` | | +| chronograf.resources.requests.cpu | int | `1` | | +| chronograf.resources.requests.memory | string | `"1Gi"` | | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":0,"query-timeout":"0s","write-timeout":"1h"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0},"logging":{"level":"debug"}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | 
@@ -31,6 +35,10 @@ Rubin Observatory's telemetry service. | influxdb.initScripts.enabled | bool | `false` | Enable InfluxDB custom initialization script. | | influxdb.persistence.enabled | bool | `true` | Enable persistent volume claim. By default storageClass is undefined choosing the default provisioner (standard on GKE). | | influxdb.persistence.size | string | `"1Ti"` | Persistent volume size. @default 1Ti for teststand deployments | +| influxdb.resources.limits.cpu | int | `8` | | +| influxdb.resources.limits.memory | string | `"96Gi"` | | +| influxdb.resources.requests.cpu | int | `1` | | +| influxdb.resources.requests.memory | string | `"1Gi"` | | | influxdb.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"sasquatch"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | | kafka-connect-manager | object | `{}` | Override kafka-connect-manager configuration. | | kapacitor.envVars | object | `{"KAPACITOR_SLACK_ENABLED":true}` | Kapacitor environment variables. | diff --git a/services/sasquatch/charts/kafdrop/README.md b/services/sasquatch/charts/kafdrop/README.md index 0c0126820b..4d60ad1654 100644 --- a/services/sasquatch/charts/kafdrop/README.md +++ b/services/sasquatch/charts/kafdrop/README.md 
@@ -27,7 +27,10 @@ A subchart to deploy the Kafdrop UI for Sasquatch.
 | nodeSelector | object | `{}` | Node selector configuration. |
 | podAnnotations | object | `{}` | Pod annotations. |
 | replicaCount | int | `1` | Number of kafdrop pods to run in the deployment. |
-| resources | object | `{}` | |
+| resources.limits.cpu | int | `2` | |
+| resources.limits.memory | string | `"4Gi"` | |
+| resources.requests.cpu | int | `1` | |
+| resources.requests.memory | string | `"0.2Gi"` | |
 | schemaregistry | string | `"http://sasquatch-schema-registry.sasquatch:8081"` | The endpoint of Schema Registry |
 | server.port | int | Defaults to 9000. | The web server port to listen on. |
 | server.servlet | object | Defaults to /. | The context path to serve requests on (must end with a /). |
diff --git a/services/sasquatch/charts/kafdrop/values.yaml b/services/sasquatch/charts/kafdrop/values.yaml
index 8c08196e79..172bd2c1c0 100644
--- a/services/sasquatch/charts/kafdrop/values.yaml
+++ b/services/sasquatch/charts/kafdrop/values.yaml
@@ -63,7 +63,13 @@ ingress:
 # -- Ingress path.
 path: /kafdrop
-resources: {}
+resources:
+ requests:
+ memory: 0.2Gi
+ cpu: 1
+ limits:
+ memory: 4Gi
+ cpu: 2
 # -- Node selector configuration.
 nodeSelector: {}
diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml
index e1bb15716e..bf13551c75 100644
--- a/services/sasquatch/values.yaml
+++ b/services/sasquatch/values.yaml
@@ -62,6 +62,14 @@ influxdb:
 # scripts:
 # # -- InfluxDB custom initialization script.
 # init.iql: |+
+ resources:
+ requests:
+ memory: 1Gi
+ cpu: 1
+ limits:
+ memory: 96Gi
+ cpu: 8
+
 # -- Override kafka-connect-manager configuration.
 kafka-connect-manager: {}
@@ -94,6 +102,13 @@ chronograf:
 CUSTOM_AUTO_REFRESH: "1s=1000"
 # -- Chronograf secrets, expected keys generic_client_id, generic_client_secret and token_secret.
 envFromSecret: "sasquatch"
+ resources:
+ requests:
+ memory: 1Gi
+ cpu: 1
+ limits:
+ memory: 16Gi
+ cpu: 4
 kapacitor:
 # -- Kapacitor image tag.
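Review bot: The new `resources` block in the kafdrop `values.yaml` hunk carries no `# --` helm-docs comment, and the same is true of the `resources` blocks added to the influxdb and chronograf sections of the sasquatch `values.yaml` hunks, which is why every generated `resources.*` row in the two README hunks of this commit has an empty description column while every neighbouring key is described. Adding `# -- Resource requests and limits for the kafdrop pod.` above `resources:` (and the equivalent sentence for InfluxDB and Chronograf) would fill those rows on the next `helm-docs` run. The influxdb block is also inserted directly under a commented-out `# init.iql: |+` line, so a comment there doubles as a visual separator from the disabled example above it.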
From cd25dc11baf77a7c867102b82347cadfb5972165 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 5 Oct 2022 14:06:18 -0700 Subject: [PATCH 1103/1479] Increase Kafka retention period - Increase Kafka retention to 72h to give it more time for the Telegraf Kafka consumers and Kafka replicator --- services/sasquatch/charts/strimzi-kafka/README.md | 6 +++--- services/sasquatch/charts/strimzi-kafka/values.yaml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 43c0656d53..83e4526e3f 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md 
@@ -9,10 +9,10 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | cluster.name | string | `"sasquatch"` | Name used for the Kafka cluster, and used by Strimzi for many annotations. | | connect.image | string | `"lsstsqre/strimzi-0.29.0-kafka-3.1.1:1.0.0"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | | connect.replicas | int | `3` | Number of Kafka Connect replicas to run. | -| kafka.config | object | `{"log.retention.bytes":"429496729600","log.retention.hours":24,"offsets.retention.minutes":1440}` | Configuration overrides for the Kafka server. | +| kafka.config | object | `{"log.retention.bytes":"429496729600","log.retention.hours":72,"offsets.retention.minutes":4320}` | Configuration overrides for the Kafka server. | | kafka.config."log.retention.bytes" | string | `"429496729600"` | Maximum retained number of bytes for a topic's data. | -| kafka.config."log.retention.hours" | int | `24` | Number of days for a topic's data to be retained. | -| kafka.config."offsets.retention.minutes" | int | `1440` | Number of minutes for a consumer group's offsets to be retained. | +| kafka.config."log.retention.hours" | int | `72` | Number of days for a topic's data to be retained. | +| kafka.config."offsets.retention.minutes" | int | `4320` | Number of minutes for a consumer group's offsets to be retained. | | kafka.externalListener.bootstrap.annotations | object | `{}` | Annotations that will be added to the Ingress, Route, or Service resource. | | kafka.externalListener.bootstrap.host | string | `""` | Name used for TLS hostname verification. | | kafka.externalListener.bootstrap.loadBalancerIP | string | `""` | The loadbalancer is requested with the IP address specified in this field. This feature depends on whether the underlying cloud provider supports specifying the loadBalancerIP when a load balancer is created. This field is ignored if the cloud provider does not support the feature. 
Once the IP address is provisioned this option make it possible to pin the IP address. We can request the same IP next time it is provisioned. This is important because it lets us configure a DNS record, associating a hostname with that pinned IP address. |
diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml
index 54af642dd5..4fafcd1fed 100644
--- a/services/sasquatch/charts/strimzi-kafka/values.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/values.yaml
@@ -16,9 +16,9 @@ kafka:
 # -- Configuration overrides for the Kafka server.
 config:
 # -- Number of minutes for a consumer group's offsets to be retained.
- offsets.retention.minutes: 1440
+ offsets.retention.minutes: 4320
 # -- Number of days for a topic's data to be retained.
- log.retention.hours: 24
+ log.retention.hours: 72
 # -- Maximum retained number of bytes for a topic's data.
 log.retention.bytes: "429496729600"
From 0f78fbfad7c2964666e2d7c03cf298d8b95651ed Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 5 Oct 2022 14:30:02 -0700
Subject: [PATCH 1104/1479] Upgrade JupyterHub database at summit Enable automatic upgrade of the JupyterHub database at the summit for the JupyterHub 3.0 migration.
---
 services/nublado2/values-summit.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml
index 55c6699c6e..9736f4772f 100644
--- a/services/nublado2/values-summit.yaml
+++ b/services/nublado2/values-summit.yaml
@@ -1,4 +1,7 @@
 jupyterhub:
+ hub:
+ db:
+ upgrade: true
 ingress:
 hosts: ["summit-lsp.lsst.codes"]
 annotations:
From 8ec37e7a0a9b4dcfd83b7f4a59dd44ec49aff65e Mon Sep 17 00:00:00 2001
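Review bot: The helm-docs comment directly above the changed `log.retention.hours` line still reads `Number of days for a topic's data to be retained.`, but the key and the new value `72` are hours, and the regenerated README row in the previous hunk repeats the mismatch; it should be `# -- Number of hours for a topic's data to be retained.`. The bump of `offsets.retention.minutes` to `4320` is exactly 72 hours, so the two values appear to be kept deliberately equal, and recording that intent avoids the next edit changing one without the other, e.g. `# -- Number of minutes for a consumer group's offsets to be retained (kept equal to log.retention.hours).`.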
From: Russ Allbery
Date: Wed, 5 Oct 2022 14:56:46 -0700
Subject: [PATCH 1105/1479] Move database update flag Remove the flag from the summit and add it to the Tucson test stand and IDF dev.
---
 services/nublado2/values-idfdev.yaml | 2 ++
 services/nublado2/values-summit.yaml | 3 ---
 services/nublado2/values-tucson-teststand.yaml | 1 +
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/nublado2/values-idfdev.yaml b/services/nublado2/values-idfdev.yaml
index f49bc99be3..6ef89aafea 100644
--- a/services/nublado2/values-idfdev.yaml
+++ b/services/nublado2/values-idfdev.yaml
@@ -3,6 +3,8 @@ jupyterhub:
 config:
 ServerApp:
 shutdown_no_activity_timeout: 432000
+ db:
+ upgrade: true
 cull:
 enabled: true
diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml
index 9736f4772f..55c6699c6e 100644
--- a/services/nublado2/values-summit.yaml
+++ b/services/nublado2/values-summit.yaml
@@ -1,7 +1,4 @@
 jupyterhub:
- hub:
- db:
- upgrade: true
 ingress:
 hosts: ["summit-lsp.lsst.codes"]
 annotations:
diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml
index eb3bc5d683..61890b83b1 100644
--- a/services/nublado2/values-tucson-teststand.yaml
+++ b/services/nublado2/values-tucson-teststand.yaml
@@ -5,6 +5,7 @@ jupyterhub:
 nginx.ingress.kubernetes.io/auth-signin: "https://tucson-teststand.lsst.codes/login"
 hub:
 db:
+ upgrade: true
 url: "postgresql://jovyan@140.252.146.49/jupyterhub"
 singleuser:
From a61d18806b0d4cfba993126ba8557f320248343d Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Wed, 5 Oct 2022 16:45:05 -0700
Subject: [PATCH 1106/1479] Increase memory limit for Strimzi cluster operator
---
 services/strimzi/values-idfdev.yaml | 2 +-
 services/strimzi/values-idfint.yaml | 2 +-
 services/strimzi/values-summit.yaml | 2 +-
 services/strimzi/values-tucson-teststand.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
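Review bot: In the idfdev hunk `db:` / `upgrade: true` is appended after the `config:` / `ServerApp:` / `shutdown_no_activity_timeout` context rather than next to an explicit `hub:` key as in the tucson-teststand hunk, and with indentation lost in this rendering I cannot confirm it lands as `hub.db.upgrade` rather than inside `hub.config`; the rendered values are worth a look. The previous commit's message describes this flag as an automatic database upgrade for the JupyterHub 3.0 migration, which is one-way and time-bound, but neither file records that, so a comment such as `# Run the JupyterHub database schema upgrade for the 3.0 migration; remove once this environment is migrated.` above `db:` in both the idfdev and tucson-teststand hunks would tell the next maintainer when to take it out again.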
diff --git a/services/strimzi/values-idfdev.yaml b/services/strimzi/values-idfdev.yaml index d642c1f7f9..6eb0bd0082 100644 --- a/services/strimzi/values-idfdev.yaml +++ b/services/strimzi/values-idfdev.yaml @@ -1,7 +1,7 @@ strimzi-kafka-operator: resources: limits: - memory: "512Mi" + memory: "1Gi" requests: memory: "512Mi" watchNamespaces: diff --git a/services/strimzi/values-idfint.yaml b/services/strimzi/values-idfint.yaml index d642c1f7f9..6eb0bd0082 100644 --- a/services/strimzi/values-idfint.yaml +++ b/services/strimzi/values-idfint.yaml @@ -1,7 +1,7 @@ strimzi-kafka-operator: resources: limits: - memory: "512Mi" + memory: "1Gi" requests: memory: "512Mi" watchNamespaces: diff --git a/services/strimzi/values-summit.yaml b/services/strimzi/values-summit.yaml index 7c977c078e..1abe0d7c86 100644 --- a/services/strimzi/values-summit.yaml +++ b/services/strimzi/values-summit.yaml @@ -1,7 +1,7 @@ strimzi-kafka-operator: resources: limits: - memory: "512Mi" + memory: "1Gi" requests: memory: "512Mi" watchNamespaces: diff --git a/services/strimzi/values-tucson-teststand.yaml b/services/strimzi/values-tucson-teststand.yaml index d642c1f7f9..6eb0bd0082 100644 --- a/services/strimzi/values-tucson-teststand.yaml +++ b/services/strimzi/values-tucson-teststand.yaml @@ -1,7 +1,7 @@ strimzi-kafka-operator: resources: limits: - memory: "512Mi" + memory: "1Gi" requests: memory: "512Mi" watchNamespaces: From 2cd1d130373176e8383ce8a383ca2f496bfe3f3c Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 5 Oct 2022 14:22:20 -0700 Subject: [PATCH 1107/1479] Increase mirrormaker resources --- .../charts/strimzi-kafka/templates/mirrormaker2.yaml | 8 ++++---- services/sasquatch/values-idfint.yaml | 7 +++++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml b/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml index f79abe2e56..b599b91922 100644 
--- a/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml
@@ -94,9 +94,9 @@ spec:
 topicsPattern: {{ .Values.mirrormaker2.source.topicsPattern }}
 resources:
 requests:
- cpu: "1"
- memory: 512Mi
+ cpu: {{ .Values.mirrormaker2.resources.requests.cpu | quote }}
+ memory: {{ .Values.mirrormaker2.resources.requests.memory | quote }}
 limits:
- cpu: "2"
- memory: 4Gi
+ cpu: {{ .Values.mirrormaker2.resources.limits.cpu | quote }}
+ memory: {{ .Values.mirrormaker2.resources.limits.memory | quote }}
 {{ end }}
diff --git a/services/sasquatch/values-idfint.yaml b/services/sasquatch/values-idfint.yaml
index d2dd4c71bb..d4443b8f96 100644
--- a/services/sasquatch/values-idfint.yaml
+++ b/services/sasquatch/values-idfint.yaml
@@ -19,6 +19,13 @@ strimzi-kafka:
 source:
 bootstrapServer: sasquatch-dev-kafka-bootstrap.lsst.cloud:9094
 topicsPattern: "registry-schemas, lsst.sal.*"
+ resources:
+ requests:
+ cpu: 2
+ memory: 4Gi
+ limits:
+ cpu: 4
+ memory: 8Gi
 influxdb:
 ingress:
From f926da512a4965be195ab45a6f99d64d52ac11e1 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Thu, 6 Oct 2022 14:08:36 -0700
Subject: [PATCH 1108/1479] Fix kafdrop memory limit value
---
 services/sasquatch/charts/kafdrop/README.md | 2 +-
 services/sasquatch/charts/kafdrop/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/sasquatch/charts/kafdrop/README.md b/services/sasquatch/charts/kafdrop/README.md
index 4d60ad1654..8a1751d804 100644
--- a/services/sasquatch/charts/kafdrop/README.md
+++ b/services/sasquatch/charts/kafdrop/README.md
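Review bot: The four new `{{ .Values.mirrormaker2.resources.… | quote }}` lines dereference `resources.requests` and `resources.limits` unconditionally, but this commit only defines them in `values-idfint.yaml`; the subchart's own `values.yaml` is not in the diffstat, so an environment that enables mirrormaker2 without a `resources` block would presumably fail to render (Helm errors when it walks a field of a nil map) or, if only a leaf is missing, emit `cpu: ""`. Adding defaults for those four keys to the subchart's `values.yaml` — the previous hard-coded `cpu: "1"` / `memory: 512Mi` requests and `cpu: "2"` / `memory: 4Gi` limits are the obvious choice, with a `# --` comment for helm-docs — keeps the other environments rendering as before. The `{{ if }}` block that the `{{ end }}` context line closes starts outside the hunk.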
@@ -30,7 +30,7 @@ A subchart to deploy the Kafdrop UI for Sasquatch. | resources.limits.cpu | int | `2` | | | resources.limits.memory | string | `"4Gi"` | | | resources.requests.cpu | int | `1` | | -| resources.requests.memory | string | `"0.2Gi"` | | +| resources.requests.memory | string | `"200Mi"` | | | schemaregistry | string | `"http://sasquatch-schema-registry.sasquatch:8081"` | The endpoint of Schema Registry | | server.port | int | Defaults to 9000. | The web server port to listen on. | | server.servlet | object | Defaults to /. | The context path to serve requests on (must end with a /). | diff --git a/services/sasquatch/charts/kafdrop/values.yaml b/services/sasquatch/charts/kafdrop/values.yaml index 172bd2c1c0..e944c3762d 100644 --- a/services/sasquatch/charts/kafdrop/values.yaml +++ b/services/sasquatch/charts/kafdrop/values.yaml @@ -65,7 +65,7 @@ ingress: resources: requests: - memory: 0.2Gi + memory: 200Mi cpu: 1 limits: memory: 4Gi From 19fa762d1f59d5835dc75cee28082dbb344968ff Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 27 Sep 2022 12:12:55 -0400 Subject: [PATCH 1109/1479] Initial adoption of Rubin user guide theme This adds the documenteer.conf.guide configuration along with documenteer.toml-based configuration. --- docs/_rst_epilog.rst | 6 ++ docs/conf.py | 147 +----------------------------------------- docs/documenteer.toml | 16 +++++ docs/requirements.txt | 3 +- 4 files changed, 24 insertions(+), 148 deletions(-) create mode 100644 docs/_rst_epilog.rst create mode 100644 docs/documenteer.toml diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst new file mode 100644 index 0000000000..bd1cbcabbb --- /dev/null +++ b/docs/_rst_epilog.rst @@ -0,0 +1,6 @@ +.. _Argo CD: https://argoproj.github.io/argo-cd/ +.. _Helm: https://helm.sh +.. _IVOA: https://ivoa.net/documents/ +.. _semantic versioning: https://semver.org/ +.. _helm-docs: https://github.com/norwoodj/helm-docs +.. _pre-commit: https://pre-commit.com 
diff --git a/docs/conf.py b/docs/conf.py index 4c3690b0cc..8764a89d16 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -1,146 +1 @@ -import os -import re -import sys - -import lsst_sphinx_bootstrap_theme - - -# Work around Sphinx bug related to large and highly-nested source files -sys.setrecursionlimit(2000) - -# -- General configuration ------------------------------------------------ - -# If your documentation needs a minimal Sphinx version, state it here. -# needs_sphinx = '1.0' - -# Add any Sphinx extension module names here, as strings. They can be -# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom -# ones. -extensions = [ - "sphinx.ext.autodoc", - "sphinx.ext.intersphinx", - "sphinx.ext.todo", - "sphinx.ext.ifconfig", - "documenteer.sphinxext", -] - -# The suffix(es) of source filenames. -# You can specify multiple suffix as a list of string: -# source_suffix = ['.rst', '.md'] -source_suffix = ".rst" - -# The master toctree document. -master_doc = "index" - -# General information about the project. -project = "Phalanx" -copyright = ( - "2020, Association of Universities for Research in Astronomy, Inc. (AURA)" -) -author = "LSST SQuaRE" - -# The version info for the project you're documenting, acts as replacement for -# |version| and |release|, also used in various other places throughout the -# built documents. -github_ref = os.getenv("GITHUB_REF", default="refs/heads/master") -ref_match = re.match(r"refs/(heads|tags|pull)/(?P.+)", github_ref) -if ref_match is None: - version = "Current" -elif ref_match["ref"] == "master": - version = "Current" -else: - version = ref_match["ref"] -release = version - -html_title = f"{project} ({version}) documentation" - -# The language for content autogenerated by Sphinx. Refer to documentation -# for a list of supported languages. -# -# This is also used if you do content translation via gettext catalogs. -# Usually you set "language" from the command line for these cases. 
-language = "en" - -# There are two options for replacing |today|: either, you set today to some -# non-false value, then it is used: -# today = '' -# Else, today_fmt is used as the format for a strftime call. -# today_fmt = '%B %d, %Y' - -# List of patterns, relative to source directory, that match files and -# directories to ignore when looking for source files. -exclude_patterns = ["_build", "README.rst"] - -# The name of the Pygments (syntax highlighting) style to use. -pygments_style = "sphinx" - -# The reST default role cross-links Python (used for this markup: `text`) -default_role = "py:obj" - -# Intersphinx - -intersphinx_mapping = { - # 'python': ('https://docs.python.org/3/', None), -} - -rst_epilog = """ -.. _Argo CD: https://argoproj.github.io/argo-cd/ -.. _Helm: https://helm.sh -.. _IVOA: https://ivoa.net/documents/ -.. _semantic versioning: https://semver.org/ -.. _helm-docs: https://github.com/norwoodj/helm-docs -.. _pre-commit: https://pre-commit.com -""" - -# -- Options for linkcheck builder ---------------------------------------- - -linkcheck_retries = 2 -linkcheck_timeout = 5 # seconds -linkcheck_ignore = [ - r"^http://localhost", - r"^http(s)*://ls.st", -] - -# -- Options for HTML output ---------------------------------------------- - -templates_path = [ - "_templates", - lsst_sphinx_bootstrap_theme.get_html_templates_path(), -] - -html_theme = "lsst_sphinx_bootstrap_theme" -html_theme_path = [lsst_sphinx_bootstrap_theme.get_html_theme_path()] - - -html_context = { - # Enable "Edit in GitHub" link - "display_github": True, - # https://{{ github_host|default("github.com") }}/{{ github_user }}/ - # {{ github_repo }}/blob/ - # {{ github_version }}{{ conf_py_path }}{{ pagename }}{{ suffix }} - "github_user": "lsst-sqre", - "github_repo": "phalanx", - "conf_py_path": "docs/", - # TRAVIS_BRANCH is available in CI, but master is a safe default - "github_version": os.getenv("TRAVIS_BRANCH", default="master") + "/", -} - -# Theme options are 
theme-specific and customize the look and feel of a theme -# further. For a list of options available for each theme, see the -# documentation. -html_theme_options = {"logotext": project} - -# The name for this set of Sphinx documents. If None, it defaults to -# " v documentation". -# html_title = None - -# A shorter title for the navigation bar. Default is the same as html_title. -html_short_title = project - -# Add any paths that contain custom static files (such as style sheets) here, -# relative to this directory. They are copied after the builtin static files, -# so a file named "default.css" will overwrite the builtin "default.css". -html_static_path = [] - -# If true, links to the reST sources are added to the pages. -html_show_sourcelink = False +from documenteer.conf.guide import * # noqa: F401 F403 diff --git a/docs/documenteer.toml b/docs/documenteer.toml new file mode 100644 index 0000000000..618a7953b5 --- /dev/null +++ b/docs/documenteer.toml @@ -0,0 +1,16 @@ +[project] +title = "Phalanx" +copyright = "2020-2022 Association of Universities for Research in Astronomy, Inc. (AURA)" +base_url = "https://phalanx.lsst.io" +github_url = "https://github.com/lsst-sqre/phalanx" +github_default_branch = "master" +version = "Current" + +[sphinx] +rst_epilog_file = "_rst_epilog.rst" + +[sphinx.linkcheck] +ignore = [ + '^http://localhost', + '^http(s)*://ls.st', +] diff --git a/docs/requirements.txt b/docs/requirements.txt index 7e21850f4a..15cfd0f1e5 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,3 +1,2 @@ diagrams -documenteer[pipelines] -ltd-conveyor +documenteer[guide]>=0.7.0b4 From 306f2588d4823c1f10aa85d2f3a8dd427310e2c9 Mon Sep 17 00:00:00 2001 
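Review bot: The removed `sys.setrecursionlimit(2000)` was annotated as a workaround for a Sphinx bug on large, highly nested source files, and nothing in the single remaining star import visibly restores it; if `documenteer.conf.guide` does not raise the limit itself, builds of the affected pages may regress with a RecursionError. A two-line follow-up keeps the workaround explicit next to the import: `import sys` / `sys.setrecursionlimit(2000)  # Sphinx bug on deeply nested sources`. The previous `html_show_sourcelink = False` is also dropped without a counterpart in `documenteer.toml`, and the edit-on-GitHub target now comes from the new `github_default_branch = "master"` rather than the `TRAVIS_BRANCH`-derived value, so both are worth confirming against a rendered page.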
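Review bot: `documenteer[guide]>=0.7.0b4` sets only a pre-release floor with no upper bound, so every docs build resolves the newest documenteer release and its transitive theme packages at install time, which makes builds non-reproducible and lets a broken or compromised upstream release land in CI unreviewed. The same applies to the bare `sphinx-diagrams` line added in the following commit (PATCH 1110). Pin to an exact version, e.g. `documenteer[guide]==0.7.0b4`, and if the project uses a lock or hash-generating tool elsewhere, produce this file with it so a dependency-update bot keeps it current through reviewed pull requests.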
From: Jonathan Sick Date: Tue, 27 Sep 2022 12:41:16 -0400 Subject: [PATCH 1110/1479] Use sphinx-diagrams and co-locate graphics - Use sphinx-diagrams, https://github.com/j-martin/sphinx-diagrams, to make it easier to integrate diagrams with the Sphinx build - Colocate all graphics with their content, making it easier to maintain in the long run. Deprecate the use of _static. --- docs/Makefile | 11 ++--------- docs/documenteer.toml | 3 +++ docs/{_static => ops/gafaelfawr}/github-oauth.png | Bin docs/ops/gafaelfawr/github-organizations.rst | 2 +- docs/ops/tap/index.rst | 10 ++-------- docs/{_static => ops/tap}/notebook-tap.py | 14 +++----------- docs/{_static => ops/tap}/portal-tap.py | 14 +++----------- docs/requirements.txt | 2 +- 8 files changed, 15 insertions(+), 41 deletions(-) rename docs/{_static => ops/gafaelfawr}/github-oauth.png (100%) rename docs/{_static => ops/tap}/notebook-tap.py (86%) rename docs/{_static => ops/tap}/portal-tap.py (87%) diff --git a/docs/Makefile b/docs/Makefile index 4ec685ce45..a19a4cc12c 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -8,7 +8,6 @@ PAPER = BUILDDIR = _build # Internal variables. -IMAGES = _static/notebook-tap.png _static/portal-tap.png PAPEROPT_a4 = -D latex_paper_size=a4 PAPEROPT_letter = -D latex_paper_size=letter ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . @@ -26,20 +25,14 @@ help: clean: rm -rf $(BUILDDIR)/* -_static/notebook-tap.png: - python _static/notebook-tap.py - -_static/portal-tap.png: - python _static/portal-tap.py - .PHONY: html -html: $(IMAGES) +html: $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html @echo @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." .PHONY: linkcheck -linkcheck: $(IMAGES) +linkcheck: $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck @echo @echo "Link check complete; look for any errors in the above output " \ diff --git a/docs/documenteer.toml b/docs/documenteer.toml index 618a7953b5..4157af9f08 100644 
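Review bot: With `html:` and `linkcheck:` no longer depending on `$(IMAGES)`, the PNGs are rendered inside the Sphinx run by the `sphinx_diagrams` extension, which introduces a system-level dependency that `docs/requirements.txt` cannot express, whereas the removed rules at least made the generation step visible. A comment above the `html` target, `# Diagrams are rendered by sphinx_diagrams at build time and need Graphviz (dot) on PATH`, plus a matching line in the docs README, would keep a fresh checkout from failing with an opaque error. I am inferring the Graphviz requirement from the `diagrams` package the scripts import rather than from anything in this hunk, so confirm it against the extension's documentation before adding the comment.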
--- a/docs/documenteer.toml +++ b/docs/documenteer.toml @@ -8,6 +8,9 @@ version = "Current" [sphinx] rst_epilog_file = "_rst_epilog.rst" +extensions = [ + "sphinx_diagrams" +] [sphinx.linkcheck] ignore = [ diff --git a/docs/_static/github-oauth.png b/docs/ops/gafaelfawr/github-oauth.png similarity index 100% rename from docs/_static/github-oauth.png rename to docs/ops/gafaelfawr/github-oauth.png diff --git a/docs/ops/gafaelfawr/github-organizations.rst b/docs/ops/gafaelfawr/github-organizations.rst index 94b9c848a9..cfec536509 100644 --- a/docs/ops/gafaelfawr/github-organizations.rst +++ b/docs/ops/gafaelfawr/github-organizations.rst @@ -7,7 +7,7 @@ Since we're using GitHub for group information, all organizations that should co GitHub supports two ways of doing this: make the organization membership public, or grant the OAuth App access to that organization's data explicitly. GitHub allows the user to do the latter in the authorization screen during OAuth 2.0 authentication. -.. figure:: /_static/github-oauth.png +.. figure:: github-oauth.png :name: GitHub OAuth authorization screen The authorization screen shown by GitHub during an OAuth App authentication. diff --git a/docs/ops/tap/index.rst b/docs/ops/tap/index.rst index 0eb61764e1..15f98c1a3d 100644 --- a/docs/ops/tap/index.rst +++ b/docs/ops/tap/index.rst @@ -24,12 +24,6 @@ Upgrading ``tap`` normally only requires an Argo CD sync. .. rubric:: Architecture -.. figure:: /_static/notebook-tap.png - :name: Flow for Notebook Aspect queries to TAP +.. diagrams:: notebook-tap.py - Flow for Notebook Aspect queries to TAP - -.. figure:: /_static/portal-tap.png - :name: Flow for Portal Aspect queries to TAP - - Flow for Portal Aspect queries to TAP +.. diagrams:: portal-tap.py diff --git a/docs/_static/notebook-tap.py b/docs/ops/tap/notebook-tap.py similarity index 86% rename from docs/_static/notebook-tap.py rename to docs/ops/tap/notebook-tap.py index e04ac1bc99..a37f422adc 100644 --- a/docs/_static/notebook-tap.py 
+++ b/docs/ops/tap/notebook-tap.py @@ -1,19 +1,11 @@ -import os - -from diagrams import Cluster, Diagram, Edge +from diagrams import Cluster, Edge from diagrams.gcp.compute import KubernetesEngine from diagrams.gcp.database import SQL, Datastore, Memorystore from diagrams.gcp.network import LoadBalancing from diagrams.onprem.client import User +from sphinx_diagrams import SphinxDiagram -os.chdir(os.path.dirname(__file__)) - -with Diagram( - "Notebook to TAP", - show=False, - filename="notebook-tap", - outformat="png", -): +with SphinxDiagram(title="Notebook to TAP"): user = User("End User") with Cluster("Kubernetes"): diff --git a/docs/_static/portal-tap.py b/docs/ops/tap/portal-tap.py similarity index 87% rename from docs/_static/portal-tap.py rename to docs/ops/tap/portal-tap.py index 3c09ecfdbf..0a1fce548f 100644 --- a/docs/_static/portal-tap.py +++ b/docs/ops/tap/portal-tap.py @@ -1,19 +1,11 @@ -import os - -from diagrams import Cluster, Diagram, Edge +from diagrams import Cluster, Edge from diagrams.gcp.compute import KubernetesEngine from diagrams.gcp.database import SQL, Datastore, Memorystore from diagrams.gcp.network import LoadBalancing from diagrams.onprem.client import User +from sphinx_diagrams import SphinxDiagram -os.chdir(os.path.dirname(__file__)) - -with Diagram( - "Portal to TAP", - show=False, - filename="portal-tap", - outformat="png", -): +with SphinxDiagram(title="Portal to TAP"): user = User("End User") with Cluster("Kubernetes"): diff --git a/docs/requirements.txt b/docs/requirements.txt index 15cfd0f1e5..af4999d316 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,2 +1,2 @@ -diagrams documenteer[guide]>=0.7.0b4 +sphinx-diagrams From 9c07a19a9968be747991422f6f8ce62c89522ce7 Mon Sep 17 00:00:00 2001 
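Review bot: Dropping `os.chdir(os.path.dirname(__file__))` changes the working directory in which the rest of the script runs (the `with` block continues outside the hunk), so any path the diagram nodes resolve relative to the cwd, custom icons for example, will now resolve against the directory Sphinx was started from rather than `docs/ops/tap/`; the same applies to `portal-tap.py` in this commit. If such paths exist, keep `import os` and build them from `os.path.dirname(__file__)` explicitly. Since the new `.. diagrams::` directive presumably executes these scripts during the docs build, they warrant the same review standard as the rest of the repository's code rather than being treated as static assets.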
From: Jonathan Sick Date: Tue, 27 Sep 2022 13:37:35 -0400 Subject: [PATCH 1111/1479] Drop squash-api page The squash-api service is no longer present, so we'll remove this content for now. It can be updated and re-introduced as sasquatch later. --- docs/index.rst | 1 - docs/ops/squash-api/index.rst | 94 ----------------------------------- 2 files changed, 95 deletions(-) delete mode 100644 docs/ops/squash-api/index.rst diff --git a/docs/index.rst b/docs/index.rst index a51acfc930..245c054ca0 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -69,7 +69,6 @@ Services ops/mobu/index ops/nublado2/index ops/postgres/index - ops/squash-api/index ops/tap/index ops/vault-secrets-operator/index diff --git a/docs/ops/squash-api/index.rst b/docs/ops/squash-api/index.rst deleted file mode 100644 index 227b6c8ab5..0000000000 --- a/docs/ops/squash-api/index.rst +++ /dev/null 
@@ -1,94 +0,0 @@ -########## -squash-api -########## - -.. list-table:: - :widths: 10,40 - - * - Edit on GitHub - - `/services/squash-api `__ - * - Type - - Helm_ - * - Namespace - - ``squash-api`` - -.. rubric:: Overview - -The ``squash-api`` app deploys a REST API for managing Science Pipelines metrics. -You can learn more about SQuaSH in SQR-009_. - -.. _SQR-009: https://sqr-009.lsst.io/ - -Currently, the ``squash-api`` is deployed using the ``squash-sandbox`` and ``squash-prod`` environments along with other services: - -- argo-cd -- cert-manager -- chronograf -- gafaelfawr -- influxdb -- kapacitor -- ingress-nginx -- vault-secrets-operator - -You can reach the following services, for example, for the ``https://squash-sandbox.lsst.codes`` deployment: - -- https://squash-sandbox.lsst.codes (SQuaSH API) -- https://squash-sandbox.lsst.codes/argo-cd (Argo CD) -- https://squash-sandbox.lsst.codes/chronograf (Chronograf) -- https://squash-sandbox.lsst.codes/influxdb (InfluxDB) - -The Science Pipelines use lsst.verify_ to collect metrics and their measurements and produce verification jobs that are uploaded to the SQuaSH API. -An internal task in the SQuaSH API extracts metric values and metadata from the verification jobs and stores them in InfluxDB. - -.. _lsst.verify: https://sqr-019.lsst.io/ - -Chronograf is the UI for displaying measurements of the Science Pipeline metrics and it uses Gafaelfawr to authenticate users with the CILogon provider. - -.. rubric:: SQuaSH data migration - -Here we document the steps to migrate data from an existing SQuaSH instance to a new one. -To exemplify this, let's assume we want to migrate data from https://squash-prod.lsst.codes to https://squash-sandbox.lsst.codes to make a clone of the production instance. - -The SQuaSH API uses a MySQL instance, managed by CloudSQL, to store the Science Pipelines verification jobs. 
-The steps to clone the CloudSQL instance are: - -* Clone the ``squash-db-prod`` database in CloudSQL to a new instance, e.g. ``squash-db-sandbox-N``, where N is an incremental number. -* Update the database user credentials, they have to match the the ``squash-db-user`` and ``squash-db-password`` keys in the ``squash-api`` secret for the new https://squash-sandbox.lsst.codes deployment. -* Update ``instanceConnectionName:`` in ``services/squash-api/values-squash-sandbox.yaml`` to the new value. -* Synchronize the ``squash-api`` app in https://squash-sandbox.lsst.codes/argo-cd to connect to the Cloud SQL instance clone. - -You can check if the connection was successful by inspecting the logs of the ``cloudsql-proxy`` container in the ``squash-api`` pod. - -To migrate InfluxDB databases use the ``dump.sh`` and ``restore.sh`` scripts in `squash-api/scripts/ `_. - -First, set the ``kubectl`` context of the source InfluxDB instance (https://squash-prod.lsst.codes) then run: - -.. code:: - - ./dump.sh influxdb squash-prod # this database stores measurements of the science pipelines metrics - ./dump.sh influxdb chronograf # this database stores chronograf data such as annotations and the alert history - -where ``influxdb`` is the namespace of the InfluxDB deployment, and the second argument is the name of the database to dump. - -Before running the ``restore.sh`` script, set the ``kubectl`` context of the destination InfluxDB instance (https://squash-sandbox.lsst.codes). -Then use the output directory from the ``dump.sh`` command as the input directory for the ``restore.sh`` command: - -.. code:: - - ./restore.sh influxdb squash-prod - ./restore.sh influxdb chronograf - -where ``influxdb`` is the namespace of the InfluxDB deployment, and the second argument is the name of the database to restore. - -In addition to the MySQL CloudSQL instance and the InfluxDB databases, there are two other context databases that need to be restored. 
-The Chronograf context database stores users, organizations, connection data to InfluxDB and Kapacitor, and dashboard data. -The Kapacitor database stores the alert rules and TICKScritps. - -To restore the Chronograf and Kapacitor databases set the ``kubectl`` context of the source instance and copy the files: - -.. code:: - - kubectl cp chronograf/:var/lib/chronograf/chronograf-v1.db chronograf-v1.db - kubectl cp kapacitor/:var/lib/kapacitor/kapacitor.db kapacitor.db - -Set the ``kubectl`` context of the destionation instance, copy the database files to the same location into the corresponding pods, and then restart the pods for that to take effect. From 8e31fd0ecc757dacea395f0de8830d183493b3c0 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 27 Sep 2022 13:39:23 -0400 Subject: [PATCH 1112/1479] Simplify make for docs --- docs/Makefile | 38 +++++++++----------------------------- docs/conf.py | 2 ++ 2 files changed, 11 insertions(+), 29 deletions(-) diff --git a/docs/Makefile b/docs/Makefile index a19a4cc12c..4e4857f497 100644 --- a/docs/Makefile +++ b/docs/Makefile 
@@ -1,45 +1,25 @@ # Makefile for Sphinx documentation -# - -# You can set these variables from the command line. -SPHINXOPTS = -SPHINXBUILD = sphinx-build -PAPER = -BUILDDIR = _build - -# Internal variables. -PAPEROPT_a4 = -D latex_paper_size=a4 -PAPEROPT_letter = -D latex_paper_size=letter -ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . -# the i18n builder cannot share the environment and doctrees with the others -I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . .PHONY: help help: @echo "Please use \`make ' where is one of" + @echo " init install dependencies" + @echo " clean delete builds" @echo " html to make standalone HTML files" @echo " linkcheck to check all external links for integrity" - @echo " dummy to check syntax errors of document sources" + +.PHONY: init +init: + pip install -r requirements.txt .PHONY: clean clean: - rm -rf $(BUILDDIR)/* + rm -rf _build/* .PHONY: html html: - $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html - @echo - @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." + sphinx-build -b html -d _build/doctrees . _build/html .PHONY: linkcheck linkcheck: - $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck - @echo - @echo "Link check complete; look for any errors in the above output " \ - "or in $(BUILDDIR)/linkcheck/output.txt." - -.PHONY: dummy -dummy: - $(SPHINXBUILD) -b dummy $(ALLSPHINXOPTS) $(BUILDDIR)/dummy - @echo - @echo "Build finished. Dummy builder generates no files." + sphinx-build -b linkcheck -d _build/doctrees . _build/linkcheck diff --git a/docs/conf.py b/docs/conf.py index 8764a89d16..a386856375 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -1 +1,3 @@ from documenteer.conf.guide import * # noqa: F401 F403 + +exclude_patterns.append("requirements.txt") # noqa: F405 From ee21770376e142ccdbf66db1263eca3a040d6b7f Mon Sep 17 00:00:00 2001 
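Review bot: The new `html` and `linkcheck` recipes hard-code `sphinx-build` with no `SPHINXOPTS` hook, so CI can no longer pass `-W --keep-going` (or `-n`) to turn warnings into failures without editing the Makefile; the variable the old file exposed for this was removed together with the rest of the boilerplate. Keep a single overridable variable: `SPHINXOPTS ?=` near the top and `sphinx-build -b html $(SPHINXOPTS) -d _build/doctrees . _build/html` in the recipe, with the same change for linkcheck. The `init` target also calls bare `pip`, which may belong to a different interpreter than the one `sphinx-build` resolves to; `python -m pip install -r requirements.txt` ties the two together.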
From: Jonathan Sick Date: Tue, 27 Sep 2022 15:26:46 -0400 Subject: [PATCH 1113/1479] Clean up links for linkcheck builder Where possible, also consolidate common links into the common _rst_epilog.rst file. --- docs/_rst_epilog.rst | 9 ++++++++- docs/conf.py | 2 ++ docs/introduction.rst | 5 +---- docs/ops/argo-cd/authentication.rst | 8 ++++---- docs/ops/argo-cd/upgrading.rst | 2 +- docs/ops/bootstrapping.rst | 18 ++++++++---------- docs/ops/cachemachine/index.rst | 2 +- docs/ops/cachemachine/pruning.rst | 2 +- docs/ops/cert-manager/index.rst | 2 +- docs/ops/gafaelfawr/index.rst | 2 +- docs/ops/vault-secrets-operator/index.rst | 8 +++----- docs/service-guide/create-service.rst | 5 +++-- docs/service-guide/linting-and-helm-docs.rst | 2 +- docs/service-guide/local-development.rst | 4 ++-- 14 files changed, 37 insertions(+), 34 deletions(-) diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst index bd1cbcabbb..847d4a929c 100644 --- a/docs/_rst_epilog.rst +++ b/docs/_rst_epilog.rst @@ -1,6 +1,13 @@ .. _Argo CD: https://argoproj.github.io/argo-cd/ +.. _CILogon: https://www.cilogon.org/home +.. _Docker: https://www.docker.com/ .. _Helm: https://helm.sh +.. _helm-docs: https://github.com/norwoodj/helm-docs .. _IVOA: https://ivoa.net/documents/ +.. _Kubernetes: https://kubernetes.io/ +.. _LSST Vault Utilites: https://github.com/lsst-sqre/lsstvaultutils/ +.. _phalanx repository: https://github.com/lsst-sqre/phalanx .. _semantic versioning: https://semver.org/ -.. _helm-docs: https://github.com/norwoodj/helm-docs .. _pre-commit: https://pre-commit.com +.. _Vault: https://www.vaultproject.io/ +.. _Vault Secrets Operator: https://github.com/ricoberger/vault-secrets-operator diff --git a/docs/conf.py b/docs/conf.py index a386856375..f63bee5b49 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -1,3 +1,5 @@ from documenteer.conf.guide import * # noqa: F401 F403 exclude_patterns.append("requirements.txt") # noqa: F405 + +linkcheck_anchors = False 
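Review bot: `linkcheck_anchors = False` turns off fragment verification for every external link, so a URL whose page exists but whose `#section` anchor has been renamed now passes linkcheck silently, which undercuts the link clean-up this commit performs. If the motivation is a specific host that renders anchors client-side, scope the exemption instead: `linkcheck_anchors_ignore = [...]` for the affected anchor patterns, or add that host to the existing `ignore` list in `documenteer.toml`. Either way the setting deserves a why-comment such as `# Anchor checks disabled: <reason>`, since a bare boolean gives the next maintainer no basis for re-enabling it.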
diff --git a/docs/introduction.rst b/docs/introduction.rst index d5cfb5d660..54dc180c14 100644 --- a/docs/introduction.rst +++ b/docs/introduction.rst @@ -6,9 +6,6 @@ The Rubin Science Platform runs on `Kubernetes`_ Kubernetes provides a way to coordinate running services on multiple nodes. Kubernetes runs a set of `Docker`_ containers and sets up the networking, storage, and configuration of those containers. -.. _Kubernetes: https://kubernetes.io/ -.. _Docker: https://docker.com/ - Git repositories for individual services typically have build pipelines resulting in new Docker container builds when code changes are merged. For example, our Jenkins build system builds stack and JupyterLab containers, and the `lsst-tap-service repository `__ builds the TAP service containers. @@ -30,5 +27,5 @@ That is, it won't notice when the configuration changes and apply those changes. Argo CD watches its source repository for new Git commits and will keep track of those changes, either applying them automatically ("syncing" them), or waiting for an operator to press the sync button in the web UI. Argo CD is the only layer in this stack that has a web UI that can be easily navigated, and it provides many useful features, such as deleting resources and resyncing services. -The Rubin Science Platform stores its Argo CD configuration in the `phalanx repository `__. +The Rubin Science Platform stores its Argo CD configuration in the `phalanx repository`_. This includes the Argo CD application resources, pointers to the Helm charts for all services that are installed as part of the Science Platform, and values files to configure those services. diff --git a/docs/ops/argo-cd/authentication.rst b/docs/ops/argo-cd/authentication.rst index 1db7f1dd51..993d1a6581 100644 --- a/docs/ops/argo-cd/authentication.rst +++ b/docs/ops/argo-cd/authentication.rst 
@@ -47,7 +47,7 @@ To set up Google SSO authentication to Argo CD in a new cluster, take the follow #. Enter "Argo CD" as the name. #. Add the ``/argo-cd/api/dex/callback`` route under "Authorized redirect URIs." - For example: https://data-int.lsst.cloud/argo-cd/api/dex/callback + For example: ``https://data-int.lsst.cloud/argo-cd/api/dex/callback`` #. Click on create. This will pop up a dialog with the client ID and secret for the newly-created OAuth client. @@ -121,9 +121,9 @@ To set up Google SSO authentication to Argo CD in a new cluster, take the follow #. Click New OAuth App. #. Enter the following information (adjust for the environment): - - Application name: RSP Argo CD (IDF-int) - - Homepage URL: https://data-int.lsst.cloud/argo-cd - - Authorization callback URL: https://data-int.lsst.cloud/argo-cd/api/dex/callback + - Application name: ``RSP Argo CD (IDF-int)`` + - Homepage URL: ``https://data-int.lsst.cloud/argo-cd`` + - Authorization callback URL: ``https://data-int.lsst.cloud/argo-cd/api/dex/callback`` #. Click "Register Application". diff --git a/docs/ops/argo-cd/upgrading.rst b/docs/ops/argo-cd/upgrading.rst index 2347b5b47d..3ab39403a6 100644 --- a/docs/ops/argo-cd/upgrading.rst +++ b/docs/ops/argo-cd/upgrading.rst @@ -45,7 +45,7 @@ Manual upgrade process Replace ``$VERSION`` with the version of Argo CD as discovered above. The version will begin with a ``v``. - This is taken from the `Argo CD disaster recovery documentation `__ with the addition of the namespace flag. + This is taken from the `Argo CD disaster recovery documentation `__ with the addition of the namespace flag. The backup will not be needed if all goes well. diff --git a/docs/ops/bootstrapping.rst b/docs/ops/bootstrapping.rst index 29427e6047..6b031e8688 100644 --- a/docs/ops/bootstrapping.rst +++ b/docs/ops/bootstrapping.rst 
@@ -9,8 +9,8 @@ Requirements * The installer assumes Git 2.22 or later. -* We presume that you are using `Vault `__ coupled with `Vault Secrets Operator `__ to manage your Kubernetes secrets, and further that you will use the same taxonomy that SQuaRE does as described in the `LSST Vault Utilities `__ documentation (essentially ``secret/k8s_operator/``). - We strongly recommend using the `LSST Vault Utilites `__ to create multiple enclaves (one per instance), so that then compromise of one instance doesn't expose all your secrets for all instances. +* We presume that you are using Vault_ coupled with `Vault Secrets Operator`_ to manage your Kubernetes secrets, and further that you will use the same taxonomy that SQuaRE does as described in the `LSST Vault Utilities documentation `__ documentation (essentially ``secret/k8s_operator/``). + We strongly recommend using the `LSST Vault Utilites`_ to create multiple enclaves (one per instance), so that then compromise of one instance doesn't expose all your secrets for all instances. * Rubin Science Platform applications expect the public hostname of the Science Platform to have a TLS certificate that can be verified using standard CA roots. Using a self-signed certificate or an institutional CA that is not in the normal list of CAs shipped with Docker base images will probably not work. 
@@ -19,12 +19,10 @@ Requirements Checklist ========= -#. Fork the `phalanx repository - `__ if this work is separate - from the SQuaRE-managed environments. +#. Fork the `phalanx repository`_ if this work is separate from the SQuaRE-managed environments. -#. Create a virtual environment with the tools you will need from the installer's `requirements.txt `__. - If you are not using 1password as your source of truth (which, if you are not in a SQuaRE-managed environment, you probably are not) then you may omit ``1password``. +#. Create a virtual environment with the tools you will need from the installer's `requirements.txt `__. + If you are not using 1Password as your source of truth (which, if you are not in a SQuaRE-managed environment, you probably are not) then you may omit ``1password``. In any event, note the write key for your Vault enclave. #. Create a new ``values-.yaml`` file in `/science-platform `__. 
@@ -46,10 +44,10 @@ Checklist See :ref:`service-notes` for more details on special considerations for individual services. -#. Generate the secrets for the new environment with `/installer/generate_secrets.py `__ and store them in Vault with `/installer/push_secrets.sh `__. +#. Generate the secrets for the new environment and store them in Vault with `/installer/update_secrets.sh `__. This is where you will need the write key for the Vault enclave. -#. Run the installer script at `/installer/install.sh `__. +#. Run the installer script at `/installer/install.sh `__. If the installation is using a dynamically-assigned IP address, while the installer is running, wait until the ingress-nginx-controller service comes up and has an external IP address; then go set the A record for your endpoint to that address (or set an A record with that IP address for the ingress and a CNAME from the endpoint to the A record). For installations that are intended to be long-lived, it is worth capturing the IP address at this point and modifying your configuration to use it statically should you ever need to reinstall the instance. @@ -113,7 +111,7 @@ The corresponding group for Gafaelfawr purposes will be ``-` That means the team name will be converted to lowercase and spaces will be replaced with dashes, and other transformations will be done for special characters. For more information about how Gafaelfawr constructs groups from GitHub teams, see `the Gafaelfawr documentation `__. -For an example of a ``group_mapping`` configuration for GitHub authentication, see `/services/gafaelfawr/values-idfdev.yaml `__. +For an example of a ``group_mapping`` configuration for GitHub authentication, see `/services/gafaelfawr/values-idfdev.yaml `__. If you run into authentication problems, see :doc:`the Gafaelfawr operational documentation ` for debugging instructions. diff --git a/docs/ops/cachemachine/index.rst b/docs/ops/cachemachine/index.rst index bc860e4455..c31dac091a 100644 
--- a/docs/ops/cachemachine/index.rst +++ b/docs/ops/cachemachine/index.rst @@ -14,7 +14,7 @@ cachemachine .. rubric:: Overview -The ``cachemachine`` service is an installation of the RSP's image-prepulling service from its `Helm chart `__. +The ``cachemachine`` service is an installation of the RSP's image-prepulling service from its `Helm chart `__. Upgrading ``cachemachine`` is generally painless. A simple Argo CD sync is sufficient. diff --git a/docs/ops/cachemachine/pruning.rst b/docs/ops/cachemachine/pruning.rst index 612a51e8df..908ea7a9d0 100644 --- a/docs/ops/cachemachine/pruning.rst +++ b/docs/ops/cachemachine/pruning.rst @@ -8,6 +8,6 @@ This is a function of Kubernetes, by default, `only showing 50 images on a node Should you encounter this problem, for each node, perform the following actions: -#. Download `purge `__ +#. Download `purge `__ #. Run it using an account allowed to use the Docker socket (thus, probably in group ``docker``). You may want to run it with ``-x`` first to see what it's going to do. If you want output during the actual run, run it with ``-v``. diff --git a/docs/ops/cert-manager/index.rst b/docs/ops/cert-manager/index.rst index 407c19128b..25ddce6a74 100644 --- a/docs/ops/cert-manager/index.rst +++ b/docs/ops/cert-manager/index.rst @@ -14,7 +14,7 @@ cert-manager .. rubric:: Overview -The ``cert-manager`` service is an installation of `cert-manager `__ from its `Helm chart repository `__. +The ``cert-manager`` service is an installation of `cert-manager `__ from its `Helm chart repository `__. It creates TLS certificates via `Let's Encrypt `__ and automatically renews them. This service is only deployed on clusters managed by SQuaRE. diff --git a/docs/ops/gafaelfawr/index.rst b/docs/ops/gafaelfawr/index.rst index bdc34878ba..9a269e2ebd 100644 --- a/docs/ops/gafaelfawr/index.rst +++ b/docs/ops/gafaelfawr/index.rst 
@@ -18,7 +18,7 @@ Gafaelfawr provides authentication and identity management services for the Rubi It is primarily used as an NGINX ``auth_request`` handler configured via annotations on the ``Ingress`` resources of Science Platform services. In that role, it requires a user have the required access scope to use that service, rejects users who do not have that scope, and redirects users who are not authenticated to the authentication process. -Gafaelfawr supports authentication via either OpenID Connect (often through `CILogon `__) or GitHub. +Gafaelfawr supports authentication via either OpenID Connect (often through CILogon_ or GitHub). Gafaelfawr also provides a token management API and (currently) UI for users of the Science Platform. diff --git a/docs/ops/vault-secrets-operator/index.rst b/docs/ops/vault-secrets-operator/index.rst index 94edfd81c7..e30a0f6f99 100644 --- a/docs/ops/vault-secrets-operator/index.rst +++ b/docs/ops/vault-secrets-operator/index.rst @@ -19,9 +19,7 @@ vault-secrets-operator The ``vault-secrets-operator`` service is an installation of `Vault Secrets Operator`_ to retrieve necessary secrets from Vault and materialize them as Kubernetes secrets for the use of other services. It processes ``VaultSecret`` resources defined in the `Science Platform repository `__ and creates corresponding Kubernetes ``Secret`` resources. -.. _Vault Secrets Operator: https://github.com/ricoberger/vault-secrets-operator - -See `DMTN-112 `__ for the LSST Vault design. +See :dmtn:`112` for the LSST Vault design. .. rubric:: Upgrading 
@@ -35,7 +33,7 @@ The Gafaelfawr secret is a good one to use for this purpose since it is only rea .. rubric:: Bootstrapping the service Vault Secrets Operator is the only component of the Science Platform whose secret has to be manually created, so that it can create the secrets for all other services. -This will be done automatically by the `install script `__. +This will be done automatically by the `install script `__. Its secret will look like this: @@ -52,4 +50,4 @@ Its secret will look like this: VAULT_TOKEN_LEASE_DURATION: 86400 Replace ```` with the ``read`` Vault token for the path ``secret/k8s_operator/`` in Vault. -See `DMTN-112 `__ for more information. +See :dmtn:`112` for more information. diff --git a/docs/service-guide/create-service.rst b/docs/service-guide/create-service.rst index 2d6ee48aaa..651c9dcd06 100644 --- a/docs/service-guide/create-service.rst +++ b/docs/service-guide/create-service.rst 
@@ -32,8 +32,9 @@ If you are using the FastAPI template, tagging in this fashion is required since Create the Docker image ======================= -The Docker image can be stored in any container registry that is usable by Kubernetes, but for Rubin-developed services using the FastAPI template, we usually push both to the `GitHub Container Registry `__ and Docker Hub. Google Artifact Registry is in play for Science Platform images and may eventually be used more widely. We may eventually stop publishing to Docker Hub; our workflow is centered on GitHub and the long-term future of Docker-the-company does not look very secure. -If your image must be stored in a private container registery, the credentials for that registry must be added to the pull secret. +The Docker image can be stored in any container registry that is usable by Kubernetes, but for Rubin-developed services using the FastAPI template, we usually push both to the `GitHub Container Registry (ghcr.io) `__ and Docker Hub (though we are reducing usage of Docker Hub). +The Google Artifact Registry hosts the Science Platform images and may eventually be used more widely. +If your image must be stored in a private container registry, the credentials for that registry must be added to the pull secret. If you use the FastAPI service template, a ``Dockerfile`` will be created as part of the new repository template, and GitHub Actions will be set up in the new repository to build and push new Docker images for tagged releases. diff --git a/docs/service-guide/linting-and-helm-docs.rst b/docs/service-guide/linting-and-helm-docs.rst index f80b6e4a3f..272ccbbb42 100644 --- a/docs/service-guide/linting-and-helm-docs.rst +++ b/docs/service-guide/linting-and-helm-docs.rst 
@@ -28,7 +28,7 @@ In your clone of Phalanx, run: This command uses Python to install pre-commit and enable it in your Phalanx clone. **You will also need to install helm-docs separately.** -See the `helm-docs installation guide `__ for details. +See the `helm-docs installation guide `__ for details. What to expect when developing in Phalanx with pre-commit ========================================================= diff --git a/docs/service-guide/local-development.rst b/docs/service-guide/local-development.rst index b2f0e4e365..d8abff5841 100644 --- a/docs/service-guide/local-development.rst +++ b/docs/service-guide/local-development.rst @@ -51,7 +51,7 @@ Requirements #. Install `Vault `__. -#. Clone the `Phalanx repository `__. +#. Clone the `Phalanx repository`_. Open Phalanx's ``installer/`` directory: 
@@ -89,7 +89,7 @@ You can do this by editing the `/science-platform/values-minikube.yaml Date: Thu, 29 Sep 2022 16:18:21 -0400 Subject: [PATCH 1114/1479] Initial re-organization of the Phalanx docs The key sections are now: - Overview - Service DevOps - Operations - Services --- docs/index.rst | 73 ++++-------------- docs/ops/index.rst | 20 +++++ docs/overview/index.rst | 10 +++ docs/{ => overview}/introduction.rst | 0 docs/{arch => overview}/repository.rst | 0 docs/{arch => overview}/secrets.rst | 0 docs/service-guide/index.rst | 25 ++++++ .../argo-cd/authentication.rst | 0 docs/{ops => services}/argo-cd/index.rst | 0 docs/{ops => services}/argo-cd/upgrading.rst | 0 docs/{ops => services}/cachemachine/index.rst | 0 .../cachemachine/pruning.rst | 0 .../cachemachine/updating-recommended.rst | 0 .../cert-manager/bootstrapping.rst | 0 docs/{ops => services}/cert-manager/index.rst | 0 .../cert-manager/route53-setup.rst | 0 .../gafaelfawr/debugging.rst | 0 .../gafaelfawr/github-oauth.png | Bin .../gafaelfawr/github-organizations.rst | 0 docs/{ops => services}/gafaelfawr/index.rst | 0 .../gafaelfawr/recreate-token.rst | 0 docs/{ops => services}/gafaelfawr/storage.rst | 0 docs/services/index.rst | 23 ++++++ .../ingress-nginx/certificates.rst | 0 .../{ops => services}/ingress-nginx/index.rst | 0 docs/{ops => services}/mobu/configuring.rst | 0 docs/{ops => services}/mobu/index.rst | 0 docs/{ops => services}/nublado2/database.rst | 0 docs/{ops => services}/nublado2/index.rst | 0 .../postgres/add-database.rst | 0 docs/{ops => services}/postgres/index.rst | 0 .../postgres/recreate-pvc.rst | 0 docs/{ops => services}/tap/index.rst | 0 docs/{ops => services}/tap/notebook-tap.py | 0 docs/{ops => services}/tap/portal-tap.py | 0 .../vault-secrets-operator/index.rst | 0 36 files changed, 93 insertions(+), 58 deletions(-) create mode 100644 docs/ops/index.rst create mode 100644 docs/overview/index.rst rename docs/{ => overview}/introduction.rst (100%) rename docs/{arch => 
overview}/repository.rst (100%) rename docs/{arch => overview}/secrets.rst (100%) create mode 100644 docs/service-guide/index.rst rename docs/{ops => services}/argo-cd/authentication.rst (100%) rename docs/{ops => services}/argo-cd/index.rst (100%) rename docs/{ops => services}/argo-cd/upgrading.rst (100%) rename docs/{ops => services}/cachemachine/index.rst (100%) rename docs/{ops => services}/cachemachine/pruning.rst (100%) rename docs/{ops => services}/cachemachine/updating-recommended.rst (100%) rename docs/{ops => services}/cert-manager/bootstrapping.rst (100%) rename docs/{ops => services}/cert-manager/index.rst (100%) rename docs/{ops => services}/cert-manager/route53-setup.rst (100%) rename docs/{ops => services}/gafaelfawr/debugging.rst (100%) rename docs/{ops => services}/gafaelfawr/github-oauth.png (100%) rename docs/{ops => services}/gafaelfawr/github-organizations.rst (100%) rename docs/{ops => services}/gafaelfawr/index.rst (100%) rename docs/{ops => services}/gafaelfawr/recreate-token.rst (100%) rename docs/{ops => services}/gafaelfawr/storage.rst (100%) create mode 100644 docs/services/index.rst rename docs/{ops => services}/ingress-nginx/certificates.rst (100%) rename docs/{ops => services}/ingress-nginx/index.rst (100%) rename docs/{ops => services}/mobu/configuring.rst (100%) rename docs/{ops => services}/mobu/index.rst (100%) rename docs/{ops => services}/nublado2/database.rst (100%) rename docs/{ops => services}/nublado2/index.rst (100%) rename docs/{ops => services}/postgres/add-database.rst (100%) rename docs/{ops => services}/postgres/index.rst (100%) rename docs/{ops => services}/postgres/recreate-pvc.rst (100%) rename docs/{ops => services}/tap/index.rst (100%) rename docs/{ops => services}/tap/notebook-tap.py (100%) rename docs/{ops => services}/tap/portal-tap.py (100%) rename docs/{ops => services}/vault-secrets-operator/index.rst (100%) diff --git a/docs/index.rst b/docs/index.rst index 245c054ca0..069733bc94 100644 --- a/docs/index.rst 
+++ b/docs/index.rst 
@@ -16,82 +16,39 @@ Phalanx is how we ensure that all of our services work together as a unit. Overview ======== -.. toctree:: - :maxdepth: 2 - - introduction - arch/repository - arch/secrets - -For service maintainers -======================= - -General development and operations ----------------------------------- +Learn about Phalanx's architecture and technologies. .. toctree:: :maxdepth: 2 - service-guide/linting-and-helm-docs - service-guide/create-service - service-guide/add-a-onepassword-secret - service-guide/update-a-onepassword-secret - service-guide/update-pull-secret - service-guide/add-service - service-guide/add-external-chart - service-guide/local-development - service-guide/sync-argo-cd - service-guide/upgrade + overview/index + +For service developers and maintainers +====================================== -Specific tasks --------------- +Learn how to build services — including websites, web APIs, and other cloud-based infrastructure — and integrate them into Phalanx. .. toctree:: :maxdepth: 2 - service-guide/update-tap-schema - service-guide/mobu-manage-flocks + service-guide/index -For science platform administrators -=================================== +For platform administrators +=========================== -Services --------- +Learn how to bootstrap and operate a Rubin Science Platform Kubernetes cluster. .. toctree:: :maxdepth: 2 - ops/argo-cd/index - ops/cachemachine/index - ops/cert-manager/index - ops/gafaelfawr/index - ops/ingress-nginx/index - ops/mobu/index - ops/nublado2/index - ops/postgres/index - ops/tap/index - ops/vault-secrets-operator/index - -Bootstrapping -------------- + ops/index -.. toctree:: - :maxdepth: 3 - - ops/bootstrapping - -Infrastructure --------------- - -.. toctree:: - :maxdepth: 2 - - ops/infrastructure/filestore/index +Services +======== -Troubleshooting ---------------- +Learn about the individual services deployed through Phalanx. .. toctree:: :maxdepth: 2 - ops/troubleshooting + services/index 
diff --git a/docs/ops/index.rst b/docs/ops/index.rst new file mode 100644 index 0000000000..6e4dc80207 --- /dev/null +++ b/docs/ops/index.rst @@ -0,0 +1,20 @@ +########## +Operations +########## + +.. toctree:: + :caption: Bootstrapping + :maxdepth: 1 + + bootstrapping + +.. toctree:: + :caption: Infrastructure + :maxdepth: 2 + + infrastructure/filestore/index + +.. toctree:: + :caption: Troubleshooting + + troubleshooting diff --git a/docs/overview/index.rst b/docs/overview/index.rst new file mode 100644 index 0000000000..907ac2624a --- /dev/null +++ b/docs/overview/index.rst @@ -0,0 +1,10 @@ +######## +Overview +######## + +.. toctree:: + :maxdepth: 1 + + introduction + repository + secrets diff --git a/docs/introduction.rst b/docs/overview/introduction.rst similarity index 100% rename from docs/introduction.rst rename to docs/overview/introduction.rst diff --git a/docs/arch/repository.rst b/docs/overview/repository.rst similarity index 100% rename from docs/arch/repository.rst rename to docs/overview/repository.rst diff --git a/docs/arch/secrets.rst b/docs/overview/secrets.rst similarity index 100% rename from docs/arch/secrets.rst rename to docs/overview/secrets.rst diff --git a/docs/service-guide/index.rst b/docs/service-guide/index.rst new file mode 100644 index 0000000000..1b43000dc0 --- /dev/null +++ b/docs/service-guide/index.rst @@ -0,0 +1,25 @@ +############## +Service DevOps +############## + +.. toctree:: + :maxdepth: 2 + :caption: General + + linting-and-helm-docs + create-service + add-a-onepassword-secret + update-a-onepassword-secret + update-pull-secret + add-service + add-external-chart + local-development + sync-argo-cd + upgrade + +.. toctree:: + :maxdepth: 2 + :caption: Tasks + + update-tap-schema + mobu-manage-flocks diff --git a/docs/ops/argo-cd/authentication.rst b/docs/services/argo-cd/authentication.rst similarity index 100% rename from docs/ops/argo-cd/authentication.rst rename to docs/services/argo-cd/authentication.rst 
diff --git a/docs/ops/argo-cd/index.rst b/docs/services/argo-cd/index.rst similarity index 100% rename from docs/ops/argo-cd/index.rst rename to docs/services/argo-cd/index.rst diff --git a/docs/ops/argo-cd/upgrading.rst b/docs/services/argo-cd/upgrading.rst similarity index 100% rename from docs/ops/argo-cd/upgrading.rst rename to docs/services/argo-cd/upgrading.rst diff --git a/docs/ops/cachemachine/index.rst b/docs/services/cachemachine/index.rst similarity index 100% rename from docs/ops/cachemachine/index.rst rename to docs/services/cachemachine/index.rst diff --git a/docs/ops/cachemachine/pruning.rst b/docs/services/cachemachine/pruning.rst similarity index 100% rename from docs/ops/cachemachine/pruning.rst rename to docs/services/cachemachine/pruning.rst diff --git a/docs/ops/cachemachine/updating-recommended.rst b/docs/services/cachemachine/updating-recommended.rst similarity index 100% rename from docs/ops/cachemachine/updating-recommended.rst rename to docs/services/cachemachine/updating-recommended.rst diff --git a/docs/ops/cert-manager/bootstrapping.rst b/docs/services/cert-manager/bootstrapping.rst similarity index 100% rename from docs/ops/cert-manager/bootstrapping.rst rename to docs/services/cert-manager/bootstrapping.rst diff --git a/docs/ops/cert-manager/index.rst b/docs/services/cert-manager/index.rst similarity index 100% rename from docs/ops/cert-manager/index.rst rename to docs/services/cert-manager/index.rst diff --git a/docs/ops/cert-manager/route53-setup.rst b/docs/services/cert-manager/route53-setup.rst similarity index 100% rename from docs/ops/cert-manager/route53-setup.rst rename to docs/services/cert-manager/route53-setup.rst diff --git a/docs/ops/gafaelfawr/debugging.rst b/docs/services/gafaelfawr/debugging.rst similarity index 100% rename from docs/ops/gafaelfawr/debugging.rst rename to docs/services/gafaelfawr/debugging.rst 
diff --git a/docs/ops/gafaelfawr/github-oauth.png b/docs/services/gafaelfawr/github-oauth.png similarity index 100% rename from docs/ops/gafaelfawr/github-oauth.png rename to docs/services/gafaelfawr/github-oauth.png diff --git a/docs/ops/gafaelfawr/github-organizations.rst b/docs/services/gafaelfawr/github-organizations.rst similarity index 100% rename from docs/ops/gafaelfawr/github-organizations.rst rename to docs/services/gafaelfawr/github-organizations.rst diff --git a/docs/ops/gafaelfawr/index.rst b/docs/services/gafaelfawr/index.rst similarity index 100% rename from docs/ops/gafaelfawr/index.rst rename to docs/services/gafaelfawr/index.rst diff --git a/docs/ops/gafaelfawr/recreate-token.rst b/docs/services/gafaelfawr/recreate-token.rst similarity index 100% rename from docs/ops/gafaelfawr/recreate-token.rst rename to docs/services/gafaelfawr/recreate-token.rst diff --git a/docs/ops/gafaelfawr/storage.rst b/docs/services/gafaelfawr/storage.rst similarity index 100% rename from docs/ops/gafaelfawr/storage.rst rename to docs/services/gafaelfawr/storage.rst diff --git a/docs/services/index.rst b/docs/services/index.rst new file mode 100644 index 0000000000..e551622cfd --- /dev/null +++ b/docs/services/index.rst @@ -0,0 +1,23 @@ +######## +Services +######## + +.. toctree:: + :maxdepth: 1 + :caption: Cluster infrastructure + + argo-cd/index + cert-manager/index + ingress-nginx/index + gafaelfawr/index + postgres/index + vault-secrets-operator/index + +.. toctree:: + :maxdepth: 1 + :caption: Science Platform + + cachemachine/index + mobu/index + nublado2/index + tap/index diff --git a/docs/ops/ingress-nginx/certificates.rst b/docs/services/ingress-nginx/certificates.rst similarity index 100% rename from docs/ops/ingress-nginx/certificates.rst rename to docs/services/ingress-nginx/certificates.rst 
diff --git a/docs/ops/ingress-nginx/index.rst b/docs/services/ingress-nginx/index.rst similarity index 100% rename from docs/ops/ingress-nginx/index.rst rename to docs/services/ingress-nginx/index.rst diff --git a/docs/ops/mobu/configuring.rst b/docs/services/mobu/configuring.rst similarity index 100% rename from docs/ops/mobu/configuring.rst rename to docs/services/mobu/configuring.rst diff --git a/docs/ops/mobu/index.rst b/docs/services/mobu/index.rst similarity index 100% rename from docs/ops/mobu/index.rst rename to docs/services/mobu/index.rst diff --git a/docs/ops/nublado2/database.rst b/docs/services/nublado2/database.rst similarity index 100% rename from docs/ops/nublado2/database.rst rename to docs/services/nublado2/database.rst diff --git a/docs/ops/nublado2/index.rst b/docs/services/nublado2/index.rst similarity index 100% rename from docs/ops/nublado2/index.rst rename to docs/services/nublado2/index.rst diff --git a/docs/ops/postgres/add-database.rst b/docs/services/postgres/add-database.rst similarity index 100% rename from docs/ops/postgres/add-database.rst rename to docs/services/postgres/add-database.rst diff --git a/docs/ops/postgres/index.rst b/docs/services/postgres/index.rst similarity index 100% rename from docs/ops/postgres/index.rst rename to docs/services/postgres/index.rst diff --git a/docs/ops/postgres/recreate-pvc.rst b/docs/services/postgres/recreate-pvc.rst similarity index 100% rename from docs/ops/postgres/recreate-pvc.rst rename to docs/services/postgres/recreate-pvc.rst diff --git a/docs/ops/tap/index.rst b/docs/services/tap/index.rst similarity index 100% rename from docs/ops/tap/index.rst rename to docs/services/tap/index.rst diff --git a/docs/ops/tap/notebook-tap.py b/docs/services/tap/notebook-tap.py similarity index 100% rename from docs/ops/tap/notebook-tap.py rename to docs/services/tap/notebook-tap.py 
diff --git a/docs/ops/tap/portal-tap.py b/docs/services/tap/portal-tap.py similarity index 100% rename from docs/ops/tap/portal-tap.py rename to docs/services/tap/portal-tap.py diff --git a/docs/ops/vault-secrets-operator/index.rst b/docs/services/vault-secrets-operator/index.rst similarity index 100% rename from docs/ops/vault-secrets-operator/index.rst rename to docs/services/vault-secrets-operator/index.rst From 74fb8b5ce33b166aa876c53bb6e94f5c7b5a11a3 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 29 Sep 2022 16:19:15 -0400 Subject: [PATCH 1115/1479] Edit introductory paragraphs --- docs/index.rst | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/index.rst b/docs/index.rst index 069733bc94..a86c8c9266 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -1,17 +1,17 @@ -########################### -Science Platform operations -########################### +################################################# +Phalanx: Rubin Observatory Kubernetes Deployments +################################################# -The Rubin Science Platform is described in `LDM-542 `__. -This document contains operational notes of interest to administrators of the Science Platform and maintainers of services deployed via the Science Platform, but not of interest to users. +Phalanx [#name]_ is a GitOps repository for Rubin Observatory's Kubernetes clusters, notably including the Rubin Science Platform deployments like https://data.lsst.cloud. +Using Helm_ and `Argo CD`_, Phalanx defines the configuration of services in each environment. -For user documentation of the Notebook Aspect of the Rubin Science Platform, see `nb.lsst.io `__. +This documentation is for Rubin team members that are building services and operating Kubernetes clusters. +Astronomers and other end-users can visit the Rubin Documentation Portal to learn how to use Rubin Observatory's software, services, and datasets. -The Science Platform uses `Argo CD`_ to manage its Kubernetes resources. -The Argo CD configuration and this documentation are maintained on `GitHub `__. +Phalanx is on GitHub at https://github.com/lsst-sqre/phalanx. -A phalanx is a SQuaRE deployment (Science Quality and Reliability Engineering, the team responsible for the Rubin Science Platform). -Phalanx is how we ensure that all of our services work together as a unit. +.. [#name] A phalanx is a SQuaRE deployment (Science Quality and Reliability Engineering, the team responsible for the Rubin Science Platform). + Phalanx is how we ensure that all of our services work together as a unit. Overview ======== From 61c9db09e529ce233ddf818b3fa530a5e3c358b4 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Fri, 30 Sep 2022 14:39:40 -0400 Subject: [PATCH 1116/1479] Move service procedures into service docs --- docs/ops/bootstrapping.rst | 8 ++++---- docs/ops/troubleshooting.rst | 12 ++++++------ docs/service-guide/index.rst | 7 ------- docs/service-guide/local-development.rst | 4 +--- docs/services/mobu/index.rst | 1 + .../mobu/manage-flocks.rst} | 3 ++- docs/services/tap/index.rst | 7 +++++++ .../tap}/update-tap-schema.rst | 3 ++- 8 files changed, 23 insertions(+), 22 deletions(-) rename docs/{service-guide/mobu-manage-flocks.rst => services/mobu/manage-flocks.rst} (95%) rename docs/{service-guide => services/tap}/update-tap-schema.rst (94%) diff --git a/docs/ops/bootstrapping.rst b/docs/ops/bootstrapping.rst index 6b031e8688..db8cbfe5e6 100644 --- a/docs/ops/bootstrapping.rst +++ b/docs/ops/bootstrapping.rst @@ -37,7 +37,7 @@ Checklist If you are using a cloud provider or something like minikube where the IP address is not yet known, then you will need to create that record once the top-level ingress is created and has an external IP address. The first time you set up the RSP for a given domain (note: *not* hostname, but *domain*, so if you were setting up ``dev.my-rsp.net`` and ``prod.my-rsp.net``, ``dev`` first, you would only need to do this when you created ``dev``), if you are using Let's Encrypt for certificate management (which we highly recommend), you will need to create glue records to enable Let's Encrypt to manage TLS for the domain. - See :doc:`cert-manager/route53-setup` for more details. + See :doc:`/services/cert-manager/route53-setup` for more details. #. For each enabled service, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__. Customization will vary from service to service. 
@@ -67,13 +67,13 @@ There are supported two mechanisms to configure that TLS certificate: #. Purchase a commercial certificate and configure it as the ingress-nginx default certificate. Do not add TLS configuration to any of the service ingresses. - For more information, see :doc:`ingress-nginx/certificates`. + For more information, see :doc:`/services/ingress-nginx/certificates`. With this approach, the certificate will have to be manually renewed and replaced once per year. #. Configure Let's Encrypt to obtain a certificate via the DNS solver. Once this is configured, TLS will be handled automatically without further human intervention. However, this approach is far more complex to set up and has some significant prerequisites. - For more information, see :doc:`cert-manager/bootstrapping`. + For more information, see :doc:`/services/cert-manager/bootstrapping`. To use the second approach, you must have the following: @@ -113,7 +113,7 @@ For more information about how Gafaelfawr constructs groups from GitHub teams, s For an example of a ``group_mapping`` configuration for GitHub authentication, see `/services/gafaelfawr/values-idfdev.yaml `__. -If you run into authentication problems, see :doc:`the Gafaelfawr operational documentation ` for debugging instructions. +If you run into authentication problems, see :doc:`the Gafaelfawr operational documentation ` for debugging instructions. Nublado 2 --------- diff --git a/docs/ops/troubleshooting.rst b/docs/ops/troubleshooting.rst index 5f27402874..af8c6a7b73 100644 --- a/docs/ops/troubleshooting.rst +++ b/docs/ops/troubleshooting.rst 
@@ -16,7 +16,7 @@ If the pod is already running, it gets I/O errors from its database, hangs, or o If the backing store is corrupt or has been deleted or otherwise is disrupted, sometimes the ``PersistentVolume`` will become unavailable, but the ``PersistentVolumeClaim`` will hang on to it and keep trying to futilely mount it. When this happens, you may need to recreate the persistent volume. -**Solution:** :doc:`postgres/recreate-pvc` +**Solution:** :doc:`/services/postgres/recreate-pvc` Spawner menu missing images, cachemachine stuck pulling the same image ====================================================================== @@ -35,7 +35,7 @@ The most common cause of this problem is a Kubernetes limitation. By default, the Kubernetes list node API only returns the "first" (which usually means oldest) 50 cached images. If more than 50 images are cached, images may go missing from that list even though they are cached, leading cachemachine to think they aren't cached and omitting them from the spawner menu. -**Solution:** :doc:`cachemachine/pruning` +**Solution:** :doc:`/services/cachemachine/pruning` If this doesn't work, another possibility is that there is a node that cachemachine thinks is available for JupyterLab images but which is not eligible for its ``DaemonSet``. This would be a bug in cachemachine, which should ignore cordoned nodes, but it's possible there is a new iteration of node state or a new rule for where ``DaemonSets`` are allowed to run that it does not know about. 
@@ -60,14 +60,14 @@ Spawning a notebook fails with a pending error In this case, JupyterHub may not recover without assistance. You may need to delete the record for the affected user, and also make sure the user's lab namespace (visible in Argo CD under the ``nublado-users`` application) has been deleted. -**Solution:** :doc:`nublado2/database` +**Solution:** :doc:`/services/nublado2/database` User gets permission denied from services ========================================= **Symptoms:** A user is able to authenticate to the Rubin Science Platform (prompted by going to the first authenticated URL, such as the Notebook Aspect spawner page), but then gets permission denied from other services. -**Causes:** Authentication and authorization to the Rubin Science Platform is done via a service called Gafaelfawr (see :doc:`./gafaelfawr/index`). +**Causes:** Authentication and authorization to the Rubin Science Platform is done via a service called Gafaelfawr (see :doc:`/services//gafaelfawr/index`). After the user authenticates, Gafaelfawr asks their authentication provider for the user's group memberships and then translates that to a list of scopes. The mapping of group memberships to scopes is defined in the ``values.yaml`` file for Gafaelfawr for the relevant environment, in the ``gafaelfawr.config.groupMapping`` configuration option. @@ -75,7 +75,7 @@ The most likely cause of this problem is that the user is not a member of a grou Gafaelfawr will prevent the user from logging in at all if they are not a member of any group that grants access to a service. If they are a member of at least one group, they'll be able to log in but may get permission denied errors from other services. -**Solution:** :doc:`gafaelfawr/debugging` +**Solution:** :doc:`/services/gafaelfawr/debugging` You need privileged access to the filestore =========================================== 
@@ -95,7 +95,7 @@ User pods don't spawn, reporting "permission denied" from Moneypenny **Cause:** The ``gafaelfawr-token`` VaultSecret in the ``nublado2`` namespace is out of date. This happened because the ``gafaelfawr-redis`` pod restarted and either it lacked persistent storage (at the T&S sites, as of July 2022), or because that storage had been lost. -**Solution:** :doc:`gafaelfawr/recreate-token` +**Solution:** :doc:`/services/gafaelfawr/recreate-token` Login fails with "bad verification code" error ============================================== diff --git a/docs/service-guide/index.rst b/docs/service-guide/index.rst index 1b43000dc0..47e7650ced 100644 --- a/docs/service-guide/index.rst +++ b/docs/service-guide/index.rst @@ -16,10 +16,3 @@ Service DevOps local-development sync-argo-cd upgrade - -.. toctree:: - :maxdepth: 2 - :caption: Tasks - - update-tap-schema - mobu-manage-flocks diff --git a/docs/service-guide/local-development.rst b/docs/service-guide/local-development.rst index d8abff5841..e48a47cf09 100644 --- a/docs/service-guide/local-development.rst +++ b/docs/service-guide/local-development.rst @@ -75,9 +75,7 @@ Lastly, set the environment variables for Vault access: The Vault read key for minikube is accessible from the ``vault_keys_json`` item in the LSST IT/RSP-Vault 1Password Vault. The key itself is under the ``k8s_operator/minikube.lsst.codes`` → ``read`` → ``id`` field. If you do not have Vault access, ask SQuaRE for the minikube Vault read key. -See also :doc:`../arch/secrets`. - -Enable essential services +See also :doc:`/overview/secrets`. Set up a Phalanx branch for your local minikube deployment ---------------------------------------------------------- diff --git a/docs/services/mobu/index.rst b/docs/services/mobu/index.rst index c6b73200d9..5787f50df1 100644 --- a/docs/services/mobu/index.rst +++ b/docs/services/mobu/index.rst @@ -26,3 +26,4 @@ mobu is maintained on `GitHub `__. .. toctree:: configuring + manage-flocks 
diff --git a/docs/service-guide/mobu-manage-flocks.rst b/docs/services/mobu/manage-flocks.rst similarity index 95% rename from docs/service-guide/mobu-manage-flocks.rst rename to docs/services/mobu/manage-flocks.rst index 535beebdc3..be91c962d6 100644 --- a/docs/service-guide/mobu-manage-flocks.rst +++ b/docs/services/mobu/manage-flocks.rst @@ -1,5 +1,6 @@ +#################### Managing mobu flocks -==================== +#################### mobu is our monitoring system for the Science Platform. It exercises JupyterHub and labs, and tests other services within the Science Platform by running notebooks on those labs. diff --git a/docs/services/tap/index.rst b/docs/services/tap/index.rst index 15f98c1a3d..daf552bf5d 100644 --- a/docs/services/tap/index.rst +++ b/docs/services/tap/index.rst @@ -27,3 +27,10 @@ Upgrading ``tap`` normally only requires an Argo CD sync. .. diagrams:: notebook-tap.py .. diagrams:: portal-tap.py + +Upgrade procedures +================== + +.. toctree:: + + update-tap-schema diff --git a/docs/service-guide/update-tap-schema.rst b/docs/services/tap/update-tap-schema.rst similarity index 94% rename from docs/service-guide/update-tap-schema.rst rename to docs/services/tap/update-tap-schema.rst index 5471b48087..09987b6c9c 100644 --- a/docs/service-guide/update-tap-schema.rst +++ b/docs/services/tap/update-tap-schema.rst @@ -1,5 +1,6 @@ +############################### Update the ``TAP_SCHEMA`` table -=============================== +############################### The ``TAP_SCHEMA`` table stores information about the tables available in a given installation of the Rubin Science Platform. This table is kept in sync with the felis files using the following process: From 78a6f729e3b58e865162f03117474b4a0bee5a6b Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Mon, 3 Oct 2022 15:11:32 -0400 Subject: [PATCH 1117/1479] Rewrite overview document The goal of this page is to introduce the concepts and technologies that Phalanx is based on and works with, giving the reader a quick lay of the land without getting bogged down into specific details. --- docs/_rst_epilog.rst | 9 ++ docs/overview/introduction.rst | 148 ++++++++++++++++++++++++++------- docs/overview/secrets.rst | 17 ++-- 3 files changed, 133 insertions(+), 41 deletions(-) diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst index 847d4a929c..61f47740e4 100644 --- a/docs/_rst_epilog.rst +++ b/docs/_rst_epilog.rst @@ -1,13 +1,22 @@ +.. _1Password: https://1password.com/ .. _Argo CD: https://argoproj.github.io/argo-cd/ .. _CILogon: https://www.cilogon.org/home +.. _ConfigMap: https://kubernetes.io/docs/concepts/configuration/configmap/ +.. _Deployment: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ .. _Docker: https://www.docker.com/ .. _Helm: https://helm.sh .. _helm-docs: https://github.com/norwoodj/helm-docs +.. _Ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/ .. _IVOA: https://ivoa.net/documents/ .. _Kubernetes: https://kubernetes.io/ .. _LSST Vault Utilites: https://github.com/lsst-sqre/lsstvaultutils/ .. _phalanx repository: https://github.com/lsst-sqre/phalanx +.. _Pods: +.. _Pod: https://kubernetes.io/docs/concepts/workloads/pods/ +.. _Roundtable: https://roundtable.lsst.io/ +.. _Secret: https://kubernetes.io/docs/concepts/configuration/secret/ .. _semantic versioning: https://semver.org/ +.. _Service: https://kubernetes.io/docs/concepts/services-networking/service/ .. _pre-commit: https://pre-commit.com .. _Vault: https://www.vaultproject.io/ .. _Vault Secrets Operator: https://github.com/ricoberger/vault-secrets-operator diff --git a/docs/overview/introduction.rst b/docs/overview/introduction.rst index 54dc180c14..d3e43b132c 100644 --- a/docs/overview/introduction.rst 
+++ b/docs/overview/introduction.rst 
@@ -1,31 +1,117 @@ -###################################### -Introduction to Kubernetes and Argo CD -###################################### - -The Rubin Science Platform runs on `Kubernetes`_ -Kubernetes provides a way to coordinate running services on multiple nodes. -Kubernetes runs a set of `Docker`_ containers and sets up the networking, storage, and configuration of those containers. - -Git repositories for individual services typically have build pipelines resulting in new Docker container builds when code changes are merged. -For example, our Jenkins build system builds stack and JupyterLab containers, and the `lsst-tap-service repository `__ builds the TAP service containers. - -An service deployed on Kubernetes is made up of a number of resources, such as p -ods, deployments, and configmaps. -These resources must be configured to work together to form a logical service, such as the Portal or Notebook Aspects. -Each logical service is contained in a `Helm`_ chart that uses templates to create each resource with some configuration applied. -The configuration for a Helm chart is called a values file, and is a simple YAML document that contains inputs for the templating of the chart. - -Be aware that, confusingly, both "service" and "application" are also names of specific Kubernetes resources that are only one component of a logical service. -In the rest of this documentation, "service" refers to the logical service, not the Kubernetes resource. -Argo CD manages resources via an abstraction called an "application," which tells Argo CD what Helm chart to use to manage the resources. -In the rest of this documentation, "application" will refer to the Argo CD abstraction concept. -In general, each Argo CD application corresponds to a logical service. - -But Helm doesn't keep track of the service once it is deployed. -That is, it won't notice when the configuration changes and apply those changes. -`Argo CD`_ fills this need. 
-Argo CD watches its source repository for new Git commits and will keep track of those changes, either applying them automatically ("syncing" them), or waiting for an operator to press the sync button in the web UI.
-Argo CD is the only layer in this stack that has a web UI that can be easily navigated, and it provides many useful features, such as deleting resources and resyncing services.
-
-The Rubin Science Platform stores its Argo CD configuration in the `phalanx repository`_.
-This includes the Argo CD application resources, pointers to the Helm charts for all services that are installed as part of the Science Platform, and values files to configure those services.
+#########################################
+Overview of the Phalanx platform concepts
+#########################################
+
+Rubin Observatory's service deployments, like the Rubin Science Platform, run in Kubernetes_ clusters.
+Phalanx is how these service deployments are defined — both generally, and specifically for each Kubernetes cluster.
+In a nutshell, Phalanx is a Git repository containing Helm charts for individual services (like websites and web APIs) that are configured for multiple environments (like different data access centers and production/development versions of each).
+Argo CD instances synchronize these service definitions into the Kubernetes cluster of each environment.
+
+Expanding on that, this page briefly introduces the Phalanx's key features, terminology, and technology ecosystem.
+
+Kubernetes and Docker containers
+================================
+
+Phalanx deploys services on Kubernetes_ clusters — where "cluster" refers to one or more compute nodes that provide CPU, storage, and networking.
+
+Kubernetes_ is a *container orchestration* system.
+These Docker_ containers are isolated environments where instances of an application (such as a web API or website) run.
+Containers are instances of Docker *images* and those images are the built products of individual application codebases.
+
+Kubernetes layers upon Docker by running multiple containers according to configuration, while also managing the networking and storage needs of those containers.
+For service developers, the main interface for defining how a service runs is through resources that are represented commonly as YAML files.
+
+.. sidebar:: Common Kubernetes resources
+
+ A Deployment_ resource defines a set of Pods_ that run simultaneously, and those Pods in turn define one or more containers that run together.
+ Deployments and their pods can be configured with ConfigMap_ and Secret_ resources.
+ Deployments are made available to the network by defining a Service_.
+ An Ingress_ resource publishes that Service to the internet and defines what authentication and authorization is needed.
+
+ You can `learn more about Kubernetes from its documentation `_, and also in Phalanx's :doc:`documentation on creating services `.
+
+Environments are specific Kubernetes clusters
+---------------------------------------------
+
+Phalanx treats specific Kubernetes clusters as environments.
+Each environment is configured to run specific sets of services with specific services, although all environments running Phalanx benefit from a base of shared services and Kubernetes-based infrastructure.
+
+Infrastructure agnostic
+-----------------------
+
+Although Phalanx *uses* Kubernetes, this platform is agnostic about how Kubernetes itself is deployed for a specific environment.
+Phalanx has been deployed on both public clouds (the public Rubin Science Platform runs on the Google Kubernetes Engine) and on-premises Kubernetes clusters (US Data Facility and most international data access centers (IDACs).
+Running on a public cloud versus on-premises generally impacts the specifics of how individual services are configured.
+
+Helm
+====
+
+Helm_ is a tool for packaging services for deployment in Kubernetes.
+Helm charts are templates for Kubernetes resources.
+By supplying values (i.e., through "values.yaml" files), these templates are rendered for specific Kubernetes environments.
+
+Phalanx takes practical advantage of Helm charts in two ways.
+First, each service has a values file for the each environment.
+This is the key mechanism for how Phalanx supports service deployments for multiple diverse environments.
+
+Second, Helm enables us to deploy existing Helm charts for external open source software.
+In some cases, Phalanx services are shells around an external Helm chart such as ingress-nginx.
+In other cases, external Helm charts are composed as sub-charts within Phalanx's first-party services — like a Redis service within a Rubin API service.
+
+Services are Helm charts in Phalanx
+-----------------------------------
+
+In Phalanx, the word "service" specifically refers to a Helm chart located in the :file:`services` directory of the `phalanx repository`_.
+That Helm chart directory includes the Kubernetes templates and Docker image references to deploy the application, as well as values files to configure the service for each environment.
+
+Argo CD
+=======
+
+Argo CD manages the Kubernetes deployments of each service's Helm charts from the Phalanx repository.
+Each environment runs its own instance of Argo CD (as Argo CD is itself a service in Phalanx).
+
+Argo CD provides a web UI that shows resources in the Kubernetes cluster, provides lightweight access to logs, and most importantly provides controls for syncing and restarting services to match the current definitions in the Phalanx GitHub repository.
+
+In development environments, Argo CD's UI makes possible to edit Kubernetes resources to temporarily test configurations separate from the Git-based process.
+Argo CD replaces most need for the standard Kubernetes command line client, kubectl.
+In fact, most maintainers for individual services only have Argo CD access in most environments.
+
+Vault and secrets management
+============================
+
+Phalanx adopts Vault_ as its secret store.
+Since the `phalanx repository`_ is public, secret cannot be included directly — instead, secrets are referenced from a Vault secret store.
+The Vault Secrets Operator connects information in the secret store with Phalanx services.
+Services that need a secret include a ``VaultSecret`` resource.
+Inside Kubernetes, the `Vault Secrets Operator`_ obtains the secret information from a Vault instance and formats it into a standard Kubernetes Secret_ that the service's containers can consume as environment variables or mounted files.
+
+Phalanx itself does not manage Vault.
+Most Rubin Science Platform installations use the Vault server at ``vault.lsst.codes``, which is managed using `Roundtable`_.
+Each installation environment has its own root path in that Vault server.
+Phalanx also includes scripts for syncing a 1Password_ vault into the Vault_ service.
+See :doc:`secrets` to learn more.
+
+The core services
+=================
+
+Phalanx includes services that provide key functionality for other services:
+
+``argocd`` (service management)
+ As described above, Argo CD is a service that synchronizes services defined in Phalanx with running resources in Kubernetes and provides a UI for operators.
+
+``cert-manager`` (TLS certificate management)
+ Cert-manager acquires and renews TLS certificates from Let's Encrypt.
+
+``ingress-nginx`` (ingress)
+ The ingress-nginx service routes traffic from the internet to individual services, while also terminating TLS and integrating with Gafaelfawr, the auth handler.
+
+``vault-secrets-operator`` (secret configuration)
+ Vault Secrets Operator bridges secrets in Vault_ with Kubernetes secrets resources.
+ +Next steps +========== + +This page provided a brief tour of the concepts and components of Phalanx-based service deployments. + +- If you are a service developer looking to integrate your service into Phalanx, see the :doc:`Service maintainer's guide ` to get started. +- If you are an operator looking to create a new environment or operate an existing one, see the :doc:`Operator's guide ` diff --git a/docs/overview/secrets.rst b/docs/overview/secrets.rst index 045db983f0..b4ab93760a 100644 --- a/docs/overview/secrets.rst +++ b/docs/overview/secrets.rst @@ -1,8 +1,11 @@ .. _secrets: -####### -Secrets -####### +########################### +Secrets management overview +########################### + +Phalanx is a public repository on GitHub, nevertheless service configurations generally require some secrets such as random numbers, certificates, or passwords. +This page explains how secrets are managed in Phalanx with Vault, 1Password, and Vault Secrets Operator. Vault ===== @@ -20,14 +23,10 @@ That path, in turn, is configured in the Helm per-environment values files for t Most Rubin Science Platform installations use the Vault server at vault.lsst.codes, which is managed using `Roundtable`_. -.. _Roundtable: https://roundtable.lsst.io/ - Each installation environment has its own root path in that Vault server. The path is ``k8s_operator/`` where ```` is the domain name of that environment. When the environment is bootstrapped, it is given a Kubernetes secret with the Vault token required to read that path of Vault. -See `DMTN-112`_ for more information about that Vault instance and its naming conventions. - -.. _DMTN-112: https://dmtn-112.lsst.io/ +See :dmtn:`122` for more information about that Vault instance and its naming conventions. 1Password ========= 
@@ -35,8 +34,6 @@ See `DMTN-112`_ for more information about that Vault instance and its naming co While Kubernetes and Argo CD do not look beyond Vault, Vault is not the source of truth for persistent secrets for Rubin Science Platform environments maintained by SQuaRE. Secrets for external services or which for whatever reason cannot be randomly regenerated when the environment is reinstalled are stored in `1Password`_. -.. _1Password: https://1password.com/ - Inside 1Password, there is a vault named RSP-Vault that contains all of the persistent secrets. Each secret is stored in either a Login or a Secure Note object. Inside that object, there must be a key named ``generate_secrets_key`` whose value is two words separated by a space. From 4625e594acd6675f67bc64bdb9c52a6cc791a00c Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 4 Oct 2022 13:32:44 -0400 Subject: [PATCH 1118/1479] Write an overview of the repo structure Since overview/introduction is now an introduction to Phalanx and its technology ecosystem, overview/repository is now where we can provide an overview of the repository itself. This content is mostly derived from the original repository.rst page, but I've moved the details on Helm charts to the service-guide/service-chart-architecture page so that this page can remain an overview. Also stubbed out servic-guide/deploy-from-a-branch, which felt like a useful topic link from the repository structure page. --- docs/_rst_epilog.rst | 2 + docs/overview/introduction.rst | 3 + docs/overview/repository.rst | 144 ++++++++++++------ docs/service-guide/deploy-from-a-branch.rst | 5 + docs/service-guide/index.rst | 23 ++- .../service-chart-architecture.rst | 54 +++++++ 6 files changed, 181 insertions(+), 50 deletions(-) create mode 100644 docs/service-guide/deploy-from-a-branch.rst create mode 100644 docs/service-guide/service-chart-architecture.rst diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst index 61f47740e4..b31081a51a 100644 
--- a/docs/_rst_epilog.rst +++ b/docs/_rst_epilog.rst @@ -10,6 +10,7 @@ .. _IVOA: https://ivoa.net/documents/ .. _Kubernetes: https://kubernetes.io/ .. _LSST Vault Utilites: https://github.com/lsst-sqre/lsstvaultutils/ +.. _Namespace: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ .. _phalanx repository: https://github.com/lsst-sqre/phalanx .. _Pods: .. _Pod: https://kubernetes.io/docs/concepts/workloads/pods/ @@ -17,6 +18,7 @@ .. _Secret: https://kubernetes.io/docs/concepts/configuration/secret/ .. _semantic versioning: https://semver.org/ .. _Service: https://kubernetes.io/docs/concepts/services-networking/service/ +.. _Sphinx: https://www.sphinx-doc.org/en/master/ .. _pre-commit: https://pre-commit.com .. _Vault: https://www.vaultproject.io/ .. _Vault Secrets Operator: https://github.com/ricoberger/vault-secrets-operator diff --git a/docs/overview/introduction.rst b/docs/overview/introduction.rst index d3e43b132c..d150fc8f89 100644 --- a/docs/overview/introduction.rst +++ b/docs/overview/introduction.rst @@ -112,6 +112,9 @@ Next steps ========== This page provided a brief tour of the concepts and components of Phalanx-based service deployments. +For more introductory topics, see the :doc:`index` overview topics. + +Start working with Phalanx: - If you are a service developer looking to integrate your service into Phalanx, see the :doc:`Service maintainer's guide ` to get started. - If you are an operator looking to create a new environment or operate an existing one, see the :doc:`Operator's guide ` diff --git a/docs/overview/repository.rst b/docs/overview/repository.rst index 2806ed5120..54d5d0e77e 100644 --- a/docs/overview/repository.rst +++ b/docs/overview/repository.rst 
@@ -1,66 +1,118 @@ -#################### -Repository structure -#################### +################################ +Phalanx Git repository structure +################################ -Layout -====== +Phalanx is an open source Git repository hosted at https://github.com/lsst-sqre/phalanx. +This page provides an overview of how this repository is structured, for both service developers and environment operators alike. +For background on Phalanx and its technologies, see :doc:`introduction` first. -While ArgoCD can be used and configured in any number of ways, there is also a layer of convention to simplify and add some structure that works for us to deploy the science platform services. +Key directories +=============== + +services directory +------------------ + +:bdg-link-primary-line:`Browse /services/ on GitHub ` + +Every Phalanx service has its own sub-directory within ``services`` named after the service itself (commonly the name is also used as a Kubernetes namespace). +A Phalanx service is itself a Helm_ chart. +Helm charts define Kubernetes templates for the service deployment, values for the templates, and references to any sub-charts from external repositories to include in the sub-chart. +See the `Helm documentation for details on the structure of Helm charts. `__ + +Per-environment Helm values +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The novel aspect of Helm charts in Phalanx is the per-environment values files. +The default values for a chart are located in its main ``values.yaml`` file. +There are also additional values for each service, named ``values-.yaml``, that override default values for the service's deployment in that specific environment. + +Services based on third-party charts +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Note that some services are based entirely (or primarily) on third-party open source charts. +In this chase, the service's chart includes that external chart as a dependency through its ``Chart.yaml``. 
+See the `Helm documentation on chart dependencies. `__ + +science-platform directory +-------------------------- + +:bdg-link-primary-line:`Browse /science-platform/ on GitHub ` + +The ``science-platform`` directory is where environments are defined (an environment is a distinct Kubernetes cluster). +.. This directory is itself a single Helm chart that deploys Kubernetes ``Namespace`` and Argo CD ``Application`` resources for each service. + +The ``/science-platform/templates`` directory contains a Helm template per service, like this one for the ``noteburst`` application: + +.. literalinclude:: ../../science-platform/templates/noteburst-application.yaml + :caption: /science-platform/templates/noteburst-application.yaml + +The template defines a Kubernetes Namespace_ and an Argo CD ``Application`` for each service. +``Application`` resources directs Argo CD to deploy and synchronize the corresponding services from the Phalanx ``services`` directory. + +Notice that these templates are wrapped in a conditional, which controls whether a service is deployed in a given environment. +The ``values.yaml`` file in the ``science-platform`` defines boolean variables for each service. +Then in corresponding values files for each environment, named, ``values-.yaml``, services are enabled, or not, for the specific environment. + +installer directory +------------------- + +:bdg-link-primary-line:`Browse /installer/ on GitHub ` -First, there is the `installer directory `__. This directory contains a script named `install.sh `__. The arguments to this are the name of the environment, the FQDN, and the read key for Vault (see :ref:`secrets` for more details on Vault). -This installer script is the entrypoint for setting up a new environment. +This installer script is the entry point for setting up a new environment. It can also be run on an existing environment to update it. -Next, there is the `services directory `__. 
-Each sub-directory in services is one service installed in (at least some environments of) the Rubin Science Platform. -This directory contains Helm values files for each of the environments that use that service. -It also specifies which Helm chart is used to deploy that service. -Each of the values files are named ``values-.yaml``. +docs directory +-------------- + +:bdg-link-primary-line:`Browse /docs/ on GitHub ` + +This directory contains the Sphinx_ documentation that you are reading now. + +starters directory +------------------ + +:bdg-link-primary-line:`Browse /docs/ on GitHub ` + +This directory contains templates for contributing new services to Phalanx. +See :doc:`/service-guide/add-service`. -Finally, there is the `science-platform directory `__. -This contains an Argo CD parent application that specifies which services an environment should use and creates the corresponding Argo CD applications in Argo CD. -The values files in this directory contain the service manifest and other top level configuration. +Branches +======== -Charts -====== +The default branch is ``master`` [#1]_. +This default branch is considered the source of truth for full synchronized phalanx service deployments. -Argo CD manages services in the Rubin Science Platform through a set of Helm charts. -Which Helm charts to deploy in a given environment is controlled by the ``values-.yaml`` files in `/science-platform `__. +.. [#1] This branch will be renamed to ``main`` in the near future. -The `/services `__ directory defines templates in its ``templates`` directory and values to resolve those templates in ``values.yaml`` and ``values-.yaml`` files to customize the service for each environment. For first-party charts, the ``templates`` directory is generally richly populated. +Updates to Phalanx are introduced as pull requests on GitHub. 
+Repository members create branches directly on the https://github.com/lsst-sqre/phalanx origin (see the `Data Management workflow guide `__, while external collaborators should fork Phalanx and provide pull requests. -For third-party charts the ``templates`` directory might not exist or might have only a small set of resources specific to the Science Platform. In that case, most of the work of deploying a service is done by charts declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top-level service chart. -By convention, the top-level chart has the same name as the underlying chart that it deploys. -Subcharts may be external third-party Helm charts provided by other projects, or, in rare instances, they may be Helm charts maintained by Rubin Observatory. -In the latter case, these charts are maintained in the `lsst-sqre/charts GitHub repository `__. +It is possible (particularly in non-production environments) to deploy from branches of Phalanx, which is useful for debugging new and updating services before updating the ``master`` branch. +You can learn how to do this in :doc:`/service-guide/deploy-from-a-branch`. -.. _chart-versioning: +Test and formatting infrastructure +================================== -Chart versioning -================ +The Phalanx repository uses two levels of testing and continuous integration. -The top level of charts defined in the ``/services`` directory are used only by Argo CD and are never published as Helm charts. -Their versions are therefore irrelevant. -The version of each chart is set to ``1.0.0`` because ``version`` is a required field in ``Chart.yaml`` and then never changed. -It is instead the ``appVersion`` field that is used to point to a particular release of a first-person chart. Reverting to a previous configuration in this layer of charts is done via a manual revert in Argo CD or by reverting a change in the GitHub repository so that the ``appVersion`` points to an earlier release. 
It is **not** done by pointing Argo CD to an older chart. +`Pre-commit`_ performs file formatting and linting, both on your local editing environment (when configured) and verified in the GitHub Actions. +In one check, pre-commit regenerates Helm chart documentation for services with helm-docs_. +See the `.pre-commit-config.yaml `__ file for configuration details. +Learn how to set up pre-commit in your local editing environment in :doc:`/service-guide/linting-and-helm-docs`. -Third-party charts are declared as dependencies; they are normal, published Helm charts that follow normal Helm semantic versioning conventions. -In the case of the ``lsst-sqre/charts`` repository, this is enforced by CI. -We can then constrain the version of the chart Argo CD will deploy by changing the ``dependencies`` configuration in the top-level chart. +Second, GitHub Actions runs a CI workflow (`.github/workflows/ci.yaml `__). +This workflow has three key jobs: -Best practice is for a release of a chart to deploy the latest version of the corresponding service, so that upgrading the chart also implies upgrading the service. -This allows automatic creation of pull requests to upgrade any services deployed by Argo CD (see `SQR-042 `__ for more details). -Charts maintained as first-party charts in Phalanx follow this convention (for the most part). -Most upstream charts also follow this convention, but some require explicitly changing version numbers in ``values-*.yaml``. +- Linting with pre-commit_, mirroring the local editing environment. +- Static validation of Helm charts, see `helm/chart-testing-action `__ on GitHub. +- An integration test of a Phalanx deployment in a minikube environment. -In general, we pin the version of the chart to deploy in the ``dependencies`` metadata of the top-level chart. -This ensures deterministic cluster configuration and avoids inadvertently upgrading services. 
-However, for services still under development, we sometimes use a floating dependency to reduce the number of pull requests required when iterating, and then switch to a pinned version once the service is stable. +Next steps +========== -There is currently no generic mechanism to deploy different versions of a chart in different environments, as appVersion is set in ``Chart.yaml``. +Start working with Phalanx: -That does not mean that rolling out a new version is all-or-nothing: you have a couple of different options for testing new versions. The easiest is to modify the appVersion in ``Chart.yaml`` on your development branch and then use ArgoCD to deploy the application from the branch, rather than ``master``, ``main``, or ``HEAD`` (as the case may be). This will cause the application resource in the ``science-platform`` app to show as out of sync, which is indeed correct, and a helpful reminder that you may be running from a branch when you forget and subsequently rediscover that fact weeks later. -Additionally, many charts allow specification of a tag (usually some variable like ``image.tag`` in a values file), so that is a possibility as well. If your chart doesn't have a way to control what image tag you're deploying from, consider adding the capability. -In any event, for RSP instances, we (as a matter of policy) disable automatic deployment in Argo CD so there is a human check on whether a given chart is safe to deploy in a given environment, and updates are deployed to production environments (barring extraordinary circumstances) during our specified maintenance windows. +- If you are a service developer looking to integrate your service into Phalanx, see the :doc:`Service maintainer's guide ` to get started. +- If you are an operator looking to create a new environment or operate an existing one, see the :doc:`Operator's guide ` 
diff --git a/docs/service-guide/deploy-from-a-branch.rst b/docs/service-guide/deploy-from-a-branch.rst new file mode 100644 index 0000000000..2102addf72 --- /dev/null +++ b/docs/service-guide/deploy-from-a-branch.rst @@ -0,0 +1,5 @@ +####################################### +Deploying from a branch for development +####################################### + +TK diff --git a/docs/service-guide/index.rst b/docs/service-guide/index.rst index 47e7650ced..6b56fedaa5 100644 --- a/docs/service-guide/index.rst +++ b/docs/service-guide/index.rst @@ -4,15 +4,30 @@ Service DevOps .. toctree:: :maxdepth: 2 - :caption: General + :titlesonly: + :caption: Build - linting-and-helm-docs create-service + +.. toctree:: + :maxdepth: 2 + :titlesonly: + :caption: Integration + + service-chart-architecture + linting-and-helm-docs + add-service + add-external-chart add-a-onepassword-secret update-a-onepassword-secret update-pull-secret - add-service - add-external-chart + +.. toctree:: + :maxdepth: 2 + :titlesonly: + :caption: Deploy & maintain + local-development + deploy-from-a-branch sync-argo-cd upgrade diff --git a/docs/service-guide/service-chart-architecture.rst b/docs/service-guide/service-chart-architecture.rst new file mode 100644 index 0000000000..0d82e2650e --- /dev/null +++ b/docs/service-guide/service-chart-architecture.rst 
@@ -0,0 +1,54 @@
+####################################
+Overview of Helm charts for services
+####################################
+
+TK
+
+.. note::
+
+ This material is refactored from /overview/repository.
+ The purpose of this topic is to provide a more detailed guide on the structure and guidelines for the Helm charts of individual services.
+ Link back to /overview/repository in the introduction.
+
+
+Charts
+======
+
+Argo CD manages services in the Rubin Science Platform through a set of Helm charts.
+Which Helm charts to deploy in a given environment is controlled by the ``values-.yaml`` files in `/science-platform `__.
+
+The `/services `__ directory defines templates in its ``templates`` directory and values to resolve those templates in ``values.yaml`` and ``values-.yaml`` files to customize the service for each environment. For first-party charts, the ``templates`` directory is generally richly populated.
+
+For third-party charts the ``templates`` directory might not exist or might have only a small set of resources specific to the Science Platform. In that case, most of the work of deploying a service is done by charts declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top-level service chart.
+By convention, the top-level chart has the same name as the underlying chart that it deploys.
+Subcharts may be external third-party Helm charts provided by other projects, or, in rare instances, they may be Helm charts maintained by Rubin Observatory.
+In the latter case, these charts are maintained in the `lsst-sqre/charts GitHub repository `__.
+
+.. _chart-versioning:
+
+Chart versioning
+================
+
+The top level of charts defined in the ``/services`` directory are used only by Argo CD and are never published as Helm charts.
+Their versions are therefore irrelevant.
+The version of each chart is set to ``1.0.0`` because ``version`` is a required field in ``Chart.yaml`` and then never changed.
+It is instead the ``appVersion`` field that is used to point to a particular release of a first-person chart. Reverting to a previous configuration in this layer of charts is done via a manual revert in Argo CD or by reverting a change in the GitHub repository so that the ``appVersion`` points to an earlier release. It is **not** done by pointing Argo CD to an older chart.
+
+Third-party charts are declared as dependencies; they are normal, published Helm charts that follow normal Helm semantic versioning conventions.
+In the case of the ``lsst-sqre/charts`` repository, this is enforced by CI.
+We can then constrain the version of the chart Argo CD will deploy by changing the ``dependencies`` configuration in the top-level chart.
+
+Best practice is for a release of a chart to deploy the latest version of the corresponding service, so that upgrading the chart also implies upgrading the service.
+This allows automatic creation of pull requests to upgrade any services deployed by Argo CD (see `SQR-042 `__ for more details).
+Charts maintained as first-party charts in Phalanx follow this convention (for the most part).
+Most upstream charts also follow this convention, but some require explicitly changing version numbers in ``values-*.yaml``.
+
+In general, we pin the version of the chart to deploy in the ``dependencies`` metadata of the top-level chart.
+This ensures deterministic cluster configuration and avoids inadvertently upgrading services.
+However, for services still under development, we sometimes use a floating dependency to reduce the number of pull requests required when iterating, and then switch to a pinned version once the service is stable.
+
+There is currently no generic mechanism to deploy different versions of a chart in different environments, as appVersion is set in ``Chart.yaml``.
+
+That does not mean that rolling out a new version is all-or-nothing: you have a couple of different options for testing new versions.
The easiest is to modify the appVersion in ``Chart.yaml`` on your development branch and then use ArgoCD to deploy the application from the branch, rather than ``master``, ``main``, or ``HEAD`` (as the case may be). This will cause the application resource in the ``science-platform`` app to show as out of sync, which is indeed correct, and a helpful reminder that you may be running from a branch when you forget and subsequently rediscover that fact weeks later. +Additionally, many charts allow specification of a tag (usually some variable like ``image.tag`` in a values file), so that is a possibility as well. If your chart doesn't have a way to control what image tag you're deploying from, consider adding the capability. +In any event, for RSP instances, we (as a matter of policy) disable automatic deployment in Argo CD so there is a human check on whether a given chart is safe to deploy in a given environment, and updates are deployed to production environments (barring extraordinary circumstances) during our specified maintenance windows. From fbe74f0f1e90de537115bc9cf45b8ca88c2f5c69 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 4 Oct 2022 14:11:56 -0400 Subject: [PATCH 1119/1479] Add a Contributing section to overview There are basic procedures for working with Phalanx that apply to both service developers and operations specialists that will both work with the Phalanx repository. Having these procedures in the overview section could make sense. An alternative is to put this material in a new top-level section, Contributing --- but there may not be enough material to justify that. --- docs/overview/index.rst | 11 +++++++++++ .../precommit-and-helm-docs.rst} | 0 docs/overview/repository.rst | 2 +- docs/service-guide/index.rst | 1 - 4 files changed, 12 insertions(+), 2 deletions(-) rename docs/{service-guide/linting-and-helm-docs.rst => overview/precommit-and-helm-docs.rst} (100%) 
diff --git a/docs/overview/index.rst b/docs/overview/index.rst
index 907ac2624a..49cf7fb9cd 100644
--- a/docs/overview/index.rst
+++ b/docs/overview/index.rst
@@ -2,9 +2,20 @@
 Overview
 ########
+This section helps you understand the crucial concepts behind Phalanx, and how to work with and contribute to the Phalanx documentation.
+
+After you have reviewed this documentation, see the :doc:`/service-guide/index` section to develop and deploy services, or the :doc:`/ops/index` section to operate a Kubernetes cluster with Phalanx services.
+
 .. toctree::
 :maxdepth: 1
+ :caption: Introduction
 introduction
 repository
 secrets
+
+.. toctree::
+ :maxdepth: 1
+ :caption: Contributing
+
+ precommit-and-helm-docs
diff --git a/docs/service-guide/linting-and-helm-docs.rst b/docs/overview/precommit-and-helm-docs.rst
similarity index 100%
rename from docs/service-guide/linting-and-helm-docs.rst
rename to docs/overview/precommit-and-helm-docs.rst
diff --git a/docs/overview/repository.rst b/docs/overview/repository.rst
index 54d5d0e77e..823d94b326 100644
--- a/docs/overview/repository.rst
+++ b/docs/overview/repository.rst
@@ -100,7 +100,7 @@ The Phalanx repository uses two levels of testing and continuous integration.
 `Pre-commit`_ performs file formatting and linting, both on your local editing environment (when configured) and verified in the GitHub Actions.
 In one check, pre-commit regenerates Helm chart documentation for services with helm-docs_.
 See the `.pre-commit-config.yaml `__ file for configuration details.
-Learn how to set up pre-commit in your local editing environment in :doc:`/service-guide/linting-and-helm-docs`.
+Learn how to set up pre-commit in your local editing environment in :doc:`precommit-and-helm-docs`.
 Second, GitHub Actions runs a CI workflow (`.github/workflows/ci.yaml `__).
 This workflow has three key jobs:
diff --git a/docs/service-guide/index.rst b/docs/service-guide/index.rst
index 6b56fedaa5..99fa88a6ed 100644
--- a/docs/service-guide/index.rst
+++ b/docs/service-guide/index.rst
@@ -15,7 +15,6 @@ Service DevOps
 :caption: Integration
 service-chart-architecture
- linting-and-helm-docs
 add-service
 add-external-chart
 add-a-onepassword-secret
From b0276631804fbfca1201648f293d5827b82f7e0b Mon Sep 17 00:00:00 2001
From: Jonathan Sick
Date: Wed, 5 Oct 2022 14:38:30 -0400
Subject: [PATCH 1120/1479] Add documentation on how to contribute docs
As we add specific guidelines for documenting services and other topics we can either add them or link to them from this page.
---
 docs/.gitignore | 1 +
 docs/_rst_epilog.rst | 5 ++
 docs/overview/contributing-docs.rst | 111 ++++++++++++++++++++++++++++
 docs/overview/index.rst | 1 +
 4 files changed, 118 insertions(+)
 create mode 100644 docs/overview/contributing-docs.rst
diff --git a/docs/.gitignore b/docs/.gitignore
index f1d176e896..61fb47c494 100644
--- a/docs/.gitignore
+++ b/docs/.gitignore
@@ -1,2 +1,3 @@
 /_build
 /_static/*.png
+.venv
diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst
index b31081a51a..da084a2f27 100644
--- a/docs/_rst_epilog.rst
+++ b/docs/_rst_epilog.rst
@@ -2,8 +2,11 @@
 .. _Argo CD: https://argoproj.github.io/argo-cd/
 .. _CILogon: https://www.cilogon.org/home
 .. _ConfigMap: https://kubernetes.io/docs/concepts/configuration/configmap/
+.. _Data Management workflow guide: https://developer.lsst.io/work/flow.html
 .. _Deployment: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
 .. _Docker: https://www.docker.com/
+.. _Documentation Style Guide: https://developer.lsst.io/user-docs/index.html
+.. _Google Documentation Style Guide: https://developers.google.com/style/
 .. _Helm: https://helm.sh
 .. _helm-docs: https://github.com/norwoodj/helm-docs
 .. _Ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/
@@ -11,6 +14,7 @@
 .. _Kubernetes: https://kubernetes.io/
 .. _LSST Vault Utilites: https://github.com/lsst-sqre/lsstvaultutils/
 .. _Namespace: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+.. _`lsst-sqre/phalanx`:
 .. _phalanx repository: https://github.com/lsst-sqre/phalanx
 .. _Pods:
 .. _Pod: https://kubernetes.io/docs/concepts/workloads/pods/
@@ -22,3 +26,4 @@
 .. _pre-commit: https://pre-commit.com
 .. _Vault: https://www.vaultproject.io/
 .. _Vault Secrets Operator: https://github.com/ricoberger/vault-secrets-operator
+.. _venv: https://packaging.python.org/en/latest/guides/installing-using-pip-and-virtual-environments/#creating-a-virtual-environment
diff --git a/docs/overview/contributing-docs.rst b/docs/overview/contributing-docs.rst
new file mode 100644
index 0000000000..154c51ae20
--- /dev/null
+++ b/docs/overview/contributing-docs.rst
@@ -0,0 +1,111 @@
+#################################
+Contributing to the documentation
+#################################
+
+This documentation is a Sphinx_ project hosted out of the ``doc`` of the phalanx repository on GitHub.
+You can contribute to this documentation by editing the source files in a clone of this repository and submitting a pull request on GitHub.
+This page provides the basic steps.
+
+Set up for documentation development
+====================================
+
+Cloning phalanx
+---------------
+
+Start by cloning Phalanx into your own editing environment.
+Members of the `lsst-sqre/phalanx`_ repository on GitHub can clone the repository directly and create a ticket branch, per the `Data Management workflow guide`_.
+Otherwise, fork lsst-sqre/phalanx `following GitHub's guide `__.
+
+Set up pre-commit
+-----------------
+
+Phalanx uses Pre-commit_ to lint files and, in some cases, automatically reformat files.
+Follow the instructions in :doc:`precommit-and-helm-docs`.
+
+Install the Sphinx dependencies
+-------------------------------
+
+From the
+The Sphinx_ documentation project requires Python dependencies located in the ``docs/requirements.txt`` directory.
+For best results, install these dependencies in a dedicated Python virtual environment, such as with venv_ or other tools:
+
+.. tab-set::
+
+ .. tab-item:: pip install
+
+ .. code-block:: bash
+
+ cd docs
+ pip install -r requirements.txt
+
+ .. tab-item:: Workflow with venv
+
+ Create and activate the virtual environment:
+
+ .. code-block:: bash
+
+ cd docs
+ python -m venv .venv
+ source .venv/bin/activate
+
+ Install documentation dependencies:
+
+ .. code-block:: bash
+
+ pip install -r requirements.txt
+
+ .. note::
+
+ When you want to de-activate this virtual environment in your current shell you can run:
+
+ .. code-block:: bash
+
+ deactivate
+
+ And later set up the environment again by sourcing the ``activate`` script again with:
+
+ ..
code-block:: bash
+
+ source .venv/bin/activate
+
+Compiling the documentation
+===========================
+
+The Makefile includes a target for building the documentation:
+
+.. code-block:: bash
+
+ make html
+
+The built documentation is located in the ``_build/html`` directory (relative to the ``/docs`` directory).
+
+Sphinx caches build products and in some cases you may need to delete the build to get a consistent result:
+
+.. code-block:: bash
+
+ make clean
+
+Checking links
+==============
+
+Links in the documentation are validated in the GitHub Actions workflow, but you can also run this validation on your local clone:
+
+.. code-block:: bash
+
+ make linkcheck
+
+Submitting a pull request and sharing documentation drafts
+==========================================================
+
+Members of the `lsst-sqre/phalanx`_ repository should submit pull requests following the `Data Management workflow guide`_.
+Note that GitHub Actions builds the documentation and uploads a draft edition of the documentation to the web.
+You can find your branch's development edition at https://phalanx.lsst.io/v.
+
+If you are submitting a GitHub pull request from a fork, the documentation will build as a check, however the draft won't upload for public staging.
+
+More information on writing documentation
+=========================================
+
+When writing documentation for Rubin Observatory, refer to our `Documentation Style Guide`_, based on the `Google Documentation Style Guide`_, for guidelines on writing effective documentation content.
+
+For technical tips on writing Sphinx documentation, see the `reStructuredText Style Guide `__ and `Documenteer's documentation for User guides `__.
diff --git a/docs/overview/index.rst b/docs/overview/index.rst
index 49cf7fb9cd..e9a2fcdf57 100644
--- a/docs/overview/index.rst
+++ b/docs/overview/index.rst
@@ -19,3 +19,4 @@ After you have reviewed this documentation, see the :doc:`/service-guide/index`
 :caption: Contributing
 precommit-and-helm-docs
+ contributing-docs
From bbd139fb986fd54a411459b7db5640322ac6ac63 Mon Sep 17 00:00:00 2001
From: Jonathan Sick
Date: Thu, 6 Oct 2022 13:33:24 -0400
Subject: [PATCH 1121/1479] Add a stub page for documenting environments
---
 docs/ops/environments/index.rst | 8 ++++++++
 docs/ops/index.rst | 7 +++++++
 2 files changed, 15 insertions(+)
 create mode 100644 docs/ops/environments/index.rst
diff --git a/docs/ops/environments/index.rst b/docs/ops/environments/index.rst
new file mode 100644
index 0000000000..cac6969f0b
--- /dev/null
+++ b/docs/ops/environments/index.rst
@@ -0,0 +1,8 @@
+####################
+Phalanx environments
+####################
+
+Environments are specific Kubernetes clusters deploying Phalanx services.
+Each environment can deploy a specific collection of services, and with specific configurations.
+
+.. Add a table of environments, possibly linking to their own documentation sets.
diff --git a/docs/ops/index.rst b/docs/ops/index.rst
index 6e4dc80207..4694dd50c1 100644
--- a/docs/ops/index.rst
+++ b/docs/ops/index.rst
@@ -2,6 +2,13 @@
 Operations
 ##########
+.. toctree::
+ :caption: Environments
+ :maxdepth: 2
+ :titlesonly:
+
+ environments/index
+
 .. toctree::
 :caption: Bootstrapping
 :maxdepth: 1
From 17a9665ade847782fb8848ad0dbe9c0e1d7318ab Mon Sep 17 00:00:00 2001
From: Jonathan Sick
Date: Thu, 6 Oct 2022 13:33:44 -0400
Subject: [PATCH 1122/1479] Write doc on deploying from a branch
---
 docs/_rst_epilog.rst | 1 +
 .../service-guide/application-edit-button.jpg | Bin 0 -> 55656 bytes
 .../application-revision-edit.jpg | Bin 0 -> 69777 bytes
 docs/service-guide/argocd-application.jpg | Bin 0 -> 61237 bytes
 docs/service-guide/deploy-from-a-branch.rst | 183 +++++++++++++++++-
 docs/service-guide/index.rst | 4 +-
 docs/service-guide/local-development.rst | 5 +-
 docs/service-guide/restart-deployment.png | Bin 0 -> 37537 bytes
 docs/service-guide/sync-button.jpg | Bin 0 -> 37912 bytes
 9 files changed, 189 insertions(+), 4 deletions(-)
 create mode 100644 docs/service-guide/application-edit-button.jpg
 create mode 100644 docs/service-guide/application-revision-edit.jpg
 create mode 100644 docs/service-guide/argocd-application.jpg
 create mode 100644 docs/service-guide/restart-deployment.png
 create mode 100644 docs/service-guide/sync-button.jpg
diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst
index da084a2f27..57f645b813 100644
--- a/docs/_rst_epilog.rst
+++ b/docs/_rst_epilog.rst
@@ -3,6 +3,7 @@
 .. _CILogon: https://www.cilogon.org/home
 .. _ConfigMap: https://kubernetes.io/docs/concepts/configuration/configmap/
 .. _Data Management workflow guide: https://developer.lsst.io/work/flow.html
+.. _Deployments:
 .. _Deployment: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
 .. _Docker: https://www.docker.com/
 .. _Documentation Style Guide: https://developer.lsst.io/user-docs/index.html
diff --git a/docs/service-guide/application-edit-button.jpg b/docs/service-guide/application-edit-button.jpg new file mode 100644 index 0000000000000000000000000000000000000000..bce80da878aac4e29e1a1701095f018ee34d8a8f GIT binary patch literal 55656 zcmeFa1zc3y+AzL{fuTV{a%comK$@Yu1O$UpB%Gn78M>8{PU%Jg1xZ0bLP8h>K~Nf% z4kZMn!*2-n+;i^np7Z{{@4oMQfB)rT?`N;Q@>x%>4SpN^HbJ1PA}434c|}7}MNI(! zfdGI&SOom3R$7?J2o zhw#s|(GQ?|0)V$%%9@OfKg<6TL;|;Sa0CF5Cb~91!UPFN!~SU4%Ei&{u>1=eCckBQ z2xDL#!Vc&OqG75-*z6eQJgRdHOCQ1rYa0Z*&f%Qx5Y~u8xCIU0b9OR8!(cTu9O!Ie z;(~_Xp# zG;u}G69D9F?c5wJ%*-7b&%!wvc|}BEjLIf1Rwj;)T$;vkOJfHFqnxd^ow1D@035IR zuoXahh+9T9l7)ChgoL>GxY6kUk$(B|N3CB2hkJWmW9{8EYm05c>l_W%qB^Lvcti=8lebq8Bc>xVUgzn83LY5&9$j z%L+eg{yFfQ@wgAi`+++~c@tA(Co4zBL!`oOt!$kf7?F0ya1%zZ-xKkFx#4f7^_zKc zUNJE>aWJt#52cN!G7B3s^mf}IEF3LtZ5S_=`hS5(>)qSzdySE!v!M}{fL3IFk?I{mb-F| z5$@#RdLup@6VMgdxfhJ;-f{2P6!V1}TQTfb>8nA?w)K*wonP zu_drIu#K@Du>-M_unVypuzRtmvA1yWaTsv;a1?Q_m+0(yd)YV)+Avhk4f4|=18$g*+>;g5v2a4Ii$^`lVo5r7BV?9IGG>W1G1N7 z)8r6xc5)T++vK6-PsqE-znmsLEpS@$)RxrI)X%8j(_qq^qq$7uLX%GOl4gOH zoK}n$P8&j7Mmr3}fS!Y1fqFo5pqFM=3=IsQ7*8|GFj_GtGPW>&VS+L#GdVG3F?BKRGP5&lG2dk_W`56t#{y$9Wr<^H zV)??#z^cyb$y&fVd3vCw;cm#Q@cpmVK@RIUg5~yBPO;(*yJE!KLR-=xg zeo;MEee}|qOE#CDX#g538nGJhHQ6=oHJ@LGT-Lmta(U(o?-kE0ZCA;z8eV;Tb>o`s zwa9BDT4%MKw3@Vuwe__hX>aPt>%{1c>0Z$F((TZr(X-I2x{iHa`+Dy6^&1K|?%$Z! z7t{~b@4v}@)AeS%0gZu`L7gG7p|N4P5tfmT(PN`MV-4eMUS*wZCuw#X;2}7YRb%L{>SHqm8Lfr?XB0PUFs! 
z&MD4YF4`{Tt|YEDuAOe@+=AU^-4)#*dSH6MJ(@h3Jnwjpd&ziZd4s%fc{lm6`1t!w z`zrb7-@&_MdFSW!%HOXK}A9m_Ilv z_#gxk@+y=kG(L1M3?B9>oHsl%{9A-+L|3FxWO@`N$|kBmS}Hm}h9t&4W-?Yiwla<} zE+p>jeZ%|h@dEJ~33v%k31f+BiB(CgNl{6A$>zy@DY7ZWsnFEm)Xg+RT5q~^dQk>l zMrg)PrbXspmQq$_Hd}Ul4kX7pXXb(SgSLmThmUe;azk_X^KA0Q@~`B#JQ9BN=rQzh zWC2EjQ^9Pu9sVrz4oOj`p=0#(~C+Ftz%_Uc)OP)B8_U}wc^!PgaCLS2>J z!rfJGMBdc&i1*a@O7%9rm4Dm%PUT%k-=)5uey#q&0sVooLB!zPkk!!2u=DWli0>%Y zXvq6h@8dr}KV*O8_*gt9G*&k*Ki)ZUbz)=^KKXeHIkh+KKSMYZKg%%tXpV2Lc3yG* z&8Himra#+#-dzY>Bw0*dI=l3AS$etii|&`{6^E5?t6^)@Yk6Mm0J!maHJnO zkF?$8*qrjWMqiBWv+g!evI<D1RVf?5is==o!U z@o@35zt0pz!i2$R#7oNah54}0Y%tj=M&B~HUrzH|O}o1>6D)F9k&{uGB~7dRYq8&k z0Rr?YFi5~8=!I@)o-TXM9c*?n*T#E!Tyo(zYX>|GENZ?w!0pZquT5rPM0N521 zyVANpdj0zVNPtWlV2EFQCnmPnpb_ac>{cVP0~46lDV}M2zsLT5HuE=qf`?bUG7lZ! z|1W9psjBz0=(*Lewt+=A_ZH0Pi!t{Hn)cuDn2Oh*m)Pu%%=Fya!T$X%t08633qK`S zTfnmX(JRr^oTE#@=ypc#(PY-#H0&E&JR*~qBwRwxioTrPyefV4!a=cmQ$!?b9qLfm zMZlgpaevv4XfxxZV6@QTYjDVHMWYK{1ZOe4^Ld8M%V3XGy0>~{Mu+cUOCC@$ZufNS z@(*i^9{OoWV}Zlsf0nSPA9je9KE64ad{g&5rD*-Kgd<1%A~uFzhWZaJZqfHnrsUlldON#GmF^*Irr2}6BBj23O0xdYLjtD9 zH?Y&%mxx)+a>Z|~w0N8n?Ws-1IxNSQk`cW9Nq<$e-{Hg8+B#YPH;1MFEHR{5O}^*uc>7=>jnC?R zHo<;IvlnV?xpB>D=w;#8)j%X`2S$vLA_U1|%1G!p5|LCSA#uISCakcTg&Ma@Q8Hu3 zJ6RJ#@ZhSUL^nJPot)5ZRu**q*T=e|dtH}shb@8A5D?|L#I)pbIlPCb}nZ13Q zCGN^Ev$>0@&vDWZNF`^->!-kxI@z#|WoY@J_{cJp);)+@v`s7%08=+c-R^q_bJ~&X z7@8v@G{_v^iKHAxV_+!NRP&z>^H&OKTrBuF0pc#^ulg>xwcQn7CXK&;5LvxtTMeu} zU7Tu=GV@8AukaF&*)+=uy6&F5{iW`}U{JkggQ#H5DZN7dA{sr!!o}_NRvW7(Z9_ff zfgaD+?M*x+ij#J3V*-RpttJ4d)A1=XZAro`b4@6%OFeLtqWR(M)Utz0RXaf)k@@pmpCn(;x{JI41eSUcx&T8e(s4~+c+Md5*1qz_5*G=OZ{EeOaT^tfAl8Q{%1Ewn5~b z<-ImTVw`?4x*C(|p@DY&7`E=>t?uIFQU1*DyC(8j54Qw3-mYU@g3t>>LnkWl?^0

>7r~bn*%W+1+rDuC5Lvb5Q*}HY;BY>?%|mQYZp`)92$@lfe=OW?c<^7PS~%lL zw&6998q)_c7iY5 zNZPPkC;(mqT`+ZCOFR8qFAXS za!bwOcS03}Pvm|BjD*8~`?R#T+yflb^{fRicdm?^|a8KyW{@%`4pZH90x8nU~`Tz)RH$Wh2=oaYG#wdU_`=a`9-~S#ykvoaO(g4mbapW#O zx`NQ>p(5BWZ1=oTLTHA`(9qQ@waZGfNO!12Mf8P?8(;NC&-CQvXr*onY4qhH$Tg{mvkZh6%l`wY4zLkAD9E zeCI2*jtr%~K{rqOwg;Z@=l2GV(TSGz#|TBY1LX;nU1Oi~B=$T(<{$d{iv`~qi+hPd z)-Y%L8<066Y4*8xS#xSTBYzudIOyp!sF%~UqjByv{f8%IQ-E=FpdvLD;vaADxq6Q| zX#i|$pCkQjbYJPUVWF#ce-~eE$uY`Ab}+TkNc)i_gJ$c|hag9i z2vU9vtD?QSoBgVe$Z)vnSDET!qmznYy^?+_&^;l+1ws!1Lf{*ULt%tMt2p!%Hd@!= zwntITib~(kexcxZxuU>03hg_#a|ClSCvQLmX_HHA6as5$ua{YYiq9nSg+g*Hwci-E zpJ8WHR~#UE;_!8_%iR|s6nlDPgUD(E7?KTW8}uR5v^OWMh_OG+iXZrB>5J8r**Pw^PcD6BT(hn3 z;-arjH;@p8-Aoi*bLT;>?YMVKdT}OKNu=`|r0<)t?v%Mn26n}EIgPDVc!2M&)vj5- z?YFmHjO`lvs1*CjjCV>S=W&HuPvg`_FM2}_MGdKfLZ!4%a}fqUhF!U0Pg9Gp>Ot$o zBCK!TWM>e5R3!dtu}}Yo*IAMBKD$+k>oB){&Vk4U%XyZ@9o$GE_jA<-snA-T`?oyXumpHPIyQ9LxLy*lUlgI-<6Q;%(yM5(vK^ z;}0}}zDh}aWduOwu+GdMg?|?~5g|#z>Xpcvv(u1&HBPI1{zd!;rpn>ckd>&dQ}2R}{z$j^~uNKOOy13G`sJuLMQt9uccj z1&|m)(i(GIMY?l;F! 
zU?7H@t5P?O2+SbTKPrOfynl*=*&Uj0ejkJLp&AA3LXlUm*)1$)`~IkUC~^8-J-ocH zk1c*~pS4(brq^Mw68H3QaNGN^kWT;c26pVcb$N4!C3|%7dq2O>(f01f1!9(-50Tsw zTor5Yz0>`=m**R2%{TJbwj@d?1}glzrZ(5p9Uv~D%f4u!Qa3Tqk(Z&R!&y7{X8z)qKx^N^z z_=@}5^s?yC{SM3yFeln_dC>uul3Qz#&-}k*&fPvT=WN@(tbLD6*>mPSjj8$xT92OT zu8S8W3{t;=L|1p1ZnCYxGuXZXmb2dX(8tC9efswG;ldl9Y+rbCERqT4<|aj)KfOni z)T`f^by&rhP~WT59i$O(A>vqWa)3Xr75S`}H&<(TTeIX?0b^4Su08lVTGKU~V&>8P z!LhW-rFL2V`wn5Jx?hlb@L{boEgYJcJ<&KiHtJY4wS=4(OBK76kn!~M_lm!`|H*z* z_tZqP&C+yj50srJ0cyUwBo5LmMw-QMt-btYf8p95 z&ydqEuKpqad);5$Ppp~OY8`%T1c`jNcRt4MbO3M|9{^kn*Qc+1x^|=Dw(*V0jCb;N z+{V2#bU!YQJxiVq@6dwf|AsP5!98RFy;UE*6BYou^$V#TEmob#_VIS{L$qc(3@-fl z_!vS*vZ8$IpzP0O1+dmFGr1@soRPn-pCp>Dq&N5j?Vx7l=-7za)%1s>J=j+h6uPr# zh6F2K_F5q$f&^(t3skZiw%*&K-&XOMX&csd{L=zWrIGawY>lK3UQ|Ed+h9$g>?g)oB`MOc}B-rz&_n=ndn&Ul!uIc zX#Pvj^*31iPBuq+M`txd=NH!0>t2|ndrnYBKfQO?i`9LZ*^lO9MLn}h`LOk!lP<9- zZ_h>=W>!!1%@c9=nzQ--W~g6)-}h-qHO!Bi3Uzy@A#UgSvFQ2Uia~DeqbvZ>@`t?w zz>q5(%rXC-d=~xj;&If&?ods78NTwmd8{VC&+NBxkMCuF_x|0s9lHnsmOI7wcM5*7 z`c{dAp!zzUpsIEM-;A@Sp)!Rgl-GI4*M5C=pCp8_MLySt(Kp8?uG8CS{7`PcY4LmT zyCL@C$PhC;zpnk~W+-$Yj6T+&N89i}6Iygg+bzw}J9qW8EJC&VVRVy$5+qGa^xlVY zmw%m3@N6H0<_VoX&*HvcNCYarf5(}`@v(vjI~8YkY? zEc5Z|pS}BqL{N7PDv!i2s?&EHZL3@n)lga6$1Yi`PC4p#8}aIyVv&i7tHzh zmw(*iL%b-?tnAhd zyjx+8`a7kwvhLd}`y#n@G)o>EZZ+K(UHQ!la=M1-cB^*z2mh5hcN|WU#6-(&iyf)d z9kD-W;U6p<3bbR(bNuRm4%FtiyruJM-PJ{~C!LO1=}}wz(@&q*wj&)%6Mt6v6?C#4{)gT% zI$U{h_ZQyr@B0y0`hCftJfE0IO^413gUlM*Q~jSN3j)5AZBiUt51ufz<=C_A zD!Kkwss8Zv^)IFqbu@vAmb;NIO`B+{Z!GOhc-Seb-~6kKx8HPq?hD{3a{1q*DuUWN z9v*$Ya{LiX_GW{W-VS(eWe3yq)UH{}L-bE%rKj>=z3nu#1ua}?i}!BYb3OX$$Y{NC z(7A{3{{Mge9u8jTt*q?guS{o@G|)2~{-8g6#Q|XeAS~e8wfzU|_3wt%mA~MHpi@SP z{}`?j7GdrAU4i`G2M4`he8;j+QeOD!)2F2<-gC)3?tP-2&4I$m?R|2t?>2L)?>TFQ zhu81r#gJ&pOo+!k)Yp2cucdWaa0;wouXEa7YsybS%U(-oVJDTUPr1R0> z*RG6;w1(Sa-j&Kw@@vEk(-%D}#^be!eFM}Rj_?XT#H+k-F~ifU zH%bhe4OEu{17L3qighw4ilyIq*YD@B;zGw#0iS>)TwL8CJ;&P!P+oqLx5!JwyoC4o zByII+Y3Zz}`I4OlP#Ao^YH>F&Yu7KyrJ3^qHFxVYYwidRI6yxuX)>KXpP&3WDEh8! 
z)mFOZUiJ$e^@7~Kx8@4I1sH_jDCzSL`rh82uZ+j=&0}gBH!4=U@`CI-?aZ}lQrYTP zv*%Nb9KPRBl|dn-~X1=AqT7f67C-?(tX=&MBqOSee-^RG@Mh zs)u*8e8E&_OU`4-0g4i$#(KqSnyq*x+TC{K3_bRCcw@ylFot1#nVY-@DVpXC+nbkW zvB04zFE%N1&Jb(n*2Wp=TnWuLM+jIHe|~_*AS<5T)g69REe?3`;BlIrFzkFduAQ(1 ztmaO)meciFQq}ui>fCIzy~Q$J7{%%%JJv@e0Xig!DX~7t(`uZ%^A%Kgk*c0_pFC*o zEdfGf2ObzR{$(IYsCSvNmbcK(^$Q|v@&$^cX_=t#nc~*k8ALi)bP=DpJn93h?Hxvl zxI}&2Mf&TV@$pRtYb~gbt97l6gN=R49d|uV#y^N~v(`;Vt9%3WBEoq|X>qJCyer|2 z04;@4rw`X9PEjyD(xbdJWnx;+v?f|APjFj!7c9?h-I(|lo|9Z6|EiMhY0+^1Glt%v zy3(gj+nxNlN;rBM)6H%CbtMYt%(>a=*&3M1z`H)%tRI_t^s-5xHjTi8OEX*jSu8bF z?(;rPP#j3cOB|F2WwrX^xwg}qSn&u^?O4fDU^@;Wjlv&AwKl&A$qK)X;0)&zYLz&P zl&j@BJ&w<2s={uQRw5DJ`jWRD-ocx}=GbImH*KX6Yv3gz9gHHqnav~4Qg*-Z(z>k3 zImffNYAKTiS6#*Wa7O!+`>fK(`fKiMj5~(i-X*zEO8V=|=T=R|FQgcCk2ea2i*J9w z)h7rByqema=cuBH-;!#Hf?PtTs}zqZ@lU|2W$iLJq@qV>V$N``DMjArABr93PoEJM zW}Ms~l1$Z$5q_o=%h(*mG2X`Q92lx3#W7uMDs$^)^jE|($@Hs@)aq2)gea?+>#Ab< z%!&19)#4&V^yyhW(zd8$>iLtR#`vaOMfhPQ2x@vWpNo220g?H4mfSdfbn%G1^#dZ1 z9dO48$Ex0SOlqQ9$_9pmR=J3YS?>q|^>kl^=;rIoW8VP!NvBuj| zwUIsKZu3wrMVN=MUz}~)db?uqa-AOiTkIY13&dfqNfDcOan4Z_Xx!i741P}%;v&{q zh7Id_bCdsi;+L;xmMX6JMIW5ikTGI6rr^AJ@wVerJl!LRC?BZzJFmyGZO+eHZ;ZUh zPYan$*dmkb^W55347<`!dryzyUEM;fhf=RoAjb{XFwasA{0HF+$=U=CZS9z40(jn- zrIZcxFrJBzEcOOH>&j_WMTG7C9dvAVbEwV4$QxhSgO`!lH=ohcy{W{R4bCBt=ff5P z)9$DR%xLuFg!k6yyR-nT9b}mv_ER3rZJyc6@5wSIM;lPjEd!XI7o?8O8_}I@u||a5 zzaOJJ5lgI7@i1!I*P#20j52)wYu8oi#2fuH7M6R0r6zzO3r$;Hzo36f+3G}7n_^S% zfMBsXQ%MkmDlhmZYq+DV1G6csqpgFn)u4a;i#9dPQgum}?LDzD9YNkDV`s-AoT~fp z93b~%RP}ZBH(^Or=O$$*rr$Y`DU%^Ql>B*<49^Q(c`>BiV#JDpg9%_{p3&`9#saV( z`o0N!Bp>lAdcNxdn@e?PbWi>&BDn10Jb`}(DTo@zZOoi;2YMlHV&Wc#r#$ktPPIo| z7;@z6Xnjh;TZbJRL-mgNYA@jnxzoQYx(u)3Uox2f&&jg217B){M7&%R27-Tmab&>( zU^rO1eQ>RCZNcxikLnDc%D({&y9Z>7=@E2WrHMmyV<0wVLrU-#pMxldg?`gsf}&_I zPditHV`V!*`Ng3!(JRyzoU0wwpX!SEdUYiI#Rr0Rw?rB5l^ijV zlY(KkvMO&8cAhP-M(@?c@PVMK&u$tlF)WYAG_$I|g8Q98;K9QZw^b@``S?J?CNu`4Z_Om!m%Pe&d8Tw}D!h)66Z zu2rsj@-(zF&ORf7g1t+Gj<(?wO2Z9Pl)-}MA|_4B=Cn(Po&5zM;FD< 
zNib(g8Bgl*a*1lLq*a7{cvbz>O`o!^r*#AL>>8uYzHk@iGF7ooVltPrSx7N|KE;Jx zA!?5}o(&qOS+O>y`rMD`$NruI7;=@x00_y2V>x zH$w`iOuupC1`TWM*a5Zx3^7S{iS5h>>ZlsmL@x6-JCwITbUT<0B5oDt6co0H3=NyR z)q2-Fr^UaK0!nnJq=_zRa(|C4G9P8?%wNXW>~Eh0?H{H~=uHvn5#I!KOQ_sE;WnIw zW(d=XX|KZiPAa=yb?->?Z-DC4{f6S${sU=jNSDvSjrXi>R6hHBB;4e5@1Bk|9!QPc z4hB)@+!l$#TpEv{M8=EcVm_VR49?bl-wKVSU*mO5XHd@yZ^rT?+*I-(qS^?omg5Lm zw6hzR;^x%Ipxsi&PT};@ZUi&hMsBX8P{&@Fyc-CSB}*I#l!IFGwDVcYVN;C+R~1^V zj46;WFJ6XKQt*jenNBJ&m|Mx(3=bJb-l2feWwS0QirPM8(Am28C_1e3Uh12XOJbG$mGe|(hk*dDd^0Q+71JzIR^>OFtW$VN6=cF4V@A%MR9Ef7= z*@!MhwPA+A)9s&&rDnE90N6opt*j0_D_v@tSMTjrC2sPpG^~6B8pa9hAg>m~+v5pz z#{fH#tmX?(>jHYJQyED!7uPP?^HPU=U|F4&vTZ#$AhI)WO?}rjLCspkiE<21B8qf-vmqb;_R5yd(as?jBibXb6-K zgteG5^FhfRSRHIsKP1J>;;dcZLPa;zb$fck54km(fbCl6rIhS2HB}b7WXagKhb!L_ z$r`U3qnH$YR8sLManYD+5flXhfn_7O6DMiiVcz;-t{>ozL3EvnhsBnoWr$D8M^kE| zwZAmyJ^4Y7HfnA%nZ)0tAk?0U zv+x(jx{2R_>lZp;m-70NH`n)j#_J-eF5yhjVlM_wqh6l2h}dW*KSNQUPJC0bs6a=n z;BjBy?N1d>*K3~K)c$1w&7ah810UimmLQk1onQYW<)XsBN|&S$Wifg~IcV+mi}1$& zLNrl0}&>!t|nvlhToKihc2ugM2dZfkx^#)F3xz}GxoYd z0uKWzwWGNRPvu&7TAj&dulpczeg=goBNs3 zsOwn?ugdxcxI9-Si>qdUV?#yCH>&Q0R(u2Qnqw;R;Y;z%Di1*ri|{h`*853ht)gGm!jl+{zTj5r)sxnE}5^CBM-`48=(#Wf~DxK4Z+c*bRQ$l@j z(i?zygt01|$q3x20tyqz)rRb7S+d(mYR6iyC8|ZgZnTz)#H0TR1r3r^c|k-Zb z9n$TjxZ6ol>IL!b)UKGt5W571qKtWoGw0d8F*Pn5;Y^v?!dVgsl($w`g1-TZk_j?( zhP@gcQT+*t&&7+079w&Lp;aF)j6{7*nDANbI1)oflu#(!#Iy5UiBE!_x3Q$YSsCRy zD0sVd=>ylcH&gI~ugNv)H`$6}k6AaeqLm@)`3t)w_}#(hsm5FL2h==CiEFGjEqB%K zI?@YfeLmfPzEDTEsPyKonwL%?|KgEedL-oW!)uT4UwN!`@sZZK|D~V?<6hOST(g

%SSTCvo}o-+t0wC7wO(_KM>J< z(r#rnU$Qvmcce-pW7+tV-e*PmFa^=PS}IO-mGVcwvf(g6Fsta1I)+;&@v~a4-hxX` zNx+^5iZ7A1YOE&Sw<@#`<-;9q*JE53F8ncq3#ka(mg{oHtgPK%m z$vn@XBFF?5e8HDnhGW!G_b9e4E3Lf?JD*#wU3Y7Qnb>*qR2WY_;;tV*o^~?@^gV~t?lvMIwZB3^ z--1`KFNkEk_dwV(ZB?ZDikG&i@Vy9n0t2wWr6&Kz@l2p+Zn@+7SrR zCu+59b?nBJ)LRWJ7sYPp3=8j_?uZnqjuCZprz#U!?T9_E-%b}Ufe2!N5|oCrt3F#t z;6qjTCmfR;gqdcbqz*Sm;Fc@y1m#s1?PflS#K7D6^_XH@>B5@a393wlHbwRFLM)JM zcXia+#8;<;bR>o9x=}$aY-rC{C7exc+BgIv%dfYdMe@qwMv}m5N2Cgy&9&&l1QovU zB~SYV6Df8!#RND{lt3WP7&I2GnQg#m@~%q4r&@k=x~na`mq6G5QggscGp6gCh>R4s3c8OEIoCfx$`JTYW zg2Sxyf=i7REEmZbAxxm0+-B4?yKlZ6ibtj9%F}Wql2(<+IJ`%CFvlB{m_Zh3GnR$N zv#GUvSb4!pZUq=S&#erODkm!vFfA``t%@vIg+~%m#p!A`DRRo>k+KU55VM~b53)J0B;VSxqGW_5)TQF_*j#!T^3hD` zD%!fnl-1Fp)}h83k8?eywnJg6$UUQ-NX<*=+jl@b;`?2ChE^xNOjF`bY@I!+T9w-o zfh{b=E~J-2>bL-(Tsnm^9L<5hA7!!3NJYJ)CYd7cXiKXm_}mIGH8=KF6x$$d9par^ zmatKSZDHk=>}OZyV_fADps&XgxJpGLiOo@A7_lZ$plxK1nmb=ek)#0!qBcS{&NyK*X^UQZLTwqT6L;k$H5%%qbHtcB`3Cz^)mttJYsM+l) zRYsvR-!cF2u87~tM0DZHKwff^7qp@H^t!!>mb~u{;&lH>${&KKKB9N+sH8@sq ztFf)CyCaS5NG%;Q&%Dr>m>c7fW1{j5G|~1;t);X+rSv2zjZxw=8S`U37QS~aK(ZI^b`tdCpu`E6IXC)ey;y2JX&x^8) zBj+l$tR4?(l@*w1zj|{2#`nk7Bk$>`rM0!TwnD9Re5zYb&I)Ao+RsDA-<&u8?*iSh zr@Iaj1&y5NN!}9Tn?}+U63bt0;vler)DpMDp$=4-)y7%doW>$T7l)E390tLwiOm#B zS1$1$>59X)WKJSoUxG99s=Fi!3jLZ-4=7Fa!_*0`$P!#2@D?i~jNxDj_(H`PovS-l z9gZ|Tj%yrphdsaN$7H`N6S8v&=LGK=UxIr)ibg`1Z8e=>7y2rpQ(lKjo>Opya)(G1RLVLlpHg3k#pQ{9CHgy`da3lX?yZ zHlAnb694KeNs^K>5HrxVtL|8khke`LlF5u!+~Q4 zwqct?ri`@>`*M-PV=oesWDsbNFhp3U^*I*1CF{`=*oiDP$DszEc8L3Tm1fQfM+r^X z!>Xyd61d85)lXn1<7bu$$CioJidp9j zzW*#rX!aByA^6SP)!9RN6ke45s_pqbjLAr1Wh6nkE#nWKM_J}SY_)o{)yqo}0lAmz3EmuHiUg~S;x?Q+R^PrPc&r@Cf!x^s#=OXRVc}xOmm2_oe1~DZ@e_JDBA#o&tz?v8FoZ$j(am38)xXIxn zqt9*8w4o{6>TRyRO{?Jap@ZkmjGsy?MHW&;%4BG#Na3itRr`lIke z#A#qA0j-nbc6BObouvwAVJoPCNq9fI!r9m}Wpd#NMVyLF2 z0V$0iy5ulk`$v^^{dCrUU=}$M+s7e;KN24IIPI`QOSDpS;_QSlXETfY6GZv5MHh%j z;+v*h4AxB?tJp(`h!Bf16JCUx{9>}U8eP<$TlrKZJH3t+%a>N4ifTdiSA9v`u6|ry 
z!9!V3ELgq!f0#6(+}M}SH0_e556<`ns302Cb;CqRH11<2!BEbM}phubCA5O!6nWMogHnnjcKgC{Ld?vcGoCo zOg$Lx^Jhel*4VlrxvBXiR#Z}Wd`4r;r1&f{*j+54?WQ5h4m-VaqiiVNSryj0dX*`k z1#}SQP<--|#$8R*H&j$k360uvi{@#|8EZBp2VNi zWxnI?FdlodNk?9v^O4sVVwG>-VH)1$eN9axx{z;120s?bh@9@aOR1WI$&|FUid&Z5 zb_o^!#4+5$8A0Hag%;=u$IO`CPAk?y8y*`%eQ%x)TEzt)_o5Ao=@)*+yIRgI?gF1c z_-t2w6>(4;VzDZsCbGE8cIw8Q$oJ{kaM(>Gwb8JUN0n)}M?#AdAh`MfsOl8&>wqwi zVfq2M;#_V^2y*>a#nwtY%dRJ}q(55r{$Y;}<3K0#`5zqjIdWSEqR@)z80&|JfPbL8 zi3Cwt`qDU#?R)EzO{y6yuT~D?_o3MaG=t^Y_q&#O1-eJ!z67mT^yjjXYfNEDgF`In z_>T|eHq28ryrG%dd9t*)>d}mixN#rVnlQ51ra85&}>9@p|&GV5JB)#Ff~XfqmzLv!A{6T4Fi}Z){B5YYrG` zk1h{vpt+*&|Ku)*N|+)wc?o6R6C(FTa>D&Mv@$#vAE)4Q8NuKdO(lS&^a(FdW$S28 zTL^Q%VDN&~oleVli7OXXX*ATI2~$u=t;nkpdJFKeH`Bh4jz9zo;S4Y68cdSmnTlVo zsEXp@!^z=p4PHbCR7zV>K?`}`H~PqafBwV!&pnn5T>n#Je&2(UQ)u$F{-I*t{`CJ- zj@ju!2Um>2#0`8teU?zpZUTwM)u0){#O2paD;I~7wv#0K28>;>FFNqKvk_!*TrlVI z(5Km`6I^ugzIub(Ky@VrqWZv`v0y}VYzhi3z8zw!_GTsuiW6v)Ll;kz9lgxd_)4Xj zj$0KTRRz8uGpg-m!Tzajy6a@{vNW7z3qxV+?hDaXfyxd%!-n{Ih(R~vfS3u?w((xs zITkD4eEPlGur)%}2kil`sYwuR@G{X0Awv4huvvDgeTzcu$~!7d7IzgZsY^e6s5~1c z=?kw5N3xlepsvHslruM;wtVWK4xFtt6;&MFo9VE6Q2nvs2TE2S*-s{+V_x{^KfX-W zNbA-k&kXfq^7%Q#qfH|E^HRKYaC_bxj;?T&e%mLVq9;GCusg42hmf zvZ$NkX#?rdAT`BHdg)L<&Z;4ZPbcyTxTcc<8+pICBMKfjMH1DSkMQ7U^7sbax3Z>d z6;d4t7i^r|_%X()5@Gpt_dUH+F);WJastP6r?<37B&-QhEm27ZM*pt@Mvjp-FG@`( z*Jr6@ISXOXq&|-@Tf|M$o8rVcc*MhK9U^q3=-m2p4Z}AtR*sc8RG_SXvpjx(aPHoT;OL zt&1RhTkV#m-|*gx$&H-n3uQwHq)8;V2y_%RYVY9vBK91t!-327l`)-Zzy2H5X=dd$ zmbm?@B~x9;42xnLp&JPEc4N51q`kAHoKeCPhEGbcr?S0)UpBi>cYr8;r zbBOuW-o|9Dw6Png+iGjkQ=O!GA*tBvNr-a^T(vi?3^m8Aq^!Ve$qRkQJIY7jhT39| zjtu0`-2zWgbdbbSFY_s|$-vKerr{O_JZvlxS7b_f$SpR7wiV*+Uyb)9^1<{6CqraQ zi%7g5pw-;Qk#W(14u*dC@pP#4&}ciYec$4*=Jez5Wi*~)28P$Y+B`p6?C>{kqj#SD zM>^G~bI_KAQnb)0>7M6N1l-=|_*Z8zAX31?s%r%}Ugu;!AW~i=4JhKKIhrt8;}?EU z#jjH=u3veY6Z!lhO+mnb>E$-!DYoUFY_oanyovY&jgQB_EOOLSWDKa}5`VCd!o(ND zURM)23p`y?RLesGW*KY3>(`c9hHiWj&OXn!gsNdmmdLE)Ypj*>{T%R+d2V4NM?may 
zVao@c`L9?`DZ=;{-Rm;bm^igvJjUzgU1BI7q}G1}0u9%(jXpAjNYT&@_9a?3h8Si{ zBufmIOdApFhM)H%SJ2C(7T_c3d{4AGnN_J$^!tC33__Mf>gPiX9@;y3n!FO(Jbx;F z#4mQu{3@fWJwYhs{L`C;w6I(HF=wU9K&4~N(hJQ2Bo}xdGw2qZ`D99-#cq4F7#UU> zN|zP=u~3$Z|-~N{`H%A&zWS-*?Y40oVCy1Ywh*2~ris6a?k z$&a=4?yUV_W8_sUMk+G(m9^aW4ymFYZlB7?cuyc+r>8@G--D)w6x33q=cPY zF|T|&Wwc=wU}Ct`JMiNrj7#_u%OdLjWu%^>(~A@Lx<=H8L=C9FZi)pj>x2V=XS-Hp z4yZpF62{j@CkxRSs4eh(vHVLc70U?hCsvrfsWzC8(YpfI9It>nsBiR;FxBi=_)ydAV^f`TfCoMyT<6OBY`Rq?AA~N3}4yrQU8-c!W$*+_+b1)`@qfFAD2v+Tpjpded3l6nKU>u)*`cciREa zICamh!1&5LrNUF+Qq1|D8NW()HF(u^toezEscY&XK3-hZr$T1tm@g?k;Q0hsg{DakeB5P&R37Sg*m{iZYn&<<_Lb^s;9|B zVTdk&4 zM^tq$r+#fH4|nL&kOPejA?;0=%u&xEhD?FP`ukbuo?DBX4LesaA8nQFX^|Ky;VFIp z${uVhFTHbq#!lM_vhI+!>|K=bZFs8}O2oS8wYxi^PcH`8s+{!xa7?tV#SjzlH2)4C zeiRwXQYceao%?M*N_p2Jq_J}>v;ufRU`#h^gQ$FEy!T?LokK> zNo-Y`&wX&U*lgmss2Fze5&v~MrTKo@50)^*v>giD`vkQ%xmUmYB!kwT%p-d)%?9^T z-~IyF&Tc|Vcipf8T{$8+jT;M9^1QTi&skhVV)pDU1EG{O($lYFW&>1xkae( zz>lcu%co&taKP8;&% zt}3Pf@l#k2k|fzc9DS-5p$(!0+Z|@W_01>O4lyj$2f?O9QYSGDO$TvxfyDWp2+!Fy zaN8+RrKGKj_X?{fv44sB%22p8ZvE5_-mf?4d5sJEomeTNdUQV1w|mri0rAf)cD8!4 zPS7cX#X?x?Jg)KX0-^u}6d6kQWNv1dMhRBse(Y?NDQ%E%lMus~hTe{O?eTm~ra70p zqP%c`%d1e$|3Oc!v2lr?f6B2V$}Ri3sN0fAn+bZEns{}JuoTWZF#7o6$UO^*Ap>(g zQO($V1J`__+QRGC1^X&i;AkT!ir>kJYsg6T(#9v3)a5=I>Y}510-pH}A2CY9LC#|8fD{wqd2pV7s-@+{x@m2l)d15wGo@~OdLmB4NAWi+PKzz5pHJrMUiH7P@-%eI{x2X$GgiwedgLCeuRM?M%lO2iTx-e=p1GBWb=w9<)U`P_ ze*`7Jo_Gj4#AE6Pp|AgQ$XN<5?3t!<*yP*;zrZM0VMzrqh}3#<)x;6^Mc#zJfVRpR zcG|1EF{kR%f~zFld&5cvK*}S(B{2RM-i_Q8zevX)zY2-+4sg9NQ#dzuZi=Wy76E=a zwHPKVc!ga~p{)tO>|O>&UOaz#!$y{y{QB7Iw*zi^ z>Tm6QFV?;}*P&}0r1aLeP_2e*z_2@YD`8&g6G1jp>j>AQ!4(_**I{3u#szMA!h#f> zlaAV*gPkF~3`yQTqD3;kuQsZ)^ioKHR%%+;KhoM&$x{1F+K$;Y>YLGzJmQT-OS_x0ipTN1V`_%m6eM`yQ^5+q#B|E+zEsGs;k6V^Ms5H8@VZ~gqD zmaelzCLizphgx^~(DxjlD~Z_p0%b46pS-(<>&;<50 ze}Py+j1l%Kyr#36k}~8Sqc_}XLJ)lDwR-vXFLmCPx{|G9?bW~O4 zn_tj85Ydr^xw5q+qtY-rRP3D=U>rPf%0ogsH)M~z#TRzV^ZS7mrGv1%b%)T6R*(aCC z#POgLs9Z_e8eR?ea8Dv77zeK1s8iL%gxM|D(v5+<`orqP($U*M(YCHzSc!+TnYyAl 
zX(NM(CL%hO=NKB6EWxKe6F6ppQJWDg=|21ovJHy2eX3duR_>dxGmtc0RU^hO6G@GR z&DPw_=Fx&+qIQG#SpP*X&*WPk7P>DKuRqnPkP)rJ1ijgC+Gzyn-ZO)RT!&;R09GE= zKJb5Q_5e;>hdC{fl%9TOFbPyU6a0$Zc+qufmZ1x0D>|rC_FNG`FIBbDu&;N}+A4U( zIT5-eQ`O84i4(aqOCgS9JwjT1gW*GaCt_&4na0>)S~I7J1I z;3VI*51Ri4ERxMUo*b7{1@fGmQ8@qk$>Mo8Zq2Uq(vtT+hw3RA#;f*8qL|BY>7%77 z&qWnId1ow@T29$b9yTvoiI1We3?BLF)vN6|R$Fsy=y&3ag;0x!2%j(zGd+;^ZQi5r zkGx$>7XY)#r`1Si7B@6wuZwf5y%OFMjOsnb-?k&qsj+KZXk4Nx?kMiyDEpNCMeo0W z>I2Tozr}w6ccRZoZ#4imSgUdyvu9o35%!E4x8c?65JfaLn}?;n);NO>)_i|0rp>+F z9NN&9wWF3w&A8VE&)imA!8e}Cm*|!JdNFQfl!bb}{6mkqkW8{mXtdsGhku9&JQ>D# zl$W^XKKZ?R)lxZ5{xd5{Ou6}fTyW;n2IcET0`cchjyneX{^^q0o9yks0EYgLkVRo7 z5ns!Ij%l=|W{!GKuzkYJzIw0gN8!bTUiYRP`h>+h`>wyno;7=wHd%g%Jn?BpS*aHjEaESnH_zUhO-ysO(|AA@7ZRm)P6lY!{g!c1A z_7BL{$b#0%VbIDW-&_wDpFx%kk9{{X;jDA_uYQ(B8-o_4&VM-MoU|ZVDP9$pt;FEEst8-C@vHX|$~r zng{O;P&)@(knGoh|4uN8lp1uU>=oKNFRM%I>c`hES$=c;eV9N@dgk@PnR2fUdUVt^ zY~?=iHw^cqI{5}K z_tTD7Y3Pevz`uZ%UB!NEt9_}BM^p~o_@#VCijwwT`d{}Ll{99^5N0Eo=O3%aI zM#gy@tdR|3yyHg47B#C0kklJl}?`=i6)JOg@;;WSKYKW zQpi}lm+I?=e%H4pH}4Po=o@S5DhQl7B>Og}`$$W(v+J|fr09^5y^(`R&crXOA(eX* zDYB)+kYV`#yB6;OFD4=>`Q-lC>w?z_t49ncCB7xKmTC*`IWBELA3+J+DxQA<%rt5Y z5H-JS*@|tA<{9?nWPC@hs_ZcGxH5tJoPR|_%GVQoYG8f-De)Zl4|tmR*#?O9|Me00 z&$X*v_*U7+QE@rYExXrYz(|jlQrlyCN|p{vGW-Gm90v%t*E7JNKf+(HkbW%oz{O^D z`eo%NCNplm<+qRkEE<`9eB_&1_(x|YEL1iFStl0WfAf+@DL6mNoP-$tH2Fo~f@G$p zzFO|hxV66kr}e1Mq2k!aHSo@N*I5waj9FOc#c-}i+}*_s_=L}C)X;o!t-K#O!x~mU z&uwXoT2@&Zifr#T+LQjH4nIA4@$$%VIq<67a}zn-m*#|-i*pxW+YbE!PwDEi71H*&l8A?QNy)F5+TH~#3STc@xxtIKO8A7h&eibbSF_aHTxiv(jy zh^)UrxdZwAKPr`G+nV_i15uun-ryQ<_Al^5+=V z9X1&=N#D(`v8ti0bkRd`E-$sdiwDv4F8!$(@p-?xU6TQY4ZG14e8saker!$M^~R2x zbVzh}nIDkYr|4XkNT#WP{d{{6qce+kKqWcjU|%15XxnR`d17i!&3@Jd+)Ir@Z` zd5+07RU#&ModGh*Zd2Cj7C0M<^*1Tgh?oN*O7IM0d+Fo8FoKyWdNcyq1jmIT4sxJARo@XB(tE-`s8tfc=NZCxT+mP&y%D&ZsXsuzW_^j zPT%S)qkyQwy^fJ)bIH@mg#PsyGH37-SmQx8%W6h!&^w@k123NmQCv95v8|=jjBVKg z8G3)Bj}dHtgRl=-k4UvWn;v63ZzndbHq$be%=&C+7IWOy?x1gGfwNJQp`pL=XJn`Y zxQ_0Qu8QysXf03e&v6r2S?}l`x9+z!?269mH+P}o 
z=wxqJDITM>%pD7hz%EdGrlIR0#Mzw(CI4^7E?`Sq?}&`**GEt+UQN1mgOqV##3Ap& z4+2eT|8xGYBoNUg`{Bof|L4Q#7jOIApQfdw2a=VLJti(8)RBAqo}0L^o>ru?bh5$W zqQ3wj?(Cb7U++K7S30nrnr)+$xC~Obg`b}~9D3j>>Mc2MFux>iDkqdV##LajA#WAq z$SVRGiF}`9sk5&0h9wM0^%itHA}tr!G_V{xB%fCQq(AIk<~cJFNxB)^de~nOaW}$4 z`3gI z$?oC@Mp%}7de}_=8*lha-~lF$cT1um`nHRinMGfYn}Dtbz(Gm->iYoX=BsGO%`2I< z>@XY8LC*x!dFm<~K2;dc9}A@*GqmXy1h4FMN4y!PcYd0hX;LUgCb;Q!h6oWmYu3`g zyJlhfss}PjrFOyD{&C5Ei}0(MM)-mIE}J7Z=gS7}z<+I#GQlc?g-t)@xyso-F+JJR|uVCXl-an6$6Er+L%xzMjnL#w;eX%$u_^}jZpN6FPA(w60oG7~uO zIX7s()CK$!jn18=uxBKcrey(l!Cj_keP1mgt(5jtw6Csm*`$@ z#586F^ydP!D!B#&-eZZ_Ln0ArtqlCO+q52Ig=1@Bhp;UtFBoj8BG-%pP_oaF-y;$}83ut-tTHC6%w=5CaU&l5?LvwA6 z(ybsvqdUaptD|(LGkx38`Hh(XTS(?TL;PUNF+(0>o3AwM$31~&nT0be>dF0AsVyL# z&^Q9m!1s#Oiqwvc(p}JDBYvVFE{LR|a&2s$;O`K=P4E~M75jM~&!%M`WS4YGor8la zj3wEHla69*cUT$=R>rr9=}QyS+Nyn=tmXLr7pnmohV^H^_drR0hwaDK$dB9f>&Lwk zJ0iobTq7eH-IzA({t;4NASh`hh=#B$Z`HArucdz++LzV1zHe4NCk*|@pRo*0mZWJv&sg9fs_MH5&6JI(Z<7wc`>&up zMhRd$y&_WI)h_G|*7i71$k~zxXI{r}G$1!`SItk%jGZL~q>tULhQt_aNFlCJOArDL zVj-*Q8f9gzQ|?4}Wq2S91|6Nd9!%67EK(yri$|neIkyosnn#DM=pNy`;I3ETRBYRn z^N1-MfDQE=5u2OV&=~zQ97P4yYCpAygn93c@=xX zaZaSpj#ZBZm#nRT=g}h@Q8PvA)s*lwB+O=6jru3SSLQ?_MNZThz=sT=dgN8;XL?h!zT^RTa7uPa% zu^~xMol%Pq*DYs8tFT2WPsJmW>#=FbCHRdDTAmHz@a%E*#z^(iO{+lNlDdwy4DgS9 zVmIW5aljC6??aDuw)ea+qFAs~%&D#->etI<&5VW5U~u!9g-(3ZG|ejHUh4Om)$0i( zn_7ZJ2L1sd13M-Y0Vw9g#tULMa4Jxz{~5&2uDP0R7*p4ky{;Y2OzIEzy+z(aM-!-X zlpmyYh%ZN~zKhCEv(`7l*!v5VtPL6kV4inj?KU;1uypQe5?(KtvFF@LiTc3ZLs_Q&EBp=c=ZP~j z5z9}StNhY`Yw3nv(fkXz0g+(FG7geztBCabj7mF=s3^AlS_<*cnlN^d7aktO&~ zuv5mW7ts_kSEdN}ttGgOX{8yqMc{}5Z{Cl=b4kRG?fUOfH0WLKO8d6$pLCf-ZKF`c zYALTfW5nA}w!YJ_0+GQI-u>p6SQD0*ScglTkB=T*@g3Exsivq0qs6pLg)i4lW_l*2 zgFF09Cu~Q-H7(nQ1sqR6Rp=CKg!A$*;88}31WTDp|4hTDt!!%#C#}GO_@M2z2hmCD zF_tc3cEr>*_m6f0uzFe;o|1ec6(y69VL|K$fjYZlH=EIk&FW^VGNqnzs_0!dZ}ncL){r5OjAmL|`c zc02O535BgUBud2~QdoSBNq3hU`jUf_nCof_kp-zhILZJaQgiYF5*}mqvf+=k;$Zor zntAfXfEE1Lqd$_i@}^&MSETlefXQz{u38QCjSHH66M9ct{R@~T{0^J)**$WkW1xWb 
znKNA6@bXh{i9awFYdbFN3(V3d>iPY4ny4B$xn+mj>bBiw0fP}qjhbWsI=q^WZhj$E z9*c+dJPREV@bEOchX|G3c@H#U$QY4Ozt*#tckUCz@0lnPrdm(FZ-lBg0$%v|HUO z?j73f@ly{w7M3Y_@7+J>SnfJx#QS%&8$2>bQPUPR5U9vIuVD+YKj?#8M(?gHzIt22`*b)YLrtwcT-eA26cIR`;&Aw!$sYxE5kshS*(^<^$%vjO=a;Gq>u%cvB&5QZ(I!sGf>^ScNK@=#}blreqP6XI#ARZ z;~V*()D7$>zKrKfpR2Z;1gL&W<5Kpy!j0jqRtG0A;2W+Wu0F`w$Zim&K23l()sM6uhq?WBQP>DPwV@F3`n<+^mNz=jLpnzyQfBq4%6{p$ zj!Pc%p`3IiXLub#QIM~-HVeAI7BJQ%I`mfH);Zt>DF7mrp-7dF)f*r(8yCDr_) z-Gue~(<#j>GCS2=TE-;q)>{T&Hs&C&5wDUjpUkIJLc_4 zR@|Xk^qUS~{O}{#-D6Abi*45aUQV{`IEoX70}2ruydk?Rz8~X@WJF$^#rcs@Fy%~_ z!5-^@tLm_2=nQT@9t+bNBkXvzfL5&`(6M`gW%#;An{~g&Wb%TwmEgzub?|z2^URL% zJAZYH5yT#BXXCW{dYd;Gxs$n#v05Tl2$Id=$zarJd)mu&;36del|6luY@|!wW{0SH zSkBMYaAY5ri`}|mho|Z{vG%e_SIN*iTM#*!KI<3K67qE~+#Sn?yVlaig1+n(+S41; z*ZpqPkJQR^DDtUX@%5->H2RU??11u~X#9^0A7D=O{eodajZU29Y;D#L+W@Z;8rUQI z7?FcZT)SHC=+v&xu`fv1gcXcx)6e_`lv{&6>=^yPY3E1a)a>1tWIJXME&nb(gKcr0 zUP3SvTXK16M5_9XCe!$1&7;07W$JG?3iTbRz7@s1HrX! zHa^Mm`u>@Y^V&!^J3UOyyvRb9I|j9h>rBvxYm)U>Uzy6I7Ng(dCsSGpR~fVTg>ups zA&7OI^jQr^!hHk1IsV0zYxF5l$l9O^;F)# zkP7FeUzT~2tqoFmFGg1Ye`mta0d3ek<6d>_XB!*dn|}cVYr%_bP4Yb1&s>sye8+*b zPPEb+PmDH3Onz>g9?Geh8X2=^>p=XHXNljPe+X{ z%i~20u{Eu@JxdIC%gS#kR}MiP?wy%fSJfZ*Jt*G)UHOblI;@rkhaOm3d%1XlZ_8d4 z#afxkbQfgMhX%>{O@>#u2EW9HR+BOie!?jzi&zv^VI_;T6CYiQ(b!@NgycvHbVRsrSI-{}M z%D(z1IBf(!+GZzycpj5we)?cvcD*(j?F;FyWl7~LFZ!xJ-tmJ6U8pah!jzYa?TZd_ z^VNk!%+sED)*j@1g+g`2$uE6lVkVw?Md~;V4zOjv*VR>upW*)MKZ*!|K^uhpGm-SH zUzE^zMornu;yQ{9R@_Se3*d-tO;eZDmLehdqt^U%Dd{FyhZ!z+M!yZ;k}j(sw&;97 zY=BjB={!r8Y1dF;bX%4+#ub=}-bk|Z{jx#tsh!ct$H5mZM@oGR1$`;OoJ8m@tY$w? 
zu}|)g!RsOIgJ=BLG_bPWt{iqldg<9 zASo2(l(C*E$rcOkA1xYQ2AOm8JktHWp-Qf6drr}7(vFLXq^6rxzxa+#k0KwbvA})V zIV}tJw{Z<=a~pf0lUv;m7#*vJVTtz2{N9*OQ{>S zFr1fG;P%!gMY`(g5?~6n41D@8;5({k)q#>`0(CC$aAv7xu6OLlir-JA)|}yAQY&P3 zJAg4$s78(`dt%%T%ffvari{j|N?)oE3CA370}D7OW7RX0?V*&6Nzvl^N-Zj+`7C~W zk#5RP{AkO%)7@<;wuB;(d{PO4c1(qOnnZZLS_5dQqn=tPMYnpg6h%lMTm=Qa>_6wm z0TGhmcUcMyL8cFilwGY~K6j+vv3|@D;g@)jBx&$^<8;E953f@FwA!~qTvB61*9HLr zmzyt65ftb|4tA0mn0UwP?YSQsQW;O!8S51*_5EV++LX~X&P~^|z%^QTuL>ff?Vt>F zCucS&-JwV0eb|{z>vZq-FB)2_P%TbX6=`D38t5p>qx%umyXg&Oj=fj{Ie(!Eh}!i{ zjn!A@RQ)Q{qC9scPpTz0bnWc9bMgrFq;>ZJ$(4+#bbbf>$z=6V@B8(p^Up8Fs&}hp8+nhpAkgUL3QY-@3W?^YG{| z=z91_`qk;-eWy#l*@J^KxY78*k#9?IO_~;&Ss7Egc~gr)N%x^aH;S1ER2h*{rb9ck zFkTNSDSF2Nqu=pAKYVXPDjq(M2DUb5u#JlYJaFBYd|%O~!__$fsbGdTP5f$Dos|vV zD21IYkbxf!5^VnqP)UUJGbr|UOhrgp?T?y|R7axAUS|f~VL7p`9%GMZWe|8~DKD*G z^8bMl$69=|!EU}`Hczo5Pg)1e_?d{n?r$~F*jL`rM$mVGX+fQ(8tVR6U!xvGSOz`u zF%k*hfq7}I6Lh{34r}6lT^8x{n}K-8RgD8!1-Sa7+ryT{%SZ2^Q+A>ic>j^7>)%$^ zJA$g#_S4C8n^Dvi)y7$Bxp$}6Vy9jPoq$fLkMP@aL@9C_$mds92B2aK)u#jP&95+) zILnFZEnLbvs~MaJ-V?snjO0(7ktDYzq(`&E)W$=(@8S(||r8lh1f zqVJhWlmniYUm4i^e-lF z_qdi8-A6th2@)Wl8D%3?u0QgEB}udR* z(W~?HXQXRqJ4KL`v}lS?f;m1@pD|ZQ4iFD2z_LH~FB`3;$+E9`TG%oypqjKRFAd>3 zo7d6BScy=h=d8ML()KHQcJt0D8dt&VsxO7xefdg1A^GVQ^WCJ&V!{6X?FPrfkLFz zr2LN9x`=*tg_6S=W{9!1RAT8hDT}@nEZw9vB*I^v{1|ViK6LYvW=x2-cUP9+>Y&^& z1`vVKFe3W-ANW^m4*Rs$S}fFU!;uw?)u2xxgp0d;QJCM=g{Z9z??{SjjYjzFs!jEQ zXj?{MpS|A!klN{s(#DWxYfei3df;SO`HKbimHED_cQ;l4S@J_d{=$scf!nAt zqVPv&NB3G(&pD&?q`e|&&EWn(WZKcG_qMhy<)1z_c*nF9+ac#SbWaXs;@quw24p5U z0j*`qo#id?ivM*e@b=F+!A{t~oOAa@=Q7PytAtD+gY;MuU*^55*SmdV1$x||n!ljB zqS@!dBk@-RFD$K$mO-96JrvajH6%02HbY8nRF~EkwoJQsEM`95_faV6K{4*}2O($N zOBVYLL17sk^uDnl!G8fGDU?J)y;Q?_C;B+@?bOvP< zNp5}~ZhP>$Nmr$k7zjI6np)*G82F}DuzKQ!It2|M%`PP5PcoEIp*|wt`|fU$8=}+? zYoTQav;L8RUcl_a%2Tx@sF^-%9C>t)?8J}{qtm=DRBaPV@)X>=7T35d0;uVuc! 
zYdx7#3LLO{d1cMTXIO1&M!xNSbPY_k)A6bponwc|T88mb5l z8^dMF%}>E%bp1@|=mAh*mRM(8P)RugURE$U02mq9!ZK(zgJTtXY++|50X0=zH)P&V zlOxLFXm(Aghdrf9b`R8Msyhc{^!tD%o1bjs%bXj;M=m|qyb~d=+2boM24&4S7rKuB zUdxQh_S=z(S1~?p2MVw#b&%&0+;f2g^N><6cNU1gri543z@kaQJ5&GOpcH>4#75oAb8kWTvyNv+u zupNlXuWx~s3B1})BUaHF%tz(#vrU53O~j%|50JY9}uXj{{ucX-G831 z{8*yoxJ9^vzUbNaAHVBO!b?D=$WfYjwAR_gD)DALN| zxu?>S@3NN`8NYxZp1vV2bRm1km%wrUzO=>eJT&Y!2Rb9r26HLKz&j3F5P3uLB zD2FQt<2^p{*I6<_95G%{tKV)x@T_0jDJzJ?E^S){OJra9zGyDPvwBcmX|>q@wueG&_?Q@zB!=Bj2Mfk_L_sJn8IApxO^X2@yWW9`O;zNkekXsr2R-g}=O_nll?l-g znsj5Z$L>ApBJX^6TRw$n^T&mK$EHgc;s*yjH6YKn^jy(AWJ0-Sr!&4Djy_l^5)fIN zaP!PL(YTA7dv!#^rmpBm(U7vZNlZo3O!7b=$bZOhWt34=RzYf2EL;V*yF8)HZ|O!e zHd7nV-~#e#nPyjh_U>$6v#Uw`Hjb$U^b52@wR3T(<~h-_^YIY5T6KbYku|*k;`O@M zMBj2~8!>C$h3R6pjI7hc=o^JPjY`rQN?{r)-Gtr2*k~0s`v&HtbEWGc3J1{$tH~e~ zsJI+Fp9_Ksu(d zzNgYW(lA=g?=>h!9gazCAZ=!x;vRZTrxrtCbxTGtDcxn4>BY91*&0jA!&6n|9i^+= zWC27-8X?hr3AviN=Bl|Q&JR^3m)EgDP6q_OdnK#ltBJ@TAPPFsOS-DA%l^@#7lLV& zDV{t7!?-Xh>)FV3|9;xcZH_O?Kfq5bqV~m<=Oz-0a;9SV-hyzPiBe(f-oO_a%uqtgf$Rqe=_J2bdNo$Y7ksNm{DM#yS-}<6 z>`2II_n664)2^-qu-ZmZjRY#PK`@^6`~`s1A(`u$@&sg&gxb&aSbAPoH-+J_{sVmz zQ@z`Ez;`^b$ouH?3~Q?I+wJGTK8Vi31h~e2UuY48utJD_eR#YBJL5K-_a|n4K9?Pv zZmm6!kR~$r2ZjsjZl!(oJGZ-Qp)|KJufe^YAU{Q>hC}kz3+e-zJn0Ki^`$yCx(2wl zXU)`$AaB}~Y()7A5MW8XBvxbnblGvwaw*HNoAyrE7j0gF)t6ZIILM-kwUtIBqO`VS zWK-`MntfVok?K5lA7gha0zVFc>8_%u)nZ47Hg9HpD5Eycs31fs-50vtV1uM^#(vp> zbNVXc4`eID(I~b1(!*JaN}aB0Fn*KXOD&>t*6&yyUN6?#M?dwEADbu3>B_m@QWq4GSvEoh%zdRr}W; zNZYqOBc04w1KT=FP*JoK6&norXEU7k_M=4Sc z*Y!JXs&{23DPfLifk;P>sL});67LO8=TgJ4SJWC+ULLIe?^ug{g`@zCB?(*cUCL8{W0~ulOa$_ zblIEy90cH%G0(xy2j7sopD!8qtj1bgWlkfqA>RBQ$VWY6?0#4Y?8!4i;;lTl{pGak zQEHOlZ|tKrS5;L2;$6t#_Ri2q^~7n#2C4>b|74_VEuiX z)X~;cgu!w=md799A>Ue+Q}nr)+CO#XR*H3qC87nj9`o<556=BDp1j!Z@pIh-axuwTQeAUmoCWw z10j~iPPV~F9Qt-aOhI8GKHf-rw$IHq?1SBq2bmfFuoZ{aVS}ryDTcy@ksjvrgX$xa zW8Ar)S+fNb>E)i&1I@%Wa60+o;$bea6;*GY#|T#_NEziO1zRiGl%WzaV$BjWG0ew@ zCMADe0P81$T;KBFl#cKMUTcSP-C7axIdVTg#XBvHUs69n3OKZWU$rWq>;5T%Gg*=X 
zJmoJuw0&NZs>+j=cK9x(&cL4QQLp{jS!k!*)2T`vR%7_f0Ro@*sh^RQh1rlSfop=Uuh1b|P=SDpeh|9GYbw#`q=Sz^316IG>x;lu&E;CQ;M62ckV#KD)%TJS7O07bks`V@PmDKXp-1*u!YC!(-xLzhS#Som?V%iI49`{mgVOf>ss>+<$#r z-i@GoXxvhyy*XDyt=V~4&t9xNV$Z0 z;N;>EBuE84GEdWkP<3nxU|Txeb)HTj?pSS-%~YVGF2N6y`W;G1(S7 ztoj7L0lmayuh9h>rBV{NN$zwl^tX-La8em5AOW7gpI5p=Fbr}yGzSr&e@nt;$(niD zi`h22YA}G}#QtU=!nEgQk&ID}<>$J=wnO%k?ygK6@jx*otwn-e37*dJsjiP|NTVT}pt7d! zy_q?s>mrB5ugnFEa!meM{Abp+VS##*2fKsGDg}Xli}9_bPuLS;nP*+IJFz^?9eUpR zV>)A=|3ALG{w412BE!vW7IRfai#}gkenjswE=jyzXwi{suHgK?>*b%r%iny9H_n|M z7X>KnV!$VV3oZNY;R>tE#H?utBxZEKNVbEOMVt=zOL2$IV&5xF6@-|`C0pV z$)eAFuKdR%C3C{A%8}&(myHJ>x*pD(kU#F@ohguH*?)>ESqr8mDPM3a%;P#&HTjaq?tD(=|!`>O3^hc(Y(V&-!Yy6WiB&d z=WmVmJ5!r#iM%{KiyHOoQE&OabP^t;W@iwk!~XrFBjg+dx|^U65yh z6mIH2{LeG8>6N!q6Y53z-{h2xksrDA+9EUe;+XQRIceFYt=J#Cd-d|?hNB}7uM}h7 z=v``x9UZRhWvTL#Y0~E&?)UF_U%|qs|5pp{ZR3 zgW%e3*--astUzxQ!$)(;k80z<5lGQj8E9te(D$taQ(e`Wj2BS7w7kAR%a5(qUs@Rf zh-?#6Uy3%GmTR@hQ%Rnf%*1YM*aS!SuRZ8Qxz&EV>H&e#_!i5^(k%~q4|zfKVTY?} zYw)pka09iCdWjAs@H>an%{cT-5+jJ#YB<7Ul>J%SYBPDMVL9=xgH=d@8R=HXv(OSc zjZj!sl{~-wqE*$f$5*f9d!yg%ew9nzkXR{Y7Yw$eHX!b&fSzwkc?pP zJniJ%^^f_6-3TZ)z|j|SeY3`_4)~$WMX)@{zLvVI=o`dzEM>wI&_k}i0zyHsyyWI8 z$aB`+lt7ZaOy|gwA)aonT<1JCaZ(z_q*K!7W9O+>OH0l>9@~P6H*WHfW7QcCN;0Rr zX#IsYxdH(Q1b>8o+jsyF~|K(-}GBrRnUS>W#ST)R48=j_mbwqFXtJ0p5B~jH!fH#Z5vpl8ty^w zoY)>6Jh1G~u-}3a=#0@a)BWdr3l)ZSCbbhXG{S{p_s+2&4y z_>Gmrp!Om4b{p!ApR3k4gCvRG5w-S^GaV8vXcaL)ys>EJPY2DC>sQhTI(}$}Xb&e+IBSl`s)7vCe{KhB;0?HcVMw$a;$~Cs}Gzh69jyu>E``f zs<mceR{As_9q@6y2AQ+VhKEn~EHeX-gwds_KUSWC}C} z`~{dN?!G4+YCAL9rW>)6L7^{Ik$Z~?1tVQY`38G?U}>|{smO7Ck<{4LEaI> zrg4*joP%BCK0Krz*R=W8BwQ08t-h*HZz%Ikgy1RRs=C>J*Hh$= z$nR~d&=tvGZSbXXWUu5u105=Vo}A#_2?o51&5mspA)(VgORmx;GSf}(;Ef}xSSX#d}^wd3%sDF@2V04nq0@0`C|?D>V?u7Oq0S% z2S=}@vg5SXqdHZd;R3euc3G*4SFNxz2OT@?1E3E1~@EZ?5D9%jOm%&ktdsb zX(eMfc|T0qJ-?z#%!mHu7-UR}m|ek~BAfGCDvd~+r^U?70c3wSBp^#_efWJFDP{h+ z7|})i`_z6kSKqs*kCF7*kF^HJEaoyr%}EuxU8W!I!+~9H2;1rwBkXOZMF7ytC 
zl-6ecQpPnduUqYR@kG9VXIxT%+s^NpG{;(-eh+ae8PHNF@^dsy!$?KwJL>!R;|ULX zd<=z!1f@($ZrpCdT0Ve+^7_6|Q(COIF}DjZwA@YN+XyshQ~Hj<9LjRAEq=o|@3#9F z5XvH*Bh<3HqR+G{$1W3yW7Sqyv9h0G%8M{dMX08ZW4SYvm`patUz^6-IgPf{$5&~3 z??^i>GgUb_K0DO(l5^(LqegS@m0Fu&z0Q{}5cZd}GM($>N5DI39=gmYPVZ>MZl_X& zGq*IW&RlQk=qNfH84xpntIk;;llsX-gO2wl{RWv z6%$zYW0TiXIR8JH7@^<}HEw1}c%8gOTgh|v9aA2`4EB9a-H}7uR#N!(pE3~L* zVSJ;a;Sm=fXQKOyvC}-z+t~?MblPb+RNxkIw$+1V{j|edWLYo=D_87lV%tX`c$I7K zAO}?FM`VHWWj0q`IB7kcP!Q zF_hVb=p?t4m8l&h0sMaOmWx0kRA0GM;i@sj1Vj0xJ=TZ^wrwk5$v<#3ACRQ+V+ z;rqTNLY#*yIk^rK2TA2ms{}WH1P7b#o+#4#XKK$yBFJKxB8jJ_LU;=_6 zmsT&icN}}eExxRTa3wv>KEpz}$JyDTgEr7ihljiFW^Nhk5%JfRt@|`t#cI;R9cY)b zY(wLPDjB()nbES{a=sNmb?yAPl^N_~mov0Y*6{6?Kgmrfoqum1_)`(VU+vItP&v%$ zE2pxeDIEl+2Cp1}1-v5XS9N`nxkkL&-H+_Y0BD;&>Wy_+qOi8pcnq_Z!85SR<26ra zlh5S}F%%w-^I7xhT9oauWu?U?K0Xb@c|)6kBKmVuG&sT6z4@Z)m6E!j%PPboAGiZU ztr^P_%$Yr|L5f+52umMw;r)7hRr>7s(Tz;z8IHqThQu>26QK+yX(T#}pPn<-M zaazbo)J_h6)3A4X4!5Ja>uS$v=jzn*bDYwP^uv{{4}ZOZK8=>aoM5C+;{g^_HE-{J z*4f_0phJCK`u-_h5*Q2Yg665#J?Uvcb*=uOc%=AqV5dhw-}BSASLzg`!;O4@r81bX zGfEw9Jl+e3Rqb2iVa{&)Pmkz!>iS&S??1|9DWkK*Pd?y={bxg{uy>DC%Bm{nEUdun zHJesUWM2+@AjSJ=U=5j=(y(E3NqzGum>FoqqU~>u>=lkCIk6>$-llQ1D3Jl~$fc>s zJqZqjOAso$iL^Ae!J41!X;4J?o<<9}5R}P=wcwd-1&?)TWV=oeFF1}p551>Ex*nfk z%KRP2T&jI+nP6bVAMLtGm=7x#^?Bs}grL~)YVt_^{M9`-^T7Qte@P=}CU;)zOeQ{K zw6hii>l`mu@%F43Fc%`Qdz%>r=2XK51O@Gh^Hd&Ar0!O!KCz)&t$(jzuTd##f*9X_ zcfX4I4Jw(cWv0{<^fLCM4Av9I=*Ywqol~ zWM_!XfRY@^NMwGEbjo9ias=})`{^2uz$uIY8cSL3SDjDkf$J%O#7}}E8HT4xWD>2H zPp%SLB#th9^Qfo3(5S6^8Gqr6OlsX#(bVQ^(>w1qre5`b7`C_wT5V#6##9JOs9V$t zu=Xom69Z4hVu6!X-t{h*(etC2Cc6>crcuUJ=v~8cH{O-o_5FH9AL)`ptHUKzp*TbH z3Z5NU&A`ffjE`y@0$Cg^5mOcs<(_c;akmE- z?KD$_#O&X#;CkXU>r1mNh~FYty3;&~ZAq}g1YiPu#k=8-&3;Uh4bxLrE6i58Z95M_c&<4 zz~QhNcHX_fu~XUW@!7Ev!+_9Czco{xpqi$jcWdGf2UP z50Ja(BN;0tDq`nQW>wIy1UDN`wuS0pQxH{S#wDkYTTZ=ju03 zrEBq0<^XlwpE&H#MVN0$&$1xRgW{UBsMsynHyinm5u^sV}EG6jCH)~3H zJkq-th7}!ElV??5BGg?1=4@NP$P~1nW0+QS8~05bDu+*M|1v#U0){)hX+(HMjC$-} 
zcaTQn5ZNvn0C^K!5Yw=)1s7)Sv8rEy1kt8(L{O5s-qcqct)w09x>nU>`mM(hilJh}KyzT+TRvy0=yp_n$eB3k_#yCIsIe1XG2j>8KY!Ga3?j7`EZjG1k<@I1#6@Fen( zGN@VL)+MZvbOrCFY`=}@OPtNF9>E!-E_P{k_~g}=4l3hMjpat`4~acxOoF+PO#n2(6nLsQ)t^TC>8(P=E{`dGKIAqR(|Dd2Ie^c>i=|3>g{JE%FX2{J& zT0P4OKXA&nG#1|AtCyf`u!nYwn7HZ45u1}WyvgJzaHiy_YlYIpgVRsq0YOSdOC;gU4eX4mLH%Z;9 z6=TP+&c24FpZE(YG}SLM;bp>8I!l##qqds^0FAr502z6!#NWD+YU+rd8l*&*>tC{R zT{)htSzWt09I3heF=hsJFfENxaedVamgSlx!T3cnpBgvd+_g6xLqJJ87mC$RI0aX1 z)ZTo}o=)wjh{U0k3e;Mi_eSOy8J9A1Il)A`nE|-lRroO`VIJqJ+k5FG<$UMoT~cIp zvwwT&K{t)HvuK@c3u( z3v8!M+&s~`A68nRct!cL=43AsQ*U@J5PR3#0FYM1Dq2Bd^C#$867*Q@DQN@7-xpKb zvj2Aj;{S(<@h@_X=s#m$9`TwvO-6LS37lWHaOUB4uz}+P3Vr>df!N)lrGEdpB9ESG zQ+dlmBNkH9btJKX(?Ck{Mcyo_){*S))xtUv2wg%X8`&ZAk}Y`t_PoI-k0xH*!v40i zyQ20vLl=3Gyfl% zj5D`C%8UoOz>QK!6w#$|cWG{ZFY0j5^i!>wxgpt8Hm(v0<{sN8s_LQz^2%jkfDba@ z!s{NBOYJvpbXeT?568a9s32CQ1~}#U7-7xLDARg^d3Yj@N!ZN4sM3s1Y(*ige0GlT z7b12nS9z%+`@3dDwI1uC0JGCb=V(g(>&dhY-ozYo7e^r}vbe7|<{L>#3&flKwqj~I zyfn;DKw3Lig;=<)>Qfm^wbs{rz3x!AgtrC%6LX=>u|a1iPfY6rhTT~-z((B0tFF#2 z=5sy04$8@mT5vLbb)Lom2|?^OvBVnvF(-HxslHbg$g_BcmVSw0!I2@7ew}tq7_UjH zasa|6FrUL88U_?2M@n$+rIMiRi0LDXemdmLbkyitIdkTV3_);X!*~)@A@wckR3{G>59-|m+99)&jQoL#$}<-V?mlC z)dW0PL95$2bs5W(c7~pOyjSIs)2Clx@^gSE%0ic_15)?%fzQUg3_MTTi35v_NBg+i zy!H%EL)^MyfVPr&3X?yDCJY^RpgGqS z(TkO@phN&{pLO7Yf-2a{PMfpsL4Ggo>(=zPj_XljE9q9B0JOjxc;)1G)MW!H7zlyR zT^;;}_&T3J6k|054(E;N)(&!yMHdH+mHVwmMzT>QJ~H%A7H=Cca^} zIrH{&u!h_Fb7DFsc(R1CZfxfgG(=ed)eH!1S03cw;B^L8e_A%}Mp+%+ zu&oyPm9!s*8+Bl%l#HpFqg&$6zA}Qo-#v!+j1R18S-pgyKLBy@g+<40ugCYy$4HAw z2P`@z5p3rJN9nb@gmVV7Vs9ZW`kkecl(+ZZ>WxrYiG~aWX7p^o&UiG?R%+1?NMF}- z95L$@mdxy?IGaa1n;5g(o*;c%@kF=m>IFebLe4eHk?x_VTy>8|&zKroslsIsCCOU^LAmE17IB`-_%Huj^vhs6o0B52_{m4S+G0Y|29FGx|ND~hle z&{$it%cc{g08Ph-?jAq5D3SOI7#4vpT7(x3=) zuBs_$hLj)d5l6GtuZJ6GPDSla;oSKmBWJTiZeA9{=|k8kXsuZcgqQg+gjJ>$NgQ88 zU4&wy;jF1N+M$GeWbZWebzw7YIpS*SqZkTpoa?LB=|PYm0t_p>JG7Rpv+G5l=BN=L z=h&qFwnBd z9eeu)_j0l3qMvx6bUtWpx@sIW77Be&^;iW4zXI&1Dg@0~7dD{*iCHVP^3xqPp)iU1 
z;HtxAix;odpPeFQCJH`xB|bk1%Hl3&aVIOEz4Jiyn+1^tey=HBLh@o=M)QCdb945l zxIOry61;&JVn_k_Ex=D8728On(j`2FVXxsW&U!UjCRVFlK%-JP;=+_QG0G|-(6!cPbY6rLonMZB z??@dFx=htHgzFVvS;f+^=Py6nCfOj2j3wLo%7=h`Dn=ELC+=;)UUJGPGkQ~HtnOf$ z8uu%dOLT=k5nR0-8iaNvfKqBcN5zk`RpmGZf1Gs zk6puEozC9t#Rf4&t@Oo+qMX6F*w~P|rBQv4)`Ka+kE=xI^u|#nTS?k*UR=sWxOrf= znBY+#e{8_MTbx;n8PG=+>{5RDeM?c%E10i6THQUYZpeZc`QcZhv-8%o{%jA;O)(sg zns9pyvqGXnsR*icW0jen3tDh^?olrC(yTV4&GWKcGOTR|^7KC7`T4c0xu8t!$GM+7 z(F)#ggtU)>6?zc6*c|1HALfEvaoXnD!S&ldz0sB>mT2R|?y(Kd3eM{gd^{#7bj!Q= zf`qw^FziTb8AZ(iSXEb3bT>n^Tj!xtJ_|oBMA+sCARAA}2-XXq7j(9?LjKxx^0C-J z#GB8{l#J>&iB}ouv8v_BEv(MM{C$=z>&g{`nPyt`{0YeWz#A`asc#uxt^4{C^mB6x z_B6d)KmH%w_WJp^F2e=EZstW97uxj#_L?N5z5Cysu$8fj_>VmS{%TVEf8MXQO!SYD L2~q%p`qKArpZd6s literal 0 HcmV?d00001 
diff --git a/docs/service-guide/application-revision-edit.jpg b/docs/service-guide/application-revision-edit.jpg new file mode 100644 index 0000000000000000000000000000000000000000..399c22d652fac8c0018684d9fe844012132e7e83 GIT binary patch literal 69777 zcmd?Q1wdBK(l~w|9=fEZr5luPML@chMx?tNR6s$L?(Ps&x>JxA3F+=eLXc1p<#!%I zUSIF)`+4tozxaRueemq;o{ia=+1Z)d>8UU~5hzV@E>}_61=pS0_7I{Wb{W8Cb$#ICvQB03ry& zgfQ6j6lVF><`foz!A90LMqnEl&UQxDMliSqgrB%L8-p-Z4ut(&%#B?^co2kXtemaQ zLHH90<5?T)I|2YaI;`Hw*w74wuYfSR!z~pt5EcReWOUOXV1plECu27dPXG|JwR3kc zH#KvjU@&B)VCU!OqmVLowK8^cVpY;NwA6Pnq7bvSw$rz92Y}Nx!+HTYFxpapMCM`V z=iy=HU<1j2p8odbd8@w%V7xtTv8()zXApv}KkEMI`$wH^1_1EwgR}|zqs|~604g5= z0O9x_bu?)JaKRSgvj7ZfwW~Bj|bh4;!4f{59~yd~C4! z&S^&>Zfv6OY~@4&BdVdTm94V_g`=Imp)m#P&qDk!cl-gZAMjvNF*Y%FFt!1wQUj&T z+{P4Sw~djxlew)8g}KeIIQ%bm`vC_Scq-Q*fSdIdz`Mf+V7(>74uH=P2m}d&0l|e3K`udPA&HV|jXJ%|q^5E21NfTTm7Ly95QkVZ%cqz^I%nS-oBK0uD(pm6AL zcyMHJba0p9_~5R?$->=&yA5XwXAkEA=L;7C7YCOCmj_n?*9g}MHv~5ew+^=t1)yk9 z0w^Vv70L${gDOI`pe9fUs3$Z48UxLM7C>vD?a%?}EOY~U2#*Ml3r_*h3NHvR1+NNk z2yYMX2_FQX0RIfW0=@-)0DcaB8~!T-1_CJpGlBquG=c_#DS|74A3_X5HbOZ#-AAjD+ELc~{yeTWN)`$$MgL`cj?!bplp`bbVlen|01 zc}NXN{YXnlpODdzFClXvOCW0@+aNzgjzNBbT#ww3yn_501q+21MF2$+#R$b6B@`tK zr3U3K$`Z((2CGrqs^fm zqT`@5p^KsGpgW_7py!~!LLWol#lXOz!w|vH!f?U}!FZ0*j4_Sz2@@BS4O1G^2-6EQ z5wilbA9L#h$_3gB*DvT^@VF3jq4dJr3maG{SaeuoSo&C=SczEGSR+{b*tpp2*oxTJ z*g@DYusg6AaeZ*Ja9eSg@DTCn@ucxA@B;Dj z@p|yK@p16E@YV3$@DuT0;?EL53Fru<39JZ02}%ft363t3UA%tL_@e*Cf{XnZKN6A< ziVzwT1`rk!4iO#^Q4rlAvLp&8swA2sh9_nsRwi~OP9bh3-XOsv5hO7r2_PvU87GA! 
zWg=A}y-S)&+C{ogMouP4W=9rJ)=aiRPCza~Zb2SJUQfPu3HQ>~OXioNE;U?wM}bdq zox+MDj-rKPo061Liqe@fowA4WGZj6RD%C@(LaHfhRBAqI6Y41HChBdPOEmH{_h@oy z#%WP#`Do2(V`h{(vtXvvt& z*vkaR#LZ;Jl*sg!8IGBU*_=6l_;an;hFiwo10G z%QTm@E{9)kzx?$I_Z6!vSyv|5aoAdyVp%{T#9)g~_-V42BeMS8Y{e1&zgCv7(Lovfx!*wGOqbQ>_V`1Y6;}sKO zlL(VlQ(@Cc(>1eeW-(?P=3?dv<~tTr7O55=Efp}Kr+?4#|s9b_G{9U+dl9jl!1Kx3-QnZfyy^PJ07mqeFOu4=BOZrE-% zZe8w7?*8s89ugi;@50|TyxVk-^4^1cbN8>`Pxpj)8hAE&QG5A%EqP0NKYM`s!16)& z!z&LX9`5<5`_%Z7`Fi^xb#*;5YJE@Nw!B_$TI1di**44_ zcpPLH^d^`+I4<}k#3ZCAlqWPL3^B|mY&iT{__GM?2#<(`NcqT$D2k|nsJ-Yr(H${d zF{!brvCgrxadL50@ig&a@y7{f2}6mZiG@j|N&ZP6lZ}%5Q$$hk#Oue#7^svXiH?qKmt$yqmkbyoaZ!;w|sns$Txynm(bv z`u=PEjRWEXZG+N-okI#keZ#85qa!*av!h0%t7BGUJL4|npC`O05heqsu%=?BNvAVr z7-tG+d1hbEiO+S--<+RVFkDz)bX+`M@?FMQj#;_1@_dzJwQfyft@oYwyQOuz_0JoA zo7kI4TMS!e??v8sZEI{V?Kte5dbNXwg3bQU_s%ah#+{LP9^|f01q3R z7>AgVkdTp+o`Rl}o)k>1or;5+6P{8uL+qv@mWa}Wbd`rCjy{=q6jux!A|gu%X!Pv1 zmG$k5o4LdnZW$r$I{8LrHTBOo_La5Z&kZhetKxvhITR5E6#?Npnh-c_91cB7b}AJp z)|G8hgNG3rxD-l74)fGvKAFvSVI`acBK?Mr3#BLH06MsAIBY03xWZi#PV1kV+c!{OwGD}xQ+{j~zf~)z&Jk+Z@79NF{-?7i6-HJ$w z_E_mFlrh;=!LTXYPV7b@$+wQLV`p^UXB{f2cdqUmf6RK@qZ(VVM~yn4T)tfj5V+S9 z?^g6L;PJf+l=w5TaiT!22ym}5_strON77c0bGnhsr=!D!DNNVQM$C_?dz{%{IoMTO zvOAFH4H%JEXoKR20EQBSx-PXMbw+PcOLv>j09 zdR@>><{aKXUOg&gerIy@KUO}XcRluG_!r9I7kXO;ZCP}==^&&EqsD_n>{vci((fctwcL(}UykEYC(-YVzb)ZV)9N+uC9?4d#T3f4d= zwye0|ZZ}g%q%7iYBF!q7%kuK+8_Vow8G)7h6=MMmsq&hYJzA7sa{H>5iH^1aZS56V zT~+nH=WnShc8d#h^BO<6b0m6$bD(=wgSdr{ysq6;eQ1*#1#w{?LtZ3(xj zTmKXuoj0uVuhOCC32?Q;#XK5GOfB6y3az&O&LGL&q|iWa*RTusJZD@a3;Zlgkc1;P z7ouG_`BsCdr2@$<;#wTdASpvi(nZ7C<}KMWh!2B5b*^L80B6+zNih3AJR&x!5+kUj z{HbW3{C8(zz@c3f0JJ~8R zZ7SZsKhIAs3*LAa0ap$AH0=Xj_^a2fYpQAQ$R`C?{BB-L{W4FSQF?SEU49>~Pf#Bg2K+$J95F``71W2Y~o?9a0=IhB4e)7x7Pd7;u z^H~x@T*ZGAY2u~vdWU4wL7}Ss3v9yT$7u(Jm)D-gQ2I8_$$b0C<@wWId?o{zYXSEP zIEB^aEFGDj_?VSorE%BLTbnJRo`Sm`o3`})6AigV`xF^OP9F-h_ezF$3{roR5CF&<1*$}h3!@63Co`6^7eRsL|BV1#R3w>%Ri3#VjQ;X^k`{| zEGk*~yMrCcQ@cDI@0~UICdUpB*-L3<9h8~j1(Q4*LHmK8;SDST_Ctbn^IGpts5TTg 
zRjm(o#t*&a%=zK%8AyE9any2QWF>FiRw2G);MGqpAeoWQL;&y|p|N6|wGriD?N#=* z0_Q>lW}J~+&D`C=_d+DDS{3e@auU=aW$M4*TwH%WMi7YuWoHWMjM zbvq(@97hOB@k0@?#Xp_S6g)Nq00|Xad5KcP0w8ieoVzS&sczBPQWLF>#xkDq$-;Wr zv8F~F-z-)k{|(Eex>32s=1n7}n$oL2k5)0lPSptp#uo?DuaBZv4n7)*@+{iibo!^U z0Xv*2Y5#cphT0*%qh!qZh2#|eOJ}&XNr1?m2@^hjAXQkXVdMx87_9yW5rY!#uB5ex zt&y#O|GExqLt^sN`tNRK=&`h}ARRH1t51udw&QE3ccW(f^c@rCie+`ztMoK{l6DI7k}&vN2P*_-XL>Leu&rm-#ykiP6D| zIeC&ywG{8((K@rSGRCTJD8UITuHv#DBX-qcJYNKW9p-oL zmYnV%Big-t_id`%rdIo{4mV~)(|4zRr+kMkHxN04ywBDO0N`e7EIHjw=XKuzeC>x7 zF)x$V9xG@K|H)+gvjKNr@+N%!-0XLMzOTMdcDjE!zzsvVNAA@N?jQCfPz9VN$mqhs zcY*z0cbd<;97iX7Y%kB-7VwB7?={r>^Xp%hm@3j(fD7?NvENu0nzsAZdx`)Ov_Ns* z1GD{7k(KvfoD@h&d(LAEg)_s$P8A1t9VR)`&inj5aC&}rl?J^rH5#j_*8kCeKH zxLSm63Tlw=$%XHWkI|`>0yIX6hvSG#W7GVPWT1GQijWCy%JS2!bb&{_Dw4hKCxD1e zAkbzHJH<{Dl40oRU!EA>8~jFoc3K%|^OV&f;M5{M=e`CHsH-V^@L-c@qU7%@W*zoFo;_r%I!CM{=nLYQMEC**r zk%f0;ADQX(TSs~Gc4Ns#lE(zuxRKJ_Kc)CLZTj2sD){l^C$C@*6zop4%dfa9 zbJlfJH>>6_*P{zubv!~g-1~W#TFTz7#22`fzIsQZJb%k|W0wp!KLoRJ(A)|mRIpb7 zXE#yOlvq7h2&wqH6>_GqQ|#kK0OXIK$abAHeor5e+Pq#+UPYoS7+o^V<1cy_B7D2A z#igCZ*3F@KnDoVGYXAN*QvL&pRNgwik_}8J0iTZjqnkqQikX}bDhEl~3SKQ+x*`eQ zDdC@Nkd=0+e^sDD8mr;1TPR~HQ2%V++DVf9wtmy}46z_j@KrB62Y%0jNU`L#G>4@j z(ieA$_&L@wPz9PL$go=m_j>t~G3HhTK0i!wMf4RA^LM>vHdVw|oA~OCxu+Yh8$Jzy zzk7^%Si=G(Y7;qUJXy#u)HCuMI>KkwKWs@@7x-6gcH-xKPXVH+a}{+az7LfEDB0Ep zx8Kzzh#?=NO9D1F)`b+Ww>;R801w6AN@wiLK4o8(@WSu1k6eAoY;4(eZ++O2?+BXB z4jNFumCi`X0ki#IHopHG{R~A^{(F_hR7U$>sL;-pmIW;UP*2Z(4DQn-?14E^XKBO! zGvaFi&LQaO_nLn?KhqY2--yw)^*7oAHGd^$CezqTH7C+k;KSvZsE{=8@6(~*SiW#; zc0DD&#eb?*X!ogY+?1f|>TamSypjh!f$8lP2ak)%Wn0ZxjrKmxTaX8A>4vXb4(;X? 
zi9K;mstM^-H~T))pK`dDmY)u+Zuiv9j4$jPE57x>rGULZGZ~c`I{fU=!?(6;vwwZ= zz;WP9?8wX!jxtn;!1{hm$UC3KlHcyJ^F?eL4fJhddN%0UJ)Iy`H!~aQC$$vF3??5P zUO2*TkJWJ4zuO!bGCI8E`j~F|$uMXF{Z+!7q=*|HeSP}s^!VrQ01aC5_h@xCXuo&9 zAW}0B=@~zWLDcy7WH?bAKOMH`;$-z*oEm>APKX?*5v>0SA4HT99W)wFPqESOa{2Jg zh~kW3)O!UZ^pAEFG{Gt9C?q#Rpoc7a)IpytmSfkxdFzxN;B%486=xwgl)KEubm^|i z=Lhygm`z|h2!Ue}5#f_p3`Wtj(&czpS@OwCMbeB{#*lNPJ} zAOt`Ilmi+hz3K;i`%PfKb;*Q@jY?hJ0WQRe_$zE~eC3ZC-1$ zO(vaTtg^Rvrsv_!o64PegMFnXgT=Mu<-;GrXj0Gne@B;`ezT_*H_A;D1uH?U(&&_=Zuz7pog%p+j#r&f7W5*@iP?i#x3f^; z9X&J63jW9*n2Rc4KqV~N*Vdd)$lJkf`#(#g<{`{Ii&glCQ@&Kl!S1wfju9E(~mfy%v zt*8|^FyJHHLvQt6Yn=7`(Ib=4DSa9$+*=UiCiqy9*rRwb7EW~<>wJpgv01Xps2O2s zPs?7^ZXU1A;)e^$g*k1)k&g>p4(@&3>9@b)O72iPu8?#6;70?x8x|nc2&`7i2!%7b}{R+Z3uFn{rq1A9ufB zTJs_0Sw~mm>W5EG4oBK#S7}Pu4#svI*5(crFGcOYr;XYVWscgv%+3r(u)2lO9*vEV z@ZEk(nX+2JfB$NOVz-Cx3=Q|6qT%4=aHKttlS>Dxl!VcG7WV`aJdm>8$H*VNF7~kD zHNgrduwklDIty6x_i)12JaVz@Z`MprsbCFLYZGSqdSGZujz^-x1%cW7beR|USKFyl zR%c~v_{P8bIv#%Yw%eH^eXQgDC8cWj?v(z@fyYAkk%+SUy%T_beCX}O0drZUWt+5yS>_zLibkjs+X8{PSDYYe%$ATm@U|1|^>FFS3^Zvi%0z%GhDwx7@Has2*IZrXv4F zJ(!ae*sWGq3ou>&fufF>iOJVT9T^4LtQ0ci1Z-^Lrych&zw*~D^z&zCElRzsy50Lj z^Iw2x1ncVblOQ5A5-SBa`gddYw8xK@ENBjPzZJKzbVjUy^~ZS7z;SX{@*uNSS4mJl z=Lc4i1SRYF@mwFL7WQLa&B-JU5N!6J_@n(Vq0K6L#e+N!OgU*tJ&mVw205Bv_cUXx4f}83o3D=&f;O-1D%^FPRFy!0MZNwyT@` zaP6jM85oE@W%E@|HV#4~LrTmB>Vm&vGq=m*%Z_@EyY;YJdoaeOS;9rKpcUf1GEu>8 zF+=Qe|3TOIso$GDcgyzgusDAwrsxuhdEqIg!myOwcTesZ=BDI#tdki0G93ONxgruJ zOK|)D<-bpZthX*JT^7{?POS?7ltIejC1?3x%i#IK|4HD~$#p}I@CLBneK_(P{dM@f zk2fhO*)(OUAoGrbKnUWHvrdA-LgX`#iZRSsEgXWoph0QEmI`t|U;hJm_rN-s)oC(c(h-PT}-Y1{?&{*|gLo#Dmym z!}wKf{Xp7U)yHH)M;`eRrp&U%VV9(rnZ_%X%z29=WI0So`ftJq%q)^)9!V;v*Po&Q zd!Bkz+bmDN-62s9F75x_?yY|{)bn~pyNV&l$$Sg3zCpxXy^lCX_iQ*w&*~aUaUVgu zNppB<9UmEMHF1>FWBxwUYA3(!N+pMyc+x4G(Z0+V{7x=yAq^Ui$>(-6TqVG;>yL4$Gv-ip z%!PxR8*6P>z~pcE^T+x@h`YkQHTX%asX}Ddik1!2FmJ*LuKBp`NZzFRA5jTd4@fZg z5`pG(Q;{XvA!Vrf^XvVp*Q-`GVyj=`vfidH==ZPB@NpLp)Hx&pzb}jU!?p%{ev6N| 
zv4bWLW)5ez^>0R*pvis9ngbyZwf8D3EMxEJlWGa0R^29Rv3DF(Po7v0F_rU%;dP$+ z$FlNvU!D)YP`j4ekAEwC&G`JtjCie3@`W9CB-tLzMHz;zuENks|a8@K;-p#KRD|d`e zrLD{i`DaWP4GyjEVo2{>^H-nX)ck^aj=^v~mvHfJwykjR+v zYSqFgJx`{~md`H3Xe%1Cct@sIG-jz{TRof@41OXdD;pNC<~|^x!1`FTCE7*D$%R;F zw^sd{%1gle&m*3f`Z{WYyid<3a#EN$q`zGy`CV~XaFHaRj+>LMC_qv-CzTagh<&@4 zu>Z7U-!L*~G`=IVA5$$go%G$&v%w_~$m_v9ndQF0M*i@8vf}QsF=Cxm32x^jF^Ph> z!J&7*!VkHxpc+_(k5fJTOZ z-(n*GI0`RZYL3OuNH)1YvYFv~bq!1>z`~*W z32>>6A2xGxeTr;{`(@gtS+Aq7(9{nh3O#L|sa%t6$()XIEXBs511G@9#cP+F4!4au zc{FR56{>M_OpThh;^QOjY725B3lypa7S|)c(kZU=4KpKZlq^nScAWrWVY_md--7O$ zP6Lzen~Bx;CqPKWk@NA>`p^>~Qb9I$AYr+>z%pUwOU5xNNU`|isS|*Dx%!JxY{Um$ z5GAkq&O}d<_Z|G%o{EVqVOOcf?-K zt>kGO;JthTz+e2v4JeEo3LBj~$4_S>0U_W0M`OvY0}XVBnmODF-JH9&?VVXR8*Spv z^j~-fA{|XkbmAS1J3laOY{=X)}UZ{iYSP!mo5zclAFl+u98(kk(s00 zl9!Ihb-{IUJSauY_}S#Rnv22mvC(m&aw;AaWNX{O3ob8^Cpjmdf)58{!FP5_$jIl)>Me5orbjHwjZ5!P|N-oDA7FZ6xl!g7pAMTt0yK`3z^nxGM z5kcwP7I{q;XS`c=XoKEKG59{3c@(zCu^1p}{7h$`jI%Uny|r`b(@oAAd;6oJ+U!E+ z>};EaxDvD60CUTSAx~buGKWPXy+3B5U0Uad{VJ;cdxy zjA`VQ55#M!Z$|}|hPyCepWHf zYs38H9Cy8gCOc1nM(8&ofxv`ho6P#s^J9!Vfk(xO31%^IIsVC5d|%Eh^Ai(7xH}We z;Gd9sMj$c{_Z_85EfIOva-ZD%0;SwNWoYTer@208xTV#c0+g+j4u%&mj$cz&uq71hp?>^^_XP02Jtl}! 
zx7aevqSAKg@94A{;1d?%#jEWrVQA?DO!Q3&*m$CJ%T%~js?@?Zr26AA?iO#k0D}rmu8Tx;TdtQE5#BzHk zQSt;}MTx}v;O@00y4X_@I`|c_u=R@uj)PLem5AzUpv;gfsO5dP0NC#nY!!wMN{Lu( zo{nMR^xBf|?n}j~)yY=*yJEA=(@u)lK8dx**`m7L@?%v@os@LogPDleY6hkFae1vK z%Get>VW`{4}p{L1oJ(D>A}$Wls5%kZe1P zooZb0o5B1Fj1JMy+7a^2W_3m+s?|pKOD0RC4!Zqh`)>+}F*Gks@FM$35>X`u+zj6* zH+16;tRz85&-1Vkc{XBbmrpH~;Gh?yV)&Rv=q}A1)+j6T3S}NnqUeF5sJWCvbum-_ zJI>cOYT~UDm>963GF-xi7L}svp7QrF-gt8}k4}aWeP-J`x)pD0ON~Fr(@PR00W-&% zrRiO_$cg4mGLXVGgVpCMh_bQl$(}B=}@*&=`{x1Q3<_ zD^jCKF3EpVh)ofQa|_H6>c18!T-f+LR40NMd>9+3bf%diZt?-BEt=nvy&t00(&% zC4(S)0}*Gp5Vwh3Xs52YTz$~OXkL{p#lx0DS|`Yx9ho|XG6F@;cSL%@$UCQV}U^mj&8?ipJ58(J8N_vQb5d zpLCD!BsFGkV_A95j2861Q>HK~8X-Q(y_2H)27xGn7}C+rm9+e0Q$j8~aC_G#R`VyN z&7;HLpe~itwdzu&n|UjC^b8Frg}p#%8py@!q@CmNORSYUj4FvTs6VsMZ#$Vk6(c>rM#mH=`bXMN6T_;mg-|W; zGwQvQI?S=r#lPg^1Jl{H9Jk}yx?)XaOKHa7Hf;MIe)wE$Ep}#sT+?UOeD0Z!4=_q=OO4ZLo`rdsj4kq+z)5X z+`sl9cgIT;2h=2+cUp3H?4e!?sgXMpT{rlOF7?fZNxqW>H9%IsIg-N>aX+-&U&lBR zIXhO0ToY9~n;}yWy{|_F>WYJYQ#Pwjqr#}O5N#VjMFH18d|Y4NG%~orJP(_1>|*Tg z4(ku^8e7P&<n4Naek(6|OFCqIS)qDF*jZABf4-81W@W>M(d_G$DKkG|~6y z`!_PLkQv~{NJ4{9)uL$OJR*m%Z=%&YE;mgkKKMixXBm& z$!bR0G%4aJ6PU5P`eZoK9ehLgJkiwlB1faA(ONKjTKc=NLXRjql9Quh^LcuTziO>k z!~go!_=i8Ei|emX02MldEr=^z?StE|3TD;qn5*z7QMVA#U)i?P>oPQKz3s@u&2gt7 zSB)2x=1ZD|^9K*!y_e9$`-~#X#{IrHq-y#RoK@lnMnf^uL5OaXwXYi-B6-S1aEeK; z+zwFadUhk{Lf#r?~Zk@4+M0-e(`+ck+aF3 zYH}sA4CQnhZ={nSKbpf6Y9D*Q#*q>N&5wLq46Y1x{FMy)oRj)kg|%YFpmkMgX7MPH zLxWA=?t@`Fo-m_GL_+PyB;3k3?n^g7LD4DVxH+xqHk76O^ z@gmjf$?~ix`i#$e=}W(H)7};vy`3eSR<>tTk$Lc%nPA9A=b`@l`n9EpD2^M*OO@6c zF+?tFhB0KJ`(D(Q_n3ruXOkW0rcB&Tk1#GeYdzOsFA&GR$%tq%M{=J>Gr5iD_1DMu zG!@PC1GEkCXsrm1YMLb7t3TSj-J>)xBiorfTiQHrnP(1^lQ$4U#J9e%kwuL8>g42H zHnxDvvR|F(0Ubj^5?P(9CmY3DtFTg1o>D+p3cDX)d^5QB(QVi z1aR?Gpn@rm+)vRkybk@PC_?QEkUv)4AV0DRbty61=%xoCBz@yWE=RWbNi^Fo32*VN zjvU+^NF>;y-rF4`{;84S{0-PJUJf10G+e}TI*!oBZfdMj4?on1 z-6)N#X}DlDUn3=Dx?b2O4;f}BbNXnX)ei6?il%JeTv9W>zC?l}IRAxIlJDaul>Fo| z{Tr)|!6kenjyPNTx4W3DAGuyBSjL}hs*O{31UE%*+v2f`^A2na92CA%6P_>H;E-na 
z8Kt~o)QEXUb^t4y+VC;B+ax__Eb)|OJv3c5495$xh-=N?`E2phC`<%(9@lbEj?p*? z5~h!(8wuXF7n8vj!wP6MDAtLkF^p6jYazY+Tq_CW%H)AmsDOS-kt68#6O1OYk21Zg*r!s{zavecbs;THsR)cx-)Ep9L6wH*l#- z3|fsE16m%2tfS!jnEEc!gGv@jaegj|9v`7<x*R&fC;MS!}PTu;2%fC7MmJLsw5xLds(cD2jY(?;$MNj&byiCBIO&wVZ2<>svbClX^jdji`9(=un;a{I={ zqB&Hsdn-emqS~H&UbUCbl-hc|KD90Bys@ts;|pv6^eE62{8OeEaX3cp5GI?K5*oqP|wa< zxZm&~XL|=pf!pI9J=G3cmrsY1i5e(y{xbXT>+ngAkVc7Cwin2!nr`)WX z$r-3r#!J->BYltIo^Fw*9NKTDWg=iC4~f43LaMZ4blzQ!U`R~`8s$q*8Vq^TLi0go zC9{Q$FK@^a<+-D~C3+6|DDYM+Jeu6(R`pAd1s$)CI6;1 zmb{LT<*OxHO8b!aNqA|fE=&Ut_i*1RYv-sqAe&t`()avSiA9W`d$U-#?H#8~nlIxP zcM|3!Gx!7xC9h~!v!^fZ%U*10-(#noV6IpyuE74%9p6-^qQ*ZwWcIqPjw7ne`0k-h$kx`G&FZu7k3>q1w0A0p3~ zz1Wc~8+xLUrNZ_3wk5rRFM-xejTfP#gy=qZEb}#%#$R+THc-+0J>eQ&uz*(lAAc{t!FJ z5Rd)UHSjZ0K3NpJT~UmQUekwWS*D&+om8|Ho+b5N+tya&W*+yKu7TD7%+`N3VO_Q} zRmdgrOg%xGSJoPf3M46`p}9o9=cLl!=Qmy#K&OGRYiu{%l&a@OQXoHp1Iwc3>(c*R zkscyg`tKZ%sz)4N;RLX!zXPCWGPwFJ&8XabPcE)t<8Pgs|4R7khi^(Nz;!WaD&7AC zm{fYtPU6qbyHo;Gem}OD+PcPtA2hFhyZs3mX@VI$R$pu&YagS&l7mKs>WFI!hS2=x zT}v&})~VDFV=#;6?eHvls=MMGY|GgUP4g>hUh%iypKh6n=@@APi4JbhGcq!1`01yb zgxxu=Wg<&a@z`%F`l?NThp^^H3_v$<7I|@*dx6b4tlYpIvOsg2=Z_hZ6efqkKsp$u zHs~bKC~1xPKU375jjmfukOY9aS1L(iNCJb~Fhcc+Yrzc4EU{qbbER)k%J| z=uT6<3lm(s3yO8H6I^kvL*NtEal|cZ`s|Iq!DY32qaPXBYT-FeQAuz9)&Hf!@xwV? 
zb~4S`@RW(sVyF3HySx@#mSQ;`mQK9d#CEO`qbIo??AP|hlkXwAUL>)9!)ix~IGLo= z(G|{Gx?hEqGyP5JNYu*J*Nu|w9nymJ zh{YsdrQ09?%6zF0$9d;ZEBcfkg*;f|3wiayhcv?Xj>ZzoJxV&B8x#*iu1C2|D;eS# z8q=g-M5{%+?tsSHG(zDDB|=*5e?Y~KiJq9+FD*)g$bqg#mDq@5XhP>IE_Y3mjzC?%0*X;3IAY=gB&#I2{6WVK>N^_q%m2`WmDsRcHcs))aH~ zMIkz1B(e_%T4pAbAkiYv+>I?JaY-vNSyAXLpBQ*AvHUqXP-S$|%JqWz_{@QG$NmNeJFCg+{AW&IUeCNHs0On;(YvEtkJRTkr#IZ zRj+PMX|kLE2R2^0oT?|l=<^3^FS)`b5f{}Y@;kBHtF>cftZfDfE^iGC-k&aWd8b~$ z!=#?aJvYTDDG^PQbMM6#ry1f3tFu%APPvA4i~7bbvVyR_!UIt6{F(R9EA&f+qP7G( z$~05xb1b?Vmfz}1n=6u5m}!TNo)p;2g&-feO_ ze?wO7>9aSi_16WWtX_>g(<wT?b}295nPNbWxg3VgxoNWU)F#_oE$(Cj1Bst9hnu7^u^Bw1i7k{46AC zVrZD|NI$=>m;R6s{!wrR&XUR|V^8-ur)nBE%UhF2NDm9TD>_83b*I#Y_lL1gxZ2dPI%xwk}?;)~%*1S4bGbmVIDWjrI=&~-*uH`XIH*TfrHzk(h?h@$XsK(DY zY{Byp3}B0_tzKt$3OQg$VRp(SvQ#*pDj5idy_+nq*GiL)jCpjqZqt{Xo?QzA%X z718o8hgiT3BK#+dd}L!W|Gv>+h{+k;as2sU32NUr~SL_<3*Se$-0qWbax<&%9r2w{?x}=Tlj2j=IBuP{uL9 z*GH>WlUWEyNX7FX&eecPYPSu}S|PPjOKg4yYImdK3eZV#nz*Lz{oNYE_l(pg(&xJk z;DuINe`#3i{~3`I2+yYeb;8F>AAWk{e^|)9Tz7W2`2SVVyn5$nS%;mXtph(;KwtQO z5-Yy!Bns@8*eG(;L}SPc5y#5W!A$}i+P->k-4OX~B-!r|G|=LuUjf5k{BKFUU}qW_ zFMgDq{KS{|WnBJ+enwIKV>oxNOtcWy3-+;57qi@5J}cT>bRifC=G^^^^3(LK&ZBfM zX~b~^$pmrGqtSXlVq~RPvkN8qNDWb&%dAX+o*c>jPF0?ryLa9V7TeSrR%!cZP39$S z?DCg2sj)n^R{Y`Ys+|x*difeltJdXNdzCzVvF+oYsA0-df=~Ar!7lS#3m#LsiT5Tl z+wMk>UEWlqD^|OFu(+`~!AH*<=Mon;N-?>q!7-_eg1A|&n-m#$0`MB?%!f>hRdnJ7 z-FnnC+-*Ymt`kcE+iU$e2V38k{3mg<$3iJm4`2^T!p0hYf+|z=Mgq>71-q+R1u%us zf6laebnyI+l|U)RdbCMCI@hLF$Ud5y=6DNqRBEVFK+)~mn=3YLdv65PbFnviur($& zv~pe2NBJvOQif!B^lWz*@8UCzJt$NvH_k*cbmz$pR=ZuHlrV&n*Eh*1&(&P|mPR;v zg5X+5^ued;&Zy7EwXD^fwl3PLbe8yVc9&Mj%h+xZVhf4f7#)_Itbg+p?p}m?bX{Gn zhfY5!)UUKN5&vm*_;1v#za9#{?eeLjnfSw`{1mIvRvc_d+{PVbNjS`&XZXLh82{k! 
zB2#hkpTL;PMfu7M|@()H(B-iL#=~OE_j05{^1)eBp)(7MS1+; zn{u;;xp%Xrf_Y?mYpoL--+YTe#{{z^>vg%|tgVE>2VON{@B5NWapK-cXStRPKaD`D zxu14jNJTZt#H)(gWx0%`t^_n@(-UnQSXpZ@dIPL$mTD56T#>h=YcB5yOX zvln?Pep8+ephLDivLc*1!@+Rt6pfxP?4Cg;t@k#PClTYQH$^6wX?J_=V*7Fa!xS&a4u?=r_9?Z ze8TSIYC9IN3$SmIQKtzQJ?){)IPYTnG8a>>dMWWDK@BhE)^Zq_8ia{UT&LuZL!;B= zWND4dhA_ddKE5(868xL&qhIgh|E%Tpdn2>6+k=-ob#QAHuu$84T-m$`n{6VTEBKKV z%V=K+=JQKDN8?E3daC0%WFyl;LmNoq4TqDCU+AA(&I;MV@jp=6^?lK;JG=%3P+ zkK#dp{<~Jfp9z-eTB2mgSKRBwG3U086`ptd>P@JWC~l)Lentq_X#Nnmy6X0=OA&PF!3W97*Eao4xKe|8BO&a?q*FnqLfnflC`qj;;o0#5>TXcwlOW_z zqE$|Y5=?Zx5zNofZh1;0(T`L3Mo@LhHFD<=W&~M(@r10k(RRoy2a_6I*fVi(dtRH9 z0A2?YZyDb1vaAkvWiMFfo@}d)JFkLQ5egNX1+S3QEZ2)w_~BnTx|xqYcx>bU7X13} z>&u!}{p{!5PaZyBRwB_7=Yx7+)K{htTF- z7yqwc$(-FcnXa^-o)(4Y;Y%gs1K08sA!-~&P$r_dtXTUe)JHe0j8g-&!&{uKxSx53b>Tin(SSr_6f>i0 z5>w>r=ZiHBBPBVYr+*UqnGI9?rp)XjJEfB7tSm~`$)58xxjt+-0lHm-ObXb#KkBR3 zOq$?S%1lw70HXPh^+&@t!)Z{9mv6szzj*x2B|&d|ETHwZ-ckh+E%?;n&W>oV)})Jj zRt(`h>l=6Or38257r2dFl&S&wM_-SraHILA&CLdZ2>D2X3FqZvny37o@bQBcE3Cp5 zfjtD~4fZthSF9t{?`o%M(&ejZ!Z%55q7Kf9F9@jhNNY`Xq|^~m#-K*9YY2zX1;oyN zbKWM7j=x6|12hnCCfbG=4bDUHX5H_rtV--j3(d~yd*CP@q*WF(|1Qg3Y6d64I1+^kXwqREthe&ZjQ15=>i zchXr{TBt5n(~{LVuRNw?SgZ4Y2S~w^2;Q!P9=I2%D^Bkt>;(&Ks%w_l6aW90+3=rh z`O~|GGf%tWkL?e2H8IO;=ltSZ`^YVYB<$@cuAg^h$|QFb!CXmZ94&I8dfd}$cm(ce zX|{XJ3ka($LX~>nS(WHwWTP~a4AAIj-iU+ZxLSU-Q9C|(4`~kyHfAiun}%KE7Sz~e zjSnb4V@&UG4raNebX`#Sf9$;lR9s!xCP)$zAi>=U65O3&!68_H1ef6M?j*RoySqC@ z0fEAy2ok)I!h#m=kg4STS}|M(wKcO@nR)Wl8_UoPbL*a@0efKy}V4|~Q< zk5vhycy&*a52d)9*W+tO_38MTNiaW}c_U$t<2qw$-%&dm*18!lz3H-L8TIw zn5AsHOlM)Wnq%bTP0#{tWB%sn*^1VACBp(&GX`$8>K|--&*qc!9BmucrBx262IgSG z;o3;}ORTu2J#Ic-NqX(6_pwu>Y13|QOk zUfUy=rOn~i_H5o0!LsNvGJ~DvPjo*Z-PR^MwfDBU!TFhWDVXhc%Z_7a6DIQ6@XQY6 z51(S*Hxex*wkB5|j$w^=ObSvr9iH}`XF~$y>b^kw{u8VT>tk(+6A+Ses+38a3esYt zUa-$06Vr=7v3RG@a*b?QgGp~KgMddbOB_YTr553ISg`qNgF$4xTfq8TuXRDqh3uqwQl)a0qlFe;#fGQ02{cRG3@u?ewx1Sw7xWTs zk2$Rz8muN8EP_**aEE6PWy5=xUs@`SW$N)&Q4GY@*B#zd?|Z3Iai8jhh%4)H=LR12zR_h;EvZn;i254msE#XZER+)qiAWJ`(|{& 
zZM%4BEqT2Zmm%|5>+K0&fbU-f;4iiHc$)}|+=PuA}4zxV-6NXc?Tiext>1h7iPe)4QFC1cu;11#50BTl@FKe+H$7#&C1MNw#9E0!Sz~I-aZp8q+BzNUeS@?XG&C>-#Z0I*Kj(L zb-67n5$$OTw|H9V7PzepEYKvKA1pVx)<`|KavHRDsAQg!)1GnqPyhToeRzXH5%AmV z`4>6#$n5zKVuI!%xc|>SPX1pEe2XVv+KTo;D^LCoCPzW8s{hp|)3N?U$kP9K;QtXL z-rcmIa7(ri9;&WTdxXD3S+sC;{7P@g?Pul#S+hnK3kYMp6CREq{JSddZyPyDYS}~% zOzL$T@i3_u;VE+RFi+``=Wbqr$uHVDCGk|-sdOZOu4jGCzY@I!De?>m#=a%NF;q8d zW_qu;nUJWxXcsR=2Efoim!`uMGKT69e6Bkh>nmp4RK2t9DMUs3ZQak8;3VXqtkqv8p;cWl9=?=rZrf9UoxPRznC35({ryX_ zPHy@|a_^*D!y`)QOJ}k*utQORa8WW585QUkDLq&^^ zjbnn18r{1&wyD6}{5(u9yctO}FA>N0NBUx?>6?1(%kN8RC<2k9$U}4kAW&NRFNBD{ zScv^K|39@W{u(C^q9V7$n1=ozI08U5i=l?xe+g%10}Zaq5KO9eR9ZkD*-KcAyjvW)(^ z(Di^~RSq5zeYV?rPx>!68uXlcu1bXz&&4RyhNvQ2+^G6lZ@;P-WdTP=t%2B!)gTGk zZ0)5NJ@T{==6V^${jrPUii^sTsf7r0j$)cA3ADP; zMaG&x36o~FGEgd$Qs|aq%wM{_G&gfwayu4tV#U&- zX=vp%v?Dvxx@?zQMXpo>a86`4T(Cx!koMU4nzZ;u+LzFJL`}EqQY^obW3Ff&%_|W! zDBdS9oo1Yp6)1%84zGNT!xkIyiPAR(+$d{#1+d6~rjiAnIwP6YhPEYq1u7>vd@hHf zq>wpKUEmpP^RMCli2g5*s-nir3hq7F`OwRb^rHtpEg7AGl|^231Q0}Kz&EgZM|V$? 
z{l_}{fBRQ>CnDt>li=1h(atp+g@f;uMuGV*+st5hRz>ft(W9ACr{WsLdy0SKow3l_ z7ru)rm+kmS=PB52qs?K6B-+_1>%}_=6Ul@dF$|vhGgId*C)`$<-;N?F81-Vwbryhe z3@F{_wz1E9xvaoiWx#)^Y{v*DSc{`xwjMEbS8~sKA)kWIiBek2r5#q7>Vl9J{w2Q~ zaSN}t(cPipQ-4vtX3mWGn~qsL_+^{8g1-oq z@kykte~xDE}2hN!IATIhd2Ua&UR5oUz_Kdl&yYtHs^3vD!C{4rid|i z_a5a|k$w6>6OGxg`Xgh@F{+Ai-YG|rquH&IbxOvf<_;(6n_u5T%uA3lZf21wi&mA4 z%iiPGt~h(eNpl2N;(U-+xyR?SUp?t$I0zDZQn7 z0t#gWh(*0nBLQz|5Y3`;(9N23?9Nj9Ae%(Bok^yzIZRSwvy^QOo?)c}0hdVBsA%j%?FLLB)ey*S>Z zt50#5IkMZ{F@Bg8nr1IoB^HSL^%H*T1pc35*k1LR%F-myS!7M06e0{h=dVnKa>B*> zRO#(9Q-$8f=u_SDZ2 zKMXnJPA}&W+G?hxz1URY9<-{60D*US(q4Zx7F2Zl);nuj$&z0OPc1{pnVd=aF^KfS zjr_O4gFl|=zsEX#<^Jlj)u49D_93=FZ-2N>GPe8IapVEUb1UvGrzVHOB*x|Bn`a96 zM@!A+pGsqj+h{$?rjks$;aLee)6WI%Fbe#CAxOBys>@moVhsv8OhvsE{G?Y9ltBjK zZGY(wzu8Y6knfrms!i(BmX2*J@6 zQxTbe=EP9ms{9-Hrzw^0Eay2WQ5AE<^&Vo?^#AuH}Qq&u~UVi$jj%XDWA>7p8r*$ z;`iloMoL0#U)G8cdJxk^@|)i0#=bBZym^itUKS~Ym87*HXW;zGl(VD2Lp;fCOZR^4 zNN>$9F=y@cx=$_arN!-+s$U3coQ+{z4MJV)Gf@9D7pw->JnjZkv5Fpx+4Zkf^ttDO z^69kOAv^EriPaw{Q$ja-`l`r5?53$9sMRk*wM!)&U&v&kG-uWDce zCoir8eZ;z6uVUJV@xf1!{Xz(_8|h~KbmLQ-hgYS7ZQS{yrDN@lYztXHiL!Efu-}`aWzUGEx8Y%>jMbr+7i{E=rs^Zs!bFV8RJ(+efj0-l^YBXjygY`=dV1O8=>vT7UWx&? 
zNHt#8ZY;r9)a?xP^35FJn9cY551idPMm^oq865s-G2);-{ngh~fzIK$`GU=<`0MW` zopK1UdCu)w)2Lg>5mWrL$}A(A$DsT*6CW%GD)b^e;?keerJ$@kuxn~+Njn}`g z>xw&zfCg$882qD;pFDy0@patkB|sU zN1lf_sc?jLO^>I6C7bEdrg!ZEZT^`>>Bs?ORJ-*0p4giJQts|uz%uYAoZB`uWn<^7 zksZDt{z0AKj!2}>$~V1I?i{|-0gQkHHu=c!1}Fe{)r~WmZ#{KeQ_$3yM*b(2Y!vIO zZfoV)?2lap8o7*XAK&Jy-2OnE5j_;!@+|^}x=r~^-hk3{bu}|~&>-yRR$S)ZM+!W< z<~EPjvM#`N&i1~8nc7tK=&|f91HRCA7E-q$%i@u(RS8lHw0#HQmQ|9G(v|+D9+d(r z%(ckSyfo5Xi#U$3rctjThvi&CqVfBL+r{yPZ-n3z8e5M-TEQ+(`VDL+H*j$iQkIzG zu9+D{L21H?{xk3NiOjrWPr3dcDX1A!mR_w+l}`I;k@%4=pL39_B{;>{xF8_~MsjQK ztR@ROd_AH;6uIR>X0)Q26WYP2ol~2k5-#}t`e3YlNt`%1wMKj)$1dv2;5UAIgthr74G2F91{6csz)zEHrVNXhuJ6fJVl=;D{3*hQ2X9SMi$$68qD833V&*yt4z(*W(bO1hY=bGH0E6xmQmTwen z(Z-`0gWYNIJ#(d-zCeMI2Ht`pjXr4BzYl65(&qLls>H)Nxd6p3Q5M50syx zb;5VIDmR%+&xye=PQJniZm49{>JnQ56=$bD#x-{D(|&B^669HI%O)t)IBJFwM{RD8 z&EiGl^eE9h+86z2ax>lsUjlo!;7yq?IK=v~#!kf~@|8lCjf;VxHF{G^a(X6D6j zmk0qXJn0iB@Je5p#00W@yT|;EJBQ5fdw-tX`VW~`w2oFy1ZtL#HCh&!-LYp_` zZ~SJ)&m|?(oOfHOvPo1XXv6_j{r283E6yjfz zKw(iLu==G&c6>7EtM}l1sb%h0^}*myO_<@DuRdyomN4`nz>K5!>g9FFh!9$J{Sai(*)!+qA3U`^(Ir#HnU@c>mxklc~1a$oVcUkLRA?SSuFJt662 z!`HcabV3T3?gc{2ux(mnx+n|lnw7WKN8m^H6TrJL53+Q@uE|`C(e30@FZm#y9sRy& z5}ci2AyJc@)B-WUxpI~&m*}(S+c(3xSVLvSeVrlawVv>cQke^eDt*QW?_nFe6$M$? z;z{5vl?V?v z)5Iq}p`xQ7Ja#t~Uk~cHDn}0VP400gr6Y>jfp%qHmi{xfYCR)S-OXGgpFDHFB$IMa zD$440X=M2mZxHE9j7JQfJq zHIeant0oZ}$CwZ%*ueJpIsnHj_U;i}lNocg0R;iAniAAOvxj0h;Dqd;(0ik4T&jrz zsIDk=lkSVw2Wyc-3ffaohVgYuiWKjUW(0Z>(M-!9w_QH0J1*d{$qN(sSrnN2Qcfo&v2NV~D(KXp3^CL3_4>l9dI@fT1 z0)2zn5)wf4nMV9LH=mk8Ukz?HUFNN6VTYFt$2E7|U<|DZI+ zl64Log{U_cy)&0`vWUCT)HEommYz8l2+azkE=h1ACW+1pL2`F^sXN9$MIiBm{z%Oo ztqfRP%!$Et_~wAW*;9~PO&O*UzU%6igE3QP?lw~H+Iv1Z4|exo*$bgFd)T{Rli$*? 
zT&oF|5NuR?zeZUjbonk&->3ecOJXAC zH>j?O#wPA&10L|TpPg%2U`(3kiAtsXH#alJRsm}>BPE|W%aauj@K&KfIt*hJt${MA_Pq%v~rG&A=*RBki~o!?uagg}?|D~}-)a(p@ri>xo{ zKh51c>*Yf7X**y83g>Ea$i93Bs)yfBlwEYwT*7M}6POBPn~`U-tEm3o zbTI$tnQE3qW&yYTl@lUyne6^sYmYX+5I)wk3GYKwVg*)LKvJUAk=wg{2JqUOUn z1RpQ}rF1Yaj^d1WOlFB^Z!o(~Kq3EXL|0hUdEHSH&z)e#@qC4xK_ApBY24HQT9>UN z7LVlpkbL;BkIZb8)hnv(t+De~2}KfKUD#+|9ev8d6{MnIRe(vx(B7$gx$q z>6sOge|LYVeK;Nta)I}lNkNk%2Ma+r@O+WreSGpuR#<|P`@U#LB;QBEMp8cxDU76zWZ)L*qV{s%alccVQIpgqe(wa|6szxk zW)nl6$Ld&^IXif_<4S&g8I6rc&GYah1@dV!i(2LOIVTtg%TEB^sJP+xXmR@c@l=c+mggjJ!O}!~Fy>zUI+}pe>R`J!%b*W&h zOgu`Kx^VKHD(k9I?)XITWBBTQ!EL+9?neU+ItU}twZGbSDu}O-VrBSl^_vRU2R(ZK zJIu3Ht1@0oO0TwWd&P@(4V5#A7uup)oxc!*(#IG1wQK0T(%dq~x=W}Wg3HX;s9EwK zK)!$AI7&GC<9=n7=1OO%l0K5m-B?x;@%U0Z*Z;djVxM$qoW^okqiE3fl--+ zr|Cni0Wx<>;s-AIZB^nbz_X-!ugxvMkwCT z&MPgnM*(i*vvBrIK;m)TGXtI|)=h4Rcfl3Riw4^3*-d?Z84h)$qb#_X1Qune8ksru z*(~3!L>oo|$lOtNQE-9?>ip^ftNc=gAvjw%L0F zsgsX5s>9`8V%Pkh-N#)d|G=&wZsf5@+=={@bSXDQe8gPu&!$3TR}KQzPJD^Y~e8=3`McFku)YBzM%x-k~GG$2rU!n+W8a{Hk=@eRY)Ss z+_l`|<;k8;NsNuOhO#h^cE!N%-*mG7oFs$E$=rYHe7uIEslwmAeSD=K2tD(7Npj`r zC?kD|cW6eTUBGg5$U4CBdD`vDAi7$OS6A&(o6auxixh6pq>$G(7{nk<8X?!piGmoZ zgC*iH{A2v8;#|V9-1{4J7)*Q9e3qZ`56jTNUIemn?iRI&%rhD4m4@kNv_toZ~0y#=9uhHh&R<-klA_FP@}2>|DQ zIREHNk=MVC*4p<~;_aDsQNoog&*eSH)6|X0 zqSS>_Tyn3mCcROQEN+`7NfU&pK*mn9E9Y&N#Z&@lP488^U9rMR?R2EWYEbeai}6p~ zXaPlEW!#OTVJH|2x7?>svh1`yq#P8v9h;wyqLRVmL*N^Oq^R@eb+0ZtH!ie=ZuPi| zH^lxHw1$i**TtC&3Au#bu_n?gL{x>g1uC({dtL%~G)ksGq-?B&Eh?&qfyj`a#C zM`7_c#ux8p(aK&^=6AHe!sa2hZDe@y?&kS~*nK~}e9w{T>tkEQ8F+>O^P2WsiJ=df zByr)u4H_7cenHo8_sB1VNsM0m5K&;_Rd*-|Dfu$t>Q4~sbUVS#ex*&ZGwT;ZgI1N) zuvWnMS z;E|DFcw_{xL{wHi?Sb5-1j29#o(b%Lq5MeOSN+nO&Oh|gRr-^N@S2EE*mG)hHVn)8g+ z49Y0A@@HJmlsl8zVPq)E4GN2w!-|S}>+S)MX%!g+_=&l(A-4+xUva(_`ue8N6R<%6 zsZd-RVH)LM=yulE8i3uUJFNKKelNXhXGNeWXd}v87xZiP(g5CuMwHpDw^|@2?~E=f zlQeUmv^^$H(SaGs=EFR=Lx=Vz9e{{XyH$Et-w}5&OYbfv@(DBt0APxC^Fe=Ha9UsK z8xhYA8;RiF_kfwXO1NjGL9qvZ)CS=3Me_0BKD{dDo$bcw_!&2;#{w}sL^$od@wVLT 
zJouQrLi(*u(;HWEZ0^ZXD!RMQg++L9*1H;wEFIAR)FDD*u*{_t~Bmlgzh4eY(tv>8o_Eg`6 z^I3KlvGcqm{SEFqqt>q7uAVI|825-pOvQCRogaYl>cdSJr=?sYQgD}wyH?km01v$% zub~o2L5&hqM(g@N`uJeV9XiQzB21nGIWF12M}7TDi=Zz#yJ!cn&V$h3f>W9S z&Uu4Kl{+uPuk}N{WciE2Je+gxPDOSFfkJ%3@kRqN8P1EljFQ>q1!sK3u-$Pga?+iy z``8Z2gQL0Z@V%)AYB={6o=TvfK&5IgpfaUNK<5)4r}ff`+M=&j@p%`u*`JA&y|MZiSn6`|6kv@Ek^J5k~phk|0pvTWb|%Gu0AgBe{>8Q4E$6&r*m&$T0p4HJyqOJ28< zEq@Kn4kh5(FH)qbI(nWa=>j1fe@MvF)XT(PUj+twHqT#cS0@k#FNRq6yTbN`=}d%b zMgGLw?_F4^0naj5JGLf=9}RSx)H=~USSX(5(5^nv0j)3f%cTVivz64sq3i2<@X}b| zje|NIn3Bm20#x5yCs_DiqhtlR+6+m&U{yo8NR_8~C; zS9e}j%fV{JXPJO-qo7WQgi9K~#G8oo27|TyAPH1qI^inCj`rio6(af#gRATaGN_h) zT>bOeS6^I!Ml1`(1=#MCBL)odQ09TMiHS9rngP`t9=84e!S z@#@63>Gp-e@noamaa%yNKryB0GL$LrDkcYe5`D;1-v`)h2al#-{{&~S4})Wgk4Y)U zWbnB4ty`OtoFXBw$NkWXq{jStMWTf$-^{F-<&;Rd2t#Hz!ioZgNb$s*YC|0 za+amo+xC&cH!=3%Bo}JG5HJ?$h~_QmoIX=ofPW##cfiYNSETDsIGwNtSX|6^kBXlx z_aRMUkH1ZJd%x;v#J^8kiXle4 z9ESZ!=G{g7-gA#it&hcan;)9QCkUWH0Wr#QxNl(tt|RU}maZA5p_6?T_u|RvWo9wt z7ad&k`zhkr!mqu;k!LJ;$_Mdu2@ zOf7{r;QFq~<$A*Fw8OR+{HS3T3ZMO>h1TG>yRB2;pU(0iE|aAU9Tq5*JG;|}rGA~=o1`N&u6DV`%{J*FtpIxhYx6K81S?561yN3S?d^279L=f?HAH;5I(LzeZi ziq%UXt}}sXnOV%Zz1STi{VOh~Ab`If-JZ~7(dacc7yC4kx3vDjxotKEFwkpli3IKhs*QKlrFv^o6$e5oswBxOc~!`~Ec+ z0VSh-Hg(0?Wg0+O)#-^dE9!tFDbQV}>7c!zB#}FfCu{|inQX&n)|q`ca+e+OhT~_T zKYw4Omv@ZG+6`qt>y$QJ{`{Fwm1c;M@e zaMddI^w138C*PS`IuLavvex~ggxyPPPxGXioF87e10F!irL#NUe5hobdXu_~J$fE) zdMg>63E%K}DuFk+lpaKQvf29;Rnf+8w|s?WFf%)Ik)_AP-FsS>uJk?oRhvV-=oa*w zSbJIvqC;oB#CTF$o2u2#GU4N-y$VQ)qw9o}#zu!;`32dA&J5hH{9u8!s<)jA3^E%R zGE0#2as$l{>4ck9VS>|>EI0Ow-l8twsAEu3L|d;k3u6qLl*v!3kfBlQ*xwWJe<5_* zU;C@K29RN`m|<<0#k~9y z+2&t0qX$X0WmKDVrJ7go&F;#FC+gEdN(6H*ISeAJ9#gF+T`IjJQ3DE%;;%eOO=8_r zk&od;672i7w-z53A?}7TcSCanPnZc!DPsvdG9P-CYOQDAcQ1eL=z0BA0@XAeSBhD6 zqa+Ncn+V#b5d87sA#rgfXKscQ^bM zBMV{`P~uAg@Fh~$aAodFv#4!UjDS{oW1bQ!?hyR z*p9fASx%%8+mza%uSl-mfbZp*Z4xz&rm7$&;!-=*?rz)ss(abLER-O7CkX&PKbQB@ znbx0xu*+@)K2<(^n5ExHJ;ZI0z6x^}T++>rxv zrILw3%)j+GB@CP2fJz6g1-&K-p(ULE!r^a86TjxHX6qhp(y;}2aphodkMK4@Xzg|C 
zr|MYuB^$LqK=VA9AVoIxoe2ti{>s}>s3SQz7oVUD*--GOE9Gb!4$nK_l zglJ&Z`mo41GjL+a!&i6Wu(i@^@qpW{5!Py9Y=u}#kQh`eSD8pbtXI;-q8pZHXhRTW z<{^+}BLM+!JTt9VlU&4_;8tl3Cp>^27Qi>D!w1WBN#V2{_2-}ZE7stDL+P25YGidW z5t^{(1F=808Y+yd(YlpK3fA|jB|?IEa&N(_T)O(akh$gT>L z*0|>JP>&6^xc=`vd;lD4?6}M0e<&*JI06~^cnNPjm3`QldmSbIC9K|vq(7a~;KtXb z1DJpWuWU=~VtVDd!CK&}URg57AnkxZK*t%}9Dp?$Ob&~j7@nG#Vmd*4F0}-bp+t63 z@dhQVOZ}W4GL%nT;q5dg4SpSf^p;^Kg`&MWEI>VP)Kbm8NJCSFpR|aeOXFZ>B~Cl4F%pvM^^l)?o*Kk{hw*ovP|TJiJPk>%kR6A9A!#xAw%P5HDz_-^J`7YElqA)P zI~)3}30fwzqx*tVJquZSWt4uLmed5DEbsKW5-}ciR%lY6{h*8MO{MF!^%xL%^&ov1 zegyA|aN|a6QiodCkI;3)gG59sL*dAnB0gp{;f1v-rB=2P&~A z=qBFG&~7q_ex*k@jQj`gQ#6P2t~a^i-lYk)HY4}O*;2Dq)G2G{4tHY-Yq!M+kj`h+ zq@6;LVSh#adK?h9fMqtJZ}KC2VGSAT7rQ zKq{d3+C4*>fQzYwgjv{ZLZg0xwx3wn1tqJH{ao!^D5LM}c3IOv!o+!^!Qf>X@?vUK zJ@vZJwEl^7{ou=_)vljV5^VrEIfD@FXKRn|Xdmf0o##v-sau(EFNyI5O~*13=N5t^C^(IwSj;o1!KGv8zbU1D5k} z-4_qA4L=RO-*Lo0cfAUqXiUK$?a3m)0|?J~N&2T!O^Oy#IHg(emVV8U>`uxeZ*iw6 zT=?T4!LQpT%2N5iU;hOObYre!ivp9PT=Y66wOV8JDRzGlMv=Z{CHRGq5)3n_6bRY= z=+EDI^gHD97a(qm?87NmMpTHyhvauzpGJ9D#n}_gE2NJ^EHr8b9!%at&j5dO{kv%V zy{Qx8%{rCgp?kJhhd6?1A1=)Oj}^s&Z3liKti|pSWdFOX_=~C+8g&Ll%tW;qGWg@yID~fZ__#PWwgrkX zq(OjQqPxbku8WXZ&XUhg@g-sD%gb!WVQb$Wb!-V1tUn~NRCQpDkkJ@BFCI{Utn5`qQDaYRW<(Cdjc9G8j6(dHuOc(uxU z-@rhw#?GJ{R!GW;^$US%T)rU`$^0#3c~A%y-3|*HG%3#*B5gBiY2Q6zQ8#^*hr5gD ztWPS$xm);Hh)p3KoLwHC-*dA7p(s$(%fF^3Tb_u)g6@@GIC*!mRY}nI2TC27cM=~! zQpoqbAaV+ksAZA?%1jhgc1aiTjKF!zgc82-ZfvM^MK=dt_(X5 zo_R-^H%2ySkmc+zzvVBT^!Y?}aCj$31Rn3%+KezpGRL;=RUDuQ`}fcE3Czt$AR%1` zeAxk(8$`|qFH+acK7x!C702c_4%r`ZA_=G7gy;&vZu}L0l(4%w(st4;8y+-ra7`CBoYepC+cI{u~$&jvc6!RgC_q%XitS&5}4c1 z4liV9FUfW4_p_e+J;D!shQrrHZFgjws)_aTIJLG)9zYZKKfyr+|$&iFWn`rW8S{BeWT zqM(DzGzSKU7)(Ol!oIBLB~bifUGt=Or_b2i_T~uwD`|Y{=+;Dm#sT_?Po$b3vNQn$ zY+B<5&W2F|Ae4bifEK{J=B#}<^4g<&Op2E?5^G`NsXQ3Xg}3g$-EUId>>L?}iG_0_ zDW}*K5GhV21>mSRk`H|VpH%%gdcY+y1zLN+Y`ePewBHEzt=I^_cBsHyB4x-C8kYw$X}f-g^g z-)h4b^?ZZm%>H?0ELT1Va{Qau15EaZ12#r! 
zvaM27J_}IAQI!Y>^-)Syhl*D3n$DK3uhj65d!w!!p$brw+7Q)mCgNx`CM$9qk#KS+*ABv7%~K0*((U^|GIB>@nNp&{OQMJDQ0UUcd7) z#ye14JhP=quoT51;1e0ff4~fRrcW7GYdnmoqxArNL{;5uW?z&2iZ;8oKzS8;T5o3V zs%q^^(4sSx{4Ifw-_+5loyOh2W!8!&l_YCGCrcI8WOH*&oWLQ-5OmMlq9D*=7q8&m zC=-l=>uv%J7mE9Zpb|>sWM~J$)zRyx6~lq{?OT7M>*`|%n#%~GP6&VI zD#p%%=#qct+f?NBC&42^0;77Ja^y>|^auchV||sGngy{gpAAzeJb^ri`fe1QUMsN} ziwt}oIj`yG?GUeOVeW%C#~t(R&~48LyGiM(fXFq{5^ZNGmx6u>a6eD~5lTp+KnnA? z^2=S}5MHG~(hCgUS33eU50Fyk;!AT*F|%69p1cL-@~7|QnS`i4>-)~|83egmvDPjO zB6WC2EJD_N+)gU2gpWT-)H4TO3kYuu86;P%eb8@yaYz$48aDXAbzlNQ`Akj|?*!QXwbc_i(g12G*+QF)T7Q%HguUo-zm}ncWA{$xoG2Ls;2C2Z+ub z!`NLm)sjGu&z{DyE7bfj!%_0a^aKUP zPCdpLPia1Z<3RT)He1>q_jWI4VK-78mQ>9^x0MVcM(pu>;JD%OJuY#j70 zOVhAAL|FZ>ewJxc*St6_#;6^Y^3g~yhYem$@P*3II@w94`$AgU@T@(dv(#?N7U12t z>WEYZHml>WtYI6s-4?CDB@e^?@Ivp&gRL0VnbGRY3i_*%n9aH1I@oH+I}DG-;RofJ zo~Y$Ke57$m)Gq`aZavl|HRk0pkwZp-n6tWm$^d=Jn2Rxsk`(022Cq*Dsn1@Cu_dFU zpWQcoe+5LHvy^hZX0t0e(q}!=Y1zMTQXLpuYE;EaJT&K6gpn!jj~|?v?#=#WM>INv zas?w|$%OjpDG}X*0TntuFdNnn$RquDuQ`LFe3l1!aogh84{`9%LR~^G=I3Dpdgx7? 
zgO}Q%582G188f)7?NNw&FUHiNu>!$td<60biPF!#vaUoJuw3*s{)6Sq(XyE3Rz!(e zd={Fs*W4y3;F<*u^eExWq2=E+cP1=B5m;6rQ&_B0j93W~k9j-^*>HO#G}K+Rf^Q-0 z`krn@Ux;5Guddc0Lxq&yB$eRSwq!!L$amS0Jt;@eTlm^E(Y7JNz$0+)gS{XiaA?QS{J7U_zM&Zn5S^3AT0hu1+k=W*%vu z+4LLU_=NBCeXk=Wa<<~8Rc3-9iLQ~Xj;$Lwb3Cx>1NC>$5{ zR8bkPIr+y!cqyMC#|X4s@tpckgIYa<7Y~%Fv)^jZKdgRi4UJzy_voc9wBYyXn6RvT z$BBwcS^OHsXw)Si7fX<&+!-V>VQ3a6o@H52N+!WvaXB8Jr5V31bQZ`Y-A=gB& zh2~1P*L_?8>=6R?pOe?oe6S41#k zo894P(B9OS^nK`lwOaV~lAjMlaoGS4hfI-L2PsEmYiCDSO=nl0FZ4QfgzR;KiX%NN zz7>%~2?8u!(@sBcJV;tS$%X<@X%NsWNlikiM-%-EJhepse6$wohoQ z@q!o_o#)YfRFUIs$E=HXdFe=7ocm?rdyltlRzVzvENfPpNS{fdS0L)L7_=|vViMec zRlN$Ao!|Fm(C&kC5$BG)bB zYv<_-pwP)UMY$oFoP%RXiQ2aVSq5@N-&HMp*Vb#uAk=Z`eLPCLWQyB$f;5x2LN@TT zFF?bYCoO&=oRkcyMj9T~m&u0_l>!``J=jNMrv~fOB_$O;V~XtA>Bu41UF5`SOw~F# zqoSeOz&x+~0-x>xj6d%=p7^S=te5q9e8nOcsVYj`o2jy!@Y6CQ>7psFya+D?1iQj4 zjiA2pLX%IJYHTG4cE^Vso12|71z=;!tK*6!iJpf`MZkk z;?n!yEEvTDmm}n8kTriH5b@nu)IHF)%hCQ^+hD4XQ}l2s0R%?lBgjQYPI^nV%iz?% z@9!kZ%Ali(zZrX239y#00G`=h(RANTgyW7McEW6Romtu^N}pZQE#4J!E! 
zpVPKh)Wc2c1O(Z#1AT$*Z+;n>s@2i% z3?Nf0M}x5;7GH>a`=G<#bC=yEELe(ysGB`&sBZnSTa*y zO*K2)XKv$DV5{F0tvho9`Qq`T!ZB@W=J=I}zHymIx~5R-eM&Vgi;RrVOQ**v*8)S4 zrm3+=G-spTNjUdVq-JVu)wwm*xa;n5)anK0H%a1(Ge@y+bpYJLb)tvSBoCiu%4L)V ze8tZ_h+rEtehR{gr^NMN5PjBT=wly^Uj-hRjpwH2ybK%@B*q8bu5z2JOjnIZ^&kCg zNfo!V!cI~`Ty{2O_ZasM97IT3kZG6vIUK4>jM7BLEsigDJ$f@?xgS_vM=PsIq~UYr zq1){OiU}=VTi*4PQ96stXZFg6&0lM87asgcIFksKLNk`pWUL0VpaLgY#A{m$U^~hP z;Spd={WeKhUY5mbPnvGhmhDDR{!qmRaL!gs`%3MYNldg+SsVl>7|R~fBmNBA3D4L-Pb@r zLN%`4LE0aDy+50;?WJ&ZvW4wUBR9uw;$y|V>&1$aI=z|4|H@t{|BOE3ziiV_@~8i` zC;WGBF6P}wu+3k*7sLm`9=AeNG!hIx=fwic>>GGGd@*M@ZvERKN#J$=yytv(UE|r& zaG9FF&t4P%5M_b|1ZXKm}&eNz90ZP23?J3*a_au3b3Fp{!PB1(=>KYAzN}s?gNoZzpc2 z_t*kg{5}e=+7@L#z382PzT?m8F^}lzEsPGN>=Vzbjd4$+h^#Ow)s)}wS>n;^Ge}IK znp9ZXUyhrL2rFkuxwxaaBq|@XU60Cqm=(slocYPV+oZ(q@x4>mQrH%L1dzn_!x6s* zr!dj!k?5eeS_eU6#Ez(a^Ixz&9cDTPKbZtlepE04sEgMmAjA&JiYBKoCA)Bdn5Bbq zK6V&|KA&I8#i6(;zMp0aS9GMUTlv@oN)Kuyu)pErj8)u|#^eKKjx4_VWbvdXpdqKm z%d^l@M4*F?*k?-ueCm+p>rwRl8-Yk0d+_B*jRaBU%RLE~Ul?9xz-TNC*LOHU($p%5 zTx3Gsf|mgej|WLz*b>`gp4>4C6Z+uG>U7XKeqhD`K0%Rxvz9X^L5|F6@XmRTU%119 zBy}#I2mV|wIok8vvrf4m)TRG0jl=8_2YlQ0L`U#YlE$93FPZ}x+&rx@`^fKZAvl-! zOWzg21CeuosUK8DlfinF|X3sr7t_LVg^ZHmd6Evpf7W0{Cm=MGx8U_9+m z2OGMd2TY`)k+YTlLs|DaoJzx(id>bZ%<2#S5f0|&>4w8g3nWr22qY3+@vxh6JO`T? 
z`mvISySJ#yQUT}=HVIr}llPkD%wf0mT*6#0+GVvnzQZ<)?BF1g?`kpR+N)?!q9UtW z9Wfbw@R?{b!`EiNIL6cB722La{=hSQc^7^pVkd*CT}(@ZM9i zI2A@Q!Kl|GKm%M)<-%)n)Va>?#+J8?(OWm!2aPGYmB5%!@q}Y=eh-;l-zLeCaGhuR zy!|S!$MBw6m#6TY=OhhiTSPO5YXEtsddku>!U-=q`-QRFB&O5PR#~&Ks+ffaHe-Lx z%8jKTkhO!fp106%A9@AgL2B!eHd**&dAE7^#M#E(n!_V_jmYuQXL9GAClq&LfH;`h zg{Y{3x!MBK0I`)AU|(PV+4X`C{B9^D+kr5<@Ya?Xj97_zwW_|XASNzI*Au@Xj=CXT zS|e=%sy&UF6|~x%Dr_f99e&ynFwXI`EHNr0X2JwpR?_;1i*gEk=V{Lp_gdb|%ivyH zR~$$1^S=g}pL<2a`)3WMvCj<5l?{w`o*%Wytghr&`9lQ9eKT;MZVv5Ek~K)gqvQMAS1yZZ^>olAh_mFb8nHf?|CmzL zeu|qm%$;N5o5nIRTsFZEv$sJjW!VOE7EyDKL%r2 zw6NS=H*Oh5@^!y<^B6sCu?mT*pY|hmF6{=DWy+zSUEMEagjKA(nB>fgVPFcnhT(8Iop(o~7%&;tr*)eUXDED#k~-$=o1b*QY0$ z*xP4IXd`8OzxX*ohzQfWt~yO9DdN&UL)(oG*gnu4Giye;ZkP~;ECe&Oo`THAvE{#u z-JOB98B8cL>>w-@+P&c?Ovy|=iG<5UDw+F>WqEQTL|}9}QFHo3PCq?NHF8Tz_2_eP zW$B@b!X+k-BeQebh+rx!rhb&6Rd3I3;99|^t{X|CttJ+E-B^C*yc>yDnCLt+Y?-h~ z)Na@=9x$UMYRL9Ys`_CJD11fI*(ywGU&>C3oybIr3HT7ib+dL9v zo??sFkE~81IZQQ$LokqE_|ZtoFd9P*E#&vHwQFq`)c~8v_@jbrU>!x}%^mZ7qniXt zL&~8^@ctN6Jhd<(9dCza5F0bQ=O+;l;tPA=xeEsA|24C~CjRS9<^N_&{QrDB8m!n_1D+4Oh@*-X#Jvt@vVw9?&sbY?QWHPso6m{b;q(@0g}k1TxJF3O}=5{Y|55H$JS|Mr!fB#U;IN>6(J(@;y~A>JE1lT3b-- z*!_hu)OYxBpp6AOWhD_ytVQ8}yT!Zw$R}x-KKoVjVP(3{*J$1f%?UT033I*{(SQK4 z;O2vm&Gvi{EBkNPu{KR)(<^-}!7JY1NHG~e8Q&=A?TOga;mz^sursQ1luETFiDa!R zlYxTA(PnhuEDfdp^dVkzRJNAnd$tuq3k@NeD7bCPWpL$J*qR1-kVRk>Gm(Dx5|@F$ zT`8{J%b&WfBQwGG6Fr9W&y$X|`?myHP_$LjjEieC$_)F-Ltw$t^$?kwRLV!A5Otan9EwU-SO7z@ntf^>Nd<`J9tFqH_<+Ul<>h@R#@`W;Ipa zpzKo?PPO7WZ#avd;u$f9)!5Pf;1rJ3)W{$NL;|3oh%YJHA;Y`pIZSDMei%!v@#&mI zQa{8;d?v|oi2RFWby_0hgkm)nqD^f%6v8O=t2FQMr{pRt zc{DNe@bJ!*%_$p!ip1A=NF(c1&3i{i_kg~$9d4RjvSQjw4^}Zcf2NGY@hMa%(eE(F z2-5Q$aBO|pR}mfSLmcB)Y>D@&7vc%tBPx!J9c~>qWDbGd(034D`KE$isxU4?d%F%v z5l8(IVbfNpCf`swGiz|1&>nrp?_35YF?Ym+%JHbNvfQ{k0m6GNKxDf{^UH?4@2N!C zLSlp1i{gI60i5gc2DjyESYr1EK;4-Bu>7_cBM78dhIzz{W9vw?-G`3}vE8VUi{O8} zdzUS}jy#+sKe`u}8px5~l4XCojM4%ht{zs8u$=~t3KY@j%|rL=gq<_8c)M5h8jjdS z17^Nu%%7M)1`OyOU5`WbCcAf=G`M9+fGga;Q|;GakN+Fdr2q3A_WuK<^}oFdeXPlU 
z87hDF2hVT$@YE02K!Z0bOm&8&yQsS|s=F-u&jRo=T8vP)QGghcsv=x|H_{)L!I4Eh zw(jn$+m>5pIoU=MO<86Ml!D_u;iG|KT3>3Whsn0r&Hd9!GTl z&)h>W$gaN6j-A{oj**^|3FH}z}cnYS@H$>QCAl^q~`~9@p;ui)G z+Kg87aG?1Eb^G}(_$Be29S?g~Etby% za4f2hE5taFDM`qeT&F=$1J5tslppc$lB1RO#x+mI)wWkAayEeZi|=cort3QB zDF^kEk?a!$@0)6QsyTxWxB2pD0UzAR6WU0G+MBcQBb>Wa%xy`_e)m1t(~0jOzL-ND z&lhRQf4<`+8*mBCHId3c^;~hB#8!~&kv=wgYIjq;x7S75@x!60w#4diafdQtX#E&cg1w0>g4cTRu@p3qCZRFw`#|=l00<(_jLAfB_>z4U zSbhdlJq?#*RFntOA6)QwO`rpfX5*Hk_e`Ct)|CBPr0OZ*ECFJ@;x!~@DcSI%G){h& z-2&rw($*Jlk0=S}`FgIiipYi?t94b*(tAs-HZBr3FD<+ZzXxG7ZX65y$+o z`WchSc?&1&87JG_B$Gqi&oei5j^Q?Tkt{l3fcc zD_#M|$sF)-Oh{@Lx~TG-vn+?UJk4x{IfeeW7hhAxoxk_fo#!V!*zEcl(<}^bZg*)@ zH}EZHxVI`9I-#yP1ALL99$YL^9|<@P*PeXLO)Gvr%_T0%i5G2x7zVw&Sr|GcM$DLh3iheL!MbWn-)4Y){{J3SoHJkV@#4bF zI8OrV}u{t{mkWwL_AyMAf*bi zYBVPcJtZzF6=JDZGWbNma{sa^j?L4Wp=@H|o_pXd5OTRa zLxmUBAUvOeOQJ6R3u8iocJ!JNDx_T;6M-_Vw*f3UP=~()2P?gd!Ks(zbnkdfdyhvD zU&+0nLL$E*-3h1bfZR&s5!nOsoz!D5G^BO5Z9`^j;oL2T#MZj*Kcnev-XE8HB)m$B z%TH67H)T0^{*A4;8Vk;w`dZAtc{xz$4w)^C$LGKye*ZezbYkV((?=B+Xp`Jm=F&|(L0xiet9#@ z;aSa@2L~)Tci()4^}%Z5y)0CsC~6J>4=&XQixR6hk<8uEG?!KCfh=W(oDPxENKC?= zH+6w&*akn@4IMauun!~3BmANPm0GoGL7jc%75;2cc3kE zxasux$AJ4g%yF17WcfeKf6xMU5YfM2^M48+{A-i`W)J&#H3Xgcr4^o4-?2OVofbUW zVixUBKH1%3nwhuI73``4Zjjo}6lGscL%*sv^L*PQBllLmU)iYJK}8Bc(F*|SmjSW$@BT?D2ji(1|pXZtCKOPdkbX$=&~GoIs~ ziD+jOfUm*?diDVwvZLk-*gd1emQXZ^#JfTxAtB@^FZTv5azlCob9BJmL6dyV_|n(^ zOql+Yn2!8zhJO&y+rL!N)x9dOcgbz{!AN=^v3h7sPw% zO+>&$Dgv;AQ8g%TwL6JSuJwpYiXvNtFoX!?TK6EVZC`>&YD2 z*RZuQ_>1-=$WkF#I=WR7Cjzg?{F&*Ms~7?6(WE?B9CfpHAefY zrh_5It>0`n1!E~|5|;tF8p{;wG6=MSaO)!Xbd5@nz)8K=Bk)=FAvh(=Y*9knF*Uz1igXXBbe8yfw}Hk#^H36~c7K*%7znBfD>Cdb zA6crV35B1aW|wR+gQb}!H$DIv7B-~;!TZfctFSuAmiu|kn>P7TuihNLTl#wQox=2& z_d)W*Z&$=!zu9olTk*{*#5620rd?P{D12@=_&BLB=0b5gYD>@y-cPuHZr#3bG@>)dkgUwlp!z(t$+P@$kdZ(sghbYcaPbrA)l`OYfVwO2)u*N652r+i#SwbCD@*Ui z>U?vmd61#aBlEFQg;6EpvQH)zA_aB>_nd}Tzm9UxJkL~2wv49UNj@SOrUF9=1RP(d zTz?_AZ?+ZW_{NqSrC!|1#tz=y$TMh;Ltbo3%3RpvXe__EJn%uI`Y)Q5a0J2%ok1wC 
zp6mu@l&hqG3b6`-E~nC))KSGJg>e;di#JVdRBJMd$hyt}0)c^E6$4I9*2 zeB-)tyB625S%UIyie?TavXo+k(2i33m|d_DXrH;~Cu@KF)Y^+?xo-nw7B#kDHV}A| zF&BZGY_mOcc2tQd7TmD5q&J4bnW)fj+W!mBxEh8EbBJpMU)_L?#b7Z0s}K-1i+BkY z4w8b6p7+AQdfIX?(D^55+u)8*XlSOJKbKm)i>U99*+Uu)YtIwaz!T<4Z0QJKR}_2A za>v^4s@&~L9P==DRL&!EHfA;kum;%q+zd=jCQgEbAuePSYV$dT*qEZZNQ*pqQ2CJ5 zwKpQKUY;;`d%92kjYEpqVxwVHELe_Y#+`rFm*5yy{NcSED0wH$6!DGr0V|J2bPu~vyqleL_+pl3A6Mw;C=Y7{^whXf+3I0fhEZN} z?lXb7AuYm1L*N8<+vpc5OZ%^7fO3+$EJe+A_n6&p=d)R;IG{MK?q}PQtf~jJ#&4B) zPssQ_#!Yg{9*mf=O>opbO40tT39){2nl6(>PKPcmHHs>JZRN^Sa!WxuQ{!XFM!{wA zREeCm>kyQ*dvxBR6S*`}6rrdM4mjLJ#Rk5jT$OqV_aHLJ*h~?k|1m;1*JiN3Cw$fU zFoEzJQ&hFQd#8K<_r3S_B?%J+u>^Cmbu5|Z?PG#Dt<$gfzo`0Bou$~*(U4$#g$1$^ zeF-*tk2#L{+H42U4P#WJBKfe@buIXzgB4u-XV=izINk!KcEOGvD(tMNiY`>7MW-t! z;}{7zz6P(ZW7+0LrfE;tjps1nSwUfx`_O~et7@TR0Zg4@9$QwsXEJUvXOXCP$;#^@ z0QSgGFRL@1pe!ySfV}*jyHS~j6Q{WslWQjf#aPKqBDU$+86K{u8A&5mdj-886fxD^ zC?KnW)`4u3lw_2-eG8nHKqlYJs1o*BdRNM*u!>D@G1W)xevcRvIgkakbUt>l!qj^` zI#DR6g=ZKFaWN5-mm6;-F@g8WkUT%iLJ7L_X~i~hY1O6UUChBFXL$MSOq~X$oD^W1 zEVxH&JD1ceT96af@J2F%Ds@ym>C6D|oZ*BFf-O(Jd2hU8H-Gr*Wjv0D@_~CaCEaW9 zx-nX$pSVaQ(5HQvIFgj#3F_z(xW`bc2-TsYM<7!tKz(dbDRXdt`HY2ycT}^W9mkxa zG@X>$H!bxjr~@7%QBmguGWr*WcnB`o>hkpa-DjdS8}7mU@`9mU|Yx z{R>X+{IyALLLJ9AQHxP;@E?fPQKft{{yxAmm!!cniK}0?y8+Qr2^iQQ;8c|*?U>pB zlD#Z9^^YfxjUXc~%z7EZJ5`?F?kWf-FOp{g_UAx)wpwAO`r(DCIXh8H?-SC*9!~v0 z=tthH(I@ry@6@4Va{hGj^!EjUOqLV`Oo6Z5lqk)|I6lRSz9UH_>;-`li)BhpD2HDd z;BBC(^=*|JJAOOLgZk793+8QBCB$THxj>cfh4pDV)TnD9{BQJy-xi28T9@H>{t{3% zrr2`)2}P7aqiSElD{j&{`wublpN&}mXJdIjT98HL0P}Z7>mMAlwThQd%cnIfymc#b z^ma@CuU*MorD??d7cSEu!3nei)4wDZQmRem6tb~9ZXZ0vTgaQwJ6DYy%=v|(PjgHS zeirZ#0igp2zRAm(vWyna9|mvL*Lt&;S@}ZWub&Y<-VbL&s}tr34ybb(2_ZjRKL=|p z1nGbQbuzp9Ec~R^@83Xehgl2sHj{0!?1~X+5%Qdm-?FOKOf@)Z_@twBi|VN6p;^u4 zYi}GfbpgPNlYDkITTu(#QuP?S@C>?brjk9-tiN$YlLIjSqiKv}mpQ-*KcvqE+vdc$ zk&oF=5_qdKf=+0TP3hO*5wa7VVJDlUe}NJoITlPG*WiS>key^>b4FDJF}#;Q@YzWX zmRsd0{d;r7r);KYzJq411N!Nx`+}a|noX;KLr6lxxj=8V?GwOm{sGbj!NyE5i$p5S 
zqXD*#V4IqF?%aaFtqD$8SS(zZjMBd~yZ=@Ih7Y8mtHe{5mlc&Gc5G^P3y5~Tl9%b! zYWk>-REnyMKQU{)wW>@9xYm%xBvB6tuMly#ky*USEYhFzc#gE}?I@;blPaBN$_71S zZlO>1K;>-huAo3^``U?(pD5q5d{0!CMSI4pg_iiqjo?n=uT^t$|F>gPk zbE-pjn~R=vHZgPMgO*iS&LZ=ZU@P%_A{b1V;%v;bw+zH&FDc5UcLKU9T!u(Ua??$ zuOGm%hGh?lmY5h;szxVp*pVAGUKJnTmN#>$dc*h4BNtESp2q4u!tW$c`ldjQMxL@d z20hmL`xY#nbc0*#DBHgawk|&@4nTVgD7T%CSuFjq(DHo~Kv7Ql%DCQuUUN*}{wBB? z;ay^`oc6sli96q@5$4eGzVYG_%1JHx@t4adF_vY{yzNHJ->&*Tjh&`_%PY#rsYd&k z%apZmevZC%_|ZwMl$tPjf+@4xcKar9R3_8R(TdYsPxqa7_<7I}{L420o6nuF=nYAe z8`aDo;wy2p;w&wErVRV5##zb;RE?RRSB%|xj31t$!dn7k2-AXcek#$<2kPLm_90Me zmZYXyg4(8O?+Zn_NM4e`@U5_@M_!Tn?62*TYS%b<%^1*{NNa`hEAl{t=qGcDm!OwF zRTiGRJoHizLRx7m_?}t;$4@)ru}`O8szsnxD~bP+ZBD!TQsTw-!?@hBuoEwLX>D&Nq;aW>L*=y{1bROY(3@yUd#8d4J}F!hL(@FNPX^u z0<6S?ucKJi0Zn(NjsgxWeW@FwGE{Droo~naU_Q3&iLM{RCZ$T~$#chSb2lWV`Lnxj z)ssu(`P+C9rvaz@uo1!>Y*~wKRLsxYaT9Pi0(zQc#!Q%5XvIjwDk%C3|0*#+v@;>EJ1gQaDorxi!W; z3}xA8$#kiCkzy-7GiA8GI6tyT4Z6ShcQ)&?bS=H{y6URX4Q`ep&=W*7pc6UkerM{y zyIQ6!R@Q>kFB|V7tnd@=sRgJ#P1rx;5A3`HXL@bxDQ+7s=Oe}f4K&f|16=i&JQs48 z-oFDe9=aFRCv7|Ay(DVLy4AYG4YT|BQRI+cr&tgIH!2FTJaq*ns>EF=h36A! 
z^Vt{0DqHb$3~9@(@~!sHSd^xO!0Cg7drJk-a>-T+zc9E*Poqk6B^fcq-r~JiA=tVt zFz;RM4~ux{cHWa9To&70xfX%=0m{fdxY25Vy;~btV;glhM;CwcSncoun!S6|5#c}U zdOI`}y1e}hwew#eLL3w-jY3P}=35JZkK1Nf_yR08;(5asX*He(` z2DnW?i*i}HIQ>WcWB=^cGl>_wY4J5PislYX4rODuEq%w*BbHP;TIToc7;Wit!~$49 z`k!tAR1`g$CWEPhMl2Nx`jYFx+m}Mxe48|_G&+W}=aE+YMbFFbAL3Rme5Q%>fS)lu zDS|ANf}jz8-_ivx2ZQbsl@)K_sD}S^S-|>-{@?n`Ni@H#BEu{p*@$D|d45h-qXVO3 zP{Mr0GsC>ITRG9cIvX0y`pYD06MFi;(ZTyK+odzoyU6|5-S%%Z+5D%M;G38Ku6W;n z*-ih)`hY*&!vC_s(efyNSz815&5zMijQ?s$Z5Kw(naO&1KI$qU)tElDU(11HVA1~+ z9)?F7)Qo)I9>)Y@uO9e|{Dh?-Np_n8W=bdITkNAZ#2$#}x zf*%PpAtor;0>@>5P*{G?>=p55&F>2*BRJub9BZ*(jL_yt!y8A#*EGqBhqS{RdEktt zIrOMYx!>f-Q9IWhMU{6i;T0wWip(uTI_4^{C`0vCA}vd}vXQ|KWQ!5b)Sa#$lR!!( zno*0Ss#VsaQZAes!d_^pwe2}`blKb-+;mEByg^q{5Ra&YYWEU|jw)w?7EGvacq$kC zSy_zR#S-v|xCJb7L2E0B#1)OW{Z|P7Fu(wtKEcsI!=q#^{|Kz36IWBT4_tAb=lY%D zw_@aPL6oO#9_@EDb=;AzD%VrrpNV1&=33D-S1VO*iL@h3rFl=&)v z!2fxHa-ihXo8<+^sYF;Q=tHy$PSWDA8Iq^Ls$%Xyyyyy|y&C%#lkpy&GO1jB3KExA z%xIc61%o^(YY=g|NzPh{(gLA%*(1jGJ@g`Q_DN{M=8*WL7jOI_{w3@yJ^{B(@yaVG z3n%#T2xF?C?LI1S2$*ctjOIWmCIrQg2|9Z?w1vhU_Ntpkr;`yTy@H*&Y*?dB;!5C5TRIr$TW9+?b%W zf{IiJ`WF7UMHsS02dZ~aaG9#Y*nFTIp=-H2cpr9TsczQH!=gUN90&f@`+p}O{Hu-g z&%>@B_&<;y{cj(=-u->r=y$L9`2PfBuSJ^1=j~r^aC))Mq3lHPos|{0=)XE`m%#pV zldi%Jz6c{S=2~d+baa#bM&6VPog6g1FTzL*O`9nbY^Ub6=z9o=ceE(EosQ_u--$Bqm;aZ=fsTG;^*Jf9;9x6ckfG(+bSdY=RlKDxi!qU zwLpQRv&h@ytn>zYavgc&$gwkGABwncS4s6~*lbbOl;JSLzCF@Q6yZj#$+|@CHyvFz z359Dy`)Lwhk@BKo z0g|r-FwPc4oOPi%x)b>^r*8-M(f3o;h!wl46bwPUCRy$`FCV9|7qpaZy@ z-tlDP{m7zfU*PdNIRul()hHMMnbT-Itu$inJti3LC^@(1 z6`GzqLMu>mmC+^0qDIv;<7*%4yP&wC@sZD5j6f_9{B`Gf%EU(N%{3 z&2@?vA)oK8@{lVcK*aV4ddeRsDW;!InQLMloD!`w)SYSiwy|nYv9w%3N_=acqjYJzd_F+TQLb*8S>v9F*ooJ3AO(Wy^B|&lJ)<-rQ%)XpP&7oE%v98I`-Q(`K@M+ zb{w|;kf)pAqQD_x$K`ahBe`T9F%;NbK6g?&AQ>1@K$k4pA308YM8?-l6Ejz2mUiPZ z_q(K0MUsyX`Y#aI&K5{n2xSNzKI}Prtg`L4IM-WTBVh)Hw*8h-GUj?}bVi9lR=>%~ zRM>Hwfql`D&{b4WTM-r)4mBI`@=*^fdF{buzY~A%Kv}xa2X5lk4PbBEKh>AJmc}iK z$JHD@(_bq2?W>&p8DhevV2X<|0Z7fO^IUcU9Vo>TVAhWnAZw9_%kN)rvZ3OFaL&FD 
zR&0;E5h_FP{J<)#espbq(|o#Y63wZy6iu2*Ed~)4uDuML(6X$Jga1&XHYH_*BpY9u z&?np#6Bj2G>i1X1%J19KOIB9swj&1;6!uUx8D!@AXU}lYqu!$>n6T5`;;x?@{lakC zPJJu74E)5i%!z9}=HFO<`vl8sx?C+hF%{x9cBU{BSOClS^s#avlC^8I<@XZ1()3or zlUM?2YFjc%3KG7mP!Y~v6|-UQ3Z3XRgsmQfWvp3&uA=u%u!+P9i)ccKbXLV{`mz&vai1AlMUxuDz zqq~+MrS9-56R514cIeu{diQB$n40BU1@c4n(Pk!(+3^V?*S{g*V>nSx9NMO@|xO$_?z7dHEGf*P8E>N!tQ4px;W1!1Z8AyPXe=uJg{** zR03lxMrd7Ps%A#6o49(qdjZO#D)Fc9h(Av|-c*DeQt@qi;D`8AaJ_wz*%nb{@Y@7pO>l`gAZ$FWCNLngHH1^GSXNI~XP=#H#Mg(3B z;ZY)PIV9#l7tYSa-f4}_v`EN`BKyh;6>Ya%iOQRFy|}D#%x^gr5^WKxStX*MT<{?d z&)U?vUYr$nr%H>foDHAR2+ z4Jd|`ng`r)?_NBYZ~MC69AA+>XFFou+KhkTXZ?9&!mP^No3Sgc16D0AY{=*^D|xjn zHJWY^5rgKwr=qew?7-ckwITQmSFAzzA2PW(8;P&g!$sY;xJTJMd~qowB8cVo0B&S0 z%WU=#t8u)3!^V`)a$ML`4PvP}W<4pp=U(0!_8V~5hU}n2&&NJCGecv3MF0R6hPHZ$ zCf6t08G?6VMC?**yoI{5h}k0F>;O}rA%GGW5DzL6+N1F?@>FMOdhclwvI8pmND>OB ziX`{+TdverADy*wplWwrY)=wJ|fukZ88vWGXX^4yVxk|L9`op*#Hm&KH) zo)e%U7zvL;`Sf&Dwi{%xMvL|UBG)8`W{Z2yf{V&ZXliKRGrj2qS*$uwiJExicU&ID zS}!V0l(T;9C;7U9dEb4FSZ&9ziGb_CPc&?(Z|cDP%KAD_TIk@)AJA;bke$0hS?1r| z=*C9b$OJl8s1(_Mg zFt)q*MfNc&Zgo$Bh}MFRh1uVUho!|2GR*s?J5zb+Gx5eJ-)wozLs;0Dk*O;iePP86 z=cD8Zhx_^?NH#f|Mt#|E2)K%ms5C39s$Z7?A}ISXE3 z)}ssudM(ExAV4c6}Tfi)%WMaDyUalrFuvHPv-oD~qvZuGi38cx~JM#z}5e~uqwmIR2sZmxnaRN(}>W&KA zP}J?i9^jaVFUQ55@SP*F@2qbSX4}ZxqdGEzgzN*q?I>k^KMh5;D*liOo~efV4AoB( zAt$aS4h&(Z@&-i$XD>=~qG}iFZ=^@a8akL}BVARZfJLYPN$Ux1Ib`O0@GerM11iHl z7AGO4(cM#_4Yp2{M0CI1SKQXTu|?kSPVe4!;H&DHl^kMinV#AgS&k4EGs#-)iVPN# zu5c4f0A%F2hdK2Q_+Q-7#&EY^jnJPdiCUKYI2f@Wjb~9vs^o`v%8Yk@61ae8=fj_T zHi+#$L?Yaxs}!W^W*z-1pt~b*J79^sEuO6yGXL#tQ1V3@0k>JRL)EtU)Vh|OD1KYZ z-JWY^kTUNj?dw^;M(w)9P@wDEkiGjMX>NXL%HDym`e{Bs`zi;>=nFVy?ij7|YD_X^ z;*{qh*B8zlXqs!uF~ag3NrG7Yn1sx;7w!5NXZnUU%sQT_)O4nW;EN|+imm9c`6(8? 
zc(zYSL&Oq_mf-u`6aEBw;{TGxzmLGf4iNqhVl=SXd!@(3TKWm4x#Ddw%U9=DETOK4 zk@}4Gp;-R(S$P3)jLp;Hf_aJJZ=aybPSO5TH#pj01B2d2I+O^s7{3%J~L)P+ipw8}|h^Lpb0o{ND zlij1<37#l7EY4c+pqkmm+jmgKc&0l(a0B_n4~N@pX|Gd=i*;Ac8KLa$+|_iUNrxFm zU0QW#DqmymCi13RhQv>z~(0nl{}%qgv~Q zepa@*A9LaoNZimmr&W;6CNaMpBN+RK?feaDkdO_@*OUeBO;C%~*IuvHL7sXo!!R^9 z5)uBKLj@YUjlA(E%J`+|-v$vhE$8lkYb1RpC*SZRUkRzA3%1f9PyGeYNSv5*b%2MRw4#(9G`x*O^APM@YM|8u%<34Dx zsimz7s9BWx9D*w<XSwxG3l4msQ;{P72jZs4 zMbo&6)0Rq5?!nF-L%v&0>tOr$pfy^3pA@*6$?=ngVdbL^B`{}@Qz_*H8wMt_Xt+ln zw`U9^Dxk``0@yOO*J8hobeAr79hc|!(I?RE2#YrG7e@zEwGa4aj!-xpx$M)Jt4@9{ zc(rv*SHdKaC4toEg7DTDkS}a46RJa|$ghZ`A-7;-U8BqX3G(n025S<^r++H?IcvSp zw~Zdz4hem`YrEC5qPK*1+FoK~)x__l`7TipJT(+<`FYyU~N7{2aPXSet-Yje_}K+PWi#mI`#QD#AfmYLkYvxOh$7Whv}Yw z-)ZcOFg42k(EH75!G|od`OsT~gqQW|uO+z)v*jOcTO=M8Xle>~tkU#_+sq(lZ`XH42Z5k#BH%y$(DR()9?>Jp_}j56Xp}kJ z^lipB(gGw7S0E`VFyNMirZfsoi}0cr8g+5c-J|?=Yvdkxk`)FCEqv11MQGx=QnImE z91&cAs?0q+(8cWZYT7GcePp^LjLGCXw@8?KaH`338lofTj+8k#LQW3(6VA_PXA|@~ zgiw}1ch6~8Es{=h%G;Q99>7zyBf~94df6?=R=3#kmc=vENl9a?PcyHD$vw#M2Q-N^ zMSr$Li`hO(v~KUQ6jQ{(ife#my~?I-F+`+%H?Rz(%^Dddwhw0u=#Py*{MPl5x+p0s zy3m3V!c*zJ_ykpE>vN|_^@w^OS&)6{Mt1o#vI4zlUEIG zuoZgPBHAUDctKUK@rIvR0!QprYI&af2W@#8O}b5f!+X=*Qk%%PnyQ+zg`}Gho;`O_ zd!LS1?4NbEBnvR3ab6#7?RPAg>e1P8vvWJBMq3<-uC;;>#-kK3 zpYju?tyl58=uw~>C&6E*Ap-6NGrFnCAvWa9U0?sgm^veSvovA<+Lkk_!8nR4I1BEV z_eC9Y`hj{3ofQ1n=gH<92I#MUlKV7sgJ*qs(-yTZ`C~ziDO~9XMxt9+q^Nbm?o=Pm zgf!y7|696kv!kTT;)SELVJ-~+lT$wpG$8&RVX>;q`QaT%$sV5@QpLZ;P#GZ(Tc^*td|ZkAHl| zr28EW0QNMv2m?Tc7#!WLYrA%~Ka1AMK{Uou%exiGVnwjX7><Vq)GTvwh9|Ts=QktbYU@ ze`z-3l%lO#D}I3Dbe=!0QdaRZPVqiX((~Vg)wu=Zus!wkpAaQU;bP-TPjq2 zR#T+!O6)BT*QPc})uNWz6@Bk2IdT%`SH5`s#ba5UcVCXOvPDux&XRsxS7}*Y!982< zUcU8e%daQF!k3Q9F}F`C%C$|B=*mj&X=z-Sp7nF*(<9gZO{#O)F*)e`fj2L2sV$oR zu>73fI(v71(~rEMVe8}IVe30=%evcy{>Gc%+$*w9M#SQdB>N@Ti>GEOEWNpD-$cP& zJKbYSJ0iK>{@%Be$NA9NsXvaM^L%Zu241NFE)(}Ff7TdI_lsI})%gRrUjvJE`{rXY p`CN}H!le)GxF>q-!#eZU!adr(56KY}F}Z&Dx%{(<`{e)M1OUHeix>a^ literal 0 HcmV?d00001 
diff --git a/docs/service-guide/argocd-application.jpg b/docs/service-guide/argocd-application.jpg new file mode 100644 index 0000000000000000000000000000000000000000..79b71d911d400af3f125abfed9df11720ac80c41 GIT binary patch literal 61237 zcmd431zc85(>Q#tix#B2JEXfyx5}d)L6lDEP*MRwK#@kJySt^k5m51eK)rAD zxu55KzvugY-|s(rJUeI4?C#9$?Ck8G3%`$l|Ae9~Cm~^=dPhZCPEiVgKmY(mR?*7N z9*PbCwstN~cVuppYwPHeBlH4L011Ex*a5)E#MwbfUHUEnf}E5Dxid&~iT@2JqX5_v z01Pq9s*;ocUH-qqFiaerTmS%~3Q}{LnmL<*crb|DxVt!9mhXW$wz2gk4u!qMoj?Xb z9RCux_<=KB(fq*0E^$*^J5!M6l4l1~ThmLt8N{Esxtf7Ej3S7KxLKLGgZMCrQ`@-O zT7mc}h-2HD894(0EXrlMiiqqXY5+E)F0Ej3S*Kp%&xQm$w$R_|u*gJSS zSy@=RkkgwmkhAmi^O4J%x!ahzxG<|4nOGY+nUYJ`+d3H8c>=%>nJ;Srn3uXG2bIjj z&dMu{#Qa@moB{yv z9svOU z%l`h-9l4~Lxsj`l3;Cr|P3&##U7g6C9gIxO$eI5%;{UqhHMXwt!F0#W+|0?$4(v)3 zv@$C@3vjsYOs!n3?Cr>{?Ec*d|CiOS@o;ZoHi13h1o#4hKoB4|Ay^Os2pNP1!U*Aj z@Igc%QV>PR9f%IZ5MlwbgSbL`AVH9DNE{>;@*MIKQUP$FM!=@RzJRTSZH66!U4Y$#y@0z3M-0aZCjci0rwwNT=MEPFmk5^+_ZF@N zZUk-_?gSnl9v7Yto)=ygUI+dGyf=IVdP$W?FP+U=>Pzq4qqfDS2-n@B}_NLfP-J32qqi(*u*>rRE<|!%`DhsL{ zswt{JY8q-K>LBV48WI`}nmF2hG%vJ7v>^fdHp^fB~f3@i+G z3>6Gpj0lWEj1G)7Oax3?OesuL%wWtM%qGl5EEp^*ED0PWa5Ql|aMEzanJEc@Wk=V@IvuQ@CNZd z;}hYF;hW)y;g{l%;GYwa6G#zQ6T}j{BbXtCCA>wbM(9qMN!UWTMTAWxNMu43MpRBT zNem^vMSO?Yn>dHKoA{W7lthNafh2{biDZiumsE`O0ciqh1L-;$7MTc{6;eho(#8) zx6FH4I9UbRSlKZ-5;+sOmvVdZyz;*C%?cI$g}pA>H?Iw{sDL6zi{;+3YAX_W1h z->Cp9aw_pEGpcl|j;gh4@M@}RX=*EX*zfqDRZuH$L4SEe%jgOjW zntGZqH9u=fYQ<^IYqM(mYIo@n>R9Pi=_2TA>gMYn-;=uc^xm=_w_b?es6L&(hknO> z!uvM&>kZHhj0`Fa;S9A53k|;-sTgG&9UIFTryK8?NSGv-UBn^IduTSMDwJ4`!kyJmY* zdk^~o2S$ewhj~W<$ES{aP6|%>&JbsP=PDO$FqrCgrFVVgy5J__mgaWquIXOkf#G52 z(d~K5Gt_g{OWG^X8`j&z`=bwqPoU3&uek4XKZu{P-$#Ec|6u>+0GWUnfj0uJ1A88_ zJ&b#J6r>eY6HF2u5WM(E=21}yYKT+F*ki%RSx;b}SUu?tkMZLPYnMW zVG_|9$sU;;`8~=!syCV^Ix_}7#x7nlYFumRXWTk`7AzZKXO%)hwvqWLB7%a?`3h0#UOBG;nzV!h)2 zSCX%)N|;NYm*SR&zXo2rzTPM^EE_FXDF0Z&S5fkY=1uxrthZs6kV?k#Ou?&Rxy*TvIS+0EVkwuigtZ7)x6Wgl-}RX=}!&4AEA z!=UKkhat(K)?vBft`X&tfl-ao@iD!z`Ek?nwF#Sv{YkgUFH-^2aMNKk=rf74#IxCR 
z40EOPJoEJnk_+9R)IUuvnk;TEIWK)(4qmyrlDJB?`f`n9t!`ao9r~R&yJEZDd)j-;`%e4c4b@HK!<_Cz=P;t@O=sh2Cy+O z2r&s6@bMWq>B#9g>4-s~qr|%eN(_`M_?i89`120IAtaFUL#kIHx0s{*Ng-5t71mQ0!K-r++ z8+1@a7zjK(3;>0K6~V{|EWp5m#Y88kV8@1I6I12j#4!|yr{r>=zD*?&z>NV?z(QdV zP|)Du5MZEia1bbffeFKoMM24dE`FPeQ$n3wOjYgq9b>0#6K7a9BgeqlhjAYVgW@Zi zhOqZ?7OA-m%O&rcmVG*O2~Nm$cry&g{bAvt8HYy7%=IlM7@xz!BBH>;!NUAt6#~Ve zz=RRoqvT*yHDteyMJ0hw9soA}kW(FOJ}x`H$ss7G0z2kl=x~u*^7|x!0*V2}fWZK( z&j%9PjtMEbFdOI}i0Ws2Bfo5tQta~nUjWR(woYy8YL>H1)6qMIj|`_Yy6zE8VVxDGJ?lgEsG*kaC60TGQW{E&v@iFR1U3XXvHthH!gRD1X*Q&L zveZdw=&V0D+-XWHSy#48s~^!m*N}-OTGJcZI&}8M?RAguld>S1?bBk3vgKbt^S2Lm z^5ssC^t1O@4=jxx>a(|Ax~M1+&BYA(e<3=6uspwEzvNn%B{9}};*r7EHu^Pd)cxQa zp-~zqS5*Uq7FAU2Qc!iiG|_ z`WN~pI3;_syHQ<&i1^wZ155{=Q;%&sZe5_ z_H9XO@bWVv-DYg4buQ(9b6)JPbMPHdcRunFS?!tV-E?Y**O@Xuimr z@it+g5n?~&Q!v;T#R)l|}apAO|(6qs`=H`wLy%=#Tte;G8l$~~x^NPR_mV5(+aPmqmcPNpbNAX6cMdDQl3-Nr9Ol^gY`pK0WgXI& z?A~!jLwu8@e;WtYwv%e zZYOs4S+TYqveerW_P^BkkKsIFqUA!|VI;vxUe z!}hrQ{`Ey{UXwWENpQa0$-HracLt$>XF+2z0GZZ7mbNeEm9_k^ncIe!mhZ_I9XO5`e^u?PrKJSY^Z(3{T zC-oY#pfWGt-S<)dU`GI`ZbGRaX9mT~Z#GC6(52JC?x$?ByfxFW< zDk+G$;oB=+A>B9{4O=(wCYSpj-)2_z%8wqLj7D?KMKydqKjd8_aN0W7UX<#P_PxME z&Xf0EaTO|IB?>i&B$bQgPV@>*0Dz*t&@m<+y)mItefa5yy4C#Wna_Ud`5$sWcQcpG zBni>lim|?s+oeTkDn%mEeJ@0;hfT*?w=DNR`7$@K-`O55Ob?mk=fQU2G#1oy5;({< zjB#?1&hTk?TIZL3GSa`~?Y1G}tuyK*RBHCIjCW)Cn1)||qiogW#fns)TK7SQc3)&k zQl@?q31W-dkQ28~;~d)CjPt|IUaxa_7Tk%k-psk~Z`9lI(keHProV2x5pQE@ncB$H zr4$~n$qADKa6AX=74I~3cDVaQTdR-imOrzkRadg?N4@_Cp?($lc_wM{~aA25*HYnp$(pL`oed8G_TOVVA|AeG z9*0WKSn1u?mu=SW)m}YJBSgui!dg;!15eFg7N|*1%dbwVULK_UI}qjGXA5{HQnc*% z;{5VB5j;gqrbZxT+ETfNS6teyPmEu&Myxcrl?hkrmaZenf+z0Q#(Kk-D0MyaA@s;0$J)0t-w8F~d zeLKRfwJ*z-+^4JKw#SKhS|v&^`y;%xn$LodUg*1Nb9pu8*&fDEx@b%=_Lb5-vpCkj z{T(1>lp3DFAcs^Oo|0!h z%HIL&uFPUO+L^@kM(=OLwV&}~S6?f-xcZb*nOF03pCE0H;B{Va>`$C5RWkD4X}@g? 
zrAX3BL(ES2Zv^P_urYG5F|vp;X!pOav3)6+SeX{sisbW(8|v9|O0U-_g^9ks^(8Y^ zi*{X);rCRkmBwzRmx6H%Kx&+L`oio1fo_QA^Z$S(a`$Uq>m9--DvB8Z>r2<`3m#vz z1BzeDb@9TkC)`ocS;}Pa^%=hhB;P}gWs_q5Te`*LiL@KM;vs9p%;Vt4KUOR7#`ccagf^$=dh8JN=?3 z^KcDxTmY;Jp5B+c2GU-d+%eY}MhghFP>n^xIP&K|vYH_bfY?5rU=?*I%Qwi9#%jHg z(f%xT7UsTR3%fdyyk8MJ%GgzeA0{+W(mflMDV)4~!UQ0s01#><*xyDUBDKi0PEbD$ z1V3r1W{LLmRXCh!Gun=mE5Cmh&V2`CcnlM8DQI+VV`}b&dYm* zmc%zFcjzyh(W2wZTVY9!JE0#Jd`SzZv37X31Y0^(*kmFC$xY41C>H5cnb*we@x4 zr0%P0I$F+IUykxzm#-G5y8a<-P+uCH^*92LH$uSIgXb4w%GMHuW;x@;?s}+ zCN+uJMWnZHpx%2?Vwb@!6Ki;_Hp2Ue%~z$XkDWuV2F=33n*O(`7a9Q2(jt+|UaRsG zwK`rMbt#->&ba5H|4}ku(c)eoZINKFQ0aYslcLplUAOc`>%mOcH=84!&(85k@xV0} z0Gvt$-WW*EnCM(@?-aY$1whL_o6A<79|l+6zu&>C#EG;06d3B;rTgJOr+ef3NadJR zJf)bMpBKBUb68$kw2a(wojCdtzJvm|#QW**?>TVAuOP9Y zJbbpS3xti)P8gzEEKIm^*h4Y zVj&e^Zy5Ak+8cQNt8XxenU5zJ{Uo>Qa+b5^=e?#pKdQ!dZA@S~#V*Yi0B*~cOy<>U z>Z^T9|2*o;S4lJKEbyRkF3Wk_b9LEyTj?I1mlol^{-S8nBR^JxNjNNr{CNQ07h7*} z{ji1?e}(2XKx=kzBvg;aD$&*dPY6R-e@VB97fkwEgjc=SH5LKjls&`#U7~E0sIW8Ftv>k(^x;`KfGwJ3UnY3s$mmRtM7f=-&{2r zGG^~{N=&LX5&t#R@!yRUlne>LAPxAlJMg)7YSeXkGs}DhHFSBMHNk^PeW|}#y98Oo zlU2j$mT%_BsHMl7zpU|4IgF|JcOi2wg+xX0*^V^Bg8i!p$m&>}uvnZJ`nAFS)q5a4 zX2hN2Zyui+pZX>mZ!QK|Ch^$CtPG87u@A`z_Y=>NXgK@s%7}^@Ipm{`MbsMM#rzxeEIS&Iy|6{P16-G$$=-!sopRp;K#h4#Fg1d*0lhMFZ5ao87oC zUaU>E74P=-MrS*4v5%(fzFR$ExnwJ?Xn@(8F(H47##nds#;B)IB2Mvvr#7Qh9=IY1 zWoq643$If4LM&Es0DS7J;|!mZolNU=o%7U))Q)GDjer1#EQbOLq1hYen_$rJHy|{j ztN~Pw?{|ON9Ajb|9j>r%F)6RoK|v#rlgp0vqx;`j@#WuxpMBZcf#P6bG=&U{y4FUZ(!5rWB>qB8lGO6>s!-XOim1dPUJC9e7nIj$a3eOlJMc% z<=0||ls)|1q##d!0c5WuVhteKLG!p8??3}l1X1%afytFUyQB3*<5)&dbhwtywOg7?v2Obwle$ z_QX{HxSt=+`1`8Q*Bby8oF+Y+B;)^pl6Q!+=CDVlA z`LNIAIlBgr7pLn={ObiU=H&M-UYyzo&Ov)K-ky!na@DHYi7-LFQ7n%ufS*0&d zS6sci-Z!4Omz7$*g|7mx+CfP@&8TK;E%WRuwO@%Rrr;PMQqk&_+0Aehp+o90PV@8`}ck{BdEq~vFaDJ z+VD83wtsU0>R`9$SZR`Bq3Cf)x~Amn#eFZb%yyp+**=oD<8fZ!jH`69zTjAYo8c87 zsH_j@^wvr`S3Z8g1ecPpp9h>z9vdM3;_)hnFn;U$4?7OZ@4p+Y8$+h`p=~_kM`iA{Vogu0y*>n;uBvsd#Gve@ju9tc5*gaXXDg=yB?dty%d__T`Z3rm+w+Gfb{l8MC6E%a 
z>zxARBb$B2>+Ksx6{03-1HwpFg_Ce@T4sHi4WEQbtv@ddPu(p|xSKe!g6m>Bga-gP z6U}2HGk61;Pyet3Y0wU47Cxi)kLqxrrJn746T0vB9mq8s8G4ULe%U2V-*fqe+q-m+ z$~ADq%zsQ>eK-Xv#%5W@g79d)lN?pAfl`+LxMBOLS?MZ{cvEU=;g>F6Vapx8R^^hK5k^Qeta2~W}nk^<)D7afLbX{FY3Ff zn@?2_+8(CchOw7)?VT$%(0_EPUm~K*a5{nofak2vH9RKCslZK<3dI_>nWetL7OUs! zH3Y38j?dFAEeL-@vQr)D&iy&-?$ z&3YBl`@VH`)<-H?W1h!4F1vk{^PnqUoRNxqD2^GB#kd~N;_d3Q=d;+Tl2zcf?{%+0 zFI(wMjgs?$0ukq0n2^ys^_j1>E3bq^mWop^T-)9%+n|a{S@7lwi;Z9P3?mX&;&60e zUERjc3_$FwoqxERzkJT`NcFiy#%ex)*%0vzVWAN6FXk_E5tbjzw|(feAk~lM8-ubg zZKwcGbU<2|OnA5UlXa3?SZD>a>%ej6ft#NARB1fI{RaOE4L@5>wUGus)@P}U57wj> z7bjicU(TSwOLJ7yyPj!Wi%-J`dSk(iXTb<`}N2ZA=(d3eYO8`JBL9} zjhIY>2|z^h_D+O^qtQ&7#{V+{n#wW9sW&NU+vBo@EsuXdu$R}Ql7)^C1iWBSiwpy< z@dNl6n+Q;gQ@d5w=agR$zQMROX!w2dbdP$OZWQ-^_3z#lf4`v2o`L%7zO36nrfS| zG({2jwd$i~UsjRcfZnI~J~(Z8_6%4H&Dy=Fy5bGsTuW;qk-kr?L|X` z`ya+O??O^LQ!dic0`70SxRv=ZJ*f_w`8P$uyth3e}s9jSzeU zA8^GPyt+DJk8||ICu1AX&((SNmi6H16!o}d_)9*!A^=^|eP>fso$|1yK*OIUml;C) zWu#ozzL^nteRqZ?@+=eyN{a+iz$(fDNWtacF5+JQFQf9@r&_#*Wc$0B`5E%|{Qe3bk^AA{z_ zxt5^DymP;c3rX5ULD;;N1g?8l>48rwJ{Mj9NCcqA6E|;?LvrS_bOz#E($d!j&_wcX z6%TeSP4>`&UOu(Ln)y+8jEx$6hzjkfE@~JxAkJkV{)ZD$ymTUVD%zXZoe0PQX`MG{ zDVN3qeoR%B=TvwnEgS_5zWv04Lz?67*aj)H4V z{2d@+?|En0q9tqexme2(_;ga0wlD=Avy}CPYwPth9LS2XWOD#` zUGi{sjFbHx;8-q?b+**-=LQNY01~guW*Qc>HUhrQMLQCW;7zpuMA)9b|Ax9lka7j*^9KR z1P%JcWtsgtqI9*&?raIT)&v>b)vR63>s=>N`%QR{V@yTx)a8f8T&r=3!eU009}9bw zXglb(^?Q8!Oml4Ki>1SUJij^6Gl@uj{Psk2xy=e^_|k%L8bfs{`!dG2M?z`+JYzkp$~;3QMXF zn!w>rrX~fp!EUaKzY+GVj@2Fwow5Mir+XQ1GE>cDrrlma>Np!Va{C+j6$v$>LthK)QCa#Z2xli>j zTyOhq-1!JDe^b#`L*RD&(wYANgcLa}%uD_J%V`lB4n+quI%u^uOr_`{mxc))CN*fHly7+ zZTC-LPkxa5gFn(i1b;OIfdh2a--=@6FyI(dy7}2Owm9hFonF9bYM2h^={_~nRNN{o z?0Q5nqT|;x{IpnkDP!|A_vr{8{DjmMC?(tl;p*WB`t#w(+u!dhLZ5n5QYtxoKkpND z@hqOAEfG1M)MUHqY7o}G)wl-Zy@ep8j9e@FiK^FFTw==W8CL~bZ6%Xig(aPh&(ze^ z+tt9^z}(adQ5rYdLqBGD-biI39!|A-f^W5rjU=f>3a?mRym+zRGW3?0tjT;qN^*N` zcYEJ@UPEI<|LWg}kDuVJiwdPTSMsQQ2VnN}uul8rFX*JClt#_uPrFCHl2n!4XR9aM 
z7r1rnmLHvlhQWsk(IBN!3;&kKSufSw+zR5dvkP9To1DJtuKrQabo-3l`73DyGalL5 zz*oc7)%29aO5KdRV`rs@1}lZuYRuN!`ELG#8U_RzQ@#A<-vK&ZEM(r`t=@D3D_Y%* zcr1~_)1L0?bL-T>os^Wi@F0PgH!LisH14iH^^x&v%-87PPD21UzoYZn#@ zn_V_)4jqrt~k<2dVK{giq8EYxyY3(B#TEj(U32|K3FGwgAmFANwSuN%xUc7w$ zC^U?n7Q@IMT3A?HvYyrIZvIvGfz?-n$(Ly@h4bHm!yJzxEtL#AddFqzaq}9F3CmV9 zMNN$sgJaEfEloq$!4X{Q;wOkc+c-kTxIBl7y*qsQ+us3Qt~0y#f`s^b9}Es`ey8$! zq>@Zd8H~2Np335$1w8thX<;t*DiN{PW>fnms*V`kCl)dU((6xguo$wdXb?^Vs-hom zYhnye)d>@%z6@rcl)E8w5Zl{3bbG&H@^6DV6&hnDyyHm53d3b6x%A~$;d+)|SejL1 zl#Qa{{C$lH^;Y)bSp&we_e>5ZXW6jgw=A-|K3$mq)j)$aYxtJmJsl#!ClQk-qwjH? z_9XSQ?6lCBe_sQ@smY2%8#*y@qNX;)jq`IV{mk4JrF##E+Wjs${$Ba%a~IsP2A-RjaEtiB6zS;JsF}?|{bBaX44g_Hr7Uz9uixAW#bZ zF;@fp4$y3ts!sZoP~vLXW?nDqDb!glxZB74Q%r)hPUyF zov0|Gz5NTG1sE*E*Y6$~FdCeaRBCl~9J|1Gjl@xn9Q2`Iv?@!!mm0$*df>lV+!4m*>EhmN%2}0ciow1T|MaPob!TS+d~ye0!zYw-teaQ@<=%DAWLt{K&-6(#fE%U4r!fOo%y_q(jVn2YDC9 zZ5`DhBXAAAs9`eXw4uXV%jnC)b8EI0CK423ByUA`Z?b@Y!0G6kG&SGtQEMQ_H4foS zvO%EQ4zR4X)vJ~CGTvUmJb&hZ>t^2_nf`d4yaJv%g}Sv`#Ex-Uh6Q^9L*Wrk+qRfJ zJg}Gq`lX>H#JAt9*?c`JH8m-EC{9}G4Z|E*0w?jd*@8Nzh*S1yW7zjmXgXRqNENN) zvur?B5gbrGWO$#nd&{9S3A>E5jI#i#qYI6?HbiWx?G?qhU-dZM`lk zQeJ0FOj=w@C;z4I0N77R4-|H5a z;W2T9=tyIRuD-!m@x8p_VJBiy@nWMItIHeU{ zhNA4ppR&HDaga(@&h2zo-dP_5O{wHqa71QO=P@IGnIbtqR7fI52BjmXji1_vpE!-M z#3Pu)Wwk^$j3WvAlUX$92kL_d#=gvW4xEm@idaa`+OfprXrmmVo*$C#bd!6Xm^?+U zQ9e|`mSPVf=4jBn8O>mnT=A*BS33?;Ngc(I(Q^DPjRyzsm(*yg3M+1|dG1y+}gl}x_QJ1BgnOjQC_ z)J=SoiZY>dh{@+v?(6zpx!ktf+uK78lBCvgJ5}}>c%~m1BeuRsLu#3z2TLDW>E9BW zCb2KIBBA=G+-||;qU>!US>b7357@`N>`Y6I3ggYx4P z>B7l~@STY8aQR2#952+rxz55(ksBz~qWiTqx z_W^Ho)WTz1$eUt>Rn4S338>oCxEz%t^I;D^wjO@8k5V&{drIC{fstO&WkIlSW=ZP- zEca%V)23<%A5arOwIUBVks>EO&byOJdM8C8Ns9&MHddy@expGFp-hOr`BIL|i zN6oZNi^mGyGKZgoP|w3V;dM)&g&Cfu&zO4_amt>zWz*E&YYy~8R8)0g9TYYFMEXp< zVz* z%w)h7s-&rp@WhP4=*z&B;nGT5V*hBUal|Pq;86 z!Yp@!_3Lx|i_FmMETe7uQF>q@z>dga>9Xk9L~IbM{JCt>pkzZF%~33CZm2J{!aAja z9OmDJ^j{=_PfScv6x>5M)*rcitTEDOD@oQ;WX#7Ix`7|e(=$b$a`8uP)E=PD5tg!` 
zHJT!;{Nv^yE&ka}_O`0z*6@U=T@b~e4gJl=pOt=NSoNfx!Z+Tno!0*!B@lGM-z~SB zfbIJ?B7$wBnLWzHrwXh$`kdjPLme(kEFtW1JlI5iOtUpo-6(pUqpTjpN;_NYJ6kN zIG2o@&Bx1#BiWOe;?pDJWfwx+lgrt2m=fdEJbI=GLLYq=^(MzkzHhQ_Px3x_R#A(A zI+{f-V4*}A{M*^pICQEcLd#tKSql0lGR+tI&$KOkjGPeZ7~~Zt6ulBmR|L)d_sz|1 zs(Ts2d8GMslSptCUy-sDfLo#9^g!Ghvk{Bssd)Nmz1YooCR3w2HPEL?ev?z&linBN zBp{_qh-#xYKEM$Vvk?*>Kqjh%JRmvs?-8sWjDeP zHgNu2ksYnRAiZ>2R@FdlM-f6U^$0_HA31$|k@2YPwGN3%AUdoAtPw80q)I3O=SLP_ zCbt^;qoydfg1~rAWZPuoW~UFbrw3Ib^!ed9sba0Mk`B$$^m5X;Ew~eo(&{JyqO~+%W=z}9)8<~ed9=XK64ncw_h-Gb@b3pnGUAb7g8t)>{6? z0(rBrX)(t#8_F4OMjf;>SWhmry5J%8zF0TgM@6;UHx(big&5J&e&s}12~!V#D4R!V zWhd_#sKno^+?a5R_4XbwN|~J7G~J`xI$H({w{erUjxpK&rHxeeEP~mpf$zXK($St0 zL{h)GsijSei7yk;Q4=({d<)TbF}a<+Ej}-nI@pae_MP-s%WPgBEIg?VG*=O!6~f|D zUzF6@EZc9^-z4R1Gxsoi%&^je5)tIq6SL?uAum|&ieb@d8{#BKtd8G2&_NCx8AX*w z6|f{CxVX$Cq>}E~2A|Xh9i^}QENz#w85qvWa6s&VD8VDBL`4i9AJ!PQ;WcykJPapz zCbGOw!c`k@Y^=#&htlnlMSWlf>3aI!$gc!=lG_rd4y1C#KIfaIe+K{fox|k}w2kD7 zAR_T+*t3aaPjIX?eE&f9wibvgka9+op`w`T*WyQ(Q5ePJGAQ%iri;x&6+*cmcQdO# zrM_-_DVmOYkFCbMyTvCq35$`rwoW3(Q#+coFXB$$;F3vtM*Y%5^e$&&#dN3b@w~@3 zGJ*CeAHD-(Lr8>UfWfn{3|L(+?PFBz+d1$NGB?xj-JnGcVP+1(LgD*x!-p^3IM~?A zk)S0t4cX3|d>OJ}hHT{a5$aZiN*&7%s~xjoQs=Q4UO>F>ilV(l$7Di(Sf zEy!)v;0TE|`sk#9s5tO}Sjm_-az3&t_pyu;Zm1Db2>nBhOB0xJ{aWy0$=`c15?yYk z%T8IY*;kdrrhm}${ms#qSBC)+6+z<4zFdd$5Uy=Zlu<*UwQ*^4a+`iPy9EN2!CJiW zETxekY=Xd;Z)!7N@ZYp?$}=ZX1*@m`N8Js{Vv&KQN+<2(FVTm)jvZtn#D3f1tk|ij z*jh?Yc{ekW*2Y|6GUNV{L@A`3CZu&c1ZqDO9BWkZHulZ_P4h>&PTTJ{n6xCqZelG6 zDdE`<5ts4fjmgL~EDl3E%Cn@mw;t$HNm762>TG2w= zQ>ppY)0CK6@U)oUw`VDGsJ4lyWA>!UsR-tGvm}(8N0gP*CW^O5%o*8s!;cw!xg#XS zg(jCyQ0@rHiG3p3rW$k`c0y!*_D=hE;3m6T`2J^*r_xI`!!SprQPLT8JeeyBybn*+ z6ATv`YG#VcB$I)krEyc>#RDuEs>-`82g|Uwq^iV9u~8ZzawJh; z!OJAy&ZQ-J5h9d)bM@nUALF1Ka;k1;g{P9IZBsL=YcwxU&T?5x*?fGQ!-Rx5TFsk8 zvgqC=l($TE@)vwy(0i@4ggSW}AxyGqYRNDh)A9+6mXU25iiJo(3My@q4IXX?-V+~` zbo5Tn?N;0VhAMV>{HZrjIOnm5+@9lgeDLP@)WVjDTAB5(uJyFF^;=`0+b0SXW2oQw z5`jm#9GkH;CagHo1^${;&#WLtG_81A#T$NSgOss@M$k6T32ZY$~%gf+I`b>~)P=#OTIh5{TD#vw( 
z)vhCk(;gx9$%Lb2$3_y8!j9z5kWQ7{QC8lKJyC&8)wMUKD!(V&5BnNbJ5VMJqlGJy zq2@ws9t;;Gm<#Y_Guhn@aWy|aLMOV1JrFKn`Qd5uj8X(gut%9RrU`7m8icQvau;1t zC6suq;(c=0T#e+3N&E?yGC%SO@n=qo@#f(Iu3rbx zKR8MKf0x|kF9RF>xOYFI8Koa#4p$r_m?#*Kjym%@%5zed?cNru^PzaU-;aC6k+V~S zOeTDQyj{4b==_%E?$bLOavJ|3yE{k>2~E@ql2ccpD!OX;vhn|$lAXGB=}H5dl-Iyo zc-(^mFWLtjcHU%BOZS(bK6I7~ed547DxcrXPZ0!_U7E<6%9LsTKrFcaC>)}KFr5wm$#8szz?;~tI8({j!KDNEY*UEBTgt#%;gMV3ka!rQ7H zshx?Z46QxMcG?xh4VDK0SrN`i*hUNNB2_f=__rcDYR6W^4pWDY1Trk{f+?;KFs`vy zo8n7Je1z=Xp_7VLIqqGdVZ>#r(B2rR&xa_s&Rp9J)PNYJuksZFX<4}f7uNH$;Ym^E z?|CN-%zU4oC{c7-2Wz{Ud@%D zXeVOmn4%8_TRVDCx#c&KLe;?(+k!O#QB=V|dSDid+*u`s?wPkcNR=9;CM=ISC zo8Q`O`QeMLHoIvs8mch?TbM~x@U!sdp4RGw{MB{T#lmjE~~6iP949^LHYl z2u?Wh!ihm_Pby89gqU&V%8H|-6l0NSI`L-}%OdBfwa3R#{Ez0AW=G9)INWo<|8zk! zjVL->$h2d@mnVZuS2a*@Yp^pc3_a1D6uDdT}$cL(V1^0Ze1Fr%`uukPK;km16goDyn<5r-Pqcm2L11Vr+c} z*6Y5;j|hTeS~Vg}W_=zEDk9W3f|S>M_*7e&b!BCHua7b2GM2My^A(AzU)wNF_3HwO5+v1ig*rH_sX$dNvV@ zOyP)Upvv)#S9|P?Sd$k&EWgoC`$T8#!h5b#F)h4ypqg&EZ0#cZHuVv<$3U%+V^u%? 
z8|e_fmNziiHtfQyS{e6UJxBh1#?_K-rHezoK)3-nvK_z$)RLF5?vv9tAwRQ za6#*|M}J*l?6?(ldJX{L-36> zXfnm4h>?~QgUw`fx6CmeknX`pdB8p>@_3?x2#u;?+4Md0wA0J+3a6F$bK-%78BoPc zUkT_^hP+_vaR^e@cD@ismsQg(ZitiU4lyde;&{{f-((RkqS=O@tJ$T#JhrCm-0fZH z5ddYHoDDcG*p2iMtalS7dDS+YbF$_0WWp80ULzq6#pG>9mQk8CrLk;iU~qDpsV7F~ z1@ZJZim^j~_|YR&yWaMDL7M3^yd=>E>d{l>iUhLfNb$BkPB}ysQQ5rwsL-b^*m5-ELm2o2ObLXX2x$4y@WZsBn@=PJlixeR3UrBg?_x{6;4S|W{MwWO{8?@3%EirB zYpl9>)YF-@y3y+;M;Z@Cz%Tjz;Fp;M&_)wgV;`#kFdguu>PwzCY_kgjlW4Vokj_pmQS&pr@??RQDRF7@tnX50x1tIbZa+c7G{Ocrod;&rO@sl>9ST&E!gm-l z4g?BRJBLuaFrKwOxw*IC$i%1Ahsl7nzer(Y`RE>rL^wL%!bg+}&+(hv4oWTnA@xw-DUj-DO~KCxSZ!cbDK6G(hqu$+`FZ@2>m5bM9Sl!J3-A zXYbwJ)z#HsRdw}F5mmmg7rah5wx=f;#ijHZh>T;l-ts@`wca|#j7coqJK*%?Fk`^3 z!;ajf_2}mnixIz{N^yAII7Ns;HyBUEgVfiTK@C#=oO939n!o+op`V*%y_4*V&uJFX zcs%~Vu^_!}{ndbn-=#P8DE?0GDB($Vn}rN7Xe>>FIi@?bkKN%Lj=OfL3pSZRx_2#9u zSoPp}{D{NQj@Pd8finj`7~cOK13QxJ_UR7B$#^$$DH5A`NbV~q z%2ix(w_UBpFE_fJuoGoBPMKP^za6WL!X<7;|Iv;r=Ne_L0Fccy7{>om3D^PVewav* z_G<@5UdiHLHGknBM03ajVeAicnghE;m!|nh?SqLkeUKD~@yVFK)Vol}us4(>w8*8S zN&lJreltGLZR{i~?zG>z3MBaRTp}=l3F}SD*o3PubSEJPz_k;Lcu9nXR5$@3iAO1v=%uMtnGpR>K$5WYPKa|J{hQHX?239SYQ9a3 zG-~O5G-Q1^3XJZM7bP$7y5kl40Eodvt%`)bNc5}hU&t(7&2HrX49MTYdA_2y5zEiX zjkOS%Uxe-MYf+QbBEQ6B5hn2Vz$~H*s!E6knH!{-LK34Jg$AffyXNh`zWO_<{$X`h zd*jsFEjO7@mu}?|`=hop-!4~%%fMDN!zWrI(cGo3B?*G0|LhsJcC}nrk1C7DiNmbe zBhE>Bl81~uPc!>u51TU1I9*~$Vv|O48rt;8PsPa4jw(pyg646R`<%ehY)Sti04lm3 zt+_sB2G&nl+*q!wZtG=zClE}Yw&tWZ`7Ndp2*a)x`^afq`2%&rl%exwX9Rp1I^yw_~_(!MkdKRXerq+0oKWE5J$P&_zXS=z$sg*x*%{Tuf>)dos9 zzl@CHi7?q85sO`aW{7VABsJeq?wx>-7OS45pK8fkt(4HfrNOR@l&L&i^+S9~aP}w; zaekeKi6IwzFhUwiQNWjGSVC=?2N7P4aEKfyGW79b0B_~V*$=nM4SYvz{jb)%s zYMFMX-v5|bT)Zp~O?F<7UrE>J%Jf7Meuqx8q-W?wSmRxtw=}E#pACs{L9>2LFH_y-+A0pfpFB^cnwRteoVu(~>gq{I7-N1E750X7>93u9Csidts2yrsq1 zL`754dnGc^`^4Kcsg?3r9wTjm=q~z3)9fDTyvRx1fOrvG(%aAMKT6$?0NTgk8>CjA zq#9y1OX$aYSmYRrVrbI0jS#d@iL;_^qx=O!znv^CB!TVwpx(vqvD!F_Ak-=? 
zjoZa|QE86yniMJa92NQ<+*A9nNM(6}3VF{UwHmly?OSMq3PB2xxSICr^PXzq>DFSduHXvK7n5$>_CvtvFV7l3Cf9wbv5aovX02m8h^Rmn@eYc5&z7j@`{^ z?^(3nR$Yn8)6dDP%ORvzXF(aK|APaUE0o-RULd4zHj`cY4g?NvU)F_yW zAFYUk5_wq2R6C5qGJ-&o3NtoGW||~W@Z!{A*a}&nsw0v9qI}rP*Ium*7pOvgGdJ#B z6$l3{UunfGQ7-%~)6Sh44zzGiP6rPwwa2sovHC5GVfs(@5RKiTH)cRNS4(?3v^59; z0RlReNAWDF20hyLX~HBj#a;*dksaemLpAu{`e2{_ZD($T+u7IP>bSj8Ggr!ZchCMM zv#UmT#z}Ej`C9YB@Str$e&|aakXC3>DtZm!j`EH&0%dqRs50(Ao*-Eq?vXZx4%ZSl zy``H$>P^pEgFjM6=M+IKm?F8Y=+GhAvjRC`?wj1a5?56E$SVTXV&}chQ0yv^noX-~ z<}rZXtHS&g2FVnh;`GANbQ@P1#D%W$z)u4>Z+E$%eF!@E0YyVec>1N4JMewW{~8(n z0Z*FKiEmV#&jjWV8t`#j)f7b)XC0tsZ<|Hur*usp)7`EYjcjB1R*6GEezb3C2ChSV ziMw*lt#P*$!=wxPYgMK zX{N+J+)CGe{rwNPg(|&r@;*)_TBtTOkDFcFZ^E2D-K8!iiW}JJIvZ=7&qKsDdb7)g zH5^Rsf>!*^IH)^LP0;iZug_B|?5saZ`Sg5xY*ouJRZA845<2@OoLyNY*CWJPKlJxu zMGMfs&)mUNLgui3|IQ3nyH^7y8r#HP4VEqfB?B>Av^uAH^@Hv~nI&iBD337{;qCGx%!_3zSYXK-%qICMrvF0X zu&BQ#(?#T-{{1nJLpyRtQt|)1ln#$%Y*l)Q7_EFDc_N{n>8}yUL>}_a^8?I__~p)! zS4g^OHVq^x7`T!#v){cPGiU#D>k~=tB;~9>n8=GDv!NlMyp_#m)p$~A(hhPQD+NuG zlRBhS92)@aF{=xG?0R#1YZbZ`I!cbX*gu1Xm;Gl}_uX2`b9^gFJ{5QFoGeNa9eRpd zNXa)uVmj)>lBt2s%UqI*mO0@BWgp*=*mQQOb!M@ z6*>2(yPjOLz>^V@uXmo9)gz{uRB*8abRKDG3w8lS)c-_GSbq=`-*3d^)Wh~VaUz}A zC1v%F#3Jx`)KSi(YI;E~r1pjC!UY%X7QdmP44o+YtZ3gwk< zI}53LcHU0)pMp8^p1!%?w_}`eS2(=ejphI|KbHj)E8auM{wy<8B zHSSupmJFU=|HTndAz4O^w;O6FJs?dV?eRIqaPeanG{VS+cUSlW&T`$AvsqG->qPzm z)}Y57<%SynL~pt7w(4eUXPLM=r>Zt&a!@N+d51oINj}^DdkorA&*_3~5@>T0Pmj5D z9C^4AKc0-eB(yPfAYhXP@7ZHNax;)9-f*e>bZWgn&2xTF1wWaA82XVS zH&W(QhI}A|G69(a0}E?~i#J_*Tj@hjc1xr5J1I&uI&(i6Z}UErC`DYJWQ5#k^slB7 z{Q!8PYfBd%EZc+e9kds?10TLPev^O&{zp67`Fa!B#%U1}#yDRmv(GQ1TXSujjnSSK z%nX1giE5C-D3QL}iPa!A5q`DlTl#}Zl`uG)B!{FzTa?&DIYw#y+S+>KNJDnVz=P4v ze1|}3Jzc3dpW@p@wia2L1aEOfQa*U87>cNEGl%`ge4K{AT503eyzaZ;1m^D^5A3c~ z!;XvwK}X}mA_%8iMuM}pmq5eS>aPQi&ucx325N)Y=<5IODEV*36CE_O77T?z!?C;3 z$NRdA(~9@+k|d}zurRjzRQvZ!`oc7zds&7XPx=Y!Thu|f4?s)0|iG!KEIkvk; z@9NvDX1?rK4m8=&AP>@Yv@?U&UAt6cBpO&f#&W_2$(nFtQpcr~f1rJ_tkM17wu0b&!MJs)t^%lfDckdszAguh_u@tYfb8 
zCCwzX{Oo`{pR2ypOFY{JTB#W4A+sK&d@^k3I{}FjzG)~z>7j|FXJEIqI+QDnC$)6$ zcghg-%X&>}ljB@slaGF;5@8zm?rOw&XB2g~KWD~#WafMiHpj4vfeLDNPbKz4k~(Cg z_508Ihe!K+j}vj=*Qk_uo24oN=gu0d;6fo74n_YAyKQL zFxh8OSR!AOlTbl*X8yfL%QJS{)JW+m6unSCk2sG<6XRE~cn#|RhE%>#fV$qk{UoW`QX>|(RbE1&ItApn z?n*=Udcr#<=zV(&&oMechjE9UVbIWI(2Paj(Ua}9?UPLd6>wgB?75dD7i#oSo?|os zE)E_`1|WN5;jO!}!A%0uEj`GTZ!|Bq@9c;3df%FJcJnK>olMqk#>rTgC+;?L{K+$D z=GYHUI|-PzWN*ryjPMk%<_tNl9}YD@rx7x9wLlY{M&TTy%oDW=Gsyvj(&m^TWf(Sd zHh(Q1V!qtviW>lAi8`BE*>Jo^EF-iddHC%O{N0!xH5)19BxZa$JiE}D+XR(mtlJO9 z8k9dWb>`$hm1zoB$vB@t_rhVg}N zzX?5O8oBDK{l9#qKyo-@Ae=pN`=N=u11ugi1VR>oS*ZJ^Gvu5)G;TYbII3xb^%2iWa!08uPKZ;*&AXrvRt3+;ZZziQJ@ET*D?0_L(X?F&u$^U^p zfl!0pF1eX8t8?6Nptefp)UcP}*lC7<({x8@aR2Jjt#S9ST8FZCzs>d;qS65^+7L3Q zwR5DBNUXTz%HUtZBE zA)l02UDT$)L@XBnjd=vc0Io@7vEMrh5Oce4FZ>^2 zmx7UWSTxTjjjCu}=6#{(P58!Kh)oT#?t-&)khm0TCkFhj-cqhJ*mZH0?2Cuujl-dt zjV5K!BXw-ykR*I!aw{vXw+fOs{!@$YN_f+_2bWMQ)qB{T+v;C19~fBjBv1Lb&2KQE zt~2iJWJd<*EJ~Jca^KRL#am=$dkLA``0zv)!0OS1%X5&K;v6HeoMN#xtpq9Qy!0O*kCcnQO5AdVV1#Q?k>%B_e>{O9w|Tw_>%K zv)8PMGmb|z6=_9!k+%O6lH6G*LmiJL$Jr*w(D{Ac%Hw}{|L+3j&(4Ly=om((u^ZVW zDrc2?p?os^%_qj0D1g4#LJu@at4K&iJ#-lApp`W*{y`De(jr&r0d?47LKCl`Jr%wU z6{H89;Q4H$n4e^XXVP=5;vQhmxmI(>%WH-r;-B6}-SYS*F zT_)`A5`IhzU0YJ(6J4`V7PjUe&0!(3lsu)iQ0v^60h7^Ng*KWw4^76=|ER})fVXzt zakB4jpOb+Qx0QR2!zL-tV}DP1|NJF{;AkaIaRTZHdp%nJr*8pVN^PrMyfr-iXG5WWVqb%2RMc$4^)ba>h~ zZn9>A7<(4%BzgAww~7}LX1*?mkD`jF?3Wyw;my>ZICn-zeu~o}tmOoN#_PcigN;259kd2K< zDXA2M()I-G9`!z#Jp9vs0g(HnG`pA)+2Z2-epIi*)MoM`;g-XG~VDwtu zaGyT&s7}n?u{2jWB$tKWH_5mup0Q)y`dUJ)rbvoyIG5TPM=!UlD0#7cs$+oiyrvdMQ%< z#<#K!c+NbwJO@MD3z0VH4#f84Jt)PoVV6vOwU}M<|ALfdG+8K^#(BiL!ySY1#8NAY z60EF;hy0;D6#30VTUsfljg8W5z65EQ8W{!lxvkhKNra%B=&vOt;wBuFFw~duol-=! 
z5d`m%xbY9kpkpW=I)?0RwD+G{$>x7U#s5_d`A_VbisUs^lpB7Fa7%7 zL=`Oqhk4|(*D6(l1xd5*FnOP#?$RO<-i;q4%NsGW1doBEC?ZeQj9`b;8!@^EiZw(4 z!fH^;i1O z=f52$Zavai7Dn&Te$t@xrXvf_v!NzqcGHwE-IFOjqmx zLZhDV!2c2V^fjWJUj0s z;9NYwFdN!DhePe%)nu17P(beZUGZ&Y0}>v64{wRL3W^l{4y^P`MzhdxfQH9t!fra( z{`-dA$i1<|*sIdcaDF-DgfGtH6p$imy8&r}q_I42GyW^;#QqV2dXC!NdrV6SjLP=2 z{xfNNcphmfGD<_$U5jZ3Lb0WJxeAV5Zd|t-JT)fShuYGHeJA2fWyK<_cplFP4jMMT zE0q2I5x%0KG?({{)GsWv)UsK!kgp84UTsxSj3rqfU9mWd{B7S2m|{2E_wI09+ac#q z2$Woftd&wGj&~w)^u$tZmByvQu#cB-HW4kNo{DCAV7RWx)SkX+FdW-)S_XnI4I4)h zp$B7iNcHtzP3@w{*$>|!`V}R6Z;VnQk_fzD=~2qL%s-5%B-8O{~UkNC|?ff5&koDr!F?U@97-e^F*qx%8;>E9IUYxurMDqlinl9z0+!s7= z9%83Uj9N}2LmfY7O6YsPWAF5&vJnQvfeV%{e)LiFEo7eL$uHV)c8{lPYw7cej8;5`h`^ z^fZk=xe%co4b9O=OK=8VX%$@QuD(Z2xgrQNc@lJ!Hq9V%=2y>gqm9{lOAk;z>l{Vd z2u2f16FG3q;p3-bnf8w%#VFi(|JAZa|N0DYO;{d9-;|*os>R zd7-A4-CG(DwYn)O(Fe<_7@X1C+pb5V3?zhnapO`cF}n)J{P(6Zbb6J4igJ@7n^mjk zk(hExo83jzlD;$89+o6Ci&?e!`GVexAau&jkRU9=CwRy5|L9s~g9D1l@t)P9)#Ll<8O^ zFXAIFqUXXcq5%WmB1~#sq!j;x5w(=ZK-dK%_g+af_gE#xmfQHfBs7LQ5HN-tNdMBM zTC1$HUXsyJp~+f)^rC9g7{a_Y&ho+JQ+@@jjaLwLwtU|abbqchhEjP0J(J>(@8ehu zARcF`Ha7xK9!^3S-%l5gUdlC2+#j#Qx#yB!ZPO>aXt@{4ftooWW9V834#iKf!D*bJMr4Gzk_AdispK5kR1oA$G_PEvoZ655H1su8a69Ulod<8q&ft!u zK`$%OP3+*?^gQsszA4fDID=p?Ya1-leSJR;EX=S(pYA)|m0j{LNY()%*ufIkZsvOF zpK~=-mZgiS&8NzHa#2vQ&3R;c{AqQx;p&@tIZ z)^O*#+pXt$d3esxEFk#U;ToLqX?^kzu~a^VMJ0Xl=fy)ZjbVm3_D%x0DLOg#(K}h5}y`WLdXirkry7UC0S8(!$AEZx6hQvs_pMccyMGJe$$v;%S}n zH25j)7ECY8X09pqjZ=MCBYz%w76C;qbRm`M>9rY3{uG)xa`fC&LJBpKBIv%ip z2B2mATo>klu_3?g>(u*EW`VWs_O>U@$1AmTVx~kgn@QHz!{~-LaVJ7k6%b8$`*umN z8=T&FJAL+$kr|43x<^y$C3YqcaBP$D);sERQF-9_tjcz-YEReNiJlQSaz~0P*s-9_ zVlb5|ZcW31+~n-5>V%{sZsnal^32|lS*a8L_Vey57F)l18%7!97r>Y3xf}*Tri^zA z-^S05A1Gqy6!zu6NPdX!L*e|OUgp|Oe_banngm4Rs4FdaOYo^+SuPDy;6poFTfsUZ z6WB?;(oJh`luqr@GY?qP#W;e!p{ z=Mp-cUD2n=93h!3`n}ImHCngO9=kQY7dl9H^bTtB#ji8|n~x6*)on*-J}Q}3zhLA_ zsPs2u5KJ#5FNxBH>9&@B!A#qn=aB0wC4Rn7q@=^4y}h>iK>4lYNl-AzA(JQlZQKUK z?P>~4l)eTpDFSAde1(qX1wgDK(^6f?p!%Td11t`Na3j?PMGA*O)IFGmS7;Xprcq10 
zwr}E*9<@RttDkepPPM6$8?_$gM*D~UPe&ICEX?RMf0HbhD&P{j_(#9m8fU+1qZ^>v zZB6Q^CAZqUosSy4;}Qie@AS3Wor4U+gQ;n!8WZzcuRq;-_f3%VXv)^xs$*BRWPM6X zsutbSGlTYT<}3#LG?ykKaud3fPwyHjwat#!TG!WFr=_yRmb5~9T$W?sCk9Np=*{TA zbhBL@?L2r`G-+jx;g>&sPIGVbt#uw!NXJ$DkwT|{)#2_K)(-R?YlP-=tX$T)$KNP8 zl7bAvi-Hpc${34NM!)@nQTbLF+F3n<)C^wz2+r3X?{8=Ypp8aV!yi@6jP+-$xX&-) zG5Iv#6Bt-Zxot3tkYF8%l@@D47d;U(>Axe{S z$m;?$#+ZxKUPj+u@U)0t#ki;~a7SJoiGkvyx3|Q2@mJEqcHZ~B@93#AlkZoLq67E% zt>%xmzoOM%LQW#)YN2!$)XkGQEGXv0p$s*;2?Qk(+RNFxH@myE<5RPvYXc3BHIiY= zO{Z8cRmRFIEj?vRKB%W(3^z*7_^_MPNGV+-yKRdV7549hBl{&IH z`mJJY`^v?;4K;3xIkR%QSA87Pa%!%`&y?)QG$GY*Wwt<{JFW$y`w^hL zu57jb1z{}q7tCoUs)g)V-^Bv!c7Sns=8V*6$=GVSuVv_Hv}bu8u?9=^5HevBfdLnI zF}&I5fLlWj_n;{G&=j)Ro@Rj7tqj!sz79Ik$3yY;n0+7L)AkEy8?+XkDV^fP*KRMO zKvn_{mU4Nb$Fu*42e(&W&JLg}3RN92+q?;P;n&X(ho7Gv8VZwh;8j5JSou1HZ@=%7 zPfEIG*%?D}R<{iNt|r(DA88-$9T@2X(A7yZ7o1ZbS=+zeBK?B9hR?09#maAYY+C7! z<$1$sQ0X=N2OPdDr zmTQyIkdm~T{HzmK+YjFYb9=@tkZ5Tv)IWZAkfHa>*n6FPO_lOi{Yg;+IJ+6PJATu5Jbm-C-2{yA<0g;b{Nm36= z|In8rR_9_lLIF>SdkHh@RmeL z`^JR6Ez6G{H<*c?Ygl=*G`zLQnjm{yR3Z}9&C4$bQ$9;Ehe>mOW#a5*beCTSjER)0 zinUl)yz5VDINq(&?&Y9@$dg%~0&B{eq+YF}B$O%b3b3}INu@u@QMXGq42}&(gG>xB z!#bPJhpggDa(zWb;ED%;Pt#eXH8O~8m&fsVX9j!0xe(y1p%h0%!;dLd5R|$fkYad6KogK2>z(&Jt+eN zhfI-cs9X%Zs;gdRoCf!nm#n_*_Sd*~`r8APhtxxou~P;I7p?;IJR2AY<4WY5hyn*S z`$hIcD6ofMV?7SVstn^)?CePB%b7YCajVn^y~yl1kQ$mEd$sq~mK@KkaW=~;o@9}; z-en?>$k1+XXjV-=i3k#S9jN>~s6#=9v%JUs2Od2hra=BJroSIN= zA*w`W;ujUCr8HE4)(#iE^M^^)V)jKuKCaDddwg`H4BWLZ=H0aTib@_&`1&y88QSHy zhrGyQ9I%d2IVF}xG?-e{p`NUEz(5webAS}gEH$L2vC`SqVc*S@!rwG5&DP~<1>gX_ z6Xr3do03rKX#lsi%31oAj$dnU;XvfhFe|E>p}F3?hkhF+;m(Yz?|;D%@99V9CGYF5 zW^QPuz%O$~dphvJDk&3GuJ0BgOk>N}qOue#o)U$6@SQQmUh@>n$bjONrRwIb!jT>6hCy@~;HMtrEQ- zYA$OTS@DkUUw*X4lj={<#E#rQdc}caspB2fDyFm?IDb|leAIo1hRswf6zJIgUK9FK zJ8}~-^;nf<=X_mMgCtFB?M*HU7t1z^CF!U+1-Pbz^Kw`qKUM9ZH6tUl_)#)`@(y7u z0-x}Au`z0TZF9Nuvu&^<%hHwso^55o_al>riOi!}TOZRZcUOv(>GFAzqwSF-TC_7i zWf|Th$^-K<l3OR#&($3ztL23L3{RUm1r8+HgXn$(&i`VJD*C?5~sbl^?aHF8n 
zU52k+rPvIJs$Ml7591la9XUVI?n?hDLxp5%57IoG*0f8EXFgmyx88FS3UIJgIGfbAEjZr@VPQj|_R@|z|>5-`}aF&Yc zuMIyr;9ZhqYC$G#zm|amkA!YF;V~tJ?solh2jJ2bg5_ADJB#&%N^&B%yL(<*pvtPY zho+S&fs$}l#zBSPREs9WpX;Q z!!W_S`j*@~-s8YlSvB`3>&fZSvisIJw%>JXT7aE(jZRIg z?M|`W)06$X-CfJr^KSRzEV;-2kd`X2KPe%$Ifw&mJW#%b_rU*1q?)E$bm_x7m>_ zhxxR`qz{FLEl!THh&3G{hY~a3yF?!9yruc*LI#8xrS3^qK{FKa@}ETT?&@$V(Ma8j zrYa?gBuL@!@>_X3R2*`)iGR1zbyG?lT#dW8w3Jg|P`T(iwsV^zAPv9h|~F1FLDJoqE4uSO;A^ zJ}Z3leya`ugE@tpkhOHbld$X>?mq4Mw3~?XG~9ZCoDB@uqn$w>arszz&$D6pxq!k@VxfxS#Lyo8%=O3K$Y1pFIX!vX2V;nd^u zhAn0Ky3u`Nw0n5j>ea37sdmqAbwrLySh;P<<|3Ix%Cw`jTsAmooa_GpkyP5{tu0m= zOabIuQ|EBpvH(HJ0jecNKImRQbknc2{*Vjc``5BS%=O$cDE&u&G?Y?1Lv%(qu5A&WjKd}H(T*O8_gU3)51pg`SWzGVwneK#Gu|TU|MFDd*vbGqIW^LL zVi`MoWQ?MjITn6K-vBK;JA2%zddcmKHc$5OQ`@p5-PI1XjM3P#t3bd%PrYmOy_AP} z(cI1y_4=+@g6;lo$p5ec|E#9shr!-hqExnI&r$HdtoJ`}`(Kx*#Tf5!(`uVa*OFEL z?=eh0vej>SrCC0CMd{uDjU)dJlm48diT{kf0`vL=aZ>I(Gc+lf`F-YXN9XU!_ryK{ z_jX{+o-C!lE~KAob4;l zxMhpVRTz9eICB#jbB4Z<6@-!aj@#nn_HqrVb$q*#Z*@W?Da6jU8%$G+J7?$q$qFZP zVBf_rg$1rgI%`e_byhB9_~rw8N7n{j_DeJAb#u827U!f55!dMFw#7O*PNZ#-7e>ng z3udbW^FTf2mXPQz+=5r!Gb%VBmfWjK&P!AI13KUCTUftU#yJur+fcv!8H=BEOu1+` zguxAy$5)@ukhT5BrXznE#f2CC%;%i66h(!;WOsz|XFda2Z1Ys0(#_ZYMl^^4j#l4v zP5-6)Phvz5Zg!cL=O31rKWh(}{reDWcD3@fTIM{qfNG-XcGfeV;|AZ;3IWALQ9De^ zwIn)Mo&fz{FoQQky7g`fChIRkH9lEE{AGTw2~h3bDo#(EXiyva#kv+cSkNl&nv3iWm5paIg{Nn|B9z~8+8&IobwUP zdBnSf9+sga+3eu%+1AV(cK7bNm;JBff7ssxt6Omw;NLV;m2XM)#Pl(iHP+x^?zHZS zF&i9y6R%zC)(Cp9%;%TeeReh_Y|v480e+8jI7$F%+_T;Ota8i0@Nr4;N0$uB zpJ#U6XvM>oZQB*r!uF5^v1Yf9_aJ1ddi6_}eJ^PT=ljC_XcQ=BYm4C<`xJHlBVY5e zqDhQq0=UrH9e8c5HTG~oK|FnjfzvtaVE1-kM+U7q%@9$mIrnV?Hj}XBPOuL7d`;&! 
z?@xe1s?-57%duP??r3MiT36QSvE9w+m}8gdWU$frelaKKEaW?ZL2c3g_CRtqx)B}@ z>dCmOe3f=-RT=zvMyfV6`&P121zybbCHwv#eRcq-(Akxe1zOCq{oFtlXz z@Um3cBWYkt9+lGZc0>unMtaTisL^kH=i9wXd16a$h{L6xgp1u_7F_`4Z@0Yb)@A$2 z02Y){{Z{WiFjwXAQHC#Kz!Wkc!c>4YAJX4rXNb3QFQ z`%&fU38W(T*W^v&!^hoa(6ceRjgw~(qgakol|?^*=zY-;L82bvYO$JktLMVxNV#n( zvhT1m9!%3&>lw12h)4RQPAK8%*t5S$PFSFhpwfJTW0P`RFx#go(3k_(KDS z<@jJu9thZ0Caq<;Goh7>n3|!OUiMKwd%S0vN(ND)#x?bmkGt5 zW1FoSvee-(&_~twTjK(&Xq0n-<;gqbm6_CGfbjv%oOqJ`_BLw8MhDKU%wn+w!6}Ma zS!=$^i!_EdYyTVT%1kR-rB5%f5*gDp_v9fUd_1H=F&3Ay;-Zyc4RmrUxqBug9lEza z_nf7YHS*?1yhmHfS?!#BJBxOg-l5XQN>}qdI5aHJ+3tzL)FmL>m_wq+*F(q^Sj~5L zzvOfqrfDct6Y1GFd=xm>$qjXln#hlT1(V=0<{He@W6K|?F;lO+S%^-w9|I9C$_KCEn{ii|C_ z@cZ!H;Y#DK?>Z*M0@FP*diZI&&D?g^1}WO_Y`Af1qpc2IOrpZl##g>kHn%fmjqD$3 z9TY3Tp8`51jM}L6#cRDCABoPn*t>1)M^k~#(SiH+>xTh%$-!czjYm5;4*Iu3-yUi; zuUi`ZbxLBoJ>)(+q(9`#I6iToKg5hW_m9p!8=M+A*!`@(|Ji&Xtj{z@xrWp!O58bS z+wNN0>Ra&4`v7t*`G-Sp&`X)IB5oQohM3FISBuI4AuOXUIhA@JCI&$aM6rpE3sc02 z%1~Iy($LI2&rL%u=|xkUT?uULM3kduC|%RaTWk5=`aoZ&*2F!#B&dMY7mJB~B&?en zc=~ilhu1$n=Bg)O2$=!N-D*>=gk`O9tvI6MP6?a~$VAQ&c{mfPU_k<=;$~t?gI%@~ zt};6Woe+;5t=UVBHuV^Pv~CBqE+Q^zl%{EbO&gx$G^Qyf;aOveUS4VQ;O$n+G9Fy~ z`C`vH{0>G|1-3(YZ3&R>kUtigZu8jmMSq5V1rP}0bOG}miS@8Z1w^gBFb@6*D(O6c z<0PEIz05TL3e!qbLF!zp-U=b8X|#+4uuSrvZ~zKow@0xw*gOYzM{0*Lv=~(UY07A; zN=PnnX-D4snwmiXh96}CDKPB7GTJip7Loc--=#dpnaKt6XV%xOK$ z*jSMF1(oZwkyPz2>yH4L(x~$m|Fhe`(Ut4;&wW0xwMK8OtG05Q=$9mo;>IC%F25bC zp43jUgsLa4TW6N5%T(fbU|ftkUTPq?+pBH6GL%kf@Q3q}J+c}FWE*Vf3V=Gpx5N!T zy6g7TA%i6vc;}@?s}5}!@Hr|Tp97Cr2P^Myf59wX{EQ6zOj_r69O$ts0Ga+c*t)aa zo(&?Jzf08~@ml>13HV+GWTBhZBqfp#tVRcc7D5p(D%fpAwYWMGT~@qo;Go+Vt2WV7 zqs=Zf8gpkmrq<)BZ_%LsELxoyC!1YvC570T+<|5lZ?(^?aBhWi^dvnkI!K$_ma>K? 
zE)!jjJFCFWU^$0|!_jYDryFu8pdII!CGQGG`%l?SPZNszxP-@4N$J`bZR_##uEOTY zVK?DzN4CJGmgSI^mV1ao-j7ABf%2a}ch-Q}RY$G9HDqNsqLti}9=7>ozyZIK+4}Ub zL6y&TJGt$ z-|KY=t060|z_vmC&QH1bcz_Xmc$m7Fq_M7j`&E+99gTK?RU;+D*ePKyCKtAYs+Ls_ zq~(s9%wdb~>7a)UDk<*|J&i0x29^$^7~UCCql^qo@|Alcn7e!u`a~(g&8mm4uLI|4nkwZc(8e9bm-V1W6( z52eRgLYzv^p~IIv92z4QRjZJqDLBh|+55?KwDflE`PUoeQdVCd(PO3N?NV)H{gqt+ zM$)J)`3(L>sinyp$DFmUY=v@&S&6chD^r%v#=0)VMl%u|PjTtA%&9nt6j>VqbxS@$ z=fGMN2d$BZ+TQUX2M860tM(_{T8e8&+t5os~)+dmsd zw3SP|;AXtCgW7%1v3J>?%$x{9sIg>Lvj*4s9218!SV&Cfnk_;k{Qy{cI~Bx&;>b!& zQv&9KlFEXU={ltnRApN9UIztY#X`(PdBU2w%R-RAhr_zH6LwKpbNzc2%o{r`Oy#01 z?ecGseeo4ReHFlSyE0f{ATz6yNPgXx_Nc$ECxdy}u>Qht6;&@>!m#z?7YqRL^E(UN z{g-=4kiECrNzpthm!TEp4i>yOYPKI>TDB&mz~lYkf=GQx;UNP5jio&Cy!NSq;lLh; zOQAzL?NQELmyhG{cSB-$?*#gO2c#Wg+CZ8cr_rO6Ol5`3AaK*e0%t ztDz>;s_IR7FQgDqhCVdS&a(KGX;mP%!O8~PTo>4$zOiuwUlk@vE7}PtXwtZH*R_K3_cTS{m49X>Q3g{@|nkAr{lpq0~jALZBj(j~r!#tQFoDM5Vw`N%k>T zK&6hUE}Qv4_*5-t=w%$XhLfV0rYdY7@<@qVD0`Zw+WLh#AW`ufD=J4Nwr9PS)K*c4$mBWq&*Je8w2A!?oe(1nqGJjviF|V;+G?^ww&ntg8X$PsD~wt94*a*KNjJnGA88nUNhj1f3e)+4(r!3tKq}#?R{q5 z5c9@hI2twLg43(+;B!|HoVrpaMkHL?IHP`L}ysgeh`%cHOXJ?u0s#0jh!1UvQD};rUecfgl&HCHU0k$vU3(Mr?JhCUQrmFj6QgPjm zSXw6PzdSC&@T1eJkBZNx^D6@)hBM1@+Ak{08Q&z=H;8y7S zy^rwH9)c!cEjwbx{#c~6NV2sQqWusho5>=qy<)#OEUqc91z0$BfvFBN3`30;A7!Ou zjHytM(+-l4WO}wD%&A%AWuh(SL1107RLe}Yd*uA>L=m=ioEGiWY6hV*L01EKedZtd z1+yv{JR%2Ntqsh48nD`42?KJXyU#~@e;#WkjOUPQ7?<4!36FZX1Wa;9bq?r{d|<4S z+3htrmyRdO4sWHE<}$3@z24_B{sp6X6JOamDAf~ZX|(e)Ne={EZoCQ9v0V86#(*pQ zYCB8jKL1E0^flCxAGFH$6a;3TxyMF5YLCx8`;E}9d}UUyOC@28 z8ehE8j|spxiGe*)ZSMup%p7^UckK_~_P|yqcz{@w9KzA^N83B_k3p4m+jaMo3F%!q z12`7#K1lz`7=-h7drQ12Z;mRd#$FGR8cEs^=Wh7k4vNB7ggjLKkny{hZL4W{V z>{B1DYs1B@&-EA@0kV6##~PNK0#tWxUta1}ZJO`_`8~ZI()u3@u72dP4!P7ZrKP-E zC}&H5DEJ+C&w%2piBM^7qvSno8K(P-F$Pa1|2`wMu6@H`+Cq&8Hhp1Vb?be*Q%6$^ zCKQr=MA2jB30)C(`&}JJO}zs=-9FdwOCu&5?u54<8X!jvZQLedN25ZQL%{$*^O0)w}h$;-Go86JwY|EL16uPwyST{>rOagKAeXF8-%RRZ1C(nTL?Y zI{f+G#;xlmW)cW0a#ca#kPk;_|7|_Vyyz$H!PEMs 
zFA;0kGcL-KKxOOaLz+PZc+@i+)pqB#&6|aQnveqjh3z-sQ48nK74W-+0sdrY@en;E zPQ|}^XWre!@%F4AYL}{$7F3dUy7t@my6oO#h&vf7l_zcVXp}hYD-&~N zeQ~{~hB^Q`JT&{|o~oN)01K2NlWb+XB0y~YHDeMvm#FNS(v!*EmixBck&Cai($vy^ zA+E)9dJjqzeRHAD(g<5PaKw(07k@dm7KODq z?^77y0=6mDL(fb2EHnm}icX1|jeQekcx4xFyHLh)o5_)y1nT0dl1y}!G`L(hf5_#M z*N%SLXE-z%cmWa*dV3sX_gT)hh4F>1X$JyRziywy<U_=n>bl&(&?;m(GN~hXore z#YKVbxzUi6?U{Z7_*Jo_M%z_2jVA|$$c|ULW7xV6m4dq4N<_rup|mos`GykvLK8D* zFY9(!4Xg+8=iOVVeR%GiW6I^5iQ$eL!&Pd|;v$PB&oG}`_nBcCHGy@-ggpUz#6%?$BK-*J2pkIK&`7_6MRxTux0o4mx<9cgVH}we>R<2N|zWhka^MtJjO?lFMJI4|I3$R8*i9SIg z6#%)WrrvO7rI=dL7l~@%4Aab#&aTK6(iVLIOtL+F`LL|>o5T0Up{fvCAUYOan;LeJ z39Nn;+)}zJW2a>Xa}@Bi-5O4KXZ`|Q!YAtJoz+bDkL6#}5;uRtt0y({NJN>MK^A>f;Bh>GiS z%1nic*WiI&XjezAn3tf)xz)U8uAi4QC!0Rs+YR`vUJvk|*iO-!eui*P?A#dIAkM`i zjk=OP8gC11tsT~x)2rx8)LPp#CmI;2bM=3fveFTAiDR=n^%*>A5Gq|~euxLU&)_&I z?|(i>D_uU}K0I|jI{WbzBS25w0qujiidfUUW+J4fI(3`Z=0-&~2*GZv=Grd#vAp{x zwK>J7Tb&!u?=LZR_xM ziXVrN!yQ>2N^AjYelNW}$>F>+)Oqr{J9dUGs>d2laOalUAxFu{CuM-%F@eksR2(H{PQGe2og(`g%MSeg^L96 zwWLd06Ke?aOkIO0bWsW?XGbe{){4+BSHNiLD75tGS5=d~Rk%cGk}$V>gA1Ij) z`gHT%aG}F;C68F$^KEc&XrQgzspU04%G&(1kHNZ=DH$B`gVk<{7g7A+CJ;PY1q}Cy zi2|`5NecA#G!R`;kZqVO{6A`X>jdvOMCo_0L_H0-8G;jkcJ1s8KL~E}H3iO35sc1n z9r3u47?q>ArE;zDPc0A>`{GrJ5as>**E1Vzq^s7SP7TvAd2$;&&}iuAj;MWLNPjceIWSW|IbeL|K)}I4}E$34mmPi zl1j2MFGwHnER5rYxUlbq72!t1Ub2yV7tbLGtVK;(N8bo}(v)gy^D6JSdE@!VCQR4+ zcLP8d)=}%zhLVNo}LPX;|tsn2N$)&3*!*^bb$-@E!z{Fh1PJ*`>PUI33N_QMjR51C8l*{&|K6My^yEG=Se z2}kF^EHOE9N3bfa0AWj!b3BP$xsT&6^L8>a<8L6YtESK^)e3MQo zn;<3-IzN0<=E_hng5qvF>B42g4k1a7OuhA~@y8#Ill!zZ!1T~@d`bTs6uzxKy6`jc zjYzy8wC1X>pr@0;IxpA(r8e?>4YevCc>jg#f3D) zs7nz$|9SD>?li#|8~XyhJXZ$j1W;dxFBoohlcUA@DWRl-Gvl5yS`djh#?<$GvW^PF zujbsqdUa0g`X*VO)0##}gqd|#4-Q2igW6=0h<$yb>JyVN z#s<76UpnK!=*(i^mHp*+exf#7Wum!_gDhtoa(vXfa)E$Zm_l@v6aQmamrn z8FTKeCfG*_EXDgslNaO`jh|2-R;_jIP&wR$VE^1ujvouJuBybGK2AP9-OC`%(c>ZX zx0}>jde`KOV~e)SyMO-HQVbhuvObs2I)blBL%a;=LSz2X+Z0hegvcIV%GN}d<#4DS z=x5qh+)`bV+&nb&qnO^6U1IijAj2NHsl%m~Y_^Dg#|^vXVFxHqT$vA=xYK@{_y)j3 
z{JF8s-X1l^D2ofGp9<%5)mps3m+rTQ{XMZ_)- z^9m$K3qU5YdfGx?!G#i$&QL<~96JV3>&to6&$Et)R1`b7{=~`eaAZ^Ro31I(7$mdC zmtGUviQT^Ic|6;J7I(qZO@BgRb+PQ>A+Pl@c8FLsOh!X2aXY-fP42)dKy1@ zNLL?Hy>*h5$5ZZcuFjfChL1Ga)5Af6KYE;WC|_a9X@38hXn!jW%%2OCgv8DkJ@8C8 zyBe{!ha53bmgw{felG#l+IKG5STlVC%K`OY?`7fm1swahGf69IQF}}DHrK@3`z1*i zLzKoJ3=Gr4YI`XcGzfPI)MtJ2ZkyY9(GiFI`!YKuHoRy`L4x*Ersx$I@hPC|_hzN# zY<)*UO$Uf7*)+H~hxT%=`q88b%rmFi@|0fn(PJj;TmIZy<;c@0-%fSY;m-}BYgb&Z zSJawhYPL7c-A_H=9X8XITRC8z0L@_CWTso`@4Evhkh{HrkwzU|7z^}Xk;{Qhd_Z1t zgrnAP#A>I}s;=ACIvBHkr}0Fl*EEhE@ezenpNVKf6nT%GGVAE@kyY0k_cpFmcv<99 zFO=D%ZBjuQ{pP?2d38VmQ${4AwV)KkXlGnjuwy@zg#&KelBU9RAIiGg@gekQc3!5# z4~^PmRjSYu8?PkdYkixy-&Z5Po#t427S6q<=l;?kg7O*z+o!^Rc828Yz0#Tpd){*+ z{>jj2T7?av)MuZ?3qr3T!@>==vWr7Ur(3^`PbQezcPi48x{VrwnsIU^RQ`g+eKZ_4 zQi=^&FZ|UZC~q4Thlh@E#RDH?m~8LgdS4!eyP3@&d}XYrz`{`U3-O7(F9j3=QYy!x zNkhV-{xQKBcW1oAvGiF=A~zH?M_JaG2uWm^!@88u9nw5Dd+#!spZuU^9bf98jm@n4 z|Me;lc*A1vSd0=U6q}Zd=5PLNFA}jU*J5b^Xu*G!HHMZ1t(kbtVL4cn&wV1*ZBvq( z`&#CA#y9zso;7Kgm;L#SpOOTK*tj{bpeq>$i4p>Jum4 zN!j^)*?n7E4Ozo3AT}rl%Pl)Tmav3Dn||Y#ULpr5UoUg!qHHB2`s_!l#9Sr5d?yuK z-OFo3Ug(pgDNJ5qgbAa?p-6&Y&$xY&1`%2L+=L~;Z`;E9?#Qq12>$8>;J;j3wv}eG zu#mA8*%vWIjwb&z2jR3a5M6fC2|wZ3gn7N9hFMSa;uH6gdrN9-^<|~`KCZ4-;;f0H z#m)N>UhnC-@3HN1cGbA~ZbRq1ns80s=!O`n;*hOrHRs;9Y9a710BrN{OhuMo**-8O z14Yu|#a4B8?16bVon~H)<#vnGeckQdbL1*I4fj2!p8nkxH3s% zu*^9m_(j=sP_RBJPpTpR_;>$v-%D6*Z_TFenvjakEzsK=jYKspjt5hVcS&}e#(PA{ zEv*iJ-kfqyiest(NdK^}{{jcafs?s7kC}_E1m+FL_6j#aWKpA{&&os(wh`cvTGL{zpUpE4?%d&34(XV0Yr(9WVDeGs6LR zNubmRdAjjjOh|d@-qcv>#Q3^^KH18@t}w#rtNJ7dkXQX^la@neqp?ch2O<$o5{qnQ z9z^O`aSpV~4`oZ7OdVXNBoWI#UBMWX;x#U7VZ!mFO!|fbsm}k*ZdsRz;_FR0ATJ1M zia@BC^FP{|f2nBxS=;+dR%3#Lm)SzX2lmT7ZVz_)io>Vrhz}6MQZjjTLay#$Kzv&eLr&KVVrjkI0-Yda&(iPB*PVbz!osB!<`UE~ zZFFC=jDtKqfij7%n)L?ZLy6~^&0$I62|-P6uZY~eY3yI_;Ce{6GA)lkdUAx|0f7=v zfJ|hYrHgG_0wyfrFv*5UPCoi^149}6V=8Y%1ko{j_WE@$AWLq*$Fd^Tb8~BOpI-vM-GN^&!UZav$O9Ju_Wr^ZEM~#Z(?$em=qBo$e zZ`LJTsuv?$3~QeinGyYoiRY$*jx}x`U9SjWPC6=f3n2ncN5##UN=xl>vI@^^gmp_G 
z?$*~|^Lo+c=+UfO1YSVSAGpFQ6=t6(d{k4KSzKql9Vz*|RJve`FJgxD+*ITe4Ugz+ zmxMDC0cyWaoLMz*nbv4Kqp(JU>&h-E>%znGlH^-9oUh^H#uPa49sk=6rtob0Rf|K( zX(tn#KJB?9#^+?99?_pU*52oIuOI?J6?%O(4Jr)aQRnvu{7sB~a}5@P<&Whi+;(X!= z&?4B!SB?%MN=Hg}vlcWEBJb6tqp7|GXwl)BB86awrlo22KeHTP0~uQ26X3_GHw&t< z6Uri^Q4NoWs0dye)tVC|zLQDKVj)2@xj zVGcS1#iDC3N>(d*D8eiFvLcpgI_|E!mBxn+V49IL^7RrbhrYKU(%FiZLAG>S( zV-3G=&@YQ0D+F@QU>O{0^caCt9t5A8+u9=RD0fT*Q4Expg^egB4WIehfm)1FKQQv_ zJ+#^OzOMZR_+STtGFmr%ndlh6@LiXqf24e27X8fC+-7v)=aoGieRU`l@HxKWj|;gQ z%>n7R8I4BnAoV`MRbhfvQ?RoIljBJHf#R|V;+Z-zQr+1%%m-oKJfw|tW^Xk^tiL}C z&O{XRpNQwSs)|vL3Qk@clu)MT^T zCRJQ}*ABfL2z~(^NHh|1kzpn!pzXsEmu`A$w{=s`@>RGQWcWQI=Cth#DaED_7Pl0< zV2Wy|q}m>AlcCl#Ih8omo|;p*&T-g-sj&ti$38#43RBh?Ec&s#c3u2#I4+}(aM(At zDW#PlGV15*U@kgo=zu{%N|PH){5h-2ghqFa%w+cdW9lK3q&^gBipfgQ=HhdOos49P zW@AFC)@_*H;yy=Y@ON9-OG?xu8twVl9R?!6eDD`wu0y_MIxgfPA z-`3zLtow0t5NdWcSVKdlt5z#--ALaGtXmBJc?McZF&9zMe!;$L?-utUg}1e;hdfnW zkjj;A$Zr!ne6|oSk3q{4fiEQC6Wfx2vWA=>!4#mO^|?gHJ8}D{zIVWkAkIGHqMFy| z&a+KBuoN+T8b{aDeDW^wOmJXt6}cOrC*Perxdh6zX=G{w^mzPh2D&)k4#YZ8S_w%qTOVijDM>{?f_E}~&>JNX zzX`wR4BBcU$ z$&g)g`a$Vx6pYD}v^L`HY~RM3OSR*c4eK!)`oU$2FhL*h6l)#v25 zpEw1dOyQ^$5+ii1w10lysf%Y;^iba$-5qt6g*B~T=;6YeZzoi}_WAJNjx#3@_(+sw zqj)G*94`&$4Xb`+ZHEo^*cpo`wUrQXCp{im?N=ORRdnS2ZR& zSYa27hvn9R=NF)_e=Q4bOnbgu3#dD=)O0s9Xz`{h4eiurzF}bFVS|o38{({3QvSv* zy}En3?iT;qS-=MeuY95>@iy9O%M_Hv(z>- z$i(!Xfkb^^DTw09Ov!IQWDnb5$M3x`j8ZZANIctPQT^(UCY#Mq^91X?85{xqHyQIk z2G~DstRe#Cm+di$Qx7j+H}624qv?)GRtw$YMKsB+<`c_$_SjceXo@*)SYBja#i(#S zi7!|$phGE=m$R_Ad?*u!o1QKI{D^*c$BMhp35TPhplJMynYjsSCu=yx|LOy&?r-;Ce`&#lw<}v89_GR} z3*OaL44|DA5MS_R9VbpeR}B5eG;F@Y7&|-p<>Q-Bw1hNyR`TZsN@xx5xGHctcaIyi zvnmQ5jSR$!J)HE7!Tm)Y#v+_a8W{_?8??B~$4TrQ2*_r9^=y1o1_#LIfHb5ve>leL z=Uzm|KINN$o+?}Jbzri5pz+%)zIa;Bxf?;YDah#|2J(`O9Eg~993q!-SQQ;g)~a$3 zjE`V08$Z^>oJ7dIBBH#0p*c;w`>DPzIDBsRedZqDYY|M_0OeXc3arGHjiUynMD^(`8( z0DN2mF%hJVf@W2!t{|sw-o?aBg>McaE#@0whC6$;!#6`5sX3)7UnXi3IT#mqTWENY zc-QG%a!J&}2RBdaQ+58pFclG{c#g)&=FT4J{EtOhM| z#HYBptW_Af?8eIfCx{~>avGtiB$I@Y 
ztjv!jnMi*DFdXjL+J3^ANQj$azJ)*Z{`kI(lO1;q^Iay$k#Pv8(3M)s=lXH4Myh%e zs30x4x{uZn%?3pY;5C^9rN1BQf4j(n-%G~@@}?r0ysknJ&E`bp6>{G@lN>08k#d~m zs3ROG*}BrIlb^Oy@&XSaFKSmIzfpJlT{&7b?Csmsj8v$s=f zroVCXY$2ZO!|drHq#$o^c-_1I7k~;Ykj>nKkq%Sg^?=2~;B8Yw^x&jI8Jiu(Z5U`v z(=J2n+#r~-L6j;bbnaN`##<|*(j*(|5f{Y6RV1pBC(+!0-BubL^Y##fnF$Npc0V}) zCT`oTdNUMcR6z0kp0wGG?iU~iCAvFIu==T9%PX4m*1A1?OD+P2NWn%M$2~yec++%(T0O0 zyzh@BNzAI*kDi6%Tpalfnw#l2Ji=`P0`b5WzcN}dBFKLl=_`Bkss~cI1ML1;9C?3S zF+}yjR=sP-CbFnqZ|vR_-u@q!j(lfdX%y$NCG53xM|#}k5)1!IArA{+?p-~5Op=x7 z%j3pSGrDp4>0G_#l8}P$^dDrFUj2zJXI-d)03o_M*Ge}|ty0k982$(rD-&~z+PTp; zQ%}TU_a6==)8wV?<%(h=z+`iKU57Of`5{(MYUcWI8>@aMQU~H3x=>)-BamRM*;CaI z*ZYy$oPLn`pg}FEQrkvNeeFMx)4^XesIfGn%O%ZzD8bxLHnC=c1vRme8_>l1M4<=~ zO+0w>gb2?HM~GpptDuAXWTjc1L}7k(=`n*6D`e#L)AJK(>lcrdwZo1$MV~qvYrwm| zVh;fm8jii~*Abl8K!IIS3aVw8{nvKG% zxw1bC-3Fip6o?d(N9l*-*6vj#Z}vEHEkn2H5w%76(#?CMpy+Y59du5YNVNXJU5)oyb16;BA3!jhajMA*sm{#{btp_(kPi*WDQw6XrNJr1u z%vX)&%h8y-4_alnr{USKzgTc+)()FbUEU9syf;^p$wXq9$e}8koEU6Ka9@70)jEvX zbm}_1Uou65w3Cvx#0M9YCyVAHXW3RX_ zLu{~Q!Pd8Uo_Jj!Q~#Oq9xvhM^?19B-5Wa&=Ir@(FPhi;#2FT`p*k0Gq&53^60D}cPz+CdIOt^Hoa@Jt3)JGCO0m~7Z+fK2Id|+x)BUF5zhh?I zdO6L}EmA=y7XjLazuyj*AJ1|J*1k=dsMEtUncD2kwl+8%T$h)HCAB}Z(r3_!qvG6j zpI!wiGwJd55+8l4^U1z9yz|b|$v2UZ>iKJ06B?|W;An_`P9PbH=++9_aGg2i(F*)9 zh0A{uK76t;CNNwg@1atlR59{&$&&uN6s8dF#8Wj^_v<^5zkE%IWkzj=){r~DG9bP) zdsvUbAsvj%9xY^5ejBw#9zh~vxa6IWrh{qzVWq_E%t!0VT$;4y!k8fHaySNo9TE{~ zl;AZiEOt^~!T$0&&{`YKjQcxW=6DuuPH7RycoMxZM#ID^MoSKk7Dw|dsm?LSh_|t` zob&%C{1k_&a8j9S4oClO*{$vmVZf8fuX*tV$I_F2ssW7DMa8rN2*&7-^B_nBNO&svKO3c!pFjZ>ND;A;gGOv6Sg&P}q@~yKrPY=OG-;S< z3N?U65xO$E;Fed5f4CG;aPyAX^}LWTr_J)Pa?ZXu|HoU+z=u{0%jl~d`Eb=+$l;@@ z<)sm)EKiLTbkgcbGRi1skJHkr%7l3jKgmm*U#X7wiRM zk%k0P#AD7=Yx9<93=Ji#+B?4hSTFm9ztxvQ_db`@fo_z6l3UEWI(iK>>1A2{Wn&9g?G9onk!egv0o6W@L%10J5c_RCmYzU84Bd! 
z2v=%Y|5TqGO?3qIq-V|>aBaiFPqpTpkwuudv2(kuLkMM1;t0)vlpfDVoHwg8fsFEJ z`CO|Gg-RX{qzgIZ5-We6**+L(%?kfONqSELEp01tntiFoaF-mT!I8D46#I?cXH|Up zd5xlt+|4kP;4eVLzG#m-wH4X%FF@Hlp{FMl0Y80kf3Lh%(}}XVj%ofNedtQR4Iem1 z{vKPF0@5L_z6){0dWnf!sh4*|acC0qRtB@H?hKAKir}BMCHLi0_3QJb*=1;Ok1gOU zRYZS6k^6jDU~~drfs$AM*2jkC4g4{UApD7m;?HG~#PUO`U~_XjMJeWOaA;s(3A=4~ zeZP>xl?piDxh$o=c{r6OHx&2di1_e`4sCs4MSgzftdrgm{Q6}}c|sn71+VUmRMF;U z3G7(X?uPA=IdCOs-yh|Rr(en*Uw?wc7 z4(s9e{GA7ZbI(oUm9Rjqwt%$nVr2s*LbS6U=R+gVi9sA^bTP4D&dDh!-23`e?#?S5 z04pG>pDp-ymKwfT%@Ws$Zmhs@Y$U5j1hx}ZraYoQA$+pPQL8}W+M170M-NUw2J)T6 zusYNZDLw+1#`xKMA^|yqM{*UP5AK0UG1Ws0R*F7Se z5FlKsodWMC>X2KP%%8rR}YjAh~U2B>n-5o3(3opPnC(TNq6a5P~ybEj&2{8 z!e~5d2CtUYB@Z0)cFDeLO>U*m%763ub);XxW6(~cq)%71XNAyV|KB~}r~oO=fB7;` zzGX+1m7-{XRNDMXD!rf+hw1%osb7>s?tt=80S_fsgzHKicZ8k&I)N&`#EAQKX_2#i;_(pJI-( zcrT=Bj_V^A+5uBCte>dPNt*FN&3uyQ9~p^J=)b*6mn@!d>eKfx`)JOG`4V2xA)Sd% zv#~k*b0G&3D}B6WaY@=2Y?`Y|_0Vf(ItL@v!6z>XJpz7voe0AwDe!Wz!ge1^2FaYt`5nQ$QjS2CS9k<19b_gbNVor%Z6F?r1XKb#C<>5Wo zce=qbsw((-6LQM<+140wr{>8SLYBVXhY1TF-?{rA`<`aowdFM<`J(vprBBAi$)8Zr!A|#exn9ykxQt0ab_|7IRv=ma5eA#&D{6wQfgP+WXr+j)4;INzfBi8+)m!1~rgOY>Y8a(K#Y)r#J zJIiW{nxvAXT>No-RYbYdrslmia8d?{o;42wAfVS=R+A4#ATfLz!mx&)Xh&cziTTD( z;&3jKIYO$L#|}9wm1|80+FO8_hCYMo<07M3Fu_#?Q#GK+?31#z6V)8YY!G*^RpT5x zKUcfk8*^zGBy)amh3*4KbwO)*W02RecEm!H2{LxR?(M7>RXsu;wMXqvV&kS3>~WDs zZ=L9hgzbpaWWlnhel+}_K_Va_rqQ%YfabTHKPdb2dKX@w7=Fs79ce4CJ&MN<@IXki zz1PP#PHOUz50}O{rHj?C%H2xPyF!R}f}k94^RmWdG93!}kcJM9OYVDX!vR2v2&2;k zt)Vl|g4d{~=6(G>79)^;+meelF-5V+#)wO>ODO_~^2EoZPw;Gz{(QzX0Ri zvH;b|+LV|YpQJ4>=i#|a6rj1hWWZCl0*(^u!Gak|3U{6?LUid)6LU0WY8k3LNU1Zt zDd#^dsJ?ie?HUz=`+0uZMMd?dpXl&|rj9K-3NBve;+Ew2%dD#0CQp-K8N4KH1ZV1? 
z7^^P%2^_)^5V(QtC9;=~OjFyIL_nR1#+|JMS+{PM2~k@WpYRtbtLT&xx9llQtD`j5 z7oYJJsE-{Q3Bb=U4=X)U+sXU`Z}70Y@n|$5BKcrN?L3Ot5V=mk&K^;Bqnr&l7AI{a z=kE(SDEq)4ubCR{5@TLdqt<@>nj=F&V#G%rFjZDM;m_SPV_ZgN5zuk)=2d;%H}(ix z#{#TplJR^#t5+u#9-q7n7rXq4EtigYnO|DJ!Sm(U|LbR8V!EKbtEHH;vrHLTtTk3D z=)r-}kuld;8ojsEPKov!G3AqQ4cX+On%m<{CryDF+)Fo)1VCQu#;sd-MGti0aA!6- z_7KTjCTVivW1DaW#|Pu(lNGII7hOB?@+1&$^6sP+Xbv)dm-Qyxt>?@kzJ{ReTbkpF z;5EJP`Y{#tZaHC0Y~cg>5ZAt%UBw4v^;j7&%?z~%3e{h}z{G2lIDps854sb1Yo2}_ zF1!;GHm9R~$(pD}x(HLUlL-1wHi|Xa%n|I1VKDdfChDAF0-Wj-k$0m~x-Uc|nFMd` zX(5U`F%hkdP$#GWcC`;PDT54NOE{8Zi5~bXee{rFU5<`;Gf@$C zOB1^p!Jyi*k|yEo2Q~S^f+_5EmMR$HDzQ6*;PbxBRy^1=Nv4U-U$jwD!P=E#)>O{Z$rGF}APmjc% zpszN@Esr}_MQMZ65iW_h_qXpfK~^z_a3yXfLV`ecZ)rmEx-SAt5OvPrz_>CL#(>NC z^gF4^N(9S71mkEf-Z3l?Ckx>Sb+m~B_fiIi6NolJ<)@iX;J*tOYe(QIdx+X;FpSRq zkD(EapSaQfbchDq$L{gIWEcG)!{5s@#1}l&fU%tLL&=uZWv9LPIrd1->WJZ4)kOl>(ucZ8n4v ze3I5zv&3y<4_{J)b#bG$g&D4l;LMt^{2=mv%q2vLF@cy=L zyGHGqPm7%Y%Be-)P?d!5#P?f0+;n%oee+z@e7~uEu)Ayg^u|6Vy@3%@6h9% zwj@-<6y)ZrueD35nHR5E6kgZ`GIuj(R~Cd>f0mo}@c>)X&^aaPmLngU&b3@tXxRGh z#p6zlyFi7GIC$-OPTsE4P9)au_m%8nX`L^Rdr1tdQn#0u@JbUndoh(+A09>V(-Unb z)DPLEiWdJ!f(x%$EDZ0t%4>W#)Qcah*Y;cLYiMT-Sd|iG+wOdR0qS?)yz6b%B1_zq zcl`P+#D7E?Pae%$vo1!*1%#+MkCckw(?m>9B~ltj_J@M(nBYM*%@BI8R14u$OHzvF zDfkl}zI~E<@%l5;WC%-3=UqLL5eVCeP)fX-2)iIvHPI z@#>mYeEaRk&VcYQ)v+jXQ5v$ofTdTesp6yAx^t}_+)IDZzTke_ZNRjyc;LCn!uX`s z9_OX9y?NQocXL9tU4G=Q1qhMtJ>`U_HSuceR04$m_Aip!JBwFdVe)cSAGCY>z3Fd; zBWW|DbsRY-9TL}#0{AFnIid2?x|>aUdQZn_G~2DAyxtUpXECMLc*@C8mogvD7*T)1 z@VU+I9~Ct#awvuP`Kb>3toZ5F>FWwgFyOke^v8a0_VdL1W&Nl>jJD)-k^P+aRDqa7 zuMFTO4_V(+N<|SO_UU4H{?WG*HR{J-j9S8I|TVl|fs z;#G9u=6r5SM^Xb7bltvx_jms1|0{56l)&efMF^($csM|Wsdd_pYUt81TsUYjKcGU#AlRx7w85%$Zq%$Ta3UW2_StUFzU z8e!jM=7*pxXU5!Gj&(ZMdUu1ehWuWYT>=FDnkx27-D*t~BW68NGV=A+zZh*#4!Rsg zQGti0#3^Qa}@qa+s5@{ z z6cuKPW?^O%v;%T{a*Xi}nSu%%juj_o2Zhj6^D%jcKW7^huBsM(? 
zO|jo3*Vv50N(y!92X-L~8|5xB^|$yY$dD09e{A?Wd;;8onztNOpozF7DYIfx0;kO) zh657U%z6o36dcfz!M>Av^8KHdN)zT9I8fb8-dU79geS)b&3XU3c@pTW^9KU z_70stdulNdR7jRCX0KIqIM;nzE?%o|m3_X-Wq5RlTC*|X1<@$^8}aiJ*{?o=r7ym_ z!zd^yj)#Y4;=4ACtt}eAce0}BB;#iOT$3WcAf>S3*ypq4ArLlc!yltW`>@VK2dF|6 z|I)j$R;vt@%*2ZgMGuuJHh4h?Mo07$DSA)150Cjy>1vYF$ws^6+dOP-9zAfwnvC;#Kc#|2&+Z!+$^0Ha3`8{U z;9%kG#JN}J)`hrS_wFEP?|u#|f=jpyfS1;6iK?uMM*e9b_qjT8D0avw%nT0N5+)$V zQ2w;`9nOj&h^6A2DkfMdJKHz8^O-(HQdgW6d$v0 z=cd1$dm3f;9eG7;8+WW-I1r`nJA;ZK9=y{$kJ+}guz>ur7}I(6+)IRT50#Y3a`ipw z3*CIg;-+P`siTR>H`OT8&!4o<+Lx8eEVJ^EF8N;ft|D*J&M{E)3*iC|(Ol-rbSv@u zzD`f={265y8dS`>m|_p{P&xEqylRO|#6zLO>frC|rlowUJhFGF;9>29^^7ewqdxkF zfUmv!u(lfnsbq|Qj*wUB&0EP`vXz{p6%13pBhVPnAK~ObJM1L#QkFCi= z5*or$Kp;K==VFa5U3eZ#?ekW$YlqAaje?-?RLTjdaLLQ~gSz7E=V$hI)16IPc&XPq zzW_k=LG2(9J376IA2$mH#MiEkTc6^xP}@C)jwJs+0<8DiXCdgrAv`)4b%s|c@R4TT z*Q>1J^0xWkl5qZ)jGX`71{#TC-N+ZpT{SLBI~Imvvs+p@j zk)~-Kj)@V{SdP6%6=eGZ8G;XBRl@;{^Pfu}9@MnjTcv--_SI`vr&_e_rdrxV3w5}tKQ0b#+bDi8grR{>J8e^(j7&C45VLLpNPYj41a-2|SJx7L)>xZ$qIXG}h@)!*dcI zgcP1R1{27S%5m&HzGSuYE!^uThT3bv^v{&X`KeTzEpk|nv!dk_sxE;E8JZGhi3e0r z44V?&xT2(?ML)~o{4oH5b;me4g7sIXOX5aQBY6;vye;St}=--5lKguy^{ z%7F%aaE4+sgR)UZ{%rms1H(UX$pU`LS&}D8Clqn7>!#XEh^-d>5~yL&{3TFRq=*l* z%!+a3c=|+3?eezXtuD7XNjE@se+;;5Cjx#eAs$+F+WcisJQ+NhME=YvysdEHj+QPr z+G^I?W>ZKBJbqLEB3J#nd}@d9nkn~iiTa~6L-tv;j{FdB*f+4}l$#V7rP@zDPfP=t z@2XBZzz(2RotivzEE^|aHsh>jFOYK{`rK<~Ot*HrJJ*o%He@%QBPP4`3xC{D$QwQh z8&=KSGsnxB=Qv{3F+~t`^;gVH^=8&nd4n6-O;lER4L;DejTWRhB&^J}y~`s)==8>R4GJky=7<8gFQqifwG{yuCx@ z`R7a^8lQ~t)OnJIjqPmWk(1ul(P~iDH+|ebTsv6~-q*GMh3ynvO~H^>8k*4Cq z@aAd7kYnkv=8)dd$b|PL2Lgh*PEkqtnbra5^~L-0YQ9N%*aTe>=S*$CDbFfn~DxwRUZgG9p z2FvVY=3_yEZ`9j8VwHQ#Iy%DI22(aO$sg(1#6x0K*~PDrYk$nepTD-kuCg|B*Y!k_ zds)EYHUjiZwyu8ycsSHsp8VXanrEG*V>PK*K;gZ-DQV3Lk*KND`uv;9ym)-`l|~(+ z;K-q+TYb|iwx2!onLwO7&27^3QJxF`M=#S@XR&4Z)q7jUWW+M&w+iVv8tkBId#445 zqi-?EitE#^`rEw5J(IwGKhPvc?%bP8OG}{9a5SNpY-N410$+iHR`#ESnZF)cNv!nF zr`jWRPhLI$W-h-T&cUBYD$Mr_Ku9GWRGZ9Q7dD}cU`}d)q3{tWG^5VRvCk~`yBV9Y 
zB2+Y@51x>iKRGiPO-**NeZj#Uu`-%Q#=p>@QWE@Z{Owvbd8+W0$98 z=lz`PWYfT4HMz0@3F?LATI?4no8S4rY!shsHhy_A0j@RXJImZ%Ew6~}4|@5!Q0u^T2MI*9=O-W+4#1tkvfV`joOxq_*7mZ-HlJj^Y2H}fXJv~ZeP)#Ll% zD;c9Vc5F6V13MopYXaI|LRqm_1fq+-+KN2w~e~~Zu|*^n&P)UH-rG` z|1@^)@l5Z393P>Q>QwH+D#F|jOD=_y3S&ZxA(pb-nfoQjN|dIH%V=&>lw9UgX6DvG zB!)ALFr&E~WQw)i!ufXl{m%L4JkI0s`TO(z{_**|KJVM}{g%vAvk1A|guR`s+-Uk= ziQRv4y{MFWFgRA7KYEn43OgtAkYB7oV@p`7auLu``&9sO zJrks=DK4l-h-I|f0Xq>+6jKEGh2aM=MOcplcFO^Qr!sPT7cu{V9RBBj0LZcI-lZ{H zp-oWo@ln=^hlf!OWszAW7FPCAO@m!)&yL)1pVTo1#8NLs1w>zPoSm9vCScv)nWWSy zeoMjvrUz?p?EI^)g}DUnKip9J6`L3?_m~!EY!UB#9(7XoC4H_U2Tv`yA|+)v)@}}t zMhRW2%*gb2z^M4GQPTsJCZ38NynJGyi6S5Fah z4rBQN-|Me_%2$`Gek)~b5fP1!T>4FS{M%w*1eogY=XRaTn4W7Jc}()`)f5I4Oe%%J zX)#0ZwozZ!n6l6^G;K{1Jb%O9%UQM&w#CLB8IUom%BNIv+V&$VpNB1S*>QT;?^>+u zK1nt`5^+L9O>#2W`4m%T}y;RpD(TBxoG)v(i3E1!8qeb_~EPUbY(B( z1@nvs+yfGi0l5&ubn3Q<&^(~C`bDKZ{Pf=w?n^5)o$+0tueI^mUoSJ16L#!}Kl1gm zzH0!71aU&`m?ICR;a|4J1O>ySZcE7fohSIr&!R+_yFT;tTZg|)7nX;CAn!w>d==l<2uA18}jY(67cSxm*8mGI@Wr(#un|z=L;~efRRjsz%MXg3%w+ z9I1HIlPQ~>qy_Lphx!!o5pLVnD%(%mk4)-~&a4ZTLjJWP>BiNY@WLotY&&=B7R9@z z?A8H{+sP?R<7Mya3NyUZ)X`d;%*B>F-o1(W6*``4O``YubABH5PoFF9$~AIw+PcfE ztKA;B>xVm*-|jh5uBo1(GsZVGAQqUhLWsE}@ZqDNGf^sg$v9mABoNmg{BeX!a*lU9 zA~lokO6iYwmXDo(H;D04EWl=wiKMs>m=N_Q*BQ>nqGTy{nCC;1GA?-Y#UsT-T7hi; zT(7(G`kMbw!#gbZgCu7@w1y;`^tp!g?=%heZ1v^1#k~Kmn90-H^!=Ln?@JmT-JcK= z{%AEvu&-WQR%>C_J$^p42^4!*n#o5-eorZe0ki-EEFCAq^@^7U( zyc2c{Gi4x76cQrFQ?vn`y-E%f$8JYEMY8t0gQ$3eeFd6#@)7~~9phUmfM+s>`YY%g zqWY=VPhpVWj>j1tmC-cO05ax^oq=qb z64l$d$DMmE%W3B!Oe)pO1sGVk3A#nYrJwf@=P}&t%(Psr8yIesM`3)FD@wz;W}fi{?y>oeVCxUtw{tLo9n+owD;Qa zi$Ih1xe@LVTVumV##F=ItdPDyUd+KAp3_67NsyZwTqR5b?ekP5^O6GdFhx;FXNpWv zYAvB9vQDHP{m3QnP1SwwIm&JR-ZbHGpvl=(q*K*nTSP#~0A#RgmYH?cwvuu0v1r3QWhYo)eIADd<^gSV*c)y-=zXv?xnqz$hP z-vDZ78nhcc$TegxTHE06w#*gG)=S@fNJPN)9+Gmc%^ngpEIXyLjjUm!3X?`m+dR__U`i88!3D8rtkt;^PVIJu z7IaSr)lKl_i#>}MVK9QysF{2xz{>fyG!iT@ZR0s4sn-f-cW%%*-n~p$jL_vaQRD@c zAikM7SS~W2u1B-tjMmU&UE 
z8iF=IfJ^gfPfs3SfvaZT3Fe>?c4%}km7Xe8NK9{UHJ46)>LQ|zXSnSz6C&Rd2u!9W zsUozjtTkopZvgQHyJv=>hHvT8QBk*w2&~?>GodvJetiJ=!!OSq5%{o&f7zgNdTc%4 zY`dS3jkeW6fmG`_;c?Sft0Sj|3*(>>8xn@V^Onzlg)c!lZ5+Zj1ziVR3LwCq^s_C+y6>Tp@q^1L>q|MG0*0YW+?X*QadYr5+$%}; literal 0 HcmV?d00001
diff --git a/docs/service-guide/deploy-from-a-branch.rst b/docs/service-guide/deploy-from-a-branch.rst
index 2102addf72..089fd9b94f 100644
--- a/docs/service-guide/deploy-from-a-branch.rst
+++ b/docs/service-guide/deploy-from-a-branch.rst
@@ -2,4 +2,185 @@ Deploying from a branch for development ####################################### -TK +When developing services and their :doc:`Helm charts `, it's useful to temporarily deploy from a branch of Phalanx on :doc:`designated development environments ` before merging to Phalanx's default branch. + +Some use cases include: + +- Testing that a new or updated Helm chart works in a higher-fidelity environment than the Minikube GitHub Actions CI cluster. +- Testing how a new or updated service interacts with other deployed services and cluster infrastructure like databases. + +Through this process it is possible to develop a service in a fairly tight loop, though it's best to augment this practice with unit tests within the service's codebase. + +.. seealso:: + + This page focuses on using a development environment to iteratively develop and test changes to a service, ultimately yielding a service upgrade in Phalanx. + You can achieve the same result, without the iterative deployment testing, following the steps in :doc:`upgrade`. + +.. _deploy-branch-prep: + +Preparing and pushing a branch +============================== + +Start by creating a branch of the `phalanx repository`_ and editing your service. + +You can make many types of edits to the service. +The most straightforward changes are updates to your service's Docker images or the Helm sub-charts the service depends on. +See :doc:`upgrade`. +You can also make changes to the Helm values by editing the service's defaults in its ``values.yaml`` file, or the values for the development environment in the corresponding ``values-.yaml`` file. +Finally, you can also make changes to the Helm templates for Kubernetes resources. + +Commit your changes and push your branch to GitHub. +Throughout this process, you can continue to commit changes and push updates to your branch to GitHub. + +.. 
tip:: + + In a development environment it's useful to force Kubernetes to pull the service's Docker images every time a Pod_ starts up. + This way you can push edits to the Docker images with a specific development tag [1]_ and then have your test deployment use those updated images. + This setting is controlled by the ``imagePullPolicy`` key in Deployment_ resources (and specifically their Pods_). + In typical service Helm charts the image pull policy is accessible from Helm values. + In the service's values file for the development environment, set this pull policy to ``Always``: + + .. code-block:: yaml + :caption: services//values-.yaml + + image: + pullPolicy: Always + + Consult the Helm values documentation for your service for details. + + .. [1] SQuaRE Docker images are tagged with the Git branch or tag they are built from, with a typical branch build being tagged as ``tickets-DM-00000``. + +Switching the Argo CD Application to sync the branch +==================================================== + +By default, Argo CD syncs your service from the default branch (``master``) of the `phalanx repository`_. +Change the service in Argo CD to instead sync from the branch you've pushed to GitHub: + +1. Open your service's page in your environment's Argo CD UI. + Generally the URL path for this page, relative to the environment's domain, is ``/argo-cd/applications/``. + +2. Click on the resource of type ``Application``. + In the tree view this is the root node. + + .. image:: argocd-application.jpg + +3. Click on the :guilabel:`Edit` button in the :guilabel:`Summary` pane. + + .. image:: application-edit-button.jpg + +4. Edit the application to sync from your branch: + + 1. Edit the :guilabel:`Target revision` field and enter your branch's name. + 2. Finally, click on the :guilabel:`Save` button. + + .. image:: application-revision-edit.jpg + +5. In the service's page in Argo CD, click on the :guilabel:`Sync` button to redeploy the service from your branch. + + .. 
image:: sync-button.jpg + +Updating the service's Helm chart +================================= + +While your service is in active development, you may need to update its Helm chart and corresponding Kubernetes resources. +There are two ways of approaching these updates. + +.. _updating-resources-in-argo-cd: + +Editing resources directly in Argo CD +------------------------------------- + +The fastest method for trying out changes to Kubernetes resources is to directly edit those resources in the Argo CD UI. +In your service's Argo CD page you can click on a specific resource (such as a ConfigMap_ or Deployment_) and click the :guilabel:`Edit` button on the live manifest. +Make your changes, then click :guilabel:`Save`. + +Your application should show as out of sync. +Click the :guilabel:`Sync` button to redeploy the resources to the Kubernetes cluster. + +Note that some changes won't affect a running deployment. +In some cases you many also need to restart Pods_ in Deployments_ to see changes take affect. +See :ref:`branch-deploy-restart`. + +.. important:: + + Edits to resources via the Argo CD UI are temporary. + To make permanent changes, you need to edit the service's Helm chart in the `phalanx repository`_. + +.. _updating-and-resyncing-from-branch: + +Updating and resyncing from the branch +-------------------------------------- + +When you have edited your service's Helm chart in your development branch of the `phalanx repository`_, you need to sync those changes to Kubernetes. + +Argo CD generally refreshes automatically. +If you have pushed your branch to GitHub and Argo CD doesn't show that your application is out-of-sync, you can click the :guilabel:`Refresh` button on your service's Argo CD page. + +When your service shows an out-of-sync status, you can click the :guilabel:`Sync` button on your service's Argo CD page. +When individual services are synchronized their status changes from yellow to green. 
+ +In some cases you many also need to restart Pods_ in Deployments_ to see changes take affect. +See :ref:`branch-deploy-restart`. + +Refreshing a deployment's Docker images +======================================= + +Besides developing the service's Helm chart, you can also test branch builds of your service's Docker images inside Deployment_ resources. + +To start, ensure that the Deployment_ is using development builds of your service's Docker images. +The best way to do this is to edit the service's Helm chart for the service in the development environment and to :ref:`sync those changes `. +For many services you can set the ``appVersion`` in the field in the service's ``Chart.yaml`` file to the name of the development Docker tag (see also :doc:`upgrade`). + +You should also ensure that the Deployment_ is always pulling new images, rather than caching them, by setting the ``imagePullPolicy`` to ``Always``. +This is covered in :ref:`deploy-branch-prep`. + +When new Docker images for your services are available with the corresponding branch tag from a container repository, you will need to restart the deployments using those images. See :ref:`branch-deploy-restart`. + +.. _branch-deploy-restart: + +Restarting a Deployment +======================= + +Some changes won't affect a running Deployment_. +For example, many Deployments_ only read ConfigMap_ or Secret_ resources when Pods_ initially start up. +To realize an update, you'll see to restart the Pods_ in Deployments_. + +To restart a Deployment_, find the Deployment_ resources in your service's Argo CD page, click on the three-vertical-dots icon, and select :guilabel:`Restart` from the menu. +New pods will appear while old pods will shut down. + +.. figure:: restart-deployment.png + :alt: Screenshot showing a Deployment in the Argo CD with its drop down menu, highlighting the Restart item. 
+ + The Deployment drop-down menu for accessing + Click on the three-vertical-dots to open the drop-down menu for a Deployment resource. + Select the :guilabel:`Restart` item to restart the deployment. + +If the new pods fail to start up, they will show a "crash-loop backoff" status and the old pods will continue to operate. +You'll need to resolve the error with changes to the service's Docker image and/or Helm charts. +After making fixes, you may need to restart the Deployment again. + +Merging and switching the Argo CD Application to the default branch +=================================================================== + +Once development and testing is complete, you should submit the pull request for review following the `Data Management workflow guide`_. +Once your branch is merged, remember to reset your service's Argo CD ``Application`` resource to point back to the default branch (currently ``master``). + +1. Open your service's page in your environment's Argo CD UI. + Generally the URL path for this page, relative to the environment's domain, is ``argo-cd/applications/``. + +2. Click on the resource of type ``Application``. + In the tree view this is the root node. + +3. Click on the :guilabel:`Edit` button in the :guilabel:`Summary` pane: + + - Edit the :guilabel:`Target revision` field back to the default branch (``master``). + - Finally, click on the :guilabel:`Save` button. + +4. In the service's page in Argo CD, click on the :guilabel:`Sync` button to redeploy the service from the default branch. + +Next steps +========== + +Follow this page, you have iterated on the development of your service and ultimately upgraded that service in a development environment. +The next step is to roll out this change to other environments. +For details, see :doc:`sync-argo-cd`. diff --git a/docs/service-guide/index.rst b/docs/service-guide/index.rst index 99fa88a6ed..a18bf8678b 100644 --- a/docs/service-guide/index.rst +++ b/docs/service-guide/index.rst 
@@ -26,7 +26,7 @@ Service DevOps :titlesonly: :caption: Deploy & maintain - local-development + upgrade deploy-from-a-branch + local-development sync-argo-cd - upgrade diff --git a/docs/service-guide/local-development.rst b/docs/service-guide/local-development.rst index e48a47cf09..6b1aecb31f 100644 --- a/docs/service-guide/local-development.rst +++ b/docs/service-guide/local-development.rst @@ -8,11 +8,14 @@ This page shows you how to run a Minikube cluster on macOS (amd64 or arm64) usin You may be able to deploy the entire Science Platform, provided that you have enough cpu and memory on your local machine. If not, you can enable only the essential services to develop with minikube. -.. note:: +.. warning:: This procedure may not create a fully-operational auth system since the ingress is different from the production system. As well, this procedure does not create a TLS certificate. + Instead, the recommended pattern for developing a service in a Kubernetes cluster is to use a development environment. + See :doc:`deploy-from-a-branch` for details. + Start minikube ============== 
diff --git a/docs/service-guide/restart-deployment.png b/docs/service-guide/restart-deployment.png new file mode 100644 index 0000000000000000000000000000000000000000..ac172977d3deb6ff6edebad111142a27efbb9098 GIT binary patch literal 37537 zcmZ5{b9g6BvvzD_idC&RIb^e&^nx5{yySi$o zyXx+mFgY19co=LLARr)k@n6CUKtRA}-)aTWeZ< zBU=MwS~qLE?|L90Zaz0VeM3uQCxC&msksdg(N#w`5y0Gthe(x0nqJyY$k@#MmxqI~ zqKAx4x z2N1G#Fb1&F($mrt@xlPO9gIvk6@*3q)A_r^LuBUUWXDNI=j!T8>&irH>tIU9z`?;m zN6$#d$Vl_ug2vI^#!26e#>SEOABg|L5H@x+bTGGbGPkt>{DY})VC(F}Lqzml5BLwb zv77n-N4IhO&-A|)LHAD$9Rn>r-M`KMDRIh~yBS-l3!7UT+c@(?jGG5()gwf|Mi z%)#)lECB9*dn-E{I|$iYe|L8JN5cQeC}8!U(tn9;W&V#~oL2faraVM$G)BfI`p#BP zM7)ZI4#wZ3n%O#W)BQ6QEA#(g{9F2O5bl4a=KMb+{a26wrHp@c{BOT+C4XCs?tjen zUHBh^8{2$a+2Pxq(D1PCKtM3{=0ZYp;zB|IIR{%4b1P#YpkHB0DUeDDt0;a~UnL>G zfuK8sw!lunVo^MRid5yH#r@<2p}>GU>RSUW1%$!IVXB$IRf|S6kO#v9h)RzGs6kHK z)oSx@eRhyGypK9vxAr%fbPsd5n4b7t9Y}#<&8_n2!IOaj%CQtMk1hpbq9XJ5(?Gzb zpfI&yN~~l;BXDr{kf9SN-Q#a>Kp@MnUx*fm7)CF<%fe6&2@Op@`l63I7rcyK(XoUv{uV`$k}qg^ik!{c?MxW(s)P zF@;iG;rKc_d)|&uC(0hri=kG?A0fk>{iQ9Z>yV!F8{A$Jn3McxK4Hj*O76f z;3#$c@jBsLTKzBI@QoK;GKmZ+l~c4kRyLs{wFGSPemF)O(@`o-`ZSdcLc$8FJGJ=x z#=uM{$JE~ty0pE>eWY%80@pBY5`^T1X;in4$)kt(OdgiKj=Nj+_|CMjJl^<*hNH71 z=+rv~CZeBB_U`!Ecf9&2zWT)(Bq{Vi<^E1f-XyOu)eDk%GR47ibhF9bevi}T?+CX6 zgb2ltlpDyu16&!q#U#e7pZ4ecgbQY4{x=7akDvi*R+tl3%oK{<#E%)8Ng5j9)XUXX zsvB0fVhq9{$Gc|c!Vt`>INntb+XyO%Tn+;954){mPaq%(d?0CS+&Xg0CDu(DAkfee zTVQx{Q21O>IDZO-3>rJI>K@eR03alo{2qrM;4lDsXpclKwiVDzF48$rhX58k6r}(Q zJA{m%i5-L%m}(Ea9pt^Am>v*ZAch|9AIJnGuw4M7a8M$l^e;q4e`-RAeK>c)PdR!t z@IgW7SRfRkiacpKLM5;yfskD6W7T73C**brX92`q0W&xcQ14)Qdg$Wb(^}p?NG3f} zD~Jd|DZS8koSCpkz3V#)tsuNGY`qw}IChBKK;3?1azH#3#wk^(XLNlKs?z!6|Rpfz-_7tC-~r&bBF1Y{ZV&?~B+P+L)} zS@%{4zXH2LdyeD+64FnxCuJwo3WST35;i`3F^D&qHSD|>Y)^2b;3oa&=N2qM6vhtQ zU&-sHXUAuocPO8DfY1yvI}!+#mLP&Y*Diftl3fP9R4U0B3Vf){fSdt}J!oB`n(QB` zbF!|a`1rZx`V^S>zmioclu4Yl&dL^Yr>Nr5Mp6!BgRujJ)`gUF;B%mJnv7|cvMxWx z5|~EUM_BeH_sRBS=9J8t%#)c_J+hqIoD!T`?x|q>^TqTPk`)~&ekLX)t|z82f?;`M 
zxnea>Xrwu$%`$6YDy>%4H`Om2i5=KEygFn%Xti;-Nwi5i2q~c{hn&hB z$g#;ID$*&2n5(4&M~O)0qt8Xpa+>emI@~VZ?%uB69^9H9K%&XPyuwfip#@#QkfB{t zd8sI=8d2V&wU94SxlsAYDJVNA|D`}DXCZ$e_f{#U@}wlAx>B-H@u>_@VNiiqP%m@f zKd2v*R8B81pcHH3fB1bW#G*E-Mx$n(q*1gc-309n?`-Rw_p0+Cc}mBE#;nB>&m7J& zWgcm+z>>xCl0KMz#F8_Aa3bXa)0wy>L$Itce>;m}i8pt;kiNh=gD}5Ux|#c-7E;dYYhW^LbfHu6%aexg<5_Hi_Wm6c(pnU;;$Iv8sm%WlRw+lhvsx?VSbZLWbp4aI1p zdAhNNDW_Sn-l1*tY~||tqTpuGEUYW-x!UvO#t`@5d+iG`EC;M^MAVO}AGXv{G#tqX z$xoFdDmp4>l^T^gni*<$m56Fjt8&&q)~%Y&8(u6dO{wauTJRd?nkX^+j)?+A{)mKNz;l>$)ny@Yz_ZV18D{yq z;M>hQ=yxc!ayu{DAGG7!VU zO|E6;A}^*7u75z^dN=Vp^*a3;5g8v@1Q|3AmUvlsD^wxuuUM1tUVeW;jIb>AgI2re ziCv_$l+VP6F~oR%ineBTJ-6}8DtaRNIXamkLmhHmQ=RS#@Hxz*FfNsi?gsmCRzt{L zz}XnhVf0O=o5-Iyx02`l=UK3l-`dcIVYFdC!{}Zv-x)v8NOB4T#R=j;<16Az6o?eC z6>iGv%1Xc;0*nMa(?vC0G*V`SQ|WMjx&GSD;-$Ss#T)fwOg3&bnv2~%E?$v)4|Jm+ z=cwR5+Z(%1B5N>i0AFQujC5??kKFe-_^gNN3~wm6Zdy8puYg>pU&hsdt%}lIZ7l`_WzH*m3a)%2mq+#&vn+w5qO6qM4}4 z+-P}IU2NcCFL2YbN#&wTRY%Lw8qzBE$251LyV1DjatqJ1JMm}oLt;k~+qvR;i}7~I z$HvDdq!!`=ffApZ+x6Y_d(InzJAp;{ObvP2fQpGSFBh&)>mJ4s9gCP!G#dVk#?Mmh zQiN)on!1XzGUbX*9mwUdv!UoA+)l@dJvGTr^N&1;py0l}oz~~)J6%KHPT#&O;dSw$ z(N{%}l1CN=9N6^S;>_Zk!+}Hpa4D*)-A98 zN6~rdjEtxjD;pMLP1;S2E02v%hZyH8(dqc?>NowTHxEM( z$k$fy0z?J;KR&4scDJ*yK2pBDhH1k;Wf!uQ-fiwZ`~5C@Rs~{uGh~Ibd9nY(bv_gC z#nAP;PmfGXh%$>=h|-8nN4iICx_8~bT*K~0jHbN!j(xUWCGA!y`nG*KJ90aCJvSXc zEM!#KCT**9Hux;FBD3G@d!N3IB7zen@u~P4c%44u-nbh%9AIpu%+-kMYIeVPpXEqo zrK8k~oTteH1yQr};`^~F1H~2qja$T2)P}$A1?xIeNZ2{Vai) zm#^yOd*}utfq@1~Z<&Mw0^$b}7Zy-*13uS=)Wbcf!++TFOsO<*9*y_xM>j0@p8*9H z1b{<{GWS>;-tnWq8yr8jmI$J#4+3sI1*>o?JS8JYJgU zb$0lEb@N=D^L?R(q#riJ0>lao4dp!A@f{RV4-{VFk@diw1oXVTK)R^Ne=EZ}^!D}& zq?AJ>b=vKM;L`EI@Ad*Cp<`RgX)ejRgKeuyo37`US3^4}pb!!<&tL~zH#3k5uYB6} zSm|lB5}O`;YG-EU+3Lx0q+MYFi}FK)NmQKa`?!>=W3j-;@WLse8uX6$ONY#A*v^)( ziH1f%1*%IDSGuBbJBaebg5f5rE@>?65=8XY|;;8J(DUv7p?hdWOj9XYy;wcXHh*fH%w>2Qvel*z)|}c`tgBleLi;R%Q_`I z0=y8}l&y>g(ZqE6WQ9c--|^x&hJQx}4j3djkhtL1=dmLu7M4H8*VDAgHcC9Z5+|Z8 
zO#^K&28=KCNhFzSEht#~8wB9TlX#Nql3}S*ahUKy&0yOJM0cy`@UT7`W$mC?umCQ8 zvtVcF#mI506(|0sO)L^RLZM{85f9Y!t6RUL?;Fp6h*%#NfiH0P*E-V@lUrD{5>11P zqqBeSE^-(`M#vzP8Uiq%t!yefkGHaSW21uqEO|_9V)u`O!oY-t1c&6QCze*-E^;=| zckfQ;YN{rfJyeWbWR~{sEnOh%R-T>x!pA0(raVa>Zq(4KpT{F%M9(|(HF^hgLD$Fq zi2Mg98pka+7ubq>m5+`r%=AE01@V!l!lh-yJr_(MDj|OL94a`URlgx#11lod_$c(F z#~$vpp3i?{dRItP>$utyxVg9Yw+}kPC$s;uarl8hGc!W&*4~lsjizqipnvwbd9546 z3oO){WWQQ|uyb%={%F6V5Mt5POE#j@aLzn2`K!6;?(S&HK8`)gTs6*BoB{0;RN~G$q}639jP9yzj$@lr-@i1J~Ij+&B&uMcPUWyXB1h) zWumm`0Egp}Hh$k&~ehW(DETBNm~5 zlL_bbQu;BZoO(td4nWML4nn_kP-1il>a(yJ5t#KyHLms2`O&%;F|AS7Spli)hR@$l zFLfxUXJ7ylEGA}O#ASh8Z2gI~t`n2awqj-5#Z4^APX}gZELct5WW0ciL2AdM1(t%@ zQwj+Y@>}`kRK$IrdHNy!cN*m^Hw&8`LSNT448?Q zdcyQ(;{ zU!?|$9^G{0kvR|41o^b()j2R@m7W3EIhKEAA{clAl>#;ud6@!i7;3fAd6+yZ67#n5 zoueP~VwJj4&10Se1hJj~n2FI+T^u3iN`LbvmIjjV<(dSNT(c>uaamg$g(x0RSPYc~ zPUKoK1$Kv@LZIVOM{Zt`a-O>{0i9h>3>vAZA2K~J2-BxA_{&RvnMlly=iv`5U@8&6 z4c*uL$f=+npxKx`oWOJmnHDw{%;39sP@PrV9n^ND)mmWTt z$wmX~G<_?ED1SOstY}L;grnrTJCxY=@NLB}l!z-{4U&Nx7pK%495wy=LJUC|bF?*u zQ|8dFNp*4YQ`xX#(+H^JN0mAeFgKYhMtKmHDZv#5(|Bu!*i?<9mhl5 z{eqJ2G_9y|%aL&*PV7A+T9?Xmv}b)laA7Lc^}U@co0SY3G02!eQshDNQl#QeHJmU% z6$5*lqLok(iVLzCU`=b&0x9?7h!l=Cj`b|x%)=~Ist(TebT*K6y$cggI9&LzSN-Tu zYZuaSK<-4UDKe3MQ>;SQxjKxVUUih% zScUr4MQAL%*BJ}(8Ng8N3E1Vs@vCUt<$e+zPL#q6sC>2GOF0=YEM)LH-xK^?ZbSpo zV6ep2LbLFR-ce;kCDuEGni;1f0_#kYeyPRp-}Y8_1{Ds`y&qvwJhw28{N-PnTZp21 zSRI>&R+DMH^me#(S8M&n04SloYnVqnAD-kyx|GsuEKhArEk2#7T_pq22%W# z8I4|QDDSsh#J*Po_Gx}55FyOD7$;_7dHSl{QJj>K(lQqc(OC)E@cGj#f8ojdybN57 zB4ziX*zNGJP2hl&MhxGe4}ROLlAxq3j#VmY+E#c2O!2_=7)pIvwfU@M)2( z);+7cv`S?Tp1mt03$3>;JL{XRG2L7udqluYJdoqdlK(_K45o*xF33n~LjDc`J2svx zT1oeD1>Nt)6}fshSVrtlvlwMsP8%CL8ec}O8Emk0gmt@I1KsL)@<%7Li?XI!-Yv$b+?`G&xtiJ-er-Y-%-v$WmaZpZbOMGJ=@Fyq@k4Culvb? 
zZ`UT$uM8;{h{jZdt4A~JBpfc~75!U(ike)%zg`jP>FE%szMez+W(K(1?axn;Q<*M= zI+hloU+R7L)0io5!%4oPi!2X3>oSX(y6IT*47J@k87$K^yo^!-L<-UDM%Ctb_)TrG zhd!9VZ^C{XL(%!68rl0;HEz{U4vmI@(UCi&vwOUcy?5N- zN%Vrf68xII0$Mv@S^f;ux93G-$ugMS=w!=Bn1{ocb?-eDd017_h?$yXA)))rpfx@g z8CbhryM61=4>`6f6B;ItV_a8p4UEx{pC`MPEC)Dch!mLR=FG&Yr0@iJyLpt``TBrqoY7-0)13#s;ktBVGBmu>GIP_#~CZ~O`0M)?637rWRS=q zHKXxC!wP=R1uSq@T9bEge}gd?Ca|a;3b4TxQ9-e?bI)5wkLC0y)-ECG=1;>p^2_3{ zSPoQZ)1t*j!E7~A@~Y<;H5rDaD=T#1&eR9`HA2o@?*=N)4^xAGaC(Z7Qg0z7BGpOa zA6EQ*kuNPR4<^{OPw=O)cNXp8L;?&|N+teyT;S`~{|-VV54^9*bOo>Ge$pf3 zlG9u4w{6t~hjHhQ}+6pKdXX zK)kLV&Wyy-olSQv;kGH~Zr|ZXB&E@8tNvP*KNaarq$6b{B!}kXRrJ^l3Ct1bGl(j1 z%Bc~yDk@jc@Ueq6nI5x~jl+l@fx|YK2q{!L+kh)Av+&ES|J3q)(OAt~&~9{f5_I-1 zXtydTI%6a)a2|ta0O1781S80f0K-&e(&b7jK*A;dr579~XV34DgXG3#aLDLC#$?a0 zYQDP$L=rhJ1<6ZhiR=D8BLcm?dyM~?u&A(T!>JE7NRU7*bHP%HIfxSW15|QtG?m@I5?VHkQV8O> zc%*|{0Z?8R#?nm6gR#m*;#lajyApmiZ0|ee$`&DR#6M$KoB?dKe8;$f~Q^Zg13Aw1~kfFi`tD@qLA>>{B(a0;bfF| zCC+npwC|ceKXY$v?h?>-Azaz4MasmJ0*IY&5eq=?zFuy9cLv$EfXj7&;kG;>kPEb?m$p`z_c zyzACUOch4iEat3YW7 zRnW){^UrO}Fra4}(L!$GW8bl+C#yvZv4;09wZ~1j=awjGFZ*GvC}O9{6hGvCRs4F{ zR3`u#?IlV!64nq2*Iai@mpa4j=%xFSus|jV~v;V6)7$28r@D@mrEX~wlwpdfX|o{B-Q>mM1sJ|#?@F%j6ecCjN0>`*CAw|W%P^h znQ*(G(Ku{9hqf+)-g{WraqATd{j|*u2^eXeUJFt7r=+ltfGfCsL{h16{07G&VZX z&%z?rUUYB+Q)#y(Ki*$Ww*?7?UXx4OPQ+`SWZJ1u8ni>c<0EMoI$vZ|e7NNr9coFU zkKBMc#d^=Rqb~gml%R_N&uVQ;l(4{W{lOb74HQ<`2U$o@q<_|$#iXZJP{Iff))_m_ z{r3A=eoI9!eB9e70XTp(CK741Ma=qbsX{F`#dy-mP$xKA8)Ena| zWdw$ntQ0DOK4pA7-dfuTQeJLpd_tl_hU{W%n?oH%dmJP((Q=@bAz{K(O;QCI2adb! 
zK5}u}+myae2q6e64W(~2`M?%{qdUAyL#7Aww@qK)nHEv5Cmri}+nM?Zva|a@QBUW^ z7@J7CJkidN9=IJdbv`J{mRVOOYAEKhATsX!NuWg^>OOXt$L)UG10Xd}*MOSsXgHiu z2RCLk7GZgL4c5{;dz%B8NLQS`9y-QmqnSdvm{du=jnkOL7lnV5WPVcMzcP!W74`}U zDM&$@321+ZuN9jQ{xW=b5{ejX8Yqw(*bEl{-w(Sa?iV^pFj{749hMrFz3P%qCe?BC zlvd3y__&VE<=59u9~)&l)_gnRQR*hFX)`&{H>Q%0s( zvygN*lNN@Q*H@-FrzBr$E*BqD?|)O^QJq7H58^P#?xt_D8loOFlRfw~I#^@#A|oE= z?-QDi*`$`;HL*mKPE2pjApPl;TiW+Gm1Hs;6>W@nyImVoa{UG2+2YMcjhjyvld>uu zaz;nVYnFOsI!OBsQHX{z9(k7c_M3Jh)Jm{a&rfd`&3jL_bph5#BEX?J=NlFd77~9U zsUC)r{9RxEnU}KEAHxf+X^-2;Ih~qC9eM?MU6KCFU8;O-hgp;#6(o!jP0o;e)7fxA z5!S?*RPsY1{Z^pc_(h0AcixRdmInmStV~F=>JVV*riSNcvP3~@9(0{Mz{s|y9CO0-{DTIEgQ1o%d8KYTVjgfp+{nP=*6S_T_06qc zM~yl$Y1+9J{FUT4SIqi=Lq{5D;?ZA-^-H&eNnY^xCtPge*q8-&v9o~Z1hl;V{9Kbb zK>m3dGFp}@or?=tWnwZt*(U6_fL2?3f%c!<@c??VJDNF&loFqflE+&G>tIo9cXAG% z-1hv?jEVk6!qa{{)u*w#*~KXF4AwR{Vt%Mtu&BrC={)t>@LE9V@@!$eRf%jaQ#AjA zZX9LWt+#t^Da!Zmmu_|1U{7WL5ibs%Q!FzwwWc+p;e)H-tvfY=cVL=#*p8w5CwPwE zmjLYt?(Z#|&CG=3xvMnRK_0DgNj?Z~ES5#tun4d@TvbvBRZ4WC!}5tzbE|v%!iiD} zZM=eFZso}IxiW8SES97a-b5^xq6!?;0|o|=H2}W=Q>ef^awrOsCW&Gf-MFRnSye4c zlG90`L^;XgQ;~e?L)y|E{qJz0Uu6*hWeRc;YH`& zuQOn2JDXS6La7Ke=#pyWt#2VzFbj}qwKqy)I2d)y1kM}Cze7^Xp+Lrngi5Y$m|xB7RGucW${oWE4hUdqPnc}n>f7pUoA-~*&!39C){DDH z>EiEsS%TTb6=N3TFK~j?=fU=Uo&Nq-Dk`I*T9W5QWy;E6zzOK@OKNaxCxaJW8&}w( zA~f{U4o&qDHGspV;i^(@GK0IfKe%<*Nc(NR2*CI!%4&kz2a{5Tk$ifZoph2EIcx74 zccPKiK2;QRFCFsGrED30N*3!O_gpGY4Mt7Z8kmv@{v$FDXR`43St;yKhF!O|>X<~d zVp(m`hKyP)pH@`*;Vr&n;`pzV>>_4bd|2XK8j$5-ksds=uAd6z8UlZs z$u<8ptu|0>r5r+>sj0KXwk4Ba{5g$(sWlOZZVMq?{fum`XFY@y>LVuPr2yC3MBB^9 zUV{`FQfO|t6fJmrO;!PD@>z%dtr`jrfqGb2B+U7{YyjkkcO1fv}+mocI%I@1wZ$hs5g|U~Cey8c`P5Rcz64bxj3ynguuTw(E{Q@}f=OF2LzZ z&yAjzfEHGU{@}XJTC}GWDz zqN2_mhor2dhIAnP(3^tdTk(YA$0Mt84EEaN<3r%@M5XJ8jB4$wy!0jYFos<@bzc*W z7oK5>-KFtBXB6cGA}|Jb<^7Plsv6BsDCsmQOV&9iRyb9>FR=1gE~EaDM`-^NMb*A9 zrHi0|%OC2mcksjdj$02%=N|HTHfUIPbd)Z=#g5^uNdvXA_nCnm;oSileTuujbv&l; zK;LX~B{1;XX@01tkttpbOkwj_rSwM^^HYOPdIrLNj$l$+8N-ml@!K4xA$=kI=pTQc 
z&Od~vTSN&A79bSJ-X0YW2)_6{(I=-Ftc09!f08oi6$uhuco;2|KjgX?PGn0EzoSfx zj?xx*TAF7$e|bfZO+7Yl2Ma{)vE!5W0P{$VWDe(>-c=a4;>%J8#%(5$cws#_tcUcA zke%Bsv7KtrAhW(EoMz^%gnc!5tVE8jl;B9&oc3rL1WfR2134n^wHc-1nWv)S=E*oR zER(9JCq^M)!h_l%bqdN13Jz_=Z9JME29@R1xrx8VEYu}{rMPE2F{(3p0dUQ`{^#Gf58q00n!$tTeI1Ewq&a;cD|6f~3DPiXNjXeMA@n2f0#X z!UshguIppbrqrCXLRk|ltS%s!1HBl^Xt`P^bXSn9f7pD{&p#;hCQtw)9}zCDxn ziR4Z4meGy)%%K%{aK{jXbZ7mMvyL(c3wV@BZj);>!+>~5zqnLWYEEFMil$?SFT+)^ zf0Z>94jRo%PB`x%l43OWsfc2@$a>vnxYC?&zy9Y7h@&z%3i$4`!4tCE%U;cHzxCVi z=LNJ%A#`^`<{b6eUBT2}w{+F#p*qTVhQ(Dd;qzr}%KjMR7<*&sp(;~UAcp8`greTE zPR+TwkI3P@VFR}?;4i_*v6vu|LZBs4X1p54$7uL>f7vb?o7sEWq2%B!IYq_LL4z?% zoENJwZ@ZK>^W7CMqSaCV_#6)$+!i^qc!=WQ;`<*qBLJ>Ak2sZ>EG;6?h^hs-EM7U8 z*?1T&kx4u($T-98pZxjA=#t>=^}M87i<9m=IaGVEP{^`YN0?3tlDyyxTFXgM#$nms z5s3lvU`zT=rF=#ue)EZF6qD09TUvdGdX}LcWyI~`>1l8{{KMP2!>?o)Ii$!fB&YgZ!fN^a0G?7O17iKVr zX0SU_uGoQe`^STFoKFC&G08rzp25bQAai>rH0;6-&?3#se&*6Ht~|c zV@UGJSXpc&2J5{{z^tHwU%A-j^{3vu7Tyz`ymc*XCL7x(Dy1W878|#| z)1i$=jxA^BvAmt*ZSCmDFeMg@_y7)pViYryF!YeV*%w;~B7Hc_~h+0d^rX2Nsdl5^~e%efDzJH!MGp*-0qf9K{+}&P-mMcG2@1Fl< zZ}q?`!GOg@HtSI)+)}^UcK|Zjz{>CtE;_Bw_arCz02SNMy<_>&}y>_CtYJoU@z^*@%d@+m9{sQ zR=rynNU~Aj$EhX(zq>Na?;x;mQbQ-^2=M%n^M&C1T=UjDy$p#!K=nJnUgCN7f{k+F z0O#8WOT_|?+YLQRv&2*pG+H=3ovxj=sJ5Qscz^fB5B%@cf{#~$=i|Go+OHA&-j`8n z9NG}@m*hK=5*Wxh{|M8`UmCp2)u|87+HX5f);#Z5Ili#kn>^S3IbSMnAl4Un*YB3L zy$QZvcbs;OCtKzJj$d>;-tUY|>nGhWr`J|86|0B@K0K1EOCy|Jh+<*ypE=A#`aK5}HN5AwCGWNs z>aj8~0Hb2ojjx$+L^`r-D?&ETw4JPt?>b5IoNss{eTH2P9yT29lpW~=eKQXY9@O*q z=b-`-A!;(GQtQ>J&hqNuTI~)LZn+nYA#WlWc|k?!GY-}8kNBLF+-!8RvZd_Gu+o#J zapuz?827~SGr2iGj$2qHQhXvUOb0KMgbWaRLnaPUW@fX*Dp(W zwU6ZHBYmIC=jYO2ftV z?eDA+;GI356X5ePNmc&aO7<1+9jMlJEoR;Pv)Nhspi^QAYXz*iAJalZALmp!`rEsP zv1#dW`1lwf4phuNY>|G@NPuFM00A=z88)cdDA7cp7Sdw}jRc$LmYu6JaI7%<*eoxG zzc}b5!D?RR_+u6WHxwSwg*UJVvEsV?r1ZQpaGtm|=1DwQTB787J$$t6yfCK;*aT6A zk#S8V^p-{r{r%PT%$A*)*w~EgGv?^BAIQW`_AUX#K5t04RMh^iysx-9+wAX;c?22O z)ajfkX$=hxOfv!`)#ZZ?#jnX@4V)%C{=Svb(Xa0B($d*K&k5+VQy@P;0~sg6(&j$z 
z0_l-Fh%PO=zfMvF+j{f#$%nj;GHN~D3=NhBUoRI0l01sJCM`#={#K@UtHby#v5oVGoyul9y_?r58Cl*W)>@$ ziyDMBa(Bg%9h@d8tFQYDb9aW>+1lOk@!}%MpLsPkvU&@L2$cEL?^V(2h`SO?^V;2X zTb8t%@V@S^;LoGJAHeS)UO|h@{>j`_IxCt!$8p2G7^=%#Ztu&}KB35MnE(ipt?suo zCJ^E-xThRLqJHooCgk(Ct2VsP*J%v@$NrGmJU*{4p86UV1%>r`Ym6(^2)&zCYN(m; z_8(aKJ{t8Z@&{5ZC@KA4R7UAYn-(0E#;cK}<5?SG1|AO#X zhL4%q3;H8~s{LVwz$jMmSX)5%6t4}N5ZI`R-ub`>2a#aZ(g)Z?zZ zo0K`v_h>CndMyku>1iDRtn z!O+lC`ZnIRLL;JrqprMw#KUgnR8bApu0C*TxME6J!|T4T-;#-HJds*BC9z_m6i%cYk>2<~JixH8xW<8cyM;YUORY zjKjyKr-PWgDP>iw9P@Hffl7>1<)VKayydT~4X@)gTW>?3Ema5HFRUUVBO@#xKMN{y zvFUUJtL~7;%>^D4Q^4~9RBHZ!QOahCHqhzjZ68QtoXujZ>Vr9n@sAPNS7@uBePXsk z5a;rMZ0X?JmG8n8PKKj5zRjZ==ABsK2!DI41Vq6+bdIdwi6R9Tj#+xug|b}13xtzr z(m6K4zl_>J0|V!qV;mZocK2kvk)(?1?SrKLo_2Nlu-hGnR%*IBkr!5H?c@T~IlO6) ziOrW1F}v_OVSc0}`v)d~M&`{OO{z9rhVZ63;H?Yzr8Qk}OJ;{5BVP-|xsruPjl%SR zeu@acH)OD(5I8hQ)#$uphAVu+zk;W!1<2Ka9aJ$HzWaVV`M+}rfh}T@Bla(g*NF5~lrV9rc)*D<7esJwMQYTO z0SZVJ)n!3no_E&z1R9Hm-vl@qVS5^$8ZpFgi$vOU>|4=iEl*q++o*?93t|= zrQOfBmh2&zb{}hD7;C z%Q$-(!k^=pi!V=;#)Ir?hIG`C8VH|C_6st}DQF!mytXVhqb!(otjA(Mp1ZeSF@-jo z%V=bbo6lFs%)WHH99~1h)#|`mUcMf$*n%{}H!x7KAVzQMjD&yF!5c@!r3YgCNCPt>`;=9M?SMD|9N56`G@^XUsIJ`Z9 ziPGduEkA|;)l^j5Uu(LDjpvJ4(beCbjVO!*_qy5Kr zwyUX5cvrmvm5{uL;53#aF|%6ifNgN5+JisW5nXj-kJOk`VIcxW5pCV1fIMYj$9ZI8 zG*McIL$=Ymh{uv~9UBMFe=*|D`7-C4tgenxWJk@*`wsxI0N z88;-1fZsaE~+0UM@u15r~h)5kDWgq;H+?4Ec0TCXr;^UQ|%w45rwqAcj5y1?| z@8f3}8_(anVzBZw>GzAQ*~r}H#sD4Q70B5hAW>Q&reZ)o%$ip$4)*D3jUp5xOA zi{EvHAW#-1d?M`hL-jGk^*kt`Phn(SDv-(aY-c>{Z6~k878&zJ-Ra@=^U%7MJcbwM zq)ev}Wg~FA^+Yl?BMYIkmF{csvD0oDUKQGN4MXxKsS40zV5jLG&yAQsv=c%#kgRfV z5&Tv|G+Qo?7l)eooiJJZ=1XuDR!LdKGlaY+-c zlI`nujsHv$o-ATQ!B>ocdxQi5I~VjTA#>m;0s9r0AX;%qi`8=m9NwYzhYe!}PbOU<>F7DI%%obp8Ur#Llg zpnSsSJ>`Rrc@TIn^sA&Gf9jhjkH#7pfkEyXOy=ul&yvLxxG@YRFqD^|-exsaGbxY5 zZgS`4DJ+M3_x?@qt$;c!x6DYUl;wS=ni=+>OE-v9Z3V#ZGDNY6+M@fch+9cX+3aRY z*(vR=XZ7t^zywv;SmhsQqpd>7r}zsV;`6E#p}C6Y%-{ZXd13wa_Wrh99ip?~&n~Y) zL7o$*j%7YQE!-d<*#*uA^6veIkcvfI0FF;ld#Z&OELB}|n`sYO6AIY*ZMt!rGu&rD 
zc~#w}U@kb+Xf3fn9RT~0oYSfLSa-2Y3>x>2jeIXd9LM)lOs!4%zm8pfARtHkj za;Z4-^yNjb2ux=4-~%6!}I7Ty;Wi`fjVrE?O(sg`B}*zv<@ ze8=~zSB0lwuIi2e>mg-eYf$rvO6wiMTQuqjKc+R1D^3Nde^R;2q@~~1 z|H-?i)@>rnAiU7Xr%j6w$}4W?c6QpML}@Xk7;0i@njPKBO0D_B&J8!XL-j*O6uaYO ztcg*P+MfGlv|&K9YN|1S*PrOj%BWFTUJ?6nxl%iN!qLR@ZRrlr4lQf&eYtZxWM#xI zFX{>b4|R&^L&$S)fql(9 zXgib2f0y0FFuUJ;4goBGE{^Ilz<2%Up5&WA<=T5cIGa>kk%4(8Ot=)QI7W`KtCG`?gvw1I*G_dHLh8>#g5d-Q)DLGVlQ#ik{5JC0tK6p)QJ+{Uy zf@YFIrkucK4xQ^IM&j}>4MKV>w6e3mrJ~goU5y}MnLeKtU!Mi&kqIFqP`@DjZQus% ziy!{z+0r0{>+~s`rK5)T(l2lj5sFIxJ^!V(S#~>4(_A#!hSG2SnqR``>}@_DtTZ+= zjNr~DDJbn}Iy{=%hqfAVO%(FeNjTS}gIAaUq!3Ci>~SW)S%3_JgixfO*Ql5XIr(YB z3trCMS@>=2Ejs&mVCg~k(KYmOkIP75xXN)MI;{fhB>_gVYA>0tFC-Tt8kE%AoH6X| zZX}mYk{iFfGfgZ+D~64I?8}c6Rx5#_w}(qmkb-D_Pbcj4fDI`CYAwk7WTkGMn%>Cw z&VR2b>Wr909xU6v3T{LkZ7JCLQZ5BE8P^q6cTGp9I};x}9C}4=Y^qN>CG;0W6y%`S|l9 z5=gqLc+B472U`-g_&=gj(g z_Fo{(HT7k?Lp8Aw5N_!Cj}pZtpR`b^2>vYbrlh4T&x4BWdg!{jf|jM(e1QZ*fa$X& z>m1cio(PmQ6^9&&mwh!glhJNZl0Khw{ce`OAF}f~7-1xm)p%)OTtNZ*$u1$a7%Qg;u-i3~N_2`rj`*E0^;YlvroI4!=p@x7>>=ix`s?Zn&rC#oX}b&Bo63J8(Uwn+ zQ_40GErtX%=luR`Ut`URqxw72joQgC(0uejendYlwWKrsC8uZ5ML^G_Tny4@ z^yQISNmK7S-?M_yMb_ICIE^cRGm?%!5NCKI3+6v>)cFV?yR1I&yS}{s4f;j7ZTA?t z&@Fnq3Lm>+_#a3X%15wJnC14@L>tKEuLFPU!>BQ6(+heeTvbo)J$(Y>kA-wMf@v1d z1N{s)_`%@EyI$^8@tV(WGGpo{>zGz?^+hxl*w^|*K3fT>;h(daI_`W%oK&8u23)($vUG>S)6C9;}L^y-EE#E^)< zT%8apC}_c_5L+t&#Jcy9gEY(QC(E{-zKld~_~xMoQ*fFG3PP8*--JUdT6%XKX^wd@xB7Hf{)GfOr>Ut~ zUc%w9$F9`t`I&jKrdd0699XtIq(TvPr&Z_>6!^q`BARhM3{W5%lsVFmGG zg^F!bbf2V!sWImNQg|@XA#6ysh9O4kE0(RDBUiXkTKZpgV5VjaDCqiZpnf3|CI+-* zmcP!bnrF2;G$(b8?7XCK8Vlwm?1MgdmkW7>a;5_;tww0=p4Cb^)WjDmDuj-^_Z~H` zj*iB*3eVzMAuV;!t=+%(1z7o1N#$BYyZFs`yxnhYjD8*+m64svN@{QgfMF3Hr&Sfx zg>U~2Yhg`s&M`}*kq13@M%$XRG}6UzM*>PT=%o)-W!A>W@CCh+NfAmje4)Yxy#t+5 z{sYW-iQhdAg4TPSaiNPyV-iv6X?}aPJGY#M*I1ATSP^diUf zUnNz}ou@;}0aCw?&l`AHjjY0QVts%Yc=4ruG0^@bO>yX>_8*_9P^93W7j#)iRo&=y ziZNG*86193-oR!wCpT;ccjD3~cSeinTlR$T<#ikfhr zYB0K@HL8_eKk~t`kqTw+3IZ&M>rNimde20|zjvkNUmHE&fBeF&fdfq&3VlMb>Tt@m 
z-qi6-WFh!4o>Jj2nc=EF=;G)Y=+W+z^R>1%H}c(jV+Ik}-!=r%1GY zT?_v_WUq0BHV*O0;%5tJ;_Kk&HX@N5n1Bfg31Hz=XJ)fiM%teJGpz}Ac``rzro^pd zG~TX`@TEm1c@r5G5u=OKvsr!C7$~Gwz{<&YveN$|A-7$GVm2QD27F6o;9~qQCXYJ9 zy5OACllpO6QjvIv^ybICGt@5il!GLH9y>~5WZlHKQdIp`iax%qv_z7xN9yly?Whor ziJq5l{uT*qW*y!K7zsN7RUhjT^Wx{5x%&9Mb$>4vWfmt)K|8A zu#NgysfcWedPeO?maI0g$#Q+?AiG#PCqLE^+aYs0gjDEoJe9+0c?Aa$=~zSq#rU}D z-_Ho&aR{n$n*Ry^gdqiyG5WDvO1K5`ry6tkmzc3R>f0V*fWjb&r%ZZP`t8QxBRIda zbs@;KK{_dj)LF?9=QI4*Kvj4i9%j}h+S*7$@o06~2;W)M%2cnQ*_icnW)PK_5WbSj zOw)JFP+q@iJT_G4onwvTYc&NPU7mpfJ$ue# zvAMes6=_4nzuDwwF`6FqMJI6y{{2{*+-LuDCVZ*iY~zpP7Ffq+@pBTgFV8cmiZN|S zmm=w65*zy0HJRO)4Kr6VYmTS9QmCk#w3Jkcz|1awRL@T9A?cqvQPy9^1vEe1F!@lw zNctv1iEmGD5vTt6j$};3ud6XMdy{V5S4qN)wNj9Mod`3rlwUK+%M7J81TSH%!~TIM zVgu6@Q{#1_?H+nI!?Mc&;l*ydI4>p{CpuzLO^Uv(7+PCN#YgY1N|gSj#kLV)$7EC; zUY{d~>1pdwcQQg4mj+d%l7RnW{6ZF4*d>wDc$bypb&w#=+1wFSUet`LG8 zyjO|J9a*AEJN;q#79#rz4~F&W*2_gm&y23w$LT{heP4F;&WHvhU`o2TrIIKMrNQX| zr2MEmW(8gPuaD+uE$>d?E?{0q4^I)!LpbKP`S!^&m*im#TqJXH;l_;Yr1_DFA{fYp zkT`hVuxr0N`BRyeLGg<(nwZ6*6We@;NMG5?pSRRwP>5HN2j+E$y)v!@f0uk6ySS=& z^&|=D3RO~AA9klIF176BcmJT-WHGJJe(&7zef2Xp)~#6LgZliN_>&ghNIpt#$J4<;OgtuvGfwS>|JbsL+w5yghA|YJ z=l+6G>sEu{Dgsk`n{=aqmOAXK>oH;GvlE#zs^?SSf+5pMhD-KBqsH1RQu|*o#d&P~ zL}EWRKl`0iRnh3y>Uk(+a~4p)gsm=M~>b5E~MZt8C>qgcu6`-F1e+gMVc@W&Ozb8-U#TmF!x z$6U3S^=6RBb+wP9Srm-xDNmBH04Cjw`?TX{c|>Da9QGXwZZ)=Nz9hR)C73&k3; zi{M$@yOgzNAVcs|>m@m~iF#>6Y8RI`Kc-??{`h2L0$z6bsfexWvF}>Zco*i&6AFh+ zXnoVUU-M;6mc+x%YAed3)EUwd@3o5TY72ExtG+E(eGuQEH@N@72OM$GWjhNAjpoI% z3cxkY_w^x47_n4M85LYk-)|we6cVq0AJn=zo<)h_I-d8_L<%Le$n+Co{p`4y?r2;9 z4}XkOf>TIRol`n&bO4&7P$#ke4#(cV8lM>U!BxzQ+NL2Hg&(?-2!@v4@r%b<{xHuZ zYa@j9#C*^t*gFSD%4#Y1W2$DmT{%J#DoN#99`L1ltO}&}m?u~r=Tl}Op-3}>rA6q0 zG{qn& zl2D9I48=?+H@?`7G@PB!ry*E6)(lFvlyoN2k_)oE*JiOB;lvE4&d$ayOE=9mXj zWoAp-k5-UeO9d^`t=s~!6$!V#F>FTj4>*bKcqAoLCQfde&IRcw7zWVkW7swufg)#8`WM9kmjI z-#TP0&xDOA-bA7q(=Kz2zY#ni#$3!2LI&RtF*3sFQsv>ckK3MkpQyzgV9_kP0jIF) z=%9CIhY&GR$3NbC;8NYx3j5-0(64?GJl0S{nLvO*7e*>~81heSvbcZxWCxXW#N~mU 
z)iQ-H6%~!9UTw3>8|by2wSgv#b~@0YM{N;Zg8zZ`N9<3WMcdbRxO_u&gI5RbU#4c_ zR)}1+jX<*T zP26RcF^D~wYwGlgCkBd9Ei5cWsR?aS`SM&%)chBWD`EUaY2umuwlAxFd$)>1)XSW3 z4!R<4GNpe%O|CZhBDxon!7Ya&X{Sp~dE2V<=(K%rs{Fu^QLvx9BfKG}W@&Z$N1x=6 z3`WgdoP`>Hz>cAbL%)eTcxidLYju@y<*Y$!;unQt{7;cF_AmRM4ioIkB{Y-(Z*E8^1palyhubu z*Vg#lcA~(tI1*ZgW}F^@l-I)~@|ao6rsFJ#hS?+NuXvoSKcC2aYjaO?s8_$eI`53o zrY}4yM+L})li16EGA!uovA^HfxpkT;^iL~Z&qEO_FDLCaSp)~N!}Mz%@?$cE=_nBT zwY5?nKM{*DoK1ABz7M~w32d`>yq$R7kMiXxD@_8pPR}MFw}1saZalg@o-QC27CGyI zB-)c>S6GR}n3Pb)HM7v-$Uvt}5BQj^bi|Axniw^l8S%lrMCd5NXfb%8-dr;>?a=Qe zJyiCM?OP{1pr)eG$*5zgP${?YP{5z5N)Ess9E_>MkVGtKqgjtAY|A-wJ$KgTlGLOs zYpV!?@&GBCQu5GUlvElFvCZWEF}DccHUJ}8(#znR_@WGnfwTJPK5@`Vg3N}tsOPbi zSYP=o2j-)shusCOUO0lm8w`^f0vrm(`R=07Dsezng-M>(txIIj(NaQSIpU9twD3Rv zeYsU-rwjM(N&~LeZ(IbJ7y)HS04;OQ)JPV*v}n~qylM>2=PV-i1`QtPW76QI<=tFEgPRT3;A!;Db!NB+=HFSdTvbkAOSV+gw$4heZR1uFU4>u4_crTsSY~J2f}>QC|LKeM95bLt|BB-WB}hyf65Lt(DJJ;6 zpk+GV+vOnDPK^)?8>EZFsgyETM;l}hgf_VI$aLGqSHtYzRdN^>bq&(=u)_4)qL|ku*zlXQ^ z<#W_XMQ-2#mf8^iklkkMP&_TjT`I#-XDaPB_CD@gkfg+1{00&rO=IQ4l;{NCj=*|lbJ4R|DXEr-i_w4$vRw0*r)YqD4UpntP#HUZ^Np?*Tf;w zNdZyxjm{p%`&C;elSAI<0>s#SPN36?2i8c0FYp)1eFx>3LHQECV#~tN-jiI+g^n8i zs>qi&SH63bsN8C6xtH9Hptt_L-GH8}Hj{yT4K%6HXgJmafEhArI~2B9%Ey$DhacI05TB9(>W*pD7e;IORCR^Vbhvt8NmrNQ)c0s9=j`<5|R1hr>(pNCf@A7eDDA>4-cFp ztC_V@ayT>S1KQ+E#j_D%`K_at?yZTdCreH-8g|`i8YKNAV#FOH$5rN zn@RjRY_%szDQuI-K?_&^Mo+(5z3an;BSpo>hMb(7h-@)Xhf1#gFxW%&)#Pjo_JF`@pE%u2_G1dU^$T zv$C~;G3q2c=GCUrVNCr6AHCx9hGca@c^eQgm7#`bUL@Vv>K6S3w42S}<@{8fKai)r zvAJvdZZe7{^u5Pn9c^cDz(IHTA*SO`t@FFq=SB6slYM`M_C?qVpDWmZ?|y&?LRUlg zWH%|M^K7y}uf}X|TXT}+5JnXj_{WrVn1Gm>Mlg$fUDayP&m_&8BP~{z8UbTAGr|YE z7;0@(pBi(AZCO9*kl2p1c}axqQ{>-BG4rjAV#!++0@Qreisz^Q2O|rUI~wK>@Kq`E zCinZ=hTG4VEw(|23l%?tPuj&bO%u|J{aQy=Nh9fWeHQ7YI#Jkkm(u5PsWtgQr3Pl# z(J|D(LJ#u&1sv|?C^FYc;FUI-)#|gS|LUb9m$ZP+Y#6#bWp zx$aWD+CRjUH=)rO-{4w#6Y+QVaJm5xa_R~Aq2bhLJk|+Fk}?9y@xK| zZ`e1<(z%|wl}N`Wm%d{E+Mb^)-5&L_zM5!Oj_-Ww6_aL5r9iYHOcUYdhzygrurMu^ 
zJtou@QHDKH3l}rKxje`IhBe+?Tc#NM?JEd+^`+a!XqXRPqO%^gu+TD~_m5N>uCa+l zjI`B{GyGm&cKg+ViaPe%oUK<| z`}Epc`C*9K!Wo@jmOoWd#pS$6bZWjgW%lN0hkc|)=-aJLc=kW6h{>~Tp3Jk6JGM)A zChPQ=pTA#mosIBC@>_&w0mA9zzca;!2khAam{ky?YI-&1YP}(U`EP1{NBtb!1>%?U zpPhx4e6_*Pj|KVx&9uMRmOKF6$V-GMq0lbtmPH;Ui7&|}w&TXx0$l<#?6Y-M?8aGF z{P7QdjwIdV|1zDj)?5IU%}h^TW=|)1v+&KQSxr$kr#qY2^`c%PS7uoR_GKU+)$ZZG z;^i@#lY=}RfceZJ+@C%fDMk_jK?}251oDcyiPMSmbEl1*%)z9WJUXh-u~}V>!}B&a zLXVw48aSP_(X$FLeZ_{iI&;x)1BVD3tH-KcPs2U>0OB%I8;yM|?qBFBuRA(25mOL< zu)=z<6v}7z?2UZ-1qAI4GNQ%70K}1!^=05}HhT4(C-U?2gSP8u zpy1idiF$#PJ$K1`4w+4G0x;E_wf`9KG+9987Amr2bCv5*Y39PRh38*WhWKL8L@Bt^ zm)gOh(um1(gSnCt5{g>ZI9NT(PU#7rf$lo|9f4HJWezvPMglD3fT)3-S%qZ`$9$SH z)6F8MQXcE{V+ zSkr2&wK?KK&d=i1pNfa~e&sJy{S@H0BYZnw(1U7O=i;QSc|Y8056B(`CySjhG&Tb? zMJc>rP`=rpdg~1F;86rK?7$3Ob8tjBlz0@KSjGk#sUHv5k)KC?J~EngdJmlye%FUv zgMDp`Daqh01heF&T|SBRHn|j1HU@D;=EH;iKy&?jl-9fc7Q4)K?gP~SjU=0*{K|Cn z#}O)?DLMFa`2QzM_8fq4C8V)13GQn|e_a4<1!z~tM8x>8!q6|1K|B~JPdf^gwsWjm z3hp2j{tFy2NpZ+`|~qN9ygUlCy;)2J7mVawn(W7|8zdIOM-)YVEyVzaMFD3arX4u_MTd1 zc;g1YA~5)*1%s@oXFbk`4-WdpThZU>ggV0m_M~;&-Ss+Y0NnowivLhVa9gUus0*&( zzvRx%dH?c8iTRx7-~@XUjAvK4xNUr(<^S3C!o9C*pvT}|@9`9?FY?t1-1@ZRfr^O( z^{wNMow){kYMYJRfEDI; zRKGuIKZdJCIP)EyHPP&F{{%Q76eqh~?Cs%r27ALTUIE=dpn*r_haNP@tQLtMW%FSNlA%fIf~80M2P)u{ zsEGkOxs#NCDYSfD)RJ5_OQsG5FgC*TW=co3WOQ5@L=De#Q>s4v99mm{v`Ktub82%W z86G(2K`HWX5v zu&dKQPhCv2%ZS{5a$UE)rY~$Z%j zNhSDD=EAEJi&lvZ&IS?)mdXq7q;6wBzijv2_pTGM5el|FaG@z{tLj)n^_Jv0ItE5o1s+jrLP?+~*}VR)d( zio0-jRlO1WX{n_(_`>QfUz1wr<1&MJvyB6P#V!Wm=lSgA-2bmU7CcEiaN_op1_R-y zN-*{MuAxbIzkcogrbO%!345uOTP1FofDDrVAM6zCqE(ILvM{pJHEE^%H=b@sob>pO~;z+yTPsSn@-~PSE8BF0x(W^K-g<*g*9VdBg~ZJ)9<+Pa5qcC6#6#2|2f79F9DdM?m;Zr{Kk0Lq!2FO!(rR7#fgT;;)6Y@mbe( zehDD0kAw1R_u2myQhddQ{##SOT`=Nk3`T`!jVPRD!&pwOWET#oV^(2eCVQbw#q}-8r z{q@G+TayMa1()uU$Mmf~mAs89E?OqP=`?c1HvukVEn_ST?qy_u@*NgJw)w;+LWxdQ z;5^BRRlUMUZeR=v06!pp=G;kESG9mT;#D`gkTTdwMgbTpoFBl!U37A@Il>owGnY(jAQmY+{&@-#2wV90LM=Ijal^V+-%U_mCId(Bx`81SQqwWkB6dKoZfQ9d;KZ 
z{b2h0G0C6zcmlkyMpgAzGp#uoCm>SDeu!2QwJkYHa#5x~leE6TxtzqkVKt6yD$I-( zzl5JLW{CSHfArQS;Xr>8>qP6@P$n~*S9Zta!o8)uu;q`LADdpDqNqN3V$SNfQE*dS}gZaePV)f2duURw;C7Sbyt$_pDW@FHV&!oTNS+UOES z#m6eIdOu#v1QyZZ-!L|rwI`ac5dtpa`W@ow4CExDo$q>1>YV3=jAV1W5X@(3Xj5^m z1$8*3U>Mbz(%<0@)u=Z3b_blrkj%N!DQCF5k#Cs;|8RlwQgzGWCj$xU`VlhmmL5!K z`peH$WPooFz$U_c3;lFZHWOwD3;(r=)pe}6a^8IMjxhv{`E zDpj<+*Ex4LqP&mAzks| zo0UtdUomfU6GP;x8vNS|HLcHSnEKl9x0XFm*~2w1(?XKi`rPQqdSE=+o#}#5ZUJ;SywjdoXlLQKR-;I}*SYd%#TmPxq-#t8&tw3cdT+Et8~ajc%R{kPkqywQG~GloZg_te`S^9Q z2?Y?#2FBfQ(p~H;80se_y=ME>elwioO{L6;>nlZIB8>cON`0a{YbhV{+i4;{q!dB<+Es=H2dT z;|^T)Q;3XD{Lm^9zz&o6T7)NgRQ>XF{J1<8%GuQvn_T((@l+qPdqe>V=x>qO`1$W4 z2qQLV($RX+M;^ik5%h)&f`d;B_d$ zMw=dYVX+fmBZr$(vrzqr+Q+wh3dS`-F26DnA+UiY68QaXhi>!*@=HG(>3Z=HNs1Q} zT6na5w@015k}7W?xrUZRzGLD9bwsg{pYd*acQNxzkm_YpMMVt zh4>dI!`*GA=oacMz@FHaS8@yDZ{4Ox19{40yf-3iog}>yLGYi=?C+GW+D0^b?#FHa z+zllFCS5s2`JA{r!UcWkEE+s>R)+tmNls1}E&P8~c(4lRiiQEQyD){ofnLZT2dYbbH zHt1L*oSl^i;X`FAKC1`SC5ZtLuhqA{b1!Gd6yd8&CiHLB)?~idcdX5bC1F4Q$zQFn zP+I$ZVqs03t$G_Zz?Gn1?dI%^CYO?OPy;KmQ3SNc3~~UfWju^O6X3Y*yn|32R2Fl3 zpT>WSZSB={+(-E1d`1JHIU?+I>HK!Pk*EYTa>TRok`a=b2!L~?SaE}0qH`Q=kC-5+ zK1yDAadbS3dHAYkss@)303X{Se}aVb+G}>*-*^FZXeJacK){TMu@yBEBKFUY3Mdkj zgwT3ghf%l-2H+!*-%70*lDz%6MadzwYJ0Jbl^+03wRA>P(|UmsN)EcP#!hu~b*H|L zD@`x0kCx`Wdi+CU1z`*Of*e)nI7JAO@o+^yjbha04k;ldF}anT?U}|(I~0766!Oi8 zHmIj$whm3Pt-@I;_bKLclK_Hr5gn%^y9@jDrtQ_davPOffeQqnY6%6FCxhQVBcRg; z+@SG27e3$`88kTs{}xOGXkNm*>ITAOSOM`28Y;=M^?zRD{o88~y z>fZ0QEV+)xeJ$_ccO5OXS$g(2g8GULe2VkY!p-On#!mDnY8-d|j$5Y0`tD0i90Fh( zikzq70%jK78(>wU5Wm|8!NK)2zzoDs862+zLdr;jX-$I5qMDg;-~ee6pqHwt-z}JM zGzTnFP)QCP4e1|JD+=+Wf_Z}@RfFFbEWZPNglmZ29j!3|Q-lL>YK?>h!=m41Ck`~* z8yys3;HVMd%kUpSIgQ_|o*640hTMSTt=VMBJ{VJQt{)UEAGfk9G=Z=T-h{uTA@SSq z{@Y+g5R|3;Za$^3%$MM)B~1Kc+pm7*?cV3{Zwb82fl%~`=L&uR5??DJq$3v$zU$_C zj23aV^A*WN5zTR=6btUDe;zP6&iaNwxsJf;YpXyEDGA5biou}U+E zA+!~V31yu?n$t&W{rKrRO3ANWO#JW%ld1pV#2Cpsjn2X~&#-{8Eff+W+;nzyj$<*$ znq%K7qGQSr%xtKgswQGgyYd7BaepzzDgG7!e}yX_ 
z?1@`N1eD-=_I5J>ML$MckE^@Uw3n9XG=iYk)L@2s(WgF6JyVyLwtYVe+5*J;&WlDk zO~(>AC}$d)hBJwA8jHi0Y-2Jnjb<$h6cwOhT>eFSxod4Y$xASov1jGDW8{w4NCQoLt>}#!4g^pQzp%_-*jLt zi_kdD3gRwHslTbz3d3v<7JHq&p%W4T+`GQ~f;2)nIFj|Y=&sWdn@Q(YwMoZCyvFr^ ztmHH51C=V9#`)J-HlQYnYe~50oG;~A6qwiM+6EIFn`fty#9b99&+YYNg$%dTUx<5x zoaqhZ&5D;;*-VdmqeJzaz?c5`<;g`fyUQ#9{d9b{aXFh8>C4)Kb?Tqt3a6v3O@+(A zqGD3pD+`@;NTJeqNSl8s^jUwf@}qDRKR@c-4)1!)w)I}KA5Ds` zp6mZi;U_gA$0tR-@xn4yB3f5oH}*49tG$~IUh30c7Ra!%IlRbaWDrN|Bg{b5rdJow zYurE}3kO32gwUllf1#pRSG2yqQtX;JBn70{osMnoyza6kv6+vjI_~iHJdZ6ttEy{b znALbba9ne9@$N=sL{haFbeV-8Ey8RVW*NjXTI!d)HuHzv~jR#fxp_wz3-EbZPobtyRvLfR`Rr)8uSrwU{$aD4uW zF_pks|07$4+uMXNLkzxhhUNnG*<8by*x01NFSd>Sd0ga1$I7YbNvLN8er&3` z+W3U9lj?G0o%u5BQMR@oX3!cU^8Zc-Knf`W>b5*LyN;%&4F8nSTJ{udGE7t>@NJ^k zRz=1Z1>B0kC}o5MpUK9lUdcMQOR+X9G%cGarV{DGKc%(h5cT$@{E+k}(6Gg-r-*Wa*5K0ZIEV?}LzSX%gr%6) z=ey6g?KtzJBX0v;R!t^X+`QIkT&H7b+UJ88RWJOQH5!XCjg%Ho3+XXs^u3uHCds)F z!*$~tmK-{pc9aiajC4MFdyQPv&HFriz##7sibJlI&3UCMZ8&e(v_GGMod+q6ur(Nk z9SdrSD3%t+9--0Q`*8f1S9zyzH;$b%4F6=R+BHY=+#7!^<$dwV*~{7oPeeqK&jvwWR{+M@zHNOWOse5~8}AcS+norX zY~GO#@2yeyo}pBTHRkFkHYRnOp(slS56+ z5%8irn#rpTaLhWs_~L)o$`1`UZ-H-ZIZ@GJ^NDIM4-pW{@VY1d)5i7dZ@A{u**i8C zn+vhls|UQ+`x73logH59;5?M4bRIehgU4~F)`tlf`yUS=m#oVW@yTTv!oZkQZ=dsb?;|*bB zN{T=ccp*Spd8QYewri(O_rUci(q27+X;|g@_yGb=eJZ9A|GIoAmM<>`y ztuhdVNErRTKxYT3K<{sY4!gXX&4O}@&&N6TEBTNfyoafs^i>_Xc6)0)fwfw>yr!2+ zx!H{)neB>`v;^kSG za(3|w`eyLL+(6d$WBW7#XY_RadTV-#!>K3j|5VOa<9I@qWyQO%v{1B;eJgo2CqD$H0y1}PrrC0p~yV7uFnR`6c zTbKni*L1iuk)8gRvhnsC{rP}ohH_71dFvCp$9Ja8>HBvXo&bO1@#WrLvTk$sF>TY$ zXbxX>m?-P1iQ3JY^XD{=l48J`;1&4uGGt-t`rn#8Xoc;S`I=#HXpB7TW9QhyYhtq0 z4@;9yq0wYFc!5VNjQ4q$fgK%kHXnz-u6_L*6f62J$LBNabs)E>VS(YuE$!LID@ZLWHEA^&y5n2aP0>w&8o+9U?TT!6%UR zIzdU-qP~XXq3mI$=Mj$H<9?-k#iqe0wFP!K)srALb|nO_&3DQZw%c-)BPuG?Dr&b* zsw(iwGn*Vm_<}?O###63_#kR%+2Nt>HZqcSY z@B3h_FPM=d?a%$zs{4tjX$i0#OA)jf_EU{Y2i}VvE+R}%8#gIRdP+r0efQ}V$&N+M z0VS($jCGA~ByUqD1~u zkeLuNQ;&LfVxEgRlhi8e8AN>PKo!l~G^R$F#qoKBl|xQ%9I)t5PFeoI)LlGheOA+Q 
zf>p&Sg5H2yi3iP4uPqdLKeJ2lJlgGmGjR4fL|S%q6z5&b9Lw?Zc+6xrwD{#tXM!0E zeG)7DwOm?Vqg>>SqT1gT5qVoRhuyZGeoLO6fse%LS2Y}Re~jYul{yJ04#%w|d{)0( zURjTfVKhkX*3?6qZgtSr>~~cnL#FPyW0zvbB9^n<9`DB@2|q*{c8g4$hz-`URk2(3 zbQGD`Vp^oPjgQ{F5=1K-biHgdgy-U|ApN|9hb}?0!)&P!82?zBq;I@``xOXWZ2r7r zUr{_-l&dIULnp5T+fb$zcgCnb>fVK~9?xee+67}z zfo;YE(DAyAPBl)lv+)s~(T!pV6yo#(+mNR}?!ttK;_SZAmG%Te&Z@gl-tUf}35Y)R@ z1xK%FEsJvukVt1Wc!}KZL9+kcEH%=<$DY87oC}a7XKi9jynH24|29?2vk-JTZAa^T zFunV`=WJk+4~G%00M(8by4=0}^@O+bXkV>(mn&K)k?T=e$8!oChwOr$Gfeie^?E_` zWiq4lc#2E!k$mOxZ1cdAgrn@^%h22npS{P8N{Jo}%Kbmivld(Zuf+WWZ4(;pwRj^% z2`;bgUKVsKJ6K0YXzZW7eRgd$A7;ZfFJIj6Oo$om?ud7BbfN-%QTOD*qXD{)i?A)y zg>@a+I-7bej+O#nZNnq2k~6;4%$twTZBIMypka&PKB4lg@TPOy`8hMC~43&ea*i7 z-+WI)#O~-yY7o*YD>=EhNG3kUIx%gVCDMcDDPhULHA@DUy4$5at8+7t!5)A4=A`|I z9^g!d3a9VLiRwSC%TaVpoDWEzNP_2hbbJ~|;0WGj&&5lX4uJ55>(4dK*)J_1b>FTW35H+9_QP;89&TlwY{y~tG1dInS z#nIRbFCqk~mChvpF|y#a)y&C8Mja@`MMYw?8cE!~(u`^s?~AS9wy>~oJkTcaZN(AZ z>(%F1WTsnr&10EtPNj~y9`6yUa@4lneg0zKe3A0i=e4BG$LB!x;xd8#m4SCE5esmi#I_Jx4=@PH z`a1trqSbQQNg=aD^s|*BsdH(CICFWPsJCukRf~+S-f-5(6IjQ#`NvTN6M|1d zh)VJt$4Yw8Pw2PLW-c}VS3g(d(KsA*ylvEOo?x>1c{l8z7{DjrhLpr_SK54p-qAt{UCc8r(=R_Ja@y=Z`k($eqm4 z5^J;wD;c<%%a0s3&}#hbL{9ib50Z$1TE)3b)(*@`*F>S$EwQ7OgyRiW%1@+|9FP!A zmq@@ig$dGA=v*@sRTbkNwh(7z0lK4&9>aMU&$lH70p5>-nT8U+FK-*-JT)B9H;b&N zGf(rvH^ZjTi;lA%U3jK=_n>WkvMb-qDD46bBAeG;CzZwy6mlV5-`y?vykI_lrY*Jm zjUY0amVxdE8L$6AGSBbd8vp(b8Bz2}r2Bx-{ZY?Qfr*Xc7jFW54|@clRtjoF&J>0} z(Nsp~lvRwvHoE*zHr~S>h{xC2{3za@{HiUB^ z_FD?Zf~Fb*Rr(U^Sit3*CG1y74b8x# z8`Ybb{&}5V$_`OJjw}M)lrC0ZSPN<+>p>IA9?Kq9JCdjp5a0C(0LN;+Q-Ng7)i$QeR;FGA?1^}h;6W+g?X6rqL(ZE_C(WtVbY=M9%WozwX3 zOh`sk(T4(?6EG~)ijqI-op0OcVQM##5=^vk4iE8vcVc5F&{b_sGvOmTJ4G}1iUp7| zR=@iprKq6P^686~cpUnH1X8>9L4lFj>fj*(m6%HC;x!Hy4HKWlrIH+*}8hG zjj}*m&b_A*d*CTr82G`UkgRGK1rC@El>gmwDhZ(R;Vmufm>abhzo$QUHiq#sy<%eJ zO%zVEBjz%eIdE_y(tR_HQwxKk)=>FUu_6o&&8?4QWzOE+u#lonJ z(?_q|q=@CI*8ie3Rn;!53AbQ?|AeohfiI^aa|?N|Y%}|DYlU`9;veoZ+f(UxGcN|j zT26V5hEQw4zYSmgZ?aHA`Vri`7&Jz#H&GCC)~$UOT?B#Yx_X*4LWt 
zHW$oIWK*4s?P>ai#-`pQQR51kqO@f3#2)))j^NM@M>*Ux(>SWjTk9i=e!?-;Wk)r~ zYiE_o@5hbFX}qOr`B9b|s@Z~~YX4R?A}%-n7`N)8$*ilx=b93UK#d_135^jJ?+WlQ z$8!*u=^dP7kj)cGGQuN3lTIdq$+~~UkzBf3pB(iaFTnPh4vsM?{}}DYS!RKoRdP(cD0g1mvYsc=BoFHRoe9{8x@ z-Mb=6^3!Z|Q=IR&rpknenXOvY&5(fhpkT){CWS@Uld%Hv!hvQOkYJcnxxjb@JTiy0^j-Du4)7fvEGy2 z_B`;z+oI+Lwmpvl$KP)&{H;q&KxsbiL(#C61AYLWY4ryR{r}Gf^h7huNLBS5e>srH zQy6T!DD*DvP?!O%5ErW zBC=D~kgY7qHnMLc>sZFfl4Zy`7-Sjid-cA5z4zbqxu1KUd!F+=s3Zrj_-3>M!s6p0q5caaFrdmGp(;lUTq{u~rM_7Q*k$9TUSDV!=kNe{I z2=FUJFwiPNlW_lGA=>mV+iAPqc4AfJu83DCm&;pA;4!)^c3Db8*YI~NA`JEDF`+6a zpJgqEd!TnLMy$?P!v>#eq-{1fUE~m80z$LW4>_A^TC?RsLQCn4fY|S)g9F&(p6Wc;&V2ZAa|*ZaLrL1c#%%@i{9$c{Ri7QR+Rfo9mxbP zLN_9=HDe@h^W5vfl(st-%wzE;mZs>Ux*X2I(rBT0H&cs&iXCtI;&4%dmWoVq0duq9 z06_qG)MuWU__oqGGjdKBh`<;`Tz(2=Ln!Y*8+O&_8h9;5HHwaY)E3eJ_o%Kt0|G6c zX@L$`ZqqX}dI$JJw0ZaxA~|*F6g9o!164n?R_flFxv~MZuUeBKO{8)*$vNvzJOteJ zCB*_SownioVx9alXoKPdyEWTVmP9fpt&1yf6xZYTj|LA2E#~c0LI;mky@KM5Jq0NL zGD22WCAmWQ=GT~@IZTJ{NLu@0_M_n{ZuZMF>hBe~KHI8ABG@Y)Bds-J##@9kt=$G< zy?{J2O9?qC2eA zN1t{H$d0WRp-X`C`Zjgbs5aL85Sdms=&&-psta-18cZyuM1? 
zk6F^34seTzmL0;G$@ju@gc;HkB=Ow~#_ys%)XktpCn+A>gkAM}R5*P#|ecBjK%xsLi-M+s`F^XW{jhu);_G8$}A zXwBXT8VXBHZpnW5Q$AtA=+_QST-=L*$J%BvIv>zU?M$)qtDcU_rcgMYDPvhOuLvEG>7fj6bMgLj;` zwQ(Y>jkZTS!E2H*UexLAe_5i_lnHi;X%`OpNoJ{5YKi!QZ0k_xlk3}#FMTqZ7_MUR z){zurlswT|NMt*FH76!}oj%x>!e>%y{%(Jt_5yTpkN1K40yJR$3P_+m(7<&N{-NapJA6p!Fx>uLem-u=R$54QdPG_~&ZNhuGG|^es&+Q0Db0 zMp_5#%!Du4Hv5eGWP4;@Q`g*4SG8wFQECsKwMV`i=Hm-=@R{7=@fQ*ZnKJLQz1;ia zgglG0`%C7XzTC|nL^MwnDx~%4bmfWtuaYHG?LJ*_4)eFzjx<%8jdGiB8~7lFeCz4O z8MIbZf0x-W!>^AMj#JO)^BjWq9c&z`k;ZD7qbGf2)*5C_1lp|Jdb5MpTci2k&}>sW zlBV-kN?IZ=*|fj^9Z@+$ppd11)xHe>eVRu{23`R7q&?Xk`;hcfbm?HVW1{b9wmYv$wyc*(Nv?5%%Yz?fY`EjUH7{!8 z1lE7vep-0oi=yVX+|)#3$?fzv-EjY7PFO&4Ty4hjSY71zpmIMhI1?oD_(mtPlVC2H zKZ9ddc5Z}vM?w{?AX87b6^g7+E;IdssLEEZW_F|eht%3)R9uCHh4Tl!Yu;AU@&y1{ zT^Ft5=Oq2!(8bA4$1s1wilcI&WD3J*s`qgkJhOqnch*qowkTl&-V4@Ktck)x4*tsJ zDA!Wb23`SP*WMsq>|yM!XM* z8fKOLj41DsdOpIH2ofM$WF=5m^GjL%;m8S>a2U#O%vW(OoF6@{vc|e^x461AXPq=j z#ygT(ik2=#wmn{6b$3p-mcsUo<2@$&kEf$VqpP3t;ny&Iw#i8y6K=XMa79awFl*g=0O^{v-VL{i zsGN3WRXUtIua_aKZ+(h#QZ5@*7u(9BF5C$$zbuE3ja>a%#_qdXyqhqd?{Y*Yh5Fq* zB{?CwTR{hZO;&N8;Tr%oe;D>VsmgM-_n6El;`197c4LH!>g*G3bycH(SO@c5%#Glj z&}IOvY^A&`tl(F54wR@BdmqE`?bkD*Ka8X?vz*%rZDu_T^;83jt$hbMt#F6JsHC|5 z^W}N(HO0{aa9hf>7g?5+x?qF6um+YfRa7R|+S)HY6emL01L>97I{eDT+uJYQyT9~I z=(des&`fb7b`yR4c`V1HZb$RW!z*<3pOHuH$~9vdGVVAOa@cj6*Os@r8MCs}zT+I~ zI*)7aN;Ywzc!}o(PbuNuCtFeJIkUSylX;sJ^GDk;+eMJ2pJo5d5|IWYB%NH<=L9jw z`49C4{i<`Fs>xm>Q<{SU90&^Xi`S_aWm61%;l=vr>IW73tyHE&oL7bw~%jQ9?4WTeo0B5=X5vyRQJRIi}41d{8jjD4jL$<*e3we6_J$t#?L_k=0d@R}hc~7BbaK z`75~YM}N)nJWTQ+Jq@9X1@s;`>-iP#fha%E*Ht0HX0Oq}jAz(GKHkDp_A*8|QA zcawS}6M|h%su(3wG@Xa4l?dX>liIX^k`olYGK2Bh}--y$o8ErLI3BDg<}Qm&Kt zIrO7(#_PGezzA2fFQ#&$?`m$XZW+`ns>ajoUuz>CiQoAu>4lIo;MiP4aII#gZ&cF> z(lMXy>Ya=}bkMwiU*j%nn%Uth_M3^<*0Oct@bGlK*$Rz%ktKp3aT<#RNYOx< zCro|3)a7kdzDI0FKq^DwN9aPabZ~i~S4S>GD;>XJ$+O!R%5M=zq)$tx-UY!Lz%PCZ zrNQ=NR$8(jwGDtcCLbMA$0Wq*SSsiHhg)tmRIhfb`I~T~Bmz>FLtgx;2$xbaw?J-} zv;EKJsZ{gy4=*fv2WpjVgfGJESU{lAs|GI$XFadXx20C$Kg+H@A8mL89`rp>7i2O{ 
z$M*L>?uob;))+0mTnK*@WY6TCe39qIt*hsWbi6-DEH)n(Phd!~TI&C-_PQVofgf~4 z%cvSnzh1!mLEf1YdtnVB|D@}p!RB*o>5_@#I}+XRNCQ#lqT2^~hc?hXrQdSrKKu^W zSo1D|R8!ri7G034rdy;z<8MC)J=Zn_#^4mksj0Qz+JB{O!;kN28Ns2GQl7}wj#6%U z*6kdh;j*Nc&YUv02RkwJA{Mb`BZsbk5!hNepzYw1_>5*;nKlaOSSfu9Vg za{iGj+Gny-8EtYm;*)fK?gX(DanyCdW#m~GVVb#Tb`1-!QS`HfErjj5A$)zNLh7>C z1VuJZHy+GE4rr#Pnc1+U-pp#}$dPaJ#Z?3^hp!0r{EG7nkp(+p9;R~;dJ%yYCY5;I z(*$7x4JZaoAJo&u=;gx7DWB?R#fp6{RolYQNXbBjuEPwx_TE0;-qAQMKxupK(^G|8 zPru|gX?KnpM&Fg-2j)vYgI=v&f~H36&@Q6=FQzwL#sI|=HVz^aKKN+?s7qVN`684v zBG?dfJ=m2o45(FzsUm)-WsC#OVd1JpQ2D_D4h9>Yro OT-qA?>LqG+ul@tiH)6;D literal 0 HcmV?d00001 
diff --git a/docs/service-guide/sync-button.jpg b/docs/service-guide/sync-button.jpg new file mode 100644 index 0000000000000000000000000000000000000000..83526cf63bdf50ef6853756fa1da22ba7b30266b GIT binary patch literal 37912 zcmd?Q1ymi`wk}*7_h7-@-Q9w_ySux40>Og22e;s^0TSFDf@`qg5C|b5gttlhq`S{K zeQw`(-#^Cx#+#c_^{u()nzrUzyQ+3^zj*&1Nn1ut%t%>PNm52$0sw&k07+Wj#?c7^ z6#yI@-Cb3sL`k%DbV*<*00;mcfB{$mz{JeWSwT%w9RQPzgcyk%Sm*)&PS^7QSQ7xu zGD<6xko?a7TL{g}+0`8YK+0fgc5@3iGcXPTV|y=m=Lh~d7-O2+Jzxl^2kZ)V5R7pi zu+>k@@I&S&7Jk6y4vywvnFpVp%^l1ia32_ldwN)aF{C^ghk4pqc!BX87*p7LIM{&k z4H#oOSeUp002I;#-`&E@8jM-M7|B&#RSb*;000ij>JQlT57^zp8|)_lh&eg?xY}4* zyOYqE(UP$8^74>KTX@-9xVtkdo0!>|xSErQIXO6+IQjs<&zK)Z0q768B>^Xyi?*A3J|Z{b%qnw?8E=ResDF2y5(j-tS|7=Q$Ms0M93IZsLFEnPvb$ODF)~ zEdS1<$OC{!App=k`Gx4F7Kq`-2Y;@Mm3v0Y=ex0Mm#GK%K+{AWy~sC=5gZQa=aW z1Nt>@^6;9#!^+bl-v3$mU<~g6as1N(A`aYyaI>)@d0>mFs*{*`xOzTd@S1oyKm!QC zBLEY?1&9E0fCgX$*Z^*T9}os409il@PzQ7XL%FME3^$B4j1G(~j2}!iOg2mnOc%^F%r?v?SXfwGSbA7NSS45!Sa;Yk z*bLZ8*tf7Vu)DA~aENfkaBOgraJq1ga6xdXaOH4s;AY_V;cnqk;VI$y;FaLb;eFua z;EUj2!%xER!rvmGAy6X-BB&$SB0NV(N2o^VM_5I;L_|a+L*zwNL9{^(L`+AlMI1uh zLi~b+jzotfhNO?=ffS4M3aJZe3F#6U8JP-M7+DwD9XS@c47nG19r*?Y1BD4i2E`mD z0Oci0Gs+Cg=_B|@l#fIn89wrTl=`UQ(d46JRCrV>R54T&)MuzKQQJ@#P(Ptzps}JU zp*f&Mqm`o#qkTY!MW;fSKsQGZK`%t_Mc>AN#308I!!W}L#wfz*$JoV$!KB8N!L-GU z!mPraz&wA9{+Q#j=40>2FCTY4-o%2$qQa8Fvd4hng`if16ErM-<9f4hqJ%jxj z2Omcm#{wr3rv~R8&R1L#TnSt|+yvYf+%-HXJUToTJTJT)ynei6d`x_Pd^7w={CfOl z0tf;+0#yP(fwuer+n76xdw~a&N0}#@XNVV?SClt^w}bZ!9~YlH zUp?O$KO?^#e>wjL0crsYfg*uzK{7!T!F<6@Arc{Dp**3@C!|kIo)kQJFHA0ME?gqK zFG4F~D^e+PD#{}2D%vFaS&UEYsaTgdq_~uLr1*pcx`c*Aro_4=nWU9uh2*&ur<9*m zmo&7roOFWpf()UInM|3?xh%KrQ`tT_Bsn#?Ou6^+bn>q9uN5E^WEGMWRuw4~9Ti)Y z03{ivB&9WFYGoJYb`=;EWtEpId#bFe{;Gp&7-~jpa`JYX zcBXd@bKZ2}b4hVIca?K3aRa#-xV5@tf-k1VJZL;ZJ+?fBJYRa=cxieyc%ykcdXM?g z`9%2a`%3y2`$74c`Stjd`ak#IdMffX{~73+>9d{y@_>+l-9V|p(&q@z?VgVZu>>Us zT?K0ezYZY`2@Kf|l?ts0LkV*YTX@0$A~zf=+$MY?f;}Q5;(MfdXtU^% 
z7}l8dnEP1E*oio8%+Q8Sxq4GOaV;y%c>}lSPmfk@Y#-JbNZbIHx+7FgGgqYo1NsV!l*opkeG~n1{X+wi z1HFSHgKvifhdPG&hTBGXMp{O>Mw`bt$C}1D$D1a&CYmR?CtIg@r(RDBOuw0VGSfXP zK07ccGdKE9@!j;i#{A-f{=(*>`QnEq`=yIz&*j^dz*Xqg$Tifp)OCXOf(_b@noX|F z&Mon+vG;24SGLWzk9OR4zU_wWA@8N`6YrOOVEfQHg>LkzI)+%asM&;68G}e6~|T2C*@D;*ACaWpCfN@Z%V)Ld>QzQ&>l^I1 z^gG(S*Wcy7uiiV{-`}4Cq$1`{rWSyCAoyAU1PP!*LO{ZR;V-&h0YU&wG&DSPJX#za zT6Ss@YIbS@Fj13XKM)xj(hvIW^t18LN6=$DJW@hZG8`N-OcWFp%!dOC=FcH$e@DT6 z4}b;-p$An72_gd^&_IxAp!+`H7JS760r_w{^ot;&KoHO{u;5FM2l~YZ#|8lj1&s=T z!2M7#5D*}!ALAgvF+-uDW1x~^LX)rvE3-Z}7GYy2b0+7238df@r9=bYPeFlTVBwKq zVBlaNAi-(?G;~M|QdTlHa(2`NF*UPUC=wA-Ra4gjw_su8a}}4M#H7N8UQ8Bcljrpu zJ=>QQ;_CTz-81ja-9wxMiyHfOJ|@RQOQ3@<%^~2Sk>H{K;UowG4IS*kgJwvKb5T`t zF;o&`Q`ewGb~UrYS?9pK`kwc}NxcPb+m}Tg_sakhH~hk1Vp{5J^kIGyBQxqsq-KAtqSxG_;2)Q!c}>BUuKD_#lZK4vceR&m&IhwNGG z<|YtPBNVMc&KIf7IlYl&!PHh*6y$%kz<1hcT4mTtM#SND(KX-x<#Hx_AJ(mLbAu1! zHvPqv7Ylx7tbI7w^I2Cy+fLm`gtSRB1O?Z7{#& zeYJfx{TZ$C{7^7EGI`c(D|^`?JI&3imk=e_(2P})>=Sgu4|jeKR5O}g<8tJivR^<>)$m45%B}RWz?q750eU=KNjcaW2{J%W83Vhab zd}8py4s5c%SKqa36p{g{mhJz@Nyr#p5H{=7=Ps3ejNqw&gIk=}NZesA{ntED-;U04 z4y{#_cm9bXjh|K|(YyCAel?nXi|u%)`*xO&4gW=?efl7NoWq3|%a1xz=eMzwLJWRd zDOYSuJoVQ(e1cZX9m>}=n1U7kk8Cf*{@Cy;oFz@QV}fOxw7ih}H~oJS{?!=ug}2X= z@pHm2Y4|5+nT~zk*%b&BC31$}r~Y#k;E*bF>SRyd0b*t@th`v;y{4u4)-;977l*kF zU(@&8zuje(nVuZ6xCv5I(Z1Hx;^wB{&1k5DaS+#7s6v}q?;B)gkTGl8_eGq1E7q)* zzp;gzR0cn}P$nPAKacW^X>)IzNAB*4;9Ob?halZdM=R<4aVRoh8*hTU4ccP0lEl6* z!Kb7`%3=S#1^4>$Z!ee~t3;!#BgEv`F}YfjvMH`(#dzdCd#7o}lsC)J8b;SN9Z^%; zrPG?u%U)a`X05hU<3EdjL2SpL?6y#(riUu^Zg?o^m2^$)22y|I&Xu88{-h2c{{g`; zFY{gE37x|yg`o^~v2yD$aipnI7@v2h6`wL~2n`gXJ2U(v>Oi_qJNw7m9x{SVD zb&x?GR*IY@PXt9u-)mcRyAP=?7)xI=?A(3ixH8+Q)@vIgw|y#*o22FDTAcVV5*Ldr z*9)jFHL=L1WH?n!c?P}$L!Z8_zwtzWehFU1Xm{WZL6xm*T#qbsi?$lUE+})er1b~L z&K^yLv0cJkfLCx<)5lzZ=ImCT=pTjTw2!n4`6&}D!=hhHZv*b8rQodIQ0LmE z(MVg3{!81xfPWo(Vy|Dzt~pfFD*Hz-A`pLU7XJOFh*|6rh2%(^afbomLIvqjhB8K3 zi;t*cDR&uYu4drG1FYE!fu?mf1kg?TsTy9?YUvr8sv0^GkEtm%r&_}x4hiMpytr*z zA9k;x;i-Y~VtI{z0?I4+vc<7k+_^<4S18uhQY 
z@U6b@>R7p)tQ`}ry`Gkwu>zR&gNOxRxe{J1KmF2r;vuU_t&}eHi8=L78Zr&mLBAav zZE~TA=cT8nEA7lu@RJM< zyrXQ}r%ydbnjBLHsjKoG)F&FWVEBJT1wIf9h1uS2&%b)Zx}rlKzmnpZPdxWV?-L0M z2j29;aNFGFU25gZ{((?di}w^!l%gWa1|fWav7m)hv?F+H1EcR5a5ZHFG@rxuZ;92Dv{(UOZQ z@2}5i950sHE9$4IW;V<99A92Yok@wJOl{KfjkXfh1!s}9_k;6U#Qgq||M%36)o*wB zSY?&1g#_-&+lFCem6q$)`YVIvmE+F^!SQsbp}cc%?ANrX9j^9#OiAVH#BQr-p5!&) z3r@xlA{Hw4%(;30iHhH_EU%Z0xy--iP#EpYTb1Ii-ZOSi$@P6hcLNjE7uK$qvji`> zrTF4(=^5c4{2<@CuK2>&uQ*+ts7 z2s0lF=KPLQZf|$);7Xse%uVNXPtLV?bA6p!(I6^QzhX@>#iWH^pv=j1yzdx%sU}KP zS~YUUIgyo$eo6JZAhVrK*KdIW{$H~aj?%620I5&JX-~y}W5cxD+W$l1_wxf6 zj$Xe)^}XOgCDo^6VL1j*%9;#rS|y@XrF1WY#u=!#4%I3LizQYL_EAN91_hDr)HS!oTCz7K_E#2N)tJ~QMN_?&XD^W` zeO1Pwz2V1Bv_zItmQ}!&i9FsoW5y;%*B>_QgOvCXZuRm@NL@m_5T7*JDm$GSM3r$y zB$=v&Gdn~*9T}_{<4kYrNu3tMX2@#(iuP1$cSGej{)09Moc(I@W!ac! z3><08aX<7+R$D~21(&(arpNj4lDJ?N{x(o&991tBM;Sp^^VX>h>fMG#Qwd-{?|(eDeCT^{^rz4tk3ZaR zPBkWz;Z$2TQM1{RAIGf!$oXN=f_G=G#t|P{uxL1j$y#mQ8|jE6lpnX&&0c4!=v1~e<%fAvKZBkrZ))E?HI=$Y_NXCwb8IBRoj3mA+Oxq*=BZmLZ`OD2jAOQC!>hf)YHWmQMGp3Cm_;b9vMw5txvYuA0`icU$ z?EVf3J+tELB}a;8Bl}7{@jb#=8$jA-HO0+0bdq~HBNNiG{8FZDHj$TI|5-m?)x!3t zm=IU)oa$Ew(R;Hsw#~&pc4MX*Ze^xT88&An*MG+#0DcN>rI;2_ik;`(558#H!g{*Cpk}1y6U1g zhyML2D|ET!VH0`MzxSE%^Au+IUC|>b_5zzoy9`@m!r_aocZWK`$WnJE2tjb82JEf7c;^ zI#KOZL@nA;oBSMm>W$wOJ;cCYKF}5=0_@cNIIc5WnGG^W4{@w)i9$B&$_(OduBLuRj_kl z<>n|KHRC!x7nN3=oqcnWJ;+!8>9V^yTZ@VEI2;(H+pZ!=Q0U?OgQ4?aJ^`e^b^ zu(9@l^B*eccOM3vt#G>rdOBZoThvpkwu_E(+Rt)-aN{$UD`_I{@Z}rHE*J||u)wo2 zL02hs!4s+GMiX(C$biywBwKL?aJD}4JQcWG1XoSLpQ<%HTP^C?>^3)CBtthSofBCp~l?JyH>-cB=!#`>Ua{nF>{>!2n za7hA}4Z39Na%q#Ci{X61Ole~|BVCm2UjfZNNP!hD9XD5Zm&v(<@yUAmUrqqPdEt+2 z!cKmF{#V&#%|Z%ej}Al{4Jn}bFFrI?2s#ho6>xAD@cz@M_)O9a+d5KRFJM zk547#?~H$GW!=9+^hX;e;_v$7IsiX2gabdm1VIDZBfa0z$CE9)dW8&Dg1L-jXBw;M zm0lnc*}cJVyPlS0P{KjX_isUZJz5F=`%3L;zOnOtc{23LXajru*EB0?tX@C&s^sy> zSghZO$K(f@h5cy%)-o~qt^E%vte+jfxB^ULM{+KXNDVtrkZuB=QR#dP@Mj+sVBeg4 z-VyKy_u@&xWI`@RNdUdTw|)1??a9Qm8&6(8B3u)*nJuvL@qq1Pg>i1mG#zdC?@_q& zH#&-6B+pCpB`3`frlx;Fk$j{H;l6emd 
z_U1D6G1=M5$h7%nrWTj+@7n677FW$;zYuc6!qTj)k`w3{d}efG68e9F;t-!xQ2FoZtK_w!VMNBp zOiNw8`S*}#g5-We{?}ekvg`e^JlcPxPmHG-IyzTX$LZIe*Ib+5LxjMx^k31Q83z9- z2k--JXh2bZINE5Qo&VMbD>V{3W2a<{HH|~5xCPgdag1HM1$S0RZz_~}?LlVJm*;y_Uf0wfX}YORX;(fTW%I=q zIj^iPVQ&Q^Hso^PS=gzNs9DX&!>;(!^`A#v)x(&$Qc;7u1*j>aopC#Iq!IZnF_iY~ zuyp$!QM5BQoYheIypZZ755^>J7US!oj0Y6QsK8lbBk$S??U8zd%Tw=#B`{B>*>^EF+(^y-2N_MiQrDWB+VA$I z$Id=H`B9gkhq~wjiDV|FYufTQ3 zgzM{n=Rsp(Ny2c3?^<~-O}38lOny*)7e`F>^a7ja;lu95U#zvNHyrscvYx=JYvvMyF~dZZ z036)_^t4!F6|O)^VahV8sc&8DAWk2}jfp)Q35LzBhfhI`mL<$943d*~J&Lh}T_-7p z*8Cp6dxF)a@pIvl2rOE@p9;%`67RN3Ip|WBaO-YnnYKuh?_y2DWY^xjb>J~KPQG>U zsq*p(v$<6Xmt&sHI!U`mbhDSh_U&VpqWqE{ZbCe;$w6H%>7Y1`-~Q1lg||#d@NMU4 z3Fk5+l+(?&5Tp&@IK{L9#lvKM@wZ)(p} zMd#AegjvG360gU4ZR3awwOEi_2B#Afu32&0Rz1P33XpTnSfOCfBn5cf@hM%4TPAjm zF#`w#QSWrX(G~4&*)OpdKSsI{#O*Y+mak1%6LkjGBAj`8x~1;~aN#!yU)3NtUqrN) z9!Ieoj3q9aDk|zz+-$8?cBqt+@Ix77N}6J0$Fikthwr)t3AO0H^(b2LoHGs2BmA0KTlQ>G~Y zm?~ac-@tQ}8EI{Kv>z|1ZIQWVu1f15mhYqNBwB5Z4?L2&{Nvqt?|-OM?r}@-w84!g zK%k+>5TF`kk+x?|5b)SZ$ED5m#r0s4tB4XOk??l z6x~yGuk6Vnuoja@b#?Igl4Sc0g=t9>sriy1F(sLdRoVySDRJRqY^00A-+LbovtwFP zQlN`RBXE2<%nLlmUO3dO5VS(5A7Widlscd?^-V$?Hk8gd zP#k+)%(}uz0mV3gD~l1mEOH*+*70ul`CI~lIBP~D=Wh0pK9N!^;lYN7r@l?4{WX6z zUnHO+L4b^uPs1+9;IVtMv4YX2c}j_OY<@?HN>hO2N!%Jh!o^kFH{*ONe%9NVv&uTe zO%_cg+JKm4m0xHB(WRS?L`jZgVQItUuzCH}>x<~=!%oG<_S*4?@SD)gpt^%o` zj(EX6K&$9YP>79DExJXeU#?+7x72rzkxV#v>*NnF&JsdBmuz&)NO3CKn}3-@IFxA+Ld*0y%>MtobNc6Qc#eO&1aHUgt7##Puw)312^ubPfKy&BA`FkPbK1%jMpy7ynT z%n_v@d0|HsL9Du(*nW1mpFKdLCL!NiF<5U23K0^U-g^9SVC}8(*uvwVvd4hPc6oaf*5^=zID@X%{Tl+L5qm-xMnHc0CfOMqPexm^rg>%kgy+mjp5T9s@TBuMt}5 z!SXcL)l63SSoT=a@ZtuF(Xu3G3lf|injtElv0Zk@W(U_vis51^*gEnu2RU}ZFKb~} zJ*2+I=sBW<+tZZ8Mc7$uJMl%7NJ^~WcRQew20_?934P;Zg>4*Sgc;=A?d)v^>B(u7 zDLJanhz*idijHLuKK#ty>ubkHw5Ux>={Y;qDnlx$W2Vf{Tt&bU?y*56M|(H$3VJu2 zor5~e*9H_z^vuX;2_p4EIpQajIsGP~Too$!+2UJqID*|;vaPNFX!7erLiXR9mt-M( zbR3y^=^VkX&*uXufTCw>VkKtacZEDJE5C=)D4G_^lp~!-Z`o$07`+R`j9V#nA2Xgo 
zo>=$D9gW0DFP*Us`mH%(>H2JKC5QUb{AT-OY^V?M;SqC1<(umIudhe{1AN)6X+c1W z;rvBPv?K15N7}o2BQ2e$1{VJe6;|lk;0Cz1{z|pul1{R7h(hnK%zxJNXYJhfl|$q> zE5Qx?#E#WY|7`Qmvj4`Zewyw!G@du{*s9KNvm`#Np3eZL1F%HSsa4YE7X{asq@Z8@XxnY0$69NIA( z8qL*eN0EoAY^tK!1deAGo1OV}JgKuY)e=IHG6Ei*1;0Tx3?JbQlk~gTI+Ms_lC-4{ zrVE>M3rX9KCe1D}?L=)=MCVx#$@TVv`6m8xge80xLS+N~QCXaKdm#KE&ybQMskME` zgewbaLfp8e&w>JaxSjm-3h4shB%V?E@ZDFqoZd1y+z}z^FJGL6%tQl)4FvTvo;)LV z7d-_j#U^jjc(fr=+t5;PY-6ufF|T3Tkr%^Fo7q}7!gIiG#m>2QECfMBN+uhcm{atv z%ZDAmcJ?5dkJ!bVDl;siq<Y*F%ywTR-B<#so&u3EG@UJ?1li_ncFd4K2;+a$WyCXWXo;r{P;U@y|-K5(nlTV zm>xwq1E6HNZ#hpc-STEQoEzq=1HMgtr%*uhD)914>Cs8w$rR2+$vKh~feM>l@Wfq~ z!LjsT#x`zc#EtPm^v_UTU%xwz*OzjTJkPP?~!?-BMjwWk}E*}M(oAe3-@~< zienqexg%xhZTIm@LQ_vmbZfFUmNQ(yTFDQ(oEG zaeSuKmNmJwxp%v(1?#lMezF*`Y@x;20XOGpPvDKf_g8bCXUF9ijhzGh467u#aJNY| zkEsW9jweF2{f*v`8FktWuU3U+!Z;^3+PO9-9w2{Bmxu(v zh+sYV;_P|gP_H6L9Kzn?eSA375~p=Y7W9Vjp)r;XwtvYyCE&-jI6w&|%`N+M3*V)U&g4v@2UV=uR z>ugXxXGjWDaHethz@R>-L-Dn>mIA^-z5xe)NvQiYm8IqO?dDln(;CuR)!3v|>lt6> zqUePIyj-7n&xQqFtV*(REf;JV;ReSxYE?3A6#WvJCl0sLcAn=Xy?)+;YtdB8y?N<4n_2hoPe#d7wK!7UZ+`E zqKri|DzAPxd6mUp9bs?k^hOB6$%_y?A3jTeaMn?F98r;V5ct${dRGz|yPk@Xr|97Z zeGD_(z#ZEOtkQ{XYT+?EEWw-UnEuS|1;T?1}Lcc+u(q! 
zz1OTtYvtWgPx};QJDa|iwJTlL+yhg`A-zagW?Ai(kNDn7@|3TIFTIMDW2S&Q(`3Up z!S#3vGiTq?J}thjA7o=Y0ZU5g$l z<0+NogM4uo+UoVb%)b2b$~d{!^JD4pkOdAoi)~t`J@g9vP{);ffT+WX(RYE&+Bjto zWgATf$1tQPO5nxHCcJ3{sqi!PcwBw&O3lO+uL{si){9nAH!)kTM4nr}<1S5u-PrNK zCin?YLlgCU7G@Q&vW7wG!64}%O-mCeCTCiRY_9Uv0DsF$wkP7Yc-z?U`S1fo?=&HJ z21JM^mDLtvwyRY6f|+eASS8?u1qJ*Xv|_vZm& zS?lx=H&lw9foPpeMaSo5OfMXw)mRYb9#?*cqN|a$B<^Rp{UqnJz?Vi=eo7<*ZZDf; zBE2PLOcHr5&7oO_;icJqKUmTjfwS?$a>#T?kb9*1RrqR!v;!quN@T2-tmxJX9v7c^ zUX&%zrgsodCMut}bh}@|La_R|x_432%6jiwn5e3nt7f4ayp0q4G`5s` ze9J_Pbph-2>rz$yttdwQFW1 zUQ`C=*&0WEU0#{ILemYplgf(?bKU-dZ@N6N-O=y~M}%YLZXKUaiR{-Adiptbtqm3N zd5uD@LPfL}@++;z6bij3*=l;tCv!bT0`A7#V@_0cnrcs0wL@>?w@2^J zxu~(~=+(=NizU^h$n^woRb^RL6P0UdPeNSr1@$c2RAnkdb=C^PY@i2rV*Ng9iGJLx ztl=;`dq~xJ9o9FemG|h83GgB+??t2wl;^CaaWb->3i!ERzfZunb4@5UHm<3E`s91> z^|!c%H-=%Rxh-b`$w;fWcBpc2@@&`Fq*2Ws3>+MRo}aPtaAFlVs^VJE3QxZFSV!{0 zw%CPOzkD*+5U4WqamvSnuFrCPM&?KuM#&n(k#NSDeZAVnO*++bn6OW`gR)lgAAbQ6yG#|Iis6bllyJA6OKU9x zHFE8{-)|J?MF{;YFg;Ij*yV)I^?B#CP}~T%M-XAoC_e-E1DD<2yDwkM9t+AX+9oO_ zo-X0shNPlYeXf`CyIbN9DJXf%K*~6n&@vwAM1VH#znz-gAVaY*MtJ+2bPm;6ntC3R?W36h;2ZdkDuxhz%or4v#SM ze2pz1<5+X`z#v~zRympO{30gmm98*d5Z#BRNL{oMC1u?5Y3@{>0jf{#OB1w~whlTw zbp&yYp{tf_*)kUgZ=dboZn=uak`cuewNNn3Te;!S$X={di>(oa*{QLJe&nf`9Y%iD zsN~Gwn}j?(%NP9{$X1K}FR@0P;FEd(~NuGdGI^3rz(21QGX&*b6?aYH*ItUhj~ zcLu+1-mMqZ^4CqX?El>VKkl_7IQ^Th{EtojYs^HXq>`U1JJ=OC#4tu21t@N2M#UJB z8ri1)-#V?!=MsOY%q3DJ1plJ=xBl({)}-yBN4rPx_rTh>H%4(JPtuC0=6tb2^R0C; z31YCXzZ+2x#uE?ge6MAsgt}dIA9GvIS%t>1LBT3o<3Nu;!DBzjnUnkkC0#JpUguS<>mUtl-dsq1oQV}9HL;%ar2Vp)Pd^a z;OU0gWHIJh8Rg&J^)Ss7#`5UoR5k(Ik;18*FdkqXBYDTo`=<9m^$J!_V^dVfTO#2A zW|@27toPBS#NFFu|LWOgn9`+|$HG_jEGWMA zm@R$3;%>C^Mats&tLC@I=1LaoWHkI&$c!4yJ#7T_l3FK_v#Glc0kI5UjmjUtLpTie z5Ph9*pj=(5rB46%85y65cZomEm^8M>$X*Yi3~RPE?0UHxmloe_ZJ43ap+$R)Zg>BO zA8_MF$|p36Q{C!x4SW~wyvp9)1125)Jw~yFBT=h(n-}6n#2>VrPF<&%>rNIjUN(wW z-vf*Ia_vb!BK{sOcd^MFcO_~R2l5XnK>y~AxV<6nAvCh2M{i+Yl~UiV`QL;zy;2RM z4?3Sl?Jw_rCmLrS416Pa&74A2#qvq__!DmbyQm6mf7oX<>v}GI9}P{?s-o1r7U5sP 
zQgz~|8DN!ru1~%i!7?j#~$ps zoa9XGUZN?g^vi+BBz0v)J0vj>7lQSt@(j>DOy&yvZBRxeBQt^ehI-b|Q7x0m&)vWt zB%8(;g_u984t?q_1W&jZzf!`re?+L7IJ=}4@W{CE@>8nwUHzz_F1y6QLstEUw!5)M z60*YZu7TrTj<}g+1IFT+<#Q$d^kvBOJO7Q|MY^#m!lcM6P3C!@M{VM)=V{wrMnval zVV1ovQTq|Yw8NZb{bCd`%(Vg+^@n5z;&P=CPJJbNzvXsoqldEibA}V!x&@5{duyLU zDbCMU$EZ*0CF7pnSj&&jztz;FoTD(qcSJ!j#{3wJI>bh^wz9PQBWYH-P4cfGxx91u z)@U~?@H<#L%&C0bm@qCF^E4(=YmYm9`O$O03VW) zCWk7LJ8@hpRa~ALoB8#M9UwtB#_|l};;z9+>O-0CLu2hGh@(IoX+-gSo~iADtg8SI z?Oo^^#0FD?0oMlv!ENgak8eJcE&4?CPq4Y&F4Ax`jf4HVJ(4BL7(jr(>(U`@Ly89{=q>sk_vG zdIt%TQF_QB#gnu|be`=Bs^*Bc+n>qM0zY}`rLy;v5BzcuP=1&DmiC4DqtVXWVM#o_ zpY!zk4G*8?%sPlr>A$~a{o3hRrjIZE!Iit_HZDZmk3HEm{!K8`>0u35@b9`llwOe) zX;|Z?r%9^T0Yi1-$N|F*#oPReb-2?Exdkq>Ru`TnbdtBNW*%c@%e-oO?^q1Y{J3R> z4+pqn2TBe{cq8|@n@VM8N1ochg2Lj?9sRM-H7Go6mmc<8i2GohxDF$*3`J<4W~-Y6 zK${1?f@pNch?^dle6CO--&kXhI=A<4FX0^LD zj7qN^sU%{>W<{fkif|_%X5+Iy>`Rs}ANG_F@~1=DORa8`oI!mdW}H^s=Y)%eXobN`q6=FX7)$&h`%szfNr+2M{>U&+yh>&-=C4)1DOG9N8oRR_Mb0uLBKo# zHmz`2RR&`fxf?{9Ie8q-bK(_Wb|+*6Q+)hHZy%G5llfTS0R6de0WC|OG7U11`egy7 zm)E=@1SdV-iAZg-yRq5F~xow(%KxUw|D$u z8otg#9ZM&VLRXVBlap${Gs9l^J@E4dq6arHBF&Oys$lbC>r9Rs)P~2j-9O_A9>0kn zZM*E%rWw`QiF}-P4bzvckRKFR9%r4QLl(wOZqw4m+9 zgRNjLzHCNqveJ*ewj~XLLy;pc*d4u+v1F?_VddGG*Im(VqsM*w;VBhbzJWcI)f*x3 zGpZZa#3X4kSL@#c#f^0IzIJQa^X4~WTD*gepgHfRTp$kZ*jam~a2>N3Z=yS?kAbA1 zi+Qv7_5+N=D1DuxmR#Q|?Qz?8kHgSB@#V6Q=g=hMT&Zb7r{^_Hle&SQPQ)WiK4{ta zf&XVUUvO<5yA^)6@)XCzfJCxEu|}9O+hQZ)Z5FYQGDg!g76(q+dtiXbiR-cKxFK;Z zdLqSpQ*YN@&aKmx2q!Bhf5R-eDJ0wFF;WRh`%y2m`G8mfe8qzHXaagG;=wuM+Y^GmYj^|XzUi*!%Iw#;1K z;fEl`HZK-b^-pW$z#6oE29?@m}cfEwz(MG10 zLRP4#bE+bmB;BL}A495-dJ zywYxo9UAJtwUCEmeN1B2ObedY`_MTqyW8sa2)ih5Y<*g9e~=80mI?l zlE<`1Du6394w5Tv74L7QS?a^Rd396Oz15eRT$Y=JEIq?fZG=XQM?f-TLCeLk;Wyl6 zV*^t3w0)|?dAw!LNi8+GE+NYny`(^YSmjtHp}xl%Lse|_ZUISpK1D~bJ2Ks3%v{Iz zQ>))%B~pFip0JKI!$A^T{kxen(`0l4^v&WxlF!ljln`a3c@V0r$0!rW`haqSw;WcN z!Tb@uwQB&9cE394mGa13g*S$wZjW;X99|Fdx@E+*dI>boAl-x;D_dH@@aIAAEQSlM^cR~aPVfguP#Yog`|4O 
z+Hd%s>SyR5*1Q+#^r8z+eTMJ1s#=7qsUuj#CM4=Au|8E4>^}b~*QW04L?YIt2A09b*UkRl` zB6zB{aVG4vOoBpFA{l^592Jysdk<(=y~X)T+a07O6WjVt$*%#GI=&m0H5xx{-)v`v z&yBmr0qG>XwD;Ck?9RV4xuS5rtBUFvCfI8}u!(27@^wFU?`(1& z>y-#)iw?;!pD}n+-FT7K2G_Q6!$Tv&j-d&4Q>#&rmIEik2CYH?mAeGek*3x()1@;f z@pp|>mha1!rrt(l3lpUl2~$Rz_weE9rlSI03YW^7=I`}O7sW-Rpl)+nUK*2S)qEp> zE-#VPZ3Spk+gl$OKSvUp!D7`Q#JS+o@ zIt9_U$GmVu-VoWE(=2FiZ_k}ob33v%B6M40d%IvyH%Zykku$TcGigcuMG;ZWk*O!1 z%OjTMZtMa8O*tN6gn4n@_S%lgIT)4<=X<}SdsOS~CFUlGr z;gekimSgMoP--dnKyXk91}jTfZsddD`$ko*YY8}bll4FZ+-z+GsNrFnkuYkJz>$#P zji5>j$!EYTjYfGW{j+Zbm?Wd$Sn0jca{FLUx70Hd^Dk}R4gZ)|5rm?Yc_Id=yg4^G zAU|Uq!-M46G)CSCy$0noUJ2LfZ1#_Ntmw$)et}0>!Y=6%pGDNs6^%&{ONSI~`vstx z{#SEv8P(R??TZE|?Y~HAace0Qhftj2R@@5-k^n751Hq*@MT@mi+}#NjLV`ol;_eQ` zA!u>w&AZRocbqfs`EcHS?mgpv$jbb%)}w1p`^`BY+;V|3>l)JR82&0eFpCXM&#+7> z!H<_wD;EUf6Mq3Jmkiy>*L6S^7P+mS7|Pfb z8tJYRnXcgVr7-jB0u53Pt8xYQ>;!L`!le`1)--Sky*mNu%i zi3@cP4rCODG!dK`DnieyHRtz%e*QhQ%L@_yn5JH#FSh8^32Ko+WZN&x|8vS z*$7G$UtLsQKenh~%W*DCIPCK+oFT7>ii&x?{_Ss8F9j1<9amntNnq#kwQ}wb!X6NJ zjA+@KQ)uKWv$vMmHKpB`wuS~{*KJ317*1);Okfq4zVUu7Ty!d$bn519fxL|ooB+_H89%uMJC|Xy28-LF;$I^y^gy}&S8m$nQW3xZE+LG)#!YCgCnW>sNX)79+BV2(F zzdrx4AY$eGi!a2K8hM4)sy>`KJA=|{@sV#(mYzCV(PN5V?TF$cZJf*O0qt&Mie(!Ma zwO7-`x%dUlzZB?&ihQ{0=vvZodZpax+GkU?Htpg>Ss_t#R*+v;LIp@kwllo^5&yit zhIi{|SrK|GTr`-oQh&UDE#{b@AEeW9+Tai-P9reJd78V(90aip1;(TaGy-8)%C(^e zds?I>+-&L6)5I!XyJBN`Mr0h**2pgg=AIw=yQ9(pQAc^rT7R+vF|^}G%}`PbgB06{ zlA^SL1Hen&JW5b{4$Dr=)Y#1%41SwVc43C^^K@&st=#AZ^+nz^v+cf1Jh4Z62(^MF*SMEL_AtM^A6V zOgDV3xaJre-{p7_3r~U@D$k6Q{Lh3}kb#_(>jt)Voc5bDWK| zV3Xji>d93j%?b)hw!f+)5(whMPvc;<*VcCov0q{q5P)d`7 z1W{EK1-bDyBrzgOvX%m@9A(Yw>s;5E{ilVpAwYuQ?TX^l9QBjJqBx3SRX44^2;*v> z&wd9S#7pt(oY$B`f=Vwpk<=eNQ3D)O&PRFx>8cPlG8A0rTUhzh5bJ-N"|5h3s5 zsUrpCI-w;Z(q0Ow{O?LXG3Ak2h51QM-<+eTS)8J%}wo_uOGzq-muxmh@1Mfy1Mk8v2W8-)*!p{dco z>)}*y6ROR?UHBtg?m4O^ET1JD&%wqCC|MuJpBEke`OGDbT?yKs?N1U|!_W6Jo8c=V zUyA5junmt-|HHM6SLqqAn*zqkjE%7yOsXiaJ*weQ7FaI(NGih35g3K(4lnDL7%pI=265l^!lkzbx`h@SwrpnHS!~IUwBi3rf>eR<#DmP7>@HRM 
z-x$FEJ$mu*|LrZEEoQh9;2e)HimU6t#^-)qJRXN}@M`4E=CE{8{rozTDn6`J5vQnmA!*jYf zoLm-e=3bJ>!Mr}9>-w_Xvp7q+G~2H^02RBZ+ZWBvkk8Y32ZWJ%xmac1Y4>5k5A zywBE8e)&AjdXk!Kys+Mr_h~_IO26gO18r7nd}nIi+@k@_vJdp>MMAdeOR_q=9b#f5 ze*rdFV?&ddZPSS0;8Vt z4zb@?us$>Qi6yHQCEA(%`HF8<`sJz!gPzrjx2o%R(Cs!SOmMF{PYiNa3+(K1CgwL+ zG>2Vy8x-S8oaH_!VzPn6qseM3L*JV}P4K)Flw)2Ws{2B1%gwK;0I)iR+^`d{a!yz( zzOCQ2hXxo~=E;RnptLdZ+ML)*<8G!PX8^&P@3|uAx`#A9yukk5jOJ1cb!DI--H@_& zk+BoiK!l+w2ceK+VPQnTt6_3MkKtZ2hFpS%U!yxr_MB2CNoS5ZlM0Fnqet1`Qcl5& zun_V(8K23|2C|aI441FSgY$&+zA(*|B>IwEGQrrTX|3B(E>MfCujyM2T50zaD=g+u zZK1w|Dj0tfPtyIh#`L?k+}1z7amS5XlaL5+3$>dQALH?aLWp)1&Oo z6~S)4mgIn4mdROPO@^ti-#$?a=)TYR>{E1!*O-hUdthQ6!B_+NH>&iCN7lyRCrQ7C zn?KLped8Lrt~-~%eCZQ&VfVvU*TuPObk#o`<&fI7>0s7{mRIC%lpNN(aX_HLoTt%| z!Y)7&x&EI;Co^ySN_ik3P!M8xQ&E|P*L3BQLPLI^HAn+4`9v!>fQPg}P5vA17Ng6J za(km1iUK%E-YjHa`OBJ(SNMK+;mH&n-NNTtbh6LOTU)o>=L(srR*LjEV%+5~ozp#~ zJ!clRWF{(gd1`BOfte*$IMlu`?EB|;MGRs3`W@9C7AG)aQX%q;PolYOrF6BYPJ+XU{8gChI+2CE#EDp~^Y$RAZE86*RQsqK`1!zli-LimT5fpw$J> zcXyl>2HqNH0@X5VZ?!FsWktBIT*k*6Ie&*S-Bjs@Oj(n-# z-b)+d0?bsNyEn;UI~#uwi4#i%tfFdlH} zY5!^`;0zdw7!VL(w~WZ=q~Scu&CN9rO>bgegq}MI15$MPB`5>>;W#v36e0jPK8Dsi z3Z&$HsVq5KWh`Z%c#J|l^+J+R)wNK(ZVCl_1<{hkZW z%(;5tt2|+3c1CLM?$+R z{1BNA0Zz`E|Cl6~-a}XLhm;g~K|Cjlf>aa<4oD9G1F%nTyWx{+ zSx~o%vAQX)m?bJ|dC5q0Fo(uOWa7^^0HTHwyLaZ=UkT}dhMG2C2pjZ8{s9Y7ZI{Dd zj~Yyv=2jKADty%Oi|Ee1qX;Jos>6!oltFyE?aJs?K~40vPM8Oz&4Dg}Bjw}D%aYtc z0+C2Z-9@a$$x6|8x$62-j3x*_(fMI|RUj**RkPGgD|xfff)$LgRh2Ee*wNTe*v`J<9YQI#!hZc zbnc~j_ggg!YW^TAo84^5b4oj6g#;|{Wr4k|b77~YwnnDP{25%s#Rc@s&m|SPi|{RS zg|vOtmS8>Z`KRE+J?LIAByKJ~%rmE|=XKZ$YzswYTJs8;zd8?6SFQ2kJG9 zl)0I$u;1nMj=xW?^CeNDf(OWzZFB9hK;tE0w2G@np=G+%pJmLFIBjf%AwMdeb)4IDu#@)B2_IYR@?$NiHqwh?*F%d2#Us;wJ$nlQ9 zP*zx|sToTV!<7ur9e;in!jHKuuX3n)EI=k(wl#Ol?p=z*$(BgDo* zh~km`Ku8AOTMS+H)`w;GJYc6q;o1#5Ad!qrB@ZsCB>pfwuu#36-7Uy&;0J{YxcC97 zY%d5XcRiCoP*Yk!+5EzpqK#Q9TSr$K8RR~~9HbtR@$fGod2`jckPucNu2u5cHG{Tz zu=I}kkzvo}9PeGu9Jq}=s4Yj-!O(r(2x1;0G*Qk`ru6YiUBBJK98iK0uHfv3P7dsR 
zglAX*Ww9zBpn;>W5F%KEZ#+sw)!(s^UBbp#kO~pB|NcjXf59&C`tal9Ih8aXefl*} zm^16YxTBHr6*pbB^_P-r2<;$XhLmuXgdq9R@2Ar#YOfyawLIVe_Z8*1De)F`a zVIOl!C2vbgW3XX${1@={?S|B4@Q>HV1qtaG!J7AT3f^@eZC#XBz4i&i6AaX4xTBt? z;&&f6Yo2o{6ohQZitWW&Lc;@T65+}a6Ak>^4OM7|^GOCxT^Z^Tv zPKL=n&PMZy1)py`ISoKN?fMaQGjbbd~bv-5UF( zpUHA5hQ6o-^Gux6UfQ#=7~+miLa=TA<}q#8KwYuQ{j0^h`YS8ZJLjO%(J$9QK-_+s_a@D&GVQm z9MSH|x%vJ)(z(`6nO#?|@XX1fMpYj;>Roy1>g0j;h(bV4NyU{A)~%aGM{_~u>#mjv zA9g1P;KM`*{8VlPOVTsjnDr}l<+|n!!PN9{VatLs?nMP|;8UZyJzXBnWd*9rQvQ zMBZvXs&3dFVA*VuFm!?^fEyxT$58?4SkYonBC{7I`)}7Dc=ZK?pd?SWw7j_M6zJ$KNvV28V4(kUK`AkWpuiSparpzh z>CB;*z>Pv5;AS4-1>XjR#8@3-{c5mF8)~pK*IAwjOLG zp_%lAtcK*l*pjU*n_&>tA>;9BYxLR)(MGCCFi@SmxFCMd`i~=hgjF(is)e~wmqozk zL1xOvJ-9&4xRrv)Ip0 zifBk%jm`G{;RjL(uWg;r;$*U}^&?Ya2?u>D9^aUBwT281e?3;SP%1=GSMx$Hi9h~=YsuOl-7~Q+kc}y8+n+WyL4vmi6>AzTyoP=UxDXsYkFcG= zwwNDro~AiqyP6H1mB}HGN9)hKlwN)6r!i$q`wO5~dDQ2_x)K+l6#q(A=Jf4*d`3&I zIyal`T;uHm8N9V;xqwV)tPY6ncM`DzdDhp=$Ls)4UP6HKAm4SkgaIvEWN`Xo zUs@PvMTjxC=2+rLS8Bg3gGN)Xa1X_XNf#dkO#?1aA}UBwr8zLP5tM&_83J@P%;fp@mY z<{h6D9fw} zOUR!4JSHE)QYr#UO(f5S7QL9-vi-crmpxyKRM5~SKp&jY1uvS+{h5E$ZdIvRmO|lp z;0&qohBwXG-7UZCb51n<&)xoBr5h7!%C=e)YFoi+@ecuzpav~1>Q81fCNKFbP58MW z;tl*m6~Z~m%>MdAP!1td)!jQvQ`aW)ZVktsXjculw|b1)KsvF~4Rh=ystm@rHA2o) zt7DT7fu@s~Rikn$D6$^&aqpf?1P zPS*&@pi&^TcPRj|ZT@2c?i)CuHL62Io@=A0`NL&Fo{Uajsjj7!r{W75i~Y^ydemyq z9CqP?n!it})4o|zy;d$3jxdvDU1XfIFqm5>*dir_4c{?^dBA!#QxyT_T|Z1UQa z*sf(Ts>h;q?T`EGwL5UfNBoKMlrk71%&URxj;*wjiXvKgZV$?(8MnhSc;=nfQb;49 zPI0Xb#O22~O0k{X&J7VQ%J;F{@T>mE157O7V%hJ!VJxy~?>ls8MJSR%@NViW0$OA} z2fuG8m@0H(`7wvCTWDTBG$mddVje1g0v@rbI~@A$XL-2j*Mb$fDT74zo3CC>mu$A| zZru$qf|wiVA|xhjvCwPBI~7-V_UfWr;VCL&H38fSYXm_WS90dG)j#No)Hc79QTg{K zU1vJ{%ziwNoyl%n@4DV#^Hi;!%!PxPghn+u&x~eWn&}Dc@*mm>xo9@JitoQj6|n;& z&2kiP(w3Zm{44>>%X9hbQ&V^AnGHpnNRbFV;dyA$ZEKJ!IA7*sn-LA}D0@W3Lfz^c z7LM!=^P-J}hYsddf}ac@GH#=>zF!(>1!8gPV2k5{c6R{nnczNb?$eFKM-pZ;^fsbP zaNNVqnX}G9BBWdOn#zXrs-=Oh! 
zAWP);QmX47Bc14OOLZV^DeAU++~u*HfIyO}APkb|fj;nyxeW>)k+DDiphuTK*yg0y zMBZ@D$9paQbRy14p0kV>;vraji3J%N?S0j`=PZ^CWC(aY7u9_e5Qi+0)lp(KRqX9W zSVzyj<+n{tYf3j|V_YTYc}uy6+`oVg=}zBGZez$VrX*XdT=a}S{DwGdT0Y4+SSp%P5MFJBp)7~Pp^Lx0dLT*m zdi#MJ#G%dm8i~Y>`b?vB<5YT8q@WI%KVS8BvpYA`rIGR&UYTYxKYurY=Tt@vKiC8n zU_LC)esC5y(IuOboA+R&pebTe=L!$0YhOn%pt-rw&Vo&6vx^s*Qu6InTbv=xR}z)8 z?WigR0o~V6<||$hF?uAU5paN!t0{>mYTInqGLsgSlc%9NBguB##DQMnB|=)181hJO zihN2>LWI1xQmytJbovVraK4y&n>=vqT*&{n2$k_^)&tqu{j;+p3{iGMG-$M%ild3AlM1*Z? z^5n_)%_psM3PSs3-5o{knZhrm`JzYVjmiv zH%VxlvB5e+I?qSlXKV=L`;|OGf%C`bX~l(Wp)d59@>D~)b2k?Sn{Ds3L@0NBx$F+b zgc1+VmtL@Sq($0*3p%{@A>P%~JFDROImIqD*GuokzW|}|(RLQ2B)%<8bV7ff(H%E5 zPPq}WA-F5lAkkcLKx3QG7%VwaWcY{Av0}QayJLrG4aBWP<>toGKD+nlDTJLusMA%k zwHZox{-Ye@RA1Iumt8ga7HyqJ3>Ow^Qj@rlZajB#N?l*tAQQCSZ=gLeGpc_;NueK6 ztr4-_(Q%t4f?=AcBvZ5+k%b$f+SdO95T70EVm>%p!@-&Ir~Vsv@vj;O@&tA-d3cYS zZ)<6rnbKIlU;Z} zxk~rBVAbs2eQAhx^}TU1_V@)Ihq#WevoxrIZ9+-$C3vo&_TFUqqOyGn&IGdC>n_YF zaP#|k6{RsHA{*YjCO`kN{5dSKv{nD%z=lw6F{cZC%$H$7x$*{ahS{YQf$Wfd=vX^{=r9Qv>BI|6!d+%VVC)$_Qv=5 zb9%B6Z%XnpIZ^hCi9^cf%vM?VhjMriZLO3vzcrl4{3A!0QxCIn-N{2l+V^uN7D|zP zzF45#5f`OwkcdFc-f-I~LsTuS^(r@@5dV~$=fT9J*r(xnHSJfIXx|zxLb!M+I1Z~~ z@bN&;bV_Zxr$VZAToDfE2`g(k3*FHo-i;c!rX^gR44gLqx;{Fe} zVSMi%lcDD**fvbx^Zwe02m*;56p} z>g_=6b*-rS2TD-|3TI!k!f|H*#q)JFYwr|)KPre+M)!~yyY(TSIB3nAIiqV$^RXJY zZFGu)j-xo?*Rre61>kCoo%fURbA9d(VEseN)H4&i#{kGfbl;5Ey*UxZgOMa7bdh&M zRmo^O0!1FL)|Gskoc0>|S+6uP9_6pZ?48{Go09_=&{H|KFY?T7hfajDY4?ZMrLc`Q zo(?OFXZ#*E*_b9iEp?HViD~my^v{F>pomz^B;B;AIJ!Ulc7zk(WiDPG1#2R`dXzfKrg|F^tVp4 zC5BGw*DTPF`;CxtBzk@S`S*?d?wRvQA8cx!GN2#+q6`uCWo*HyxuN@PG?bj!`1c1C zHm|DhFCc8@db^?4LKVfO74)5l|D`ZS87gG+Co5@W-AlPKmls2jQj~wjD%8Z@X0F}6 z#NXR$KQuU)PUpeGzMeY5ThIq+=&rTg8l(O4(XOjlDQO8C@v0*&z_ zXQ}=fLJk|(=j-#e5*$b2~Zn3B`csV0dHwXqShey}tAA8dFR3^6B%m)esUpXxJx0MIsm`^* zB^uP9BGKnf={5`Lh*~RSVvxPAH~wz=D6kJYVXP=XrD0 zZefFa`OMqKirn@Q^8sCvPwRAHZoa8fJsL zzqvq$!|3WD>NufEupZ1aEJvN_NFQddn`3m6R`sRPcFOfe4Q}KYz(7NcAIv%BfeRW?dJT7V2t}X}e)gy<+g|t3%K! 
z1c;5>`mX(q+^N?W{)P`wW^UW{8kEhqzpQ7RYnv^49_xk>0Qm!jzoc&tW4Kq}M)K-v zfZJx#FAgVf=-J)D7M-y$93zcd;&)(r z%{tfGd%tNk`%WKaoZQj5Fne3O@#8Nb@w(}G!Ax833M0bIqJ;Yc)i)Jm%v~_C^p^UMC{2G_8bt?JiAe*JjHu9A&f-o9&u5BW-Ei{>* zK}$vTsAgL}oD)sc6ii$4N90GrMuKa}@#V81S_<2`xY69!e&0ml*T{&{H!@HoA8a~B z^C6-!Y(E>tRXqKa3#9pC{1M7pj$NU%j<}anumC}PFzj0s315;u!WsBUZ1C8@ zFrWOu>8H5x-}42f$HF2tB54MV){j-EfF>>kP$_B>nnj^h;%nC7{H>N$ees9^piHD*^P71gLBkcWc8YfA%H-*&7bHGb&F-%hc< z;2}XqvT)$cCge|+jgOt0+D4LsL6(fJS&wT{L`)+G4jB&~5y;k^qGuYoOfP&9&0%c& zSH-o?dq2K&AzxL0qEm-Tu0L|Gv(y;-GP%^@uyG?S^eKZ`fH0~+W7t?#KWw&9^Y!bY zc42q+BDL;Z{Pvs!llrjoJCTVwtlGjEW#z7(-q>nZM_e zI@>YZkYgy<^0`vs-lDGQrxuJ9E(QeB%{LClzZ%QU{n_khVC3cfxE~uKLkY-#6>4Qv zHn{`;3)s1zUM$}Jc@FZ1hX&h$^Y3ku4wB`8ARM^K;s>-{NCR2SF?mTQAUtNe#RQ*Nd;;VIO1PK<) zmHPN#!LnXR_|ML$($c}Z;VFj?K}f-gxisAz_(d{Ax~4H4chfMWoVxK8dGl`%!-C^C z?D!vF8Z_=(3-39HX#7a9&aD;6Ir}tIWj9A;h|d^1H9wAtBUp!kS?pPi+=nU{7ce3* z=P`+9<+;fGfkkH3RZA9p#H&V4Sf`NYzOiGtSwj|x*pW=+AEImEf+Ui^mU_WKw7!o0 z0K=azAe?}%ZD<>b%w07rhc`fzJ4@#drD}6S)36a2&eg6{8_kRJMo+1p?LKT$t-)p$ z;1TAwg@CvTsu~zr+|U<4J8s?>HIW%a;go4IB%~4Uy>xfh0B~NZqpyZLL;CbeQmf^S z9`u$XzBURCVrC$=DKa|Jtj}cm(cQaOgW>D0BLixHlTHOODw{3;(vHXom4rFlq}V}g zSI6n#-Sa2%DiAB*_alH%rx#Tb^oSe*NLZBblv^e+IrMNZ*!6o@+9vYNG5m257xhN!zO zr18#=^U=yk?ivH|js4`@IC6G>>RP!eDUR5&O~oElkWp#Af0>S|7(Z{$vt6*FcS?8a zcKSv0i~ipxJ2&6_e)Bu(H@1-Jo1y<7km>)0Is6x={{QM@M-#y%&(8#ZHjLX0NEy32 zg}C$Dfmq)kOmi4(Od`IO2ZThw;vZJp{R=p8N$&ng6J^Qwzx*d*av#@={$)N0h9w+Nn zZ}$TV+{C`zgVyp;?TvUV$B2fJT=R7r2qbj1PJ{9fc<$0c>-9fR)5Qa}r31D_dA`-T zd_vO-(-ze4xgcW{b@Rpp1A{8cVu#a~P&vLM|reQQL78ezJ{#WS_*n=HoQIJ`?vYko#BI zmaMIn{S;3ht>=zb_kXPL_3mTk9b$&5&MvldF1HeUj)np)%-zciu77pnp>e|Y`$**A zp21fRGb&!R--?Jhs0s7#w(fWb`id}1&7N=I)Fro)Pn`FZv}hgu=A20M_MX$LZrVY< zB-$N&p27b>1X`-_55Io&xz*$7X2%H0ec(&HJa>dImZKm+*}q3&)U^A)*7qN$3lH(= zpm)DtXN3|(P#!Y)@=N~taN!|M z62P)a(4kXGaP$K6bBPnh-a6IU31wSL8avSWIVPm%v+zdsZDHxJA*`YE+1AaaB%LlJ zDsVthivD7)tuw=AtkN`K>*q<6|CK}6=h>Jc#j>n0t9tSj{-Kmzl=c^w($cI{=_3Ip zl_x0V(dg$G9=&l z$e9` 
z^I6vY3z!QPwx_hf-*)X7F+O-P^%v0Ou(&{;pW-*u8GmYinx}W%UGn=tTsaYv@Zk!= zjJ)_UP+|;ANdbqU>%`Sf)Fu_e34ZMA7Zp5z&0^2HNE70w9|ay1y8mc1Tjep;x`R$K zyUUKFGTiY>On^irx;N!RJB&JVnQA6&yltJQmZ^@88EHBTEP(X$UE&aJ0uDKovZ%_t zrHy)wbfbRwRa#4)Z(moJMGVh0#mPIY4Q_MbxX+9;=DCL@fBI`LoaswXQoJi|SF?YM z+N!_j+&IuWxm_U2NaLNhsGP%i#Cix9+-Yd2rDaAgQSArae;HsqX``9qJoF&7H0)AW z;47~xZ|*keJy?h#45e|8nu}@;|Ic;_VF~yub}De%3THf2q=F2sL8`y51KN)q`cl>X z(EP=dkl{~n?+-|~IQVWF1G`4vbGRvCoT~_E} zzpR`cS*l|u1#_PpUpuIWAr9;?IC{nN{-{v=?iV&u)R~khTcByeib4?2 zriAoz_M_*Hgo7ko^j7{|mrYVDdr4=Q{~6AmoZ90uE{LO0iJv{CzFdM;CNJgU?2+SN zKz!#WHsvq$aASzup#J;)WVo{VN?DtM$tB*#BjD_CH8I zd@?eAKH-=D5c9oCz8Xyk=x5K56<7)+58^(8M?<3z6HQB}H|`^U<~2EokDgDhg$?0M zrr8XC9FwaJVJ+92`cr|aIA~A?sK&r!^A{2sSo*#CM^!FoThf|m9Af>+mN~L^>*+^h zzvbPp+cGGXMSt8rb1L_JQ6cm#Z?ZG2MMvUp$aFI9viU^$;s*N_8*Jh_K9fzk{0q2U zdH7&>EoyN4EHn7ZE(=vVVbAeceXN;~&fPaJ}9!Ve)58 z%r<@EF`Z=m6d<>h)PG_hs2O}(wsM*Epb(Aek&4%S6{G1qdObYK;1l$l#=CN{?Nur( zIo^q42J<)C1m!P1u!m?}zsXen|i4g{x*2UpJUHY+%3@y9V1VL#n|J4hZ_> zD#?jy(maOS$O{JFfXq-)ClWg+G{OgsG{UZU#%C%{Bocp3buB#Q?D|kRSau%kRAIpm zqySlVRHU^M=R+EKsnMgUdwRDQ7PpC%B&EpS5ADY8ZxC*ZlzpdH(5-OO|P(M|cgT<%{>7fiI3jmlpMUbtuZ z@2;H~vBsK}=nczHIs@@-_7C`C�X&-2{vaUFvj96%IZuH}}q9qc@m#TeOpOz?wtF z<%?;QOTxqXXHFgjUc&Fb5oB;3+Zme4mrWPi>qVqVO`a_jsXR~J<~HmrOSFU~U=|Oo za2NT({NOB{iynVV&BwC+X%d=d+B(&0tu#a@9{9Zie4(1^nNhaXQ<81u;leE%{*WOV z1VusFyU;>>7*W(z4mMH>WP7|rac8cl1IqxtLxFHIKwkz7<=;-q#N@p^60OvyjtBZl zGPRZmuF6@tw3f1 zlt$Tf5eV){ppIV1yTVF>WZc-7Fd7LdcWUk+VfVs@W)E>9jQY%j!nqF+y)$p+RHmRL zkbZlVu(tLmQfzEJ`!gG{e&vEZ1(_bQmq%3J&m65mhI{XFU;!MY#^3X|?L}YBIq){Ko1>bHUIUP}})9AimEZ4JdSBpoe*x9w`Cn8xlJk zu{^Wd;4`ur z(Goo^<+XBf-@t)hFA@Ip$A??p+mv{L(Nc_OXUoMg)ezHYIjX46E!`a2FUs&0b?%YV zV!Azl(It@lwob})Qs{NhTUeG-d9*H;x0U+7s20-7n^G+K!n&E6m`IH&&)r7QcTg3b2t7EM zrK0)C1r|LCJtCl(B_H&wAdY`$p<Ho36vl@Xo{r27)Me}+!e zOnSHu{iu^L@UlT{pZlP`QCt)JgelFO#%A{h>j0|qQynUiU;m&{)3JUm{RDUJ-Da%g zI7-yo_a*s8H~` z@?gCpHHgQxiq>nKi>{L$7Obv?SH1pBujBOE?W?JAB<4M; zR6|xCY>3shLLy6Q&b;3sLuK2Gg^YyE9PFKAIf2!aCa^ 
z0wZ8o`>}A$rC{$Qd?yan#Cu*PB;0C6FrXNnkBs}J)e&$F2rXVxDVWB>nr9Kb4bT5T zA)gItq9>0~*PKkh*9!tUi?{be$RUiH=MejEKbQZ^+z(N<$9L%K6Big0TwcC$_05Ok z#u*Q&nyS256h^EpT~{Ph8-wy=dTqV!r!=(~$|A>Nr~rB=Hnmruz=ew)auAEg6;unj zYk=!V2zZ_o@o-$jt_&LsjI?#2lz-}Y3`&_l}I;kQ^nhqOIvHrm?Tk7!d?EeM6n_WTx literal 0 HcmV?d00001 From 2a80b08ff35a2c568b7c4dca59f35f11c0440491 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 6 Oct 2022 15:59:55 -0400 Subject: [PATCH 1123/1479] Move "sync-argo-cd" to ops section Moved this page over to the ops section. Also split out the details on upgrade windows and sequencing to a separate page for referencing outside the syncing procedure. --- docs/ops/index.rst | 13 ++++++-- docs/{service-guide => ops}/sync-argo-cd.rst | 34 ++++++++------------ docs/ops/upgrade-windows.rst | 27 ++++++++++++++++ docs/service-guide/deploy-from-a-branch.rst | 2 +- docs/service-guide/index.rst | 1 - docs/service-guide/local-development.rst | 2 +- docs/service-guide/upgrade.rst | 2 +- 7 files changed, 54 insertions(+), 27 deletions(-) rename docs/{service-guide => ops}/sync-argo-cd.rst (63%) create mode 100644 docs/ops/upgrade-windows.rst diff --git a/docs/ops/index.rst b/docs/ops/index.rst index 4694dd50c1..9be56e504f 100644 --- a/docs/ops/index.rst +++ b/docs/ops/index.rst @@ -9,6 +9,12 @@ Operations environments/index +.. toctree:: + :caption: Infrastructure + :maxdepth: 2 + + infrastructure/filestore/index + .. toctree:: :caption: Bootstrapping :maxdepth: 1 @@ -16,10 +22,11 @@ Operations bootstrapping .. toctree:: - :caption: Infrastructure - :maxdepth: 2 + :caption: Procedures + :maxdepth: 1 - infrastructure/filestore/index + upgrade-windows + sync-argo-cd .. toctree:: :caption: Troubleshooting diff --git a/docs/service-guide/sync-argo-cd.rst b/docs/ops/sync-argo-cd.rst similarity index 63% rename from docs/service-guide/sync-argo-cd.rst rename to docs/ops/sync-argo-cd.rst index 0a1b4a5a0b..158453434e 100644 --- a/docs/service-guide/sync-argo-cd.rst 
+++ b/docs/ops/sync-argo-cd.rst 
@@ -1,29 +1,23 @@ -############### -Syncing Argo CD -############### +################################# +Syncing Argo CD in an environment +################################# -Go to Argo CD for the environment -================================= +Phalanx enables environment operators to roll out new and updates services by synchronizing deployed in Kubernetes with the current HEAD of the `phalanx repository`_ using `Argo CD`_. +This page explains the key steps in this process for environment operators. -To access the Argo CD UI, go to the ``/argo-cd`` URL under the domain name of that deployment of the Rubin Science Platform. -See `the Phalanx README `__ for the names of all Phalanx environments and direct links to their Argo CD pages. - -Depending on the environment, you will need to authenticate with either GitHub or with Google OAuth. -You can use the ``admin`` account and password, stored in 1Password for deployments managed by SQuaRE, in case of an emergency. +.. important:: -When deploying an update, it should normally follow this sequence (skipping environments that aren't relevant to that update). + Keep in mind that environments have specific upgrade windows and that application updates should be rolled out to environments in order, to development and integration environments before production environments. + See :doc:`upgrade-windows` for details. -* data-dev.lsst.cloud -* data-int.lsst.cloud -* tucson-teststand.lsst.codes -* data.lsst.cloud -* base-lsp.lsst.codes -* summit-lsp.lsst.codes +Log into Argo CD for the environment +==================================== -Some of these environments have maintenance windows, in which case, in the absence of an emergency, updates should only be synced during the maintenance window. -See `SQR-056`_ for more information. +To access the Argo CD UI, go to the ``/argo-cd`` URL under the domain name of that deployment of the Rubin Science Platform. 
+See :doc:`/ops/environments/index` for a list of Phalanx environments and direct links to their Argo CD pages. -.. _SQR-056: https://sqr-056.lsst.io/ +Depending on the environment, you will need to authenticate with either GitHub, Google OAuth, CILogon, or another OAuth provider as relevant. +You can use the ``admin`` account and password, stored in 1Password for deployments managed by SQuaRE, in case of an emergency. Sync the application ==================== diff --git a/docs/ops/upgrade-windows.rst b/docs/ops/upgrade-windows.rst new file mode 100644 index 0000000000..e23a42b5fb --- /dev/null +++ b/docs/ops/upgrade-windows.rst @@ -0,0 +1,27 @@ +############################ +Upgrade windows and sequence +############################ + +Phalanx provides configurations for multiple environments. +Many of these are production environments that service different user groups. +Other environments are intended for development and integration. + +In general, new and updates services should be rolled out to development and integration environments before production environments. + +Production environments also generally have specific maintenance windows when upgrades can occur. + +SQuaRE environments +=================== + +In the case of environments managed by SQuaRE, the process for gated updates to environments is canonically defined in :sqr:`056`, but also summarized here. + +The sequence for rolling out updatesis: + +* data-dev.lsst.cloud +* data-int.lsst.cloud +* tucson-teststand.lsst.codes +* data.lsst.cloud +* base-lsp.lsst.codes +* summit-lsp.lsst.codes + +See :sqr:`056` for the change coordination and upgrade windows (as relevant) for each environment. diff --git a/docs/service-guide/deploy-from-a-branch.rst b/docs/service-guide/deploy-from-a-branch.rst index 089fd9b94f..1cb6f568c6 100644 --- a/docs/service-guide/deploy-from-a-branch.rst +++ b/docs/service-guide/deploy-from-a-branch.rst 
@@ -183,4 +183,4 @@ Next steps Follow this page, you have iterated on the development of your service and ultimately upgraded that service in a development environment. The next step is to roll out this change to other environments. -For details, see :doc:`sync-argo-cd`. +For details, see :doc:`/ops/sync-argo-cd`. diff --git a/docs/service-guide/index.rst b/docs/service-guide/index.rst index a18bf8678b..ef30a67b58 100644 --- a/docs/service-guide/index.rst +++ b/docs/service-guide/index.rst @@ -29,4 +29,3 @@ Service DevOps upgrade deploy-from-a-branch local-development - sync-argo-cd diff --git a/docs/service-guide/local-development.rst b/docs/service-guide/local-development.rst index 6b1aecb31f..94df50b78b 100644 --- a/docs/service-guide/local-development.rst +++ b/docs/service-guide/local-development.rst @@ -137,4 +137,4 @@ The minikube Argo CD admin password can be retrieved from Vault. VAULT_PATH_PREFIX=`yq -r .vault_path_prefix ../science-platform/values-minikube.yaml` vault kv get --field=argocd.admin.plaintext_password $VAULT_PATH_PREFIX/installer -With Argo CD you can sync your service (see :doc:`sync-argo-cd`). +With Argo CD you can sync your service (see :doc:`/ops/sync-argo-cd`). diff --git a/docs/service-guide/upgrade.rst b/docs/service-guide/upgrade.rst index b73f428ade..e88a85526b 100644 --- a/docs/service-guide/upgrade.rst +++ b/docs/service-guide/upgrade.rst 
@@ -10,4 +10,4 @@ Upgrading a service - If it is a complex application such as ``sasquatch`` that bundles first- and third-party applications, you may need to do both, or indeed descend into the ``charts`` directory and update the ``appVersion`` of the subcharts therein. Tricky cases such as these may require some study before deciding on the best course of action. Once you have updated the service, Argo CD will that the change is pending, but no changes will be applied automatically. -To apply the changes in a given environment, see :doc:`sync-argo-cd`. +To apply the changes in a given environment, see :doc:`/ops/sync-argo-cd`. From 9fc960b1892b787578d338969d0f2dce762eba87 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 6 Oct 2022 16:12:15 -0400 Subject: [PATCH 1124/1479] Move update-pull-secret to ops documentation --- docs/ops/index.rst | 1 + docs/{service-guide => ops}/update-pull-secret.rst | 6 +++--- docs/service-guide/index.rst | 1 - 3 files changed, 4 insertions(+), 4 deletions(-) rename docs/{service-guide => ops}/update-pull-secret.rst (90%) diff --git a/docs/ops/index.rst b/docs/ops/index.rst index 9be56e504f..0d8cdae08d 100644 --- a/docs/ops/index.rst +++ b/docs/ops/index.rst @@ -27,6 +27,7 @@ Operations upgrade-windows sync-argo-cd + update-pull-secret .. toctree:: :caption: Troubleshooting diff --git a/docs/service-guide/update-pull-secret.rst b/docs/ops/update-pull-secret.rst similarity index 90% rename from docs/service-guide/update-pull-secret.rst rename to docs/ops/update-pull-secret.rst index ff063c07d7..6260f2e2f0 100644 --- a/docs/service-guide/update-pull-secret.rst +++ b/docs/ops/update-pull-secret.rst 
@@ -1,6 +1,6 @@ -###################################################### -Updating the pull secret stored in 1Password and Vault -###################################################### +############################################################# +Updating the Docker pull secret stored in 1Password and Vault +############################################################# The pull secret, present in each RSP instance, and shared by many services there, is notoriously tricky to format correctly. diff --git a/docs/service-guide/index.rst b/docs/service-guide/index.rst index ef30a67b58..1fc04b5d68 100644 --- a/docs/service-guide/index.rst +++ b/docs/service-guide/index.rst @@ -19,7 +19,6 @@ Service DevOps add-external-chart add-a-onepassword-secret update-a-onepassword-secret - update-pull-secret .. toctree:: :maxdepth: 2 From 7ee8927eb47eeab2d07077294ff55288cf656086 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 7 Oct 2022 11:30:45 -0400 Subject: [PATCH 1125/1479] Move environments to top-level section --- docs/environments/index.rst | 10 ++++++ docs/index.rst | 36 ++------------------- docs/ops/environments/index.rst | 8 ----- docs/ops/index.rst | 6 ---- docs/ops/sync-argo-cd.rst | 2 +- docs/service-guide/deploy-from-a-branch.rst | 2 +- 6 files changed, 15 insertions(+), 49 deletions(-) create mode 100644 docs/environments/index.rst delete mode 100644 docs/ops/environments/index.rst diff --git a/docs/environments/index.rst b/docs/environments/index.rst new file mode 100644 index 0000000000..0c23a514cd --- /dev/null +++ b/docs/environments/index.rst @@ -0,0 +1,10 @@ +############ +Environments +############ + +Environments are specific Kubernetes clusters deploying Phalanx services. +Each environment can deploy a specific collection of applications, and with specific configurations. + +To learn more about operating a Phalanx environment, see the :doc:`/ops/index` section. + +.. Add a table of environments, possibly linking to their own documentation sets. 
diff --git a/docs/index.rst b/docs/index.rst index a86c8c9266..b47e2259bc 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -13,42 +13,12 @@ Phalanx is on GitHub at https://github.com/lsst-sqre/phalanx. .. [#name] A phalanx is a SQuaRE deployment (Science Quality and Reliability Engineering, the team responsible for the Rubin Science Platform). Phalanx is how we ensure that all of our services work together as a unit. -Overview -======== - -Learn about Phalanx's architecture and technologies. - .. toctree:: - :maxdepth: 2 + :maxdepth: 1 + :hidden: overview/index - -For service developers and maintainers -====================================== - -Learn how to build services — including websites, web APIs, and other cloud-based infrastructure — and integrate them into Phalanx. - -.. toctree:: - :maxdepth: 2 - service-guide/index - -For platform administrators -=========================== - -Learn how to bootstrap and operate a Rubin Science Platform Kubernetes cluster. - -.. toctree:: - :maxdepth: 2 - ops/index - -Services -======== - -Learn about the individual services deployed through Phalanx. - -.. toctree:: - :maxdepth: 2 - services/index + environments/index diff --git a/docs/ops/environments/index.rst b/docs/ops/environments/index.rst deleted file mode 100644 index cac6969f0b..0000000000 --- a/docs/ops/environments/index.rst +++ /dev/null @@ -1,8 +0,0 @@ -#################### -Phalanx environments -#################### - -Environments are specific Kubernetes clusters deploying Phalanx services. -Each environment can deploy a specific collection of services, and with specific configurations. - -.. Add a table of environments, possibly linking to their own documentation sets. diff --git a/docs/ops/index.rst b/docs/ops/index.rst index 0d8cdae08d..b90e5ea483 100644 --- a/docs/ops/index.rst +++ b/docs/ops/index.rst 
@@ -2,12 +2,6 @@ Operations ########## -.. toctree:: - :caption: Environments - :maxdepth: 2 - :titlesonly: - - environments/index .. toctree:: :caption: Infrastructure diff --git a/docs/ops/sync-argo-cd.rst b/docs/ops/sync-argo-cd.rst index 158453434e..04349f3f76 100644 --- a/docs/ops/sync-argo-cd.rst +++ b/docs/ops/sync-argo-cd.rst @@ -14,7 +14,7 @@ Log into Argo CD for the environment ==================================== To access the Argo CD UI, go to the ``/argo-cd`` URL under the domain name of that deployment of the Rubin Science Platform. -See :doc:`/ops/environments/index` for a list of Phalanx environments and direct links to their Argo CD pages. +See :doc:`/environments/index` for a list of Phalanx environments and direct links to their Argo CD pages. Depending on the environment, you will need to authenticate with either GitHub, Google OAuth, CILogon, or another OAuth provider as relevant. You can use the ``admin`` account and password, stored in 1Password for deployments managed by SQuaRE, in case of an emergency. diff --git a/docs/service-guide/deploy-from-a-branch.rst b/docs/service-guide/deploy-from-a-branch.rst index 1cb6f568c6..1e6b3fb1ac 100644 --- a/docs/service-guide/deploy-from-a-branch.rst +++ b/docs/service-guide/deploy-from-a-branch.rst @@ -2,7 +2,7 @@ Deploying from a branch for development ####################################### -When developing services and their :doc:`Helm charts `, it's useful to temporarily deploy from a branch of Phalanx on :doc:`designated development environments ` before merging to Phalanx's default branch. +When developing services and their :doc:`Helm charts `, it's useful to temporarily deploy from a branch of Phalanx on :doc:`designated development environments ` before merging to Phalanx's default branch. Some use cases include: From be923b775934688268cccea0b8b4f6831bf1e9b8 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Fri, 7 Oct 2022 12:25:23 -0400 Subject: [PATCH 1126/1479] Update the section names These are the section names, and corresponding directories, that SQuaRE settled on 2022-10-06: - About - Developers - Administrators - Applications (changed from Services) --- .../{overview => about}/contributing-docs.rst | 2 +- docs/about/index.rst | 22 +++++++++++ docs/{overview => about}/introduction.rst | 6 +-- .../precommit-and-helm-docs.rst | 0 docs/{overview => about}/repository.rst | 10 ++--- docs/{overview => about}/secrets.rst | 4 +- docs/{ops => admin}/bootstrapping.rst | 12 +++--- docs/{ops => admin}/index.rst | 7 ++-- .../infrastructure/filestore/index.rst | 0 .../filestore/privileged-access.rst | 0 docs/{ops => admin}/sync-argo-cd.rst | 0 docs/{ops => admin}/troubleshooting.rst | 12 +++--- docs/{ops => admin}/update-pull-secret.rst | 0 docs/{ops => admin}/upgrade-windows.rst | 0 .../argo-cd/authentication.rst | 0 .../argo-cd/index.rst | 0 .../argo-cd/upgrading.rst | 0 .../cachemachine/index.rst | 0 .../cachemachine/pruning.rst | 0 .../cachemachine/updating-recommended.rst | 0 .../cert-manager/bootstrapping.rst | 0 .../cert-manager/index.rst | 0 .../cert-manager/route53-setup.rst | 0 .../gafaelfawr/debugging.rst | 0 .../gafaelfawr/github-oauth.png | Bin .../gafaelfawr/github-organizations.rst | 0 .../gafaelfawr/index.rst | 0 .../gafaelfawr/recreate-token.rst | 0 .../gafaelfawr/storage.rst | 0 docs/applications/index.rst | 29 ++++++++++++++ .../ingress-nginx/certificates.rst | 0 .../ingress-nginx/index.rst | 0 .../mobu/configuring.rst | 0 .../{services => applications}/mobu/index.rst | 0 .../mobu/manage-flocks.rst | 0 .../nublado2/database.rst | 0 .../nublado2/index.rst | 0 .../postgres/add-database.rst | 0 .../postgres/index.rst | 0 .../postgres/recreate-pvc.rst | 0 docs/{services => applications}/tap/index.rst | 0 .../tap/notebook-tap.py | 0 .../tap/portal-tap.py | 0 .../tap/update-tap-schema.rst | 0 .../vault-secrets-operator/index.rst | 0 
.../add-a-onepassword-secret.rst | 2 +- .../add-external-chart.rst | 0 .../add-service.rst | 0 .../application-edit-button.jpg | Bin .../application-revision-edit.jpg | Bin .../argocd-application.jpg | Bin .../create-service.rst | 0 .../deploy-from-a-branch.rst | 4 +- docs/developers/index.rst | 36 ++++++++++++++++++ .../local-development.rst | 4 +- .../restart-deployment.png | Bin .../service-chart-architecture.rst | 0 .../sync-button.jpg | Bin .../update-a-onepassword-secret.rst | 2 +- .../{service-guide => developers}/upgrade.rst | 2 +- docs/environments/index.rst | 2 +- docs/index.rst | 22 +++++------ docs/overview/index.rst | 22 ----------- docs/service-guide/index.rst | 30 --------------- docs/services/index.rst | 23 ----------- 65 files changed, 133 insertions(+), 120 deletions(-) rename docs/{overview => about}/contributing-docs.rst (96%) create mode 100644 docs/about/index.rst rename docs/{overview => about}/introduction.rst (95%) rename docs/{overview => about}/precommit-and-helm-docs.rst (100%) rename docs/{overview => about}/repository.rst (91%) rename docs/{overview => about}/secrets.rst (95%) rename docs/{ops => admin}/bootstrapping.rst (94%) rename docs/{ops => admin}/index.rst (62%) rename docs/{ops => admin}/infrastructure/filestore/index.rst (100%) rename docs/{ops => admin}/infrastructure/filestore/privileged-access.rst (100%) rename docs/{ops => admin}/sync-argo-cd.rst (100%) rename docs/{ops => admin}/troubleshooting.rst (96%) rename docs/{ops => admin}/update-pull-secret.rst (100%) rename docs/{ops => admin}/upgrade-windows.rst (100%) rename docs/{services => applications}/argo-cd/authentication.rst (100%) rename docs/{services => applications}/argo-cd/index.rst (100%) rename docs/{services => applications}/argo-cd/upgrading.rst (100%) rename docs/{services => applications}/cachemachine/index.rst (100%) rename docs/{services => applications}/cachemachine/pruning.rst (100%) rename docs/{services => 
applications}/cachemachine/updating-recommended.rst (100%) rename docs/{services => applications}/cert-manager/bootstrapping.rst (100%) rename docs/{services => applications}/cert-manager/index.rst (100%) rename docs/{services => applications}/cert-manager/route53-setup.rst (100%) rename docs/{services => applications}/gafaelfawr/debugging.rst (100%) rename docs/{services => applications}/gafaelfawr/github-oauth.png (100%) rename docs/{services => applications}/gafaelfawr/github-organizations.rst (100%) rename docs/{services => applications}/gafaelfawr/index.rst (100%) rename docs/{services => applications}/gafaelfawr/recreate-token.rst (100%) rename docs/{services => applications}/gafaelfawr/storage.rst (100%) create mode 100644 docs/applications/index.rst rename docs/{services => applications}/ingress-nginx/certificates.rst (100%) rename docs/{services => applications}/ingress-nginx/index.rst (100%) rename docs/{services => applications}/mobu/configuring.rst (100%) rename docs/{services => applications}/mobu/index.rst (100%) rename docs/{services => applications}/mobu/manage-flocks.rst (100%) rename docs/{services => applications}/nublado2/database.rst (100%) rename docs/{services => applications}/nublado2/index.rst (100%) rename docs/{services => applications}/postgres/add-database.rst (100%) rename docs/{services => applications}/postgres/index.rst (100%) rename docs/{services => applications}/postgres/recreate-pvc.rst (100%) rename docs/{services => applications}/tap/index.rst (100%) rename docs/{services => applications}/tap/notebook-tap.py (100%) rename docs/{services => applications}/tap/portal-tap.py (100%) rename docs/{services => applications}/tap/update-tap-schema.rst (100%) rename docs/{services => applications}/vault-secrets-operator/index.rst (100%) rename docs/{service-guide => developers}/add-a-onepassword-secret.rst (98%) rename docs/{service-guide => developers}/add-external-chart.rst (100%) rename docs/{service-guide => 
developers}/add-service.rst (100%) rename docs/{service-guide => developers}/application-edit-button.jpg (100%) rename docs/{service-guide => developers}/application-revision-edit.jpg (100%) rename docs/{service-guide => developers}/argocd-application.jpg (100%) rename docs/{service-guide => developers}/create-service.rst (100%) rename docs/{service-guide => developers}/deploy-from-a-branch.rst (96%) create mode 100644 docs/developers/index.rst rename docs/{service-guide => developers}/local-development.rst (97%) rename docs/{service-guide => developers}/restart-deployment.png (100%) rename docs/{service-guide => developers}/service-chart-architecture.rst (100%) rename docs/{service-guide => developers}/sync-button.jpg (100%) rename docs/{service-guide => developers}/update-a-onepassword-secret.rst (96%) rename docs/{service-guide => developers}/upgrade.rst (94%) delete mode 100644 docs/overview/index.rst delete mode 100644 docs/service-guide/index.rst delete mode 100644 docs/services/index.rst diff --git a/docs/overview/contributing-docs.rst b/docs/about/contributing-docs.rst similarity index 96% rename from docs/overview/contributing-docs.rst rename to docs/about/contributing-docs.rst index 154c51ae20..5bf762c3d3 100644 --- a/docs/overview/contributing-docs.rst +++ b/docs/about/contributing-docs.rst @@ -2,7 +2,7 @@ Contributing to the documentation ################################# -This documentation is a Sphinx_ project hosted out of the ``doc`` of the phalanx repository on GitHub. +This documentation is a Sphinx_ project hosted out of the ``docs`` directory of the `phalanx repository`_ on GitHub. You can contribute to this documentation by editing the source files in a clone of this repository and submitting a pull request on GitHub. This page provides the basic steps. diff --git a/docs/about/index.rst b/docs/about/index.rst new file mode 100644 index 0000000000..4457544e45 --- /dev/null +++ b/docs/about/index.rst 
@@ -0,0 +1,22 @@ +##### +About +##### + +This section helps you understand the crucial concepts behind Phalanx, and how to work with and contribute to the `phalanx repository`_. + +After you have reviewed this documentation, see the :doc:`/developers/index` section to develop and deploy applications, or the :doc:`/admin/index` section to operate a Kubernetes cluster with Phalanx applications. + +.. toctree:: + :maxdepth: 1 + :caption: Design + + introduction + repository + secrets + +.. toctree:: + :maxdepth: 1 + :caption: Contributing + + precommit-and-helm-docs + contributing-docs diff --git a/docs/overview/introduction.rst b/docs/about/introduction.rst similarity index 95% rename from docs/overview/introduction.rst rename to docs/about/introduction.rst index d150fc8f89..671a0d129c 100644 --- a/docs/overview/introduction.rst +++ b/docs/about/introduction.rst @@ -28,7 +28,7 @@ For service developers, the main interface for defining how a service runs is th Deployments are made available to the network by defining a Service_. An Ingress_ resource publishes that Service to the internet and defines what authentication and authorization is needed. - You can `learn more about Kubernetes from its documentation `_, and also in Phalanx's :doc:`documentation on creating services `. + You can `learn more about Kubernetes from its documentation `_, and also in Phalanx's :doc:`documentation on creating application `. Environments are specific Kubernetes clusters --------------------------------------------- 
@@ -116,5 +116,5 @@ For more introductory topics, see the :doc:`index` overview topics. Start working with Phalanx: -- If you are a service developer looking to integrate your service into Phalanx, see the :doc:`Service maintainer's guide ` to get started. -- If you are an operator looking to create a new environment or operate an existing one, see the :doc:`Operator's guide ` +- If you are an application developer looking to integrate your service into Phalanx, see the :doc:`/developers/index` section to get started. +- If you are an administrator looking to create a new environment or operate an existing one, see the :doc:`/admin/index` section. diff --git a/docs/overview/precommit-and-helm-docs.rst b/docs/about/precommit-and-helm-docs.rst similarity index 100% rename from docs/overview/precommit-and-helm-docs.rst rename to docs/about/precommit-and-helm-docs.rst diff --git a/docs/overview/repository.rst b/docs/about/repository.rst similarity index 91% rename from docs/overview/repository.rst rename to docs/about/repository.rst index 823d94b326..e43b60fe6c 100644 --- a/docs/overview/repository.rst +++ b/docs/about/repository.rst @@ -76,7 +76,7 @@ starters directory :bdg-link-primary-line:`Browse /docs/ on GitHub ` This directory contains templates for contributing new services to Phalanx. -See :doc:`/service-guide/add-service`. +See :doc:`/developers/add-service`. Branches ======== 
@@ -87,10 +87,10 @@ This default branch is considered the source of truth for full synchronized phal .. [#1] This branch will be renamed to ``main`` in the near future. Updates to Phalanx are introduced as pull requests on GitHub. -Repository members create branches directly on the https://github.com/lsst-sqre/phalanx origin (see the `Data Management workflow guide `__, while external collaborators should fork Phalanx and provide pull requests. +Repository members create branches directly on the https://github.com/lsst-sqre/phalanx origin (see the `Data Management workflow guide`_, while external collaborators should fork Phalanx and provide pull requests. It is possible (particularly in non-production environments) to deploy from branches of Phalanx, which is useful for debugging new and updating services before updating the ``master`` branch. -You can learn how to do this in :doc:`/service-guide/deploy-from-a-branch`. +You can learn how to do this in :doc:`/developers/deploy-from-a-branch`. Test and formatting infrastructure ================================== @@ -114,5 +114,5 @@ Next steps Start working with Phalanx: -- If you are a service developer looking to integrate your service into Phalanx, see the :doc:`Service maintainer's guide ` to get started. -- If you are an operator looking to create a new environment or operate an existing one, see the :doc:`Operator's guide ` +- If you are an application developer looking to integrate your service into Phalanx, see the :doc:`/developers/index` section to get started. +- If you are an administrator looking to create a new environment or operate an existing one, see the :doc:`/admin/index` section. diff --git a/docs/overview/secrets.rst b/docs/about/secrets.rst similarity index 95% rename from docs/overview/secrets.rst rename to docs/about/secrets.rst index b4ab93760a..45004b854a 100644 --- a/docs/overview/secrets.rst +++ b/docs/about/secrets.rst 
@@ -46,5 +46,5 @@ These 1Password objects are used by the `generate_secrets.py script `__ uses the ``onepassword_uuid`` setting in `/science-platform/values.yaml `__ to locate the appropriate 1Password vault. -For a step-by-step guide on adding a 1Password-based secret, see :doc:`/service-guide/add-a-onepassword-secret`. -For updating an existing 1Password-based secret, see :doc:`/service-guide/update-a-onepassword-secret`. +For a step-by-step guide on adding a 1Password-based secret, see :doc:`/developers/add-a-onepassword-secret`. +For updating an existing 1Password-based secret, see :doc:`/developers/update-a-onepassword-secret`. diff --git a/docs/ops/bootstrapping.rst b/docs/admin/bootstrapping.rst similarity index 94% rename from docs/ops/bootstrapping.rst rename to docs/admin/bootstrapping.rst index db8cbfe5e6..9e025b08b4 100644 --- a/docs/ops/bootstrapping.rst +++ b/docs/admin/bootstrapping.rst @@ -37,7 +37,7 @@ Checklist If you are using a cloud provider or something like minikube where the IP address is not yet known, then you will need to create that record once the top-level ingress is created and has an external IP address. The first time you set up the RSP for a given domain (note: *not* hostname, but *domain*, so if you were setting up ``dev.my-rsp.net`` and ``prod.my-rsp.net``, ``dev`` first, you would only need to do this when you created ``dev``), if you are using Let's Encrypt for certificate management (which we highly recommend), you will need to create glue records to enable Let's Encrypt to manage TLS for the domain. - See :doc:`/services/cert-manager/route53-setup` for more details. + See :doc:`/applications/cert-manager/route53-setup` for more details. #. For each enabled service, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__. Customization will vary from service to service. 
@@ -67,13 +67,13 @@ There are supported two mechanisms to configure that TLS certificate: #. Purchase a commercial certificate and configure it as the ingress-nginx default certificate. Do not add TLS configuration to any of the service ingresses. - For more information, see :doc:`/services/ingress-nginx/certificates`. + For more information, see :doc:`/applications/ingress-nginx/certificates`. With this approach, the certificate will have to be manually renewed and replaced once per year. #. Configure Let's Encrypt to obtain a certificate via the DNS solver. Once this is configured, TLS will be handled automatically without further human intervention. However, this approach is far more complex to set up and has some significant prerequisites. - For more information, see :doc:`/services/cert-manager/bootstrapping`. + For more information, see :doc:`/applications/cert-manager/bootstrapping`. To use the second approach, you must have the following: @@ -111,9 +111,9 @@ The corresponding group for Gafaelfawr purposes will be ``-` That means the team name will be converted to lowercase and spaces will be replaced with dashes, and other transformations will be done for special characters. For more information about how Gafaelfawr constructs groups from GitHub teams, see `the Gafaelfawr documentation `__. -For an example of a ``group_mapping`` configuration for GitHub authentication, see `/services/gafaelfawr/values-idfdev.yaml `__. +For an example of a ``group_mapping`` configuration for GitHub authentication, see `/applications/gafaelfawr/values-idfdev.yaml `__. -If you run into authentication problems, see :doc:`the Gafaelfawr operational documentation ` for debugging instructions. +If you run into authentication problems, see :doc:`the Gafaelfawr operational documentation ` for debugging instructions. Nublado 2 --------- 
@@ -168,7 +168,7 @@ Because each ingress uses the same hostname, the NGINX ingress will merge all of Were TLS defined on more than one ingress, only one of those TLS configurations would be used, but which one is chosen is somewhat random. Therefore, we designate a single service to hold the configuration to avoid any confusion from unused configurations. -This means adding something like the following to ``values-.yaml`` in `/services/squareone `__: +This means adding something like the following to ``values-.yaml`` in `/applications/squareone `__: .. code-block:: yaml diff --git a/docs/ops/index.rst b/docs/admin/index.rst similarity index 62% rename from docs/ops/index.rst rename to docs/admin/index.rst index b90e5ea483..175939017f 100644 --- a/docs/ops/index.rst +++ b/docs/admin/index.rst @@ -1,7 +1,8 @@ -########## -Operations -########## +############## +Administrators +############## +Administrators operate infrastructure, bootstrap infrastructure, and are involved in the deployment, configuration, and Argo CD synchronization of applications. .. toctree:: :caption: Infrastructure diff --git a/docs/ops/infrastructure/filestore/index.rst b/docs/admin/infrastructure/filestore/index.rst similarity index 100% rename from docs/ops/infrastructure/filestore/index.rst rename to docs/admin/infrastructure/filestore/index.rst diff --git a/docs/ops/infrastructure/filestore/privileged-access.rst b/docs/admin/infrastructure/filestore/privileged-access.rst similarity index 100% rename from docs/ops/infrastructure/filestore/privileged-access.rst rename to docs/admin/infrastructure/filestore/privileged-access.rst diff --git a/docs/ops/sync-argo-cd.rst b/docs/admin/sync-argo-cd.rst similarity index 100% rename from docs/ops/sync-argo-cd.rst rename to docs/admin/sync-argo-cd.rst 
diff --git a/docs/ops/troubleshooting.rst b/docs/admin/troubleshooting.rst similarity index 96% rename from docs/ops/troubleshooting.rst rename to docs/admin/troubleshooting.rst index af8c6a7b73..576390db02 100644 --- a/docs/ops/troubleshooting.rst +++ b/docs/admin/troubleshooting.rst @@ -16,7 +16,7 @@ If the pod is already running, it gets I/O errors from its database, hangs, or o If the backing store is corrupt or has been deleted or otherwise is disrupted, sometimes the ``PersistentVolume`` will become unavailable, but the ``PersistentVolumeClaim`` will hang on to it and keep trying to futilely mount it. When this happens, you may need to recreate the persistent volume. -**Solution:** :doc:`/services/postgres/recreate-pvc` +**Solution:** :doc:`/applications/postgres/recreate-pvc` Spawner menu missing images, cachemachine stuck pulling the same image ====================================================================== @@ -35,7 +35,7 @@ The most common cause of this problem is a Kubernetes limitation. By default, the Kubernetes list node API only returns the "first" (which usually means oldest) 50 cached images. If more than 50 images are cached, images may go missing from that list even though they are cached, leading cachemachine to think they aren't cached and omitting them from the spawner menu. -**Solution:** :doc:`/services/cachemachine/pruning` +**Solution:** :doc:`/applications/cachemachine/pruning` If this doesn't work, another possibility is that there is a node that cachemachine thinks is available for JupyterLab images but which is not eligible for its ``DaemonSet``. This would be a bug in cachemachine, which should ignore cordoned nodes, but it's possible there is a new iteration of node state or a new rule for where ``DaemonSets`` are allowed to run that it does not know about. 
@@ -60,14 +60,14 @@ Spawning a notebook fails with a pending error In this case, JupyterHub may not recover without assistance. You may need to delete the record for the affected user, and also make sure the user's lab namespace (visible in Argo CD under the ``nublado-users`` application) has been deleted. -**Solution:** :doc:`/services/nublado2/database` +**Solution:** :doc:`/applications/nublado2/database` User gets permission denied from services ========================================= **Symptoms:** A user is able to authenticate to the Rubin Science Platform (prompted by going to the first authenticated URL, such as the Notebook Aspect spawner page), but then gets permission denied from other services. -**Causes:** Authentication and authorization to the Rubin Science Platform is done via a service called Gafaelfawr (see :doc:`/services//gafaelfawr/index`). +**Causes:** Authentication and authorization to the Rubin Science Platform is done via a service called Gafaelfawr (see :doc:`/applications/gafaelfawr/index`). After the user authenticates, Gafaelfawr asks their authentication provider for the user's group memberships and then translates that to a list of scopes. The mapping of group memberships to scopes is defined in the ``values.yaml`` file for Gafaelfawr for the relevant environment, in the ``gafaelfawr.config.groupMapping`` configuration option. @@ -75,7 +75,7 @@ The most likely cause of this problem is that the user is not a member of a grou Gafaelfawr will prevent the user from logging in at all if they are not a member of any group that grants access to a service. If they are a member of at least one group, they'll be able to log in but may get permission denied errors from other services. -**Solution:** :doc:`/services/gafaelfawr/debugging` +**Solution:** :doc:`/applications/gafaelfawr/debugging` You need privileged access to the filestore =========================================== 
@@ -95,7 +95,7 @@ User pods don't spawn, reporting "permission denied" from Moneypenny **Cause:** The ``gafaelfawr-token`` VaultSecret in the ``nublado2`` namespace is out of date. This happened because the ``gafaelfawr-redis`` pod restarted and either it lacked persistent storage (at the T&S sites, as of July 2022), or because that storage had been lost. -**Solution:** :doc:`/services/gafaelfawr/recreate-token` +**Solution:** :doc:`/applications/gafaelfawr/recreate-token` Login fails with "bad verification code" error ============================================== diff --git a/docs/ops/update-pull-secret.rst b/docs/admin/update-pull-secret.rst similarity index 100% rename from docs/ops/update-pull-secret.rst rename to docs/admin/update-pull-secret.rst diff --git a/docs/ops/upgrade-windows.rst b/docs/admin/upgrade-windows.rst similarity index 100% rename from docs/ops/upgrade-windows.rst rename to docs/admin/upgrade-windows.rst diff --git a/docs/services/argo-cd/authentication.rst b/docs/applications/argo-cd/authentication.rst similarity index 100% rename from docs/services/argo-cd/authentication.rst rename to docs/applications/argo-cd/authentication.rst diff --git a/docs/services/argo-cd/index.rst b/docs/applications/argo-cd/index.rst similarity index 100% rename from docs/services/argo-cd/index.rst rename to docs/applications/argo-cd/index.rst diff --git a/docs/services/argo-cd/upgrading.rst b/docs/applications/argo-cd/upgrading.rst similarity index 100% rename from docs/services/argo-cd/upgrading.rst rename to docs/applications/argo-cd/upgrading.rst diff --git a/docs/services/cachemachine/index.rst b/docs/applications/cachemachine/index.rst similarity index 100% rename from docs/services/cachemachine/index.rst rename to docs/applications/cachemachine/index.rst 
diff --git a/docs/services/cachemachine/pruning.rst b/docs/applications/cachemachine/pruning.rst
similarity index 100%
rename from docs/services/cachemachine/pruning.rst
rename to docs/applications/cachemachine/pruning.rst
diff --git a/docs/services/cachemachine/updating-recommended.rst b/docs/applications/cachemachine/updating-recommended.rst
similarity index 100%
rename from docs/services/cachemachine/updating-recommended.rst
rename to docs/applications/cachemachine/updating-recommended.rst
diff --git a/docs/services/cert-manager/bootstrapping.rst b/docs/applications/cert-manager/bootstrapping.rst
similarity index 100%
rename from docs/services/cert-manager/bootstrapping.rst
rename to docs/applications/cert-manager/bootstrapping.rst
diff --git a/docs/services/cert-manager/index.rst b/docs/applications/cert-manager/index.rst
similarity index 100%
rename from docs/services/cert-manager/index.rst
rename to docs/applications/cert-manager/index.rst
diff --git a/docs/services/cert-manager/route53-setup.rst b/docs/applications/cert-manager/route53-setup.rst
similarity index 100%
rename from docs/services/cert-manager/route53-setup.rst
rename to docs/applications/cert-manager/route53-setup.rst
diff --git a/docs/services/gafaelfawr/debugging.rst b/docs/applications/gafaelfawr/debugging.rst
similarity index 100%
rename from docs/services/gafaelfawr/debugging.rst
rename to docs/applications/gafaelfawr/debugging.rst
diff --git a/docs/services/gafaelfawr/github-oauth.png b/docs/applications/gafaelfawr/github-oauth.png
similarity index 100%
rename from docs/services/gafaelfawr/github-oauth.png
rename to docs/applications/gafaelfawr/github-oauth.png
diff --git a/docs/services/gafaelfawr/github-organizations.rst b/docs/applications/gafaelfawr/github-organizations.rst
similarity index 100%
rename from docs/services/gafaelfawr/github-organizations.rst
rename to docs/applications/gafaelfawr/github-organizations.rst
diff --git a/docs/services/gafaelfawr/index.rst b/docs/applications/gafaelfawr/index.rst similarity index 100% rename from docs/services/gafaelfawr/index.rst rename to docs/applications/gafaelfawr/index.rst diff --git a/docs/services/gafaelfawr/recreate-token.rst b/docs/applications/gafaelfawr/recreate-token.rst similarity index 100% rename from docs/services/gafaelfawr/recreate-token.rst rename to docs/applications/gafaelfawr/recreate-token.rst diff --git a/docs/services/gafaelfawr/storage.rst b/docs/applications/gafaelfawr/storage.rst similarity index 100% rename from docs/services/gafaelfawr/storage.rst rename to docs/applications/gafaelfawr/storage.rst diff --git a/docs/applications/index.rst b/docs/applications/index.rst new file mode 100644 index 0000000000..d2adca0116 --- /dev/null +++ b/docs/applications/index.rst @@ -0,0 +1,29 @@ +############ +Applications +############ + +Applications are individual *atomic* services that are configured and deployed through Phalanx. +Each environment can opt whether to deploy an application, and also customize the configuration of the application. +This section of the documentation describes each Phalanx application. + +To learn how to develop applications for Phalanx, see the :doc:`/developers/index` section. + +.. toctree:: + :maxdepth: 1 + :caption: Cluster infrastructure + + argo-cd/index + cert-manager/index + ingress-nginx/index + gafaelfawr/index + postgres/index + vault-secrets-operator/index + +.. toctree:: + :maxdepth: 1 + :caption: Rubin Science Platform + + cachemachine/index + mobu/index + nublado2/index + tap/index diff --git a/docs/services/ingress-nginx/certificates.rst b/docs/applications/ingress-nginx/certificates.rst similarity index 100% rename from docs/services/ingress-nginx/certificates.rst rename to docs/applications/ingress-nginx/certificates.rst 
diff --git a/docs/services/ingress-nginx/index.rst b/docs/applications/ingress-nginx/index.rst
similarity index 100%
rename from docs/services/ingress-nginx/index.rst
rename to docs/applications/ingress-nginx/index.rst
diff --git a/docs/services/mobu/configuring.rst b/docs/applications/mobu/configuring.rst
similarity index 100%
rename from docs/services/mobu/configuring.rst
rename to docs/applications/mobu/configuring.rst
diff --git a/docs/services/mobu/index.rst b/docs/applications/mobu/index.rst
similarity index 100%
rename from docs/services/mobu/index.rst
rename to docs/applications/mobu/index.rst
diff --git a/docs/services/mobu/manage-flocks.rst b/docs/applications/mobu/manage-flocks.rst
similarity index 100%
rename from docs/services/mobu/manage-flocks.rst
rename to docs/applications/mobu/manage-flocks.rst
diff --git a/docs/services/nublado2/database.rst b/docs/applications/nublado2/database.rst
similarity index 100%
rename from docs/services/nublado2/database.rst
rename to docs/applications/nublado2/database.rst
diff --git a/docs/services/nublado2/index.rst b/docs/applications/nublado2/index.rst
similarity index 100%
rename from docs/services/nublado2/index.rst
rename to docs/applications/nublado2/index.rst
diff --git a/docs/services/postgres/add-database.rst b/docs/applications/postgres/add-database.rst
similarity index 100%
rename from docs/services/postgres/add-database.rst
rename to docs/applications/postgres/add-database.rst
diff --git a/docs/services/postgres/index.rst b/docs/applications/postgres/index.rst
similarity index 100%
rename from docs/services/postgres/index.rst
rename to docs/applications/postgres/index.rst
diff --git a/docs/services/postgres/recreate-pvc.rst b/docs/applications/postgres/recreate-pvc.rst
similarity index 100%
rename from docs/services/postgres/recreate-pvc.rst
rename to docs/applications/postgres/recreate-pvc.rst
diff --git a/docs/services/tap/index.rst b/docs/applications/tap/index.rst
similarity index 100%
rename from docs/services/tap/index.rst
rename to docs/applications/tap/index.rst
diff --git a/docs/services/tap/notebook-tap.py b/docs/applications/tap/notebook-tap.py
similarity index 100%
rename from docs/services/tap/notebook-tap.py
rename to docs/applications/tap/notebook-tap.py
diff --git a/docs/services/tap/portal-tap.py b/docs/applications/tap/portal-tap.py
similarity index 100%
rename from docs/services/tap/portal-tap.py
rename to docs/applications/tap/portal-tap.py
diff --git a/docs/services/tap/update-tap-schema.rst b/docs/applications/tap/update-tap-schema.rst
similarity index 100%
rename from docs/services/tap/update-tap-schema.rst
rename to docs/applications/tap/update-tap-schema.rst
diff --git a/docs/services/vault-secrets-operator/index.rst b/docs/applications/vault-secrets-operator/index.rst
similarity index 100%
rename from docs/services/vault-secrets-operator/index.rst
rename to docs/applications/vault-secrets-operator/index.rst
diff --git a/docs/service-guide/add-a-onepassword-secret.rst b/docs/developers/add-a-onepassword-secret.rst
similarity index 98%
rename from docs/service-guide/add-a-onepassword-secret.rst
rename to docs/developers/add-a-onepassword-secret.rst
index f56c59a431..4df166289d 100644
--- a/docs/service-guide/add-a-onepassword-secret.rst
+++ b/docs/developers/add-a-onepassword-secret.rst
@@ -15,7 +15,7 @@ This page provides steps for adding a service secret through 1Password. .. note:: This document only covers creating a 1Password-backed Secret for the first time for a service. - If you want to update a Secret, either by adding new 1Password secrets or by changing their secret values, you should follow the instructions in :doc:`/service-guide/update-a-onepassword-secret`. + If you want to update a Secret, either by adding new 1Password secrets or by changing their secret values, you should follow the instructions in :doc:`/developers/update-a-onepassword-secret`. Part 1. Open the 1Password vault ================================ diff --git a/docs/service-guide/add-external-chart.rst b/docs/developers/add-external-chart.rst similarity index 100% rename from docs/service-guide/add-external-chart.rst rename to docs/developers/add-external-chart.rst diff --git a/docs/service-guide/add-service.rst b/docs/developers/add-service.rst similarity index 100% rename from docs/service-guide/add-service.rst rename to docs/developers/add-service.rst diff --git a/docs/service-guide/application-edit-button.jpg b/docs/developers/application-edit-button.jpg similarity index 100% rename from docs/service-guide/application-edit-button.jpg rename to docs/developers/application-edit-button.jpg diff --git a/docs/service-guide/application-revision-edit.jpg b/docs/developers/application-revision-edit.jpg similarity index 100% rename from docs/service-guide/application-revision-edit.jpg rename to docs/developers/application-revision-edit.jpg diff --git a/docs/service-guide/argocd-application.jpg b/docs/developers/argocd-application.jpg similarity index 100% rename from docs/service-guide/argocd-application.jpg rename to docs/developers/argocd-application.jpg diff --git a/docs/service-guide/create-service.rst b/docs/developers/create-service.rst similarity index 100% rename from docs/service-guide/create-service.rst rename to docs/developers/create-service.rst 
diff --git a/docs/service-guide/deploy-from-a-branch.rst b/docs/developers/deploy-from-a-branch.rst similarity index 96% rename from docs/service-guide/deploy-from-a-branch.rst rename to docs/developers/deploy-from-a-branch.rst index 1e6b3fb1ac..864392e24c 100644 --- a/docs/service-guide/deploy-from-a-branch.rst +++ b/docs/developers/deploy-from-a-branch.rst @@ -2,7 +2,7 @@ Deploying from a branch for development ####################################### -When developing services and their :doc:`Helm charts `, it's useful to temporarily deploy from a branch of Phalanx on :doc:`designated development environments ` before merging to Phalanx's default branch. +When developing services and their :doc:`Helm charts `, it's useful to temporarily deploy from a branch of Phalanx on :doc:`designated development environments ` before merging to Phalanx's default branch. Some use cases include: @@ -183,4 +183,4 @@ Next steps Follow this page, you have iterated on the development of your service and ultimately upgraded that service in a development environment. The next step is to roll out this change to other environments. -For details, see :doc:`/ops/sync-argo-cd`. +This activity is normally done by the administrators for each environment, see :doc:`/admin/sync-argo-cd`. diff --git a/docs/developers/index.rst b/docs/developers/index.rst new file mode 100644 index 0000000000..3c8bf0c10a --- /dev/null +++ b/docs/developers/index.rst 
@@ -0,0 +1,36 @@ +########## +Developers +########## + +Developers can deploy their applications on Rubin's Kubernetes environments, such as the Rubin Science Platform, by integrating their service with Phalanx. +In this section of the Phalanx documentation you can learn how to build and integrate your service with Phalanx, and how to test your service's deployment in development Phalanx environments. + +For background on Phalanx and how to contribute to the Phalanx repository itself, see the :doc:`/about/index` section. +Individual services are documented in :doc:`/applications/index` section. + +.. toctree:: + :maxdepth: 2 + :titlesonly: + :caption: Build + + create-service + +.. toctree:: + :maxdepth: 2 + :titlesonly: + :caption: Integration + + service-chart-architecture + add-service + add-external-chart + add-a-onepassword-secret + update-a-onepassword-secret + +.. toctree:: + :maxdepth: 2 + :titlesonly: + :caption: Deploy & maintain + + upgrade + deploy-from-a-branch + local-development diff --git a/docs/service-guide/local-development.rst b/docs/developers/local-development.rst similarity index 97% rename from docs/service-guide/local-development.rst rename to docs/developers/local-development.rst index 94df50b78b..e5aa4aa1cd 100644 --- a/docs/service-guide/local-development.rst +++ b/docs/developers/local-development.rst @@ -78,7 +78,7 @@ Lastly, set the environment variables for Vault access: The Vault read key for minikube is accessible from the ``vault_keys_json`` item in the LSST IT/RSP-Vault 1Password Vault. The key itself is under the ``k8s_operator/minikube.lsst.codes`` → ``read`` → ``id`` field. If you do not have Vault access, ask SQuaRE for the minikube Vault read key. -See also :doc:`/overview/secrets`. +See also :doc:`/about/secrets`. Set up a Phalanx branch for your local minikube deployment ---------------------------------------------------------- 
@@ -137,4 +137,4 @@ The minikube Argo CD admin password can be retrieved from Vault. VAULT_PATH_PREFIX=`yq -r .vault_path_prefix ../science-platform/values-minikube.yaml` vault kv get --field=argocd.admin.plaintext_password $VAULT_PATH_PREFIX/installer -With Argo CD you can sync your service (see :doc:`/ops/sync-argo-cd`). +With Argo CD you can sync your service (see :doc:`/admin/sync-argo-cd`). diff --git a/docs/service-guide/restart-deployment.png b/docs/developers/restart-deployment.png similarity index 100% rename from docs/service-guide/restart-deployment.png rename to docs/developers/restart-deployment.png diff --git a/docs/service-guide/service-chart-architecture.rst b/docs/developers/service-chart-architecture.rst similarity index 100% rename from docs/service-guide/service-chart-architecture.rst rename to docs/developers/service-chart-architecture.rst diff --git a/docs/service-guide/sync-button.jpg b/docs/developers/sync-button.jpg similarity index 100% rename from docs/service-guide/sync-button.jpg rename to docs/developers/sync-button.jpg diff --git a/docs/service-guide/update-a-onepassword-secret.rst b/docs/developers/update-a-onepassword-secret.rst similarity index 96% rename from docs/service-guide/update-a-onepassword-secret.rst rename to docs/developers/update-a-onepassword-secret.rst index e18eb46688..d116d0f0ca 100644 --- a/docs/service-guide/update-a-onepassword-secret.rst +++ b/docs/developers/update-a-onepassword-secret.rst @@ -16,7 +16,7 @@ This reconciliation process can also take a bit of time; the net result is that So, if you want to make any changes to a ``VaultSecret``'s data, you'll need to: 1. Make the changes in 1Password -2. Run the `installer/update_secrets.sh `__ script, as described in :doc:`/service-guide/add-a-onepassword-secret`. +2. Run the `installer/update_secrets.sh `__ script, as described in :doc:`add-a-onepassword-secret`. 3. Wait a few minutes for automatic reconciliation 
diff --git a/docs/service-guide/upgrade.rst b/docs/developers/upgrade.rst similarity index 94% rename from docs/service-guide/upgrade.rst rename to docs/developers/upgrade.rst index e88a85526b..190b83d033 100644 --- a/docs/service-guide/upgrade.rst +++ b/docs/developers/upgrade.rst @@ -10,4 +10,4 @@ Upgrading a service - If it is a complex application such as ``sasquatch`` that bundles first- and third-party applications, you may need to do both, or indeed descend into the ``charts`` directory and update the ``appVersion`` of the subcharts therein. Tricky cases such as these may require some study before deciding on the best course of action. Once you have updated the service, Argo CD will that the change is pending, but no changes will be applied automatically. -To apply the changes in a given environment, see :doc:`/ops/sync-argo-cd`. +To apply the changes in a given environment, see :doc:`/admin/sync-argo-cd`. diff --git a/docs/environments/index.rst b/docs/environments/index.rst index 0c23a514cd..a95319eabc 100644 --- a/docs/environments/index.rst +++ b/docs/environments/index.rst @@ -5,6 +5,6 @@ Environments Environments are specific Kubernetes clusters deploying Phalanx services. Each environment can deploy a specific collection of applications, and with specific configurations. -To learn more about operating a Phalanx environment, see the :doc:`/ops/index` section. +To learn more about operating a Phalanx environment, see the :doc:`/admin/index` section. .. Add a table of environments, possibly linking to their own documentation sets. diff --git a/docs/index.rst b/docs/index.rst index b47e2259bc..652206c075 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -1,12 +1,12 @@ -################################################# -Phalanx: Rubin Observatory Kubernetes Deployments -################################################# +################################################################ +Phalanx: Rubin Observatory Kubernetes Application Configurations +################################################################ -Phalanx [#name]_ is a GitOps repository for Rubin Observatory's Kubernetes clusters, notably including the Rubin Science Platform deployments like https://data.lsst.cloud. -Using Helm_ and `Argo CD`_, Phalanx defines the configuration of services in each environment. +Phalanx [#name]_ is a GitOps repository for Rubin Observatory's Kubernetes environment, notably including the Rubin Science Platform deployments like https://data.lsst.cloud. +Using Helm_ and `Argo CD`_, Phalanx defines the configuration of applications in each environment. -This documentation is for Rubin team members that are building services and operating Kubernetes clusters. -Astronomers and other end-users can visit the Rubin Documentation Portal to learn how to use Rubin Observatory's software, services, and datasets. +This documentation is for Rubin team members that are developing applications and operating Kubernetes clusters. +Astronomers and other end-users can visit the `Rubin Documentation Portal `__ to learn how to use Rubin Observatory's software, services, and datasets. Phalanx is on GitHub at https://github.com/lsst-sqre/phalanx. @@ -17,8 +17,8 @@ Phalanx is on GitHub at https://github.com/lsst-sqre/phalanx. :maxdepth: 1 :hidden: - overview/index - service-guide/index - ops/index - services/index + about/index + developers/index + admin/index + applications/index environments/index diff --git a/docs/overview/index.rst b/docs/overview/index.rst deleted file mode 100644 index e9a2fcdf57..0000000000 --- a/docs/overview/index.rst +++ /dev/null 
@@ -1,22 +0,0 @@ -######## -Overview -######## - -This section helps you understand the crucial concepts behind Phalanx, and how to work with and contribute to the Phalanx documentation. - -After you have reviewed this documentation, see the :doc:`/service-guide/index` section to develop and deploy services, or the :doc:`/ops/index` section to operate a Kubernetes cluster with Phalanx services. - -.. toctree:: - :maxdepth: 1 - :caption: Introduction - - introduction - repository - secrets - -.. toctree:: - :maxdepth: 1 - :caption: Contributing - - precommit-and-helm-docs - contributing-docs diff --git a/docs/service-guide/index.rst b/docs/service-guide/index.rst deleted file mode 100644 index 1fc04b5d68..0000000000 --- a/docs/service-guide/index.rst +++ /dev/null @@ -1,30 +0,0 @@ -############## -Service DevOps -############## - -.. toctree:: - :maxdepth: 2 - :titlesonly: - :caption: Build - - create-service - -.. toctree:: - :maxdepth: 2 - :titlesonly: - :caption: Integration - - service-chart-architecture - add-service - add-external-chart - add-a-onepassword-secret - update-a-onepassword-secret - -.. toctree:: - :maxdepth: 2 - :titlesonly: - :caption: Deploy & maintain - - upgrade - deploy-from-a-branch - local-development diff --git a/docs/services/index.rst b/docs/services/index.rst deleted file mode 100644 index e551622cfd..0000000000 --- a/docs/services/index.rst +++ /dev/null @@ -1,23 +0,0 @@ -######## -Services -######## - -.. toctree:: - :maxdepth: 1 - :caption: Cluster infrastructure - - argo-cd/index - cert-manager/index - ingress-nginx/index - gafaelfawr/index - postgres/index - vault-secrets-operator/index - -.. toctree:: - :maxdepth: 1 - :caption: Science Platform - - cachemachine/index - mobu/index - nublado2/index - tap/index From 05eca3814b9cb0b0f8545311a5f611929f29ba4a Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Fri, 7 Oct 2022 18:25:19 -0400 Subject: [PATCH 1127/1479] Change terminology from service to application On 2022-10-06 we (SQuaRE) decided to settle on "application" for the term we formerly used "service" for. This commit also provides other minor edits to the doc set. --- docs/_rst_epilog.rst | 3 + docs/about/introduction.rst | 82 +++++------ docs/about/repository.rst | 59 ++++---- docs/about/secrets.rst | 20 +-- docs/admin/bootstrapping.rst | 39 ++--- docs/admin/index.rst | 13 +- docs/admin/infrastructure/filestore/index.rst | 20 ++- .../filestore/privileged-access.rst | 103 ++++++------- docs/admin/sync-argo-cd.rst | 6 +- docs/admin/troubleshooting.rst | 22 +-- docs/admin/update-pull-secret.rst | 2 +- docs/admin/upgrade-windows.rst | 16 +-- .../cert-manager/bootstrapping.rst | 2 +- docs/applications/gafaelfawr/debugging.rst | 2 +- docs/applications/gafaelfawr/storage.rst | 2 +- .../ingress-nginx/certificates.rst | 2 +- docs/applications/mobu/configuring.rst | 4 +- docs/applications/mobu/manage-flocks.rst | 2 +- docs/applications/postgres/add-database.rst | 51 ++++--- docs/applications/tap/index.rst | 2 +- docs/applications/tap/update-tap-schema.rst | 2 +- .../vault-secrets-operator/index.rst | 8 +- docs/developers/add-a-onepassword-secret.rst | 22 +-- .../{add-service.rst => add-application.rst} | 136 +++++++++--------- docs/developers/add-external-chart.rst | 30 ++-- ...rt-architecture.rst => chart-overview.rst} | 37 +++-- docs/developers/create-an-application.rst | 55 +++++++ docs/developers/create-service.rst | 55 ------- docs/developers/deploy-from-a-branch.rst | 78 +++++----- docs/developers/index.rst | 15 +- docs/developers/local-development.rst | 21 ++- docs/developers/upgrade.rst | 11 +- docs/index.rst | 4 +- 33 files changed, 466 insertions(+), 460 deletions(-) rename docs/developers/{add-service.rst => add-application.rst} (51%) rename docs/developers/{service-chart-architecture.rst => chart-overview.rst} (62%) create mode 
100644 docs/developers/create-an-application.rst delete mode 100644 docs/developers/create-service.rst diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst index 57f645b813..a983693228 100644 --- a/docs/_rst_epilog.rst +++ b/docs/_rst_epilog.rst @@ -7,6 +7,7 @@ .. _Deployment: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ .. _Docker: https://www.docker.com/ .. _Documentation Style Guide: https://developer.lsst.io/user-docs/index.html +.. _FastAPI: https://fastapi.tiangolo.com/ .. _Google Documentation Style Guide: https://developers.google.com/style/ .. _Helm: https://helm.sh .. _helm-docs: https://github.com/norwoodj/helm-docs @@ -20,8 +21,10 @@ .. _Pods: .. _Pod: https://kubernetes.io/docs/concepts/workloads/pods/ .. _Roundtable: https://roundtable.lsst.io/ +.. _Safir: https://safir.lsst.io/ .. _Secret: https://kubernetes.io/docs/concepts/configuration/secret/ .. _semantic versioning: https://semver.org/ +.. _Services: .. _Service: https://kubernetes.io/docs/concepts/services-networking/service/ .. _Sphinx: https://www.sphinx-doc.org/en/master/ .. _pre-commit: https://pre-commit.com diff --git a/docs/about/introduction.rst b/docs/about/introduction.rst index 671a0d129c..7c4ec0d857 100644 --- a/docs/about/introduction.rst +++ b/docs/about/introduction.rst 
@@ -2,24 +2,24 @@ Overview of the Phalanx platform concepts ######################################### -Rubin Observatory's service deployments, like the Rubin Science Platform, run in Kubernetes_ clusters. -Phalanx is how these service deployments are defined — both generally, and specifically for each Kubernetes cluster. -In a nutshell, Phalanx is a Git repository containing Helm charts for individual services (like websites and web APIs) that are configured for multiple environments (like different data access centers and production/development versions of each). -Argo CD instances synchronize these service definitions into the Kubernetes cluster of each environment. +Rubin Observatory's application deployments, like the Rubin Science Platform, run in Kubernetes_ clusters. +Phalanx is how these application deployments are defined — both generally, and specifically for each Kubernetes cluster. +In a nutshell, Phalanx is a Git repository containing Helm charts for individual applications (like websites and web APIs) that are configured for multiple environments (like different data access centers and production/development versions of each). +`Argo CD`_ instances synchronize these application deployment manifests into the Kubernetes cluster of each environment. Expanding on that, this page briefly introduces the Phalanx's key features, terminology, and technology ecosystem. Kubernetes and Docker containers ================================ -Phalanx deploys services on Kubernetes_ clusters — where "cluster" refers to one or more compute nodes that provide CPU, storage, and networking. +Phalanx deploys applications on Kubernetes_ clusters — where "cluster" refers to one or more compute nodes that provide CPU, storage, and networking. Kubernetes_ is a *container orchestration* system. These Docker_ containers are isolated environments where instances of an application (such as a web API or website) run. 
Containers are instances of Docker *images* and those images are the built products of individual application codebases. Kubernetes layers upon Docker by running multiple containers according to configuration, while also managing the networking and storage needs of those containers. -For service developers, the main interface for defining how a service runs is through resources that are represented commonly as YAML files. +For application developers, the main interface for defining how an application runs is through resources that are commonly represented as YAML files. .. sidebar:: Common Kubernetes resources 
@@ -28,93 +28,93 @@ For service developers, the main interface for defining how a service runs is th
 Deployments are made available to the network by defining a Service_.
 An Ingress_ resource publishes that Service to the internet and defines what authentication and authorization is needed.
- You can `learn more about Kubernetes from its documentation `_, and also in Phalanx's :doc:`documentation on creating application `.
+ You can `learn more about Kubernetes from its documentation `_, and also in Phalanx's :doc:`documentation on creating applications `.
 Environments are specific Kubernetes clusters
 ---------------------------------------------
-Phalanx treats specific Kubernetes clusters as environments.
-Each environment is configured to run specific sets of services with specific services, although all environments running Phalanx benefit from a base of shared services and Kubernetes-based infrastructure.
+Phalanx treats specific Kubernetes clusters as separate environments.
+Each environment is configured to run specific sets of applications with specific configurations, although all environments running Phalanx benefit from a base of shared applications and Kubernetes-based infrastructure.
 Infrastructure agnostic
 -----------------------
 Although Phalanx *uses* Kubernetes, this platform is agnostic about how Kubernetes itself is deployed for a specific environment.
-Phalanx has been deployed on both public clouds (the public Rubin Science Platform runs on the Google Kubernetes Engine) and on-premises Kubernetes clusters (US Data Facility and most international data access centers (IDACs).
-Running on a public cloud versus on-premises generally impacts the specifics of how individual services are configured.
+Phalanx has been deployed on both public clouds (the public Rubin Science Platform runs on the Google Kubernetes Engine) and on-premises Kubernetes clusters (US Data Facility and most international data access centers [IDACs]).
+Running on a public cloud versus on-premises generally impacts the specifics of how individual applications are configured.
 Helm
 ====
-Helm_ is a tool for packaging services for deployment in Kubernetes.
-Helm charts are templates for Kubernetes resources.
-By supplying values (i.e., through "values.yaml" files), these templates are rendered for specific Kubernetes environments.
+Helm_ is a tool for packaging applications for deployment in Kubernetes.
+Helm *charts* are templates for Kubernetes resources.
+By supplying values (i.e., through "values.yaml" files), Helm renders templates for specific Kubernetes environments.
 Phalanx takes practical advantage of Helm charts in two ways.
-First, each service has a values file for the each environment.
-This is the key mechanism for how Phalanx supports service deployments for multiple diverse environments.
+First, each application has a values file for each environment.
+This is the key mechanism for how Phalanx supports application deployments across multiple diverse environments.
 Second, Helm enables us to deploy existing Helm charts for external open source software.
-In some cases, Phalanx services are shells around an external Helm chart such as ingress-nginx.
-In other cases, external Helm charts are composed as sub-charts within Phalanx's first-party services — like a Redis service within a Rubin API service.
+In some cases, Phalanx application charts are shells around an external Helm chart, such as ingress-nginx.
+In other cases, external Helm charts are composed as sub-charts within Phalanx's first-party application — like a Redis cluster within a Rubin API application.
-Services are Helm charts in Phalanx
 -----------------------------------
+Applications are Helm charts in Phalanx
 ---------------------------------------
-In Phalanx, the word "service" specifically refers to a Helm chart located in the :file:`services` directory of the `phalanx repository`_.
-That Helm chart directory includes the Kubernetes templates and Docker image references to deploy the application, as well as values files to configure the service for each environment.
+In Phalanx, the word *application* specifically refers to a Helm chart located in the :file:`services` directory of the `phalanx repository`_.
+That Helm chart directory includes the Kubernetes templates and Docker image references to deploy the application, as well as values files to configure the application for each environment.
 Argo CD
 =======
-Argo CD manages the Kubernetes deployments of each service's Helm charts from the Phalanx repository.
-Each environment runs its own instance of Argo CD (as Argo CD is itself a service in Phalanx).
+`Argo CD`_ manages the Kubernetes deployments of each application's Helm chart from the Phalanx repository.
+Each environment runs its own instance of Argo CD (as Argo CD is itself an application in Phalanx).
-Argo CD provides a web UI that shows resources in the Kubernetes cluster, provides lightweight access to logs, and most importantly provides controls for syncing and restarting services to match the current definitions in the Phalanx GitHub repository.
+Argo CD provides a web UI that shows resources in the Kubernetes cluster, provides lightweight access to logs, and most importantly provides controls for syncing and restarting applications to match the current definitions in the Phalanx GitHub repository.
-In development environments, Argo CD's UI makes possible to edit Kubernetes resources to temporarily test configurations separate from the Git-based process.
-Argo CD replaces most need for the standard Kubernetes command line client, kubectl.
-In fact, most maintainers for individual services only have Argo CD access in most environments.
+In development environments, Argo CD's UI makes it possible to temporarily edit Kubernetes resources for testing configurations outside from the Git-based process.
+Argo CD replaces most need for the standard Kubernetes command-line client, ``kubectl``.
+In fact, most developers for individual applications only have Argo CD access in most environments.
 Vault and secrets management
 ============================
 Phalanx adopts Vault_ as its secret store.
 Since the `phalanx repository`_ is public, secret cannot be included directly — instead, secrets are referenced from a Vault secret store.
-The Vault Secrets Operator connects information in the secret store with Phalanx services.
-Services that need a secret include a ``VaultSecret`` resource.
-Inside Kubernetes, the `Vault Secrets Operator`_ obtains the secret information from a Vault instance and formats it into a standard Kubernetes Secret_ that the service's containers can consume as environment variables or mounted files.
+The Vault Secrets Operator connects information in the secret store with Phalanx applications.
+Applications that need a secret include a ``VaultSecret`` resource in their Helm chart.
+Inside Kubernetes, the `Vault Secrets Operator`_ obtains the secret information from a Vault instance and formats it into a standard Kubernetes Secret_ that the application's containers can consume as environment variables or mounted files.
 Phalanx itself does not manage Vault.
-Most Rubin Science Platform installations use the Vault server at ``vault.lsst.codes``, which is managed using `Roundtable`_.
+Most Rubin Science Platform environments use the Vault server at ``vault.lsst.codes``, which is hosted on `Roundtable`_.
 Each installation environment has its own root path in that Vault server.
 Phalanx also includes scripts for syncing a 1Password_ vault into the Vault_ service.
 See :doc:`secrets` to learn more.
-The core services
 =================
+The core applications
 =====================
-Phalanx includes services that provide key functionality for other services:
+Phalanx includes applications that provide key functionality for other applications:
-``argocd`` (service management)
- As described above, Argo CD is a service that synchronizes services defined in Phalanx with running resources in Kubernetes and provides a UI for operators.
+``argocd`` (application management)
+ As described above, Argo CD is an application that synchronizes applications defined in Phalanx with running resources in Kubernetes and provides a UI for developers and administrators.
 ``cert-manager`` (TLS certificate management)
 Cert-manager acquires and renews TLS certificates from Let's Encrypt.
 ``ingress-nginx`` (ingress)
- The ingress-nginx service routes traffic from the internet to individual services, while also terminating TLS and integrating with Gafaelfawr, the auth handler.
+ The ingress-nginx application routes traffic from the internet to individual applications, while also terminating TLS and integrating with Gafaelfawr, the auth handler.
 ``vault-secrets-operator`` (secret configuration)
- Vault Secrets Operator bridges secrets in Vault_ with Kubernetes secrets resources.
+ Vault Secrets Operator bridges secrets in Vault_ with Kubernetes Secret_ resources.
 Next steps
 ==========
-This page provided a brief tour of the concepts and components of Phalanx-based service deployments.
+This page provided a brief tour of the concepts and components of Phalanx-based application deployments.
 For more introductory topics, see the :doc:`index` overview topics.
 Start working with Phalanx:
-- If you are an application developer looking to integrate your service into Phalanx, see the :doc:`/developers/index` section to get started.
+- If you are a developer looking to integrate your application into Phalanx, see the :doc:`/developers/index` section to get started.
- If you are an administrator looking to create a new environment or operate an existing one, see the :doc:`/admin/index` section.
diff --git a/docs/about/repository.rst b/docs/about/repository.rst
index e43b60fe6c..e7a2b6259b 100644
--- a/docs/about/repository.rst
+++ b/docs/about/repository.rst
@@ -3,7 +3,7 @@ Phalanx Git repository structure
 ################################
 Phalanx is an open source Git repository hosted at https://github.com/lsst-sqre/phalanx.
-This page provides an overview of how this repository is structured, for both service developers and environment operators alike.
+This page provides an overview of this repository's structure, for both application developers and environment administrators alike.
 For background on Phalanx and its technologies, see :doc:`introduction` first.
 Key directories
@@ -14,23 +14,23 @@ services directory
 :bdg-link-primary-line:`Browse /services/ on GitHub `
-Every Phalanx service has its own sub-directory within ``services`` named after the service itself (commonly the name is also used as a Kubernetes namespace).
-A Phalanx service is itself a Helm_ chart.
-Helm charts define Kubernetes templates for the service deployment, values for the templates, and references to any sub-charts from external repositories to include in the sub-chart.
+Every Phalanx application has its own sub-directory within ``services`` named after the application itself (commonly the name is also used as a Kubernetes Namespace_).
+A Phalanx application is itself a Helm_ chart.
+Helm charts define Kubernetes templates for the application deployment, values for the templates, and references to any sub-charts from external repositories to include as a sub-chart.
 See the `Helm documentation for details on the structure of Helm charts. `__
 Per-environment Helm values
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
-The novel aspect of Helm charts in Phalanx is the per-environment values files.
-The default values for a chart are located in its main ``values.yaml`` file.
-There are also additional values for each service, named ``values-.yaml``, that override default values for the service's deployment in that specific environment.
+Phalanx Helm charts in Phalanx include the per-environment configuration, in addition to a common set of defaults.
+A chart's defaults are located in its main ``values.yaml`` file.
+The per-environment values files, named ``values-.yaml``, override those default values for the application's deployment in the corresponding environments.
-Services based on third-party charts
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Applications based on third-party charts
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-Note that some services are based entirely (or primarily) on third-party open source charts.
-In this chase, the service's chart includes that external chart as a dependency through its ``Chart.yaml``.
+Note that some applications are based entirely (or primarily) on third-party open source charts.
+In this case, the application's Helm chart includes that external chart as a *dependency* through its ``Chart.yaml``.
 See the `Helm documentation on chart dependencies. `__
 science-platform directory
@@ -39,19 +39,18 @@ science-platform directory
 :bdg-link-primary-line:`Browse /science-platform/ on GitHub `
 The ``science-platform`` directory is where environments are defined (an environment is a distinct Kubernetes cluster).
-.. This directory is itself a single Helm chart that deploys Kubernetes ``Namespace`` and Argo CD ``Application`` resources for each service.
-The ``/science-platform/templates`` directory contains a Helm template per service, like this one for the ``noteburst`` application:
+The ``/science-platform/templates`` directory contains a Helm template per application, like this one for the ``noteburst`` application:
 .. literalinclude:: ../../science-platform/templates/noteburst-application.yaml
 :caption: /science-platform/templates/noteburst-application.yaml
-The template defines a Kubernetes Namespace_ and an Argo CD ``Application`` for each service.
-``Application`` resources directs Argo CD to deploy and synchronize the corresponding services from the Phalanx ``services`` directory.
+The template defines a Kubernetes Namespace_ and an Argo CD ``Application`` for each Phalanx application.
+``Application`` resources direct Argo CD to deploy and synchronize the corresponding application Helm chart from the Phalanx ``services`` directory.
-Notice that these templates are wrapped in a conditional, which controls whether a service is deployed in a given environment.
-The ``values.yaml`` file in the ``science-platform`` defines boolean variables for each service.
-Then in corresponding values files for each environment, named, ``values-.yaml``, services are enabled, or not, for the specific environment.
+Notice that these templates are wrapped in a conditional, which controls whether an application is deployed in a given environment.
+The ``values.yaml`` file in the ``science-platform`` directory defines boolean variables for each application.
+Then in corresponding values files for each environment, named ``values-.yaml``, applications are enabled, or not, for the specific environment.
 installer directory
 -------------------
@@ -62,6 +61,7 @@ This directory contains a script named `install.sh ` for details.
 docs directory
 --------------
@@ -69,27 +69,28 @@ docs directory
 :bdg-link-primary-line:`Browse /docs/ on GitHub `
 This directory contains the Sphinx_ documentation that you are reading now.
+See :doc:`contributing-docs`.
 starters directory
 ------------------
 :bdg-link-primary-line:`Browse /docs/ on GitHub `
-This directory contains templates for contributing new services to Phalanx.
-See :doc:`/developers/add-service`.
+This directory contains templates for contributing new applications to Phalanx.
+See :doc:`/developers/add-application`.
 Branches
 ========
 The default branch is ``master`` [#1]_.
-This default branch is considered the source of truth for full synchronized phalanx service deployments.
+This default branch is considered the source of truth for fullly synchronized Phalanx environments.
 .. [#1] This branch will be renamed to ``main`` in the near future.
 Updates to Phalanx are introduced as pull requests on GitHub.
 Repository members create branches directly on the https://github.com/lsst-sqre/phalanx origin (see the `Data Management workflow guide`_, while external collaborators should fork Phalanx and provide pull requests.
-It is possible (particularly in non-production environments) to deploy from branches of Phalanx, which is useful for debugging new and updating services before updating the ``master`` branch.
+It is possible (particularly in non-production environments) to deploy from branches of Phalanx, which is useful for debugging new and updating applications before updating the ``master`` branch.
 You can learn how to do this in :doc:`/developers/deploy-from-a-branch`.
 Test and formatting infrastructure
@@ -97,22 +98,22 @@ Test and formatting infrastructure
 The Phalanx repository uses two levels of testing and continuous integration.
-`Pre-commit`_ performs file formatting and linting, both on your local editing environment (when configured) and verified in the GitHub Actions.
-In one check, pre-commit regenerates Helm chart documentation for services with helm-docs_.
+`Pre-commit`_ performs file formatting and linting, both on your local editing environment (when configured) and verified in GitHub Actions.
+In one check, Pre-commit regenerates Helm chart documentation for applications with helm-docs_.
 See the `.pre-commit-config.yaml `__ file for configuration details.
-Learn how to set up pre-commit in your local editing environment in :doc:`precommit-and-helm-docs`.
+Learn how to set up Pre-commit in your local editing environment in :doc:`precommit-and-helm-docs`.
 Second, GitHub Actions runs a CI workflow (`.github/workflows/ci.yaml `__).
 This workflow has three key jobs:
-- Linting with pre-commit_, mirroring the local editing environment.
-- Static validation of Helm charts, see `helm/chart-testing-action `__ on GitHub.
-- An integration test of a Phalanx deployment in a minikube environment.
+- Linting with Pre-commit_, mirroring the local editing environment.
+- Static validation of Helm charts with the `helm/chart-testing-action `__ GitHub action.
+- An integration test of a Phalanx environment in a minikube.
 Next steps
 ==========
 Start working with Phalanx:
-- If you are an application developer looking to integrate your service into Phalanx, see the :doc:`/developers/index` section to get started.
+- If you are a developer looking to integrate your application into Phalanx, see the :doc:`/developers/index` section to get started.
 - If you are an administrator looking to create a new environment or operate an existing one, see the :doc:`/admin/index` section.
diff --git a/docs/about/secrets.rst b/docs/about/secrets.rst
index 45004b854a..75d53fe5ae 100644
--- a/docs/about/secrets.rst
+++ b/docs/about/secrets.rst
@@ -4,27 +4,27 @@ Secrets management overview
 ###########################
-Phalanx is a public repository on GitHub, nevertheless service configurations generally require some secrets such as random numbers, certificates, or passwords.
+Phalanx is a public repository on GitHub, nevertheless application configurations generally require some secrets such as random numbers, certificates, or passwords.
 This page explains how secrets are managed in Phalanx with Vault, 1Password, and Vault Secrets Operator.
 Vault
 =====
-Argo CD allows all service configuration to be checked into Git and deployed from that repository.
-However, many service configurations require some secrets such as random numbers, certificates, or passwords.
+Argo CD allows all application configurations to be checked into Git and deployed from that repository.
+However, many application configurations require some secrets such as random numbers, certificates, or passwords.
 These obviously cannot be committed to a public repository.
 We instead use `Vault`_ to store secrets and then materialize them in Kubernetes using :ref:`vault-secrets-operator`.
 .. _Vault: https://www.vaultproject.io/
-Charts that need secrets use ``VaultSecret`` resources with the name matching the ``Secret`` resource to create.
+Helm charts that need secrets use ``VaultSecret`` resources with the name matching the Secret_ resource to create.
 Those ``VaultSecret`` resources are configured with the path in Vault to the secret.
-That path, in turn, is configured in the Helm per-environment values files for those services.
+That path, in turn, is configured in the Helm per-environment values files for those applications.
-Most Rubin Science Platform installations use the Vault server at vault.lsst.codes, which is managed using `Roundtable`_.
+Most Rubin Science Platform installations use the Vault server at ``vault.lsst.codes``, which is managed using Roundtable_.
Each installation environment has its own root path in that Vault server.
-The path is ``k8s_operator/`` where ```` is the domain name of that environment.
+The path is formatted as ``k8s_operator/`` where ```` is the domain name of that environment.
 When the environment is bootstrapped, it is given a Kubernetes secret with the Vault token required to read that path of Vault.
 See :dmtn:`122` for more information about that Vault instance and its naming conventions.
@@ -32,12 +32,12 @@ See :dmtn:`122` for more information about that Vault instance and its naming co
 =========
 While Kubernetes and Argo CD do not look beyond Vault, Vault is not the source of truth for persistent secrets for Rubin Science Platform environments maintained by SQuaRE.
-Secrets for external services or which for whatever reason cannot be randomly regenerated when the environment is reinstalled are stored in `1Password`_.
+Secrets for external applications or which for whatever reason cannot be randomly regenerated when the environment is reinstalled are stored in `1Password`_.
-Inside 1Password, there is a vault named RSP-Vault that contains all of the persistent secrets.
+Inside 1Password, there is a vault named ``RSP-Vault`` that contains all of the persistent secrets.
 Each secret is stored in either a Login or a Secure Note object.
 Inside that object, there must be a key named ``generate_secrets_key`` whose value is two words separated by a space.
-The first word is the service and the second is the name of that secret among the secrets for that service.
+The first word is the application's name and the second is the name of that secret among the secrets for that application.
 There may also be one or more keys named ``environment``.
 Its values are the domain names of the environments to which that specific secret applies.
 If ``environment`` is missing, that 1Password object provides a default for the given ``generate_secrets_key`` key, which will be used if there is no other object with the same key and a matching environment.
diff --git a/docs/admin/bootstrapping.rst b/docs/admin/bootstrapping.rst
index 9e025b08b4..e6812411e0 100644
--- a/docs/admin/bootstrapping.rst
+++ b/docs/admin/bootstrapping.rst
@@ -1,8 +1,8 @@
-##############################
-Bootstrapping a new deployment
-##############################
+###############################
+Bootstrapping a new environment
+###############################
-This is (somewhat incomplete) documentation on how to add a new Rubin Science Platform environment.
+This is (somewhat incomplete) documentation on how to create a new Rubin Science Platform environment.
 Requirements
 ============
@@ -27,7 +27,8 @@ Checklist
 #. Create a new ``values-.yaml`` file in `/science-platform `__.
 Start with a template copied from an existing environment that's similar to the new environment.
- Edit it so that ``environment``, ``fqdn``, and ``vault_path_prefix`` at the top match your new environment. Choose which services to enable or leave disabled.
+ Edit it so that ``environment``, ``fqdn``, and ``vault_path_prefix`` at the top match your new environment.
+ Choose which applications to enable or leave disabled.
 #. Decide on your approach to TLS certificates.
 See :ref:`hostnames` for more details.
@@ -39,17 +40,17 @@ Checklist
 The first time you set up the RSP for a given domain (note: *not* hostname, but *domain*, so if you were setting up ``dev.my-rsp.net`` and ``prod.my-rsp.net``, ``dev`` first, you would only need to do this when you created ``dev``), if you are using Let's Encrypt for certificate management (which we highly recommend), you will need to create glue records to enable Let's Encrypt to manage TLS for the domain.
 See :doc:`/applications/cert-manager/route53-setup` for more details.
-#. For each enabled service, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__.
- Customization will vary from service to service.
+#. For each enabled application, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__.
+ Customization will vary from application to application.
- See :ref:`service-notes` for more details on special considerations for individual services.
+ See :ref:`application-notes` for more details on special considerations for individual applications.
 #. Generate the secrets for the new environment and store them in Vault with `/installer/update_secrets.sh `__.
 This is where you will need the write key for the Vault enclave.
 #. Run the installer script at `/installer/install.sh `__.
- If the installation is using a dynamically-assigned IP address, while the installer is running, wait until the ingress-nginx-controller service comes up and has an external IP address; then go set the A record for your endpoint to that address (or set an A record with that IP address for the ingress and a CNAME from the endpoint to the A record).
+ If the installation is using a dynamically-assigned IP address, while the installer is running, wait until the ingress-nginx-controller Service_ comes up and has an external IP address; then go set the A record for your endpoint to that address (or set an A record with that IP address for the ingress and a CNAME from the endpoint to the A record).
 For installations that are intended to be long-lived, it is worth capturing the IP address at this point and modifying your configuration to use it statically should you ever need to reinstall the instance.
 .. _hostnames:
@@ -58,7 +59,7 @@ Hostnames and TLS
 =================
 The Science Platform is designed to run under a single hostname.
-All ingresses for all services use different routes on the same external hostname.
+Ingresses for all applications use different routes on the same external hostname.
 That hostname, in turn, is served by an NGINX proxy web server, configured via the ``ingress-nginx`` Helm chart (normally installed with the Science Platform).
 An NGINX ingress controller is required since its ``auth_request`` mechanism is used for authentication.
@@ -66,7 +67,7 @@ The external hostname must have a valid TLS certificate that is trusted by the s
 There are supported two mechanisms to configure that TLS certificate:
 #. Purchase a commercial certificate and configure it as the ingress-nginx default certificate.
- Do not add TLS configuration to any of the service ingresses.
+ Do not add TLS configuration to any of the application ingresses.
 For more information, see :doc:`/applications/ingress-nginx/certificates`.
 With this approach, the certificate will have to be manually renewed and replaced once per year.
@@ -84,10 +85,10 @@ To use the second approach, you must have the following:
 If neither of those requirements sound familiar, you almost certainly want to use the first option and purchase a commercial certificate.
-.. _service-notes:
+.. _application-notes:
-Service notes
-=============
+Application bootstrapping notes
+===============================
 Gafaelfawr
 ----------
@@ -118,7 +119,7 @@ If you run into authentication problems, see :doc:`the Gafaelfawr operational do
 Nublado 2
 ---------
-Nublado (the ``nublado2`` service) and moneypenny need to know where the NFS server that provides user home space is.
+Nublado (the ``nublado2`` application) and moneypenny need to know where the NFS server that provides user home space is.
 Nublado also requires other persistent storage space.
 Ensure the correct definitions are in place in their configuration.
@@ -159,16 +160,16 @@ Squareone
 If you are using the Let's Encrypt approach to obtain TLS certificates, you must give the Squareone ingress with an appropriate TLS configuration.
-Because all service ingresses share the same external hostname, the way the ingress configuration is structured is somewhat unusual.
-Nearly all of the services create an ingress without adding TLS configuration.
+Because all application ingresses share the same external hostname, the way the ingress configuration is structured is somewhat unusual.
+Nearly all application create an ingress without adding TLS configuration.
 Instead, they all use the same hostname, without a TLS stanza.
 The Squareone ingress is the one designated ingress with a TLS configuration to request creation of certificates.
 Because each ingress uses the same hostname, the NGINX ingress will merge all of those ingresses into one virtual host and will set up TLS if TLS is defined on any of them.
 Were TLS defined on more than one ingress, only one of those TLS configurations would be used, but which one is chosen is somewhat random.
-Therefore, we designate a single service to hold the configuration to avoid any confusion from unused configurations.
+Therefore, we designate a single application to hold the configuration to avoid any confusion from unused configurations.
-This means adding something like the following to ``values-.yaml`` in `/applications/squareone `__:
+This means adding something like the following to ``values-.yaml`` in `/services/squareone `__:
 .. code-block:: yaml
diff --git a/docs/admin/index.rst b/docs/admin/index.rst
index 175939017f..f47b71e6a7 100644
--- a/docs/admin/index.rst
+++ b/docs/admin/index.rst
@@ -4,15 +4,10 @@ Administrators
 Administrators operate infrastructure, bootstrap infrastructure, and are involved in the deployment, configuration, and Argo CD synchronization of applications.
-.. toctree::
- :caption: Infrastructure
- :maxdepth: 2
-
- infrastructure/filestore/index
-
 .. toctree::
 :caption: Bootstrapping
 :maxdepth: 1
+ :name: bootstrapping-toc
 bootstrapping
@@ -28,3 +23,9 @@ Administrators operate infrastructure, bootstrap infrastructure, and are involve
 :caption: Troubleshooting
 troubleshooting
+
+.. toctree::
+ :caption: Infrastructure
+ :maxdepth: 2
+
+ infrastructure/filestore/index
diff --git a/docs/admin/infrastructure/filestore/index.rst b/docs/admin/infrastructure/filestore/index.rst
index dd6c7bf8dd..1500de52c5 100644
--- a/docs/admin/infrastructure/filestore/index.rst
+++ b/docs/admin/infrastructure/filestore/index.rst
@@ -2,21 +2,17 @@ Filestore
 #########
-The thing we're calling ``filestore`` is not an RSP service at all.
-Nor does it (generally) run in Kubernetes.
+Filestore is not an RSP application, nor does it (generally) run in Kubernetes.
+All current filestore implementations are simply implementations of NFS that are mounted into RSP Pods_ (both JupyterLab user Pods_ and application Pods_) by ``Volume`` and ``VolumeMount`` definitions.
-All current ``filestore`` implementations are simply implementations of
-NFS that are mounted into RSP pods (both user and service) by Volume and
-VolumeMount definitions.
+.. note::
-There is nothing in the filestore that mandates NFS. What is required
-is simply something that can present some storage to user and service
-pods as a POSIX filesystem. To this point, NFS has been the most
-convenient way to accomplish that, but it is certainly not fundamental
-to the concept.
-
-.. rubric:: Guides
+ There is nothing in the filestore that mandates NFS.
+ What is required is simply something that can present some storage to user and application Pods_ as a POSIX filesystem.
+ To this point, NFS has been the most convenient way to accomplish that, but it is certainly not fundamental to the concept.
 .. toctree::
+ :caption: Guides
+ :titlesonly:
 privileged-access
diff --git a/docs/admin/infrastructure/filestore/privileged-access.rst b/docs/admin/infrastructure/filestore/privileged-access.rst
index 9831beedeb..a5f6a21a40 100644
--- a/docs/admin/infrastructure/filestore/privileged-access.rst
+++ b/docs/admin/infrastructure/filestore/privileged-access.rst
@@ -2,67 +2,74 @@ Privileged access to the filestore ################################## -Currently, we do not have any way to make containers with privileged -filesystem access available from JupyterHub. +Currently, we do not have any way to make containers with privileged filesystem access available from JupyterHub. -In order to get privileged access to the filestore, you will need access -to ``kubectl`` with admin privileges to the cluster you want to work on. +In order to get privileged access to the filestore, you will need access to ``kubectl`` with admin privileges to Kubernetes cluster you want to work on. -Save the following file as ``copier.yaml``; you may need to edit it to -point to the correct filestore, and of course if you need multiple -filestores present (for instance, for copying data between environments) -then you will need to create multiple Volume/VolumeMount pairs so -multiple filestores are presented within the container. +Procedure +========= + +Save the following file as ``copier.yaml``. +You may need to edit it to point to the correct filestore. +If you need multiple filestores present (for instance, for copying data between environments), then you will need to create multiple ``Volume``\ /``VolumeMount`` pairs so multiple filestores are present within the container. .. code-block:: yaml + :caption: copier.yaml + + apiVersion: v1 + kind: Pod + metadata: + name: copier + namespace: copier + spec: + containers: + - name: main + image: ubuntu:latest + args: [ "tail", "-f", "/dev/null" ] + volumeMounts: + - mountPath: /mnt + name: share + volumes: + - name: share + nfs: + path: /share1 + server: 10.13.105.122 + # 10.87.86.26 is IDF dev + # 10.22.240.130 is IDF int + # 10.13.105.122 is IDF prod + +Spin up this Pod_ and log into its shell: + +.. 
code-block:: bash - apiVersion: v1 - kind: Pod - metadata: - name: copier - namespace: copier - spec: - containers: - - name: main - image: ubuntu:latest - args: [ "tail", "-f", "/dev/null" ] - volumeMounts: - - mountPath: /mnt - name: share - volumes: - - name: share - nfs: - path: /share1 - server: 10.13.105.122 - # 10.87.86.26 is IDF dev - # 10.22.240.130 is IDF int - # 10.13.105.122 is IDF prod + kubectl create ns copier + kubectl apply -f copier.yaml + kubectl exec -it -n copier copier -- /bin/bash -l -In order to spin up this pod, do the following: +Once you do that, you have a root prompt and the instance filestore is mounted at ``/mnt``. +*With great power comes great responsibility.* - * ``kubectl create ns copier`` - * ``kubectl apply -f copier.yaml`` - * ``kubectl exec -it -n copier copier -- /bin/bash -l`` +When you're done, delete the namespace. +This will also destroy the privileged pod: -Once you do that, you have a root prompt and the instance filestore is -mounted at ``/mnt``. -With great power comes great responsibility. +.. code-block:: bash -When you're done, delete the namespace. This will also destroy the -privileged pod: + kubectl delete ns copier - * ``kubectl delete ns copier`` +Examples +======== -**Examples:** +- Get usage data by username, sorted by usage, largest at the bottom: - * Get usage data by username, sorted by usage, largest at the bottom:: + .. code-block:: bash - du -s -BM /mnt/home/* \ - | sed -e 's/\s\+/,/' \ - | sed -e 's|/mnt/home/||' \ - | sort -nr + du -s -BM /mnt/home/* \ + | sed -e 's/\s\+/,/' \ + | sed -e 's|/mnt/home/||' \ + | sort -nr - * Make archival copy of user ``foo``'s previous ``.local`` for analysis:: +- Make an archival copy of user ``foo``\ ’s previous ``.local`` file for analysis: - tar cvpfz /tmp/foo-local.tgz /mnt/home/foo/.local.20210804223021 + .. code-block:: bash + tar cvpfz /tmp/foo-local.tgz /mnt/home/foo/.local.20210804223021 
diff --git a/docs/admin/sync-argo-cd.rst b/docs/admin/sync-argo-cd.rst index 04349f3f76..e32860ae9e 100644 --- a/docs/admin/sync-argo-cd.rst +++ b/docs/admin/sync-argo-cd.rst @@ -2,12 +2,12 @@ Syncing Argo CD in an environment ################################# -Phalanx enables environment operators to roll out new and updates services by synchronizing deployed in Kubernetes with the current HEAD of the `phalanx repository`_ using `Argo CD`_. -This page explains the key steps in this process for environment operators. +Phalanx enables environment administrators to roll out new and updated applications by synchronizing deployemnts in Kubernetes to the current HEAD of the `phalanx repository`_ using `Argo CD`_. +This page explains the key steps in this process for environment administrators. .. important:: - Keep in mind that environments have specific upgrade windows and that application updates should be rolled out to environments in order, to development and integration environments before production environments. + Keep in mind that environments have specific upgrade windows and that application updates should be rolled out to environments in sequence to development and integration environments before production environments. See :doc:`upgrade-windows` for details. Log into Argo CD for the environment diff --git a/docs/admin/troubleshooting.rst b/docs/admin/troubleshooting.rst index 576390db02..d2ca808385 100644 --- a/docs/admin/troubleshooting.rst +++ b/docs/admin/troubleshooting.rst 
@@ -2,14 +2,14 @@ Troubleshooting the Rubin Science Platform ########################################## -Intended audience: Anyone who is administering an installation of the Rubin Science Platform. +Intended audience: Anyone who is administering a Rubin Science Platform environment. Sometimes things break, and we are assembling the most common failure scenarios, and their fixes, in this document. PostgreSQL cannot mount its persistent volume ============================================= -**Symptoms:** When restarted, the ``postgres`` service pod fails to start because it cannot mount its persistent volume. +**Symptoms:** When restarted, the ``postgres`` application pod fails to start because it cannot mount its persistent volume. If the pod is already running, it gets I/O errors from its database, hangs, or otherwise shows signs of storage problems. **Cause:** The ``postgres`` deployment requests a ``PersistentVolume`` via a ``PersistentVolumeClaim``. @@ -23,7 +23,7 @@ Spawner menu missing images, cachemachine stuck pulling the same image **Symptoms:** When a user goes to the spawner page for the Notebook Aspect, the expected menu of images is not available. Instead, the menu is either empty or missing the right number of images of different classes. -The cachemachine service is continuously creating a ``DaemonSet`` for the same image without apparent forward progress. +The cachemachine application is continuously creating a ``DaemonSet`` for the same image without apparent forward progress. Querying the cachemachine ``/available`` API shows either nothing in ``images`` or not everything that was expected. **Cause:** Cachemachine is responsible for generating the menu used for spawning new JupyterLab instances. 
@@ -62,18 +62,18 @@ You may need to delete the record for the affected user, and also make sure the **Solution:** :doc:`/applications/nublado2/database` -User gets permission denied from services -========================================= +User gets permission denied from applications +============================================= -**Symptoms:** A user is able to authenticate to the Rubin Science Platform (prompted by going to the first authenticated URL, such as the Notebook Aspect spawner page), but then gets permission denied from other services. +**Symptoms:** A user is able to authenticate to the Rubin Science Platform (prompted by going to the first authenticated URL, such as the Notebook Aspect spawner page), but then gets permission denied from other application. -**Causes:** Authentication and authorization to the Rubin Science Platform is done via a service called Gafaelfawr (see :doc:`/applications/gafaelfawr/index`). +**Causes:** Authentication and authorization to the Rubin Science Platform is done via a application called Gafaelfawr (see :doc:`/applications/gafaelfawr/index`). After the user authenticates, Gafaelfawr asks their authentication provider for the user's group memberships and then translates that to a list of scopes. The mapping of group memberships to scopes is defined in the ``values.yaml`` file for Gafaelfawr for the relevant environment, in the ``gafaelfawr.config.groupMapping`` configuration option. -The most likely cause of this problem is that the user is not a member of a group that grants them access to that service. -Gafaelfawr will prevent the user from logging in at all if they are not a member of any group that grants access to a service. -If they are a member of at least one group, they'll be able to log in but may get permission denied errors from other services. +The most likely cause of this problem is that the user is not a member of a group that grants them access to that application. 
+Gafaelfawr will prevent the user from logging in at all if they are not a member of any group that grants access to an application. +If they are a member of at least one group, they'll be able to log in but may get permission denied errors from other application. **Solution:** :doc:`/applications/gafaelfawr/debugging` @@ -104,7 +104,7 @@ Login fails with "bad verification code" error **Cause:** GitHub login failed after the OAuth 2.0 interaction with GitHub was successfully completed, and then the user reloaded the failed login page (or reloaded the page while Gafaelfawr was attempting to complete the authentication). Usually this happens because Gafaelfawr was unable to write to its storage, either Redis or PostgreSQL. -If the storage underlying the deployment is broken, this can happen without producing obvious error messages, since the services can go into disk wait and just time out. +If the storage underlying the deployment is broken, this can happen without producing obvious error messages, since the applications can go into disk wait and just time out. Restarting the in-cluster ``postgresql`` pod, if PostgreSQL is running inside the Kubernetes deployment, will generally make this problem obvious because PostgreSQL will be unable to start. **Solution:** Check the underlying storage for Redis and Gafaelfawr. diff --git a/docs/admin/update-pull-secret.rst b/docs/admin/update-pull-secret.rst index 6260f2e2f0..22ff6783fa 100644 --- a/docs/admin/update-pull-secret.rst +++ b/docs/admin/update-pull-secret.rst 
@@ -3,7 +3,7 @@ Updating the Docker pull secret stored in 1Password and Vault ############################################################# The pull secret, present in each RSP instance, and shared by many -services there, is notoriously tricky to format correctly. +applications there, is notoriously tricky to format correctly. The recommended way to update it is to edit the pull secret in 1Password and then deploy it with the `installer/update-secrets.sh` script; diff --git a/docs/admin/upgrade-windows.rst b/docs/admin/upgrade-windows.rst index e23a42b5fb..32b16f45b8 100644 --- a/docs/admin/upgrade-windows.rst +++ b/docs/admin/upgrade-windows.rst @@ -6,7 +6,7 @@ Phalanx provides configurations for multiple environments. Many of these are production environments that service different user groups. Other environments are intended for development and integration. -In general, new and updates services should be rolled out to development and integration environments before production environments. +In general, new and updated services should be rolled out to development and integration environments before production environments. Production environments also generally have specific maintenance windows when upgrades can occur. @@ -15,13 +15,13 @@ SQuaRE environments In the case of environments managed by SQuaRE, the process for gated updates to environments is canonically defined in :sqr:`056`, but also summarized here. -The sequence for rolling out updatesis: +The sequence for rolling out updates is: -* data-dev.lsst.cloud -* data-int.lsst.cloud -* tucson-teststand.lsst.codes -* data.lsst.cloud -* base-lsp.lsst.codes -* summit-lsp.lsst.codes +* ``data-dev.lsst.cloud`` +* ``data-int.lsst.cloud`` +* ``tucson-teststand.lsst.codes`` +* ``data.lsst.cloud`` +* ``base-lsp.lsst.codes`` +* ``summit-lsp.lsst.codes`` See :sqr:`056` for the change coordination and upgrade windows (as relevant) for each environment. 
diff --git a/docs/applications/cert-manager/bootstrapping.rst b/docs/applications/cert-manager/bootstrapping.rst index 46c5e2f4ed..3b1bdba483 100644 --- a/docs/applications/cert-manager/bootstrapping.rst +++ b/docs/applications/cert-manager/bootstrapping.rst @@ -2,7 +2,7 @@ Bootstrapping cert-manager ########################## -The issuer defined in the ``cert-manager`` service uses the DNS solver. +The issuer defined in the ``cert-manager`` application uses the DNS solver. The advantage of the DNS solver is that it works behind firewalls and can provision certificates for environments not exposed to the Internet, such as the Tucson teststand. The DNS solver uses an AWS service user with write access to Route 53 to answer Let's Encrypt challenges. diff --git a/docs/applications/gafaelfawr/debugging.rst b/docs/applications/gafaelfawr/debugging.rst index 39d277b1fa..2d33b386a3 100644 --- a/docs/applications/gafaelfawr/debugging.rst +++ b/docs/applications/gafaelfawr/debugging.rst @@ -2,7 +2,7 @@ Debugging authentication issues ############################### -If a user successfully authenticates through the Gafaelfawr ``/login`` route but then cannot access a service such as the Notebook or Portal Aspects, a good initial debugging step is to determine what scopes the user was granted on the basis of their group membership. +If a user successfully authenticates through the Gafaelfawr ``/login`` route but then cannot access an application such as the Notebook or Portal, a good initial debugging step is to determine what scopes the user was granted on the basis of their group membership. Have the user go to ``/auth/analyze``, which will provide a JSON dump of their authentication information. The important information is in the ``token.data`` portion of the JSON document. diff --git a/docs/applications/gafaelfawr/storage.rst b/docs/applications/gafaelfawr/storage.rst index b3f625ed1a..1fa334361f 100644 --- a/docs/applications/gafaelfawr/storage.rst 
+++ b/docs/applications/gafaelfawr/storage.rst @@ -41,7 +41,7 @@ Do this by putting: in the ``values-*.yaml`` file for that environment under the ``gafaelfawr`` key. In this configuration, you may want to start Gafaelfawr so that the persistent volume claim and corresponding persistent volume has been created, locate that persistent volume, and then change its reclaim policy from the default (usually ``Delete``) to ``Retain``. -This provides some additional protection against wiping the storage in accidents or service redeployments that cause the ``StatefulSet`` and its ``PersistentVolumeClaim`` to be deleted. +This provides some additional protection against wiping the storage in accidents or application redeployments that cause the ``StatefulSet`` and its ``PersistentVolumeClaim`` to be deleted. Existing ``PersistentVolumeClaim`` ================================== diff --git a/docs/applications/ingress-nginx/certificates.rst b/docs/applications/ingress-nginx/certificates.rst index ed7198dd73..ae9b6cdcaa 100644 --- a/docs/applications/ingress-nginx/certificates.rst +++ b/docs/applications/ingress-nginx/certificates.rst @@ -5,7 +5,7 @@ TLS certificates The entire Science Platform uses the same external hostname and relies on NGINX merging all the ingresses into a single virtual host with a single TLS configuration. As discussed in :ref:`hostnames`, TLS for the Science Platform can be configured with either a default certificate in ``ingress-nginx`` or through Let's Encrypt with the DNS solver. -If an installation is using Let's Encrypt with the DNS solver, no further configuration of the NGINX ingresss is required. +If an installation is using Let's Encrypt with the DNS solver, no further configuration of the NGINX ingress is required. See :doc:`../cert-manager/bootstrapping` for setup information. When using a commercial certificate, that certificate should be configured in the ``values-*.yaml`` for ``ingress-nginx`` for that environment. 
diff --git a/docs/applications/mobu/configuring.rst b/docs/applications/mobu/configuring.rst index 40e44f9eff..017f2fe685 100644 --- a/docs/applications/mobu/configuring.rst +++ b/docs/applications/mobu/configuring.rst @@ -42,7 +42,7 @@ Important points to note here: * If the monkey user will need additional scopes, they must be specified. Here, the required scope is ``exec:notebook``, which allows spawning Notebooks. - More scopes would be needed if the monkey were running notebooks that interacted with other services. + More scopes would be needed if the monkey were running notebooks that interacted with other applications. * The ``business`` key specifies the type of test to perform. Here, ``JupyterPythonLoop`` just runs a small bit of Python through the Jupyter lab API after spawning a lab pod. @@ -117,7 +117,7 @@ The usernames will be formed by adding consecutive digits to the end of the ``us Testing TAP =========== -Here is an example of testing a TAP service: +Here is an example of testing the TAP application: .. code-block:: yaml diff --git a/docs/applications/mobu/manage-flocks.rst b/docs/applications/mobu/manage-flocks.rst index be91c962d6..bf2be3c386 100644 --- a/docs/applications/mobu/manage-flocks.rst +++ b/docs/applications/mobu/manage-flocks.rst @@ -3,7 +3,7 @@ Managing mobu flocks #################### mobu is our monitoring system for the Science Platform. -It exercises JupyterHub and labs, and tests other services within the Science Platform by running notebooks on those labs. +It exercises JupyterHub and JupyterLab, and tests other applications within the Science Platform by running notebooks on those JupyterLab Pods. mobu calls each test runner a "monkey" and organizes them into groups called "flocks." You can get a list of flocks from the mobu API. diff --git a/docs/applications/postgres/add-database.rst b/docs/applications/postgres/add-database.rst index 69bfb5cbb4..ccca52bad6 100644 --- a/docs/applications/postgres/add-database.rst 
+++ b/docs/applications/postgres/add-database.rst @@ -16,17 +16,15 @@ to reauthenticate. Assuming that the internal Postgres is indeed the right choice for your needs, there are several steps. -========================= Decide on a database name ========================= In general the database will require three things: a database name, a username, and a password. Usually the database name and user should be -identical and should reflect the service that will consume the database, +identical and should reflect the application that will consume the database, e.g. ``gafaelfawr`` or ``exposurelog``. We will use ``exposurelog`` as the model for the remainder of this document. -================================== Add the database to the deployment ================================== @@ -34,21 +32,20 @@ Go to the ``services/postgres/templates`` directory from the Phalanx root, and edit ``deployment.yaml`` to add the new database/password entry. You should copy an existing entry, and it should look like this: - .. code-block:: yaml +.. code-block:: yaml - {{- with .Values.exposurelog_db }} - - name: VRO_DB_EXPOSURELOG_USER - value: {{ .user }} - - name: VRO_DB_EXPOSURELOG_DB - value: {{ .db }} - - name: VRO_DB_EXPOSURELOG_PASSWORD - valueFrom: - secretKeyRef: - name: postgres - key: exposurelog_password - {{- end }} + {{- with .Values.exposurelog_db }} + - name: VRO_DB_EXPOSURELOG_USER + value: {{ .user }} + - name: VRO_DB_EXPOSURELOG_DB + value: {{ .db }} + - name: VRO_DB_EXPOSURELOG_PASSWORD + valueFrom: + secretKeyRef: + name: postgres + key: exposurelog_password + {{- end }} -===================================== Add the database to Phalanx installer ===================================== 
@@ -60,27 +57,28 @@ the ``_postgres()`` method. Typically we use passwords that are ASCII representations of random 32-byte hexadecimal sequences. The passwords for all the non-root Postgres users already look like that, so copying an existing line -and changing the name to reflect your service is usually correct: +and changing the name to reflect your application is usually correct: - .. code-block:: python +.. code-block:: python + :caption: /installer/generate_secrets.py - self._set_generated("postgres", "exposurelog_password", secrets.token_hex(32)) + self._set_generated("postgres", "exposurelog_password", secrets.token_hex(32)) Finally, go edit the postgres ``values-.yaml`` files and add a section for your new database with appropriate ``user`` and ``db`` entries: - .. code-block:: yaml +.. code-block:: yaml + :caption: /services/postgres/values-.yaml - exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' + exposurelog_db: + user: 'exposurelog' + db: 'exposurelog' Now start the PR and review process. However, there is a step you still -must do before you can synchronize the updated services: put the +must do before you can synchronize the updated application: put the password into Vault so it appears in the postgres secrets. -================================ Manually add the secret to Vault ================================ @@ -102,7 +100,6 @@ just your new password. force Vault Secrets Operator to recreate it. * Repeat for each environment where you need the new database. -======================= Restart with new values ======================= @@ -121,4 +118,4 @@ that happens, you need to identify the ReplicaSet responsible for the stuck Pod, and delete that ReplicaSet. Once Postgres restarts, the new database will be present, with the user -and password set. At that point it is ready for use by your new service. +and password set. At that point it is ready for use by your new application. 
diff --git a/docs/applications/tap/index.rst b/docs/applications/tap/index.rst index daf552bf5d..ba45d9042c 100644 --- a/docs/applications/tap/index.rst +++ b/docs/applications/tap/index.rst @@ -18,7 +18,7 @@ TAP (Table Access Protocol) is an IVOA_ service that provides access to general On the Rubin Science Platform, it is provided by `lsst-tap-service `__, which is derived from the `CADC TAP service `__. The data itself, apart from schema queries, comes from qserv. -The ``tap`` service consists of the TAP Java web service, a PostgreSQL database used to track user job submissions, and (on development deployments) a mock version of qserv. +The ``tap`` application consists of the TAP Java web application, a PostgreSQL database used to track user job submissions, and (on development deployments) a mock version of qserv. Upgrading ``tap`` normally only requires an Argo CD sync. diff --git a/docs/applications/tap/update-tap-schema.rst b/docs/applications/tap/update-tap-schema.rst index 09987b6c9c..2981b10319 100644 --- a/docs/applications/tap/update-tap-schema.rst +++ b/docs/applications/tap/update-tap-schema.rst @@ -11,4 +11,4 @@ This table is kept in sync with the felis files using the following process: This will create a tag and run a publishing pipeline GitHub Action. That publishing pipeline will run the Python felis library against the YAML files in the ``yml`` directory and make different Docker images for the different supported environments. It will then push the images to DockerHub. -#. Update the ``appVersion`` version to the version of the new release in the `tap-schema Phalanx service `__. +#. Update the ``appVersion`` version to the version of the new release in the `tap-schema Phalanx application `__. diff --git a/docs/applications/vault-secrets-operator/index.rst b/docs/applications/vault-secrets-operator/index.rst index e30a0f6f99..41fe4d3882 100644 --- a/docs/applications/vault-secrets-operator/index.rst 
+++ b/docs/applications/vault-secrets-operator/index.rst @@ -16,8 +16,8 @@ vault-secrets-operator .. rubric:: Overview -The ``vault-secrets-operator`` service is an installation of `Vault Secrets Operator`_ to retrieve necessary secrets from Vault and materialize them as Kubernetes secrets for the use of other services. -It processes ``VaultSecret`` resources defined in the `Science Platform repository `__ and creates corresponding Kubernetes ``Secret`` resources. +The ``vault-secrets-operator`` application is an installation of `Vault Secrets Operator`_ to retrieve necessary secrets from Vault and materialize them as Kubernetes secrets for the use of other applications. +It processes ``VaultSecret`` resources defined in the `phalanx repository`_ and creates corresponding Kubernetes Secret_ resources. See :dmtn:`112` for the LSST Vault design. @@ -30,9 +30,9 @@ After upgrading, check that Vault Secrets Operator is still working properly by It should be nearly immediately re-created from the ``VaultSecret`` resource by Vault Secrets Operator. The Gafaelfawr secret is a good one to use for this purpose since it is only read during Gafaelfawr start-up. -.. rubric:: Bootstrapping the service +.. rubric:: Bootstrapping -Vault Secrets Operator is the only component of the Science Platform whose secret has to be manually created, so that it can create the secrets for all other services. +Vault Secrets Operator is the only component of the Science Platform whose secret has to be manually created, so that it can create the secrets for all other applications. This will be done automatically by the `install script `__. Its secret will look like this: diff --git a/docs/developers/add-a-onepassword-secret.rst b/docs/developers/add-a-onepassword-secret.rst index 4df166289d..c12dbc8f95 100644 --- a/docs/developers/add-a-onepassword-secret.rst +++ b/docs/developers/add-a-onepassword-secret.rst 
@@ -2,10 +2,10 @@ Add a secret with 1Password and VaultSecret ########################################### -Static secrets for services are stored in a 1Password vault before being automatically synced to the Vault service itself and ultimately to Kubernetes ``Secret`` resources via :ref:`vault-secrets-operator`. +Static secrets for applications are stored in a 1Password vault before being automatically synced to the Vault service itself and ultimately to Kubernetes Secret_ resources via :ref:`vault-secrets-operator`. Such secrets are things for external cloud services where we don't automatically provision accounts and password. When we manually create such a secret, we store it in 1Password. -This page provides steps for adding a service secret through 1Password. +This page provides steps for adding an application secret through 1Password. .. note:: @@ -14,7 +14,7 @@ This page provides steps for adding a service secret through 1Password. .. note:: - This document only covers creating a 1Password-backed Secret for the first time for a service. + This document only covers creating a 1Password-backed Secret for the first time for an application. If you want to update a Secret, either by adding new 1Password secrets or by changing their secret values, you should follow the instructions in :doc:`/developers/update-a-onepassword-secret`. Part 1. Open the 1Password vault @@ -33,7 +33,7 @@ Each item in a Kubernetes ``Secret`` corresponds to either the contents of a sec .. code-block:: text - {{service}} {{env}} {{description}} + {{application}} {{env}} {{description}} This format is a convention and isn't tied into the automation. The ``env`` can be omitted if the secret applies to all environments. 
@@ -47,7 +47,7 @@ Each item in a Kubernetes ``Secret`` corresponds to either the contents of a sec .. code-block:: text - {{service}} {{secret name}} + {{application}} {{secret name}} This field provides part of a Vault path for the secret value, which in turn is used by :ref:`vault-secrets-operator` resources to create Kubernetes secrets. @@ -60,7 +60,7 @@ Each item in a Kubernetes ``Secret`` corresponds to either the contents of a sec Part 3. Sync 1Password items into Vault ======================================= -Once a service's secrets are stored in 1Password, you need to sync them into Vault. +Once an application's secrets are stored in 1Password, you need to sync them into Vault. Open Phalanx's ``installer/`` directory: @@ -95,10 +95,10 @@ To sync multiple environments at once: Next steps: connecting Vault to Kubernetes with VaultSecret =========================================================== -Once a secret is in Vault, you need to create or update a ``VaultSecret`` resource in your services deployment (typically in its Helm_ chart). -See :doc:`create-service` for more details about creating a Helm chart for a service. +Once a secret is in Vault, you need to create or update a ``VaultSecret`` resource in your application's deployment (typically in its Helm_ chart). +See :doc:`create-an-application` for more details about creating a Helm chart for an application. -A conventional ``VaultSecret`` Helm template looks like this (update ``myapp`` with your service's name): +A conventional ``VaultSecret`` Helm template looks like this (update ``myapp`` with your application's name): .. code-block:: yaml 
@@ -117,12 +117,12 @@ This Vault path is formatted as: .. code-block:: text - secret/k8s_operator/{{host}}/{{service}} + secret/k8s_operator/{{host}}/{{application}} The path components correspond to metadata in 1Password items: - ``{{host}}`` corresponds to the value of the ``environment`` metadata field -- ``{{service}}`` corresponds to the first part of the ``generate_secrets_key`` metadata field +- ``{{application}}`` corresponds to the first part of the ``generate_secrets_key`` metadata field Within Kubernetes, vault-secrets-operator acts on the ``VaultSecret`` to create a ``Secret`` resource. The ``Secret`` has the same name and namespace as the ``VaultSecret`` that you explicitly template in your Helm chart. diff --git a/docs/developers/add-service.rst b/docs/developers/add-application.rst similarity index 51% rename from docs/developers/add-service.rst rename to docs/developers/add-application.rst index 9d5d7d3589..230807b01a 100644 --- a/docs/developers/add-service.rst +++ b/docs/developers/add-application.rst 
@@ -1,15 +1,19 @@ -############################ -Add a new service to Phalanx -############################ +################################ +Add a new application to Phalanx +################################ +This page provides the steps for integrating an application with Phalanx by adding the application's Helm chart. +For background on building an application, see the :ref:`dev-build-toc` documentation. Create the Helm chart ===================== -To deploy your service in the Rubin Science Platform, it must have either a Helm chart or a Kustomize configuration. -Currently, all services use Helm charts. -Kustomize is theoretically supported but there are no examples of how to make it work with multiple environments. -Using a Helm chart is recommended unless you are strongly motivated to work out the problems with using Kustomize and then document the newly-developed process. +To deploy your application with Phalanx, it must have either a Helm chart or a Kustomize configuration. +Currently, all applications use Helm charts. + +.. note:: + + Kustomize is theoretically supported but has not been used to date in the `phalanx repository`_, and therefore isn't recommended. There does not yet exist a SQuaRE-produced a template for the Helm chart; rather, we use the built-in Helm starter template. Use ``helm create`` to create a new chart from that template. 
@@ -20,9 +24,10 @@ You will need to make at least the following changes to the default Helm chart t - All secrets must come from ``VaultSecret`` resources, not Kubernetes ``Secret`` resources. You should use a configuration option named ``vaultSecretsPath`` in your ``values.yaml`` to specify the path in Vault for your secret. - This option will be customized per environment when you add the service to Phalanx (see :doc:`add-service`). + This option will be customized per environment when you add the application to Phalanx (see :ref:`add-argocd-application`). See :doc:`add-a-onepassword-secret` for more information about secrets. -- Services providing a web API should be protected by Gafaelfawr and require an appropriate scope. + +- Application providing a web API should be protected by Gafaelfawr and require an appropriate scope. This normally means adding annotations to the ``Ingress`` resource via ``values.yaml`` similar to: .. code-block:: yaml 
@@ -32,16 +37,16 @@ You will need to make at least the following changes to the default Helm chart t nginx.ingress.kubernetes.io/auth-method: "GET" nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:admin" - For user-facing services you will want a scope other than ``exec:admin``. - See `the Gafaelfawr documentation `__, specifically `protecting a service `__ for more information. -- If your service exposes Prometheus endpoints, you will want to configure these in the `telegraf service's prometheus_config `__. + For user-facing applications you will want a scope other than ``exec:admin``. + See `the Gafaelfawr's documentation on protecting an application `__ for more information. + +- If your application exposes Prometheus endpoints, you will want to configure these in the `telegraf application's prometheus_config `__. Documentation ------------- -We have begun using `helm-docs `__ to generate documentation for our Helm charts. +Phalanx uses `helm-docs`_ to generate documentation for Helm charts. This produces a nice Markdown README file that documents all the chart options, but it requires special formatting of the ``values.yaml`` file that is not present in the default Helm template. -If you want to do the additional work, this will produce the most nicely-documented Helm chart. Using helm-docs is currently optional, but very strongly recommended. Publication ----------- 
@@ -57,49 +62,53 @@ Existing Helm charts that are good examples to read or copy are: - `mobu `__ (also simple) - `gafaelfawr `__ (complex, including CRDs and multiple pods) -Adding an ArgoCD Application for your service -============================================= +.. _add-argocd-application: -Once you have a chart and a Docker image and you have added your static service secrets to 1Password (see :doc:`add-a-onepassword-secret`), you need to integrate your service into Phalanx. -This is done by creating an Argo CD application that manages your service. -This consists of an ``Application`` resource that's used by Argo CD and configuring your service with for each environment in which it's deployed, via ``values-*.yaml`` files in the service directory. +Adding an Argo CD Application for your application +================================================== -#. For each environment in which your service will run, create a ``values-.yaml`` file in your application's service directory. +Once you have a chart and a Docker image and you have added your static application secrets to 1Password (see :doc:`add-a-onepassword-secret`), you need to integrate your application into Phalanx. +This is done by creating an Argo CD ``Application`` that manages your application. + +#. For each environment in which your application will run, create a ``values-.yaml`` file in your application's directory. This should hold only the customization per Rubin Science Platform deployment. Any shared configuration should go into the defaults of your chart (``values.yaml``). If it is a third-party application repackaged as a Phalanx chart, you will need to add its configuration a little differently. See :ref:`external-chart-config` for more discussion.) -#. 
Most services will need a base URL, which is the top-level externally-accessible URL (this is presented within the chart as a separate parameter, although as we will see it is derived from the hostname) for the ingress to the application, the hostname, and the base path within Vault for storage of secrets. +#. Most applications will need a base URL, which is the top-level externally-accessible URL (this is presented within the chart as a separate parameter, although as we will see it is derived from the hostname) for the ingress to the application, the hostname, and the base path within Vault for storage of secrets. - In general these will be set within the application definition within the ``science-platform`` directory and carried through to service charts via global ArgoCD variables. You should generally simply need the boilerplate setting them to empty: + In general these will be set within the application definition within the ``science-platform`` directory and carried through to application charts via global Argo CD variables. + You should generally simply need the boilerplate setting them to empty: .. code-block:: yaml # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global: - # -- Base URL for the environment - # @default -- Set by Argo CD - baseUrl: "" + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" - # -- Host name for ingress - # @default -- Set by Argo CD - host: "" + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" - # -- Base path for Vault secrets - # @default -- Set by Argo CD - vaultSecretsPath: "" + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" #. Create the Argo CD application resource. - This is a new file in `/science-platform/templates `__ named ``-application.yaml`` where ```` must match the name of the directory created above. 
- The contents of this file should look like:: + This is a new file in `/science-platform/templates `__ named ``-application.yaml`` where ```` must match the name of the directory created above. + The contents of this file should look like: + + .. code-block:: yaml - {{- if .Values..enabled -}} + {{- if .Values..enabled -}} apiVersion: v1 kind: Namespace metadata: - name: + name: spec: finalizers: - kubernetes 
@@ -107,70 +116,63 @@ This consists of an ``Application`` resource that's used by Argo CD and configur apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: + name: namespace: argocd finalizers: - resources-finalizer.argocd.argoproj.io spec: destination: - namespace: + namespace: server: https://kubernetes.default.svc project: default source: - path: services/ + path: services/ repoURL: {{ .Values.repoURL }} targetRevision: {{ .Values.revision }} helm: parameters: - - name: "global.host" - value: {{ .Values.fqdn | quote }} - - name: "global.baseUrl" - value: "https://{{ .Values.fqdn }}" - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} valueFiles: - - "values.yaml" + - "values.yaml" - 'values-{{ .Values.environment }}.yaml" {{- end -}} - replacing every instance of ```` with the name of your service. - This creates the namespace and Argo CD application for your service. Note that this is where we derive baseURL from host. + Replace every instance of ```` with the name of your application. + This creates the namespace and Argo CD application for your application. + Note that this is where we derive baseURL from host. - Note that both of ``fqdn`` and ``host`` must be defined in each RSP - instance definition file (that is, ``values-.yaml``). Typically - this is done at the top; should you at some point deploy an entirely - new instance of the RSP, remember to do this in the base - science-platform application definition for the new instance. + Both the ``fqdn`` and ``host`` must be defined in each RSP instance definition file (that is, ``/science-platform/values-.yaml`` files in the `phalanx repository`_). 
+ Typically this is done at the top; should you at some point deploy an entirely new instance of the RSP, remember to do this in the base science-platform application definition for the new instance. -#. If your application image resides at a Docker repository which - requires authentication (either to pull the image at all or to raise - the pull rate limit), then you must tell any pods deployed by your - service to use a pull secret named ``pull-secret``, and you must - configure that pull secret in the application's - ``vault-secrets.yaml``. If you are using the default Helm template, - this will mean a block like: +#. If your application image resides at a Docker repository which requires authentication (either to pull the image at all or to raise + the pull rate limit), then you must tell any pods deployed by your application to use a pull secret named ``pull-secret``, and you must + configure that pull secret in the application's ``vault-secrets.yaml``. + If you are using the default Helm template, this will mean a block like: .. code-block:: yaml imagePullSecrets: - name: "pull-secret" - under the section for your chart. - If you are using an external chart, see its documentation for how to configure pull secrets. Note that if your container image is built through GitHub actions and stored at ghcr.io, there is no rate limiting (as long as your container image is built from a public repository, which it should be). If it is stored at Docker Hub, you should use a pull secret, because we have been (and will no doubt continue to be) rate-limited at Docker Hub in the past. If it is pulled from a private repository, obviously you will need authentication, and if the container is stored within the Rubin Google Artifact Registry, there is likely to be some Google setup required to make pulls magically work from within a given cluster. 
- In general, copying and pasting the basic setup from another service (``cachemachine`` or ``mobu`` recommended for simple services) is a good way to save effort. + In general, copying and pasting the basic setup from another application (``cachemachine`` or ``mobu`` recommended for simple applications) is a good way to save effort. -#. Finally, edit ``values.yaml`` and each of the ``values-*.yaml`` files in `/science-platform `__ and add a stanza for your service. +#. Finally, edit ``values.yaml`` and each of the ``values-*.yaml`` files in `/science-platform `__ and add a stanza for your application. The stanza in ``values.yaml`` should always say: .. code-block:: yaml - : + : enabled: false - replacing ```` with the name of your service. - For the other environments, set ``enabled`` to ``true`` if your service should be deployed there. - You almost certainly want to start in a dev or int environment and enable your new service in production environments only after it has been smoke-tested in less critical environments. + Replace ```` with the name of your application. + For the other environments, set ``enabled`` to ``true`` if your application should be deployed there. + You almost certainly want to start in a development or integration environment and enable your new application in production environments only after it has been smoke-tested in less critical environments.
diff --git a/docs/developers/add-external-chart.rst b/docs/developers/add-external-chart.rst
index 99f70ccfa3..e3b013912e 100644
--- a/docs/developers/add-external-chart.rst
+++ b/docs/developers/add-external-chart.rst
@@ -2,13 +2,12 @@ Adding an external Helm chart ############################# -Sometimes, rather than deploying a new service we wrote ourselves (see :doc:`create-service`), we want to deploy an existing external service in the Rubin Science Platform with some customizations. +Sometimes, rather than deploying a new application written specifically for Rubin Observatory (see :doc:`create-an-application`), we want to deploy an existing third-party application in the Rubin Science Platform with some customizations. -If the service has an existing published Helm chart (and most major open source services do, albeit sometimes not from the upstream service maintainers), we should use that Helm chart. +If the application has an existing published Helm chart, we should use that Helm chart. Below are details on how to do that. -This guide is somewhat general since every external service will be different in new and exciting ways. -Expect to spend a lot of time reading the upstream Helm chart documentation and iterating on configuration approaches when adding an external Helm chart. +This guide is somewhat general since every external application will be different. Potential problems ================== 
@@ -16,22 +15,21 @@ Potential problems No existing Helm chart ---------------------- -If the service does not have an existing published Helm chart, you should consider that a red flag that prompts you to reconsider whether this service is the right choice for the Rubin Science Platform. -To deploy it, you will need to write and maintain a Helm chart and keep it up-to-date for new releases of the service. +If the application does not have an existing published Helm chart, you should consider that a red flag that prompts you to reconsider whether this application is the right choice for the Rubin Science Platform. +To deploy it, you will need to write and maintain a Helm chart and keep it up-to-date for new releases of the application. This can be a substantial amount of work. -For large and complex services, it can even be a full-time job. +For large and complex applications, it can even be a full-time job. -**We cannot accept services in the Rubin Science Platform that are not kept up-to-date.** -It is a hard requirement that every service keep up with new upstream development and releases so that we get continued security support. -You must be able to commit to doing this for the lifetime of the project before adding an external service to the Rubin Science Platform. +**We cannot accept applications in the Rubin Science Platform that are not kept up-to-date.** +It is a hard requirement that every application keep up with new upstream development and releases so that we get continued security support. +You must be able to commit to doing this for the lifetime of the project before adding an external application to the Rubin Science Platform. If the benefit to the Rubin Science Platform seems worth the ongoing effort to write and maintain a Helm chart, try to contribute that Helm chart to the upstream maintainers so that we can share the burden of maintaining it with other projects that use Kubernetes. 
No published Helm chart ----------------------- -If the service has an existing, maintained Helm chart, but it's not published in a Helm repository, this is also a red flag, albeit a lesser one. -This normally means the people maintaining the Helm chart don't entirely understand Helm or the conventions of the Kubernetes ecosystem. +If the application has an existing, maintained Helm chart, but it's not published in a Helm repository, this is also a red flag, albeit a lesser one. In exceptional circumstances we can import such an external Helm chart into the `charts repository `__, but we would prefer not to do this since keeping it up-to-date with upstream changes is very awkward. .. _external-chart-config: 
@@ -41,10 +39,10 @@ Configure the external chart Configuration mostly involves carefully reading the documentation of the upstream Helm chart and building a ``values.yaml`` file that configures it appropriately. You may also need to add additional resources not created by the upstream Helm chart, particularly ``VaultSecret`` objects to create any secrets that it needs. -(See :doc:`add-a-onepassword-secret` for more about secrets.) +See :doc:`add-a-onepassword-secret` for more about secrets. If the required configuration for the chart is simple enough, you can reference the chart directly from Phalanx and put its configuration in the per-environment Phalanx ``values-*.yaml`` files. -In this case, you can skip ahead to :doc:`add-service`, although still read the information below on what settings you may need to configure. +In this case, you can skip ahead to :doc:`add-application`, although still read the information below on what settings you may need to configure. If configuring the chart is sufficiently complex, if you want to provide additional Kubernetes resources that are not part of the upstream chart, or if there is substantial configuration that should be shared between all Rubin Science Platform environments, you may want to create a wrapper chart. This is a chart that lives in the `charts repository `__ and includes the upstream chart as a subchart. 
@@ -66,6 +64,6 @@ If it is not, you will need to add a stanza like: - url: https://kubernetes.github.io/ingress-nginx/ name: ingress-nginx -to that configuration key for the ``values-*.yaml`` file for every environment in Phalanx that will deploy this service. +to that configuration key for the ``values-*.yaml`` file for every environment in Phalanx that will deploy this application. (The example above is for the ``ingress-nginx`` chart; the URL and name will obviously vary.) -Do that as a pull request, probably as part of your pull request to add your Argo CD application (see :doc:`add-service`). +Do that as a pull request, probably as part of your pull request to add your Argo CD application (see :doc:`add-application`).
diff --git a/docs/developers/service-chart-architecture.rst b/docs/developers/chart-overview.rst
similarity index 62%
rename from docs/developers/service-chart-architecture.rst
rename to docs/developers/chart-overview.rst
index 0d82e2650e..832caaca2a 100644
--- a/docs/developers/service-chart-architecture.rst
+++ b/docs/developers/chart-overview.rst
@@ -1,25 +1,19 @@ -#################################### -Overview of Helm charts for services -#################################### - -TK - -.. note:: - - This material is refactored from /overview/repository. - The purpose of this topic is to provide a more detailed guide on the structure and guidelines for the Helm charts of individual services. - Link back to /overview/repository in the introduction. +######################################## +Overview of Helm charts for applications +######################################## +This page provides overall guidelines on how Phalanx uses Helm charts for applications. Charts ====== -Argo CD manages services in the Rubin Science Platform through a set of Helm charts. +Argo CD manages applications in the Rubin Science Platform through a set of Helm charts. Which Helm charts to deploy in a given environment is controlled by the ``values-.yaml`` files in `/science-platform `__. -The `/services `__ directory defines templates in its ``templates`` directory and values to resolve those templates in ``values.yaml`` and ``values-.yaml`` files to customize the service for each environment. For first-party charts, the ``templates`` directory is generally richly populated. +The `/services `__ directory defines templates in its ``templates`` directory and values to resolve those templates in ``values.yaml`` and ``values-.yaml`` files to customize the application for each environment. For first-party charts, the ``templates`` directory is generally richly populated. -For third-party charts the ``templates`` directory might not exist or might have only a small set of resources specific to the Science Platform. In that case, most of the work of deploying a service is done by charts declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top-level service chart. +For third-party charts the ``templates`` directory might not exist or might have only a small set of resources specific to the Science Platform. 
+In that case, most of the work of deploying an application is done by charts declared as dependencies (via the ``dependencies`` key in ``Chart.yaml``) of the top-level chart. By convention, the top-level chart has the same name as the underlying chart that it deploys. Subcharts may be external third-party Helm charts provided by other projects, or, in rare instances, they may be Helm charts maintained by Rubin Observatory. In the latter case, these charts are maintained in the `lsst-sqre/charts GitHub repository `__. 
@@ -38,17 +32,20 @@ Third-party charts are declared as dependencies; they are normal, published Helm In the case of the ``lsst-sqre/charts`` repository, this is enforced by CI. We can then constrain the version of the chart Argo CD will deploy by changing the ``dependencies`` configuration in the top-level chart. -Best practice is for a release of a chart to deploy the latest version of the corresponding service, so that upgrading the chart also implies upgrading the service. -This allows automatic creation of pull requests to upgrade any services deployed by Argo CD (see `SQR-042 `__ for more details). +Best practice is for a release of a chart to deploy the latest version of the corresponding application, so that upgrading the chart also implies upgrading the application. +This allows automatic creation of pull requests to upgrade any applications deployed by Argo CD (see :sqr:`042`). Charts maintained as first-party charts in Phalanx follow this convention (for the most part). Most upstream charts also follow this convention, but some require explicitly changing version numbers in ``values-*.yaml``. In general, we pin the version of the chart to deploy in the ``dependencies`` metadata of the top-level chart. -This ensures deterministic cluster configuration and avoids inadvertently upgrading services. -However, for services still under development, we sometimes use a floating dependency to reduce the number of pull requests required when iterating, and then switch to a pinned version once the service is stable. +This ensures deterministic cluster configuration and avoids inadvertently upgrading applications. +However, for applications still under development, we sometimes use a floating dependency to reduce the number of pull requests required when iterating, and then switch to a pinned version once the application is stable. 
There is currently no generic mechanism to deploy different versions of a chart in different environments, as appVersion is set in ``Chart.yaml``. -That does not mean that rolling out a new version is all-or-nothing: you have a couple of different options for testing new versions. The easiest is to modify the appVersion in ``Chart.yaml`` on your development branch and then use ArgoCD to deploy the application from the branch, rather than ``master``, ``main``, or ``HEAD`` (as the case may be). This will cause the application resource in the ``science-platform`` app to show as out of sync, which is indeed correct, and a helpful reminder that you may be running from a branch when you forget and subsequently rediscover that fact weeks later. -Additionally, many charts allow specification of a tag (usually some variable like ``image.tag`` in a values file), so that is a possibility as well. If your chart doesn't have a way to control what image tag you're deploying from, consider adding the capability. +That does not mean that rolling out a new version is all-or-nothing: you have a couple of different options for testing new versions. +The easiest is to modify the appVersion in ``Chart.yaml`` on your development branch and then use Argo CD to deploy the application from the branch, rather than ``master``, ``main``, or ``HEAD`` (as the case may be). +This will cause the application resource in the ``science-platform`` app to show as out of sync, which is indeed correct, and a helpful reminder that you may be running from a branch when you forget and subsequently rediscover that fact weeks later. +Additionally, many charts allow specification of a tag (usually some variable like ``image.tag`` in a values file), so that is a possibility as well. +If your chart doesn't have a way to control what image tag you're deploying from, consider adding the capability. 
In any event, for RSP instances, we (as a matter of policy) disable automatic deployment in Argo CD so there is a human check on whether a given chart is safe to deploy in a given environment, and updates are deployed to production environments (barring extraordinary circumstances) during our specified maintenance windows.
diff --git a/docs/developers/create-an-application.rst b/docs/developers/create-an-application.rst
new file mode 100644
index 0000000000..c9159e804d
--- /dev/null
+++ b/docs/developers/create-an-application.rst
@@ -0,0 +1,55 @@
+##########################
+Building a new application
+##########################
+
+This page provides general guidance for creating an application in Python that can be deployed through Phalanx.
+If the goal is to instead deploy an existing third-party application with its own Helm chart in the Rubin Science Platform, see :doc:`add-external-chart`.
+
+To be deployed in the Rubin Science Platform, an application must come in the form of one or more Docker images and a Helm chart (or Kustomize configuration, although no application currently uses that approach) that deploys those images in Kubernetes.
+
+After you have finished the steps here, add any secrets you need for your application: :doc:`add-a-onepassword-secret`.
+Once you have done that, add the application to Phalanx: :doc:`add-application`.
+
+Write the application
+=====================
+
+Rubin-developed applications for the Rubin Science Platform should be written in Python unless there's some reason (such as using code developed elsewhere) that forces choice of a different language.
+For the common case of a web application (one that exposes an API via HTTP), we recommend using the `FastAPI framework `__.
+
+The easiest way to start a new FastAPI_ application written in Python and intended for the Rubin Science Platform is to create a new project using sqrbot-jr.
+On the LSSTC Slack, send the message ``create project`` to ``@sqrbot-jr``.
+Select ``FastAPI application (Safir)`` from the list of project types.
+This will create a new GitHub repository with the basic framework of a FastAPI_ application that will work well inside the Rubin Science Platform.
+The template uses Safir_ to simplify and regularize many parts of your FastAPI_ application, from logger to database handling.
+
+Any Python application destined for the RSP should regularly update its dependencies to pick up any security fixes.
+If your application follows the code layout of the FastAPI template, use `neophile `__ to automatically create PRs to update your dependencies.
+To add your application to the list of repositories that neophile updates, submit a PR to add the repository owner and name to `neophile's configuration `__.
+
+Each release of your application must be tagged.
+The tag should use `semantic versioning`_ (for example, ``1.3.2``).
+Creating a GitHub release for the tag is optional but recommended, and we recommend setting the title of the release to the name of the tag.
+If you are using the FastAPI template, tagging in this fashion is required since it triggers the GitHub Actions workflow to build and publish a Docker image with a tag matching the release version.
+
+Create the Docker image
+=======================
+
+The Docker image can be stored in any container registry that is usable by Kubernetes, but for Rubin-developed applications using the FastAPI template, we usually push `GitHub Container Registry (ghcr.io) `__.
+The Google Artifact Registry hosts the Science Platform images and may eventually be used more widely.
+If your image must be stored in a private container registry, the credentials for that registry must be added to the pull secret.
+
+If you use the FastAPI application template, a ``Dockerfile`` is be created as part of the new repository template, and a GitHub Actions workflow is set up in the new repository to build and push Docker images for tagged releases.
+
+If you use ``ghcr.io`` as your repository (which is the FastAPI template default) you can use GitHub's built-in ``GITHUB_TOKEN``; you don't need
+to create an additional secret.
+If you are using Docker Hub you must create two secrets in your new GitHub repository, ``DOCKER_USERNAME`` and ``DOCKER_TOKEN``.
+``DOCKER_USERNAME`` should be set to the Docker Hub username of the account that will be pushing the new Docker images.
+``DOCKER_TOKEN`` should be set to a secret authentication token for that account.
+We recommend creating a separate token for each GitHub repository for which you want to enable automatic image publication, even if they all use the same username.
+
+If using Docker Hub You may need to have a Docker Pro or similar paid Docker Hub account.
+Alternately, you can contact SQuaRE to set up Docker image publication using our Docker account.
+
+The next step is to create secrets for your application: :doc:`add-a-onepassword-secret`.
+
+Finally, deploy your application by creating a Helm chart and an Argo CD Application in Phalanx: :doc:`add-application`.
diff --git a/docs/developers/create-service.rst b/docs/developers/create-service.rst
deleted file mode 100644
index 651c9dcd06..0000000000
--- a/docs/developers/create-service.rst
+++ /dev/null
@@ -1,55 +0,0 @@
-####################
-Create a new service
-####################
-
-This documentation is intended for service administrators who are writing a new service in Python.
-If the goal is to instead deploy a third-party service with its own Helm chart in the Rubin Science Platform, see :doc:`add-external-chart`.
-
-To be deployed in the Rubin Science Platform, a service must come in the form of one or more Docker images and a Helm chart (or Kustomize configuration, although no service currently uses that approach) that deploys those images in Kubernetes.
-
-After you have finished the steps here, add any secrets you need for your service: :doc:`add-a-onepassword-secret`. Once you have done that, add the service to ArgoCD: :doc:`add-service`.
-
-Write the service
-=================
-
-Rubin-developed services for the Rubin Science Platform should be written in Python unless there's some reason (such as using code developed elsewhere) that forces choice of a different language.
-For the common case of a web service (one that exposes an API via HTTP), we recommend using the `FastAPI framework `__.
-
-The easiest way to start a new FastAPI service written in Python and intended for the Rubin Science Platform is to create a new project using sqrbot-jr.
-On the LSST Slack, send the message ``create project`` to ``@sqrbot-jr``.
-Select ``FastAPI application (Safir)`` from the list of project types.
-This will create a new GitHub repository with the basic framework of a FastAPI service that will work well inside the Rubin Science Platform.
-
-Any Python service destined for the RSP should regularly update its dependencies to pick up any security fixes.
-If your service follows the code layout of the FastAPI service template, using `neophile `__ to automatically create PRs to update your dependencies is strongly recommended.
-To add your service to the list of repositories that neophile updates, submit a PR to add the repository owner and name to `neophile's configuration `__.
-
-Each release of your service must be tagged.
-The tag should use `semantic versioning`_ (for example, ``1.3.2``).
-Creating a GitHub release for the tag is optional but recommended, and we recommend setting the title of the release to the name of the tag.
-If you are using the FastAPI template, tagging in this fashion is required since it triggers the GitHub Actions workflow to build and publish a Docker image with a tag matching the release version.
-
-Create the Docker image
-=======================
-
-The Docker image can be stored in any container registry that is usable by Kubernetes, but for Rubin-developed services using the FastAPI template, we usually push both to the `GitHub Container Registry (ghcr.io) `__ and Docker Hub (though we are reducing usage of Docker Hub).
-The Google Artifact Registry hosts the Science Platform images and may eventually be used more widely.
-If your image must be stored in a private container registry, the credentials for that registry must be added to the pull secret.
-
-If you use the FastAPI service template, a ``Dockerfile`` will be created as part of the new repository template, and GitHub Actions will be set up in the new repository to build and push new Docker images for tagged releases.
-
-If you use ghcr.io as your repository (which is the FastAPI template
-default) you can use GitHub's built-in ``GITHUB_TOKEN``; you don't need
-to create an additional secret.
-If you are using Docker Hub you must create two secrets in your new GitHub repository, ``DOCKER_USERNAME`` and ``DOCKER_TOKEN``.
-``DOCKER_USERNAME`` should be set to the Docker Hub username of the account that will be pushing the new Docker images.
-``DOCKER_TOKEN`` should be set to a secret authentication token for that account.
-We recommend creating a separate token for each GitHub repository for which you want to enable automatic image publication, even if they all use the same username.
-
-If using Docker Hub You may need to have a Docker Pro or similar paid Docker Hub account.
-Alternately, you can contact SQuaRE to set up Docker image publication using our Docker account.
-
-The next step is to create secrets for your application: :doc:`add-a-onepassword-secret`.
-
-Finally, deploy your service by creating a Helm chart and an ArgoCD
-Application in Phalanx: :doc:`add-service`.
diff --git a/docs/developers/deploy-from-a-branch.rst b/docs/developers/deploy-from-a-branch.rst
index 864392e24c..2b41e1b2ab 100644
--- a/docs/developers/deploy-from-a-branch.rst
+++ b/docs/developers/deploy-from-a-branch.rst
@@ -2,18 +2,18 @@ Deploying from a branch for development ####################################### -When developing services and their :doc:`Helm charts `, it's useful to temporarily deploy from a branch of Phalanx on :doc:`designated development environments ` before merging to Phalanx's default branch. +When developing applications and their :doc:`Helm charts `, it's useful to temporarily deploy from a branch of Phalanx on :doc:`designated development environments ` before merging to Phalanx's default branch. Some use cases include: - Testing that a new or updated Helm chart works in a higher-fidelity environment than the Minikube GitHub Actions CI cluster. -- Testing how a new or updated service interacts with other deployed services and cluster infrastructure like databases. +- Testing how a new or updated application interacts with other deployed applications and cluster infrastructure like databases. -Through this process it is possible to develop a service in a fairly tight loop, though it's best to augment this practice with unit tests within the service's codebase. +Through this process it is possible to develop an application in a fairly tight loop, though it's best to augment this practice with unit tests within the application's codebase. .. seealso:: - This page focuses on using a development environment to iteratively develop and test changes to a service, ultimately yielding a service upgrade in Phalanx. + This page focuses on using a development environment to iteratively develop and test changes to an application, ultimately yielding a applicatino upgrade in Phalanx. You can achieve the same result, without the iterative deployment testing, following the steps in :doc:`upgrade`. .. _deploy-branch-prep: 
@@ -21,12 +21,12 @@ Through this process it is possible to develop a service in a fairly tight loop, Preparing and pushing a branch ============================== -Start by creating a branch of the `phalanx repository`_ and editing your service. +Start by creating a branch of the `phalanx repository`_ and editing your appliation. -You can make many types of edits to the service. -The most straightforward changes are updates to your service's Docker images or the Helm sub-charts the service depends on. +You can make many types of edits to the application. +The most straightforward changes are updates to your application's Docker images or the Helm sub-charts the application depends on. See :doc:`upgrade`. -You can also make changes to the Helm values by editing the service's defaults in its ``values.yaml`` file, or the values for the development environment in the corresponding ``values-.yaml`` file. +You can also make changes to the Helm values by editing the application's defaults in its ``values.yaml`` file, or the values for the development environment in the corresponding ``values-.yaml`` file. Finally, you can also make changes to the Helm templates for Kubernetes resources. Commit your changes and push your branch to GitHub. 
@@ -34,30 +34,30 @@ Throughout this process, you can continue to commit changes and push updates to .. tip:: - In a development environment it's useful to force Kubernetes to pull the service's Docker images every time a Pod_ starts up. + In a development environment it's useful to force Kubernetes to pull the application's Docker images every time a Pod_ starts up. This way you can push edits to the Docker images with a specific development tag [1]_ and then have your test deployment use those updated images. This setting is controlled by the ``imagePullPolicy`` key in Deployment_ resources (and specifically their Pods_). - In typical service Helm charts the image pull policy is accessible from Helm values. - In the service's values file for the development environment, set this pull policy to ``Always``: + In typical application Helm charts the image pull policy is accessible from Helm values. + In the application's Helm values file for the development environment, set this pull policy to ``Always``: .. code-block:: yaml - :caption: services//values-.yaml + :caption: services//values-.yaml image: pullPolicy: Always - Consult the Helm values documentation for your service for details. + Consult the Helm values documentation for your application for details. .. [1] SQuaRE Docker images are tagged with the Git branch or tag they are built from, with a typical branch build being tagged as ``tickets-DM-00000``. Switching the Argo CD Application to sync the branch ==================================================== -By default, Argo CD syncs your service from the default branch (``master``) of the `phalanx repository`_. -Change the service in Argo CD to instead sync from the branch you've pushed to GitHub: +By default, Argo CD syncs your application from the default branch (``master``) of the `phalanx repository`_. +Change the application in Argo CD to instead sync from the branch you've pushed to GitHub: -1. Open your service's page in your environment's Argo CD UI. 
- Generally the URL path for this page, relative to the environment's domain, is ``/argo-cd/applications/``. +1. Open your application's page in your environment's Argo CD UI. + Generally the URL path for this page, relative to the environment's domain, is ``/argo-cd/applications/``. 2. Click on the resource of type ``Application``. In the tree view this is the root node. @@ -75,14 +75,14 @@ Change the service in Argo CD to instead sync from the branch you've pushed to G .. image:: application-revision-edit.jpg -5. In the service's page in Argo CD, click on the :guilabel:`Sync` button to redeploy the service from your branch. +5. In the application's page in Argo CD, click on the :guilabel:`Sync` button to redeploy the application from your branch. .. image:: sync-button.jpg -Updating the service's Helm chart -================================= +Updating the application's Helm chart +===================================== -While your service is in active development, you may need to update its Helm chart and corresponding Kubernetes resources. +While your application is in active development, you may need to update its Helm chart and corresponding Kubernetes resources. There are two ways of approaching these updates. .. _updating-resources-in-argo-cd: @@ -91,7 +91,7 @@ Editing resources directly in Argo CD ------------------------------------- The fastest method for trying out changes to Kubernetes resources is to directly edit those resources in the Argo CD UI. -In your service's Argo CD page you can click on a specific resource (such as a ConfigMap_ or Deployment_) and click the :guilabel:`Edit` button on the live manifest. +In your application's Argo CD page you can click on a specific resource (such as a ConfigMap_ or Deployment_) and click the :guilabel:`Edit` button on the live manifest. Make your changes, then click :guilabel:`Save`. Your application should show as out of sync. 
@@ -104,20 +104,20 @@ See :ref:`branch-deploy-restart`. .. important:: Edits to resources via the Argo CD UI are temporary. - To make permanent changes, you need to edit the service's Helm chart in the `phalanx repository`_. + To make permanent changes, you need to edit the application's Helm chart in the `phalanx repository`_. .. _updating-and-resyncing-from-branch: Updating and resyncing from the branch -------------------------------------- -When you have edited your service's Helm chart in your development branch of the `phalanx repository`_, you need to sync those changes to Kubernetes. +When you have edited your application's Helm chart in your development branch of the `phalanx repository`_, you need to sync those changes to Kubernetes. Argo CD generally refreshes automatically. -If you have pushed your branch to GitHub and Argo CD doesn't show that your application is out-of-sync, you can click the :guilabel:`Refresh` button on your service's Argo CD page. +If you have pushed your branch to GitHub and Argo CD doesn't show that your application is out-of-sync, you can click the :guilabel:`Refresh` button on your application's Argo CD page. -When your service shows an out-of-sync status, you can click the :guilabel:`Sync` button on your service's Argo CD page. -When individual services are synchronized their status changes from yellow to green. +When your application shows an out-of-sync status, you can click the :guilabel:`Sync` button on your application's Argo CD page. +When individual applications are synchronized their status changes from yellow to green. In some cases you many also need to restart Pods_ in Deployments_ to see changes take affect. See :ref:`branch-deploy-restart`. 
@@ -125,16 +125,16 @@ See :ref:`branch-deploy-restart`. Refreshing a deployment's Docker images ======================================= -Besides developing the service's Helm chart, you can also test branch builds of your service's Docker images inside Deployment_ resources. +Besides developing the Helm chart, you can also test branch builds of your application's Docker images inside Deployment_ resources. -To start, ensure that the Deployment_ is using development builds of your service's Docker images. -The best way to do this is to edit the service's Helm chart for the service in the development environment and to :ref:`sync those changes `. -For many services you can set the ``appVersion`` in the field in the service's ``Chart.yaml`` file to the name of the development Docker tag (see also :doc:`upgrade`). +To start, ensure that the Deployment_ is using development builds of your application's Docker images. +The best way to do this is to edit the application's Helm chart for the application in the development environment and to :ref:`sync those changes `. +For many applications you can set the ``appVersion`` in the field in the application's ``Chart.yaml`` file to the name of the development Docker tag (see also :doc:`upgrade`). You should also ensure that the Deployment_ is always pulling new images, rather than caching them, by setting the ``imagePullPolicy`` to ``Always``. This is covered in :ref:`deploy-branch-prep`. -When new Docker images for your services are available with the corresponding branch tag from a container repository, you will need to restart the deployments using those images. See :ref:`branch-deploy-restart`. +When new Docker images for your application are available with the corresponding branch tag from a container repository, you will need to restart the deployments using those images. See :ref:`branch-deploy-restart`. .. _branch-deploy-restart: 
@@ -145,7 +145,7 @@ Some changes won't affect a running Deployment_. For example, many Deployments_ only read ConfigMap_ or Secret_ resources when Pods_ initially start up. To realize an update, you'll see to restart the Pods_ in Deployments_. -To restart a Deployment_, find the Deployment_ resources in your service's Argo CD page, click on the three-vertical-dots icon, and select :guilabel:`Restart` from the menu. +To restart a Deployment_, find the Deployment_ resources in your application's Argo CD page, click on the three-vertical-dots icon, and select :guilabel:`Restart` from the menu. New pods will appear while old pods will shut down. .. figure:: restart-deployment.png 
@@ -156,17 +156,17 @@ New pods will appear while old pods will shut down. Select the :guilabel:`Restart` item to restart the deployment. If the new pods fail to start up, they will show a "crash-loop backoff" status and the old pods will continue to operate. -You'll need to resolve the error with changes to the service's Docker image and/or Helm charts. +You'll need to resolve the error with changes to the application's Docker image and/or Helm charts. After making fixes, you may need to restart the Deployment again. Merging and switching the Argo CD Application to the default branch =================================================================== Once development and testing is complete, you should submit the pull request for review following the `Data Management workflow guide`_. -Once your branch is merged, remember to reset your service's Argo CD ``Application`` resource to point back to the default branch (currently ``master``). +Once your branch is merged, remember to reset your application's Argo CD ``Application`` resource to point back to the default branch (currently ``master``). -1. Open your service's page in your environment's Argo CD UI. - Generally the URL path for this page, relative to the environment's domain, is ``argo-cd/applications/``. +1. Open your application's page in your environment's Argo CD UI. + Generally the URL path for this page, relative to the environment's domain, is ``argo-cd/applications/``. 2. Click on the resource of type ``Application``. In the tree view this is the root node. 
@@ -176,11 +176,11 @@ Once your branch is merged, remember to reset your service's Argo CD ``Applicati - Edit the :guilabel:`Target revision` field back to the default branch (``master``). - Finally, click on the :guilabel:`Save` button. -4. In the service's page in Argo CD, click on the :guilabel:`Sync` button to redeploy the service from the default branch. +4. In the application's page in Argo CD, click on the :guilabel:`Sync` button to redeploy the application from the default branch. Next steps ========== -Follow this page, you have iterated on the development of your service and ultimately upgraded that service in a development environment. +Follow this page, you have iterated on the development of your application and ultimately upgraded that application in a development environment. The next step is to roll out this change to other environments. This activity is normally done by the administrators for each environment, see :doc:`/admin/sync-argo-cd`. diff --git a/docs/developers/index.rst b/docs/developers/index.rst index 3c8bf0c10a..a9beca68d3 100644 --- a/docs/developers/index.rst +++ b/docs/developers/index.rst 
@@ -2,26 +2,28 @@ Developers ########## -Developers can deploy their applications on Rubin's Kubernetes environments, such as the Rubin Science Platform, by integrating their service with Phalanx. -In this section of the Phalanx documentation you can learn how to build and integrate your service with Phalanx, and how to test your service's deployment in development Phalanx environments. +Developers can deploy their applications on Rubin's Kubernetes environments, such as the Rubin Science Platform, by integrating into Phalanx. +In this section of the Phalanx documentation you can learn how to build and integrate your application with Phalanx, and how to test your applications deployment in development Phalanx environments. For background on Phalanx and how to contribute to the Phalanx repository itself, see the :doc:`/about/index` section. -Individual services are documented in :doc:`/applications/index` section. +Individual applications are documented in :doc:`/applications/index` section. .. toctree:: :maxdepth: 2 :titlesonly: :caption: Build + :name: dev-build-toc - create-service + create-an-application .. toctree:: :maxdepth: 2 :titlesonly: :caption: Integration + :name: dev-int-toc - service-chart-architecture - add-service + chart-overview + add-application add-external-chart add-a-onepassword-secret update-a-onepassword-secret @@ -30,6 +32,7 @@ Individual services are documented in :doc:`/applications/index` section. :maxdepth: 2 :titlesonly: :caption: Deploy & maintain + :name: dev-deploy-toc upgrade deploy-from-a-branch diff --git a/docs/developers/local-development.rst b/docs/developers/local-development.rst index e5aa4aa1cd..3280db4a39 100644 --- a/docs/developers/local-development.rst +++ b/docs/developers/local-development.rst 
@@ -2,18 +2,18 @@ Set up a local development environment with minikube #################################################### -Using `minikube `__ you can quickly set up a local Kubernetes cluster to help you adding a service to Phalanx (see :doc:`add-service`). +Using `minikube `__ you can quickly set up a local Kubernetes cluster to help you develop and test an application for Phalanx (see :doc:`add-application`). This page shows you how to run a Minikube cluster on macOS (amd64 or arm64) using the `docker driver `__. You may be able to deploy the entire Science Platform, provided that you have enough cpu and memory on your local machine. -If not, you can enable only the essential services to develop with minikube. +If not, you can enable only the essential applications to develop with minikube. .. warning:: This procedure may not create a fully-operational auth system since the ingress is different from the production system. As well, this procedure does not create a TLS certificate. - Instead, the recommended pattern for developing a service in a Kubernetes cluster is to use a development environment. + Instead, the recommended pattern for developing an application in a Kubernetes cluster is to use a development environment. See :doc:`deploy-from-a-branch` for details. Start minikube 
@@ -85,30 +85,29 @@ Set up a Phalanx branch for your local minikube deployment The ``install.sh`` uses the locally checked out branch of your Phalanx repository clone. -To conserve resources, you may want to deploy a subset of Phalanx services in your local minikube cluster. +To conserve resources, you may want to deploy a subset of Phalanx applications in your local minikube cluster. You can do this by editing the `/science-platform/values-minikube.yaml `_ file. -Set any service you do not want to deploy to ``enabled: false``. +Set any application you do not want to deploy to ``enabled: false``. Commit any changes with Git into a development branch of the Phalanx repository. **You must also push this development branch to the GitHub origin,** ``https://github.com/lsst-sqre/phalanx.git``. The ``install.sh`` script uses your locally-checked out branch of Phalanx, but also requires that the branch be accessible from GitHub. -**Services that must be disabled for local Minikube:** +**Application that must be disabled for local Minikube:** - ``ingress-nginx`` (conflicts with the minikube addon of Nginx Ingress Controller) -**Minimal set of services that should be enabled:** +**Minimal set of applications that should be enabled:** - ``vault_secrets_operator`` (for Vault secrets) - ``gafaelfawr`` (for authentication) -- ``postgreql`` (for gafaelfawr) +- ``postgresql`` (for gafaelfawr) Run the installer ------------------ Finally, run the installer for the minikube environment. - .. code-block:: sh ./install.sh minikube $VAULT_TOKEN @@ -123,7 +122,7 @@ Add the following line to ``/etc/hosts``. 127.0.0.1 minikube.lsst.codes -On a new terminal, use ``minikube tunnel`` to route traffic from the host to the services in minikube. +On a new terminal, use ``minikube tunnel`` to route traffic from the host to the application in minikube. .. code-block:: sh 
@@ -137,4 +136,4 @@ The minikube Argo CD admin password can be retrieved from Vault. VAULT_PATH_PREFIX=`yq -r .vault_path_prefix ../science-platform/values-minikube.yaml` vault kv get --field=argocd.admin.plaintext_password $VAULT_PATH_PREFIX/installer -With Argo CD you can sync your service (see :doc:`/admin/sync-argo-cd`). +With Argo CD you can sync your application (see :doc:`/admin/sync-argo-cd`). diff --git a/docs/developers/upgrade.rst b/docs/developers/upgrade.rst index 190b83d033..23c34d88da 100644 --- a/docs/developers/upgrade.rst +++ b/docs/developers/upgrade.rst 
@@ -1,13 +1,14 @@ -################### -Upgrading a service -################### +######################## +Upgrading an application +######################## -#. Release a new version of the service by pushing an image with the new version tag to whichever Docker repository is used. For more recent applications, this image should be built and pushed as a GitHub action upon release of a new version. +#. Release a new version of the application by pushing an image with the new version tag to whichever Docker repository is used. + For more recent applications, this image should be built and pushed as a GitHub action upon release of a new version. #. There are multiple possibilities that depend on the sort of application you have. - If it is a first-party application such as ``cachemachine``, with its chart directly in Phalanx, then it should use the recommended pattern of determining the default Docker tag via the ``appVersion`` chart metadata. This will only require updating ``appVersion`` in ``Chart.yaml``. - If, like ``cert-manager``, it's a third-party application with some extra resources glued in, and you are updating to a newer version of the third-party Helm chart, you will need to update the ``version`` in the dependency. - If it is a complex application such as ``sasquatch`` that bundles first- and third-party applications, you may need to do both, or indeed descend into the ``charts`` directory and update the ``appVersion`` of the subcharts therein. Tricky cases such as these may require some study before deciding on the best course of action. -Once you have updated the service, Argo CD will that the change is pending, but no changes will be applied automatically. +Once you have updated the application, Argo CD will that the change is pending, but no changes will be applied automatically. To apply the changes in a given environment, see :doc:`/admin/sync-argo-cd`. diff --git a/docs/index.rst b/docs/index.rst index 652206c075..8f88f9f272 100644 
--- a/docs/index.rst +++ b/docs/index.rst @@ -5,13 +5,13 @@ Phalanx: Rubin Observatory Kubernetes Application Configurations Phalanx [#name]_ is a GitOps repository for Rubin Observatory's Kubernetes environment, notably including the Rubin Science Platform deployments like https://data.lsst.cloud. Using Helm_ and `Argo CD`_, Phalanx defines the configuration of applications in each environment. -This documentation is for Rubin team members that are developing applications and operating Kubernetes clusters. +This documentation is for Rubin team members that are developing applications and administering Kubernetes clusters. Astronomers and other end-users can visit the `Rubin Documentation Portal `__ to learn how to use Rubin Observatory's software, services, and datasets. Phalanx is on GitHub at https://github.com/lsst-sqre/phalanx. .. [#name] A phalanx is a SQuaRE deployment (Science Quality and Reliability Engineering, the team responsible for the Rubin Science Platform). - Phalanx is how we ensure that all of our services work together as a unit. + Phalanx is how we ensure that all of our applications work together as a unit. .. toctree:: :maxdepth: 1 From c7aade22b0dbab1d1ca92abdd60502d2a381bd6f Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 7 Oct 2022 19:00:21 -0400 Subject: [PATCH 1128/1479] Add a card grid to the home page In lieu of a toctree on the homepage, this card grid provides short explainers for each section. --- docs/index.rst | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/docs/index.rst b/docs/index.rst index 8f88f9f272..06cb98feae 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -2,8 +2,8 @@ Phalanx: Rubin Observatory Kubernetes Application Configurations ################################################################ -Phalanx [#name]_ is a GitOps repository for Rubin Observatory's Kubernetes environment, notably including the Rubin Science Platform deployments like https://data.lsst.cloud. -Using Helm_ and `Argo CD`_, Phalanx defines the configuration of applications in each environment. +Phalanx [#name]_ is a GitOps repository for Rubin Observatory's Kubernetes environments, notably including Rubin Science Platform deployments like https://data.lsst.cloud. +Using Helm_ and `Argo CD`_, Phalanx defines the configurations of applications in each environment. This documentation is for Rubin team members that are developing applications and administering Kubernetes clusters. Astronomers and other end-users can visit the `Rubin Documentation Portal `__ to learn how to use Rubin Observatory's software, services, and datasets. @@ -22,3 +22,37 @@ Phalanx is on GitHub at https://github.com/lsst-sqre/phalanx. admin/index applications/index environments/index + +.. grid:: 3 + + .. grid-item-card:: About + :link: about/index + :link-type: doc + + Learn about Phalanx's design and how to contribute. + + .. grid-item-card:: Developers + :link: developers/index + :link-type: doc + + Learn how to develop applications that are deployed with Phalanx. + + .. grid-item-card:: Administrators + :link: admin/index + :link-type: doc + + Learn how install and operate Phalanx applications, such as the Rubin Science Platform, in your data access center. + +.. grid:: 2 + + .. grid-item-card:: Applications + :link: applications/index + :link-type: doc + + Learn about the individual applications that are configured to deploy with Phalanx. + + .. grid-item-card:: Environments + :link: environments/index + :link-type: doc + + Learn about the Kubernetes clusters that are running Phalanx. From a29588b940221384f97f92dca74104b0616c04e4 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Sun, 9 Oct 2022 17:21:58 -0400 Subject: [PATCH 1129/1479] Edits --- docs/developers/index.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/developers/index.rst b/docs/developers/index.rst index a9beca68d3..6c1d2be848 100644 --- a/docs/developers/index.rst +++ b/docs/developers/index.rst @@ -3,10 +3,10 @@ Developers ########## Developers can deploy their applications on Rubin's Kubernetes environments, such as the Rubin Science Platform, by integrating into Phalanx. -In this section of the Phalanx documentation you can learn how to build and integrate your application with Phalanx, and how to test your applications deployment in development Phalanx environments. +In this section of the Phalanx documentation you can learn how to build and integrate your application, and how to test your application's deployment in development Phalanx environments. For background on Phalanx and how to contribute to the Phalanx repository itself, see the :doc:`/about/index` section. -Individual applications are documented in :doc:`/applications/index` section. +Individual applications are documented in the :doc:`/applications/index` section. .. toctree:: :maxdepth: 2 From 1c9af4c6780469cee33ac7e87aa905b8dbf57bf8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 10 Oct 2022 01:39:59 +0000 Subject: [PATCH 1130/1479] Update Helm release argo-cd to v5.5.16 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index c82094f666..a2374455b0 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 5.5.7 + version: 5.5.16 repository: https://argoproj.github.io/argo-helm From 2e200cde26fa44ec5b26237b2d3acb4caed0987c Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 10 Oct 2022 08:51:12 -0700 Subject: [PATCH 1131/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 514b2deb70..9d877714a7 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 5.5.7 | +| https://argoproj.github.io/argo-helm | argo-cd | 5.5.16 | ## Values From 6138f83640b5174854aa9770bb3f5702a6c6a022 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 10 Oct 2022 16:00:22 +0000 Subject: [PATCH 1132/1479] Update Helm release telegraf-ds to v1.1.4 --- services/telegraf-ds/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml index a5917aa65c..d764825d71 100644 --- a/services/telegraf-ds/Chart.yaml +++ b/services/telegraf-ds/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.0 description: SQuaRE DaemonSet (K8s) telemetry collection service dependencies: - name: telegraf-ds - version: 1.1.3 + version: 1.1.4 repository: https://helm.influxdata.com/ From cf3f63b03633e848145e32e0c787b95b825e582a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 10 Oct 2022 09:08:38 -0700 Subject: [PATCH 1133/1479] Update Helm docs --- services/telegraf-ds/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index ffb5d374c4..6ecb49e95b 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md @@ -6,7 +6,7 @@ SQuaRE DaemonSet (K8s) telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf-ds | 1.1.3 | +| https://helm.influxdata.com/ | telegraf-ds | 1.1.4 | ## Values 
From 9a9000c92f89adcb4f982afa2e2fe286df4f70a9 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 10 Oct 2022 16:15:30 +0000 Subject: [PATCH 1134/1479] Update Helm release telegraf to v1.8.22 --- services/telegraf/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index 57d41b056f..0d72f6881b 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.1 description: SQuaRE telemetry collection service dependencies: - name: telegraf - version: 1.8.21 + version: 1.8.22 repository: https://helm.influxdata.com/ From dea45a445dd36c481dd49eaa33882ce791be15ca Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 10 Oct 2022 09:18:38 -0700 Subject: [PATCH 1135/1479] Update Helm docs --- services/telegraf/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf/README.md b/services/telegraf/README.md index 965f80143c..69755c73e3 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -6,7 +6,7 @@ SQuaRE telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf | 1.8.21 | +| https://helm.influxdata.com/ | telegraf | 1.8.22 | ## Values From bc36dbb34ca294dfa7aafdbee510d86acfe9c471 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 11 Oct 2022 13:29:09 -0700 Subject: [PATCH 1136/1479] Revert "Update Helm release argo-cd to v5.5.16" This reverts commit 1c9af4c6780469cee33ac7e87aa905b8dbf57bf8. This release of Argo CD has a buggy version of Dax that breaks Google authentication. Hopefully the next release will import the version of Dax with a fix. --- services/argocd/Chart.yaml | 2 +- services/argocd/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index a2374455b0..c82094f666 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 5.5.16 + version: 5.5.7 repository: https://argoproj.github.io/argo-helm diff --git a/services/argocd/README.md b/services/argocd/README.md index 9d877714a7..514b2deb70 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 5.5.16 | +| https://argoproj.github.io/argo-helm | argo-cd | 5.5.7 | ## Values From 07a2165745d6756f9506161aa2dcacfd29a8aff9 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 7 Oct 2022 14:35:55 -0700 Subject: [PATCH 1137/1479] Add InfluxDB2 to Sasquatch - InfluxDB2 HTTP API can be reached at /influxdb2/api/v2 - Review InfluxDB2 configuration - Use initialization script to create a bucket, Telegraf does not create buckets automatically in v2. --- services/sasquatch/Chart.yaml | 3 ++ services/sasquatch/README.md | 25 +++++++++++++++ services/sasquatch/values-idfdev.yaml | 8 +++-- services/sasquatch/values.yaml | 46 +++++++++++++++++++++++++++ 4 files changed, 79 insertions(+), 3 deletions(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index fde5ad9fe6..bbecba6998 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -12,6 +12,9 @@ dependencies: - name: influxdb version: 4.12.0 repository: https://helm.influxdata.com/ + - name: influxdb2 + version: 2.1.0 + repository: https://helm.influxdata.com/ - name: kafka-connect-manager version: 1.0.0 - name: chronograf diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 578ac86886..7367745533 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
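Review bot: The influxdb2 subchart added at `version: 2.1.0` in the sasquatch Chart.yaml hunk is wired, per the README table in this same commit, to defaults that read as development settings in the chart-wide values.yaml: `INFLUXD_LOG_LEVEL` is `"debug"` and `INFLUXD_FLUX_LOG_ENABLED` is `"true"`, so every Flux query is logged verbosely in every environment that enables the subchart. The same table shows the init script running `influx bucket create --name telegra-kafka-consumer --org default`, which looks like a typo for `telegraf-kafka-consumer` (the subchart name listed in the README header); if the consumer's own bucket setting is spelled correctly it would write to a bucket that was never created. The values.yaml and values-idfdev.yaml hunks that hold these settings are outside this chunk, so confirm there; the likely fix is to default `INFLUXD_LOG_LEVEL` to `"info"` in values.yaml and override it to `"debug"` only in values-idfdev.yaml, and to correct the bucket name in the init script.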
@@ -12,6 +12,7 @@ Rubin Observatory's telemetry service. | | telegraf-kafka-consumer | 1.0.0 | | https://helm.influxdata.com/ | chronograf | 1.2.5 | | https://helm.influxdata.com/ | influxdb | 4.12.0 | +| https://helm.influxdata.com/ | influxdb2 | 2.1.0 | | https://helm.influxdata.com/ | kapacitor | 1.4.6 | | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.1.0 | 
@@ -40,6 +41,30 @@ Rubin Observatory's telemetry service. | influxdb.resources.requests.cpu | int | `1` | | | influxdb.resources.requests.memory | string | `"1Gi"` | | | influxdb.setDefaultUser | object | `{"enabled":true,"user":{"existingSecret":"sasquatch"}}` | Default InfluxDB user, use influxb-user and influxdb-password keys from secret. | +| influxdb2.adminUser.bucket | string | `"default"` | Admin default bucket. | +| influxdb2.adminUser.existingSecret | string | `"sasquatch"` | Get admin-password/admin-token keys from secret. | +| influxdb2.adminUser.organization | string | `"default"` | Admin default organization. | +| influxdb2.env[0].name | string | `"INFLUXD_STORAGE_WAL_FSYNC_DELAY"` | | +| influxdb2.env[0].value | string | `"100ms"` | | +| influxdb2.env[1].name | string | `"INFLUXD_HTTP_IDLE_TIMEOUT"` | | +| influxdb2.env[1].value | string | `"0"` | | +| influxdb2.env[2].name | string | `"INFLUXD_FLUX_LOG_ENABLED"` | | +| influxdb2.env[2].value | string | `"true"` | | +| influxdb2.env[3].name | string | `"INFLUXD_LOG_LEVEL"` | | +| influxdb2.env[3].value | string | `"debug"` | | +| influxdb2.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/$2"` | | +| influxdb2.ingress.className | string | `"nginx"` | | +| influxdb2.ingress.enabled | bool | `false` | InfluxDB2 ingress configuration | +| influxdb2.ingress.hostname | string | `""` | | +| influxdb2.ingress.path | string | `"/influxdb2(/|$)(.*)"` | | +| influxdb2.initScripts.enabled | bool | `true` | InfluxDB2 initialization scripts | +| influxdb2.initScripts.scripts."init.sh" | string | `"#!/bin/bash\ninflux bucket create --name telegra-kafka-consumer --org default\n"` | | +| influxdb2.persistence.enabled | bool | `true` | Enable persistent volume claim. By default storageClass is undefined choosing the default provisioner (standard on GKE). | +| influxdb2.persistence.size | string | `"1Ti"` | Persistent volume size. @default 1Ti for teststand deployments. 
| +| influxdb2.resources.limits.cpu | int | `8` | | +| influxdb2.resources.limits.memory | string | `"96Gi"` | | +| influxdb2.resources.requests.cpu | int | `1` | | +| influxdb2.resources.requests.memory | string | `"1Gi"` | | | kafka-connect-manager | object | `{}` | Override kafka-connect-manager configuration. | | kapacitor.envVars | object | `{"KAPACITOR_SLACK_ENABLED":true}` | Kapacitor environment variables. | | kapacitor.existingSecret | string | `"sasquatch"` | InfluxDB credentials, use influxdb-user and influxdb-password keys from secret. | diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index de042df35f..9005ef64c9 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -6,7 +6,6 @@ strimzi-kafka: bootstrap: loadBalancerIP: "34.173.210.129" host: sasquatch-dev-kafka-bootstrap.lsst.cloud - brokers: - loadBalancerIP: "34.173.20.18" host: sasquatch-dev-kafka-0.lsst.cloud @@ -20,6 +19,11 @@ influxdb: enabled: true hostname: data-dev.lsst.cloud +influxdb2: + ingress: + enabled: true + hostname: data-dev.lsst.cloud + telegraf-kafka-consumer: kafkaConsumers: test: @@ -33,7 +37,6 @@ telegraf-kafka-consumer: topicRegexps: | [ ".*ATMCS" ] - kafdrop: ingress: enabled: true @@ -43,7 +46,6 @@ chronograf: ingress: enabled: true hostname: data-dev.lsst.cloud - env: GENERIC_NAME: "OIDC" GENERIC_AUTH_URL: https://data-dev.lsst.cloud/auth/openid/login diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index bf13551c75..83c38abe58 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml 
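Review bot: The new `influxdb2.ingress.enabled: true` / `hostname: data-dev.lsst.cloud` block publishes the InfluxDB 2 HTTP API on a public hostname, and neither this override nor the chart's `influxdb2.ingress` defaults carry an `nginx.ingress.kubernetes.io/auth-url` annotation, so InfluxDB's own token authentication is the only check on that path. If that is deliberate, record it next to the switch, e.g. `# Exposes the InfluxDB 2 API at /influxdb2; access is gated only by InfluxDB tokens, not by Gafaelfawr`. The other hunks in this file only remove blank lines.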
@@ -70,6 +70,52 @@ influxdb: memory: 96Gi cpu: 8 +influxdb2: + adminUser: + # -- Admin default organization. + organization: "default" + # -- Admin default bucket. + bucket: "default" + # -- Get admin-password/admin-token keys from secret. + existingSecret: sasquatch + persistence: + # -- Enable persistent volume claim. + # By default storageClass is undefined choosing the default provisioner (standard on GKE). + enabled: true + # -- Persistent volume size. + # @default 1Ti for teststand deployments. + size: 1Ti + ingress: + # -- InfluxDB2 ingress configuration + enabled: false + hostname: "" + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$2 + className: "nginx" + path: /influxdb2(/|$)(.*) + env: + - name: INFLUXD_STORAGE_WAL_FSYNC_DELAY + value: "100ms" + - name: INFLUXD_HTTP_IDLE_TIMEOUT + value: "0" + - name: INFLUXD_FLUX_LOG_ENABLED + value: "true" + - name: INFLUXD_LOG_LEVEL + value: "debug" + initScripts: + # -- InfluxDB2 initialization scripts + enabled: true + scripts: + init.sh: |+ + #!/bin/bash + influx bucket create --name telegra-kafka-consumer --org default + resources: + requests: + memory: 1Gi + cpu: 1 + limits: + memory: 96Gi + cpu: 8 # -- Override kafka-connect-manager configuration. kafka-connect-manager: {} From ac7012cedb61bea143a489648ba332cff7f00c59 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 7 Oct 2022 16:12:49 -0700 Subject: [PATCH 1138/1479] Add bucketmapper --- services/sasquatch/README.md | 3 ++ .../sasquatch/templates/bucketmapper.yaml | 39 +++++++++++++++++++ services/sasquatch/values.yaml | 8 ++++ 3 files changed, 50 insertions(+) create mode 100644 services/sasquatch/templates/bucketmapper.yaml diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 7367745533..6b3f2c1d61 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
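Review bot: The init script creates a bucket named `telegra-kafka-consumer` (missing an `f`), while the Telegraf consumer configured in PATCH 1139 writes to `influxdb2.bucket: "telegraf-kafka-consumer"`; since this commit itself notes that Telegraf does not create buckets in v2, the consumer's writes would target a bucket that does not exist. Change the script line to `influx bucket create --name telegraf-kafka-consumer --org default`, and consider `|` rather than `|+`, which keeps every trailing blank line as part of the script. The same hunk ships `INFLUXD_LOG_LEVEL: "debug"` and `INFLUXD_FLUX_LOG_ENABLED: "true"` as chart-wide defaults; if they are meant for data-dev only they belong in the environment override, otherwise add a comment saying why production runs at debug with query logging on. `INFLUXD_HTTP_IDLE_TIMEOUT: "0"` also deserves a one-line comment on what it is working around.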
@@ -20,6 +20,9 @@ Rubin Observatory's telemetry service. | Key | Type | Default | Description | |-----|------|---------|-------------| +| bucketmapper.image | object | `{"repository":"ghcr.io/lsst-sqre/rubin-influx-tools","tag":"0.1.22"}` | image for monitoring-related cronjobs | +| bucketmapper.image.repository | string | `"ghcr.io/lsst-sqre/rubin-influx-tools"` | repository for rubin-influx-tools | +| bucketmapper.image.tag | string | `"0.1.22"` | tag for rubin-influx-tools | | chronograf.env | object | `{"BASE_PATH":"/chronograf","CUSTOM_AUTO_REFRESH":"1s=1000","HOST_PAGE_DISABLED":true}` | Chronograf environment variables. | | chronograf.envFromSecret | string | `"sasquatch"` | Chronograf secrets, expected keys generic_client_id, generic_client_secret and token_secret. | | chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.4"}` | Chronograf image tag. | diff --git a/services/sasquatch/templates/bucketmapper.yaml b/services/sasquatch/templates/bucketmapper.yaml new file mode 100644 index 0000000000..f94a3545c3 --- /dev/null +++ b/services/sasquatch/templates/bucketmapper.yaml 
@@ -0,0 +1,39 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: sasquatch-bucketmapper + namespace: sasquatch +spec: + schedule: "3-59/15 * * * *" + successfulJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + spec: + restartPolicy: Never + automountServiceAccountToken: false + containers: + - name: bucketmapper + image: "{{ .Values.bucketmapper.image.repository }}:{{ .Values.bucketmapper.image.tag }}" + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 405 + runAsGroup: 100 + capabilities: + drop: + - all + readOnlyRootFilesystem: true + env: + - name: "INFLUXDB_TOKEN" + valueFrom: + secretKeyRef: + name: "sasquatch" + key: "admin-token" + - name: "INFLUXDB_ORG" + value: "default" + - name: "INFLUXDB_URL" + value: "http://sasquatch-influxdb2.sasquatch:80" + - name: "DEBUG" + value: "true" + command: [ "bucketmapper" ] \ No newline at end of file diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 83c38abe58..8a748f681d 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -180,6 +180,14 @@ kapacitor: memory: 16Gi cpu: 4 +bucketmapper: + # -- image for monitoring-related cronjobs + image: + # -- repository for rubin-influx-tools + repository: ghcr.io/lsst-sqre/rubin-influx-tools + # -- tag for rubin-influx-tools + tag: 0.1.22 + global: # -- Base path for Vault secrets # @default -- Set by Argo CD From b463e8c70930d4d8600caceb572c9bcdc9dc518e Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 10 Oct 2022 12:56:22 -0700 Subject: [PATCH 1139/1479] Configure Telegraf Kafka consumer with InfluxDB2 --- .../charts/telegraf-kafka-consumer/README.md | 6 +++--- .../telegraf-kafka-consumer/templates/configmap.yaml | 10 +++++----- .../charts/telegraf-kafka-consumer/values.yaml | 12 ++++++------ 3 files changed, 14 insertions(+), 14 deletions(-) 
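Review bot: `drop: - all` under the container's `securityContext.capabilities` should be spelled `ALL`; that is the form the Kubernetes documentation uses and what the restricted Pod Security Standard check looks for, so the lowercase form may pass the runtime but fail admission. The job also injects the InfluxDB `admin-token` for what appears to be a bucket-mapping task; if the tool only needs bucket read/write, a scoped token stored alongside it in the same secret would keep the admin credential out of a cron job. `namespace: sasquatch` and `INFLUXDB_URL: "http://sasquatch-influxdb2.sasquatch:80"` are hard-coded where the rest of the chart templates values, so `{{ .Release.Namespace }}` would be more conventional, and `DEBUG: "true"` is presumably not intended as the production default. The file is also missing its trailing newline.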
diff --git a/services/sasquatch/charts/telegraf-kafka-consumer/README.md b/services/sasquatch/charts/telegraf-kafka-consumer/README.md index d1b1073976..1c9a74089e 100644 --- a/services/sasquatch/charts/telegraf-kafka-consumer/README.md +++ b/services/sasquatch/charts/telegraf-kafka-consumer/README.md @@ -12,14 +12,14 @@ Telegraf is an agent written in Go for collecting, processing, aggregating, and | env[0].name | string | `"TELEGRAF_PASSWORD"` | | | env[0].valueFrom.secretKeyRef.key | string | `"telegraf-password"` | Telegraf KafkaUser password. | | env[0].valueFrom.secretKeyRef.name | string | `"sasquatch"` | | -| env[1].name | string | `"INFLUXDB_ADMIN_PASSWORD"` | | -| env[1].valueFrom.secretKeyRef.key | string | `"influxdb-password"` | InfluxDB admin password. | +| env[1].name | string | `"INFLUXDB_TOKEN"` | | +| env[1].valueFrom.secretKeyRef.key | string | `"admin-token"` | InfluxDB admin token. | | env[1].valueFrom.secretKeyRef.name | string | `"sasquatch"` | | | image.pullPolicy | string | IfNotPresent | Image pull policy. | | image.repo | string | `"lsstsqre/telegraf"` | Telegraf image repository. | | image.tag | string | `"kafka-regexp"` | Telegraf image tag. | | imagePullSecrets | list | `[]` | Secret names to use for Docker pulls. | -| influxdb.database | string | `"telegraf-kafka-consumer"` | Name of the InfluxDB database to write to. | +| influxdb2.bucket | string | `"telegraf-kafka-consumer"` | Name of the InfluxDB v2 bucket to write to. | | kafkaConsumers.test.enabled | bool | `false` | Enable the Telegraf Kafka consumer. | | kafkaConsumers.test.flush_interval | string | `"1s"` | Default data flushing interval to InfluxDB. | | kafkaConsumers.test.interval | string | `"1s"` | Data collection interval for the Kafka consumer. | diff --git a/services/sasquatch/charts/telegraf-kafka-consumer/templates/configmap.yaml b/services/sasquatch/charts/telegraf-kafka-consumer/templates/configmap.yaml index 4489e763d8..40072b3e68 100644 
--- a/services/sasquatch/charts/telegraf-kafka-consumer/templates/configmap.yaml +++ b/services/sasquatch/charts/telegraf-kafka-consumer/templates/configmap.yaml @@ -23,13 +23,13 @@ data: quiet = false round_interval = true - [[outputs.influxdb]] - database = {{ $.Values.influxdb.database | quote }} - password = "$INFLUXDB_ADMIN_PASSWORD" + [[outputs.influxdb_v2]] + bucket = {{ $.Values.influxdb2.bucket | quote }} + token = "$INFLUXDB_TOKEN" + organization = "default" urls = [ - "http://sasquatch-influxdb.sasquatch:8086" + "http://sasquatch-influxdb2.sasquatch:80" ] - username = "admin" [[inputs.kafka_consumer]] avro_schema_registry = "http://sasquatch-schema-registry.sasquatch:8081" diff --git a/services/sasquatch/charts/telegraf-kafka-consumer/values.yaml b/services/sasquatch/charts/telegraf-kafka-consumer/values.yaml index 6cb3dd3a47..ba88a40e07 100644 --- a/services/sasquatch/charts/telegraf-kafka-consumer/values.yaml +++ b/services/sasquatch/charts/telegraf-kafka-consumer/values.yaml @@ -28,12 +28,12 @@ env: name: sasquatch # -- Telegraf KafkaUser password. key: telegraf-password - - name: INFLUXDB_ADMIN_PASSWORD + - name: INFLUXDB_TOKEN valueFrom: secretKeyRef: name: sasquatch - # -- InfluxDB admin password. - key: influxdb-password + # -- InfluxDB admin token. + key: admin-token # -- Name of the secret with values to be added to the environment. envFromSecret: "" @@ -51,9 +51,9 @@ kafkaConsumers: topicRegexps: | [ ".*Test" ] -influxdb: - # -- Name of the InfluxDB database to write to. - database: "telegraf-kafka-consumer" +influxdb2: + # -- Name of the InfluxDB v2 bucket to write to. + bucket: "telegraf-kafka-consumer" # -- Kubernetes resources requests and limits. resources: {} From 28724f18b8f018afafa4f5934eaf3ed0bcd5c425 Mon Sep 17 00:00:00 2001 
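Review bot: `organization = "default"` is hard-coded in the new `[[outputs.influxdb_v2]]` block while `bucket` is templated from `$.Values.influxdb2.bucket`, and the parent chart makes `influxdb2.adminUser.organization` configurable; a deployment that changes the org would silently write to the wrong one. Expose it the same way as the bucket, e.g. `organization = {{ $.Values.influxdb2.organization | quote }}` with a matching `influxdb2.organization: "default"` default added in this subchart's values.yaml. Separately, the consumer now authenticates with the InfluxDB `admin-token`, so the write path holds a full-admin credential; a write-scoped token for this bucket would be the least-privilege option. The `urls` entry also moves to plain HTTP on port 80, which is reasonable in-cluster but worth a comment stating that assumption.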
From: Angelo Fausti Date: Tue, 11 Oct 2022 10:53:51 -0700 Subject: [PATCH 1140/1479] Publish InfluxDB2 API under /influxdb2 --- services/sasquatch/README.md | 2 +- services/sasquatch/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 6b3f2c1d61..9ecbeffab6 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -55,7 +55,7 @@ Rubin Observatory's telemetry service. | influxdb2.env[2].value | string | `"true"` | | | influxdb2.env[3].name | string | `"INFLUXD_LOG_LEVEL"` | | | influxdb2.env[3].value | string | `"debug"` | | -| influxdb2.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/$2"` | | +| influxdb2.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/api/v2/$2"` | | | influxdb2.ingress.className | string | `"nginx"` | | | influxdb2.ingress.enabled | bool | `false` | InfluxDB2 ingress configuration | | influxdb2.ingress.hostname | string | `""` | | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 8a748f681d..aa648432c5 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -90,7 +90,7 @@ influxdb2: enabled: false hostname: "" annotations: - nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/rewrite-target: /api/v2/$2 className: "nginx" path: /influxdb2(/|$)(.*) env: From 5f862575c3c5500a051e7d8e20f9061945f47a0d Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Tue, 11 Oct 2022 15:13:11 -0400 Subject: [PATCH 1141/1479] Add a "phalanx" Python package Although phalanx won't every be published to PyPI, using standard Python packaging lets us used our common methods for dependency management, testing, and managing Python CLIs. --- .gitignore | 131 +++++++++++++++++++++++++++++++++++++++- Makefile | 9 ++- pyproject.toml | 71 ++++++++++++++++++++++ src/phalanx/__init__.py | 18 ++++++ tests/__init__.py | 0 tests/packaging_test.py | 11 ++++ tox.ini | 45 ++++++++++++++ 7 files changed, 283 insertions(+), 2 deletions(-) create mode 100644 src/phalanx/__init__.py create mode 100644 tests/__init__.py create mode 100644 tests/packaging_test.py create mode 100644 tox.ini diff --git a/.gitignore b/.gitignore index 30f71890ea..fe29a93c2c 100644 --- a/.gitignore +++ b/.gitignore 
@@ -2,6 +2,135 @@ /installer/docker-creds /services/*/charts/*.tgz /services-expanded/ -.DS_Store **/Chart.lock + +# Byte-compiled / optimized / DLL files __pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +pip-wheel-metadata/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ +docs/api/ + +# PyBuilder +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +.python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# PEP 582; used by e.g. 
github.com/David-OConnor/pyflow +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ diff --git a/Makefile b/Makefile index 76c7436057..8fd55e5a25 100644 --- a/Makefile +++ b/Makefile @@ -5,5 +5,12 @@ help: .PHONY: init: - pip install --upgrade pre-commit + pip install --upgrade pre-commit tox pre-commit install + pip install -e ".[dev]" + rm -rf .tox + +.PHONY: +clean: + rm -rf .tox + make -C docs clean diff --git a/pyproject.toml b/pyproject.toml index df2f642492..8a2cf620e3 100644 --- a/pyproject.toml +++ b/pyproject.toml 
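Review bot: `.DS_Store` is dropped from the ignore list (`-.DS_Store` in the first hunk) and nothing in the added block re-adds it, so macOS metadata files would start appearing as untracked changes; if the removal was unintended, keep the `.DS_Store` line. The rest of the hunk is the stock Python template and raises nothing.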
@@ -1,3 +1,74 @@ +[project] +# https://packaging.python.org/en/latest/specifications/declaring-project-metadata/ +name = "phalanx" +version = "1.0.0" +description = "Python support code for the Rubin Phalanx platform." +# license = {file = "LICENSE"} +readme= "README.rst" +keywords = [ + "rubin", + "lsst", +] +# https://pypi.org/classifiers/ +classifiers = [ + "Development Status :: 5 - Production/Stable", + "License :: OSI Approved :: MIT License", + "Programming Language :: Python", + "Programming Language :: Python :: 3", + "Intended Audience :: Developers", + "Operating System :: POSIX", +] +requires-python = ">=3.8" +dependencies = [] + +[project.optional-dependencies] +dev = [ + # Testing + "coverage[toml]", + "pytest", + "pre-commit", + "mypy", + # Documentation + "documenteer[guide]>=0.7.0b4", + "sphinx-diagrams" +] + +[project.urls] +Homepage = "https://phalanx.lsst.io" +Source = "https://github.com/lsst-sqre/phalanx" + +[build-system] +requires = [ + "setuptools>=61", + "wheel", + "setuptools_scm[toml]>=6.2" +] +build-backend = "setuptools.build_meta" + +[tool.setuptools_scm] + +[tool.coverage.run] +parallel = true +branch = true +source = ["phalanx"] + +[tool.coverage.paths] +source = ["src", ".tox/*/site-packages"] + +[tool.coverage.report] +show_missing = true +exclude_lines = [ + "pragma: no cover", + "def __repr__", + "if self.debug:", + "if settings.DEBUG", + "raise AssertionError", + "raise NotImplementedError", + "if 0:", + "if __name__ == .__main__.:", + "if TYPE_CHECKING:" +] + [tool.black] line-length = 79 target-version = ['py38'] diff --git a/src/phalanx/__init__.py b/src/phalanx/__init__.py new file mode 100644 index 0000000000..a48ec8244e --- /dev/null +++ b/src/phalanx/__init__.py 
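Review bot: `version = "1.0.0"` is declared statically under `[project]` while `[tool.setuptools_scm]` is also enabled and `setuptools_scm[toml]>=6.2` is in the build requirements; setuptools_scm expects the version to be marked `dynamic = ["version"]` and derived from git, so one of the two settings is ineffective and the installed version may not be the one intended. Pick one: either drop the `[tool.setuptools_scm]` table and its build dependency, or replace the static line with `dynamic = ["version"]`. `readme= "README.rst"` is missing the space before `=`, and `Development Status :: 5 - Production/Stable` is an odd classifier for a package the commit says will never be published.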
@@ -0,0 +1,18 @@ +"""The phalanx package provides support tooling for Phalanx, SQuaRE's +application deployment platform. +""" + +__all__ = ["__version__"] + +from importlib.metadata import PackageNotFoundError, version + +__version__: str +"""The version string, although ``phalanx`` isn't technically released +like a typical Python package. +""" + +try: + __version__ = version(__name__) +except PackageNotFoundError: + # package is not installed + __version__ = "0.0.0" diff --git a/tests/__init__.py b/tests/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/packaging_test.py b/tests/packaging_test.py new file mode 100644 index 0000000000..5010938f07 --- /dev/null +++ b/tests/packaging_test.py @@ -0,0 +1,11 @@ +"""Test that the Python packaging metadata.""" + +from __future__ import annotations + +from phalanx import __version__ + + +def test_vesrion() -> None: + """Test that the package has a version (and is installed).""" + assert len(__version__) > 0 + assert __version__ != "0.0.0" # would be if not installed diff --git a/tox.ini b/tox.ini new file mode 100644 index 0000000000..6650653286 --- /dev/null +++ b/tox.ini 
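Review bot: The test function in `tests/packaging_test.py` is named `test_vesrion`; pytest still collects it because of the `test_` prefix, but it should be `def test_version() -> None:` so it can be found by name. The module docstring `"""Test that the Python packaging metadata."""` is a sentence fragment; `"""Tests for the Python packaging metadata."""` reads correctly.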
@@ -0,0 +1,45 @@ +[tox] +envlist = py,coverage-report,typing,lint,docs,docs-linkcheck +isolated_build = True + +[testenv] +description = Run pytest against {envname}. +extras = + dev + +[testenv:py] +description = Run pytest +commands = + coverage run -m pytest {posargs} + +[testenv:coverage-report] +description = Compile coverage from each test run. +skip_install = true +deps = coverage[toml]>=5.0.2 +depends = + py +commands = + coverage combine + coverage report + +[testenv:typing] +description = Run mypy. +commands = + mypy src/phalanx tests + +[testenv:lint] +description = Lint codebase by running pre-commit (Black, isort, Flake8). +skip_install = true +deps = + pre-commit +commands = pre-commit run --all-files + +[testenv:docs] +description = Build documentation (HTML) with Sphinx. +commands = + sphinx-build --keep-going -n -W -T -b html -d {envtmpdir}/doctrees docs docs/_build/html + +[testenv:docs-linkcheck] +description = Check links in the documentation. +commands = + sphinx-build --keep-going -n -W -T -b linkcheck -d {envtmpdir}/doctrees docs docs/_build/linkcheck From 4f209c029d004dc6d22966264db3e7b75150f47c Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 11 Oct 2022 16:36:58 -0400 Subject: [PATCH 1142/1479] Update Gafaelfawr doc links Some URLs changed after the recent restructure. --- docs/admin/bootstrapping.rst | 2 +- docs/developers/add-application.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/admin/bootstrapping.rst b/docs/admin/bootstrapping.rst index e6812411e0..76849bb5bd 100644 --- a/docs/admin/bootstrapping.rst +++ b/docs/admin/bootstrapping.rst 
@@ -110,7 +110,7 @@ If you are using GitHub, group membership will be synthesized from all of the te These must be team memberships, not just organization memberships. The corresponding group for Gafaelfawr purposes will be ``-`` where ```` is the team **slug**, not the team name. That means the team name will be converted to lowercase and spaces will be replaced with dashes, and other transformations will be done for special characters. -For more information about how Gafaelfawr constructs groups from GitHub teams, see `the Gafaelfawr documentation `__. +For more information about how Gafaelfawr constructs groups from GitHub teams, see `the Gafaelfawr documentation `__. For an example of a ``group_mapping`` configuration for GitHub authentication, see `/applications/gafaelfawr/values-idfdev.yaml `__. diff --git a/docs/developers/add-application.rst b/docs/developers/add-application.rst index 230807b01a..b513c92107 100644 --- a/docs/developers/add-application.rst +++ b/docs/developers/add-application.rst @@ -38,7 +38,7 @@ You will need to make at least the following changes to the default Helm chart t nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:admin" For user-facing applications you will want a scope other than ``exec:admin``. - See `the Gafaelfawr's documentation on protecting an application `__ for more information. + See `the Gafaelfawr's documentation on Ingress configurations `__ for more information. - If your application exposes Prometheus endpoints, you will want to configure these in the `telegraf application's prometheus_config `__. From df2f8e3b06bdcdf5870b8f2054b3839155eae4db Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 11 Oct 2022 16:37:40 -0400 Subject: [PATCH 1143/1479] Fix syntax errors These didn't get picked up in the original documentation update. --- docs/about/repository.rst | 2 +- docs/admin/update-pull-secret.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/about/repository.rst b/docs/about/repository.rst index e7a2b6259b..b79836979c 100644 --- a/docs/about/repository.rst +++ b/docs/about/repository.rst @@ -74,7 +74,7 @@ See :doc:`contributing-docs`. starters directory ------------------ -:bdg-link-primary-line:`Browse /docs/ on GitHub ` +:bdg-link-primary-line:`Browse /docs/ on GitHub ` This directory contains templates for contributing new applications to Phalanx. See :doc:`/developers/add-application`. diff --git a/docs/admin/update-pull-secret.rst b/docs/admin/update-pull-secret.rst index 22ff6783fa..7e590a06aa 100644 --- a/docs/admin/update-pull-secret.rst +++ b/docs/admin/update-pull-secret.rst @@ -6,7 +6,7 @@ The pull secret, present in each RSP instance, and shared by many applications there, is notoriously tricky to format correctly. The recommended way to update it is to edit the pull secret in 1Password -and then deploy it with the `installer/update-secrets.sh` script; +and then deploy it with the ``installer/update-secrets.sh`` script; however, this only works (at the time of writing, 20 May 2022) on Linux systems with the 1Password 1.x CLI installed. From 91c349ce60f491594c851a6e88e40f4a9d7f3753 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 12 Oct 2022 12:16:03 -0400 Subject: [PATCH 1144/1479] Convert docs to use tox build process Since Phalanx now hosts a Python package, we use tox with our standard documentation building and checking environments. --- .github/workflows/docs.yaml | 15 +++++---- docs/Makefile | 18 ++--------- docs/_rst_epilog.rst | 1 + docs/about/contributing-docs.rst | 55 ++++++-------------------------- docs/requirements.txt | 2 -- 5 files changed, 21 insertions(+), 70 deletions(-) delete mode 100644 docs/requirements.txt diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 94cea1d631..7310381165 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml 
@@ -29,21 +29,22 @@ jobs: - name: Set up Python uses: actions/setup-python@v4 with: - python-version: 3.9 + python-version: "3.10" - name: Python install run: | - python -m pip install --upgrade pip - python -m pip install -r docs/requirements.txt + python -m pip install --upgrade pip tox + python -m pip install -e ".[dev]" python -m pip install ltd-conveyor - name: Install graphviz run: sudo apt-get install graphviz - - name: Build - run: | - cd docs - make html + - name: Run tox + uses: lsst-sqre/run-tox@v1 + with: + python-version: "3.10" + tox-envs: "docs,docs-linkcheck" # Only attempt documentation uploads for long-lived branches, tagged # releases, and pull requests from ticket branches. This avoids version diff --git a/docs/Makefile b/docs/Makefile index 4e4857f497..02d05fdc68 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -1,25 +1,11 @@ -# Makefile for Sphinx documentation +# Makefile for Sphinx documentation. +# Use tox -e docs,docs-linkcheck to build the docs. .PHONY: help help: @echo "Please use \`make ' where is one of" - @echo " init install dependencies" @echo " clean delete builds" - @echo " html to make standalone HTML files" - @echo " linkcheck to check all external links for integrity" - -.PHONY: init -init: - pip install -r requirements.txt .PHONY: clean clean: rm -rf _build/* - -.PHONY: html -html: - sphinx-build -b html -d _build/doctrees . _build/html - -.PHONY: linkcheck -linkcheck: - sphinx-build -b linkcheck -d _build/doctrees . _build/linkcheck diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst index a983693228..f4e9be3910 100644 --- a/docs/_rst_epilog.rst +++ b/docs/_rst_epilog.rst 
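Review bot: The `Python install` step still runs `python -m pip install -e ".[dev]"` and installs `tox` even though the new `Run tox` step delegates to `lsst-sqre/run-tox@v1`, which presumably sets up tox and its isolated environments itself; the editable install looks like dead work unless `ltd-conveyor` depends on it, so trim the step to `python -m pip install --upgrade pip` plus `python -m pip install ltd-conveyor`. `lsst-sqre/run-tox@v1` and `actions/setup-python@v4` are referenced by floating major tags; for a workflow that likely uploads documentation with a credential, pinning third-party actions to a full commit SHA (with the tag in a trailing comment) is the usual supply-chain hardening. Quoting `python-version: "3.10"` is the right fix for the 3.1 float trap.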
@@ -27,6 +27,7 @@ .. _Services: .. _Service: https://kubernetes.io/docs/concepts/services-networking/service/ .. _Sphinx: https://www.sphinx-doc.org/en/master/ +.. _tox: https://tox.wiki/en/latest/ .. _pre-commit: https://pre-commit.com .. _Vault: https://www.vaultproject.io/ .. _Vault Secrets Operator: https://github.com/ricoberger/vault-secrets-operator diff --git a/docs/about/contributing-docs.rst b/docs/about/contributing-docs.rst index 5bf762c3d3..1ace4686d7 100644 --- a/docs/about/contributing-docs.rst +++ b/docs/about/contributing-docs.rst 
@@ -22,62 +22,27 @@ Set up pre-commit Phalanx uses Pre-commit_ to lint files and, in some cases, automatically reformat files. Follow the instructions in :doc:`precommit-and-helm-docs`. -Install the Sphinx dependencies -------------------------------- +Initialize the development environment +-------------------------------------- -From the -The Sphinx_ documentation project requires Python dependencies located in the ``docs/requirements.txt`` directory. -For best results, install these dependencies in a dedicated Python virtual environment, such as with venv_ or other tools: +From the ``phalanx`` directory, initialize your environment: -.. tab-set:: - - .. tab-item:: pip install - - .. code-block:: bash - - cd docs - pip install -r requirements.txt - - .. tab-item:: Workflow with venv - - Create and activate the virtual environment: - - .. code-block:: bash - - cd docs - python -m venv .venv - source .venv/bin/activate - - Install documentation dependencies: - - .. code-block:: bash - - pip install -r requirements.txt - - .. note:: - - When you want to de-activate this virtual environment in your current shell you can run: - - .. code-block:: bash - - deactivate - - And later set up the environment again by sourcing the ``activate`` script again with: +.. code-block:: bash - .. code-block:: bash + make init - source .venv/bin/activate +This steps installs tox_, the tooling for builds with isolated Python environments, and pre-commit_, a tool for linting and formatting files (see :doc:`precommit-and-helm-docs`). Compiling the documentation =========================== -The Makefile includes a target for building the documentation: +Use the tox_ ``docs`` environment for compiling the documentation: .. code-block:: bash - make html + tox -e docs -The built documentation is located in the ``_build/html`` directory (relative to the ``/docs`` directory). +The built documentation is located in the ``docs/_build/html`` directory. 
Sphinx caches build products and in some cases you may need to delete the build to get a consistent result: @@ -92,7 +57,7 @@ Links in the documentation are validated in the GitHub Actions workflow, but you .. code-block:: bash - make linkcheck + tox -e docs-linkcheck Submitting a pull request and sharing documentation drafts ========================================================== diff --git a/docs/requirements.txt b/docs/requirements.txt deleted file mode 100644 index af4999d316..0000000000 --- a/docs/requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -documenteer[guide]>=0.7.0b4 -sphinx-diagrams From 9ab9743191f4d9a01d02b9c5584df454fb7e2194 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 12 Oct 2022 12:56:50 -0400 Subject: [PATCH 1145/1479] Move expand-services into Python package Consistent with Python packaging, this moves the tests/expand-services script into the phalanx package and uses entrypoints to create a script called expand-charts. Updates the GitHub Actions ci.yaml to use this script. --- .github/workflows/ci.yaml | 4 ++-- pyproject.toml | 7 ++++++- src/phalanx/testing/__init__.py | 0 .../expand-services => src/phalanx/testing/expandcharts.py | 6 ------ tests/requirements.txt | 1 - 5 files changed, 8 insertions(+), 10 deletions(-) create mode 100644 src/phalanx/testing/__init__.py rename tests/expand-services => src/phalanx/testing/expandcharts.py (97%) mode change 100755 => 100644 delete mode 100644 tests/requirements.txt diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index faab6aa980..955f9c51df 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -43,10 +43,10 @@ jobs: python-version: 3.9 - name: Install test dependencies - run: pip install -r tests/requirements.txt + run: pip install . - name: Expand modified charts - run: tests/expand-services + run: expand-charts - name: Set up chart-testing uses: helm/chart-testing-action@v2.3.1 
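Review bot: The step named `Install test dependencies` now runs `pip install .`, i.e. it installs the phalanx package itself (whose `pyproject.toml` pulls in GitPython), so the name no longer describes it; `- name: Install phalanx` would match. The following `run: expand-charts` relies on that non-editable install putting the console script on `PATH`, which is worth a one-line comment since the script replaces the old `tests/expand-services`.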
diff --git a/pyproject.toml b/pyproject.toml index 8a2cf620e3..62ed957dc3 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -19,7 +19,9 @@ classifiers = [ "Operating System :: POSIX", ] requires-python = ">=3.8" -dependencies = [] +dependencies = [ + "GitPython", +] [project.optional-dependencies] dev = [ @@ -33,6 +35,9 @@ dev = [ "sphinx-diagrams" ] +[project.scripts] +expand-charts = "phalanx.testing.expandcharts:main" + [project.urls] Homepage = "https://phalanx.lsst.io" Source = "https://github.com/lsst-sqre/phalanx" diff --git a/src/phalanx/testing/__init__.py b/src/phalanx/testing/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/expand-services b/src/phalanx/testing/expandcharts.py old mode 100755 new mode 100644 similarity index 97% rename from tests/expand-services rename to src/phalanx/testing/expandcharts.py index eb0f78f981..4dee047111 --- a/tests/expand-services +++ b/src/phalanx/testing/expandcharts.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python3 - """Expand Helm charts for testing. Discover the list of supported environments, find all charts that have changed @@ -85,7 +83,3 @@ def main() -> None: environments = get_environments() for chart in charts: expand_chart(chart, environments) - - -if __name__ == "__main__": - main() diff --git a/tests/requirements.txt b/tests/requirements.txt deleted file mode 100644 index 64b1adaeeb..0000000000 --- a/tests/requirements.txt +++ /dev/null @@ -1 +0,0 @@ -GitPython From 836baa621704116ad9a95a33067dcb410beb90a7 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 12 Oct 2022 14:16:00 -0400 Subject: [PATCH 1146/1479] Add a license for pyproject.toml --- LICENSE | 21 +++++++++++++++++++++ pyproject.toml | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000000..6b5e25a46c --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2019-2022 Association of Universities for Research in Astronomy, Inc. (AURA) + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/pyproject.toml b/pyproject.toml index 62ed957dc3..6d2f275205 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "phalanx" version = "1.0.0" description = "Python support code for the Rubin Phalanx platform." -# license = {file = "LICENSE"} +license = {file = "LICENSE"} readme= "README.rst" keywords = [ "rubin", From 8e067eb2239c76b8e9f2472272d5adc4674d0514 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 13 Oct 2022 14:04:42 -0700 Subject: [PATCH 1147/1479] Add more data-int users --- services/argocd/values-idfint.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/argocd/values-idfint.yaml b/services/argocd/values-idfint.yaml index efb504bc91..c2745b744d 100644 --- a/services/argocd/values-idfint.yaml +++ b/services/argocd/values-idfint.yaml 
@@ -35,4 +35,6 @@ argo-cd: g, loi@lsst.cloud, role:admin g, roby@lsst.cloud, role:admin g, fritzm@lsst.cloud, role:admin + g, drbsmart@lsst.cloud, role:admin + g, ecbellm@lsst.cloud, role:admin scopes: "[email]" From c23380e6fb00f7e104e3d5da0acdf8764a17c2be Mon Sep 17 00:00:00 2001 From: adam Date: Thu, 13 Oct 2022 16:09:21 -0700 Subject: [PATCH 1148/1479] Bump bucketmapper version --- services/sasquatch/README.md | 4 ++-- services/sasquatch/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 9ecbeffab6..105a6b95e8 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -20,9 +20,9 @@ Rubin Observatory's telemetry service. | Key | Type | Default | Description | |-----|------|---------|-------------| -| bucketmapper.image | object | `{"repository":"ghcr.io/lsst-sqre/rubin-influx-tools","tag":"0.1.22"}` | image for monitoring-related cronjobs | +| bucketmapper.image | object | `{"repository":"ghcr.io/lsst-sqre/rubin-influx-tools","tag":"0.1.23"}` | image for monitoring-related cronjobs | | bucketmapper.image.repository | string | `"ghcr.io/lsst-sqre/rubin-influx-tools"` | repository for rubin-influx-tools | -| bucketmapper.image.tag | string | `"0.1.22"` | tag for rubin-influx-tools | +| bucketmapper.image.tag | string | `"0.1.23"` | tag for rubin-influx-tools | | chronograf.env | object | `{"BASE_PATH":"/chronograf","CUSTOM_AUTO_REFRESH":"1s=1000","HOST_PAGE_DISABLED":true}` | Chronograf environment variables. | | chronograf.envFromSecret | string | `"sasquatch"` | Chronograf secrets, expected keys generic_client_id, generic_client_secret and token_secret. | | chronograf.image | object | `{"repository":"quay.io/influxdb/chronograf","tag":"1.9.4"}` | Chronograf image tag. | diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index aa648432c5..94a68c62b8 100644 --- a/services/sasquatch/values.yaml 
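Review bot: Both added bindings, `g, drbsmart@lsst.cloud, role:admin` and `g, ecbellm@lsst.cloud, role:admin`, go to `role:admin` like every existing line in this policy, so data-int's Argo CD has a single privilege level; if these accounts only need to inspect application and sync status, Argo CD's built-in `role:readonly` (`g, drbsmart@lsst.cloud, role:readonly`) keeps the set of accounts that can sync or delete applications small. The policy matches users on the `email` claim (`scopes: "[email]"`), so it relies on the upstream identity provider asserting verified `lsst.cloud` addresses; that is unchanged here. The policy block starts above the hunk.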
+++ b/services/sasquatch/values.yaml @@ -186,7 +186,7 @@ bucketmapper: # -- repository for rubin-influx-tools repository: ghcr.io/lsst-sqre/rubin-influx-tools # -- tag for rubin-influx-tools - tag: 0.1.22 + tag: 0.1.23 global: # -- Base path for Vault secrets From 38338447e4e187309007893d6f2b33ac26548389 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 13 Oct 2022 17:25:21 -0700 Subject: [PATCH 1149/1479] Update to Gafaelfawr 6.2.0 Use the new syntax for restricting access by GitHub organization and team. --- services/gafaelfawr/Chart.yaml | 2 +- services/gafaelfawr/templates/configmap.yaml | 9 +- services/gafaelfawr/values-base.yaml | 72 +++++++++++---- services/gafaelfawr/values-ccin2p3.yaml | 50 ++++++++--- services/gafaelfawr/values-idfint.yaml | 84 +++++++++++++----- services/gafaelfawr/values-idfprod.yaml | 88 ++++++++++++++----- services/gafaelfawr/values-minikube.yaml | 24 +++-- services/gafaelfawr/values-roe.yaml | 38 +++++--- services/gafaelfawr/values-summit.yaml | 71 +++++++++++---- .../gafaelfawr/values-tucson-teststand.yaml | 70 +++++++++++---- 10 files changed, 377 insertions(+), 131 deletions(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 096bb571c1..1dc1959f05 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,4 +5,4 @@ description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 6.1.0 +appVersion: 6.2.0 diff --git a/services/gafaelfawr/templates/configmap.yaml b/services/gafaelfawr/templates/configmap.yaml index 95a4957742..ad772597b3 100644 --- a/services/gafaelfawr/templates/configmap.yaml +++ b/services/gafaelfawr/templates/configmap.yaml 
@@ -159,13 +159,10 @@ {{ $key | quote }}: {{ $value | quote }} {{- end }} + {{- with .Values.config.groupMapping }} group_mapping: - {{- range $key, $value := .Values.config.groupMapping }} - {{ $key | quote }}: - {{- range $group := $value }} - - {{ $group | quote }} - {{- end }} - {{- end }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- if .Values.config.initialAdmins }} initial_admins: diff --git a/services/gafaelfawr/values-base.yaml b/services/gafaelfawr/values-base.yaml index 7269bf85af..13f12583f9 100644 --- a/services/gafaelfawr/values-base.yaml +++ b/services/gafaelfawr/values-base.yaml 
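Review bot: Wrapping the block in `{{- with .Values.config.groupMapping }}` omits the `group_mapping` key entirely when the value is unset or empty, whereas the old `range` always emitted `group_mapping:` (with a null value when there were no entries); if Gafaelfawr treats a missing key differently from an empty mapping, an environment with no groupMapping changes behavior on upgrade — confirm, or add an `{{- else }}` branch emitting `group_mapping: {}`. Also, `toYaml . | nindent 6` now copies the values subtree verbatim, so an entry that is not in the new `github:` form (a leftover legacy string, for instance) reaches the application unchanged instead of being coerced by the template; all validation now lives in Gafaelfawr's config loader. A short comment above the block saying the subtree is passed through verbatim would make that expectation visible to the next person editing a values file.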
@@ -12,29 +12,65 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "exec:admin": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "exec:notebook": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "exec:portal": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "read:image": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "read:tap": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" initialAdmins: - "afausti" diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 0a6e6f7be5..e8f6a9c3d7 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml 
@@ -30,25 +30,47 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - "rubin-in2p3-admin" + - github: + organization: "rubin-in2p3" + team: "admin" "exec:admin": - - "rubin-in2p3-admin" + - github: + organization: "rubin-in2p3" + team: "admin" "exec:notebook": - - "rubin-in2p3-admin" - - "rubin-in2p3-user" + - github: + organization: "rubin-in2p3" + team: "admin" + - github: + organization: "rubin-in2p3" + team: "user" "exec:portal": - - "rubin-in2p3-admin" - - "rubin-in2p3-user" + - github: + organization: "rubin-in2p3" + team: "admin" + - github: + organization: "rubin-in2p3" + team: "user" "read:tap": - - "rubin-in2p3-admin" - - "rubin-in2p3-user" - - "rubin-in2p3" - - "rubin-in2p3-delegates" + - github: + organization: "rubin-in2p3" + team: "admin" + - github: + organization: "rubin-in2p3" + team: "user" + - github: + organization: "rubin-in2p3" + team: "delegates" "read:image": - - "rubin-in2p3-admin" - - "rubin-in2p3-user" - - "rubin-in2p3" - - "rubin-in2p3-delegates" + - github: + organization: "rubin-in2p3" + team: "admin" + - github: + organization: "rubin-in2p3" + team: "user" + - github: + organization: "rubin-in2p3" + team: "delegates" initialAdmins: # - "mainetti" diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index 69278e9e3e..19f3786514 100644 --- a/services/gafaelfawr/values-idfint.yaml +++ b/services/gafaelfawr/values-idfint.yaml 
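Review bot: The rewrite of `read:tap` and `read:image` drops the bare `"rubin-in2p3"` entry that the old lists carried alongside the `-admin`, `-user` and `-delegates` teams, and the commit message describes only a syntax change, not a narrowing of access; if that entry granted the scopes to every member of the organization, users in the org but in none of the three teams lose TAP and image access with this deploy. If the narrowing is intended, say so in the commit message; if not, and the 6.2.0 syntax supports organization-only membership, add `- github:` with `organization: "rubin-in2p3"` and no `team` to both scopes. Which of the two applies cannot be determined from the hunk.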
@@ -16,33 +16,75 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "exec:admin": - - "lsst-sqre-square" - - "lsst-sqre-friends" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" "exec:notebook": - - "lsst-ops-panda" - - "lsst-ops" - - "lsst-sqre-square" - - "lsst-sqre-friends" + - github: + organization: "lsst" + team: "ops" + - github: + organization: "lsst" + team: "ops-panda" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" "exec:portal": - - "lsst-ops-panda" - - "lsst-sqre-square" - - "lsst-ops" - - "lsst-sqre-friends" + - github: + organization: "lsst" + team: "ops" + - github: + organization: "lsst" + team: "ops-panda" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" "read:alertdb": - - "lsst-sqre-square" - - "lsst-sqre-friends" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" "read:image": - - "lsst-ops-panda" - - "lsst-sqre-square" - - "lsst-ops" - - "lsst-sqre-friends" + - github: + organization: "lsst" + team: "ops" + - github: + organization: "lsst" + team: "ops-panda" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" "read:tap": - - "lsst-ops-panda" - - "lsst-sqre-square" - - "lsst-ops" - - "lsst-sqre-friends" + - github: + organization: "lsst" + team: "ops" + - github: + organization: "lsst" + team: "ops-panda" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" initialAdmins: - "afausti" diff --git a/services/gafaelfawr/values-idfprod.yaml b/services/gafaelfawr/values-idfprod.yaml index d4bb06c9f0..6afd5476c6 100644 --- a/services/gafaelfawr/values-idfprod.yaml 
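Review bot: The legacy names `lsst-ops` and `lsst-ops-panda` are split here into organization `lsst` with teams `ops` and `ops-panda`, but the hyphenated form is ambiguous (`lsst-ops-panda` could equally be organization `lsst-ops`, team `panda`, and `lsst-sqre-square` organization `lsst`, team `sqre-square`); a wrong split fails closed, so it would surface as users silently losing notebook, portal or TAP access on data-int rather than as a deploy error. Worth confirming each org/team pair against GitHub before syncing, and the same split is applied to production in the following file. A one-line comment above `groupMapping` noting that `organization` must be the GitHub org slug and `team` the team slug would help future edits.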
+++ b/services/gafaelfawr/values-idfprod.yaml @@ -14,33 +14,77 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "exec:admin": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "exec:notebook": - - "lsst-sqre-square" - - "lsst-data-management" - - "lsst-ops" - - "rubin-dp0-delegates" - - "rubin-dp0-friends" + - github: + organization: "lsst" + team: "data-management" + - github: + organization: "lsst" + team: "ops" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "rubin-dp0" + team: "delegates" + - github: + organization: "rubin-dp0" + team: "friends" "exec:portal": - - "lsst-sqre-square" - - "lsst-data-management" - - "lsst-ops" - - "rubin-dp0-delegates" - - "rubin-dp0-friends" + - github: + organization: "lsst" + team: "data-management" + - github: + organization: "lsst" + team: "ops" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "rubin-dp0" + team: "delegates" + - github: + organization: "rubin-dp0" + team: "friends" "read:image": - - "lsst-sqre-square" - - "lsst-data-management" - - "lsst-ops" - - "rubin-dp0-delegates" - - "rubin-dp0-friends" + - github: + organization: "lsst" + team: "data-management" + - github: + organization: "lsst" + team: "ops" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "rubin-dp0" + team: "delegates" + - github: + organization: "rubin-dp0" + team: "friends" "read:tap": - - "lsst-sqre-square" - - "lsst-data-management" - - "lsst-ops" - - "rubin-dp0-delegates" - - "rubin-dp0-friends" + - github: + organization: "lsst" + team: "data-management" + - github: + organization: "lsst" + team: "ops" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "rubin-dp0" + team: "delegates" + - github: + organization: "rubin-dp0" + team: "friends" initialAdmins: - "afausti" 
diff --git a/services/gafaelfawr/values-minikube.yaml b/services/gafaelfawr/values-minikube.yaml index 30865a3cdb..6b56f79f5e 100644 --- a/services/gafaelfawr/values-minikube.yaml +++ b/services/gafaelfawr/values-minikube.yaml @@ -16,17 +16,29 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "exec:admin": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "exec:notebook": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "exec:portal": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "read:image": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "read:tap": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" initialAdmins: - "afausti" diff --git a/services/gafaelfawr/values-roe.yaml b/services/gafaelfawr/values-roe.yaml index f7a607cbfe..3e07eeb73e 100644 --- a/services/gafaelfawr/values-roe.yaml +++ b/services/gafaelfawr/values-roe.yaml @@ -11,23 +11,41 @@ config: # Allow access by GitHub team. groupMapping: "exec:admin": - - "lsp-uk-dev" + - github: + organization: "lsp-uk" + team: "dev" "exec:notebook": - - "lsp-uk-dev" + - github: + organization: "lsp-uk" + team: "dev" "read:workspace": - - "lsp-uk-dev" + - github: + organization: "lsp-uk" + team: "dev" "read:workspace/user": - - "lsp-uk-dev" + - github: + organization: "lsp-uk" + team: "dev" "write:workspace/user": - - "lsp-uk-dev" + - github: + organization: "lsp-uk" + team: "dev" "exec:portal": - - "lsp-uk-dev" + - github: + organization: "lsp-uk" + team: "dev" "exec:user": - - "lsp-uk-dev" - "read:tap": - - "lsp-uk-dev" + - github: + organization: "lsp-uk" + team: "dev" "read:image": - - "lsp-uk-dev" + - github: + organization: "lsp-uk" + team: "dev" + "read:tap": + - github: + organization: "lsp-uk" + team: "dev" initialAdmins: - "stvoutsin" 
diff --git a/services/gafaelfawr/values-summit.yaml b/services/gafaelfawr/values-summit.yaml index d2631749b9..7140742b64 100644 --- a/services/gafaelfawr/values-summit.yaml +++ b/services/gafaelfawr/values-summit.yaml @@ -16,29 +16,66 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - "lsst-sqre-square" + - github: + organization: "lsst-sqre" + team: "square" "exec:admin": + - github: + organization: "lsst-sqre" + team: "square" - "lsst-sqre-square" "exec:notebook": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-summit-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "summit-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "exec:portal": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-summit-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "summit-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "read:image": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-summit-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "summit-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "read:tap": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-summit-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "summit-access" + - github: + organization: "rubin-summit" + team: "rsp-access" initialAdmins: - "afausti" 
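Review bot: Under `exec:admin` the old string entry `- "lsst-sqre-square"` is left in place below the new `github:` mapping, so that list now mixes the 6.2.0 form with a legacy plain string; every other scope in this file was converted cleanly, so this reads as an editing slip rather than intent. If Gafaelfawr 6.2.0 no longer accepts plain strings in `group_mapping`, the configmap fails validation and the summit deployment will not come up; if it still accepts them, the entry is a redundant duplicate of the mapping above it. Either way, delete `- "lsst-sqre-square"` under `exec:admin`.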
diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index 5e0c50f7a4..4c0a86aa0f 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml @@ -16,29 +16,67 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": + - github: + organization: "lsst-sqre" + team: "square" - "lsst-sqre-square" "exec:admin": + - github: + organization: "lsst-sqre" + team: "square" - "lsst-sqre-square" "exec:notebook": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "exec:portal": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "read:image": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "read:tap": - - "lsst-sqre-square" - - "lsst-sqre-friends" - - "lsst-ts-base-access" - - "rubin-summit-rsp-access" + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" initialAdmins: - "afausti" 
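Review bot: Both `admin:provision` and `exec:admin` keep the old string entry `- "lsst-sqre-square"` below the newly added `github:` mapping, so these two lists mix the 6.2.0 form with the legacy form while the other four scopes in the file were converted cleanly. If 6.2.0 rejects plain strings the Tucson test stand's Gafaelfawr will fail to load its config; if it accepts them the entries are duplicates of the mapping above. Remove the two `- "lsst-sqre-square"` lines so the file matches the rest of the environments.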
From 6ca22513c0f8dfe0edb423d6415c05a2b1d6304a Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 14 Oct 2022 13:34:27 -0700 Subject: [PATCH 1150/1479] IP -> A record --- services/exposurelog/values-tucson-teststand.yaml | 2 +- services/gafaelfawr/values-tucson-teststand.yaml | 2 +- services/narrativelog/values-tucson-teststand.yaml | 2 +- services/nublado2/values-tucson-teststand.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/exposurelog/values-tucson-teststand.yaml b/services/exposurelog/values-tucson-teststand.yaml index 22c1f491a3..8382031cf3 100644 --- a/services/exposurelog/values-tucson-teststand.yaml +++ b/services/exposurelog/values-tucson-teststand.yaml @@ -8,4 +8,4 @@ config: nfs_server_2: auxtel-archiver.tu.lsst.org butler_uri_2: /volume_2 db: - host: 140.252.146.49 + host: squoint.tu.lsst.org diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index 4c0a86aa0f..02596337f6 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml @@ -4,7 +4,7 @@ redis: config: slackAlerts: true - databaseUrl: "postgresql://gafaelfawr@140.252.146.49/gafaelfawr" + databaseUrl: "postgresql://gafaelfawr@squoint.tu.lsst.org/gafaelfawr" github: clientId: "49533cbd8a8079730dcf" diff --git a/services/narrativelog/values-tucson-teststand.yaml b/services/narrativelog/values-tucson-teststand.yaml index e104e68f8a..1350506e76 100644 --- a/services/narrativelog/values-tucson-teststand.yaml +++ b/services/narrativelog/values-tucson-teststand.yaml @@ -1,4 +1,4 @@ config: site_id: tucson db: - host: 140.252.146.49 + host: squoint.tu.lsst.org diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index 61890b83b1..f91de52c82 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml 
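Review bot: The new `databaseUrl` still specifies no TLS mode, and replacing the IP literal with `squoint.tu.lsst.org` means the Gafaelfawr database connection now also depends on DNS resolution on the test stand; a hostname, unlike an IP, does make certificate hostname verification practical, so if the Postgres server offers TLS, something like `databaseUrl: "postgresql://gafaelfawr@squoint.tu.lsst.org/gafaelfawr?sslmode=verify-full"` (in whatever form Gafaelfawr's driver accepts) would pin the database's identity rather than trusting whatever the name resolves to. Whether the driver's default silently falls back to plaintext is not visible from this hunk. The password is not embedded in the URL, which is as it should be.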
@@ -6,7 +6,7 @@ jupyterhub: hub: db: upgrade: true - url: "postgresql://jovyan@140.252.146.49/jupyterhub" + url: "postgresql://jovyan@squoint.tu.lsst.org/jupyterhub" singleuser: extraAnnotations: From 1a701953329c0f8cc3232e29a04450369d19138a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 17 Oct 2022 00:49:25 +0000 Subject: [PATCH 1151/1479] Update Helm release argo-cd to v5.6.0 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index c82094f666..dd83c2d1a6 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 5.5.7 + version: 5.6.0 repository: https://argoproj.github.io/argo-helm From 5f774726b168ed647a93c37346102dcef55452c1 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 17 Oct 2022 11:27:48 -0700 Subject: [PATCH 1152/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 514b2deb70..7bd6065d7e 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 5.5.7 | +| https://argoproj.github.io/argo-helm | argo-cd | 5.6.0 | ## Values From 77df228410b1aa76c5cceaabd466505e1b78c8a8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 17 Oct 2022 18:37:08 +0000 Subject: [PATCH 1153/1479] Update Helm release redis to v17.3.5 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 0120101bee..8ef59141e0 100644 
--- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.1.6 + version: 17.3.5 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index a4936a005f..246c074c1c 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.1.6 + version: 17.3.5 repository: https://charts.bitnami.com/bitnami From bac4aa8bd8cde7a47b16586935d22774b9320a81 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 17 Oct 2022 12:07:49 -0700 Subject: [PATCH 1154/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index e489453a90..29ffffc887 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.1.6 | +| https://charts.bitnami.com/bitnami | redis | 17.3.5 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 76726c5ba9..bfbd0230bf 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.1.6 | +| https://charts.bitnami.com/bitnami | redis | 17.3.5 | ## Values From 5fb097a501b0ef5649f4d535a8445bcab72f1de4 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 17 Oct 2022 19:15:08 +0000 Subject: [PATCH 1155/1479] Update Helm release ingress-nginx to v4.3.0 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 1257945e9d..02b00d6afe 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 1.0.0 dependencies: - name: ingress-nginx - version: 4.2.5 + version: 4.3.0 repository: https://kubernetes.github.io/ingress-nginx From fe3eb5d70225eedff8dd8296fd412f18a72ac041 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 17 Oct 2022 12:27:19 -0700 Subject: [PATCH 1156/1479] Update Helm docs --- services/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index 3b28543304..e4bc897c03 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.2.5 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.3.0 | ## Values From e7cb63eed82acdc0a6ef65925f25d611c5562d7c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 17 Oct 2022 19:36:15 +0000 Subject: [PATCH 1157/1479] Update Helm release influxdb2 to v2.1.1 --- services/sasquatch/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index bbecba6998..c83458919c 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml 
@@ -13,7 +13,7 @@ dependencies: version: 4.12.0 repository: https://helm.influxdata.com/ - name: influxdb2 - version: 2.1.0 + version: 2.1.1 repository: https://helm.influxdata.com/ - name: kafka-connect-manager version: 1.0.0 From b6fe45c1de42dc996a7ed9588483bcf151c7b7d2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 17 Oct 2022 12:41:00 -0700 Subject: [PATCH 1158/1479] Update Helm docs --- services/sasquatch/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 105a6b95e8..a03783e133 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -12,7 +12,7 @@ Rubin Observatory's telemetry service. | | telegraf-kafka-consumer | 1.0.0 | | https://helm.influxdata.com/ | chronograf | 1.2.5 | | https://helm.influxdata.com/ | influxdb | 4.12.0 | -| https://helm.influxdata.com/ | influxdb2 | 2.1.0 | +| https://helm.influxdata.com/ | influxdb2 | 2.1.1 | | https://helm.influxdata.com/ | kapacitor | 1.4.6 | | https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.1.0 | From 78da554f791367e6098c3e9abeab99121d5b6ffd Mon Sep 17 00:00:00 2001 From: adam Date: Tue, 18 Oct 2022 14:05:28 -0700 Subject: [PATCH 1159/1479] add culler to TTS --- services/nublado2/values-tucson-teststand.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index f91de52c82..3d2745e261 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml @@ -1,4 +1,11 @@ jupyterhub: + cull: + enabled: true + users: false + removeNamedServers: false + timeout: 432000 + every: 300 + maxAge: 2160000 ingress: hosts: ["tucson-teststand.lsst.codes"] annotations: From ba41da222ce1c0d00fdf8f958026f80cfaea924d Mon Sep 17 00:00:00 2001 
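Review bot: The new `cull` block uses raw second counts with no explanation, so a reader has to do arithmetic to learn that `timeout: 432000` is five days of idleness and `maxAge: 2160000` is a twenty-five day hard lifetime; add inline comments, e.g. `timeout: 432000  # 5 days idle before a server is culled` and `maxAge: 2160000  # 25 days, culled regardless of activity`, and a note that `users: false` keeps hub user records while only servers are removed. Whether five idle days is the intended policy for a test stand is a question the commit message does not address.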
From: Jonathan Sick Date: Wed, 12 Oct 2022 14:10:26 -0400 Subject: [PATCH 1160/1479] Prototype homepage for idfdev env This initial homepage implementation for the idfdev environment is just to determine what information we want and how to include it. The table will be replaced with automation that pulls the info out of phalanx itself. --- docs/environments/idfdev/index.rst | 52 ++++++++++++++++++++++++++++++ docs/environments/index.rst | 5 +++ 2 files changed, 57 insertions(+) create mode 100644 docs/environments/idfdev/index.rst diff --git a/docs/environments/idfdev/index.rst b/docs/environments/idfdev/index.rst new file mode 100644 index 0000000000..4c9ad808d5 --- /dev/null +++ b/docs/environments/idfdev/index.rst 
@@ -0,0 +1,52 @@ +########################## +idfdev: idf-dev.lsst.cloud +########################## + +idfdev is a development environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform). +The primary use of idfdev is for application development by the SQuaRE team. + +.. list-table:: + + * - Phalanx name + - ``idfdev`` + * - Root domain + - `data-dev.lsst.cloud `__ + * - Identity provider + - ``ldaps://ldap-test.cilogon.org`` + * - Gafaelfawr groups + - .. list-table:: + + * - Role + - Groups + * - ``admin:provision`` + - - ``g_science-platform-idf-dev`` + * - ``exec:admin`` + - - ``g_science-platform-idf-dev`` + * - ``exec:notebook`` + - - ``g_science-platform-idf-dev`` + * - ``exec:portal`` + - - ``g_science-platform-idf-dev`` + * - ``read:image`` + - - ``g_science-platform-idf-dev`` + * - ``read:tap`` + - - ``g_science-platform-idf-dev`` + * - Argo CD + - https://data-dev.lsst.cloud/argo-cd + * - Argo CD access + - .. code-block:: text + + g, adam@lsst.cloud, role:admin + g, afausti@lsst.cloud, role:admin + g, christine@lsst.cloud, role:admin + g, dspeck@lsst.cloud, role:admin + g, frossie@lsst.cloud, role:admin + g, jsick@lsst.cloud, role:admin + g, krughoff@lsst.cloud, role:admin + g, rra@lsst.cloud, role:admin + g, gpdf@lsst.cloud, role:admin + g, loi@lsst.cloud, role:admin + g, roby@lsst.cloud, role:admin + + * - Applications + - - `argocd <#>`__ — `values-idfdev.yaml <#>`__ + `values.yaml <#>`__ + - `gafaelfawr <#>`__ — `values-idfdev.yaml <#>`__ + `values.yaml <#>`__ diff --git a/docs/environments/index.rst b/docs/environments/index.rst index a95319eabc..cd588dfcd3 100644 --- a/docs/environments/index.rst +++ b/docs/environments/index.rst 
@@ -8,3 +8,8 @@ Each environment can deploy a specific collection of applications, and with spec To learn more about operating a Phalanx environment, see the :doc:`/admin/index` section. .. Add a table of environments, possibly linking to their own documentation sets. + +.. toctree:: + :maxdepth: 1 + + idfdev/index From c6ddb176a95a015a9f56076adb68ae873b52d91f Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 12 Oct 2022 16:22:19 -0400 Subject: [PATCH 1161/1479] Move applications to the top of the env info --- docs/environments/idfdev/index.rst | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/environments/idfdev/index.rst b/docs/environments/idfdev/index.rst index 4c9ad808d5..8638265e5a 100644 --- a/docs/environments/idfdev/index.rst +++ b/docs/environments/idfdev/index.rst @@ -11,6 +11,11 @@ The primary use of idfdev is for application development by the SQuaRE team. - ``idfdev`` * - Root domain - `data-dev.lsst.cloud `__ + * - Argo CD + - https://data-dev.lsst.cloud/argo-cd + * - Applications + - - `argocd <#>`__ — `values-idfdev.yaml <#>`__ + `values.yaml <#>`__ + - `gafaelfawr <#>`__ — `values-idfdev.yaml <#>`__ + `values.yaml <#>`__ * - Identity provider - ``ldaps://ldap-test.cilogon.org`` * - Gafaelfawr groups @@ -30,8 +35,6 @@ The primary use of idfdev is for application development by the SQuaRE team. - - ``g_science-platform-idf-dev`` * - ``read:tap`` - - ``g_science-platform-idf-dev`` - * - Argo CD - - https://data-dev.lsst.cloud/argo-cd * - Argo CD access - .. code-block:: text @@ -46,7 +49,3 @@ The primary use of idfdev is for application development by the SQuaRE team. g, gpdf@lsst.cloud, role:admin g, loi@lsst.cloud, role:admin g, roby@lsst.cloud, role:admin - - * - Applications - - - `argocd <#>`__ — `values-idfdev.yaml <#>`__ + `values.yaml <#>`__ - - `gafaelfawr <#>`__ — `values-idfdev.yaml <#>`__ + `values.yaml <#>`__ From 23cb5c13666690e7c917876c8235c2b3b2da2d92 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Thu, 13 Oct 2022 12:47:30 -0400 Subject: [PATCH 1162/1479] Create models for the Phalanx configurations We'll use these models in the sphinx build to provide information that can be extracted from the repository about Phalanx's environments and applications. --- pyproject.toml | 1 + src/phalanx/docs/__init__.py | 0 src/phalanx/docs/models.py | 126 +++++++++++++++++++++++++++++++++++ tests/docs/models_test.py | 17 +++++ 4 files changed, 144 insertions(+) create mode 100644 src/phalanx/docs/__init__.py create mode 100644 src/phalanx/docs/models.py create mode 100644 tests/docs/models_test.py diff --git a/pyproject.toml b/pyproject.toml index 6d2f275205..c7d7984353 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -20,6 +20,7 @@ classifiers = [ ] requires-python = ">=3.8" dependencies = [ + "PyYAML", "GitPython", ] diff --git a/src/phalanx/docs/__init__.py b/src/phalanx/docs/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py new file mode 100644 index 0000000000..fa084f610f --- /dev/null +++ b/src/phalanx/docs/models.py 
@@ -0,0 +1,126 @@ +"""Models of the Phalanx environment and application configurations.""" + +from __future__ import annotations + +from dataclasses import dataclass, field +from pathlib import Path +from typing import List + +import yaml + +ENVIRONMENTS_DIR = "science-platform" +"""Directory of the environments Helm chart in Phalanx.""" + +APPS_DIR = "services" +"""Root directory of the application Helm charts in Phalanx.""" + + +@dataclass(kw_only=True) +class Application: + """A model for a Phalanx-configured application.""" + + name: str + """Name of the application. + + This name is used to label directories, etc. + """ + + @classmethod + def load(cls, *, app_dir: Path) -> Application: + return cls(name=app_dir.name) + + +@dataclass(kw_only=True) +class Environment: + """A model for an environment.""" + + name: str + """Name of the Phalanx environment. + + This name is used to label directories, values files, etc. + """ + + domain: str + """The root domain where the environment is hosted.""" + + vault_path_prefix: str + """The Vault key prefix for this environment.""" + + apps: List[Application] + """The applications that are enabled for this service.""" + + @classmethod + def load( + cls, *, env_values_path: Path, applications: List[Application] + ) -> Environment: + """Load an environment by inspecting the Phalanx repository.""" + # Extract name from dir/values-envname.yaml + env_values = yaml.safe_load(env_values_path.read_text()) + name = env_values["environment"] + + # Get Application instances active in this environment + apps: List[Application] = [] + for app in applications: + try: + if env_values[app.name]["enabled"] is True: + apps.append(app) + except KeyError: + continue + apps.sort(key=lambda a: a.name) + + return Environment( + name=name, + domain=env_values["fqdn"], + vault_path_prefix=env_values["vault_path_prefix"], + apps=apps, + ) + + +@dataclass(kw_only=True) +class Phalanx: + """Root container for Phalanx data.""" + + environments: 
List[Environment] = field(default_factory=list) + """Phalanx environments.""" + + apps: List[Application] = field(default_factory=list) + """Phalanx applications.""" + + @classmethod + def load_phalanx(cls, root_dir: Path) -> Phalanx: + """Load the Phalanx git repository. + + Parameters + ---------- + root_dir : `pathlib.Path` + The path for the root directory of a Phalanx repository clone. + + Returns + ------- + phalanx : `Phalanx` + A model of the Phalanx platform, including environment and + application configuration. + """ + apps: List[Application] = [] + envs: List[Environment] = [] + + # Gather applications + for app_dir in root_dir.joinpath(APPS_DIR).iterdir(): + if not app_dir.is_dir(): + continue + app = Application.load(app_dir=app_dir) + apps.append(app) + apps.sort(key=lambda a: a.name) + + # Gather environments + for env_values_path in root_dir.joinpath(ENVIRONMENTS_DIR).glob( + "values-*.yaml" + ): + if not env_values_path.is_file(): + continue + env = Environment.load( + env_values_path=env_values_path, applications=apps + ) + envs.append(env) + + return cls(environments=envs, apps=apps) diff --git a/tests/docs/models_test.py b/tests/docs/models_test.py new file mode 100644 index 0000000000..3fc650b24a --- /dev/null +++ b/tests/docs/models_test.py @@ -0,0 +1,17 @@ +"""Tests for the phalanx.docs.models module.""" + +from __future__ import annotations + +from pathlib import Path + +from phalanx.docs.models import Phalanx + + +def test_phalanx_load() -> None: + """Smoke test for loading Phalanx repository metadata.""" + root_dir = Path(__file__).parent.parent.parent + metadata = Phalanx.load_phalanx(root_dir) + assert isinstance(metadata, Phalanx) + + assert len(metadata.environments) > 0 + assert len(metadata.apps) > 0 From 51d6e068fa3a99b9a82ba1e07962ce333b2b7e11 Mon Sep 17 00:00:00 2001 
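Review bot: `@dataclass(kw_only=True)` on `Application`, `Environment` and `Phalanx` in the `@@ -0,0 +1,126 @@` hunk of src/phalanx/docs/models.py requires Python 3.10, while the pyproject.toml hunk in this same commit still shows `requires-python = ">=3.8"`; either raise the floor or drop `kw_only=True` and keep keyword construction by convention. `Application.load` is the only public method here without a docstring; `"""Build an Application from its chart directory, using the directory name as the application name."""` would match its siblings. The `apps` attribute docstring reads "enabled for this service" where "enabled for this environment" is meant. Loading the repository's values files with `yaml.safe_load` is the right loader choice and worth keeping as the pattern for later readers.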
From: Jonathan Sick Date: Thu, 13 Oct 2022 15:14:28 -0400 Subject: [PATCH 1163/1479] Integrate Phalanx model into jinja env/template sphinx-jinja allows us to use Jinja templates to populate content on the page. In conf.py, we're create a jinja templating environment for every Phalanx environment. Then on the homepage for an environment, we insert a templated section using that corresponding Jinja environment for data. The jinja template is a centrally maintained file, docs/environments/_summary.rst.jinja. This approach allows us to easily add the same summary info to each environment's page, customized for that environment. --- docs/conf.py | 14 +++++++++++++- docs/documenteer.toml | 3 ++- docs/environments/_summary.rst.jinja | 17 +++++++++++++++++ docs/environments/idfdev/index.rst | 3 +++ pyproject.toml | 3 ++- 5 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 docs/environments/_summary.rst.jinja diff --git a/docs/conf.py b/docs/conf.py index f63bee5b49..23ca18c93d 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -1,5 +1,17 @@ +from typing import Dict +from pathlib import Path + from documenteer.conf.guide import * # noqa: F401 F403 -exclude_patterns.append("requirements.txt") # noqa: F405 +from phalanx.docs.models import Phalanx as PhalanxModel + +phalanx_metadata = PhalanxModel.load_phalanx(Path(__file__).parent.parent) +jinja_contexts: Dict[str, Dict] = {} +for env in phalanx_metadata.environments: + jinja_contexts[env.name] = {"env": env} + +exclude_patterns.extend( # noqa: F405 + ["requirements.txt", "environments/_summary.rst.jinja"] +) linkcheck_anchors = False diff --git a/docs/documenteer.toml b/docs/documenteer.toml index 4157af9f08..7873f0965d 100644 --- a/docs/documenteer.toml +++ b/docs/documenteer.toml @@ -9,7 +9,8 @@ version = "Current" [sphinx] rst_epilog_file = "_rst_epilog.rst" extensions = [ - "sphinx_diagrams" + "sphinx_diagrams", + "sphinx_jinja", ] [sphinx.linkcheck] 
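Review bot: The new module-level `PhalanxModel.load_phalanx(Path(__file__).parent.parent)` call in docs/conf.py runs on every Sphinx configuration load and parses every `values-*.yaml` in the repository, so a malformed values file anywhere now fails the docs build with a traceback pointing here rather than at the offending chart; a comment stating that, e.g. `# Parse the whole Phalanx repository so each environment page can render its summary; a malformed values file fails the docs build at this point.`, would save the next reader a surprise. Placing `from typing import Dict` and `from pathlib import Path` above the `from documenteer.conf.guide import *` star import also means any `Path` or `Dict` that module happens to export would silently shadow them; moving the two stdlib imports below the star import (and ordering `pathlib` before `typing`) removes the ambiguity.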
diff --git a/docs/environments/_summary.rst.jinja b/docs/environments/_summary.rst.jinja new file mode 100644 index 0000000000..86ce908760 --- /dev/null +++ b/docs/environments/_summary.rst.jinja @@ -0,0 +1,17 @@ +.. list-table:: + + * - Phalanx name + - ``{{ env.name }}`` + * - Root domain + - `{{ env.domain }} `__ + * - Applications + - .. list-table:: + + * - Documentation + - Environment values + - Defaults + {% for app in env.apps %} + * - {{ app.name }} + - `values-{{ env.name }}.yaml `__ + - `values.yaml `__ + {% endfor %} diff --git a/docs/environments/idfdev/index.rst b/docs/environments/idfdev/index.rst index 8638265e5a..de5ea4159d 100644 --- a/docs/environments/idfdev/index.rst +++ b/docs/environments/idfdev/index.rst @@ -5,6 +5,9 @@ idfdev: idf-dev.lsst.cloud idfdev is a development environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform). The primary use of idfdev is for application development by the SQuaRE team. +.. jinja:: idfdev + :file: environments/_summary.rst.jinja + .. list-table:: * - Phalanx name diff --git a/pyproject.toml b/pyproject.toml index c7d7984353..38186fe679 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -33,7 +33,8 @@ dev = [ "mypy", # Documentation "documenteer[guide]>=0.7.0b4", - "sphinx-diagrams" + "sphinx-diagrams", + "sphinx-jinja", ] [project.scripts] From 65e352686bf7e23d6f3cf78375b26e65dfbd035f Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 13 Oct 2022 16:03:15 -0400 Subject: [PATCH 1164/1479] Load values files for apps to provide argo cd URL This application is to extract the Argo CD UI URL, but it can be used for other cases of exposing critical application information. --- docs/environments/_summary.rst.jinja | 2 ++ pyproject.toml | 1 + src/phalanx/docs/models.py | 40 ++++++++++++++++++++++++++-- 3 files changed, 41 insertions(+), 2 deletions(-) diff --git a/docs/environments/_summary.rst.jinja b/docs/environments/_summary.rst.jinja index 86ce908760..188caf48fc 100644 
--- a/docs/environments/_summary.rst.jinja +++ b/docs/environments/_summary.rst.jinja @@ -4,6 +4,8 @@ - ``{{ env.name }}`` * - Root domain - `{{ env.domain }} `__ + * - Argo CD + - {{ env.argocd_url }} * - Applications - .. list-table:: diff --git a/pyproject.toml b/pyproject.toml index 38186fe679..55bca21138 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -31,6 +31,7 @@ dev = [ "pytest", "pre-commit", "mypy", + "types-PyYAML", # Documentation "documenteer[guide]>=0.7.0b4", "sphinx-diagrams", diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index fa084f610f..c74c3c7ee0 100644 --- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py @@ -4,7 +4,7 @@ from dataclasses import dataclass, field from pathlib import Path -from typing import List +from typing import Dict, List, Optional import yaml @@ -25,9 +25,18 @@ class Application: This name is used to label directories, etc. """ + env_values: Dict[str, Dict] + """The parsed Helm values for each environment.""" + @classmethod def load(cls, *, app_dir: Path) -> Application: - return cls(name=app_dir.name) + # Load values files for each environment + env_values: Dict[str, Dict] = {} + for values_path in app_dir.glob("values-*.yaml"): + env_name = values_path.stem.removeprefix("values-") + env_values[env_name] = yaml.safe_load(values_path.read_text()) + + return cls(name=app_dir.name, env_values=env_values) @dataclass(kw_only=True) 
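Review bot: `values_path.stem.removeprefix("values-")` in the `@@ -25,9 +25,18 @@` hunk of src/phalanx/docs/models.py needs Python 3.9, while pyproject.toml in this series declares `requires-python = ">=3.8"`; either raise the floor or use a slice, `values_path.stem[len("values-"):]`. `Application.load` is still undocumented; `"""Build an Application from its chart directory, loading each values-<env>.yaml into env_values keyed by environment name."""` states the new contract. `yaml.safe_load` returns None for an empty document, so if any values file can be empty, `env_values[env_name]` becomes None and later chained lookups raise TypeError rather than KeyError; `yaml.safe_load(values_path.read_text()) or {}` keeps the field's `Dict[str, Dict]` annotation honest.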
@@ -49,6 +58,28 @@ class Environment: apps: List[Application] """The applications that are enabled for this service.""" + @property + def argocd_url(self) -> Optional[str]: + """Path to the Argo CD UI.""" + argocd = self.get_app("argocd") + if argocd is None: + return None + + try: + return argocd.env_values[self.name]["argo-cd"]["server"]["config"][ + "url" + ] + except KeyError: + # Environments like minikube don't expose an argo cd URL + return None + + def get_app(self, name) -> Optional[Application]: + """Get the named application.""" + for app in self.apps: + if app.name == name: + return app + return None + @classmethod def load( cls, *, env_values_path: Path, applications: List[Application] @@ -61,6 +92,11 @@ def load( # Get Application instances active in this environment apps: List[Application] = [] for app in applications: + if app.name == "argocd": + # argocd is a special case because it's not toggled per env + apps.append(app) + continue + try: if env_values[app.name]["enabled"] is True: apps.append(app) From 6e3d77275cba2bce57a847e847ab2a1074c2d26e Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 13 Oct 2022 16:11:02 -0400 Subject: [PATCH 1165/1479] Template the page title --- docs/environments/_title.rst.jinja | 3 +++ docs/environments/idfdev/index.rst | 5 ++--- 2 files changed, 5 insertions(+), 3 deletions(-) create mode 100644 docs/environments/_title.rst.jinja diff --git a/docs/environments/_title.rst.jinja b/docs/environments/_title.rst.jinja new file mode 100644 index 0000000000..bc9e662687 --- /dev/null +++ b/docs/environments/_title.rst.jinja @@ -0,0 +1,3 @@ +{{ "#" * (env.name|length + env.domain|length + 3) }} +{{ env.name }} — {{ env.domain }} +{{ "#" * (env.name|length + env.domain|length + 3) }} diff --git a/docs/environments/idfdev/index.rst b/docs/environments/idfdev/index.rst index de5ea4159d..6adfafcc6e 100644 --- a/docs/environments/idfdev/index.rst +++ b/docs/environments/idfdev/index.rst 
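Review bot: `def get_app(self, name)` in the `@@ -49,6 +58,28 @@` hunk of src/phalanx/docs/models.py leaves `name` unannotated although the rest of the module is typed and mypy is among the dev dependencies; `def get_app(self, name: str) -> Optional[Application]:`. In `argocd_url` the `except KeyError` covers only missing keys: if a values file is empty or a key such as `server:` is present with no value, the parsed node is None and the chained subscript raises TypeError, aborting the docs build instead of falling through to the no-URL case — `except (KeyError, TypeError):` if those shapes can occur. The docstring `"""Path to the Argo CD UI."""` describes a full URL; `"""URL of the Argo CD UI for this environment, or None when the values file does not configure one."""` matches what the code returns.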
@@ -1,6 +1,5 @@ -########################## -idfdev: idf-dev.lsst.cloud -########################## +.. jinja:: idfdev + :file: environments/_title.rst.jinja idfdev is a development environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform). The primary use of idfdev is for application development by the SQuaRE team. From c52b5032d11312bfe8414e6779081ad788cad612 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 13 Oct 2022 17:40:17 -0400 Subject: [PATCH 1166/1479] Add pages for other environments --- docs/documenteer.toml | 5 +++++ docs/environments/base/index.rst | 7 +++++++ docs/environments/ccin2p3/index.rst | 7 +++++++ docs/environments/idfint/index.rst | 8 ++++++++ docs/environments/idfprod/index.rst | 8 ++++++++ docs/environments/index.rst | 8 ++++++++ docs/environments/minikube/index.rst | 8 ++++++++ docs/environments/roe/index.rst | 7 +++++++ docs/environments/summit/index.rst | 8 ++++++++ docs/environments/tucson-teststand/index.rst | 7 +++++++ 10 files changed, 73 insertions(+) create mode 100644 docs/environments/base/index.rst create mode 100644 docs/environments/ccin2p3/index.rst create mode 100644 docs/environments/idfint/index.rst create mode 100644 docs/environments/idfprod/index.rst create mode 100644 docs/environments/minikube/index.rst create mode 100644 docs/environments/roe/index.rst create mode 100644 docs/environments/summit/index.rst create mode 100644 docs/environments/tucson-teststand/index.rst diff --git a/docs/documenteer.toml b/docs/documenteer.toml index 7873f0965d..b7763563a6 100644 --- a/docs/documenteer.toml +++ b/docs/documenteer.toml @@ -17,4 +17,9 @@ extensions = [ ignore = [ '^http://localhost', '^http(s)*://ls.st', + '^https://tucson-teststand.lsst.codes', + '^https://summit-lsp.lsst.codes', + '^https://minikube.lsst.codes', + '^https://base-lsp.lsst.codes', + '^https://github.com/lsst-sqre/phalanx/blob/master/services/strimzi/values.yaml', ] 
diff --git a/docs/environments/base/index.rst b/docs/environments/base/index.rst new file mode 100644 index 0000000000..3e576b4836 --- /dev/null +++ b/docs/environments/base/index.rst @@ -0,0 +1,7 @@ +.. jinja:: base + :file: environments/_title.rst.jinja + +base is the environment for the Rubin Science Platform at the Rubin Base facility in La Serena. + +.. jinja:: base + :file: environments/_summary.rst.jinja diff --git a/docs/environments/ccin2p3/index.rst b/docs/environments/ccin2p3/index.rst new file mode 100644 index 0000000000..d74092b716 --- /dev/null +++ b/docs/environments/ccin2p3/index.rst @@ -0,0 +1,7 @@ +.. jinja:: ccin2p3 + :file: environments/_title.rst.jinja + +ccin2p3 is the environment for the Rubin Science Platform at the `CC-IN2P3 `__. + +.. jinja:: ccin2p3 + :file: environments/_summary.rst.jinja diff --git a/docs/environments/idfint/index.rst b/docs/environments/idfint/index.rst new file mode 100644 index 0000000000..0c71c783e5 --- /dev/null +++ b/docs/environments/idfint/index.rst @@ -0,0 +1,8 @@ +.. jinja:: idfint + :file: environments/_title.rst.jinja + +idfint is a development and integration environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform). +The primary use of idfint is Rubin construction and operations teams to integrate applications into the Rubin Science Platform. + +.. jinja:: idfint + :file: environments/_summary.rst.jinja diff --git a/docs/environments/idfprod/index.rst b/docs/environments/idfprod/index.rst new file mode 100644 index 0000000000..2851bafd28 --- /dev/null +++ b/docs/environments/idfprod/index.rst @@ -0,0 +1,8 @@ +.. jinja:: idfprod + :file: environments/_title.rst.jinja + +idfprod is the production environment for the Rubin Science Platform at IDF (hosted on Google Cloud Platform). +idfprod serves as the public Rubin Science Platform for the Data Previews. + +.. jinja:: idfprod + :file: environments/_summary.rst.jinja 
diff --git a/docs/environments/index.rst b/docs/environments/index.rst index cd588dfcd3..dde7b92396 100644 --- a/docs/environments/index.rst +++ b/docs/environments/index.rst @@ -12,4 +12,12 @@ To learn more about operating a Phalanx environment, see the :doc:`/admin/index` .. toctree:: :maxdepth: 1 + base/index + ccin2p3/index idfdev/index + idfint/index + idfprod/index + minikube/index + roe/index + summit/index + tucson-teststand/index diff --git a/docs/environments/minikube/index.rst b/docs/environments/minikube/index.rst new file mode 100644 index 0000000000..26370af188 --- /dev/null +++ b/docs/environments/minikube/index.rst @@ -0,0 +1,8 @@ +.. jinja:: minikube + :file: environments/_title.rst.jinja + +minikube is the Phalanx testing environment for the Rubin Science Platform. +minikube is stood up in the GitHub Actions CI workflow for the phalanx environment. + +.. jinja:: minikube + :file: environments/_summary.rst.jinja diff --git a/docs/environments/roe/index.rst b/docs/environments/roe/index.rst new file mode 100644 index 0000000000..3824d06473 --- /dev/null +++ b/docs/environments/roe/index.rst @@ -0,0 +1,7 @@ +.. jinja:: roe + :file: environments/_title.rst.jinja + +roe is the environment for the Rubin Science Platform hosted at the `Royal Observatory, Edinburgh `__. + +.. jinja:: roe + :file: environments/_summary.rst.jinja diff --git a/docs/environments/summit/index.rst b/docs/environments/summit/index.rst new file mode 100644 index 0000000000..75f4dac6e6 --- /dev/null +++ b/docs/environments/summit/index.rst @@ -0,0 +1,8 @@ +.. jinja:: summit + :file: environments/_title.rst.jinja + +summit is the environment for the Rubin Science Platform at the Rubin summit. +The primary use of summit is for observatory operations at the summit site itself. + +.. jinja:: summit + :file: environments/_summary.rst.jinja 
diff --git a/docs/environments/tucson-teststand/index.rst b/docs/environments/tucson-teststand/index.rst new file mode 100644 index 0000000000..69b18103f3 --- /dev/null +++ b/docs/environments/tucson-teststand/index.rst @@ -0,0 +1,7 @@ +.. jinja:: tucson-teststand + :file: environments/_title.rst.jinja + +tucson-teststand is the development and integration environment for the Telescope & Site and Commissioning teams, hosted out of NOIRLab in Tucson. + +.. jinja:: tucson-teststand + :file: environments/_summary.rst.jinja From 8466e978149407a07770463ba8843650f0fbdbe0 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Thu, 13 Oct 2022 18:18:58 -0400 Subject: [PATCH 1167/1479] Ignore typing issue in expandcharts --- src/phalanx/testing/expandcharts.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/phalanx/testing/expandcharts.py b/src/phalanx/testing/expandcharts.py index 4dee047111..79751cc095 100644 --- a/src/phalanx/testing/expandcharts.py +++ b/src/phalanx/testing/expandcharts.py @@ -29,7 +29,7 @@ def get_changed_charts() -> List[str]: if (path / "Chart.yaml").exists(): diff = repo.head.commit.diff("origin/master", paths=[str(path)]) for change_type in DiffIndex.change_type: - if any(diff.iter_change_type(change_type)): + if any(diff.iter_change_type(change_type)): # type: ignore print("Found changed chart", path.name) charts.append(path.name) break From e9140192a49faa99f7945271345c806a3dfa8335 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 14 Oct 2022 11:06:15 -0400 Subject: [PATCH 1168/1479] Add identity provider to env summary --- docs/environments/_summary.rst.jinja | 2 ++ src/phalanx/docs/models.py | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/docs/environments/_summary.rst.jinja b/docs/environments/_summary.rst.jinja index 188caf48fc..08c33bbbe3 100644 --- a/docs/environments/_summary.rst.jinja +++ b/docs/environments/_summary.rst.jinja 
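Review bot: The bare `# type: ignore` added in src/phalanx/testing/expandcharts.py suppresses every mypy error on that line, not only the one this commit works around, so a later regression on the same statement would go unnoticed; prefer the specific code mypy reported, `# type: ignore[<error-code>]`, so that `warn_unused_ignores` can flag it once the upstream stubs improve. A short trailing comment naming the typing problem being ignored would tell the next maintainer when the suppression can be dropped. The enclosing function `get_changed_charts` starts outside the hunk.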
@@ -17,3 +17,5 @@ - `values-{{ env.name }}.yaml `__ - `values.yaml `__ {% endfor %} + * - Identity provider + - {{ env.identity_provider }} diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index c74c3c7ee0..4b5de9f7a6 100644 --- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py @@ -73,6 +73,25 @@ def argocd_url(self) -> Optional[str]: # Environments like minikube don't expose an argo cd URL return None + @property + def identity_provider(self) -> str: + """A description of the identity provider for Gafaelfawr.""" + gafaelfawr = self.get_app("gafaelfawr") + if gafaelfawr is None: + return "Unknown" + + config_values = gafaelfawr.env_values[self.name]["config"] + if "cilogon" in config_values: + return "CILogon" + + if "github" in config_values: + return "GitHub" + + if "oidc" in config_values: + return "OIDC" + + return "Unknown" + def get_app(self, name) -> Optional[Application]: """Get the named application.""" for app in self.apps: From 127ac5e4305adfb33ccf0862d94d6f887441b1db Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 14 Oct 2022 11:48:54 -0400 Subject: [PATCH 1169/1479] Add support for the Argo CD RBAC table This includes the Argo CD RBAC CSV table in the environment summary, using the csv-list directive to render it. --- docs/conf.py | 4 ++++ docs/environments/_summary.rst.jinja | 8 ++++++++ src/phalanx/docs/models.py | 23 ++++++++++++++++++++++- 3 files changed, 34 insertions(+), 1 deletion(-) diff --git a/docs/conf.py b/docs/conf.py index 23ca18c93d..1d7c6ee741 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -10,6 +10,10 @@ for env in phalanx_metadata.environments: jinja_contexts[env.name] = {"env": env} +jinja_env_kwargs = { + "lstrip_blocks": True, +} + exclude_patterns.extend( # noqa: F405 ["requirements.txt", "environments/_summary.rst.jinja"] ) diff --git a/docs/environments/_summary.rst.jinja b/docs/environments/_summary.rst.jinja index 08c33bbbe3..247605e00c 100644 --- a/docs/environments/_summary.rst.jinja 
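Review bot: `gafaelfawr.env_values[self.name]["config"]` in the new `identity_provider` property (hunk `@@ -73,6 +73,25 @@` of src/phalanx/docs/models.py) is unguarded, unlike the neighbouring `argocd_url`, so an environment that enables gafaelfawr without a `values-<env>.yaml` or without a `config` key aborts the docs build with KeyError instead of reporting "Unknown"; `config_values = gafaelfawr.env_values.get(self.name, {}).get("config", {})` preserves the fallback. The provider is inferred from key presence in a fixed order (cilogon, github, oidc), so a values file carrying more than one block reports only the first; a comment stating that the order is deliberate, or a check that exactly one is present, would make the intent explicit. `get_app` continues outside the hunk.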
+++ b/docs/environments/_summary.rst.jinja @@ -19,3 +19,11 @@ {% endfor %} * - Identity provider - {{ env.identity_provider }} + {% if env.argocd_rbac_csv %} + * - Argo CD RBAC + - .. csv-table:: + + {% for csvline in env.argocd_rbac_csv %} + {{ csvline }} + {%- endfor %} + {% endif %} diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index 4b5de9f7a6..61ab4a4172 100644 --- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py @@ -63,7 +63,7 @@ def argocd_url(self) -> Optional[str]: """Path to the Argo CD UI.""" argocd = self.get_app("argocd") if argocd is None: - return None + return "N/A" try: return argocd.env_values[self.name]["argo-cd"]["server"]["config"][ @@ -71,6 +71,27 @@ def argocd_url(self) -> Optional[str]: ] except KeyError: # Environments like minikube don't expose an argo cd URL + return "N/A" + + @property + def argocd_rbac_csv(self) -> Optional[List[str]]: + """The Argo CD RBAC table, as a list of CSV lines.""" + argocd = self.get_app("argocd") + if argocd is None: + return None + + try: + rbac_csv = argocd.env_values[self.name]["argo-cd"]["server"][ + "rbacConfig" + ]["policy.csv"] + lines = [ + ",".join([f"``{item.strip()}``" for item in line.split(",")]) + for line in rbac_csv.splitlines() + ] + print(lines) + return lines + except KeyError: + # Some environments may not configure an RBAC return None @property From 189e573d9ed64ffeea93850559fb09e403263ee2 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 14 Oct 2022 12:20:51 -0400 Subject: [PATCH 1170/1479] Add gafaelfawr role-group mapping This will need to be updated when a new syntax for presenting GitHub teams is added. --- docs/environments/_summary.rst.jinja | 16 ++++++++++++++++ src/phalanx/docs/models.py | 25 ++++++++++++++++++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/docs/environments/_summary.rst.jinja b/docs/environments/_summary.rst.jinja index 247605e00c..4314894fe7 100644 --- a/docs/environments/_summary.rst.jinja 
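Review bot: Both early exits in `argocd_url` now return the string `"N/A"` (hunks `@@ -63,7 +63,7 @@` and `@@ -71,6 +71,27 @@` of src/phalanx/docs/models.py), yet the signature still reads `def argocd_url(self) -> Optional[str]:` and no path returns None any more; change it to `def argocd_url(self) -> str:` and say so in the docstring, e.g. `"""URL of the Argo CD UI, or "N/A" when the environment does not configure one."""`. Mixing a display sentinel into the model also means a caller that tests `if env.argocd_url:` now treats "N/A" as a real URL; keeping None here and rendering the placeholder in the Jinja template would keep data separate from presentation.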
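Review bot: `print(lines)` in the new `argocd_rbac_csv` property is leftover debugging that writes every environment's Argo CD RBAC table to stdout on each Sphinx build; remove it. Each cell is wrapped in double backticks, so a blank or comment line in `policy.csv` would become a cell containing only two backticks and break the csv-table; skipping lines where `line.strip()` is empty before the join avoids that if such lines can appear. As in `argocd_url`, `except KeyError` does not cover a None intermediate from an empty YAML node, which would surface as TypeError.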
+++ b/docs/environments/_summary.rst.jinja @@ -19,6 +19,22 @@ {% endfor %} * - Identity provider - {{ env.identity_provider }} + {% if env.gafaelfawr_roles %} + * - Gafaelfawr groups + - .. list-table:: + + * - Role + - Groups + {% for role_groups in env.gafaelfawr_roles %} + * - ``{{ role_groups[0] }}`` + - - ``{{ role_groups[1][0] }}`` + {% if role_groups[1]|length > 1 %} + {% for group in role_groups[1][1:] %} + - ``{{ group }}`` + {%- endfor %} + {%- endif %} + {%- endfor %} + {% endif %} {% if env.argocd_rbac_csv %} * - Argo CD RBAC - .. csv-table:: diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index 61ab4a4172..06f18e343a 100644 --- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py @@ -4,7 +4,7 @@ from dataclasses import dataclass, field from pathlib import Path -from typing import Dict, List, Optional +from typing import Dict, List, Optional, Tuple import yaml @@ -113,6 +113,29 @@ def identity_provider(self) -> str: return "Unknown" + @property + def gafaelfawr_roles(self) -> List[Tuple[str, List[str]]]: + """Gafaelfawr role mapping.""" + roles: List[Tuple[str, List[str]]] = [] + + gafaelfawr = self.get_app("gafaelfawr") + if gafaelfawr is None: + return roles + + try: + group_mapping = gafaelfawr.env_values[self.name]["config"][ + "groupMapping" + ] + except KeyError: + return roles + + role_names = sorted(group_mapping.keys()) + for role_name in role_names: + groups = group_mapping[role_name] + roles.append((role_name, groups)) + + return roles + def get_app(self, name) -> Optional[Application]: """Get the named application.""" for app in self.apps: From 8021fa424ce1952aebda23cd185c808398d205d2 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 14 Oct 2022 12:21:48 -0400 Subject: [PATCH 1171/1479] Drop prototype/debugging from idfdev page --- docs/environments/idfdev/index.rst | 45 ------------------------------ 1 file changed, 45 deletions(-) 
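Review bot: `gafaelfawr_roles` (hunk `@@ -113,6 +113,29 @@` of src/phalanx/docs/models.py) appends `group_mapping[role_name]` unchecked while annotating it as `List[str]`, and the template added in this commit indexes `role_groups[1][0]`, so a role mapped to an empty list or to a non-list value (the commit message anticipates a new GitHub-team syntax) would fail at render time with IndexError or TypeError; skipping roles whose group list is empty, and documenting the expected shape in the docstring, would make the contract explicit. The `except KeyError` again misses a None intermediate from an empty YAML node, as in the sibling properties.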
diff --git a/docs/environments/idfdev/index.rst b/docs/environments/idfdev/index.rst index 6adfafcc6e..1de77f5194 100644 --- a/docs/environments/idfdev/index.rst +++ b/docs/environments/idfdev/index.rst @@ -6,48 +6,3 @@ The primary use of idfdev is for application development by the SQuaRE team. .. jinja:: idfdev :file: environments/_summary.rst.jinja - -.. list-table:: - - * - Phalanx name - - ``idfdev`` - * - Root domain - - `data-dev.lsst.cloud `__ - * - Argo CD - - https://data-dev.lsst.cloud/argo-cd - * - Applications - - - `argocd <#>`__ — `values-idfdev.yaml <#>`__ + `values.yaml <#>`__ - - `gafaelfawr <#>`__ — `values-idfdev.yaml <#>`__ + `values.yaml <#>`__ - * - Identity provider - - ``ldaps://ldap-test.cilogon.org`` - * - Gafaelfawr groups - - .. list-table:: - - * - Role - - Groups - * - ``admin:provision`` - - - ``g_science-platform-idf-dev`` - * - ``exec:admin`` - - - ``g_science-platform-idf-dev`` - * - ``exec:notebook`` - - - ``g_science-platform-idf-dev`` - * - ``exec:portal`` - - - ``g_science-platform-idf-dev`` - * - ``read:image`` - - - ``g_science-platform-idf-dev`` - * - ``read:tap`` - - - ``g_science-platform-idf-dev`` - * - Argo CD access - - .. code-block:: text - - g, adam@lsst.cloud, role:admin - g, afausti@lsst.cloud, role:admin - g, christine@lsst.cloud, role:admin - g, dspeck@lsst.cloud, role:admin - g, frossie@lsst.cloud, role:admin - g, jsick@lsst.cloud, role:admin - g, krughoff@lsst.cloud, role:admin - g, rra@lsst.cloud, role:admin - g, gpdf@lsst.cloud, role:admin - g, loi@lsst.cloud, role:admin - g, roby@lsst.cloud, role:admin From 06aef5c4f23b5e3bb6f682dc808ec2f21de98d3d Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Fri, 14 Oct 2022 13:53:18 -0400 Subject: [PATCH 1172/1479] Add px-env and px-app roles for cross-refs px-env cross references to a Phalanx environment page. px-app cross references to a Phalanx app page. The corresponding directives for these roles will be added automatically through the Jinja page templates (i.e. environments/_title.rst.jinja. --- docs/documenteer.toml | 1 + docs/environments/_title.rst.jinja | 2 ++ src/phalanx/docs/crossref.py | 27 +++++++++++++++++++++++++++ 3 files changed, 30 insertions(+) create mode 100644 src/phalanx/docs/crossref.py diff --git a/docs/documenteer.toml b/docs/documenteer.toml index b7763563a6..3b3f6b58e1 100644 --- a/docs/documenteer.toml +++ b/docs/documenteer.toml @@ -11,6 +11,7 @@ rst_epilog_file = "_rst_epilog.rst" extensions = [ "sphinx_diagrams", "sphinx_jinja", + "phalanx.docs.crossref", ] [sphinx.linkcheck] diff --git a/docs/environments/_title.rst.jinja b/docs/environments/_title.rst.jinja index bc9e662687..a6574d09ac 100644 --- a/docs/environments/_title.rst.jinja +++ b/docs/environments/_title.rst.jinja @@ -1,3 +1,5 @@ +.. px-env:: {{ env.name }} + {{ "#" * (env.name|length + env.domain|length + 3) }} {{ env.name }} — {{ env.domain }} {{ "#" * (env.name|length + env.domain|length + 3) }} diff --git a/src/phalanx/docs/crossref.py b/src/phalanx/docs/crossref.py new file mode 100644 index 0000000000..9f92aab557 --- /dev/null +++ b/src/phalanx/docs/crossref.py 
@@ -0,0 +1,27 @@ +"""Cross-referencing roles and directives for Phalanx topics.""" + +from __future__ import annotations + +from sphinx.application import Sphinx + +__all__ = ["setup"] + + +def setup(app: Sphinx) -> None: + """Set up the Phalan cross-referencing extensions.""" + app.add_crossref_type( + "px-env", + "px-env", + indextemplate="single: %s", + ref_nodeclass=None, + objname="", + override=False, + ) + app.add_crossref_type( + "px-app", + "px-app", + indextemplate="single: %s", + ref_nodeclass=None, + objname="", + override=False, + ) From da8fa46122584f33f046d7e5fdf6fa3131acae7b Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Fri, 14 Oct 2022 17:08:52 -0400 Subject: [PATCH 1173/1479] Drop use of jinja template for title It turns out that using a jinja template for the title disrupts the toctree; for now we'll have to "manually" maintain these titles. --- docs/environments/_title.rst.jinja | 5 ----- docs/environments/base/index.rst | 7 +++++-- docs/environments/ccin2p3/index.rst | 7 +++++-- docs/environments/idfdev/index.rst | 7 +++++-- docs/environments/idfint/index.rst | 7 +++++-- docs/environments/idfprod/index.rst | 7 +++++-- docs/environments/minikube/index.rst | 7 +++++-- docs/environments/roe/index.rst | 7 +++++-- docs/environments/summit/index.rst | 7 +++++-- docs/environments/tucson-teststand/index.rst | 7 +++++-- 10 files changed, 45 insertions(+), 23 deletions(-) delete mode 100644 docs/environments/_title.rst.jinja diff --git a/docs/environments/_title.rst.jinja b/docs/environments/_title.rst.jinja deleted file mode 100644 index a6574d09ac..0000000000 --- a/docs/environments/_title.rst.jinja +++ /dev/null @@ -1,5 +0,0 @@ -.. px-env:: {{ env.name }} - -{{ "#" * (env.name|length + env.domain|length + 3) }} -{{ env.name }} — {{ env.domain }} -{{ "#" * (env.name|length + env.domain|length + 3) }} diff --git a/docs/environments/base/index.rst b/docs/environments/base/index.rst index 3e576b4836..588f1f65fc 100644 
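Review bot: The docstring of the new `setup` function misspells the project name; it should read `"""Set up the Phalanx cross-referencing extensions."""`. Sphinx also treats a `setup` that returns `None` as an extension of unknown version that is not parallel-safe, so if these two cross-reference types are in fact safe to build in parallel, `return {"version": "0.1", "parallel_read_safe": True, "parallel_write_safe": True}` (with the annotation changed to `-> dict`) is the conventional ending. The two `add_crossref_type` calls differ only in the type name, so a short loop over `("px-env", "px-app")` would keep the keyword arguments in one place.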
--- a/docs/environments/base/index.rst +++ b/docs/environments/base/index.rst @@ -1,5 +1,8 @@ -.. jinja:: base - :file: environments/_title.rst.jinja +.. px-env:: base + +########################## +base — base-lsp.lsst.codes +########################## base is the environment for the Rubin Science Platform at the Rubin Base facility in La Serena. diff --git a/docs/environments/ccin2p3/index.rst b/docs/environments/ccin2p3/index.rst index d74092b716..9d42f9436b 100644 --- a/docs/environments/ccin2p3/index.rst +++ b/docs/environments/ccin2p3/index.rst @@ -1,5 +1,8 @@ -.. jinja:: ccin2p3 - :file: environments/_title.rst.jinja +.. px-env:: ccin2p3 + +########################## +ccin2p3 — data-dev.lsst.eu +########################## ccin2p3 is the environment for the Rubin Science Platform at the `CC-IN2P3 `__. diff --git a/docs/environments/idfdev/index.rst b/docs/environments/idfdev/index.rst index 1de77f5194..547e17b50d 100644 --- a/docs/environments/idfdev/index.rst +++ b/docs/environments/idfdev/index.rst @@ -1,5 +1,8 @@ -.. jinja:: idfdev - :file: environments/_title.rst.jinja +.. px-env:: idfdev + +############################ +idfdev — data-dev.lsst.cloud +############################ idfdev is a development environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform). The primary use of idfdev is for application development by the SQuaRE team. diff --git a/docs/environments/idfint/index.rst b/docs/environments/idfint/index.rst index 0c71c783e5..a0d9893c52 100644 --- a/docs/environments/idfint/index.rst +++ b/docs/environments/idfint/index.rst 
@@ -1,5 +1,8 @@ -.. jinja:: idfint - :file: environments/_title.rst.jinja +.. px-env:: idfint + +############################ +idfint — data-int.lsst.cloud +############################ idfint is a development and integration environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform). The primary use of idfint is Rubin construction and operations teams to integrate applications into the Rubin Science Platform. diff --git a/docs/environments/idfprod/index.rst b/docs/environments/idfprod/index.rst index 2851bafd28..ab9b1ad475 100644 --- a/docs/environments/idfprod/index.rst +++ b/docs/environments/idfprod/index.rst @@ -1,5 +1,8 @@ -.. jinja:: idfprod - :file: environments/_title.rst.jinja +.. px-env:: idfprod + +######################### +idfprod — data.lsst.cloud +######################### idfprod is the production environment for the Rubin Science Platform at IDF (hosted on Google Cloud Platform). idfprod serves as the public Rubin Science Platform for the Data Previews. diff --git a/docs/environments/minikube/index.rst b/docs/environments/minikube/index.rst index 26370af188..713f11d254 100644 --- a/docs/environments/minikube/index.rst +++ b/docs/environments/minikube/index.rst @@ -1,5 +1,8 @@ -.. jinja:: minikube - :file: environments/_title.rst.jinja +.. px-env:: minikube + +############################## +minikube — minikube.lsst.codes +############################## minikube is the Phalanx testing environment for the Rubin Science Platform. minikube is stood up in the GitHub Actions CI workflow for the phalanx environment. diff --git a/docs/environments/roe/index.rst b/docs/environments/roe/index.rst index 3824d06473..4fe36c2c68 100644 --- a/docs/environments/roe/index.rst +++ b/docs/environments/roe/index.rst 
@@ -1,5 +1,8 @@ -.. jinja:: roe - :file: environments/_title.rst.jinja +.. px-env:: roe + +#################### +roe — rsp.lsst.ac.uk +#################### roe is the environment for the Rubin Science Platform hosted at the `Royal Observatory, Edinburgh `__. diff --git a/docs/environments/summit/index.rst b/docs/environments/summit/index.rst index 75f4dac6e6..797de1f5d1 100644 --- a/docs/environments/summit/index.rst +++ b/docs/environments/summit/index.rst @@ -1,5 +1,8 @@ -.. jinja:: summit - :file: environments/_title.rst.jinja +.. px-env:: summit + +############################## +summit — summit-lsp.lsst.codes +############################## summit is the environment for the Rubin Science Platform at the Rubin summit. The primary use of summit is for observatory operations at the summit site itself. diff --git a/docs/environments/tucson-teststand/index.rst b/docs/environments/tucson-teststand/index.rst index 69b18103f3..afa588c2d3 100644 --- a/docs/environments/tucson-teststand/index.rst +++ b/docs/environments/tucson-teststand/index.rst @@ -1,5 +1,8 @@ -.. jinja:: tucson-teststand - :file: environments/_title.rst.jinja +.. px-env:: tucson-teststand + +############################################## +tucson-teststand — tucson-teststand.lsst.codes +############################################## tucson-teststand is the development and integration environment for the Telescope & Site and Commissioning teams, hosted out of NOIRLab in Tucson. From 4fa4212a54500bc6808899204a5defa6f212a5e9 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Fri, 14 Oct 2022 17:10:23 -0400 Subject: [PATCH 1174/1479] Template summary table for applications Similar to the summary table for environments, this jinja-sphinx-based template provides summary info for applications in Phalanx. At the moment the table, and the Application model that powers it, only gather the app's namespace and cross-links to the environments that use the application. Here the code for getting the k8s Namespace is a bit fragile because it's using a regular expression to parse the namespace from the app's Helm template. Potentially we could put these namespaces in the science-platform values to be able to drop use of regular expressions. --- docs/applications/_summary.rst.jinja | 16 ++++ docs/applications/argo-cd/index.rst | 27 ++++-- docs/conf.py | 12 ++- docs/environments/_summary.rst.jinja | 2 +- src/phalanx/docs/models.py | 123 +++++++++++++++++++++------ 5 files changed, 144 insertions(+), 36 deletions(-) create mode 100644 docs/applications/_summary.rst.jinja diff --git a/docs/applications/_summary.rst.jinja b/docs/applications/_summary.rst.jinja new file mode 100644 index 0000000000..40b18c2e6b --- /dev/null +++ b/docs/applications/_summary.rst.jinja @@ -0,0 +1,16 @@ +.. list-table:: + + * - Type + - Helm_ + * - Namespace + - {{ app.namespace }} + {% if app.active_environments %} + * - Environments + - .. list-table:: + + {% for env_name in app.active_environments %} + * - :px-env:`{{ env_name }}` + - `values `__ + - `Argo CD <{{ envs[env_name].argocd_url }}/applications/{{ app.name }}>`__ + {% endfor %} + {% endif %} diff --git a/docs/applications/argo-cd/index.rst b/docs/applications/argo-cd/index.rst index 0e9fa56886..f44ab1a05a 100644 --- a/docs/applications/argo-cd/index.rst +++ b/docs/applications/argo-cd/index.rst 
@@ -1,6 +1,15 @@ -####### -Argo CD -####### +.. px-app:: argocd + +###### +argocd +###### + +`Argo CD`_ is the software that manages all Kubernetes resources in a deployment of the Rubin Science Platform. +It is itself a set of Kubernetes resources and running pods managed with `Helm`_. + +.. jinja:: argocd + :file: applications/_summary.rst.jinja + :debug: .. list-table:: :widths: 10,40 @@ -10,7 +19,8 @@ Argo CD * - Namespace - ``argocd`` -.. rubric:: Overview +Overview +======== `Argo CD`_ is the software that manages all Kubernetes resources in a deployment of the Rubin Science Platform. It is itself a set of Kubernetes resources and running pods managed with `Helm`_. @@ -19,10 +29,10 @@ Argo CD cannot manage and upgrade itself, so it periodically should be upgraded Argo CD is installed and bootstrapped as part of the cluster creation process. The UI is exposed on the ``/argo-cd`` route for the Science Platform. Unlike other resources on the Science Platform, it is not protected by Gafaelfawr. -It instead uses username and password authentication. -The username and password are stored in the SQuaRE 1Password vault. +See :doc:`authentication` -.. rubric:: Warnings +Warnings +======== Argo CD is somewhat particular about how its resources are set up. Everything related to Argo CD that can be namespaced must be in the ``argocd`` namespace. @@ -42,7 +52,8 @@ To delete the stray ``Application`` resource, edit it with ``kubectl edit`` and Instead, follow the upgrade process described below. -.. rubric:: Guides +Guides +====== .. toctree:: diff --git a/docs/conf.py b/docs/conf.py index 1d7c6ee741..94731d2b65 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -9,13 +9,23 @@ jinja_contexts: Dict[str, Dict] = {} for env in phalanx_metadata.environments: jinja_contexts[env.name] = {"env": env} +for app in phalanx_metadata.apps: + jinja_contexts[app.name] = { + "app": app, + "envs": {env.name: env for env in phalanx_metadata.environments}, + } + jinja_env_kwargs = { "lstrip_blocks": True, } exclude_patterns.extend( # noqa: F405 - ["requirements.txt", "environments/_summary.rst.jinja"] + [ + "requirements.txt", + "environments/_summary.rst.jinja", + "applications/_summary.rst.jinja", + ] ) linkcheck_anchors = False diff --git a/docs/environments/_summary.rst.jinja b/docs/environments/_summary.rst.jinja index 4314894fe7..e0584b7c2f 100644 --- a/docs/environments/_summary.rst.jinja +++ b/docs/environments/_summary.rst.jinja @@ -13,7 +13,7 @@ - Environment values - Defaults {% for app in env.apps %} - * - {{ app.name }} + * - :px-app:`{{ app.name }}` - `values-{{ env.name }}.yaml `__ - `values.yaml `__ {% endfor %} diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index 06f18e343a..d715d16783 100644 --- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py @@ -2,9 +2,10 @@ from __future__ import annotations +import re from dataclasses import dataclass, field from pathlib import Path -from typing import Dict, List, Optional, Tuple +from typing import Any, Dict, List, Optional, Tuple import yaml 
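Review bot: The new loop writes `jinja_contexts[app.name]` into the same dictionary that the preceding loop already keys by `env.name`, so an application and an environment that share a name would silently overwrite each other's context and the corresponding `.. jinja::` directive would render the wrong data. None of the names visible in this patch collide, but a guard makes the failure loud rather than silent: `assert app.name not in jinja_contexts, f"jinja context name collision: {app.name}"` just before the assignment. The `envs` mapping is also rebuilt from scratch for every application; computing it once above the loop and reusing it is cheaper and reads more clearly.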
@@ -25,18 +26,82 @@ class Application: This name is used to label directories, etc. """ - env_values: Dict[str, Dict] + values: Dict[str, Dict] """The parsed Helm values for each environment.""" + active_environments: List[str] = field(default_factory=list) + """Environments where this application is active.""" + + namespace: str + """Kubernetes namespace""" + @classmethod - def load(cls, *, app_dir: Path) -> Application: - # Load values files for each environment - env_values: Dict[str, Dict] = {} + def load( + cls, *, app_dir: Path, root_dir: Path, env_values: Dict[str, Dict] + ) -> Application: + """Load an application from the Phalanx repository. + + Parameters + ---------- + app_dir : `pathlib.Path` + The application's directory (where its Helm chart is located + in Phalanx). + env_values : `dict` + The Helm values for each environment, keyed by the environment + name. This data determines where the application is active. + """ + app_name = app_dir.name + + # Load the app's values files for each environment + values: Dict[str, Dict] = {} for values_path in app_dir.glob("values-*.yaml"): env_name = values_path.stem.removeprefix("values-") - env_values[env_name] = yaml.safe_load(values_path.read_text()) + values[env_name] = yaml.safe_load(values_path.read_text()) + + # Determine what environments use this app based on the environment's + # values file. 
+ active_environments: List[str] = [] + for env_name, env_configs in env_values.items(): + if app_name == "argocd": + active_environments.append(env_name) + continue - return cls(name=app_dir.name, env_values=env_values) + try: + reformatted_name = app_name.replace("-", "_") + if env_configs[reformatted_name]["enabled"] is True: + active_environments.append(env_name) + except KeyError: + pass + active_environments.sort() + + # Open the Application Helm definition to get namespace info + namespace = "Unknown" + app_template_path = root_dir.joinpath( + ENVIRONMENTS_DIR, "templates", f"{app_name}-application.yaml" + ) + if app_template_path.is_file(): + app_template = app_template_path.read_text() + # Extract the namespace from the Helm template + pattern = ( + r"destination:\n" + r"[ ]+namespace:[ ]*[\"]?(?P[a-zA-Z][\w-]+)[\"]?" + ) + m = re.search( + pattern, app_template, flags=re.MULTILINE | re.DOTALL + ) + if m: + namespace = m.group("namespace") + else: + print(f"Did not match template for namespace for {app_name}") + else: + print(f"Could not open app template for {app_name}") + + return cls( + name=app_name, + values=values, + active_environments=active_environments, + namespace=namespace, + ) @dataclass(kw_only=True) @@ -66,7 +131,7 @@ def argocd_url(self) -> Optional[str]: return "N/A" try: - return argocd.env_values[self.name]["argo-cd"]["server"]["config"][ + return argocd.values[self.name]["argo-cd"]["server"]["config"][ "url" ] except KeyError: @@ -81,7 +146,7 @@ def argocd_rbac_csv(self) -> Optional[List[str]]: return None try: - rbac_csv = argocd.env_values[self.name]["argo-cd"]["server"][ + rbac_csv = argocd.values[self.name]["argo-cd"]["server"][ "rbacConfig" ]["policy.csv"] lines = [ @@ -101,7 +166,7 @@ def identity_provider(self) -> str: if gafaelfawr is None: return "Unknown" - config_values = gafaelfawr.env_values[self.name]["config"] + config_values = gafaelfawr.values[self.name]["config"] if "cilogon" in config_values: return "CILogon" 
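Review bot: The `except KeyError: pass` around `env_configs[reformatted_name]["enabled"]` does not cover an environment values file where the application stanza is present but empty — a bare `vo_cutouts:` loads as `None` under `yaml.safe_load`, and subscripting it raises `TypeError`, which escapes `Application.load` and aborts the docs build; `except (KeyError, TypeError): pass` keeps such a stanza treated as "not enabled". The docstring of `load` documents `app_dir` and `env_values` but omits the new `root_dir` parameter, which deserves an entry such as ``root_dir : `pathlib.Path` The root of the Phalanx repository, used to locate the application's Argo CD template.``. The namespace pattern `[a-zA-Z][\w-]+` requires at least two characters, so a one-letter namespace would fall through to `"Unknown"`; `[\w-]*` avoids that corner. Finally, `namespace: str` without a default follows a field with `default_factory`, which is only legal if `Application` is declared with `@dataclass(kw_only=True)` — the decorator is outside this hunk, so please confirm it matches the one used for `Environment` below.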
@@ -123,7 +188,7 @@ def gafaelfawr_roles(self) -> List[Tuple[str, List[str]]]: return roles try: - group_mapping = gafaelfawr.env_values[self.name]["config"][ + group_mapping = gafaelfawr.values[self.name]["config"][ "groupMapping" ] except KeyError: @@ -145,12 +210,11 @@ def get_app(self, name) -> Optional[Application]: @classmethod def load( - cls, *, env_values_path: Path, applications: List[Application] + cls, *, values: Dict[str, Any], applications: List[Application] ) -> Environment: """Load an environment by inspecting the Phalanx repository.""" # Extract name from dir/values-envname.yaml - env_values = yaml.safe_load(env_values_path.read_text()) - name = env_values["environment"] + name = values["environment"] # Get Application instances active in this environment apps: List[Application] = [] @@ -161,7 +225,7 @@ def load( continue try: - if env_values[app.name]["enabled"] is True: + if values[app.name]["enabled"] is True: apps.append(app) except KeyError: continue @@ -169,8 +233,8 @@ def load( return Environment( name=name, - domain=env_values["fqdn"], - vault_path_prefix=env_values["vault_path_prefix"], + domain=values["fqdn"], + vault_path_prefix=values["vault_path_prefix"], apps=apps, ) 
@@ -203,23 +267,30 @@ def load_phalanx(cls, root_dir: Path) -> Phalanx: apps: List[Application] = [] envs: List[Environment] = [] + # Pre-load the values files for each environment + env_values: Dict[str, Dict[str, Any]] = {} + for env_values_path in root_dir.joinpath(ENVIRONMENTS_DIR).glob( + "values-*.yaml" + ): + if not env_values_path.is_file(): + continue + values = yaml.safe_load(env_values_path.read_text()) + name = values["environment"] + env_values[name] = values + # Gather applications for app_dir in root_dir.joinpath(APPS_DIR).iterdir(): if not app_dir.is_dir(): continue - app = Application.load(app_dir=app_dir) + app = Application.load( + app_dir=app_dir, env_values=env_values, root_dir=root_dir + ) apps.append(app) apps.sort(key=lambda a: a.name) # Gather environments - for env_values_path in root_dir.joinpath(ENVIRONMENTS_DIR).glob( - "values-*.yaml" - ): - if not env_values_path.is_file(): - continue - env = Environment.load( - env_values_path=env_values_path, applications=apps - ) + for env_name, values in env_values.items(): + env = Environment.load(values=values, applications=apps) envs.append(env) return cls(environments=envs, apps=apps) From fcb724e662f745cf6bafb9ddfa78a55d2ac1567d Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 17 Oct 2022 10:49:23 -0400 Subject: [PATCH 1175/1479] wip pages for argo-cd, cachemachine, cert-manager --- docs/applications/argo-cd/index.rst | 8 -------- docs/applications/cachemachine/index.rst | 20 +++++++------------- docs/applications/cert-manager/index.rst | 16 +++++++--------- 3 files changed, 14 insertions(+), 30 deletions(-) diff --git a/docs/applications/argo-cd/index.rst b/docs/applications/argo-cd/index.rst index f44ab1a05a..a5747c7784 100644 --- a/docs/applications/argo-cd/index.rst +++ b/docs/applications/argo-cd/index.rst 
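Review bot: In the new pre-load loop `name = values["environment"]` fails with a bare `KeyError` that does not say which values file is malformed, and two files declaring the same `environment` value silently overwrite each other in `env_values`; a check such as `if name in env_values: raise ValueError(f"duplicate environment {name!r} in {env_values_path}")` after the lookup would surface both problems with the file path attached. The loop variable `env_name` in `for env_name, values in env_values.items():` is never used, so `for values in env_values.values():` states the intent directly. `values` is also reused as a name for both the pre-load result and the loop variable, which makes the two phases of `load_phalanx` harder to tell apart when reading.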
@@ -11,14 +11,6 @@ It is itself a set of Kubernetes resources and running pods managed with `Helm`_ :file: applications/_summary.rst.jinja :debug: -.. list-table:: - :widths: 10,40 - - * - Type - - Helm_ - * - Namespace - - ``argocd`` - Overview ======== diff --git a/docs/applications/cachemachine/index.rst b/docs/applications/cachemachine/index.rst index c31dac091a..ee2881d592 100644 --- a/docs/applications/cachemachine/index.rst +++ b/docs/applications/cachemachine/index.rst @@ -1,25 +1,19 @@ +.. px-app:: cachemachine + ############ cachemachine ############ -.. list-table:: - :widths: 10,40 - - * - Edit on GitHub - - `/services/cachemachine `__ - * - Type - - Helm_ - * - Namespace - - ``cachemachine`` - -.. rubric:: Overview +Cachemachine is the RSP's image prepulling service. -The ``cachemachine`` service is an installation of the RSP's image-prepulling service from its `Helm chart `__. +.. jinja:: cachemachine + :file: applications/_summary.rst.jinja Upgrading ``cachemachine`` is generally painless. A simple Argo CD sync is sufficient. -.. rubric:: Guides +Guides +====== .. toctree:: diff --git a/docs/applications/cert-manager/index.rst b/docs/applications/cert-manager/index.rst index 25ddce6a74..be8beba572 100644 --- a/docs/applications/cert-manager/index.rst +++ b/docs/applications/cert-manager/index.rst @@ -1,16 +1,13 @@ +.. px-app:: cert-manager + ############ cert-manager ############ -.. list-table:: - :widths: 10,40 +Cert-manager creates TLS certificates via `Let's Encrypt `__ and automatically renews them. - * - Edit on GitHub - - `/services/cert-manager `__ - * - Type - - Helm_ - * - Namespace - - ``cert-manager`` +.. jinja:: cert-manager + :file: applications/_summary.rst.jinja .. rubric:: Overview 
@@ -47,7 +44,8 @@ It should be recreated by cert-manager. (You may have to also delete the ``Certificate`` resource of the same name and let Argo CD re-create it to trigger this.) This may cause an outage for the Science Platform since it is using this certificate, so you may want to be prepared to port-forward to get to the Argo CD UI in case something goes wrong. -.. rubric:: Guides +Guides +====== .. toctree:: From 43aa425ed6c3dd41d3f68c91fa36224ec18ba5b1 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 17 Oct 2022 11:40:46 -0400 Subject: [PATCH 1176/1479] Add support for Gafelfawr github team values Gafaelfawr 6.2's Helm chart now retains information about GitHub teams; we now use that to format the name and link to that team. --- docs/documenteer.toml | 1 + docs/environments/_summary.rst.jinja | 4 ++-- src/phalanx/docs/models.py | 20 ++++++++++++++++++-- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/docs/documenteer.toml b/docs/documenteer.toml index 3b3f6b58e1..015686c1b9 100644 --- a/docs/documenteer.toml +++ b/docs/documenteer.toml @@ -23,4 +23,5 @@ ignore = [ '^https://minikube.lsst.codes', '^https://base-lsp.lsst.codes', '^https://github.com/lsst-sqre/phalanx/blob/master/services/strimzi/values.yaml', + '^https://github.com/orgs/', ] diff --git a/docs/environments/_summary.rst.jinja b/docs/environments/_summary.rst.jinja index e0584b7c2f..ea7d8f9df9 100644 --- a/docs/environments/_summary.rst.jinja +++ b/docs/environments/_summary.rst.jinja @@ -27,10 +27,10 @@ - Groups {% for role_groups in env.gafaelfawr_roles %} * - ``{{ role_groups[0] }}`` - - - ``{{ role_groups[1][0] }}`` + - - {{ role_groups[1][0] }} {% if role_groups[1]|length > 1 %} {% for group in role_groups[1][1:] %} - - ``{{ group }}`` + - {{ group }} {%- endfor %} {%- endif %} {%- endfor %} diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index d715d16783..04fb3b77e1 100644 --- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py 
@@ -180,7 +180,11 @@ def identity_provider(self) -> str: @property def gafaelfawr_roles(self) -> List[Tuple[str, List[str]]]: - """Gafaelfawr role mapping.""" + """Gafaelfawr role mapping (reStructuredText). + + Group strings may be formatted as reStructuredText links to GitHub + teams. + """ roles: List[Tuple[str, List[str]]] = [] gafaelfawr = self.get_app("gafaelfawr") @@ -196,7 +200,19 @@ def gafaelfawr_roles(self) -> List[Tuple[str, List[str]]]: role_names = sorted(group_mapping.keys()) for role_name in role_names: - groups = group_mapping[role_name] + groups: List[str] = [] + for group in group_mapping[role_name]: + if isinstance(group, str): + # e.g. a comanage group + groups.append(f"``{group}``") + elif isinstance(group, dict) and "github" in group: + org = group["github"]["organization"] + team = group["github"]["team"] + url = f"https://github.com/orgs/{org}/teams/{team}" + groups.append(f":fab:`github` `{org}/{team} <{url}>`__") + else: + print(f"Group type unknown: {group}") + continue roles.append((role_name, groups)) return roles From d601cd0e781ec708c044540c64f644da49b9ba7d Mon Sep 17 00:00:00 2001 
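Review bot: The lookups `group["github"]["organization"]` and `group["github"]["team"]` in the new formatting loop sit outside the `try`/`except KeyError` that guards `groupMapping`, so a GitHub group entry missing either key raises out of the `gafaelfawr_roles` property and aborts the build instead of being reported and skipped like the unknown-type case; using `group["github"].get("organization")` and `.get("team")` and falling into the `else` branch when either is missing would keep the behaviour consistent. The organization and team values are also interpolated unescaped into both the URL and the rST link markup — they come from the repository's own values files, so this is contained, but a value containing backticks or angle brackets would break the rendered table, which is worth a comment such as `# org/team are trusted repo config; not escaped for rST`. The `:fab:` role presumably depends on a Font Awesome Sphinx extension being enabled in the docs configuration, which this patch does not show.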
From: Jonathan Sick Date: Mon, 17 Oct 2022 15:39:41 -0400 Subject: [PATCH 1177/1479] Stub pages for applications --- .../alert-stream-broker/index.rst | 16 ++++++++ docs/applications/datalinker/index.rst | 17 +++++++++ docs/applications/exposurelog/index.rst | 16 ++++++++ docs/applications/gafaelfawr/index.rst | 23 +++++------- docs/applications/hips/index.rst | 16 ++++++++ docs/applications/index.rst | 26 +++++++++++++ docs/applications/ingress-nginx/index.rst | 21 +++++------ docs/applications/mobu/index.rst | 23 ++++-------- docs/applications/moneypenny/index.rst | 16 ++++++++ docs/applications/narrativelog/index.rst | 16 ++++++++ docs/applications/noteburst/index.rst | 16 ++++++++ docs/applications/nublado2/index.rst | 23 ++++-------- docs/applications/plot-navigator/index.rst | 16 ++++++++ docs/applications/portal/index.rst | 16 ++++++++ docs/applications/postgres/index.rst | 37 +++++++++---------- docs/applications/production-tools/index.rst | 16 ++++++++ docs/applications/sasquatch/index.rst | 16 ++++++++ docs/applications/semaphore/index.rst | 16 ++++++++ docs/applications/sherlock/index.rst | 16 ++++++++ docs/applications/squareone/index.rst | 16 ++++++++ .../strimzi-registry-operator/index.rst | 17 +++++++++ docs/applications/strimzi/index.rst | 16 ++++++++ docs/applications/tap-schema/index.rst | 16 ++++++++ docs/applications/tap/index.rst | 31 ++++++---------- docs/applications/telegraf-ds/index.rst | 16 ++++++++ docs/applications/telegraf/index.rst | 16 ++++++++ docs/applications/times-square/index.rst | 16 ++++++++ .../vault-secrets-operator/index.rst | 17 +++------ docs/applications/vo-cutouts/index.rst | 16 ++++++++ 29 files changed, 432 insertions(+), 107 deletions(-) create mode 100644 docs/applications/alert-stream-broker/index.rst create mode 100644 docs/applications/datalinker/index.rst create mode 100644 docs/applications/exposurelog/index.rst create mode 100644 docs/applications/hips/index.rst create mode 100644 
docs/applications/moneypenny/index.rst create mode 100644 docs/applications/narrativelog/index.rst create mode 100644 docs/applications/noteburst/index.rst create mode 100644 docs/applications/plot-navigator/index.rst create mode 100644 docs/applications/portal/index.rst create mode 100644 docs/applications/production-tools/index.rst create mode 100644 docs/applications/sasquatch/index.rst create mode 100644 docs/applications/semaphore/index.rst create mode 100644 docs/applications/sherlock/index.rst create mode 100644 docs/applications/squareone/index.rst create mode 100644 docs/applications/strimzi-registry-operator/index.rst create mode 100644 docs/applications/strimzi/index.rst create mode 100644 docs/applications/tap-schema/index.rst create mode 100644 docs/applications/telegraf-ds/index.rst create mode 100644 docs/applications/telegraf/index.rst create mode 100644 docs/applications/times-square/index.rst create mode 100644 docs/applications/vo-cutouts/index.rst diff --git a/docs/applications/alert-stream-broker/index.rst b/docs/applications/alert-stream-broker/index.rst new file mode 100644 index 0000000000..1f2d9c5dde --- /dev/null +++ b/docs/applications/alert-stream-broker/index.rst @@ -0,0 +1,16 @@ +.. px-app:: alert-stream-broker + +################### +alert-stream-broker +################### + +Alert stream broker. + +.. jinja:: alert-stream-broker + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/datalinker/index.rst b/docs/applications/datalinker/index.rst new file mode 100644 index 0000000000..66072820e8 --- /dev/null +++ b/docs/applications/datalinker/index.rst 
@@ -0,0 +1,17 @@ +.. px-app:: datalinker + +########## +datalinker +########## + +Datalinker provides various facilities for discovering and referring to data products and services within the Rubin Science Platform. +It is primarily based on the IVOA DataLink standard, but also provides some related service discovery facilities beyond the scope of that standard. + +.. jinja:: datalinker + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/exposurelog/index.rst b/docs/applications/exposurelog/index.rst new file mode 100644 index 0000000000..dac572f232 --- /dev/null +++ b/docs/applications/exposurelog/index.rst @@ -0,0 +1,16 @@ +.. px-app:: exposurelog + +########### +exposurelog +########### + +Exposure log is a REST web service to create and manage log messages that are associated with a particular exposure. + +.. jinja:: exposurelog + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/gafaelfawr/index.rst b/docs/applications/gafaelfawr/index.rst index 9a269e2ebd..441f897d78 100644 --- a/docs/applications/gafaelfawr/index.rst +++ b/docs/applications/gafaelfawr/index.rst @@ -1,19 +1,9 @@ +.. px-app:: gafaelfawr + ########## -Gafaelfawr +gafaelfawr ########## -.. list-table:: - :widths: 10,40 - - * - Edit on GitHub - - `/services/gafaelfawr `__ - * - Type - - Helm_ - * - Namespace - - ``gafaelfawr`` - -.. rubric:: Overview - Gafaelfawr provides authentication and identity management services for the Rubin Science Platform. It is primarily used as an NGINX ``auth_request`` handler configured via annotations on the ``Ingress`` resources of Science Platform services. In that role, it requires a user have the required access scope to use that service, rejects users who do not have that scope, and redirects users who are not authenticated to the authentication process. 
@@ -22,9 +12,14 @@ Gafaelfawr supports authentication via either OpenID Connect (often through CILo Gafaelfawr also provides a token management API and (currently) UI for users of the Science Platform. -.. rubric:: Guides +.. jinja:: gafaelfawr + :file: applications/_summary.rst.jinja + +Guides +====== .. toctree:: + :maxdepth: 2 debugging storage diff --git a/docs/applications/hips/index.rst b/docs/applications/hips/index.rst new file mode 100644 index 0000000000..c4a07abf6e --- /dev/null +++ b/docs/applications/hips/index.rst @@ -0,0 +1,16 @@ +.. px-app:: hips + +#### +hips +#### + +HiPS web server backed by Google Cloud Storage. + +.. jinja:: hips + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/index.rst b/docs/applications/index.rst index d2adca0116..1366fec6fb 100644 --- a/docs/applications/index.rst +++ b/docs/applications/index.rst @@ -24,6 +24,32 @@ To learn how to develop applications for Phalanx, see the :doc:`/developers/inde :caption: Rubin Science Platform cachemachine/index + datalinker/index + hips/index mobu/index + moneypenny/index + noteburst/index nublado2/index + portal/index + semaphore/index + sherlock/index + squareone/index tap/index + tap-schema/index + times-square/index + vo-cutouts/index + +.. toctree:: + :maxdepth: 1 + :caption: RSP+ + + alert-stream-broker/index + exposurelog/index + narrativelog/index + plot-navigator/index + production-tools/index + sasquatch/index + strimzi/index + strimzi-registry-operator/index + telegraf/index + telegraf-ds/index diff --git a/docs/applications/ingress-nginx/index.rst b/docs/applications/ingress-nginx/index.rst index 8216127767..a6ad536f5f 100644 --- a/docs/applications/ingress-nginx/index.rst +++ b/docs/applications/ingress-nginx/index.rst 
@@ -1,27 +1,24 @@ +.. px-app:: ingress-nginx + ############# ingress-nginx ############# -.. list-table:: - :widths: 10,40 +The ``ingress-nginx`` application is an installation of `ingress-nginx `__ from its `Helm chart `__. +We use NGINX as the ingress controller for all Rubin Science Platform deployments rather than native ingress controllers because we use the NGINX ``auth_request`` feature to do authentication and authorization. - * - Edit on GitHub - - `/services/ingress-nginx `__ - * - Type - - Helm_ - * - Namespace - - ``ingress-nginx`` +.. jinja:: ingress-nginx + :file: applications/_summary.rst.jinja .. rubric:: Overview -The ``ingress-nginx`` service is an installation of `ingress-nginx `__ from its `Helm chart `__. -We use NGINX as the ingress controller for all Rubin Science Platform deployments rather than native ingress controllers because we use the NGINX ``auth_request`` feature to do authentication and authorization. - Upgrading ``ingress-nginx`` is generally painless. A simple Argo CD sync is sufficient. -.. rubric:: Guides +Guides +====== .. toctree:: + :maxdepth: 2 certificates diff --git a/docs/applications/mobu/index.rst b/docs/applications/mobu/index.rst index 5787f50df1..dae9d6d4a1 100644 --- a/docs/applications/mobu/index.rst +++ b/docs/applications/mobu/index.rst 
@@ -1,29 +1,22 @@ +.. px-app:: mobu + #### mobu #### -.. list-table:: - :widths: 10,40 - - * - Edit on GitHub - - `/services/mobu `__ - * - Type - - Helm_ - * - Namespace - - ``mobu`` - -.. rubric:: Overview - -mobu is the continuous integration testing framework for the Rubin Science Platform. +Mobu is the continuous integration testing framework for the Rubin Science Platform. It runs some number of "monkeys" that simulate a random user of the Science Platform. Those monkeys are organized into "flocks" that share a single configuration across all of the monkeys. Failures are reported to Slack using a Slack incoming webhook. -mobu is maintained on `GitHub `__. +.. jinja:: mobu + :file: applications/_summary.rst.jinja -.. rubric:: Guides +Guides +====== .. toctree:: + :maxdepth: 2 configuring manage-flocks diff --git a/docs/applications/moneypenny/index.rst b/docs/applications/moneypenny/index.rst new file mode 100644 index 0000000000..7e36399f2e --- /dev/null +++ b/docs/applications/moneypenny/index.rst @@ -0,0 +1,16 @@ +.. px-app:: moneypenny + +########## +moneypenny +########## + +Moneypenny provider user-provisioning actions for the Rubin Science Platform. + +.. jinja:: moneypenny + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/narrativelog/index.rst b/docs/applications/narrativelog/index.rst new file mode 100644 index 0000000000..fb9785ece7 --- /dev/null +++ b/docs/applications/narrativelog/index.rst @@ -0,0 +1,16 @@ +.. px-app:: narrativelog + +############ +narrativelog +############ + +Narrative log service for Rubin Observatory. + +.. jinja:: narrativelog + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/noteburst/index.rst b/docs/applications/noteburst/index.rst new file mode 100644 index 0000000000..4127a85d0f --- /dev/null +++ b/docs/applications/noteburst/index.rst 
@@ -0,0 +1,16 @@ +.. px-app:: noteburst + +######### +noteburst +######### + +Noteburst is a notebook execution service for the Rubin Science Platform. + +.. jinja:: noteburst + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/nublado2/index.rst b/docs/applications/nublado2/index.rst index 3a1be5e818..8910722a80 100644 --- a/docs/applications/nublado2/index.rst +++ b/docs/applications/nublado2/index.rst @@ -1,28 +1,21 @@ +.. px-app:: nublado2 + ######## nublado2 ######## -.. list-table:: - :widths: 10,40 - - * - Edit on GitHub - - `/services/nublado2 `__ - * - Type - - Helm_ - * - Namespace - - ``nublado2`` - -.. rubric:: Overview +The ``nublado2`` service is an installation of a Rubin Observatory flavor of `Zero to JupyterHub `__ with some additional resources. -The ``nublado2`` service is an installation of a Rubin Observatory -flavor of Zero to JupyterHub with some additional resources. Those -resources are defined from `templates at `__ and the `Zero to Jupyterhub chart `__. +.. jinja:: nublado2 + :file: applications/_summary.rst.jinja Upgrading ``nublado2`` is generally painless. A simple Argo CD sync is sufficient. -.. rubric:: Guides +Guides +====== .. toctree:: + :maxdepth: 2 database diff --git a/docs/applications/plot-navigator/index.rst b/docs/applications/plot-navigator/index.rst new file mode 100644 index 0000000000..230634c16f --- /dev/null +++ b/docs/applications/plot-navigator/index.rst @@ -0,0 +1,16 @@ +.. px-app:: plot-navigator + +############## +plot-navigator +############## + +Panel-based plot viewer. + +.. jinja:: plot-navigator + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/portal/index.rst b/docs/applications/portal/index.rst new file mode 100644 index 0000000000..b71e05e456 --- /dev/null +++ b/docs/applications/portal/index.rst 
@@ -0,0 +1,16 @@ +.. px-app:: portal + +###### +portal +###### + +The portal aspect of the Rubin Science Platform, powered by Firefly. + +.. jinja:: portal + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/postgres/index.rst b/docs/applications/postgres/index.rst index 2ef0d56b10..14eb89f88b 100644 --- a/docs/applications/postgres/index.rst +++ b/docs/applications/postgres/index.rst 
@@ -1,39 +1,36 @@ +.. px-app:: postgres + ######## postgres ######## -.. list-table:: - :widths: 10,40 +The ``postgres`` service is a very small PostgreSQL installation to provide relational storage for applications and environments where data loss is acceptable. +Two intended purposes for this service are: - * - Edit on GitHub - - `/services/postgres `__ - * - Type - - Helm_ - * - Namespace - - ``postgres`` +- The JupyterHub user session database +- Backing store for Gafaelfawr's authentication tokens -.. rubric:: Overview +If either of those is destroyed, then all current user sessions and authentication tokens are invalidated, work up to the last checkpoint (five minutes in JupyterLab) may be lost. +Users will have to log in, restart sessions, and recreate authentication tokens. -The ``postgres`` service is a very small PostgreSQL installation. -It is intended to provide persistent relational storage for low-value databases that it isn't a tragedy to lose. +.. important:: -Do not use this service for important data. -Use a managed relational database such as Google CloudSQL. -Two intended purposes for this service are: + Do not use this service for important data. + Use a managed relational database, such as Google CloudSQL, instead. -#. The JupyterHub user session database -#. Backing store for Gafaelfawr's authentication tokens + Production instances of the Science Platform use CloudSQL for the Gafaelfawr token database instead of this service. -If either of those is destroyed, then all current user sessions and authentication tokens are invalidated, work up to the last checkpoint (5 minutes in JupyterLab) may be lost, and users will have to log in again, restart their sessions, and recreate any authentication tokens. -While irritating, this is not the end of the world; hence "low-value databases." -(That said, production instances of the Science Platform use CloudSQL for the Gafaelfawr token database.) +.. 
jinja:: postgres + :file: applications/_summary.rst.jinja Upgrading ``postgres`` is generally painless. A simple Argo CD sync is sufficient. -.. rubric:: Guides +Guides +====== .. toctree:: + :maxdepth: 2 recreate-pvc add-database diff --git a/docs/applications/production-tools/index.rst b/docs/applications/production-tools/index.rst new file mode 100644 index 0000000000..c70bf99d60 --- /dev/null +++ b/docs/applications/production-tools/index.rst @@ -0,0 +1,16 @@ +.. px-app:: production-tools + +################ +production-tools +################ + +Production Tools provides a collection of utility pages for monitoring data processing. + +.. jinja:: production-tools + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/sasquatch/index.rst b/docs/applications/sasquatch/index.rst new file mode 100644 index 0000000000..301f82f9bc --- /dev/null +++ b/docs/applications/sasquatch/index.rst @@ -0,0 +1,16 @@ +.. px-app:: sasquatch + +######### +sasquatch +######### + +Rubin Observatory's telemetry service. + +.. jinja:: sasquatch + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/semaphore/index.rst b/docs/applications/semaphore/index.rst new file mode 100644 index 0000000000..9b6d06724c --- /dev/null +++ b/docs/applications/semaphore/index.rst @@ -0,0 +1,16 @@ +.. px-app:: semaphore + +######### +semaphore +######### + +Semaphore is the user notification and messaging service for the Rubin Science Platform. + +.. jinja:: semaphore + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/sherlock/index.rst b/docs/applications/sherlock/index.rst new file mode 100644 index 0000000000..7f76286303 --- /dev/null +++ b/docs/applications/sherlock/index.rst 
@@ -0,0 +1,16 @@ +.. px-app:: sherlock + +######## +sherlock +######## + +Sherlock collects service status and metrics from ingress logs. + +.. jinja:: sherlock + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/squareone/index.rst b/docs/applications/squareone/index.rst new file mode 100644 index 0000000000..12a257d6f2 --- /dev/null +++ b/docs/applications/squareone/index.rst @@ -0,0 +1,16 @@ +.. px-app:: squareone + +######### +squareone +######### + +Squareone is the Rubin Science Platform's homepage and general-purpose UI. + +.. jinja:: squareone + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/strimzi-registry-operator/index.rst b/docs/applications/strimzi-registry-operator/index.rst new file mode 100644 index 0000000000..52747d773a --- /dev/null +++ b/docs/applications/strimzi-registry-operator/index.rst @@ -0,0 +1,17 @@ +.. px-app:: strimzi-registry-operator + +######################### +strimzi-registry-operator +######################### + +Alert stream broker. +The Strimzi Registry Operator operates a Confluence Schema Registry for Strimzi-based Kafka clusters. + +.. jinja:: strimzi-registry-operator + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/strimzi/index.rst b/docs/applications/strimzi/index.rst new file mode 100644 index 0000000000..928221bb4c --- /dev/null +++ b/docs/applications/strimzi/index.rst @@ -0,0 +1,16 @@ +.. px-app:: strimzi + +####### +strimzi +####### + +Strimzi is an operator for Kafka clusters. + +.. jinja:: strimzi + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/tap-schema/index.rst b/docs/applications/tap-schema/index.rst new file mode 100644 index 0000000000..8229127d4a --- /dev/null 
+++ b/docs/applications/tap-schema/index.rst @@ -0,0 +1,16 @@ +.. px-app:: tap-schema + +########## +tap-schema +########## + +The TAP schema database. + +.. jinja:: tap-schema + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/tap/index.rst b/docs/applications/tap/index.rst index ba45d9042c..0a090e52df 100644 --- a/docs/applications/tap/index.rst +++ b/docs/applications/tap/index.rst @@ -1,35 +1,28 @@ +.. px-app:: tap + ### -TAP +tap ### -.. list-table:: - :widths: 10,40 - - * - Edit on GitHub - - `/services/tap `__ - * - Type - - Helm_ - * - Namespace - - ``tap`` - -.. rubric:: Overview - TAP (Table Access Protocol) is an IVOA_ service that provides access to general table data, including astronomical catalogs. On the Rubin Science Platform, it is provided by `lsst-tap-service `__, which is derived from the `CADC TAP service `__. -The data itself, apart from schema queries, comes from qserv. +The data itself, apart from schema queries, comes from Qserv. -The ``tap`` application consists of the TAP Java web application, a PostgreSQL database used to track user job submissions, and (on development deployments) a mock version of qserv. - -Upgrading ``tap`` normally only requires an Argo CD sync. +.. jinja:: tap + :file: applications/_summary.rst.jinja .. rubric:: Architecture +The ``tap`` application consists of the TAP Java web application, a PostgreSQL database used to track user job submissions, and (on development deployments) a mock version of qserv. + .. diagrams:: notebook-tap.py .. diagrams:: portal-tap.py -Upgrade procedures -================== +Upgrading ``tap`` normally only requires an Argo CD sync. + +Guides +====== .. toctree:: diff --git a/docs/applications/telegraf-ds/index.rst b/docs/applications/telegraf-ds/index.rst new file mode 100644 index 0000000000..dca19cd18e --- /dev/null +++ b/docs/applications/telegraf-ds/index.rst 
@@ -0,0 +1,16 @@ +.. px-app:: telegraf-ds + +########### +telegraf-ds +########### + +SQuaRE DaemonSet (K8s) telemetry collection service + +.. jinja:: telegraf-ds + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/telegraf/index.rst b/docs/applications/telegraf/index.rst new file mode 100644 index 0000000000..fd90ea894c --- /dev/null +++ b/docs/applications/telegraf/index.rst @@ -0,0 +1,16 @@ +.. px-app:: telegraf + +######## +telegraf +######## + +SQuaRE telemetry collection service. + +.. jinja:: telegraf + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/times-square/index.rst b/docs/applications/times-square/index.rst new file mode 100644 index 0000000000..126ec3ba0f --- /dev/null +++ b/docs/applications/times-square/index.rst @@ -0,0 +1,16 @@ +.. px-app:: times-square + +############ +times-square +############ + +An API service for managing and rendering parameterized Jupyter notebooks, integrated with :px-app:`squareone` (user interface) and :px-app:`noteburst` (notebook execution). + +.. jinja:: times-square + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 diff --git a/docs/applications/vault-secrets-operator/index.rst b/docs/applications/vault-secrets-operator/index.rst index 41fe4d3882..97b018c5f0 100644 --- a/docs/applications/vault-secrets-operator/index.rst +++ b/docs/applications/vault-secrets-operator/index.rst 
@@ -1,26 +1,19 @@ +.. px-app:: vault-secrets-operator + .. _vault-secrets-operator: ###################### vault-secrets-operator ###################### -.. list-table:: - :widths: 10,40 - - * - Edit on GitHub - - `/services/vault-secrets-operator `__ - * - Type - - Helm_ - * - Namespace - - ``vault-secrets-operator`` - -.. rubric:: Overview - The ``vault-secrets-operator`` application is an installation of `Vault Secrets Operator`_ to retrieve necessary secrets from Vault and materialize them as Kubernetes secrets for the use of other applications. It processes ``VaultSecret`` resources defined in the `phalanx repository`_ and creates corresponding Kubernetes Secret_ resources. See :dmtn:`112` for the LSST Vault design. +.. jinja:: vault-secrets-operator + :file: applications/_summary.rst.jinja + .. rubric:: Upgrading Upgrading to newer upstream releases of the Helm chart is normally simple and straightforward. diff --git a/docs/applications/vo-cutouts/index.rst b/docs/applications/vo-cutouts/index.rst new file mode 100644 index 0000000000..168ac585d9 --- /dev/null +++ b/docs/applications/vo-cutouts/index.rst @@ -0,0 +1,16 @@ +.. px-app:: vo-cutouts + +########## +vo-cutouts +########## + +Image cutout service that implements the IVOA SODA specification. + +.. jinja:: vo-cutouts + :file: applications/_summary.rst.jinja + +.. Guides +.. ====== +.. +.. .. toctree:: +.. :maxdepth: 1 From bb6cba455fa65579e3151fc7c53c18fb68be2a88 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 17 Oct 2022 16:02:00 -0400 Subject: [PATCH 1178/1479] Don't link to Argo CD pages with no URL This affects minikube deployments of apps, where of course there isn't an Argo CD URL to look at. --- docs/applications/_summary.rst.jinja | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/applications/_summary.rst.jinja b/docs/applications/_summary.rst.jinja index 40b18c2e6b..07c79c439c 100644 --- a/docs/applications/_summary.rst.jinja +++ b/docs/applications/_summary.rst.jinja 
@@ -11,6 +11,10 @@ {% for env_name in app.active_environments %} * - :px-env:`{{ env_name }}` - `values `__ + {% if envs[env_name].argocd_url != "N/A" %} - `Argo CD <{{ envs[env_name].argocd_url }}/applications/{{ app.name }}>`__ + {% else %} + - + {% endif %} {% endfor %} {% endif %} From 8ff982a30a79fb6f6a2b8081c556de066f51d44d Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 17 Oct 2022 16:02:54 -0400 Subject: [PATCH 1179/1479] Ignore links to more RSP sites This is mostly to avoid links to Argo CD pages, and any other pages that require authentication. --- docs/documenteer.toml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/documenteer.toml b/docs/documenteer.toml index 015686c1b9..5733a444ea 100644 --- a/docs/documenteer.toml +++ b/docs/documenteer.toml @@ -22,6 +22,11 @@ ignore = [ '^https://summit-lsp.lsst.codes', '^https://minikube.lsst.codes', '^https://base-lsp.lsst.codes', + '^https://data-dev.lsst.cloud', + '^https://data-int.lsst.cloud', + '^https://data.lsst.cloud', + '^https://data-dev.lsst.eu', + '^https://rsp.lsst.ac.uk', '^https://github.com/lsst-sqre/phalanx/blob/master/services/strimzi/values.yaml', '^https://github.com/orgs/', ] From be36a41478d0ab136512dab1656d2dbe577e2f27 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 18 Oct 2022 12:11:36 -0400 Subject: [PATCH 1180/1479] Add support for Helm home and sources fields This adds the contents of Chart.yaml to the Application model. This enables us to include the home and sources URLs in the application summary table. --- docs/applications/_summary.rst.jinja | 17 +++++++++++++++++ src/phalanx/docs/models.py | 27 +++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/docs/applications/_summary.rst.jinja b/docs/applications/_summary.rst.jinja index 07c79c439c..0147f3f2fe 100644 --- a/docs/applications/_summary.rst.jinja +++ b/docs/applications/_summary.rst.jinja 
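Review bot: The added guard only compares `argocd_url` against the literal sentinel `"N/A"`, so an environment whose URL is unset, empty or `None` still takes the first branch and renders a link to `/applications/<app>` with no host in front of it; `{% if envs[env_name].argocd_url and envs[env_name].argocd_url != "N/A" %}` covers both cases. If the environment model is what fills in `"N/A"`, a `None` default plus a plain truthiness test would remove the magic string entirely, but that model is not visible from this hunk.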
@@ -1,5 +1,22 @@ .. list-table:: + {% if app.homepage_url %} + * - Homepage + - {{ app.homepage_url }} + {% endif %} + {% if app.source_urls %} + * - Source + {% if app.source_urls|length == 1 %} + - {{ app.source_urls[0] }} + {% else %} + - - {{ app.source_urls[0] }} + {% endif %} + {% if app.source_urls|length > 1 %} + {% for source_url in app.source_urls[1:] %} + - {{ source_url }} + {% endfor %} + {% endif %} + {% endif %} * - Type - Helm_ * - Namespace diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index 04fb3b77e1..3205257a39 100644 --- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py @@ -29,12 +29,31 @@ class Application: values: Dict[str, Dict] """The parsed Helm values for each environment.""" + chart: Dict[str, Any] + """The parsed Helm Chart.yaml file.""" + active_environments: List[str] = field(default_factory=list) """Environments where this application is active.""" namespace: str """Kubernetes namespace""" + @property + def homepage_url(self) -> Optional[str]: + """The Helm home field, typically used for the app's docs.""" + if "home" in self.chart: + return self.chart["home"] + else: + return None + + @property + def source_urls(self) -> Optional[List[str]]: + """Application source URLs, typically from the Helm sources field.""" + if "sources" in self.chart: + return self.chart["sources"] + else: + return None + @classmethod def load( cls, *, app_dir: Path, root_dir: Path, env_values: Dict[str, Dict] @@ -52,6 +71,13 @@ def load( """ app_name = app_dir.name + # Open the chart's Chart.yaml + chart_path = app_dir.joinpath("Chart.yaml") + if chart_path.is_file(): + chart = yaml.safe_load(chart_path.read_text()) + else: + chart = {} + # Load the app's values files for each environment values: Dict[str, Dict] = {} for values_path in app_dir.glob("values-*.yaml"): @@ -98,6 +124,7 @@ def load( return cls( name=app_name, + chart=chart, values=values, active_environments=active_environments, namespace=namespace, 
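Review bot: `source_urls` returns `self.chart["sources"]` with no type check, and the summary template then slices it (`source_urls[1:]`); Helm specifies `sources` as a list, but a chart that writes it as a single string would be sliced character by character into bogus table rows. Normalising in the property keeps the template simple: `sources = self.chart.get("sources")` followed by `return [sources] if isinstance(sources, str) else sources`. `homepage_url` is likewise rendered verbatim into the page, though since Chart.yaml is repository-controlled content this is a robustness point rather than a trust-boundary one. The `Application` class begins before this hunk.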
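Review bot: `yaml.safe_load` returns `None` for an empty or comment-only `Chart.yaml`, which leaves `chart` as `None` and turns the new `"home" in self.chart` into a `TypeError` at render time; `chart = yaml.safe_load(chart_path.read_text(encoding="utf-8")) or {}` handles that and also stops `read_text()` from depending on the build host's locale encoding. Choosing `safe_load` over `load` here is the right call for a file parsed on every docs build. The `load` classmethod begins and ends outside this hunk.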
From b5c1ec11f630f193f6c9e93778068cdaabea043d Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 18 Oct 2022 12:40:38 -0400 Subject: [PATCH 1181/1479] Add links to view app template on GitHub --- docs/applications/_summary.rst.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/applications/_summary.rst.jinja b/docs/applications/_summary.rst.jinja index 0147f3f2fe..335045a830 100644 --- a/docs/applications/_summary.rst.jinja +++ b/docs/applications/_summary.rst.jinja @@ -1,5 +1,8 @@ .. list-table:: + * - View on GitHub + - :bdg-link-primary-line:`/services/{{ app.name }} ` + :bdg-link-primary-line:`Application template ` {% if app.homepage_url %} * - Homepage - {{ app.homepage_url }} From 42f1b520ea986a7582b17fc06d5f06e159e79f7f Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 18 Oct 2022 14:26:12 -0400 Subject: [PATCH 1182/1479] Attempt to include Helm values in docs This isn't quite working; I was hoping that the sphinx-jinja extension's content would be rendered as markdown, but it isn't. Possibly we'd need a custom extension to accomplish this. --- docs/applications/argo-cd/index.rst | 1 + docs/applications/argo-cd/values.md | 8 ++++++++ src/phalanx/docs/models.py | 22 ++++++++++++++++++++++ 3 files changed, 31 insertions(+) create mode 100644 docs/applications/argo-cd/values.md diff --git a/docs/applications/argo-cd/index.rst b/docs/applications/argo-cd/index.rst index a5747c7784..61d6d367ba 100644 --- a/docs/applications/argo-cd/index.rst +++ b/docs/applications/argo-cd/index.rst @@ -51,3 +51,4 @@ Guides upgrading authentication + values diff --git a/docs/applications/argo-cd/values.md b/docs/applications/argo-cd/values.md new file mode 100644 index 0000000000..2055e4abda --- /dev/null +++ b/docs/applications/argo-cd/values.md @@ -0,0 +1,8 @@ +# Helm values reference + + + + + +```{include} ../../../services/argocd/README.md +``` diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index 3205257a39..db91d275e1 100644 
--- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py @@ -38,6 +38,9 @@ class Application: namespace: str """Kubernetes namespace""" + readme: str + """Contents of the README.md from the applications Phalanx directory.""" + @property def homepage_url(self) -> Optional[str]: """The Helm home field, typically used for the app's docs.""" @@ -54,6 +57,17 @@ def source_urls(self) -> Optional[List[str]]: else: return None + @property + def values_table_md(self) -> str: + """The markdown-formatted Helm values documenation generated by + helm-docs in the README. + """ + lines = self.readme.splitlines() + for i, line in enumerate(lines): + if line.startswith("## Values"): + return "\n".join(lines[i + 1 :]) + return "" + @classmethod def load( cls, *, app_dir: Path, root_dir: Path, env_values: Dict[str, Dict] @@ -71,6 +85,13 @@ def load( """ app_name = app_dir.name + # Open the chart's README + readme_path = app_dir.joinpath("README.md") + if readme_path.is_file(): + readme = readme_path.read_text() + else: + readme = "" + # Open the chart's Chart.yaml chart_path = app_dir.joinpath("Chart.yaml") if chart_path.is_file(): @@ -128,6 +149,7 @@ def load( values=values, active_environments=active_environments, namespace=namespace, + readme=readme, ) From 122568e409e8c6c00e403e65f8d116fbdcfa4903 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 18 Oct 2022 15:23:07 -0400 Subject: [PATCH 1183/1479] Add crossref roles and directives for app topics This makes it easier to cross reference the standard app topic types. --- src/phalanx/docs/crossref.py | 47 ++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/src/phalanx/docs/crossref.py b/src/phalanx/docs/crossref.py index 9f92aab557..3220a5c8b5 100644 --- a/src/phalanx/docs/crossref.py +++ b/src/phalanx/docs/crossref.py 
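Review bot: `values_table_md` picks the helm-docs section with `line.startswith("## Values")`, which also matches any heading that merely begins with that text, and it then returns everything to end of file instead of stopping at the next `## ` heading — correct only while Values is the README's last section, which I assume but cannot confirm from here. A small fix is to collect lines after the match and `break` on the next line that starts with `"## "`. The docstring also carries two typos, `documenation` and `applications Phalanx directory` (should be `application's`), and `readme_path.read_text()` should pass `encoding="utf-8"` so the build does not depend on the host locale. The `Application` class and its `load` classmethod extend beyond this hunk.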
@@ -9,6 +9,7 @@ def setup(app: Sphinx) -> None: """Set up the Phalan cross-referencing extensions.""" + # Cross reference an environment's homepage app.add_crossref_type( "px-env", "px-env", @@ -17,6 +18,7 @@ def setup(app: Sphinx) -> None: objname="", override=False, ) + # Cross reference an app's homepage app.add_crossref_type( "px-app", "px-app", @@ -25,3 +27,48 @@ def setup(app: Sphinx) -> None: objname="", override=False, ) + # Cross reference an app's architectural notes page + app.add_crossref_type( + "px-app-notes", + "px-app-notes", + indextemplate="single: %s", + ref_nodeclass=None, + objname="", + override=False, + ) + # Cross reference an app's bootstrapping page + app.add_crossref_type( + "px-app-bootstrap", + "px-app-bootstrap", + indextemplate="single: %s", + ref_nodeclass=None, + objname="", + override=False, + ) + # Cross reference an app's upgrade page + app.add_crossref_type( + "px-app-upgrade", + "px-app-upgrade", + indextemplate="single: %s", + ref_nodeclass=None, + objname="", + override=False, + ) + # Cross reference an app's troubleshooting page + app.add_crossref_type( + "px-app-troubleshooting", + "px-app-troubleshooting", + indextemplate="single: %s", + ref_nodeclass=None, + objname="", + override=False, + ) + # Cross reference an app's Helm values page + app.add_crossref_type( + "px-app-values", + "px-app-values", + indextemplate="single: %s", + ref_nodeclass=None, + objname="", + override=False, + ) From 20aaa1eba3a5e6c4fa1d1f77b127310ff6f716de Mon Sep 17 00:00:00 2001 
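Review bot: The five new `add_crossref_type` calls differ only in the `px-app-*` name, so the block is forty lines of copy-pasted keyword arguments that will drift the first time someone changes one of them; a loop over the topic names registers the same roles with one call site. Each per-topic comment collapses into a single comment naming the set, and adding a sixth topic becomes a one-word change. The behaviour is identical because `add_crossref_type` is called with the same arguments in the same order. The enclosing `setup` function begins before this hunk.
```python
    # … unchanged: px-env and px-app registrations …
    # Cross reference an app's standard topic pages: architectural notes,
    # bootstrapping, upgrade, troubleshooting and Helm values.
    for topic in ("notes", "bootstrap", "upgrade", "troubleshooting", "values"):
        directivename = f"px-app-{topic}"
        app.add_crossref_type(
            directivename,
            directivename,
            indextemplate="single: %s",
            ref_nodeclass=None,
            objname="",
            override=False,
        )
```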
From: Jonathan Sick Date: Tue, 18 Oct 2022 15:17:57 -0400 Subject: [PATCH 1184/1479] Build out normalized argo cd doc set This re-organizes content into standard pages: - notes - upgrade - values Also edited the upgrade page for clarity and usability. --- docs/applications/argo-cd/index.rst | 36 +----- docs/applications/argo-cd/notes.rst | 27 +++++ .../argo-cd/{upgrading.rst => upgrade.rst} | 106 ++++++++++-------- docs/applications/argo-cd/values.md | 12 +- 4 files changed, 94 insertions(+), 87 deletions(-) create mode 100644 docs/applications/argo-cd/notes.rst rename docs/applications/argo-cd/{upgrading.rst => upgrade.rst} (65%) diff --git a/docs/applications/argo-cd/index.rst b/docs/applications/argo-cd/index.rst index 61d6d367ba..4856b380b6 100644 --- a/docs/applications/argo-cd/index.rst +++ b/docs/applications/argo-cd/index.rst 
@@ -11,44 +11,12 @@ It is itself a set of Kubernetes resources and running pods managed with `Helm`_ :file: applications/_summary.rst.jinja :debug: -Overview -======== - -`Argo CD`_ is the software that manages all Kubernetes resources in a deployment of the Rubin Science Platform. -It is itself a set of Kubernetes resources and running pods managed with `Helm`_. -Argo CD cannot manage and upgrade itself, so it periodically should be upgraded manually. - -Argo CD is installed and bootstrapped as part of the cluster creation process. -The UI is exposed on the ``/argo-cd`` route for the Science Platform. -Unlike other resources on the Science Platform, it is not protected by Gafaelfawr. -See :doc:`authentication` - -Warnings -======== - -Argo CD is somewhat particular about how its resources are set up. -Everything related to Argo CD that can be namespaced must be in the ``argocd`` namespace. - -.. warning:: - - ``Application`` resources must be in the ``argocd`` namespace, not in the namespace of the application. - -If you accidentally create an ``Application`` resource outside of the ``argocd`` namespace, Argo CD will display it in the UI but will not be able to sync it. -You also won't be able to easily delete it if it defines the normal Argo CD finalizer because that finalizer will not run outside the ``argocd`` namespace. -To delete the stray ``Application`` resource, edit it with ``kubectl edit`` and delete the finalizer, and then delete it with ``kubectl delete``. - -.. warning:: - - Do not use the documented Argo CD upgrade method that uses ``kubectl apply``. - This will not work properly when Argo CD was installed via Helm, as it is on the Science Platform, and it will create a huge mess. - -Instead, follow the upgrade process described below. - Guides ====== .. toctree:: - upgrading + notes + upgrade authentication values diff --git a/docs/applications/argo-cd/notes.rst b/docs/applications/argo-cd/notes.rst new file mode 100644 index 0000000000..a4e4606f1e 
--- /dev/null +++ b/docs/applications/argo-cd/notes.rst @@ -0,0 +1,27 @@ +.. px-app-notes:: argocd + +############################## +Argo CD architecture and notes +############################## + +`Argo CD`_ is the software that manages all Kubernetes resources in a deployment of the Rubin Science Platform. +It is itself a set of Kubernetes resources and running pods managed with `Helm`_. +Argo CD cannot manage and upgrade itself, so it periodically should be upgraded manually. + +Argo CD is installed and bootstrapped as part of the cluster creation process. +The UI is exposed on the ``/argo-cd`` route for the Science Platform. +Unlike other resources on the Science Platform, it is not protected by Gafaelfawr. +See :doc:`authentication` + +Namespace for Application resources +=================================== + +Everything related to Argo CD that can be namespaced must be in the ``argocd`` namespace. + +.. warning:: + + ``Application`` resources must be in the ``argocd`` namespace, not in the namespace of the application. + + If you accidentally create an ``Application`` resource outside of the ``argocd`` namespace, Argo CD will display it in the UI but will not be able to sync it. + You also won't be able to easily delete it if it defines the normal Argo CD finalizer because that finalizer will not run outside the ``argocd`` namespace. + To delete the stray ``Application`` resource, edit it with ``kubectl edit`` and delete the finalizer, and then delete it with ``kubectl delete``. diff --git a/docs/applications/argo-cd/upgrading.rst b/docs/applications/argo-cd/upgrade.rst similarity index 65% rename from docs/applications/argo-cd/upgrading.rst rename to docs/applications/argo-cd/upgrade.rst index 3ab39403a6..ae60f10256 100644 --- a/docs/applications/argo-cd/upgrading.rst +++ b/docs/applications/argo-cd/upgrade.rst 
@@ -1,17 +1,21 @@ +.. px-app-upgrade:: argocd + ################# Upgrading Argo CD ################# +This page provides upgrade procedures for the :px-app:`argocd` app. + +.. warning:: + + Do not use the `documented Argo CD upgrade method `__ that uses ``kubectl apply``. + This will not work properly when Argo CD is installed via Helm, as it is Phalanx. + Automatic upgrades ================== -Normally, you can let Argo CD upgrade itself. -According to the documentation, this is not necessarily safe. -The developers recommend the manual process documented below instead. -However, it's much more convenient to do the upgrade through Argo CD and we have had good luck with it. -Just be aware that it's not entirely supported. - -When performing the upgrade through Argo CD, it appears to be somewhat more reliable to use the following process rather than telling Argo CD to sync everything at once: +Normally, you can let Argo CD upgrade itself (`Manage Argo CD Using Argo CD `__). +When performing the upgrade through Argo CD, it appears to be somewhat more reliable to use the following process rather than syncing everything at once: #. Sync everything except the deployments by unchecking them in the sync dialog #. Sync the argocd-redis deployment and wait for it to be green 
@@ -25,20 +29,21 @@ Manual upgrade process ====================== #. Determine the current version of Argo CD. + The easiest way to do this is to go to the ``/argo-cd`` route and look at the version number in the top left sidebar. Ignore the hash after the ``+`` sign; the part before that is the version number. #. Ensure your default ``kubectl`` context is the cluster you want to upgrade. Check your current context with ``kubectl config current-context`` and switch as necessary with ``kubectl config use-context``. -#. Back up the Argo CD configuration. +#. Back up the Argo CD configuration: - .. code-block:: console + .. code-block:: sh - $ chmod 644 ~/.kube/config - $ docker run -v ~/.kube:/home/argocd/.kube --rm \ - argoproj/argocd:$VERSION argocd-util export -n argocd > backup.yaml - $ chmod 600 ~/.kube/config + chmod 644 ~/.kube/config + docker run -v ~/.kube:/home/argocd/.kube --rm \ + argoproj/argocd:$VERSION argocd-util export -n argocd > backup.yaml + chmod 600 ~/.kube/config You have to temporarily make your ``kubectl`` configuration file world-readable so that the Argo CD Docker image can use your credentials. Do this on a private system with no other users. 
@@ -49,30 +54,33 @@ Manual upgrade process The backup will not be needed if all goes well. -#. Determine the new version of the Argo CD Helm chart (**not** Argo CD itself) to which you will be upgrading. +#. Determine the new version of the Argo CD Helm chart (**not** Argo CD itself) to which you will be upgrading: - .. code-block:: console + .. code-block:: sh - $ helm repo add argo https://argoproj.github.io/argo-helm - $ helm repo update - $ helm search repo argo-cd + helm repo add argo https://argoproj.github.io/argo-helm + helm repo update + helm search repo argo-cd Note the chart version for ``argo/argo-cd``. #. Upgrade Argo CD using Helm. Check out the `phalanx repository `_ first. - .. code-block:: console + .. code-block:: sh - $ cd phalanx/installer - $ helm upgrade --install argocd argo/argo-cd --version $VERSION \ - --values argo-cd-values.yaml --namespace argocd --wait --timeout 900s + cd phalanx/installer + helm upgrade --install argocd argo/argo-cd --version $VERSION \ + --values argo-cd-values.yaml --namespace argocd --wait --timeout 900s Replace ``$VERSION`` with the Helm chart version (**not** the Argo CD application version) that you want to install. If all goes well, you can now view the UI at ``/argo-cd`` and confirm that everything still looks correct. -If the ``helm upgrade`` command returns an error like this: +Troubleshooting the helm upgrade +-------------------------------- + +The ``helm upgrade`` command may return an error: Error: rendered manifests contain a resource that already exists. Unable to continue with install: Service 
@@ -84,18 +92,18 @@ If the ``helm upgrade`` command returns an error like this: "argocd"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "argocd" -that means Argo CD was originally installed with Helm v2 and you're using Helm v3. +This means Argo CD was originally installed with Helm v2 and you're using Helm v3. You can proceed with Helm v3, but you will need to fix all of the annotations and labels first. For all namespaced resources, you can do this by running the following two commands for each resource type that ``helm upgrade`` warns about. -.. code-block:: console +.. code-block:: sh - $ kubectl -n argocd label --overwrite $RESOURCE \ - -l "app.kubernetes.io/managed-by=Tiller" \ - "app.kubernetes.io/managed-by=Helm" - $ kubectl -n argocd annotate $RESOURCE \ - -l "app.kubernetes.io/managed-by=Helm" \ - meta.helm.sh/release-name=argocd meta.helm.sh/release-namespace=argocd + kubectl -n argocd label --overwrite $RESOURCE \ + -l "app.kubernetes.io/managed-by=Tiller" \ + "app.kubernetes.io/managed-by=Helm" + kubectl -n argocd annotate $RESOURCE \ + -l "app.kubernetes.io/managed-by=Helm" \ + meta.helm.sh/release-name=argocd meta.helm.sh/release-namespace=argocd Replace ``$RESOURCE`` with the type of the resource. You should not use this command for non-namespaced resources (specifically ``ClusterRole`` and ``ClusterRoleBinding``). 
@@ -110,35 +118,35 @@ Recovering from a botched upgrade If everything goes horribly wrong, you can remove Argo CD entirely and the restore it from the backup that you took. To do this, first drop the Argo CD namespace: -.. code-block:: console +.. code-block:: sh - $ kubectl delete namespace argocd + kubectl delete namespace argocd You will then need to manually remove the finalizers for all the Argo CD application resources in order for the namespace deletion to succeed. -The following instructions are taken from `an old Kubernetes issue `__. +The following instructions are taken from `kubernetes/kubernetes#77086 `__: -.. code-block:: console +.. code-block:: sh - $ kubectl api-resources --verbs=list --namespaced -o name \ - | xargs -n 1 kubectl get --show-kind --ignore-not-found -n argocd + kubectl api-resources --verbs=list --namespaced -o name \ + | xargs -n 1 kubectl get --show-kind --ignore-not-found -n argocd This will show all resources that need manual attention. It should only be Argo CD ``Application`` and ``AppProject`` resources. For each resource, edit it with ``kubectl edit -n argocd`` and delete the finalizer. As you save each resource, its deletion should succeed. By the end, the namespace should successfully finish deletion. -You can then recreate the namespace, reinstall Argo CD, and restore the backup. - -.. code-block:: console - - $ kubectl create namespace argocd - $ cd phalanx/installer - $ helm upgrade --install argocd argo/argo-cd --version $HELM_VERSION \ - --values argo-cd-values.yaml --namespace argocd --wait --timeout 900s - $ chmod 644 ~/.kube/config - $ docker run -i -v ~/.kube:/home/argocd/.kube --rm \ - argoproj/argocd:$VERSION argocd-util import -n argocd - < backup.yaml - $ chmod 600 ~/.kube/config +You can then recreate the namespace, reinstall Argo CD, and restore the backup: + +.. 
code-block:: sh + + kubectl create namespace argocd + cd phalanx/installer + helm upgrade --install argocd argo/argo-cd --version $HELM_VERSION \ + --values argo-cd-values.yaml --namespace argocd --wait --timeout 900s + chmod 644 ~/.kube/config + docker run -i -v ~/.kube:/home/argocd/.kube --rm \ + argoproj/argocd:$VERSION argocd-util import -n argocd - < backup.yaml + chmod 600 ~/.kube/config Replace ``$HELM_VERSION`` with the version of the Helm chart you want to use and ``$VERSION`` with the corresponding Argo CD version (as shown via ``helm search repo``). diff --git a/docs/applications/argo-cd/values.md b/docs/applications/argo-cd/values.md index 2055e4abda..d6c99f881b 100644 --- a/docs/applications/argo-cd/values.md +++ b/docs/applications/argo-cd/values.md @@ -1,8 +1,12 @@ -# Helm values reference +```{px-app-values} argocd +``` + +# Argo CD Helm values reference - - - +Helm values reference table for the {px-app}`argocd` application. ```{include} ../../../services/argocd/README.md +--- +start-after: "## Values" +--- ``` From df563973f095445397ff1307664c09a1524ab189 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Tue, 18 Oct 2022 16:03:41 -0400 Subject: [PATCH 1185/1479] Reorganize cert-manager docs Apply standardized documentation structure and edit as necessary. --- docs/admin/bootstrapping.rst | 2 +- .../{bootstrapping.rst => bootstrap.rst} | 4 +- docs/applications/cert-manager/index.rst | 44 ++----------------- docs/applications/cert-manager/notes.rst | 31 +++++++++++++ .../cert-manager/route53-setup.rst | 25 +++++------ docs/applications/cert-manager/upgrade.rst | 17 +++++++ docs/applications/cert-manager/values.md | 12 +++++ .../ingress-nginx/certificates.rst | 7 +-- 8 files changed, 84 insertions(+), 58 deletions(-) rename docs/applications/cert-manager/{bootstrapping.rst => bootstrap.rst} (96%) create mode 100644 docs/applications/cert-manager/notes.rst create mode 100644 docs/applications/cert-manager/upgrade.rst create mode 100644 docs/applications/cert-manager/values.md diff --git a/docs/admin/bootstrapping.rst b/docs/admin/bootstrapping.rst index 76849bb5bd..a9cf4d16fd 100644 --- a/docs/admin/bootstrapping.rst +++ b/docs/admin/bootstrapping.rst @@ -74,7 +74,7 @@ There are supported two mechanisms to configure that TLS certificate: #. Configure Let's Encrypt to obtain a certificate via the DNS solver. Once this is configured, TLS will be handled automatically without further human intervention. However, this approach is far more complex to set up and has some significant prerequisites. - For more information, see :doc:`/applications/cert-manager/bootstrapping`. + For more information, see :px-app-bootstrap:`cert-manager`. To use the second approach, you must have the following: diff --git a/docs/applications/cert-manager/bootstrapping.rst b/docs/applications/cert-manager/bootstrap.rst similarity index 96% rename from docs/applications/cert-manager/bootstrapping.rst rename to docs/applications/cert-manager/bootstrap.rst index 3b1bdba483..b6d0e23fc6 100644 --- a/docs/applications/cert-manager/bootstrapping.rst 
+++ b/docs/applications/cert-manager/bootstrap.rst @@ -1,8 +1,10 @@ +.. px-app-bootstrap:: cert-manager + ########################## Bootstrapping cert-manager ########################## -The issuer defined in the ``cert-manager`` application uses the DNS solver. +The issuer defined in the :px-app:`cert-manager` application uses the DNS solver. The advantage of the DNS solver is that it works behind firewalls and can provision certificates for environments not exposed to the Internet, such as the Tucson teststand. The DNS solver uses an AWS service user with write access to Route 53 to answer Let's Encrypt challenges. diff --git a/docs/applications/cert-manager/index.rst b/docs/applications/cert-manager/index.rst index be8beba572..25a6279ae6 100644 --- a/docs/applications/cert-manager/index.rst +++ b/docs/applications/cert-manager/index.rst 
@@ -9,49 +9,13 @@ Cert-manager creates TLS certificates via `Let's Encrypt `__ from its `Helm chart repository `__. -It creates TLS certificates via `Let's Encrypt `__ and automatically renews them. - -This service is only deployed on clusters managed by SQuaRE. -If a site uses some other process to manage its certificates, it is the responsibility of that site's administrative team to acquire and deploy those certificates. - -``cert-manager`` creates a cluster issuer that uses the DNS solver and Route 53 for DNS by default. -Set ``config.createIssuer`` to ``false`` for environments where cert-manager should be installed but not use a Route 53 cluster issuer. -For more information, see :ref:`hostnames`. - -.. rubric:: Using cert-manager - -To configure an ingress to use certificates issued by it, add a ``tls`` configuration to the ingress and the annotation: - -.. code-block:: yaml - - cert-manager.io/cluster-issuer: "letsencrypt-dns" - -This should be done on one and only one ingress for a deployment using ``cert-manager``. -The RSP conventionally uses the ``squareone`` service. - -.. rubric:: Upgrading - -Upgrading cert-manager is generally painless. -The only custom configuration that we use, beyond installing a cluster issuer, is to tell the Helm chart to install the Custom Resource Definitions. - -Normally, it's not necessary to explicitly test cert-manager after a routine upgrade. -We will notice if the certificates expire, and have monitoring of the important ones. -However, if you want to be sure that cert-manager is still working after an upgrade, delete the TLS secret in the ``squareone`` namespace. -It should be recreated by cert-manager. -(You may have to also delete the ``Certificate`` resource of the same name and let Argo CD re-create it to trigger this.) -This may cause an outage for the Science Platform since it is using this certificate, so you may want to be prepared to port-forward to get to the Argo CD UI in case something goes wrong. 
- Guides ====== .. toctree:: + notes + bootstrap route53-setup - bootstrapping - -.. seealso:: - - * `cert-manager documentation for Route 53 `__. + upgrade + values diff --git a/docs/applications/cert-manager/notes.rst b/docs/applications/cert-manager/notes.rst new file mode 100644 index 0000000000..e0c1d654ed --- /dev/null +++ b/docs/applications/cert-manager/notes.rst @@ -0,0 +1,31 @@ +.. px-app-notes:: cert-manager + +################################### +Cert-manager architecture and notes +################################### + +The :px-app:`cert-manager` service is an installation of `cert-manager `__ from its `Helm chart repository `__. +It creates TLS certificates via `Let's Encrypt `__ and automatically renews them. + +This application is only deployed on clusters managed by SQuaRE on Google Cloud Platform. +If a site uses some other process to manage its certificates, it is the responsibility of that site's administrative team to acquire and deploy those certificates. + +``cert-manager`` creates a cluster issuer that uses the DNS solver and Route 53 for DNS by default. +Set ``config.createIssuer`` to ``false`` for environments where cert-manager should be installed but not use a Route 53 cluster issuer. +For more information, see :ref:`hostnames`. + +.. seealso:: + + `cert-manager documentation for Route 53 `__. + +Using cert-manager +================== + +To configure an Ingress_ to use certificates issued by it, add a ``tls`` configuration to the ingress and the annotation: + +.. code-block:: yaml + + cert-manager.io/cluster-issuer: "letsencrypt-dns" + +This should be done on one and only one Ingress_ for an environment using ``cert-manager``. +The RSP conventionally uses the :px-app:`squareone` application. diff --git a/docs/applications/cert-manager/route53-setup.rst b/docs/applications/cert-manager/route53-setup.rst index ca3f582fbc..cfde31924e 100644 --- a/docs/applications/cert-manager/route53-setup.rst 
+++ b/docs/applications/cert-manager/route53-setup.rst 
@@ -7,24 +7,23 @@ This involves creating a new hosted zone for the DNS challenges for that domain, Normally, DNS challenges work by writing a text record to the ``_acme-challenge.`` record for the hostname for which one is obtaining a certificate. However, Route 53 IAM policies are only granular to the level of a hosted zone. -To give ``cert-manager`` write access to the whole hosted zone would be exessive, since it could then modify any other records. +To give ``cert-manager`` write access to the whole hosted zone would be excessive, since it could then modify any other records. Therefore, we use a strategy documented in the `cert-manager documentation for Route 53 `__ to delegate only the relevant records. To do this for a new zone, do the following. -In these instructions, the new zone is shown as ``new.zone``. +In these instructions, the new zone is shown as :samp:`new.zone`. In practice this will be a zone like ``lsst.codes`` or ``lsst.cloud``. This must be a public domain served from normal Internet domain servers. It cannot be a private domain present only in Route 53. -#. Create a new hosted zone named ``tls.new.zone`` in Route 53. +#. Create a new hosted zone named :samp:`tls.{new.zone}` in Route 53. Make a note of its zone ID. -#. Add the NS glue record for ``tls.new.zone`` to ``new.zone`` in Route 53. - See `the Amazon documentation `__ for more details. +#. Add the NS glue record for :samp:`tls.{new.zone}` to :samp:`{new.zone}` in Route 53. + See `the Route 53 documentation `__ for more details. -#. Create a new IAM user named ``cert-manager-new-zone``. - (Don't forget to replace ``new-zone`` with the name of your zone.) - Attach an inline IAM policy for that user that gives it access to the new ``tls.new.zone`` hosted zone. +#. Create a new IAM user named :samp:`cert-manager-{new-zone}` (replace ``new-zone`` with the name of your zone). + Attach an inline IAM policy for that user that gives it access to the new :samp:`tls.{new.zone}` hosted zone. .. 
code-block:: json @@ -49,13 +48,13 @@ It cannot be a private domain present only in Route 53. ] } - replacing ```` with the ID of the hosted zone. - (This will be a string similar to ``Z0567328105IEHEMIXLCO``.) + Replace :samp:`{}` with the ID of the hosted zone + (which is a string looking like ``Z0567328105IEHEMIXLCO``.) #. Create an access key for that user. - Store the access key and secret key pair in 1Password as ``cert-manager-new-zone``. + Store the access key and secret key pair in 1Password as :samp:`cert-manager-{new-zone}`. -You can now follow the instructions in :doc:`bootstrapping` to set up the new cluster. +You can now follow the instructions in :px-app-bootstrap:`cert-manager` to set up the new cluster. The above instructions only have to be done once per domain. -After that, any new clusters in the same domain will only need the addition of a CNAME and some Vault and Argo CD configuration, as described in :doc:`bootstrapping`. +After that, any new clusters in the same domain will only need the addition of a CNAME and some Vault and Argo CD configuration, as described in :px-app-bootstrap:`cert-manager`. diff --git a/docs/applications/cert-manager/upgrade.rst b/docs/applications/cert-manager/upgrade.rst new file mode 100644 index 0000000000..87f3f2c44c --- /dev/null +++ b/docs/applications/cert-manager/upgrade.rst 
@@ -0,0 +1,17 @@ +.. px-app-upgrade:: cert-manager + +###################### +Upgrading cert-manager +###################### + +Upgrading :px-app:`cert-manager` is generally painless. +The only custom configuration that we use, beyond installing a cluster issuer, is to tell the Helm chart to install the Custom Resource Definitions. + +Normally, it's not necessary to explicitly test :px-app:`cert-manager` after a routine upgrade. +We will notice if the certificates expire, and have monitoring of the important ones. +However, if you want to be sure that cert-manager is still working after an upgrade, delete the TLS secret and ``Certificate`` resource in the ``squareone`` namespace. +It should be recreated by cert-manager. + +.. warning:: + + This may cause an outage for the Science Platform since it is using this certificate, so you may want to be prepared to port-forward to get to the Argo CD UI in case something goes wrong. diff --git a/docs/applications/cert-manager/values.md b/docs/applications/cert-manager/values.md new file mode 100644 index 0000000000..3d82099205 --- /dev/null +++ b/docs/applications/cert-manager/values.md @@ -0,0 +1,12 @@ +```{px-app-values} cert-manager +``` + +# Cert-manager Helm values reference + +Helm values reference table for the {px-app}`cert-manager` application. + +```{include} ../../../services/cert-manager/README.md +--- +start-after: "## Values" +--- +``` diff --git a/docs/applications/ingress-nginx/certificates.rst b/docs/applications/ingress-nginx/certificates.rst index ae9b6cdcaa..8cb662e25c 100644 --- a/docs/applications/ingress-nginx/certificates.rst +++ b/docs/applications/ingress-nginx/certificates.rst 
@@ -6,7 +6,7 @@ The entire Science Platform uses the same external hostname and relies on NGINX As discussed in :ref:`hostnames`, TLS for the Science Platform can be configured with either a default certificate in ``ingress-nginx`` or through Let's Encrypt with the DNS solver. If an installation is using Let's Encrypt with the DNS solver, no further configuration of the NGINX ingress is required. -See :doc:`../cert-manager/bootstrapping` for setup information. +See :px-app-bootstrap:`cert-manager` for setup information. When using a commercial certificate, that certificate should be configured in the ``values-*.yaml`` for ``ingress-nginx`` for that environment. Specifically, add the following under ``ingress-nginx.controller``: @@ -16,7 +16,7 @@ Specifically, add the following under ``ingress-nginx.controller``: extraArgs: default-ssl-certificate: ingress-nginx/ingress-certificate -and add, at the top level: +And at the top level, add: .. code-block:: yaml @@ -24,7 +24,8 @@ and add, at the top level: enabled: true path: secret/k8s_operator//ingress-nginx -replacing ```` with the hostname of the environment. +Replace ```` with the hostname of the environment. + Then, in the Vault key named by that path, store the commercial certificate. The Vault secret should have two keys: ``tls.crt`` and ``tls.key``. The first should contain the full public certificate chain. From 97213609a67d6be23a132bdeed5beb69233a09bb Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Tue, 18 Oct 2022 16:07:24 -0400 Subject: [PATCH 1186/1479] Organize cachemachine docs Reorganize the cachemachine app docs around the standard structure --- docs/applications/cachemachine/index.rst | 5 ++--- .../cachemachine/updating-recommended.rst | 6 +++--- docs/applications/cachemachine/upgrade.rst | 7 +++++++ docs/applications/cachemachine/values.md | 12 ++++++++++++ 4 files changed, 24 insertions(+), 6 deletions(-) create mode 100644 docs/applications/cachemachine/upgrade.rst create mode 100644 docs/applications/cachemachine/values.md diff --git a/docs/applications/cachemachine/index.rst b/docs/applications/cachemachine/index.rst index ee2881d592..52bf1e6fad 100644 --- a/docs/applications/cachemachine/index.rst +++ b/docs/applications/cachemachine/index.rst @@ -9,13 +9,12 @@ Cachemachine is the RSP's image prepulling service. .. jinja:: cachemachine :file: applications/_summary.rst.jinja -Upgrading ``cachemachine`` is generally painless. -A simple Argo CD sync is sufficient. - Guides ====== .. toctree:: + upgrade pruning updating-recommended + values diff --git a/docs/applications/cachemachine/updating-recommended.rst b/docs/applications/cachemachine/updating-recommended.rst index 507b0bef9c..505b0bb4cf 100644 --- a/docs/applications/cachemachine/updating-recommended.rst +++ b/docs/applications/cachemachine/updating-recommended.rst @@ -1,6 +1,6 @@ -###################### -Updating "recommended" -###################### +########################################### +Updating the "recommended" JupyterLab image +########################################### The "recommended" tag for JupyterLab images is usually a recent weekly image. The image marked "recommended" is guaranteed by SQuaRE to be compatible with other services and materials--such as tutorial or system testing notebooks--that we make available on RSP deployments. 
diff --git a/docs/applications/cachemachine/upgrade.rst b/docs/applications/cachemachine/upgrade.rst new file mode 100644 index 0000000000..4d0b3fc6a3 --- /dev/null +++ b/docs/applications/cachemachine/upgrade.rst @@ -0,0 +1,7 @@ +.. px-app-upgrade:: cachemachine + +###################### +Upgrading cachemachine +###################### + +A simple Argo CD sync is sufficient for upgrading :px-app:`cachemachine`. diff --git a/docs/applications/cachemachine/values.md b/docs/applications/cachemachine/values.md new file mode 100644 index 0000000000..b21aea8ffb --- /dev/null +++ b/docs/applications/cachemachine/values.md @@ -0,0 +1,12 @@ +```{px-app-values} cachemachine +``` + +# Cachemachine Helm values reference + +Helm values reference table for the {px-app}`cachemachine` application. + +```{include} ../../../services/cachemachine/README.md +--- +start-after: "## Values" +--- +``` From d54747e586f0098cd75b9b19a5d312aae7a28d64 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 18 Oct 2022 16:15:52 -0400 Subject: [PATCH 1187/1479] Update homepage for production-tools --- services/production-tools/Chart.yaml | 2 +- services/production-tools/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/production-tools/Chart.yaml b/services/production-tools/Chart.yaml index 1cef194be6..99e99dbd4f 100644 --- a/services/production-tools/Chart.yaml +++ b/services/production-tools/Chart.yaml @@ -3,5 +3,5 @@ name: production-tools version: 1.0.0 dependencies: description: A collection of utility pages for monitoring data processing. -home: "https://github.com/lsst-sqre/production-tools" +home: "https://github.com/lsst-dm/production_tools" appVersion: 0.0.17 diff --git a/services/production-tools/README.md b/services/production-tools/README.md index fe7ae5fce9..c589e89ba0 100644 --- a/services/production-tools/README.md +++ b/services/production-tools/README.md 
@@ -2,7 +2,7 @@ A collection of utility pages for monitoring data processing. -**Homepage:** +**Homepage:** ## Values From d77cf5e1504fcdf4b2d7435eebc8c32bc2679835 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Tue, 18 Oct 2022 16:21:26 -0400 Subject: [PATCH 1188/1479] Skip accidental links in values files Ignore values.md from linkcheck. The Helm values can include sample links that take time to add to the ignore pattern for link check. --- docs/conf.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/conf.py b/docs/conf.py index 94731d2b65..9d4279b46a 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -29,3 +29,6 @@ ) linkcheck_anchors = False +linkcheck_exclude_documents = [ + r"applications/.*/values", +] From 48db97112ee173c217ef947209c95e5617b8feb2 Mon Sep 17 00:00:00 2001 
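Review bot: The exclusion pattern `r"applications/.*/values"` is not anchored at the end, so it also silently excludes any future document whose name merely starts with `applications/<something>/values` (for example a hand-written `applications/foo/values-migration` page), and the `.*` also spans nested directories; as far as I can tell Sphinx applies these patterns with `re.match`, which anchors only the start. A tighter pattern keeps the exclusion to the generated values tables: `r"^applications/[^/]+/values$"`. Since this disables link checking for whole documents, a short why-comment above the setting would help the next maintainer understand the trade-off, e.g. `# Values pages are included verbatim from chart READMEs and may contain sample URLs, so they are skipped by linkcheck.`.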
From: Jonathan Sick Date: Wed, 19 Oct 2022 14:20:59 -0400 Subject: [PATCH 1189/1479] Apply application doc page structure Standard pages are: - notes.rst - bootstrap.rst - upgrade.rst - troubleshoot.rst - values.md Apps can implement a subset of these, or add additional pages as necessary. --- docs/admin/troubleshooting.rst | 6 ++-- docs/applications/datalinker/index.rst | 12 ++++--- docs/applications/datalinker/values.md | 12 +++++++ docs/applications/exposurelog/index.rst | 12 ++++--- docs/applications/exposurelog/values.md | 12 +++++++ docs/applications/gafaelfawr/index.rst | 11 ++---- docs/applications/gafaelfawr/notes.rst | 13 +++++++ .../{debugging.rst => troubleshoot.rst} | 9 +++-- docs/applications/gafaelfawr/values.md | 12 +++++++ docs/applications/hips/index.rst | 12 ++++--- docs/applications/hips/values.md | 12 +++++++ docs/applications/ingress-nginx/index.rst | 9 ++--- docs/applications/ingress-nginx/upgrade.rst | 7 ++++ docs/applications/ingress-nginx/values.md | 12 +++++++ docs/applications/mobu/index.rst | 1 + docs/applications/mobu/values.md | 12 +++++++ docs/applications/moneypenny/index.rst | 14 ++++---- docs/applications/moneypenny/values.md | 12 +++++++ docs/applications/narrativelog/index.rst | 14 ++++---- docs/applications/narrativelog/values.md | 12 +++++++ docs/applications/noteburst/index.rst | 12 ++++--- docs/applications/noteburst/values.md | 12 +++++++ docs/applications/nublado2/index.rst | 7 ++-- .../{database.rst => troubleshoot.rst} | 15 +++++--- docs/applications/nublado2/upgrade.rst | 5 +++ docs/applications/nublado2/values.md | 12 +++++++ docs/applications/plot-navigator/index.rst | 12 ++++--- docs/applications/plot-navigator/values.md | 12 +++++++ docs/applications/portal/index.rst | 12 ++++--- docs/applications/portal/values.md | 12 +++++++ docs/applications/postgres/index.rst | 7 ++-- docs/applications/postgres/recreate-pvc.rst | 21 ----------- docs/applications/postgres/troubleshoot.rst | 18 ++++++++++ 
docs/applications/postgres/upgrade.rst | 7 ++++ docs/applications/postgres/values.md | 12 +++++++ docs/applications/production-tools/index.rst | 12 ++++--- docs/applications/production-tools/values.md | 12 +++++++ docs/applications/sasquatch/index.rst | 12 ++++--- docs/applications/sasquatch/values.md | 12 +++++++ docs/applications/semaphore/index.rst | 12 ++++--- docs/applications/semaphore/values.md | 12 +++++++ docs/applications/sherlock/index.rst | 12 ++++--- docs/applications/sherlock/values.md | 12 +++++++ docs/applications/squareone/index.rst | 12 ++++--- docs/applications/squareone/values.md | 12 +++++++ .../strimzi-registry-operator/index.rst | 1 - docs/applications/tap-schema/index.rst | 14 ++++---- docs/applications/tap-schema/values.md | 12 +++++++ docs/applications/tap/index.rst | 12 ++----- docs/applications/tap/notes.rst | 11 ++++++ docs/applications/tap/upgrade.rst | 9 +++++ docs/applications/tap/values.md | 12 +++++++ docs/applications/telegraf-ds/index.rst | 14 ++++---- docs/applications/telegraf-ds/values.md | 12 +++++++ docs/applications/telegraf/index.rst | 12 ++++--- docs/applications/telegraf/values.md | 12 +++++++ docs/applications/times-square/index.rst | 12 ++++--- docs/applications/times-square/values.md | 12 +++++++ .../vault-secrets-operator/bootstrap.rst | 25 +++++++++++++ .../vault-secrets-operator/index.rst | 35 ++++--------------- .../vault-secrets-operator/upgrade.rst | 12 +++++++ .../vault-secrets-operator/values.md | 12 +++++++ docs/applications/vo-cutouts/index.rst | 12 ++++--- docs/applications/vo-cutouts/values.md | 12 +++++++ 64 files changed, 581 insertions(+), 184 deletions(-) create mode 100644 docs/applications/datalinker/values.md create mode 100644 docs/applications/exposurelog/values.md create mode 100644 docs/applications/gafaelfawr/notes.rst rename docs/applications/gafaelfawr/{debugging.rst => troubleshoot.rst} (91%) create mode 100644 docs/applications/gafaelfawr/values.md create mode 100644 
docs/applications/hips/values.md create mode 100644 docs/applications/ingress-nginx/upgrade.rst create mode 100644 docs/applications/ingress-nginx/values.md create mode 100644 docs/applications/mobu/values.md create mode 100644 docs/applications/moneypenny/values.md create mode 100644 docs/applications/narrativelog/values.md create mode 100644 docs/applications/noteburst/values.md rename docs/applications/nublado2/{database.rst => troubleshoot.rst} (80%) create mode 100644 docs/applications/nublado2/upgrade.rst create mode 100644 docs/applications/nublado2/values.md create mode 100644 docs/applications/plot-navigator/values.md create mode 100644 docs/applications/portal/values.md delete mode 100644 docs/applications/postgres/recreate-pvc.rst create mode 100644 docs/applications/postgres/troubleshoot.rst create mode 100644 docs/applications/postgres/upgrade.rst create mode 100644 docs/applications/postgres/values.md create mode 100644 docs/applications/production-tools/values.md create mode 100644 docs/applications/sasquatch/values.md create mode 100644 docs/applications/semaphore/values.md create mode 100644 docs/applications/sherlock/values.md create mode 100644 docs/applications/squareone/values.md create mode 100644 docs/applications/tap-schema/values.md create mode 100644 docs/applications/tap/notes.rst create mode 100644 docs/applications/tap/upgrade.rst create mode 100644 docs/applications/tap/values.md create mode 100644 docs/applications/telegraf-ds/values.md create mode 100644 docs/applications/telegraf/values.md create mode 100644 docs/applications/times-square/values.md create mode 100644 docs/applications/vault-secrets-operator/bootstrap.rst create mode 100644 docs/applications/vault-secrets-operator/upgrade.rst create mode 100644 docs/applications/vault-secrets-operator/values.md create mode 100644 docs/applications/vo-cutouts/values.md diff --git a/docs/admin/troubleshooting.rst b/docs/admin/troubleshooting.rst index d2ca808385..3ccd90be13 100644 
--- a/docs/admin/troubleshooting.rst +++ b/docs/admin/troubleshooting.rst @@ -16,7 +16,7 @@ If the pod is already running, it gets I/O errors from its database, hangs, or o If the backing store is corrupt or has been deleted or otherwise is disrupted, sometimes the ``PersistentVolume`` will become unavailable, but the ``PersistentVolumeClaim`` will hang on to it and keep trying to futilely mount it. When this happens, you may need to recreate the persistent volume. -**Solution:** :doc:`/applications/postgres/recreate-pvc` +**Solution:** :ref:`recreate-postgres-pvc` Spawner menu missing images, cachemachine stuck pulling the same image ====================================================================== @@ -60,7 +60,7 @@ Spawning a notebook fails with a pending error In this case, JupyterHub may not recover without assistance. You may need to delete the record for the affected user, and also make sure the user's lab namespace (visible in Argo CD under the ``nublado-users`` application) has been deleted. -**Solution:** :doc:`/applications/nublado2/database` +**Solution:** :ref:`nublado2-clear-session-database` User gets permission denied from applications ============================================= @@ -75,7 +75,7 @@ The most likely cause of this problem is that the user is not a member of a grou Gafaelfawr will prevent the user from logging in at all if they are not a member of any group that grants access to an application. If they are a member of at least one group, they'll be able to log in but may get permission denied errors from other application. -**Solution:** :doc:`/applications/gafaelfawr/debugging` +**Solution:** :px-app-troubleshooting:`Gafaelfawr troubleshooting ` You need privileged access to the filestore =========================================== diff --git a/docs/applications/datalinker/index.rst b/docs/applications/datalinker/index.rst index 66072820e8..a5bc757873 100644 --- a/docs/applications/datalinker/index.rst 
+++ b/docs/applications/datalinker/index.rst @@ -10,8 +10,10 @@ It is primarily based on the IVOA DataLink standard, but also provides some rela .. jinja:: datalinker :file: applications/_summary.rst.jinja -.. Guides -.. ====== -.. -.. .. toctree:: -.. :maxdepth: 1 +Guides +====== + +.. toctree:: + :maxdepth: 1 + + values diff --git a/docs/applications/datalinker/values.md b/docs/applications/datalinker/values.md new file mode 100644 index 0000000000..8964d8098d --- /dev/null +++ b/docs/applications/datalinker/values.md @@ -0,0 +1,12 @@ +```{px-app-values} datalinker +``` + +# Datalinker Helm values reference + +Helm values reference table for the {px-app}`datalinker` application. + +```{include} ../../../services/datalinker/README.md +--- +start-after: "## Values" +--- +``` diff --git a/docs/applications/exposurelog/index.rst b/docs/applications/exposurelog/index.rst index dac572f232..ce6f9f74ce 100644 --- a/docs/applications/exposurelog/index.rst +++ b/docs/applications/exposurelog/index.rst @@ -9,8 +9,10 @@ Exposure log is a REST web service to create and manage log messages that are as .. jinja:: exposurelog :file: applications/_summary.rst.jinja -.. Guides -.. ====== -.. -.. .. toctree:: -.. :maxdepth: 1 +Guides +====== + +.. toctree:: + :maxdepth: 1 + + values diff --git a/docs/applications/exposurelog/values.md b/docs/applications/exposurelog/values.md new file mode 100644 index 0000000000..67c1045b96 --- /dev/null +++ b/docs/applications/exposurelog/values.md @@ -0,0 +1,12 @@ +```{px-app-values} exposurelog +``` + +# Exposure log Helm values reference + +Helm values reference table for the {px-app}`exposurelog` application. + +```{include} ../../../services/exposurelog/README.md +--- +start-after: "## Values" +--- +``` diff --git a/docs/applications/gafaelfawr/index.rst b/docs/applications/gafaelfawr/index.rst index 441f897d78..ab760a4144 100644 --- a/docs/applications/gafaelfawr/index.rst +++ b/docs/applications/gafaelfawr/index.rst 
@@ -21,14 +21,9 @@ Guides
 .. toctree::
 :maxdepth: 2
- debugging
+ notes
 storage
 recreate-token
 github-organizations
-
-.. seealso::
-
- * `DMTN-234: Identity management design `__
- * `DMTN-224: Identity management implementation `__
- * `SQR-069: Identity management history and decisions `__
- * `Gafaelfawr documentation `__
+ troubleshoot
+ values
diff --git a/docs/applications/gafaelfawr/notes.rst b/docs/applications/gafaelfawr/notes.rst
new file mode 100644
index 0000000000..eee15792e8
--- /dev/null
+++ b/docs/applications/gafaelfawr/notes.rst
@@ -0,0 +1,13 @@
+.. px-app-notes:: gafaelfawr
+
+#################################
+Gafaelfawr architecture and notes
+#################################
+
+Further documentation
+=====================
+
+* `DMTN-234: Identity management design `__
+* `DMTN-224: Identity management implementation `__
+* `SQR-069: Identity management history and decisions `__
+* `Gafaelfawr documentation `__
diff --git a/docs/applications/gafaelfawr/debugging.rst b/docs/applications/gafaelfawr/troubleshoot.rst
similarity index 91%
rename from docs/applications/gafaelfawr/debugging.rst
rename to docs/applications/gafaelfawr/troubleshoot.rst
index 2d33b386a3..64ee8de698 100644
--- a/docs/applications/gafaelfawr/debugging.rst
+++ b/docs/applications/gafaelfawr/troubleshoot.rst
@@ -1,6 +1,11 @@
-###############################
+.. px-app-troubleshooting:: gafaelfawr
+
+###############
+Troubleshooting
+###############
+
 Debugging authentication issues
-###############################
+===============================
 If a user successfully authenticates through the Gafaelfawr ``/login`` route but then cannot access an application such as the Notebook or Portal, a good initial debugging step is to determine what scopes the user was granted on the basis of their group membership.
diff --git a/docs/applications/gafaelfawr/values.md b/docs/applications/gafaelfawr/values.md
new file mode 100644
index 0000000000..1693601a81
--- /dev/null
+++ b/docs/applications/gafaelfawr/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} gafaelfawr
+```
+
+# Gafaelfawr Helm values reference
+
+Helm values reference table for the {px-app}`gafaelfawr` application.
+
+```{include} ../../../services/gafaelfawr/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/hips/index.rst b/docs/applications/hips/index.rst
index c4a07abf6e..cf3d0d94fe 100644
--- a/docs/applications/hips/index.rst
+++ b/docs/applications/hips/index.rst
@@ -9,8 +9,10 @@ HiPS web server backed by Google Cloud Storage.
 .. jinja:: hips
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/hips/values.md b/docs/applications/hips/values.md
new file mode 100644
index 0000000000..30ebaf14a9
--- /dev/null
+++ b/docs/applications/hips/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} hips
+```
+
+# hips Helm values reference
+
+Helm values reference table for the {px-app}`hips` application.
+
+```{include} ../../../services/hips/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/ingress-nginx/index.rst b/docs/applications/ingress-nginx/index.rst
index a6ad536f5f..15072c5109 100644
--- a/docs/applications/ingress-nginx/index.rst
+++ b/docs/applications/ingress-nginx/index.rst
@@ -5,20 +5,17 @@ ingress-nginx
 #############
 The ``ingress-nginx`` application is an installation of `ingress-nginx `__ from its `Helm chart `__.
-We use NGINX as the ingress controller for all Rubin Science Platform deployments rather than native ingress controllers because we use the NGINX ``auth_request`` feature to do authentication and authorization.
+We use NGINX as the ingress controller for all Rubin Science Platform deployments rather than native ingress controllers because we use the NGINX ``auth_request`` feature to do authentication and authorization with :px-app:`gafaelfawr`.
 .. jinja:: ingress-nginx
 :file: applications/_summary.rst.jinja
-.. rubric:: Overview
-
-Upgrading ``ingress-nginx`` is generally painless.
-A simple Argo CD sync is sufficient.
-
 Guides
 ======
 .. toctree::
 :maxdepth: 2
+ upgrade
 certificates
+ values
diff --git a/docs/applications/ingress-nginx/upgrade.rst b/docs/applications/ingress-nginx/upgrade.rst
new file mode 100644
index 0000000000..9c9d7deddf
--- /dev/null
+++ b/docs/applications/ingress-nginx/upgrade.rst
@@ -0,0 +1,7 @@
+.. px-app-upgrade:: ingress-nginx
+
+#######################
+Upgrading ingress-nginx
+#######################
+
+A simple Argo CD sync is sufficient for upgrading :px-app:`ingress-nginx`.
diff --git a/docs/applications/ingress-nginx/values.md b/docs/applications/ingress-nginx/values.md
new file mode 100644
index 0000000000..b006a12d1c
--- /dev/null
+++ b/docs/applications/ingress-nginx/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} ingress-nginx
+```
+
+# Ingress-nginx Helm values reference
+
+Helm values reference table for the {px-app}`ingress-nginx` application.
+
+```{include} ../../../services/ingress-nginx/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/mobu/index.rst b/docs/applications/mobu/index.rst
index dae9d6d4a1..2937917950 100644
--- a/docs/applications/mobu/index.rst
+++ b/docs/applications/mobu/index.rst
@@ -20,3 +20,4 @@ Guides
 configuring
 manage-flocks
+ values
diff --git a/docs/applications/mobu/values.md b/docs/applications/mobu/values.md
new file mode 100644
index 0000000000..29c2e394b8
--- /dev/null
+++ b/docs/applications/mobu/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} mobu
+```
+
+# Mobu Helm values reference
+
+Helm values reference table for the {px-app}`mobu` application.
+
+```{include} ../../../services/mobu/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/moneypenny/index.rst b/docs/applications/moneypenny/index.rst
index 7e36399f2e..618741637f 100644
--- a/docs/applications/moneypenny/index.rst
+++ b/docs/applications/moneypenny/index.rst
@@ -4,13 +4,15 @@ moneypenny
 ##########
-Moneypenny provider user-provisioning actions for the Rubin Science Platform.
+Moneypenny provides user-provisioning actions for the Rubin Science Platform.
 .. jinja:: moneypenny
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/moneypenny/values.md b/docs/applications/moneypenny/values.md
new file mode 100644
index 0000000000..58a6586b0c
--- /dev/null
+++ b/docs/applications/moneypenny/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} moneypenny
+```
+
+# moneypenny Helm values reference
+
+Helm values reference table for the {px-app}`moneypenny` application.
+
+```{include} ../../../services/moneypenny/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/narrativelog/index.rst b/docs/applications/narrativelog/index.rst
index fb9785ece7..0f646d2175 100644
--- a/docs/applications/narrativelog/index.rst
+++ b/docs/applications/narrativelog/index.rst
@@ -4,13 +4,15 @@ narrativelog
 ############
-Narrative log service for Rubin Observatory.
+Narrative log API service for Rubin Observatory.
 .. jinja:: narrativelog
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/narrativelog/values.md b/docs/applications/narrativelog/values.md
new file mode 100644
index 0000000000..64f214b837
--- /dev/null
+++ b/docs/applications/narrativelog/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} narrativelog
+```
+
+# narrativelog Helm values reference
+
+Helm values reference table for the {px-app}`narrativelog` application.
+
+```{include} ../../../services/narrativelog/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/noteburst/index.rst b/docs/applications/noteburst/index.rst
index 4127a85d0f..c5d852775f 100644
--- a/docs/applications/noteburst/index.rst
+++ b/docs/applications/noteburst/index.rst
@@ -9,8 +9,10 @@ Noteburst is a notebook execution service for the Rubin Science Platform.
 .. jinja:: noteburst
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/noteburst/values.md b/docs/applications/noteburst/values.md
new file mode 100644
index 0000000000..75cc07fd25
--- /dev/null
+++ b/docs/applications/noteburst/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} noteburst
+```
+
+# noteburst Helm values reference
+
+Helm values reference table for the {px-app}`noteburst` application.
+
+```{include} ../../../services/noteburst/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/nublado2/index.rst b/docs/applications/nublado2/index.rst
index 8910722a80..f317977f81 100644
--- a/docs/applications/nublado2/index.rst
+++ b/docs/applications/nublado2/index.rst
@@ -9,13 +9,12 @@ The ``nublado2`` service is an installation of a Rubin Observatory flavor of `Ze
 .. jinja:: nublado2
 :file: applications/_summary.rst.jinja
-Upgrading ``nublado2`` is generally painless.
-A simple Argo CD sync is sufficient.
-
 Guides
 ======
 .. toctree::
 :maxdepth: 2
- database
+ upgrade
+ troubleshoot
+ values
diff --git a/docs/applications/nublado2/database.rst b/docs/applications/nublado2/troubleshoot.rst
similarity index 80%
rename from docs/applications/nublado2/database.rst
rename to docs/applications/nublado2/troubleshoot.rst
index fe32eb8b0c..c5223be9c1 100644
--- a/docs/applications/nublado2/database.rst
+++ b/docs/applications/nublado2/troubleshoot.rst
@@ -1,6 +1,13 @@
-############################
+.. px-app-troubleshooting:: nublado2
+
+########################
+Troubleshooting nublado2
+########################
+
+.. _nublado2-clear-session-database:
+
 Clear session database entry
-############################
+============================
 Sometimes JupyterHub and its session database will get into an inconsistent state where it thinks a pod is already running but cannot shut it down.
 The typical symptom of this is that spawns for that user fail with an error saying that the user's lab is already pending spawn or pending deletion, but the user cannot connect to their pod.
@@ -10,14 +17,14 @@ Recovery may require manually clearing the user's entry in the session database
 #. Remove the user's lab namespace, if it exists.
 #. Remove the user from the session database.
- Connect to the database with:
+ First, connect to the database:
 .. code-block:: shell
 pod=$(kubectl get pods -n postgres | grep postgres | awk '{print $1}')
 kubectl exec -it -n postgres ${pod} -- psql -U jovyan jupyterhub
- and then, at the PostgreSQL prompt, run:
+ Then, at the PostgreSQL prompt:
 .. code-block:: sql
diff --git a/docs/applications/nublado2/upgrade.rst b/docs/applications/nublado2/upgrade.rst
new file mode 100644
index 0000000000..b727490324
--- /dev/null
+++ b/docs/applications/nublado2/upgrade.rst
@@ -0,0 +1,5 @@
+.. px-app-upgrade:: nublado2
+
+##################
+Upgrading nublado2
+##################
diff --git a/docs/applications/nublado2/values.md b/docs/applications/nublado2/values.md
new file mode 100644
index 0000000000..3be8c0fcf2
--- /dev/null
+++ b/docs/applications/nublado2/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} nublado2
+```
+
+# nublado2 Helm values reference
+
+Helm values reference table for the {px-app}`nublado2` application.
+
+```{include} ../../../services/nublado2/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/plot-navigator/index.rst b/docs/applications/plot-navigator/index.rst
index 230634c16f..7608f96d79 100644
--- a/docs/applications/plot-navigator/index.rst
+++ b/docs/applications/plot-navigator/index.rst
@@ -9,8 +9,10 @@ Panel-based plot viewer.
 .. jinja:: plot-navigator
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/plot-navigator/values.md b/docs/applications/plot-navigator/values.md
new file mode 100644
index 0000000000..068567fa77
--- /dev/null
+++ b/docs/applications/plot-navigator/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} plot-navigator
+```
+
+# plot-navigator Helm values reference
+
+Helm values reference table for the {px-app}`plot-navigator` application.
+
+```{include} ../../../services/plot-navigator/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/portal/index.rst b/docs/applications/portal/index.rst
index b71e05e456..b11ae6e403 100644
--- a/docs/applications/portal/index.rst
+++ b/docs/applications/portal/index.rst
@@ -9,8 +9,10 @@ The portal aspect of the Rubin Science Platform, powered by Firefly.
 .. jinja:: portal
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/portal/values.md b/docs/applications/portal/values.md
new file mode 100644
index 0000000000..15328e3b51
--- /dev/null
+++ b/docs/applications/portal/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} portal
+```
+
+# portal Helm values reference
+
+Helm values reference table for the {px-app}`portal` application.
+
+```{include} ../../../services/portal/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/postgres/index.rst b/docs/applications/postgres/index.rst
index 14eb89f88b..6a0906be03 100644
--- a/docs/applications/postgres/index.rst
+++ b/docs/applications/postgres/index.rst
@@ -23,14 +23,13 @@ Users will have to log in, restart sessions, and recreate authentication tokens.
 .. jinja:: postgres
 :file: applications/_summary.rst.jinja
-Upgrading ``postgres`` is generally painless.
-A simple Argo CD sync is sufficient.
-
 Guides
 ======
 .. toctree::
 :maxdepth: 2
- recreate-pvc
+ upgrade
 add-database
+ troubleshoot
+ values
diff --git a/docs/applications/postgres/recreate-pvc.rst b/docs/applications/postgres/recreate-pvc.rst
deleted file mode 100644
index 315558e0c3..0000000000
--- a/docs/applications/postgres/recreate-pvc.rst
+++ /dev/null
@@ -1,21 +0,0 @@
-##########################
-Recreating postgres PV/PVC
-##########################
-
-If you get into a state where the cluster has completely crashed,
-perhaps due to hardware problems, and the backing store for persistent
-volumes has been lost, Postgres may refuse to start.
-
-The reason for this is that if you are using an autoprovisioned storage
-class (such as GKE and Rook provide), the PVC will reference a volume
-that no longer exists.
-
-This, in and of itself, is not a tragedy. The Postgres database is
-intended to hold only fairly low-value data. If your cluster has
-crashed that hard, the authentication Redis cache and JupyterHub session
-database are unlikely to still be relevant.
-
-All you need to do to recover is to delete the PVC, recreate it (which
-will re-allocate the persistent storage), and restart the deployment.
-This is most easily accomplished with ArgoCD, although ``kubectl`` works
-as well.
diff --git a/docs/applications/postgres/troubleshoot.rst b/docs/applications/postgres/troubleshoot.rst
new file mode 100644
index 0000000000..b3469f21c1
--- /dev/null
+++ b/docs/applications/postgres/troubleshoot.rst
@@ -0,0 +1,18 @@
+.. px-app-troubleshooting:: postgres
+
+########################
+Troubleshooting postgres
+########################
+
+.. _recreate-postgres-pvc:
+
+Recreating postgres PV/PVC
+==========================
+
+If you get into a state where the cluster has completely crashed, perhaps due to hardware problems, and the backing store for persistent volumes has been lost, Postgres may refuse to start.
+The reason for this is that if you are using an autoprovisioned storage class (such as GKE and Rook provide), the PVC will reference a volume that no longer exists.
+This loss is acceptable; the :px-app:`postgres` database is intended to hold only fairly low-value data.
+If your cluster has crashed that hard, the authentication Redis cache and JupyterHub session database are unlikely to still be relevant.
+
+To recover, you need to delete the PVC, recreate it (which will re-allocate the persistent storage), and restart the deployment.
+This is most easily accomplished with Argo CD, although ``kubectl`` works as well.
diff --git a/docs/applications/postgres/upgrade.rst b/docs/applications/postgres/upgrade.rst
new file mode 100644
index 0000000000..946f4b0856
--- /dev/null
+++ b/docs/applications/postgres/upgrade.rst
@@ -0,0 +1,7 @@
+.. px-app-upgrade:: postgres
+
+##################
+Upgrading postgres
+##################
+
+A simple Argo CD sync is sufficient to upgrade the :px-app:`postgres` application.
diff --git a/docs/applications/postgres/values.md b/docs/applications/postgres/values.md
new file mode 100644
index 0000000000..80c963a1d4
--- /dev/null
+++ b/docs/applications/postgres/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} postgres
+```
+
+# postgres Helm values reference
+
+Helm values reference table for the {px-app}`postgres` application.
+
+```{include} ../../../services/postgres/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/production-tools/index.rst b/docs/applications/production-tools/index.rst
index c70bf99d60..e8288e3f1c 100644
--- a/docs/applications/production-tools/index.rst
+++ b/docs/applications/production-tools/index.rst
@@ -9,8 +9,10 @@ Production Tools provides a collection of utility pages for monitoring data proc
 .. jinja:: production-tools
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/production-tools/values.md b/docs/applications/production-tools/values.md
new file mode 100644
index 0000000000..86f3a62b08
--- /dev/null
+++ b/docs/applications/production-tools/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} production-tools
+```
+
+# production-tools Helm values reference
+
+Helm values reference table for the {px-app}`production-tools` application.
+
+```{include} ../../../services/production-tools/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/sasquatch/index.rst b/docs/applications/sasquatch/index.rst
index 301f82f9bc..5a295c117e 100644
--- a/docs/applications/sasquatch/index.rst
+++ b/docs/applications/sasquatch/index.rst
@@ -9,8 +9,10 @@ Rubin Observatory's telemetry service.
 .. jinja:: sasquatch
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/sasquatch/values.md b/docs/applications/sasquatch/values.md
new file mode 100644
index 0000000000..10e996925f
--- /dev/null
+++ b/docs/applications/sasquatch/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} sasquatch
+```
+
+# sasquatch Helm values reference
+
+Helm values reference table for the {px-app}`sasquatch` application.
+
+```{include} ../../../services/sasquatch/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/semaphore/index.rst b/docs/applications/semaphore/index.rst
index 9b6d06724c..c8d179e56c 100644
--- a/docs/applications/semaphore/index.rst
+++ b/docs/applications/semaphore/index.rst
@@ -9,8 +9,10 @@ Semaphore is the user notification and messaging service for the Rubin Science P
 .. jinja:: semaphore
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/semaphore/values.md b/docs/applications/semaphore/values.md
new file mode 100644
index 0000000000..94defb1928
--- /dev/null
+++ b/docs/applications/semaphore/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} semaphore
+```
+
+# semaphore Helm values reference
+
+Helm values reference table for the {px-app}`semaphore` application.
+
+```{include} ../../../services/semaphore/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/sherlock/index.rst b/docs/applications/sherlock/index.rst
index 7f76286303..5d752c7acb 100644
--- a/docs/applications/sherlock/index.rst
+++ b/docs/applications/sherlock/index.rst
@@ -9,8 +9,10 @@ Sherlock collects service status and metrics from ingress logs.
 .. jinja:: sherlock
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/sherlock/values.md b/docs/applications/sherlock/values.md
new file mode 100644
index 0000000000..772943ae80
--- /dev/null
+++ b/docs/applications/sherlock/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} sherlock
+```
+
+# sherlock Helm values reference
+
+Helm values reference table for the {px-app}`sherlock` application.
+
+```{include} ../../../services/sherlock/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/squareone/index.rst b/docs/applications/squareone/index.rst
index 12a257d6f2..7a12efa5cc 100644
--- a/docs/applications/squareone/index.rst
+++ b/docs/applications/squareone/index.rst
@@ -9,8 +9,10 @@ Squareone is the Rubin Science Platform's homepage and general-purpose UI.
 .. jinja:: squareone
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/squareone/values.md b/docs/applications/squareone/values.md
new file mode 100644
index 0000000000..75385c192a
--- /dev/null
+++ b/docs/applications/squareone/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} squareone
+```
+
+# Squareone Helm values reference
+
+Helm values reference table for the {px-app}`squareone` application.
+
+```{include} ../../../services/squareone/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/strimzi-registry-operator/index.rst b/docs/applications/strimzi-registry-operator/index.rst
index 52747d773a..f9dea18cfc 100644
--- a/docs/applications/strimzi-registry-operator/index.rst
+++ b/docs/applications/strimzi-registry-operator/index.rst
@@ -4,7 +4,6 @@ strimzi-registry-operator
 #########################
-Alert stream broker.
 The Strimzi Registry Operator operates a Confluence Schema Registry for Strimzi-based Kafka clusters.
 .. jinja:: strimzi-registry-operator
diff --git a/docs/applications/tap-schema/index.rst b/docs/applications/tap-schema/index.rst
index 8229127d4a..11fcd8eec0 100644
--- a/docs/applications/tap-schema/index.rst
+++ b/docs/applications/tap-schema/index.rst
@@ -4,13 +4,15 @@ tap-schema
 ##########
-The TAP schema database.
+The TAP schema database, for the :px-app:`tap` application.
 .. jinja:: tap-schema
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/tap-schema/values.md b/docs/applications/tap-schema/values.md
new file mode 100644
index 0000000000..5b84e377ec
--- /dev/null
+++ b/docs/applications/tap-schema/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} tap-schema
+```
+
+# tap-schema Helm values reference
+
+Helm values reference table for the {px-app}`tap-schema` application.
+
+```{include} ../../../services/tap-schema/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/tap/index.rst b/docs/applications/tap/index.rst
index 0a090e52df..2ad8a5e9a7 100644
--- a/docs/applications/tap/index.rst
+++ b/docs/applications/tap/index.rst
@@ -11,19 +11,13 @@ The data itself, apart from schema queries, comes from Qserv.
 .. jinja:: tap
 :file: applications/_summary.rst.jinja
-.. rubric:: Architecture
-
-The ``tap`` application consists of the TAP Java web application, a PostgreSQL database used to track user job submissions, and (on development deployments) a mock version of qserv.
-
-.. diagrams:: notebook-tap.py
-
-.. diagrams:: portal-tap.py
-
-Upgrading ``tap`` normally only requires an Argo CD sync.
 Guides
 ======
 .. toctree::
+ notes
+ upgrade
 update-tap-schema
+ values
diff --git a/docs/applications/tap/notes.rst b/docs/applications/tap/notes.rst
new file mode 100644
index 0000000000..1015a6bfbe
--- /dev/null
+++ b/docs/applications/tap/notes.rst
@@ -0,0 +1,11 @@
+.. px-app-notes:: tap
+
+##########################
+tap architecture and notes
+##########################
+
+The ``tap`` application consists of the TAP Java web application, a PostgreSQL database used to track user job submissions, and (on development deployments) a mock version of Qserv.
+
+.. diagrams:: notebook-tap.py
+
+.. diagrams:: portal-tap.py
diff --git a/docs/applications/tap/upgrade.rst b/docs/applications/tap/upgrade.rst
new file mode 100644
index 0000000000..e350790841
--- /dev/null
+++ b/docs/applications/tap/upgrade.rst
@@ -0,0 +1,9 @@
+.. px-app-upgrade:: tap
+
+#############
+Upgrading tap
+#############
+
+Upgrading :px-app:`tap` normally only requires an Argo CD sync.
+
+To update TAP's schema, see :doc:`update-tap-schema`.
diff --git a/docs/applications/tap/values.md b/docs/applications/tap/values.md
new file mode 100644
index 0000000000..cf4f0c7f22
--- /dev/null
+++ b/docs/applications/tap/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} tap
+```
+
+# tap Helm values reference
+
+Helm values reference table for the {px-app}`tap` application.
+
+```{include} ../../../services/tap/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/telegraf-ds/index.rst b/docs/applications/telegraf-ds/index.rst
index dca19cd18e..2fca54c1aa 100644
--- a/docs/applications/telegraf-ds/index.rst
+++ b/docs/applications/telegraf-ds/index.rst
@@ -4,13 +4,15 @@ telegraf-ds
 ###########
-SQuaRE DaemonSet (K8s) telemetry collection service
+SQuaRE DaemonSet (K8s) telemetry collection service.
 .. jinja:: telegraf-ds
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/telegraf-ds/values.md b/docs/applications/telegraf-ds/values.md
new file mode 100644
index 0000000000..3cd67db5d4
--- /dev/null
+++ b/docs/applications/telegraf-ds/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} telegraf-ds
+```
+
+# telegraf-ds Helm values reference
+
+Helm values reference table for the {px-app}`telegraf-ds` application.
+
+```{include} ../../../services/telegraf-ds/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/telegraf/index.rst b/docs/applications/telegraf/index.rst
index fd90ea894c..eb1595ad28 100644
--- a/docs/applications/telegraf/index.rst
+++ b/docs/applications/telegraf/index.rst
@@ -9,8 +9,10 @@ SQuaRE telemetry collection service.
 .. jinja:: telegraf
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/telegraf/values.md b/docs/applications/telegraf/values.md
new file mode 100644
index 0000000000..75ec2e5e27
--- /dev/null
+++ b/docs/applications/telegraf/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} telegraf
+```
+
+# telegraf Helm values reference
+
+Helm values reference table for the {px-app}`telegraf` application.
+
+```{include} ../../../services/telegraf/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/times-square/index.rst b/docs/applications/times-square/index.rst
index 126ec3ba0f..9940128665 100644
--- a/docs/applications/times-square/index.rst
+++ b/docs/applications/times-square/index.rst
@@ -9,8 +9,10 @@ An API service for managing and rendering parameterized Jupyter notebooks, integ
 .. jinja:: times-square
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/times-square/values.md b/docs/applications/times-square/values.md
new file mode 100644
index 0000000000..a6e033e3be
--- /dev/null
+++ b/docs/applications/times-square/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} times-square
+```
+
+# times-square Helm values reference
+
+Helm values reference table for the {px-app}`times-square` application.
+
+```{include} ../../../services/times-square/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/vault-secrets-operator/bootstrap.rst b/docs/applications/vault-secrets-operator/bootstrap.rst
new file mode 100644
index 0000000000..b2a5c72aa7
--- /dev/null
+++ b/docs/applications/vault-secrets-operator/bootstrap.rst
@@ -0,0 +1,25 @@
+.. px-app-bootstrap:: vault-secrets-operator
+
+####################################
+Bootstrapping vault-secrets-operator
+####################################
+
+Vault Secrets Operator is the only component of the Science Platform whose secret has to be manually created, so that it can create the secrets for all other applications.
+This will be done automatically by the `install script `__.
+
+Its secret will look like this:
+
+.. code-block:: yaml
+
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: vault-secrets-operator
+ namespace: vault-secrets-operator
+ type: Opaque
+ stringData:
+ VAULT_TOKEN:
+ VAULT_TOKEN_LEASE_DURATION: 86400
+
+Replace ```` with the ``read`` Vault token for the path ``secret/k8s_operator/`` in Vault.
+See :dmtn:`112` for more information.
diff --git a/docs/applications/vault-secrets-operator/index.rst b/docs/applications/vault-secrets-operator/index.rst
index 97b018c5f0..a19052449d 100644
--- a/docs/applications/vault-secrets-operator/index.rst
+++ b/docs/applications/vault-secrets-operator/index.rst
@@ -14,33 +14,12 @@ See :dmtn:`112` for the LSST Vault design.
 .. jinja:: vault-secrets-operator
 :file: applications/_summary.rst.jinja
-.. rubric:: Upgrading
+Guides
+======
-Upgrading to newer upstream releases of the Helm chart is normally simple and straightforward.
-We have no significant local customization.
+.. toctree::
+ :maxdepth: 1
-After upgrading, check that Vault Secrets Operator is still working properly by finding a ``VaultSecret`` and ``Secret`` resource pair in the Argo CD dashboard and deleting the ``Secret`` resource.
-It should be nearly immediately re-created from the ``VaultSecret`` resource by Vault Secrets Operator.
-The Gafaelfawr secret is a good one to use for this purpose since it is only read during Gafaelfawr start-up.
-
-.. rubric:: Bootstrapping
-
-Vault Secrets Operator is the only component of the Science Platform whose secret has to be manually created, so that it can create the secrets for all other applications.
-This will be done automatically by the `install script `__.
-
-Its secret will look like this:
-
-.. code-block:: yaml
-
- apiVersion: v1
- kind: Secret
- metadata:
- name: vault-secrets-operator
- namespace: vault-secrets-operator
- type: Opaque
- stringData:
- VAULT_TOKEN:
- VAULT_TOKEN_LEASE_DURATION: 86400
-
-Replace ```` with the ``read`` Vault token for the path ``secret/k8s_operator/`` in Vault.
-See :dmtn:`112` for more information.
+ bootstrap
+ upgrade
+ values
diff --git a/docs/applications/vault-secrets-operator/upgrade.rst b/docs/applications/vault-secrets-operator/upgrade.rst
new file mode 100644
index 0000000000..5f8451d292
--- /dev/null
+++ b/docs/applications/vault-secrets-operator/upgrade.rst
@@ -0,0 +1,12 @@
+.. px-app-upgrade:: vault-secrets-operator
+
+################################
+Upgrading vault-secrets-operator
+################################
+
+Upgrading to newer upstream releases of the Helm chart is normally simple and straightforward.
+We have no significant local customization.
+
+After upgrading, check that Vault Secrets Operator is still working properly by finding a ``VaultSecret`` and ``Secret`` resource pair in the Argo CD dashboard and deleting the ``Secret`` resource.
+It should be nearly immediately re-created from the ``VaultSecret`` resource by Vault Secrets Operator.
+The Gafaelfawr secret is a good one to use for this purpose since it is only read during Gafaelfawr start-up.
diff --git a/docs/applications/vault-secrets-operator/values.md b/docs/applications/vault-secrets-operator/values.md
new file mode 100644
index 0000000000..4d134ce79d
--- /dev/null
+++ b/docs/applications/vault-secrets-operator/values.md
@@ -0,0 +1,12 @@
+```{px-app-values} vault-secrets-operator
+```
+
+# vault-secrets-operator Helm values reference
+
+Helm values reference table for the {px-app}`vault-secrets-operator` application.
+
+```{include} ../../../services/vault-secrets-operator/README.md
+---
+start-after: "## Values"
+---
+```
diff --git a/docs/applications/vo-cutouts/index.rst b/docs/applications/vo-cutouts/index.rst
index 168ac585d9..ceae78711d 100644
--- a/docs/applications/vo-cutouts/index.rst
+++ b/docs/applications/vo-cutouts/index.rst
@@ -9,8 +9,10 @@ Image cutout service that implements the IVOA SODA specification.
 .. jinja:: vo-cutouts
 :file: applications/_summary.rst.jinja
-.. Guides
-.. ======
-..
-.. .. toctree::
-.. :maxdepth: 1
+Guides
+======
+
+.. toctree::
+ :maxdepth: 1
+
+ values
diff --git a/docs/applications/vo-cutouts/values.md b/docs/applications/vo-cutouts/values.md
new file mode 100644
index 0000000000..fcd04ea69a
--- /dev/null
+++ b/docs/applications/vo-cutouts/values.md
@@ -0,0 +1,12 @@ +```{px-app-values} vo-cutouts +``` + +# vo-cutouts Helm values reference + +Helm values reference table for the {px-app}`vo-cutouts` application. + +```{include} ../../../services/vo-cutouts/README.md +--- +start-after: "## Values" +--- +``` From 0858b9364d1f4f5f174ebdf96b142b716bb64892 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Wed, 19 Oct 2022 15:24:43 -0400 Subject: [PATCH 1190/1479] Add descriptions to app titles These descriptions make the /applications/index table of contents more usable. I tried customizing the label just in the toctree, but found this also affects the titles in the sidebar. So in this case, it's better to just add the descriptions ot the individual pages where they're easier to maintain. --- docs/applications/argo-cd/index.rst | 6 +++--- docs/applications/cachemachine/index.rst | 6 +++--- docs/applications/cert-manager/index.rst | 6 +++--- docs/applications/datalinker/index.rst | 6 +++--- docs/applications/exposurelog/index.rst | 6 +++--- docs/applications/gafaelfawr/index.rst | 6 +++--- docs/applications/hips/index.rst | 6 +++--- docs/applications/ingress-nginx/index.rst | 6 +++--- docs/applications/mobu/index.rst | 6 +++--- docs/applications/moneypenny/index.rst | 6 +++--- docs/applications/narrativelog/index.rst | 6 +++--- docs/applications/noteburst/index.rst | 6 +++--- docs/applications/nublado2/index.rst | 6 +++--- docs/applications/plot-navigator/index.rst | 6 +++--- docs/applications/portal/index.rst | 6 +++--- docs/applications/postgres/index.rst | 6 +++--- docs/applications/production-tools/index.rst | 6 +++--- docs/applications/sasquatch/index.rst | 6 +++--- docs/applications/semaphore/index.rst | 9 ++++++--- docs/applications/sherlock/index.rst | 6 +++--- docs/applications/squareone/index.rst | 6 +++--- docs/applications/strimzi-registry-operator/index.rst | 6 +++--- docs/applications/strimzi/index.rst | 6 +++--- docs/applications/tap-schema/index.rst | 6 +++--- docs/applications/tap/index.rst | 6 +++--- docs/applications/telegraf-ds/index.rst | 6 +++--- docs/applications/telegraf/index.rst | 6 +++--- docs/applications/times-square/index.rst | 6 +++--- docs/applications/vault-secrets-operator/index.rst | 6 +++--- docs/applications/vo-cutouts/index.rst | 6 +++--- 30 files changed, 93 insertions(+), 90 deletions(-) 
diff --git a/docs/applications/argo-cd/index.rst b/docs/applications/argo-cd/index.rst index 4856b380b6..7f814d0c50 100644 --- a/docs/applications/argo-cd/index.rst +++ b/docs/applications/argo-cd/index.rst @@ -1,8 +1,8 @@ .. px-app:: argocd -###### -argocd -###### +####################################### +argocd — Kubernetes application manager +####################################### `Argo CD`_ is the software that manages all Kubernetes resources in a deployment of the Rubin Science Platform. It is itself a set of Kubernetes resources and running pods managed with `Helm`_. diff --git a/docs/applications/cachemachine/index.rst b/docs/applications/cachemachine/index.rst index 52bf1e6fad..4554a18a98 100644 --- a/docs/applications/cachemachine/index.rst +++ b/docs/applications/cachemachine/index.rst @@ -1,8 +1,8 @@ .. px-app:: cachemachine -############ -cachemachine -############ +######################################### +cachemachine — JupyterLab image prepuller +######################################### Cachemachine is the RSP's image prepulling service. diff --git a/docs/applications/cert-manager/index.rst b/docs/applications/cert-manager/index.rst index 25a6279ae6..a9682cb45b 100644 --- a/docs/applications/cert-manager/index.rst +++ b/docs/applications/cert-manager/index.rst @@ -1,8 +1,8 @@ .. px-app:: cert-manager -############ -cert-manager -############ +###################################### +cert-manager — TLS certificate manager +###################################### Cert-manager creates TLS certificates via `Let's Encrypt `__ and automatically renews them. diff --git a/docs/applications/datalinker/index.rst b/docs/applications/datalinker/index.rst index a5bc757873..6198978ecd 100644 --- a/docs/applications/datalinker/index.rst +++ b/docs/applications/datalinker/index.rst 
@@ -1,8 +1,8 @@ .. px-app:: datalinker -########## -datalinker -########## +################################## +datalinker — IVOA DataLink service +################################## Datalinker provides various facilities for discovering and referring to data products and services within the Rubin Science Platform. It is primarily based on the IVOA DataLink standard, but also provides some related service discovery facilities beyond the scope of that standard. diff --git a/docs/applications/exposurelog/index.rst b/docs/applications/exposurelog/index.rst index ce6f9f74ce..736e63ad6c 100644 --- a/docs/applications/exposurelog/index.rst +++ b/docs/applications/exposurelog/index.rst @@ -1,8 +1,8 @@ .. px-app:: exposurelog -########### -exposurelog -########### +############################## +exposurelog — Exposure log API +############################## Exposure log is a REST web service to create and manage log messages that are associated with a particular exposure. diff --git a/docs/applications/gafaelfawr/index.rst b/docs/applications/gafaelfawr/index.rst index ab760a4144..9212298417 100644 --- a/docs/applications/gafaelfawr/index.rst +++ b/docs/applications/gafaelfawr/index.rst @@ -1,8 +1,8 @@ .. px-app:: gafaelfawr -########## -gafaelfawr -########## +###################################### +gafaelfawr — Authentication & identity +###################################### Gafaelfawr provides authentication and identity management services for the Rubin Science Platform. It is primarily used as an NGINX ``auth_request`` handler configured via annotations on the ``Ingress`` resources of Science Platform services. diff --git a/docs/applications/hips/index.rst b/docs/applications/hips/index.rst index cf3d0d94fe..cb2f1c55dd 100644 --- a/docs/applications/hips/index.rst +++ b/docs/applications/hips/index.rst 
@@ -1,8 +1,8 @@ .. px-app:: hips -#### -hips -#### +####################### +hips — HiPS tile server +####################### HiPS web server backed by Google Cloud Storage. diff --git a/docs/applications/ingress-nginx/index.rst b/docs/applications/ingress-nginx/index.rst index 15072c5109..3f706685a3 100644 --- a/docs/applications/ingress-nginx/index.rst +++ b/docs/applications/ingress-nginx/index.rst @@ -1,8 +1,8 @@ .. px-app:: ingress-nginx -############# -ingress-nginx -############# +################################## +ingress-nginx — Ingress controller +################################## The ``ingress-nginx`` application is an installation of `ingress-nginx `__ from its `Helm chart `__. We use NGINX as the ingress controller for all Rubin Science Platform deployments rather than native ingress controllers because we use the NGINX ``auth_request`` feature to do authentication and authorization with :px-app:`gafaelfawr`. diff --git a/docs/applications/mobu/index.rst b/docs/applications/mobu/index.rst index 2937917950..6168706062 100644 --- a/docs/applications/mobu/index.rst +++ b/docs/applications/mobu/index.rst @@ -1,8 +1,8 @@ .. px-app:: mobu -#### -mobu -#### +############################## +mobu — RSP integration testing +############################## Mobu is the continuous integration testing framework for the Rubin Science Platform. It runs some number of "monkeys" that simulate a random user of the Science Platform. diff --git a/docs/applications/moneypenny/index.rst b/docs/applications/moneypenny/index.rst index 618741637f..2479984f6a 100644 --- a/docs/applications/moneypenny/index.rst +++ b/docs/applications/moneypenny/index.rst @@ -1,8 +1,8 @@ .. px-app:: moneypenny -########## -moneypenny -########## +################################## +moneypenny — RSP user provisioning +################################## Moneypenny provides user-provisioning actions for the Rubin Science Platform. 
diff --git a/docs/applications/narrativelog/index.rst b/docs/applications/narrativelog/index.rst index 0f646d2175..cda2c73b49 100644 --- a/docs/applications/narrativelog/index.rst +++ b/docs/applications/narrativelog/index.rst @@ -1,8 +1,8 @@ .. px-app:: narrativelog -############ -narrativelog -############ +######################################## +narrativelog — Narrative observatory log +######################################## Narrative log API service for Rubin Observatory. diff --git a/docs/applications/noteburst/index.rst b/docs/applications/noteburst/index.rst index c5d852775f..dcd707021d 100644 --- a/docs/applications/noteburst/index.rst +++ b/docs/applications/noteburst/index.rst @@ -1,8 +1,8 @@ .. px-app:: noteburst -######### -noteburst -######### +########################################### +noteburst — Notebook execution-as-a-service +########################################### Noteburst is a notebook execution service for the Rubin Science Platform. diff --git a/docs/applications/nublado2/index.rst b/docs/applications/nublado2/index.rst index f317977f81..7d115a424a 100644 --- a/docs/applications/nublado2/index.rst +++ b/docs/applications/nublado2/index.rst @@ -1,8 +1,8 @@ .. px-app:: nublado2 -######## -nublado2 -######## +############################# +nublado2 — JupyterHub for RSP +############################# The ``nublado2`` service is an installation of a Rubin Observatory flavor of `Zero to JupyterHub `__ with some additional resources. diff --git a/docs/applications/plot-navigator/index.rst b/docs/applications/plot-navigator/index.rst index 7608f96d79..1b241aa5ef 100644 --- a/docs/applications/plot-navigator/index.rst +++ b/docs/applications/plot-navigator/index.rst @@ -1,8 +1,8 @@ .. px-app:: plot-navigator -############## -plot-navigator -############## +############################################ +plot-navigator — Data production plot viewer +############################################ Panel-based plot viewer. 
diff --git a/docs/applications/portal/index.rst b/docs/applications/portal/index.rst index b11ae6e403..61b5bb97ff 100644 --- a/docs/applications/portal/index.rst +++ b/docs/applications/portal/index.rst @@ -1,8 +1,8 @@ .. px-app:: portal -###### -portal -###### +################################# +portal — Firefly-based RSP Portal +################################# The portal aspect of the Rubin Science Platform, powered by Firefly. diff --git a/docs/applications/postgres/index.rst b/docs/applications/postgres/index.rst index 6a0906be03..a73d0c951c 100644 --- a/docs/applications/postgres/index.rst +++ b/docs/applications/postgres/index.rst @@ -1,8 +1,8 @@ .. px-app:: postgres -######## -postgres -######## +############################### +postgres — In-cluster SQL store +############################### The ``postgres`` service is a very small PostgreSQL installation to provide relational storage for applications and environments where data loss is acceptable. Two intended purposes for this service are: diff --git a/docs/applications/production-tools/index.rst b/docs/applications/production-tools/index.rst index e8288e3f1c..967b580265 100644 --- a/docs/applications/production-tools/index.rst +++ b/docs/applications/production-tools/index.rst @@ -1,8 +1,8 @@ .. px-app:: production-tools -################ -production-tools -################ +################################## +production-tools — Data Production +################################## Production Tools provides a collection of utility pages for monitoring data processing. diff --git a/docs/applications/sasquatch/index.rst b/docs/applications/sasquatch/index.rst index 5a295c117e..7be5eef342 100644 --- a/docs/applications/sasquatch/index.rst +++ b/docs/applications/sasquatch/index.rst @@ -1,8 +1,8 @@ .. px-app:: sasquatch -######### -sasquatch -######### +################################# +sasquatch — Observatory telemetry +################################# Rubin Observatory's telemetry service. 
diff --git a/docs/applications/semaphore/index.rst b/docs/applications/semaphore/index.rst index c8d179e56c..05755a6773 100644 --- a/docs/applications/semaphore/index.rst +++ b/docs/applications/semaphore/index.rst @@ -1,10 +1,13 @@ .. px-app:: semaphore -######### -semaphore -######### +############################# +semaphore — User notification +############################# Semaphore is the user notification and messaging service for the Rubin Science Platform. +UI applications like :px-app:`squareone` can display messages from Semaphore's API. + +Edit broadcast messages for SQuaRE-managed environments at https://github.com/lsst-sqre/rsp_broadcast. .. jinja:: semaphore :file: applications/_summary.rst.jinja diff --git a/docs/applications/sherlock/index.rst b/docs/applications/sherlock/index.rst index 5d752c7acb..22fc0d42ab 100644 --- a/docs/applications/sherlock/index.rst +++ b/docs/applications/sherlock/index.rst @@ -1,8 +1,8 @@ .. px-app:: sherlock -######## -sherlock -######## +######################################### +sherlock — App ingress status and metrics +######################################### Sherlock collects service status and metrics from ingress logs. diff --git a/docs/applications/squareone/index.rst b/docs/applications/squareone/index.rst index 7a12efa5cc..3b3f23d4b6 100644 --- a/docs/applications/squareone/index.rst +++ b/docs/applications/squareone/index.rst @@ -1,8 +1,8 @@ .. px-app:: squareone -######### -squareone -######### +######################## +squareone — RSP homepage +######################## Squareone is the Rubin Science Platform's homepage and general-purpose UI. diff --git a/docs/applications/strimzi-registry-operator/index.rst b/docs/applications/strimzi-registry-operator/index.rst index f9dea18cfc..1a69450bc1 100644 --- a/docs/applications/strimzi-registry-operator/index.rst +++ b/docs/applications/strimzi-registry-operator/index.rst 
@@ -1,8 +1,8 @@ .. px-app:: strimzi-registry-operator -######################### -strimzi-registry-operator -######################### +############################################################ +strimzi-registry-operator — Schema registry for Alert Broker +############################################################ The Strimzi Registry Operator operates a Confluence Schema Registry for Strimzi-based Kafka clusters. diff --git a/docs/applications/strimzi/index.rst b/docs/applications/strimzi/index.rst index 928221bb4c..d464b7707a 100644 --- a/docs/applications/strimzi/index.rst +++ b/docs/applications/strimzi/index.rst @@ -1,8 +1,8 @@ .. px-app:: strimzi -####### -strimzi -####### +################################## +strimzi — Strimzi for Alert Broker +################################## Strimzi is an operator for Kafka clusters. diff --git a/docs/applications/tap-schema/index.rst b/docs/applications/tap-schema/index.rst index 11fcd8eec0..6ca95a5755 100644 --- a/docs/applications/tap-schema/index.rst +++ b/docs/applications/tap-schema/index.rst @@ -1,8 +1,8 @@ .. px-app:: tap-schema -########## -tap-schema -########## +######################## +tap-schema — TAP schemas +######################## The TAP schema database, for the :px-app:`tap` application. diff --git a/docs/applications/tap/index.rst b/docs/applications/tap/index.rst index 2ad8a5e9a7..7a2edb028a 100644 --- a/docs/applications/tap/index.rst +++ b/docs/applications/tap/index.rst @@ -1,8 +1,8 @@ .. px-app:: tap -### -tap -### +################################ +tap — IVOA Table Access Protocol +################################ TAP (Table Access Protocol) is an IVOA_ service that provides access to general table data, including astronomical catalogs. On the Rubin Science Platform, it is provided by `lsst-tap-service `__, which is derived from the `CADC TAP service `__. diff --git a/docs/applications/telegraf-ds/index.rst b/docs/applications/telegraf-ds/index.rst index 2fca54c1aa..05cd5310b4 100644 
--- a/docs/applications/telegraf-ds/index.rst +++ b/docs/applications/telegraf-ds/index.rst @@ -1,8 +1,8 @@ .. px-app:: telegraf-ds -########### -telegraf-ds -########### +######################################### +telegraf-ds — SQuaRE telemetry collection +######################################### SQuaRE DaemonSet (K8s) telemetry collection service. diff --git a/docs/applications/telegraf/index.rst b/docs/applications/telegraf/index.rst index eb1595ad28..96061d95b1 100644 --- a/docs/applications/telegraf/index.rst +++ b/docs/applications/telegraf/index.rst @@ -1,8 +1,8 @@ .. px-app:: telegraf -######## -telegraf -######## +###################################### +telegraf — SQuaRE telemetry collection +###################################### SQuaRE telemetry collection service. diff --git a/docs/applications/times-square/index.rst b/docs/applications/times-square/index.rst index 9940128665..9545768591 100644 --- a/docs/applications/times-square/index.rst +++ b/docs/applications/times-square/index.rst @@ -1,8 +1,8 @@ .. px-app:: times-square -############ -times-square -############ +###################################### +times-square — Parameterized notebooks +###################################### An API service for managing and rendering parameterized Jupyter notebooks, integrated with :px-app:`squareone` (user interface) and :px-app:`noteburst` (notebook execution). diff --git a/docs/applications/vault-secrets-operator/index.rst b/docs/applications/vault-secrets-operator/index.rst index a19052449d..37029f4dcf 100644 --- a/docs/applications/vault-secrets-operator/index.rst +++ b/docs/applications/vault-secrets-operator/index.rst 
@@ -2,9 +2,9 @@ .. _vault-secrets-operator: -###################### -vault-secrets-operator -###################### +############################################ +vault-secrets-operator — Vault to Kubernetes +############################################ The ``vault-secrets-operator`` application is an installation of `Vault Secrets Operator`_ to retrieve necessary secrets from Vault and materialize them as Kubernetes secrets for the use of other applications. It processes ``VaultSecret`` resources defined in the `phalanx repository`_ and creates corresponding Kubernetes Secret_ resources. diff --git a/docs/applications/vo-cutouts/index.rst b/docs/applications/vo-cutouts/index.rst index ceae78711d..866f45e82f 100644 --- a/docs/applications/vo-cutouts/index.rst +++ b/docs/applications/vo-cutouts/index.rst @@ -1,8 +1,8 @@ .. px-app:: vo-cutouts -########## -vo-cutouts -########## +#################################### +vo-cutouts — IVOA SODA image cutouts +#################################### Image cutout service that implements the IVOA SODA specification. From ba2b142bec483cd486d8b6e31ca8f16157427e1f Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Wed, 19 Oct 2022 15:33:22 -0400 Subject: [PATCH 1191/1479] Add descriptions to environment titles --- docs/environments/base/index.rst | 6 +++--- docs/environments/ccin2p3/index.rst | 6 +++--- docs/environments/idfdev/index.rst | 6 +++--- docs/environments/idfint/index.rst | 6 +++--- docs/environments/idfprod/index.rst | 6 +++--- docs/environments/minikube/index.rst | 6 +++--- docs/environments/roe/index.rst | 6 +++--- docs/environments/summit/index.rst | 6 +++--- docs/environments/tucson-teststand/index.rst | 6 +++--- 9 files changed, 27 insertions(+), 27 deletions(-) diff --git a/docs/environments/base/index.rst b/docs/environments/base/index.rst index 588f1f65fc..6016690152 100644 --- a/docs/environments/base/index.rst +++ b/docs/environments/base/index.rst 
@@ -1,8 +1,8 @@ .. px-env:: base -########################## -base — base-lsp.lsst.codes -########################## +###################################### +base — base-lsp.lsst.codes (La Serena) +###################################### base is the environment for the Rubin Science Platform at the Rubin Base facility in La Serena. diff --git a/docs/environments/ccin2p3/index.rst b/docs/environments/ccin2p3/index.rst index 9d42f9436b..d81e98f2c7 100644 --- a/docs/environments/ccin2p3/index.rst +++ b/docs/environments/ccin2p3/index.rst @@ -1,8 +1,8 @@ .. px-env:: ccin2p3 -########################## -ccin2p3 — data-dev.lsst.eu -########################## +################################################# +ccin2p3 — data-dev.lsst.eu (French Data Facility) +################################################# ccin2p3 is the environment for the Rubin Science Platform at the `CC-IN2P3 `__. diff --git a/docs/environments/idfdev/index.rst b/docs/environments/idfdev/index.rst index 547e17b50d..6d7d1fa5d3 100644 --- a/docs/environments/idfdev/index.rst +++ b/docs/environments/idfdev/index.rst @@ -1,8 +1,8 @@ .. px-env:: idfdev -############################ -idfdev — data-dev.lsst.cloud -############################ +################################################ +idfdev — data-dev.lsst.cloud (SQuaRE dev in GCP) +################################################ idfdev is a development environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform). The primary use of idfdev is for application development by the SQuaRE team. diff --git a/docs/environments/idfint/index.rst b/docs/environments/idfint/index.rst index a0d9893c52..20db379c0f 100644 --- a/docs/environments/idfint/index.rst +++ b/docs/environments/idfint/index.rst 
@@ -1,8 +1,8 @@ .. px-env:: idfint -############################ -idfint — data-int.lsst.cloud -############################ +##################################################### +idfint — data-int.lsst.cloud (RSP integration in GCP) +##################################################### idfint is a development and integration environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform). The primary use of idfint is Rubin construction and operations teams to integrate applications into the Rubin Science Platform. diff --git a/docs/environments/idfprod/index.rst b/docs/environments/idfprod/index.rst index ab9b1ad475..efde9dd77b 100644 --- a/docs/environments/idfprod/index.rst +++ b/docs/environments/idfprod/index.rst @@ -1,8 +1,8 @@ .. px-env:: idfprod -######################### -idfprod — data.lsst.cloud -######################### +################################################# +idfprod — data.lsst.cloud (Production RSP in GCP) +################################################# idfprod is the production environment for the Rubin Science Platform at IDF (hosted on Google Cloud Platform). idfprod serves as the public Rubin Science Platform for the Data Previews. diff --git a/docs/environments/minikube/index.rst b/docs/environments/minikube/index.rst index 713f11d254..0a9478a984 100644 --- a/docs/environments/minikube/index.rst +++ b/docs/environments/minikube/index.rst @@ -1,8 +1,8 @@ .. px-env:: minikube -############################## -minikube — minikube.lsst.codes -############################## +################################################## +minikube — minikube.lsst.codes (GitHub Actions CI) +################################################## minikube is the Phalanx testing environment for the Rubin Science Platform. minikube is stood up in the GitHub Actions CI workflow for the phalanx environment. diff --git a/docs/environments/roe/index.rst b/docs/environments/roe/index.rst index 4fe36c2c68..d475d9ec61 100644 
--- a/docs/environments/roe/index.rst +++ b/docs/environments/roe/index.rst @@ -1,8 +1,8 @@ .. px-env:: roe -#################### -roe — rsp.lsst.ac.uk -#################### +####################################### +roe — rsp.lsst.ac.uk (UK Data Facility) +####################################### roe is the environment for the Rubin Science Platform hosted at the `Royal Observatory, Edinburgh `__. diff --git a/docs/environments/summit/index.rst b/docs/environments/summit/index.rst index 797de1f5d1..fd0450d32e 100644 --- a/docs/environments/summit/index.rst +++ b/docs/environments/summit/index.rst @@ -1,8 +1,8 @@ .. px-env:: summit -############################## -summit — summit-lsp.lsst.codes -############################## +############################################# +summit — summit-lsp.lsst.codes (Rubin Summit) +############################################# summit is the environment for the Rubin Science Platform at the Rubin summit. The primary use of summit is for observatory operations at the summit site itself. diff --git a/docs/environments/tucson-teststand/index.rst b/docs/environments/tucson-teststand/index.rst index afa588c2d3..64d6c99fae 100644 --- a/docs/environments/tucson-teststand/index.rst +++ b/docs/environments/tucson-teststand/index.rst @@ -1,8 +1,8 @@ .. px-env:: tucson-teststand -############################################## -tucson-teststand — tucson-teststand.lsst.codes -############################################## +########################################################### +tucson-teststand — tucson-teststand.lsst.codes (T&S/SITCom) +########################################################### tucson-teststand is the development and integration environment for the Telescope & Site and Commissioning teams, hosted out of NOIRLab in Tucson. From 482dbea7f3d4e1f4b981ff4b44af7de56abc1c5b Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 01:24:53 +0000 Subject: [PATCH 1192/1479] Update Helm release redis to v17.3.7 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 8ef59141e0..4a16426a26 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,5 +14,5 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.3.5 + version: 17.3.7 repository: https://charts.bitnami.com/bitnami diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 246c074c1c..2575f49395 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -11,5 +11,5 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.3.5 + version: 17.3.7 repository: https://charts.bitnami.com/bitnami From 74b8e88cf74e53dcf200610dbefefe3efdd839bb Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 24 Oct 2022 08:33:49 -0700 Subject: [PATCH 1193/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 29ffffc887..adced70188 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.3.5 | +| https://charts.bitnami.com/bitnami | redis | 17.3.7 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index bfbd0230bf..5048c5df56 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
@@ -8,7 +8,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.3.5 | +| https://charts.bitnami.com/bitnami | redis | 17.3.7 | ## Values From ae564aa9c16f38e6c82fdc64c807cf0edd156e05 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 15:42:21 +0000 Subject: [PATCH 1194/1479] Update Helm release argo-cd to v5.6.3 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index dd83c2d1a6..ef22b80c10 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argo-cd version: 1.0.0 dependencies: - name: argo-cd - version: 5.6.0 + version: 5.6.3 repository: https://argoproj.github.io/argo-helm From 1441322ff34dc8ca76087f19801c5658b2ab5f8a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 24 Oct 2022 08:43:53 -0700 Subject: [PATCH 1195/1479] Update Helm docs --- services/argocd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/README.md b/services/argocd/README.md index 7bd6065d7e..b167418e38 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -4,7 +4,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 5.6.0 | +| https://argoproj.github.io/argo-helm | argo-cd | 5.6.3 | ## Values From 6e6b55e7a1ebe4b6958ed69f495859fbb835f3d7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 15:49:35 +0000 Subject: [PATCH 1196/1479] Update Helm release cert-manager to v1.10.0 --- services/cert-manager/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml index ce4cbb2f13..4514205c9a 100644 --- a/services/cert-manager/Chart.yaml +++ b/services/cert-manager/Chart.yaml @@ -4,5 +4,5 @@ version: 1.0.0 description: "Let's Encrypt certificate management" dependencies: - name: cert-manager - version: v1.9.1 + version: v1.10.0 repository: https://charts.jetstack.io From f3ec027146f8510c7c5e73ca8bcd51920fe5dc6b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 24 Oct 2022 08:50:04 -0700 Subject: [PATCH 1197/1479] Update Helm docs --- services/cert-manager/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index 9f7b2f73e3..6279cca4a5 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md @@ -6,7 +6,7 @@ Let's Encrypt certificate management | Repository | Name | Version | |------------|------|---------| -| https://charts.jetstack.io | cert-manager | v1.9.1 | +| https://charts.jetstack.io | cert-manager | v1.10.0 | ## Values From 67189c2e4567790405ea7c53e25bcb8b1e12e5b9 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 24 Oct 2022 16:16:51 -0700 Subject: [PATCH 1198/1479] Bump version of nublado2 to 2.6.1 Pick up fix for the communication to moneypenny when some groups do not have GIDs. --- services/nublado2/Chart.yaml | 2 +- services/nublado2/README.md | 2 +- services/nublado2/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index 9101af3cb5..969d0cbdf0 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -5,7 +5,7 @@ description: JupyterHub for the Rubin Science Platform home: https://github.com/lsst-sqre/nublado2 sources: - https://github.com/lsst-sqre/nublado2 -appVersion: "2.5.0" +appVersion: "2.6.1" # Match the jupyterhub Helm chart for kubeVersion kubeVersion: ">=1.20.0-0" dependencies: 
diff --git a/services/nublado2/README.md b/services/nublado2/README.md
index ebef71fe45..262fae81d5 100644
--- a/services/nublado2/README.md
+++ b/services/nublado2/README.md
@@ -62,7 +62,7 @@ Kubernetes: `>=1.20.0-0`
 | jupyterhub.hub.extraVolumes[1].name | string | `"nublado-gafaelfawr"` | |
 | jupyterhub.hub.extraVolumes[1].secret.secretName | string | `"gafaelfawr-token"` | |
 | jupyterhub.hub.image.name | string | `"lsstsqre/nublado2"` | |
-| jupyterhub.hub.image.tag | string | `"2.6.0"` | |
+| jupyterhub.hub.image.tag | string | `"2.6.1"` | |
 | jupyterhub.hub.loadRoles.self.scopes[0] | string | `"admin:servers!user"` | |
 | jupyterhub.hub.loadRoles.self.scopes[1] | string | `"read:metrics"` | |
 | jupyterhub.hub.loadRoles.server.scopes[0] | string | `"inherit"` | |
diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml
index 7fd8608779..292425e56a 100644
--- a/services/nublado2/values.yaml
+++ b/services/nublado2/values.yaml
@@ -7,7 +7,7 @@ jupyterhub:
 authenticatePrometheus: false
 image:
 name: lsstsqre/nublado2
- tag: "2.6.0"
+ tag: "2.6.1"
 resources:
 limits:
 cpu: 900m

From 0de8af77599dbb7fb787e3fdd23a2a4758ee2915 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Fri, 21 Oct 2022 15:37:25 -0700
Subject: [PATCH 1199/1479] Add Kafka bridge

- Add Kafka bridge a REST interface that allows clients to interact with Kafka.
- Enable tls authentication
- Reach the kafka bridge at /sasquatch-bridge
---
 .../strimzi-kafka/templates/bridge.yaml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml

diff --git a/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml b/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml
new file mode 100644
index 0000000000..2d3d4b40df
--- /dev/null
+++ b/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml
@@ -0,0 +1,49 @@
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaBridge
+metadata:
+ name: {{ .Values.cluster.name }}
+spec:
+ replicas: 1
+ bootstrapServers: {{ .Values.cluster.name }}-kafka-bootstrap:9093
+ http:
+ port: 8080
+ tls:
+ trustedCertificates:
+ - secretName: {{ .Values.cluster.name }}-cluster-ca-cert
+ certificate: ca.crt
+ authentication:
+ type: tls
+ certificateAndKey:
+ secretName: {{ .Values.cluster.name }}-bridge
+ certificate: user.crt
+ key: user.key
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
+ name: {{ .Values.cluster.name }}-bridge
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: data-dev.lsst.cloud
+ http:
+ paths:
+ - backend:
+ service:
+ name: {{ .Values.cluster.name }}-bridge-service
+ port:
+ number: 8080
+ path: /{{ .Values.cluster.name }}-bridge(/|$)(.*)
+ pathType: Prefix
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaUser
+metadata:
+ name: {{ .Values.cluster.name }}-bridge
+ labels:
+ strimzi.io/cluster: {{ .Values.cluster.name }}
+spec:
+ authentication:
+ type: tls
From c10e9edded908cbba6f30db9ef111b12e8e5ab9c Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Mon, 24 Oct 2022 12:28:12 -0700
Subject: [PATCH 1200/1479] Use a global variable for setting the host
---
science-platform/templates/sasquatch-application.yaml | 4 ++++
services/sasquatch/README.md | 2 ++
.../sasquatch/charts/strimzi-kafka/templates/bridge.yaml | 2 +-
services/sasquatch/values.yaml | 8 ++++++++
4 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/science-platform/templates/sasquatch-application.yaml b/science-platform/templates/sasquatch-application.yaml
index 847ba227e8..976de21e7f 100644
--- a/science-platform/templates/sasquatch-application.yaml
+++ b/science-platform/templates/sasquatch-application.yaml
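Review bot: The Ingress in this hunk publishes the KafkaBridge HTTP listener (port 8080) with only a `rewrite-target` annotation and nothing authenticating the caller, so any client that can reach the host can use the bridge's REST API; the two `authentication: type: tls` blocks secure the bridge's own connection to Kafka and the KafkaUser identity, not the HTTP clients talking to the bridge. The alert-database ingress later in this series puts Gafaelfawr in front of its service with `nginx.ingress.kubernetes.io/auth-url` and `nginx.ingress.kubernetes.io/auth-method` annotations; the same pattern here, or a comment explaining why the bridge is intentionally open, would make the exposure deliberate rather than accidental. The Ingress also declares no `tls:` section — if TLS is terminated elsewhere for this host, a one-line comment saying so would help the next reader.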
@@ -25,6 +25,10 @@ spec: targetRevision: {{ .Values.revision }} helm: parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" - name: "global.vaultSecretsPath" value: {{ .Values.vault_path_prefix | quote }} valueFiles: diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index a03783e133..7e393decad 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -32,6 +32,8 @@ Rubin Observatory's telemetry service. | chronograf.resources.limits.memory | string | `"16Gi"` | | | chronograf.resources.requests.cpu | int | `1` | | | chronograf.resources.requests.memory | string | `"1Gi"` | | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | influxdb.config | object | `{"continuous_queries":{"enabled":false},"coordinator":{"log-queries-after":"15s","max-concurrent-queries":0,"query-timeout":"0s","write-timeout":"1h"},"data":{"cache-max-memory-size":0,"trace-logging-enabled":true,"wal-fsync-delay":"100ms"},"http":{"auth-enabled":true,"enabled":true,"flux-enabled":true,"max-row-limit":0},"logging":{"level":"debug"}}` | Override InfluxDB configuration. See https://docs.influxdata.com/influxdb/v1.8/administration/config | | influxdb.image | object | `{"tag":"1.8.10"}` | InfluxDB image tag. | diff --git a/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml b/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml index 2d3d4b40df..34e906f811 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml 
@@ -27,7 +27,7 @@ metadata: spec: ingressClassName: nginx rules: - - host: data-dev.lsst.cloud + - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - backend: diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 94a68c62b8..dbc90902e4 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -189,6 +189,14 @@ bucketmapper: tag: 0.1.23 global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + # -- Base path for Vault secrets # @default -- Set by Argo CD vaultSecretsPath: "" From ffb32a1e947af7d0f3f12f4e700a8b3b1c98c0e3 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 24 Oct 2022 16:53:06 -0700 Subject: [PATCH 1201/1479] Add Kafka topic for analysis_tools - Add the object-table-core-metrics Kafka topic - Set ACLs rules for the sasquatch-bridge KafkaUser --- .../strimzi-kafka/templates/bridge.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml b/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml index 34e906f811..1185e2841f 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml @@ -47,3 +47,28 @@ metadata: spec: authentication: type: tls + authorization: + type: simple + acls: + - resource: + type: group + name: "*" + patternType: literal + operation: All + - resource: + type: topic + name: "object-table-core-metrics" + patternType: literal + type: allow + host: "*" + operation: All +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: object-table-core-metrics + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + partitions: 1 + replicas: 3 From 656d241272c8dc061eb5fd736d05314ced38b4b0 Mon Sep 17 00:00:00 2001 
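Review bot: The ACL rules added to the bridge KafkaUser in the last hunk of this commit are broader than a REST bridge needs: `operation: All` on every consumer group and on the `object-table-core-metrics` topic includes Alter, Delete and AlterConfigs, so a caller of the bridge (whose ingress carries no auth annotation earlier in this series) inherits the ability to reshape the topic, not just produce to and consume from it. Limiting the rules to what the bridge's produce/consume API exercises — Read, Write and Describe on the topic, Read on groups — mirrors the Read/Describe split the alert-database KafkaUser uses later on this page and keeps the blast radius of the open HTTP endpoint small. The first rule also omits `type: allow` and `host: "*"` while the second spells them out; writing both the same way avoids relying on Strimzi's defaults. The KafkaUser resource these rules extend begins above the hunk.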
From: adam Date: Wed, 26 Oct 2022 10:36:28 -0700 Subject: [PATCH 1202/1479] Add PGPASSFILE to TTS env --- services/nublado2/values-tucson-teststand.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index 3d2745e261..4301418e7e 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml @@ -36,6 +36,7 @@ config: LSST_DDS_INTERFACE: net1 LSST_DDS_PARTITION_PREFIX: tucson LSST_SITE: tucson + PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" volumes: - name: home nfs: From 0561957e95c35fb77208437862b5f1333b86390f Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 26 Oct 2022 10:37:18 -0700 Subject: [PATCH 1203/1479] Add PGUSER to TTS env --- services/nublado2/values-tucson-teststand.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/nublado2/values-tucson-teststand.yaml b/services/nublado2/values-tucson-teststand.yaml index 4301418e7e..6c19a72b7e 100644 --- a/services/nublado2/values-tucson-teststand.yaml +++ b/services/nublado2/values-tucson-teststand.yaml @@ -37,6 +37,7 @@ config: LSST_DDS_PARTITION_PREFIX: tucson LSST_SITE: tucson PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" + PGUSER: "oods" volumes: - name: home nfs: From fea698e29e3863a44e59132cbb870ea9be4ee3a6 Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Tue, 25 Oct 2022 15:23:14 -0300 Subject: [PATCH 1204/1479] phalanx: get PGUSER and PGPASSWORD secrets --- services/exposurelog/templates/deployment.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/services/exposurelog/templates/deployment.yaml b/services/exposurelog/templates/deployment.yaml index 5983bce19c..c3c37e2734 100644 --- a/services/exposurelog/templates/deployment.yaml +++ b/services/exposurelog/templates/deployment.yaml 
@@ -57,11 +57,18 @@ spec: value: {{ .Values.config.butler_uri_2 | quote }} - name: EXPOSURELOG_DB_USER value: {{ .Values.db.user | quote }} + - name: PGUSER + value: {{ .Values.db.user | quote }} - name: EXPOSURELOG_DB_PASSWORD valueFrom: secretKeyRef: name: exposurelog key: exposurelog_password + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: exposurelog + key: exposurelog_password - name: EXPOSURELOG_DB_HOST value: {{ .Values.db.host | quote }} - name: EXPOSURELOG_DB_PORT From e234fc00847d2d3712cf2cceceefcbe7fab3991f Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Tue, 25 Oct 2022 15:28:34 -0300 Subject: [PATCH 1205/1479] exposurelog: update appVersion --- services/exposurelog/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml index 3c6dfb2e44..837234bd26 100644 --- a/services/exposurelog/Chart.yaml +++ b/services/exposurelog/Chart.yaml @@ -9,4 +9,4 @@ version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.9.4 +appVersion: 0.9.5 From 041ee4384910e9ae3d5dd423e5d42576c75dfc64 Mon Sep 17 00:00:00 2001 From: Russell Owen Date: Thu, 27 Oct 2022 16:23:34 -0300 Subject: [PATCH 1206/1479] exposurelog chart: update appVersion --- services/exposurelog/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml index 837234bd26..1e59a2ce94 100644 --- a/services/exposurelog/Chart.yaml +++ b/services/exposurelog/Chart.yaml 
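Review bot: `PGPASSWORD` puts the database password into the container's environment, where every process in the container and any child it spawns can read it and where it can surface in crash reports or debug output; libpq also honours `PGPASSFILE`, which the nublado2 Tucson values in this same series use, so mounting the `exposurelog` secret as a file and setting `PGPASSFILE` to that path would keep the credential out of the environment. If `PGPASSWORD` is kept, the new entry duplicates the `secretKeyRef` already used for `EXPOSURELOG_DB_PASSWORD`; a short comment on why both are needed (presumably the application reads one and libpq-based tooling the other) would stop a later cleanup from removing the wrong one. The enclosing container `env` list starts above the hunk.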
@@ -9,4 +9,4 @@ version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.9.5 +appVersion: 0.9.6 From 5b9d44a3d38f20bdf61ccaa1ebbea481a98e775c Mon Sep 17 00:00:00 2001 
From: Brianna Smart Date: Thu, 13 Oct 2022 14:47:14 -0700 Subject: [PATCH 1207/1479] Move charts to alert-stream-broker Phalanx --- .../charts/alert-database/.helmignore | 22 +++ .../charts/alert-database/Chart.yaml | 9 + .../charts/alert-database/README.md | 48 ++++++ .../alert-database/ci/values-idfint.yaml | 24 +++ .../alert-database/templates/_helpers.tpl | 65 +++++++ .../templates/ingester-deployment.yaml | 54 ++++++ .../templates/ingester-serviceaccount.yaml | 11 ++ .../alert-database/templates/ingress.yaml | 38 ++++ .../alert-database/templates/kafka-user.yaml | 47 +++++ .../templates/server-deployment.yaml | 48 ++++++ .../templates/server-serviceaccount.yaml | 11 ++ .../alert-database/templates/service.yaml | 15 ++ .../charts/alert-database/values.yaml | 105 ++++++++++++ .../charts/alert-stream-broker/.helmignore | 22 +++ .../charts/alert-stream-broker/Chart.yaml | 9 + .../charts/alert-stream-broker/README.md | 47 +++++ .../templates/_helpers.tpl | 17 ++ .../alert-stream-broker/templates/certs.yaml | 23 +++ .../alert-stream-broker/templates/kafka.yaml | 162 ++++++++++++++++++ .../templates/superuser.yaml | 27 +++ .../alert-stream-broker/templates/users.yaml | 52 ++++++ .../templates/vault-secret.yaml | 7 + .../charts/alert-stream-broker/values.yaml | 129 ++++++++++++++ .../alert-stream-schema-registry/.helmignore | 22 +++ .../alert-stream-schema-registry/Chart.yaml | 9 + .../alert-stream-schema-registry/README.md | 27 +++ .../templates/ingress.yaml | 31 ++++ .../templates/schema-registry-server.yaml | 7 + .../templates/schema-registry-topic.yaml | 11 ++ .../templates/schema-registry-user.yaml | 49 ++++++ .../templates/sync-schema-job.yaml | 29 ++++ .../alert-stream-schema-registry/values.yaml | 33 ++++ .../charts/alert-stream-simulator/.helmignore | 22 +++ .../charts/alert-stream-simulator/Chart.yaml | 9 + .../charts/alert-stream-simulator/README.md | 30 ++++ .../templates/_helpers.tpl | 55 ++++++ .../templates/deployment.yaml | 44 +++++ 
.../templates/kafka-topics.yaml | 13 ++ .../templates/kafka-user.yaml | 45 +++++ .../templates/load-data-job.yaml | 50 ++++++ .../charts/alert-stream-simulator/values.yaml | 52 ++++++ 41 files changed, 1530 insertions(+) create mode 100644 services/alert-stream-broker/charts/alert-database/.helmignore create mode 100644 services/alert-stream-broker/charts/alert-database/Chart.yaml create mode 100644 services/alert-stream-broker/charts/alert-database/README.md create mode 100644 services/alert-stream-broker/charts/alert-database/ci/values-idfint.yaml create mode 100644 services/alert-stream-broker/charts/alert-database/templates/_helpers.tpl create mode 100644 services/alert-stream-broker/charts/alert-database/templates/ingester-deployment.yaml create mode 100644 services/alert-stream-broker/charts/alert-database/templates/ingester-serviceaccount.yaml create mode 100644 services/alert-stream-broker/charts/alert-database/templates/ingress.yaml create mode 100644 services/alert-stream-broker/charts/alert-database/templates/kafka-user.yaml create mode 100644 services/alert-stream-broker/charts/alert-database/templates/server-deployment.yaml create mode 100644 services/alert-stream-broker/charts/alert-database/templates/server-serviceaccount.yaml create mode 100644 services/alert-stream-broker/charts/alert-database/templates/service.yaml create mode 100644 services/alert-stream-broker/charts/alert-database/values.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-broker/.helmignore create mode 100644 services/alert-stream-broker/charts/alert-stream-broker/Chart.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-broker/README.md create mode 100644 services/alert-stream-broker/charts/alert-stream-broker/templates/_helpers.tpl create mode 100644 services/alert-stream-broker/charts/alert-stream-broker/templates/certs.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-broker/templates/kafka.yaml create mode 
100644 services/alert-stream-broker/charts/alert-stream-broker/templates/superuser.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-broker/templates/users.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-broker/templates/vault-secret.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-broker/values.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-schema-registry/.helmignore create mode 100644 services/alert-stream-broker/charts/alert-stream-schema-registry/Chart.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-schema-registry/README.md create mode 100644 services/alert-stream-broker/charts/alert-stream-schema-registry/templates/ingress.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-server.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-topic.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-user.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-schema-registry/templates/sync-schema-job.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-schema-registry/values.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-simulator/.helmignore create mode 100644 services/alert-stream-broker/charts/alert-stream-simulator/Chart.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-simulator/README.md create mode 100644 services/alert-stream-broker/charts/alert-stream-simulator/templates/_helpers.tpl create mode 100644 services/alert-stream-broker/charts/alert-stream-simulator/templates/deployment.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-simulator/templates/kafka-topics.yaml create mode 100644 
services/alert-stream-broker/charts/alert-stream-simulator/templates/kafka-user.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-simulator/templates/load-data-job.yaml create mode 100644 services/alert-stream-broker/charts/alert-stream-simulator/values.yaml diff --git a/services/alert-stream-broker/charts/alert-database/.helmignore b/services/alert-stream-broker/charts/alert-database/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/services/alert-stream-broker/charts/alert-database/Chart.yaml b/services/alert-stream-broker/charts/alert-database/Chart.yaml new file mode 100644 index 0000000000..374d21b33e --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +name: alert-database +version: 2.1.0 +description: Archival database of alerts sent through the alert stream. +maintainers: + - name: swnelson + email: swnelson@uw.edu +appVersion: 1.0.0 +type: application diff --git a/services/alert-stream-broker/charts/alert-database/README.md b/services/alert-stream-broker/charts/alert-database/README.md new file mode 100644 index 0000000000..ac6b3bf5ad --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/README.md 
@@ -0,0 +1,48 @@ +# alert-database + +![Version: 2.1.0](https://img.shields.io/badge/Version-2.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Archival database of alerts sent through the alert stream. + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| swnelson | swnelson@uw.edu | | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| ingester | object | `{"gcp":{"projectID":"","serviceAccountName":""},"image":{"imagePullPolicy":"IfNotPresent","repository":"lsstdm/alert_database_ingester","tag":"v2.0.1"},"kafka":{"cluster":"alert-broker","port":9092,"strimziAPIVersion":"v1beta2","topic":"alerts-simulated","user":"alert-database-ingester"},"logLevel":"verbose","schemaRegistryURL":"","serviceAccountName":"alert-database-ingester"}` | it to the database backend. | +| ingester.gcp.projectID | string | `""` | Project ID which has the above GCP IAM service account | +| ingester.gcp.serviceAccountName | string | `""` | Name of a service account which has credentials granting access to the alert database's backing storage buckets. | +| ingester.kafka.cluster | string | `"alert-broker"` | Name of a Strimzi Kafka cluster to connect to. | +| ingester.kafka.port | int | `9092` | Port to connect to on the Strimzi Kafka cluster. It should be an internal listener that expects SCRAM SHA-512 auth. | +| ingester.kafka.strimziAPIVersion | string | `"v1beta2"` | API version of the Strimzi installation's custom resource definitions | +| ingester.kafka.topic | string | `"alerts-simulated"` | Name of the topic which will holds alert data. 
| +| ingester.kafka.user | string | `"alert-database-ingester"` | The username of the Kafka user identity used to connect to the broker. | +| ingester.logLevel | string | `"verbose"` | set the log level of the application. can be 'info', or 'debug', or anything else to suppress logging. | +| ingester.schemaRegistryURL | string | `""` | URL of a schema registry instance | +| ingester.serviceAccountName | string | `"alert-database-ingester"` | The name of the Kubernetes ServiceAccount (*not* the Google Cloud IAM service account!) which is used by the alert database ingester. | +| ingress.annotations | object | `{}` | | +| ingress.enabled | bool | `true` | Whether to create an ingress | +| ingress.gafaelfawrAuthQuery | string | `"scope=read:alertdb"` | Query string for Gafaelfawr to authorize access | +| ingress.host | string | None, must be set if the ingress is enabled | Hostname for the ingress | +| ingress.path | string | `"/alertdb"` | Subpath to host the alert database application under the ingress | +| ingress.tls | list | `[]` | Configures TLS for the ingress if needed. If multiple ingresses share the same hostname, only one of them needs a TLS configuration. | +| nameOverride | string | `""` | Override the base name for resources | +| server.gcp.projectID | string | `""` | Project ID which has the above GCP IAM service account | +| server.gcp.serviceAccountName | string | `""` | Name of a service account which has credentials granting access to the alert database's backing storage buckets. | +| server.image.imagePullPolicy | string | `"IfNotPresent"` | | +| server.image.repository | string | `"lsstdm/alert_database_server"` | | +| server.image.tag | string | `"v2.1.0"` | | +| server.logLevel | string | `"verbose"` | set the log level of the application. can be 'info', or 'debug', or anything else to suppress logging. 
| +| server.service.port | int | `3000` | | +| server.service.type | string | `"ClusterIP"` | | +| server.serviceAccountName | string | `"alertdb-reader"` | The name of the Kubernetes ServiceAccount (*not* the Google Cloud IAM service account!) which is used by the alert database server. | +| storage.gcp.alertBucket | string | `""` | Name of a Google Cloud Storage bucket in GCP with alert data | +| storage.gcp.project | string | `""` | Name of a GCP project that has a bucket for database storage | +| storage.gcp.schemaBucket | string | `""` | Name of a Google Cloud Storage bucket in GCP with schema data | + diff --git a/services/alert-stream-broker/charts/alert-database/ci/values-idfint.yaml b/services/alert-stream-broker/charts/alert-database/ci/values-idfint.yaml new file mode 100644 index 0000000000..d839602b98 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/ci/values-idfint.yaml @@ -0,0 +1,24 @@ +ingester: + schemaRegistryURL: https://alert-schemas-int.lsst.cloud + + serviceAccountName: alert-database-writer + + gcp: + serviceAccountName: alertdb-writer + projectID: science-platform-int-dc5d + +storage: + gcp: + project: science-platform-int-dc5d + alertBucket: rubin-alertdb-int-us-central1-packets + schemaBucket: rubin-alertdb-int-us-central1-schemas + +ingress: + host: data-int.lsst.cloud + +server: + serviceAccountName: alert-database-reader + + gcp: + serviceAccountName: alertdb-reader + projectID: science-platform-int-dc5d diff --git a/services/alert-stream-broker/charts/alert-database/templates/_helpers.tpl b/services/alert-stream-broker/charts/alert-database/templates/_helpers.tpl new file mode 100644 index 0000000000..b315385468 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/templates/_helpers.tpl 
@@ -0,0 +1,65 @@ +{{/* -*- go-template -*- */}} + +{{- define "alertDatabase.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "alertDatabase.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "alertDatabase.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* Name for the ingester */}} +{{- define "alertDatabase.ingesterName" -}} +{{- printf "%s-ingester-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* Name for the server */}} +{{- define "alertDatabase.serverName" -}} +{{- printf "%s-server-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "alertDatabase.labels" -}} +helm.sh/chart: {{ include "alertDatabase.chart" . }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Ingester selector labels +*/}} +{{- define "alertDatabase.ingesterSelectorLabels" -}} +app.kubernetes.io/name: {{ include "alertDatabase.ingesterName" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Server selector labels +*/}} +{{- define "alertDatabase.serverSelectorLabels" -}} +app.kubernetes.io/name: {{ include "alertDatabase.serverName" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/services/alert-stream-broker/charts/alert-database/templates/ingester-deployment.yaml b/services/alert-stream-broker/charts/alert-database/templates/ingester-deployment.yaml new file mode 100644 index 0000000000..cd794da932 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/templates/ingester-deployment.yaml 
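Review bot: `alertDatabase.ingesterName` and `alertDatabase.serverName` bake `.Chart.Version` into the names they return, and the ingester and server Deployment templates in this commit use those names both as `metadata.name` and as the `app.kubernetes.io/name` selector label; every chart version bump therefore renames the Deployment and changes its selector, which, if I read Helm's behaviour right, forces a delete-and-recreate instead of a rolling update. Dropping the version from these two helpers, e.g. `{{- printf "%s-ingester" .Chart.Name | trunc 63 | trimSuffix "-" }}`, keeps the version where `alertDatabase.chart` already records it for the `helm.sh/chart` label. The hunk spans the whole of `_helpers.tpl`, so no definition is cut.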
@@ -0,0 +1,54 @@ +apiVersion: apps/v1 +kind: Deployment + +metadata: + name: {{ template "alertDatabase.ingesterName" . }} + labels: + {{- include "alertDatabase.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "alertDatabase.ingesterSelectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "alertDatabase.ingesterSelectorLabels" . | nindent 8 }} + spec: + containers: + - name: "alert-database-ingester" + image: "{{ .Values.ingester.image.repository }}:{{ .Values.ingester.image.tag }}" + volumeMounts: + - name: "kafka-client-secret" + mountPath: "/etc/kafka-client-secret" + readOnly: True + - name: "kafka-server-ca-cert" + mountPath: "/etc/kafka-server-ca-cert" + readOnly: True + command: + - "alertdb-ingester" + - "--kafka-host={{ .Values.ingester.kafka.cluster }}-kafka-bootstrap:{{ .Values.ingester.kafka.port }}" + - "--kafka-topic={{ .Values.ingester.kafka.topic }}" + - "--tls-client-key-location=/etc/kafka-client-secret/user.key" + - "--tls-client-crt-location=/etc/kafka-client-secret/user.crt" + - "--tls-server-ca-crt-location=/etc/kafka-server-ca-cert/ca.crt" + - "--kafka-auth-mechanism=mtls" + - "--schema-registry-address={{ required "A schema registry URL is required " .Values.ingester.schemaRegistryURL }}" + - "--gcp-project={{ required "A GCP project is required " .Values.storage.gcp.project }}" + - "--gcp-bucket-alerts={{ required "A GCP bucket name is required " .Values.storage.gcp.alertBucket }}" + - "--gcp-bucket-schemas={{ required "A GCP bucket name is required " .Values.storage.gcp.schemaBucket }}" + {{- if eq .Values.ingester.logLevel "debug" }} + - "--debug" + {{- end }} + {{- if eq .Values.ingester.logLevel "verbose" }} + - "--verbose" + {{- end }} + + volumes: + - name: "kafka-client-secret" + secret: + secretName: "{{ .Values.ingester.kafka.user}}" + - name: "kafka-server-ca-cert" + secret: + secretName: "{{ .Values.ingester.kafka.cluster}}-cluster-ca-cert" + serviceAccountName: "{{ 
.Values.ingester.serviceAccountName }}" diff --git a/services/alert-stream-broker/charts/alert-database/templates/ingester-serviceaccount.yaml b/services/alert-stream-broker/charts/alert-database/templates/ingester-serviceaccount.yaml new file mode 100644 index 0000000000..f6e1df0408 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/templates/ingester-serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.ingester.serviceAccountName }} + annotations: + # The following annotation connects the Kubernetes ServiceAccount to a GCP + # IAM Service Account, granting access to resources on GCP, via the + # "Workload Identity" framework. + # + # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity + iam.gke.io/gcp-service-account: "{{ .Values.ingester.gcp.serviceAccountName }}@{{ .Values.ingester.gcp.projectID }}.iam.gserviceaccount.com" diff --git a/services/alert-stream-broker/charts/alert-database/templates/ingress.yaml b/services/alert-stream-broker/charts/alert-database/templates/ingress.yaml new file mode 100644 index 0000000000..083c96d39b --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/templates/ingress.yaml 
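Review bot: The command line in this Deployment authenticates to Kafka with `--kafka-auth-mechanism=mtls` and the client key and certificate from the `kafka-client-secret` mount, while the `ingester.kafka.port` comment in this chart's values.yaml (added later in this commit) says the listener "expects SCRAM SHA-512 auth"; one of the two is stale, and the values comment should describe the mTLS listener the template actually uses. `readOnly: True` on both volume mounts is the YAML 1.1 capitalised boolean — Kubernetes accepts it, but `readOnly: true` is the canonical form. The container also sets no `securityContext` or `resources`; for a workload holding a Kafka client key and a GCP service-account binding, `runAsNonRoot: true` and `readOnlyRootFilesystem: true` are worth adding if the image supports them. The hunk starts on the previous physical line and ends with the `serviceAccountName` field here.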
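Review bot: The Workload Identity annotation is assembled from `ingester.gcp.serviceAccountName` and `ingester.gcp.projectID`, both of which default to `""` in this chart's values.yaml, so a deployment that forgets to set them renders a well-formed but meaningless `"@.iam.gserviceaccount.com"` binding that only fails when the pod first needs GCP credentials. The deployment templates in this commit already fail fast with `required` for the GCP project and buckets; the same treatment here, `iam.gke.io/gcp-service-account: "{{ required "ingester.gcp.serviceAccountName must be set" .Values.ingester.gcp.serviceAccountName }}@{{ required "ingester.gcp.projectID must be set" .Values.ingester.gcp.projectID }}.iam.gserviceaccount.com"`, surfaces the mistake at install time. The `server-serviceaccount.yaml` template in this same commit has the identical gap for `server.gcp.*`.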
@@ -0,0 +1,38 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}" + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "alertDatabase.fullname" . }} + labels: + {{- include "alertDatabase.labels" . | nindent 4 }} +spec: + rules: + - host: {{ required "ingress.host must be set" .Values.ingress.host | quote }} + http: + paths: + - path: "{{ .Values.ingress.path }}(/|$)(.*)" + pathType: Prefix + backend: + service: + name: {{ template "alertDatabase.fullname" . }} + port: + name: http + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} +{{- end }} diff --git a/services/alert-stream-broker/charts/alert-database/templates/kafka-user.yaml b/services/alert-stream-broker/charts/alert-database/templates/kafka-user.yaml new file mode 100644 index 0000000000..1cf0896802 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/templates/kafka-user.yaml 
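Review bot: This Ingress selects its controller with the `kubernetes.io/ingress.class: "nginx"` annotation, which Kubernetes deprecated in favour of `spec.ingressClassName`, while the KafkaBridge Ingress added earlier in this series already uses `ingressClassName: nginx`; switching to `ingressClassName: nginx` under `spec:` keeps the repository consistent. Gating every path through Gafaelfawr via `auth-url`/`auth-method` is the right shape; note however that `ingress.path` is interpolated unquoted into a regex-bearing string, `path: "{{ .Values.ingress.path }}(/|$)(.*)"`, so a value with regex metacharacters or a trailing slash silently changes what is matched and rewritten — a comment on the value stating it must be a plain `/segment` with no trailing slash would prevent that.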
@@ -0,0 +1,47 @@
+apiVersion: kafka.strimzi.io/{{ .Values.ingester.kafka.strimziAPIVersion }}
+kind: KafkaUser
+metadata:
+ name: {{ .Values.ingester.kafka.user }}
+ labels:
+ strimzi.io/cluster: {{ .Values.ingester.kafka.cluster }}
+spec:
+ authentication:
+ type: tls
+ authorization:
+ type: simple
+ acls:
+ # Allow read and describe on the source topic
+ - resource:
+ type: topic
+ name: {{ .Values.ingester.kafka.topic }}
+ patternType: literal
+ operation: Read
+ type: allow
+ - resource:
+ type: topic
+ name: {{ .Values.ingester.kafka.topic }}
+ patternType: literal
+ operation: Describe
+ type: allow
+
+ # Allow all on the __consumer_offsets topic
+ - resource:
+ type: topic
+ name: "__consumer_offsets"
+ patternType: literal
+ operation: All
+ type: allow
+
+ # Allow running as a consumer group
+ - resource:
+ type: group
+ name: "*"
+ patternType: literal
+ operation: Describe
+ type: allow
+ - resource:
+ type: group
+ name: "*"
+ patternType: literal
+ operation: Read
+ type: allow
diff --git a/services/alert-stream-broker/charts/alert-database/templates/server-deployment.yaml b/services/alert-stream-broker/charts/alert-database/templates/server-deployment.yaml
new file mode 100644
index 0000000000..62839837a4
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-database/templates/server-deployment.yaml
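Review bot: The `operation: All` rule on `__consumer_offsets` grants more than a consumer needs: Kafka authorises offset commits and fetches through the `group` resource, and to my knowledge a consumer needs no ACL on the internal `__consumer_offsets` topic at all, whereas `All` also includes Alter and Delete on it. Removing that rule, or narrowing it to `operation: Describe` if the client library is observed probing the topic, would bring it in line with the tightly scoped topic and group rules around it. The templated scalars `name: {{ .Values.ingester.kafka.user }}`, `strimzi.io/cluster: {{ .Values.ingester.kafka.cluster }}` and `name: {{ .Values.ingester.kafka.topic }}` are unquoted; piping each through `| quote` protects against values YAML would re-type or mis-parse.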
@@ -0,0 +1,48 @@ +apiVersion: apps/v1 +kind: Deployment + +metadata: + name: {{ template "alertDatabase.serverName" . }} + labels: + {{- include "alertDatabase.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "alertDatabase.serverSelectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "alertDatabase.serverSelectorLabels" . | nindent 8 }} + spec: + containers: + - name: "alert-database-server" + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}" + + ports: + - name: http + containerPort: 3000 + protocol: TCP + + livenessProbe: + httpGet: + path: /v1/health + port: http + + command: + - "alertdb" + - "--listen-host=0.0.0.0" + - "--listen-port=3000" + - "--backend=google-cloud" + - "--gcp-project={{ required "A GCP project is required " .Values.storage.gcp.project }}" + - "--gcp-bucket-alerts={{ required "A GCP bucket name is required " .Values.storage.gcp.alertBucket }}" + - "--gcp-bucket-schemas={{ required "A GCP bucket name is required " .Values.storage.gcp.schemaBucket }}" + {{- if eq .Values.ingester.logLevel "debug" }} + - "--debug" + {{- end }} + {{- if eq .Values.ingester.logLevel "verbose" }} + - "--verbose" + {{- end }} + + + serviceAccountName: "{{ .Values.server.serviceAccountName }}" diff --git a/services/alert-stream-broker/charts/alert-database/templates/server-serviceaccount.yaml b/services/alert-stream-broker/charts/alert-database/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..51dc67ccff --- /dev/null +++ b/services/alert-stream-broker/charts/alert-database/templates/server-serviceaccount.yaml 
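Review bot: The log-level switches in this server Deployment test the ingester's setting — `{{- if eq .Values.ingester.logLevel "debug" }}` and the matching `"verbose"` branch — so the `server.logLevel` value documented in this chart's README and values.yaml is never read; both conditions should use `.Values.server.logLevel`. `--listen-port=3000` and `containerPort: 3000` are literals while `server.service.port` is configurable; that works because the Service targets the port by its `http` name, but a comment saying so would stop someone "fixing" the apparent mismatch. As with the ingester, the container sets no `securityContext` or `resources` despite carrying a GCP service-account binding.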
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.server.serviceAccountName }}
+ annotations:
+ # The following annotation connects the Kubernetes ServiceAccount to a GCP
+ # IAM Service Account, granting access to resources on GCP, via the
+ # "Workload Identity" framework.
+ #
+ # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
+ iam.gke.io/gcp-service-account: "{{ .Values.server.gcp.serviceAccountName }}@{{ .Values.server.gcp.projectID }}.iam.gserviceaccount.com"
diff --git a/services/alert-stream-broker/charts/alert-database/templates/service.yaml b/services/alert-stream-broker/charts/alert-database/templates/service.yaml
new file mode 100644
index 0000000000..306e9900dd
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-database/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "alertDatabase.fullname" . }}
+ labels:
+ {{- include "alertDatabase.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.server.service.type }}
+ ports:
+ - port: {{ .Values.server.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "alertDatabase.serverSelectorLabels" . | nindent 4 }}
diff --git a/services/alert-stream-broker/charts/alert-database/values.yaml b/services/alert-stream-broker/charts/alert-database/values.yaml
new file mode 100644
index 0000000000..d1005c263c
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-database/values.yaml
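Review bot: The `iam.gke.io/gcp-service-account` annotation interpolates `.Values.server.gcp.serviceAccountName` and `.Values.server.gcp.projectID` unguarded, and the chart's values.yaml in this change defaults both to `""`, so a deployment that forgets to set them renders `@.iam.gserviceaccount.com` and the identity binding fails only at runtime when the server first calls GCP. Guarding them as `{{ required "server.gcp.serviceAccountName must be set" .Values.server.gcp.serviceAccountName }}` (and likewise for `projectID`) fails at template time instead, matching how vault-secret.yaml in this change guards `vaultSecretsPath`.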
@@ -0,0 +1,105 @@ +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# Configuration for the ingester, which pulls data out of Kafka and writes +# it to the database backend. + +ingester: + image: + repository: lsstdm/alert_database_ingester + tag: v2.0.1 + imagePullPolicy: IfNotPresent + + kafka: + # -- Name of a Strimzi Kafka cluster to connect to. + cluster: alert-broker + + # -- Port to connect to on the Strimzi Kafka cluster. It should be an + # internal listener that expects SCRAM SHA-512 auth. + port: 9092 + + # -- The username of the Kafka user identity used to connect to the broker. + user: alert-database-ingester + + # -- Name of the topic which will holds alert data. + topic: alerts-simulated + + # -- API version of the Strimzi installation's custom resource definitions + strimziAPIVersion: v1beta2 + + # -- URL of a schema registry instance + schemaRegistryURL: "" + + gcp: + # -- Name of a service account which has credentials granting access to the + # alert database's backing storage buckets. + serviceAccountName: "" + # -- Project ID which has the above GCP IAM service account + projectID: "" + + # -- The name of the Kubernetes ServiceAccount (*not* the Google Cloud IAM + # service account!) which is used by the alert database ingester. + serviceAccountName: alert-database-ingester + + # -- set the log level of the application. can be 'info', or 'debug', or + # anything else to suppress logging. + logLevel: verbose + +server: + image: + repository: lsstdm/alert_database_server + tag: v2.1.0 + imagePullPolicy: IfNotPresent + + gcp: + # -- Name of a service account which has credentials granting access to the + # alert database's backing storage buckets. 
+ serviceAccountName: "" + # -- Project ID which has the above GCP IAM service account + projectID: "" + + # -- The name of the Kubernetes ServiceAccount (*not* the Google Cloud IAM + # service account!) which is used by the alert database server. + serviceAccountName: alertdb-reader + + # -- set the log level of the application. can be 'info', or 'debug', or + # anything else to suppress logging. + logLevel: verbose + + service: + type: ClusterIP + port: 3000 + + +storage: + gcp: + # -- Name of a GCP project that has a bucket for database storage + project: "" + # -- Name of a Google Cloud Storage bucket in GCP with alert data + alertBucket: "" + # -- Name of a Google Cloud Storage bucket in GCP with schema data + schemaBucket: "" + +ingress: + # -- Whether to create an ingress + enabled: true + + # Additional annotations to add to the ingress + annotations: {} + + # -- Hostname for the ingress + # @default -- None, must be set if the ingress is enabled + host: "" + + # -- Configures TLS for the ingress if needed. If multiple ingresses share + # the same hostname, only one of them needs a TLS configuration. + tls: [] + + # -- Subpath to host the alert database application under the ingress + path: "/alertdb" + + # -- Query string for Gafaelfawr to authorize access + gafaelfawrAuthQuery: "scope=read:alertdb" diff --git a/services/alert-stream-broker/charts/alert-stream-broker/.helmignore b/services/alert-stream-broker/charts/alert-stream-broker/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-stream-broker/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
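Review bot: The comment on `ingester.kafka.port` says the listener `expects SCRAM SHA-512 auth`, but the ingester KafkaUser in this change authenticates with `type: tls`, and the broker chart's `internal` listener on 9092 is `authentication: type: tls`; the comment should say `# internal listener that expects mTLS (TLS client certificate) auth.` so an operator does not go looking for a password secret. The two `logLevel` comments list only `'info'` and `'debug'` while the shipped default is `verbose`, which the server Deployment template tests for by name; list `'verbose'` as well. This hunk starts on the previous line.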
diff --git a/services/alert-stream-broker/charts/alert-stream-broker/Chart.yaml b/services/alert-stream-broker/charts/alert-stream-broker/Chart.yaml
new file mode 100644
index 0000000000..b0a41f0a55
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-broker/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: alert-stream-broker
+version: 2.5.1
+description: Kafka broker cluster for distributing alerts
+maintainers:
+ - name: swnelson
+ email: swnelson@uw.edu
+appVersion: 1.0.0
+type: application
diff --git a/services/alert-stream-broker/charts/alert-stream-broker/README.md b/services/alert-stream-broker/charts/alert-stream-broker/README.md
new file mode 100644
index 0000000000..e5418243eb
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-broker/README.md
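Review bot: `version: 2.5.1` here does not match the README added in the same change, whose badge reads `Version: 2.5.0`. The README has the shape of helm-docs output, so it needs regenerating with this commit, and a CI step that diffs regenerated helm-docs against the checked-in file would catch this drift automatically.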
@@ -0,0 +1,47 @@ +# alert-stream-broker + +![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Kafka broker cluster for distributing alerts + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| swnelson | swnelson@uw.edu | | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cluster.name | string | `"alert-broker"` | Name used for the Kafka broker, and used by Strimzi for many annotations. | +| fullnameOverride | string | `""` | Override for the full name used for Kubernetes resources; by default one will be created based on the chart name and helm release name. | +| kafka.config | object | `{"log.retention.bytes":"644245094400","log.retention.hours":168,"offsets.retention.minutes":10080}` | Configuration overrides for the Kafka server. | +| kafka.config."log.retention.bytes" | string | `"644245094400"` | Maximum retained number of bytes for a topic's data. This is a string -- to avoid YAML type conversion issues for large numbers. | +| kafka.config."log.retention.hours" | int | `168` | Number of days for a topic's data to be retained. | +| kafka.config."offsets.retention.minutes" | int | `10080` | Number of minutes for a consumer group's offsets to be retained. | +| kafka.externalListener.bootstrap.host | string | `""` | Hostname that should be used by clients who want to connect to the broker through the bootstrap address. | +| kafka.externalListener.bootstrap.ip | string | `""` | IP address that should be used by the broker's external bootstrap load balancer for access from the internet. The format of this is a string like "192.168.1.1". | +| kafka.externalListener.brokers | list | `[]` | List of hostname and IP for each broker. 
The format of this is a list of maps with 'ip' and 'host' keys. For example: - ip: "192.168.1.1" host: broker-0.example - ip: "192.168.1.2" host: broker-1.example Each replica should get a host and IP. If these are unset, then IP addresses will be chosen automatically by the Kubernetes cluster's LoadBalancer controller, and hostnames will be unset, which will break TLS connections. | +| kafka.interBrokerProtocolVersion | float | `2.8` | Version of the protocol for inter-broker communication, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | +| kafka.logMessageFormatVersion | float | `2.8` | Encoding version for messages, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | +| kafka.nodePool.affinities | list | `[{"key":"kafka","value":"ok"}]` | List of node affinities to set for the broker's nodes. The key should be a label key, and the value should be a label value, and then the broker will prefer running Kafka and Zookeeper on nodes with those key-value pairs. | +| kafka.nodePool.tolerations | list | `[{"effect":"NoSchedule","key":"kafka","value":"ok"}]` | List of taint tolerations when scheduling the broker's pods onto nodes. The key should be a taint key, the value should be a taint value, and effect should be a taint effect that can be tolerated (ignored) when scheduling the broker's Kafka and Zookeeper pods. | +| kafka.replicas | int | `3` | Number of Kafka broker replicas to run. | +| kafka.storage.size | string | `"1000Gi"` | Size of the backing storage disk for each of the Kafka brokers. | +| kafka.storage.storageClassName | string | `"standard"` | Name of a StorageClass to use when requesting persistent volumes. | +| kafka.version | string | `"2.8.1"` | Version of Kafka to deploy. | +| nameOverride | string | `""` | | +| strimziAPIVersion | string | `"v1beta2"` | Version of the Strimzi Custom Resource API. The correct value depends on the deployed version of Strimzi. 
See [this blog post](https://strimzi.io/blog/2021/04/29/api-conversion/) for more. | +| superusers | list | `["kafka-admin"]` | A list of usernames for users who should have global admin permissions. These users will be created, along with their credentials. | +| tls.certIssuerName | string | `"cert-issuer-letsencrypt-dns"` | Name of a ClusterIssuer capable of provisioning a TLS certificate for the broker. | +| tls.subject.organization | string | `"Vera C. Rubin Observatory"` | Organization to use in the 'Subject' field of the broker's TLS certifcate. | +| users | list | `[{"groups":["rubin-testing"],"readonlyTopics":["alert-stream","alerts-simulated"],"username":"rubin-testing"}]` | A list of users that should be created and granted access. Passwords for these users are not generated automatically; they are expected to be stored as 1Password secrets which are replicated into Vault. Each username should have a "{{ $username }}-password" secret associated with it. | +| users[0].groups | list | `["rubin-testing"]` | A list of string prefixes for groups that the user should get admin access to, allowing them to create, delete, describe, etc consumer groups. Note that these are prefix-matched, not just literal exact matches. | +| users[0].readonlyTopics | list | `["alert-stream","alerts-simulated"]` | A list of topics that the user should get read-only access to. | +| users[0].username | string | `"rubin-testing"` | The username for the user that should be created. | +| vaultSecretsPath | string | `""` | Path to the secret resource in Vault | +| zookeeper.replicas | int | `3` | Number of Zookeeper replicas to run. | +| zookeeper.storage.size | string | `"1000Gi"` | Size of the backing storage disk for each of the Zookeeper instances. | +| zookeeper.storage.storageClassName | string | `"standard"` | Name of a StorageClass to use when requesting persistent volumes. | + 
diff --git a/services/alert-stream-broker/charts/alert-stream-broker/templates/_helpers.tpl b/services/alert-stream-broker/charts/alert-stream-broker/templates/_helpers.tpl
new file mode 100644
index 0000000000..edfa089a03
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-broker/templates/_helpers.tpl
@@ -0,0 +1,17 @@
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "alertStreamBroker.fullname" -}}
+ {{- if .Values.fullnameOverride }}
+ {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- $name := default .Chart.Name .Values.nameOverride }}
+ {{- if contains $name .Release.Name }}
+ {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/services/alert-stream-broker/charts/alert-stream-broker/templates/certs.yaml b/services/alert-stream-broker/charts/alert-stream-broker/templates/certs.yaml
new file mode 100644
index 0000000000..94bfb26a72
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-broker/templates/certs.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.kafka.externalListener.bootstrap.host }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.cluster.name }}-external-tls
+
+spec:
+ secretName: {{ .Values.cluster.name }}-external-tls
+
+ issuerRef:
+ name: {{ .Values.tls.certIssuerName }}
+ kind: ClusterIssuer
+
+ subject:
+ organizations:
+ - {{ .Values.tls.subject.organization }}
+
+ dnsNames:
+ - {{ .Values.kafka.externalListener.bootstrap.host }}
+ {{- range $broker := .Values.kafka.externalListener.brokers }}
+ - {{ $broker.host }}
+ {{- end }}
+{{- end }}
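Review bot: In certs.yaml, `dnsNames` emits `- {{ $broker.host }}` for every entry of `kafka.externalListener.brokers`, so a broker entry that sets only `ip` renders an empty list item (YAML null) that cert-manager is likely to reject, and the certificate would then never be issued for the external listener; `- {{ required "each externalListener broker needs a host" $broker.host | quote }}` surfaces the mistake at template time. The `organizations` entry is emitted as a plain scalar although the default value contains spaces and punctuation, so `- {{ .Values.tls.subject.organization | quote }}` is the safer form.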
diff --git a/services/alert-stream-broker/charts/alert-stream-broker/templates/kafka.yaml b/services/alert-stream-broker/charts/alert-stream-broker/templates/kafka.yaml
new file mode 100644
index 0000000000..6eefb11f40
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-broker/templates/kafka.yaml
@@ -0,0 +1,162 @@ +apiVersion: kafka.strimzi.io/{{ .Values.strimziAPIVersion }} +kind: Kafka +metadata: + name: {{ .Values.cluster.name }} +spec: + kafka: + version: {{ .Values.kafka.version }} + replicas: {{ .Values.kafka.replicas }} + listeners: + - name: internal + port: 9092 + type: internal + tls: true + authentication: + type: tls + - name: tls # Used by the schema registry; it has a fixed name it expects + port: 9093 + type: internal + tls: true + authentication: + type: tls + - name: external + port: 9094 + type: loadbalancer + tls: true + authentication: + type: scram-sha-512 + configuration: + {{- /* + + This is complicated looking, but that's just because these are all + optional parameters. They're optional because we don't actually know + the right IP addresses to use on a fresh deployment. + + The LoadBalancer Service type triggers automatic creation of a cloud + load balancer, which will get provisioned with some IP address that + we don't actually choose - it's picked for us. Once that has been + done, these options make it possible to pin the IP address: we can + request the actual IP that we already have. This is important because + it lets us configure a DNS record, associating a hostname with that + pinned IP address. + + */}} + bootstrap: + + {{- if .Values.kafka.externalListener.bootstrap.ip }} + loadBalancerIP: {{ .Values.kafka.externalListener.bootstrap.ip }} + {{- end }} + + {{- if .Values.kafka.externalListener.brokers }} + brokers: + {{- range $idx, $broker := .Values.kafka.externalListener.brokers }} + - broker: {{ $idx }} + loadBalancerIP: {{ $broker.ip }} + advertisedHost: {{ $broker.host }} + {{- end }} + {{- end }} + + {{- if .Values.kafka.externalListener.bootstrap.host }} + brokerCertChainAndKey: + secretName: {{ .Values.cluster.name }}-external-tls + certificate: tls.crt + key: tls.key + {{- end }} + + authorization: + type: simple +{{- if .Values.superusers }} + superUsers: +{{- range .Values.superusers }} + - {{ . 
}} +{{- end }} +{{- end }} + + config: + offsets.topic.replication.factor: 3 + transaction.state.log.replication.factor: 3 + transaction.state.log.min.isr: 2 + log.message.format.version: {{ .Values.kafka.logMessageFormatVersion }} + inter.broker.protocol.version: {{ .Values.kafka.interBrokerProtocolVersion }} + ssl.client.auth: required + {{- range $key, $value := .Values.kafka.config }} + {{ $key }}: {{ $value }} + {{- end }} + storage: + type: jbod + volumes: + # Note that storage is configured per replica. If there are 3 replicas, + # and 2 volumes in this array, each replica will get 2 + # PersistentVolumeClaims for the configured size, for a total of 6 + # volumes. + - id: 0 + type: persistent-claim + size: {{ .Values.kafka.storage.size }} + class: {{ .Values.kafka.storage.storageClassName }} + deleteClaim: false + + template: + pod: + {{- if .Values.kafka.nodePool.tolerations }} + tolerations: + {{- range $tol := .Values.kafka.nodePool.tolerations }} + - key: {{ $tol.key }} + operator: "Equal" + value: {{ $tol.value }} + effect: {{ $tol.effect }} + {{- end }} + {{- end }} + + {{- if .Values.kafka.nodePool.affinities }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + {{- range $affinity := .Values.kafka.nodePool.affinities }} + - weight: 1 + preference: + matchExpressions: + - key: {{ $affinity.key }} + operator: In + values: [{{ $affinity.value }}] + {{- end }} + {{- end }} + + zookeeper: + replicas: {{ .Values.zookeeper.replicas }} + storage: + # Note that storage is configured per replica. If there are 3 replicas, + # each will get its own PersistentVolumeClaim for the configured size. 
+ type: persistent-claim + size: {{ .Values.zookeeper.storage.size }} + class: {{ .Values.zookeeper.storage.storageClassName }} + deleteClaim: false + + template: + pod: + {{- if .Values.kafka.nodePool.tolerations }} + tolerations: + {{- range $tol := .Values.kafka.nodePool.tolerations }} + - key: {{ $tol.key }} + operator: "Equal" + value: {{ $tol.value }} + effect: {{ $tol.effect }} + {{- end }} + {{- end }} + + {{- if .Values.kafka.nodePool.affinities }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + {{- range $affinity := .Values.kafka.nodePool.affinities }} + - weight: 1 + preference: + matchExpressions: + - key: {{ $affinity.key }} + operator: In + values: [{{ $affinity.value }}] + {{- end }} + {{- end }} + + entityOperator: + topicOperator: {} + userOperator: {} diff --git a/services/alert-stream-broker/charts/alert-stream-broker/templates/superuser.yaml b/services/alert-stream-broker/charts/alert-stream-broker/templates/superuser.yaml new file mode 100644 index 0000000000..2812678ddf --- /dev/null +++ b/services/alert-stream-broker/charts/alert-stream-broker/templates/superuser.yaml @@ -0,0 +1,27 @@ +{{ range $idx, $username := .Values.superusers }} +--- +apiVersion: kafka.strimzi.io/{{ $.Values.strimziAPIVersion }} +kind: KafkaUser +metadata: + name: {{ $username }} + labels: + strimzi.io/cluster: {{ $.Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: {{ template "alertStreamBroker.fullname" $ }}-secrets + key: {{ $username }}-password + authorization: + type: simple + acls: + - resource: + type: topic + name: "*" + patternType: literal + type: allow + host: "*" + operation: All +{{ end }} diff --git a/services/alert-stream-broker/charts/alert-stream-broker/templates/users.yaml b/services/alert-stream-broker/charts/alert-stream-broker/templates/users.yaml new file mode 100644 index 0000000000..80d484775d --- /dev/null 
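Review bot: In the `config` block, `{{ $key }}: {{ $value }}` re-emits every override as a plain scalar, which throws away the deliberate quoting of `log.retention.bytes` in values.yaml (its comment says it is kept a string to avoid YAML type conversion of large numbers) and would also turn an override like `true` or `1.0` back into a bool or float; `{{ $key }}: {{ $value | quote }}` preserves the operator's intent, since these values end up as text in the broker configuration anyway. The `values: [{{ $affinity.value }}]` flow lists in both pod templates have the same exposure (`ok` is harmless, `yes` would not be). The zookeeper `template.pod` block repeats the kafka tolerations/affinity block verbatim; a small named template would keep the two from drifting. This hunk begins two lines above.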
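Review bot: Every name in `.Values.superusers` is also rendered into the broker's `superUsers` list by kafka.yaml in this change, and Kafka's ACL authorizer does not evaluate ACLs for super users at all, so the `acls` block here granting `All` on topic `*` has no effect and could lead a reader to believe superuser access is bounded by it. Either drop the block or add `# NOTE: superUsers bypass ACL checks; this block is informational only.` above it so the unlimited scope of these accounts is explicit.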
+++ b/services/alert-stream-broker/charts/alert-stream-broker/templates/users.yaml @@ -0,0 +1,52 @@ +{{ range $idx, $user := $.Values.users }} +--- +apiVersion: kafka.strimzi.io/{{ $.Values.strimziAPIVersion }} +kind: KafkaUser +metadata: + name: {{ $user.username }} + labels: + strimzi.io/cluster: {{ $.Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: {{ template "alertStreamBroker.fullname" $ }}-secrets + key: {{ $user.username }}-password + authorization: + type: simple + acls: + {{- range $idx, $topic := $user.readonlyTopics }} + - resource: + type: topic + name: {{ $topic | quote }} + patternType: literal + type: allow + host: "*" + operation: Read + - resource: + type: topic + name: {{ $topic | quote }} + patternType: literal + type: allow + host: "*" + operation: Describe + - resource: + type: topic + name: {{ $topic | quote }} + patternType: literal + type: allow + host: "*" + operation: DescribeConfigs + {{- end }} + {{- range $idx, $group := $user.groups }} + - resource: + type: group + name: {{ $group | quote }} + patternType: prefix + type: allow + host: "*" + operation: All + {{- end }} +{{- end }} diff --git a/services/alert-stream-broker/charts/alert-stream-broker/templates/vault-secret.yaml b/services/alert-stream-broker/charts/alert-stream-broker/templates/vault-secret.yaml new file mode 100644 index 0000000000..d924e52bb7 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-stream-broker/templates/vault-secret.yaml @@ -0,0 +1,7 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ template "alertStreamBroker.fullname" . }}-secrets +spec: + path: {{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath | quote }} + type: Opaque diff --git a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml new file mode 100644 index 0000000000..cb5db7cf0c 
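Review bot: `metadata.name: {{ $user.username }}` is rendered as a plain scalar while the topic and group names further down go through `| quote`, so a numeric-looking username would become an int and fail CRD validation; `name: {{ $user.username | quote }}` matches the rest of the template. The outer `range $idx, $user` and both inner `range $idx, $topic` / `range $idx, $group` bind an `$idx` that is never used and that the inner loops shadow; `{{- range $topic := $user.readonlyTopics }}` and `{{- range $group := $user.groups }}` are the clearer form.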
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml
@@ -0,0 +1,129 @@ +# -- Version of the Strimzi Custom Resource API. The correct value depends on +# the deployed version of Strimzi. See [this blog +# post](https://strimzi.io/blog/2021/04/29/api-conversion/) for more. +strimziAPIVersion: v1beta2 + +cluster: + # -- Name used for the Kafka broker, and used by Strimzi for many annotations. + name: alert-broker + +kafka: + # -- Version of Kafka to deploy. + version: 2.8.1 + # -- Encoding version for messages, see + # https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. + logMessageFormatVersion: 2.8 + # -- Version of the protocol for inter-broker communication, see + # https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. + interBrokerProtocolVersion: 2.8 + + # -- Number of Kafka broker replicas to run. + replicas: 3 + + storage: + # -- Size of the backing storage disk for each of the Kafka brokers. + size: 1000Gi + # -- Name of a StorageClass to use when requesting persistent volumes. + storageClassName: standard + + # -- Configuration overrides for the Kafka server. + config: + # -- Number of minutes for a consumer group's offsets to be retained. + offsets.retention.minutes: 10080 + # -- Number of days for a topic's data to be retained. + log.retention.hours: 168 + # -- Maximum retained number of bytes for a topic's data. This is a string + # -- to avoid YAML type conversion issues for large numbers. + log.retention.bytes: "644245094400" + + externalListener: + bootstrap: + # -- IP address that should be used by the broker's external bootstrap load + # balancer for access from the internet. The format of this is a string like + # "192.168.1.1". + ip: "" + # -- Hostname that should be used by clients who want to connect to the + # broker through the bootstrap address. + host: "" + + # -- List of hostname and IP for each broker. The format of this is a list + # of maps with 'ip' and 'host' keys. 
For example: + # + # - ip: "192.168.1.1" + # host: broker-0.example + # - ip: "192.168.1.2" + # host: broker-1.example + # + # Each replica should get a host and IP. If these are unset, then IP + # addresses will be chosen automatically by the Kubernetes cluster's + # LoadBalancer controller, and hostnames will be unset, which will break + # TLS connections. + brokers: [] + + nodePool: + # -- List of node affinities to set for the broker's nodes. The key should + # be a label key, and the value should be a label value, and then the + # broker will prefer running Kafka and Zookeeper on nodes with those + # key-value pairs. + affinities: + - key: kafka + value: ok + + # -- List of taint tolerations when scheduling the broker's pods onto + # nodes. The key should be a taint key, the value should be a taint + # value, and effect should be a taint effect that can be tolerated + # (ignored) when scheduling the broker's Kafka and Zookeeper pods. + tolerations: + - key: kafka + value: ok + effect: NoSchedule + + +# -- A list of usernames for users who should have global admin permissions. +# These users will be created, along with their credentials. +superusers: + - kafka-admin + +# -- A list of users that should be created and granted access. +# +# Passwords for these users are not generated automatically; they are expected +# to be stored as 1Password secrets which are replicated into Vault. Each +# username should have a "{{ $username }}-password" secret associated with it. +users: + - # -- The username for the user that should be created. + username: rubin-testing + # -- A list of topics that the user should get read-only access to. + readonlyTopics: ["alert-stream", "alerts-simulated"] + # -- A list of string prefixes for groups that the user should get admin + # access to, allowing them to create, delete, describe, etc consumer + # groups. Note that these are prefix-matched, not just literal exact + # matches. 
+ groups: ["rubin-testing"] + + +zookeeper: + # -- Number of Zookeeper replicas to run. + replicas: 3 + + storage: + # -- Size of the backing storage disk for each of the Zookeeper instances. + size: 1000Gi + # -- Name of a StorageClass to use when requesting persistent volumes. + storageClassName: standard + +tls: + subject: + # -- Organization to use in the 'Subject' field of the broker's TLS certifcate. + organization: "Vera C. Rubin Observatory" + # -- Name of a ClusterIssuer capable of provisioning a TLS certificate for + # the broker. + certIssuerName: "cert-issuer-letsencrypt-dns" + +# -- Path to the secret resource in Vault +vaultSecretsPath: "" + +# -- Override for the full name used for Kubernetes resources; by default one +# will be created based on the chart name and helm release name. +fullnameOverride: "" + +nameOverride: "" diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/.helmignore b/services/alert-stream-broker/charts/alert-stream-schema-registry/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/Chart.yaml b/services/alert-stream-broker/charts/alert-stream-schema-registry/Chart.yaml new file mode 100644 index 0000000000..fa14e7ae03 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/Chart.yaml 
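Review bot: `logMessageFormatVersion: 2.8` and `interBrokerProtocolVersion: 2.8` are parsed as YAML floats (the README in this change lists their type as `float`), so a future value such as `3.0` would render into the Kafka CR as `3` and the version string Strimzi expects would be lost; quote them as `logMessageFormatVersion: "2.8"` and `interBrokerProtocolVersion: "2.8"`, and `version: "2.8.1"` for consistency. `superusers` grants unbounded broker access and currently lists only `kafka-admin`, which looks intentional; a comment above it noting that these accounts bypass every ACL would help whoever reviews the next addition. This hunk starts two lines above.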
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: alert-stream-schema-registry
+version: 2.1.0
+description: Confluent Schema Registry for managing schema versions for the Alert Stream
+maintainers:
+ - name: swnelson
+ email: swnelson@uw.edu
+appVersion: 1.0.0
+type: application
diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/README.md b/services/alert-stream-broker/charts/alert-stream-schema-registry/README.md
new file mode 100644
index 0000000000..4d77ab3c08
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/README.md
@@ -0,0 +1,27 @@ +# alert-stream-schema-registry + +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Confluent Schema Registry for managing schema versions for the Alert Stream + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| swnelson | swnelson@uw.edu | | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| clusterName | string | `"alert-broker"` | Strimzi "cluster name" of the broker to use as a backend. | +| hostname | string | `"alert-schemas-int.lsst.cloud"` | Hostname for an ingress which sends traffic to the Schema Registry. | +| name | string | `"alert-schema-registry"` | Name used by the registry, and by its users. | +| port | int | `8081` | Port where the registry is listening. NOTE: Not actually configurable in strimzi-registry-operator, so this basically cannot be changed. | +| schemaSync | object | `{"image":{"repository":"swnelson/lsst_alert_packet","tag":"latest"},"subject":"alert-packet"}` | Configuration for the Job which injects the most recent alert_packet schema into the Schema Registry | +| schemaSync.image.repository | string | `"swnelson/lsst_alert_packet"` | Repository of a container which has the alert_packet syncLatestSchemaToRegistry.py program | +| schemaSync.image.tag | string | `"latest"` | Version of the container to use | +| schemaSync.subject | string | `"alert-packet"` | Subject name to use when inserting data into the Schema Registry | +| schemaTopic | string | `"registry-schemas"` | Name of the topic used by the Schema Registry to store data. | +| strimziAPIVersion | string | `"v1beta2"` | Version of the Strimzi Custom Resource API. The correct value depends on the deployed version of Strimzi. 
See [this blog post](https://strimzi.io/blog/2021/04/29/api-conversion/) for more. | + diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/ingress.yaml b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/ingress.yaml new file mode 100644 index 0000000000..077c37715d --- /dev/null +++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/ingress.yaml @@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: "{{ .Values.name }}" + annotations: + kubernetes.io/ingress.class: "nginx" + cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + nginx.ingress.kubernetes.io/configuration-snippet: | + # Forbid everything except GET since this should be a read-only ingress + # to the schema registry. + limit_except GET { + deny all; + } + +spec: + tls: + - hosts: [{{ .Values.hostname | quote }}] + secretName: "{{ .Values.name }}-tls" + + rules: + - host: {{ .Values.hostname | quote }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ .Values.name }} + port: + # TODO: not configurable in strimzi-registry-operator + number: {{ .Values.port }} diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-server.yaml b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-server.yaml new file mode 100644 index 0000000000..492a383002 --- /dev/null +++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-server.yaml @@ -0,0 +1,7 @@ +apiVersion: roundtable.lsst.codes/v1beta1 +kind: StrimziSchemaRegistry +metadata: + name: {{ .Values.name }} +spec: + strimzi-version: {{ .Values.strimziAPIVersion }} + listener: internal 
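Review bot: In ingress.yaml, the read-only property of this Ingress rests entirely on the `nginx.ingress.kubernetes.io/configuration-snippet` annotation; ingress-nginx can be configured to disallow snippet annotations (`allow-snippet-annotations`), and depending on controller version the Ingress is then either rejected or admitted without the `limit_except GET` block, so a comment recording that dependency — and a deploy-time check that snippets are enabled on this controller — is warranted. `cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns` is hard-coded here while the broker chart in this same change exposes it as `tls.certIssuerName`; parameterizing it the same way keeps the two charts consistent. `kubernetes.io/ingress.class` is the deprecated form for a `networking.k8s.io/v1` Ingress; `spec.ingressClassName: nginx` is the current field.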
diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-topic.yaml b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-topic.yaml
new file mode 100644
index 0000000000..3eaa139011
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-topic.yaml
@@ -0,0 +1,11 @@
+apiVersion: "kafka.strimzi.io/{{ .Values.strimziAPIVersion }}"
+kind: KafkaTopic
+metadata:
+ name: "{{ .Values.schemaTopic }}"
+ labels:
+ strimzi.io/cluster: "{{ .Values.clusterName }}"
+spec:
+ partitions: 1
+ replicas: 3
+ config:
+ cleanup.policy: compact
diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-user.yaml b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-user.yaml
new file mode 100644
index 0000000000..60b7ae4a23
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/schema-registry-user.yaml
@@ -0,0 +1,49 @@
+apiVersion: kafka.strimzi.io/{{ .Values.strimziAPIVersion }}
+kind: KafkaUser
+metadata:
+ name: {{ .Values.name }}
+ labels:
+ strimzi.io/cluster: {{ .Values.clusterName }}
+spec:
+ authentication:
+ type: tls
+ authorization:
+ # Official docs on authorizations required for the Schema Registry:
+ # https://docs.confluent.io/current/schema-registry/security/index.html#authorizing-access-to-the-schemas-topic
+ type: simple
+ acls:
+ # Allow Read, Write and DescribeConfigs operations on the
+ # schemas topic
+ - resource:
+ type: topic
+ name: "{{ .Values.schemaTopic }}"
+ patternType: literal
+ operation: Read
+ type: allow
+ - resource:
+ type: topic
+ name: "{{ .Values.schemaTopic }}"
+ patternType: literal
+ operation: Write
+ type: allow
+ - resource:
+ type: topic
+ name: "{{ .Values.schemaTopic }}"
+ patternType: literal
+ operation: DescribeConfigs
+ type: allow
+ # Allow all operations on the schema-registry* group
+ - resource:
+ type: group
+ name: schema-registry
+ patternType: prefix
+ operation: All
+ type: allow
+ # Allow Describe on the __consumer_offsets topic
+ # (The official docs also mention DescribeConfigs?)
+ - resource:
+ type: topic
+ name: "__consumer_offsets"
+ patternType: literal
+ operation: Describe
+ type: allow
diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/sync-schema-job.yaml b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/sync-schema-job.yaml
new file mode 100644
index 0000000000..a83f6bae0d
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/sync-schema-job.yaml
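Review bot: The comment `# (The official docs also mention DescribeConfigs?)` above the `__consumer_offsets` ACL ships an open question inside an authorization policy; either confirm the requirement and add the `DescribeConfigs` entry, or replace the question with a statement of what was verified, because a missing ACL only surfaces at runtime as broker-side denials in the registry logs. Separately, `apiVersion: kafka.strimzi.io/{{ .Values.strimziAPIVersion }}` and `name: {{ .Values.name }}` are rendered unquoted here whereas schema-registry-topic.yaml quotes both; quoting templated scalars consistently avoids a `null` or mis-typed field if a value ever renders empty.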
@@ -0,0 +1,29 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-sync-schema"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ argocd.argoproj.io/hook: Sync
+spec:
+ ttlSecondsAfterFinished: 600
+ template:
+ metadata:
+ name: "{{ .Release.Name }}"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: sync-schema-job
+ image: "{{ .Values.schemaSync.image.repository }}:{{ .Values.schemaSync.image.tag | default .Chart.AppVersion }}"
+ command:
+ - "syncLatestSchemaToRegistry.py"
+ - "--schema-registry-url=http://{{ .Values.name }}:{{ .Values.port }}"
+ - "--subject={{ .Values.schemaSync.subject }}"
diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/values.yaml b/services/alert-stream-broker/charts/alert-stream-schema-registry/values.yaml
new file mode 100644
index 0000000000..b84d04abf9
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/values.yaml
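Review bot: `app.kubernetes.io/version: {{ .Chart.AppVersion }}` in the metadata labels block is the only label rendered without `| quote`; an appVersion such as `1.2` would render as a YAML float and the API server rejects non-string label values. Use `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}`, which is what the simulator chart's _helpers.tpl later in this diff already does. The same unquoted label appears in load-data-job.yaml later in this diff.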
@@ -0,0 +1,33 @@
+# -- Name used by the registry, and by its users.
+name: alert-schema-registry
+
+# -- Port where the registry is listening. NOTE: Not actually configurable in
+# strimzi-registry-operator, so this basically cannot be changed.
+port: 8081
+
+# -- Version of the Strimzi Custom Resource API. The correct value depends on
+# the deployed version of Strimzi. See [this blog
+# post](https://strimzi.io/blog/2021/04/29/api-conversion/) for more.
+strimziAPIVersion: v1beta2
+
+# -- Strimzi "cluster name" of the broker to use as a backend.
+clusterName: alert-broker
+
+# -- Name of the topic used by the Schema Registry to store data.
+schemaTopic: registry-schemas
+
+# -- Hostname for an ingress which sends traffic to the Schema Registry.
+hostname: alert-schemas-int.lsst.cloud
+
+# -- Configuration for the Job which injects the most recent alert_packet
+# schema into the Schema Registry
+schemaSync:
+ image:
+ # -- Repository of a container which has the alert_packet
+ # syncLatestSchemaToRegistry.py program
+ repository: lsstdm/lsst_alert_packet
+ # -- Version of the container to use
+ tag: tickets-DM-32743
+
+ # -- Subject name to use when inserting data into the Schema Registry
+ subject: alert-packet
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/.helmignore b/services/alert-stream-broker/charts/alert-stream-simulator/.helmignore
new file mode 100644
index 0000000000..50af031725
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-simulator/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
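Review bot: `tag: tickets-DM-32743` pins the schema-sync image to a mutable ticket-branch tag rather than a release tag or digest, so the code the Sync hook runs can change underneath the chart with no diff here; a released tag, or an `@sha256:` digest, makes what gets deployed reproducible and reviewable. `hostname: alert-schemas-int.lsst.cloud` is an environment-specific value as a chart default, so any environment that forgets to override it requests a certificate for, and routes traffic to, the int hostname; an empty default with `# -- Hostname for the ingress; must be set per environment.` is the safer shape.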
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/Chart.yaml b/services/alert-stream-broker/charts/alert-stream-simulator/Chart.yaml
new file mode 100644
index 0000000000..668b29606f
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-simulator/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: alert-stream-simulator
+version: 1.6.2
+description: Producer which repeatedly publishes a static set of alerts into a Kafka topic
+maintainers:
+ - name: swnelson
+ email: swnelson@uw.edu
+appVersion: 1.2.1
+type: application
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/README.md b/services/alert-stream-broker/charts/alert-stream-simulator/README.md
new file mode 100644
index 0000000000..df9e6563ac
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-simulator/README.md
@@ -0,0 +1,30 @@
+# alert-stream-simulator
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+
+Producer which repeatedly publishes a static set of alerts into a Kafka topic
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| swnelson | swnelson@uw.edu | |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| clusterName | string | `"alert-broker"` | Name of a Strimzi Kafka cluster to connect to. |
+| clusterPort | int | `9092` | Port to connect to on the Strimzi Kafka cluster. It should be an internal TLS listener. |
+| fullnameOverride | string | `""` | Explicitly sets the full name used for the deployment and job (includes the release name). |
+| image.imagePullPolicy | string | `"IfNotPresent"` | Pull policy for the Deployment |
+| image.repository | string | `"swnelson/alert-stream-simulator"` | Source repository for the image which holds the rubin-alert-stream program. |
+| image.tag | string | `"latest"` | Tag to use for the rubin-alert-stream container. |
+| kafkaUserName | string | `"alert-stream-simulator"` | The username of the Kafka user identity used to connect to the broker. |
+| nameOverride | string | `""` | Explicitly sets the name of the deployment and job. |
+| repeatInterval | int | `37` | How often (in seconds) to repeat the sample data into the replay topic. |
+| replayTopicName | string | `"alerts-simulated"` | Name of the topic which will receive the repeated alerts on an interval. |
+| schemaID | int | `1` | Integer ID to use in the prefix of alert data packets. This should be a valid Confluent Schema Registry ID associated with the schema used.
|
+| staticTopicName | string | `"alerts-static"` | Name of the topic which will hold a static single visit of sample data. |
+| strimziAPIVersion | string | `"v1beta2"` | API version of the Strimzi installation's custom resource definitions |
+
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/templates/_helpers.tpl b/services/alert-stream-broker/charts/alert-stream-simulator/templates/_helpers.tpl
new file mode 100644
index 0000000000..715cf9d667
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-simulator/templates/_helpers.tpl
@@ -0,0 +1,55 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "alertStreamSimulator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "alertStreamSimulator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "alertStreamSimulator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "alertStreamSimulator.labels" -}}
+helm.sh/chart: {{ include "alertStreamSimulator.chart" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{ include "alertStreamSimulator.selectorLabels" . }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "alertStreamSimulator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "alertStreamSimulator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Name for the static alerts topic.
+*/}}
+{{- define "alertStreamSimulator.staticTopicName" -}}alerts-static{{- end }}
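Review bot: `{{- define "alertStreamSimulator.staticTopicName" -}}alerts-static{{- end }}` hard-codes the topic name, yet values.yaml in this same diff documents a `staticTopicName` value with the same default, and every template that needs the name (deployment.yaml, kafka-user.yaml, load-data-job.yaml) goes through this helper, so overriding `staticTopicName` silently has no effect, including on the ACL granted in kafka-user.yaml. Have the helper read the value, `{{- define "alertStreamSimulator.staticTopicName" -}}{{ .Values.staticTopicName }}{{- end }}`, or drop the value from values.yaml so the README does not advertise a knob that does nothing.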
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/templates/deployment.yaml b/services/alert-stream-broker/charts/alert-stream-simulator/templates/deployment.yaml
new file mode 100644
index 0000000000..1bd137bbe4
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-simulator/templates/deployment.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "alertStreamSimulator.fullname" . }}
+ labels:
+ {{- include "alertStreamSimulator.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "alertStreamSimulator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "alertStreamSimulator.selectorLabels" . | nindent 8 }}
+ spec:
+ containers:
+ - name: "alert-stream-simulator"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ volumeMounts:
+ - name: "kafka-client-secret"
+ mountPath: "/etc/kafka-client-secret"
+ readOnly: True
+ - name: "kafka-server-ca-cert"
+ mountPath: "/etc/kafka-server-ca-cert"
+ readOnly: True
+ command:
+ - "rubin-alert-sim"
+ - "--debug"
+ - "play-stream"
+ - "--broker={{ .Values.clusterName }}-kafka-bootstrap:{{ .Values.clusterPort }}"
+ - "--dst-topic={{ .Values.replayTopicName }}"
+ - "--src-topic={{ template "alertStreamSimulator.staticTopicName" . }}"
+ - "--tls-client-key-location=/etc/kafka-client-secret/user.key"
+ - "--tls-client-crt-location=/etc/kafka-client-secret/user.crt"
+ - "--tls-server-ca-crt-location=/etc/kafka-server-ca-cert/ca.crt"
+ - "--repeat-interval={{ .Values.repeatInterval }}"
+ volumes:
+ - name: "kafka-client-secret"
+ secret:
+ secretName: "{{ .Values.kafkaUserName}}"
+ - name: "kafka-server-ca-cert"
+ secret:
+ secretName: "{{ .Values.clusterName}}-cluster-ca-cert"
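Review bot: The container mounts a TLS client key from the `{{ .Values.kafkaUserName}}` Secret but declares no `securityContext` and no `resources`, so it runs as whatever user the image defaults to with unbounded CPU and memory; a pod-level `runAsNonRoot: true`, container-level `allowPrivilegeEscalation: false`, and a `resources` block are the usual baseline for a long-running workload holding client credentials. `readOnly: True` on both mounts should be the canonical lowercase `true`, and `{{ .Values.kafkaUserName}}` / `{{ .Values.clusterName}}` are missing the space before `}}`. `--debug` is passed unconditionally; if that flag logs message payloads it deserves a value so production can turn it off. All three points apply equally to load-data-job.yaml later in this diff.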
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/templates/kafka-topics.yaml b/services/alert-stream-broker/charts/alert-stream-simulator/templates/kafka-topics.yaml
new file mode 100644
index 0000000000..e3998adb52
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-simulator/templates/kafka-topics.yaml
@@ -0,0 +1,13 @@
+apiVersion: "kafka.strimzi.io/{{ .Values.strimziAPIVersion }}"
+kind: KafkaTopic
+metadata:
+ name: "{{ .Values.replayTopicName }}"
+ labels:
+ strimzi.io/cluster: "{{ .Values.clusterName }}"
+spec:
+ partitions: {{ .Values.replayTopicPartitions }}
+ replicas: {{ .Values.replayTopicReplicas }}
+ config:
+ cleanup.policy: "delete"
+ retention.ms: {{ .Values.maxMillisecondsRetained }} # 7 days
+ retention.bytes: {{ .Values.maxBytesRetained }}
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/templates/kafka-user.yaml b/services/alert-stream-broker/charts/alert-stream-simulator/templates/kafka-user.yaml
new file mode 100644
index 0000000000..42a35f8d9c
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-simulator/templates/kafka-user.yaml
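Review bot: `retention.ms: {{ .Values.maxMillisecondsRetained }}` and `retention.bytes: {{ .Values.maxBytesRetained }}` render the values bare, so the string quoting in values.yaml (`"604800000"`, `"100000000000"`) is discarded and the manifest carries plain YAML integers; if the quoting exists to avoid large-number type conversion, as the broker chart's README says of `log.retention.bytes`, render them with `| quote` so the intent survives templating. The trailing `# 7 days` documents the default, not the configured value, and will mislead as soon as `maxMillisecondsRetained` is overridden; the same remark already lives in values.yaml, so drop it here.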
@@ -0,0 +1,45 @@
+apiVersion: kafka.strimzi.io/{{ .Values.strimziAPIVersion }}
+kind: KafkaUser
+metadata:
+ name: {{ .Values.kafkaUserName }}
+ labels:
+ strimzi.io/cluster: {{ .Values.clusterName }}
+spec:
+ authentication:
+ type: tls
+ authorization:
+ type: simple
+ acls:
+ # Allow all operations on both topics
+ - resource:
+ type: topic
+ name: {{ template "alertStreamSimulator.staticTopicName" . }}
+ patternType: literal
+ operation: All
+ type: allow
+ - resource:
+ type: topic
+ name: "{{ .Values.replayTopicName }}"
+ patternType: literal
+ operation: All
+ type: allow
+ # Allow all on the __consumer_offsets topic
+ - resource:
+ type: topic
+ name: "__consumer_offsets"
+ patternType: literal
+ operation: All
+ type: allow
+ # Allow running as a consumer group
+ - resource:
+ type: group
+ name: "*"
+ patternType: literal
+ operation: Describe
+ type: allow
+ - resource:
+ type: group
+ name: "*"
+ patternType: literal
+ operation: Read
+ type: allow
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/templates/load-data-job.yaml b/services/alert-stream-broker/charts/alert-stream-simulator/templates/load-data-job.yaml
new file mode 100644
index 0000000000..ede343ff73
--- /dev/null
+++ b/services/alert-stream-broker/charts/alert-stream-simulator/templates/load-data-job.yaml
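Review bot: The two group ACLs use `name: "*"` with `patternType: literal`, which Kafka treats as the wildcard resource, so this user gets Describe and Read on every consumer group in the cluster, and the `__consumer_offsets` entry grants `operation: All` where the schema-registry user in this same diff gets only Describe. If rubin-alert-sim uses a predictable group id, scope both group entries with `patternType: prefix` and a name derived from `{{ .Values.kafkaUserName }}`, and reduce `__consumer_offsets` to `operation: Describe`, matching the least-privilege shape of schema-registry-user.yaml. A comment naming the group id the simulator actually uses would make the remaining grants reviewable.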
@@ -0,0 +1,50 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-load-data"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ argocd.argoproj.io/hook: Sync
+spec:
+ template:
+ metadata:
+ name: "{{ .Release.Name }}"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: pre-install-job
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ volumeMounts:
+ - name: "kafka-client-secret"
+ mountPath: "/etc/kafka-client-secret"
+ readOnly: True
+ - name: "kafka-server-ca-cert"
+ mountPath: "/etc/kafka-server-ca-cert"
+ readOnly: True
+ command:
+ - "rubin-alert-sim"
+ - "--debug"
+ - "create-stream"
+ - "--broker={{ .Values.clusterName }}-kafka-bootstrap:{{ .Values.clusterPort }}"
+ - "--dst-topic={{ template "alertStreamSimulator.staticTopicName" . }}"
+ - "--create-topic"
+ - "--schema-id={{ .Values.schemaID }}"
+ - "--tls-client-key-location=/etc/kafka-client-secret/user.key"
+ - "--tls-client-crt-location=/etc/kafka-client-secret/user.crt"
+ - "--tls-server-ca-crt-location=/etc/kafka-server-ca-cert/ca.crt"
+ - "/var/sample_alert_data/rubin_single_visit_sample.avro"
+ volumes:
+ - name: "kafka-client-secret"
+ secret:
+ secretName: "{{ .Values.kafkaUserName}}"
+ - name: "kafka-server-ca-cert"
+ secret:
+ secretName: "{{ .Values.clusterName}}-cluster-ca-cert"
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml b/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml
new file mode 100644
index 0000000000..b41680e248
--- /dev/null
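Review bot: Unlike sync-schema-job.yaml earlier in this diff, this Job sets no `ttlSecondsAfterFinished`, so the completed Job and its pod linger until the Argo CD hook is next recreated; add `ttlSecondsAfterFinished: 600` under spec as the sync job does. The container name `pre-install-job` no longer matches either the `argocd.argoproj.io/hook: Sync` annotation or the `-load-data` Job name and reads as a leftover from an earlier hook phase; `name: load-data-job` would match the rest of the manifest.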
+++ b/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml
@@ -0,0 +1,52 @@
+# -- Explicitly sets the name of the deployment and job.
+nameOverride: ""
+
+# -- Explicitly sets the full name used for the deployment and job (includes
+# the release name).
+fullnameOverride: ""
+
+# -- The username of the Kafka user identity used to connect to the broker.
+kafkaUserName: alert-stream-simulator
+
+# -- Name of the topic which will hold a static single visit of sample data.
+staticTopicName: alerts-static
+
+# -- Name of the topic which will receive the repeated alerts on an interval.
+replayTopicName: alerts-simulated
+
+# -- Integer ID to use in the prefix of alert data packets. This should be a
+# valid Confluent Schema Registry ID associated with the schema used.
+schemaID: 1
+
+# -- Name of a Strimzi Kafka cluster to connect to.
+clusterName: alert-broker
+
+# -- Port to connect to on the Strimzi Kafka cluster. It should be an internal
+# TLS listener.
+clusterPort: 9092
+
+# -- API version of the Strimzi installation's custom resource definitions
+strimziAPIVersion: v1beta2
+
+image:
+ # -- Source repository for the image which holds the rubin-alert-stream program.
+ repository: lsstdm/alert-stream-simulator
+ # -- Tag to use for the rubin-alert-stream container.
+ tag: v1.2.1
+ # -- Pull policy for the Deployment
+ imagePullPolicy: IfNotPresent
+
+# -- How often (in seconds) to repeat the sample data into the replay topic.
+repeatInterval: 37
+
+# -- Maximum amount of time to save simulated alerts in the replay topic, in
+# milliseconds. Default is 7 days.
+maxMillisecondsRetained: "604800000"
+
+# -- Maximum number of bytes for the replay topic, per partition, per replica.
+# Default is 100GB
+maxBytesRetained: "100000000000"
+
+replayTopicPartitions: 8
+
+replayTopicReplicas: 2
From 169efbf9d7712cb3b29b56dba301c19d1128522c Mon Sep 17 00:00:00 2001
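Review bot: `image.imagePullPolicy: IfNotPresent` is documented here, but neither deployment.yaml nor load-data-job.yaml in this diff references `.Values.image.imagePullPolicy`, so the setting is inert; either wire it in with `imagePullPolicy: {{ .Values.image.imagePullPolicy }}` next to each `image:` line or remove it. `replayTopicPartitions` and `replayTopicReplicas` are the only values without a `# --` helm-docs comment, and the README added earlier in this diff omits them and the two retention values while still listing `swnelson/alert-stream-simulator` and `latest` as the image defaults; regenerating the README from these values would bring the documentation back in line with the chart.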
From: Brianna Smart
Date: Mon, 17 Oct 2022 16:21:00 -0700
Subject: [PATCH 1208/1479] Change Chart.yaml file Update .gitignore
---
.gitignore | 8 ++++++++
services/alert-stream-broker/Chart.yaml | 4 ----
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index fe29a93c2c..0078da47eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -134,3 +134,11 @@ dmypy.json
 # Pyre type checker
 .pyre/
+
+.idea/workspace.xml
+
+.idea/inspectionProfiles/Project_Default.xml
+
+services/alert-stream-broker/charts/.DS_Store
+
+services/.DS_Store
diff --git a/services/alert-stream-broker/Chart.yaml b/services/alert-stream-broker/Chart.yaml
index b213142182..dac7895acc 100644
--- a/services/alert-stream-broker/Chart.yaml
+++ b/services/alert-stream-broker/Chart.yaml
@@ -4,7 +4,6 @@ version: "3"
 dependencies:
 - name: alert-stream-broker
 version: 2.5.1
- repository: https://lsst-sqre.github.io/charts/
 # The schema registry is bundled together in the same application as the
 # Kafka broker because Strimzi Registry Operator expects everything (the
@@ -12,7 +11,6 @@ dependencies:
 # resource) to be in the same namespace.
 - name: alert-stream-schema-registry
 version: 2.1.0
- repository: https://lsst-sqre.github.io/charts/
 # alert-stream-simulator is bundled together with the broker too for a
 # similar reason: the Strimzi EntityOperator can only watch a single
@@ -21,8 +19,6 @@ dependencies:
 # connect.
 - name: alert-stream-simulator
 version: 1.6.2
- repository: https://lsst-sqre.github.io/charts/
 - name: alert-database
 version: 2.1.0
- repository: https://lsst-sqre.github.io/charts/
From d2cc2474e5fbefa1624630d654502030e6266187 Mon Sep 17 00:00:00 2001
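Review bot: With `repository:` removed from all four dependencies, Helm presumably resolves them from the vendored subcharts under `charts/`, so each `version:` must equal the corresponding subchart's own `Chart.yaml` version or dependency resolution fails; `alert-stream-simulator` at `version: 1.6.2` agrees with the Chart.yaml added earlier in this diff, but the other three versions cannot be checked from what is visible here. A one-line comment above `dependencies:`, such as `# Subcharts are vendored under charts/, so no repository is given.`, would record why the entries carry no repository, which the commit message `Change Chart.yaml file` does not explain. The `.gitignore` additions are editor- and OS-specific and would normally live in a per-user global ignore file rather than the repository.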
From: Brianna Smart Date: Wed, 26 Oct 2022 14:52:27 -0700 Subject: [PATCH 1209/1479] Update README files Update .gitignore --- .gitignore | 12 ++++++++++++ services/alert-stream-broker/README.md | 8 ++++---- .../charts/alert-database/README.md | 13 +++---------- .../charts/alert-stream-broker/README.md | 15 +++------------ .../alert-stream-schema-registry/README.md | 15 +++------------ .../charts/alert-stream-simulator/README.md | 17 ++++++----------- 6 files changed, 31 insertions(+), 49 deletions(-) diff --git a/.gitignore b/.gitignore index 0078da47eb..f217a7f04c 100644 --- a/.gitignore +++ b/.gitignore @@ -142,3 +142,15 @@ dmypy.json services/alert-stream-broker/charts/.DS_Store services/.DS_Store + +services/alert-stream-broker/.DS_Store + +.idea/modules.xml + +.idea/phalanx.iml + +.idea/vcs.xml + +.DS_Store + +.idea/inspectionProfiles/profiles_settings.xml diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index b34b80c738..dbdef8c1d6 100644 --- a/services/alert-stream-broker/README.md +++ b/services/alert-stream-broker/README.md @@ -4,8 +4,8 @@ | Repository | Name | Version | |------------|------|---------| -| https://lsst-sqre.github.io/charts/ | alert-database | 2.1.0 | -| https://lsst-sqre.github.io/charts/ | alert-stream-broker | 2.5.1 | -| https://lsst-sqre.github.io/charts/ | alert-stream-schema-registry | 2.1.0 | -| https://lsst-sqre.github.io/charts/ | alert-stream-simulator | 1.6.2 | +| | alert-database | 2.1.0 | +| | alert-stream-broker | 2.5.1 | +| | alert-stream-schema-registry | 2.1.0 | +| | alert-stream-simulator | 1.6.2 | diff --git a/services/alert-stream-broker/charts/alert-database/README.md b/services/alert-stream-broker/charts/alert-database/README.md index ac6b3bf5ad..f08056fd22 100644 --- a/services/alert-stream-broker/charts/alert-database/README.md +++ b/services/alert-stream-broker/charts/alert-database/README.md 
@@ -1,23 +1,17 @@ # alert-database -![Version: 2.1.0](https://img.shields.io/badge/Version-2.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - Archival database of alerts sent through the alert stream. -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| swnelson | swnelson@uw.edu | | - ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| ingester | object | `{"gcp":{"projectID":"","serviceAccountName":""},"image":{"imagePullPolicy":"IfNotPresent","repository":"lsstdm/alert_database_ingester","tag":"v2.0.1"},"kafka":{"cluster":"alert-broker","port":9092,"strimziAPIVersion":"v1beta2","topic":"alerts-simulated","user":"alert-database-ingester"},"logLevel":"verbose","schemaRegistryURL":"","serviceAccountName":"alert-database-ingester"}` | it to the database backend. | | ingester.gcp.projectID | string | `""` | Project ID which has the above GCP IAM service account | | ingester.gcp.serviceAccountName | string | `""` | Name of a service account which has credentials granting access to the alert database's backing storage buckets. | +| ingester.image.imagePullPolicy | string | `"IfNotPresent"` | | +| ingester.image.repository | string | `"lsstdm/alert_database_ingester"` | | +| ingester.image.tag | string | `"v2.0.1"` | | | ingester.kafka.cluster | string | `"alert-broker"` | Name of a Strimzi Kafka cluster to connect to. | | ingester.kafka.port | int | `9092` | Port to connect to on the Strimzi Kafka cluster. It should be an internal listener that expects SCRAM SHA-512 auth. | | ingester.kafka.strimziAPIVersion | string | `"v1beta2"` | API version of the Strimzi installation's custom resource definitions | 
@@ -45,4 +39,3 @@ Archival database of alerts sent through the alert stream. | storage.gcp.alertBucket | string | `""` | Name of a Google Cloud Storage bucket in GCP with alert data | | storage.gcp.project | string | `""` | Name of a GCP project that has a bucket for database storage | | storage.gcp.schemaBucket | string | `""` | Name of a Google Cloud Storage bucket in GCP with schema data | - diff --git a/services/alert-stream-broker/charts/alert-stream-broker/README.md b/services/alert-stream-broker/charts/alert-stream-broker/README.md index e5418243eb..43225ca04b 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/README.md +++ b/services/alert-stream-broker/charts/alert-stream-broker/README.md @@ -1,15 +1,7 @@ # alert-stream-broker -![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - Kafka broker cluster for distributing alerts -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| swnelson | swnelson@uw.edu | | - ## Values | Key | Type | Default | Description | 
@@ -17,12 +9,12 @@ Kafka broker cluster for distributing alerts | cluster.name | string | `"alert-broker"` | Name used for the Kafka broker, and used by Strimzi for many annotations. | | fullnameOverride | string | `""` | Override for the full name used for Kubernetes resources; by default one will be created based on the chart name and helm release name. | | kafka.config | object | `{"log.retention.bytes":"644245094400","log.retention.hours":168,"offsets.retention.minutes":10080}` | Configuration overrides for the Kafka server. | -| kafka.config."log.retention.bytes" | string | `"644245094400"` | Maximum retained number of bytes for a topic's data. This is a string -- to avoid YAML type conversion issues for large numbers. | +| kafka.config."log.retention.bytes" | string | `"644245094400"` | to avoid YAML type conversion issues for large numbers. | | kafka.config."log.retention.hours" | int | `168` | Number of days for a topic's data to be retained. | | kafka.config."offsets.retention.minutes" | int | `10080` | Number of minutes for a consumer group's offsets to be retained. | | kafka.externalListener.bootstrap.host | string | `""` | Hostname that should be used by clients who want to connect to the broker through the bootstrap address. | | kafka.externalListener.bootstrap.ip | string | `""` | IP address that should be used by the broker's external bootstrap load balancer for access from the internet. The format of this is a string like "192.168.1.1". | -| kafka.externalListener.brokers | list | `[]` | List of hostname and IP for each broker. The format of this is a list of maps with 'ip' and 'host' keys. For example: - ip: "192.168.1.1" host: broker-0.example - ip: "192.168.1.2" host: broker-1.example Each replica should get a host and IP. If these are unset, then IP addresses will be chosen automatically by the Kubernetes cluster's LoadBalancer controller, and hostnames will be unset, which will break TLS connections. 
| +| kafka.externalListener.brokers | list | `[]` | List of hostname and IP for each broker. The format of this is a list of maps with 'ip' and 'host' keys. For example: - ip: "192.168.1.1" host: broker-0.example - ip: "192.168.1.2" host: broker-1.example Each replica should get a host and IP. If these are unset, then IP addresses will be chosen automatically by the Kubernetes cluster's LoadBalancer controller, and hostnames will be unset, which will break TLS connections. | | kafka.interBrokerProtocolVersion | float | `2.8` | Version of the protocol for inter-broker communication, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | | kafka.logMessageFormatVersion | float | `2.8` | Encoding version for messages, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | | kafka.nodePool.affinities | list | `[{"key":"kafka","value":"ok"}]` | List of node affinities to set for the broker's nodes. The key should be a label key, and the value should be a label value, and then the broker will prefer running Kafka and Zookeeper on nodes with those key-value pairs. | 
@@ -36,7 +28,7 @@ Kafka broker cluster for distributing alerts | superusers | list | `["kafka-admin"]` | A list of usernames for users who should have global admin permissions. These users will be created, along with their credentials. | | tls.certIssuerName | string | `"cert-issuer-letsencrypt-dns"` | Name of a ClusterIssuer capable of provisioning a TLS certificate for the broker. | | tls.subject.organization | string | `"Vera C. Rubin Observatory"` | Organization to use in the 'Subject' field of the broker's TLS certifcate. | -| users | list | `[{"groups":["rubin-testing"],"readonlyTopics":["alert-stream","alerts-simulated"],"username":"rubin-testing"}]` | A list of users that should be created and granted access. Passwords for these users are not generated automatically; they are expected to be stored as 1Password secrets which are replicated into Vault. Each username should have a "{{ $username }}-password" secret associated with it. | +| users | list | `[{"groups":["rubin-testing"],"readonlyTopics":["alert-stream","alerts-simulated"],"username":"rubin-testing"}]` | A list of users that should be created and granted access. Passwords for these users are not generated automatically; they are expected to be stored as 1Password secrets which are replicated into Vault. Each username should have a "{{ $username }}-password" secret associated with it. | | users[0].groups | list | `["rubin-testing"]` | A list of string prefixes for groups that the user should get admin access to, allowing them to create, delete, describe, etc consumer groups. Note that these are prefix-matched, not just literal exact matches. | | users[0].readonlyTopics | list | `["alert-stream","alerts-simulated"]` | A list of topics that the user should get read-only access to. | | users[0].username | string | `"rubin-testing"` | The username for the user that should be created. | 
@@ -44,4 +36,3 @@ Kafka broker cluster for distributing alerts | zookeeper.replicas | int | `3` | Number of Zookeeper replicas to run. | | zookeeper.storage.size | string | `"1000Gi"` | Size of the backing storage disk for each of the Zookeeper instances. | | zookeeper.storage.storageClassName | string | `"standard"` | Name of a StorageClass to use when requesting persistent volumes. | - diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/README.md b/services/alert-stream-broker/charts/alert-stream-schema-registry/README.md index 4d77ab3c08..cc6ac85074 100644 --- a/services/alert-stream-broker/charts/alert-stream-schema-registry/README.md +++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/README.md @@ -1,15 +1,7 @@ # alert-stream-schema-registry -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - Confluent Schema Registry for managing schema versions for the Alert Stream -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| swnelson | swnelson@uw.edu | | - ## Values | Key | Type | Default | Description | 
@@ -18,10 +10,9 @@ Confluent Schema Registry for managing schema versions for the Alert Stream | hostname | string | `"alert-schemas-int.lsst.cloud"` | Hostname for an ingress which sends traffic to the Schema Registry. | | name | string | `"alert-schema-registry"` | Name used by the registry, and by its users. | | port | int | `8081` | Port where the registry is listening. NOTE: Not actually configurable in strimzi-registry-operator, so this basically cannot be changed. | -| schemaSync | object | `{"image":{"repository":"swnelson/lsst_alert_packet","tag":"latest"},"subject":"alert-packet"}` | Configuration for the Job which injects the most recent alert_packet schema into the Schema Registry | -| schemaSync.image.repository | string | `"swnelson/lsst_alert_packet"` | Repository of a container which has the alert_packet syncLatestSchemaToRegistry.py program | -| schemaSync.image.tag | string | `"latest"` | Version of the container to use | +| schemaSync | object | `{"image":{"repository":"lsstdm/lsst_alert_packet","tag":"tickets-DM-32743"},"subject":"alert-packet"}` | Configuration for the Job which injects the most recent alert_packet schema into the Schema Registry | +| schemaSync.image.repository | string | `"lsstdm/lsst_alert_packet"` | Repository of a container which has the alert_packet syncLatestSchemaToRegistry.py program | +| schemaSync.image.tag | string | `"tickets-DM-32743"` | Version of the container to use | | schemaSync.subject | string | `"alert-packet"` | Subject name to use when inserting data into the Schema Registry | | schemaTopic | string | `"registry-schemas"` | Name of the topic used by the Schema Registry to store data. | | strimziAPIVersion | string | `"v1beta2"` | Version of the Strimzi Custom Resource API. The correct value depends on the deployed version of Strimzi. See [this blog post](https://strimzi.io/blog/2021/04/29/api-conversion/) for more. | - 
diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/README.md b/services/alert-stream-broker/charts/alert-stream-simulator/README.md index df9e6563ac..f1aa446e52 100644 --- a/services/alert-stream-broker/charts/alert-stream-simulator/README.md +++ b/services/alert-stream-broker/charts/alert-stream-simulator/README.md @@ -1,15 +1,7 @@ # alert-stream-simulator -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - Producer which repeatedly publishes a static set of alerts into a Kafka topic -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| swnelson | swnelson@uw.edu | | - ## Values | Key | Type | Default | Description | 
@@ -18,13 +10,16 @@ Producer which repeatedly publishes a static set of alerts into a Kafka topic | clusterPort | int | `9092` | Port to connect to on the Strimzi Kafka cluster. It should be an internal TLS listener. | | fullnameOverride | string | `""` | Explicitly sets the full name used for the deployment and job (includes the release name). | | image.imagePullPolicy | string | `"IfNotPresent"` | Pull policy for the Deployment | -| image.repository | string | `"swnelson/alert-stream-simulator"` | Source repository for the image which holds the rubin-alert-stream program. | -| image.tag | string | `"latest"` | Tag to use for the rubin-alert-stream container. | +| image.repository | string | `"lsstdm/alert-stream-simulator"` | Source repository for the image which holds the rubin-alert-stream program. | +| image.tag | string | `"v1.2.1"` | Tag to use for the rubin-alert-stream container. | | kafkaUserName | string | `"alert-stream-simulator"` | The username of the Kafka user identity used to connect to the broker. | +| maxBytesRetained | string | `"100000000000"` | Maximum number of bytes for the replay topic, per partition, per replica. Default is 100GB | +| maxMillisecondsRetained | string | `"604800000"` | Maximum amount of time to save simulated alerts in the replay topic, in milliseconds. Default is 7 days. | | nameOverride | string | `""` | Explicitly sets the name of the deployment and job. | | repeatInterval | int | `37` | How often (in seconds) to repeat the sample data into the replay topic. | | replayTopicName | string | `"alerts-simulated"` | Name of the topic which will receive the repeated alerts on an interval. | +| replayTopicPartitions | int | `8` | | +| replayTopicReplicas | int | `2` | | | schemaID | int | `1` | Integer ID to use in the prefix of alert data packets. This should be a valid Confluent Schema Registry ID associated with the schema used. 
| | staticTopicName | string | `"alerts-static"` | Name of the topic which will hold a static single visit of sample data. | | strimziAPIVersion | string | `"v1beta2"` | API version of the Strimzi installation's custom resource definitions | - From 7bc4632f03a3e8fbdb3f8f443648e0591f723372 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Thu, 27 Oct 2022 14:00:58 -0700 Subject: [PATCH 1210/1479] Update values-idfint.yaml --- science-platform/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 8352c46838..10342c9daf 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -4,7 +4,7 @@ vault_path_prefix: secret/k8s_operator/data-int.lsst.cloud butlerRepositoryIndex: "s3://butler-us-central1-repo-locations/data-int-repos.yaml" alert_stream_broker: - enabled: false + enabled: true cachemachine: enabled: true cert_manager: From 26299129d7981ea2c78da8216438080aaf4137a8 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Thu, 27 Oct 2022 14:23:22 -0700 Subject: [PATCH 1211/1479] Add alert-stream-broker to strimzi --- services/strimzi/values-idfint.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/strimzi/values-idfint.yaml b/services/strimzi/values-idfint.yaml index 6eb0bd0082..f98848daa7 100644 --- a/services/strimzi/values-idfint.yaml +++ b/services/strimzi/values-idfint.yaml @@ -6,4 +6,5 @@ strimzi-kafka-operator: memory: "512Mi" watchNamespaces: - "sasquatch" + - "alert-stream-broker" logLevel: "DEBUG" From bb6d171ba3d1d0b1a3fb64a06f77c0966c4462f6 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 24 Oct 2022 14:35:33 -0700 Subject: [PATCH 1212/1479] Update Gafaelfawr Helm config for Kopf Update for Gafaelfawr 7.0.0, which now uses Kopf to implement the Kubernetes operator. This changes the invocation of the token management pod and removes the status specification in the CRD. Instead, add the annotation that tells Kubernetes the status section is free-form. --- services/gafaelfawr/Chart.yaml | 2 +- services/gafaelfawr/crds/service-token.yaml | 78 +------------------ .../templates/deployment-tokens.yaml | 8 +- 3 files changed, 8 insertions(+), 80 deletions(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 1dc1959f05..36b668955b 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,4 +5,4 @@ description: Science Platform authentication and authorization system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 6.2.0 +appVersion: 7.0.0 diff --git a/services/gafaelfawr/crds/service-token.yaml b/services/gafaelfawr/crds/service-token.yaml index 8db2835515..cc60081d11 100644 --- a/services/gafaelfawr/crds/service-token.yaml +++ b/services/gafaelfawr/crds/service-token.yaml 
@@ -76,80 +76,4 @@ spec: description: >- GafaelfawrServiceTokenStatus defines the observed state of the GafaelfawrServiceToken. - properties: - conditions: - type: array - description: >- - Condition contains details for one aspect of the current - state of this API Resource. SecretCreated is the only - known .status.conditions.type value. - items: - type: object - required: - - lastTransitionTime - - message - - reason - - status - - type - properties: - lastTransitionTime: - type: string - format: date-time - description: > - lastTransitionTime is the last time the condition - transitioned from one status to another. This should - be when the underlying condition changed. If that is - not known, then using the time when the API field - changed is acceptable. - message: - type: string - description: > - message is a human readable message indicating - details about the transition. This may be an empty - string. - maxLength: 32768 - observedGeneration: - description: > - observedGeneration represents the - .metadata.generation that the condition was set - based upon. For instance, if .metadata.generation is - currently 12, but the - .status.conditions[x].observedGeneration is 9, the - condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - type: string - description: > - reason contains a programmatic identifier indicating - the reason for the condition's last - transition. Producers of specific condition types - may define expected values and meanings for this - field, and whether the values are considered a - guaranteed API. The value should be a CamelCase - string. This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" - status: - type: string - description: > - status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - "Unknown" - type: - type: string - description: > - type of condition in CamelCase or in - foo.example.com/CamelCase. Many .condition.type - values are consistent across resources like - Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to - deconflict is important. The regex it matches is - (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + x-kubernetes-preserve-unknown-fields: true diff --git a/services/gafaelfawr/templates/deployment-tokens.yaml b/services/gafaelfawr/templates/deployment-tokens.yaml index 5e165d67ad..216c305bea 100644 --- a/services/gafaelfawr/templates/deployment-tokens.yaml +++ b/services/gafaelfawr/templates/deployment-tokens.yaml @@ -25,8 +25,12 @@ spec: containers: - name: "gafaelfawr-tokens" command: - - "gafaelfawr" - - "kubernetes-controller" + - "kopf" + - "run" + - "-A" + - "--log-format=json" + - "-m" + - "gafaelfawr.operator" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- with .Values.tokens.resources }} From 16e0a208de9d68d4c203d6ed8aece7c06abf77ce Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 26 Oct 2022 16:47:22 -0700 Subject: [PATCH 1213/1479] Grant gafaelfawr-tokens event access Kopf wants to post events in the namespace in which it processes custom resources. Grant that access. --- services/gafaelfawr/templates/serviceaccount-tokens.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/services/gafaelfawr/templates/serviceaccount-tokens.yaml b/services/gafaelfawr/templates/serviceaccount-tokens.yaml index 70104dcbd9..826342ceb2 100644 --- a/services/gafaelfawr/templates/serviceaccount-tokens.yaml +++ b/services/gafaelfawr/templates/serviceaccount-tokens.yaml 
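Review bot: Replacing the typed `conditions` schema with a bare `x-kubernetes-preserve-unknown-fields: true` on `status` turns off server-side validation and pruning for everything written there, presumably because Kopf persists its handler progress in the status subtree (`status.kopf` under Kopf's default storage — confirm against the operator's settings). That rationale should live next to the flag rather than only in the commit message, e.g. `# Free-form so Kopf can store its handler progress here alongside Gafaelfawr's conditions.`. If Gafaelfawr still sets the `SecretCreated` condition the old schema described, keeping that `conditions` entry under `properties` next to the preserve flag would retain validation for the part this chart owns while leaving Kopf's keys untouched. The `status` schema block starts outside the hunk.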
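Review bot: `kopf run -A` makes the operator explicitly cluster-wide, and the ClusterRole it runs under (see the `secrets` rule with `create`, `get`, `patch`, `update` in the serviceaccount-tokens hunks that follow) lets it read and write Secrets in every namespace, so the blast radius of this pod is every Secret in the cluster. If GafaelfawrServiceToken resources only ever live in a known set of namespaces, `kopf run -n <namespace>` per namespace with namespaced RoleBindings would bound that; if cluster-wide scope is intended, a comment on the flag records the decision, e.g. `# -A: watch every namespace; relies on the ClusterRole in serviceaccount-tokens.yaml`. The container spec continues outside the hunk.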
@@ -16,6 +16,9 @@ metadata:
 labels:
 {{- include "gafaelfawr.labels" . | nindent 4 }}
 rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create"]
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["create", "get", "patch", "update"]
@@ -34,6 +37,6 @@ subjects:
 name: {{ include "gafaelfawr.fullname" . }}-tokens
 namespace: {{ .Release.Namespace }}
 roleRef:
+ apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: {{ include "gafaelfawr.fullname" . }}-tokens
- apiGroup: rbac.authorization.k8s.io
From 03c32c3d76bcca6bbbd2f447eba6bf57b8e51db7 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 27 Oct 2022 16:13:45 -0700
Subject: [PATCH 1214/1479] Grant Gafaelfawr access to watch namespaces
Kopf uses this to keep track of what namespaces exist so that it can pick up new resources, so grant that access.
---
 services/gafaelfawr/templates/serviceaccount-tokens.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/services/gafaelfawr/templates/serviceaccount-tokens.yaml b/services/gafaelfawr/templates/serviceaccount-tokens.yaml
index 826342ceb2..2683e22280 100644
--- a/services/gafaelfawr/templates/serviceaccount-tokens.yaml
+++ b/services/gafaelfawr/templates/serviceaccount-tokens.yaml
@@ -19,6 +19,9 @@ rules:
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["list", "watch"]
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["create", "get", "patch", "update"]
From cee24630d5ed5babff59802ae0e5c164fe8f0257 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 27 Oct 2022 16:29:17 -0700
Subject: [PATCH 1215/1479] Give Gafaelfawr list and watch on CRDs
Kopf wants to be able to list and watch CRDs as well. Not sure that it really needs this, but it complains otherwise, so add it.
---
 services/gafaelfawr/templates/serviceaccount-tokens.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/services/gafaelfawr/templates/serviceaccount-tokens.yaml b/services/gafaelfawr/templates/serviceaccount-tokens.yaml
index 2683e22280..65edd355f2 100644
--- a/services/gafaelfawr/templates/serviceaccount-tokens.yaml
+++ b/services/gafaelfawr/templates/serviceaccount-tokens.yaml
@@ -25,6 +25,9 @@ rules:
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["create", "get", "patch", "update"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["list", "watch"]
 - apiGroups: ["gafaelfawr.lsst.io"]
 resources: ["gafaelfawrservicetokens", "gafaelfawrservicetokens/status"]
 verbs: ["get", "list", "patch", "watch"]
From ac69ac6cca07131c7717a8e0151ed8e90489dd75 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 31 Oct 2022 04:52:10 +0000
Subject: [PATCH 1216/1479] Update manusa/actions-setup-minikube action to v2.7.1
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 955f9c51df..df99cbbcac 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -85,7 +85,7 @@ jobs:
 - name: Setup Minikube
 if: steps.filter.outputs.minikube == 'true'
- uses: manusa/actions-setup-minikube@v2.7.0
+ uses: manusa/actions-setup-minikube@v2.7.1
 with:
 minikube version: 'v1.25.2'
 kubernetes version: 'v1.22.8'
From 0af695cfc9fa6358e5015c2d7fe629d7746afb1e Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Thu, 15 Sep 2022 15:39:39 -0500
Subject: [PATCH 1217/1479] testing fullname override
---
 services/sqlproxy/values-idfdev.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/sqlproxy/values-idfdev.yaml b/services/sqlproxy/values-idfdev.yaml
index 4a29601b62..77be1218ed 100644
--- a/services/sqlproxy/values-idfdev.yaml
+++ b/services/sqlproxy/values-idfdev.yaml
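Review bot: The new `customresourcedefinitions` rule is read-only (`list`, `watch`) and narrowly scoped, which is fine, but the commit message's "not sure that it really needs this" is exactly the kind of uncertainty that gets a grant removed later by someone tidying RBAC; record the reason in the manifest instead. As far as I know Kopf watches CRDs so it can begin serving resource kinds registered after the operator starts, so a comment above the rule such as `# Kopf lists/watches CRDs to pick up resource definitions registered after startup.` would keep that rationale with the grant (hedged — confirm against the Kopf version in use). The `rules` list continues outside the hunk.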
@@ -1,10 +1,10 @@
-serviceAccountName: sqlproxy-butler-int
+serviceAccountName: sqlproxy-cross-project
-nameOverride: sqlproxy-butler-int
+fullnameOverride: sqlproxy-butler-int
 serviceAccount:
 annotations: {
- iam.gke.io/gcp-service-account: sqlproxy-butler-int@science-platform-dev-7696.iam.gserviceaccount.com
+ iam.gke.io/gcp-service-account: sqlproxy-cross-project@science-platform-dev-7696.iam.gserviceaccount.com
 }
 cloudsql:
From 017b2fe581b532941e8e4ac688b552bea135df6e Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Thu, 15 Sep 2022 16:29:35 -0500
Subject: [PATCH 1218/1479] Adjusted SA name
---
 services/sqlproxy/values-idfdev.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/sqlproxy/values-idfdev.yaml b/services/sqlproxy/values-idfdev.yaml
index 77be1218ed..027717b6bb 100644
--- a/services/sqlproxy/values-idfdev.yaml
+++ b/services/sqlproxy/values-idfdev.yaml
@@ -1,10 +1,10 @@
-serviceAccountName: sqlproxy-cross-project
+serviceAccountName: sqlproxy-butler-int
 fullnameOverride: sqlproxy-butler-int
 serviceAccount:
 annotations: {
- iam.gke.io/gcp-service-account: sqlproxy-cross-project@science-platform-dev-7696.iam.gserviceaccount.com
+ iam.gke.io/gcp-service-account: sqlproxy-butler-int@science-platform-dev-7696.iam.gserviceaccount.com
 }
 cloudsql:
From 46a81f5c6124f161b13456b82f1983b23be85069 Mon Sep 17 00:00:00 2001
From: Michael Reuter
Date: Fri, 28 Oct 2022 15:07:12 -0700
Subject: [PATCH 1219/1479] Update TTS cachemachine to cycle 27.
---
 services/cachemachine/values-tucson-teststand.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/cachemachine/values-tucson-teststand.yaml b/services/cachemachine/values-tucson-teststand.yaml
index dbaf509662..ebcc0a57c9 100644
--- a/services/cachemachine/values-tucson-teststand.yaml
+++ b/services/cachemachine/values-tucson-teststand.yaml
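Review bot: Pointing the Workload Identity annotation at `sqlproxy-cross-project@science-platform-dev-7696.iam.gserviceaccount.com` only authenticates if that GSA carries a `roles/iam.workloadIdentityUser` binding for this namespace's `sqlproxy-cross-project` Kubernetes service account; nothing in the commit shows the IAM side, so that should be confirmed before the proxy is relied on. The very next commit (1218) reverts the service-account half of this change, so the net effect of the pair is only `nameOverride` → `fullnameOverride`; squashing them would keep the history honest about what actually landed. On style, the `annotations: {` / `}` flow mapping spread over three lines is easy to mis-edit; block style, `annotations:` followed by the indented `iam.gke.io/gcp-service-account:` line, is equivalent and matches the rest of the values files in this series. The `cloudsql:` section continues outside the hunk.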
@@ -8,11 +8,11 @@ autostart: "type": "RubinRepoMan", "registry_url": "ts-dockerhub.lsst.org", "repo": "sal-sciplat-lab", - "recommended_tag": "recommended_c0026", + "recommended_tag": "recommended_c0027", "num_releases": 1, "num_weeklies": 3, "num_dailies": 2, - "cycle": 26, + "cycle": 27, "alias_tags": [ "latest", "latest_daily", From dc9a7cce5969360e616d758f993cf6758648efda Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 31 Oct 2022 14:37:32 -0400 Subject: [PATCH 1220/1479] Add phalanx.lsst.io/docs Chart.yaml annotation This is a proof-of-concept for adding information about Rubin docs (technotes and change-controlled documents) to the application summary tables of apps using Helm's free-form "annotations" field. Note that items in annotation must be strings. How we handle this is by making each item a YAML-formatted string that we can parse later. This is very much based on how Artifact Hub uses annotations https://artifacthub.io/docs/topics/annotations/helm/ --- services/semaphore/Chart.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/services/semaphore/Chart.yaml b/services/semaphore/Chart.yaml index 87de56eefe..c021a09311 100644 --- a/services/semaphore/Chart.yaml +++ b/services/semaphore/Chart.yaml @@ -9,3 +9,8 @@ sources: maintainers: - name: jonathansick url: https://github.com/jonathansick +annotations: + phalanx.lsst.io/docs: | + - id: "SQR-060" + title: "Design of the Semaphore user broadcast message system for the Rubin Science Platform" + url: "https://sqr-060.lsst.io/" From d32f0db46d2d728f222d0b4c029c627fde7764c7 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 31 Oct 2022 15:59:06 -0400 Subject: [PATCH 1221/1479] Add document links to app summary tables These links are based on the phalanx.lsst.io/docs annotation data. --- docs/applications/_summary.rst.jinja | 13 ++++++++++ src/phalanx/docs/models.py | 37 ++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) 
diff --git a/docs/applications/_summary.rst.jinja b/docs/applications/_summary.rst.jinja index 335045a830..ac7e756d30 100644 --- a/docs/applications/_summary.rst.jinja +++ b/docs/applications/_summary.rst.jinja @@ -20,6 +20,19 @@ {% endfor %} {% endif %} {% endif %} + {% if app.doc_links %} + * - Related docs + {% if app.doc_links|length == 1 %} + - {{ app.doc_links[0] }} + {% else %} + - - {{ app.doc_links[0] }} + {% endif %} + {% if app.doc_links|length > 1 %} + {% for doc_link in app.doc_links[1:] %} + - {{ doc_link }} + {% endfor %} + {% endif %} + {% endif %} * - Type - Helm_ * - Namespace diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index db91d275e1..4aecccfdd5 100644 --- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py @@ -4,6 +4,7 @@ import re from dataclasses import dataclass, field +from functools import cached_property from pathlib import Path from typing import Any, Dict, List, Optional, Tuple @@ -16,6 +17,31 @@ """Root directory of the application Helm charts in Phalanx.""" +@dataclass(kw_only=True) +class DocLink: + """A model describing a document link, based on an individual array item + in the ``phalanx.lsst.io/docs`` chart annotation. + """ + + url: str + """URL to the document.""" + + title: str + """Document title.""" + + id: Optional[str] + """Document identifier.""" + + def __str__(self) -> str: + """A reStructuredText-formatted link.""" + if self.id is not None: + label = f"{self.id}: {self.title}" + else: + label = self.title + + return f"`{label} <{self.url}>`__" + + @dataclass(kw_only=True) class Application: """A model for a Phalanx-configured application.""" 
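Review bot: The inner `{% if app.doc_links|length > 1 %}` guard around the `for` loop is redundant, since `app.doc_links[1:]` is already empty for a single-item list; dropping that `if`/`endif` pair and keeping just `{% for doc_link in app.doc_links[1:] %}` removes one nesting level with identical output. The surrounding list-table continues outside the hunk.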
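Review bot: `id: Optional[str]` on `DocLink` has no default, so `DocLink(**d)` raises `TypeError` for any annotation item that omits `id`, even though `__str__` already handles `self.id is None` and the docs commit later in this series describes `id` as optional; change it to `id: Optional[str] = None`. Because the dataclass is `kw_only=True` and `id` is the last field, adding the default does not disturb the other fields. The `Application` class that follows is cut off by the hunk.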
@@ -68,6 +94,17 @@ def values_table_md(self) -> str:
 return "\n".join(lines[i + 1 :])
 return ""
+ @cached_property
+ def doc_links(self) -> List[str]:
+ """reStructuredText-formatted list of links."""
+ key = "phalanx.lsst.io/docs"
+ if "annotations" in self.chart and key in self.chart["annotations"]:
+ docs_data = yaml.safe_load(self.chart["annotations"][key])
+ docs = [DocLink(**d) for d in docs_data]
+ return docs
+ else:
+ return []
+
 @classmethod
 def load(
 cls, *, app_dir: Path, root_dir: Path, env_values: Dict[str, Dict]
From 80b2fdddf70651b04101baa64eb76f98b322db50 Mon Sep 17 00:00:00 2001
From: Jonathan Sick
Date: Mon, 31 Oct 2022 16:17:21 -0400
Subject: [PATCH 1222/1479] Add doc annotations to Noteburst + Times Square
This shows how to add multiple documents.
---
 services/noteburst/Chart.yaml | 9 +++++++++
 services/times-square/Chart.yaml | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml
index 4a16426a26..365d16a219 100644
--- a/services/noteburst/Chart.yaml
+++ b/services/noteburst/Chart.yaml
@@ -16,3 +16,12 @@ dependencies:
 - name: redis
 version: 17.3.7
 repository: https://charts.bitnami.com/bitnami
+
+annotations:
+ phalanx.lsst.io/docs: |
+ - id: "SQR-065"
+ title: "Design of Noteburst, a programatic JupyterLab notebook execution service for the Rubin Science Platform"
+ url: "https://sqr-065.lsst.io/"
+ - id: "SQR-062"
+ title: "The Times Square service for publishing parameterized Jupyter Notebooks in the Rubin Science platform"
+ url: "https://sqr-062.lsst.io/"
diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml
index 2575f49395..468cbbf16a 100644
--- a/services/times-square/Chart.yaml
+++ b/services/times-square/Chart.yaml
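Review bot: `doc_links` is annotated `-> List[str]` but returns `List[DocLink]`; the template only works because `DocLink.__str__` renders the link, so either the annotation should read `List[DocLink]` or the method should return `[str(d) for d in docs]` to match its own docstring. Separately, `yaml.safe_load` of an empty or whitespace-only annotation string yields `None`, which the comprehension then fails on with `TypeError`; `docs_data = yaml.safe_load(self.chart["annotations"][key]) or []` covers that and is still one line. Using `safe_load` for chart-supplied text is the right loader choice and should stay. `load` continues outside the hunk.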
@@ -13,3 +13,12 @@ dependencies: - name: redis version: 17.3.7 repository: https://charts.bitnami.com/bitnami + +annotations: + phalanx.lsst.io/docs: | + - id: "SQR-062" + title: "The Times Square service for publishing parameterized Jupyter Notebooks in the Rubin Science platform" + url: "https://sqr-062.lsst.io/" + - id: "SQR-065" + title: "Design of Noteburst, a programatic JupyterLab notebook execution service for the Rubin Science Platform" + url: "https://sqr-065.lsst.io/" From 8e089905408dec9d04b5dc94030acc6738448abd Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 31 Oct 2022 16:23:57 -0400 Subject: [PATCH 1223/1479] Switch home to sources "sources" is more appropriate for GitHub repo links; we'll add a home when Times Square has a user guide. --- services/times-square/Chart.yaml | 3 ++- services/times-square/README.md | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 468cbbf16a..adb496b852 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -3,7 +3,8 @@ name: times-square version: 1.0.0 description: | An API service for managing and rendering parameterized Jupyter notebooks. -home: https://github.com/lsst-sqre/times-square +sources: + - https://github.com/lsst-sqre/times-square type: application # The default version tag of the times-square docker image diff --git a/services/times-square/README.md b/services/times-square/README.md index 5048c5df56..544b73fddc 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -2,7 +2,9 @@ An API service for managing and rendering parameterized Jupyter notebooks. -**Homepage:** +## Source Code + +* ## Requirements From 861db365faefe4849159562eabe2de02f8c79771 Mon Sep 17 00:00:00 2001 
From: Jonathan Sick Date: Mon, 31 Oct 2022 16:42:32 -0400 Subject: [PATCH 1224/1479] Document phalanx.lsst.io/docs annotation And also document how home and sources are used in the Phalanx docs. --- docs/developers/chart-overview.rst | 57 ++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/docs/developers/chart-overview.rst b/docs/developers/chart-overview.rst index 832caaca2a..50482d6904 100644 --- a/docs/developers/chart-overview.rst +++ b/docs/developers/chart-overview.rst 
@@ -49,3 +49,60 @@ This will cause the application resource in the ``science-platform`` app to show Additionally, many charts allow specification of a tag (usually some variable like ``image.tag`` in a values file), so that is a possibility as well. If your chart doesn't have a way to control what image tag you're deploying from, consider adding the capability. In any event, for RSP instances, we (as a matter of policy) disable automatic deployment in Argo CD so there is a human check on whether a given chart is safe to deploy in a given environment, and updates are deployed to production environments (barring extraordinary circumstances) during our specified maintenance windows. + +.. _chart-doc-links: + +Source and documentation links in Chart.yaml +============================================ + +You can add source and documentation links to an app's ``Chart.yaml`` and that information is included in the :doc:`app's homepage in the Phalanx docs `. + +home +---- + +Use the ``home`` field in ``Chart.yaml`` for the app's documentation site (if it has one). +For example: + +.. code-block:: yaml + :caption: Chart.yaml + + home: https://gafaelfawr.lsst.io/ + +Don't use the ``home`` field for links to documents (technotes) or source repositories. + +sources +------- + +Use ``sources`` to link to the Git repositories related to the application. +Note that ``sources`` is an array of URLs: + +.. code-block:: yaml + :caption: Chart.yaml + + sources: + - https://github.com/lsst-sqre/gafaelfawr + +phalanx.lsst.io/docs +-------------------- + +Use this custom annotation to link to documents (as opposed to the user guide, see ``home``). +Documents are technotes and change-controlled documents: + + +.. 
code-block:: yaml + :caption: Chart.yaml + + annotations: + phalanx.lsst.io/docs: | + - id: "SQR-065" + title: "Design of Noteburst, a programatic JupyterLab notebook execution service for the Rubin Science Platform" + url: "https://sqr-065.lsst.io/" + - id: "SQR-062" + title: "The Times Square service for publishing parameterized Jupyter Notebooks in the Rubin Science platform" + url: "https://sqr-062.lsst.io/" + +.. note:: + + Note how the value of ``phalanx.lsst.io/docs`` is a YAML-formatted string (hence the ``|`` symbol). + The ``id`` field is optional, but can be set to the document's handle. + The ``title`` and ``url`` fields are required. From 438a532adf6d40b4bb0e525cde9d23f4284fdc63 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 31 Oct 2022 15:44:56 -0700 Subject: [PATCH 1225/1479] Add tech note references to services For services that have associated tech notes, add the references using the new annotation syntax. --- services/datalinker/Chart.yaml | 5 +++++ services/gafaelfawr/Chart.yaml | 11 +++++++++++ services/hips/Chart.yaml | 5 +++++ services/moneypenny/Chart.yaml | 6 ++++++ services/nublado2/Chart.yaml | 8 ++++++++ services/sasquatch/Chart.yaml | 7 +++++++ services/telegraf-ds/Chart.yaml | 5 +++++ services/telegraf/Chart.yaml | 5 +++++ services/vo-cutouts/Chart.yaml | 5 +++++ 9 files changed, 57 insertions(+) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index c0932d6edd..0dc4090b8d 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -5,3 +5,8 @@ description: Service and data discovery for Rubin Science Platform sources: - https://github.com/lsst-sqre/datalinker appVersion: 1.5.0 +annotations: + phalanx.lsst.io/docs: | + - id: "DMTN-238" + title: "RSP DataLink service implementation strategy" + url: "https://dmtn-238.lsst.io/" diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 36b668955b..0ceb9e76e4 100644 --- a/services/gafaelfawr/Chart.yaml 
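Review bot: The new `annotations:` stanzas are written three different ways across this commit — immediately after `appVersion` (datalinker, gafaelfawr, hips, telegraf, telegraf-ds, vo-cutouts), after a separating blank line (nublado2, sasquatch), and with a folded `title: >-` scalar (moneypenny) where every other chart uses a quoted single-line string. Since the value is YAML-in-a-string that `yaml.safe_load` parses later, a single uniform shape — I would suggest the quoted single-line `title` with no blank line, as in datalinker — keeps the blocks greppable and makes copy-and-edit between charts less error-prone. This applies to the gafaelfawr, hips, moneypenny, nublado2, sasquatch, telegraf-ds, telegraf and vo-cutouts hunks that follow.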
+++ b/services/gafaelfawr/Chart.yaml @@ -6,3 +6,14 @@ home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr appVersion: 7.0.0 +annotations: + phalanx.lsst.io/docs: | + - id: "DMTN-234" + title: "RSP identity management design" + url: "https://dmtn-234.lsst.io/" + - id: "DMTN-224" + title: "RSP identity management implementation strategy" + url: "https://dmtn-224.lsst.io/" + - id: "SQR-069" + title: "Implementation decisions for RSP identity management" + url: "https://sqr-069.lsst.io/" diff --git a/services/hips/Chart.yaml b/services/hips/Chart.yaml index 1d8f34b68a..c3d493de4a 100644 --- a/services/hips/Chart.yaml +++ b/services/hips/Chart.yaml @@ -5,3 +5,8 @@ description: HiPS web server backed by Google Cloud Storage sources: - https://github.com/lsst-sqre/crawlspace appVersion: 0.2.1 +annotations: + phalanx.lsst.io/docs: | + - id: "DMTN-230" + title: "RSP HiPS service implementation strategy" + url: "https://dmtn-230.lsst.io/" diff --git a/services/moneypenny/Chart.yaml b/services/moneypenny/Chart.yaml index 87ac28939a..5005cda2a5 100644 --- a/services/moneypenny/Chart.yaml +++ b/services/moneypenny/Chart.yaml @@ -3,3 +3,9 @@ appVersion: "1.0.0" description: User provisioning actions for the Science Platform name: moneypenny version: 1.0.2 +annotations: + phalanx.lsst.io/docs: | + - id: "SQR-052" + title: >- + Proposal for privilege separation in RSP Notebook Aspect containers + url: "https://sqr-052.lsst.io/" diff --git a/services/nublado2/Chart.yaml b/services/nublado2/Chart.yaml index 969d0cbdf0..d758b2bf68 100644 --- a/services/nublado2/Chart.yaml +++ b/services/nublado2/Chart.yaml @@ -5,7 +5,9 @@ description: JupyterHub for the Rubin Science Platform home: https://github.com/lsst-sqre/nublado2 sources: - https://github.com/lsst-sqre/nublado2 +# This version is not used directly. Also update the tag in values.yaml. appVersion: "2.6.1" + # Match the jupyterhub Helm chart for kubeVersion kubeVersion: ">=1.20.0-0" dependencies: 
@@ -14,3 +16,9 @@ dependencies: # Jupyterhub package itself. version: "2.0.0" repository: https://jupyterhub.github.io/helm-chart/ + +annotations: + phalanx.lsst.io/docs: | + - id: "DMTN-164" + title: "Nublado v2 Architecture" + url: "https://dmtn-164.lsst.io/" diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index c83458919c..4ea9f079b2 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -3,6 +3,7 @@ name: sasquatch version: 1.0.0 description: Rubin Observatory's telemetry service. appVersion: 0.1.0 + dependencies: - name: strimzi-kafka version: 1.0.0 @@ -27,3 +28,9 @@ dependencies: version: 1.0.0 - name: telegraf-kafka-consumer version: 1.0.0 + +annotations: + phalanx.lsst.io/docs: | + - id: "SQR-068" + title: "Sasquatch: beyond the EFD" + url: "https://sqr-068.lsst.io/" diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml index d764825d71..3224a33e50 100644 --- a/services/telegraf-ds/Chart.yaml +++ b/services/telegraf-ds/Chart.yaml @@ -6,3 +6,8 @@ dependencies: - name: telegraf-ds version: 1.1.4 repository: https://helm.influxdata.com/ +annotations: + phalanx.lsst.io/docs: | + - id: "SQR-061" + title: "Monitoring architecture for the RSP" + url: "https://sqr-061.lsst.io/" diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index 0d72f6881b..dc35fe8bef 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml @@ -6,3 +6,8 @@ dependencies: - name: telegraf version: 1.8.22 repository: https://helm.influxdata.com/ +annotations: + phalanx.lsst.io/docs: | + - id: "SQR-061" + title: "Monitoring architecture for the RSP" + url: "https://sqr-061.lsst.io/" diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index 240c9becac..36eec53b4e 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml 
@@ -5,3 +5,8 @@ description: "Image cutout service complying with IVOA SODA" sources: - "https://github.com/lsst-sqre/vo-cutouts" appVersion: 0.4.2 +annotations: + phalanx.lsst.io/docs: | + - id: "DMTN-208" + title: "RSP image cutout service implementation strategy" + url: "https://dmtn-208.lsst.io/" From c2bff200384cb15ecdeced797a5a19c86b8d76b6 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 31 Oct 2022 15:48:23 -0700 Subject: [PATCH 1226/1479] Rebuild documentation on more changes The new Phalanx documentation pulls information from Chart.yaml and from the portion of README.md for each chart that is generated from values.yaml, so rebuild the documentation if those files change. --- .github/workflows/docs.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 7310381165..f6f58c47ee 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -4,6 +4,8 @@ name: Docs pull_request: paths: - "docs/**" + - "services/*/Chart.yaml" + - "services/*/values.yaml" push: branches-ignore: # These should always correspond to pull requests, so ignore them for @@ -18,6 +20,8 @@ name: Docs - "*" paths: - "docs/**" + - "services/*/Chart.yaml" + - "services/*/values.yaml" jobs: docs: From 741bfe4fcf0d6fefe8e40f298e82466fb18da9a6 Mon Sep 17 00:00:00 2001 From: dspeck1 Date: Thu, 14 Apr 2022 08:56:52 -0500 Subject: [PATCH 1227/1479] initial commit of cachemachine gar doc --- docs/applications/cachemachine/gar.rst | 38 ++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 docs/applications/cachemachine/gar.rst diff --git a/docs/applications/cachemachine/gar.rst b/docs/applications/cachemachine/gar.rst new file mode 100644 index 0000000000..a49d0d94fd --- /dev/null +++ b/docs/applications/cachemachine/gar.rst 
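Review bot: The two path filters in the docs.yaml hunks (the `pull_request` list in the first hunk and the `push` list in the second) trigger on `services/*/Chart.yaml` and `services/*/values.yaml`, but the commit message says the documentation is pulled from each chart's README.md, and README.md is not in either list. If the README is regenerated in a commit that does not also touch values.yaml (as happens when the generated table is refreshed separately), a push of that commit would not rebuild the docs; adding `- "services/*/README.md"` to both lists would close that gap. The `services/*/` glob also will not match subcharts under `services/*/charts/*/`, which is presumably intended since only top-level charts are documented, but a short comment above the list saying so would help the next reader.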
@@ -0,0 +1,38 @@ +############################################################################## +Overview of Cachemachine integration with Google Cloud Artifact Registry (GAR) +############################################################################## + +The existing Cachemachine service was updated to support interfacing with the Google Artifact Registry (GAR) API instead of using the docker client. This allows for workload identity credentials to be used instead of docker credentials. Docker client authentication with GAR is cumbersome because a JSON token is used for authentication that contains special characters which makes it difficult to pass between multiple secret engine layers. The other main advantage of interfacing directly with GAR is that a hash cache does not need to be built. The GAR API returns a list of images with all tags for that image. The docker client will return a list of images with a single tag. The single tag per image approach with the docker client requires that a hash cache is built to group the same images together. That construct is not used by the GAR instance of cachemachine because the image already has the tags included in the API response. + +Container Image Streaming +========================= + +[Container Image Streaming](https://cloud.google.com/blog/products/containers-kubernetes/introducing-container-image-streaming-in-gke) is used by uncached images and by cachemachine to decrease the time for the image pull time. The sciplat lab images are 4 GB and the image pull time decreased from 4 minutes to 30 seconds using image streaming. Image streaming is per project by enabling the `containerfilesystem.googleapis.com` API. This was enabled via Terraform. + + +Workload Identity +================= + +[Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) is used by Cachemachine to authenticate with GAR API. 
Workload Identity allows kubernetes service accounts to impersonate Google Cloud Platform (GCP) Service Accounts to authenticate to GCP services. Workload Identity is enabled on all of the Rubin Science Platform (RSP) Google Kuberentes Engine (GKE) Clusters. The binding between the Kubernetes and the GCP service account is done through IAM permissions deployed via Terraform. A kubernetes annotation is deployed via phalanx as detailed below to bind the GCP service account to the Kubernetes service account. + +``` +serviceAccount: + annotations: { + iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-dev-7696.iam.gserviceaccount.com + } +``` +To troubleshoot or validate workload identity a test pod can be provisioned using [these instructions](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#verify_the_setup) + + +Validating Operations +===================== + +To validate cachemachine is running check the status page at this url `https://data-dev.lsst.cloud/cachemachine/jupyter`. Replace `data-dev` with the appropriate environment. Check the `common_cache` for new images cached and see if in `images_to_cache` is blank or only showing new images that are in the process of being downloaded. + + +https://data-dev.lsst.cloud/cachemachine/jupyter + +Below are notes from the deployment and considerations for future. + +* The kubernetes python client defaults to including an image pull secret. This value is not used by GAR. In GKE the nodes default to using the built in service account to pull images. Noting here to avoid confusion in the future. +* Image streaming is currently a per region setting. If GKE clustes are deployed outside of us-central1 in the future a GAR repo should be created for that region to stream images. \ No newline at end of file From 0ed74369f9cd7f979244284c23b5938e462a272a Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 31 Oct 2022 16:39:06 -0700 Subject: [PATCH 1228/1479] Reformat the GAR documentation Do some reformatting and rewording, and fix a few rST bugs. Add the document to the new list of guides. --- docs/applications/cachemachine/gar.rst | 64 ++++++++++++++++-------- docs/applications/cachemachine/index.rst | 1 + 2 files changed, 45 insertions(+), 20 deletions(-) diff --git a/docs/applications/cachemachine/gar.rst b/docs/applications/cachemachine/gar.rst index a49d0d94fd..6b4e52c646 100644 --- a/docs/applications/cachemachine/gar.rst +++ b/docs/applications/cachemachine/gar.rst 
@@ -1,38 +1,62 @@ -############################################################################## -Overview of Cachemachine integration with Google Cloud Artifact Registry (GAR) -############################################################################## +################################################ +Google Cloud Artifact Registry (GAR) integration +################################################ -The existing Cachemachine service was updated to support interfacing with the Google Artifact Registry (GAR) API instead of using the docker client. This allows for workload identity credentials to be used instead of docker credentials. Docker client authentication with GAR is cumbersome because a JSON token is used for authentication that contains special characters which makes it difficult to pass between multiple secret engine layers. The other main advantage of interfacing directly with GAR is that a hash cache does not need to be built. The GAR API returns a list of images with all tags for that image. The docker client will return a list of images with a single tag. The single tag per image approach with the docker client requires that a hash cache is built to group the same images together. That construct is not used by the GAR instance of cachemachine because the image already has the tags included in the API response. +Cachemachine optionally supports using the Google Cloud Artifact Registry (GAR) API to list images rather than the Docker API. + +This allows workload identity credentials to be used instead of Docker credentials when the images are stored in GAR. +Docker client authentication with GAR is cumbersome because a JSON token is used for authentication, and that token contains special characters that make it difficult to pass between multiple secret engine layers. + +Using the GAR API directly also avoids the need to build a cache of hashes to resolve tags to images. 
+The Docker API returns a list of images with a single tag, which requires constructing a cache of known hashes to determine which tags are alternate names for images that have already been seen. +The GAR API returns a list of images with all tags for that image, avoiding this problem. Container Image Streaming ========================= -[Container Image Streaming](https://cloud.google.com/blog/products/containers-kubernetes/introducing-container-image-streaming-in-gke) is used by uncached images and by cachemachine to decrease the time for the image pull time. The sciplat lab images are 4 GB and the image pull time decreased from 4 minutes to 30 seconds using image streaming. Image streaming is per project by enabling the `containerfilesystem.googleapis.com` API. This was enabled via Terraform. +`Container Image Streaming `__ is used by cachemachine to decrease the time for the image pull time. +It's also used when an image isn't cached, which makes it practical to use uncached images. +With normal Docker image retrieval, using an uncached image can result in a five-minute wait and an almost-certain timeout. + +The ``sciplatlab`` images are 4GB. +Image pull time for those images decreased from 4 minutes to 30 seconds using image streaming. +Image streaming is per project by enabling the ``containerfilesystem.googleapis.com`` API. +This was enabled via Terraform for the Interim Data Facility environments. Workload Identity ================= -[Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) is used by Cachemachine to authenticate with GAR API. Workload Identity allows kubernetes service accounts to impersonate Google Cloud Platform (GCP) Service Accounts to authenticate to GCP services. Workload Identity is enabled on all of the Rubin Science Platform (RSP) Google Kuberentes Engine (GKE) Clusters. The binding between the Kubernetes and the GCP service account is done through IAM permissions deployed via Terraform. 
A kubernetes annotation is deployed via phalanx as detailed below to bind the GCP service account to the Kubernetes service account. +`Workload Identity `__ is used by Cachemachine to authenticate to the GAR API. +Workload Identity allows Kubernetes service accounts to impersonate Google Cloud Platform (GCP) Service Accounts to authenticate to GCP services. +Workload Identity is enabled on all of the Rubin Science Platform (RSP) Google Kuberentes Engine (GKE) Clusters. -``` -serviceAccount: - annotations: { - iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-dev-7696.iam.gserviceaccount.com - } -``` -To troubleshoot or validate workload identity a test pod can be provisioned using [these instructions](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#verify_the_setup) +The binding between the Kubernetes and the GCP service account is done through IAM permissions deployed via Terraform. +The following Kubernetes annotation must be added to the Kubernetes ``ServiceAccount`` object as deployed via Phalanx to bind that service account to the GCP service account. +.. code-block:: yaml -Validating Operations -===================== + serviceAccount: + annotations: { + iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-dev-7696.iam.gserviceaccount.com + } + +To troubleshoot or validate Workload Identity, a test pod can be provisioned using [these instructions](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#verify_the_setup) -To validate cachemachine is running check the status page at this url `https://data-dev.lsst.cloud/cachemachine/jupyter`. Replace `data-dev` with the appropriate environment. Check the `common_cache` for new images cached and see if in `images_to_cache` is blank or only showing new images that are in the process of being downloaded. 
+Validating operations +===================== +To validate cachemachine is running, check the status page at ``https://data-dev.lsst.cloud/cachemachine/jupyter``. +(Replace ``data-dev`` with the appropriate environment.) +Check the ``common_cache`` key for cached images, and see if ``images_to_cache`` is blank or only showing new images that are in the process of being downloaded. -https://data-dev.lsst.cloud/cachemachine/jupyter +Future work +=========== -Below are notes from the deployment and considerations for future. +- Cachemachine and Nublado both default to configuring an image pull secret when spawning pods. + This value is not used by GAR. + In GKE, the nodes default to using the built-in service account to pull images. + This means we can drop the ``pull-secret`` secret and its configuration when GAR is in use. -* The kubernetes python client defaults to including an image pull secret. This value is not used by GAR. In GKE the nodes default to using the built in service account to pull images. Noting here to avoid confusion in the future. -* Image streaming is currently a per region setting. If GKE clustes are deployed outside of us-central1 in the future a GAR repo should be created for that region to stream images. \ No newline at end of file +- Image streaming is currently a per-region setting. + If GKE clustes are deployed outside of ``us-central1`` in the future, a GAR repository should be created for that region to stream images. diff --git a/docs/applications/cachemachine/index.rst b/docs/applications/cachemachine/index.rst index 4554a18a98..7cca7f737b 100644 --- a/docs/applications/cachemachine/index.rst +++ b/docs/applications/cachemachine/index.rst @@ -17,4 +17,5 @@ Guides upgrade pruning updating-recommended + gar values From 3cc8411cea0bc986dcac241c006484b21252dbfc Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 31 Oct 2022 16:53:05 -0700 Subject: [PATCH 1229/1479] Fix stray Markdown link Fix a stray Markdown link in the GAR documentation. --- docs/applications/cachemachine/gar.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/applications/cachemachine/gar.rst b/docs/applications/cachemachine/gar.rst index 6b4e52c646..5ba3ad269c 100644 --- a/docs/applications/cachemachine/gar.rst +++ b/docs/applications/cachemachine/gar.rst @@ -41,7 +41,7 @@ The following Kubernetes annotation must be added to the Kubernetes ``ServiceAcc iam.gke.io/gcp-service-account: cachemachine-wi@science-platform-dev-7696.iam.gserviceaccount.com } -To troubleshoot or validate Workload Identity, a test pod can be provisioned using [these instructions](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#verify_the_setup) +To troubleshoot or validate Workload Identity, a test pod can be provisioned using `these instructions `__. Validating operations ===================== From b6f89e2360ee909ee945bf34030c8ecbb30c7930 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 31 Oct 2022 21:11:41 -0700 Subject: [PATCH 1230/1479] Better control where influxdb2 is enabled --- services/sasquatch/Chart.yaml | 1 + services/sasquatch/README.md | 1 + services/sasquatch/values-idfdev.yaml | 1 + services/sasquatch/values.yaml | 1 + 4 files changed, 4 insertions(+) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 4ea9f079b2..5f792ef60e 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -14,6 +14,7 @@ dependencies: version: 4.12.0 repository: https://helm.influxdata.com/ - name: influxdb2 + condition: influxdb2.enabled version: 2.1.1 repository: https://helm.influxdata.com/ - name: kafka-connect-manager diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 7e393decad..fc7f1e7d2e 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -49,6 +49,7 @@ Rubin Observatory's telemetry service. | influxdb2.adminUser.bucket | string | `"default"` | Admin default bucket. | | influxdb2.adminUser.existingSecret | string | `"sasquatch"` | Get admin-password/admin-token keys from secret. | | influxdb2.adminUser.organization | string | `"default"` | Admin default organization. | +| influxdb2.enabled | bool | `false` | | | influxdb2.env[0].name | string | `"INFLUXD_STORAGE_WAL_FSYNC_DELAY"` | | | influxdb2.env[0].value | string | `"100ms"` | | | influxdb2.env[1].name | string | `"INFLUXD_HTTP_IDLE_TIMEOUT"` | | diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index 9005ef64c9..b6314343f9 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -20,6 +20,7 @@ influxdb: hostname: data-dev.lsst.cloud influxdb2: + enabled: true ingress: enabled: true hostname: data-dev.lsst.cloud diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index dbc90902e4..5229f8e1cc 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -71,6 +71,7 @@ influxdb: cpu: 8 influxdb2: + enabled: false adminUser: # -- Admin default organization. organization: "default" From eb73934f09fec758fef10af24945f0a2af6fdba2 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Tue, 1 Nov 2022 14:37:51 +0000 Subject: [PATCH 1231/1479] Update alert-stream-broker Kafka version --- .../charts/alert-stream-broker/README.md | 6 +++--- .../charts/alert-stream-broker/values.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/services/alert-stream-broker/charts/alert-stream-broker/README.md b/services/alert-stream-broker/charts/alert-stream-broker/README.md index 43225ca04b..85442ab6ff 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/README.md +++ b/services/alert-stream-broker/charts/alert-stream-broker/README.md 
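Review bot: The new `enabled: false` key under `influxdb2` in services/sasquatch/values.yaml is added without a helm-docs `# --` comment, which is why the regenerated README row `| influxdb2.enabled | bool | `false` | |` in the README hunk has an empty description. Since this key is what the new `condition: influxdb2.enabled` on the influxdb2 dependency in Chart.yaml reads, a one-line comment such as `# -- Whether to deploy the influxdb2 subchart.` directly above `enabled: false` would document the switch and populate the README on the next helm-docs run. The `influxdb2:` mapping continues outside the hunk.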
@@ -15,14 +15,14 @@ Kafka broker cluster for distributing alerts | kafka.externalListener.bootstrap.host | string | `""` | Hostname that should be used by clients who want to connect to the broker through the bootstrap address. | | kafka.externalListener.bootstrap.ip | string | `""` | IP address that should be used by the broker's external bootstrap load balancer for access from the internet. The format of this is a string like "192.168.1.1". | | kafka.externalListener.brokers | list | `[]` | List of hostname and IP for each broker. The format of this is a list of maps with 'ip' and 'host' keys. For example: - ip: "192.168.1.1" host: broker-0.example - ip: "192.168.1.2" host: broker-1.example Each replica should get a host and IP. If these are unset, then IP addresses will be chosen automatically by the Kubernetes cluster's LoadBalancer controller, and hostnames will be unset, which will break TLS connections. | -| kafka.interBrokerProtocolVersion | float | `2.8` | Version of the protocol for inter-broker communication, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | -| kafka.logMessageFormatVersion | float | `2.8` | Encoding version for messages, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | +| kafka.interBrokerProtocolVersion | string | `"3.2.3"` | Version of the protocol for inter-broker communication, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | +| kafka.logMessageFormatVersion | string | `"3.2.3"` | Encoding version for messages, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | | kafka.nodePool.affinities | list | `[{"key":"kafka","value":"ok"}]` | List of node affinities to set for the broker's nodes. The key should be a label key, and the value should be a label value, and then the broker will prefer running Kafka and Zookeeper on nodes with those key-value pairs. 
| | kafka.nodePool.tolerations | list | `[{"effect":"NoSchedule","key":"kafka","value":"ok"}]` | List of taint tolerations when scheduling the broker's pods onto nodes. The key should be a taint key, the value should be a taint value, and effect should be a taint effect that can be tolerated (ignored) when scheduling the broker's Kafka and Zookeeper pods. | | kafka.replicas | int | `3` | Number of Kafka broker replicas to run. | | kafka.storage.size | string | `"1000Gi"` | Size of the backing storage disk for each of the Kafka brokers. | | kafka.storage.storageClassName | string | `"standard"` | Name of a StorageClass to use when requesting persistent volumes. | -| kafka.version | string | `"2.8.1"` | Version of Kafka to deploy. | +| kafka.version | string | `"3.2.3"` | Version of Kafka to deploy. | | nameOverride | string | `""` | | | strimziAPIVersion | string | `"v1beta2"` | Version of the Strimzi Custom Resource API. The correct value depends on the deployed version of Strimzi. See [this blog post](https://strimzi.io/blog/2021/04/29/api-conversion/) for more. | | superusers | list | `["kafka-admin"]` | A list of usernames for users who should have global admin permissions. These users will be created, along with their credentials. | diff --git a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml index cb5db7cf0c..4226954915 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml +++ b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml 
@@ -9,13 +9,13 @@ cluster: kafka: # -- Version of Kafka to deploy. - version: 2.8.1 + version: 3.2.3 # -- Encoding version for messages, see # https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. - logMessageFormatVersion: 2.8 + logMessageFormatVersion: 3.2.3 # -- Version of the protocol for inter-broker communication, see # https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. - interBrokerProtocolVersion: 2.8 + interBrokerProtocolVersion: 3.2.3 # -- Number of Kafka broker replicas to run. replicas: 3 From c728168a2e4ffce5a51e99c0d69667753f3462ef Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 2 Nov 2022 10:44:08 -0700 Subject: [PATCH 1232/1479] Editing pass through Gafaelfawr documentation Remove the notes page, since this is now redundant with the links section on the main application page. Remove obsolete information and do a general update pass through all of the guides. --- .../gafaelfawr/github-organizations.rst | 3 ++ docs/applications/gafaelfawr/index.rst | 1 - docs/applications/gafaelfawr/notes.rst | 13 ------ .../gafaelfawr/recreate-token.rst | 13 ++++-- docs/applications/gafaelfawr/storage.rst | 13 ++++-- docs/applications/gafaelfawr/troubleshoot.rst | 42 ++++++++++++++----- 6 files changed, 52 insertions(+), 33 deletions(-) delete mode 100644 docs/applications/gafaelfawr/notes.rst diff --git a/docs/applications/gafaelfawr/github-organizations.rst b/docs/applications/gafaelfawr/github-organizations.rst index cfec536509..17f0022ac0 100644 --- a/docs/applications/gafaelfawr/github-organizations.rst +++ b/docs/applications/gafaelfawr/github-organizations.rst 
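Review bot: The three new values `version: 3.2.3`, `logMessageFormatVersion: 3.2.3` and `interBrokerProtocolVersion: 3.2.3` in the values.yaml hunk are unquoted and only parse as strings because they contain two dots; the previous `2.8` values were parsed as floats (the README in the preceding hunk typed them `float`), and the next bump to a two-component version such as `3.3` would silently regress to a float again and flip the README type back. Quote all three (`version: "3.2.3"`, `logMessageFormatVersion: "3.2.3"`, `interBrokerProtocolVersion: "3.2.3"`) so the type is stable regardless of the value. Two further points to confirm against the Strimzi documentation linked in the comments: the protocol and message-format versions are conventionally given as major.minor (e.g. "3.2") rather than the full broker version, and raising `interBrokerProtocolVersion` in the same change as the broker `version` removes the option of rolling the broker upgrade back, so operators usually bump the protocol version in a follow-up change once the new brokers are healthy.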
@@ -2,9 +2,12 @@ Releasing GitHub organization data ################################## +This applies only to Science Platform environments that use GitHub for authentication, not to ones that use CILogon or a local identity provider. + When the user is sent to GitHub to perform an OAuth 2.0 authentication, they are told what information about their account the application is requesting, and are prompted for which organizational information to release. Since we're using GitHub for group information, all organizations that should contribute to group information (via team membership) must have their data released. GitHub supports two ways of doing this: make the organization membership public, or grant the OAuth App access to that organization's data explicitly. + GitHub allows the user to do the latter in the authorization screen during OAuth 2.0 authentication. .. figure:: github-oauth.png diff --git a/docs/applications/gafaelfawr/index.rst b/docs/applications/gafaelfawr/index.rst index 9212298417..24b1b27c60 100644 --- a/docs/applications/gafaelfawr/index.rst +++ b/docs/applications/gafaelfawr/index.rst @@ -21,7 +21,6 @@ Guides .. toctree:: :maxdepth: 2 - notes storage recreate-token github-organizations diff --git a/docs/applications/gafaelfawr/notes.rst b/docs/applications/gafaelfawr/notes.rst deleted file mode 100644 index eee15792e8..0000000000 --- a/docs/applications/gafaelfawr/notes.rst +++ /dev/null @@ -1,13 +0,0 @@ -.. px-app-notes:: gafaelfawr - -################################# -Gafaelfawr architecture and notes -################################# - -Further documentation -===================== - -* `DMTN-234: Identity management design `__ -* `DMTN-224: Identity management implementation `__ -* `SQR-069: Identity management history and decisions `__ -* `Gafaelfawr documentation `__ diff --git a/docs/applications/gafaelfawr/recreate-token.rst b/docs/applications/gafaelfawr/recreate-token.rst index a6b9ac46c7..21da258661 100644 
--- a/docs/applications/gafaelfawr/recreate-token.rst +++ b/docs/applications/gafaelfawr/recreate-token.rst @@ -3,13 +3,14 @@ Recreating Gafaelfawr service tokens #################################### Where possible, we use persistent storage for Gafaelfawr's Redis database so that its tokens survive restarts and upgrades. -However, persistent storage isn't enabled for some clusters, such as (at the time of this writing) the yagan cluster at the summit. -On those clusters, if the ``gafaelfawr-redis`` service is restarted, its storage is cleared, and therefore all tokens will be invalidated. +However, if that persistent storage is deleted for some reason, or if Gafaelfawr is not configured to use persistent storage, all tokens will be invalidated. -When this happens, depending on the order of restart, the ``gafaelfawr-tokens`` pod that is responsible for maintaining service tokens in the cluster may not realize those tokens are no longer valid. -This will primarily affect the Notebook Aspect, which will be unable to authenticate to ``moneypenny`` and thus will not be able to spawn pods. +When this happens, depending on the order of restart, the ``gafaelfawr-tokens`` pod that is responsible for maintaining service tokens in the cluster may take up to 30 minutes to realize those tokens are no longer valid. +This will primarily affect the Notebook Aspect, which will be unable to authenticate to moneypenny and thus will not be able to spawn pods. The result will be a "permission denied" error from moneypenny. +Gafaelfawr will automatically fix this problem after 30 minutes, but unfortunately the JupyterHub component of ``nublado2`` currently loads its token on startup and doesn't pick up changes. + The easiest way to fix this problem is to force revalidation of all of the Gafaelfawr service tokens. To do that: 
@@ -21,3 +22,7 @@ To do that: Be aware that when the Redis storage is wipoed, all user tokens will also be invalidated. Users will be prompted to log in again the next time they go to the Science Platform. + +Invalidating the Redis storage will also result in inconsistencies between Redis and SQL that will produce nightly alerts if Gafaelfawr is configured to send Slack alerts. +To fix the inconsistencies, run ``gafaelfawr audit --fix`` inside the Gafaelfawr pod using ``kubectl exec``. +This will locate all the tokens that are no longer valid and mark them as expired in the database as well. diff --git a/docs/applications/gafaelfawr/storage.rst b/docs/applications/gafaelfawr/storage.rst index 1fa334361f..796156c902 100644 --- a/docs/applications/gafaelfawr/storage.rst +++ b/docs/applications/gafaelfawr/storage.rst @@ -18,7 +18,7 @@ To choose this method, put: persistence: enabled: false -in the ``values-*.yaml`` file for that environment under the ``gafaelfawr`` key. +in the ``values-*.yaml`` file for that environment. .. _dynamic-gafaelfawr: 
@@ -38,9 +38,11 @@ Do this by putting: persistence: storageClass: "standard-rwo" -in the ``values-*.yaml`` file for that environment under the ``gafaelfawr`` key. +in the ``values-*.yaml`` file for that environment. -In this configuration, you may want to start Gafaelfawr so that the persistent volume claim and corresponding persistent volume has been created, locate that persistent volume, and then change its reclaim policy from the default (usually ``Delete``) to ``Retain``. +You may want to change the reclaim policy from the default. +First, start Gafaelfawr so that hte persistent volume claim and corresponding persistent volume have been created. +Then, locate that persistent volume and change its reclaim policy from the default (usually ``Delete``) to ``Retain``. This provides some additional protection against wiping the storage in accidents or application redeployments that cause the ``StatefulSet`` and its ``PersistentVolumeClaim`` to be deleted. Existing ``PersistentVolumeClaim`` @@ -57,4 +59,7 @@ To use this method, add: persistence: volumeClaimName: "" -to ``values-*.yaml`` file for that environment under the ``gafaelfawr`` key, replacing ```` with the name of an existing ``PersistentVolumeClaim`` in the ``gafaelfawr`` namespace. +to ``values-*.yaml`` file for that environment, replacing ```` with the name of an existing ``PersistentVolumeClaim`` in the ``gafaelfawr`` namespace. + +When using this method, Phalanx does not attempt to create or manage the ``PersistentVolumeClaim`` resource. +This must be done outside of Phalanx. diff --git a/docs/applications/gafaelfawr/troubleshoot.rst b/docs/applications/gafaelfawr/troubleshoot.rst index 64ee8de698..ccd8cc89fb 100644 --- a/docs/applications/gafaelfawr/troubleshoot.rst +++ b/docs/applications/gafaelfawr/troubleshoot.rst 
@@ -4,18 +4,38 @@ Troubleshooting ############### -Debugging authentication issues -=============================== +User has no access to services +============================== -If a user successfully authenticates through the Gafaelfawr ``/login`` route but then cannot access an application such as the Notebook or Portal, a good initial debugging step is to determine what scopes the user was granted on the basis of their group membership. +If a user successfully authenticates through the Gafaelfawr ``/login`` route but then cannot access an application such as the Notebook or Portal, or if Gafaelfawr tells them that they are not a member of any authorized groups, start by determining what groups the user is a member of. -Have the user go to ``/auth/analyze``, which will provide a JSON dump of their authentication information. -The important information is in the ``token.data`` portion of the JSON document. -The key information to look at is the ``isMemberOf`` claim, which shows the groups of which Gafaelfawr thinks the user is a member, and the ``scope`` claim, which shows how those group memberships were translated into access scopes using the ``config.groupMappings`` configuration. -This is usually the best tool for uncovering problems with group mapping. +Have the user go to ``/auth/api/v1/user-info``, which will provide a JSON dump of their authentication information. +There is nothing secret in this information, so they can safely cut and paste it into a help ticket, Slack, etc. + +The important information is in the ``groups`` portion of the JSON document. +This shows the group membership as seen by Gafaelfawr. +Scopes are then assigned based on the ``config.groupMapping`` configuration in the ``values-*.yaml`` file for that environment. +Chances are good that the user is not a member of a group that conveys the appropriate scopes. + +From there, the next step is usually to determine why the user is not a member of the appropriate group. 
+Usually this means they weren't added or (in the case of groups from GitHub teams) didn't accept the invitation. + +For a new GitHub configuration, it's possible that the organizational membership is private and the user didn't release it. +See :doc:`github-organizations` for more details about that problem. + +Viewing logs +============ + +For other issues, looking at the pod logs for the ``gafaelfawr`` deployment in the ``gafaelfawr`` namespace is the best next step. +The best way to look at current logs is via Argo CD, which will group together the logs from all pods managed by that deployment and optionally add timestamps. + +Find the ``Deployment`` resource named ``gafaelfawr`` (not the Redis or tokens deployment) and choose :guilabel:`Logs` from the menu. +Then, use the :guilabel:`Containers` button (it looks like three horizontal lines with the middle one offset) at the top and select the ``gafaelfawr`` container. +That will show a merged view of the logs of all of the pods, and you can look for error messages. + +You can also add timestamps to the start of each line and download the logs with other buttons at the top. +Downloading logs will give you somewhat older logs, although usually only about a half-hour's worth since Gafaelfawr generates a lot of logs. -For other issues, looking at the pod logs for the ``gafaelfawr`` pod in the ``gafaelfawr`` namespace is the best next step. -(The actual pod name will have a random string appended to ``gafaelfawr``. -The pod of interest is the one that is not the Redis pod.) -``kubectl logs -n gafaelfawr`` or the Argo CD pod logs screen will show you the messages from Gafaelfawr, including any errors. The logs from Gafaelfawr are in JSON format. +The best way to search older logs (and arguably the best way to look at current logs) is to use a JSON-aware log view and search tool if available for the environment that you're debugging. +For the IDF environments, use `Google Log Explorer `__. 
From 258ff40b382a46e2b3cc01d9e164616a764c9f58 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 2 Nov 2022 10:51:58 -0700 Subject: [PATCH 1233/1479] Improve the bootstrapping checklist Minor wording improvements, delete some duplicate text, and generally tidy up a bit. --- docs/_rst_epilog.rst | 2 +- docs/admin/bootstrapping.rst | 29 +++++++++++++++++------------ 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst index f4e9be3910..1aaf4789ec 100644 --- a/docs/_rst_epilog.rst +++ b/docs/_rst_epilog.rst @@ -17,7 +17,7 @@ .. _LSST Vault Utilites: https://github.com/lsst-sqre/lsstvaultutils/ .. _Namespace: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ .. _`lsst-sqre/phalanx`: -.. _phalanx repository: https://github.com/lsst-sqre/phalanx +.. _Phalanx repository: https://github.com/lsst-sqre/phalanx .. _Pods: .. _Pod: https://kubernetes.io/docs/concepts/workloads/pods/ .. _Roundtable: https://roundtable.lsst.io/ diff --git a/docs/admin/bootstrapping.rst b/docs/admin/bootstrapping.rst index a9cf4d16fd..c1d6e73323 100644 --- a/docs/admin/bootstrapping.rst +++ b/docs/admin/bootstrapping.rst 
@@ -9,7 +9,8 @@ Requirements
* The installer assumes Git 2.22 or later.
-* We presume that you are using Vault_ coupled with `Vault Secrets Operator`_ to manage your Kubernetes secrets, and further that you will use the same taxonomy that SQuaRE does as described in the `LSST Vault Utilities documentation `__ documentation (essentially ``secret/k8s_operator/``).
+* We presume that you are using Vault_ coupled with `Vault Secrets Operator`_ to manage your Kubernetes secrets, and that all of the secrets for your environment will be stored under a single common prefix.
+ See the `LSST Vault Utilities documentation `__ for the naming convention that we usually use.
We strongly recommend using the `LSST Vault Utilites`_ to create multiple enclaves (one per instance), so that then compromise of one instance doesn't expose all your secrets for all instances.
* Rubin Science Platform applications expect the public hostname of the Science Platform to have a TLS certificate that can be verified using standard CA roots.
@@ -19,11 +20,12 @@ Requirements
Checklist
=========
-#. Fork the `phalanx repository`_ if this work is separate from the SQuaRE-managed environments.
+.. rst-class:: open
+
+#. Fork the `Phalanx repository`_ if this work is separate from the SQuaRE-managed environments.
#. Create a virtual environment with the tools you will need from the installer's `requirements.txt `__.
If you are not using 1Password as your source of truth (which, if you are not in a SQuaRE-managed environment, you probably are not) then you may omit ``1password``.
- In any event, note the write key for your Vault enclave.
#. Create a new ``values-.yaml`` file in `/science-platform `__.
Start with a template copied from an existing environment that's similar to the new environment.
@@ -32,25 +34,25 @@ Checklist
#. Decide on your approach to TLS certificates.
See :ref:`hostnames` for more details.
+ This may require DNS configuration in Route 53 if this is the first deployment in a new domain and you are using Let's Encrypt for certificates.
#. Do what DNS setup you can.
If you already know the IP address where your instance will reside, create the DNS records (A or possibly CNAME) for that instance.
If you are using a cloud provider or something like minikube where the IP address is not yet known, then you will need to create that record once the top-level ingress is created and has an external IP address.
- The first time you set up the RSP for a given domain (note: *not* hostname, but *domain*, so if you were setting up ``dev.my-rsp.net`` and ``prod.my-rsp.net``, ``dev`` first, you would only need to do this when you created ``dev``), if you are using Let's Encrypt for certificate management (which we highly recommend), you will need to create glue records to enable Let's Encrypt to manage TLS for the domain.
- See :doc:`/applications/cert-manager/route53-setup` for more details.
-
#. For each enabled application, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__.
Customization will vary from application to application.
See :ref:`application-notes` for more details on special considerations for individual applications.
#. Generate the secrets for the new environment and store them in Vault with `/installer/update_secrets.sh `__.
- This is where you will need the write key for the Vault enclave.
+ You will need the write key for the Vault enclave you are using for this environment.
#. Run the installer script at `/installer/install.sh `__.
+ Debug any problems.
+ The most common source of problems are errors or missing configuration in the ``values-.yaml`` files you created for each application.
- If the installation is using a dynamically-assigned IP address, while the installer is running, wait until the ingress-nginx-controller Service_ comes up and has an external IP address; then go set the A record for your endpoint to that address (or set an A record with that IP address for the ingress and a CNAME from the endpoint to the A record).
+#. If the installation is using a dynamically-assigned IP address, while the installer is running, wait until the ingress-nginx-controller Service_ comes up and has an external IP address; then go set the A record for your endpoint to that address (or set an A record with that IP address for the ingress and a CNAME from the endpoint to the A record).
For installations that are intended to be long-lived, it is worth capturing the IP address at this point and modifying your configuration to use it statically should you ever need to reinstall the instance.
.. _hostnames:
@@ -59,17 +61,20 @@ Hostnames and TLS
=================
The Science Platform is designed to run under a single hostname.
-Ingresses for all applications use different routes on the same external hostname.
-That hostname, in turn, is served by an NGINX proxy web server, configured via the ``ingress-nginx`` Helm chart (normally installed with the Science Platform).
+``Ingress`` resources for all applications use different routes on the same external hostname.
+That hostname, in turn, is served by an NGINX proxy web server, configured via the ``ingress-nginx`` Helm chart.
An NGINX ingress controller is required since its ``auth_request`` mechanism is used for authentication.
The external hostname must have a valid TLS certificate that is trusted by the stock configuration of standard CentOS, Debian, and Alpine containers.
There are supported two mechanisms to configure that TLS certificate:
+.. rst-class:: open
+
#. Purchase a commercial certificate and configure it as the ingress-nginx default certificate.
- Do not add TLS configuration to any of the application ingresses.
For more information, see :doc:`/applications/ingress-nginx/certificates`.
- With this approach, the certificate will have to be manually renewed and replaced once per year.
+ Do not add TLS configuration to any of the application ``Ingress`` resources.
+ With this approach, the certificate will have to be manually renewed and replaced at whatever frequency the commercial certificate provider requires.
+ Usually this is once per year.
#. Configure Let's Encrypt to obtain a certificate via the DNS solver.
Once this is configured, TLS will be handled automatically without further human intervention.
From 02c939bdec461af7ade4f71e32d2c155f12e0258 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 2 Nov 2022 14:56:49 -0700
Subject: [PATCH 1234/1479] Move bootstrapping notes to new layout
Use the new px-app-bootstrap marker and move the bootstrapping notes to live in the application documentation, with a list in the checklist. Update them for various things that are out of date, including simplifying the Squareone bootstrapping considerably.
---
docs/_rst_epilog.rst | 1 +
docs/admin/bootstrapping.rst | 106 +--------------------
docs/applications/gafaelfawr/bootstrap.rst | 25 +++++
docs/applications/gafaelfawr/index.rst | 1 +
docs/applications/nublado2/bootstrap.rst | 32 +++++++
docs/applications/nublado2/index.rst | 1 +
docs/applications/portal/bootstrap.rst | 16 ++++
docs/applications/portal/index.rst | 1 +
docs/applications/squareone/bootstrap.rst | 17 ++++
docs/applications/squareone/index.rst | 2 +
docs/applications/squareone/notes.rst | 19 ++++
11 files changed, 120 insertions(+), 101 deletions(-)
create mode 100644 docs/applications/gafaelfawr/bootstrap.rst
create mode 100644 docs/applications/nublado2/bootstrap.rst
create mode 100644 docs/applications/portal/bootstrap.rst
create mode 100644 docs/applications/squareone/bootstrap.rst
create mode 100644 docs/applications/squareone/notes.rst
diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst
index 1aaf4789ec..65e93805ca 100644
--- a/docs/_rst_epilog.rst
+++ b/docs/_rst_epilog.rst
@@ -9,6 +9,7 @@
.. _Documentation Style Guide: https://developer.lsst.io/user-docs/index.html
.. _FastAPI: https://fastapi.tiangolo.com/
.. _Google Documentation Style Guide: https://developers.google.com/style/
+.. _Google Filestore: https://cloud.google.com/filestore
.. _Helm: https://helm.sh
.. _helm-docs: https://github.com/norwoodj/helm-docs
.. _Ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/
diff --git a/docs/admin/bootstrapping.rst b/docs/admin/bootstrapping.rst
index c1d6e73323..16a37c62b3 100644
--- a/docs/admin/bootstrapping.rst
+++ b/docs/admin/bootstrapping.rst
@@ -42,8 +42,12 @@ Checklist
#. For each enabled application, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__.
Customization will vary from application to application.
+ The following applications have special bootstrapping considerations:
- See :ref:`application-notes` for more details on special considerations for individual applications.
+ - :px-app-bootstrap:`gafaelfawr`
+ - :px-app-bootstrap:`nublado2`
+ - :px-app-bootstrap:`portal`
+ - :px-app-bootstrap:`squareone`
#. Generate the secrets for the new environment and store them in Vault with `/installer/update_secrets.sh `__.
You will need the write key for the Vault enclave you are using for this environment.
@@ -68,8 +72,6 @@ An NGINX ingress controller is required since its ``auth_request`` mechanism is
The external hostname must have a valid TLS certificate that is trusted by the stock configuration of standard CentOS, Debian, and Alpine containers.
There are supported two mechanisms to configure that TLS certificate:
-.. rst-class:: open
-
#. Purchase a commercial certificate and configure it as the ingress-nginx default certificate.
For more information, see :doc:`/applications/ingress-nginx/certificates`.
Do not add TLS configuration to any of the application ``Ingress`` resources.
@@ -89,101 +91,3 @@ To use the second approach, you must have the following:
This means either registering a domain via Amazon, registering a domain elsewhere and pointing it to Amazon's Route 53 DNS servers, or creating a subdomain of an existing public domain by adding ``NS`` records to that domain for a subdomain hosted on Route 53.
If neither of those requirements sound familiar, you almost certainly want to use the first option and purchase a commercial certificate.
-
-.. _application-notes:
-
-Application bootstrapping notes
-===============================
-
-Gafaelfawr
----------
-
-When creating the Gafaelfawr configuration for a new environment, in addition to choosing between OpenID Connect authentication and GitHub authentication, you will need to define a group mapping.
-This specifies which scopes a user will receive based on which groups they are a member of in the upstream identity system.
-
-The most important scopes to configure are:
-
-* ``exec:admin``: provides access to administrative tools (users do not need this)
-* ``exec:user``: allows users to create personal tokens
-* ``exec:notebook``: allows users to use the Notebook Aspect
-* ``exec:portal``: allows users to use the Portal Aspect
-* ``read:tap``: allows users to make TAP queries
-
-If you are using OpenID Connect, the group values for each scope should be group names as shown in the ``isMemberOf`` claim.
-
-If you are using GitHub, group membership will be synthesized from all of the teams of which the user is a member.
-These must be team memberships, not just organization memberships.
-The corresponding group for Gafaelfawr purposes will be ``-`` where ```` is the team **slug**, not the team name.
-That means the team name will be converted to lowercase and spaces will be replaced with dashes, and other transformations will be done for special characters.
-For more information about how Gafaelfawr constructs groups from GitHub teams, see `the Gafaelfawr documentation `__.
-
-For an example of a ``group_mapping`` configuration for GitHub authentication, see `/applications/gafaelfawr/values-idfdev.yaml `__.
-
-If you run into authentication problems, see :doc:`the Gafaelfawr operational documentation ` for debugging instructions.
-
-Nublado 2
---------
-
-Nublado (the ``nublado2`` application) and moneypenny need to know where the NFS server that provides user home space is.
-Nublado also requires other persistent storage space.
-Ensure the correct definitions are in place in their configuration.
-
-For T&S deployments that require instrument control, make sure you have any Multus network definitions you need in the ``nublado2`` ``values.yaml``.
-This will look something like:
-
-.. code-block:: yaml
-
- singleuser:
- extraAnnotations:
- k8s.v1.cni.cncf.io/networks: "kube-system/auxtel-dds, kube-system/comcam-dds, kube-system/misc-dds"
- initContainers:
- - name: "multus-init"
- image: "lsstit/ddsnet4u:latest"
- securityContext:
- privileged: true
-
-The Multus network names are given as an annotation string containing the networks, separated by commas.
-Experimentally, it appears that the interfaces will appear in the order specified.
-
-The ``initContainers`` entry should be inserted verbatim.
-It creates a privileged container that bridges user pods to the specified networks before releasing control to the user's lab.
-
-Portal
-------
-
-If the Portal Aspect is configured with a ``replicaCount`` greater than one (recommended for production installations), ``firefly_shared_workdir`` must be set and point to an underlying filesystem that supports shared multiple-write.
-This is **not** supported by most Kubernetes persistent volume backends.
-
-At GKE, we use Filestore via NFS.
-
-Currently the provisioning of this underlying backing store is manual, so make sure you either have created it or gotten a system administrator with appropriate permissions for your site to do so.
-
-The default UID for the Portal Aspect is 91, although it is tunable in the deployment if need be.
-
-Squareone
---------
-
-If you are using the Let's Encrypt approach to obtain TLS certificates, you must give the Squareone ingress with an appropriate TLS configuration.
-
-Because all application ingresses share the same external hostname, the way the ingress configuration is structured is somewhat unusual.
-Nearly all application create an ingress without adding TLS configuration.
-Instead, they all use the same hostname, without a TLS stanza.
-The Squareone ingress is the one designated ingress with a TLS configuration to request creation of certificates.
-Because each ingress uses the same hostname, the NGINX ingress will merge all of those ingresses into one virtual host and will set up TLS if TLS is defined on any of them.
-
-Were TLS defined on more than one ingress, only one of those TLS configurations would be used, but which one is chosen is somewhat random.
-Therefore, we designate a single application to hold the configuration to avoid any confusion from unused configurations.
-
-This means adding something like the following to ``values-.yaml`` in `/services/squareone `__:
-
-.. code-block:: yaml
-
- squareone:
- ingress:
- host: "rsp.example.com"
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-dns
- tls:
- - secretName: squareone-tls
- hosts:
- - "rsp.example.com"
diff --git a/docs/applications/gafaelfawr/bootstrap.rst b/docs/applications/gafaelfawr/bootstrap.rst
new file mode 100644
index 0000000000..46fc469b49
--- /dev/null
+++ b/docs/applications/gafaelfawr/bootstrap.rst
@@ -0,0 +1,25 @@
+.. px-app-bootstrap:: gafaelfawr
+
+########################
+Bootstrapping Gafaelfawr
+########################
+
+The primary documentation for configuring Gafaelfawr for a new environment is the `Gafaelfawr user guide `__.
+That guide should provide most of the information required to write the ``values-.yaml`` file for Gafaelfawr for a new environment.
+
+As described there, the primary configuration you will need to do is to choose between GitHub, CILogon, and a local OpenID Connect identity provider as a source of authentication.
+If you choose an identity provider other than GitHub, you will then also have to decide how to retrieve user identity information such as full name, email address, UID, GID, and group membership.
+
+:dmtn:`225` is a useful reference for user identity information sources for current Science Platform environments.
+It may be helpful as a model for deciding policy for new environments.
+
+You will also need to assign scopes to users based on either their group membership (for CILogon and local identity providers) or their GitHub team membership.
+This is done with the ``config.groupMapping`` setting in ``values-.yaml``.
+
+See :dmtn:`235` for a list of scopes used by the Science Platform.
+You will need to assign all of them except ``admin:token`` and ``user:token``, which are handled internally by Gafaelfawr.
+
+For ``admin:token``, ensure that the list of usernames in ``config.initialAdmins`` is correct before you start Gafaelfawr for the first time.
+Otherwise, you will need to add admins later via the Gafaelfawr API.
+
+If you run into authentication problems after installing your new environment, see :doc:`troubleshoot`.
diff --git a/docs/applications/gafaelfawr/index.rst b/docs/applications/gafaelfawr/index.rst
index 24b1b27c60..75f6be7393 100644
--- a/docs/applications/gafaelfawr/index.rst
+++ b/docs/applications/gafaelfawr/index.rst
@@ -21,6 +21,7 @@ Guides
.. toctree::
:maxdepth: 2
+ bootstrap
storage
recreate-token
github-organizations
diff --git a/docs/applications/nublado2/bootstrap.rst b/docs/applications/nublado2/bootstrap.rst
new file mode 100644
index 0000000000..a8111d3030
--- /dev/null
+++ b/docs/applications/nublado2/bootstrap.rst
@@ -0,0 +1,32 @@
+.. px-app-bootstrap:: nublado2
+
+#####################
+Bootstrapping Nublado
+#####################
+
+Nublado (the ``nublado2`` application) and moneypenny need to know where the NFS server that provides user home space is.
+Nublado also requires other persistent storage space.
+Ensure the correct definitions are in place in their configuration.
+
+Telescope and Site deployments
+==============================
+
+For T&S deployments that require instrument control, make sure you have any Multus network definitions you need in the ``values-.yaml``.
+This will look something like:
+
+.. code-block:: yaml
+
+ singleuser:
+ extraAnnotations:
+ k8s.v1.cni.cncf.io/networks: "kube-system/macvlan-conf"
+ initContainers:
+ - name: "multus-init"
+ image: "lsstit/ddsnet4u:latest"
+ securityContext:
+ privileged: true
+
+It's possible to list multiple Multus network names separated by commas in the annotation string.
+Experimentally, it appears that the interfaces will appear in the order specified.
+
+The ``initContainers`` entry should be inserted verbatim.
+It creates a privileged container that bridges user pods to the specified networks before releasing control to the user's lab.
diff --git a/docs/applications/nublado2/index.rst b/docs/applications/nublado2/index.rst
index 7d115a424a..7742c4a014 100644
--- a/docs/applications/nublado2/index.rst
+++ b/docs/applications/nublado2/index.rst
@@ -15,6 +15,7 @@ Guides
.. toctree::
:maxdepth: 2
+ bootstrap
upgrade
troubleshoot
values
diff --git a/docs/applications/portal/bootstrap.rst b/docs/applications/portal/bootstrap.rst
new file mode 100644
index 0000000000..a7d33530ad
--- /dev/null
+++ b/docs/applications/portal/bootstrap.rst
@@ -0,0 +1,16 @@
+.. px-app-bootstrap:: portal
+
+####################
+Bootstrapping Portal
+####################
+
+If the Portal Aspect is configured with a ``replicaCount`` greater than one (recommended for production installations), ``config.volumes.workareaHostPath`` or ``config.volumes.workareaNfs`` must be set and point to an underlying filesystem that supports shared multiple-write.
+This is not supported by most Kubernetes persistent volume backends, which is why only a host path or an NFS mount are supported.
+
+The IDF environments use `Google Filestore`_ via NFS.
+
+The provisioning of this underlying backing store is manual, so make sure you either have created it or gotten a system administrator with appropriate permissions for your site to do so.
+
+Ensure that it is writable by the Portal pods.
+The default UID for the Portal pods is 91.
+If this needs to be changed, you'll need to add a new ``values.yaml`` parameter and plumb it through to the ``Deployment`` configuration.
diff --git a/docs/applications/portal/index.rst b/docs/applications/portal/index.rst
index 61b5bb97ff..fc53115b11 100644
--- a/docs/applications/portal/index.rst
+++ b/docs/applications/portal/index.rst
@@ -15,4 +15,5 @@ Guides
.. toctree::
:maxdepth: 1
+ bootstrap
values
diff --git a/docs/applications/squareone/bootstrap.rst b/docs/applications/squareone/bootstrap.rst
new file mode 100644
index 0000000000..eae9ab4118
--- /dev/null
+++ b/docs/applications/squareone/bootstrap.rst
@@ -0,0 +1,17 @@
+.. px-app-bootstrap:: squareone
+
+#######################
+Bootstrapping Squareone
+#######################
+
+By default, Squareone manages the TLS configuration for the entirety of the Science Platform.
+This assumes the Let's Encrypt approach to obtaining TLS certificates, and the default TLS configuration requires the cert-manager cluster issuer be set up.
+See :doc:`/applications/cert-manager/notes` for more information.
+
+If you instead are using a commercial certificate and configuring ingress-nginx to use it, you need to disable the TLS configuration for Squareone.
+Do that with the following in ``values-.yaml`` in `/services/squareone `__:
+
+.. code-block:: yaml
+
+ ingress:
+ tls: false
diff --git a/docs/applications/squareone/index.rst b/docs/applications/squareone/index.rst
index 3b3f23d4b6..b7dd11c0e1 100644
--- a/docs/applications/squareone/index.rst
+++ b/docs/applications/squareone/index.rst
@@ -15,4 +15,6 @@ Guides
.. toctree::
:maxdepth: 1
+ notes
+ bootstrap
values
diff --git a/docs/applications/squareone/notes.rst b/docs/applications/squareone/notes.rst
new file mode 100644
index 0000000000..02ffa82281
--- /dev/null
+++ b/docs/applications/squareone/notes.rst
@@ -0,0 +1,19 @@
+.. px-app-notes:: squareone
+
+################################
+Squareone architecture and notes
+################################
+
+TLS configuration merging
+=========================
+
+This applies only to environments that use Let's Encrypt for certificate management.
+
+Because all application ingresses share the same external hostname, the way the ingress configuration is structured in Phalanx is somewhat unusual.
+Nearly all application create an ingress without adding TLS configuration.
+Instead, they all use the same hostname, without a TLS stanza.
+The Squareone ingress is the one designated ingress with a TLS configuration to request creation of certificates.
+Because each ingress uses the same hostname, the NGINX ingress will merge all of those ingresses into one virtual host and will set up TLS if TLS is defined on any of them.
+
+Were TLS defined on more than one ingress, only one of those TLS configurations would be used, but which one is chosen is somewhat random.
+Therefore, we designate Squareone as the single application to hold the configuration to avoid any confusion from unused configurations.
From 0323d3c1bc5d3d0c6466766b7eac274441e5eb3b Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 2 Nov 2022 15:46:30 -0700
Subject: [PATCH 1235/1479] Simplify Gafaelfawr bootstrapping
Documentation on how to configure Redis storage is already covered by the user guide, so don't repeat it here. Add some structure to the bootstrapping page.
---
docs/applications/gafaelfawr/bootstrap.rst | 16 +++++-
docs/applications/gafaelfawr/index.rst | 1 -
docs/applications/gafaelfawr/storage.rst | 65 ----------------------
3 files changed, 14 insertions(+), 68 deletions(-)
delete mode 100644 docs/applications/gafaelfawr/storage.rst
diff --git a/docs/applications/gafaelfawr/bootstrap.rst b/docs/applications/gafaelfawr/bootstrap.rst
index 46fc469b49..e958d145d7 100644
--- a/docs/applications/gafaelfawr/bootstrap.rst
+++ b/docs/applications/gafaelfawr/bootstrap.rst
@@ -7,12 +7,26 @@ Bootstrapping Gafaelfawr
The primary documentation for configuring Gafaelfawr for a new environment is the `Gafaelfawr user guide `__.
That guide should provide most of the information required to write the ``values-.yaml`` file for Gafaelfawr for a new environment.
+For a new environment, it's worth reading all of the user guide.
+There are a lot of configuration decisions you will need to make.
+
+If you run into authentication problems after installing your new environment, see :doc:`troubleshoot`.
+
+Choose an identity provider
+===========================
+
As described there, the primary configuration you will need to do is to choose between GitHub, CILogon, and a local OpenID Connect identity provider as a source of authentication.
If you choose an identity provider other than GitHub, you will then also have to decide how to retrieve user identity information such as full name, email address, UID, GID, and group membership.
:dmtn:`225` is a useful reference for user identity information sources for current Science Platform environments.
It may be helpful as a model for deciding policy for new environments.
+If you choose GitHub as the identity provider, you may need to configure the privacy settings of organizations used for user groups.
+See :doc:`github-organizations` for more details.
+
+Assign scopes and admins
+========================
+
You will also need to assign scopes to users based on either their group membership (for CILogon and local identity providers) or their GitHub team membership.
This is done with the ``config.groupMapping`` setting in ``values-.yaml``.
@@ -21,5 +35,3 @@ You will need to assign all of them except ``admin:token`` and ``user:token``, w
For ``admin:token``, ensure that the list of usernames in ``config.initialAdmins`` is correct before you start Gafaelfawr for the first time.
Otherwise, you will need to add admins later via the Gafaelfawr API.
-
-If you run into authentication problems after installing your new environment, see :doc:`troubleshoot`.
diff --git a/docs/applications/gafaelfawr/index.rst b/docs/applications/gafaelfawr/index.rst
index 75f6be7393..13ee26b32c 100644
--- a/docs/applications/gafaelfawr/index.rst
+++ b/docs/applications/gafaelfawr/index.rst
@@ -22,7 +22,6 @@ Guides
:maxdepth: 2
bootstrap
- storage
recreate-token
github-organizations
troubleshoot
diff --git a/docs/applications/gafaelfawr/storage.rst b/docs/applications/gafaelfawr/storage.rst
deleted file mode 100644
index 796156c902..0000000000
--- a/docs/applications/gafaelfawr/storage.rst
+++ /dev/null
@@ -1,65 +0,0 @@
-###################
-Configuring storage
-###################
-
-Gafaelfawr uses Redis for persistent storage.
-When deploying Gafaelfawr, you will need to choose between three possible storage configurations based on the needs of the environment.
-
-Ephemeral
-=========
-
-For test environments, or for environments where no one is expected to use persistent user tokens, it may be acceptable to invalidate all tokens on each Gafaelfawr restart.
-This is the simplest configuration, since it doesn't require persistent volumes.
-To choose this method, put:
-
-.. code-block:: yaml
-
- redis:
- persistence:
- enabled: false
-
-in the ``values-*.yaml`` file for that environment.
-
-.. _dynamic-gafaelfawr:
-
-Dynamic provisioning
-====================
-
-The default Gafaelfawr behavior is to use `dynamic provisioning `__.
-Gafaelfawr will request (via a ``StatefulSet``) a 1GiB volume using the default storage class with access mode ``ReadWriteOnce``.
-These values can be overridden with ``redis.persistence.size``, ``redis.persistence.storageClass``, and ``redis.persistence.accessMode``.
-
-On GKE environments, the recommended configuration is to enable the Google Compute Engine Physical Disk CSI driver (this can be done via the GKE cluster configuration) and then use its storage class.
-Do this by putting:
-
-.. code-block:: yaml
-
- redis:
- persistence:
- storageClass: "standard-rwo"
-
-in the ``values-*.yaml`` file for that environment.
-
-You may want to change the reclaim policy from the default.
-First, start Gafaelfawr so that hte persistent volume claim and corresponding persistent volume have been created.
-Then, locate that persistent volume and change its reclaim policy from the default (usually ``Delete``) to ``Retain``.
-This provides some additional protection against wiping the storage in accidents or application redeployments that cause the ``StatefulSet`` and its ``PersistentVolumeClaim`` to be deleted.
-
-Existing ``PersistentVolumeClaim``
-==================================
-
-Finally, Gafaelfawr can be configured to use an existing ``PersistentVolumeClaim``.
-This is the most flexible approach, since the ``PersistentVolumeClaim`` can be created outside of the Gafaelfawr chart with whatever parameters are desired.
-
-To use this method, add:
-
-.. code-block:: yaml
-
- redis:
- persistence:
- volumeClaimName: ""
-
-to ``values-*.yaml`` file for that environment, replacing ```` with the name of an existing ``PersistentVolumeClaim`` in the ``gafaelfawr`` namespace.
-
-When using this method, Phalanx does not attempt to create or manage the ``PersistentVolumeClaim`` resource.
-This must be done outside of Phalanx.
From 52a3d0faf2619b1ad8ae2a998d247d391a9b8d69 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 2 Nov 2022 15:47:00 -0700
Subject: [PATCH 1236/1479] Fix a link to Gafaelfawr
Use explicit anchor text to avoid the summary of Gafaelfawr's purpose when linking to it from troubleshooting. It looked odd.
---
docs/admin/troubleshooting.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/admin/troubleshooting.rst b/docs/admin/troubleshooting.rst
index 3ccd90be13..87dfd49c82 100644
--- a/docs/admin/troubleshooting.rst
+++ b/docs/admin/troubleshooting.rst
@@ -67,7 +67,7 @@ User gets permission denied from applications
**Symptoms:** A user is able to authenticate to the Rubin Science Platform (prompted by going to the first authenticated URL, such as the Notebook Aspect spawner page), but then gets permission denied from other application.
-**Causes:** Authentication and authorization to the Rubin Science Platform is done via a application called Gafaelfawr (see :doc:`/applications/gafaelfawr/index`).
+**Causes:** Authentication and authorization to the Rubin Science Platform is done via a application called :doc:`Gafaelfawr `.
After the user authenticates, Gafaelfawr asks their authentication provider for the user's group memberships and then translates that to a list of scopes.
The mapping of group memberships to scopes is defined in the ``values.yaml`` file for Gafaelfawr for the relevant environment, in the ``gafaelfawr.config.groupMapping`` configuration option.
From 5a539a82b705990ec7d7b638b73ff9f88dd5b2ef Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 2 Nov 2022 16:06:09 -0700
Subject: [PATCH 1237/1479] Flesh out documentation for alert-stream-broker
Add more of an introduction and add links to its tech notes to its Chart.yaml.
---
docs/_rst_epilog.rst | 2 ++
docs/applications/alert-stream-broker/index.rst | 8 ++++++--
services/alert-stream-broker/Chart.yaml | 12 ++++++++++++
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst
index 65e93805ca..6e044e87d7 100644
--- a/docs/_rst_epilog.rst
+++ b/docs/_rst_epilog.rst
@@ -1,4 +1,6 @@
.. _1Password: https://1password.com/
+.. _Apache Avro: https://avro.apache.org/
+.. _Apache Kafka: https://kafka.apache.org/
.. _Argo CD: https://argoproj.github.io/argo-cd/
.. _CILogon: https://www.cilogon.org/home
.. _ConfigMap: https://kubernetes.io/docs/concepts/configuration/configmap/
diff --git a/docs/applications/alert-stream-broker/index.rst b/docs/applications/alert-stream-broker/index.rst
index 1f2d9c5dde..c8897dffc6 100644
--- a/docs/applications/alert-stream-broker/index.rst
+++ b/docs/applications/alert-stream-broker/index.rst
@@ -1,10 +1,14 @@
.. px-app:: alert-stream-broker
###################
-alert-stream-broker
+Alert Stream Broker
###################
-Alert stream broker.
+The Alert Stream Broker is responsible for rapid dissemination of alerts (from observatory operations) to community alert brokers.
+It is built on top of `Apache Kafka`_ and uses `Apache Avro`_ as the schema for alerts.
+
+For testing during construction, the alert-stream-broker application includes an alert stream simulator, which periodically posts a static set of alerts to allow testing the alert pipeline.
+During normal observatory operations, the alerts will instead come from the Alert Production pipelines.
.. jinja:: alert-stream-broker
:file: applications/_summary.rst.jinja
diff --git a/services/alert-stream-broker/Chart.yaml b/services/alert-stream-broker/Chart.yaml
index dac7895acc..b7dcbafbb5 100644
--- a/services/alert-stream-broker/Chart.yaml
+++ b/services/alert-stream-broker/Chart.yaml
@@ -22,3 +22,15 @@ dependencies:
- name: alert-database
version: 2.1.0
+
+annotations:
+ phalanx.lsst.io/docs: |
+ - id: "DMTN-093"
+ title: "Design of the LSST Alert Distribution System"
+ url: "https://dmtn-093.lsst.io/"
+ - id: "DMTN-210"
+ title: "Implementation of the LSST Alert Distribution System"
+ url: "https://dmtn-210.lsst.io/"
+ - id: "DMTN-214"
+ title: "Alert Distribution System Operator's Manual"
+ url: "https://dmtn-214.lsst.io/"
From 10b50410103bc8388fb7e2d1140d9fbd5a1877aa Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 2 Nov 2022 16:40:24 -0700
Subject: [PATCH 1238/1479] Go over the Argo CD documentation
Add an explicit bootstrapping page suggesting configuring authentication. Make an editing pass on the Argo CD documentation and remove some obsolete information.
---
docs/admin/bootstrapping.rst | 1 +
docs/applications/argo-cd/authentication.rst | 30 ++++-----
docs/applications/argo-cd/bootstrap.rst | 17 ++++++
docs/applications/argo-cd/index.rst | 5 +-
docs/applications/argo-cd/notes.rst | 5 +-
docs/applications/argo-cd/upgrade.rst | 64 +++++--------------
6 files changed, 53 insertions(+), 69 deletions(-)
create mode 100644 docs/applications/argo-cd/bootstrap.rst
diff --git a/docs/admin/bootstrapping.rst b/docs/admin/bootstrapping.rst
index 16a37c62b3..9df4c93c16 100644
--- a/docs/admin/bootstrapping.rst
+++ b/docs/admin/bootstrapping.rst
@@ -44,6 +44,7 @@ Checklist
Customization will vary from application to application.
The following applications have special bootstrapping considerations:
+ - :px-app-bootstrap:`argo-cd`
- :px-app-bootstrap:`gafaelfawr`
- :px-app-bootstrap:`nublado2`
- :px-app-bootstrap:`portal`
diff --git a/docs/applications/argo-cd/authentication.rst b/docs/applications/argo-cd/authentication.rst
index 993d1a6581..0fe7e45f30 100644
--- a/docs/applications/argo-cd/authentication.rst
+++ b/docs/applications/argo-cd/authentication.rst
@@ -20,9 +20,9 @@ Configuring Google SSO
To set up Google SSO authentication to Argo CD in a new cluster, take the following steps as a user with the ``roles/oauthconfig.editor`` role:
-#. On the GCP console, go to "OAuth consent screen" under "APIs & Services."
+#. On the GCP console, go to :guilabel:`OAuth consent screen` under :guilabel:`APIs & Services`.
-#. Select "Internal" and click Create.
+#. Select :guilabel:`Internal` and click :guilabel:`Create`.
#. Enter the environment information.
For example (adjust for the environment):
@@ -32,24 +32,24 @@ To set up Google SSO authentication to Argo CD in a new cluster, take the follow
 - Authorized domains: lsst.cloud
 - Developer contact information email addresses: Work email address
-#. Click "Save and Continue."
+#. Click :guilabel:`Save and Continue`.
-#. Add the ``openid`` scope and click "Save and Continue."
+#. Add the ``openid`` scope and click :guilabel:`Save and Continue`.
-#. Click "Back to Dashboard."
+#. Click :guilabel:`Back to Dashboard`.
-#. Go to "Credentials" still under "APIs & Services."
+#. Go to :guilabel:`Credentials` still under :guilabel:`APIs & Services`.
-#. Click "Create Credentials" and choose "OAuth client ID."
+#. Click :guilabel:`Create Credentials` and choose :guilabel:`OAuth client ID`.
-#. Choose "Web application" as the application type.
+#. Choose :guilabel:`Web application` as the application type.
 #. Enter "Argo CD" as the name.
 #. Add the ``/argo-cd/api/dex/callback`` route under "Authorized redirect URIs." For example: ``https://data-int.lsst.cloud/argo-cd/api/dex/callback``
-#. Click on create.
+#. Click on :guilabel:`Create`.
 This will pop up a dialog with the client ID and secret for the newly-created OAuth client.
 #. For SQuaRE-run enviroments, go to the RSP-Vault 1Password vault and create a new Login item with a name like "Argo CD Google OAuth - data-int.lsst.cloud" (replacing the last part with the FQDN of the environment).
@@ -102,7 +102,7 @@ To set up Google SSO authentication to Argo CD in a new cluster, take the follow
 Change the list of users to the email addresses of the users who should have admin access to this environment.
-#. Create a PR with the above changes, merge it, and then sync Argo CD.
+#. If the environment already exists, create a PR with the above changes, merge it, and then sync Argo CD.
 Ensure that both the ``argocd-server`` and ``argocd-dex-server`` deployments are restarted (in case the Argo CD Helm chart doesn't ensure this).
 #. Go to the ``/argo-cd`` route on the environment.
@@ -116,18 +116,18 @@ Configuring GitHub SSO
 To set up Google SSO authentication to Argo CD in a new cluster, take the following steps:
-#. From the GitHub page of the organization in which you want to create the OAuth application (such as https://github.com/lsst-sqre), go to Settings → Developer Settings → OAuth Apps.
+#. From the GitHub page of the organization in which you want to create the OAuth application (such as `lsst-sqre `__), go to :guilabel:`Settings → Developer Settings → OAuth Apps`.
-#. Click New OAuth App.
+#. Click :guilabel:`New OAuth App`.
 #. Enter the following information (adjust for the environment):
 - Application name: ``RSP Argo CD (IDF-int)``
 - Homepage URL: ``https://data-int.lsst.cloud/argo-cd``
 - Authorization callback URL: ``https://data-int.lsst.cloud/argo-cd/api/dex/callback``
-#. Click "Register Application".
+#. Click :guilabel:`Register Application`.
-#. Click "Generate a new client secret".
+#. Click :guilabel:`Generate a new client secret`.
 #. For SQuaRE-run enviroments, go to the RSP-Vault 1Password vault and create a new Login item with a name like "Argo CD GitHub OAuth - data-int.lsst.cloud" (replacing the last part with the FQDN of the environment). In this secret, put the client ID in the username field.
@@ -175,7 +175,7 @@ To set up Google SSO authentication to Argo CD in a new cluster, take the follow
 Add lines for additional GitHub teams as needed for that environment. Be aware that this uses the human-readable name of the team (with capital letters and spaces if applicable), not the slug.
-#. Create a PR with the above changes, merge it, and then sync Argo CD.
+#. If the environment already exists, create a PR with the above changes, merge it, and then sync Argo CD.
 Ensure that both the ``argocd-server`` and ``argocd-dex-server`` deployments are restarted (in case the Argo CD Helm chart doesn't ensure this).
 #. Go to the ``/argo-cd`` route on the environment.
diff --git a/docs/applications/argo-cd/bootstrap.rst b/docs/applications/argo-cd/bootstrap.rst
new file mode 100644
index 0000000000..9ae414e241
--- /dev/null
+++ b/docs/applications/argo-cd/bootstrap.rst
@@ -0,0 +1,17 @@
+.. px-app-bootstrap:: argo-cd
+
+#####################
+Bootstrapping Argo CD
+#####################
+
+Initial installation of the Rubin Science Platform is done using Argo CD and a static password for the ``admin`` account.
+You can then log on to the ``admin`` account using that password to manage the resulting environment.
+No special bootstrapping is required.
+
+That said, using the ``admin`` account for longer than necessary is not recommended.
+Instead, you should configure single sign-on for Argo CD as soon as possible and prefer that for day-to-day operations to minimize the chances of leaking the ``admin`` password.
+
+To do that, follow the instructions in :doc:`authentication`.
+
+You may want to do this during your initial bootstrapping process, or very shortly afterwards.
+The execution of the installer script itself will use the ``admin`` account and password regardless, but if Argo CD SSO is set up in advance, you can then immediately switch to using it for management of the environment.
diff --git a/docs/applications/argo-cd/index.rst b/docs/applications/argo-cd/index.rst
index 7f814d0c50..92ed9114c9 100644
--- a/docs/applications/argo-cd/index.rst
+++ b/docs/applications/argo-cd/index.rst
@@ -5,7 +5,7 @@ argocd — Kubernetes application manager
 #######################################
 `Argo CD`_ is the software that manages all Kubernetes resources in a deployment of the Rubin Science Platform.
-It is itself a set of Kubernetes resources and running pods managed with `Helm`_.
+It is itself a set of Kubernetes resources and running pods managed with Helm_.
 .. jinja:: argocd
 :file: applications/_summary.rst.jinja
@@ -17,6 +17,7 @@ Guides
 .. toctree::
 notes
- upgrade
+ bootstrap
 authentication
+ upgrade
 values
diff --git a/docs/applications/argo-cd/notes.rst b/docs/applications/argo-cd/notes.rst
index a4e4606f1e..a3ca9efdd7 100644
--- a/docs/applications/argo-cd/notes.rst
+++ b/docs/applications/argo-cd/notes.rst
@@ -4,12 +4,9 @@ Argo CD architecture and notes
 ##############################
-`Argo CD`_ is the software that manages all Kubernetes resources in a deployment of the Rubin Science Platform.
-It is itself a set of Kubernetes resources and running pods managed with `Helm`_.
-Argo CD cannot manage and upgrade itself, so it periodically should be upgraded manually.
 Argo CD is installed and bootstrapped as part of the cluster creation process. The UI is exposed on the ``/argo-cd`` route for the Science Platform.
+
 Unlike other resources on the Science Platform, it is not protected by Gafaelfawr. See :doc:`authentication`
diff --git a/docs/applications/argo-cd/upgrade.rst b/docs/applications/argo-cd/upgrade.rst
index ae60f10256..8427264eee 100644
--- a/docs/applications/argo-cd/upgrade.rst
+++ b/docs/applications/argo-cd/upgrade.rst
@@ -4,30 +4,33 @@ Upgrading Argo CD
 #################
-This page provides upgrade procedures for the :px-app:`argocd` app.
+This page provides upgrade procedures for the :px-app:`argocd` application.
 .. warning::
 Do not use the `documented Argo CD upgrade method `__ that uses ``kubectl apply``.
- This will not work properly when Argo CD is installed via Helm, as it is Phalanx.
+ This will not work properly when Argo CD is installed via Helm, as it is in Phalanx.
 Automatic upgrades
 ==================
-Normally, you can let Argo CD upgrade itself (`Manage Argo CD Using Argo CD `__).
-When performing the upgrade through Argo CD, it appears to be somewhat more reliable to use the following process rather than syncing everything at once:
+Normally, you can let Argo CD upgrade itself (see `Manage Argo CD Using Argo CD `__).
+The upgrade will appear to proceed up to a point and then will apparently stall when the frontend pod is restarted.
+When that happens, wait a minute or two and reload the page.
+You should be presented with the login screen, can authenticate with GitHub or Google, and then will see the completed upgrade.
-#. Sync everything except the deployments by unchecking them in the sync dialog
-#. Sync the argocd-redis deployment and wait for it to be green
-#. Sync the remaining deployments one at a time in the following order (the exact order probably doesn't matter, but this is what we've done):
- - ``argocd-application-controller``
- - ``argocd-server``
- - ``argocd-repo-server``
- - ``argocd-dex-server``
+In some cases after an upgrade, Argo CD will claim that syncing itself failed.
+This is usually a spurious failure caused by the controller restarting due to the upgrade.
+Simply sync Argo CD again to resolve the error state.
+
+If the upgrade results in a non-working Argo CD, often you can get it back to a working state by selectively downgrading the failed component using ``kubectl edit`` on the relevant ``Deployment`` resource.
+This is particularly true if Dex failed (which will cause errors when logging in), since it is largely independent of the rest of Argo CD.
 Manual upgrade process
 ======================
+Only use this process if the automatic upgrade failed or if there are documented serious problems with automatic upgrades.
+
 #. Determine the current version of Argo CD. The easiest way to do this is to go to the ``/argo-cd`` route and look at the version number in the top left sidebar.
@@ -65,7 +68,7 @@ Manual upgrade process
 Note the chart version for ``argo/argo-cd``.
 #. Upgrade Argo CD using Helm.
- Check out the `phalanx repository `_ first.
+ Check out the `Phalanx repository`_ first.
 .. code-block:: sh
@@ -77,43 +80,8 @@ Manual upgrade process
 If all goes well, you can now view the UI at ``/argo-cd`` and confirm that everything still looks correct.
-Troubleshooting the helm upgrade
--------------------------------
-
-The ``helm upgrade`` command may return an error:
-
- Error: rendered manifests contain a resource that already
- exists. Unable to continue with install: Service
- "argocd-application-controller" in namespace "argocd" exists and
- cannot be imported into the current release: invalid ownership
- metadata; label validation error: key "app.kubernetes.io/managed-by"
- must equal "Helm": current value is "Tiller"; annotation validation
- error: missing key "meta.helm.sh/release-name": must be set to
- "argocd"; annotation validation error: missing key
- "meta.helm.sh/release-namespace": must be set to "argocd"
-
-This means Argo CD was originally installed with Helm v2 and you're using Helm v3.
-You can proceed with Helm v3, but you will need to fix all of the annotations and labels first.
-For all namespaced resources, you can do this by running the following two commands for each resource type that ``helm upgrade`` warns about.
-
-.. code-block:: sh
-
- kubectl -n argocd label --overwrite $RESOURCE \
- -l "app.kubernetes.io/managed-by=Tiller" \
- "app.kubernetes.io/managed-by=Helm"
- kubectl -n argocd annotate $RESOURCE \
- -l "app.kubernetes.io/managed-by=Helm" \
- meta.helm.sh/release-name=argocd meta.helm.sh/release-namespace=argocd
-
-Replace ``$RESOURCE`` with the type of the resource.
-You should not use this command for non-namespaced resources (specifically ``ClusterRole`` and ``ClusterRoleBinding``).
-For those resources, instead of using the ``-l`` selector, find the resources that are part of Argo CD via the ``argocd-`` prefix and then run the ``label`` and ``annotate`` commands naming them explicitly.
-If you fix those non-namespaced resources and then iterate for each namespaced resource, eventually the ``helm upgrade`` command will succeed.
-
-You should only have to do this once per cluster, and then subsequent upgrades with Helm v3 should work smoothly.
-
 Recovering from a botched upgrade
-=================================
+---------------------------------
 If everything goes horribly wrong, you can remove Argo CD entirely and the restore it from the backup that you took. To do this, first drop the Argo CD namespace:
From 8162a1c67ae9797cd22874f3b144c7db6837d581 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 2 Nov 2022 17:08:13 -0700
Subject: [PATCH 1239/1479] Improve cachemachine documentation Update the process for changing recommended to reference the new GitHub Action for doing the retagging. Do a general editing pass and remove obsolete information and unneeded files.
--- docs/applications/cachemachine/index.rst | 7 +- docs/applications/cachemachine/pruning.rst | 15 ++-- .../cachemachine/updating-recommended.rst | 81 ++++++++----------- docs/applications/cachemachine/upgrade.rst | 7 -- 4 files changed, 49 insertions(+), 61 deletions(-) delete mode 100644 docs/applications/cachemachine/upgrade.rst
diff --git a/docs/applications/cachemachine/index.rst b/docs/applications/cachemachine/index.rst
index 7cca7f737b..dcdc167aed 100644
--- a/docs/applications/cachemachine/index.rst
+++ b/docs/applications/cachemachine/index.rst
@@ -4,7 +4,11 @@ cachemachine — JupyterLab image prepuller
 #########################################
-Cachemachine is the RSP's image prepulling service.
+The Docker images used for lab pods run by the Notebook Aspect are quite large, since they contain the full Rubin Observatory software stack.
+If the image is not already cached on a Kubernetes node, starting a lab pod can take as long as five minutes and may exceed the timeout allowed by JupyterHub.
+
+Cachemachine is an image prepulling service designed to avoid this problem by ensuring every node in the Science Platform Kubernetes cluster has the most frequently used lab images cached.
+It is also responsible for reporting the available images to :doc:`Nublado <../nublado2/index>`, used to generate the menu of images when the user creates a new lab pod.
 .. jinja:: cachemachine
 :file: applications/_summary.rst.jinja
@@ -14,7 +18,6 @@ Guides
 .. toctree::
- upgrade
 pruning
 updating-recommended
 gar
diff --git a/docs/applications/cachemachine/pruning.rst b/docs/applications/cachemachine/pruning.rst
index 908ea7a9d0..b7f2829f81 100644
--- a/docs/applications/cachemachine/pruning.rst
+++ b/docs/applications/cachemachine/pruning.rst
@@ -2,12 +2,17 @@ Image pruning
 #############
-If the list of cached images on nodes gets excessively long, K8s may stop updating its list of cached images. This will manifest as the spawner options form being devoid of prepulled images.
+If the list of cached images on nodes gets excessively long, Kubernetes may stop updating its list of cached images.
+The usual symptom is that the Notebook Aspect spawner menu of available images will be empty or missing expected images.
-This is a function of Kubernetes, by default, `only showing 50 images on a node `__. You can work around this, if you control the Kubernetes installation, with ``--node-status-max-images`` set to ``-1`` on the kubelet command line, or by setting ``nodeStatusMaxImages`` to ``-1`` in the kubelet configuration file.
+This is a limitation of the Kubernetes node API.
+By default, `only 50 images on a node will be shown `__.
+You can work around this, if you control the Kubernetes installation, by adding ``--node-status-max-images=-1`` on the kubelet command line, or by setting ``nodeStatusMaxImages`` to ``-1`` in the kubelet configuration file.
-Should you encounter this problem, for each node, perform the following actions:
+If you cannot change that setting, you will need to trim the node image cache so that the total number of images is under 50.
-#. Download `purge `__
-#. Run it using an account allowed to use the Docker socket (thus, probably in group ``docker``). You may want to run it with ``-x`` first to see what it's going to do. If you want output during the actual run, run it with ``-v``.
+#. Download `purge `__.
+#. Run it on each node, using an account allowed to use the Docker socket (thus, probably in group ``docker``).
+ You may want to run it with ``-x`` first to see what it's going to do.
+ If you want output during the actual run, run it with ``-v``.
diff --git a/docs/applications/cachemachine/updating-recommended.rst b/docs/applications/cachemachine/updating-recommended.rst
index 505b0bb4cf..1292ca0588 100644
--- a/docs/applications/cachemachine/updating-recommended.rst
+++ b/docs/applications/cachemachine/updating-recommended.rst
@@ -1,60 +1,53 @@
-###########################################
-Updating the "recommended" JupyterLab image
-###########################################
+##############################################
+Updating the recommended Notebook Aspect image
+##############################################
-The "recommended" tag for JupyterLab images is usually a recent weekly image.
-The image marked "recommended" is guaranteed by SQuaRE to be compatible with other services and materials--such as tutorial or system testing notebooks--that we make available on RSP deployments.
-Because this process requires quite a bit of checking and sign-off from multiple stakeholders, it is possible that approving a new version for "recommended" may take more than the two weeks (for most deployments) it takes for a weekly image to roll off the default list of images to pull.
+The ``recommended`` tag for JupyterLab images is usually a recent weekly image.
+The image tagged ``recommended`` is guaranteed by SQuaRE to be compatible with other services and materials, such as tutorial or system testing notebooks, that we make available on RSP deployments.
+
+Because this process requires quite a bit of checking and sign-off from multiple stakeholders, it is possible that approving a new recommended version may take more than the two weeks (for most deployments) it takes for a weekly image to roll off the default list of images to pull.
 This can cause the RSP JupyterHub options form to display empty parentheses rather than the correct target version when a user requests a lab container.
-This document explains how to circumvent that display bug by changing cachemachine's ``values-.yaml`` for the appropriate instance when moving the "recommended" tag.
+This document explains the process for moving the ``recommended`` tag, and how to circumvent that display bug by changing cachemachine's ``values-.yaml`` for the appropriate instance when moving the ``recommended`` tag.
Tagging a new container version
 -------------------------------
-When a new version is to be approved (after passing through its prior QA and sign-off gates), the "recommended" tag must be updated to point to the new version.
-
-This really is as simple as pulling the new target version, tagging it as recommended, and pushing it again.
-This is, sadly, necessary — there is no way to tag an image on Docker Hub without pulling and re-pushing it.
-However, the push will be a no-op, since all the layers are, by definition, already there, so while the pull may be slow, the push will be fast.
+When a new version is to be approved (after passing through its prior QA and sign-off gates), the ``recommended`` tag must be updated to point to the new version.
-The procedure is as follows:
+To do this, run the GitHub retag workflow for the `sciplat-lab `__ repository, as follows:
-.. code-block:: sh
+#. Go to `the retag workflow page `__.
+#. Click on :guilabel:`Run workflow`.
+#. Enter the tag of the image to promote to recommended under :guilabel:`Docker tag of input container`.
+ This will be a tag like ``w_2022_40``.
+#. Enter ``recommended`` under :guilabel:`Additional value to tag container with`.
+#. Click on the :guilabel:`Run workflow` submit button.
- docker pull registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_33 # or whatever tag
- docker tag registry.hub.docker.com/lsstsqre/sciplat-lab:w_2021_33 registry.hub.docker.com/lsstsqre/sciplat-lab:recommended
- docker login # This may require interaction, depending on how you've set up your docker credentials
- docker push registry.hub.docker.com/lsstsqre/sciplat-lab:recommended
-
-The DockerHub ``sqreadmin`` user could be used for this; however, when the process is not automated (it currently is not), using personal credentials is acceptible.
-The ``sqreadmin`` DockerHub credentials are within the SQuaRE 1Password credential store.
+Don't change the URIs.
 ..
_prepull-recommended:
-Updating Phalanx to ensure the "recommended" target is pre-pulled
-----------------------------------------------------------------
+Ensure the recommended image is pre-pulled
+------------------------------------------
-In most environments, cachemachine only ensures pulling of the latest two weekly images, and it is therefore not at all unusual for more than two weeks to go by before approving a new version.
+In most environments, cachemachine only prepulls the latest two weekly images.
+It is common for more than two weeks to go by before approving a new version of recommended.
+While the recommended tag is always prepulled, cachemachine cannot resolve that tag to a regular image tag unless the corresponding image tag is also prepulled.
+The result is a display bug where recommended is not resolved to a particular tag, and therefore is missing the information in parentheses after the :guilabel:`Recommended` menu option in the spawner form.
-Usually this doesn't matter: the image cache on a node uses a Least Recently Used replacement strategy, and the great majority of users spawn "recommended," so it's not going to be purged.
-However, there is a display bug in the Notebook Aspect spawner form can occur.
-If a new node has come online after the recommended weekly has rolled out of the weekly list, then, although the new node will pre-pull "recommended", it will not pre-pull the corresponding weekly by the weekly tag
-Cachemachine, and therefore the options form, will fail to resolve "recommended" to a particular weekly, which means the description in parentheses after the image name will be empty.
+To avoid this, we therefore explicitly prepull the weekly tag corresponding to the ``recommended`` tag.
+This ensures that cachemachine can map the ``recommended`` tag to a weekly tag.
+This doesn't consume any additional cache space on the nodes, since Kubernetes, when cachemachine tells it to cache that weekly tag, will realize that it already has it cached under another name.
-Fortunately, this is easy to fix.
+We add this configuration to the IDF environments.
+Other Phalanx environments handle recommended images differently and don't need this configuration.
 In cachemachine's ``values-.yaml`` file for the affected environment, go towards the bottom and look in ``repomen``. The first entry will always be of type ``RubinRepoMan``, and will contain the definitions of how many daily, weekly, and release images to prepull.
-
-There are currently only two environments in which we care about keeping the "recommended" target pre-pulled:
-
-#. IDF Production (``data.lsst.cloud``)
-#. IDF Integration (``data-int.lsst.cloud``)
-
 Beneath the ``RubinRepoMan`` entry, you should find an entry that looks like:
-.. code-block:: yaml
+.. code-block:: json
 { "type": "SimpleRepoMan",
@@ -66,16 +59,10 @@ Beneath the ``RubinRepoMan`` entry, you should find an entry that looks like:
 ] }
-Replace the tag and image name with the current approved versions.
-
-If you are adding these definitions to an instance that does not already ensure that the target image for "recommended" is always prepulled, add an entry to the ``repomen`` list that looks like the above, with current approved versions.
+Replace the tag and name with the weekly tag and corresponding name for the weekly image that is also tagged ``recommended``.
-Commit your changes to a git branch, and then create a GitHub pull request to ``services/cachemachine`` in `Phalanx `__ from that branch.
-Request that someone review the PR, and then merge it.
+Once this change is merged, sync cachemachine (using Argo CD) in the affected environments.
+You do not have to wait for a maintenance window to do this, since the change is low risk, although it will result in a very brief outage for Notebook Aspect lab spawning while cachemachine is restarted.
-Then synchronize cachemachine (using Argo CD) in the correct environment.
-It is not generally required to wait for a maintenance window to do this, since making this change is low-risk.
-The cachemachine deployment will automatically restart, and that will kick off any required pulls.
-Since these pulls will just be pulling "recommended" under a different name, the image will almost certainly already be cached, and therefore the pull will be near-instant.
-Each pod that starts from the pulled image simply sleeps for one minute and then terminates.
-After each pod has run and terminated, the Notebook Aspect options form will again show the correct data.
+cachemachine will then spawn a ``DaemonSet`` that pulls the weekly tag to every node, which as mentioned above will be fairly quick since Kubernetes will realize it already has the image cached under another name.
+Once cachemachine rechecks the cached images on each node, it will have enough information to build the menu correctly, and the spawner menu in the Notebook Aspect should be correct.
diff --git a/docs/applications/cachemachine/upgrade.rst b/docs/applications/cachemachine/upgrade.rst
deleted file mode 100644
index 4d0b3fc6a3..0000000000
--- a/docs/applications/cachemachine/upgrade.rst
+++ /dev/null
@@ -1,7 +0,0 @@
-.. px-app-upgrade:: cachemachine
-
-######################
-Upgrading cachemachine
-######################
-
-A simple Argo CD sync is sufficient for upgrading :px-app:`cachemachine`.
From 4a68eccd15148e417919fc77aeede83f7f56134e Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 3 Nov 2022 11:21:38 -0700
Subject: [PATCH 1240/1479] Add bootstrapping documentation for cachemachine
--- docs/admin/bootstrapping.rst | 1 + docs/applications/cachemachine/bootstrap.rst | 40 ++++++++++++++++++++ docs/applications/cachemachine/index.rst | 1 + 3 files changed, 42 insertions(+) create mode 100644 docs/applications/cachemachine/bootstrap.rst
diff --git a/docs/admin/bootstrapping.rst b/docs/admin/bootstrapping.rst
index 9df4c93c16..2f4dc0dd8b 100644
--- a/docs/admin/bootstrapping.rst
+++ b/docs/admin/bootstrapping.rst
@@ -45,6 +45,7 @@ Checklist
 The following applications have special bootstrapping considerations:
 - :px-app-bootstrap:`argo-cd`
+ - :px-app-bootstrap:`cachemachine`
 - :px-app-bootstrap:`gafaelfawr`
 - :px-app-bootstrap:`nublado2`
 - :px-app-bootstrap:`portal`
diff --git a/docs/applications/cachemachine/bootstrap.rst b/docs/applications/cachemachine/bootstrap.rst
new file mode 100644
index 0000000000..c34ce36628
--- /dev/null
+++ b/docs/applications/cachemachine/bootstrap.rst
@@ -0,0 +1,40 @@
+.. px-app-bootstrap:: cachemachine
+
+##########################
+Bootstrapping cachemachine
+##########################
+
+By default, cachemachine doesn't do any prepulling and doesn't provide a useful menu for Notebook Aspect spawning.
+As part of bootstrapping a new environment, you will want to configure it to prepull appropriate images.
+
+For deployments on Google Kubernetes Engine, you will want to use Google Artifact Repository (GAR) as the source of images.
+See :doc:`gar` for basic information and instructions on how to configure workload identity.
+A good starting point for the cachemachine configuration is the `configuration from the IDF environment `__, which sets up GAR as the image source and prepulls a reasonable number of images.
+
+For Telescope and Site deployments that need special images and image cycle configuration, start from the `summit configuration `__.
+Consult with Telescope and Site to determine the correct recommended tag and cycle number.
+
+For other deployments that use the normal Rubin Notebook Aspect images, a reasonable starting configuration for cachemachine is:
+
+.. code-block:: yaml
+
+ autostart:
+ jupyter: |
+ {
+ "name": "jupyter",
+ "labels": {},
+ "repomen": [
+ {
+ "type": "RubinRepoMan",
+ "registry_url": "registry.hub.docker.com",
+ "repo": "lsstsqre/sciplat-lab",
+ "recommended_tag": "recommended",
+ "num_releases": 1,
+ "num_weeklies": 2,
+ "num_dailies": 3
+ }
+ ]
+ }
+
+This prepulls the latest release, the latest two weeklies, and the latest three dailies, as well as the image tagged ``recommended``.
+However, also see :ref:`prepull-recommended` for information on how to ensure cachemachine knows the correct tag and description for the recommended image.
diff --git a/docs/applications/cachemachine/index.rst b/docs/applications/cachemachine/index.rst
index dcdc167aed..065cf6cfc6 100644
--- a/docs/applications/cachemachine/index.rst
+++ b/docs/applications/cachemachine/index.rst
@@ -18,6 +18,7 @@ Guides
 .. toctree::
+ bootstrap
 pruning
 updating-recommended
 gar
From 007fdc166ef02db799d0c1d0637c102f47c2a1e4 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 3 Nov 2022 11:44:12 -0700
Subject: [PATCH 1241/1479] Update cert-manager documentation Note that cert-manager is also used to generate internal-only certs, and therefore isn't only used in environments that use Let's Encrypt certs.
--- docs/applications/cert-manager/bootstrap.rst | 4 ++++ docs/applications/cert-manager/index.rst | 5 ++++- docs/applications/cert-manager/notes.rst | 16 ++++++---------- docs/applications/cert-manager/upgrade.rst | 2 +- 4 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/docs/applications/cert-manager/bootstrap.rst b/docs/applications/cert-manager/bootstrap.rst
index b6d0e23fc6..d7dd489a21 100644
--- a/docs/applications/cert-manager/bootstrap.rst
+++ b/docs/applications/cert-manager/bootstrap.rst
@@ -55,3 +55,7 @@ The Vault secret should look something like this:
 The secrets for the SQuaRE-maintained Rubin Science Platform domains are stored in 1Password (search for ``cert-manager-lsst-codes`` or ``cert-manager-lsst-cloud``). If this cluster is in the same domain as another, working cluster, you can copy the secret from that cluster into the appropriate path for the new cluster.
+
+.. seealso::
+
+ `cert-manager documentation for Route 53 `__.
diff --git a/docs/applications/cert-manager/index.rst b/docs/applications/cert-manager/index.rst
index a9682cb45b..6bffb9f54b 100644
--- a/docs/applications/cert-manager/index.rst
+++ b/docs/applications/cert-manager/index.rst
@@ -4,7 +4,10 @@ cert-manager — TLS certificate manager
 ######################################
-Cert-manager creates TLS certificates via `Let's Encrypt `__ and automatically renews them.
+cert-manager manages TLS certificates internal to the Science Platform Kubernetes cluster.
+It may also manage the external TLS certificate for the cluster ingresses if the `Let's Encrypt `__ approach to certificate management was chosen.
+
+See :ref:`hostnames` for more details on the supported approaches for managing the external TLS certificate.
 .. jinja:: cert-manager
 :file: applications/_summary.rst.jinja
diff --git a/docs/applications/cert-manager/notes.rst b/docs/applications/cert-manager/notes.rst
index e0c1d654ed..95417dd23e 100644
--- a/docs/applications/cert-manager/notes.rst
+++ b/docs/applications/cert-manager/notes.rst
@@ -5,18 +5,13 @@ Cert-manager architecture and notes ################################### The :px-app:`cert-manager` service is an installation of `cert-manager `__ from its `Helm chart repository `__. -It creates TLS certificates via `Let's Encrypt `__ and automatically renews them. +It creates cluster-internal private TLS certificates for applications that need them (such as for admission webhooks). +It may also create TLS certificates via `Let's Encrypt `__ and automatically renew them if the environment uses Let's Encrypt certificates. -This application is only deployed on clusters managed by SQuaRE on Google Cloud Platform. -If a site uses some other process to manage its certificates, it is the responsibility of that site's administrative team to acquire and deploy those certificates. - -``cert-manager`` creates a cluster issuer that uses the DNS solver and Route 53 for DNS by default. +``cert-manager`` optionally creates a cluster issuer that uses the DNS solver and Route 53 for DNS. Set ``config.createIssuer`` to ``false`` for environments where cert-manager should be installed but not use a Route 53 cluster issuer. -For more information, see :ref:`hostnames`. - -.. seealso:: - `cert-manager documentation for Route 53 `__. +For more information on the options for TLS certificate management, see :ref:`hostnames`. Using cert-manager ================== @@ -27,5 +22,6 @@ To configure an Ingress_ to use certificates issued by it, add a ``tls`` configu cert-manager.io/cluster-issuer: "letsencrypt-dns" -This should be done on one and only one Ingress_ for an environment using ``cert-manager``. +Typically, this should be done on one and only one Ingress_ for an environment using ``cert-manager``. The RSP conventionally uses the :px-app:`squareone` application. +(There are some special exceptions that have their own ingresses or otherwise need valid CA-issued certificates, such as :px-app:`alert-stream-broker` and :px-app:`sasquatch`.) 
diff --git a/docs/applications/cert-manager/upgrade.rst b/docs/applications/cert-manager/upgrade.rst index 87f3f2c44c..496badca15 100644 --- a/docs/applications/cert-manager/upgrade.rst +++ b/docs/applications/cert-manager/upgrade.rst @@ -8,7 +8,7 @@ Upgrading :px-app:`cert-manager` is generally painless. The only custom configuration that we use, beyond installing a cluster issuer, is to tell the Helm chart to install the Custom Resource Definitions. Normally, it's not necessary to explicitly test :px-app:`cert-manager` after a routine upgrade. -We will notice if the certificates expire, and have monitoring of the important ones. +We will notice if the certificates expire. However, if you want to be sure that cert-manager is still working after an upgrade, delete the TLS secret and ``Certificate`` resource in the ``squareone`` namespace. It should be recreated by cert-manager. From ebbc1fc85fdc84c1e07336211427ef7a8327a45a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 11:53:13 -0700 Subject: [PATCH 1242/1479] Flesh out datalinker service description --- docs/applications/datalinker/index.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/applications/datalinker/index.rst b/docs/applications/datalinker/index.rst index 6198978ecd..a47312fa62 100644 --- a/docs/applications/datalinker/index.rst +++ b/docs/applications/datalinker/index.rst 
@@ -4,9 +4,14 @@ datalinker — IVOA DataLink service ################################## -Datalinker provides various facilities for discovering and referring to data products and services within the Rubin Science Platform. +datalinker provides various facilities for discovering and referring to data products and services within the Rubin Science Platform. It is primarily based on the IVOA DataLink standard, but also provides some related service discovery facilities beyond the scope of that standard. +Most significantly, datalinker is used to retrieve images referenced in the results of an ObsTAP search. +It does this by returning a DataLink response for the image that includes a signed URL, allowing direct image download from the underlying data store. + +It also provides the HiPS list service, which collects the property files of HiPS data sets served by :px-app:`hips` and returns them with appropriate URLs, and implements a variety of "microservice" endpoints that rewrite simple service-descriptor-friendly APIs into redirects to other RSP services. + .. jinja:: datalinker :file: applications/_summary.rst.jinja From 47fdeec33b09b78e0cbe74d7bf84c023b42bbca1 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 11:55:40 -0700 Subject: [PATCH 1243/1479] Add source URL for exposurelog --- services/exposurelog/Chart.yaml | 9 ++++++--- services/exposurelog/README.md | 4 ++++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml index 1e59a2ce94..01bcd727fe 100644 --- a/services/exposurelog/Chart.yaml +++ b/services/exposurelog/Chart.yaml 
@@ -2,11 +2,14 @@ apiVersion: v2 name: exposurelog description: Exposure log service type: application +sources: + - https://github.com/lsst-sqre/exposurelog # The chart version. SQuaRE convention is to use 1.0.0 version: 1.0.0 -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. +# This is the version number of the application being deployed. This version +# number should be incremented each time you make changes to the +# application. Versions are not expected to follow Semantic Versioning. They +# should reflect the version the application is using. appVersion: 0.9.6 diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index a963dc990e..0951bc809e 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -2,6 +2,10 @@ Exposure log service +## Source Code + +* + ## Values | Key | Type | Default | Description | From 047980707660faabea7b6176e92f73a6bd0fc3a1 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 12:04:19 -0700 Subject: [PATCH 1244/1479] Flesh out the HiPS service description --- docs/applications/hips/index.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/applications/hips/index.rst b/docs/applications/hips/index.rst index cb2f1c55dd..cb5578b875 100644 --- a/docs/applications/hips/index.rst +++ b/docs/applications/hips/index.rst 
@@ -4,7 +4,14 @@ hips — HiPS tile server ####################### -HiPS web server backed by Google Cloud Storage. +Serves HiPS_ tiles from an object store backed by Google Cloud Storage. +This is an interim approach that will eventually be replaced by serving the tiles directly from Google Cloud Storage with special code to handle authentication. + +.. _HiPS: https://www.ivoa.net/documents/HiPS/ + +It is a replacement for the normal static file server approach to serving HiPS file trees, used because Rubin Observatory prefers object storage for all data products. + +The HiPS list, which catalogues all available HiPS file trees, is generated and served by :px-app:`datalinker` instead of this application. .. jinja:: hips :file: applications/_summary.rst.jinja From 736172f75e14bad7e795b21c9aae1ad3cba83ee2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 12:11:32 -0700 Subject: [PATCH 1245/1479] Revise the ingress-nginx documentation Remove a useless upgrading document, flesh out the description a bit more, and update the syntax for configuring a commercial certificate. --- docs/applications/ingress-nginx/certificates.rst | 15 ++++++--------- docs/applications/ingress-nginx/index.rst | 6 ++++-- docs/applications/ingress-nginx/upgrade.rst | 7 ------- 3 files changed, 10 insertions(+), 18 deletions(-) delete mode 100644 docs/applications/ingress-nginx/upgrade.rst diff --git a/docs/applications/ingress-nginx/certificates.rst b/docs/applications/ingress-nginx/certificates.rst index 8cb662e25c..785326622f 100644 --- a/docs/applications/ingress-nginx/certificates.rst +++ b/docs/applications/ingress-nginx/certificates.rst 
@@ -14,21 +14,18 @@ Specifically, add the following under ``ingress-nginx.controller``: .. code-block:: yaml extraArgs: - default-ssl-certificate: ingress-nginx/ingress-certificate + default-ssl-certificate: "ingress-nginx/ingress-certificate" And at the top level, add: .. code-block:: yaml - vault_certificate: + vaultCertificate: enabled: true - path: secret/k8s_operator//ingress-nginx -Replace ```` with the hostname of the environment. - -Then, in the Vault key named by that path, store the commercial certificate. -The Vault secret should have two keys: ``tls.crt`` and ``tls.key``. -The first should contain the full public certificate chain. -The second should contain the private key (without a passphrase). +Then, in the Vault key named ``ingress-nginx`` in the Vault enclave for that environment, store the commercial certificate. +The Vault secret must have two keys: ``tls.crt`` and ``tls.key``. +The first must contain the full public certificate chain. +The second must contain the private key (without a passphrase). For an example of an environment configured this way, see `/services/ingress-nginx/values-minikube.yaml `__ diff --git a/docs/applications/ingress-nginx/index.rst b/docs/applications/ingress-nginx/index.rst index 3f706685a3..a08dbe76b4 100644 --- a/docs/applications/ingress-nginx/index.rst +++ b/docs/applications/ingress-nginx/index.rst 
@@ -5,7 +5,10 @@ ingress-nginx — Ingress controller ################################## The ``ingress-nginx`` application is an installation of `ingress-nginx `__ from its `Helm chart `__. -We use NGINX as the ingress controller for all Rubin Science Platform deployments rather than native ingress controllers because we use the NGINX ``auth_request`` feature to do authentication and authorization with :px-app:`gafaelfawr`. +It is used as the ingress controller for all Science Platform applications. + +We use ingress-nginx, rather than any native ingress controller, in all Rubin Science Platform environments because we use the NGINX ``auth_request`` feature to do authentication and authorization with :px-app:`gafaelfawr`. +We also apply custom configuration required for correct operation of the Portal Aspect, to support our ``NetworkPolicy`` rules, and to ensure `mostly-correct logging of client IP addresses `__. .. jinja:: ingress-nginx :file: applications/_summary.rst.jinja @@ -16,6 +19,5 @@ Guides .. toctree:: :maxdepth: 2 - upgrade certificates values diff --git a/docs/applications/ingress-nginx/upgrade.rst b/docs/applications/ingress-nginx/upgrade.rst deleted file mode 100644 index 9c9d7deddf..0000000000 --- a/docs/applications/ingress-nginx/upgrade.rst +++ /dev/null @@ -1,7 +0,0 @@ -.. px-app-upgrade:: ingress-nginx - -####################### -Upgrading ingress-nginx -####################### - -A simple Argo CD sync is sufficient for upgrading :px-app:`ingress-nginx`. From 71a5d6bc8ee196d9df4d39c9ebf8e2a100c4c866 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 12:24:13 -0700 Subject: [PATCH 1246/1479] Editing pass on mobu documentation --- docs/applications/mobu/index.rst | 2 +- docs/applications/mobu/manage-flocks.rst | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/applications/mobu/index.rst b/docs/applications/mobu/index.rst index 6168706062..c160c2185b 100644 --- a/docs/applications/mobu/index.rst 
+++ b/docs/applications/mobu/index.rst @@ -4,7 +4,7 @@ mobu — RSP integration testing ############################## -Mobu is the continuous integration testing framework for the Rubin Science Platform. +mobu is the continuous integration testing framework for the Rubin Science Platform. It runs some number of "monkeys" that simulate a random user of the Science Platform. Those monkeys are organized into "flocks" that share a single configuration across all of the monkeys. Failures are reported to Slack using a Slack incoming webhook. diff --git a/docs/applications/mobu/manage-flocks.rst b/docs/applications/mobu/manage-flocks.rst index bf2be3c386..8bb81a58ef 100644 --- a/docs/applications/mobu/manage-flocks.rst +++ b/docs/applications/mobu/manage-flocks.rst @@ -2,9 +2,6 @@ Managing mobu flocks #################### -mobu is our monitoring system for the Science Platform. -It exercises JupyterHub and JupyterLab, and tests other applications within the Science Platform by running notebooks on those JupyterLab Pods. - mobu calls each test runner a "monkey" and organizes them into groups called "flocks." You can get a list of flocks from the mobu API. For example, on the IDF production deployment, go to: From 9aaafd4d7460ace6b509e6f80ebe7e7499f6fbad Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 3 Nov 2022 13:41:54 -0700 Subject: [PATCH 1247/1479] Standardize application metadata Update the short descriptions of some applications, standardize them with the description fields of Chart.yaml, move some home metadata to sources, and add some missing sources. --- docs/applications/alert-stream-broker/index.rst | 6 +++--- docs/applications/exposurelog/index.rst | 6 +++--- docs/applications/mobu/index.rst | 6 +++--- services/alert-stream-broker/Chart.yaml | 1 + services/alert-stream-broker/README.md | 2 ++ services/argocd/Chart.yaml | 7 ++++--- services/argocd/README.md | 2 ++ services/cachemachine/Chart.yaml | 5 +++-- services/cachemachine/README.md | 6 ++++-- services/cert-manager/Chart.yaml | 2 +- services/cert-manager/README.md | 2 +- services/datalinker/Chart.yaml | 2 +- services/datalinker/README.md | 2 +- services/exposurelog/Chart.yaml | 2 +- services/exposurelog/README.md | 2 +- services/gafaelfawr/Chart.yaml | 2 +- services/gafaelfawr/README.md | 2 +- services/hips/Chart.yaml | 2 +- services/hips/README.md | 2 +- services/ingress-nginx/Chart.yaml | 1 + services/ingress-nginx/README.md | 2 ++ services/mobu/Chart.yaml | 5 +++-- services/mobu/README.md | 6 ++++-- services/moneypenny/Chart.yaml | 6 +++++- services/moneypenny/README.md | 8 +++++++- 25 files changed, 57 insertions(+), 32 deletions(-) diff --git a/docs/applications/alert-stream-broker/index.rst b/docs/applications/alert-stream-broker/index.rst index c8897dffc6..85c49f98d0 100644 --- a/docs/applications/alert-stream-broker/index.rst +++ b/docs/applications/alert-stream-broker/index.rst 
@@ -1,8 +1,8 @@ .. px-app:: alert-stream-broker -################### -Alert Stream Broker -################### +################################################### +alert-stream-broker — Alert transmission to brokers +################################################### The Alert Stream Broker is responsible for rapid dissemination of alerts (from observatory operations) to community alert brokers. It is built on top of `Apache Kafka`_ and uses `Apache Avro`_ as the schema for alerts. diff --git a/docs/applications/exposurelog/index.rst b/docs/applications/exposurelog/index.rst index 736e63ad6c..bc70c9fb45 100644 --- a/docs/applications/exposurelog/index.rst +++ b/docs/applications/exposurelog/index.rst @@ -1,8 +1,8 @@ .. px-app:: exposurelog -############################## -exposurelog — Exposure log API -############################## +################################## +exposurelog — Exposure message log +################################## Exposure log is a REST web service to create and manage log messages that are associated with a particular exposure. diff --git a/docs/applications/mobu/index.rst b/docs/applications/mobu/index.rst index c160c2185b..e047dc36b4 100644 --- a/docs/applications/mobu/index.rst +++ b/docs/applications/mobu/index.rst @@ -1,8 +1,8 @@ .. px-app:: mobu -############################## -mobu — RSP integration testing -############################## +########################## +mobu — Integration testing +########################## mobu is the continuous integration testing framework for the Rubin Science Platform. It runs some number of "monkeys" that simulate a random user of the Science Platform. diff --git a/services/alert-stream-broker/Chart.yaml b/services/alert-stream-broker/Chart.yaml index b7dcbafbb5..d2b3080047 100644 --- a/services/alert-stream-broker/Chart.yaml +++ b/services/alert-stream-broker/Chart.yaml 
@@ -1,6 +1,7 @@ apiVersion: v2 name: alert-stream-broker version: "3" +description: Alert transmission to community brokers dependencies: - name: alert-stream-broker version: 2.5.1 diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index dbdef8c1d6..b71982a188 100644 --- a/services/alert-stream-broker/README.md +++ b/services/alert-stream-broker/README.md @@ -1,5 +1,7 @@ # alert-stream-broker +Alert transmission to community brokers + ## Requirements | Repository | Name | Version | diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index ef22b80c10..152c42ce60 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -1,7 +1,8 @@ apiVersion: v2 name: argo-cd version: 1.0.0 +description: Kubernetes application manager dependencies: -- name: argo-cd - version: 5.6.3 - repository: https://argoproj.github.io/argo-helm + - name: argo-cd + version: 5.6.3 + repository: https://argoproj.github.io/argo-helm diff --git a/services/argocd/README.md b/services/argocd/README.md index b167418e38..b1d9fbab03 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -1,5 +1,7 @@ # argo-cd +Kubernetes application manager + ## Requirements | Repository | Name | Version | diff --git a/services/cachemachine/Chart.yaml b/services/cachemachine/Chart.yaml index f3fe7fb368..fd8100af9e 100644 --- a/services/cachemachine/Chart.yaml +++ b/services/cachemachine/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: cachemachine version: 1.0.0 -description: Service to prepull Docker images for the Science Platform -home: https://github.com/lsst-sqre/cachemachine +description: JupyterLab image prepuller +sources: + - https://github.com/lsst-sqre/cachemachine appVersion: 1.2.2 diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md index 931b2f606b..7437701fb7 100644 --- a/services/cachemachine/README.md +++ b/services/cachemachine/README.md 
@@ -1,8 +1,10 @@ # cachemachine -Service to prepull Docker images for the Science Platform +JupyterLab image prepuller -**Homepage:** +## Source Code + +* ## Values diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml index 4514205c9a..673feb8ba1 100644 --- a/services/cert-manager/Chart.yaml +++ b/services/cert-manager/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: cert-manager version: 1.0.0 -description: "Let's Encrypt certificate management" +description: TLS certificate manager dependencies: - name: cert-manager version: v1.10.0 diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index 6279cca4a5..b2f15fa7a8 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md @@ -1,6 +1,6 @@ # cert-manager -Let's Encrypt certificate management +TLS certificate manager ## Requirements diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index 0dc4090b8d..bc8a18ea85 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: datalinker version: 1.0.0 -description: Service and data discovery for Rubin Science Platform +description: IVOA DataLink-based service and data discovery sources: - https://github.com/lsst-sqre/datalinker appVersion: 1.5.0 diff --git a/services/datalinker/README.md b/services/datalinker/README.md index 4ebe6f5172..a3cfbd378f 100644 --- a/services/datalinker/README.md +++ b/services/datalinker/README.md @@ -1,6 +1,6 @@ # datalinker -Service and data discovery for Rubin Science Platform +IVOA DataLink-based service and data discovery ## Source Code diff --git a/services/exposurelog/Chart.yaml b/services/exposurelog/Chart.yaml index 01bcd727fe..9de9651aac 100644 --- a/services/exposurelog/Chart.yaml +++ b/services/exposurelog/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: exposurelog -description: Exposure log service +description: Log messages related to an exposure type: application sources: - https://github.com/lsst-sqre/exposurelog diff --git a/services/exposurelog/README.md b/services/exposurelog/README.md index 0951bc809e..da67d864e9 100644 --- a/services/exposurelog/README.md +++ b/services/exposurelog/README.md @@ -1,6 +1,6 @@ # exposurelog -Exposure log service +Log messages related to an exposure ## Source Code diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 0ceb9e76e4..2502b6413f 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: gafaelfawr version: 1.0.0 -description: Science Platform authentication and authorization system +description: Authentication and identity system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 41c23887ca..a5e008a459 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -1,6 +1,6 @@ # gafaelfawr -Science Platform authentication and authorization system +Authentication and identity system **Homepage:** diff --git a/services/hips/Chart.yaml b/services/hips/Chart.yaml index c3d493de4a..5789b5f727 100644 --- a/services/hips/Chart.yaml +++ b/services/hips/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: hips version: 1.0.0 -description: HiPS web server backed by Google Cloud Storage +description: HiPS tile server backed by Google Cloud Storage sources: - https://github.com/lsst-sqre/crawlspace appVersion: 0.2.1 diff --git a/services/hips/README.md b/services/hips/README.md index 6feff8cfec..90b30c483f 100644 --- a/services/hips/README.md +++ b/services/hips/README.md @@ -1,6 +1,6 @@ # hips -HiPS web server backed by Google Cloud Storage +HiPS tile server backed by Google Cloud Storage ## Source Code 
diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 02b00d6afe..7e56344af0 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: ingress-nginx version: 1.0.0 +description: Ingress controller dependencies: - name: ingress-nginx version: 4.3.0 diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index e4bc897c03..5ff320aba4 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -1,5 +1,7 @@ # ingress-nginx +Ingress controller + ## Requirements | Repository | Name | Version | diff --git a/services/mobu/Chart.yaml b/services/mobu/Chart.yaml index 81927cfb1d..f1047ca194 100644 --- a/services/mobu/Chart.yaml +++ b/services/mobu/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: mobu version: 1.0.0 -description: Generate system load by pretending to be a random scientist -home: https://github.com/lsst-sqre/mobu +description: Continuous integration testing +sources: + - https://github.com/lsst-sqre/mobu appVersion: 4.5.0 diff --git a/services/mobu/README.md b/services/mobu/README.md index 587148f45f..5371800dce 100644 --- a/services/mobu/README.md +++ b/services/mobu/README.md @@ -1,8 +1,10 @@ # mobu -Generate system load by pretending to be a random scientist +Continuous integration testing -**Homepage:** +## Source Code + +* ## Values diff --git a/services/moneypenny/Chart.yaml b/services/moneypenny/Chart.yaml index 5005cda2a5..9c0ba6863a 100644 --- a/services/moneypenny/Chart.yaml +++ b/services/moneypenny/Chart.yaml @@ -1,7 +1,11 @@ apiVersion: v2 appVersion: "1.0.0" -description: User provisioning actions for the Science Platform name: moneypenny +description: User provisioning actions +sources: + - https://github.com/lsst-sqre/moneypenny + - https://github.com/lsst-sqre/farthing + - https://github.com/lsst-sqre/inituserhome version: 1.0.2 annotations: phalanx.lsst.io/docs: | 
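Review bot: In the moneypenny Chart.yaml hunk, `appVersion: "1.0.0"` stays as the second key, ahead of `name`, while the other charts this commit touches (cachemachine and mobu in the same series) place `appVersion` last, after `sources`. Since the commit's stated purpose is to standardize application metadata, the key order should probably match too, e.g. `apiVersion`, `name`, `version`, `description`, `sources`, `appVersion`, `annotations`. Mapping order does not affect Helm, so this is purely a consistency and diffability point. The `annotations` block scalar continues past the end of the hunk.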
diff --git a/services/moneypenny/README.md b/services/moneypenny/README.md index 2091cd7266..584302e731 100644 --- a/services/moneypenny/README.md +++ b/services/moneypenny/README.md @@ -1,6 +1,12 @@ # moneypenny -User provisioning actions for the Science Platform +User provisioning actions + +## Source Code + +* +* +* ## Values From 9f1417f83e8cf40ebb57792b3f4b5fea5ce65b86 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 13:43:09 -0700 Subject: [PATCH 1248/1479] Update moneypenny documentation Add an explicit mention in the bootstrapping checklist of deciding on a storage approach for user home directories, and flesh out the moneypenny application documentation a bit. --- docs/admin/bootstrapping.rst | 5 +++++ docs/applications/moneypenny/index.rst | 12 ++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/docs/admin/bootstrapping.rst b/docs/admin/bootstrapping.rst index 2f4dc0dd8b..1ec89a5414 100644 --- a/docs/admin/bootstrapping.rst +++ b/docs/admin/bootstrapping.rst 
@@ -40,6 +40,11 @@ Checklist If you already know the IP address where your instance will reside, create the DNS records (A or possibly CNAME) for that instance. If you are using a cloud provider or something like minikube where the IP address is not yet known, then you will need to create that record once the top-level ingress is created and has an external IP address. +#. Decide on your approach to user home directory storage. + The Notebook Aspect requires a POSIX file system. + The most frequently used method of providing that file system is NFS mounts, but you may instead want to use a different file system that's mounted on the Kubernetes cluster nodes and exposed to pods via ``hostPath``. + Either way, you will need to configure appropriate mount points in :px-app:`nublado2` and :px-app:`moneypenny` when you configure each application in the next step. + #. For each enabled application, create a corresponding ``values-.yaml`` file in the relevant directory under `/services `__. Customization will vary from application to application. The following applications have special bootstrapping considerations: diff --git a/docs/applications/moneypenny/index.rst b/docs/applications/moneypenny/index.rst index 2479984f6a..fcc7b01682 100644 --- a/docs/applications/moneypenny/index.rst +++ b/docs/applications/moneypenny/index.rst 
@@ -1,10 +1,14 @@ .. px-app:: moneypenny -################################## -moneypenny — RSP user provisioning -################################## +############################## +moneypenny — User provisioning +############################## -Moneypenny provides user-provisioning actions for the Rubin Science Platform. +Moneypenny is responsible for provisioning new users of the Notebook Aspect of a Science Platform installation. +It is invoked by :px-app:`nublado2` whenever a user pod is spawned and decides whether provisioning is required. +If so, it does so before the lab spawn, usually by spawning a privileged pod. + +A typical example of the type of provisioning it does is creating the user's home directory, with appropriate ownership and permissions, in an NFS file store. .. jinja:: moneypenny :file: applications/_summary.rst.jinja From be2abfb5d5c81f7251d695771a7e3fb19e1a0e62 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 13:50:26 -0700 Subject: [PATCH 1249/1479] Flesh out narrativelog documentation --- docs/applications/narrativelog/index.rst | 3 ++- services/narrativelog/Chart.yaml | 11 +++++++---- services/narrativelog/README.md | 4 ++++ 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/docs/applications/narrativelog/index.rst b/docs/applications/narrativelog/index.rst index cda2c73b49..fa553d9371 100644 --- a/docs/applications/narrativelog/index.rst +++ b/docs/applications/narrativelog/index.rst @@ -4,7 +4,8 @@ narrativelog — Narrative observatory log ######################################## -Narrative log API service for Rubin Observatory. +Narrative log provides an API for telescope operators to create and manage observatory log messages. +See :px-app:`exposurelog` for a similar service for log messages related to a specific exposure. .. jinja:: narrativelog :file: applications/_summary.rst.jinja diff --git a/services/narrativelog/Chart.yaml b/services/narrativelog/Chart.yaml index deef9a0318..dcddc58a34 100644 
--- a/services/narrativelog/Chart.yaml +++ b/services/narrativelog/Chart.yaml @@ -1,12 +1,15 @@ apiVersion: v2 name: narrativelog -description: Narrative log service type: application +description: Narrative log service +sources: + - https://github.com/lsst-sqre/narrativelog # The chart version. SQuaRE convention is to use 1.0.0 version: 1.0.0 -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. +# This is the version number of the application being deployed. This version +# number should be incremented each time you make changes to the +# application. Versions are not expected to follow Semantic Versioning. They +# should reflect the version the application is using. appVersion: 0.4.0 diff --git a/services/narrativelog/README.md b/services/narrativelog/README.md index a1353b42d0..281d4e69db 100644 --- a/services/narrativelog/README.md +++ b/services/narrativelog/README.md @@ -2,6 +2,10 @@ Narrative log service +## Source Code + +* + ## Values | Key | Type | Default | Description | From ddf1993f85245f22686d3d00c14f26283c28bb47 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 15:11:21 -0700 Subject: [PATCH 1250/1479] Update Nublado documentation Flesh out the upgrading documentation and do an editing pass on the rest. --- docs/applications/nublado2/bootstrap.rst | 4 ++-- docs/applications/nublado2/index.rst | 1 + docs/applications/nublado2/upgrade.rst | 24 +++++++++++++++++++++--- 3 files changed, 24 insertions(+), 5 deletions(-) diff --git a/docs/applications/nublado2/bootstrap.rst b/docs/applications/nublado2/bootstrap.rst index a8111d3030..0401e7d390 100644 --- a/docs/applications/nublado2/bootstrap.rst +++ b/docs/applications/nublado2/bootstrap.rst 
@@ -4,14 +4,14 @@ Bootstrapping Nublado ##################### -Nublado (the ``nublado2`` application) and moneypenny need to know where the NFS server that provides user home space is. +Nublado and :px-app:`moneypenny` need to know where the NFS server that provides user home space is. Nublado also requires other persistent storage space. Ensure the correct definitions are in place in their configuration. Telescope and Site deployments ============================== -For T&S deployments that require instrument control, make sure you have any Multus network definitions you need in the ``values-.yaml``. +For Telescope and Site deployments that require instrument control, make sure you have any Multus network definitions you need in the ``values-.yaml``. This will look something like: .. code-block:: yaml diff --git a/docs/applications/nublado2/index.rst b/docs/applications/nublado2/index.rst index 7742c4a014..88a29f0b52 100644 --- a/docs/applications/nublado2/index.rst +++ b/docs/applications/nublado2/index.rst @@ -5,6 +5,7 @@ nublado2 — JupyterHub for RSP ############################# The ``nublado2`` service is an installation of a Rubin Observatory flavor of `Zero to JupyterHub `__ with some additional resources. +It provides the Notebook Aspect of the Rubin Science Platform. .. jinja:: nublado2 :file: applications/_summary.rst.jinja diff --git a/docs/applications/nublado2/upgrade.rst b/docs/applications/nublado2/upgrade.rst index b727490324..9d24ba3bce 100644 --- a/docs/applications/nublado2/upgrade.rst +++ b/docs/applications/nublado2/upgrade.rst 
@@ -1,5 +1,23 @@ .. px-app-upgrade:: nublado2 -################## -Upgrading nublado2 -################## +################# +Upgrading Nublado +################# + +Most of the time, upgrading Nublado can be done simply by syncing the application in Argo CD. +There will be a brief outage for spawning new pods, but users with existing pods should be able to continue working. + +Occasionally, new versions of JupyterHub will require a schema update. +We do not routinely enable automatic schema updates currently, so JupyterHub will refuse to start if a database schema update is required. +To enable schema updates, add: + +.. code-block:: yaml + + jupyterhub: + hub: + db: + upgrade: true + +(The ``jupyterhub`` and ``hub`` keys probably already exist in the ``values-.yaml`` file, so just add the ``db.upgrade`` setting in the correct spot.) +Then, JupyterHub will automatically upgrade its database when the new version starts. +You can then remove this configuration again if you're worried about automatic updates misbehaving later. From 3bd4f8b30c33b15e3792fe17dfc5cacd6ef26cb8 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 15:21:32 -0700 Subject: [PATCH 1251/1479] Add sources for plot-navigator --- services/plot-navigator/Chart.yaml | 4 +++- services/plot-navigator/README.md | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/services/plot-navigator/Chart.yaml b/services/plot-navigator/Chart.yaml index c56cd08ec9..9b0c3b7dd3 100644 --- a/services/plot-navigator/Chart.yaml +++ b/services/plot-navigator/Chart.yaml @@ -1,5 +1,7 @@ apiVersion: v2 name: plot-navigator -description: Panel-based plot viewer. +description: Panel-based plot viewer version: 1.6.1 +sources: + - https://github.com/lsst-dm/pipetask-plot-navigator appVersion: 0.6.1 diff --git a/services/plot-navigator/README.md b/services/plot-navigator/README.md index 1b7abe06c6..e3897a5b3e 100644 --- a/services/plot-navigator/README.md +++ b/services/plot-navigator/README.md 
@@ -1,6 +1,10 @@ # plot-navigator -Panel-based plot viewer. +Panel-based plot viewer + +## Source Code + +* ## Values From 89425e8462d8e1b52f6f103028ddfe3675d3dde7 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 15:31:10 -0700 Subject: [PATCH 1252/1479] Flesh out Portal documentation Add a link to the design and maintenance manual tech note. --- docs/applications/portal/index.rst | 3 ++- services/portal/Chart.yaml | 11 +++++++++-- services/portal/README.md | 7 +++++-- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/docs/applications/portal/index.rst b/docs/applications/portal/index.rst index fc53115b11..31e2c7214b 100644 --- a/docs/applications/portal/index.rst +++ b/docs/applications/portal/index.rst @@ -4,7 +4,8 @@ portal — Firefly-based RSP Portal ################################# -The portal aspect of the Rubin Science Platform, powered by Firefly. +The Portal Aspect of the Rubin Science Platform, powered by Firefly. +This provides a graphical user interface for astronomical data exploration and also provides a data viewer that can be used within the Notebook Aspect (:px-app:`nublado2`). .. jinja:: portal :file: applications/_summary.rst.jinja diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml index 4326210d0d..76a6d99501 100644 --- a/services/portal/Chart.yaml +++ b/services/portal/Chart.yaml @@ -1,6 +1,13 @@ apiVersion: v2 name: portal version: 1.0.0 -description: "Rubin Science Platform portal aspect" -home: "https://github.com/lsst/suit" +description: Rubin Science Platform Portal Aspect +sources: + - https://github.com/lsst/suit + - https://github.com/Caltech-IPAC/firefly appVersion: "suit-2022.5.5" +annotations: + phalanx.lsst.io/docs: | + - id: "DMTN-136" + title: "LSST Science Platform Portal Aspect Design and Maintenance Manual" + url: "https://dmtn-136.lsst.io/" diff --git a/services/portal/README.md b/services/portal/README.md index ee89cc62ab..219c7301d1 100644 --- a/services/portal/README.md 
+++ b/services/portal/README.md @@ -1,8 +1,11 @@ # portal -Rubin Science Platform portal aspect +Rubin Science Platform Portal Aspect -**Homepage:** +## Source Code + +* +* ## Values From 0f4bdcb4c5da4d41ccf6e6abac20b3bca31877a3 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 16:06:15 -0700 Subject: [PATCH 1253/1479] Set Recreate strategy for PostgreSQL This will stop the existing pod before starting a new one, so they won't fight over the persistent volume. (This should really be a StatefulSet, but it really should be an external PostgreSQL server instead, so use the easy fix for now.) --- services/postgres/templates/deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/postgres/templates/deployment.yaml b/services/postgres/templates/deployment.yaml index 4cf523db2d..fcba77bf1a 100644 --- a/services/postgres/templates/deployment.yaml +++ b/services/postgres/templates/deployment.yaml @@ -9,6 +9,8 @@ spec: selector: matchLabels: {{- include "postgres.selectorLabels" . | nindent 6 }} + strategy: + type: "Recreate" template: metadata: labels: From d804bc7ca8a6eb9ea1de5074bf7af34a0ba2c86e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 16:06:59 -0700 Subject: [PATCH 1254/1479] Update postgres documentation Do a general editing and reformat pass, and remove notes that are obsolete now that it uses a replace strategy for updates. --- docs/applications/postgres/add-database.rst | 119 +++++++++----------- docs/applications/postgres/index.rst | 6 +- docs/applications/postgres/upgrade.rst | 7 -- 3 files changed, 53 insertions(+), 79 deletions(-) delete mode 100644 docs/applications/postgres/upgrade.rst diff --git a/docs/applications/postgres/add-database.rst b/docs/applications/postgres/add-database.rst index ccca52bad6..0b49b39963 100644 --- a/docs/applications/postgres/add-database.rst +++ b/docs/applications/postgres/add-database.rst 
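Review bot: The new `strategy` block carries no comment saying why `Recreate` is required, and the reason (the single PostgreSQL pod has to release its persistent volume before the replacement pod mounts it) lives only in the commit message where the next maintainer of this template will not see it. Suggest a comment directly above the added lines: `# Recreate, not RollingUpdate: stop the old pod before starting the new one so two pods never mount the data volume at once.` The same comment should mention that every sync therefore causes a short outage, since operators editing this file will otherwise be surprised. The Deployment spec continues outside the hunk, so I cannot confirm `replicas` is left at its default of 1; Recreate only prevents overlap between the old and new ReplicaSet, not between replicas within one.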
@@ -2,35 +2,27 @@ Adding a new database ##################### -From time to time you might need to add a new database to the internal -Postgres instance. +From time to time, you may need to add a new database to the internal PostgreSQL instance. -Before you do, please ask yourself how valuable the data is: the -internal Postgres is not intended to be either highly available or -extremely reliable. It's designed for persistent storage for low-value -data, such as the JupyterHub session database, or Gafaelfawr's -authentication tokens, where the worst thing that happens, if it is -wiped out, is that a bunch of users lose their running sessions and have -to reauthenticate. +Before you do, ask yourself how valuable the data is. +The internal PostgreSQL service is not intended to be highly available or extremely reliable. +It's designed for persistent storage for low-value data such as the JupyterHub session database, where the worst thing that happens after data loss is that users lose running sessions and may have to reauthenticate. -Assuming that the internal Postgres is indeed the right choice for your -needs, there are several steps. +Assuming that the internal PostgreSQL is indeed the right choice for your needs, there are several steps. Decide on a database name ========================= -In general the database will require three things: a database name, a -username, and a password. Usually the database name and user should be -identical and should reflect the application that will consume the database, -e.g. ``gafaelfawr`` or ``exposurelog``. We will use ``exposurelog`` as -the model for the remainder of this document. +The service requires a database name, a username, and a password. +Usually the database name and user should be identical and should match the application that will consume the database (for example, ``gafaelfawr`` or ``exposurelog``). +We will use ``exposurelog`` as the model for the remainder of this document. 
Add the database to the deployment ================================== -Go to the ``services/postgres/templates`` directory from the Phalanx -root, and edit ``deployment.yaml`` to add the new database/password -entry. You should copy an existing entry, and it should look like this: +Go to the ``/services/postgres/templates`` directory and edit ``deployment.yaml`` to add an entry for the new database. +You should copy an existing entry to get the syntax correct, and then change the names. +The result should look like this: .. code-block:: yaml 
@@ -42,80 +34,71 @@ entry. You should copy an existing entry, and it should look like this: - name: VRO_DB_EXPOSURELOG_PASSWORD valueFrom: secretKeyRef: - name: postgres - key: exposurelog_password + name: "postgres" + key: "exposurelog_password" {{- end }} Add the database to Phalanx installer ===================================== -Next add a password entry to Phalanx's installer, so the next time a new -cluster is deployed or an extant cluster is redeployed, the password -will be created. This belongs in ``installer/generate_secrets.py`` in -the ``_postgres()`` method. +Add a password entry to Phalanx's installer, so the next time a new cluster is deployed or an extant cluster is redeployed, the password will be created. +This belongs in ``installer/generate_secrets.py`` in the ``_postgres()`` method. -Typically we use passwords that are ASCII representations of random -32-byte hexadecimal sequences. The passwords for all the non-root -Postgres users already look like that, so copying an existing line -and changing the name to reflect your application is usually correct: +Typically, we use passwords that are ASCII representations of random 32-byte hexadecimal sequences. +The passwords for all the non-root PostgreSQL users already look like that, so copying an existing line and changing the name to reflect your application is usually correct: .. code-block:: python :caption: /installer/generate_secrets.py self._set_generated("postgres", "exposurelog_password", secrets.token_hex(32)) -Finally, go edit the postgres ``values-.yaml`` files and add -a section for your new database with appropriate ``user`` and ``db`` -entries: +Finally, edit the ``postgres`` ``values-.yaml`` files for the environments that need this database and add a section for your new database with appropriate ``user`` and ``db`` entries: .. 
code-block:: yaml :caption: /services/postgres/values-.yaml exposurelog_db: - user: 'exposurelog' - db: 'exposurelog' + user: "exposurelog" + db: "exposurelog" -Now start the PR and review process. However, there is a step you still -must do before you can synchronize the updated application: put the -password into Vault so it appears in the postgres secrets. +Now start the PR and review process. Manually add the secret to Vault ================================ -Since you have already added generation of the password to the -installer, you could just generate new secrets for each environment and -push them into Vault. That, however, would require that you restart -everything with randomly-generated passwords, and that's a fairly -disruptive operation, so you probably are better off manually injecting -just your new password. - -* Consult ``1Password`` and retrieve the appropriate vault write token for - the instance you're working with from ``vault_keys.json``. -* Set up your environment: ``export VAULT_ADDR=vault.lsst.codes ; export - VAULT_FORMAT=json ; export VAULT_TOKEN=`` -* Run ``vault kv patch secret/k8s_operator//postgres - _password=$(openssl rand -hex 32)`` to generate and - store a new random password. -* Delete the ``postgres`` secret from the ``postgres`` namespace to - force Vault Secrets Operator to recreate it. -* Repeat for each environment where you need the new database. +Since you have already added generation of the password to the installer, you could just generate new secrets for each environment and push them into Vault. +That, however, would require that you restart everything with randomly-generated passwords, and that's a fairly disruptive operation, so you probably are better off manually injecting just your new password. + +.. rst-class:: open + +#. Consult 1Password and retrieve the appropriate vault write token for the instance you're working with from ``vault_keys.json``. + +#. Set up your environment: + + .. 
code-block:: bash + + export VAULT_ADDR=vault.lsst.codes + export VAULT_TOKEN= + +#. Generate and store a new random password: + + .. code-block:: bash + + vault kv patch secret/k8s_operator//postgres \ + _password=$(openssl rand -hex 32) + +#. Delete the ``postgres`` ``Secret`` from the ``postgres`` namespace to force Vault Secrets Operator to recreate it. + +#. Repeat for each environment where you need the new database. Restart with new values ======================= -Now it's finally time to synchronize Postgres in each environment. -There is no new application version, so all you should need to do is -resynchronize the deployment from ArgoCD. - -This will cause a brief service interruption in the cluster, as the -existing deployment is recreated with additional environment variables -and PostgreSQL restarts, so bear that and your cluster's maintenance -window policy in mind. +Now it's finally time to synchronize PostgreSQL in each environment. +All you should need to do is sync the application in Argo CD. -Much of the time, the restart of the ``postgres`` deployment gets stuck -and the old Pod will not terminate and allow the new one to run. If -that happens, you need to identify the ReplicaSet responsible for the -stuck Pod, and delete that ReplicaSet. +This will cause a brief service interruption in the cluster while the deployment is recreated with additional environment variables and PostgreSQL restarts. +You may therefore want to wait for a maintenance window. -Once Postgres restarts, the new database will be present, with the user -and password set. At that point it is ready for use by your new application. +Once PostgreSQL restarts, the new database will be present, with the user and password set. +At that point it is ready for use by your new application. diff --git a/docs/applications/postgres/index.rst b/docs/applications/postgres/index.rst index a73d0c951c..7c2f8b845c 100644 --- a/docs/applications/postgres/index.rst 
+++ b/docs/applications/postgres/index.rst @@ -10,15 +10,14 @@ Two intended purposes for this service are: - The JupyterHub user session database - Backing store for Gafaelfawr's authentication tokens -If either of those is destroyed, then all current user sessions and authentication tokens are invalidated, work up to the last checkpoint (five minutes in JupyterLab) may be lost. -Users will have to log in, restart sessions, and recreate authentication tokens. +It may also be used by other applications, such as :px-app:`exposurelog` and :px-app:`narrativelog`. .. important:: Do not use this service for important data. Use a managed relational database, such as Google CloudSQL, instead. - Production instances of the Science Platform use CloudSQL for the Gafaelfawr token database instead of this service. + Production instances of the Science Platform use CloudSQL or a local external PostgreSQL server for the Gafaelfawr token database instead of this service. .. jinja:: postgres :file: applications/_summary.rst.jinja @@ -29,7 +28,6 @@ Guides .. toctree:: :maxdepth: 2 - upgrade add-database troubleshoot values diff --git a/docs/applications/postgres/upgrade.rst b/docs/applications/postgres/upgrade.rst deleted file mode 100644 index 946f4b0856..0000000000 --- a/docs/applications/postgres/upgrade.rst +++ /dev/null @@ -1,7 +0,0 @@ -.. px-app-upgrade:: postgres - -################## -Upgrading postgres -################## - -A simple Argo CD sync is sufficient to upgrade the :px-app:`postgres` application. From 872282f64ef578e07a424a40e0602aa115b3815f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 16:12:10 -0700 Subject: [PATCH 1255/1479] Minor tweaks to production-tools documentation --- docs/applications/production-tools/index.rst | 6 +++--- services/production-tools/Chart.yaml | 3 ++- services/production-tools/README.md | 4 +++- 3 files changed, 8 insertions(+), 5 deletions(-) 
diff --git a/docs/applications/production-tools/index.rst b/docs/applications/production-tools/index.rst index 967b580265..4656e9e501 100644 --- a/docs/applications/production-tools/index.rst +++ b/docs/applications/production-tools/index.rst @@ -1,8 +1,8 @@ .. px-app:: production-tools -################################## -production-tools — Data Production -################################## +############################################# +production-tools — Data Production monitoring +############################################# Production Tools provides a collection of utility pages for monitoring data processing. diff --git a/services/production-tools/Chart.yaml b/services/production-tools/Chart.yaml index 99e99dbd4f..95add46d37 100644 --- a/services/production-tools/Chart.yaml +++ b/services/production-tools/Chart.yaml @@ -3,5 +3,6 @@ name: production-tools version: 1.0.0 dependencies: description: A collection of utility pages for monitoring data processing. -home: "https://github.com/lsst-dm/production_tools" +sources: + - https://github.com/lsst-dm/production_tools appVersion: 0.0.17 diff --git a/services/production-tools/README.md b/services/production-tools/README.md index c589e89ba0..75a7de56df 100644 --- a/services/production-tools/README.md +++ b/services/production-tools/README.md @@ -2,7 +2,9 @@ A collection of utility pages for monitoring data processing. -**Homepage:** +## Source Code + +* ## Values From db89ac58ab15fa69044565ad86535e108703519b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 3 Nov 2022 16:16:01 -0700 Subject: [PATCH 1256/1479] Improve semaphore and sherlock docs --- docs/applications/semaphore/index.rst | 2 +- docs/applications/sherlock/index.rst | 2 +- services/sherlock/Chart.yaml | 8 +++++--- services/sherlock/README.md | 6 +++++- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/docs/applications/semaphore/index.rst b/docs/applications/semaphore/index.rst index 05755a6773..438a37e47a 100644 
--- a/docs/applications/semaphore/index.rst +++ b/docs/applications/semaphore/index.rst @@ -7,7 +7,7 @@ semaphore — User notification Semaphore is the user notification and messaging service for the Rubin Science Platform. UI applications like :px-app:`squareone` can display messages from Semaphore's API. -Edit broadcast messages for SQuaRE-managed environments at https://github.com/lsst-sqre/rsp_broadcast. +Edit broadcast messages for SQuaRE-managed environments at `lsst-sqre/rsp_broadcast `__. .. jinja:: semaphore :file: applications/_summary.rst.jinja diff --git a/docs/applications/sherlock/index.rst b/docs/applications/sherlock/index.rst index 22fc0d42ab..45d08b943b 100644 --- a/docs/applications/sherlock/index.rst +++ b/docs/applications/sherlock/index.rst @@ -4,7 +4,7 @@ sherlock — App ingress status and metrics ######################################### -Sherlock collects service status and metrics from ingress logs. +Sherlock collects service status and metrics from :px-app:`ingress-nginx` logs and can aggregate them across environments. .. jinja:: sherlock :file: applications/_summary.rst.jinja diff --git a/services/sherlock/Chart.yaml b/services/sherlock/Chart.yaml index d9c7052674..4ca1fede5c 100644 --- a/services/sherlock/Chart.yaml +++ b/services/sherlock/Chart.yaml @@ -1,6 +1,8 @@ apiVersion: v2 -appVersion: 0.1.8 -description: A Helm chart for Kubernetes name: sherlock type: application -version: 0.1.13 +version: 1.0.0 +description: Application ingress status and metrics +sources: + - https://github.com/lsst-sqre/sherlock +appVersion: 0.1.8 diff --git a/services/sherlock/README.md b/services/sherlock/README.md index c18bd816c7..4271d73046 100644 --- a/services/sherlock/README.md +++ b/services/sherlock/README.md @@ -1,6 +1,10 @@ # sherlock -A Helm chart for Kubernetes +Application ingress status and metrics + +## Source Code + +* ## Values From 2c55f5fa64066e3afc09bf63dddfc655453b51f3 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 4 Nov 2022 08:50:18 -0700 Subject: [PATCH 1257/1479] Update Strimzi-related documentation Note that the strimzi-registry-operator service is only for alert-stream-broker, but the strimzi service is used by both it and Sasquatch. Add some additional links. --- docs/_rst_epilog.rst | 1 + docs/applications/strimzi-registry-operator/index.rst | 5 ++++- docs/applications/strimzi/index.rst | 9 +++++---- services/strimzi-registry-operator/Chart.yaml | 2 ++ services/strimzi/Chart.yaml | 3 ++- 5 files changed, 14 insertions(+), 6 deletions(-) diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst index 6e044e87d7..cc789ce88b 100644 --- a/docs/_rst_epilog.rst +++ b/docs/_rst_epilog.rst @@ -4,6 +4,7 @@ .. _Argo CD: https://argoproj.github.io/argo-cd/ .. _CILogon: https://www.cilogon.org/home .. _ConfigMap: https://kubernetes.io/docs/concepts/configuration/configmap/ +.. _Confluent Schema Registry: https://docs.confluent.io/current/schema-registry/index.html .. _Data Management workflow guide: https://developer.lsst.io/work/flow.html .. _Deployments: .. _Deployment: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ diff --git a/docs/applications/strimzi-registry-operator/index.rst b/docs/applications/strimzi-registry-operator/index.rst index 1a69450bc1..6e0cd951c4 100644 --- a/docs/applications/strimzi-registry-operator/index.rst +++ b/docs/applications/strimzi-registry-operator/index.rst 
@@ -4,7 +4,10 @@ strimzi-registry-operator — Schema registry for Alert Broker ############################################################ -The Strimzi Registry Operator operates a Confluence Schema Registry for Strimzi-based Kafka clusters. +:px-app:`alert-stream-broker` uses `Apache Kafka`_ as the mechanism for publishing alerts. +The `Confluent Schema Registry`_ for that Kafka cluster is created and managed by this installation of the Strimzi Registry Operator. + +Note that :px-app:`sasquatch` includes a separate installation of the Strimzi Registry Operator to manage its Confluent Schema Registry. .. jinja:: strimzi-registry-operator :file: applications/_summary.rst.jinja diff --git a/docs/applications/strimzi/index.rst b/docs/applications/strimzi/index.rst index d464b7707a..0b3fdec5c9 100644 --- a/docs/applications/strimzi/index.rst +++ b/docs/applications/strimzi/index.rst @@ -1,10 +1,11 @@ .. px-app:: strimzi -################################## -strimzi — Strimzi for Alert Broker -################################## +############################### +strimzi — Kafka cluster manager +############################### -Strimzi is an operator for Kafka clusters. +The ``strimzi`` application is an installation of the `Strimzi Kafka Operator `__, used to manage `Apache Kafka`_ installations in the Rubin Science Platform. +It is used by both :px-app:`alert-stream-broker` and :px-app:`sasquatch` to create their respective Kafka clusters. .. jinja:: strimzi :file: applications/_summary.rst.jinja diff --git a/services/strimzi-registry-operator/Chart.yaml b/services/strimzi-registry-operator/Chart.yaml index 42402847eb..f236549ad6 100644 --- a/services/strimzi-registry-operator/Chart.yaml +++ b/services/strimzi-registry-operator/Chart.yaml @@ -1,6 +1,8 @@ apiVersion: v2 name: strimzi-registry-operator version: 1.1.0 +sources: + - https://github.com/lsst-sqre/strimzi-registry-operator dependencies: - name: strimzi-registry-operator version: 2.1.0 
diff --git a/services/strimzi/Chart.yaml b/services/strimzi/Chart.yaml index a6198ed057..1f020ba2ff 100644 --- a/services/strimzi/Chart.yaml +++ b/services/strimzi/Chart.yaml @@ -1,8 +1,9 @@ apiVersion: v2 name: strimzi -description: Strimzi Kafka Operator, https://strimzi.io type: application version: 0.1.0 +description: Strimzi Kafka Operator +home: https://strimzi.io appVersion: "0.26.0" dependencies: - name: strimzi-kafka-operator From 24c7e76f14bfa45f4ccce2f4809d8c958e90b1d0 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 4 Nov 2022 11:55:32 -0700 Subject: [PATCH 1258/1479] Update TAP documentation Move the TAP schema update documentation to the tap-schema app and make sure there are enough links so that it's easy to find. Restructure the documentation a bit and add some more links. --- docs/_rst_epilog.rst | 6 ++++- docs/applications/tap-schema/index.rst | 4 ++++ docs/applications/tap-schema/notes.rst | 13 +++++++++++ docs/applications/tap-schema/upgrade.rst | 25 +++++++++++++++++++++ docs/applications/tap/index.rst | 11 +++++---- docs/applications/tap/notes.rst | 4 ++-- docs/applications/tap/update-tap-schema.rst | 14 ------------ docs/applications/tap/upgrade.rst | 9 -------- services/tap-schema/Chart.yaml | 3 ++- services/tap-schema/README.md | 4 +++- services/tap/Chart.yaml | 6 +++-- services/tap/README.md | 7 ++++-- 12 files changed, 70 insertions(+), 36 deletions(-) create mode 100644 docs/applications/tap-schema/notes.rst create mode 100644 docs/applications/tap-schema/upgrade.rst delete mode 100644 docs/applications/tap/update-tap-schema.rst delete mode 100644 docs/applications/tap/upgrade.rst diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst index cc789ce88b..cf2ab7acf9 100644 --- a/docs/_rst_epilog.rst +++ b/docs/_rst_epilog.rst 
@@ -11,6 +11,7 @@ .. _Docker: https://www.docker.com/ .. _Documentation Style Guide: https://developer.lsst.io/user-docs/index.html .. _FastAPI: https://fastapi.tiangolo.com/ +.. _Felis: https://felis.lsst.io/ .. _Google Documentation Style Guide: https://developers.google.com/style/ .. _Google Filestore: https://cloud.google.com/filestore .. _Helm: https://helm.sh @@ -21,9 +22,11 @@ .. _LSST Vault Utilites: https://github.com/lsst-sqre/lsstvaultutils/ .. _Namespace: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ .. _`lsst-sqre/phalanx`: +.. _ObsTAP: https://www.ivoa.net/documents/ObsCore/ .. _Phalanx repository: https://github.com/lsst-sqre/phalanx .. _Pods: .. _Pod: https://kubernetes.io/docs/concepts/workloads/pods/ +.. _pre-commit: https://pre-commit.com .. _Roundtable: https://roundtable.lsst.io/ .. _Safir: https://safir.lsst.io/ .. _Secret: https://kubernetes.io/docs/concepts/configuration/secret/ @@ -31,8 +34,9 @@ .. _Services: .. _Service: https://kubernetes.io/docs/concepts/services-networking/service/ .. _Sphinx: https://www.sphinx-doc.org/en/master/ +.. _TAP: https://www.ivoa.net/documents/TAP/ .. _tox: https://tox.wiki/en/latest/ -.. _pre-commit: https://pre-commit.com +.. _UWS: https://www.ivoa.net/documents/UWS/ .. _Vault: https://www.vaultproject.io/ .. _Vault Secrets Operator: https://github.com/ricoberger/vault-secrets-operator .. _venv: https://packaging.python.org/en/latest/guides/installing-using-pip-and-virtual-environments/#creating-a-virtual-environment diff --git a/docs/applications/tap-schema/index.rst b/docs/applications/tap-schema/index.rst index 6ca95a5755..ee558bd129 100644 --- a/docs/applications/tap-schema/index.rst +++ b/docs/applications/tap-schema/index.rst 
@@ -5,14 +5,18 @@ tap-schema — TAP schemas ######################## The TAP schema database, for the :px-app:`tap` application. +This database is generated directly from the canonical Felis_ description of the project database schemas. .. jinja:: tap-schema :file: applications/_summary.rst.jinja + Guides ====== .. toctree:: :maxdepth: 1 + notes + upgrade values diff --git a/docs/applications/tap-schema/notes.rst b/docs/applications/tap-schema/notes.rst new file mode 100644 index 0000000000..ec9350303e --- /dev/null +++ b/docs/applications/tap-schema/notes.rst @@ -0,0 +1,13 @@ +.. px-app-notes:: tap-schema + +################################# +tap-schema architecture and notes +################################# + +The TAP schema may vary by environment, depending on the tables and data available in that environment. +This is controlled by the `build-all script in the lsst/sdm_schemas repository `__. + +Each variation of the schema is represented by a different Docker image, which is a MySQL server with the appropriate data preloaded. +Whenever a new version of `lsst/sdm_schemas `__ is tagged, GitHub Actions builds and pushes all of those Docker images. + +Each Science Platform environment then selects the schema to deploy by configuring which Docker image to use in its ``values-.yaml`` file. diff --git a/docs/applications/tap-schema/upgrade.rst b/docs/applications/tap-schema/upgrade.rst new file mode 100644 index 0000000000..d7fb02f361 --- /dev/null +++ b/docs/applications/tap-schema/upgrade.rst 
@@ -0,0 +1,25 @@ +.. px-app-upgrade:: tap-schema + +#################### +Upgrading tap-schema +#################### + +Upgrading the tap-schema Argo CD application itself requires no special steps. +Syncing the Argo CD application is all that's required. +The new schema will automatically be picked up by the TAP service. + +Releasing a new schema version +============================== + +When a new version of the project schema is ready for deployment, use the following procedure: + +#. Ensure all PRs to `lsst/sdm_schemas `__ that should go into the new release have been merged. + +#. Make a new GitHub release of sdm_schemas with a new `semantic versioning`_ version number (such as ``1.1.5``). + (Ignore the other tags in the repository, such as ``w.2022.45``, created by other Rubin release processes.) + This will create a tag and run the publishing pipeline GitHub Action. + That, in turn, will run Felis_ against the YAML schema files in the ``yml`` directory and build the Docker images for the different supported environments. + +#. Update the ``appVersion`` field to the version of the new release in `/services/tap-schema/Chart.yaml `__. + +#. Sync the tap-schema Argo CD application on affected environments as normal. diff --git a/docs/applications/tap/index.rst b/docs/applications/tap/index.rst index 7a2edb028a..56bedb616b 100644 --- a/docs/applications/tap/index.rst +++ b/docs/applications/tap/index.rst 
@@ -4,9 +4,14 @@ tap — IVOA Table Access Protocol ################################ -TAP (Table Access Protocol) is an IVOA_ service that provides access to general table data, including astronomical catalogs. +TAP_ (Table Access Protocol) is an IVOA_ service that provides access to general table data, including astronomical catalogs. On the Rubin Science Platform, it is provided by `lsst-tap-service `__, which is derived from the `CADC TAP service `__. -The data itself, apart from schema queries, comes from Qserv. +The same service provides both TAP and ObsTAP_ schemas. + +The TAP data itself, apart from schema queries, comes from Qserv. +The TAP schema is provided by the separate :px-app:`tap-schema` application. + +See :px-app-upgrade:`tap-schema` for information on how to update the TAP schema. .. jinja:: tap :file: applications/_summary.rst.jinja @@ -18,6 +23,4 @@ Guides .. toctree:: notes - upgrade - update-tap-schema values diff --git a/docs/applications/tap/notes.rst b/docs/applications/tap/notes.rst index 1015a6bfbe..002e46f01f 100644 --- a/docs/applications/tap/notes.rst +++ b/docs/applications/tap/notes.rst @@ -1,10 +1,10 @@ .. px-app-notes:: tap ########################## -tap architecture and notes +TAP architecture and notes ########################## -The ``tap`` application consists of the TAP Java web application, a PostgreSQL database used to track user job submissions, and (on development deployments) a mock version of Qserv. +The ``tap`` application consists of the TAP Java web application, a PostgreSQL database used to track user job submissions (the backing store for the UWS_ protocol), and (on development deployments) a mock version of Qserv. .. diagrams:: notebook-tap.py diff --git a/docs/applications/tap/update-tap-schema.rst b/docs/applications/tap/update-tap-schema.rst deleted file mode 100644 index 2981b10319..0000000000 --- a/docs/applications/tap/update-tap-schema.rst +++ /dev/null 
@@ -1,14 +0,0 @@ -############################### -Update the ``TAP_SCHEMA`` table -############################### - -The ``TAP_SCHEMA`` table stores information about the tables available in a given installation of the Rubin Science Platform. -This table is kept in sync with the felis files using the following process: - -#. Make a PR to the `sdm_schemas repository `__ with a change to a felis YAML file. -#. After this is merged, make a GitHub release of sdm_schemas with a new semver version number. - (Ignore the weekly tags that are added by other processes.) - This will create a tag and run a publishing pipeline GitHub Action. - That publishing pipeline will run the Python felis library against the YAML files in the ``yml`` directory and make different Docker images for the different supported environments. - It will then push the images to DockerHub. -#. Update the ``appVersion`` version to the version of the new release in the `tap-schema Phalanx application `__. diff --git a/docs/applications/tap/upgrade.rst b/docs/applications/tap/upgrade.rst deleted file mode 100644 index e350790841..0000000000 --- a/docs/applications/tap/upgrade.rst +++ /dev/null @@ -1,9 +0,0 @@ -.. px-app-upgrade:: tap - -############# -Upgrading tap -############# - -Upgrading :px-app:`tap` normally only requires an Argo CD sync. - -To update TAP's schema, see :doc:`update-tap-schema`. diff --git a/services/tap-schema/Chart.yaml b/services/tap-schema/Chart.yaml index d3fd0eead6..06017de370 100644 --- a/services/tap-schema/Chart.yaml +++ b/services/tap-schema/Chart.yaml @@ -2,5 +2,6 @@ apiVersion: v2 name: tap-schema version: 1.0.0 description: The TAP_SCHEMA database -home: https://github.com/lsst/sdm_schemas +sources: + - https://github.com/lsst/sdm_schemas appVersion: 1.2.3 diff --git a/services/tap-schema/README.md b/services/tap-schema/README.md index 972532b185..4c53f0c3ef 100644 --- a/services/tap-schema/README.md +++ b/services/tap-schema/README.md 
@@ -2,7 +2,9 @@
The TAP_SCHEMA database
-**Homepage:**
+## Source Code
+
+*
## Values
diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml
index 2079821303..c4c818bbaa 100644
--- a/services/tap/Chart.yaml
+++ b/services/tap/Chart.yaml
@@ -1,6 +1,8 @@
apiVersion: v2
name: cadc-tap
version: 1.0.0
-description: VO TAP service for the Rubin Science Platform
-home: https://github.com/lsst-sqre/lsst-tap-service
+description: IVOA TAP service
+sources:
+ - https://github.com/lsst-sqre/lsst-tap-service
+ - https://github.com/opencadc/tap
appVersion: 1.4.0
diff --git a/services/tap/README.md b/services/tap/README.md
index 8decd038b5..4829936546 100644
--- a/services/tap/README.md
+++ b/services/tap/README.md
@@ -1,8 +1,11 @@
# cadc-tap
-VO TAP service for the Rubin Science Platform
+IVOA TAP service
-**Homepage:**
+## Source Code
+
+*
+*
## Values
From 1cfadc2e245fcf41c1aa325e2e232372d0c025a1 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 4 Nov 2022 12:29:27 -0700
Subject: [PATCH 1259/1479] Flesh out telegraf and telegraf-ds docs
Add home and sources links and flesh out the application descriptions a little.
---
docs/_rst_epilog.rst | 2 ++
docs/applications/telegraf-ds/index.rst | 11 +++++++----
docs/applications/telegraf/index.rst | 11 +++++++----
services/telegraf-ds/Chart.yaml | 6 +++++-
services/telegraf-ds/README.md | 9 ++++++++-
services/telegraf/Chart.yaml | 6 +++++-
services/telegraf/README.md | 9 ++++++++-
7 files changed, 42 insertions(+), 12 deletions(-)
diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst
index cf2ab7acf9..d140588cc4 100644
--- a/docs/_rst_epilog.rst
+++ b/docs/_rst_epilog.rst
@@ -17,6 +17,7 @@
.. _Helm: https://helm.sh
.. _helm-docs: https://github.com/norwoodj/helm-docs
.. _Ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/
+.. _InfluxDB: https://www.influxdata.com/
.. _IVOA: https://ivoa.net/documents/
.. _Kubernetes: https://kubernetes.io/
.. _LSST Vault Utilites: https://github.com/lsst-sqre/lsstvaultutils/
@@ -35,6 +36,7 @@
.. _Service: https://kubernetes.io/docs/concepts/services-networking/service/
.. _Sphinx: https://www.sphinx-doc.org/en/master/
.. _TAP: https://www.ivoa.net/documents/TAP/
+.. _Telegraf: https://www.influxdata.com/time-series-platform/telegraf/
.. _tox: https://tox.wiki/en/latest/
.. _UWS: https://www.ivoa.net/documents/UWS/
.. _Vault: https://www.vaultproject.io/
diff --git a/docs/applications/telegraf-ds/index.rst b/docs/applications/telegraf-ds/index.rst
index 05cd5310b4..d4b963b769 100644
--- a/docs/applications/telegraf-ds/index.rst
+++ b/docs/applications/telegraf-ds/index.rst
@@ -1,10 +1,13 @@
.. px-app:: telegraf-ds
-#########################################
-telegraf-ds — SQuaRE telemetry collection
-#########################################
+###########################################
+telegraf-ds — Per-node telemetry collection
+###########################################
-SQuaRE DaemonSet (K8s) telemetry collection service.
+Telegraf_ is used to gather system metrics about the services running on the Science Platform and send them to a central InfluxDB_ service, where they can be used for dashboards and alerting.
+
+This application deploys a Kubernetes ``DaemonSet`` to gather metrics from every node on the cluster.
+For application-level metrics gathering, see the :px-app:`telegraf` application.
.. jinja:: telegraf-ds
:file: applications/_summary.rst.jinja
diff --git a/docs/applications/telegraf/index.rst b/docs/applications/telegraf/index.rst
index 96061d95b1..f09a4f429f 100644
--- a/docs/applications/telegraf/index.rst
+++ b/docs/applications/telegraf/index.rst
@@ -1,10 +1,13 @@
.. px-app:: telegraf
-######################################
-telegraf — SQuaRE telemetry collection
-######################################
+###########################################
+telegraf — Application telemetry collection
+###########################################
-SQuaRE telemetry collection service.
+Telegraf_ is used to gather system metrics about the services running on the Science Platform and send them to a central InfluxDB_ service, where they can be used for dashboards and alerting.
+
+This application gathers application-level metrics.
+For node-level metrics gathering, see the :px-app:`telegraf-ds` application.
.. jinja:: telegraf
:file: applications/_summary.rst.jinja
diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml
index 3224a33e50..1cb52d439d 100644
--- a/services/telegraf-ds/Chart.yaml
+++ b/services/telegraf-ds/Chart.yaml
@@ -1,7 +1,11 @@
apiVersion: v2
name: telegraf-ds
version: 1.0.0
-description: SQuaRE DaemonSet (K8s) telemetry collection service
+description: Kubernetes node telemetry collection service
+home: https://www.influxdata.com/time-series-platform/telegraf/
+sources:
+ - https://github.com/influxdata/telegraf
+ - https://github.com/influxdata/helm-charts
dependencies: - name: telegraf-ds version: 1.1.4
diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md
index 6ecb49e95b..58ecb92182 100644
--- a/services/telegraf-ds/README.md
+++ b/services/telegraf-ds/README.md
@@ -1,6 +1,13 @@
# telegraf-ds
-SQuaRE DaemonSet (K8s) telemetry collection service
+Kubernetes node telemetry collection service
+
+**Homepage:**
+
+## Source Code
+
+*
+*
## Requirements
diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml
index dc35fe8bef..355aa11cb2 100644
--- a/services/telegraf/Chart.yaml
+++ b/services/telegraf/Chart.yaml
@@ -1,7 +1,11 @@
apiVersion: v2
name: telegraf
version: 1.0.1
-description: SQuaRE telemetry collection service
+description: Application telemetry collection service
+home: https://www.influxdata.com/time-series-platform/telegraf/
+sources:
+ - https://github.com/influxdata/telegraf
+ - https://github.com/influxdata/helm-charts
dependencies: - name: telegraf version: 1.8.22
diff --git a/services/telegraf/README.md b/services/telegraf/README.md
index 69755c73e3..354c28a746 100644
--- a/services/telegraf/README.md
+++ b/services/telegraf/README.md
@@ -1,6 +1,13 @@
# telegraf
-SQuaRE telemetry collection service
+Application telemetry collection service
+
+**Homepage:**
+
+## Source Code
+
+*
+*
## Requirements
From 1e530b99c822d30ca9805a2ace1223692b65f813 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 4 Nov 2022 12:41:05 -0700
Subject: [PATCH 1260/1479] Edit Vault Secrets Operator docs
Add additional links to its Chart.yaml.
---
docs/about/secrets.rst | 2 +-
.../vault-secrets-operator/bootstrap.rst | 4 +++-
docs/applications/vault-secrets-operator/index.rst | 6 +-----
.../applications/vault-secrets-operator/upgrade.rst | 5 +++--
docs/developers/add-a-onepassword-secret.rst | 4 ++--
services/vault-secrets-operator/Chart.yaml | 13 ++++++++++---
services/vault-secrets-operator/README.md | 4 ++++
7 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/docs/about/secrets.rst b/docs/about/secrets.rst
index 75d53fe5ae..879b841dd8 100644
--- a/docs/about/secrets.rst
+++ b/docs/about/secrets.rst
@@ -13,7 +13,7 @@ Vault
Argo CD allows all application configurations to be checked into Git and deployed from that repository.
However, many application configurations require some secrets such as random numbers, certificates, or passwords.
These obviously cannot be committed to a public repository.
-We instead use `Vault`_ to store secrets and then materialize them in Kubernetes using :ref:`vault-secrets-operator`.
+We instead use `Vault`_ to store secrets and then materialize them in Kubernetes using :px-app:`vault-secrets-operator`.
.. _Vault: https://www.vaultproject.io/
diff --git a/docs/applications/vault-secrets-operator/bootstrap.rst b/docs/applications/vault-secrets-operator/bootstrap.rst
index b2a5c72aa7..d8a5fa7c54 100644
--- a/docs/applications/vault-secrets-operator/bootstrap.rst
+++ b/docs/applications/vault-secrets-operator/bootstrap.rst
@@ -21,5 +21,7 @@ Its secret will look like this:
VAULT_TOKEN:
VAULT_TOKEN_LEASE_DURATION: 86400
-Replace ```` with the ``read`` Vault token for the path ``secret/k8s_operator/`` in Vault.
+Replace ```` with the ``read`` Vault token for the path ``secret/k8s_operator/`` in Vault (or whatever Vault enclave you plan to use for this Phalanx environment).
+The path must match the path configured in ``values-.yaml`` in `/science-platform `__.
+
See :dmtn:`112` for more information.
diff --git a/docs/applications/vault-secrets-operator/index.rst b/docs/applications/vault-secrets-operator/index.rst
index 37029f4dcf..24a1d0dbda 100644
--- a/docs/applications/vault-secrets-operator/index.rst
+++ b/docs/applications/vault-secrets-operator/index.rst
@@ -1,15 +1,11 @@
.. px-app:: vault-secrets-operator
-.. _vault-secrets-operator:
-
############################################
vault-secrets-operator — Vault to Kubernetes
############################################
The ``vault-secrets-operator`` application is an installation of `Vault Secrets Operator`_ to retrieve necessary secrets from Vault and materialize them as Kubernetes secrets for the use of other applications.
-It processes ``VaultSecret`` resources defined in the `phalanx repository`_ and creates corresponding Kubernetes Secret_ resources.
-
-See :dmtn:`112` for the LSST Vault design.
+It processes ``VaultSecret`` resources defined in the `Phalanx repository`_ and creates corresponding Kubernetes Secret_ resources.
.. jinja:: vault-secrets-operator
:file: applications/_summary.rst.jinja
diff --git a/docs/applications/vault-secrets-operator/upgrade.rst b/docs/applications/vault-secrets-operator/upgrade.rst
index 5f8451d292..2cc6551c19 100644
--- a/docs/applications/vault-secrets-operator/upgrade.rst
+++ b/docs/applications/vault-secrets-operator/upgrade.rst
@@ -7,6 +7,7 @@ Upgrading vault-secrets-operator
Upgrading to newer upstream releases of the Helm chart is normally simple and straightforward.
We have no significant local customization.
-After upgrading, check that Vault Secrets Operator is still working properly by finding a ``VaultSecret`` and ``Secret`` resource pair in the Argo CD dashboard and deleting the ``Secret`` resource.
+If you want to verify that an upgrade has been successful, or if at any point you want to verify that Vault Secrets Operator is still working, find a ``VaultSecret`` and ``Secret`` resource pair in the Argo CD dashboard and delete the ``Secret`` resource.
It should be nearly immediately re-created from the ``VaultSecret`` resource by Vault Secrets Operator.
-The Gafaelfawr secret is a good one to use for this purpose since it is only read during Gafaelfawr start-up.
+
+The Gafaelfawr secret is a good one to use for this purpose since it is only read during Gafaelfawr start-up, so deleting the ``Secret`` resource won't cause an outage.
diff --git a/docs/developers/add-a-onepassword-secret.rst b/docs/developers/add-a-onepassword-secret.rst
index c12dbc8f95..6981c6ae96 100644
--- a/docs/developers/add-a-onepassword-secret.rst
+++ b/docs/developers/add-a-onepassword-secret.rst
@@ -2,7 +2,7 @@
Add a secret with 1Password and VaultSecret
###########################################
-Static secrets for applications are stored in a 1Password vault before being automatically synced to the Vault service itself and ultimately to Kubernetes Secret_ resources via :ref:`vault-secrets-operator`.
+Static secrets for applications are stored in a 1Password vault before being automatically synced to the Vault service itself and ultimately to Kubernetes Secret_ resources via :px-app:`vault-secrets-operator`.
Such secrets are things for external cloud services where we don't automatically provision accounts and password.
When we manually create such a secret, we store it in 1Password.
This page provides steps for adding an application secret through 1Password.
@@ -49,7 +49,7 @@ Each item in a Kubernetes ``Secret`` corresponds to either the contents of a sec
{{application}} {{secret name}}
- This field provides part of a Vault path for the secret value, which in turn is used by :ref:`vault-secrets-operator` resources to create Kubernetes secrets.
+ This field provides part of a Vault path for the secret value, which in turn is used by :px-app:`vault-secrets-operator` resources to create Kubernetes secrets.
- Add a metadata field labeled ``environment``. The value of that field should be the **hostname** of the RSP environment that this secret applies to (e.g. ``data.lsst.cloud``, not the Phalanx name ``idfprod``).
diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml
index 9839520b20..d1b9033941 100644
--- a/services/vault-secrets-operator/Chart.yaml
+++ b/services/vault-secrets-operator/Chart.yaml
@@ -1,7 +1,14 @@
apiVersion: v2
name: vault-secrets-operator
version: 1.0.0
+sources:
+ - https://github.com/ricoberger/vault-secrets-operator
dependencies:
-- name: vault-secrets-operator
- version: 1.19.6
- repository: https://ricoberger.github.io/helm-charts/
+ - name: vault-secrets-operator
+ version: 1.19.6
+ repository: https://ricoberger.github.io/helm-charts/
+annotations:
+ phalanx.lsst.io/docs: |
+ - id: "DMTN-112"
+ title: "LSST DM Vault"
+ url: "https://dmtn-112.lsst.io/"
diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md
index 2dc3e19a31..6ef772c809 100644
--- a/services/vault-secrets-operator/README.md
+++ b/services/vault-secrets-operator/README.md
@@ -1,5 +1,9 @@
# vault-secrets-operator
+## Source Code
+
+*
+
## Requirements
| Repository | Name | Version |
From 7ff1bdff0cba43fdec9d4ebf5fd9839382446914 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 4 Nov 2022 12:48:18 -0700
Subject: [PATCH 1261/1479] Flesh out vo-cutouts documentation
---
docs/_rst_epilog.rst | 2 ++
docs/applications/vo-cutouts/index.rst | 4 +++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/docs/_rst_epilog.rst b/docs/_rst_epilog.rst
index d140588cc4..42dd4962ea 100644
--- a/docs/_rst_epilog.rst
+++ b/docs/_rst_epilog.rst
@@ -5,6 +5,7 @@
.. _CILogon: https://www.cilogon.org/home
.. _ConfigMap: https://kubernetes.io/docs/concepts/configuration/configmap/
.. _Confluent Schema Registry: https://docs.confluent.io/current/schema-registry/index.html
+.. _DataLink: https://www.ivoa.net/documents/DataLink/
.. _Data Management workflow guide: https://developer.lsst.io/work/flow.html
.. _Deployments:
.. _Deployment: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
@@ -34,6 +35,7 @@
.. _semantic versioning: https://semver.org/
.. _Services:
.. _Service: https://kubernetes.io/docs/concepts/services-networking/service/
+.. _SODA: https://ivoa.net/documents/SODA/
.. _Sphinx: https://www.sphinx-doc.org/en/master/
.. _TAP: https://www.ivoa.net/documents/TAP/
.. _Telegraf: https://www.influxdata.com/time-series-platform/telegraf/
diff --git a/docs/applications/vo-cutouts/index.rst b/docs/applications/vo-cutouts/index.rst
index 866f45e82f..f50cbbdfbc 100644
--- a/docs/applications/vo-cutouts/index.rst
+++ b/docs/applications/vo-cutouts/index.rst
@@ -4,7 +4,9 @@
vo-cutouts — IVOA SODA image cutouts
####################################
-Image cutout service that implements the IVOA SODA specification.
+``vo-cutouts`` provides image cutouts via an API complying with the IVOA_ SODA_ specification.
+It is returned as part of the DataLink_ record for images found via TAP searches and is used by the Portal Aspect (see :px-app:`portal`) to obtain cutouts.
+It can also be used directly by any other IVOA-compatible client.
.. jinja:: vo-cutouts
:file: applications/_summary.rst.jinja
From 4089d2d39f45e734ca920fc5f23c595c2d059a33 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 4 Nov 2022 12:56:22 -0700
Subject: [PATCH 1262/1479] Add additional links
Add home pages and sources links for more applications.
---
services/alert-stream-broker/Chart.yaml | 3 +++
services/alert-stream-broker/README.md | 5 +++++
services/argocd/Chart.yaml | 4 ++++
services/argocd/README.md | 7 +++++++
services/cert-manager/Chart.yaml | 3 +++
services/cert-manager/README.md | 6 ++++++
services/ingress-nginx/Chart.yaml | 3 +++
services/ingress-nginx/README.md | 6 ++++++
8 files changed, 37 insertions(+)
diff --git a/services/alert-stream-broker/Chart.yaml b/services/alert-stream-broker/Chart.yaml
index d2b3080047..88f46b2c94 100644
--- a/services/alert-stream-broker/Chart.yaml
+++ b/services/alert-stream-broker/Chart.yaml
@@ -2,6 +2,9 @@ apiVersion: v2
name: alert-stream-broker
version: "3"
description: Alert transmission to community brokers
+sources:
+ - https://github.com/lsst-dm/alert_database_ingester
+ - https://github.com/lsst-dm/alert-stream-simulator
dependencies: - name: alert-stream-broker version: 2.5.1
diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md
index b71982a188..c6bf42365a 100644
--- a/services/alert-stream-broker/README.md
+++ b/services/alert-stream-broker/README.md
@@ -2,6 +2,11 @@
Alert transmission to community brokers
+## Source Code
+
+*
+*
+
## Requirements
| Repository | Name | Version |
diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml
index 152c42ce60..6b6e943ac4 100644
--- a/services/argocd/Chart.yaml
+++ b/services/argocd/Chart.yaml
@@ -2,6 +2,10 @@ apiVersion: v2
name: argo-cd
version: 1.0.0
description: Kubernetes application manager
+home: https://argoproj.github.io/cd/
+sources:
+ - https://github.com/argoproj/argo-cd
+ - https://github.com/argoproj/argo-helm
dependencies: - name: argo-cd version: 5.6.3
diff --git a/services/argocd/README.md b/services/argocd/README.md
index b1d9fbab03..216b3330ca 100644
--- a/services/argocd/README.md
+++ b/services/argocd/README.md
@@ -2,6 +2,13 @@
Kubernetes application manager
+**Homepage:**
+
+## Source Code
+
+*
+*
+
## Requirements
| Repository | Name | Version |
diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml
index 673feb8ba1..40c8f29459 100644
--- a/services/cert-manager/Chart.yaml
+++ b/services/cert-manager/Chart.yaml
@@ -2,6 +2,9 @@ apiVersion: v2
name: cert-manager
version: 1.0.0
description: TLS certificate manager
+home: https://cert-manager.io/
+sources:
+ - https://github.com/cert-manager/cert-manager
dependencies: - name: cert-manager version: v1.10.0
diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md
index b2f15fa7a8..1bb8a31def 100644
--- a/services/cert-manager/README.md
+++ b/services/cert-manager/README.md
@@ -2,6 +2,12 @@
TLS certificate manager
+**Homepage:**
+
+## Source Code
+
+*
+
## Requirements
| Repository | Name | Version |
diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml
index 7e56344af0..8d49f066c9 100644
--- a/services/ingress-nginx/Chart.yaml
+++ b/services/ingress-nginx/Chart.yaml
@@ -2,6 +2,9 @@ apiVersion: v2
name: ingress-nginx
version: 1.0.0
description: Ingress controller
+home: https://kubernetes.github.io/ingress-nginx/
+sources:
+ - https://github.com/kubernetes/ingress-nginx
dependencies: - name: ingress-nginx version: 4.3.0
diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md
index 5ff320aba4..a53965e719 100644
--- a/services/ingress-nginx/README.md
+++ b/services/ingress-nginx/README.md
@@ -2,6 +2,12 @@
Ingress controller
+**Homepage:**
+
+## Source Code
+
+*
+
## Requirements
| Repository | Name | Version |
From c23a6eb136b5f49c604acffdb711c3286d381cf9 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 4 Nov 2022 13:05:32 -0700
Subject: [PATCH 1263/1479] Editing pass on environment pages
Put the environment code names in a fixed-width font. Add a link to the documentation page on how to use minikube for local development.
---
docs/environments/base/index.rst | 2 +-
docs/environments/ccin2p3/index.rst | 2 +-
docs/environments/idfdev/index.rst | 4 ++--
docs/environments/idfint/index.rst | 4 ++--
docs/environments/idfprod/index.rst | 4 ++--
docs/environments/minikube/index.rst | 7 +++++--
docs/environments/roe/index.rst | 2 +-
docs/environments/summit/index.rst | 4 ++--
docs/environments/tucson-teststand/index.rst | 2 +-
9 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/docs/environments/base/index.rst b/docs/environments/base/index.rst
index 6016690152..df3bec85ba 100644
--- a/docs/environments/base/index.rst
+++ b/docs/environments/base/index.rst
@@ -4,7 +4,7 @@
base — base-lsp.lsst.codes (La Serena)
######################################
-base is the environment for the Rubin Science Platform at the Rubin Base facility in La Serena.
+``base`` is the environment for the Rubin Science Platform at the Rubin Base facility in La Serena.
.. jinja:: base
:file: environments/_summary.rst.jinja
diff --git a/docs/environments/ccin2p3/index.rst b/docs/environments/ccin2p3/index.rst
index d81e98f2c7..733aa9b0ca 100644
--- a/docs/environments/ccin2p3/index.rst
+++ b/docs/environments/ccin2p3/index.rst
@@ -4,7 +4,7 @@
ccin2p3 — data-dev.lsst.eu (French Data Facility)
#################################################
-ccin2p3 is the environment for the Rubin Science Platform at the `CC-IN2P3 `__.
+``ccin2p3`` is the environment for the Rubin Science Platform at the `CC-IN2P3 `__.
.. jinja:: ccin2p3
:file: environments/_summary.rst.jinja
diff --git a/docs/environments/idfdev/index.rst b/docs/environments/idfdev/index.rst
index 6d7d1fa5d3..bed3bed456 100644
--- a/docs/environments/idfdev/index.rst
+++ b/docs/environments/idfdev/index.rst
@@ -4,8 +4,8 @@
idfdev — data-dev.lsst.cloud (SQuaRE dev in GCP)
################################################
-idfdev is a development environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform).
-The primary use of idfdev is for application development by the SQuaRE team.
+``idfdev`` is a development environment for the Rubin Science Platform at the Interim Data Facility (IDF) hosted on Google Cloud Platform.
+The primary use of ``idfdev`` is for application development by the SQuaRE team.
.. jinja:: idfdev
:file: environments/_summary.rst.jinja
diff --git a/docs/environments/idfint/index.rst b/docs/environments/idfint/index.rst
index 20db379c0f..d1c3a25cdb 100644
--- a/docs/environments/idfint/index.rst
+++ b/docs/environments/idfint/index.rst
@@ -4,8 +4,8 @@
idfint — data-int.lsst.cloud (RSP integration in GCP)
#####################################################
-idfint is a development and integration environment for the Rubin Science Platform at the IDF (hosted on Google Cloud Platform).
-The primary use of idfint is Rubin construction and operations teams to integrate applications into the Rubin Science Platform.
+``idfint`` is a development and integration environment for the Rubin Science Platform at the Interim Data Facility (IDF) hosted on Google Cloud Platform.
+The primary use of ``idfint`` is for Rubin construction and operations teams to integrate applications into the Rubin Science Platform.
.. jinja:: idfint
:file: environments/_summary.rst.jinja
diff --git a/docs/environments/idfprod/index.rst b/docs/environments/idfprod/index.rst
index efde9dd77b..44a4a826cf 100644
--- a/docs/environments/idfprod/index.rst
+++ b/docs/environments/idfprod/index.rst
@@ -4,8 +4,8 @@
idfprod — data.lsst.cloud (Production RSP in GCP)
#################################################
-idfprod is the production environment for the Rubin Science Platform at IDF (hosted on Google Cloud Platform).
-idfprod serves as the public Rubin Science Platform for the Data Previews.
+``idfprod`` is the production environment for the Rubin Science Platform at the Interim Data Facility (IDF) hosted on Google Cloud Platform.
+``idfprod`` serves as the public Rubin Science Platform for the Data Previews.
.. jinja:: idfprod
:file: environments/_summary.rst.jinja
diff --git a/docs/environments/minikube/index.rst b/docs/environments/minikube/index.rst
index 0a9478a984..500e76e690 100644
--- a/docs/environments/minikube/index.rst
+++ b/docs/environments/minikube/index.rst
@@ -4,8 +4,11 @@
minikube — minikube.lsst.codes (GitHub Actions CI)
##################################################
-minikube is the Phalanx testing environment for the Rubin Science Platform.
-minikube is stood up in the GitHub Actions CI workflow for the phalanx environment.
+``minikube`` is the Phalanx testing environment for the Rubin Science Platform.
+minikube is stood up in the GitHub Actions CI workflow for testing pull requests to the Phalanx repository.
+
+``minikube`` can also be used locally as a development deployment of the Science Platform.
+See :doc:`/developers/local-development` for more information.
.. jinja:: minikube
:file: environments/_summary.rst.jinja
diff --git a/docs/environments/roe/index.rst b/docs/environments/roe/index.rst
index d475d9ec61..cc76a32978 100644
--- a/docs/environments/roe/index.rst
+++ b/docs/environments/roe/index.rst
@@ -4,7 +4,7 @@
roe — rsp.lsst.ac.uk (UK Data Facility)
#######################################
-roe is the environment for the Rubin Science Platform hosted at the `Royal Observatory, Edinburgh `__.
+``roe`` is the environment for the Rubin Science Platform hosted at the `Royal Observatory, Edinburgh `__.
.. jinja:: roe
:file: environments/_summary.rst.jinja
diff --git a/docs/environments/summit/index.rst b/docs/environments/summit/index.rst
index fd0450d32e..49dca48169 100644
--- a/docs/environments/summit/index.rst
+++ b/docs/environments/summit/index.rst
@@ -4,8 +4,8 @@
summit — summit-lsp.lsst.codes (Rubin Summit)
#############################################
-summit is the environment for the Rubin Science Platform at the Rubin summit.
-The primary use of summit is for observatory operations at the summit site itself.
+``summit`` is the environment for the Rubin Science Platform at the Rubin summit.
+The primary use of ``summit`` is for observatory operations at the summit site itself.
.. jinja:: summit
:file: environments/_summary.rst.jinja
diff --git a/docs/environments/tucson-teststand/index.rst b/docs/environments/tucson-teststand/index.rst
index 64d6c99fae..db03138c5a 100644
--- a/docs/environments/tucson-teststand/index.rst
+++ b/docs/environments/tucson-teststand/index.rst
@@ -4,7 +4,7 @@
tucson-teststand — tucson-teststand.lsst.codes (T&S/SITCom)
###########################################################
-tucson-teststand is the development and integration environment for the Telescope & Site and Commissioning teams, hosted out of NOIRLab in Tucson.
+``tucson-teststand`` is the development and integration environment for the Telescope & Site and Commissioning teams, hosted out of NOIRLab in Tucson, Arizona.
.. jinja:: tucson-teststand
:file: environments/_summary.rst.jinja
From c04c6af1f08aa007202cc4dad0e5d6470ed14f5d Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 4 Nov 2022 13:17:29 -0700
Subject: [PATCH 1264/1479] Fix Gafaelfawr troubleshooting cross-reference
Don't link to the top-level troubleshooting page. Instead, link to the specific section that resolves that problem.
---
docs/admin/troubleshooting.rst | 2 +-
docs/applications/gafaelfawr/troubleshoot.rst | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/admin/troubleshooting.rst b/docs/admin/troubleshooting.rst
index 87dfd49c82..103f2d9cb5 100644
--- a/docs/admin/troubleshooting.rst
+++ b/docs/admin/troubleshooting.rst
@@ -75,7 +75,7 @@ The most likely cause of this problem is that the user is not a member of a grou
Gafaelfawr will prevent the user from logging in at all if they are not a member of any group that grants access to an application.
If they are a member of at least one group, they'll be able to log in but may get permission denied errors from other application.
-**Solution:** :px-app-troubleshooting:`Gafaelfawr troubleshooting `
+**Solution:** :ref:`gafaelfawr-no-access`
You need privileged access to the filestore
===========================================
diff --git a/docs/applications/gafaelfawr/troubleshoot.rst b/docs/applications/gafaelfawr/troubleshoot.rst
index ccd8cc89fb..0a7ec6ba2b 100644
--- a/docs/applications/gafaelfawr/troubleshoot.rst
+++ b/docs/applications/gafaelfawr/troubleshoot.rst
@@ -4,6 +4,8 @@
Troubleshooting
###############
+.. _gafaelfawr-no-access:
+
User has no access to services
==============================
From 71e539cf0dc547e23b40cb783ad10b0a91ec622e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 7 Nov 2022 04:08:24 +0000
Subject: [PATCH 1265/1479] Update Helm release argo-cd to v5.13.4
---
services/argocd/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml
index 6b6e943ac4..0ae454efc0 100644
--- a/services/argocd/Chart.yaml
+++ b/services/argocd/Chart.yaml
@@ -8,5 +8,5 @@ sources: - https://github.com/argoproj/argo-helm dependencies: - name: argo-cd
- version: 5.6.3
+ version: 5.13.4
repository: https://argoproj.github.io/argo-helm
From 2e5da591c9321170006f6fee1628de6c64e0759f Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 7 Nov 2022 08:18:12 -0800
Subject: [PATCH 1266/1479] Update Helm docs
---
services/argocd/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/argocd/README.md b/services/argocd/README.md
index 216b3330ca..5306f57d0c 100644
--- a/services/argocd/README.md
+++ b/services/argocd/README.md
@@ -13,7 +13,7 @@ Kubernetes application manager
| Repository | Name | Version |
|------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 5.6.3 |
+| https://argoproj.github.io/argo-helm | argo-cd | 5.13.4 |
## Values
From ec539df7f716968baf37f84a790104a99a88d8f4 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 7 Nov 2022 04:08:17 +0000
Subject: [PATCH 1267/1479] Update Helm release telegraf-ds to v1.1.5
---
services/telegraf-ds/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml
index 1cb52d439d..fc695fb61c 100644
--- a/services/telegraf-ds/Chart.yaml
+++ b/services/telegraf-ds/Chart.yaml
@@ -8,7 +8,7 @@ sources: - https://github.com/influxdata/helm-charts dependencies: - name: telegraf-ds
- version: 1.1.4
+ version: 1.1.5
repository: https://helm.influxdata.com/
annotations:
phalanx.lsst.io/docs: |
From 70fb13f203222e0efaaed97a3e50830f02e17862 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Mon, 7 Nov 2022 08:27:06 -0800
Subject: [PATCH 1268/1479] Update Helm docs
---
services/telegraf-ds/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md
index 58ecb92182..1f2eea3c52 100644
--- a/services/telegraf-ds/README.md
+++ b/services/telegraf-ds/README.md
@@ -13,7 +13,7 @@ Kubernetes node telemetry collection service
| Repository | Name | Version |
|------------|------|---------|
-| https://helm.influxdata.com/ | telegraf-ds | 1.1.4 |
+| https://helm.influxdata.com/ | telegraf-ds | 1.1.5 |
## Values
From ffef3ef948582c4377e74a4e7767a396078cfc0f Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 7 Nov 2022 16:34:43 +0000
Subject: [PATCH 1269/1479] Update Helm release telegraf to v1.8.23
---
services/telegraf/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml
index 355aa11cb2..1cd9a4e30b 100644
--- a/services/telegraf/Chart.yaml
+++ b/services/telegraf/Chart.yaml
@@ -8,7 +8,7 @@ sources: - https://github.com/influxdata/helm-charts dependencies: - name: telegraf - version: 1.8.22 + version: 1.8.23 repository: https://helm.influxdata.com/ annotations: phalanx.lsst.io/docs: | From 4557c7a0cbf276d3a1ee4b7f706f3e94bbaf4021 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 7 Nov 2022 08:36:26 -0800 Subject: [PATCH 1270/1479] Update Helm docs --- services/telegraf/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf/README.md b/services/telegraf/README.md index 354c28a746..224c724374 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -13,7 +13,7 @@ Application telemetry collection service | Repository | Name | Version | |------------|------|---------| -| https://helm.influxdata.com/ | telegraf | 1.8.22 | +| https://helm.influxdata.com/ | telegraf | 1.8.23 | ## Values From 2cba9a836afc20613438d9f2fb6529d388ae2fff Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 7 Nov 2022 16:44:02 +0000 Subject: [PATCH 1271/1479] Update Helm release redis to v17.3.8 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 365d16a219..7712b4c1ba 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,7 +14,7 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.3.7 + version: 17.3.8 repository: https://charts.bitnami.com/bitnami annotations: diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index adb496b852..039c2643ac 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -12,7 +12,7 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.3.7 + version: 17.3.8 repository: https://charts.bitnami.com/bitnami annotations: 
From 20cbb3402ea01dba9a58fbd6ae4acf5a2026d16e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 7 Nov 2022 08:44:26 -0800 Subject: [PATCH 1272/1479] Update Helm docs --- services/noteburst/README.md | 2 +- services/times-square/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index adced70188..dd409fa0ca 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -12,7 +12,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.3.7 | +| https://charts.bitnami.com/bitnami | redis | 17.3.8 | ## Values diff --git a/services/times-square/README.md b/services/times-square/README.md index 544b73fddc..c483b47a1f 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -10,7 +10,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.3.7 | +| https://charts.bitnami.com/bitnami | redis | 17.3.8 | ## Values From 7ef3f5f9a56483ab50eb74c741f91009fab1be45 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 4 Nov 2022 14:03:30 -0700 Subject: [PATCH 1273/1479] Update Argo CD version in CI --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index df99cbbcac..ea657e9115 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -101,7 +101,7 @@ jobs: unzip /tmp/vault.zip sudo mv vault /usr/local/bin/vault sudo chmod +x /usr/local/bin/vault - sudo curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.3.3/argocd-linux-amd64 + sudo curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.5.1/argocd-linux-amd64 sudo chmod +x /usr/local/bin/argocd sudo apt-get install socat sudo pip install -r installer/requirements.txt From ffcc68a82fd510b077dd74eb5fc019f21aa2fede Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 4 Nov 2022 14:04:33 -0700 Subject: [PATCH 1274/1479] Update Vault version in CI --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ea657e9115..f6414c4c79 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -97,7 +97,7 @@ jobs: - name: Download installer dependencies if: steps.filter.outputs.minikube == 'true' run: | - curl -sSL -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_amd64.zip + curl -sSL -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.12.1/vault_1.12.1_linux_amd64.zip unzip /tmp/vault.zip sudo mv vault /usr/local/bin/vault sudo chmod +x /usr/local/bin/vault From 042c2547750876e391dec82f3a6c88accdac5a80 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 7 Nov 2022 14:16:43 -0700 Subject: [PATCH 1275/1479] Deploy bucketmapper only if influxdb2 is enabled --- services/sasquatch/templates/bucketmapper.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/services/sasquatch/templates/bucketmapper.yaml b/services/sasquatch/templates/bucketmapper.yaml index f94a3545c3..de676abaf0 100644 --- a/services/sasquatch/templates/bucketmapper.yaml +++ b/services/sasquatch/templates/bucketmapper.yaml @@ -1,3 +1,4 @@ +{{- if .Values.influxdb2.enabled }} apiVersion: batch/v1 kind: CronJob metadata: 
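Review bot: The new `curl -sSL -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.12.1/vault_1.12.1_linux_amd64.zip` line is followed by `unzip` and a `sudo mv` into `/usr/local/bin` with no integrity check, so whatever the release host (or anything able to redirect the request) serves is executed by this workflow. HashiCorp publishes a `vault_<version>_SHA256SUMS` file beside each release; pin the expected digest next to the version and verify before unzipping, e.g. `echo "${VAULT_SHA256}  /tmp/vault.zip" | sha256sum -c -` as the line after the download. The same applies to the `argocd-linux-amd64` download in the preceding hunk, whose releases ship a matching `.sha256` file. Keeping the digest in the workflow also means a Renovate-style version bump cannot silently change the binary without a reviewer updating the hash.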
@@ -36,4 +37,5 @@ spec: value: "http://sasquatch-influxdb2.sasquatch:80" - name: "DEBUG" value: "true" - command: [ "bucketmapper" ] \ No newline at end of file + command: [ "bucketmapper" ] +{{- end }} From dd9425ec801e9ac57ec5b9442652fc1fb3ab6946 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Mon, 7 Nov 2022 14:18:06 -0700 Subject: [PATCH 1276/1479] Deploy telegraf-kafka-consumer only if influxdb2 is enabled --- services/sasquatch/Chart.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index 5f792ef60e..a98392d95f 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -28,6 +28,7 @@ dependencies: - name: kafdrop version: 1.0.0 - name: telegraf-kafka-consumer + condition: influxdb2.enabled version: 1.0.0 annotations: From 4047c52048e588dcaf941ff5c6b1c190fcd4d4f9 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 14 Oct 2022 09:32:41 +0200 Subject: [PATCH 1277/1479] first try with keycloak --- services/gafaelfawr/values-ccin2p3.yaml | 119 +++++++++++++----------- 1 file changed, 63 insertions(+), 56 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index e8f6a9c3d7..18aa90a64e 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml 
@@ -15,63 +15,70 @@ config: github: clientId: ae314e45a6af43ea910a -# oidc: -# clientId: "lsst_rsp" -# loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" -# tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" -# issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" -# usernameClaim: "preferred_username" -# uidClaim: 'uid_number' -# isMemberOf: 'groups' - -# # oidcServer: -# # enabled: true +oidc: + clientId: "lsst_rsp" + loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" + tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" + # scopes: + # - "openid" + issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" + gidClaim: "gid_number" + uidClaim: "uid_number" + groupsClaim: "groups" + usernameClaim: "preferred_username" +oidcServer: + enabled: true +groupMapping: + "admin": + - "lsst" + "read:all": + - "lsst" # Allow access by GitHub team. 
- groupMapping: - "admin:provision": - - github: - organization: "rubin-in2p3" - team: "admin" - "exec:admin": - - github: - organization: "rubin-in2p3" - team: "admin" - "exec:notebook": - - github: - organization: "rubin-in2p3" - team: "admin" - - github: - organization: "rubin-in2p3" - team: "user" - "exec:portal": - - github: - organization: "rubin-in2p3" - team: "admin" - - github: - organization: "rubin-in2p3" - team: "user" - "read:tap": - - github: - organization: "rubin-in2p3" - team: "admin" - - github: - organization: "rubin-in2p3" - team: "user" - - github: - organization: "rubin-in2p3" - team: "delegates" - "read:image": - - github: - organization: "rubin-in2p3" - team: "admin" - - github: - organization: "rubin-in2p3" - team: "user" - - github: - organization: "rubin-in2p3" - team: "delegates" + # groupMapping: + # "admin:provision": + # - github: + # organization: "rubin-in2p3" + # team: "admin" + # "exec:admin": + # - github: + # organization: "rubin-in2p3" + # team: "admin" + # "exec:notebook": + # - github: + # organization: "rubin-in2p3" + # team: "admin" + # - github: + # organization: "rubin-in2p3" + # team: "user" + # "exec:portal": + # - github: + # organization: "rubin-in2p3" + # team: "admin" + # - github: + # organization: "rubin-in2p3" + # team: "user" + # "read:tap": + # - github: + # organization: "rubin-in2p3" + # team: "admin" + # - github: + # organization: "rubin-in2p3" + # team: "user" + # - github: + # organization: "rubin-in2p3" + # team: "delegates" + # "read:image": + # - github: + # organization: "rubin-in2p3" + # team: "admin" + # - github: + # organization: "rubin-in2p3" + # team: "user" + # - github: + # organization: "rubin-in2p3" + # team: "delegates" initialAdmins: - # - "mainetti" - - "gabrimaine" + - "mainetti" + #- "gabrimaine" From 4ace7c470ed9d29d859505b549bfc76a2ec2feba Mon Sep 17 00:00:00 2001 
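Review bot: The added `oidc:`, `oidcServer:` and `groupMapping:` blocks start at column 0 while the neighbouring keys (`github:` above, the context line `initialAdmins:` below) are indented under `config:`, so Helm will presumably read them as unrelated top-level values and the chart will keep using `config.github` with no `config.groupMapping` at all; indent them two spaces so they become `config.oidc` etc. (a later commit in this series does exactly that). The scope name `"admin"` does not follow the `name:action` form of every other scope in this file (`admin:provision`, `exec:admin`, `read:all`) — confirm it is a scope Gafaelfawr recognises, otherwise the `lsst` group gets nothing from that entry. `oidcServer.enabled: true` turns Gafaelfawr into an OpenID Connect provider for other applications, which presumably needs its own client configuration for this environment; unless that is in place, leave it `false` (it is switched back a few commits later). The enclosing `config:` mapping starts above the hunk.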
From: Gabriele Mainetti Date: Fri, 14 Oct 2022 09:39:45 +0200 Subject: [PATCH 1278/1479] fix initialAdmins --- services/gafaelfawr/values-ccin2p3.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 18aa90a64e..968c90f84a 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -29,6 +29,10 @@ oidc: oidcServer: enabled: true + +initialAdmins: + - "mainetti" + groupMapping: "admin": - "lsst" @@ -79,6 +83,6 @@ groupMapping: # organization: "rubin-in2p3" # team: "delegates" - initialAdmins: - - "mainetti" - #- "gabrimaine" + # initialAdmins: + # - "mainetti" + # #- "gabrimaine" From f086da86d995c551320110482fd3ba9441b33750 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 14 Oct 2022 09:42:51 +0200 Subject: [PATCH 1279/1479] removed github config --- services/gafaelfawr/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 968c90f84a..6d80bfc369 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -12,8 +12,8 @@ config: issuer: exp_minutes: 43200 # 30 days - github: - clientId: ae314e45a6af43ea910a + # github: + # clientId: ae314e45a6af43ea910a oidc: clientId: "lsst_rsp" From 064a3e62888c25100e10bc9710b7c8290756c3bb Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 14 Oct 2022 09:46:15 +0200 Subject: [PATCH 1280/1479] fix tab --- services/gafaelfawr/values-ccin2p3.yaml | 40 ++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 6d80bfc369..33f1df55f7 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml 
@@ -15,29 +15,29 @@ config: # github: # clientId: ae314e45a6af43ea910a -oidc: - clientId: "lsst_rsp" - loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" - tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - # scopes: - # - "openid" - issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" - gidClaim: "gid_number" - uidClaim: "uid_number" - groupsClaim: "groups" - usernameClaim: "preferred_username" + oidc: + clientId: "lsst_rsp" + loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" + tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" + # scopes: + # - "openid" + issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" + gidClaim: "gid_number" + uidClaim: "uid_number" + groupsClaim: "groups" + usernameClaim: "preferred_username" -oidcServer: - enabled: true + oidcServer: + enabled: true -initialAdmins: - - "mainetti" + initialAdmins: + - "mainetti" -groupMapping: - "admin": - - "lsst" - "read:all": - - "lsst" + groupMapping: + "admin": + - "lsst" + "read:all": + - "lsst" # Allow access by GitHub team. # groupMapping: # "admin:provision": From 9fa9ca59202c2c2941202e3524db2b699203cbde Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 14 Oct 2022 09:49:06 +0200 Subject: [PATCH 1281/1479] remove server --- services/gafaelfawr/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 33f1df55f7..24a26c8a2f 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -28,7 +28,7 @@ config: usernameClaim: "preferred_username" oidcServer: - enabled: true + enabled: false initialAdmins: - "mainetti" From e2214e4de4692f1196da826425756723bc7b2cbc Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Fri, 14 Oct 2022 10:35:44 +0200 Subject: [PATCH 1282/1479] add scopes --- services/gafaelfawr/values-ccin2p3.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 24a26c8a2f..0b26d65000 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -38,6 +38,15 @@ config: - "lsst" "read:all": - "lsst" + "exec:notebook": + - "lsst" + "exec:portal": + - "lsst" + "read:tap": + - "lsst" + "read:image" + - "lsst" + # Allow access by GitHub team. # groupMapping: # "admin:provision": From 6938bc15a31debe0f3e1c7bbe0feb2a9189ef70b Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 14 Oct 2022 10:37:36 +0200 Subject: [PATCH 1283/1479] fix typo --- services/gafaelfawr/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 0b26d65000..b84d51a440 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -44,9 +44,9 @@ config: - "lsst" "read:tap": - "lsst" - "read:image" + "read:image": - "lsst" - + # Allow access by GitHub team. # groupMapping: # "admin:provision": From 192caf14023669018475d2b55f776cb6043b7056 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 14 Oct 2022 11:50:57 +0200 Subject: [PATCH 1284/1479] add admin provision --- services/gafaelfawr/values-ccin2p3.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index b84d51a440..c122efa928 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -34,6 +34,8 @@ config: - "mainetti" groupMapping: + "admin:provision": + - "lsst" "admin": - "lsst" "read:all": From 22f6c24056c22c7c6499203b246ca4ce17229d38 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Fri, 14 Oct 2022 15:50:08 +0200 Subject: [PATCH 1285/1479] trying a fix for nublado eror --- services/nublado2/values-ccin2p3.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 2608ff4a13..0edb0676c1 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -4,6 +4,9 @@ jupyterhub: hub: db: upgrade: true + image: + name: gabrimaine/nublado2 + tag: "2.6.0-dev" # hub: # resources: From 49766aaf6296fdade2f78411d2d78eaf958b70a0 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 17 Oct 2022 11:35:39 +0200 Subject: [PATCH 1286/1479] exec:admin fix --- services/gafaelfawr/values-ccin2p3.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index c122efa928..2551877745 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -34,10 +34,11 @@ config: - "mainetti" groupMapping: - "admin:provision": - - "lsst" - "admin": - - "lsst" + "exec:admin": "lsst" + # "admin:provision": + # - "lsst" + # "admin": + # - "lsst" "read:all": - "lsst" "exec:notebook": From 07bc0e49c55746a2832e010b77299190168573ce Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 17 Oct 2022 11:41:06 +0200 Subject: [PATCH 1287/1479] add token scopes --- services/gafaelfawr/values-ccin2p3.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 2551877745..6540ce348c 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml 
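Review bot: The hub image is switched to `gabrimaine/nublado2` with the mutable tag `"2.6.0-dev"` from a personal Docker Hub namespace, so whoever controls that account (or re-pushes that tag) decides what runs as the JupyterHub hub — the component that authenticates users and spawns their pods — on the next pull. If a patched hub is needed to debug the error the title mentions, pin an immutable tag or digest that the chart supports and add a comment naming the upstream fix it carries so the override can be removed, e.g. `# Temporary: carries fix for <issue>; drop once released upstream`. The enclosing `jupyterhub.hub:` mapping starts above the hunk; the override is commented out again later in the series, which suggests it should not have been committed to the environment's values at all.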
@@ -32,13 +32,10 @@ config: initialAdmins: - "mainetti" - groupMapping: + "admin:token": "lsst" + "user:token": "lsst" "exec:admin": "lsst" - # "admin:provision": - # - "lsst" - # "admin": - # - "lsst" "read:all": - "lsst" "exec:notebook": From f7534fccde53c3b12fc46024e70aa435476fb5f4 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 19 Oct 2022 15:04:16 +0200 Subject: [PATCH 1288/1479] activate datalinker --- science-platform/values-ccin2p3.yaml | 2 +- services/datalinker/values-ccin2p3.yaml | 0 services/gafaelfawr/values-ccin2p3.yaml | 1 + 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 services/datalinker/values-ccin2p3.yaml diff --git a/science-platform/values-ccin2p3.yaml b/science-platform/values-ccin2p3.yaml index 5372185731..0dc2f088ea 100644 --- a/science-platform/values-ccin2p3.yaml +++ b/science-platform/values-ccin2p3.yaml @@ -9,7 +9,7 @@ cachemachine: cert_manager: enabled: true datalinker: - enabled: false + enabled: true exposurelog: enabled: false gafaelfawr: diff --git a/services/datalinker/values-ccin2p3.yaml b/services/datalinker/values-ccin2p3.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 6540ce348c..fafe4ee560 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -32,6 +32,7 @@ config: initialAdmins: - "mainetti" + groupMapping: "admin:token": "lsst" "user:token": "lsst" From 340997bb179fe60787116a7e797cf497f1392a1f Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 26 Oct 2022 11:44:48 +0200 Subject: [PATCH 1289/1479] trying HOME --- services/nublado2/values-ccin2p3.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 0edb0676c1..a427a7e29f 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml 
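Review bot: `"admin:token": "lsst"` gives every member of the general `lsst` group — the same group this block maps to `read:all`, `exec:notebook` and `read:tap` — the token-administration scope, so any ordinary user could presumably create or manage tokens on behalf of any other user; map `admin:token` (and the context `exec:admin`) to a small administrators group, distinct from the group used for everyday access, and keep `user:token` on `lsst`. The new entries are also plain scalars while the other mappings in this block are lists (`"read:all":` followed by `- "lsst"`); write them the same way, `"admin:token":` / `- "<admin-group>"` and `"user:token":` / `- "lsst"`, so the chart sees one consistent type. The enclosing `config:` mapping starts above the hunk.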
@@ -37,7 +37,8 @@ config: # type: Directory - name: home hostPath: - path: /data/rsp/home + #path: /data/rsp/home + path: /pbs/home # type: Directory volume_mounts: From 21ac282129c5ffa41d23bd029999d7abf3e7b26e Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 26 Oct 2022 11:52:07 +0200 Subject: [PATCH 1290/1479] pass to official image and try with home --- services/nublado2/values-ccin2p3.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index a427a7e29f..9f0117c259 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -4,9 +4,9 @@ jupyterhub: hub: db: upgrade: true - image: - name: gabrimaine/nublado2 - tag: "2.6.0-dev" + # image: + # name: gabrimaine/nublado2 + # tag: "2.6.0-dev" # hub: # resources: @@ -38,7 +38,7 @@ config: - name: home hostPath: #path: /data/rsp/home - path: /pbs/home + path: /pbs/home/m # type: Directory volume_mounts: From e1a265a78dc8afa1653930823dd88c3ff2849612 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 26 Oct 2022 11:59:28 +0200 Subject: [PATCH 1291/1479] reverting home --- services/nublado2/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 9f0117c259..937a743891 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -37,8 +37,8 @@ config: # type: Directory - name: home hostPath: - #path: /data/rsp/home - path: /pbs/home/m + path: /data/rsp/home + #path: /pbs/home/m # type: Directory volume_mounts: From e9c434a00baf6c8ef29ea7e844298c5c48a6c63d Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Wed, 26 Oct 2022 16:03:14 +0200 Subject: [PATCH 1292/1479] home --- services/moneypenny/values-ccin2p3.yaml | 2 +- services/nublado2/values-ccin2p3.yaml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index e653e165c2..78f745db78 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -11,5 +11,5 @@ orders: volumes: - name: homedirs hostPath: - path: /data/rsp/home + path: /pbs/home type: Directory diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 937a743891..ecc29352ad 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -37,7 +37,8 @@ config: # type: Directory - name: home hostPath: - path: /data/rsp/home + path: /pbs/home/ + #path: /data/rsp/home #path: /pbs/home/m # type: Directory From 4eb8e7d213f4d9d0064d43bc1867f842cd4b7b18 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 26 Oct 2022 16:19:33 +0200 Subject: [PATCH 1293/1479] moneypenny fix --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 78f745db78..e653e165c2 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -11,5 +11,5 @@ orders: volumes: - name: homedirs hostPath: - path: /pbs/home + path: /data/rsp/home type: Directory From 11a654c2e6e6071c369a349f292e818d6dcc29b7 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 26 Oct 2022 16:38:38 +0200 Subject: [PATCH 1294/1479] add subdir --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index ecc29352ad..75e8aed698 100644 
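Review bot: `path: /pbs/home/` mounts the parent of every user's home directory from the node into each user's lab pod through a hostPath volume, so separation between users rests entirely on the POSIX ownership of the subdirectories and on the pod having no root privileges; a per-user path or `subPath` (which later commits in this series try) would at least limit what each pod can see. `# type: Directory` remains commented out, so Kubernetes performs no existence check and a node where `/pbs/home` is not mounted would presumably get an empty directory rather than a failed pod — restore `type: Directory`. The trailing slash and the two commented-out alternatives are leftovers from experimentation; drop them once the path is settled. The enclosing `volumes:` list starts above the hunk.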
--- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -37,7 +37,7 @@ config: # type: Directory - name: home hostPath: - path: /pbs/home/ + path: /pbs/home/m #path: /data/rsp/home #path: /pbs/home/m # type: Directory From 439e3f15a9d00d1bf4b10e5e4721b5b141340298 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 10:49:55 +0200 Subject: [PATCH 1295/1479] try subpath --- services/nublado2/values-ccin2p3.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 75e8aed698..f5f577b569 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -37,7 +37,7 @@ config: # type: Directory - name: home hostPath: - path: /pbs/home/m + path: /pbs/home #path: /data/rsp/home #path: /pbs/home/m # type: Directory @@ -47,3 +47,4 @@ config: mountPath: /data - name: home mountPath: /home + subPath: "{{user[0]}}/{{user}}" From 5c2e1293ac47dc13884b671db801587859fd85c4 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:13:22 +0200 Subject: [PATCH 1296/1479] home again --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index f5f577b569..edbc2a711c 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -47,4 +47,4 @@ config: mountPath: /data - name: home mountPath: /home - subPath: "{{user[0]}}/{{user}}" + subPath: "{{ $user[1] }}/{{ $user }}" From ce48b025c53fd6f7dc7a837b99656a9c4fd10a78 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:17:31 +0200 Subject: [PATCH 1297/1479] home --- services/nublado2/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index edbc2a711c..aaee05a8ee 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -46,5 +46,5 @@ config: - name: data mountPath: /data - name: home - mountPath: /home - subPath: "{{ $user[1] }}/{{ $user }}" + mountPath: /home/{{ $user[1] }}/{{ $user }} + #subPath: "{{ $user[1] }}/{{ $user }}" From 6859ba3c7f7ba18d17398921ae38610b28f16703 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:24:15 +0200 Subject: [PATCH 1298/1479] home again --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index aaee05a8ee..3882be4577 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -46,5 +46,5 @@ config: - name: data mountPath: /data - name: home - mountPath: /home/{{ $user[1] }}/{{ $user }} + mountPath: /home/"{{ $user[1] }}/{{ $user }}"" #subPath: "{{ $user[1] }}/{{ $user }}" From c300fb94f76d9759836b532aa61e2fe148790e43 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:27:30 +0200 Subject: [PATCH 1299/1479] again home --- services/nublado2/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 3882be4577..69fe9efb8e 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -37,7 +37,7 @@ config: # type: Directory - name: home hostPath: - path: /pbs/home + path: /pbs/home"{{ $user[1] }}" #path: /data/rsp/home #path: /pbs/home/m # type: Directory @@ -46,5 +46,5 @@ config: - name: data mountPath: /data - name: home - mountPath: /home/"{{ $user[1] }}/{{ $user }}"" + mountPath: /home/"{{ $user[1] }}/{{ $user }}" #subPath: "{{ $user[1] }}/{{ $user }}" 
From 71344be50664e082422d8fbc54054b286d884829 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:34:34 +0200 Subject: [PATCH 1300/1479] again and again home --- services/nublado2/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 69fe9efb8e..3e83e1b7bd 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -37,7 +37,7 @@ config: # type: Directory - name: home hostPath: - path: /pbs/home"{{ $user[1] }}" + path: /pbs/home"{{ user[1] }}" #path: /data/rsp/home #path: /pbs/home/m # type: Directory @@ -46,5 +46,5 @@ config: - name: data mountPath: /data - name: home - mountPath: /home/"{{ $user[1] }}/{{ $user }}" + mountPath: /home/"{{ user[1] }}/{{ user }}" #subPath: "{{ $user[1] }}/{{ $user }}" From d926753a8a8ba8a17657d8ca45d0266d4880bf0c Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:38:25 +0200 Subject: [PATCH 1301/1479] and again --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 3e83e1b7bd..726167172b 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -37,7 +37,7 @@ config: # type: Directory - name: home hostPath: - path: /pbs/home"{{ user[1] }}" + path: /pbs/home/"{{ user[1] }}" #path: /data/rsp/home #path: /pbs/home/m # type: Directory From d115a683b737c5b032f7eeea194681477c0abdee Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:40:33 +0200 Subject: [PATCH 1302/1479] home always --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 726167172b..f191a3b0b8 100644 
--- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -37,7 +37,7 @@ config: # type: Directory - name: home hostPath: - path: /pbs/home/"{{ user[1] }}" + path: /pbs/home #path: /data/rsp/home #path: /pbs/home/m # type: Directory From 878778b9104d1da7512bbb4359a82391261d02ef Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:45:39 +0200 Subject: [PATCH 1303/1479] home with subpath --- services/nublado2/values-ccin2p3.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index f191a3b0b8..6fc55e6c67 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -38,6 +38,7 @@ config: - name: home hostPath: path: /pbs/home + subPath: "{{ user[1] }}" #path: /data/rsp/home #path: /pbs/home/m # type: Directory From 53c317d82a2727198dd3c5cced7dd5aed9631ca6 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:53:38 +0200 Subject: [PATCH 1304/1479] home? yes --- services/nublado2/values-ccin2p3.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 6fc55e6c67..9646b52ca9 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -38,7 +38,6 @@ config: - name: home hostPath: path: /pbs/home - subPath: "{{ user[1] }}" #path: /data/rsp/home #path: /pbs/home/m # type: Directory @@ -47,5 +46,5 @@ config: - name: data mountPath: /data - name: home - mountPath: /home/"{{ user[1] }}/{{ user }}" + mountPath: /home/{{ user[1] }}/{{ user }} #subPath: "{{ $user[1] }}/{{ $user }}" From 20c39c07a6b221f64f48493663086a5c65bbe4b1 Mon Sep 17 00:00:00 2001 
From: Gabriele Mainetti Date: Thu, 27 Oct 2022 11:57:43 +0200 Subject: [PATCH 1305/1479] home again --- services/nublado2/values-ccin2p3.yaml | 164 +++++++++++++++++++++++++- 1 file changed, 163 insertions(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 9646b52ca9..ed5ac30507 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml 
@@ -46,5 +46,167 @@ config: - name: data mountPath: /data - name: home - mountPath: /home/{{ user[1] }}/{{ user }} + mountPath: /home + + user_resources_template: | + - apiVersion: v1 + kind: Namespace + metadata: + name: "{{ user_namespace }}" + - apiVersion: v1 + kind: ConfigMap + metadata: + name: group + namespace: "{{ user_namespace }}" + data: + group: | + root:x:0: + bin:x:1: + daemon:x:2: + sys:x:3: + adm:x:4: + tty:x:5: + disk:x:6: + lp:x:7: + mem:x:8: + kmem:x:9: + wheel:x:10: + cdrom:x:11: + mail:x:12: + man:x:15: + dialout:x:18: + floppy:x:19: + games:x:20: + tape:x:33: + video:x:39: + ftp:x:50: + lock:x:54: + audio:x:63: + nobody:x:99: + users:x:100: + utmp:x:22: + utempter:x:35: + input:x:999: + systemd-journal:x:190: + systemd-network:x:192: + dbus:x:81: + ssh_keys:x:998: + lsst_lcl:x:1000:{{ user }} + tss:x:59: + cgred:x:997: + screen:x:84: + jovyan:x:768:{{ user }}{% for g in groups %} + {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} + - apiVersion: v1 + kind: ConfigMap + metadata: + name: passwd + namespace: "{{ user_namespace }}" + data: + passwd: | + root:x:0:0:root:/root:/bin/bash + bin:x:1:1:bin:/bin:/sbin/nologin + daemon:x:2:2:daemon:/sbin:/sbin/nologin + adm:x:3:4:adm:/var/adm:/sbin/nologin + lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin + sync:x:5:0:sync:/sbin:/bin/sync + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + halt:x:7:0:halt:/sbin:/sbin/halt + mail:x:8:12:mail:/var/spool/mail:/sbin/nologin + operator:x:11:0:operator:/root:/sbin/nologin + games:x:12:100:games:/usr/games:/sbin/nologin + ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin + nobody:x:99:99:Nobody:/:/sbin/nologin + systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin + dbus:x:81:81:System message bus:/:/sbin/nologin + lsst_lcl:x:1000:1000::/home/{{ user[0]}}/lsst_lcl:/bin/bash + tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home//{{ 
user[0]}}/{{ user }}:/bin/bash + - apiVersion: v1 + kind: ConfigMap + metadata: + name: dask + namespace: "{{ user_namespace }}" + data: + dask_worker.yml: | + {{ dask_yaml | indent(6) }} + # When we break out the resources we should make this per-instance + # configurable. + - apiVersion: v1 + kind: ConfigMap + metadata: + name: idds-config + namespace: "{{ user_namespace }}" + data: + idds_cfg.client.template: | + # Licensed under the Apache License, Version 2.0 (the "License"); + # You may not use this file except in compliance with the License. + # You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 + # + # Authors: + # - Wen Guan, , 2020 + [common] + # if logdir is configured, idds will write to idds.log in this directory. + # else idds will go to stdout/stderr. + # With supervisord, it's good to write to stdout/stderr, then supervisord can manage and rotate logs. + # logdir = /var/log/idds + loglevel = INFO + [rest] + host = https://iddsserver.cern.ch:443/idds + #url_prefix = /idds + #cacher_dir = /tmp + cacher_dir = /data/idds + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "{{ user }}-serviceaccount" + namespace: "{{ user_namespace }}" + imagePullSecrets: + - name: pull-secret + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "{{ user }}-role" + namespace: "{{ user_namespace }}" + rules: + # cf https://kubernetes.dask.org/en/latest/kubecluster.html + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list"] + - apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "{{ user }}-rolebinding" + namespace: "{{ user_namespace }}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ user }}-role" + subjects: + - 
kind: ServiceAccount + name: "{{ user }}-serviceaccount" + namespace: "{{ user_namespace }}" + - apiVersion: ricoberger.de/v1alpha1 + kind: VaultSecret + metadata: + name: butler-secret + namespace: "{{ user_namespace }}" + spec: + path: "{{ butler_secret_path }}" + type: Opaque + - apiVersion: ricoberger.de/v1alpha1 + kind: VaultSecret + metadata: + name: pull-secret + namespace: "{{ user_namespace }}" + spec: + path: "{{ pull_secret_path }}" + type: kubernetes.io/dockerconfigjson + #subPath: "{{ $user[1] }}/{{ $user }}" From fbb554fa88f1df262e95350d5a668c7024b24475 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 12:15:35 +0200 Subject: [PATCH 1306/1479] fix for home --- services/nublado2/values-ccin2p3.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index ed5ac30507..4b31156b8c 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -47,7 +47,7 @@ config: mountPath: /data - name: home mountPath: /home - + user_resources_template: | - apiVersion: v1 kind: Namespace @@ -119,9 +119,9 @@ config: nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin - lsst_lcl:x:1000:1000::/home/{{ user[0]}}/lsst_lcl:/bin/bash + lsst_lcl:x:1000:1000::/home/{{ user[0] }}/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home//{{ user[0]}}/{{ user }}:/bin/bash + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user[0] }}/{{ user }}:/bin/bash - apiVersion: v1 kind: ConfigMap metadata: 
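Review bot: The `{{ user }}-role` Role gives the per-user ServiceAccount create/delete on pods and services in `{{ user_namespace }}`, but nothing in this template constrains what those pods may request (no Pod Security admission labels on the generated Namespace, no quota), so the safety of the per-user namespace depends entirely on cluster-wide admission policy that is not visible here — worth confirming, since this same file mounts the host's `/pbs/home` by hostPath and the template is the only thing creating the namespace. A `pod-security.kubernetes.io/enforce: "baseline"` label under the Namespace `metadata:` would be the usual guard, with the caveat that the lab pod's own hostPath mount would then need an exemption or a narrower policy. Separately, the mount is now the whole of `/pbs/home` at `/home` while the passwd ConfigMap points each user at `/home//{{ user[0]}}/{{ user }}` (double slash and missing space, fixed in patch 1306), so every user's directory is visible to every lab pod and only host permissions separate them; a comment above `volume_mounts` stating that this is intentional and relied upon would help the next reader.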
@@ -207,6 +207,4 @@ config: namespace: "{{ user_namespace }}" spec: path: "{{ pull_secret_path }}" - type: kubernetes.io/dockerconfigjson - - #subPath: "{{ $user[1] }}/{{ $user }}" + type: kubernetes.io/dockerconfigjson \ No newline at end of file From 784a0e6e06c39e520a46a2230ec3d1962a65cf66 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 14:35:31 +0200 Subject: [PATCH 1307/1479] set home rsp not as standard home --- services/nublado2/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 4b31156b8c..c6597de7e8 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -119,9 +119,9 @@ config: nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin - lsst_lcl:x:1000:1000::/home/{{ user[0] }}/lsst_lcl:/bin/bash + lsst_lcl:x:1000:1000::/home/{{ user[0] }}/{{ user }}/rsp_home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user[0] }}/{{ user }}:/bin/bash + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash - apiVersion: v1 kind: ConfigMap metadata: From c7f3c9a96c63604804ffe5c297832cc021e55123 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 15:04:16 +0200 Subject: [PATCH 1308/1479] removed data volume --- services/nublado2/values-ccin2p3.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index c6597de7e8..f9cf6e4988 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml 
@@ -31,9 +31,9 @@ config: - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended name: Recommended volumes: - - name: data - hostPath: - path: /data/rsp/nublado2 + # - name: data + # hostPath: + # path: /data/rsp/nublado2 # type: Directory - name: home hostPath: @@ -43,8 +43,8 @@ config: # type: Directory volume_mounts: - - name: data - mountPath: /data + # - name: data + # mountPath: /data - name: home mountPath: /home From c3a57b5992d47986b9233462bc3640a423d08103 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 27 Oct 2022 15:44:51 +0200 Subject: [PATCH 1309/1479] add nginx timeout --- services/nublado2/values-ccin2p3.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index f9cf6e4988..656d669fcd 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -4,6 +4,13 @@ jupyterhub: hub: db: upgrade: true + cull: + enabled: true + users: false + removeNamedServers: false + timeout: 432000 + every: 300 + maxAge: 2160000 # image: # name: gabrimaine/nublado2 # tag: "2.6.0-dev" @@ -18,6 +25,10 @@ jupyterhub: annotations: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "30s" + nginx.ingress.kubernetes.io/proxy-read-timeout: "20s" + nginx.ingress.kubernetes.io/client-max-body-size: "50m" + nginx.ingress.kubernetes.io/proxy-body-size: "50m" config: base_url: "https://data-dev.lsst.eu" 
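Review bot: The new `proxy-connect-timeout: "30s"` and `proxy-read-timeout: "20s"` annotations carry a unit suffix, whereas ingress-nginx documents these timeouts as bare second counts (`"30"`, `"20"`); a non-numeric value is likely to fail the controller's annotation parsing and fall back to the default, so check the controller log after applying, and the same form is kept when the values become `"50s"` in patch 1312 (L2938). `nginx.ingress.kubernetes.io/client-max-body-size` also does not look like an ingress-nginx annotation — `proxy-body-size` on the next line is what maps to nginx's `client_max_body_size` — so that line appears to be a no-op; verify against the controller version in use and drop it if so. In the `cull:` hunk above, a comment such as `# 432000s = 5 days idle before a server is culled; maxAge 2160000s = 25 days` would save the next reader the arithmetic.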
@@ -27,6 +38,12 @@ config: AUTO_REPO_URLS: "https://github.com/lsst-sqre/system-test" AUTO_REPO_BRANCH: "prod" AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod" + NO_ACTIVITY_TIMEOUT: "432000" + CULL_KERNEL_IDLE_TIMEOUT: "432000" + CULL_KERNEL_CONNECTED: "True" + CULL_KERNEL_INTERVAL: "300" + CULL_TERMINAL_INACTIVE_TIMEOUT: "432000" + CULL_TERMINAL_INTERVAL: "300" pinned_images: - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended name: Recommended From edbbc3aa67a90241170ead10bde8e12ad8a061f3 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 2 Nov 2022 17:29:35 +0100 Subject: [PATCH 1310/1479] try a fix for home problem --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 656d669fcd..fa3872bf92 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -63,7 +63,7 @@ config: # - name: data # mountPath: /data - name: home - mountPath: /home + mountPath: /pbs/home user_resources_template: | - apiVersion: v1 From ed2c2d71218b55d2c4f730f9d917014f28c9731f Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Wed, 2 Nov 2022 17:32:29 +0100 Subject: [PATCH 1311/1479] fix for home --- services/nublado2/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index fa3872bf92..f5140c54c2 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml 
@@ -136,9 +136,9 @@ config: nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin - lsst_lcl:x:1000:1000::/home/{{ user[0] }}/{{ user }}/rsp_home/lsst_lcl:/bin/bash + lsst_lcl:x:1000:1000::/pbs/home/{{ user[0] }}/{{ user }}/rsp_home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/pbs/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash - apiVersion: v1 kind: ConfigMap metadata: From 9dae301e8b2eb0d110c4ea78abf4b0d3997d263c Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Thu, 3 Nov 2022 10:28:36 +0100 Subject: [PATCH 1312/1479] working on HOME --- services/nublado2/values-ccin2p3.yaml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index f5140c54c2..4bd59c9d18 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -25,8 +25,8 @@ jupyterhub: annotations: nginx.ingress.kubernetes.io/auth-signin: "https://data-dev.lsst.eu/login" nginx.ingress.kubernetes.io/auth-url: "https://data-dev.lsst.eu/auth?scope=exec:notebook¬ebook=true" - nginx.ingress.kubernetes.io/proxy-connect-timeout: "30s" - nginx.ingress.kubernetes.io/proxy-read-timeout: "20s" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "50s" + nginx.ingress.kubernetes.io/proxy-read-timeout: "50s" nginx.ingress.kubernetes.io/client-max-body-size: "50m" nginx.ingress.kubernetes.io/proxy-body-size: "50m" 
@@ -48,10 +48,10 @@ config: - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended name: Recommended volumes: - # - name: data - # hostPath: - # path: /data/rsp/nublado2 - # type: Directory + - name: data + hostPath: + path: /data/rsp/nublado2 + type: Directory - name: home hostPath: path: /pbs/home @@ -60,8 +60,8 @@ config: # type: Directory volume_mounts: - # - name: data - # mountPath: /data + - name: data + mountPath: /data - name: home mountPath: /pbs/home @@ -136,7 +136,6 @@ config: nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin - lsst_lcl:x:1000:1000::/pbs/home/{{ user[0] }}/{{ user }}/rsp_home/lsst_lcl:/bin/bash tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/pbs/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash - apiVersion: v1 From 045e60c9ec46bf7c77f84e4e73a1b5a460e35070 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 4 Nov 2022 13:43:22 +0100 Subject: [PATCH 1313/1479] try to fix HOME --- services/moneypenny/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index e653e165c2..184313dcce 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -11,5 +11,5 @@ orders: volumes: - name: homedirs hostPath: - path: /data/rsp/home - type: Directory + path: /pbs/home +# type: Directory From b8f51649d5e939fa823f8f28af07ed83742c0b27 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 4 Nov 2022 13:50:09 +0100 Subject: [PATCH 1314/1479] moneypenny per home --- services/moneypenny/values-ccin2p3.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
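Review bot: The re-enabled `data` volume now carries `type: Directory`, but the `home` hostPath directly below it still has none (its `# type: Directory` stays commented out, and the cleanup in patch 1322 at L2944 deletes the comment rather than enabling it), so `/pbs/home` is mounted without the existence check the other volume gets. Add `type: Directory` under the home `hostPath:` so both volumes fail fast on a misconfigured node. The `@@ -136` hunk of this same patch drops `lsst_lcl` from the passwd ConfigMap while the group ConfigMap introduced in patch 1305 still lists `lsst_lcl:x:1000:{{ user }}`; I cannot tell from this hunk whether that group entry is still intended, so a comment either way would help.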
diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 184313dcce..53ecb853ca 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -5,11 +5,11 @@ orders: securityContext: runAsUser: 0 runAsNonRootUser: false - volumeMounts: - - mountPath: /homedirs - name: homedirs - volumes: - - name: homedirs - hostPath: - path: /pbs/home + # volumeMounts: + # - mountPath: /homedirs + # name: homedirs + # volumes: + # - name: homedirs + # hostPath: + # path: /pbs/home # type: Directory From 57809aa8f3caa4ee6ac47242293b9308356d35a2 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 4 Nov 2022 14:28:39 +0100 Subject: [PATCH 1315/1479] moneypenny --- services/moneypenny/values-ccin2p3.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 53ecb853ca..87288cf916 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -5,9 +5,9 @@ orders: securityContext: runAsUser: 0 runAsNonRootUser: false - # volumeMounts: - # - mountPath: /homedirs - # name: homedirs + volumeMounts: + - mountPath: /homedirs + name: homedirs # volumes: # - name: homedirs # hostPath: From 203b393ee1da9537b31e9c57e70f6e88861e7de1 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 4 Nov 2022 14:35:26 +0100 Subject: [PATCH 1316/1479] retry with pbs --- services/moneypenny/values-ccin2p3.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 87288cf916..78f745db78 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml 
@@ -8,8 +8,8 @@ orders: volumeMounts: - mountPath: /homedirs name: homedirs - # volumes: - # - name: homedirs - # hostPath: - # path: /pbs/home -# type: Directory + volumes: + - name: homedirs + hostPath: + path: /pbs/home + type: Directory From 7c80bc49dd6553ab3662da2b24f1be580de71629 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Fri, 4 Nov 2022 16:48:33 +0100 Subject: [PATCH 1317/1479] set homedirs to localdata --- services/moneypenny/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/moneypenny/values-ccin2p3.yaml b/services/moneypenny/values-ccin2p3.yaml index 78f745db78..e653e165c2 100644 --- a/services/moneypenny/values-ccin2p3.yaml +++ b/services/moneypenny/values-ccin2p3.yaml @@ -11,5 +11,5 @@ orders: volumes: - name: homedirs hostPath: - path: /pbs/home + path: /data/rsp/home type: Directory From c709981c566b330619589b3048f8dd3906eddd4c Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 7 Nov 2022 14:04:44 +0100 Subject: [PATCH 1318/1479] move to /home on container --- services/nublado2/values-ccin2p3.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 4bd59c9d18..fa12e42fe2 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -63,7 +63,7 @@ config: - name: data mountPath: /data - name: home - mountPath: /pbs/home + mountPath: /home user_resources_template: | - apiVersion: v1 
@@ -137,7 +137,7 @@ config: systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/pbs/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash - apiVersion: v1 kind: ConfigMap metadata: @@ -223,4 +223,4 @@ config: namespace: "{{ user_namespace }}" spec: path: "{{ pull_secret_path }}" - type: kubernetes.io/dockerconfigjson \ No newline at end of file + type: kubernetes.io/dockerconfigjson From 954b1775498126178ae847d0a2ba8c8580077b0e Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 7 Nov 2022 16:45:02 +0100 Subject: [PATCH 1319/1479] add gid --- services/nublado2/values-ccin2p3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index fa12e42fe2..84840028c5 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -113,7 +113,7 @@ config: cgred:x:997: screen:x:84: jovyan:x:768:{{ user }}{% for g in groups %} - {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} + ccin2p3:x:102 - apiVersion: v1 kind: ConfigMap metadata: From 59b7a8b826b59d631b6115b024ed56a261e6b64e Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 7 Nov 2022 16:52:17 +0100 Subject: [PATCH 1320/1479] add gid --- services/nublado2/values-ccin2p3.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 84840028c5..980d345ea4 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml 
@@ -112,8 +112,9 @@ config: tss:x:59: cgred:x:997: screen:x:84: + ccin2p3:x:102: jovyan:x:768:{{ user }}{% for g in groups %} - ccin2p3:x:102 + {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 kind: ConfigMap metadata: @@ -137,7 +138,7 @@ config: systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/pbs/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash - apiVersion: v1 kind: ConfigMap metadata: From 985dc21d7cec3d54f8c67fb199dc2daed0e4292e Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Mon, 7 Nov 2022 17:02:28 +0100 Subject: [PATCH 1321/1479] fix home and gid --- services/nublado2/values-ccin2p3.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 980d345ea4..ec955b5845 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -112,7 +112,7 @@ config: tss:x:59: cgred:x:997: screen:x:84: - ccin2p3:x:102: + ccin2p3:x:102:{{ user }} jovyan:x:768:{{ user }}{% for g in groups %} {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 @@ -138,7 +138,7 @@ config: systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin - {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/pbs/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash + {{ user }}:x:{{ uid }}:{{ gid if gid else uid }}::/home/{{ user[0] }}/{{ user }}/rsp_home:/bin/bash - apiVersion: v1 kind: ConfigMap metadata: 
From 2bd8156034ce42ce524419a541d4670ef4eb3f08 Mon Sep 17 00:00:00 2001 From: Gabriele Mainetti Date: Tue, 8 Nov 2022 11:17:25 +0100 Subject: [PATCH 1322/1479] fix home --- services/nublado2/values-ccin2p3.yaml | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index ec955b5845..44e2250e6d 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -11,15 +11,7 @@ jupyterhub: timeout: 432000 every: 300 maxAge: 2160000 - # image: - # name: gabrimaine/nublado2 - # tag: "2.6.0-dev" - # hub: - # resources: - # requests: - # cpu: "2" - # memory: 3Gi ingress: hosts: ["data-dev.lsst.eu"] annotations: @@ -48,20 +40,11 @@ config: - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended name: Recommended volumes: - - name: data - hostPath: - path: /data/rsp/nublado2 - type: Directory - name: home hostPath: path: /pbs/home - #path: /data/rsp/home - #path: /pbs/home/m - # type: Directory volume_mounts: - - name: data - mountPath: /data - name: home mountPath: /home @@ -112,7 +95,6 @@ config: tss:x:59: cgred:x:997: screen:x:84: - ccin2p3:x:102:{{ user }} jovyan:x:768:{{ user }}{% for g in groups %} {{ g.name }}:x:{{ g.id }}:{{ user if g.id != gid else "" }}{% endfor %} - apiVersion: v1 From b0c095f292a02387db88fe25248991429a62bb34 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 8 Nov 2022 09:56:34 -0800 Subject: [PATCH 1323/1479] Apply linting changes --- services/gafaelfawr/values-ccin2p3.yaml | 6 +++--- services/nublado2/values-ccin2p3.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index fafe4ee560..3d1fcf3066 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml 
@@ -19,7 +19,7 @@ config: clientId: "lsst_rsp" loginUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/auth" tokenUrl: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr/protocol/openid-connect/token" - # scopes: + # scopes: # - "openid" issuer: "https://login.cc.in2p3.fr/auth/realms/cc.in2p3.fr" gidClaim: "gid_number" @@ -31,8 +31,8 @@ config: enabled: false initialAdmins: - - "mainetti" - + - "mainetti" + groupMapping: "admin:token": "lsst" "user:token": "lsst" diff --git a/services/nublado2/values-ccin2p3.yaml b/services/nublado2/values-ccin2p3.yaml index 44e2250e6d..33e2c594ba 100644 --- a/services/nublado2/values-ccin2p3.yaml +++ b/services/nublado2/values-ccin2p3.yaml @@ -47,7 +47,7 @@ config: volume_mounts: - name: home mountPath: /home - + user_resources_template: | - apiVersion: v1 kind: Namespace From 7b076532aaa781d1ff0187f12295d8c1663fc77c Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Thu, 3 Nov 2022 17:03:25 -0700 Subject: [PATCH 1324/1479] Clean up the sqlproxy service Rename this to sqlproxy-cross-project to match the science-platform name and overall Phalanx configuration. Add documentation. Clean up the Helm chart configuration. Remove a bunch of unneeded variables and make the interface higher-level, roughly matching how Gafaelfawr's instance of this has been configured. Remove global variables that were never used. --- docs/applications/index.rst | 1 + .../sqlproxy-cross-project/index.rst | 21 ++++++ .../sqlproxy-cross-project/values.md | 12 ++++ .../sqlproxy-cross-project-application.yaml | 25 +++---- .../.helmignore | 0 services/sqlproxy-cross-project/Chart.yaml | 15 ++++ services/sqlproxy-cross-project/README.md | 28 ++++++++ .../templates/_helpers.tpl | 0 .../templates/deployment.yaml | 36 +++++----- .../templates/service.yaml | 5 +- .../templates/serviceaccount.yaml | 8 +++ .../sqlproxy-cross-project/values-idfdev.yaml | 11 +++ services/sqlproxy-cross-project/values.yaml | 49 +++++++++++++ services/sqlproxy/Chart.yaml | 6 -- services/sqlproxy/README.md | 29 -------- .../sqlproxy/templates/serviceaccount.yaml | 11 --- services/sqlproxy/values-idfdev.yaml | 24 ------- services/sqlproxy/values.yaml | 70 ------------------- 18 files changed, 177 insertions(+), 174 deletions(-) create mode 100644 docs/applications/sqlproxy-cross-project/index.rst create mode 100644 docs/applications/sqlproxy-cross-project/values.md rename services/{sqlproxy => sqlproxy-cross-project}/.helmignore (100%) create mode 100644 services/sqlproxy-cross-project/Chart.yaml create mode 100644 services/sqlproxy-cross-project/README.md rename services/{sqlproxy => sqlproxy-cross-project}/templates/_helpers.tpl (100%) rename services/{sqlproxy => sqlproxy-cross-project}/templates/deployment.yaml (69%) rename services/{sqlproxy => sqlproxy-cross-project}/templates/service.yaml (75%) create mode 100644 
services/sqlproxy-cross-project/templates/serviceaccount.yaml create mode 100644 services/sqlproxy-cross-project/values-idfdev.yaml create mode 100644 services/sqlproxy-cross-project/values.yaml delete mode 100644 services/sqlproxy/Chart.yaml delete mode 100644 services/sqlproxy/README.md delete mode 100644 services/sqlproxy/templates/serviceaccount.yaml delete mode 100644 services/sqlproxy/values-idfdev.yaml delete mode 100644 services/sqlproxy/values.yaml diff --git a/docs/applications/index.rst b/docs/applications/index.rst index 1366fec6fb..e9e954db32 100644 --- a/docs/applications/index.rst +++ b/docs/applications/index.rst @@ -33,6 +33,7 @@ To learn how to develop applications for Phalanx, see the :doc:`/developers/inde portal/index semaphore/index sherlock/index + sqlproxy-cross-project/index squareone/index tap/index tap-schema/index diff --git a/docs/applications/sqlproxy-cross-project/index.rst b/docs/applications/sqlproxy-cross-project/index.rst new file mode 100644 index 0000000000..7e63ea2af7 --- /dev/null +++ b/docs/applications/sqlproxy-cross-project/index.rst @@ -0,0 +1,21 @@ +.. px-app:: sqlproxy-cross-project + +################################################# +sqlproxy-cross-project — External Cloud SQL proxy +################################################# + +Sometimes, we want to allow arbitrary pods in one Google Kubernetes Engine cluster access Cloud SQL services in a different project. +For example, the IDF dev environment needs to be able to access the Cloud SQL Butler registry in the IDF int environment for testing purposes. + +This application enables that type of cross-environment Cloud SQL connection by running a general-use instance of the `Google Cloud SQL Auth Proxy `__. + +.. jinja:: sqlproxy-cross-project + :file: applications/_summary.rst.jinja + +Guides +====== + +.. toctree:: + :maxdepth: 1 + + values 
diff --git a/docs/applications/sqlproxy-cross-project/values.md b/docs/applications/sqlproxy-cross-project/values.md new file mode 100644 index 0000000000..5a4cc17c79 --- /dev/null +++ b/docs/applications/sqlproxy-cross-project/values.md @@ -0,0 +1,12 @@ +```{px-app-values} sqlproxy-cross-project +``` + +# sqlproxy-cross-project Helm values reference + +Helm values reference table for the {px-app}`sqlproxy-cross-project` application. + +```{include} ../../../services/sqlproxy-cross-project/README.md +--- +start-after: "## Values" +--- +``` diff --git a/science-platform/templates/sqlproxy-cross-project-application.yaml b/science-platform/templates/sqlproxy-cross-project-application.yaml index 210f5d9abf..631378b41f 100644 --- a/science-platform/templates/sqlproxy-cross-project-application.yaml +++ b/science-platform/templates/sqlproxy-cross-project-application.yaml @@ -2,31 +2,28 @@ apiVersion: v1 kind: Namespace metadata: - name: sqlproxy-cross-project + name: "sqlproxy-cross-project" spec: finalizers: - - kubernetes + - "kubernetes" --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: sqlproxy-cross-project - namespace: argocd + name: "sqlproxy-cross-project" + namespace: "argocd" finalizers: - - resources-finalizer.argocd.argoproj.io + - "resources-finalizer.argocd.argoproj.io" spec: destination: - namespace: sqlproxy-cross-project - server: https://kubernetes.default.svc - project: default + namespace: "sqlproxy-cross-project" + server: "https://kubernetes.default.svc" + project: "default" source: - path: services/sqlproxy - repoURL: {{ .Values.repoURL }} - targetRevision: {{ .Values.revision }} + path: "services/sqlproxy-cross-project" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} helm: - parameters: - - name: "global.vaultSecretsPath" - value: {{ .Values.vault_path_prefix | quote }} valueFiles: - "values.yaml" - "values-{{ .Values.environment }}.yaml" 
diff --git a/services/sqlproxy/.helmignore b/services/sqlproxy-cross-project/.helmignore similarity index 100% rename from services/sqlproxy/.helmignore rename to services/sqlproxy-cross-project/.helmignore diff --git a/services/sqlproxy-cross-project/Chart.yaml b/services/sqlproxy-cross-project/Chart.yaml new file mode 100644 index 0000000000..4f48ff8d1f --- /dev/null +++ b/services/sqlproxy-cross-project/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v2 +name: sqlproxy +type: application +version: 1.0.0 +description: GCP SQL Proxy as a service +home: https://cloud.google.com/sql/docs/postgres/sql-proxy +sources: + - https://github.com/GoogleCloudPlatform/cloud-sql-proxy + +# Normally, we would put the tag of the Docker container here and have the +# deployment default to that value. However, in this case, since the image is +# maintained externally and we want Renovate to send us PRs for version +# updates, the version is tracked only in values.yaml and this version is not +# used. +# appVersion: "0.1.0" diff --git a/services/sqlproxy-cross-project/README.md b/services/sqlproxy-cross-project/README.md new file mode 100644 index 0000000000..6feb8140b5 --- /dev/null +++ b/services/sqlproxy-cross-project/README.md 
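Review bot: `name: sqlproxy` in the new Chart.yaml does not match the directory and Argo CD application name `sqlproxy-cross-project` that this commit introduces to align with the science-platform name; the helm-docs README title (`# sqlproxy`) is generated from it and, presumably, `.Chart.Name`-derived resource names follow it too. Helm accepts a chart name that differs from its directory, but given the stated goal `name: sqlproxy-cross-project` would be consistent, unless the existing helper/resource names are meant to stay stable. The comment explaining why `appVersion` is left out is good; consider also stating in `description:` that the proxy is cross-project (`description: Cloud SQL Auth Proxy for cross-project access`) so the chart index distinguishes it from the per-application proxies.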
@@ -0,0 +1,28 @@ +# sqlproxy + +GCP SQL Proxy as a service + +**Homepage:** + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the Cloud SQL Proxy pod | +| config.instanceConnectionName | string | None, must be set | Instance connection name for a CloudSQL PostgreSQL instance | +| config.ipAddressType | string | `"PRIVATE"` | IP address type of the instance to connect to (either `PUBLIC` or `PRIVATE`) | +| config.serviceAccount | string | None, must be set if Cloud SQL Auth Proxy is enabled | The Google service account that has an IAM binding to the Cloud SQL Proxy Kubernetes service account and has the `cloudsql.client` role | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Cloud SQL Proxy image | +| image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Proxy image to use | +| image.tag | string | `"1.32.0"` | Tag of Cloud SQL Proxy image to use | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the Cloud SQL Proxy pod | +| podAnnotations | object | `{}` | Annotations for the Cloud SQL Proxy pod | +| replicaCount | int | `1` | Number of pods to start | +| resources | object | `{}` | Resource limits and requests for the Cloud SQL Proxy pod | +| tolerations | list | `[]` | Tolerations for the Cloud SQL Proxy pod | diff --git a/services/sqlproxy/templates/_helpers.tpl b/services/sqlproxy-cross-project/templates/_helpers.tpl similarity index 100% rename from services/sqlproxy/templates/_helpers.tpl rename to services/sqlproxy-cross-project/templates/_helpers.tpl 
diff --git a/services/sqlproxy/templates/deployment.yaml b/services/sqlproxy-cross-project/templates/deployment.yaml similarity index 69% rename from services/sqlproxy/templates/deployment.yaml rename to services/sqlproxy-cross-project/templates/deployment.yaml index d1567535e4..5a0cd44a21 100644 --- a/services/sqlproxy/templates/deployment.yaml +++ b/services/sqlproxy-cross-project/templates/deployment.yaml @@ -9,6 +9,7 @@ spec: selector: matchLabels: {{- include "sqlproxy.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "cloud-sql-proxy" template: metadata: {{- with .Values.podAnnotations }} 
@@ -17,37 +18,36 @@ spec: {{- end }} labels: {{- include "sqlproxy.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "cloud-sql-proxy" spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ .Values.serviceAccountName }} - securityContext: - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 + serviceAccountName: {{ include "sqlproxy.fullname" . }} containers: - name: cloud-sql-proxy command: - "/cloud_sql_proxy" - "-log_debug_stdout" - "-structured_logs" - - "-ip_address_types={{ required "cloudsql.ipAddressType must be specified" .Values.cloudsql.ipAddressType}}" - - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:0.0.0.0:5432" + - "-ip_address_types={{ required "config.ipAddressType must be specified" .Values.config.ipAddressType}}" + - "-instances={{ required "config.instanceConnectionName must be specified" .Values.config.instanceConnectionName }}=tcp:0.0.0.0:5432" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + ports: + - containerPort: 5432 + protocol: "TCP" + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - "all" readOnlyRootFilesystem: true - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - containerPort: 5432 - protocol: TCP - resources: - {{- toYaml .Values.resources | nindent 12 }} + securityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
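Review bot: The second `securityContext:` block added near the end of the hunk (`runAsNonRoot`, `runAsUser`, `runAsGroup`) now sits after the container's own `securityContext:` and before the pod-level `{{- with .Values.nodeSelector }}`; its indentation is not recoverable from this rendering, but if it is at container indentation it is a duplicate key in the container mapping and the YAML parser keeps only the last one, silently dropping `allowPrivilegeEscalation: false`, the capability drop and `readOnlyRootFilesystem: true`. Either restore it as the pod-level `securityContext:` directly under `spec:` before `containers:` where the removed lines had it, or fold the three `runAs*` keys into the single container-level `securityContext:`; `helm template` output for this chart shows which one is in effect. While touching that block, `seccompProfile: {type: RuntimeDefault}` is a cheap addition neither the old nor the new pod-level context sets. The template continues past the end of the hunk.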
diff --git a/services/sqlproxy/templates/service.yaml b/services/sqlproxy-cross-project/templates/service.yaml
similarity index 75%
rename from services/sqlproxy/templates/service.yaml
rename to services/sqlproxy-cross-project/templates/service.yaml
index 025b0c14e1..c684cc889c 100644
--- a/services/sqlproxy/templates/service.yaml
+++ b/services/sqlproxy-cross-project/templates/service.yaml
@@ -7,8 +7,9 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: 5432
+ - protocol: "TCP"
+ port: 5432
 targetPort: 5432
- protocol: TCP
 selector:
 {{- include "sqlproxy.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: "cloud-sql-proxy"
diff --git a/services/sqlproxy-cross-project/templates/serviceaccount.yaml b/services/sqlproxy-cross-project/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..cb8d257f36
--- /dev/null
+++ b/services/sqlproxy-cross-project/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "sqlproxy.fullname" . }}
+ labels:
+ {{- include "sqlproxy.labels" . | nindent 4 }}
+ annotations:
+ iam.gke.io/gcp-service-account: {{ required ".Values.config.serviceAccount must be set to a valid Google service account" .Values.config.serviceAccount | quote }}
diff --git a/services/sqlproxy-cross-project/values-idfdev.yaml b/services/sqlproxy-cross-project/values-idfdev.yaml
new file mode 100644
index 0000000000..ffcc6f60d1
--- /dev/null
+++ b/services/sqlproxy-cross-project/values-idfdev.yaml
@@ -0,0 +1,11 @@
+fullnameOverride: sqlproxy-butler-int
+
+config:
+ ipAddressType: "PUBLIC"
+ instanceConnectionName: "science-platform-int-dc5d:us-central1:butler-registry-int-72f9812d"
+ serviceAccount: "sqlproxy-butler-int@science-platform-dev-7696.iam.gserviceaccount.com"
+
+resources:
+ requests:
+ cpu: "1"
+ memory: "2Gi"
diff --git a/services/sqlproxy-cross-project/values.yaml b/services/sqlproxy-cross-project/values.yaml
new file mode 100644
index 0000000000..be19862597
--- /dev/null
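Review bot: `fullnameOverride: sqlproxy-butler-int` in the new values-idfdev.yaml is the only unquoted string in a commit that otherwise quotes every scalar (the Application template and values.yaml hunks both adopt quoting), so `fullnameOverride: "sqlproxy-butler-int"` keeps the file consistent with its siblings. `ipAddressType: "PUBLIC"` also deserves a one-line comment saying why the instance is reached over its public address — presumably because it lives in another project with no private connectivity from this cluster — since a reader would otherwise assume the chart default `PRIVATE` was forgotten. The proxy still authenticates with the workload-identity service account named in `config.serviceAccount`, so this is a documentation point rather than a blocker.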
+++ b/services/sqlproxy-cross-project/values.yaml
@@ -0,0 +1,49 @@
+# Default values for sqlproxy
+
+# -- Override the base name for resources
+nameOverride: ""
+
+# -- Override the full name for resources (includes the release name)
+fullnameOverride: ""
+
+# -- Number of pods to start
+replicaCount: 1
+
+image:
+ # -- Cloud SQL Proxy image to use
+ repository: "gcr.io/cloudsql-docker/gce-proxy"
+
+ # -- Tag of Cloud SQL Proxy image to use
+ tag: "1.32.0"
+
+ # -- Pull policy for the Cloud SQL Proxy image
+ pullPolicy: "IfNotPresent"
+
+config:
+ # -- Instance connection name for a CloudSQL PostgreSQL instance
+ # @default -- None, must be set
+ instanceConnectionName: ""
+
+ # -- IP address type of the instance to connect to (either `PUBLIC` or
+ # `PRIVATE`)
+ ipAddressType: "PRIVATE"
+
+ # -- The Google service account that has an IAM binding to the Cloud SQL
+ # Proxy Kubernetes service account and has the `cloudsql.client` role
+ # @default -- None, must be set if Cloud SQL Auth Proxy is enabled
+ serviceAccount: ""
+
+# -- Resource limits and requests for the Cloud SQL Proxy pod
+resources: {}
+
+# -- Annotations for the Cloud SQL Proxy pod
+podAnnotations: {}
+
+# -- Node selector rules for the Cloud SQL Proxy pod
+nodeSelector: {}
+
+# -- Tolerations for the Cloud SQL Proxy pod
+tolerations: []
+
+# -- Affinity rules for the Cloud SQL Proxy pod
+affinity: {}
diff --git a/services/sqlproxy/Chart.yaml b/services/sqlproxy/Chart.yaml
deleted file mode 100644
index 1ed38f02c3..0000000000
--- a/services/sqlproxy/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-name: sqlproxy
-description: gcp sql proxy as a service deployment
-type: application
-version: 0.1.0
-appVersion: "0.1.0"
diff --git a/services/sqlproxy/README.md b/services/sqlproxy/README.md
deleted file mode 100644
index 3eb0020818..0000000000
--- a/services/sqlproxy/README.md
+++ /dev/null
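Review bot: The `# @default -- None, must be set if Cloud SQL Auth Proxy is enabled` line under `config.serviceAccount` describes a toggle this chart does not have: `templates/serviceaccount.yaml` in the same commit wraps the value in `required`, so every install fails without it, and the generated README repeats the misleading text. Use the same wording as `instanceConnectionName`, `# @default -- None, must be set`, and regenerate the README. The comment above it mentions an IAM binding to the Kubernetes service account; naming the role that binding grants (`roles/iam.workloadIdentityUser`, which the `iam.gke.io/gcp-service-account` annotation relies on) alongside `cloudsql.client` would make the prerequisite list complete for whoever provisions the next environment.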
@@ -1,29 +0,0 @@ -# sqlproxy - -gcp sql proxy as a service deployment - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | Affinity rules for the cachemachine frontend pod | -| autostart | object | `{}` | Autostart configuration. Each key is the name of a class of images to pull, and the value is the JSON specification for which and how many images to pull. | -| cloudsql.instanceConnectionName | string | `""` | | -| cloudsql.ipAddressType | string | `"PRIVATE"` | | -| cloudsql.nameSuffix | string | `""` | | -| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | -| global.baseUrl | string | Set by Argo CD | Base URL for the environment | -| global.host | string | Set by Argo CD | Host name for ingress | -| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the cachemachine image | -| image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | cachemachine image to use | -| image.tag | string | The appVersion of the chart | Tag of cachemachine image to use | -| nameOverride | string | `""` | Override the base name for resources | -| nodeSelector | object | `{}` | Node selector rules for the cachemachine frontend pod | -| podAnnotations | object | `{}` | Annotations for the cachemachine frontend pod | -| resources | object | `{}` | Resource limits and requests for the cachemachine frontend pod | -| serviceAccount | object | `{"annotations":{},"name":""}` | Secret names to use for all Docker pulls | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.name | string | Name based on the fullname template | Name of the service account to use | -| serviceAccountName | string | `""` | | -| tolerations | list | `[]` | Tolerations for the cachemachine frontend pod | 
diff --git a/services/sqlproxy/templates/serviceaccount.yaml b/services/sqlproxy/templates/serviceaccount.yaml deleted file mode 100644 index c1ad0fffab..0000000000 --- a/services/sqlproxy/templates/serviceaccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "sqlproxy.fullname" . }} - labels: - {{- include "sqlproxy.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - diff --git a/services/sqlproxy/values-idfdev.yaml b/services/sqlproxy/values-idfdev.yaml deleted file mode 100644 index 027717b6bb..0000000000 --- a/services/sqlproxy/values-idfdev.yaml +++ /dev/null @@ -1,24 +0,0 @@ -serviceAccountName: sqlproxy-butler-int - -fullnameOverride: sqlproxy-butler-int - -serviceAccount: - annotations: { - iam.gke.io/gcp-service-account: sqlproxy-butler-int@science-platform-dev-7696.iam.gserviceaccount.com - } - -cloudsql: - nameSuffix: "butler-int" - ipAddressType: "PUBLIC" - instanceConnectionName: "science-platform-int-dc5d:us-central1:butler-registry-int-72f9812d" - -replicaCount: 1 - -image: - repository: gcr.io/cloudsql-docker/gce-proxy - tag: 1.28.0 - -resources: - requests: - cpu: "1" - memory: "2Gi" diff --git a/services/sqlproxy/values.yaml b/services/sqlproxy/values.yaml deleted file mode 100644 index 789f0fcc88..0000000000 --- a/services/sqlproxy/values.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -# Default values for sqlproxy-gcp - -# -- Override the base name for resources -nameOverride: "" - -# -- Override the full name for resources (includes the release name) -fullnameOverride: "" - -image: - # -- cachemachine image to use - repository: gcr.io/cloudsql-docker/gce-proxy - - # -- Pull policy for the cachemachine image - pullPolicy: IfNotPresent - - # -- Tag of cachemachine image to use - # @default -- The appVersion of the chart - tag: "" - - -serviceAccountName: "" - -cloudsql: - nameSuffix: "" - ipAddressType: "PRIVATE" - instanceConnectionName: "" - -# -- Secret names to use for all Docker pulls -serviceAccount: - # -- Name of the service account to use - # @default -- Name based on the fullname template - name: "" - - # -- Annotations to add to the service account - annotations: {} - -# -- Resource limits and requests for the cachemachine frontend pod -resources: {} - -# -- Annotations for the cachemachine frontend pod -podAnnotations: {} - -# -- Node selector rules for the cachemachine frontend pod -nodeSelector: {} - -# -- Tolerations for the cachemachine frontend pod -tolerations: [] - -# -- Affinity rules for the cachemachine frontend pod -affinity: {} - -# -- Autostart configuration. Each key is the name of a class of images to -# pull, and the value is the JSON specification for which and how many images -# to pull. -autostart: {} - -# The following will be set by parameters injected by Argo CD and should not -# be set in the individual environment values files. -global: - # -- Base URL for the environment - # @default -- Set by Argo CD - baseUrl: "" - - # -- Host name for ingress - # @default -- Set by Argo CD - host: "" - - # -- Base path for Vault secrets - # @default -- Set by Argo CD - vaultSecretsPath: "" From 7eeeeb96922f4860bcba7de2bdae135feab3c8ee Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 4 Nov 2022 14:02:14 -0700 Subject: [PATCH 1325/1479] Bump minikube and Kubernetes version --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f6414c4c79..2b7c36786c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -87,8 +87,8 @@ jobs: if: steps.filter.outputs.minikube == 'true' uses: manusa/actions-setup-minikube@v2.7.1 with: - minikube version: 'v1.25.2' - kubernetes version: 'v1.22.8' + minikube version: 'v1.28.0' + kubernetes version: 'v1.25.2' - name: Test interaction with the cluster if: steps.filter.outputs.minikube == 'true' From 5ad3069542e2596a9c08144c0e9e1769a32eeed4 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 8 Nov 2022 11:51:59 -0800 Subject: [PATCH 1326/1479] Ignore link to file added with this diff Otherwise, we create a deadlock that causes the new docs to never be published. --- docs/documenteer.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/documenteer.toml b/docs/documenteer.toml index 5733a444ea..974db92ca8 100644 --- a/docs/documenteer.toml +++ b/docs/documenteer.toml @@ -29,4 +29,7 @@ ignore = [ '^https://rsp.lsst.ac.uk', '^https://github.com/lsst-sqre/phalanx/blob/master/services/strimzi/values.yaml', '^https://github.com/orgs/', + # Temporary until merged. + "^https://github.com/lsst-sqre/phalanx/tree/master/services/sqlproxy-cross-project", + "^https://github.com/lsst-sqre/phalanx/blob/master/services/sqlproxy-cross-project", ] From 8fe06f5d54cf0241f214a866604a6d211cbc845f Mon Sep 17 00:00:00 2001 
From: stelios Date: Thu, 10 Nov 2022 15:20:17 +0200 Subject: [PATCH 1327/1479] Use roe TAP_SCHEMA / Ingress fixes / Add new Volume mounts & enable Qserv --- services/ingress-nginx/values-roe.yaml | 28 +++++++++++++------ services/moneypenny/values-roe.yaml | 5 ++++ services/nublado2/values-roe.yaml | 38 ++++++++++++++------------ services/tap-schema/values-roe.yaml | 2 ++ services/tap/values-roe.yaml | 4 +++ 5 files changed, 52 insertions(+), 25 deletions(-) diff --git a/services/ingress-nginx/values-roe.yaml b/services/ingress-nginx/values-roe.yaml index c4548e7c91..8706c8926c 100644 --- a/services/ingress-nginx/values-roe.yaml +++ b/services/ingress-nginx/values-roe.yaml @@ -1,18 +1,30 @@ ingress-nginx: controller: + config: + compute-full-forwarded-for: "true" + large-client-header-buffers: "4 64k" + proxy-body-size: "100m" + proxy-buffer-size: "64k" + ssl-redirect: "true" + use-forwarded-headers: "true" service: + externalTrafficPolicy: null type: ClusterIP - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true affinity: nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/etcd - operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: nodetype + operator: In + values: + - public + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true extraArgs: default-ssl-certificate: ingress-nginx/ingress-certificate - + podLabels: + hub.jupyter.org/network-access-proxy-http: "true" vaultCertificate: enabled: true diff --git a/services/moneypenny/values-roe.yaml b/services/moneypenny/values-roe.yaml index 3952d48484..0dbe21c7f7 100644 --- a/services/moneypenny/values-roe.yaml +++ b/services/moneypenny/values-roe.yaml @@ -8,3 +8,8 @@ orders: volumeMounts: - mountPath: /homedirs name: homedirs + volumes: + - name: homedirs + nfs: + server: 192.41.122.33 + path: /jhome 
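Review bot: `use-forwarded-headers: "true"` together with `compute-full-forwarded-for: "true"` in the new `config:` block makes the controller trust the `X-Forwarded-For` and `X-Forwarded-Proto` headers it receives, and with `hostNetwork: true` plus a `ClusterIP` service the controller appears to be reached directly on the node addresses rather than behind a trusted L7 proxy; in that case any client can forge its apparent source address in access logs, `whitelist-source-range` checks and rate-limit keys. If an external proxy does sit in front, add `proxy-real-ip-cidr` with that proxy's address range so only its headers are honoured; if not, drop the two options, whose defaults are `false`. A comment above `config:` naming the upstream proxy, if any, would record which case applies.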
diff --git a/services/nublado2/values-roe.yaml b/services/nublado2/values-roe.yaml index fee9b01082..7ff9ae4f8f 100644 --- a/services/nublado2/values-roe.yaml +++ b/services/nublado2/values-roe.yaml @@ -17,24 +17,28 @@ config: - image_url: registry.hub.docker.com/lsstsqre/sciplat-lab:recommended name: Recommended volumes: - - name: datasets - hostPath: - path: /lsstdata/user/precursor_data/datasets + - name: data + nfs: + path: /data + server: 192.41.122.33 - name: home - hostPath: - path: /lsstdata/user/staff/jhome - - name: project - hostPath: - path: /lsstdata/user/staff/project - - name: scratch - hostPath: - path: /lsstdata/user/staff/scratch - volume_mounts: + nfs: + path: /jhome + server: 192.41.122.33 - name: datasets - mountPath: /datasets + nfs: + path: /datasets + server: 192.41.122.33 + volume_mounts: + - name: data + mountPath: /data - name: home mountPath: /home - - name: project - mountPath: /project - - name: scratch - mountPath: /scratch + - name: datasets + mountPath: /datasets + +vault_secret_path: "secret/k8s_operator/roe/nublado2" + +pull-secret: + enabled: true + path: "secret/k8s_operator/roe/pull-secret" diff --git a/services/tap-schema/values-roe.yaml b/services/tap-schema/values-roe.yaml index e69de29bb2..37acef8e22 100644 --- a/services/tap-schema/values-roe.yaml +++ b/services/tap-schema/values-roe.yaml @@ -0,0 +1,2 @@ +image: + repository: "stvoutsin/tap-schema-roe" diff --git a/services/tap/values-roe.yaml b/services/tap/values-roe.yaml index e69de29bb2..cf433e64ea 100644 --- a/services/tap/values-roe.yaml +++ b/services/tap/values-roe.yaml @@ -0,0 +1,4 @@ +qserv: + host: "192.41.122.228:30040" + mock: + enabled: false From 21874e4b6401258085ff46a9591a346efb2b4318 Mon Sep 17 00:00:00 2001 From: Tiago Ribeiro Date: Tue, 8 Nov 2022 12:07:03 -0700 Subject: [PATCH 1328/1479] Update nublado summit deployment to cycle 27. --- services/cachemachine/values-summit.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
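Review bot: None of the new `volume_mounts` entries for `data`, `home` and `datasets` sets `readOnly`, so if the chart passes them through as Kubernetes volumeMounts a user notebook can write to the shared `/data` and `/datasets` trees as well as its home directory. If those exports are shared reference data, `readOnly: true` on the `data` and `datasets` mounts confines writes to `/home` (whether the NFS export itself is read-only is not visible here). The server address `192.41.122.33` is repeated three times and the follow-up commit dd7be667 had to change all three; a single anchor such as `&nfs_server` on the first occurrence, or a comment naming the host, would keep them from drifting apart.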
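Review bot: `repository: "stvoutsin/tap-schema-roe"` in the new tap-schema values file points the schema image at a personal Docker Hub namespace and sets no `tag`, so the deployment pulls whatever the chart's default tag (not visible here) resolves to under an account outside the project's control, and a re-pushed tag would change the schema served to users with no change in this repository. Pin the image in this file with `tag: "<release tag>"` next to `repository` (a digest is better still), and when practical publish it under the organisation's registry so it is covered by the same review and Renovate flow as the other images.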
diff --git a/services/cachemachine/values-summit.yaml b/services/cachemachine/values-summit.yaml index d73909cf71..0ee5194119 100644 --- a/services/cachemachine/values-summit.yaml +++ b/services/cachemachine/values-summit.yaml @@ -8,11 +8,11 @@ autostart: "type": "RubinRepoMan", "registry_url": "ts-dockerhub.lsst.org", "repo": "sal-sciplat-lab", - "recommended_tag": "recommended_c0026", + "recommended_tag": "recommended_c0027", "num_releases": 0, "num_weeklies": 3, "num_dailies": 2, - "cycle": 26, + "cycle": 27, "alias_tags": [ "latest", "latest_daily", From dd7be667a1c5985d81a707edc1cd0a6d0fa2b711 Mon Sep 17 00:00:00 2001 From: stelios Date: Fri, 11 Nov 2022 14:01:51 +0200 Subject: [PATCH 1329/1479] Fix the IP address to the NFS node --- services/moneypenny/values-roe.yaml | 2 +- services/nublado2/values-roe.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/moneypenny/values-roe.yaml b/services/moneypenny/values-roe.yaml index 0dbe21c7f7..a16c891ca2 100644 --- a/services/moneypenny/values-roe.yaml +++ b/services/moneypenny/values-roe.yaml @@ -11,5 +11,5 @@ orders: volumes: - name: homedirs nfs: - server: 192.41.122.33 + server: 10.72.0.23 path: /jhome diff --git a/services/nublado2/values-roe.yaml b/services/nublado2/values-roe.yaml index 7ff9ae4f8f..186887deb5 100644 --- a/services/nublado2/values-roe.yaml +++ b/services/nublado2/values-roe.yaml @@ -20,15 +20,15 @@ config: - name: data nfs: path: /data - server: 192.41.122.33 + server: 10.72.0.23 - name: home nfs: path: /jhome - server: 192.41.122.33 + server: 10.72.0.23 - name: datasets nfs: path: /datasets - server: 192.41.122.33 + server: 10.72.0.23 volume_mounts: - name: data mountPath: /data From 142dd2306ffacb05bb6bce6c02cf85e79c315a75 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 14 Nov 2022 00:32:37 +0000 Subject: [PATCH 1330/1479] Update Helm release argo-cd to v5.13.8 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 0ae454efc0..8abc5118d1 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -8,5 +8,5 @@ sources: - https://github.com/argoproj/argo-helm dependencies: - name: argo-cd - version: 5.13.4 + version: 5.13.8 repository: https://argoproj.github.io/argo-helm From ff549736c5950ed15e4be386aab4d43b143878dc Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 14 Nov 2022 08:14:23 -0800 Subject: [PATCH 1331/1479] Remove subchart section of service README.md While this information is useful, it forces additional manual work whenever merging Renovate updates. We decided to drop it to reduce maintenance work. --- helm-docs.md.gotmpl | 2 -- services/alert-stream-broker/README.md | 9 --------- services/argocd/README.md | 6 ------ services/cert-manager/README.md | 6 ------ services/ingress-nginx/README.md | 6 ------ services/noteburst/README.md | 6 ------ services/nublado2/README.md | 8 -------- services/sasquatch/README.md | 14 -------------- services/telegraf-ds/README.md | 6 ------ services/telegraf/README.md | 6 ------ services/times-square/README.md | 6 ------ services/vault-secrets-operator/README.md | 6 ------ 12 files changed, 81 deletions(-) diff --git a/helm-docs.md.gotmpl b/helm-docs.md.gotmpl index bc12ee4a20..c63e5b2103 100644 --- a/helm-docs.md.gotmpl +++ b/helm-docs.md.gotmpl @@ -6,6 +6,4 @@ {{ template "chart.sourcesSection" . }} -{{ template "chart.requirementsSection" . }} - {{ template "chart.valuesSection" . }} diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index c6bf42365a..2648fe3a72 100644 --- a/services/alert-stream-broker/README.md 
+++ b/services/alert-stream-broker/README.md @@ -7,12 +7,3 @@ Alert transmission to community brokers * * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| | alert-database | 2.1.0 | -| | alert-stream-broker | 2.5.1 | -| | alert-stream-schema-registry | 2.1.0 | -| | alert-stream-simulator | 1.6.2 | - diff --git a/services/argocd/README.md b/services/argocd/README.md index 5306f57d0c..13c3499ab3 100644 --- a/services/argocd/README.md +++ b/services/argocd/README.md @@ -9,12 +9,6 @@ Kubernetes application manager * * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 5.13.4 | - ## Values | Key | Type | Default | Description | diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md index 1bb8a31def..1d4e1116ec 100644 --- a/services/cert-manager/README.md +++ b/services/cert-manager/README.md @@ -8,12 +8,6 @@ TLS certificate manager * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://charts.jetstack.io | cert-manager | v1.10.0 | - ## Values | Key | Type | Default | Description | diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index a53965e719..dbf2869d27 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md @@ -8,12 +8,6 @@ Ingress controller * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.3.0 | - ## Values | Key | Type | Default | Description | diff --git a/services/noteburst/README.md b/services/noteburst/README.md index dd409fa0ca..73a3f63c1e 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md 
@@ -8,12 +8,6 @@ Noteburst is a notebook execution service for the Rubin Science Platform. * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.3.8 | - ## Values | Key | Type | Default | Description | diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 262fae81d5..550696da67 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md @@ -8,14 +8,6 @@ JupyterHub for the Rubin Science Platform * -## Requirements - -Kubernetes: `>=1.20.0-0` - -| Repository | Name | Version | -|------------|------|---------| -| https://jupyterhub.github.io/helm-chart/ | jupyterhub | 2.0.0 | - ## Values | Key | Type | Default | Description | diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index fc7f1e7d2e..7890c319a0 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md @@ -2,20 +2,6 @@ Rubin Observatory's telemetry service. -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| | kafdrop | 1.0.0 | -| | kafka-connect-manager | 1.0.0 | -| | strimzi-kafka | 1.0.0 | -| | telegraf-kafka-consumer | 1.0.0 | -| https://helm.influxdata.com/ | chronograf | 1.2.5 | -| https://helm.influxdata.com/ | influxdb | 4.12.0 | -| https://helm.influxdata.com/ | influxdb2 | 2.1.1 | -| https://helm.influxdata.com/ | kapacitor | 1.4.6 | -| https://lsst-sqre.github.io/charts/ | strimzi-registry-operator | 2.1.0 | - ## Values | Key | Type | Default | Description | diff --git a/services/telegraf-ds/README.md b/services/telegraf-ds/README.md index 1f2eea3c52..012cd8ecad 100644 --- a/services/telegraf-ds/README.md +++ b/services/telegraf-ds/README.md @@ -9,12 +9,6 @@ Kubernetes node telemetry collection service * * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://helm.influxdata.com/ | telegraf-ds | 1.1.5 | - ## Values | Key | Type | Default | Description | 
diff --git a/services/telegraf/README.md b/services/telegraf/README.md index 224c724374..b3fc357504 100644 --- a/services/telegraf/README.md +++ b/services/telegraf/README.md @@ -9,12 +9,6 @@ Application telemetry collection service * * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://helm.influxdata.com/ | telegraf | 1.8.23 | - ## Values | Key | Type | Default | Description | diff --git a/services/times-square/README.md b/services/times-square/README.md index c483b47a1f..b107fab875 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -6,12 +6,6 @@ An API service for managing and rendering parameterized Jupyter notebooks. * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 17.3.8 | - ## Values | Key | Type | Default | Description | diff --git a/services/vault-secrets-operator/README.md b/services/vault-secrets-operator/README.md index 6ef772c809..f1c78b7e0e 100644 --- a/services/vault-secrets-operator/README.md +++ b/services/vault-secrets-operator/README.md @@ -4,12 +4,6 @@ * -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://ricoberger.github.io/helm-charts/ | vault-secrets-operator | 1.19.6 | - ## Values | Key | Type | Default | Description | From 623d2e3e9b59bb1b0e7680b318d5f5cb2ab3cf58 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 14 Nov 2022 16:23:16 +0000 Subject: [PATCH 1332/1479] Update Helm release ingress-nginx to v4.4.0 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 8d49f066c9..5128abc18e 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml 
@@ -7,5 +7,5 @@ sources: - https://github.com/kubernetes/ingress-nginx dependencies: - name: ingress-nginx - version: 4.3.0 + version: 4.4.0 repository: https://kubernetes.github.io/ingress-nginx From 4ba2606a94fd91c4a69114d97fa7ce3c11a6be9a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 14 Nov 2022 16:32:01 +0000 Subject: [PATCH 1333/1479] Update Helm release vault-secrets-operator to v1.19.7 --- services/vault-secrets-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml index d1b9033941..e6480cccea 100644 --- a/services/vault-secrets-operator/Chart.yaml +++ b/services/vault-secrets-operator/Chart.yaml @@ -5,7 +5,7 @@ sources: - https://github.com/ricoberger/vault-secrets-operator dependencies: - name: vault-secrets-operator - version: 1.19.6 + version: 1.19.7 repository: https://ricoberger.github.io/helm-charts/ annotations: phalanx.lsst.io/docs: | From 54be35dfe68f26977ca4a0da51aa8fd97e8dba4d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 14 Nov 2022 16:42:39 +0000 Subject: [PATCH 1334/1479] Update Helm release redis to v17.3.10 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 7712b4c1ba..258d03af9c 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,7 +14,7 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.3.8 + version: 17.3.10 repository: https://charts.bitnami.com/bitnami annotations: diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 039c2643ac..dabe3f34cd 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml 
@@ -12,7 +12,7 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.3.8 + version: 17.3.10 repository: https://charts.bitnami.com/bitnami annotations: From 87281f8fe9f5fe0643502ec7fd2d225ce303e32a Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 18 Nov 2022 10:26:50 -0700 Subject: [PATCH 1335/1479] Add Butler env vars to summit --- services/nublado2/values-summit.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml index 55c6699c6e..cf4f6f6767 100644 --- a/services/nublado2/values-summit.yaml +++ b/services/nublado2/values-summit.yaml @@ -25,6 +25,8 @@ config: LSST_DDS_INTERFACE: net1 LSST_DDS_PARTITION_PREFIX: summit LSST_SITE: summit + PGPASSFILE: "/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt" + PGUSER: "oods" volumes: - name: home nfs: From 2696da4d3beabf55b0f137a21500cc22d7869b48 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Fri, 4 Nov 2022 15:40:59 +0000 Subject: [PATCH 1336/1479] Edit alert stream broker log message version --- .gitignore | 12 ++++++++++++ .../charts/alert-stream-broker/README.md | 4 ++-- .../charts/alert-stream-broker/values.yaml | 4 ++-- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index f217a7f04c..5b7ee1e96e 100644 --- a/.gitignore +++ b/.gitignore @@ -154,3 +154,15 @@ services/alert-stream-broker/.DS_Store .DS_Store .idea/inspectionProfiles/profiles_settings.xml + +services/alert-stream-broker/.idea/alert-stream-broker.iml + +services/alert-stream-broker/.idea/vcs.xml + +services/alert-stream-broker/.idea/inspectionProfiles/profiles_settings.xml + +services/alert-stream-broker/.idea/inspectionProfiles/Project_Default.xml + +services/alert-stream-broker/.idea/modules.xml + +services/alert-stream-broker/.idea/misc.xml 
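Review bot: The new `PGPASSFILE` entry in values-summit.yaml points libpq at `/opt/lsst/software/jupyterlab/butler-secret/postgres-credentials.txt`, and libpq silently ignores a password file whose mode permits group or world access, so whatever mounts that file must present it as 0600; for a Secret volume that means an explicit `defaultMode: 0600` (decimal 384) or a per-item `mode`, because the default mount mode is 0644. That mount is not part of this hunk, so this needs confirming against the volume definition. A short comment on the new lines would save the next reader a trip to the libpq docs, e.g. `# libpq reads credentials from PGPASSFILE; the file must be mode 0600 or it is ignored`. The enclosing `config:` mapping starts before this hunk.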
diff --git a/services/alert-stream-broker/charts/alert-stream-broker/README.md b/services/alert-stream-broker/charts/alert-stream-broker/README.md index 85442ab6ff..f5534172f2 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/README.md +++ b/services/alert-stream-broker/charts/alert-stream-broker/README.md 
@@ -15,8 +15,8 @@ Kafka broker cluster for distributing alerts | kafka.externalListener.bootstrap.host | string | `""` | Hostname that should be used by clients who want to connect to the broker through the bootstrap address. | | kafka.externalListener.bootstrap.ip | string | `""` | IP address that should be used by the broker's external bootstrap load balancer for access from the internet. The format of this is a string like "192.168.1.1". | | kafka.externalListener.brokers | list | `[]` | List of hostname and IP for each broker. The format of this is a list of maps with 'ip' and 'host' keys. For example: - ip: "192.168.1.1" host: broker-0.example - ip: "192.168.1.2" host: broker-1.example Each replica should get a host and IP. If these are unset, then IP addresses will be chosen automatically by the Kubernetes cluster's LoadBalancer controller, and hostnames will be unset, which will break TLS connections. | -| kafka.interBrokerProtocolVersion | string | `"3.2.3"` | Version of the protocol for inter-broker communication, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | -| kafka.logMessageFormatVersion | string | `"3.2.3"` | Encoding version for messages, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | +| kafka.interBrokerProtocolVersion | float | `3.2` | Version of the protocol for inter-broker communication, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | +| kafka.logMessageFormatVersion | float | `3.2` | Encoding version for messages, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | | kafka.nodePool.affinities | list | `[{"key":"kafka","value":"ok"}]` | List of node affinities to set for the broker's nodes. The key should be a label key, and the value should be a label value, and then the broker will prefer running Kafka and Zookeeper on nodes with those key-value pairs. 
| | kafka.nodePool.tolerations | list | `[{"effect":"NoSchedule","key":"kafka","value":"ok"}]` | List of taint tolerations when scheduling the broker's pods onto nodes. The key should be a taint key, the value should be a taint value, and effect should be a taint effect that can be tolerated (ignored) when scheduling the broker's Kafka and Zookeeper pods. | | kafka.replicas | int | `3` | Number of Kafka broker replicas to run. | diff --git a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml index 4226954915..02b2c5c431 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml +++ b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml @@ -12,10 +12,10 @@ kafka: version: 3.2.3 # -- Encoding version for messages, see # https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. - logMessageFormatVersion: 3.2.3 + logMessageFormatVersion: 3.2 # -- Version of the protocol for inter-broker communication, see # https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. - interBrokerProtocolVersion: 3.2.3 + interBrokerProtocolVersion: 3.2 # -- Number of Kafka broker replicas to run. replicas: 3 From 86a14befd1614f60aad75c09cfd6eeb9cb995585 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Tue, 8 Nov 2022 16:53:15 -0800 Subject: [PATCH 1337/1479] Edit cert-manager --- services/alert-stream-broker/.idea/.gitignore | 8 ++++++++ .../charts/alert-stream-broker/README.md | 4 ++-- .../charts/alert-stream-broker/values.yaml | 4 ++-- .../alert-stream-schema-registry/templates/ingress.yaml | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) create mode 100644 services/alert-stream-broker/.idea/.gitignore diff --git a/services/alert-stream-broker/.idea/.gitignore b/services/alert-stream-broker/.idea/.gitignore new file mode 100644 index 0000000000..13566b81b0 --- /dev/null 
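Review bot: In the values.yaml hunk, `logMessageFormatVersion: 3.2` and `interBrokerProtocolVersion: 3.2` are now unquoted and therefore parsed as YAML floats (the regenerated README confirms this by listing their type as `float`), while Strimzi treats these Kafka settings as version strings. A float round-trips correctly only by accident here; a future value such as `3.10` would render as `3.1`. Quote both values, `logMessageFormatVersion: "3.2"` and `interBrokerProtocolVersion: "3.2"`, so the README goes back to reporting them as strings and the rendered Kafka resource carries exactly the text that was written.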
+++ b/services/alert-stream-broker/.idea/.gitignore @@ -0,0 +1,8 @@ +# Default ignored files +/shelf/ +/workspace.xml +# Editor-based HTTP Client requests +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git a/services/alert-stream-broker/charts/alert-stream-broker/README.md b/services/alert-stream-broker/charts/alert-stream-broker/README.md index f5534172f2..f01f46a8b8 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/README.md +++ b/services/alert-stream-broker/charts/alert-stream-broker/README.md 
@@ -26,8 +26,8 @@ Kafka broker cluster for distributing alerts | nameOverride | string | `""` | | | strimziAPIVersion | string | `"v1beta2"` | Version of the Strimzi Custom Resource API. The correct value depends on the deployed version of Strimzi. See [this blog post](https://strimzi.io/blog/2021/04/29/api-conversion/) for more. | | superusers | list | `["kafka-admin"]` | A list of usernames for users who should have global admin permissions. These users will be created, along with their credentials. | -| tls.certIssuerName | string | `"cert-issuer-letsencrypt-dns"` | Name of a ClusterIssuer capable of provisioning a TLS certificate for the broker. | -| tls.subject.organization | string | `"Vera C. Rubin Observatory"` | Organization to use in the 'Subject' field of the broker's TLS certifcate. | +| tls.certIssuerName | string | `"letsencrypt-dns"` | Name of a ClusterIssuer capable of provisioning a TLS certificate for the broker. | +| tls.subject.organization | string | `"Vera C. Rubin Observatory"` | Organization to use in the 'Subject' field of the broker's TLS certificate. | | users | list | `[{"groups":["rubin-testing"],"readonlyTopics":["alert-stream","alerts-simulated"],"username":"rubin-testing"}]` | A list of users that should be created and granted access. Passwords for these users are not generated automatically; they are expected to be stored as 1Password secrets which are replicated into Vault. Each username should have a "{{ $username }}-password" secret associated with it. | | users[0].groups | list | `["rubin-testing"]` | A list of string prefixes for groups that the user should get admin access to, allowing them to create, delete, describe, etc consumer groups. Note that these are prefix-matched, not just literal exact matches. | | users[0].readonlyTopics | list | `["alert-stream","alerts-simulated"]` | A list of topics that the user should get read-only access to. | 
diff --git a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml index 02b2c5c431..81baacd523 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml +++ b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml @@ -113,11 +113,11 @@ zookeeper: tls: subject: - # -- Organization to use in the 'Subject' field of the broker's TLS certifcate. + # -- Organization to use in the 'Subject' field of the broker's TLS certificate. organization: "Vera C. Rubin Observatory" # -- Name of a ClusterIssuer capable of provisioning a TLS certificate for # the broker. - certIssuerName: "cert-issuer-letsencrypt-dns" + certIssuerName: "letsencrypt-dns" # -- Path to the secret resource in Vault vaultSecretsPath: "" diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/ingress.yaml b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/ingress.yaml index 077c37715d..e33ddf4c29 100644 --- a/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/ingress.yaml +++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/templates/ingress.yaml @@ -4,7 +4,7 @@ metadata: name: "{{ .Values.name }}" annotations: kubernetes.io/ingress.class: "nginx" - cert-manager.io/cluster-issuer: cert-issuer-letsencrypt-dns + cert-manager.io/cluster-issuer: letsencrypt-dns nginx.ingress.kubernetes.io/configuration-snippet: | # Forbid everything except GET since this should be a read-only ingress # to the schema registry. From 4248768c302e84d1bdb7616b95232ca7aa1478b5 Mon Sep 17 00:00:00 2001 
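Review bot: The ClusterIssuer name is a hard-coded literal in the schema-registry ingress template (`cert-manager.io/cluster-issuer: letsencrypt-dns`), whereas the sibling broker chart reads it from `tls.certIssuerName`; this commit shows the cost, since the rename had to be repeated in the template, the broker values file and the README. Consider driving the annotation from a chart value, e.g. `cert-manager.io/cluster-issuer: {{ .Values.tls.certIssuerName | quote }}` with a matching default in the schema-registry chart's values (a proposed key, named to mirror the broker chart), so environment overrides and future issuer changes happen in one place. The ingress metadata block this annotation belongs to starts before the hunk.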
From: Brianna Smart Date: Mon, 14 Nov 2022 12:03:29 -0800 Subject: [PATCH 1338/1479] Edit values.yaml with tls config Values edit Typo edit Fix typo --- .../charts/alert-stream-broker/README.md | 3 +++ .../charts/alert-stream-broker/templates/kafka.yaml | 7 +++++-- .../charts/alert-stream-broker/values.yaml | 5 +++++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/services/alert-stream-broker/charts/alert-stream-broker/README.md b/services/alert-stream-broker/charts/alert-stream-broker/README.md index f01f46a8b8..14f48a94ef 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/README.md +++ b/services/alert-stream-broker/charts/alert-stream-broker/README.md 
@@ -12,9 +12,12 @@ Kafka broker cluster for distributing alerts | kafka.config."log.retention.bytes" | string | `"644245094400"` | to avoid YAML type conversion issues for large numbers. | | kafka.config."log.retention.hours" | int | `168` | Number of days for a topic's data to be retained. | | kafka.config."offsets.retention.minutes" | int | `10080` | Number of minutes for a consumer group's offsets to be retained. | +| kafka.externalListener.bootstrap.annotations | object | `{}` | | | kafka.externalListener.bootstrap.host | string | `""` | Hostname that should be used by clients who want to connect to the broker through the bootstrap address. | | kafka.externalListener.bootstrap.ip | string | `""` | IP address that should be used by the broker's external bootstrap load balancer for access from the internet. The format of this is a string like "192.168.1.1". | | kafka.externalListener.brokers | list | `[]` | List of hostname and IP for each broker. The format of this is a list of maps with 'ip' and 'host' keys. For example: - ip: "192.168.1.1" host: broker-0.example - ip: "192.168.1.2" host: broker-1.example Each replica should get a host and IP. If these are unset, then IP addresses will be chosen automatically by the Kubernetes cluster's LoadBalancer controller, and hostnames will be unset, which will break TLS connections. | +| kafka.externalListener.tls.certIssuerName | string | `"letsencrypt-dns"` | | +| kafka.externalListener.tls.enabled | bool | `false` | Whether TLS encryption is enabled. | | kafka.interBrokerProtocolVersion | float | `3.2` | Version of the protocol for inter-broker communication, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | | kafka.logMessageFormatVersion | float | `3.2` | Encoding version for messages, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. 
| | kafka.nodePool.affinities | list | `[{"key":"kafka","value":"ok"}]` | List of node affinities to set for the broker's nodes. The key should be a label key, and the value should be a label value, and then the broker will prefer running Kafka and Zookeeper on nodes with those key-value pairs. | diff --git a/services/alert-stream-broker/charts/alert-stream-broker/templates/kafka.yaml b/services/alert-stream-broker/charts/alert-stream-broker/templates/kafka.yaml index 6eefb11f40..47bf8244f0 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/templates/kafka.yaml +++ b/services/alert-stream-broker/charts/alert-stream-broker/templates/kafka.yaml @@ -22,7 +22,7 @@ spec: - name: external port: 9094 type: loadbalancer - tls: true + tls: {{ .Values.kafka.externalListener.tls.enabled}} authentication: type: scram-sha-512 configuration: @@ -46,6 +46,9 @@ spec: {{- if .Values.kafka.externalListener.bootstrap.ip }} loadBalancerIP: {{ .Values.kafka.externalListener.bootstrap.ip }} {{- end }} + {{- if .Values.kafka.externalListener.bootstrap.annotations }} + annotations: {{ .Values.kafka.externalListener.bootstrap.annotations }} + {{- end }} {{- if .Values.kafka.externalListener.brokers }} brokers: @@ -56,7 +59,7 @@ spec: {{- end }} {{- end }} - {{- if .Values.kafka.externalListener.bootstrap.host }} + {{- if and (.Values.kafka.externalListener.tls.enabled) (.Values.kafka.externalListener.bootstrap.host) }} brokerCertChainAndKey: secretName: {{ .Values.cluster.name }}-external-tls certificate: tls.crt diff --git a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml index 81baacd523..ab248cc3b0 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml +++ b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml 
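Review bot: The external listener now defaults to plaintext: `tls: {{ .Values.kafka.externalListener.tls.enabled}}` reads a value whose default in the accompanying values.yaml hunk is `false`, so every environment that does not opt in loses the TLS that was previously hard-coded on this internet-facing loadbalancer listener, and the SCRAM-SHA-512 exchange and all alert traffic cross the wire unprotected. Defaulting `enabled: true` in values.yaml and letting an environment opt out keeps the prior posture. Separately, `annotations: {{ .Values.kafka.externalListener.bootstrap.annotations }}` renders a non-empty map as Go's `map[k:v]` text rather than YAML; write `annotations:` on its own line followed by `{{- toYaml .Values.kafka.externalListener.bootstrap.annotations | nindent N }}` with N matching the surrounding `bootstrap:` indentation. The missing space in `.enabled}}` is a style nit worth fixing at the same time; the listener definition this hunk edits starts before the hunk.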
@@ -37,6 +37,10 @@ kafka: log.retention.bytes: "644245094400" externalListener: + tls: + # -- Whether TLS encryption is enabled. + enabled: false + certIssuerName: "letsencrypt-dns" bootstrap: # -- IP address that should be used by the broker's external bootstrap load # balancer for access from the internet. The format of this is a string like @@ -45,6 +49,7 @@ kafka: # -- Hostname that should be used by clients who want to connect to the # broker through the bootstrap address. host: "" + annotations: {} # -- List of hostname and IP for each broker. The format of this is a list # of maps with 'ip' and 'host' keys. For example: From 75057072a1cc5b0caf4df705182f71909542dd49 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Mon, 14 Nov 2022 14:27:04 -0800 Subject: [PATCH 1339/1479] Update external-boostrap IP --- services/alert-stream-broker/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/alert-stream-broker/values-idfint.yaml b/services/alert-stream-broker/values-idfint.yaml index 605bfe8c40..f95536a00a 100644 --- a/services/alert-stream-broker/values-idfint.yaml +++ b/services/alert-stream-broker/values-idfint.yaml @@ -7,7 +7,7 @@ alert-stream-broker: # Google and now we're pinning them. externalListener: bootstrap: - ip: 35.188.169.31 + ip: 35.224.176.103 host: alert-stream-int.lsst.cloud brokers: - ip: 35.239.64.164 From 8de8d5a82a4097eb15763d13585bdad6f07476c7 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Mon, 14 Nov 2022 14:30:02 -0800 Subject: [PATCH 1340/1479] Removed broker configs --- services/alert-stream-broker/values-idfint.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/services/alert-stream-broker/values-idfint.yaml b/services/alert-stream-broker/values-idfint.yaml index f95536a00a..4950d97edd 100644 --- a/services/alert-stream-broker/values-idfint.yaml +++ b/services/alert-stream-broker/values-idfint.yaml 
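Review bot: `certIssuerName: "letsencrypt-dns"` and `annotations: {}` are added without the `# --` helm-docs comment that every neighbouring key carries, which is why the regenerated README in this commit lists both with an empty description. Nothing in the templates changed here reads `kafka.externalListener.tls.certIssuerName`, so either it is consumed somewhere outside this diff (worth a comment saying where) or it is dead configuration. Suggested comments: `# -- Name of the ClusterIssuer that provisions the external listener's certificate (confirm which template consumes this)` and `# -- Annotations to add to the bootstrap load balancer service`. The `kafka:` mapping these keys sit under starts before the hunk.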
@@ -9,13 +9,6 @@ alert-stream-broker: bootstrap: ip: 35.224.176.103 host: alert-stream-int.lsst.cloud - brokers: - - ip: 35.239.64.164 - host: alert-stream-int-broker-0.lsst.cloud - - ip: 34.122.165.155 - host: alert-stream-int-broker-1.lsst.cloud - - ip: 35.238.120.127 - host: alert-stream-int-broker-2.lsst.cloud storage: size: 1500Gi From 1af3646a2975984d8f6b6963e7747eb993320258 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Wed, 23 Nov 2022 10:58:46 -0800 Subject: [PATCH 1341/1479] add strimzi-registry-operator to chart --- services/alert-stream-broker/Chart.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/alert-stream-broker/Chart.yaml b/services/alert-stream-broker/Chart.yaml index 88f46b2c94..a6042337fe 100644 --- a/services/alert-stream-broker/Chart.yaml +++ b/services/alert-stream-broker/Chart.yaml @@ -27,6 +27,10 @@ dependencies: - name: alert-database version: 2.1.0 + - name: strimzi-registry-operator + version: 2.1.0 + repository: https://lsst-sqre.github.io/charts/ + annotations: phalanx.lsst.io/docs: | - id: "DMTN-093" From bc88c4970451f245e1320a1709a9d332daf3c3c1 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Wed, 23 Nov 2022 11:23:15 -0800 Subject: [PATCH 1342/1479] values.yaml change --- services/alert-stream-broker/README.md | 6 ++++++ services/alert-stream-broker/values.yaml | 7 ++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index 2648fe3a72..d17200e56a 100644 --- a/services/alert-stream-broker/README.md +++ b/services/alert-stream-broker/README.md @@ -7,3 +7,9 @@ Alert transmission to community brokers * * +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| strimzi-registry-operator.clusterName | string | `"alert-broker"` | | +| strimzi-registry-operator.watchNamespace | string | `"alert-stream-broker"` | | 
diff --git a/services/alert-stream-broker/values.yaml b/services/alert-stream-broker/values.yaml index a12314beaa..3ce3e8b8db 100644 --- a/services/alert-stream-broker/values.yaml +++ b/services/alert-stream-broker/values.yaml @@ -1 +1,6 @@ -# This file intentionally blank - no customization needed +strimzi-registry-operator: + # Should match the cluster name used by the alert-stream-broker + clusterName: alert-broker + + # Should match the namespace where the alert-broker cluster runs + watchNamespace: alert-stream-broker From e105634fcaf6c897da389dba48bfe87cdf37f7f4 Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Wed, 23 Nov 2022 14:58:41 -0800 Subject: [PATCH 1343/1479] Edit strimzi-registry-operator values in values.yaml Temp deactivating simulator and database Add back the alert-database Add back the simulator --- services/alert-stream-broker/README.md | 1 + services/alert-stream-broker/values.yaml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index d17200e56a..8e0c22f653 100644 --- a/services/alert-stream-broker/README.md +++ b/services/alert-stream-broker/README.md @@ -12,4 +12,5 @@ Alert transmission to community brokers | Key | Type | Default | Description | |-----|------|---------|-------------| | strimzi-registry-operator.clusterName | string | `"alert-broker"` | | +| strimzi-registry-operator.operatorNamespace | string | `"alert-stream-broker"` | | | strimzi-registry-operator.watchNamespace | string | `"alert-stream-broker"` | | diff --git a/services/alert-stream-broker/values.yaml b/services/alert-stream-broker/values.yaml index 3ce3e8b8db..787942fa0c 100644 --- a/services/alert-stream-broker/values.yaml +++ b/services/alert-stream-broker/values.yaml 
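Review bot: `clusterName: alert-broker` and `watchNamespace: alert-stream-broker` are literals that the comments say must match the cluster and namespace used by the alert-stream-broker subchart, but nothing enforces that, and if they drift the registry operator silently watches the wrong cluster. Helm subcharts cannot read each other's values, so the usual remedy is a `global` value consumed by both charts, or at least naming the exact counterpart key in the comment (`cluster.name` in the alert-stream-broker subchart appears to be it, judging by the `{{ .Values.cluster.name }}-external-tls` reference elsewhere in this series), e.g. `# Must match alert-stream-broker's cluster.name`.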
@@ -1,6 +1,7 @@ strimzi-registry-operator: # Should match the cluster name used by the alert-stream-broker clusterName: alert-broker - # Should match the namespace where the alert-broker cluster runs watchNamespace: alert-stream-broker + + operatorNamespace: "alert-stream-broker" From f855d1ca536349d4926f545c2f0c15a4179235fe Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 25 Nov 2022 19:42:33 +0000 Subject: [PATCH 1344/1479] Update Helm release argo-cd to v5.14.2 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 8abc5118d1..c6f0ba59ed 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -8,5 +8,5 @@ sources: - https://github.com/argoproj/argo-helm dependencies: - name: argo-cd - version: 5.13.8 + version: 5.14.2 repository: https://argoproj.github.io/argo-helm From 3e067740528ef3071dd556b99057e48b38c80770 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 28 Nov 2022 16:55:57 +0000 Subject: [PATCH 1345/1479] Update Helm release vault-secrets-operator to v1.19.8 --- services/vault-secrets-operator/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vault-secrets-operator/Chart.yaml b/services/vault-secrets-operator/Chart.yaml index e6480cccea..b3b58dbfae 100644 --- a/services/vault-secrets-operator/Chart.yaml +++ b/services/vault-secrets-operator/Chart.yaml @@ -5,7 +5,7 @@ sources: - https://github.com/ricoberger/vault-secrets-operator dependencies: - name: vault-secrets-operator - version: 1.19.7 + version: 1.19.8 repository: https://ricoberger.github.io/helm-charts/ annotations: phalanx.lsst.io/docs: | From 473569e14cabca3538546fff2c5c4df275259113 Mon Sep 17 00:00:00 2001 
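Review bot: `operatorNamespace` is the only key in this mapping without a `#` comment and the only one quoted, and the hunk also drops the blank line that separated the two commented entries. Keep the three entries uniform: unquoted `operatorNamespace: alert-stream-broker` preceded by a comment such as `# Namespace the strimzi-registry-operator itself runs in` (confirm that meaning against the operator chart, which is not in this diff), with the blank line restored before `watchNamespace`.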
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 28 Nov 2022 17:19:04 +0000 Subject: [PATCH 1346/1479] Update Helm release redis to v17.3.11 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 258d03af9c..23fd1bfb33 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,7 +14,7 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.3.10 + version: 17.3.11 repository: https://charts.bitnami.com/bitnami annotations: diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index dabe3f34cd..765985e19d 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -12,7 +12,7 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.3.10 + version: 17.3.11 repository: https://charts.bitnami.com/bitnami annotations: From 78a794ab9842769d141a79eea7e3f78d361f7d1c Mon Sep 17 00:00:00 2001 From: Tiago Ribeiro Date: Mon, 28 Nov 2022 14:07:27 -0700 Subject: [PATCH 1347/1479] Update chachemachine deployment for TTS to cycle 28. --- services/cachemachine/values-tucson-teststand.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/cachemachine/values-tucson-teststand.yaml b/services/cachemachine/values-tucson-teststand.yaml index ebcc0a57c9..3e5b2797b5 100644 --- a/services/cachemachine/values-tucson-teststand.yaml +++ b/services/cachemachine/values-tucson-teststand.yaml @@ -8,11 +8,11 @@ autostart: "type": "RubinRepoMan", "registry_url": "ts-dockerhub.lsst.org", "repo": "sal-sciplat-lab", - "recommended_tag": "recommended_c0027", + "recommended_tag": "recommended_c0028", "num_releases": 1, "num_weeklies": 3, "num_dailies": 2, - "cycle": 27, + "cycle": 28, "alias_tags": [ "latest", "latest_daily", 
From 7f28eacdbea443689377956022b4df368b609b28 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 16 Nov 2022 14:21:48 -0800 Subject: [PATCH 1348/1479] Update to Gafaelfawr 7.1.0 Update the Gafaelfawr custom resource definitions to the latest versions from that release. This adds GafaelfawrIngress and re-adds schema validation for a part of the status portion of a GafaelfawrServiceToken. --- services/gafaelfawr/Chart.yaml | 3 +- services/gafaelfawr/crds/ingress.yaml | 320 ++++++++++++++++++ services/gafaelfawr/crds/service-token.yaml | 139 +++++++- .../templates/serviceaccount-tokens.yaml | 9 +- 4 files changed, 459 insertions(+), 12 deletions(-) create mode 100644 services/gafaelfawr/crds/ingress.yaml diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 2502b6413f..946674b909 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,7 +5,8 @@ description: Authentication and identity system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 7.0.0 +appVersion: 7.1.0 + annotations: phalanx.lsst.io/docs: | - id: "DMTN-234" diff --git a/services/gafaelfawr/crds/ingress.yaml b/services/gafaelfawr/crds/ingress.yaml new file mode 100644 index 0000000000..29a4f3c7fd --- /dev/null +++ b/services/gafaelfawr/crds/ingress.yaml 
@@ -0,0 +1,320 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: gafaelfawringresses.gafaelfawr.lsst.io + labels: + app.kubernetes.io/name: gafaelfawr.lsst.io + app.kubernetes.io/part-of: gafaelfawr + annotations: + helm.sh/hook: crd-install +spec: + group: gafaelfawr.lsst.io + scope: Namespaced + names: + plural: gafaelfawringresses + singular: gafaelfawringress + kind: GafaelfawrIngress + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - description: "If the ingress was created successfully" + jsonPath: .status.create.status + name: "Succeeded" + type: string + - description: "Reason for the current status" + jsonPath: .status.create.reason + name: "Reason" + type: string + - description: "More information about the current status" + jsonPath: .status.create.message + name: "Message" + type: string + - description: "Time when the condition was last updated" + jsonPath: .status.create.lastTransitionTime + name: "Last Transition" + type: date + - description: "Time when the GafaelfawrIngress was created" + jsonPath: .metadata.creationTimestamp + name: "Age" + type: date + subresources: + status: {} + schema: + openAPIV3Schema: + description: >- + GafaelfawrIngress defines the parameters used to create an Ingress + resource. + type: object + required: + - config + - template + properties: + config: + type: object + description: "Configuration for the ingress to create." + required: + - baseUrl + properties: + baseUrl: + type: string + description: "Base URL for Gafaelfawr APIs." + pattern: "^https://[a-z.-]+" + scopes: + type: object + description: >- + The token scope or scopes required to access this + service. May be omitted if the service allows + anonymous access. + properties: + any: + type: array + description: >- + Access is granted if any of the listed scopes are + present. 
+ items: + type: string + all: + type: array + description: >- + Access is granted if all of the listed scopes are + present. + items: + type: string + oneOf: + - required: + - any + - required: + - all + authType: + type: string + enum: + - basic + - bearer + description: >- + Controls the authentication type in the challenge + returned in the `WWW-Authenticate` header if the user + is not authenticated. By default, this is `bearer`. + loginRedirect: + type: boolean + description: >- + Whether to redirect to the login flow if the user is + not currently authenticated. + replace403: + type: boolean + description: >- + Whether to replace 403 responses with a custom 403 + response from Gafaelfawr that disables caching and + includes authorization-related errors in the + `WWW-Authenticate` header. + delegate: + type: object + description: >- + Create a (or reuse a cached) delegated token and + include it in the request to the backend service. + properties: + internal: + type: object + description: >- + Delegate an internal token to this service. + required: + - scopes + - service + properties: + scopes: + type: array + description: >- + Scopes to include in the delegated token if + they are available. These scopes are not + required to access the service; to make them + required, include them in spec.scopes as well. + items: + type: string + service: + type: string + description: >- + Name of the service to which the token is + delegated. + notebook: + type: object + description: >- + Delegate a notebook token to this service. + minimumLifetime: + type: integer + description: >- + Minimum lifetime of delegated token in seconds. If + the user's token has less than that time + remaining, force them to reauthenticate. + oneOf: + - required: + - internal + - required: + - notebook + template: + type: object + description: "The template used to create the ingress." 
+ required: + - metadata + - spec + properties: + metadata: + type: object + description: "Metadata attributes for the generated ingress." + properties: + annotations: + type: object + description: >- + Annotations to apply to the generated ingress. These + will be merged with the annotations required by + Gafaelfawr. If there is a conflict, the + Gafaelfawr-generated annotations will override the + ones provided in this field. + additionalProperties: + type: string + labels: + type: object + description: "Labels to apply to the generated ingress." + additionalProperties: + type: string + name: + type: string + description: "Name of the generated ingress" + spec: + type: object + description: "Spec for the generated ingress." + required: + - rules + properties: + rules: + type: array + description: >- + Host rules for the generated ingress. See the schema + for the regular Ingress resource for descriptions of + the individual fields. + items: + type: object + properties: + host: + type: string + http: + type: object + required: + - paths + properties: + paths: + type: array + items: + type: object + required: + - path + - pathType + - backend + properties: + path: + type: string + pathType: + type: string + enum: + - Exact + - ImplementationSpecific + - Prefix + backend: + type: object + properties: + service: + type: object + properties: + name: + type: string + port: + type: object + properties: + number: + type: integer + name: + type: string + tls: + type: array + description: >- + TLS configuration if one should be added to this + generated ingress. See the schema for the regular + Ingress resource for descriptions of the individual + fields. + items: + type: object + properties: + hosts: + type: array + items: + type: string + secretName: + type: string + status: + type: object + description: >- + The current state of the GafaelfawrIngress, its processing by + Gafaelfawr, and its child resources. 
+ x-kubernetes-preserve-unknown-fields: true + properties: + create: + type: object + description: >- + Status of processing of the last creation or update of the + GafaelfawrIngress object. + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + type: string + format: date-time + description: > + The last time the child Ingress status changed. + message: + type: string + description: > + A human readable message indicating details about the + transition. This may be an empty string. + maxLength: 32768 + observedGeneration: + description: > + The .metadata.generation that the condition was set + based upon. For instance, if .metadata.generation is + currently 12, but the + .status.create.observedGeneration is 9, the condition + is out of date with respect to the current state of + the instance. + format: int64 + minimum: 0 + type: integer + reason: + type: string + description: > + A programmatic identifier indicating the reason for + the condition's last transition. Producers of specific + condition types may define expected values and + meanings for this field, and whether the values are + considered a guaranteed API. The value should be a + CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + status: + type: string + description: > + Status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - "Unknown" + type: + type: string + description: > + Type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" diff --git a/services/gafaelfawr/crds/service-token.yaml b/services/gafaelfawr/crds/service-token.yaml index cc60081d11..a795609663 100644 --- a/services/gafaelfawr/crds/service-token.yaml +++ b/services/gafaelfawr/crds/service-token.yaml 
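Review bot: `config.scopes` is optional in the new GafaelfawrIngress schema (only `baseUrl` is in `required`), so an author who forgets it gets an ingress that permits anonymous access instead of a validation error, which is a fail-open default for an authorization resource. If anonymous access is meant to be a deliberate choice, requiring `scopes` and expressing anonymity through an explicit field would make omission rejected by the API server; since the commit message says these CRDs are copied from the Gafaelfawr release, that change belongs upstream rather than in this chart. Separately, `helm.sh/hook: crd-install` in the metadata is a Helm 2 hook that Helm 3 does not process for files under `crds/`, so it is dead metadata here and a one-line comment saying so would stop readers from relying on it.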
@@ -24,23 +24,19 @@ spec: name: "Service" type: string - description: "If the secret was created/updated successfully" - jsonPath: >- - .status.conditions[?(@.type=="SecretCreated")].status + jsonPath: .status.create.status name: "Succeeded" type: string - description: "Reason for the current status" - jsonPath: >- - .status.conditions[?(@.type=="SecretCreated")].reason + jsonPath: .status.create.reason name: "Reason" type: string - description: "More information about the current status" - jsonPath: >- - .status.conditions[?(@.type=="SecretCreated")].message + jsonPath: .status.create.message name: "Message" type: string - description: "Time when the condition was last updated" - jsonPath: >- - .status.conditions[?(@.type=="SecretCreated")].lastTransitionTime + jsonPath: .status.create.lastTransitionTime name: "Last Transition" type: date - description: "Time when the GafaelfawrServiceToken was created" 
@@ -74,6 +70,129 @@ spec: status: type: object description: >- - GafaelfawrServiceTokenStatus defines the observed state of the - GafaelfawrServiceToken. + The observed state of the GafaelfawrServiceToken. x-kubernetes-preserve-unknown-fields: true + properties: + create: + type: object + description: >- + Status of processing of the last creation or update of the + GafaelfawrServiceToken object. + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + type: string + format: date-time + description: > + The last time the child Secret status changed. + message: + type: string + description: > + A human readable message indicating details about the + transition. This may be an empty string. + maxLength: 32768 + observedGeneration: + description: > + The .metadata.generation that the condition was set + based upon. For instance, if .metadata.generation is + currently 12, but the + .status.create.observedGeneration is 9, the condition + is out of date with respect to the current state of + the instance. + format: int64 + minimum: 0 + type: integer + reason: + type: string + description: > + A programmatic identifier indicating the reason for + the condition's last transition. Producers of specific + condition types may define expected values and + meanings for this field, and whether the values are + considered a guaranteed API. The value should be a + CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + status: + type: string + description: > + Status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - "Unknown" + type: + type: string + description: > + Type of condition in CamelCase or in + foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + periodic: + type: object + description: >- + Status of the last periodic validation of the Secret for + this GafaelfawrServiceToken object. + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + type: string + format: date-time + description: > + The last time the child Secret status changed due to a + periodic revalidation. + message: + type: string + description: > + A human readable message indicating details about the + transition. This may be an empty string. + maxLength: 32768 + observedGeneration: + description: > + The .metadata.generation that the condition was set + based upon. For instance, if .metadata.generation is + currently 12, but the + .status.create.observedGeneration is 9, the condition + is out of date with respect to the current state of + the instance. + format: int64 + minimum: 0 + type: integer + reason: + type: string + description: > + A programmatic identifier indicating the reason for + the condition's last transition. Producers of specific + condition types may define expected values and + meanings for this field, and whether the values are + considered a guaranteed API. The value should be a + CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + status: + type: string + description: > + Status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - "Unknown" + type: + type: string + description: > + Type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" 
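Review bot: In the new `periodic` status block the `observedGeneration` description still refers to `.status.create.observedGeneration`, copied from the `create` block above; it should read `.status.periodic.observedGeneration` so the example matches the field it documents. Note also that `status` keeps `x-kubernetes-preserve-unknown-fields: true`, so the added schema validates the listed fields but does not reject unknown ones; that is reasonable for an operator-written status, but a one-line comment such as `# Unknown fields are preserved on purpose; the operator owns this subtree.` would stop readers from expecting strict validation.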
diff --git a/services/gafaelfawr/templates/serviceaccount-tokens.yaml b/services/gafaelfawr/templates/serviceaccount-tokens.yaml index 65edd355f2..6e3b79f2dc 100644 --- a/services/gafaelfawr/templates/serviceaccount-tokens.yaml +++ b/services/gafaelfawr/templates/serviceaccount-tokens.yaml @@ -28,8 +28,15 @@ rules: - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["create", "get", "patch", "update"] - apiGroups: ["gafaelfawr.lsst.io"] - resources: ["gafaelfawrservicetokens", "gafaelfawrservicetokens/status"] + resources: + - "gafaelfawringresses" + - "gafaelfawringresses/status" + - "gafaelfawrservicetokens" + - "gafaelfawrservicetokens/status" verbs: ["get", "list", "patch", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 From 11fd2ac06477ce27e5d2c2be8dd178f37b24ff1c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 16 Nov 2022 15:14:09 -0800 Subject: [PATCH 1349/1479] Convert Portal ingresses to GafaelfawrIngress Rewrite the ingress resources for the Portal to use the new custom resource definition. Stop making the scopes configurable; we don't want to offer this degree of freedom to other installations since we document the scopes required to access various services in multiple places. --- services/portal/README.md | 2 - services/portal/templates/deployment.yaml | 2 - services/portal/templates/ingress-admin.yaml | 84 +++++++++--------- services/portal/templates/ingress.yaml | 90 +++++++++++--------- services/portal/values.yaml | 6 -- 5 files changed, 92 insertions(+), 92 deletions(-) diff --git a/services/portal/README.md b/services/portal/README.md index 219c7301d1..f6c1bbaa21 100644 --- a/services/portal/README.md +++ b/services/portal/README.md 
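Review bot: The new `networking.k8s.io` rule gives the operator cluster-wide `create`/`patch`/`update` on Ingresses, so anyone who may create a GafaelfawrIngress in any namespace can have the operator mint an Ingress there, including pass-through nginx annotations such as `configuration-snippet` from the CRD's template. If GafaelfawrIngress creation is ever delegated more widely than Ingress creation, that becomes a confused-deputy path; a comment recording the assumption would help: `# Whoever may create GafaelfawrIngress effectively gets Ingress creation via the operator; keep those RBAC grants aligned.` `delete`, `list` and `watch` are deliberately absent, so cleanup of child Ingresses presumably relies on owner references and garbage collection; worth confirming the operator sets them.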
@@ -28,8 +28,6 @@ Rubin Science Platform Portal Aspect | image.repository | string | `"ipac/suit"` | Portal image to use | | image.tag | string | The appVersion of the chart | Tag of Portal image to use | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | -| ingress.gafaelfawrAdminAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string for the admin API | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=portal&delegate_scope=read:image,read:tap"` | Gafaelfawr auth query string | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Portal pod | | podAnnotations | object | `{}` | Annotations for the Portal pod | diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index 395c47bf0e..2585616ac6 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml @@ -33,10 +33,8 @@ spec: secretKeyRef: name: {{ include "portal.fullname" . }}-secret key: "ADMIN_PASSWORD" - {{- if .Values.ingress.gafaelfawrAdminAuthQuery }} - name: "USE_ADMIN_AUTH" value: "false" - {{- end }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: diff --git a/services/portal/templates/ingress-admin.yaml b/services/portal/templates/ingress-admin.yaml index b11c39cade..2a107ab1f5 100644 --- a/services/portal/templates/ingress-admin.yaml +++ b/services/portal/templates/ingress-admin.yaml 
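Review bot: `USE_ADMIN_AUTH` is now unconditionally `"false"` in the deployment, so the Portal's built-in admin authentication is always off and the admin API is protected only by the `exec:admin` scope on the GafaelfawrIngress in `ingress-admin.yaml`. That coupling deserves a comment next to the env var, e.g. `# Portal's own admin auth is disabled; /portal/app/admin is guarded by the exec:admin GafaelfawrIngress instead.`, so a later edit of the admin ingress does not silently expose the admin API. The container spec continues outside the hunk.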
@@ -1,45 +1,47 @@ -{{- if .Values.ingress.gafaelfawrAdminAuthQuery -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ include "portal.fullname" . }}-admin labels: {{- include "portal.labels" . | nindent 4 }} - annotations: - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/affinity: "cookie" - nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0m" - nginx.ingress.kubernetes.io/proxy-buffer-size: "24k" - nginx.ingress.kubernetes.io/client-header-buffer-size: "24k" - nginx.ingress.kubernetes.io/rewrite-target: "/suit/admin$1$2" - nginx.ingress.kubernetes.io/proxy-redirect-from: "/suit/" - nginx.ingress.kubernetes.io/proxy-redirect-to: "/portal/app/" - nginx.ingress.kubernetes.io/proxy-cookie-path: "/suit /portal/app" - nginx.ingress.kubernetes.io/session-cookie-path: "/portal/app" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAdminAuthQuery }}" - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/portal/app/admin(/|$)(.*)" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ include "portal.fullname" . 
}} - port: - number: 8080 -{{- end }} +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "exec:admin" + loginRedirect: true +template: + metadata: + name: {{ include "portal.fullname" . }}-admin + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/affinity: "cookie" + nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0m" + nginx.ingress.kubernetes.io/proxy-buffer-size: "24k" + nginx.ingress.kubernetes.io/client-header-buffer-size: "24k" + nginx.ingress.kubernetes.io/rewrite-target: "/suit$1" + nginx.ingress.kubernetes.io/proxy-redirect-from: "/suit/" + nginx.ingress.kubernetes.io/proxy-redirect-to: "/portal/app/" + nginx.ingress.kubernetes.io/proxy-cookie-path: "/suit /portal/app" + nginx.ingress.kubernetes.io/session-cookie-path: "/portal/app" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Forwarded-Path /portal/app; + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/portal/app(/admin.*)" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ include "portal.fullname" . }} + port: + number: 8080 diff --git a/services/portal/templates/ingress.yaml b/services/portal/templates/ingress.yaml index 8a98080a7f..547fa5b484 100644 --- a/services/portal/templates/ingress.yaml +++ b/services/portal/templates/ingress.yaml 
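Review bot: The admin path regex changed from `/portal/app/admin(/|$)(.*)` to `/portal/app(/admin.*)`, which with the `/suit$1` rewrite also captures `/portal/app/admin-foo` or `/portal/app/administrator`; that is stricter rather than weaker, but it means the admin API stays behind `exec:admin` only because this Ingress wins over the catch-all `/portal/app(/|$)(.*)` path in `ingress.yaml`. With two separate Ingress objects on the same host that ordering is decided by the controller (ingress-nginx orders regex locations by path length, as far as I recall), not by anything in this file. A comment above `path:` should state the dependency: `# Must take precedence over the catch-all /portal/app path in ingress.yaml so the admin API always requires exec:admin.`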
@@ -1,45 +1,53 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ include "portal.fullname" . }} labels: {{- include "portal.labels" . | nindent 4 }} - annotations: - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/affinity: "cookie" - nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0m" - nginx.ingress.kubernetes.io/proxy-buffer-size: "24k" - nginx.ingress.kubernetes.io/client-header-buffer-size: "24k" - nginx.ingress.kubernetes.io/rewrite-target: "/suit$1$2" - nginx.ingress.kubernetes.io/proxy-redirect-from: "/suit/" - nginx.ingress.kubernetes.io/proxy-redirect-to: "/portal/app/" - nginx.ingress.kubernetes.io/proxy-cookie-path: "/suit /portal/app" - nginx.ingress.kubernetes.io/session-cookie-path: "/portal/app" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Forwarded-Path /portal/app; - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/portal/app(/|$)(.*)" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ include "portal.fullname" . 
}} - port: - number: 8080 +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "exec:portal" + loginRedirect: true + delegate: + internal: + service: "portal" + scopes: + - "read:image" + - "read:tap" +template: + metadata: + name: {{ include "portal.fullname" . }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/affinity: "cookie" + nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0m" + nginx.ingress.kubernetes.io/proxy-buffer-size: "24k" + nginx.ingress.kubernetes.io/client-header-buffer-size: "24k" + nginx.ingress.kubernetes.io/rewrite-target: "/suit$1$2" + nginx.ingress.kubernetes.io/proxy-redirect-from: "/suit/" + nginx.ingress.kubernetes.io/proxy-redirect-to: "/portal/app/" + nginx.ingress.kubernetes.io/proxy-cookie-path: "/suit /portal/app" + nginx.ingress.kubernetes.io/session-cookie-path: "/portal/app" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Forwarded-Path /portal/app; + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/portal/app(/|$)(.*)" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ include "portal.fullname" . }} + port: + number: 8080 diff --git a/services/portal/values.yaml b/services/portal/values.yaml index f3c255f221..0883ebd561 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml 
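Review bot: The removed annotations forwarded `X-Auth-Request-Token` to the backend, while in the new resource the delegated token is requested through `delegate.internal` and the set of headers that reach the Portal is now chosen by the operator rather than visible here; presumably it adds the token header whenever `delegate` is set, but that is worth confirming against the Gafaelfawr ingress documentation. Since the commit intentionally removes the ability to change scopes, a comment saying so would keep the next reader from reintroducing a value: `# Scopes are intentionally fixed here (see DMTN-235); do not make them configurable.`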
@@ -21,12 +21,6 @@ image: tag: "" ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:image,read:tap" - - # -- Gafaelfawr auth query string for the admin API - gafaelfawrAdminAuthQuery: "scope=exec:admin" - # -- Additional annotations to add to the ingress annotations: {} From c683eede9f38c7e0878b0e7f14116c7d4ad7e33b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 16 Nov 2022 17:05:33 -0800 Subject: [PATCH 1350/1479] Rename gafaelfawr-tokens to gafaelfawr-operator This is now a general Kubernetes operator that does more than one thing, so use a more appropriate name. --- services/gafaelfawr/README.md | 10 +++++----- .../templates/cloudsql-networkpolicy.yaml | 2 +- ...t-tokens.yaml => deployment-operator.yaml} | 20 +++++++++---------- ...kens.yaml => serviceaccount-operator.yaml} | 10 +++++----- services/gafaelfawr/values.yaml | 4 ++-- 5 files changed, 23 insertions(+), 23 deletions(-) rename services/gafaelfawr/templates/{deployment-tokens.yaml => deployment-operator.yaml} (82%) rename services/gafaelfawr/templates/{serviceaccount-tokens.yaml => serviceaccount-operator.yaml} (84%) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index a5e008a459..f292d33e3c 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -84,6 +84,11 @@ Authentication and identity system | maintenance.tolerations | list | `[]` | Tolerations for Gafaelfawr maintenance and audit pods | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Gafaelfawr frontend pod | +| operator.affinity | object | `{}` | Affinity rules for the token management pod | +| operator.nodeSelector | object | `{}` | Node selection rules for the token management pod | +| operator.podAnnotations | object | `{}` | Annotations for the token management pod | +| operator.resources | object | `{}` | Resource limits and requests for the Gafaelfawr Kubernetes operator | +| operator.tolerations | list | `[]` | Tolerations for the token management pod | | podAnnotations | object | `{}` | Annotations for the Gafaelfawr frontend pod | | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | @@ -99,9 +104,4 @@ Authentication and identity system | redis.tolerations | list | `[]` | Tolerations for the Redis pod | | replicaCount | int | `1` | Number of web frontend pods to start | | resources | object | `{}` | Resource limits and requests for the Gafaelfawr frontend pod | -| tokens.affinity | object | `{}` | Affinity rules for the token management pod | -| tokens.nodeSelector | object | `{}` | Node selection rules for the token management pod | -| tokens.podAnnotations | object | `{}` | Annotations for the token management pod | -| tokens.resources | object | `{}` | Resource limits and requests for the Gafaelfawr token management pod | -| tokens.tolerations | list | `[]` | Tolerations for the token management pod | | tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod | diff --git a/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml b/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml index 492e2a039b..27d59bad79 100644 
--- a/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml +++ b/services/gafaelfawr/templates/cloudsql-networkpolicy.yaml @@ -29,7 +29,7 @@ spec: - podSelector: matchLabels: {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} - app.kubernetes.io/component: "tokens" + app.kubernetes.io/component: "operator" ports: - protocol: "TCP" port: 5432 diff --git a/services/gafaelfawr/templates/deployment-tokens.yaml b/services/gafaelfawr/templates/deployment-operator.yaml similarity index 82% rename from services/gafaelfawr/templates/deployment-tokens.yaml rename to services/gafaelfawr/templates/deployment-operator.yaml index 216c305bea..19d44aa96c 100644 --- a/services/gafaelfawr/templates/deployment-tokens.yaml +++ b/services/gafaelfawr/templates/deployment-operator.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "gafaelfawr.fullname" . }}-tokens + name: {{ template "gafaelfawr.fullname" . }}-operator labels: {{- include "gafaelfawr.labels" . | nindent 4 }} spec: @@ -9,21 +9,21 @@ spec: selector: matchLabels: {{- include "gafaelfawr.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "tokens" + app.kubernetes.io/component: "operator" template: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- with .Values.tokens.podAnnotations }} + {{- with .Values.operator.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: {{- include "gafaelfawr.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: "tokens" + app.kubernetes.io/component: "operator" spec: - serviceAccountName: {{ include "gafaelfawr.fullname" . }}-tokens + serviceAccountName: {{ include "gafaelfawr.fullname" . }}-operator containers: - - name: "gafaelfawr-tokens" + - name: "gafaelfawr" command: - "kopf" - "run" 
@@ -33,7 +33,7 @@ spec: - "gafaelfawr.operator" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- with .Values.tokens.resources }} + {{- with .Values.operator.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} @@ -61,15 +61,15 @@ spec: - name: "secret" secret: secretName: {{ template "gafaelfawr.fullname" . }}-secret - {{- with .Values.tokens.nodeSelector }} + {{- with .Values.operator.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tokens.affinity }} + {{- with .Values.operator.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tokens.tolerations }} + {{- with .Values.operator.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/services/gafaelfawr/templates/serviceaccount-tokens.yaml b/services/gafaelfawr/templates/serviceaccount-operator.yaml similarity index 84% rename from services/gafaelfawr/templates/serviceaccount-tokens.yaml rename to services/gafaelfawr/templates/serviceaccount-operator.yaml index 6e3b79f2dc..e1c96b4e47 100644 --- a/services/gafaelfawr/templates/serviceaccount-tokens.yaml +++ b/services/gafaelfawr/templates/serviceaccount-operator.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "gafaelfawr.fullname" . }}-tokens + name: {{ include "gafaelfawr.fullname" . }}-operator labels: {{- include "gafaelfawr.labels" . | nindent 4 }} annotations: @@ -12,7 +12,7 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "gafaelfawr.fullname" . }}-tokens + name: {{ include "gafaelfawr.fullname" . }}-operator labels: {{- include "gafaelfawr.labels" . | nindent 4 }} rules: 
@@ -42,14 +42,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "gafaelfawr.fullname" . }}-tokens + name: {{ include "gafaelfawr.fullname" . }}-operator labels: {{- include "gafaelfawr.labels" . | nindent 4 }} subjects: - kind: ServiceAccount - name: {{ include "gafaelfawr.fullname" . }}-tokens + name: {{ include "gafaelfawr.fullname" . }}-operator namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "gafaelfawr.fullname" . }}-tokens + name: {{ include "gafaelfawr.fullname" . }}-operator diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index a1862197e7..998d6f2e9a 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -308,8 +308,8 @@ maintenance: # -- Affinity rules for Gafaelfawr maintenance and audit pods affinity: {} -tokens: - # -- Resource limits and requests for the Gafaelfawr token management pod +operator: + # -- Resource limits and requests for the Gafaelfawr Kubernetes operator resources: {} # -- Annotations for the token management pod From 0d6c6bca84531c91a53f102cb3b5f683767bca09 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 29 Nov 2022 08:09:56 -0800 Subject: [PATCH 1351/1479] Add comments to the Gafaelfawr CRDs Add comments to the start of the Gafaelfawr custom resource definitions pointing to the Gafaelfawr repository as their canonical location. --- services/gafaelfawr/crds/ingress.yaml | 2 ++ services/gafaelfawr/crds/service-token.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/services/gafaelfawr/crds/ingress.yaml b/services/gafaelfawr/crds/ingress.yaml index 29a4f3c7fd..da8e858a57 100644 --- a/services/gafaelfawr/crds/ingress.yaml +++ b/services/gafaelfawr/crds/ingress.yaml 
@@ -1,3 +1,5 @@ +# The canonical version of this file is in the Gafaelfawr repository: +# https://github.com/lsst-sqre/gafaelfawr/blob/main/crds/ingress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: diff --git a/services/gafaelfawr/crds/service-token.yaml b/services/gafaelfawr/crds/service-token.yaml index a795609663..810904def7 100644 --- a/services/gafaelfawr/crds/service-token.yaml +++ b/services/gafaelfawr/crds/service-token.yaml @@ -1,3 +1,5 @@ +# The canonical version of this file is in the Gafaelfawr repository: +# https://github.com/lsst-sqre/gafaelfawr/blob/main/crds/service-token.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: From b47bcda2c749ce411e09674cf73209edc63d9dcc Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 29 Nov 2022 09:51:43 -0800 Subject: [PATCH 1352/1479] Update Gafaelfawr documentation and starter Update the developer documentation and web-service starter to use GafaelfawrIngress instead of a regular Ingress, and move more things into the template and out of values.yaml, following the pattern used with newer services where we try to avoid configuration for things that should never change. --- docs/developers/add-application.rst | 19 +++----- docs/developers/local-development.rst | 2 +- starters/web-service/README.md | 2 - starters/web-service/templates/ingress.yaml | 49 +++++++++++---------- starters/web-service/values.yaml | 9 ---- 5 files changed, 33 insertions(+), 48 deletions(-) diff --git a/docs/developers/add-application.rst b/docs/developers/add-application.rst index b513c92107..0910709388 100644 --- a/docs/developers/add-application.rst +++ b/docs/developers/add-application.rst 
@@ -13,10 +13,10 @@ Currently, all applications use Helm charts. .. note:: - Kustomize is theoretically supported but has not been used to date in the `phalanx repository`_, and therefore isn't recommended. + Kustomize is theoretically supported but has not been used to date in the `Phalanx repository`_, and therefore isn't recommended. There does not yet exist a SQuaRE-produced a template for the Helm chart; rather, we use the built-in Helm starter template. -Use ``helm create`` to create a new chart from that template. +Use ``helm create -p starters/web-service`` to create a new chart from that template. **Be sure you are using Helm v3.** Helm v2 is not supported. 
@@ -28,17 +28,10 @@ You will need to make at least the following changes to the default Helm chart t See :doc:`add-a-onepassword-secret` for more information about secrets. - Application providing a web API should be protected by Gafaelfawr and require an appropriate scope. - This normally means adding annotations to the ``Ingress`` resource via ``values.yaml`` similar to: + This is set up for you by the template using a ``GafaelfawrIngress`` resource in ``templates/ingress.yaml``, but you will need to customize the scope required for access, and may need to add additional configuration. + You will also need to customize the path under which your application should be served. - .. code-block:: yaml - - ingress: - annotations: - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:admin" - - For user-facing applications you will want a scope other than ``exec:admin``. - See `the Gafaelfawr's documentation on Ingress configurations `__ for more information. + See `the Gafaelfawr's documentation on Ingress configurations `__ for more information, and see :dmtn:`235` for a guide to what scopes to use to protect the application. - If your application exposes Prometheus endpoints, you will want to configure these in the `telegraf application's prometheus_config `__. @@ -58,7 +51,7 @@ Examples Existing Helm charts that are good examples to read or copy are: -- `cachemachine `__ (fairly simple) +- `hips `__ (fairly simple) - `mobu `__ (also simple) - `gafaelfawr `__ (complex, including CRDs and multiple pods) diff --git a/docs/developers/local-development.rst b/docs/developers/local-development.rst index 3280db4a39..ae05cd59e5 100644 --- a/docs/developers/local-development.rst +++ b/docs/developers/local-development.rst @@ -52,7 +52,7 @@ Requirements #. Install `Helm 3 `__. -#. Install `Vault `__. +#. Install `Vault `__. #. Clone the `Phalanx repository`_. 
diff --git a/starters/web-service/README.md b/starters/web-service/README.md index 70a73524a9..6e0e4b91e0 100644 --- a/starters/web-service/README.md +++ b/starters/web-service/README.md @@ -20,8 +20,6 @@ Helm starter chart for a new RSP service. | image.repository | string | `"ghcr.io/lsst-sqre/"` | Image to use in the deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| ingress.gafaelfawrAuthQuery | string | Unauthenticated | Gafaelfawr auth query string | -| ingress.path | string | `"/"` | Path at which to serve the service | | nodeSelector | object | `{}` | Node selection rules for the deployment pod | | podAnnotations | object | `{}` | Annotations for the deployment pod | | replicaCount | int | `1` | Number of web deployment pods to start | diff --git a/starters/web-service/templates/ingress.yaml b/starters/web-service/templates/ingress.yaml index 9ac6fb2568..eacb451a7e 100644 --- a/starters/web-service/templates/ingress.yaml +++ b/starters/web-service/templates/ingress.yaml 
@@ -1,29 +1,32 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: "" labels: {{- include ".labels" . | nindent 4 }} - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "read:image" + loginRedirect: true +template: + metadata: + name: "" {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: {{ .Values.ingress.path | quote }} - pathType: "Prefix" - backend: - service: - name: "" - port: - number: 8080 + spec: + ingressClassName: "nginx" + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/" + pathType: "Prefix" + backend: + service: + name: "" + port: + number: 8080 diff --git a/starters/web-service/values.yaml b/starters/web-service/values.yaml index ec7d02fa6f..61c5171ce3 100644 --- a/starters/web-service/values.yaml +++ b/starters/web-service/values.yaml @@ -16,15 +16,6 @@ image: tag: "" ingress: - # -- Gafaelfawr auth query string - # @default -- Unauthenticated - gafaelfawrAuthQuery: "" - # gafaelfawrAuthQuery: "scope=read:image" - # gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=portal&delegate_scope=read:tap" - - # -- Path at which to serve the service - path: "/" - # -- Additional annotations for the ingress rule annotations: {} 
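Review bot: `template.spec.ingressClassName: "nginx"` is placed inside the GafaelfawrIngress template, but the CRD's `template.spec` schema earlier in this series declares only `rules` and `tls` with no preserve-unknown-fields visible, so the apiserver will prune the field unless the operator sets the class itself; the Portal templates in this same series omit it. Either drop the line to match the Portal charts or extend the CRD schema, and if it is kept a comment should say why. The `read:image` default and the empty `name: ""` placeholders are expected for a starter, but a `# TODO: set the scope your service requires (see DMTN-235)` next to `scopes:` would point new authors at the right place.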
From 9aff2926323df988d76e937fb6248c6ef50c7746 Mon Sep 17 00:00:00 2001 From: Adam Thornton Date: Wed, 30 Nov 2022 12:33:18 -0700 Subject: [PATCH 1353/1479] Add admin:jupyterlab mapping to Gafaelfawr --- services/gafaelfawr/values-idfdev.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 00bbb649cf..45a724911d 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -31,6 +31,8 @@ config: enabled: true groupMapping: + "admin:jupyterlab": + - "g_science-platform-idf-dev" "admin:provision": - "g_science-platform-idf-dev" "exec:admin": From aab97150deca255e7a17f5f9b59a2fb0f38c8d80 Mon Sep 17 00:00:00 2001 From: Adam Thornton Date: Wed, 30 Nov 2022 12:53:47 -0700 Subject: [PATCH 1354/1479] Add admin:jupyterlab to known_scopes --- services/gafaelfawr/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 998d6f2e9a..92593233c3 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -215,6 +215,8 @@ config: # creating a new token. See [DMTN-235](https://dmtn-235.lsst.io/). # @default -- See the `values.yaml` file knownScopes: + "admin:jupyterlab": >- + Can create and destroy labs for any user "admin:token": >- Can create and modify tokens for any user "admin:provision": >- From 2bc83ba7f05f07c8bec6e776bf792a3aa6a49db8 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 11 Nov 2022 15:34:15 -0800 Subject: [PATCH 1355/1479] Switch IDF int to CILogon Add the COmanage configuration and change the authorization groups. --- services/gafaelfawr/values-idfint.yaml | 108 +++++++++---------------- 1 file changed, 36 insertions(+), 72 deletions(-) diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index 19f3786514..6a02fdcbf7 100644 --- a/services/gafaelfawr/values-idfint.yaml 
+++ b/services/gafaelfawr/values-idfint.yaml @@ -6,8 +6,24 @@ redis: config: slackAlerts: true - github: - clientId: "0c4cc7eaffc0f89b9ace" + cilogon: + clientId: "cilogon:/client_id/6b3f86ecfe74f14afa81b73a76be0868" + enrollmentUrl: "https://id-int.lsst.cloud/registry/co_petitions/start/coef:10" + test: true + usernameClaim: "username" + + firestore: + project: "rsp-firestore-int-7bfb" + + ldap: + url: "ldaps://ldap-test.cilogon.org" + userDn: "uid=readonly_user,ou=system,o=LSST,o=CO,dc=lsst,dc=org" + groupBaseDn: "ou=groups,o=LSST,o=CO,dc=lsst,dc=org" + groupObjectClass: "eduMember" + groupMemberAttr: "hasMember" + userBaseDn: "ou=people,o=LSST,o=CO,dc=lsst,dc=org" + userSearchAttr: "voPersonApplicationUID" + addUserGroup: true # Support OpenID Connect clients like Chronograf. oidcServer: 
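Review bot: `cilogon.test: true` together with `ldaps://ldap-test.cilogon.org` points this environment at CILogon's test instance and test directory, while the rest of the file is configured like production (Cloud SQL, Firestore), so a comment should make that explicit to stop it being copied into a prod values file: `# int uses the CILogon *test* instance; the LDAP URL below must stay on the matching test directory.` The bind password for `userDn` is not in this file and presumably comes from the Gafaelfawr secret; worth confirming it is sourced from Vault rather than defaulted. Using `ldaps://` is the right choice given that bind credentials are sent.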
@@ -16,90 +32,38 @@ config: # Allow access by GitHub team. groupMapping: "admin:provision": - - github: - organization: "lsst-sqre" - team: "square" + - "g_admins" "exec:admin": - - github: - organization: "lsst-sqre" - team: "square" - - github: - organization: "lsst-sqre" - team: "friends" + - "g_admins" "exec:notebook": - - github: - organization: "lsst" - team: "ops" - - github: - organization: "lsst" - team: "ops-panda" - - github: - organization: "lsst-sqre" - team: "square" - - github: - organization: "lsst-sqre" - team: "friends" + - "g_admins" + - "g_developers" + - "g_users" "exec:portal": - - github: - organization: "lsst" - team: "ops" - - github: - organization: "lsst" - team: "ops-panda" - - github: - organization: "lsst-sqre" - team: "square" - - github: - organization: "lsst-sqre" - team: "friends" + - "g_admins" + - "g_developers" + - "g_users" "read:alertdb": - - github: - organization: "lsst-sqre" - team: "square" - - github: - organization: "lsst-sqre" - team: "friends" + - "g_admins" + - "g_developers" "read:image": - - github: - organization: "lsst" - team: "ops" - - github: - organization: "lsst" - team: "ops-panda" - - github: - organization: "lsst-sqre" - team: "square" - - github: - organization: "lsst-sqre" - team: "friends" + - "g_admins" + - "g_developers" + - "g_users" "read:tap": - - github: - organization: "lsst" - team: "ops" - - github: - organization: "lsst" - team: "ops-panda" - - github: - organization: "lsst-sqre" - team: "square" - - github: - organization: "lsst-sqre" - team: "friends" + - "g_admins" + - "g_developers" + - "g_users" initialAdmins: - "afausti" - - "athornton" + - "adam" - "cbanek" - "frossie" - - "jonathansick" + - "jsick" - "rra" - "simonkrughoff" - errorFooter: | - To report problems or ask for help, please open an issue in the - GitHub - rubin-dp0/Support project. - cloudsql: enabled: true instanceConnectionName: "science-platform-int-dc5d:us-central1:science-platform-int-8f439af2" 
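Review bot: The context comment `# Allow access by GitHub team.` directly above `groupMapping` is now wrong, because the entries under it are COmanage group names rather than GitHub organization/team pairs; change it to `# Allow access by COmanage group.`. The hunk also narrows `exec:admin` from the former `square` plus `friends` teams to `g_admins` alone and removes the `errorFooter` that directed users to the support project; both look deliberate but neither is mentioned in the commit message, so a sentence there would help when int is compared with the other environments. The enclosing `config:` mapping starts before this hunk.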
From 850262a99b6488f99c254380b13ebff64e3f689c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 1 Dec 2022 15:56:10 -0800 Subject: [PATCH 1356/1479] Stop hard-coding mobu UID/GID on int --- services/mobu/values-idfint.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 9d8b152f91..4b6733032f 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -5,8 +5,6 @@ autostart: count: 1 users: - username: "bot-mobu-recommended" - uidnumber: 74768 - gidnumber: 74768 scopes: - "exec:notebook" - "exec:portal" @@ -22,8 +20,6 @@ autostart: count: 1 users: - username: "bot-mobu-weekly" - uidnumber: 74769 - gidnumber: 74769 scopes: - "exec:notebook" - "exec:portal" @@ -40,8 +36,6 @@ autostart: count: 1 users: - username: "bot-mobu-tap" - uidnumber: 74775 - gidnumber: 74775 scopes: ["read:tap"] business: "TAPQueryRunner" restart: true From 144ac42cf9255a9b18ee182c8c8fffdfe1eded83 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 04:10:46 +0000 Subject: [PATCH 1357/1479] Update Helm release argo-cd to v5.16.1 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index c6f0ba59ed..a4961fe3ec 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -8,5 +8,5 @@ sources: - https://github.com/argoproj/argo-helm dependencies: - name: argo-cd - version: 5.14.2 + version: 5.16.1 repository: https://argoproj.github.io/argo-helm From 5d43b41aabb4762f2aa32787a1780d09721cc99b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 17:59:49 +0000 Subject: [PATCH 1358/1479] Update Helm release cert-manager to v1.10.1 --- services/cert-manager/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml index 40c8f29459..a9d778c149 100644 --- a/services/cert-manager/Chart.yaml +++ b/services/cert-manager/Chart.yaml @@ -7,5 +7,5 @@ sources: - https://github.com/cert-manager/cert-manager dependencies: - name: cert-manager - version: v1.10.0 + version: v1.10.1 repository: https://charts.jetstack.io From 2defcc29e99c08254482945fcf7a3885dfc9e33e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 18:13:14 +0000 Subject: [PATCH 1359/1479] Update Helm release redis to v17.3.14 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 23fd1bfb33..1a179e42dd 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,7 +14,7 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.3.11 + version: 17.3.14 repository: https://charts.bitnami.com/bitnami annotations: diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 765985e19d..5dc49215cb 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -12,7 +12,7 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.3.11 + version: 17.3.14 repository: https://charts.bitnami.com/bitnami annotations: From 242ebfe02f21863ff8e3afb297b191fa46517600 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Mon, 5 Dec 2022 14:55:11 -0800 Subject: [PATCH 1360/1479] Switch remaining ingresses to GafaelfawrIngress Switch all the remaining authenticated ingresses except for the nublado2 configuration, which will continue to have to be hand-configured to work with Zero-to-JupyterHub, over to using GafaelfawrIngress to generate the ingress. In the process, hard-code more things in the GafaelfawrIngress templates and remove them from values.yaml, since we're standardizing on not customizing paths, scopes, and similar bits of the ingress. --- .../templates/ingress-anonymous.yaml | 4 +- .../datalinker/templates/ingress-image.yaml | 44 ++++++----- .../datalinker/templates/ingress-tap.yaml | 44 ++++++----- services/hips/README.md | 4 +- services/hips/templates/ingress.yaml | 46 ++++++------ services/hips/values.yaml | 8 +- services/mobu/README.md | 1 - services/mobu/templates/ingress.yaml | 52 ++++++------- services/mobu/values.yaml | 3 - services/moneypenny/README.md | 3 +- services/moneypenny/templates/ingress.yaml | 49 ++++++------ services/moneypenny/values.yaml | 8 +- services/noteburst/README.md | 3 - services/noteburst/templates/ingress.yaml | 51 ++++++------- services/noteburst/values.yaml | 9 --- services/plot-navigator/README.md | 1 - .../plot-navigator/templates/ingress.yaml | 55 ++++++++------ services/plot-navigator/values.yaml | 2 - services/production-tools/README.md | 2 - .../production-tools/templates/ingress.yaml | 50 ++++++------- services/production-tools/values.yaml | 6 -- services/sherlock/README.md | 1 - services/sherlock/templates/ingress.yaml | 59 ++++++++------- services/sherlock/values.yaml | 3 - services/tap/README.md | 1 - .../templates/tap-ingress-authenticated.yaml | 75 +++++++++++-------- services/tap/values.yaml | 3 - services/times-square/README.md | 5 -- .../templates/ingress-webhooks.yaml | 10 +-- services/times-square/templates/ingress.yaml | 55 +++++++------- services/times-square/values.yaml | 15 ---- 
services/vo-cutouts/README.md | 1 - services/vo-cutouts/templates/ingress.yaml | 51 ++++++------- services/vo-cutouts/values.yaml | 3 - 34 files changed, 342 insertions(+), 385 deletions(-) diff --git a/services/datalinker/templates/ingress-anonymous.yaml b/services/datalinker/templates/ingress-anonymous.yaml index 08e5c7e48b..a646f7d3e3 100644 --- a/services/datalinker/templates/ingress-anonymous.yaml +++ b/services/datalinker/templates/ingress-anonymous.yaml @@ -4,10 +4,10 @@ metadata: name: {{ include "datalinker.fullname" . }}-anonymous labels: {{- include "datalinker.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} annotations: - {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} - {{- end }} + {{- end }} spec: ingressClassName: "nginx" rules: diff --git a/services/datalinker/templates/ingress-image.yaml b/services/datalinker/templates/ingress-image.yaml index 4168995f5f..889ba5e5ca 100644 --- a/services/datalinker/templates/ingress-image.yaml +++ b/services/datalinker/templates/ingress-image.yaml 
@@ -1,26 +1,30 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ include "datalinker.fullname" . }}-image labels: {{- include "datalinker.labels" . | nindent 4 }} - annotations: - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?scope=read:image" +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "read:image" +template: + metadata: + name: {{ include "datalinker.fullname" . }}-image {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/api/datalink/links" - pathType: "Exact" - backend: - service: - name: {{ include "datalinker.fullname" . }} - port: - number: 8080 + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/datalink/links" + pathType: "Exact" + backend: + service: + name: {{ include "datalinker.fullname" . }} + port: + number: 8080 diff --git a/services/datalinker/templates/ingress-tap.yaml b/services/datalinker/templates/ingress-tap.yaml index b408e7bafb..107229fcf1 100644 --- a/services/datalinker/templates/ingress-tap.yaml +++ b/services/datalinker/templates/ingress-tap.yaml 
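Review bot: The new `template.spec` drops the `ingressClassName: "nginx"` that the old `Ingress` carried, while the noteburst and plot-navigator templates in this same commit keep it, so the charts end up inconsistent. Unless the cluster defines a default IngressClass, or the Gafaelfawr operator fills the class in when it generates the `Ingress` (not visible here), the generated ingress may not be picked up by the nginx controller at all. Either restore `ingressClassName: "nginx"` under `spec:` here and in the ingress-tap, hips, mobu, moneypenny, production-tools and sherlock templates, or remove it from noteburst and plot-navigator, and add a one-line comment stating which convention applies.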
@@ -1,26 +1,30 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ include "datalinker.fullname" . }}-tap labels: {{- include "datalinker.labels" . | nindent 4 }} - annotations: - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?scope=read:tap" +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "read:tap" +template: + metadata: + name: {{ include "datalinker.fullname" . }}-tap {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/api/datalink" - pathType: "Prefix" - backend: - service: - name: {{ include "datalinker.fullname" . }} - port: - number: 8080 + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/datalink" + pathType: "Prefix" + backend: + service: + name: {{ include "datalinker.fullname" . }} + port: + number: 8080 diff --git a/services/hips/README.md b/services/hips/README.md index 90b30c483f..01f98617a6 100644 --- a/services/hips/README.md +++ b/services/hips/README.md 
@@ -24,9 +24,7 @@ HiPS tile server backed by Google Cloud Storage | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the hips image | | image.repository | string | `"ghcr.io/lsst-sqre/crawlspace"` | Image to use in the hips deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | -| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| ingress.gafaelfawrAuthQuery | string | `"scope=read:image"` | Gafaelfawr auth query string | -| ingress.path | string | `"/api/hips"` | Path at which to serve the service | +| ingress.annotations | object | `{}` | Additional annotations for the ingress | | nodeSelector | object | `{}` | Node selection rules for the hips deployment pod | | podAnnotations | object | `{}` | Annotations for the hips deployment pod | | replicaCount | int | `1` | Number of web deployment pods to start | diff --git a/services/hips/templates/ingress.yaml b/services/hips/templates/ingress.yaml index d33d86acf5..78bfe06ee9 100644 --- a/services/hips/templates/ingress.yaml +++ b/services/hips/templates/ingress.yaml 
@@ -1,28 +1,30 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: "hips" labels: {{- include "hips.labels" . | nindent 4 }} - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "read:image" +template: + metadata: + name: "hips" {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: {{ .Values.ingress.path | quote }} - pathType: "Prefix" - backend: - service: - name: "hips" - port: - number: 8080 + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/hips" + pathType: "Prefix" + backend: + service: + name: "hips" + port: + number: 8080 diff --git a/services/hips/values.yaml b/services/hips/values.yaml index 997432e85c..aa4a305bd1 100644 --- a/services/hips/values.yaml +++ b/services/hips/values.yaml @@ -33,13 +33,7 @@ image: tag: "" ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=read:image" - - # -- Path at which to serve the service - path: "/api/hips" - - # -- Additional annotations for the ingress rule + # -- Additional annotations for the ingress annotations: {} autoscaling: diff --git a/services/mobu/README.md b/services/mobu/README.md index 5371800dce..2bc6059b1f 100644 --- a/services/mobu/README.md +++ b/services/mobu/README.md 
@@ -21,7 +21,6 @@ Continuous integration testing | image.repository | string | `"ghcr.io/lsst-sqre/mobu"` | mobu image to use | | image.tag | string | The appVersion of the chart | Tag of mobu image to use | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the mobu frontend pod | | podAnnotations | object | `{}` | Annotations for the mobu frontend pod | diff --git a/services/mobu/templates/ingress.yaml b/services/mobu/templates/ingress.yaml index 5acd302d47..42a41c00ed 100644 --- a/services/mobu/templates/ingress.yaml +++ b/services/mobu/templates/ingress.yaml 
@@ -1,29 +1,31 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} name: {{ template "mobu.fullname" . }} labels: {{- include "mobu.labels" . | nindent 4 }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/mobu" - pathType: "Prefix" - backend: - service: - name: {{ template "mobu.fullname" . }} - port: - number: 8080 +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "exec:admin" + loginRedirect: true +template: + metadata: + name: {{ template "mobu.fullname" . }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/mobu" + pathType: "Prefix" + backend: + service: + name: {{ template "mobu.fullname" . }} + port: + number: 8080 diff --git a/services/mobu/values.yaml b/services/mobu/values.yaml index b31295cd3f..9173f69c8a 100644 --- a/services/mobu/values.yaml +++ b/services/mobu/values.yaml @@ -28,9 +28,6 @@ image: tag: "" ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=exec:admin" - # -- Additional annotations to add to the ingress annotations: {} diff --git a/services/moneypenny/README.md b/services/moneypenny/README.md index 584302e731..1cfedae207 100644 --- a/services/moneypenny/README.md 
+++ b/services/moneypenny/README.md @@ -20,8 +20,7 @@ User provisioning actions | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the moneypenny image | | image.repository | string | `"lsstsqre/moneypenny"` | moneypenny image to use | | image.tag | string | The appVersion of the chart | Tag of moneypenny image to use | -| ingress.gafaelfawrAuthQuery | string | `"scope=admin:provision"` | Gafaelfawr auth query string | -| ingress.tls | list | `[]` | Configure TLS for the ingress if needed. If multiple ingresses share the same hostname, only one of them needs a TLS configuration. | +| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the vo-cutouts frontend pod | | orders.commission | list | `[{"image":"lsstsqre/farthing","name":"farthing","securityContext":{"allowPrivilegeEscalation":false,"runAsNonRootUser":true,"runAsUser":1000}}]` | List of specifications for containers to run to commission a new user. Each member of the list should set a container `name`, `image`, and `securityContext` and may contain `volumeMounts`. | diff --git a/services/moneypenny/templates/ingress.yaml b/services/moneypenny/templates/ingress.yaml index 408570088d..566f195cd8 100644 --- a/services/moneypenny/templates/ingress.yaml +++ b/services/moneypenny/templates/ingress.yaml 
@@ -1,26 +1,31 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: - annotations: - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}" - nginx.ingress.kubernetes.io/proxy-read-timeout: "310" - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} name: {{ template "moneypenny.fullname" . }} labels: {{- include "moneypenny.labels" . | nindent 4 }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/moneypenny" - pathType: Prefix - backend: - service: - name: {{ include "moneypenny.fullname" . }} - port: - number: 8080 +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "admin:provision" +template: + metadata: + name: {{ template "moneypenny.fullname" . }} + annotations: + nginx.ingress.kubernetes.io/proxy-read-timeout: "310" + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/moneypenny" + pathType: Prefix + backend: + service: + name: {{ include "moneypenny.fullname" . }} + port: + number: 8080 diff --git a/services/moneypenny/values.yaml b/services/moneypenny/values.yaml index 316cd2092d..743e2bc0e9 100644 --- a/services/moneypenny/values.yaml +++ b/services/moneypenny/values.yaml 
@@ -28,12 +28,8 @@ serviceAccount: name: "" ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=admin:provision" - - # -- Configure TLS for the ingress if needed. If multiple ingresses share - # the same hostname, only one of them needs a TLS configuration. - tls: [] + # -- Additional annotations to add to the ingress + annotations: {} orders: # -- List of specifications for containers to run to commission a new user. diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 73a3f63c1e..174ccf8d55 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -34,9 +34,6 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | image.tag | string | The appVersion of the chart | Tag of the image | | imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | -| ingress.enabled | bool | `true` | Enable ingress | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin&auth_type=basic"` | Gafaelfawr auth query string | -| ingress.path | string | `"/noteburst"` | Path prefix where noteburst is hosted | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | Annotations for API and worker pods | diff --git a/services/noteburst/templates/ingress.yaml b/services/noteburst/templates/ingress.yaml index 33a9da1a72..76aa27bef2 100644 --- a/services/noteburst/templates/ingress.yaml +++ b/services/noteburst/templates/ingress.yaml 
@@ -1,31 +1,32 @@ -{{- if .Values.ingress.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ template "noteburst.fullname" . }} labels: {{- include "noteburst.labels" . | nindent 4 }} - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "exec:admin" + loginRedirect: true +template: + metadata: + name: {{ template "noteburst.fullname" . }} {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: {{ .Values.ingress.path }} - pathType: "Prefix" - backend: - service: - name: {{ template "noteburst.fullname" . }} - port: - number: {{ .Values.service.port }} -{{- end }} + spec: + ingressClassName: "nginx" + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/noteburst" + pathType: "Prefix" + backend: + service: + name: {{ template "noteburst.fullname" . }} + port: + number: {{ .Values.service.port }} diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index 9b82274d73..e70c452384 100644 --- a/services/noteburst/values.yaml +++ b/services/noteburst/values.yaml 
@@ -58,18 +58,9 @@ service: port: 80 ingress: - # -- Enable ingress - enabled: true - - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=exec:admin&auth_type=basic" - # -- Additional annotations to add to the ingress annotations: {} - # -- Path prefix where noteburst is hosted - path: "/noteburst" - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/services/plot-navigator/README.md b/services/plot-navigator/README.md index e3897a5b3e..68c1660ee7 100644 --- a/services/plot-navigator/README.md +++ b/services/plot-navigator/README.md @@ -17,4 +17,3 @@ Panel-based plot viewer | image.repository | string | `"lsstdm/pipetask-plot-navigator"` | plot-navigator image to use | | image.tag | string | `""` | | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal&delegate_to=plotnavigator"` | Gafaelfawr auth query string | diff --git a/services/plot-navigator/templates/ingress.yaml b/services/plot-navigator/templates/ingress.yaml index f03f655e37..82913fc8c8 100644 --- a/services/plot-navigator/templates/ingress.yaml +++ b/services/plot-navigator/templates/ingress.yaml 
@@ -1,29 +1,36 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: - name: plot-navigator + name: "plot-navigator" labels: {{- include "plot-navigator.labels" . | nindent 4 }} - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "exec:portal" + loginRedirect: true + delegate: + internal: + scopes: [] + service: "plot-navigator" +template: + metadata: + name: "plot-navigator" {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/plot-navigator" - pathType: ImplementationSpecific - backend: - service: - name: plot-navigator - port: - number: 80 + spec: + ingressClassName: "nginx" + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/plot-navigator" + pathType: "Prefix" + backend: + service: + name: "plot-navigator" + port: + number: 80 diff --git a/services/plot-navigator/values.yaml b/services/plot-navigator/values.yaml index 4498fd0bf4..71f20f907f 100644 --- a/services/plot-navigator/values.yaml +++ b/services/plot-navigator/values.yaml @@ -7,8 +7,6 @@ image: environment: {} ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=exec:portal&delegate_to=plotnavigator" # -- Additional annotations to add to the ingress annotations: {} 
diff --git a/services/production-tools/README.md b/services/production-tools/README.md index 75a7de56df..cb7fa475cb 100644 --- a/services/production-tools/README.md +++ b/services/production-tools/README.md @@ -20,8 +20,6 @@ A collection of utility pages for monitoring data processing. | image.repository | string | `"lsstdm/production_tools"` | Image to use in the production-tools deployment | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:portal"` | Gafaelfawr Auth Query string (default, unauthenticated) | -| ingress.pathType | string | `"Prefix"` | Path type for the ingress rule | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the production-tools deployment pod | | podAnnotations | object | `{}` | Annotations for the production-tools deployment pod | diff --git a/services/production-tools/templates/ingress.yaml b/services/production-tools/templates/ingress.yaml index a5dc3dd120..b7c05f95c3 100644 --- a/services/production-tools/templates/ingress.yaml +++ b/services/production-tools/templates/ingress.yaml 
@@ -1,30 +1,30 @@ -{{- $fullName := include "production-tools.fullname" . -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: - name: {{ $fullName }} + name: {{ template "production-tools.fullname" . }} labels: {{- include "production-tools.labels" . | nindent 4 }} - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} +config: + scopes: + all: + - "exec:portal" + loginRedirect: true +template: + metadata: + name: {{ template "production-tools.fullname" . }} {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required ".Values.global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/production-tools" - pathType: "Prefix" - backend: - service: - name: {{ template "production-tools.fullname" . }} - port: - number: 8080 + spec: + rules: + - host: {{ required ".Values.global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/production-tools" + pathType: "Prefix" + backend: + service: + name: {{ template "production-tools.fullname" . }} + port: + number: 8080 diff --git a/services/production-tools/values.yaml b/services/production-tools/values.yaml index 7c9ae8d70f..d0196e8401 100644 --- a/services/production-tools/values.yaml +++ b/services/production-tools/values.yaml 
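Review bot: The new `config:` block omits `baseUrl: {{ .Values.global.baseUrl | quote }}`, which every other GafaelfawrIngress template in this commit sets as its first key; if the v1alpha1 CRD requires it the resource will be rejected, and if it is optional the omission is still an undocumented inconsistency. Add that line above `scopes:`. The `required ".Values.global.host must be set"` message also differs from the `"global.host must be set"` wording used by the other charts; harmless, but worth aligning while the file is being rewritten.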
@@ -28,15 +28,9 @@ podAnnotations: {} environment: {} ingress: - # -- Gafaelfawr Auth Query string (default, unauthenticated) - gafaelfawrAuthQuery: "scope=exec:portal" - # -- Additional annotations for the ingress rule annotations: {} - # -- Path type for the ingress rule - pathType: Prefix - # -- Resource limits and requests for the production-tools deployment pod resources: {} diff --git a/services/sherlock/README.md b/services/sherlock/README.md index 4271d73046..459c2c462d 100644 --- a/services/sherlock/README.md +++ b/services/sherlock/README.md @@ -24,7 +24,6 @@ Application ingress status and metrics | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string (default, unauthenticated) | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the sherlock deployment pod | | podAnnotations | object | `{}` | Annotations for the sherlock deployment pod | diff --git a/services/sherlock/templates/ingress.yaml b/services/sherlock/templates/ingress.yaml index dde0586daf..68dadd0529 100644 --- a/services/sherlock/templates/ingress.yaml +++ b/services/sherlock/templates/ingress.yaml 
@@ -1,32 +1,33 @@ -{{- $fullName := include "sherlock.fullname" . -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: - name: {{ $fullName }} + name: {{ template "sherlock.fullname" . }} labels: {{- include "sherlock.labels" . | nindent 4 }} - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - nginx.ingress.kubernetes.io/cors-allow-methods: "GET" - nginx.ingress.kubernetes.io/enable-cors: "true" - {{- end }} - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/sherlock" - pathType: ImplementationSpecific - backend: - service: - name: {{ $fullName }} - port: - number: 8080 +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "exec:admin" + loginRedirect: true +template: + metadata: + name: {{ template "sherlock.fullname" . }} + annotations: + nginx.ingress.kubernetes.io/cors-allow-methods: "GET" + nginx.ingress.kubernetes.io/enable-cors: "true" + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/sherlock" + pathType: "Prefix" + backend: + service: + name: {{ template "sherlock.fullname" . }} + port: + number: 8080 diff --git a/services/sherlock/values.yaml b/services/sherlock/values.yaml index ba2259a9c4..c4756cfadc 100644 --- a/services/sherlock/values.yaml 
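Review bot: `pathType` changes from `ImplementationSpecific` to `"Prefix"` in the new `template.spec.rules`, which is a routing change the CRD migration does not require; if it is intended (the other converted charts also use Prefix), it belongs in the commit message. The CORS pair `enable-cors: "true"` / `cors-allow-methods: "GET"` is carried over into `template.metadata.annotations` without a `cors-allow-origin`, so ingress-nginx falls back to its wildcard default on an endpoint that now requires `exec:admin`; if the Sherlock UI is only served from `global.host`, restricting the origin to that host would be the safer default. The removed `auth-response-headers` list (`X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token`) is now the operator's decision — confirm the backend does not still read those headers.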
+++ b/services/sherlock/values.yaml @@ -28,9 +28,6 @@ fullnameOverride: "" podAnnotations: {} ingress: - # -- Gafaelfawr auth query string (default, unauthenticated) - gafaelfawrAuthQuery: "scope=exec:admin" - # -- Additional annotations for the ingress rule annotations: {} diff --git a/services/tap/README.md b/services/tap/README.md index 4829936546..f709fc5a44 100644 --- a/services/tap/README.md +++ b/services/tap/README.md @@ -28,7 +28,6 @@ IVOA TAP service | image.tag | string | The appVersion of the chart | Tag of tap image to use | | ingress.anonymousAnnotations | object | `{}` | Additional annotations to use for endpoints that allow anonymous access, such as `/capabilities` and `/availability` | | ingress.authenticatedAnnotations | object | `{}` | Additional annotations to use for endpoints that are authenticated, such as `/sync`, `/async`, and `/tables` | -| ingress.gafaelfawrAuthQuery | string | `"scope=read:tap&auth_type=basic&delegate_to=tap"` | Gafaelfawr auth query string | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Gafaelfawr frontend pod | | podAnnotations | object | `{}` | Annotations for the Gafaelfawr frontend pod | diff --git a/services/tap/templates/tap-ingress-authenticated.yaml b/services/tap/templates/tap-ingress-authenticated.yaml index 09a6603182..a39c0f86c1 100644 --- a/services/tap/templates/tap-ingress-authenticated.yaml +++ b/services/tap/templates/tap-ingress-authenticated.yaml 
@@ -1,37 +1,46 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ template "cadc-tap.fullname" . }}-authenticated labels: {{- include "cadc-tap.labels" . | nindent 4 }} - annotations: - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Token" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - nginx.ingress.kubernetes.io/configuration-snippet: | - auth_request_set $auth_token $upstream_http_x_auth_request_token; - proxy_set_header Authorization "Bearer $auth_token"; - nginx.ingress.kubernetes.io/proxy-connect-timeout: "1800" - nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" - nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" - nginx.ingress.kubernetes.io/rewrite-target: "/tap/$2" - nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/" - nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/tap/" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/use-regex: "true" - {{- with .Values.ingress.authenticatedAnnotations }} - {{- toYaml . | indent 4}} - {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/api/tap(/|$)(.*)" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ template "cadc-tap.fullname" . }} - port: - number: 80 +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "read:tap" + authType: "basic" + delegate: + internal: + scopes: [] + service: "tap" +template: + metadata: + name: {{ template "cadc-tap.fullname" . 
}}-authenticated + annotations: + nginx.ingress.kubernetes.io/configuration-snippet: | + auth_request_set $auth_token $upstream_http_x_auth_request_token; + proxy_set_header Authorization "Bearer $auth_token"; + nginx.ingress.kubernetes.io/proxy-connect-timeout: "1800" + nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" + nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" + nginx.ingress.kubernetes.io/rewrite-target: "/tap/$2" + nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/" + nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/tap/" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/use-regex: "true" + {{- with .Values.ingress.authenticatedAnnotations }} + {{- toYaml . | indent 6 }} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/tap(/|$)(.*)" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ template "cadc-tap.fullname" . }} + port: + number: 80 diff --git a/services/tap/values.yaml b/services/tap/values.yaml index 14565d9b39..1aec4d4528 100644 --- a/services/tap/values.yaml +++ b/services/tap/values.yaml @@ -24,9 +24,6 @@ image: # Settings for the ingress rules. ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=read:tap&auth_type=basic&delegate_to=tap" - # -- Additional annotations to use for endpoints that allow anonymous # access, such as `/capabilities` and `/availability` anonymousAnnotations: {} diff --git a/services/times-square/README.md b/services/times-square/README.md index b107fab875..f2dbad9390 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
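Review bot: `{{- toYaml . | indent 6 }}` under `{{- with .Values.ingress.authenticatedAnnotations }}` is a latent YAML breakage: the leading `{{-` on both lines strips the newline after `use-regex: "true"`, and `indent` (unlike `nindent`) emits no newline of its own, so the first user-supplied annotation lands on the same line as `"true"`. It only works today because the default is `{}` and the `with` block is skipped; change it to `{{- toYaml . | nindent 6 }}`, which is what the production-tools, sherlock, times-square and vo-cutouts hunks in this same patch use. The `configuration-snippet` that copies `$upstream_http_x_auth_request_token` into `Authorization` now depends on the operator emitting the `X-Auth-Request-Token` response header for a `delegate.internal` ingress, since the explicit `auth-response-headers` annotation was removed — worth confirming against the operator rather than assuming.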
@@ -38,11 +38,6 @@ An API service for managing and rendering parameterized Jupyter notebooks. | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| ingress.className | string | `"nginx"` | Class name that should serve this ingress | -| ingress.enabled | bool | `true` | Create an ingress resource | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin&auth_type=basic"` | Gafaelfawr auth query string | -| ingress.path | string | `"/times-square/api"` | Root URL path prefix for times-square API | -| ingress.pathType | string | `"ImplementationSpecific"` | Path type for the ingress rule | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the times-square deployment pod | | podAnnotations | object | `{}` | Annotations for the times-square deployment pod | diff --git a/services/times-square/templates/ingress-webhooks.yaml b/services/times-square/templates/ingress-webhooks.yaml index 4ba4ac700c..4f81db39cf 100644 --- a/services/times-square/templates/ingress-webhooks.yaml +++ b/services/times-square/templates/ingress-webhooks.yaml @@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
@@ -10,18 +9,15 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} + ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: {{ .Values.ingress.path }}/github - pathType: {{ default "Prefix" .Values.ingress.pathType }} + - path: "/times-square/api/github" + pathType: "Prefix" backend: service: name: {{ include "times-square.fullname" . }} port: number: {{ .Values.service.port }} -{{- end }} diff --git a/services/times-square/templates/ingress.yaml b/services/times-square/templates/ingress.yaml index c4c3840aed..96c6ee27eb 100644 --- a/services/times-square/templates/ingress.yaml +++ b/services/times-square/templates/ingress.yaml 
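Review bot: The webhook path is now the literal `"/times-square/api/github"` while `ingress.yaml` in the same patch hard-codes `"/times-square/api"` separately, so the two prefixes can drift apart with nothing tying them together; keeping a single `ingress.path` value and deriving the webhook path from it (as PATCH 1362 later in this series does) avoids that. This hunk also pins `ingressClassName: "nginx"` on what remains a plain `Ingress` with no Gafaelfawr auth — presumably deliberate because GitHub calls it, but a one-line comment above `spec:` such as `# Intentionally a plain Ingress: GitHub webhook delivery cannot pass Gafaelfawr auth` would stop a future reviewer from "fixing" it. The start of the file is outside this hunk.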
@@ -1,34 +1,31 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "times-square.fullname" . -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: - name: {{ $fullName }} + name: {{ template "times-square.fullname" . }} labels: {{- include "times-square.labels" . | nindent 4 }} - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "exec:admin" + loginRedirect: true +template: + metadata: + name: {{ template "times-square.fullname" . }} {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: {{ .Values.ingress.path }} - pathType: {{ default "Prefix" .Values.ingress.pathType }} - backend: - service: - name: {{ $fullName }} - port: - number: {{ .Values.service.port }} -{{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/times-square/api" + pathType: "Prefix" + backend: + service: + name: {{ template "times-square.fullname" . }} + port: + number: {{ .Values.service.port }} diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index 252579fbd5..856398e8aa 100644 --- a/services/times-square/values.yaml 
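Review bot: Dropping `{{- if .Values.ingress.enabled -}}` here while the values hunk removes `ingress.enabled` entirely leaves any other template in the chart that still tests `.Values.ingress.enabled` evaluating it as nil, i.e. never rendered; `networkpolicy.yaml` is one such case, and PATCH 1363 later in this series has to strip that conditional to get the NetworkPolicy back. Either remove the guard from every template in the same commit or keep `ingress.enabled` in values until they are all updated. As in the sherlock hunk, `pathType` also silently moves from the values-controlled `ImplementationSpecific` to `"Prefix"`.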
+++ b/services/times-square/values.yaml @@ -53,24 +53,9 @@ service: port: 8080 ingress: - # -- Create an ingress resource - enabled: true - - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=exec:admin&auth_type=basic" - # -- Additional annotations for the ingress rule annotations: {} - # -- Class name that should serve this ingress - className: "nginx" - - # -- Path type for the ingress rule - pathType: ImplementationSpecific - - # -- Root URL path prefix for times-square API - path: "/times-square/api" - # -- Resource limits and requests for the times-square deployment pod resources: {} diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index 627fc41beb..05525eb689 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -47,7 +47,6 @@ Image cutout service complying with IVOA SODA | image.repository | string | `"ghcr.io/lsst-sqre/vo-cutouts"` | vo-cutouts image to use | | image.tag | string | The appVersion of the chart | Tag of vo-cutouts image to use | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | -| ingress.gafaelfawrAuthQuery | string | `"scope=read:image"` | Gafaelfawr auth query string | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the vo-cutouts frontend pod | | podAnnotations | object | `{}` | Annotations for the vo-cutouts frontend pod | diff --git a/services/vo-cutouts/templates/ingress.yaml b/services/vo-cutouts/templates/ingress.yaml index 904faad72e..5b40ef4c56 100644 --- a/services/vo-cutouts/templates/ingress.yaml +++ b/services/vo-cutouts/templates/ingress.yaml 
@@ -1,29 +1,30 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} name: {{ template "vo-cutouts.fullname" . }} labels: {{- include "vo-cutouts.labels" . | nindent 4 }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/api/cutout" - pathType: "Prefix" - backend: - service: - name: {{ template "vo-cutouts.fullname" . }} - port: - number: 8080 +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "read:image" +templates: + metadata: + name: {{ template "vo-cutouts.fullname" . }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/cutout" + pathType: "Prefix" + backend: + service: + name: {{ template "vo-cutouts.fullname" . }} + port: + number: 8080 diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 5d5dbee569..0bf689c0fb 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -21,9 +21,6 @@ image: tag: "" ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=read:image" - # -- Additional annotations to add to the ingress annotations: {} From 91a3408fca9ed0b7ca89617ede08120b9d25c6a9 Mon Sep 17 00:00:00 2001 
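Review bot: The top-level key is spelled `templates:` where every other GafaelfawrIngress in this patch (and PATCH 1367 later in this series, which corrects exactly this line) uses `template:`. Depending on how strict the CRD schema is, the object is either rejected at apply time or accepted with an unknown field and no Ingress ever generated, which for an API behind `read:image` would look like a silent outage rather than an error; change it to `template:`. Unlike the sherlock and times-square conversions, this one omits `loginRedirect`, which seems right for a pure API endpoint, but a short comment under `config:` recording that choice would help.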
From: Russ Allbery Date: Mon, 5 Dec 2022 16:51:14 -0800 Subject: [PATCH 1361/1479] Fix noteburst ingress path Noteburst was using the ingress path configuraiton in values.yaml. Restore it back to the way it was. --- services/noteburst/README.md | 1 + services/noteburst/templates/ingress.yaml | 2 +- services/noteburst/values.yaml | 3 +++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 174ccf8d55..04f05f173f 100644 --- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -34,6 +34,7 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | image.tag | string | The appVersion of the chart | Tag of the image | | imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress | +| ingress.path | string | `"/noteburst"` | Path prefix where noteburst is hosted | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | Annotations for API and worker pods | diff --git a/services/noteburst/templates/ingress.yaml b/services/noteburst/templates/ingress.yaml index 76aa27bef2..62f758459c 100644 --- a/services/noteburst/templates/ingress.yaml +++ b/services/noteburst/templates/ingress.yaml @@ -23,7 +23,7 @@ template: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: "/noteburst" + - path: {{ .Values.ingress.path | quote }} pathType: "Prefix" backend: service: diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index e70c452384..1ca85b797c 100644 --- a/services/noteburst/values.yaml +++ b/services/noteburst/values.yaml 
@@ -61,6 +61,9 @@ ingress: # -- Additional annotations to add to the ingress annotations: {} + # -- Path prefix where noteburst is hosted + path: "/noteburst" + resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little From 9daa9762019ee6fe53dbcb3a7f99f502d269e42f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 5 Dec 2022 16:54:36 -0800 Subject: [PATCH 1362/1479] Fix times-square ingress path times-square was using the ingress path configuraiton in values.yaml. Restore it back to the way it was. --- services/times-square/README.md | 1 + services/times-square/templates/ingress-webhooks.yaml | 2 +- services/times-square/templates/ingress.yaml | 2 +- services/times-square/values.yaml | 3 +++ 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/services/times-square/README.md b/services/times-square/README.md index f2dbad9390..4d0187852a 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -38,6 +38,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ingress.annotations | object | `{}` | Additional annotations for the ingress rule | +| ingress.path | string | `"/times-square/api"` | Root URL path prefix for times-square API | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the times-square deployment pod | | podAnnotations | object | `{}` | Annotations for the times-square deployment pod | diff --git a/services/times-square/templates/ingress-webhooks.yaml b/services/times-square/templates/ingress-webhooks.yaml index 4f81db39cf..4a1d940720 100644 --- a/services/times-square/templates/ingress-webhooks.yaml 
+++ b/services/times-square/templates/ingress-webhooks.yaml @@ -14,7 +14,7 @@ spec: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: "/times-square/api/github" + - path: "{{ .Values.ingress.path }}/github" pathType: "Prefix" backend: service: diff --git a/services/times-square/templates/ingress.yaml b/services/times-square/templates/ingress.yaml index 96c6ee27eb..8fd58c6eab 100644 --- a/services/times-square/templates/ingress.yaml +++ b/services/times-square/templates/ingress.yaml @@ -22,7 +22,7 @@ template: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: - - path: "/times-square/api" + - path: {{ .Values.ingress.path | quote }} pathType: "Prefix" backend: service: diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index 856398e8aa..d900eac846 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml @@ -56,6 +56,9 @@ ingress: # -- Additional annotations for the ingress rule annotations: {} + # -- Root URL path prefix for times-square API + path: "/times-square/api" + # -- Resource limits and requests for the times-square deployment pod resources: {} From c91b599416a94311bfc50232e97c1d3f20ec4ee0 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 5 Dec 2022 17:09:11 -0800 Subject: [PATCH 1363/1479] Make times-square NetworkPolicy unconditional There's no longer an option to not install the ingress, so the conditional has to be removed for the NetworkPolicy. --- services/times-square/templates/networkpolicy.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/services/times-square/templates/networkpolicy.yaml b/services/times-square/templates/networkpolicy.yaml index 14637aa6bd..dbb7e17403 100644 --- a/services/times-square/templates/networkpolicy.yaml +++ b/services/times-square/templates/networkpolicy.yaml 
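Review bot: The two templates now build the path from `ingress.path` in different ways: `ingress.yaml` uses `{{ .Values.ingress.path | quote }}` while `ingress-webhooks.yaml` interpolates inside a literal string, `"{{ .Values.ingress.path }}/github"`, which escapes nothing and breaks the YAML if the value ever contains a double quote. `- path: {{ printf "%s/github" .Values.ingress.path | quote }}` keeps both consistent. Neither hunk shows the start of its file; the webhook change sits under `spec.rules` of a plain Ingress, the other under `template.spec.rules` of the GafaelfawrIngress.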
@@ -1,4 +1,3 @@ -{{- if .Values.ingress.enabled -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -20,4 +19,3 @@ spec: ports: - protocol: "TCP" port: 8080 -{{- end }} From 033566527c1ec33b633fe93e0f3b3f9aaf4b7ff1 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 5 Dec 2022 17:11:18 -0800 Subject: [PATCH 1364/1479] Delete stray ingressClassName in noteburst ingress --- services/noteburst/templates/ingress.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/noteburst/templates/ingress.yaml b/services/noteburst/templates/ingress.yaml index 62f758459c..2fef313df5 100644 --- a/services/noteburst/templates/ingress.yaml +++ b/services/noteburst/templates/ingress.yaml @@ -18,7 +18,6 @@ template: {{- toYaml . | nindent 6 }} {{- end }} spec: - ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: From 7c2117a31c0c6bb65aee9d966efc776697c49d78 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 6 Dec 2022 09:51:01 -0800 Subject: [PATCH 1365/1479] Remove stray ingressClassName from plot-navigator This setting isn't used with GafaelfawrIngress. --- services/plot-navigator/templates/ingress.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/plot-navigator/templates/ingress.yaml b/services/plot-navigator/templates/ingress.yaml index 82913fc8c8..081d11c983 100644 --- a/services/plot-navigator/templates/ingress.yaml +++ b/services/plot-navigator/templates/ingress.yaml @@ -22,7 +22,6 @@ template: {{- toYaml . | nindent 6 }} {{- end }} spec: - ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: From a1053a099060a7fca67ec1985cda605e5c76b04e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 6 Dec 2022 09:52:21 -0800 Subject: [PATCH 1366/1479] Add missing baseUrl to production-tools ingress --- services/production-tools/templates/ingress.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/services/production-tools/templates/ingress.yaml b/services/production-tools/templates/ingress.yaml index b7c05f95c3..fbf1fb3bde 100644 --- a/services/production-tools/templates/ingress.yaml +++ b/services/production-tools/templates/ingress.yaml @@ -5,6 +5,7 @@ metadata: labels: {{- include "production-tools.labels" . | nindent 4 }} config: + baseUrl: {{ .Values.global.baseUrl | quote }} scopes: all: - "exec:portal" From 9820c7a6a7a3c50a6bfa7ed26a271f6d6535fdb4 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 6 Dec 2022 09:54:05 -0800 Subject: [PATCH 1367/1479] Fix typo in vo-cutouts ingress definition --- services/vo-cutouts/templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/vo-cutouts/templates/ingress.yaml b/services/vo-cutouts/templates/ingress.yaml index 5b40ef4c56..d93540b39a 100644 --- a/services/vo-cutouts/templates/ingress.yaml +++ b/services/vo-cutouts/templates/ingress.yaml @@ -9,7 +9,7 @@ config: scopes: all: - "read:image" -templates: +template: metadata: name: {{ template "vo-cutouts.fullname" . }} {{- with .Values.ingress.annotations }} From 752da4dd29eee63339432be5b5d538ef99bad72a Mon Sep 17 00:00:00 2001 From: adam Date: Wed, 7 Dec 2022 09:02:40 -0700 Subject: [PATCH 1368/1479] update summit to cycle 28 --- services/cachemachine/values-summit.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/cachemachine/values-summit.yaml b/services/cachemachine/values-summit.yaml index 0ee5194119..360bbaaa90 100644 --- a/services/cachemachine/values-summit.yaml +++ b/services/cachemachine/values-summit.yaml @@ -8,11 +8,11 @@ autostart: "type": "RubinRepoMan", "registry_url": "ts-dockerhub.lsst.org", "repo": "sal-sciplat-lab", - "recommended_tag": "recommended_c0027", + "recommended_tag": "recommended_c0028", "num_releases": 0, "num_weeklies": 3, "num_dailies": 2, - "cycle": 27, + "cycle": 28, "alias_tags": [ "latest", "latest_daily", 
From 96e22e6b2dd416d6a010f87656a57a4a4ebe4264 Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Tue, 6 Dec 2022 10:15:23 -0700 Subject: [PATCH 1369/1479] Add WeatherForecast sink. --- services/sasquatch/values-summit.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index 2ad4b2749f..c72631e513 100644 --- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml @@ -46,7 +46,7 @@ kafka-connect-manager: topicsRegex: ".*CCArchiver|.*CCCamera|.*CCHeaderService|.*CCOODS" eas: enabled: true - topicsRegex: ".*DIMM|.*DSM|.*ESS|.*HVAC|.*WeatherStation" + topicsRegex: ".*DIMM|.*DSM|.*ESS|.*HVAC|.*WeatherForecast|.*WeatherStation" latiss: enabled: true topicsRegex: ".*ATArchiver|.*ATCamera|.*ATHeaderService|.*ATOODS|.*ATSpectrograph" From de106d2915f0385a1abdf494de03eeb8febb984c Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Tue, 6 Dec 2022 10:19:15 -0700 Subject: [PATCH 1370/1479] Add sink for GCHeaderService and move GenericCamera sink. --- services/sasquatch/values-summit.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/services/sasquatch/values-summit.yaml b/services/sasquatch/values-summit.yaml index c72631e513..ccae5afd05 100644 --- a/services/sasquatch/values-summit.yaml +++ b/services/sasquatch/values-summit.yaml @@ -58,7 +58,7 @@ kafka-connect-manager: topicsRegex: ".*MTHexapod|.*MTM2|.*MTRotator" obssys: enabled: true - topicsRegex: ".*GenericCamera|.*Scheduler|.*Script|.*ScriptQueue|.*Watcher" + topicsRegex: ".*Scheduler|.*Script|.*ScriptQueue|.*Watcher" ocps: enabled: true topicsRegex: ".*OCPS" @@ -74,6 +74,9 @@ kafka-connect-manager: mtaircompressor: enabled: true topicsRegex: ".*MTAirCompressor" + genericcamera: + enabled: true + topicsRegex: ".*GCHeaderService|.*GenericCamera" kafdrop: ingress: From 16438eed4c7cec89d3434055cb181b4e30079f45 Mon Sep 17 00:00:00 2001 
From: adam Date: Wed, 7 Dec 2022 12:35:39 -0700 Subject: [PATCH 1371/1479] Point to external DB --- services/exposurelog/values-summit.yaml | 2 ++ services/gafaelfawr/values-summit.yaml | 2 +- services/narrativelog/values-summit.yaml | 2 ++ services/nublado2/values-summit.yaml | 5 ++++- 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/services/exposurelog/values-summit.yaml b/services/exposurelog/values-summit.yaml index f11baa0cbf..991b8e96a1 100644 --- a/services/exposurelog/values-summit.yaml +++ b/services/exposurelog/values-summit.yaml @@ -7,3 +7,5 @@ config: nfs_path_2: /repo/LATISS # Mounted as /volume_2 nfs_server_2: auxtel-archiver.cp.lsst.org butler_uri_2: /volume_2 +db: + host: postgresdb01.cp.lsst.org diff --git a/services/gafaelfawr/values-summit.yaml b/services/gafaelfawr/values-summit.yaml index 7140742b64..97e2f7a83f 100644 --- a/services/gafaelfawr/values-summit.yaml +++ b/services/gafaelfawr/values-summit.yaml @@ -4,7 +4,7 @@ redis: config: slackAlerts: true - databaseUrl: "postgresql://gafaelfawr@postgres.postgres/gafaelfawr" + databaseUrl: "postgresql://gafaelfawr@postgresdb01.cp.lsst.org/gafaelfawr" github: clientId: "220d64cbf46f9d2b7873" diff --git a/services/narrativelog/values-summit.yaml b/services/narrativelog/values-summit.yaml index 704dae40b7..04d1372bef 100644 --- a/services/narrativelog/values-summit.yaml +++ b/services/narrativelog/values-summit.yaml @@ -1,2 +1,4 @@ config: site_id: summit +db: + host: postgresdb01.cp.lsst.org diff --git a/services/nublado2/values-summit.yaml b/services/nublado2/values-summit.yaml index cf4f6f6767..de9404621d 100644 --- a/services/nublado2/values-summit.yaml +++ b/services/nublado2/values-summit.yaml 
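Review bot: The `db.host` / `databaseUrl` changes in this patch (exposurelog, gafaelfawr and narrativelog here, plus the nublado2 `hub.db.url` in the next hunk) move the database from an in-cluster service (`postgres.postgres`) to an external host, `postgresdb01.cp.lsst.org`, but none of the connection strings say anything about transport security. Traffic that previously stayed on the cluster network now crosses the site network, so whether it is encrypted and whether the server certificate is checked now depends on each client driver's default. If the external server supports TLS, pinning it in the URL with whatever parameter the driver honours (for libpq-style URLs, `postgresql://gafaelfawr@postgresdb01.cp.lsst.org/gafaelfawr?sslmode=require`) and documenting the same for the `db.host` charts makes the intent explicit; any egress NetworkPolicy in these namespaces will also need the new host.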
@@ -3,7 +3,10 @@ jupyterhub: hosts: ["summit-lsp.lsst.codes"] annotations: nginx.ingress.kubernetes.io/auth-signin: "https://summit-lsp.lsst.codes/login" - + hub: + db: + upgrade: true + url: "postgresql://jovyan@postgresdb01.cp.lsst.org/jupyterhub" singleuser: extraAnnotations: k8s.v1.cni.cncf.io/networks: "kube-system/macvlan-conf" From cfc2dce4aa3ed4e73612b7c48f9fecd90ce851e7 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 8 Dec 2022 10:36:55 -0700 Subject: [PATCH 1372/1479] [DM-37254] Have dev and int run 1.4.1 1.4.1 is 1.4.0 but has the debug level turned up one more notch, to hopefully catch more information about IncompleteReads from the TAP server. --- services/tap/values-idfdev.yaml | 3 +++ services/tap/values-idfint.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/services/tap/values-idfdev.yaml b/services/tap/values-idfdev.yaml index 57b4e3d67c..0871d30e45 100644 --- a/services/tap/values-idfdev.yaml +++ b/services/tap/values-idfdev.yaml @@ -6,3 +6,6 @@ qserv: host: "10.136.1.211:4040" mock: enabled: false + +image: + tag: "1.4.1" diff --git a/services/tap/values-idfint.yaml b/services/tap/values-idfint.yaml index 11bab7d2a0..f770393fdf 100644 --- a/services/tap/values-idfint.yaml +++ b/services/tap/values-idfint.yaml @@ -17,3 +17,6 @@ qserv: host: "10.136.1.211:4040" mock: enabled: false + +image: + tag: "1.4.1" From adda6f485d153f63496c670e3432140b30426ea5 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 8 Dec 2022 10:38:36 -0700 Subject: [PATCH 1373/1479] [DM-37254] Start TAP mobu on data-dev Since data-dev's TAP service is hooked up to a real TAP service, let's turn on mobu and let it run some queries to test out the TAP service and other things on data-dev. --- services/mobu/values-idfdev.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/services/mobu/values-idfdev.yaml b/services/mobu/values-idfdev.yaml index 058f7bd051..b256a1954a 100644 --- a/services/mobu/values-idfdev.yaml 
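Review bot: `hub.db.upgrade: true` is presumably the zero-to-jupyterhub flag that lets the hub run schema migrations on every start; that is reasonable for the cutover to the new host, but a comment saying whether it should stay on afterwards would help, e.g. `# Allow schema upgrade on hub start; revisit once the external DB cutover is done`. The URL `postgresql://jovyan@postgresdb01.cp.lsst.org/jupyterhub` carries no password, so the hub must obtain it elsewhere (`hub.db.password` or a secret) — the hunk doesn't show where, so confirm it is wired up for this environment.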
+++ b/services/mobu/values-idfdev.yaml @@ -11,3 +11,13 @@ autostart: jupyter: image_size: "Small" restart: true + - name: "tap" + count: 1 + users: + - username: "bot-mobu-tap" + scopes: ["read:tap"] + business: "TAPQueryRunner" + restart: true + options: + tap_sync: true + tap_query_set: "dp0.2" From 7c86b786d57191493c55b7016612dde7980c8b3c Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Fri, 9 Dec 2022 11:08:27 -0700 Subject: [PATCH 1374/1479] [DM-37254] Add resources for data-dev tap We're running queries from mobu now, and it has restarted about 2 dozen times over night, and I think that is due to the restrictive default resource limits. Let's make them the same as int since we're expecting what they are expecting, but keep the replica count at 1. --- services/tap/values-idfdev.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/services/tap/values-idfdev.yaml b/services/tap/values-idfdev.yaml index 0871d30e45..f963178b7b 100644 --- a/services/tap/values-idfdev.yaml +++ b/services/tap/values-idfdev.yaml @@ -1,3 +1,11 @@ +resources: + requests: + cpu: 2.0 + memory: "2G" + limits: + cpu: 8.0 + memory: "32G" + config: gcsBucket: "async-results.lsst.codes" gcsBucketUrl: "http://async-results.lsst.codes" From 6c0e846c15eb0c5faba4b156ee506de52c3de15d Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Mon, 12 Dec 2022 10:58:09 -0700 Subject: [PATCH 1375/1479] [DM-37254] Set java heap space correctly I set the resource limits for the container, but I forgot to tell java how much memory it can take, so it wasn't expanding the heap. --- services/tap/values-idfdev.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/tap/values-idfdev.yaml b/services/tap/values-idfdev.yaml index f963178b7b..eb34794465 100644 --- a/services/tap/values-idfdev.yaml +++ b/services/tap/values-idfdev.yaml 
@@ -9,6 +9,7 @@ resources: config: gcsBucket: "async-results.lsst.codes" gcsBucketUrl: "http://async-results.lsst.codes" + jvmMaxHeapSize: "31G" qserv: host: "10.136.1.211:4040" From 3becab120eaf907bccaf8967b79051ef234ab0f6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Dec 2022 18:46:24 +0000 Subject: [PATCH 1376/1479] Update Helm release argo-cd to v5.16.2 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index a4961fe3ec..34b780c870 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -8,5 +8,5 @@ sources: - https://github.com/argoproj/argo-helm dependencies: - name: argo-cd - version: 5.16.1 + version: 5.16.2 repository: https://argoproj.github.io/argo-helm From 1289f409efed9b6c9764bf132586e2bdf108b81e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Dec 2022 19:56:27 +0000 Subject: [PATCH 1377/1479] Update gcr.io/cloudsql-docker/gce-proxy Docker tag to v1.33.1 --- services/gafaelfawr/values.yaml | 2 +- services/sqlproxy-cross-project/values.yaml | 2 +- services/times-square/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 92593233c3..19554710f0 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -259,7 +259,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.32.0" + tag: "1.33.1" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/sqlproxy-cross-project/values.yaml b/services/sqlproxy-cross-project/values.yaml index be19862597..9b4bc9bfd5 100644 --- a/services/sqlproxy-cross-project/values.yaml 
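Review bot: The new `jvmMaxHeapSize: "31G"` sits inside the 32G container memory limit added to the same file in the previous commit, which leaves the JVM's non-heap memory (metaspace, thread stacks, direct buffers, code cache) about 1G before the pod is OOM-killed. If the value is passed straight through as `-Xmx`, the units do not match either: the JVM reads 31G as 31 GiB (about 33.3 GB) while Kubernetes reads "32G" as 32 × 10⁹ bytes (about 29.8 GiB), so the heap alone can exceed the limit. A safer pairing is `memory: "32Gi"` with a heap of roughly three quarters of it, plus a comment like `# keep well below resources.limits.memory; JVM non-heap memory counts against the limit`. How the chart consumes jvmMaxHeapSize is not visible here, so confirm before tuning.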
+++ b/services/sqlproxy-cross-project/values.yaml @@ -14,7 +14,7 @@ image: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Tag of Cloud SQL Proxy image to use - tag: "1.32.0" + tag: "1.33.1" # -- Pull policy for the Cloud SQL Proxy image pullPolicy: "IfNotPresent" diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index d900eac846..3ca5992371 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml @@ -123,7 +123,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.32.0" + tag: "1.33.1" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 0bf689c0fb..b5281a3c63 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -75,7 +75,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.32.0" + tag: "1.33.1" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" From 311b46913560057115ced5abeb8ac130d8c6d12a Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 12 Dec 2022 11:57:08 -0800 Subject: [PATCH 1378/1479] Update Helm documentation --- services/gafaelfawr/README.md | 2 +- services/sqlproxy-cross-project/README.md | 2 +- services/times-square/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index f292d33e3c..1664fafe87 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -17,7 +17,7 @@ Authentication and identity system | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy, used with CloudSQL databases on Google Cloud. This will be run as a sidecar for the main Gafaelfawr pods, and as a separate service (behind a `NetworkPolicy`) for other, lower-traffic services. | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.32.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.33.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | None, must be set if Cloud SQL Auth Proxy is enabled | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.nodeSelector | object | `{}` | Node selection rules for the Cloud SQL Proxy pod | | cloudsql.podAnnotations | object | `{}` | Annotations for the Cloud SQL Proxy pod | diff --git a/services/sqlproxy-cross-project/README.md b/services/sqlproxy-cross-project/README.md index 6feb8140b5..e686d30ab7 100644 --- a/services/sqlproxy-cross-project/README.md +++ b/services/sqlproxy-cross-project/README.md @@ -19,7 +19,7 @@ GCP SQL Proxy as a service | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Cloud SQL Proxy image | | image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Proxy image to use | -| image.tag | string | `"1.32.0"` | Tag of Cloud SQL Proxy image to use | +| image.tag | string | `"1.33.1"` | Tag of Cloud SQL Proxy image to use | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Cloud SQL Proxy pod | | podAnnotations | object | `{}` | Annotations for the Cloud SQL Proxy pod | 
diff --git a/services/times-square/README.md b/services/times-square/README.md index 4d0187852a..aa321748cf 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -18,7 +18,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.32.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.33.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index 05525eb689..ffb0516a62 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -14,7 +14,7 @@ Image cutout service complying with IVOA SODA | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.32.0"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.33.1"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to the GCS bucket, and ability to sign URLs as itself | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | From 1de5be834a11c9f19ec0599c1015422cb1fd33be Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 15 Dec 2022 12:00:14 -0700 Subject: [PATCH 1379/1479] [DM-37318] Roll out TAP 1.4.2 --- services/tap/Chart.yaml | 2 +- services/tap/values-idfdev.yaml | 3 --- services/tap/values-idfint.yaml | 3 --- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/services/tap/Chart.yaml b/services/tap/Chart.yaml index c4c818bbaa..16049f9cb0 100644 --- a/services/tap/Chart.yaml +++ b/services/tap/Chart.yaml @@ -5,4 +5,4 @@ description: IVOA TAP service sources: - https://github.com/lsst-sqre/lsst-tap-service - https://github.com/opencadc/tap -appVersion: 1.4.0 +appVersion: 1.4.2 diff --git a/services/tap/values-idfdev.yaml b/services/tap/values-idfdev.yaml index eb34794465..b0a7af3d2f 100644 --- a/services/tap/values-idfdev.yaml +++ b/services/tap/values-idfdev.yaml @@ -15,6 +15,3 @@ qserv: host: "10.136.1.211:4040" mock: enabled: false - -image: - tag: "1.4.1" 
diff --git a/services/tap/values-idfint.yaml b/services/tap/values-idfint.yaml index f770393fdf..11bab7d2a0 100644 --- a/services/tap/values-idfint.yaml +++ b/services/tap/values-idfint.yaml @@ -17,6 +17,3 @@ qserv: host: "10.136.1.211:4040" mock: enabled: false - -image: - tag: "1.4.1" From c15bb441d29fcd6e91b921ac47ce302ffbc3274a Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 15 Dec 2022 12:33:01 -0700 Subject: [PATCH 1380/1479] [DM-37318] Try to fix minikube test run --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2b7c36786c..c5fb4c1f37 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -85,7 +85,7 @@ jobs: - name: Setup Minikube if: steps.filter.outputs.minikube == 'true' - uses: manusa/actions-setup-minikube@v2.7.1 + uses: manusa/actions-setup-minikube@v2.7.2 with: minikube version: 'v1.28.0' kubernetes version: 'v1.25.2' From 08a4fe01ab8bc55af260f0bfebb5bfcd10b9de91 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 15 Dec 2022 11:37:45 -0800 Subject: [PATCH 1381/1479] Update to Gafaelfawr 8.0.0 --- services/gafaelfawr/Chart.yaml | 2 +- services/gafaelfawr/crds/ingress.yaml | 95 ++++++++++++++++----------- 2 files changed, 58 insertions(+), 39 deletions(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 946674b909..b920cc60cb 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,7 +5,7 @@ description: Authentication and identity system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 7.1.0 +appVersion: 8.0.0 annotations: phalanx.lsst.io/docs: | diff --git a/services/gafaelfawr/crds/ingress.yaml b/services/gafaelfawr/crds/ingress.yaml index da8e858a57..d81837e8f4 100644 --- a/services/gafaelfawr/crds/ingress.yaml +++ b/services/gafaelfawr/crds/ingress.yaml 
@@ -63,32 +63,6 @@ spec: type: string description: "Base URL for Gafaelfawr APIs." pattern: "^https://[a-z.-]+" - scopes: - type: object - description: >- - The token scope or scopes required to access this - service. May be omitted if the service allows - anonymous access. - properties: - any: - type: array - description: >- - Access is granted if any of the listed scopes are - present. - items: - type: string - all: - type: array - description: >- - Access is granted if all of the listed scopes are - present. - items: - type: string - oneOf: - - required: - - any - - required: - - all authType: type: string enum: @@ -98,18 +72,6 @@ spec: Controls the authentication type in the challenge returned in the `WWW-Authenticate` header if the user is not authenticated. By default, this is `bearer`. - loginRedirect: - type: boolean - description: >- - Whether to redirect to the login flow if the user is - not currently authenticated. - replace403: - type: boolean - description: >- - Whether to replace 403 responses with a custom 403 - response from Gafaelfawr that disables caching and - includes authorization-related errors in the - `WWW-Authenticate` header. delegate: type: object description: >- 
@@ -148,11 +110,68 @@ spec: Minimum lifetime of delegated token in seconds. If the user's token has less than that time remaining, force them to reauthenticate. + useAuthorization: + type: boolean + description: >- + If set to true, put the delegated token in the + Authorization header of the request as a bearer token, + in addition to X-Auth-Request-Token. oneOf: - required: - internal - required: - notebook + loginRedirect: + type: boolean + description: >- + Whether to redirect to the login flow if the user is + not currently authenticated. + replace403: + type: boolean + description: >- + Whether to replace 403 responses with a custom 403 + response from Gafaelfawr that disables caching and + includes authorization-related errors in the + `WWW-Authenticate` header. + scopes: + type: object + description: >- + The token scope or scopes required to access this + service. May be omitted if the service allows + anonymous access. + properties: + any: + type: array + description: >- + Access is granted if any of the listed scopes are + present. + items: + type: string + all: + type: array + description: >- + Access is granted if all of the listed scopes are + present. + items: + type: string + anonymous: + type: boolean + description: >- + Allow anonymous access to this ingress. No access + control checks will be made and no token delegation is + possible, but Gafaelfawr tokens will still be stripped + from the `Authorization` and `Cookie` headers. + oneOf: + - required: + - any + - required: + - all + - properties: + anonymous: + enum: + - true + required: + - anonymous template: type: object description: "The template used to create the ingress." From 7365f6f20da106a335d3d3dc477aba5b689033ee Mon Sep 17 00:00:00 2001 
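Review bot: The re-added `scopes` description still says the field "May be omitted if the service allows anonymous access", but this hunk makes `anonymous: true` the explicit way to grant anonymous access, so the sentence now contradicts the schema; a wording like `Set anonymous: true if the service allows anonymous access.` keeps the two consistent. The `any` and `all` arrays have no `minItems: 1`, so `scopes: {any: []}` satisfies the `oneOf` while naming no scope at all; whether Gafaelfawr treats that as deny-all or allow-all is not visible here, and rejecting it in the schema (`minItems: 1` under each array) avoids depending on the operator's interpretation. The `anonymous` description's note that tokens are still stripped is the right detail to state.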
From: Russ Allbery Date: Thu, 15 Dec 2022 11:38:17 -0800 Subject: [PATCH 1382/1479] Use new Gafaelfawr feature for TAP ingress Gafaelfawr now supports sending the delegated token in the Authorization header. Use that for the TAP ingress instead of an NGINX snippet. --- services/tap/templates/tap-ingress-authenticated.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/services/tap/templates/tap-ingress-authenticated.yaml b/services/tap/templates/tap-ingress-authenticated.yaml index a39c0f86c1..d2ea1ab62d 100644 --- a/services/tap/templates/tap-ingress-authenticated.yaml +++ b/services/tap/templates/tap-ingress-authenticated.yaml @@ -14,13 +14,11 @@ config: internal: scopes: [] service: "tap" + useAuthorization: true template: metadata: name: {{ template "cadc-tap.fullname" . }}-authenticated annotations: - nginx.ingress.kubernetes.io/configuration-snippet: | - auth_request_set $auth_token $upstream_http_x_auth_request_token; - proxy_set_header Authorization "Bearer $auth_token"; nginx.ingress.kubernetes.io/proxy-connect-timeout: "1800" nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" From aa7ed30699647cb604cb51f55e58528d0140e2e9 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 15 Dec 2022 11:40:53 -0800 Subject: [PATCH 1383/1479] Use a Gafaelfawr anonymous ingress for datalinker Change the datalinker anonymous ingress to use the new Gafaelfawr anonymous ingress support. --- .../templates/ingress-anonymous.yaml | 44 +++++++++++-------- 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/services/datalinker/templates/ingress-anonymous.yaml b/services/datalinker/templates/ingress-anonymous.yaml index a646f7d3e3..8c8ab0c86f 100644 --- a/services/datalinker/templates/ingress-anonymous.yaml +++ b/services/datalinker/templates/ingress-anonymous.yaml 
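Review bot: `useAuthorization: true` is a field only the Gafaelfawr 8.0.0 CRD from the preceding commit knows about, and the same hunk removes the NGINX `configuration-snippet` that previously set the header, so an environment that syncs this chart before the updated CRD is installed would have the unknown field pruned or rejected and TAP would stop receiving a bearer token. A comment on the new line such as `# requires Gafaelfawr >= 8.0.0 (delegate.internal.useAuthorization in the GafaelfawrIngress CRD)` records the ordering dependency. Retiring the snippet is itself an improvement, since snippet annotations are arbitrary NGINX configuration and many clusters turn them off with `allow-snippet-annotations`; the context lines show the delegated internal token is requested with `scopes: []`, which keeps it least-privilege.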
@@ -1,23 +1,29 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ include "datalinker.fullname" . }}-anonymous labels: {{- include "datalinker.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/api/hips/list" - pathType: "Exact" - backend: - service: - name: {{ include "datalinker.fullname" . }} - port: - number: 8080 +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + anonymous: true +template: + metadata: + name: {{ include "datalinker.fullname" . }}-anonymous + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/hips/list" + pathType: "Exact" + backend: + service: + name: {{ include "datalinker.fullname" . }} + port: + number: 8080 From d9c800f9c98677abea2935df3b910e4c8fbaa9e2 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 21 Dec 2022 10:29:10 -0700 Subject: [PATCH 1384/1479] [DM-27254] Switch mobu -int back to dp0.1 This should at least let us know if we get errors running the old queries, or is it just the new queries? --- services/mobu/values-idfint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index 4b6733032f..b82fdb2cc0 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -41,4 +41,4 @@ autostart: restart: true options: tap_sync: true - tap_query_set: "dp0.2" + tap_query_set: "dp0.1" From bdff4284febf52bb232be85c89b5341b23d4e187 Mon Sep 17 00:00:00 2001 
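Review bot: The rewritten template drops `ingressClassName: "nginx"` from the generated Ingress spec, which the old resource set explicitly; unless the Gafaelfawr operator fills it in (not visible here), the resulting Ingress may not be claimed by the controller. Keeping `ingressClassName: "nginx"` under `template.spec` is harmless if the operator also sets it and avoids relying on a cluster default class. The `scopes: {anonymous: true}` block is the right fit for `/api/hips/list`, and the `nindent 6` change for the now-nested annotations looks correct.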
From: Christine Banek Date: Thu, 22 Dec 2022 10:26:26 -0700 Subject: [PATCH 1385/1479] [DM-37254] Go back to dp0.2, but try async If we're doing async queries, that might get around this connection reset, if the connection reset is between mobu and TAP. If it is somehow related to qserv, then the problem should persist. --- services/mobu/values-idfint.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml index b82fdb2cc0..ebb5d3b9fa 100644 --- a/services/mobu/values-idfint.yaml +++ b/services/mobu/values-idfint.yaml @@ -40,5 +40,5 @@ autostart: business: "TAPQueryRunner" restart: true options: - tap_sync: true - tap_query_set: "dp0.1" + tap_sync: false + tap_query_set: "dp0.2" From 801a959b618b03cac0298896c3a985a38d7d6345 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 16 Dec 2022 17:12:23 -0700 Subject: [PATCH 1386/1479] Add kafka-rest kafka user --- .../charts/strimzi-kafka/templates/users.yaml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml index aed7d28017..c25d660c59 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml @@ -152,3 +152,33 @@ spec: type: allow host: "*" operation: Read +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: kafka-rest + labels: + strimzi.io/cluster: {{ .Values.cluster.name }} +spec: + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: sasquatch + key: kafka-rest-password + authorization: + type: simple + acls: + - resource: + type: group + name: "*" + patternType: literal + operation: All + - resource: + type: topic + name: "sasquatch-test" + patternType: literal + type: allow + host: "*" + operation: All 
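Review bot: The first ACL for the new `kafka-rest` user grants `operation: All` on every consumer group (`name: "*"`), which includes deleting or resetting other applications' groups, and it is also the only rule in the hunk without an explicit `type: allow` and `host: "*"` while the neighbouring rules, including the context lines above, spell both out. A REST proxy that only needs to join groups gets by with `operation: Read` on the group resource (plus `Describe` if it lists groups), written with `type: allow` and `host: "*"` to match the other rules. Strimzi's default for `type` is allow (confirm against the operator version in use), so the omission is not a functional bug, but the inconsistency makes the grants harder to audit.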
From 919114e96fbd7169c56c0abb678a13cdf7d02734 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 16 Dec 2022 17:12:51 -0700 Subject: [PATCH 1387/1479] Add subchart for deploying Confluent REST proxy --- services/sasquatch/Chart.yaml | 4 + services/sasquatch/README.md | 3 +- .../sasquatch/charts/rest-proxy/Chart.yaml | 7 ++ .../sasquatch/charts/rest-proxy/README.md | 34 +++++++++ .../charts/rest-proxy/templates/_helpers.tpl | 52 +++++++++++++ .../rest-proxy/templates/deployment.yaml | 76 +++++++++++++++++++ .../charts/rest-proxy/templates/ingress.yaml | 27 +++++++ .../charts/rest-proxy/templates/service.yaml | 15 ++++ .../sasquatch/charts/rest-proxy/values.yaml | 70 +++++++++++++++++ .../charts/strimzi-kafka/templates/users.yaml | 4 +- services/sasquatch/values-idfdev.yaml | 6 ++ services/sasquatch/values.yaml | 5 +- 12 files changed, 299 insertions(+), 4 deletions(-) create mode 100644 services/sasquatch/charts/rest-proxy/Chart.yaml create mode 100644 services/sasquatch/charts/rest-proxy/README.md create mode 100644 services/sasquatch/charts/rest-proxy/templates/_helpers.tpl create mode 100644 services/sasquatch/charts/rest-proxy/templates/deployment.yaml create mode 100644 services/sasquatch/charts/rest-proxy/templates/ingress.yaml create mode 100644 services/sasquatch/charts/rest-proxy/templates/service.yaml create mode 100644 services/sasquatch/charts/rest-proxy/values.yaml diff --git a/services/sasquatch/Chart.yaml b/services/sasquatch/Chart.yaml index a98392d95f..ed7fc56ce6 100644 --- a/services/sasquatch/Chart.yaml +++ b/services/sasquatch/Chart.yaml @@ -30,6 +30,10 @@ dependencies: - name: telegraf-kafka-consumer condition: influxdb2.enabled version: 1.0.0 + - name: rest-proxy + condition: rest-proxy.enabled + version: 1.0.0 + annotations: phalanx.lsst.io/docs: | diff --git a/services/sasquatch/README.md b/services/sasquatch/README.md index 7890c319a0..82828b3073 100644 --- a/services/sasquatch/README.md +++ b/services/sasquatch/README.md 
@@ -67,6 +67,7 @@ Rubin Observatory's telemetry service. | kapacitor.resources.limits.memory | string | `"16Gi"` | | | kapacitor.resources.requests.cpu | int | `1` | | | kapacitor.resources.requests.memory | string | `"1Gi"` | | +| rest-proxy | object | `{"enabled":false}` | Override rest-proxy configuration. | | strimzi-kafka | object | `{}` | Override strimzi-kafka configuration. | | strimzi-registry-operator | object | `{"clusterName":"sasquatch","clusterNamespace":"sasquatch","operatorNamespace":"sasquatch"}` | strimzi-registry-operator configuration. | -| telegraf-kafka-consumer | object | `{}` | Override telegraf-kafka-consumer | +| telegraf-kafka-consumer | object | `{}` | Override telegraf-kafka-consumer configuration. | diff --git a/services/sasquatch/charts/rest-proxy/Chart.yaml b/services/sasquatch/charts/rest-proxy/Chart.yaml new file mode 100644 index 0000000000..54dcab4883 --- /dev/null +++ b/services/sasquatch/charts/rest-proxy/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: rest-proxy +version: 1.0.0 +description: A subchart to deploy Confluent REST proxy for Sasquatch. +sources: + - https://github.com/confluentinc/kafka-rest +appVersion: 6.2.8 diff --git a/services/sasquatch/charts/rest-proxy/README.md b/services/sasquatch/charts/rest-proxy/README.md new file mode 100644 index 0000000000..eb69b30296 --- /dev/null +++ b/services/sasquatch/charts/rest-proxy/README.md 
@@ -0,0 +1,34 @@ +# rest-proxy + +A subchart to deploy Confluent REST proxy for Sasquatch. + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity configuration. | +| configurationOverrides | object | `{"client.sasl.mechanism":"SCRAM-SHA-512","client.security.protocol":"SASL_PLAINTEXT"}` | Kafka REST configuration options | +| customEnv | string | `nil` | Kafka REST additional env variables | +| heapOptions | string | `"-Xms512M -Xmx512M"` | Kafka REST proxy JVM Heap Option | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. | +| image.repository | string | `"confluentinc/cp-kafka-rest"` | Kafka REST proxy image repository. | +| image.tag | string | `"6.2.8"` | Kafka REST proxy image tag. | +| ingress.annotations | object | `{"nginx.ingress.kubernetes.io/rewrite-target":"/$2"}` | Ingress annotations. | +| ingress.enabled | bool | `false` | Enable Ingress. This should be true to create an ingress rule for the application. | +| ingress.hostname | string | `""` | Ingress hostname. | +| ingress.path | string | `"/sasquatch-rest-proxy(/|$)(.*)"` | Ingress path. | +| kafka.bootstrapServers | string | `"SASL_PLAINTEXT://sasquatch-kafka-bootstrap.sasquatch:9092"` | Kafka bootstrap servers, use the internal listerner on port 9092 wit SASL connection. | +| nodeSelector | object | `{}` | Node selector configuration. | +| podAnnotations | object | `{}` | Pod annotations. | +| replicaCount | int | `1` | Number of Kafka REST proxy pods to run in the deployment. 
| +| resources.limits.cpu | int | `2` | Kafka REST proxy cpu limits | +| resources.limits.memory | string | `"4Gi"` | Kafka REST proxy memory limits | +| resources.requests.cpu | int | `1` | Kafka REST proxy cpu requests | +| resources.requests.memory | string | `"200Mi"` | Kafka REST proxy memory requests | +| schemaregistry.url | string | `"http://sasquatch-schema-registry.sasquatch:8081"` | Schema registry URL | +| service.port | int | `8082` | Kafka REST proxy service port | +| tolerations | list | `[]` | Tolerations configuration. | diff --git a/services/sasquatch/charts/rest-proxy/templates/_helpers.tpl b/services/sasquatch/charts/rest-proxy/templates/_helpers.tpl new file mode 100644 index 0000000000..bc68e03922 --- /dev/null +++ b/services/sasquatch/charts/rest-proxy/templates/_helpers.tpl 
@@ -0,0 +1,52 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "chart.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "chart.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "chart.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "rest-proxy.labels" -}} +helm.sh/chart: {{ include "chart.name" . }} +{{ include "rest-proxy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "rest-proxy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "chart.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} \ No newline at end of file diff --git a/services/sasquatch/charts/rest-proxy/templates/deployment.yaml b/services/sasquatch/charts/rest-proxy/templates/deployment.yaml new file mode 100644 index 0000000000..51b41c52a8 --- /dev/null +++ b/services/sasquatch/charts/rest-proxy/templates/deployment.yaml 
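Review bot: `rest-proxy.labels` sets `helm.sh/chart: {{ include "chart.name" . }}`, i.e. the bare chart name, while the `chart.chart` helper defined just above (name-version with `+` replaced) is never used; the conventional value is the name-version string, so the line should read `helm.sh/chart: {{ include "chart.chart" . }}`. The file also ends without a trailing newline (see the `\ No newline at end of file` marker), which most linters flag. Otherwise the helpers match the standard `helm create` scaffolding.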
@@ -0,0 +1,76 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "chart.fullname" . }} + labels: + {{- include "rest-proxy.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "rest-proxy.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "rest-proxy.selectorLabels" . | nindent 8 }} + annotations: + {{- with .Values.podAnnotations }} + {{ toYaml . | indent 8 }} + {{- end }} + spec: + automountServiceAccountToken: false + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: {{ include "chart.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + ports: + - name: rest-proxy + containerPort: {{ .Values.service.port }} + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + env: + - name: KAFKA_REST_HOST_NAME + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: KAFKA_REST_BOOTSTRAP_SERVERS + value: "{{ .Values.kafka.bootstrapServers }}" + - name: KAFKA_REST_SCHEMA_REGISTRY_URL + value: "{{ .Values.schemaregistry.url }}" + - name: KAFKA_REST_HEAP_OPTS + value: "{{ .Values.heapOptions }}" + - name: KAFKA_REST_CLIENT_SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: sasquatch + key: rest-proxy-sasl-jass-config + {{- range $key, $value := .Values.configurationOverrides }} + - name: {{ printf "KAFKA_REST_%s" $key | replace "." 
"_" | upper | quote }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.customEnv }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: + {{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{ toYaml .Values.affinity | indent 8 }} + {{- end }} \ No newline at end of file diff --git a/services/sasquatch/charts/rest-proxy/templates/ingress.yaml b/services/sasquatch/charts/rest-proxy/templates/ingress.yaml new file mode 100644 index 0000000000..a08ef2ee0e --- /dev/null +++ b/services/sasquatch/charts/rest-proxy/templates/ingress.yaml @@ -0,0 +1,27 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "chart.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "rest-proxy.labels" . | nindent 4 }} + annotations: + {{- with .Values.ingress.annotations }} + {{ toYaml . | indent 4 }} + {{- end }} +spec: + ingressClassName: "nginx" + rules: + - host: {{ .Values.ingress.hostname | quote }} + http: + paths: + - path: {{ $ingressPath }} + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ .Values.service.port }} +{{- end }} diff --git a/services/sasquatch/charts/rest-proxy/templates/service.yaml b/services/sasquatch/charts/rest-proxy/templates/service.yaml new file mode 100644 index 0000000000..cc0d190cc7 --- /dev/null +++ b/services/sasquatch/charts/rest-proxy/templates/service.yaml 
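Review bot: The container `securityContext` drops all capabilities and the pod runs as non-root, but neither sets `readOnlyRootFilesystem: true` nor a `seccompProfile`; add `readOnlyRootFilesystem: true` under the container securityContext and `seccompProfile: {type: RuntimeDefault}` under the pod securityContext if the cp-kafka-rest image tolerates them (confirm any scratch-file usage first). The `podAnnotations`, `nodeSelector`, `tolerations` and `affinity` blocks use `{{ toYaml ... | indent N }}` on their own lines while the rest of the file uses `nindent`; leading whitespace is not recoverable from this collapsed view, but if those template lines are themselves indented the first rendered line is double-indented, and `{{- toYaml . | nindent 8 }}` avoids that. The secret key `rest-proxy-sasl-jass-config` reads like a misspelling of JAAS; it has to match the key in the `sasquatch` secret, so rename both together or leave it as is. `annotations:` is emitted even when podAnnotations is empty, which renders a null value; moving the key inside the `with` block keeps the output tidy.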
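Review bot: This Ingress exposes the Kafka REST proxy on a public hostname with no authentication in front of it — it is a plain `networking.k8s.io/v1` Ingress rather than the `GafaelfawrIngress` the other services on this page use — and values-idfdev.yaml later in this commit enables it on data-dev.lsst.cloud. Anyone who can reach that host can then produce to and consume from whatever the `rest-proxy` Kafka user's ACLs allow. If external access is intended, front it with a GafaelfawrIngress (or at least an auth annotation) and record the decision in a comment above `ingress.enabled`; if only in-cluster clients need it, leave `ingress.enabled: false` and reach it through the ClusterIP service.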
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chart.fullname" . }} + labels: + {{- include "rest-proxy.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.service.port }} + targetPort: rest-proxy + protocol: TCP + name: rest-proxy + selector: + {{- include "rest-proxy.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/services/sasquatch/charts/rest-proxy/values.yaml b/services/sasquatch/charts/rest-proxy/values.yaml new file mode 100644 index 0000000000..50fdb6580b --- /dev/null +++ b/services/sasquatch/charts/rest-proxy/values.yaml 
@@ -0,0 +1,70 @@ +# Default values for kafka REST proxy + +# -- Number of Kafka REST proxy pods to run in the deployment. +replicaCount: 1 + +image: + # -- Kafka REST proxy image repository. + repository: confluentinc/cp-kafka-rest + # -- Image pull policy. + pullPolicy: IfNotPresent + # -- Kafka REST proxy image tag. + tag: 6.2.8 + +service: + # -- Kafka REST proxy service port + port: 8082 + +ingress: + # -- Enable Ingress. This should be true to create an ingress rule for the application. + enabled: false + # -- Ingress annotations. + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$2 + # -- Ingress hostname. + hostname: "" + # -- Ingress path. + path: /sasquatch-rest-proxy(/|$)(.*) + +# -- Kafka REST proxy JVM Heap Option +heapOptions: "-Xms512M -Xmx512M" + +# -- Kafka REST configuration options +configurationOverrides: + "client.security.protocol": SASL_PLAINTEXT + "client.sasl.mechanism": SCRAM-SHA-512 + +# -- Kafka REST additional env variables +customEnv: + +schemaregistry: + # -- Schema registry URL + url: "http://sasquatch-schema-registry.sasquatch:8081" + +kafka: + # -- Kafka bootstrap servers, use the internal listerner on port 9092 wit SASL connection. + bootstrapServers: "SASL_PLAINTEXT://sasquatch-kafka-bootstrap.sasquatch:9092" + +resources: + requests: + # -- Kafka REST proxy memory requests + memory: 200Mi + # -- Kafka REST proxy cpu requests + cpu: 1 + limits: + # -- Kafka REST proxy memory limits + memory: 4Gi + # -- Kafka REST proxy cpu limits + cpu: 2 + +# -- Node selector configuration. +nodeSelector: {} + +# -- Tolerations configuration. +tolerations: [] + +# -- Affinity configuration. +affinity: {} + +# -- Pod annotations. +podAnnotations: {} diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml index c25d660c59..360d3cce78 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml 
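Review bot: `customEnv:` in the new values.yaml has no value, which YAML reads as `null` rather than an empty mapping; write `customEnv: {}` as is already done for `nodeSelector`, `tolerations` and `affinity`, so the documented default is an empty map. The `kafka.bootstrapServers` comment has two typos (`listerner` → `listener`, `wit` → `with`). Worth a comment as well: the proxy is configured with `client.security.protocol: SASL_PLAINTEXT` on the 9092 listener, whereas the Strimzi bridge removed in the next commit on this page connected over TLS to 9093 — SCRAM-SHA-512 protects the credential exchange, but topic data then crosses the cluster network unencrypted, so if that is intentional it should be stated next to the setting. `tag: 6.2.8` parses as a string, but quoting it (`tag: "6.2.8"`) matches the convention the other values files in this repo use for image tags.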
+++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml @@ -156,7 +156,7 @@ spec: apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: - name: kafka-rest + name: rest-proxy labels: strimzi.io/cluster: {{ .Values.cluster.name }} spec: @@ -166,7 +166,7 @@ spec: valueFrom: secretKeyRef: name: sasquatch - key: kafka-rest-password + key: rest-proxy-password authorization: type: simple acls: diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml index b6314343f9..9ffce2cb52 100644 --- a/services/sasquatch/values-idfdev.yaml +++ b/services/sasquatch/values-idfdev.yaml @@ -43,6 +43,12 @@ kafdrop: enabled: true hostname: data-dev.lsst.cloud +rest-proxy: + enabled: true + ingress: + enabled: true + hostname: data-dev.lsst.cloud + chronograf: ingress: enabled: true diff --git a/services/sasquatch/values.yaml b/services/sasquatch/values.yaml index 5229f8e1cc..2fc6f39caf 100644 --- a/services/sasquatch/values.yaml +++ b/services/sasquatch/values.yaml @@ -121,9 +121,12 @@ influxdb2: # -- Override kafka-connect-manager configuration. kafka-connect-manager: {} -# -- Override telegraf-kafka-consumer +# -- Override telegraf-kafka-consumer configuration. telegraf-kafka-consumer: {} +# -- Override rest-proxy configuration. +rest-proxy: + enabled: false chronograf: # -- Chronograf image tag. From 4e2ff986575dcdfa0d8c2e7fe37bb656f711d401 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 28 Dec 2022 23:53:42 -0700 Subject: [PATCH 1388/1479] Remove Strimzi Kafka bridge - Strimzi Kafka bridge is replaced by the Confluent REST proxy --- .../strimzi-kafka/templates/bridge.yaml | 74 ------------------- 1 file changed, 74 deletions(-) delete mode 100644 services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml diff --git a/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml b/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml deleted file mode 100644 index 1185e2841f..0000000000 
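Review bot: The KafkaUser is renamed from `kafka-rest` to `rest-proxy` and its password now comes from key `rest-proxy-password` of the `sasquatch` secret, but nothing in this hunk shows the secret gaining that key; unless it is populated elsewhere (not visible here), Strimzi cannot reconcile the user because the referenced key is missing. It is also worth confirming that the rest-proxy chart's client configuration reads the same secret and key, since a mismatch would leave the proxy authenticating with stale credentials. Renaming rather than adding the resource should cause the old `kafka-rest` SCRAM user to be removed, which is the desired outcome once nothing else uses it. The enclosing KafkaUser document starts outside this hunk.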
--- a/services/sasquatch/charts/strimzi-kafka/templates/bridge.yaml +++ /dev/null @@ -1,74 +0,0 @@ -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaBridge -metadata: - name: {{ .Values.cluster.name }} -spec: - replicas: 1 - bootstrapServers: {{ .Values.cluster.name }}-kafka-bootstrap:9093 - http: - port: 8080 - tls: - trustedCertificates: - - secretName: {{ .Values.cluster.name }}-cluster-ca-cert - certificate: ca.crt - authentication: - type: tls - certificateAndKey: - secretName: {{ .Values.cluster.name }}-bridge - certificate: user.crt - key: user.key ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/rewrite-target: /$2 - name: {{ .Values.cluster.name }}-bridge -spec: - ingressClassName: nginx - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - backend: - service: - name: {{ .Values.cluster.name }}-bridge-service - port: - number: 8080 - path: /{{ .Values.cluster.name }}-bridge(/|$)(.*) - pathType: Prefix ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ .Values.cluster.name }}-bridge - labels: - strimzi.io/cluster: {{ .Values.cluster.name }} -spec: - authentication: - type: tls - authorization: - type: simple - acls: - - resource: - type: group - name: "*" - patternType: literal - operation: All - - resource: - type: topic - name: "object-table-core-metrics" - patternType: literal - type: allow - host: "*" - operation: All ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: object-table-core-metrics - labels: - strimzi.io/cluster: {{ .Values.cluster.name }} -spec: - partitions: 1 - replicas: 3 From 152c46cf9e9644fb4118cadca23029756db9436a Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 29 Dec 2022 18:11:22 +0000 Subject: [PATCH 1389/1479] Update Helm release argo-cd to v5.16.13 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 34b780c870..5f3df94d8e 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -8,5 +8,5 @@ sources: - https://github.com/argoproj/argo-helm dependencies: - name: argo-cd - version: 5.16.2 + version: 5.16.13 repository: https://argoproj.github.io/argo-helm From 298c1d54111a2c98b68b65d0f864458e0ca962d1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 3 Jan 2023 21:14:04 +0000 Subject: [PATCH 1390/1479] Update Helm release redis to v17.4.0 --- services/noteburst/Chart.yaml | 2 +- services/times-square/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 1a179e42dd..23dc4b6af4 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -14,7 +14,7 @@ maintainers: # Additional charts that this chart uses dependencies: - name: redis - version: 17.3.14 + version: 17.4.0 repository: https://charts.bitnami.com/bitnami annotations: diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index 5dc49215cb..acf4c4686e 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -12,7 +12,7 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.3.14 + version: 17.4.0 repository: https://charts.bitnami.com/bitnami annotations: From 2e1ac5c093bb250af8f864bd68b553aeef76169b Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 3 Jan 2023 21:13:27 +0000 Subject: [PATCH 1391/1479] Update redis Docker tag to v7.0.7 --- services/gafaelfawr/values.yaml | 2 +- services/portal/values.yaml | 2 +- services/vo-cutouts/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 19554710f0..3484d073e7 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -332,7 +332,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.5" + tag: "7.0.7" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 0883ebd561..740985f9c7 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -88,7 +88,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.5" + tag: "7.0.7" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index b5281a3c63..6ded6f10bd 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml @@ -144,7 +144,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.5" + tag: "7.0.7" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" From 92c6e975c1e146bb5d79391b4a88d037e7755094 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 3 Jan 2023 13:25:57 -0800 Subject: [PATCH 1392/1479] Update Helm docs --- services/gafaelfawr/README.md | 2 +- services/portal/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 1664fafe87..5b221822cb 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md 
@@ -93,7 +93,7 @@ Authentication and identity system | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.5"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.7"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | diff --git a/services/portal/README.md b/services/portal/README.md index f6c1bbaa21..71e64cf486 100644 --- a/services/portal/README.md +++ b/services/portal/README.md @@ -34,7 +34,7 @@ Rubin Science Platform Portal Aspect | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.5"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.7"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | | redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests | diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index ffb0516a62..e6dd5cfe39 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -53,7 +53,7 @@ Image cutout service complying with IVOA SODA | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.5"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.7"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | From 133e8072ed7119e2777c393df3a167eb17445bd4 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 3 Jan 2023 16:52:11 -0800 Subject: [PATCH 1393/1479] Use the new Redis chart for Portal Switch from its own deployment to the new simple Redis chart that will be used for Gafaelfawr, with persistence disabled. --- services/portal/Chart.yaml | 6 ++ services/portal/README.md | 8 +- services/portal/templates/deployment.yaml | 1 + .../portal/templates/redis-deployment.yaml | 78 ------------------- .../portal/templates/redis-networkpolicy.yaml | 26 ------- services/portal/templates/redis-service.yaml | 15 ---- services/portal/values.yaml | 28 ++++--- 7 files changed, 28 insertions(+), 134 deletions(-) delete mode 100644 services/portal/templates/redis-deployment.yaml delete mode 100644 services/portal/templates/redis-networkpolicy.yaml delete mode 100644 services/portal/templates/redis-service.yaml diff --git a/services/portal/Chart.yaml b/services/portal/Chart.yaml index 76a6d99501..a2b7f4cdcc 100644 --- a/services/portal/Chart.yaml +++ b/services/portal/Chart.yaml 
@@ -6,6 +6,12 @@ sources: - https://github.com/lsst/suit - https://github.com/Caltech-IPAC/firefly appVersion: "suit-2022.5.5" + +dependencies: + - name: redis + version: 0.1.4 + repository: https://lsst-sqre.github.io/charts/ + annotations: phalanx.lsst.io/docs: | - id: "DMTN-136" diff --git a/services/portal/README.md b/services/portal/README.md index 71e64cf486..3bcb860a68 100644 --- a/services/portal/README.md +++ b/services/portal/README.md 
@@ -32,12 +32,12 @@ Rubin Science Platform Portal Aspect | nodeSelector | object | `{}` | Node selector rules for the Portal pod | | podAnnotations | object | `{}` | Annotations for the Portal pod | | redis.affinity | object | `{}` | Affinity rules for the Redis pod | -| redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | -| redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.7"` | Redis image tag to use | +| redis.config.secretKey | string | `"ADMIN_PASSWORD"` | Key inside secret from which to get the Redis password (do not change) | +| redis.config.secretName | string | `"portal-secret"` | Name of secret containing Redis password (may require changing if fullnameOverride is set) | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | +| redis.persistance.enabled | bool | `false` | Whether to persist Redis storage. Setting this to false will use `emptyDir` and reset all data on every restart. | | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | -| redis.resources | object | `{"limits":{"memory":"20Mi"}}` | Resource limits and requests | +| redis.resources | object | See `values.yaml` | Resource limits and requests for the Redis pod | | redis.tolerations | list | `[]` | Tolerations for the Redis pod | | replicaCount | int | `1` | Number of pods to start | | resources | object | `{"limits":{"cpu":2,"memory":"6Gi"}}` | Resource limits and requests. The Portal will use (by default) 93% of container RAM. This is a smallish Portal; tweak it as you need to in instance definitions in Phalanx. | diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml index 2585616ac6..e8dce66935 100644 --- a/services/portal/templates/deployment.yaml +++ b/services/portal/templates/deployment.yaml 
@@ -19,6 +19,7 @@ spec: labels: {{- include "portal.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: "firefly" + portal-redis-client: "true" spec: automountServiceAccountToken: false containers: diff --git a/services/portal/templates/redis-deployment.yaml b/services/portal/templates/redis-deployment.yaml deleted file mode 100644 index 75e94b0203..0000000000 --- a/services/portal/templates/redis-deployment.yaml +++ /dev/null 
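Review bot: The new `portal-redis-client: "true"` pod label is presumably what the redis subchart's NetworkPolicy selects on, replacing the deleted `redis-networkpolicy.yaml` that limited Redis ingress to the `firefly` component and denied all egress; because that policy is removed in this same commit and the subchart is not visible here, confirm that the `redis` 0.1.4 dependency pinned in Chart.yaml actually ships an equivalent policy keyed on this label, otherwise the Portal's Redis becomes reachable from any pod in the namespace. The same check applies to the `vo-cutouts-redis-client: "true"` labels added in the later vo-cutouts commit on this page (db-worker, frontend and worker deployments), whose own Redis NetworkPolicy is likewise deleted. The enclosing pod template starts outside this hunk.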
@@ -1,78 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "portal.fullname" . }}-redis - labels: - {{- include "portal.labels" . | nindent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - {{- include "portal.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "redis" - template: - metadata: - {{- with .Values.redis.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "portal.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: "redis" - spec: - automountServiceAccountToken: false - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: "redis" - image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}" - imagePullPolicy: {{ .Values.redis.image.pullPolicy | quote }} - args: - - "redis-server" - - "--requirepass" - - "$(REDIS_PASSWORD)" - env: - - name: "REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ include "portal.fullname" . }}-secret - key: "ADMIN_PASSWORD" - ports: - - containerPort: 6379 - {{- with .Values.redis.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "all" - readOnlyRootFilesystem: true - volumeMounts: - - name: "data" - mountPath: "/data" - imagePullSecrets: - - name: "pull-secret" - securityContext: - fsGroup: 999 - runAsNonRoot: true - runAsUser: 999 - runAsGroup: 999 - volumes: - - name: "data" - emptyDir: {} - {{- with .Values.redis.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.redis.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.redis.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} 
diff --git a/services/portal/templates/redis-networkpolicy.yaml b/services/portal/templates/redis-networkpolicy.yaml deleted file mode 100644 index 56d8372d53..0000000000 --- a/services/portal/templates/redis-networkpolicy.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "portal.fullname" . }}-redis - labels: - {{- include "portal.labels" . | nindent 4 }} -spec: - podSelector: - # This policy controls inbound and outbound access to the Redis component. - matchLabels: - {{- include "portal.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "redis" - policyTypes: - - Ingress - # Deny all outbound access; Redis doesn't need to talk to anything. - - Egress - ingress: - # Allow inbound access to Redis from all other components. - - from: - - podSelector: - matchLabels: - {{- include "portal.selectorLabels" . | nindent 14 }} - app.kubernetes.io/component: "firefly" - ports: - - protocol: "TCP" - port: 6379 diff --git a/services/portal/templates/redis-service.yaml b/services/portal/templates/redis-service.yaml deleted file mode 100644 index 8a2d9113fd..0000000000 --- a/services/portal/templates/redis-service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "portal.fullname" . }}-redis - labels: - {{- include "portal.labels" . | nindent 4 }} -spec: - type: "ClusterIP" - ports: - - protocol: "TCP" - port: 6379 - targetPort: 6379 - selector: - {{- include "portal.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: "redis" diff --git a/services/portal/values.yaml b/services/portal/values.yaml index 740985f9c7..d61ec7da05 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml 
@@ -83,19 +83,25 @@ config: configNfs: {} redis: - image: - # -- Redis image to use - repository: "redis" - - # -- Redis image tag to use - tag: "7.0.7" - - # -- Pull policy for the Redis image - pullPolicy: "IfNotPresent" - - # -- Resource limits and requests + config: + # -- Name of secret containing Redis password (may require changing if + # fullnameOverride is set) + secretName: "portal-secret" + + # -- Key inside secret from which to get the Redis password (do not + # change) + secretKey: "ADMIN_PASSWORD" + + persistance: + # -- Whether to persist Redis storage. Setting this to false will use + # `emptyDir` and reset all data on every restart. + enabled: false + + # -- Resource limits and requests for the Redis pod + # @default -- See `values.yaml` resources: limits: + cpu: "1" memory: "20Mi" # -- Pod annotations for the Redis pod From 3556f517351098a9fee7eea7c1fc581d109f7643 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 3 Jan 2023 17:05:24 -0800 Subject: [PATCH 1394/1479] Really disable persistence for Portal Redis Spell persistence correctly so that the setting takes effect. --- services/portal/README.md | 2 +- services/portal/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/portal/README.md b/services/portal/README.md index 3bcb860a68..ba46958eba 100644 --- a/services/portal/README.md +++ b/services/portal/README.md 
@@ -35,7 +35,7 @@ Rubin Science Platform Portal Aspect | redis.config.secretKey | string | `"ADMIN_PASSWORD"` | Key inside secret from which to get the Redis password (do not change) | | redis.config.secretName | string | `"portal-secret"` | Name of secret containing Redis password (may require changing if fullnameOverride is set) | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | -| redis.persistance.enabled | bool | `false` | Whether to persist Redis storage. Setting this to false will use `emptyDir` and reset all data on every restart. | +| redis.persistence.enabled | bool | `false` | Whether to persist Redis storage. Setting this to false will use `emptyDir` and reset all data on every restart. | | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | | redis.resources | object | See `values.yaml` | Resource limits and requests for the Redis pod | | redis.tolerations | list | `[]` | Tolerations for the Redis pod | diff --git a/services/portal/values.yaml b/services/portal/values.yaml index d61ec7da05..a369100e8c 100644 --- a/services/portal/values.yaml +++ b/services/portal/values.yaml @@ -92,7 +92,7 @@ redis: # change) secretKey: "ADMIN_PASSWORD" - persistance: + persistence: # -- Whether to persist Redis storage. Setting this to false will use # `emptyDir` and reset all data on every restart. enabled: false From 2a791dbcb89627c6db53546122aa78e2f711bf6b Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Wed, 4 Jan 2023 08:09:07 -0800 Subject: [PATCH 1395/1479] Switch vo-cutouts to the new Redis chart --- services/vo-cutouts/Chart.yaml | 6 + services/vo-cutouts/README.md | 6 +- .../templates/db-worker-deployment.yaml | 1 + services/vo-cutouts/templates/deployment.yaml | 1 + .../templates/redis-networkpolicy.yaml | 34 ------ .../vo-cutouts/templates/redis-service.yml | 16 --- .../templates/redis-statefulset.yaml | 105 ------------------ .../templates/worker-deployment.yaml | 1 + services/vo-cutouts/values.yaml | 21 ++-- 9 files changed, 25 insertions(+), 166 deletions(-) delete mode 100644 services/vo-cutouts/templates/redis-networkpolicy.yaml delete mode 100644 services/vo-cutouts/templates/redis-service.yml delete mode 100644 services/vo-cutouts/templates/redis-statefulset.yaml diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index 36eec53b4e..53814d4373 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml @@ -5,6 +5,12 @@ description: "Image cutout service complying with IVOA SODA" sources: - "https://github.com/lsst-sqre/vo-cutouts" appVersion: 0.4.2 + +dependencies: + - name: redis + version: 0.1.4 + repository: https://lsst-sqre.github.io/charts/ + annotations: phalanx.lsst.io/docs: | - id: "DMTN-208" diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index e6dd5cfe39..40ff29b07a 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md 
@@ -51,9 +51,8 @@ Image cutout service complying with IVOA SODA | nodeSelector | object | `{}` | Node selector rules for the vo-cutouts frontend pod | | podAnnotations | object | `{}` | Annotations for the vo-cutouts frontend pod | | redis.affinity | object | `{}` | Affinity rules for the Redis pod | -| redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | -| redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.7"` | Redis image tag to use | +| redis.config.secretKey | string | `"redis-password"` | Key inside secret from which to get the Redis password (do not change) | +| redis.config.secretName | string | `"vo-cutouts-secret"` | Name of secret containing Redis password (may require changing if fullnameOverride is set) | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | @@ -61,6 +60,7 @@ Image cutout service complying with IVOA SODA | redis.persistence.storageClass | string | `""` | Class of storage to request | | redis.persistence.volumeClaimName | string | `""` | Use an existing PVC, not dynamic provisioning. If this is set, the size, storageClass, and accessMode settings are ignored. | | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | +| redis.resources | object | See `values.yaml` | Resource limits and requests for the Redis pod | | redis.tolerations | list | `[]` | Tolerations for the Redis pod | | replicaCount | int | `1` | Number of web frontend pods to start | | resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod | 
diff --git a/services/vo-cutouts/templates/db-worker-deployment.yaml b/services/vo-cutouts/templates/db-worker-deployment.yaml index c34097329d..142017495e 100644 --- a/services/vo-cutouts/templates/db-worker-deployment.yaml +++ b/services/vo-cutouts/templates/db-worker-deployment.yaml @@ -20,6 +20,7 @@ spec: labels: {{- include "vo-cutouts.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: "db-worker" + vo-cutouts-redis-client: "true" spec: {{- if .Values.cloudsql.enabled }} serviceAccountName: {{ include "vo-cutouts.fullname" . }} diff --git a/services/vo-cutouts/templates/deployment.yaml b/services/vo-cutouts/templates/deployment.yaml index 080aaf39b9..5414510289 100644 --- a/services/vo-cutouts/templates/deployment.yaml +++ b/services/vo-cutouts/templates/deployment.yaml @@ -20,6 +20,7 @@ spec: labels: {{- include "vo-cutouts.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: "frontend" + vo-cutouts-redis-client: "true" spec: {{- if .Values.cloudsql.enabled }} serviceAccountName: {{ include "vo-cutouts.fullname" . }} diff --git a/services/vo-cutouts/templates/redis-networkpolicy.yaml b/services/vo-cutouts/templates/redis-networkpolicy.yaml deleted file mode 100644 index 9fed7d7780..0000000000 --- a/services/vo-cutouts/templates/redis-networkpolicy.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "vo-cutouts.fullname" . }}-redis - labels: - {{- include "vo-cutouts.labels" . | nindent 4 }} -spec: - podSelector: - # This policy controls inbound and outbound access to the Redis component. - matchLabels: - {{- include "vo-cutouts.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "redis" - policyTypes: - - Ingress - # Deny all outbound access; Redis doesn't need to talk to anything. - - Egress - ingress: - # Allow inbound access to Redis from all other components. - - from: - - podSelector: - matchLabels: - {{- include "vo-cutouts.selectorLabels" . | nindent 14 }} - app.kubernetes.io/component: "frontend" - - podSelector: - matchLabels: - {{- include "vo-cutouts.selectorLabels" . | nindent 14 }} - app.kubernetes.io/component: "worker" - - podSelector: - matchLabels: - {{- include "vo-cutouts.selectorLabels" . | nindent 14 }} - app.kubernetes.io/component: "db-worker" - ports: - - protocol: "TCP" - port: 6379 diff --git a/services/vo-cutouts/templates/redis-service.yml b/services/vo-cutouts/templates/redis-service.yml deleted file mode 100644 index 4e8a6e9c8f..0000000000 --- a/services/vo-cutouts/templates/redis-service.yml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "vo-cutouts.fullname" . }}-redis - labels: - {{- include "vo-cutouts.labels" . | nindent 4 }} -spec: - type: ClusterIP - ports: - - port: 6379 - protocol: "TCP" - targetPort: 6379 - selector: - {{- include "vo-cutouts.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: "redis" - sessionAffinity: None diff --git a/services/vo-cutouts/templates/redis-statefulset.yaml b/services/vo-cutouts/templates/redis-statefulset.yaml deleted file mode 100644 index 5472d8b914..0000000000 --- a/services/vo-cutouts/templates/redis-statefulset.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "vo-cutouts.fullname" . }}-redis - labels: - {{- include "vo-cutouts.labels" . | nindent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - {{- include "vo-cutouts.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: "redis" - serviceName: "redis" - template: - metadata: - {{- with .Values.redis.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "vo-cutouts.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: "redis" - spec: - automountServiceAccountToken: false - containers: - - name: "redis" - image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}" - imagePullPolicy: {{ .Values.redis.image.pullPolicy | quote }} - args: - - "redis-server" - - "--appendonly" - - "yes" - - "--requirepass" - - "$(REDIS_PASSWORD)" - env: - - name: "REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "vo-cutouts.fullname" . }}-secret - key: "redis-password" - livenessProbe: - exec: - command: - - "sh" - - "-c" - - "redis-cli -h $(hostname) incr health:counter" - initialDelaySeconds: 15 - periodSeconds: 30 - ports: - - containerPort: 6379 - resources: - limits: - cpu: "1" - requests: - cpu: "100m" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "all" - readOnlyRootFilesystem: true - volumeMounts: - - name: {{ template "vo-cutouts.fullname" . }}-redis-data - mountPath: "/data" - securityContext: - fsGroup: 999 - runAsNonRoot: true - runAsUser: 999 - runAsGroup: 999 - {{- if (not .Values.redis.persistence.enabled) }} - volumes: - - name: {{ template "vo-cutouts.fullname" . }}-redis-data - emptyDir: {} - {{- else if .Values.redis.persistence.volumeClaimName }} - volumes: - - name: {{ template "vo-cutouts.fullname" . 
}}-redis-data - persistentVolumeClaim: - claimName: {{ .Values.redis.persistence.volumeClaimName | quote }} - {{- end }} - {{- with .Values.redis.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.redis.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.redis.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if (and .Values.redis.persistence.enabled (not .Values.redis.persistence.volumeClaimName)) }} - volumeClaimTemplates: - - metadata: - name: {{ template "vo-cutouts.fullname" . }}-redis-data - spec: - accessModes: - - {{ .Values.redis.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.redis.persistence.size | quote }} - {{- if .Values.redis.persistence.storageClass }} - storageClassName: {{ .Values.redis.persistence.storageClass | quote }} - {{- end }} - {{- end }} diff --git a/services/vo-cutouts/templates/worker-deployment.yaml b/services/vo-cutouts/templates/worker-deployment.yaml index 869617288b..0a5dfa7f80 100644 --- a/services/vo-cutouts/templates/worker-deployment.yaml +++ b/services/vo-cutouts/templates/worker-deployment.yaml @@ -20,6 +20,7 @@ spec: labels: {{- include "vo-cutouts.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: "worker" + vo-cutouts-redis-client: "true" spec: automountServiceAccountToken: false diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml index 6ded6f10bd..a553fdfb99 100644 --- a/services/vo-cutouts/values.yaml +++ b/services/vo-cutouts/values.yaml 
@@ -139,15 +139,14 @@ databaseWorker: affinity: {} redis: - image: - # -- Redis image to use - repository: "redis" - - # -- Redis image tag to use - tag: "7.0.7" + config: + # -- Name of secret containing Redis password (may require changing if + # fullnameOverride is set) + secretName: "vo-cutouts-secret" - # -- Pull policy for the Redis image - pullPolicy: "IfNotPresent" + # -- Key inside secret from which to get the Redis password (do not + # change) + secretKey: "redis-password" persistence: # -- Whether to persist Redis storage and thus tokens. Setting this to @@ -168,6 +167,12 @@ redis: # size, storageClass, and accessMode settings are ignored. volumeClaimName: "" + # -- Resource limits and requests for the Redis pod + # @default -- See `values.yaml` + resources: + limits: + cpu: "1" + # -- Pod annotations for the Redis pod podAnnotations: {} From 41edb39a5f82175fc4e8db590841489afa704101 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 4 Jan 2023 14:17:18 -0800 Subject: [PATCH 1396/1479] Fix Gafaelfawr Redis NetworkPolicy tokens was renamed to operator. --- services/gafaelfawr/templates/redis-networkpolicy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/templates/redis-networkpolicy.yaml b/services/gafaelfawr/templates/redis-networkpolicy.yaml index 04c1f6c383..3a7adfb52f 100644 --- a/services/gafaelfawr/templates/redis-networkpolicy.yaml +++ b/services/gafaelfawr/templates/redis-networkpolicy.yaml @@ -32,7 +32,7 @@ spec: - podSelector: matchLabels: {{- include "gafaelfawr.selectorLabels" . | nindent 14 }} - app.kubernetes.io/component: "tokens" + app.kubernetes.io/component: "operator" ports: - protocol: "TCP" port: 6379 From a91a986631e8a05aece9287ba2676e156c0f4ec3 Mon Sep 17 00:00:00 2001 
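Review bot: The `redis.resources` default added in the second hunk sets only `limits.cpu: "1"`, with no memory limit and no requests, so the Redis pod can grow until the node evicts it and the scheduler has nothing to place it by; every environment inherits this default. Add a `memory` entry under `limits` and a matching `requests` block sized for the expected job-state volume, and mention the sizing rationale in the `@default` comment. The fixed `secretName: "vo-cutouts-secret"` in the first hunk replaces a name the removed StatefulSet derived from the fullname template; the comment notes the `fullnameOverride` case, but since subchart values are not templated (as far as I can tell) a mismatch would only surface as a failed secret mount at runtime, which is worth stating in that comment, e.g. `# (a mismatch only shows up as a failed secret mount on the Redis pod)`.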
From: Russ Allbery Date: Wed, 4 Jan 2023 15:18:26 -0800 Subject: [PATCH 1397/1479] Convert cachemachine to GafaelfawrIngress --- services/cachemachine/README.md | 5 +- .../templates/ingress-anonymous.yaml | 46 +++++++++++-------- services/cachemachine/templates/ingress.yaml | 32 +++++++------ services/cachemachine/values.yaml | 7 +-- 4 files changed, 47 insertions(+), 43 deletions(-) diff --git a/services/cachemachine/README.md b/services/cachemachine/README.md index 7437701fb7..1ed392e993 100644 --- a/services/cachemachine/README.md +++ b/services/cachemachine/README.md @@ -19,9 +19,8 @@ JupyterLab image prepuller | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the cachemachine image | | image.repository | string | `"lsstsqre/cachemachine"` | cachemachine image to use | | image.tag | string | The appVersion of the chart | Tag of cachemachine image to use | -| ingress.annotations | object | `{}` | Additional annotations to add for endpoints that are authenticated. | -| ingress.anonymousAnnotations | object | `{}` | Additional annotations to add for endpoints that allow anonymous access, such as `/*/available`. | -| ingress.gafaelfawrAuthQuery | string | `"scope=exec:admin"` | Gafaelfawr auth query string | +| ingress.annotations | object | `{}` | Additional annotations to add for endpoints that are authenticated | +| ingress.anonymousAnnotations | object | `{}` | Additional annotations to add for endpoints that allow anonymous access, such as `/*/available` | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the cachemachine frontend pod | | podAnnotations | object | `{}` | Annotations for the cachemachine frontend pod | diff --git a/services/cachemachine/templates/ingress-anonymous.yaml b/services/cachemachine/templates/ingress-anonymous.yaml index 081aed5717..4ac68ad654 100644 --- a/services/cachemachine/templates/ingress-anonymous.yaml 
+++ b/services/cachemachine/templates/ingress-anonymous.yaml @@ -1,24 +1,30 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: - annotations: - nginx.ingress.kubernetes.io/use-regex: "true" - {{- with .Values.ingress.anonymousAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} name: {{ template "cachemachine.fullname" . }}-anonymous labels: {{- include "cachemachine.labels" . | nindent 4 }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/cachemachine/.*/(available|desired)" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ template "cachemachine.fullname" . }} - port: - number: 80 +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + anonymous: true +template: + metadata: + name: {{ template "cachemachine.fullname" . }}-anonymous + annotations: + nginx.ingress.kubernetes.io/use-regex: "true" + {{- with .Values.ingress.anonymousAnnotations }} + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/cachemachine/.*/(available|desired)" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ template "cachemachine.fullname" . }} + port: + number: 80 diff --git a/services/cachemachine/templates/ingress.yaml b/services/cachemachine/templates/ingress.yaml index aaffd33acb..0fe53f9cee 100644 --- a/services/cachemachine/templates/ingress.yaml +++ b/services/cachemachine/templates/ingress.yaml 
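Review bot: The anonymous path `"/cachemachine/.*/(available|desired)"` is not end-anchored, and with `use-regex: "true"` ingress-nginx, as far as I recall, anchors only the start of the pattern, so any URL that merely begins with `/cachemachine/<x>/available` or `/desired` (a longer suffix, a nested sub-path) is routed with `anonymous: true`; because regex locations win over the prefix location, that also bypasses the `exec:admin` scope on the authenticated ingress. Tightening it to `"/cachemachine/[^/]+/(available|desired)$"` limits the unauthenticated surface to exactly the two read-only endpoints the values.yaml comment describes. If the backend deliberately serves sub-paths of those routes, a comment on the `path:` line saying so would settle the question for the next reviewer.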
@@ -1,22 +1,24 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: - annotations: - {{- if .Values.ingress.gafaelfawrAuthQuery }} - nginx.ingress.kubernetes.io/auth-method: "GET" - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User" - nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.global.baseUrl }}/login" - nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.baseUrl }}/auth?{{ .Values.ingress.gafaelfawrAuthQuery }}" - {{- end }} - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} name: {{ template "cachemachine.fullname" . }} labels: {{- include "cachemachine.labels" . | nindent 4 }} -spec: - ingressClassName: "nginx" - rules: +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + all: + - "exec:admin" + loginRedirect: true +template: + metadata: + name: {{ template "cachemachine.fullname" . }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: paths: diff --git a/services/cachemachine/values.yaml b/services/cachemachine/values.yaml index 22c629f672..f6c7d38961 100644 --- a/services/cachemachine/values.yaml +++ b/services/cachemachine/values.yaml @@ -27,14 +27,11 @@ serviceAccount: annotations: {} ingress: - # -- Gafaelfawr auth query string - gafaelfawrAuthQuery: "scope=exec:admin" - - # -- Additional annotations to add for endpoints that are authenticated. + # -- Additional annotations to add for endpoints that are authenticated annotations: {} # -- Additional annotations to add for endpoints that allow anonymous - # access, such as `/*/available`. + # access, such as `/*/available` anonymousAnnotations: {} # -- Resource limits and requests for the cachemachine frontend pod From 3e9406dd511e65da465af0de171168b63b39c399 Mon Sep 17 00:00:00 2001 
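Review bot: The removed Ingress explicitly requested `nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User"`, and the new `config:` block has no equivalent, so whether cachemachine still receives the authenticated username now depends on what the Gafaelfawr operator forwards by default, which is not visible in this diff. If cachemachine reads that header, either set the corresponding field in `config:` (the GafaelfawrIngress schema is outside this page, so I cannot name it) or add a comment above `scopes:` such as `# Relies on the operator forwarding X-Auth-Request-User by default`. If the header is no longer consumed, a one-line comment saying so would close the question.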
From: Russ Allbery Date: Wed, 4 Jan 2023 15:22:39 -0800 Subject: [PATCH 1398/1479] Convert semaphore to GafaelfawrIngress --- services/semaphore/templates/ingress.yaml | 41 +++++++++++++---------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/services/semaphore/templates/ingress.yaml b/services/semaphore/templates/ingress.yaml index 8074af0fca..9c6a3a8ba1 100644 --- a/services/semaphore/templates/ingress.yaml +++ b/services/semaphore/templates/ingress.yaml @@ -1,25 +1,32 @@ {{- if .Values.ingress.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ template "semaphore.fullname" . }} labels: {{- include "semaphore.labels" . | nindent 4 }} - annotations: +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + anonymous: true +template: + metadata: + name: {{ template "semaphore.fullname" . }} {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: {{ .Values.ingress.path }} - pathType: "Prefix" - backend: - service: - name: {{ template "semaphore.fullname" . }} - port: - number: 80 + spec: + ingressClassName: "nginx" + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: {{ .Values.ingress.path | quote }} + pathType: "Prefix" + backend: + service: + name: {{ template "semaphore.fullname" . }} + port: + number: 80 {{- end }} From 979a5b0b2ac60467a985f1f27c84da2efbfb82ac Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 4 Jan 2023 15:24:52 -0800 Subject: [PATCH 1399/1479] Convert squareone to GafaelfawrIngress --- services/squareone/templates/ingress.yaml | 61 +++++++++++++---------- 1 file changed, 34 insertions(+), 27 deletions(-) 
diff --git a/services/squareone/templates/ingress.yaml b/services/squareone/templates/ingress.yaml index 3b5c633c71..0a0d9c8741 100644 --- a/services/squareone/templates/ingress.yaml +++ b/services/squareone/templates/ingress.yaml @@ -1,35 +1,42 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "squareone.fullname" . -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ $fullName }} labels: {{- include "squareone.labels" . | nindent 4 }} - annotations: +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + anonymous: true +template: + metadata: + name: {{ $fullName }} + annotations: + {{- if .Values.ingress.tls }} + cert-manager.io/cluster-issuer: "letsencrypt-dns" + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 6 }} + {{- end }} + spec: + ingressClassName: "nginx" {{- if .Values.ingress.tls }} - cert-manager.io/cluster-issuer: "letsencrypt-dns" + tls: + - hosts: + - {{ required "global.host must be set" .Values.global.host | quote }} + secretName: "squareone-tls" {{- end }} - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: "nginx" - {{- if .Values.ingress.tls }} - tls: - - hosts: - - {{ required "global.host must be set" .Values.global.host | quote }} - secretName: squareone-tls - {{- end }} - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ $fullName }} - port: - number: 80 - {{- end }} + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/" + pathType: "Prefix" + backend: + service: + name: {{ $fullName }} + port: + number: 80 +{{- end }} From 006c2f44bbbb43f3232c5a24e8377aa7fe230420 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Wed, 4 Jan 2023 15:27:33 -0800 Subject: [PATCH 1400/1479] Convert anonymous TAP ingress to GafaelfawrIngress --- .../tap/templates/tap-ingress-anonymous.yaml | 60 ++++++++++--------- 1 file changed, 33 insertions(+), 27 deletions(-) diff --git a/services/tap/templates/tap-ingress-anonymous.yaml b/services/tap/templates/tap-ingress-anonymous.yaml index 7cf13ecf40..068fcb1f4b 100644 --- a/services/tap/templates/tap-ingress-anonymous.yaml +++ b/services/tap/templates/tap-ingress-anonymous.yaml 
@@ -1,31 +1,37 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ template "cadc-tap.fullname" . }}-anonymous labels: {{- include "cadc-tap.labels" . | nindent 4 }} - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: "900" - nginx.ingress.kubernetes.io/proxy-send-timeout: "900" - nginx.ingress.kubernetes.io/proxy-read-timeout: "900" - nginx.ingress.kubernetes.io/rewrite-target: "/tap/$1" - nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/" - nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/tap/" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/use-regex: "true" - {{- with .Values.ingress.anonymousAnnotations }} - {{- toYaml . | indent 4}} - {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "/api/tap/(availability|capabilities|swagger-ui.*)" - pathType: "ImplementationSpecific" - backend: - service: - name: {{ template "cadc-tap.fullname" . }} - port: - number: 80 +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + anonymous: true +template: + metadata: + name: {{ template "cadc-tap.fullname" . }}-anonymous + annotations: + nginx.ingress.kubernetes.io/proxy-connect-timeout: "900" + nginx.ingress.kubernetes.io/proxy-send-timeout: "900" + nginx.ingress.kubernetes.io/proxy-read-timeout: "900" + nginx.ingress.kubernetes.io/rewrite-target: "/tap/$1" + nginx.ingress.kubernetes.io/proxy-redirect-from: "http://$host/tap/" + nginx.ingress.kubernetes.io/proxy-redirect-to: "https://$host/api/tap/" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/use-regex: "true" + {{- with .Values.ingress.anonymousAnnotations }} + {{- toYaml . 
| indent 4}} + {{- end }} + spec: + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "/api/tap/(availability|capabilities|swagger-ui.*)" + pathType: "ImplementationSpecific" + backend: + service: + name: {{ template "cadc-tap.fullname" . }} + port: + number: 80 From e3ef5e55140d75c30e88c0adc3e7a54c4147e6ad Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 4 Jan 2023 15:27:59 -0800 Subject: [PATCH 1401/1479] Remove some stray ingressClassName settings --- services/semaphore/templates/ingress.yaml | 1 - services/squareone/templates/ingress.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/services/semaphore/templates/ingress.yaml b/services/semaphore/templates/ingress.yaml index 9c6a3a8ba1..dc174e7aa3 100644 --- a/services/semaphore/templates/ingress.yaml +++ b/services/semaphore/templates/ingress.yaml @@ -17,7 +17,6 @@ template: {{- toYaml . | nindent 6 }} {{- end }} spec: - ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: diff --git a/services/squareone/templates/ingress.yaml b/services/squareone/templates/ingress.yaml index 0a0d9c8741..5ee4d13d6a 100644 --- a/services/squareone/templates/ingress.yaml +++ b/services/squareone/templates/ingress.yaml @@ -21,7 +21,6 @@ template: {{- toYaml . | nindent 6 }} {{- end }} spec: - ingressClassName: "nginx" {{- if .Values.ingress.tls }} tls: - hosts: From 83ff406d9496e02c67d65c627d45b3ebd0e840ed Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 4 Jan 2023 15:30:52 -0800 Subject: [PATCH 1402/1479] Convert times-square webhook ingress to GafaelfawrIngress --- .../templates/ingress-webhooks.yaml | 41 +++++++++++-------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/services/times-square/templates/ingress-webhooks.yaml b/services/times-square/templates/ingress-webhooks.yaml index 4a1d940720..d969cd18b5 100644 --- a/services/times-square/templates/ingress-webhooks.yaml 
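Review bot: In the new `template.metadata.annotations` block, `{{- toYaml . | indent 4}}` emits any `ingress.anonymousAnnotations` at four columns while the fixed annotations around it now sit at six (the block moved under `template:`), and because both the `with` and the `toYaml` tags start with `{{-`, the newline after `use-regex: "true"` is trimmed and a non-empty override is concatenated onto that line; the result is mis-nested or unparseable YAML as soon as anyone sets the value. The sibling cachemachine template in this series uses `{{- toYaml . | nindent 6 }}`; the same form here, `{{- toYaml . | nindent 6 }}`, fixes both the level and the missing newline. Separately, `"/api/tap/(availability|capabilities|swagger-ui.*)"` is not end-anchored, so `availability` and `capabilities` also match longer suffixes anonymously; `(availability|capabilities|swagger-ui.*)$` would narrow that if the backend has nothing else below those paths.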
+++ b/services/times-square/templates/ingress-webhooks.yaml @@ -1,23 +1,30 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gafaelfawr.lsst.io/v1alpha1 +kind: GafaelfawrIngress metadata: name: {{ include "times-square.fullname" . }}-github-webhook labels: {{- include "times-square.labels" . | nindent 4 }} - annotations: +config: + baseUrl: {{ .Values.global.baseUrl | quote }} + scopes: + anonymous: true +template: + metadata: + name: {{ include "times-square.fullname" . }}-github-webhook {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 6 }} {{- end }} -spec: - ingressClassName: "nginx" - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: "{{ .Values.ingress.path }}/github" - pathType: "Prefix" - backend: - service: - name: {{ include "times-square.fullname" . }} - port: - number: {{ .Values.service.port }} + spec: + ingressClassName: "nginx" + rules: + - host: {{ required "global.host must be set" .Values.global.host | quote }} + http: + paths: + - path: "{{ .Values.ingress.path }}/github" + pathType: "Prefix" + backend: + service: + name: {{ include "times-square.fullname" . }} + port: + number: {{ .Values.service.port }} From 1d7422a8b206c360c25e75996f3d606e9144b116 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 5 Jan 2023 11:30:29 -0800 Subject: [PATCH 1403/1479] Add documentation for ingress-nginx settings --- services/ingress-nginx/README.md | 19 +++++++++---------- services/ingress-nginx/values.yaml | 27 +++++++++++++++++++++++++-- 2 files changed, 34 insertions(+), 12 deletions(-) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index dbf2869d27..424c4c9c2f 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md 
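Review bot: `ingressClassName: "nginx"` under `template.spec` is the same stray setting the preceding commit ("Remove some stray ingressClassName settings") just deleted from the semaphore and squareone templates, so this conversion reintroduces the inconsistency; drop the line unless the Gafaelfawr operator needs it, which the other converted templates suggest it does not. Since this ingress is `anonymous: true` and fronts the GitHub webhook receiver, the only remaining authentication is whatever payload signature check times-square performs; a comment above `scopes:` such as `# Anonymous by design: GitHub calls this endpoint; the app must verify the webhook signature` would make that dependency explicit for future readers.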
@@ -13,14 +13,13 @@ Ingress controller | Key | Type | Default | Description | |-----|------|---------|-------------| | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| ingress-nginx.controller.config.compute-full-forwarded-for | string | `"true"` | | -| ingress-nginx.controller.config.large-client-header-buffers | string | `"4 64k"` | | -| ingress-nginx.controller.config.proxy-body-size | string | `"100m"` | | -| ingress-nginx.controller.config.proxy-buffer-size | string | `"64k"` | | -| ingress-nginx.controller.config.ssl-redirect | string | `"true"` | | -| ingress-nginx.controller.config.use-forwarded-headers | string | `"true"` | | -| ingress-nginx.controller.metrics.enabled | bool | `true` | | -| ingress-nginx.controller.podLabels."gafaelfawr.lsst.io/ingress" | string | `"true"` | | -| ingress-nginx.controller.podLabels."hub.jupyter.org/network-access-proxy-http" | string | `"true"` | | -| ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | +| ingress-nginx.controller.config.compute-full-forwarded-for | string | `"true"` | Put the complete path in `X-Forwarded-For`, not just the last hop, so that the client IP will be exposed to Gafaelfawr | +| ingress-nginx.controller.config.large-client-header-buffers | string | `"4 64k"` | Increase the buffer size for client headers because we may have JWTs in the client request | +| ingress-nginx.controller.config.proxy-body-size | string | `"100m"` | Maximum size of the client request body (needs to be large enough to allow table uploads) | +| ingress-nginx.controller.config.proxy-buffer-size | string | `"64k"` | Increase the buffer size for responses from backend servers to allow for longer headers | +| ingress-nginx.controller.config.ssl-redirect | string | `"true"` | Redirect all non-SSL access to SSL. 
| +| ingress-nginx.controller.config.use-forwarded-headers | string | `"true"` | Enable the `X-Forwarded-For` processing | +| ingress-nginx.controller.metrics.enabled | bool | `true` | Enable metrics reporting via Prometheus | +| ingress-nginx.controller.podLabels | object | `{"gafaelfawr.lsst.io/ingress":"true","hub.jupyter.org/network-access-proxy-http":"true"}` | Add labels used by `NetworkPolicy` objects to restrict access to the ingress and thus ensure that auth subrequest handlers run | +| ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | Force traffic routing policy to Local so that the external IP in `X-Forwarded-For` will be correct | | vaultCertificate.enabled | bool | `false` | Whether to store ingress TLS certificate via vault-secrets-operator. Typically "squareone" owns it instead in an RSP. | diff --git a/services/ingress-nginx/values.yaml b/services/ingress-nginx/values.yaml index a7ad11fd0a..aa87dc3415 100644 --- a/services/ingress-nginx/values.yaml +++ b/services/ingress-nginx/values.yaml 
@@ -1,20 +1,43 @@ -## Ingress configuration -## https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml +# Ingress configuration +# https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml ingress-nginx: controller: config: + # -- Put the complete path in `X-Forwarded-For`, not just the last hop, + # so that the client IP will be exposed to Gafaelfawr compute-full-forwarded-for: "true" + + # -- Increase the buffer size for client headers because we may have + # JWTs in the client request large-client-header-buffers: "4 64k" + + # -- Maximum size of the client request body (needs to be large enough + # to allow table uploads) proxy-body-size: "100m" + + # -- Increase the buffer size for responses from backend servers to + # allow for longer headers proxy-buffer-size: "64k" + + # -- Redirect all non-SSL access to SSL. ssl-redirect: "true" + + # -- Enable the `X-Forwarded-For` processing use-forwarded-headers: "true" + service: + # -- Force traffic routing policy to Local so that the external IP in + # `X-Forwarded-For` will be correct externalTrafficPolicy: Local + + # -- Add labels used by `NetworkPolicy` objects to restrict access to the + # ingress and thus ensure that auth subrequest handlers run podLabels: gafaelfawr.lsst.io/ingress: "true" hub.jupyter.org/network-access-proxy-http: "true" + metrics: + # -- Enable metrics reporting via Prometheus enabled: true vaultCertificate: From 794c0673f8fb7dc6130388a3ee44a06738472b8b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Jan 2023 02:25:25 +0000 Subject: [PATCH 1404/1479] Update Helm release argo-cd to v5.16.14 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index 5f3df94d8e..ab4cb13e5f 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml 
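Review bot: The new comment on `use-forwarded-headers: "true"` says what it enables but not the trust it implies: with this setting nginx honours an `X-Forwarded-For` header supplied by whoever connects to it, so unless the controller is reachable only through the cloud load balancer, a client can prepend a fake address and the IP Gafaelfawr sees is attacker-influenced (`compute-full-forwarded-for` keeps the real last hop in the chain, but only helps if the consumer reads the right element). Suggest extending the comment to `# Trusts client-supplied X-Forwarded-For; only safe while the controller is reachable solely through the load balancer. Restrict with proxy-real-ip-cidr if that changes.` The `externalTrafficPolicy` comment could also note that `Local` means only nodes running a controller pod accept traffic, which matters for replica placement.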
@@ -8,5 +8,5 @@ sources: - https://github.com/argoproj/argo-helm dependencies: - name: argo-cd - version: 5.16.13 + version: 5.16.14 repository: https://argoproj.github.io/argo-helm From d9f0182eb5b8dbf6db86801bc8cd2789d3dfbab8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Jan 2023 18:19:40 +0000 Subject: [PATCH 1405/1479] Update Helm release ingress-nginx to v4.4.2 --- services/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/Chart.yaml b/services/ingress-nginx/Chart.yaml index 5128abc18e..c797f1c90a 100644 --- a/services/ingress-nginx/Chart.yaml +++ b/services/ingress-nginx/Chart.yaml @@ -7,5 +7,5 @@ sources: - https://github.com/kubernetes/ingress-nginx dependencies: - name: ingress-nginx - version: 4.4.0 + version: 4.4.2 repository: https://kubernetes.github.io/ingress-nginx From 903fc64d2f069ecb38a41f05177fc631de353e41 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 6 Jan 2023 13:43:14 -0800 Subject: [PATCH 1406/1479] Convert noteburst and times-square to new Redis chart Use the new internal Redis chart that only creates a single instance, since in practice we were only using the master created by the Bitnami chart. Use SSD storage for Redis on IDF dev. Although authentication was enabled in values.yaml for noteburst, Redis authentication was not actually in use so far as I could determine, so do not configure authentication and rely on the NetworkPolicy to control access. (Ideally we should add a secret, but we can tackle this later after we simplify secret management.) --- services/noteburst/Chart.yaml | 5 +-- services/noteburst/README.md | 10 ++++- services/noteburst/templates/configmap.yaml | 2 +- services/noteburst/templates/deployment.yaml | 1 + .../noteburst/templates/worker-configmap.yaml | 4 +- .../templates/worker-deployment.yaml | 1 + services/noteburst/values-idfdev.yaml | 5 +++ services/noteburst/values.yaml | 35 ++++++++++++++++- services/times-square/Chart.yaml | 4 +- services/times-square/README.md | 15 +++++-- .../times-square/templates/deployment.yaml | 1 + .../templates/worker-deployment.yaml | 1 + services/times-square/values-idfdev.yaml | 5 ++- services/times-square/values.yaml | 39 ++++++++++++++++--- 14 files changed, 106 insertions(+), 22 deletions(-) diff --git a/services/noteburst/Chart.yaml b/services/noteburst/Chart.yaml index 23dc4b6af4..c6b06801f8 100644 --- a/services/noteburst/Chart.yaml +++ b/services/noteburst/Chart.yaml @@ -11,11 +11,10 @@ maintainers: - name: jonathansick url: https://github.com/jonathansick -# Additional charts that this chart uses dependencies: - name: redis - version: 17.4.0 - repository: https://charts.bitnami.com/bitnami + version: 0.1.4 + repository: https://lsst-sqre.github.io/charts/ annotations: phalanx.lsst.io/docs: | diff --git a/services/noteburst/README.md b/services/noteburst/README.md index 04f05f173f..446b7626a7 100644 
--- a/services/noteburst/README.md +++ b/services/noteburst/README.md @@ -38,7 +38,15 @@ Noteburst is a notebook execution service for the Rubin Science Platform. | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | Annotations for API and worker pods | -| redis.auth.enabled | bool | `false` | | +| redis.affinity | object | `{}` | Affinity rules for the Redis pod | +| redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | +| redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | +| redis.persistence.size | string | `"8Gi"` | Amount of persistent storage to request | +| redis.persistence.storageClass | string | `""` | Class of storage to request | +| redis.persistence.volumeClaimName | string | `""` | Use an existing PVC, not dynamic provisioning. If this is set, the size, storageClass, and accessMode settings are ignored. | +| redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | +| redis.resources | object | See `values.yaml` | Resource limits and requests for the Redis pod | +| redis.tolerations | list | `[]` | Tolerations for the Redis pod | | replicaCount | int | `1` | Number of API pods to run | | resources | object | `{}` | | | service.port | int | `80` | Port of the service to create and map to the ingress | diff --git a/services/noteburst/templates/configmap.yaml b/services/noteburst/templates/configmap.yaml index 1a1bdfc099..cf31ac9fce 100644 --- a/services/noteburst/templates/configmap.yaml +++ b/services/noteburst/templates/configmap.yaml 
@@ -8,4 +8,4 @@ data: SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} NOTEBURST_PATH_PREFIX: {{ .Values.ingress.path | quote }} NOTEBURST_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} - NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" + NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis.{{ .Release.Namespace }}:6379/0" diff --git a/services/noteburst/templates/deployment.yaml b/services/noteburst/templates/deployment.yaml index de23bbeea3..375d5befa2 100644 --- a/services/noteburst/templates/deployment.yaml +++ b/services/noteburst/templates/deployment.yaml @@ -20,6 +20,7 @@ spec: {{- end }} labels: {{- include "noteburst.selectorLabels" . | nindent 8 }} + noteburst-redis-client: "true" spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: diff --git a/services/noteburst/templates/worker-configmap.yaml b/services/noteburst/templates/worker-configmap.yaml index 21a90ae8eb..1f47d46fdd 100644 --- a/services/noteburst/templates/worker-configmap.yaml +++ b/services/noteburst/templates/worker-configmap.yaml 
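Review bot: `NOTEBURST_REDIS_URL` now points at `redis://…-redis.<ns>:6379/0` with no credential, which the commit message says is deliberate, but nothing in the rendered ConfigMap or Deployment records that the `noteburst-redis-client: "true"` label added in the deployment hunk is what gates access (per the commit message, via a NetworkPolicy not shown here). A comment next to the label, e.g. `# Selected by the Redis NetworkPolicy; Redis has no auth, so this label is the only access control`, would stop a future cleanup from dropping it silently. If a Redis password is added later, this URL and the two in `worker-configmap.yaml` all need the secret reference.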
@@ -7,8 +7,8 @@ metadata: data: SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} NOTEBURST_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} - NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/0" - NOTEBURST_WORKER_LOCK_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis-master.{{ .Release.Namespace }}:{{ .Values.redis.master.service.ports.redis }}/1" + NOTEBURST_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis.{{ .Release.Namespace }}:6379/0" + NOTEBURST_WORKER_LOCK_REDIS_URL: "redis://{{ include "noteburst.fullname" . }}-redis.{{ .Release.Namespace }}:6379/1" NOTEBURST_WORKER_JOB_TIMEOUT: {{ .Values.config.worker.jobTimeout | quote }} NOTEBURST_WORKER_TOKEN_LIFETIME: {{ .Values.config.worker.tokenLifetime | quote }} NOTEBURST_WORKER_IMAGE_SELECTOR: {{ .Values.config.worker.imageSelector | quote }} diff --git a/services/noteburst/templates/worker-deployment.yaml b/services/noteburst/templates/worker-deployment.yaml index c47ac58c4f..12b75fb4fa 100644 --- a/services/noteburst/templates/worker-deployment.yaml +++ b/services/noteburst/templates/worker-deployment.yaml @@ -20,6 +20,7 @@ spec: {{- end }} labels: {{- include "noteburst.selectorLabels" . | nindent 8 }} + noteburst-redis-client: "true" spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: diff --git a/services/noteburst/values-idfdev.yaml b/services/noteburst/values-idfdev.yaml index cff0a8417f..2226548fca 100644 --- a/services/noteburst/values-idfdev.yaml +++ b/services/noteburst/values-idfdev.yaml @@ -13,3 +13,8 @@ config: - username: "bot-noteburst90003" - username: "bot-noteburst90004" - username: "bot-noteburst90005" + +# Use SSD for Redis storage. +redis: + persistence: + storageClass: "premium-rwo" diff --git a/services/noteburst/values.yaml b/services/noteburst/values.yaml index 1ca85b797c..b6ae64c659 100644 --- a/services/noteburst/values.yaml 
+++ b/services/noteburst/values.yaml @@ -120,5 +120,36 @@ config: keepAlive: "normal" redis: - auth: - enabled: false + persistence: + # -- Whether to persist Redis storage and thus tokens. Setting this to + # false will use `emptyDir` and reset all tokens on every restart. Only + # use this for a test deployment. + enabled: true + + # -- Amount of persistent storage to request + size: "8Gi" + + # -- Class of storage to request + storageClass: "" + + # -- Use an existing PVC, not dynamic provisioning. If this is set, the + # size, storageClass, and accessMode settings are ignored. + volumeClaimName: "" + + # -- Resource limits and requests for the Redis pod + # @default -- See `values.yaml` + resources: + limits: + cpu: "1" + + # -- Pod annotations for the Redis pod + podAnnotations: {} + + # -- Node selection rules for the Redis pod + nodeSelector: {} + + # -- Tolerations for the Redis pod + tolerations: [] + + # -- Affinity rules for the Redis pod + affinity: {} diff --git a/services/times-square/Chart.yaml b/services/times-square/Chart.yaml index acf4c4686e..03ffaa3db7 100644 --- a/services/times-square/Chart.yaml +++ b/services/times-square/Chart.yaml @@ -12,8 +12,8 @@ appVersion: "0.6.0" dependencies: - name: redis - version: 17.4.0 - repository: https://charts.bitnami.com/bitnami + version: 0.1.4 + repository: https://lsst-sqre.github.io/charts/ annotations: phalanx.lsst.io/docs: | diff --git a/services/times-square/README.md b/services/times-square/README.md index aa321748cf..c788c0549b 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md 
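Review bot: The `redis.persistence.enabled` comment says persistence preserves "tokens" and that `emptyDir` will "reset all tokens on every restart", which is Gafaelfawr wording; noteburst's Redis holds the arq job queue and worker locks (per `NOTEBURST_REDIS_URL` and `NOTEBURST_WORKER_LOCK_REDIS_URL` in this commit), not tokens, and the same text was copied into the times-square README. Suggest `# -- Whether to persist Redis storage. Setting this to false will use emptyDir and lose queued jobs on every restart. Only use this for a test deployment.` The `volumeClaimName` comment also refers to an `accessMode` setting that this values block does not define, and `resources` sets only a CPU limit with no memory bound.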
@@ -27,8 +27,8 @@ An API service for managing and rendering parameterized Jupyter notebooks. | config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | | config.name | string | `"times-square"` | Name of the service. | | config.profile | string | `"production"` | Run profile: "production" or "development" | -| config.queueRedisUrl | string | Points to embedded Redis | URL for Redis arq queue database | -| config.redisUrl | string | Points to embedded Redis | URL for Redis html / noteburst job cache database | +| config.redisCacheUrl | string | Points to embedded Redis | URL for Redis html / noteburst job cache database | +| config.redisQueueUrl | string | Points to embedded Redis | URL for Redis arq queue database | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by times-square Argo CD Application | Base URL for the environment | | global.host | string | Set by times-square Argo CD Application | Host name for ingress | 
@@ -42,8 +42,15 @@ An API service for managing and rendering parameterized Jupyter notebooks. | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selection rules for the times-square deployment pod | | podAnnotations | object | `{}` | Annotations for the times-square deployment pod | -| redis.auth.enabled | bool | `false` | | -| redis.fullnameOverride | string | `"times-square-redis"` | | +| redis.affinity | object | `{}` | Affinity rules for the Redis pod | +| redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | +| redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | +| redis.persistence.size | string | `"8Gi"` | Amount of persistent storage to request | +| redis.persistence.storageClass | string | `""` | Class of storage to request | +| redis.persistence.volumeClaimName | string | `""` | Use an existing PVC, not dynamic provisioning. If this is set, the size, storageClass, and accessMode settings are ignored. | +| redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | +| redis.resources | object | See `values.yaml` | Resource limits and requests for the Redis pod | +| redis.tolerations | list | `[]` | Tolerations for the Redis pod | | replicaCount.api | int | `1` | Number of API deployment pods to start | | replicaCount.worker | int | `1` | Number of worker deployment pods to start | | resources | object | `{}` | Resource limits and requests for the times-square deployment pod | diff --git a/services/times-square/templates/deployment.yaml b/services/times-square/templates/deployment.yaml index 27fedfed56..4d344f49f2 100644 --- a/services/times-square/templates/deployment.yaml +++ b/services/times-square/templates/deployment.yaml 
@@ -20,6 +20,7 @@ spec: {{- end }} labels: {{- include "times-square.selectorLabels" . | nindent 8 }} + times-square-redis-client: "true" spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: diff --git a/services/times-square/templates/worker-deployment.yaml b/services/times-square/templates/worker-deployment.yaml index d028654312..4d40031f97 100644 --- a/services/times-square/templates/worker-deployment.yaml +++ b/services/times-square/templates/worker-deployment.yaml @@ -20,6 +20,7 @@ spec: {{- end }} labels: {{- include "times-square.selectorLabels" . | nindent 8 }} + times-square-redis-client: "true" spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: diff --git a/services/times-square/values-idfdev.yaml b/services/times-square/values-idfdev.yaml index 57d97ac65d..ccd4620735 100644 --- a/services/times-square/values-idfdev.yaml +++ b/services/times-square/values-idfdev.yaml @@ -5,9 +5,10 @@ config: databaseUrl: "postgresql://times-square@localhost/times-square" githubAppId: "196798" enableGitHubApp: "True" - redisCacheUrl: "redis://times-square-redis-master:6379/0" - redisQueueUrl: "redis://times-square-redis-master:6379/1" cloudsql: enabled: true instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" serviceAccount: "times-square@science-platform-dev-7696.iam.gserviceaccount.com" +redis: + persistence: + storageClass: "premium-rwo" diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml index 3ca5992371..1197f23519 100644 --- a/services/times-square/values.yaml +++ b/services/times-square/values.yaml 
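Review bot: The added pod label `times-square-redis-client: "true"` carries no explanation of what selects on it, and the same line is added in the worker-deployment hunk. It presumably matches a pod selector in the replacement Redis chart (a NetworkPolicy admitting clients would be the usual reason), which makes the label load-bearing for connectivity even though it looks like decoration next to the shared selector labels. Suggest a comment on the line above it, e.g. `# Selected by the Redis chart so this pod is allowed to connect to Redis`, adjusted to whatever the chart actually uses it for. The enclosing Deployment spec continues outside the hunk.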
@@ -101,11 +101,11 @@ config: # -- URL for Redis html / noteburst job cache database # @default -- Points to embedded Redis - redisUrl: "redis://times-square-redis-master:6379/0" + redisCacheUrl: "redis://times-square-redis:6379/0" # -- URL for Redis arq queue database # @default -- Points to embedded Redis - queueRedisUrl: "redis://times-square-redis-master:6379/1" + redisQueueUrl: "redis://times-square-redis:6379/1" # -- GitHub application ID githubAppId: "" @@ -136,10 +136,39 @@ cloudsql: serviceAccount: "" redis: - fullnameOverride: times-square-redis + persistence: + # -- Whether to persist Redis storage and thus tokens. Setting this to + # false will use `emptyDir` and reset all tokens on every restart. Only + # use this for a test deployment. + enabled: true - auth: - enabled: false + # -- Amount of persistent storage to request + size: "8Gi" + + # -- Class of storage to request + storageClass: "" + + # -- Use an existing PVC, not dynamic provisioning. If this is set, the + # size, storageClass, and accessMode settings are ignored. + volumeClaimName: "" + + # -- Resource limits and requests for the Redis pod + # @default -- See `values.yaml` + resources: + limits: + cpu: "1" + + # -- Pod annotations for the Redis pod + podAnnotations: {} + + # -- Node selection rules for the Redis pod + nodeSelector: {} + + # -- Tolerations for the Redis pod + tolerations: [] + + # -- Affinity rules for the Redis pod + affinity: {} global: # -- Base URL for the environment From d110885543590032214856877780736f1c41e0e2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 9 Jan 2023 13:54:53 -0800 Subject: [PATCH 1407/1479] Remove stray ingressClassName in times-square --- services/times-square/templates/ingress-webhooks.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/services/times-square/templates/ingress-webhooks.yaml b/services/times-square/templates/ingress-webhooks.yaml index d969cd18b5..af29673def 100644 
--- a/services/times-square/templates/ingress-webhooks.yaml +++ b/services/times-square/templates/ingress-webhooks.yaml @@ -16,7 +16,6 @@ template: {{- toYaml . | nindent 6 }} {{- end }} spec: - ingressClassName: "nginx" rules: - host: {{ required "global.host must be set" .Values.global.host | quote }} http: From 4413c44b7740e08942a593b4969a6452e810b45d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 6 Jan 2023 12:38:55 -0800 Subject: [PATCH 1408/1479] Add autherror location to each NGINX server The NGINX support for an auth_request subhandler is very limited. It only allows 401 and 403 returns, and doesn't even include the WWW-Authenticate header on 403 replies. We want to use it to do many more things, so we need to add some custom configuration. Use server-snippet to add an autherror block to every server in the NGINX configuration. This will be used as the target for an error_page directive introduced by Gafaelfawr and will read the actual status and error body out of headers. It will also always set Cache-Control and WWW-Authenticate. As is, this block won't be used by anything. The other half of this change will introduced Ingress annotations that will use the block for Ingresses that are Gafaelfawr-protected. --- .github/workflows/ci.yaml | 1 + services/ingress-nginx/README.md | 3 ++- services/ingress-nginx/values.yaml | 15 +++++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c5fb4c1f37..392431d196 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -81,6 +81,7 @@ jobs: - "science-platform/values-minikube.yaml" - "services/*/Chart.yaml" - "services/*/templates/**" + - "services/*/values.yaml" - "services/*/values-minikube.yaml" - name: Setup Minikube diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index 424c4c9c2f..a42e73f147 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md 
@@ -17,9 +17,10 @@ Ingress controller | ingress-nginx.controller.config.large-client-header-buffers | string | `"4 64k"` | Increase the buffer size for client headers because we may have JWTs in the client request | | ingress-nginx.controller.config.proxy-body-size | string | `"100m"` | Maximum size of the client request body (needs to be large enough to allow table uploads) | | ingress-nginx.controller.config.proxy-buffer-size | string | `"64k"` | Increase the buffer size for responses from backend servers to allow for longer headers | +| ingress-nginx.controller.config.server-snippet | string | See `values.yaml` | Add additional configuration used by Gafaelfawr to report errors from the authorization layer | | ingress-nginx.controller.config.ssl-redirect | string | `"true"` | Redirect all non-SSL access to SSL. | | ingress-nginx.controller.config.use-forwarded-headers | string | `"true"` | Enable the `X-Forwarded-For` processing | | ingress-nginx.controller.metrics.enabled | bool | `true` | Enable metrics reporting via Prometheus | -| ingress-nginx.controller.podLabels | object | `{"gafaelfawr.lsst.io/ingress":"true","hub.jupyter.org/network-access-proxy-http":"true"}` | Add labels used by `NetworkPolicy` objects to restrict access to the ingress and thus ensure that auth subrequest handlers run | +| ingress-nginx.controller.podLabels | object | See `values.yaml` | Add labels used by `NetworkPolicy` objects to restrict access to the ingress and thus ensure that auth subrequest handlers run | | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | Force traffic routing policy to Local so that the external IP in `X-Forwarded-For` will be correct | | vaultCertificate.enabled | bool | `false` | Whether to store ingress TLS certificate via vault-secrets-operator. Typically "squareone" owns it instead in an RSP. | diff --git a/services/ingress-nginx/values.yaml b/services/ingress-nginx/values.yaml index aa87dc3415..35bd3998b0 100644 
--- a/services/ingress-nginx/values.yaml +++ b/services/ingress-nginx/values.yaml @@ -25,6 +25,20 @@ ingress-nginx: # -- Enable the `X-Forwarded-For` processing use-forwarded-headers: "true" + # -- Add additional configuration used by Gafaelfawr to report errors + # from the authorization layer + # @default -- See `values.yaml` + server-snippet: | + location @autherror { + add_header Cache-Control "no-cache, must-revalidate" always; + add_header WWW-Authenticate $auth_www_authenticate always; + if ($auth_status = 400) { + add_header Content-Type "application/json" always; + return 400 $auth_error_body; + } + return 403; + } + service: # -- Force traffic routing policy to Local so that the external IP in # `X-Forwarded-For` will be correct @@ -32,6 +46,7 @@ ingress-nginx: # -- Add labels used by `NetworkPolicy` objects to restrict access to the # ingress and thus ensure that auth subrequest handlers run + # @default -- See `values.yaml` podLabels: gafaelfawr.lsst.io/ingress: "true" hub.jupyter.org/network-access-proxy-http: "true" From 3b034dcdb94acbc94c8bbcb6b62d31c44c324b95 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 6 Jan 2023 16:50:22 -0800 Subject: [PATCH 1409/1479] Convert nublado2 to the new Gafaelfawr configuration Add the new configuration snippet for nublado2 and remove the old reference to /auth/forbidden, which will no longer be supported in the new Gafaelfawr version. --- services/nublado2/README.md | 5 +---- services/nublado2/values.yaml | 12 +++++++++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/services/nublado2/README.md b/services/nublado2/README.md index 550696da67..9caffa00d5 100644 --- a/services/nublado2/README.md +++ b/services/nublado2/README.md 
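Review bot: `location @autherror` uses `$auth_status`, `$auth_www_authenticate` and `$auth_error_body`, but nothing in this server-snippet defines them; they only exist once some Ingress sets them with `auth_request_set` (the nublado2 change later in this series does so in its configuration-snippet). nginx refuses to load a configuration that references a variable no directive defines, so on an environment with no such Ingress this snippet may keep the controller from reloading — worth checking against a rendered config before relying on "this block won't be used by anything". The contract also deserves to be written into the snippet itself, e.g. `# Requires $auth_status, $auth_www_authenticate and $auth_error_body to be set via auth_request_set in the protected location.` as the first line of the location block.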
@@ -62,10 +62,7 @@ JupyterHub for the Rubin Science Platform | jupyterhub.hub.resources.limits.cpu | string | `"900m"` | | | jupyterhub.hub.resources.limits.memory | string | `"1Gi"` | | | jupyterhub.imagePullSecrets[0].name | string | `"pull-secret"` | | -| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-method" | string | `"GET"` | | -| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-response-headers" | string | `"X-Auth-Request-Token"` | | -| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/auth-url" | string | `"http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true&minimum_lifetime=2160000"` | | -| jupyterhub.ingress.annotations."nginx.ingress.kubernetes.io/configuration-snippet" | string | `"error_page 403 = \"/auth/forbidden?scope=exec:notebook\";\n"` | | +| jupyterhub.ingress.annotations | object | See `values.yaml` | Extra annotations to add to the ingress | | jupyterhub.ingress.enabled | bool | `true` | | | jupyterhub.ingress.ingressClassName | string | `"nginx"` | | | jupyterhub.ingress.pathSuffix | string | `"*"` | | diff --git a/services/nublado2/values.yaml b/services/nublado2/values.yaml index 292425e56a..80f478df35 100644 --- a/services/nublado2/values.yaml +++ b/services/nublado2/values.yaml 
@@ -143,12 +143,18 @@ jupyterhub: # appropriate fully-qualified URLs for the Gafaelfawr /login route. ingress: enabled: true + + # -- Extra annotations to add to the ingress + # @default -- See `values.yaml` annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Token" + nginx.ingress.kubernetes.io/auth-method: "GET" + nginx.ingress.kubernetes.io/auth-response-headers: "Authorization,Cookie,X-Auth-Request-Email,X-Auth-Request-User,X-Auth-Request-Token" nginx.ingress.kubernetes.io/auth-url: "http://gafaelfawr.gafaelfawr.svc.cluster.local:8080/auth?scope=exec:notebook¬ebook=true&minimum_lifetime=2160000" nginx.ingress.kubernetes.io/configuration-snippet: | - error_page 403 = "/auth/forbidden?scope=exec:notebook"; + auth_request_set $auth_www_authenticate $upstream_http_www_authenticate; + auth_request_set $auth_status $upstream_http_x_error_status; + auth_request_set $auth_error_body $upstream_http_x_error_body; + error_page 403 = @autherror; ingressClassName: "nginx" pathSuffix: "*" From 78d261300cc0a72f21ee4f9cf48cf4d3920fad0e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 9 Jan 2023 13:02:08 -0800 Subject: [PATCH 1410/1479] Update ingress-nginx server block if statements in NGINX are very odd and don't necessarily pick up directives outside the body of the if statement. Reiterate add_header directives inside the if statement and change the order to hopefully ensure Cache-Control and WWW-Authenticate are set properly for 400 responses. --- services/ingress-nginx/values.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/services/ingress-nginx/values.yaml b/services/ingress-nginx/values.yaml index 35bd3998b0..fe33f725a9 100644 --- a/services/ingress-nginx/values.yaml +++ b/services/ingress-nginx/values.yaml 
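Review bot: The new configuration-snippet relies on the `@autherror` named location that lives in the ingress-nginx `server-snippet`, and `auth-response-headers` now lets the auth subrequest overwrite `Authorization` and `Cookie` on the request forwarded to JupyterHub, but neither dependency is recorded next to the values. A short comment above `annotations:` would save the next reader a search, e.g. `# The error_page target @autherror is defined by the ingress-nginx server-snippet; the auth-response-headers list lets Gafaelfawr replace the Authorization and Cookie headers JupyterHub sees.` The `jupyterhub.ingress` mapping continues outside the hunk.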
@@ -30,12 +30,14 @@ ingress-nginx: # @default -- See `values.yaml` server-snippet: | location @autherror { - add_header Cache-Control "no-cache, must-revalidate" always; - add_header WWW-Authenticate $auth_www_authenticate always; if ($auth_status = 400) { + add_header Cache-Control "no-cache, must-revalidate" always; + add_header WWW-Authenticate $auth_www_authenticate always; add_header Content-Type "application/json" always; return 400 $auth_error_body; } + add_header Cache-Control "no-cache, must-revalidate" always; + add_header WWW-Authenticate $auth_www_authenticate always; return 403; } From 4553ed8518db84e015411bdd8778ec434cab2bbb Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 9 Jan 2023 13:06:12 -0800 Subject: [PATCH 1411/1479] Fix Content-Type for 400 replies add_header apparently doesn't work for the Content-Type header. Try using default_type instead. --- services/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/ingress-nginx/values.yaml b/services/ingress-nginx/values.yaml index fe33f725a9..567f571555 100644 --- a/services/ingress-nginx/values.yaml +++ b/services/ingress-nginx/values.yaml @@ -30,10 +30,10 @@ ingress-nginx: # @default -- See `values.yaml` server-snippet: | location @autherror { + default_type application/json; if ($auth_status = 400) { add_header Cache-Control "no-cache, must-revalidate" always; add_header WWW-Authenticate $auth_www_authenticate always; - add_header Content-Type "application/json" always; return 400 $auth_error_body; } add_header Cache-Control "no-cache, must-revalidate" always; From 62b3cbacff1e729fa04849ecdd817a07ff9a4f0f Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 9 Jan 2023 14:18:23 -0800 Subject: [PATCH 1412/1479] Bump Gafaelfawr version to 9.0.0 --- services/gafaelfawr/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index b920cc60cb..841c79e7e8 100644 
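Review bot: Both hunks on this line encode nginx quirks without saying so in the snippet: the 1410 hunk repeats the two `add_header` lines inside and after the `if` block, the 1411 hunk switches Content-Type to `default_type`, and only the commit messages explain why. A future tidy-up that deduplicates the `add_header` lines or hoists them to the top of the location would silently lose Cache-Control and WWW-Authenticate on 400 replies. Suggest a comment at the top of `location @autherror`, e.g. `# add_header directives outside an if block are not picked up inside it, so they are repeated; Content-Type cannot be set with add_header, hence default_type.` The second `add_header` pair and the `return 403` are cut off at the end of the 1411 hunk.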
--- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -5,7 +5,7 @@ description: Authentication and identity system home: https://gafaelfawr.lsst.io/ sources: - https://github.com/lsst-sqre/gafaelfawr -appVersion: 8.0.0 +appVersion: 9.0.0 annotations: phalanx.lsst.io/docs: | From 95d457d58fd299d83a113ef8d9bbf785ca9ec62a Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 11 Jan 2023 11:47:17 -0700 Subject: [PATCH 1413/1479] [DM-26505] Add in a service for the linters Have it only run on data-int for now, since we only need it to run in one place since it's checking global state. --- science-platform/values-idfint.yaml | 2 + science-platform/values.yaml | 2 + services/linters/Chart.yaml | 7 ++ .../linters/templates/cronjob-dns-linter.yaml | 64 +++++++++++++++++++ services/linters/values.yaml | 39 +++++++++++ 5 files changed, 114 insertions(+) create mode 100644 services/linters/Chart.yaml create mode 100644 services/linters/templates/cronjob-dns-linter.yaml create mode 100644 services/linters/values.yaml diff --git a/science-platform/values-idfint.yaml b/science-platform/values-idfint.yaml index 10342c9daf..60750530f0 100644 --- a/science-platform/values-idfint.yaml +++ b/science-platform/values-idfint.yaml @@ -19,6 +19,8 @@ hips: enabled: true ingress_nginx: enabled: true +linters: + enabled: true mobu: enabled: true moneypenny: diff --git a/science-platform/values.yaml b/science-platform/values.yaml index d1f5f5ca66..bb5c66285c 100644 --- a/science-platform/values.yaml +++ b/science-platform/values.yaml @@ -14,6 +14,8 @@ hips: enabled: false ingress_nginx: enabled: false +linters: + enabled: false mobu: enabled: false moneypenny: diff --git a/services/linters/Chart.yaml b/services/linters/Chart.yaml new file mode 100644 index 0000000000..fbee60bfa6 --- /dev/null +++ b/services/linters/Chart.yaml 
@@ -0,0 +1,7 @@ +apiVersion: v2 +name: linters +version: 1.0.0 +description: Linters running for operational reasons +sources: + - https://github.com/lsst-sqre/ops-linters +appVersion: 0.1.0 diff --git a/services/linters/templates/cronjob-dns-linter.yaml b/services/linters/templates/cronjob-dns-linter.yaml new file mode 100644 index 0000000000..146fd1792c --- /dev/null +++ b/services/linters/templates/cronjob-dns-linter.yaml @@ -0,0 +1,64 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ template "linters.fullname" . }}-maintenance + labels: + {{- include "linters.labels" . | nindent 4 }} +spec: + schedule: {{ .Values.linterSchedule | quote }} + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + labels: + {{- include "linters.selectorLabels" . | nindent 12 }} + app.kubernetes.io/component: "linter" + spec: + restartPolicy: "Never" + automountServiceAccountToken: false + containers: + - name: "linters" + command: + - "python" + - "checker.py" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 16 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + volumeMounts: + - name: "aws-secret" + mountPath: "/etc/linters/aws-secrets" + readOnly: true + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + volumes: + - name: "secret" + secret: + secretName: {{ template "linters.fullname" . }}-secret + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 12 }} + {{- end }} 
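Review bot: In the CronJob template, `volumeMounts` references a volume named `aws-secret` but the only entry under `volumes` is named `secret`, so the pod template is invalid and the API server should reject the CronJob (or the Job it spawns) with a "volumeMounts ... not found" style error. Change the volume entry to `- name: "aws-secret"` to match the mount. Separately, nothing in this commit creates the `{{ template "linters.fullname" . }}-secret` Secret that the volume reads AWS credentials from; if it is meant to come from vault-secrets-operator as in the other charts, the VaultSecret template is missing here. The rest of the pod hardening (`automountServiceAccountToken: false`, dropped capabilities, read-only root filesystem, non-root user) looks right.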
diff --git a/services/linters/values.yaml b/services/linters/values.yaml new file mode 100644 index 0000000000..efd069973f --- /dev/null +++ b/services/linters/values.yaml @@ -0,0 +1,39 @@ +# Default values for Gafaelfawr. + +# -- Override the base name for resources +nameOverride: "" + +# -- Override the full name for resources (includes the release name) +fullnameOverride: "" + +# -- Number of web frontend pods to start +replicaCount: 1 + +image: + # -- Gafaelfawr image to use + repository: "ghcr.io/lsst-sqre/linters" + + # -- Pull policy for the Gafaelfawr image + pullPolicy: "IfNotPresent" + + # -- Tag of linter image to use + # @default -- The appVersion of the chart + tag: "" + +# -- Resource limits and requests for the Gafaelfawr frontend pod +resources: {} + +# -- Annotations for the Gafaelfawr frontend pod +podAnnotations: {} + +# -- Node selector rules for the Gafaelfawr frontend pod +nodeSelector: {} + +# -- Tolerations for the Gafaelfawr frontend pod +tolerations: [] + +# -- Affinity rules for the Gafaelfawr frontend pod +affinity: {} + +# -- Cron schedule string for Gafaelfawr periodic maintenance (in UTC) +linterSchedule: "0 0 1 * *" From 39365cd23089b16958769ef647762ce35d653ccd Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 11 Jan 2023 11:51:19 -0700 Subject: [PATCH 1414/1479] [DM-26505] Fix readme for science platform --- science-platform/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/science-platform/README.md b/science-platform/README.md index 1c1a38276a..0050d72612 100644 --- a/science-platform/README.md +++ b/science-platform/README.md @@ -12,6 +12,7 @@ | gafaelfawr.enabled | bool | `false` | | | hips.enabled | bool | `false` | | | ingress_nginx.enabled | bool | `false` | | +| linters.enabled | bool | `false` | | | mobu.enabled | bool | `false` | | | moneypenny.enabled | bool | `false` | | | narrativelog.enabled | bool | `false` | | From dc5d25c890e7604f90b6b56d1e87eb14353d2b6c Mon Sep 17 00:00:00 2001 
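Review bot: `replicaCount: 1` ("Number of web frontend pods to start") is not referenced by the only template this commit adds, the CronJob, so it is a dead value inherited from the chart this file was copied from. Suggest dropping it together with its README row, or documenting the planned Deployment if one is coming. The `linterSchedule` default `0 0 1 * *` fires once a month, and the comment could say so in words so readers do not have to decode the cron string, e.g. `# -- Cron schedule string for linter checking (in UTC); the default runs at 00:00 on the first day of each month`.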
From: Christine Banek Date: Wed, 11 Jan 2023 11:53:51 -0700 Subject: [PATCH 1415/1479] [DM-26505] Add in helpers so I can use fullname --- services/linters/templates/_helpers.tpl | 52 +++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 services/linters/templates/_helpers.tpl diff --git a/services/linters/templates/_helpers.tpl b/services/linters/templates/_helpers.tpl new file mode 100644 index 0000000000..cdbd80f67b --- /dev/null +++ b/services/linters/templates/_helpers.tpl 
@@ -0,0 +1,52 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "linters.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "linters.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "linters.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "linters.labels" -}} +helm.sh/chart: {{ include "linters.chart" . }} +{{ include "linters.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "linters.selectorLabels" -}} +app.kubernetes.io/name: {{ include "linters.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} From 290e873a2a2ef2708d62c590bb149b09be2fa8e5 Mon Sep 17 00:00:00 2001 
From: Christine Banek Date: Wed, 11 Jan 2023 12:05:51 -0700 Subject: [PATCH 1416/1479] [DM-26505] Add in a readme and get rid of references to Gafaelfawr --- services/linters/README.md | 26 ++++++++++++++++++++++++++ services/linters/values.yaml | 18 +++++++++--------- 2 files changed, 35 insertions(+), 9 deletions(-) create mode 100644 services/linters/README.md diff --git a/services/linters/README.md b/services/linters/README.md new file mode 100644 index 0000000000..b9fcbd4dcc --- /dev/null +++ b/services/linters/README.md @@ -0,0 +1,26 @@ +# Linters + +Automatically run linters checking ops data and environments, like DNS records +that may be dangling. + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity rules for the linter pod | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linter image | +| image.repository | string | `"ghcr.io/lsst-sqre/linters"` | linter image to use | +| image.tag | string | The appVersion of the chart | Tag of linter image to use | +| nameOverride | string | `""` | Override the base name for resources | +| nodeSelector | object | `{}` | Node selector rules for the linter pod | +| podAnnotations | object | `{}` | Annotations for the linter pod | +| replicaCount | int | `1` | Number of web frontend pods to start | +| resources | object | `{}` | Resource limits and requests for the linter pod | +| tolerations | list | `[]` | Tolerations for the linter frontend pod | diff --git a/services/linters/values.yaml b/services/linters/values.yaml index efd069973f..2c8ad67d62 100644 --- a/services/linters/values.yaml +++ b/services/linters/values.yaml 
@@ -1,4 +1,4 @@ -# Default values for Gafaelfawr. +# Default values for linter. # -- Override the base name for resources nameOverride: "" @@ -10,30 +10,30 @@ fullnameOverride: "" replicaCount: 1 image: - # -- Gafaelfawr image to use + # -- linter image to use repository: "ghcr.io/lsst-sqre/linters" - # -- Pull policy for the Gafaelfawr image + # -- Pull policy for the linter image pullPolicy: "IfNotPresent" # -- Tag of linter image to use # @default -- The appVersion of the chart tag: "" -# -- Resource limits and requests for the Gafaelfawr frontend pod +# -- Resource limits and requests for the linter pod resources: {} -# -- Annotations for the Gafaelfawr frontend pod +# -- Annotations for the linter pod podAnnotations: {} -# -- Node selector rules for the Gafaelfawr frontend pod +# -- Node selector rules for the linter pod nodeSelector: {} -# -- Tolerations for the Gafaelfawr frontend pod +# -- Tolerations for the linter pod tolerations: [] -# -- Affinity rules for the Gafaelfawr frontend pod +# -- Affinity rules for the linter pod affinity: {} -# -- Cron schedule string for Gafaelfawr periodic maintenance (in UTC) +# -- Cron schedule string for linter checking (in UTC) linterSchedule: "0 0 1 * *" From 88191bef81d0d39fe73e50d25036c320f14f76a8 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 11 Jan 2023 12:10:55 -0700 Subject: [PATCH 1417/1479] [DM-26505] Fix more linter errors --- services/linters/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/services/linters/README.md b/services/linters/README.md index b9fcbd4dcc..156870a222 100644 --- a/services/linters/README.md +++ b/services/linters/README.md @@ -1,4 +1,4 @@ -# Linters +# linters Automatically run linters checking ops data and environments, like DNS records that may be dangling. 
@@ -15,12 +15,14 @@ that may be dangling. | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | +| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linter image | | image.repository | string | `"ghcr.io/lsst-sqre/linters"` | linter image to use | | image.tag | string | The appVersion of the chart | Tag of linter image to use | +| linterSchedule | string | `"0 0 1 * *"` | Cron schedule string for linter checking (in UTC) | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the linter pod | | podAnnotations | object | `{}` | Annotations for the linter pod | | replicaCount | int | `1` | Number of web frontend pods to start | | resources | object | `{}` | Resource limits and requests for the linter pod | -| tolerations | list | `[]` | Tolerations for the linter frontend pod | +| tolerations | list | `[]` | Tolerations for the linter pod | From 878fa486531545fab163071266a0d5bd60f337c1 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 11 Jan 2023 12:12:06 -0700 Subject: [PATCH 1418/1479] [DM-26505] Continue fixing errors --- services/linters/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/services/linters/README.md b/services/linters/README.md index 156870a222..c591f2bc19 100644 --- a/services/linters/README.md +++ b/services/linters/README.md @@ -1,7 +1,6 @@ # linters -Automatically run linters checking ops data and environments, like DNS records -that may be dangling. +Linters running for operational reasons ## Source Code From b360438fef465b84724d6dfe3e14e68dad23d7e9 Mon Sep 17 00:00:00 2001 
From: Christine Banek Date: Wed, 11 Jan 2023 12:19:22 -0700 Subject: [PATCH 1419/1479] [DM-26505] Get rid of global vars, the linter doesn't seem to like them --- services/linters/README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/services/linters/README.md b/services/linters/README.md index c591f2bc19..8325305387 100644 --- a/services/linters/README.md +++ b/services/linters/README.md @@ -11,9 +11,6 @@ Linters running for operational reasons | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity rules for the linter pod | -| global.baseUrl | string | Set by Argo CD | Base URL for the environment | -| global.host | string | Set by Argo CD | Host name for ingress | -| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linter image | | image.repository | string | `"ghcr.io/lsst-sqre/linters"` | linter image to use | From 5260035b12de1b25458b6dc84ce4be0a66675189 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 11 Jan 2023 12:31:36 -0700 Subject: [PATCH 1420/1479] [DM-26505] Found the right way to inject the global parameters --- services/linters/values.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/services/linters/values.yaml b/services/linters/values.yaml index 2c8ad67d62..c70913e436 100644 --- a/services/linters/values.yaml +++ b/services/linters/values.yaml 
@@ -37,3 +37,18 @@ affinity: {} # -- Cron schedule string for linter checking (in UTC) linterSchedule: "0 0 1 * *" + +# The following will be set by parameters injected by Argo CD and should not +# be set in the individual environment values files. +global: + # -- Base URL for the environment + # @default -- Set by Argo CD + baseUrl: "" + + # -- Host name for ingress + # @default -- Set by Argo CD + host: "" + + # -- Base path for Vault secrets + # @default -- Set by Argo CD + vaultSecretsPath: "" From 01d31aa92b24fe1c0e3f006afdb7e2bce6768cc8 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 11 Jan 2023 12:38:36 -0700 Subject: [PATCH 1421/1479] [DM-26505] Add back in the global variables --- services/linters/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/linters/README.md b/services/linters/README.md index 8325305387..dee69605b6 100644 --- a/services/linters/README.md +++ b/services/linters/README.md @@ -12,6 +12,9 @@ Linters running for operational reasons |-----|------|---------|-------------| | affinity | object | `{}` | Affinity rules for the linter pod | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | +| global.baseUrl | string | Set by Argo CD | Base URL for the environment | +| global.host | string | Set by Argo CD | Host name for ingress | +| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linter image | | image.repository | string | `"ghcr.io/lsst-sqre/linters"` | linter image to use | | image.tag | string | The appVersion of the chart | Tag of linter image to use | From ab4062a9d5893da941a3ef55fe39167cf8bbbcfc Mon Sep 17 00:00:00 2001 
From: Christine Banek Date: Wed, 11 Jan 2023 13:11:06 -0700 Subject: [PATCH 1422/1479] [DM-26505] Add another set of docs for linter This is what was causing the check to fail on github. --- docs/applications/linters/index.rst | 21 +++++++++++++++++++++ docs/applications/linters/values.md | 12 ++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 docs/applications/linters/index.rst create mode 100644 docs/applications/linters/values.md diff --git a/docs/applications/linters/index.rst b/docs/applications/linters/index.rst new file mode 100644 index 0000000000..e91f97b9c2 --- /dev/null +++ b/docs/applications/linters/index.rst @@ -0,0 +1,21 @@ +.. px-app:: linters + +###################################### +linters - automated chechking of DNS +###################################### + +Linters provides a way to automatically and repeatedly check things in ops, such as if DNS entries +are pointing to IP addresses that we are using, or are they dangling. We use the route53 API +as well as the Google API to cross-reference these configuration details and alert on things that +don't look right. + +.. jinja:: linters + :file: applications/_summary.rst.jinja + +Guides +====== + +.. toctree:: + :maxdepth: 1 + + values diff --git a/docs/applications/linters/values.md b/docs/applications/linters/values.md new file mode 100644 index 0000000000..bd47e34e7a --- /dev/null +++ b/docs/applications/linters/values.md @@ -0,0 +1,12 @@ +```{px-app-values} linters +``` + +# Linters Helm values reference + +Helm values reference table for the {px-app}`linters` application. + +```{include} ../../../services/linters/README.md +--- +start-after: "## Values" +--- +``` From dd0aaf21de0537aab7d57d2886a47a2064b23d04 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 11 Jan 2023 15:09:34 -0700 Subject: [PATCH 1423/1479] [DM-26505] Add linters to the TOC --- docs/applications/index.rst | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/applications/index.rst b/docs/applications/index.rst index e9e954db32..c1130ba7af 100644 --- a/docs/applications/index.rst +++ b/docs/applications/index.rst @@ -26,6 +26,7 @@ To learn how to develop applications for Phalanx, see the :doc:`/developers/inde cachemachine/index datalinker/index hips/index + linters/index mobu/index moneypenny/index noteburst/index From 55031ba1c5b149028f4bf494ee0c5437cbb41778 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 11 Jan 2023 15:11:43 -0700 Subject: [PATCH 1424/1479] [DM-26505] Disable linkcheck when doing the doc building --- .github/workflows/docs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index f6f58c47ee..8ecb1ec9e3 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -48,7 +48,7 @@ jobs: uses: lsst-sqre/run-tox@v1 with: python-version: "3.10" - tox-envs: "docs,docs-linkcheck" + tox-envs: "docs" # Only attempt documentation uploads for long-lived branches, tagged # releases, and pull requests from ticket branches. This avoids version From 7edcc15a3ad250c1dbb080679b97cdbf36d1f68c Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 Jan 2023 10:49:24 -0700 Subject: [PATCH 1425/1479] [DM-26505] Add in linters application This part creates the namespace and uses the stuff in the services directory. --- .../templates/linters-application.yaml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 science-platform/templates/linters-application.yaml diff --git a/science-platform/templates/linters-application.yaml b/science-platform/templates/linters-application.yaml new file mode 100644 index 0000000000..9a5e62c435 --- /dev/null +++ b/science-platform/templates/linters-application.yaml 
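Review bot: Changing `tox-envs: "docs,docs-linkcheck"` to `tox-envs: "docs"` removes the link check from CI for every future change instead of dealing with whichever link was failing, so dangling references in the documentation will now go unnoticed. If one URL is the problem, adding it to Sphinx's `linkcheck_ignore` list, or running `docs-linkcheck` as a separate step with `continue-on-error: true`, keeps the signal without blocking the build. The `run-tox` step this hunk edits starts before the hunk.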
@@ -0,0 +1,37 @@ +{{- if .Values.linters.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: "linters" +spec: + finalizers: + - "kubernetes" +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: "linters" + namespace: "argocd" + finalizers: + - "resources-finalizer.argocd.argoproj.io" +spec: + destination: + namespace: "linters" + server: "https://kubernetes.default.svc" + project: "default" + source: + path: "services/linters" + repoURL: {{ .Values.repoURL | quote }} + targetRevision: {{ .Values.revision | quote }} + helm: + parameters: + - name: "global.host" + value: {{ .Values.fqdn | quote }} + - name: "global.baseUrl" + value: "https://{{ .Values.fqdn }}" + - name: "global.vaultSecretsPath" + value: {{ .Values.vault_path_prefix | quote }} + valueFiles: + - "values.yaml" + - "values-{{ .Values.environment }}.yaml" +{{- end -}} From 1f6be6340041976cc3bc1c433a6e0b7776b8e4bf Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 Jan 2023 11:02:09 -0700 Subject: [PATCH 1426/1479] [DM-26505] Add in values file for idfint --- services/linters/values-idfint.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 services/linters/values-idfint.yaml diff --git a/services/linters/values-idfint.yaml b/services/linters/values-idfint.yaml new file mode 100644 index 0000000000..e69de29bb2 From dbecd6311636a6ac9feab51bf0c0a3bb6d4cf03f Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 Jan 2023 11:11:30 -0700 Subject: [PATCH 1427/1479] [DM-26505] Add in vault secret --- services/linters/templates/cronjob-dns-linter.yaml | 2 +- services/linters/templates/vault-secrets.yaml | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 services/linters/templates/vault-secrets.yaml diff --git a/services/linters/templates/cronjob-dns-linter.yaml b/services/linters/templates/cronjob-dns-linter.yaml index 146fd1792c..53359c7039 100644 --- a/services/linters/templates/cronjob-dns-linter.yaml 
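Review bot: The Application is placed in `project: "default"`, the built-in AppProject that allows any source repository, any destination and cluster-scoped resources, so the Argo CD project boundary adds no least-privilege restriction to this deployment. If the other `*-application.yaml` templates in this directory do the same, this is consistent with repository convention; a dedicated AppProject scoped to this `repoURL` and the `linters` namespace would be the tighter choice, here or as a follow-up. The rest of the template reads well: `repoURL`, `targetRevision`, `fqdn` and `vault_path_prefix` are all passed through `quote`, and the Vault prefix is injected via Helm `parameters` rather than hard-coded per environment.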
+++ b/services/linters/templates/cronjob-dns-linter.yaml @@ -47,7 +47,7 @@ spec: runAsUser: 1000 runAsGroup: 1000 volumes: - - name: "secret" + - name: "aws-secret" secret: secretName: {{ template "linters.fullname" . }}-secret {{- with .Values.nodeSelector }} diff --git a/services/linters/templates/vault-secrets.yaml b/services/linters/templates/vault-secrets.yaml new file mode 100644 index 0000000000..ae5c0892a9 --- /dev/null +++ b/services/linters/templates/vault-secrets.yaml @@ -0,0 +1,9 @@ +apiVersion: ricoberger.de/v1alpha1 +kind: VaultSecret +metadata: + name: {{ template "linters.fullname" . }}-secret + labels: + {{- include "linters.labels" . | nindent 4 }} +spec: + path: "{{ .Values.global.vaultSecretsPath }}/linters" + type: Opaque From c22783523b458d083f06c2e7ac4b38498ef3367e Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 Jan 2023 12:14:09 -0700 Subject: [PATCH 1428/1479] [DM-26505] Use repository name for images This should change the permissions to make them match the repo, or at least that's what I'm hoping. --- services/linters/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/linters/values.yaml b/services/linters/values.yaml index c70913e436..7346e315ca 100644 --- a/services/linters/values.yaml +++ b/services/linters/values.yaml @@ -11,7 +11,7 @@ replicaCount: 1 image: # -- linter image to use - repository: "ghcr.io/lsst-sqre/linters" + repository: "ghcr.io/lsst-sqre/ops-linters" # -- Pull policy for the linter image pullPolicy: "IfNotPresent" From 68fb6977421369a1317ba3ba823243b2e96f0a77 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 Jan 2023 12:21:31 -0700 Subject: [PATCH 1429/1479] [DM-26505] Fix readme to update to new docker repository name --- services/linters/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/linters/README.md b/services/linters/README.md index dee69605b6..44d4fbf5c1 100644 --- a/services/linters/README.md 
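Review bot: `path: "{{ .Values.global.vaultSecretsPath }}/linters"` in the new vault-secrets.yaml renders as `/linters` when the global is unset, because values.yaml defaults it to `""` for Argo CD to override, so a `helm template` or `helm install` outside Argo CD would quietly request a secret at the wrong Vault path instead of failing. `path: "{{ required "global.vaultSecretsPath must be set" .Values.global.vaultSecretsPath }}/linters"` turns that misconfiguration into a render-time error. The secret name matches the `secretName` referenced by the CronJob volume in the preceding hunk, so the wiring between the two templates is consistent.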
+++ b/services/linters/README.md @@ -16,7 +16,7 @@ Linters running for operational reasons | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linter image | -| image.repository | string | `"ghcr.io/lsst-sqre/linters"` | linter image to use | +| image.repository | string | `"ghcr.io/lsst-sqre/ops-linters"` | linter image to use | | image.tag | string | The appVersion of the chart | Tag of linter image to use | | linterSchedule | string | `"0 0 1 * *"` | Cron schedule string for linter checking (in UTC) | | nameOverride | string | `""` | Override the base name for resources | From 0fd0cd0ebcf155d7891303e2110cadc2bdfe4f8c Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 Jan 2023 14:54:11 -0700 Subject: [PATCH 1430/1479] [DM-26505] Bump version to 0.1.2 --- services/linters/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/linters/Chart.yaml b/services/linters/Chart.yaml index fbee60bfa6..588dbceba4 100644 --- a/services/linters/Chart.yaml +++ b/services/linters/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: Linters running for operational reasons sources: - https://github.com/lsst-sqre/ops-linters -appVersion: 0.1.0 +appVersion: 0.1.2 From 2721e2eb8883ad340719c75a39bf4cd98e8988a9 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 Jan 2023 15:28:39 -0700 Subject: [PATCH 1431/1479] [DM-26505] Run the default command line for the linter image Get rid of the command line override here --- services/linters/templates/cronjob-dns-linter.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/services/linters/templates/cronjob-dns-linter.yaml b/services/linters/templates/cronjob-dns-linter.yaml index 53359c7039..b1294fa0d1 100644 --- a/services/linters/templates/cronjob-dns-linter.yaml +++ b/services/linters/templates/cronjob-dns-linter.yaml 
@@ -23,9 +23,6 @@ spec: automountServiceAccountToken: false containers: - name: "linters" - command: - - "python" - - "checker.py" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- with .Values.resources }} From 586c2bb56c8db244eaf624e0e2f7cad8dbc85daf Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 Jan 2023 15:38:30 -0700 Subject: [PATCH 1432/1479] [DM-26505] Change secret mounting path Since the file is named aws, seems silly to put aws in the path. --- services/linters/templates/cronjob-dns-linter.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/linters/templates/cronjob-dns-linter.yaml b/services/linters/templates/cronjob-dns-linter.yaml index b1294fa0d1..e072259c1c 100644 --- a/services/linters/templates/cronjob-dns-linter.yaml +++ b/services/linters/templates/cronjob-dns-linter.yaml @@ -37,7 +37,7 @@ spec: readOnlyRootFilesystem: true volumeMounts: - name: "aws-secret" - mountPath: "/etc/linters/aws-secrets" + mountPath: "/etc/linters/secrets" readOnly: true securityContext: runAsNonRoot: true From 526b60bc4398888e54618ec008983790b985cc21 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Thu, 12 Jan 2023 15:58:28 -0700 Subject: [PATCH 1433/1479] [DM-26505] Version 0.1.3 This version should source the secrets for AWS. --- services/linters/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/linters/Chart.yaml b/services/linters/Chart.yaml index 588dbceba4..9e0660bb34 100644 --- a/services/linters/Chart.yaml +++ b/services/linters/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: Linters running for operational reasons sources: - https://github.com/lsst-sqre/ops-linters -appVersion: 0.1.2 +appVersion: 0.1.3 From 72f9ad9cad6430a7da58e9b7c84fc6742ee62648 Mon Sep 17 00:00:00 2001 
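Review bot: With the explicit `command` removed, what the CronJob runs is now decided entirely by the image's ENTRYPOINT/CMD, and that image is resolved from the mutable tag on the following `image:` line (`.Values.image.tag | default .Chart.AppVersion`), so a retagged image changes both the code and the command with nothing in this chart to notice. A comment above `image:` such as `# No command override: the image's default entrypoint runs the checker` records the intent, and pinning the tag to a digest in the environment values files would make the trust in the image explicit. The container spec continues outside the hunk; `automountServiceAccountToken: false` in the context is a good default to keep.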
From: Russ Allbery Date: Thu, 12 Jan 2023 16:06:26 -0800 Subject: [PATCH 1434/1479] Update vo-cutouts and its Redis dependency --- services/vo-cutouts/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/vo-cutouts/Chart.yaml b/services/vo-cutouts/Chart.yaml index 53814d4373..17c9632a60 100644 --- a/services/vo-cutouts/Chart.yaml +++ b/services/vo-cutouts/Chart.yaml @@ -4,11 +4,11 @@ version: 1.0.0 description: "Image cutout service complying with IVOA SODA" sources: - "https://github.com/lsst-sqre/vo-cutouts" -appVersion: 0.4.2 +appVersion: 1.0.0 dependencies: - name: redis - version: 0.1.4 + version: 1.0.0 repository: https://lsst-sqre.github.io/charts/ annotations: From cfc630013be9823741e2bb376aa52b045e3e2008 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 12 Jan 2023 16:51:09 -0800 Subject: [PATCH 1435/1479] Bump version of crawlspace --- services/hips/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/hips/Chart.yaml b/services/hips/Chart.yaml index 5789b5f727..53328e149e 100644 --- a/services/hips/Chart.yaml +++ b/services/hips/Chart.yaml @@ -4,7 +4,7 @@ version: 1.0.0 description: HiPS tile server backed by Google Cloud Storage sources: - https://github.com/lsst-sqre/crawlspace -appVersion: 0.2.1 +appVersion: 1.0.0 annotations: phalanx.lsst.io/docs: | - id: "DMTN-230" From 9f08292dd3e4c1d9a159e3a321e9ebc371025ac7 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 13 Jan 2023 11:39:04 -0800 Subject: [PATCH 1436/1479] Bump version of datalinker --- services/datalinker/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index bc8a18ea85..554eef143b 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml 
@@ -4,7 +4,7 @@ version: 1.0.0 description: IVOA DataLink-based service and data discovery sources: - https://github.com/lsst-sqre/datalinker -appVersion: 1.5.0 +appVersion: 1.5.1 annotations: phalanx.lsst.io/docs: | - id: "DMTN-238" From 60f9185cf574d51fac0f866f63d1715e472f1d8c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 11 Jan 2023 16:08:48 -0800 Subject: [PATCH 1437/1479] Simplify IDF dev and IDF int group rules No need to explicitly give access to g_admins to the things accessible by g_users, since everyone in g_admins will be in g_users. Likewise for g_developers. Change the IDF dev group names to match IDF int. --- services/gafaelfawr/values-idfdev.yaml | 16 ++++++++-------- services/gafaelfawr/values-idfint.yaml | 10 +--------- 2 files changed, 9 insertions(+), 17 deletions(-) diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index 45a724911d..f09c754003 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -32,23 +32,23 @@ config: groupMapping: "admin:jupyterlab": - - "g_science-platform-idf-dev" + - "g_admins" "admin:provision": - - "g_science-platform-idf-dev" + - "g_admins" "exec:admin": - - "g_science-platform-idf-dev" + - "g_admins" "exec:notebook": - - "g_science-platform-idf-dev" + - "g_users" "exec:portal": - - "g_science-platform-idf-dev" + - "g_users" "read:image": - - "g_science-platform-idf-dev" + - "g_users" "read:tap": - - "g_science-platform-idf-dev" + - "g_users" initialAdmins: - - "afausti" - "adam" + - "afausti" - "cbanek" - "frossie" - "jsick" diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index 6a02fdcbf7..da26bf4891 100644 --- a/services/gafaelfawr/values-idfint.yaml +++ b/services/gafaelfawr/values-idfint.yaml 
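Review bot: The user-level scopes (`exec:notebook`, `exec:portal`, `read:image`, `read:tap`) now list only `g_users`, and the commit message justifies this by every member of `g_admins` (and, on idfint, `g_developers`) also being in `g_users`; that subset relationship is maintained in the identity provider, not in this file, so nothing here would flag it if group membership changes. A comment above `groupMapping`, `# g_admins and g_developers are assumed to be subsets of g_users, so user-level scopes list only g_users`, records the assumption where the next editor will see it. The same note applies to the values-idfint.yaml hunk on the next line.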
@@ -36,28 +36,20 @@ config: "exec:admin": - "g_admins" "exec:notebook": - - "g_admins" - - "g_developers" - "g_users" "exec:portal": - - "g_admins" - - "g_developers" - "g_users" "read:alertdb": - "g_admins" - "g_developers" "read:image": - - "g_admins" - - "g_developers" - "g_users" "read:tap": - - "g_admins" - - "g_developers" - "g_users" initialAdmins: - - "afausti" - "adam" + - "afausti" - "cbanek" - "frossie" - "jsick" From 5cc433b0bceb71af188531fadd7ff66c631b9fee Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 13 Jan 2023 12:37:35 -0800 Subject: [PATCH 1438/1479] Add exec:internal-tools scope This will eventually be used to control access to project-internal tools. --- services/gafaelfawr/values-base.yaml | 13 +++++++++++++ services/gafaelfawr/values-ccin2p3.yaml | 2 ++ services/gafaelfawr/values-idfdev.yaml | 2 ++ services/gafaelfawr/values-idfint.yaml | 2 ++ services/gafaelfawr/values-idfprod.yaml | 10 ++++++++++ services/gafaelfawr/values-minikube.yaml | 4 ++++ services/gafaelfawr/values-roe.yaml | 14 +++++++++----- services/gafaelfawr/values-summit.yaml | 13 +++++++++++++ services/gafaelfawr/values-tucson-teststand.yaml | 13 +++++++++++++ services/gafaelfawr/values.yaml | 2 ++ 10 files changed, 70 insertions(+), 5 deletions(-) diff --git a/services/gafaelfawr/values-base.yaml b/services/gafaelfawr/values-base.yaml index 13f12583f9..5752f7d963 100644 --- a/services/gafaelfawr/values-base.yaml +++ b/services/gafaelfawr/values-base.yaml @@ -19,6 +19,19 @@ config: - github: organization: "lsst-sqre" team: "square" + "exec:internal-tools": + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "exec:notebook": - github: organization: "lsst-sqre" 
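Review bot: On base, `exec:internal-tools` is granted to four GitHub teams including `lsst-ts/base-access` and `rubin-summit/rsp-access`, which look like the general user population of that environment, so the new scope does not distinguish internal-tools users from ordinary users there; that may be intended for an internal site, but a comment above the entry saying so would save the next reviewer from asking. The commit message says the scope has no consumer yet, so the grant is currently inert, but it will take effect the moment an ingress requires the scope. The summit and tucson-teststand hunks later in this commit repeat the same list with only the `lsst-ts` team differing.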
diff --git a/services/gafaelfawr/values-ccin2p3.yaml b/services/gafaelfawr/values-ccin2p3.yaml index 3d1fcf3066..0326a102a3 100644 --- a/services/gafaelfawr/values-ccin2p3.yaml +++ b/services/gafaelfawr/values-ccin2p3.yaml @@ -39,6 +39,8 @@ config: "exec:admin": "lsst" "read:all": - "lsst" + "exec:internal-tools": + - "lsst" "exec:notebook": - "lsst" "exec:portal": diff --git a/services/gafaelfawr/values-idfdev.yaml b/services/gafaelfawr/values-idfdev.yaml index f09c754003..a9ddcc1469 100644 --- a/services/gafaelfawr/values-idfdev.yaml +++ b/services/gafaelfawr/values-idfdev.yaml @@ -37,6 +37,8 @@ config: - "g_admins" "exec:admin": - "g_admins" + "exec:internal-tools": + - "g_users" "exec:notebook": - "g_users" "exec:portal": diff --git a/services/gafaelfawr/values-idfint.yaml b/services/gafaelfawr/values-idfint.yaml index da26bf4891..b1b8c4ba65 100644 --- a/services/gafaelfawr/values-idfint.yaml +++ b/services/gafaelfawr/values-idfint.yaml @@ -35,6 +35,8 @@ config: - "g_admins" "exec:admin": - "g_admins" + "exec:internal-tools": + - "g_users" "exec:notebook": - "g_users" "exec:portal": diff --git a/services/gafaelfawr/values-idfprod.yaml b/services/gafaelfawr/values-idfprod.yaml index 6afd5476c6..46ced602f4 100644 --- a/services/gafaelfawr/values-idfprod.yaml +++ b/services/gafaelfawr/values-idfprod.yaml @@ -21,6 +21,16 @@ config: - github: organization: "lsst-sqre" team: "square" + "exec:internal-tools": + - github: + organization: "lsst" + team: "data-management" + - github: + organization: "lsst" + team: "ops" + - github: + organization: "lsst-sqre" + team: "square" "exec:notebook": - github: organization: "lsst" diff --git a/services/gafaelfawr/values-minikube.yaml b/services/gafaelfawr/values-minikube.yaml index 6b56f79f5e..a40c7713f5 100644 --- a/services/gafaelfawr/values-minikube.yaml +++ b/services/gafaelfawr/values-minikube.yaml 
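Review bot: In the ccin2p3 hunk the context line directly above the addition appears as `"exec:admin": "lsst"`, a scalar value, while every sibling scope in the hunk, including the new `exec:internal-tools`, is a one-item list; if the chart's schema expects a list per scope, this pre-existing entry would fail validation or be interpreted differently from its neighbours, so it is worth normalising to `"exec:admin":` followed by `- "lsst"` while touching this block. The new entry itself uses the list form correctly.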
@@ -23,6 +23,10 @@ config: - github: organization: "lsst-sqre" team: "square" + "exec:internal-tools": + - github: + organization: "lsst-sqre" + team: "square" "exec:notebook": - github: organization: "lsst-sqre" diff --git a/services/gafaelfawr/values-roe.yaml b/services/gafaelfawr/values-roe.yaml index 3e07eeb73e..5f7c2128f4 100644 --- a/services/gafaelfawr/values-roe.yaml +++ b/services/gafaelfawr/values-roe.yaml @@ -18,23 +18,27 @@ config: - github: organization: "lsp-uk" team: "dev" - "read:workspace": + "exec:internal-tools": - github: organization: "lsp-uk" team: "dev" - "read:workspace/user": + "exec:portal": - github: organization: "lsp-uk" team: "dev" - "write:workspace/user": + "exec:user": - github: organization: "lsp-uk" team: "dev" - "exec:portal": + "read:workspace": - github: organization: "lsp-uk" team: "dev" - "exec:user": + "read:workspace/user": + - github: + organization: "lsp-uk" + team: "dev" + "write:workspace/user": - github: organization: "lsp-uk" team: "dev" diff --git a/services/gafaelfawr/values-summit.yaml b/services/gafaelfawr/values-summit.yaml index 97e2f7a83f..1798c04d76 100644 --- a/services/gafaelfawr/values-summit.yaml +++ b/services/gafaelfawr/values-summit.yaml @@ -24,6 +24,19 @@ config: organization: "lsst-sqre" team: "square" - "lsst-sqre-square" + "exec:internal-tools": + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "summit-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "exec:notebook": - github: organization: "lsst-sqre" diff --git a/services/gafaelfawr/values-tucson-teststand.yaml b/services/gafaelfawr/values-tucson-teststand.yaml index 02596337f6..2fe8208cb8 100644 --- a/services/gafaelfawr/values-tucson-teststand.yaml +++ b/services/gafaelfawr/values-tucson-teststand.yaml 
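Review bot: In the roe hunk the addition of `exec:internal-tools` is interleaved with re-sorting the existing scopes (`read:workspace`, `read:workspace/user`, `write:workspace/user`, `exec:portal`, `exec:user`), so the diff shows five scopes changing when only one mapping is new, and a reviewer has to reconstruct that each moved block still carries the same `lsp-uk`/`dev` team. Separating the alphabetical reorder into its own commit, or at least stating it in the commit message, keeps the access-control change auditable at a glance.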
@@ -25,6 +25,19 @@ config: organization: "lsst-sqre" team: "square" - "lsst-sqre-square" + "exec:internal-tools": + - github: + organization: "lsst-sqre" + team: "square" + - github: + organization: "lsst-sqre" + team: "friends" + - github: + organization: "lsst-ts" + team: "base-access" + - github: + organization: "rubin-summit" + team: "rsp-access" "exec:notebook": - github: organization: "lsst-sqre" diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 3484d073e7..2602dafcf8 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -223,6 +223,8 @@ config: Can perform privileged user provisioning "exec:admin": >- Administrative access to all APIs + "exec:internal-tools": >- + Use project-internal tools. "exec:notebook": >- Use the Notebook Aspect "exec:portal": >- From 6b72878e706936ed44dd8b3a518909fb7002386b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 13 Jan 2023 13:04:39 -0800 Subject: [PATCH 1439/1479] Drop NGINX header buffer changes on minikube, IDF dev Move the header buffer changes out of values.yaml into the per-environment values files and leave them off of IDF dev and minikube so that we can test whether they're needed. Clean up some duplicated settings in the values files for ccin2p3 and roe. --- services/ingress-nginx/README.md | 2 -- services/ingress-nginx/values-base.yaml | 3 +++ services/ingress-nginx/values-ccin2p3.yaml | 5 ----- services/ingress-nginx/values-idfint.yaml | 3 +++ services/ingress-nginx/values-idfprod.yaml | 3 +++ services/ingress-nginx/values-roe.yaml | 7 +------ services/ingress-nginx/values-summit.yaml | 3 +++ services/ingress-nginx/values-tucson-teststand.yaml | 3 +++ services/ingress-nginx/values.yaml | 8 -------- 9 files changed, 16 insertions(+), 21 deletions(-) diff --git a/services/ingress-nginx/README.md b/services/ingress-nginx/README.md index a42e73f147..c695a75304 100644 --- a/services/ingress-nginx/README.md +++ b/services/ingress-nginx/README.md 
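Review bot: In the values.yaml hunk the new description `Use project-internal tools.` ends with a period while the neighbouring descriptions (`Administrative access to all APIs`, `Use the Notebook Aspect`) do not; since these strings are presumably displayed wherever scope descriptions are shown, `Use project-internal tools` matches the existing style.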
@@ -14,9 +14,7 @@ Ingress controller |-----|------|---------|-------------| | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | ingress-nginx.controller.config.compute-full-forwarded-for | string | `"true"` | Put the complete path in `X-Forwarded-For`, not just the last hop, so that the client IP will be exposed to Gafaelfawr | -| ingress-nginx.controller.config.large-client-header-buffers | string | `"4 64k"` | Increase the buffer size for client headers because we may have JWTs in the client request | | ingress-nginx.controller.config.proxy-body-size | string | `"100m"` | Maximum size of the client request body (needs to be large enough to allow table uploads) | -| ingress-nginx.controller.config.proxy-buffer-size | string | `"64k"` | Increase the buffer size for responses from backend servers to allow for longer headers | | ingress-nginx.controller.config.server-snippet | string | See `values.yaml` | Add additional configuration used by Gafaelfawr to report errors from the authorization layer | | ingress-nginx.controller.config.ssl-redirect | string | `"true"` | Redirect all non-SSL access to SSL. | | ingress-nginx.controller.config.use-forwarded-headers | string | `"true"` | Enable the `X-Forwarded-For` processing | diff --git a/services/ingress-nginx/values-base.yaml b/services/ingress-nginx/values-base.yaml index 2b9fc4eeab..430a3efeed 100644 --- a/services/ingress-nginx/values-base.yaml +++ b/services/ingress-nginx/values-base.yaml @@ -1,4 +1,7 @@ ingress-nginx: controller: + config: + large-client-header-buffers: "4 64k" + proxy-buffer-size: "64k" service: loadBalancerIP: "139.229.146.150" diff --git a/services/ingress-nginx/values-ccin2p3.yaml b/services/ingress-nginx/values-ccin2p3.yaml index b8755081a0..25731ebefd 100644 --- a/services/ingress-nginx/values-ccin2p3.yaml +++ b/services/ingress-nginx/values-ccin2p3.yaml 
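Review bot: The values-base hunk (and the idfint, idfprod, summit and tucson-teststand hunks that follow) adds `large-client-header-buffers: "4 64k"` and `proxy-buffer-size: "64k"` without the explanatory comments that this commit's values.yaml hunk deletes, so the reason for the larger buffers (JWTs in request headers, long response headers) is no longer recorded anywhere in the chart. Carrying a one-line comment into each file, e.g. `# Larger header buffers: requests and responses may carry JWTs`, keeps that knowledge next to the setting. Leaving the values off IDF dev and minikube to test whether they are needed is reasonable; the commit that settles the question should say what was found.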
@@ -10,14 +10,9 @@ ingress-nginx: effect: "NoSchedule" config: - compute-full-forwarded-for: "true" large-client-header-buffers: "4 64k" - proxy-body-size: "100m" proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" service: - externalTrafficPolicy: Local externalIPs: - 134.158.237.2 type: NodePort diff --git a/services/ingress-nginx/values-idfint.yaml b/services/ingress-nginx/values-idfint.yaml index d80561ff45..233a5c9f91 100644 --- a/services/ingress-nginx/values-idfint.yaml +++ b/services/ingress-nginx/values-idfint.yaml @@ -1,4 +1,7 @@ ingress-nginx: controller: + config: + large-client-header-buffers: "4 64k" + proxy-buffer-size: "64k" service: loadBalancerIP: "35.238.192.49" diff --git a/services/ingress-nginx/values-idfprod.yaml b/services/ingress-nginx/values-idfprod.yaml index 04deedff94..a1289fb904 100644 --- a/services/ingress-nginx/values-idfprod.yaml +++ b/services/ingress-nginx/values-idfprod.yaml @@ -1,4 +1,7 @@ ingress-nginx: controller: + config: + large-client-header-buffers: "4 64k" + proxy-buffer-size: "64k" service: loadBalancerIP: "35.202.181.164" diff --git a/services/ingress-nginx/values-roe.yaml b/services/ingress-nginx/values-roe.yaml index 8706c8926c..b5e4203299 100644 --- a/services/ingress-nginx/values-roe.yaml +++ b/services/ingress-nginx/values-roe.yaml @@ -1,12 +1,8 @@ ingress-nginx: controller: config: - compute-full-forwarded-for: "true" large-client-header-buffers: "4 64k" - proxy-body-size: "100m" proxy-buffer-size: "64k" - ssl-redirect: "true" - use-forwarded-headers: "true" service: externalTrafficPolicy: null type: ClusterIP @@ -24,7 +20,6 @@ ingress-nginx: hostNetwork: true extraArgs: default-ssl-certificate: ingress-nginx/ingress-certificate - podLabels: - hub.jupyter.org/network-access-proxy-http: "true" + vaultCertificate: enabled: true diff --git a/services/ingress-nginx/values-summit.yaml b/services/ingress-nginx/values-summit.yaml index d74b046fbb..489f86ec1a 100644 
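Review bot: Removing `externalTrafficPolicy: Local` from the ccin2p3 `service` block is only a no-op if values.yaml still sets it (the roe hunk in this commit overriding it to `null` suggests it does); if it does not, a `NodePort` service with `externalIPs` falls back to `Cluster`, the source address is SNATed and `compute-full-forwarded-for` no longer gives Gafaelfawr the real client IP. Worth confirming against values.yaml, which is outside the visible hunks.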
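Review bot: The second roe hunk drops `podLabels: hub.jupyter.org/network-access-proxy-http: "true"`, which the commit message does not list among the duplicated settings being cleaned up; that label is the one JupyterHub-style NetworkPolicies typically match to let the ingress controller reach the hub proxy, so unless values.yaml sets it too the removal could break notebook access on roe. If it is intentionally redundant, saying so in the commit message avoids the question; as written the hunk replaces the label with a blank line before `vaultCertificate:`.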
--- a/services/ingress-nginx/values-summit.yaml +++ b/services/ingress-nginx/values-summit.yaml @@ -1,4 +1,7 @@ ingress-nginx: controller: + config: + large-client-header-buffers: "4 64k" + proxy-buffer-size: "64k" service: loadBalancerIP: "139.229.160.150" diff --git a/services/ingress-nginx/values-tucson-teststand.yaml b/services/ingress-nginx/values-tucson-teststand.yaml index 6b8f9b5d34..32b357a265 100644 --- a/services/ingress-nginx/values-tucson-teststand.yaml +++ b/services/ingress-nginx/values-tucson-teststand.yaml @@ -1,4 +1,7 @@ ingress-nginx: controller: + config: + large-client-header-buffers: "4 64k" + proxy-buffer-size: "64k" service: loadBalancerIP: "140.252.146.50" diff --git a/services/ingress-nginx/values.yaml b/services/ingress-nginx/values.yaml index 567f571555..132daa5e69 100644 --- a/services/ingress-nginx/values.yaml +++ b/services/ingress-nginx/values.yaml @@ -7,18 +7,10 @@ ingress-nginx: # so that the client IP will be exposed to Gafaelfawr compute-full-forwarded-for: "true" - # -- Increase the buffer size for client headers because we may have - # JWTs in the client request - large-client-header-buffers: "4 64k" - # -- Maximum size of the client request body (needs to be large enough # to allow table uploads) proxy-body-size: "100m" - # -- Increase the buffer size for responses from backend servers to - # allow for longer headers - proxy-buffer-size: "64k" - # -- Redirect all non-SSL access to SSL. ssl-redirect: "true" From 05d5c9405ddd8756d81613558df7dc228ea14266 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 13 Jan 2023 21:18:55 +0000 Subject: [PATCH 1440/1479] Update Helm release strimzi-kafka-operator to v0.32.0 --- services/strimzi/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/strimzi/Chart.yaml b/services/strimzi/Chart.yaml index 1f020ba2ff..43139f0845 100644 --- a/services/strimzi/Chart.yaml +++ b/services/strimzi/Chart.yaml 
@@ -7,5 +7,5 @@ home: https://strimzi.io appVersion: "0.26.0" dependencies: - name: strimzi-kafka-operator - version: "0.31.1" + version: "0.32.0" repository: https://strimzi.io/charts/ From 6a67357d7f420f4972a078cedb8f8ed6a0da2974 Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 13 Jan 2023 13:05:45 -0700 Subject: [PATCH 1441/1479] Update Kafka to 3.3.1 - Strimzi operator 0.32.0 requires new Kafka version --- services/sasquatch/charts/strimzi-kafka/README.md | 4 ++-- .../charts/strimzi-kafka/templates/mirrormaker2.yaml | 2 +- services/sasquatch/charts/strimzi-kafka/values.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 83e4526e3f..3c3272de9c 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md @@ -7,7 +7,7 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | Key | Type | Default | Description | |-----|------|---------|-------------| | cluster.name | string | `"sasquatch"` | Name used for the Kafka cluster, and used by Strimzi for many annotations. | -| connect.image | string | `"lsstsqre/strimzi-0.29.0-kafka-3.1.1:1.0.0"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | +| connect.image | string | `"lsstsqre/strimzi-0.32.0-kafka-3.3.1:1.0.1"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | | connect.replicas | int | `3` | Number of Kafka Connect replicas to run. | | kafka.config | object | `{"log.retention.bytes":"429496729600","log.retention.hours":72,"offsets.retention.minutes":4320}` | Configuration overrides for the Kafka server. | | kafka.config."log.retention.bytes" | string | `"429496729600"` | Maximum retained number of bytes for a topic's data. | 
@@ -22,7 +22,7 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | kafka.replicas | int | `3` | Number of Kafka broker replicas to run. | | kafka.storage.size | string | `"500Gi"` | Size of the backing storage disk for each of the Kafka brokers. | | kafka.storage.storageClassName | string | `""` | Name of a StorageClass to use when requesting persistent volumes. | -| kafka.version | string | `"3.1.1"` | Version of Kafka to deploy. | +| kafka.version | string | `"3.3.1"` | Version of Kafka to deploy. | | mirrormaker2.enabled | bool | `false` | Enable replication in the target (passive) cluster. | | mirrormaker2.source.bootstrapServer | string | `""` | Source (active) cluster to replicate from. | | mirrormaker2.source.topicsPattern | string | `"registry-schemas, lsst.sal.*"` | Topic replication from the source cluster defined as a comma-separated list or regular expression pattern. | diff --git a/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml b/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml index b599b91922..61ca7fa661 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/mirrormaker2.yaml @@ -6,7 +6,7 @@ kind: KafkaMirrorMaker2 metadata: name: replicator spec: - version: 3.2.0 + version: {{ .Values.kafka.version | quote }} replicas: 1 # In the unidirectional (active/passive) replication scenario # it is recommended to deploy MirrorMaker2 on the target (passive) cluster. diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index 4fafcd1fed..e62e72e0fa 100644 --- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml @@ -5,7 +5,7 @@ cluster: kafka: # -- Version of Kafka to deploy. - version: "3.1.1" + version: "3.3.1" # -- Number of Kafka broker replicas to run. replicas: 3 storage: 
@@ -67,7 +67,7 @@ zookeeper: connect: # -- Custom strimzi-kafka image with connector plugins used by sasquatch. - image: lsstsqre/strimzi-0.29.0-kafka-3.1.1:1.0.0 + image: lsstsqre/strimzi-0.32.0-kafka-3.3.1:1.0.1 # -- Number of Kafka Connect replicas to run. replicas: 3 From 85b26d5b6f4e255807f3e90d1c949bb871fd3dbf Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Fri, 13 Jan 2023 16:23:51 -0700 Subject: [PATCH 1442/1479] Create topics for butler metric datasets --- .../sasquatch/charts/rest-proxy/templates/topics.yaml | 9 +++++++++ .../sasquatch/charts/strimzi-kafka/templates/users.yaml | 4 ++-- 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 services/sasquatch/charts/rest-proxy/templates/topics.yaml diff --git a/services/sasquatch/charts/rest-proxy/templates/topics.yaml b/services/sasquatch/charts/rest-proxy/templates/topics.yaml new file mode 100644 index 0000000000..3b0960a60b --- /dev/null +++ b/services/sasquatch/charts/rest-proxy/templates/topics.yaml @@ -0,0 +1,9 @@ +apiVersion: kafka.strimzi.io/v1beta1 +kind: KafkaTopic +metadata: + name: lsst.dm.sky-flux-visit-statistic-metric + labels: + strimzi.io/cluster: sasquatch +spec: + replicas: 3 + partitions: 1 diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml index 360d3cce78..6ef6be6ed6 100644 --- a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml +++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml @@ -177,8 +177,8 @@ spec: operation: All - resource: type: topic - name: "sasquatch-test" - patternType: literal + name: "lsst.dm" + patternType: prefix type: allow host: "*" operation: All From 2dbbc1f4e421e08c2fd6250519fbad751858e68a Mon Sep 17 00:00:00 2001 
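Review bot: The new KafkaTopic in topics.yaml declares `apiVersion: kafka.strimzi.io/v1beta1` immediately after the operator was bumped to 0.32.0 elsewhere in this series; if that operator version no longer serves v1beta1 for KafkaTopic the resource will be rejected on apply, so this should match the API version used by the chart's other KafkaTopic resources (not visible here). The topic also carries no `config` block, so retention for `lsst.dm.sky-flux-visit-statistic-metric` falls back to the broker defaults; a comment such as `# Retention inherited from broker defaults (log.retention.*)` would make that explicit.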
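Review bot: The ACL in users.yaml widens from the single literal topic `sasquatch-test` to `operation: All` on every topic whose name begins with `lsst.dm`; because `patternType: prefix` is a plain string prefix, this also matches any future topic such as `lsst.dmsomething`, so `name: "lsst.dm."` (with the trailing separator) bounds the grant to the intended namespace. `All` on a prefix also includes Delete, Alter and AlterConfigs, which is more than a producer of metric datasets needs; if this principal only writes, `Write` and `Describe` are the least-privilege choice. The KafkaUser whose `spec.authorization.acls` this hunk edits begins outside the hunk, so which principal is being widened is not visible here.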
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 16 Jan 2023 02:29:44 +0000 Subject: [PATCH 1443/1479] Update Helm release telegraf-ds to v1.1.6 --- services/telegraf-ds/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf-ds/Chart.yaml b/services/telegraf-ds/Chart.yaml index fc695fb61c..9205380673 100644 --- a/services/telegraf-ds/Chart.yaml +++ b/services/telegraf-ds/Chart.yaml @@ -8,7 +8,7 @@ sources: - https://github.com/influxdata/helm-charts dependencies: - name: telegraf-ds - version: 1.1.5 + version: 1.1.6 repository: https://helm.influxdata.com/ annotations: phalanx.lsst.io/docs: | From 976497a96194b18c5ca35d1cd1e82fafe34463c0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 17 Jan 2023 16:57:58 +0000 Subject: [PATCH 1444/1479] Update Helm release telegraf to v1.8.24 --- services/telegraf/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/telegraf/Chart.yaml b/services/telegraf/Chart.yaml index 1cd9a4e30b..7ae4166856 100644 --- a/services/telegraf/Chart.yaml +++ b/services/telegraf/Chart.yaml @@ -8,7 +8,7 @@ sources: - https://github.com/influxdata/helm-charts dependencies: - name: telegraf - version: 1.8.23 + version: 1.8.24 repository: https://helm.influxdata.com/ annotations: phalanx.lsst.io/docs: | From 59d45ca98a320a5aca9b1a2e461f4a22fa3656b5 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Tue, 17 Jan 2023 13:18:50 -0700 Subject: [PATCH 1445/1479] [DM-26505] Linter version to 0.1.5 Since now the vault secret also has the slack webhook, I got rid of the aws part there --- services/linters/Chart.yaml | 2 +- services/linters/templates/cronjob-dns-linter.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/services/linters/Chart.yaml b/services/linters/Chart.yaml index 9e0660bb34..39db6711d8 100644 --- a/services/linters/Chart.yaml 
+++ b/services/linters/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: Linters running for operational reasons sources: - https://github.com/lsst-sqre/ops-linters -appVersion: 0.1.3 +appVersion: 0.1.5 diff --git a/services/linters/templates/cronjob-dns-linter.yaml b/services/linters/templates/cronjob-dns-linter.yaml index e072259c1c..a8699850e0 100644 --- a/services/linters/templates/cronjob-dns-linter.yaml +++ b/services/linters/templates/cronjob-dns-linter.yaml @@ -36,7 +36,7 @@ spec: - "all" readOnlyRootFilesystem: true volumeMounts: - - name: "aws-secret" + - name: "secret" mountPath: "/etc/linters/secrets" readOnly: true securityContext: @@ -44,7 +44,7 @@ spec: runAsUser: 1000 runAsGroup: 1000 volumes: - - name: "aws-secret" + - name: "secret" secret: secretName: {{ template "linters.fullname" . }}-secret {{- with .Values.nodeSelector }} From d65aca34b116a7e1094af23f8908fd9ed350a137 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 18 Jan 2023 12:32:29 -0700 Subject: [PATCH 1446/1479] [DM-26505] Use linters 0.1.6 --- services/linters/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/linters/Chart.yaml b/services/linters/Chart.yaml index 39db6711d8..5bb2e14e5e 100644 --- a/services/linters/Chart.yaml +++ b/services/linters/Chart.yaml @@ -4,4 +4,4 @@ version: 1.0.0 description: Linters running for operational reasons sources: - https://github.com/lsst-sqre/ops-linters -appVersion: 0.1.5 +appVersion: 0.1.6 From 5c8e69c74c85f8ccc2b94b2da8ce09376441b833 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 18 Jan 2023 14:00:06 -0700 Subject: [PATCH 1447/1479] [DM-26505] Make a service account for the workload identity permissions --- services/linters/templates/cronjob-dns-linter.yaml | 1 + services/linters/templates/serviceaccount.yaml | 8 ++++++++ services/linters/values-idfint.yaml | 1 + 3 files changed, 10 insertions(+) create mode 100644 services/linters/templates/serviceaccount.yaml 
diff --git a/services/linters/templates/cronjob-dns-linter.yaml b/services/linters/templates/cronjob-dns-linter.yaml index a8699850e0..47c98a62fb 100644 --- a/services/linters/templates/cronjob-dns-linter.yaml +++ b/services/linters/templates/cronjob-dns-linter.yaml @@ -21,6 +21,7 @@ spec: spec: restartPolicy: "Never" automountServiceAccountToken: false + serviceAccountName: {{ include "linters.fullname" . }} containers: - name: "linters" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" diff --git a/services/linters/templates/serviceaccount.yaml b/services/linters/templates/serviceaccount.yaml new file mode 100644 index 0000000000..6e817d7759 --- /dev/null +++ b/services/linters/templates/serviceaccount.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "linters.fullname" . }} + labels: + {{- include "linters.labels" . | nindent 4 }} + annotations: + iam.gke.io/gcp-service-account: {{ required ".Values.serviceAccount must be set to a valid Google service account" .Values.serviceAccount | quote }} diff --git a/services/linters/values-idfint.yaml b/services/linters/values-idfint.yaml index e69de29bb2..6de1a37299 100644 --- a/services/linters/values-idfint.yaml +++ b/services/linters/values-idfint.yaml @@ -0,0 +1 @@ +serviceAccount: "dns-validator-wi@science-platform-int-dc5d.iam.gserviceaccount.com" From 89f53ddf3f40f362f2e126fdd6ba8156fe861e0a Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 18 Jan 2023 14:14:47 -0700 Subject: [PATCH 1448/1479] [DM-26505] Fix schedule to run once a day --- services/linters/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/linters/values.yaml b/services/linters/values.yaml index 7346e315ca..9261041e4f 100644 --- a/services/linters/values.yaml +++ b/services/linters/values.yaml 
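Review bot: `required` on `.Values.serviceAccount` in serviceaccount.yaml makes the chart fail to render in any environment that does not set the value, and only values-idfint.yaml sets it in this commit; unless values.yaml (outside this chunk) supplies a default, the linter can no longer be deployed on clusters without GKE Workload Identity. Wrapping the annotation in `{{- if .Values.serviceAccount }}` / `{{- end }}` keeps the non-GKE path working while still binding the GSA where one is configured. The cron job pod keeps `automountServiceAccountToken: false` while now naming the service account; as far as I know the GKE metadata server identifies the pod by its Kubernetes service account without the projected token, so this combination should work, but it is worth confirming against the Workload Identity documentation. The `roles/iam.workloadIdentityUser` binding that lets this Kubernetes service account act as the GSA lives outside the chart, so a comment next to the value in values-idfint.yaml naming that prerequisite would help the next operator.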
@@ -36,7 +36,7 @@ tolerations: [] affinity: {} # -- Cron schedule string for linter checking (in UTC) -linterSchedule: "0 0 1 * *" +linterSchedule: "0 0 * * *" # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. From f33d3cc8a51ee168c1b04525416b62a8ed703765 Mon Sep 17 00:00:00 2001 From: Christine Banek Date: Wed, 18 Jan 2023 14:18:29 -0700 Subject: [PATCH 1449/1479] [DM-26505] Fix README.md --- services/linters/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/linters/README.md b/services/linters/README.md index 44d4fbf5c1..facd3c1375 100644 --- a/services/linters/README.md +++ b/services/linters/README.md @@ -18,7 +18,7 @@ Linters running for operational reasons | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linter image | | image.repository | string | `"ghcr.io/lsst-sqre/ops-linters"` | linter image to use | | image.tag | string | The appVersion of the chart | Tag of linter image to use | -| linterSchedule | string | `"0 0 1 * *"` | Cron schedule string for linter checking (in UTC) | +| linterSchedule | string | `"0 0 * * *"` | Cron schedule string for linter checking (in UTC) | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the linter pod | | podAnnotations | object | `{}` | Annotations for the linter pod | From c1c6cf7562fc31344a25066fb3b80ec5f1f64eb2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 19 Jan 2023 10:01:01 -0800 Subject: [PATCH 1450/1479] Bump version of datalinker Pick up dependency fixes. --- services/datalinker/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/datalinker/Chart.yaml b/services/datalinker/Chart.yaml index 554eef143b..90e29e1e7f 100644 --- a/services/datalinker/Chart.yaml +++ b/services/datalinker/Chart.yaml 
@@ -4,7 +4,7 @@ version: 1.0.0 description: IVOA DataLink-based service and data discovery sources: - https://github.com/lsst-sqre/datalinker -appVersion: 1.5.1 +appVersion: 1.5.2 annotations: phalanx.lsst.io/docs: | - id: "DMTN-238" From cb970b5d2c781791f30c314433d2fbf382ed89bd Mon Sep 17 00:00:00 2001 From: Brianna Smart Date: Tue, 6 Dec 2022 14:57:52 -0800 Subject: [PATCH 1451/1479] Update IP and add tls in values-idfint.yaml Add TLS auth Added static broker IPs Static broker IPs are needed to access the alert-broker from the outside, otherwise every time Kafka is restarted a new is is assigned and the SSL certificates no longer get validated. TLS auth is also needed for the brokers to be able to talk with users. --- services/alert-stream-broker/README.md | 1 + services/alert-stream-broker/values-idfint.yaml | 13 ++++++++++++- services/alert-stream-broker/values.yaml | 1 + 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/services/alert-stream-broker/README.md b/services/alert-stream-broker/README.md index 8e0c22f653..cffc94fec9 100644 --- a/services/alert-stream-broker/README.md +++ b/services/alert-stream-broker/README.md @@ -12,5 +12,6 @@ Alert transmission to community brokers | Key | Type | Default | Description | |-----|------|---------|-------------| | strimzi-registry-operator.clusterName | string | `"alert-broker"` | | +| strimzi-registry-operator.clusterNamespace | string | `"alert-stream-broker"` | | | strimzi-registry-operator.operatorNamespace | string | `"alert-stream-broker"` | | | strimzi-registry-operator.watchNamespace | string | `"alert-stream-broker"` | | diff --git a/services/alert-stream-broker/values-idfint.yaml b/services/alert-stream-broker/values-idfint.yaml index 4950d97edd..84791f748e 100644 --- a/services/alert-stream-broker/values-idfint.yaml +++ b/services/alert-stream-broker/values-idfint.yaml 
@@ -6,9 +6,20 @@ alert-stream-broker: # Addresses based on the state as of 2021-12-02; these were assigned by # Google and now we're pinning them. externalListener: + tls: + enabled: true bootstrap: - ip: 35.224.176.103 + ip: "35.224.176.103" host: alert-stream-int.lsst.cloud + brokers: + - ip: "34.28.80.188" + host: alert-stream-int-broker-0.lsst.cloud + - ip: "35.188.136.140" + host: alert-stream-int-broker-1.lsst.cloud + - ip: "35.238.84.221" + host: alert-stream-int-broker-2.lsst.cloud + + storage: size: 1500Gi diff --git a/services/alert-stream-broker/values.yaml b/services/alert-stream-broker/values.yaml index 787942fa0c..f7ebb0373b 100644 --- a/services/alert-stream-broker/values.yaml +++ b/services/alert-stream-broker/values.yaml @@ -1,6 +1,7 @@ strimzi-registry-operator: # Should match the cluster name used by the alert-stream-broker clusterName: alert-broker + clusterNamespace: alert-stream-broker # Should match the namespace where the alert-broker cluster runs watchNamespace: alert-stream-broker From 8e57024d5882f2c5a7c75856b1fcb71d3a1ab8aa Mon Sep 17 00:00:00 2001 
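Review bot: The comment above the `externalListener` block ("Addresses based on the state as of 2021-12-02; these were assigned by Google and now we're pinning them") is now stale, since this hunk pins three per-broker addresses in addition to the bootstrap address and they were presumably captured on a different date; it should be reworded to cover all four, e.g. `# Bootstrap and per-broker load balancer IPs are pinned so the TLS hostnames below stay valid across Kafka restarts.` Turning on `tls.enabled: true` with the chart's default `letsencrypt-dns` issuer means the DNS records for `alert-stream-int-broker-0/1/2.lsst.cloud` must resolve to exactly these IPs, or clients will fail hostname verification, which is the failure mode the commit message describes. The two blank lines added before `storage:` look accidental.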
From: Brianna Smart Date: Fri, 13 Jan 2023 10:56:53 -0800 Subject: [PATCH 1452/1479] Lowered partition byte limit to 24 GB The current alert-simulator is creating too many alerts for the allotted storage. For testing purposes, we will be deleting messages after 4 hours. Adjust retention and offset to 4 hours Change into ms instead of hours because ms seems to be overriding the hours setting. Add retention.minutes and retention.ms only the log.retention was being set. Added retention.ms and retention.minutes to see if that fixes the retention overrides. Change retention to 8 hours to test stability Add segmet.ms Moved log retention settings into kafka.yaml Adjust offset retention and log retention Move retention values out of kafka.yaml to values.yaml Update bytes retention Lower bytes retention to 42 gigs to test if removal is successful. Update broker and topic configs Update topic values Changed retention back to 7 days, lowered partition byte limit to 24 GB --- .../charts/alert-stream-broker/README.md | 10 +++++----- .../charts/alert-stream-broker/values.yaml | 9 +++++---- .../charts/alert-stream-simulator/README.md | 2 +- .../charts/alert-stream-simulator/values.yaml | 2 +- 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/services/alert-stream-broker/charts/alert-stream-broker/README.md b/services/alert-stream-broker/charts/alert-stream-broker/README.md index 14f48a94ef..12a267cb30 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/README.md +++ b/services/alert-stream-broker/charts/alert-stream-broker/README.md 
@@ -8,15 +8,15 @@ Kafka broker cluster for distributing alerts |-----|------|---------|-------------| | cluster.name | string | `"alert-broker"` | Name used for the Kafka broker, and used by Strimzi for many annotations. | | fullnameOverride | string | `""` | Override for the full name used for Kubernetes resources; by default one will be created based on the chart name and helm release name. | -| kafka.config | object | `{"log.retention.bytes":"644245094400","log.retention.hours":168,"offsets.retention.minutes":10080}` | Configuration overrides for the Kafka server. | -| kafka.config."log.retention.bytes" | string | `"644245094400"` | to avoid YAML type conversion issues for large numbers. | -| kafka.config."log.retention.hours" | int | `168` | Number of days for a topic's data to be retained. | -| kafka.config."offsets.retention.minutes" | int | `10080` | Number of minutes for a consumer group's offsets to be retained. | +| kafka.config | object | `{"log.retention.bytes":"42949672960","log.retention.hours":168,"offsets.retention.minutes":1440}` | Configuration overrides for the Kafka server. | +| kafka.config."log.retention.bytes" | string | `"42949672960"` | to avoid YAML type conversion issues for large numbers. | +| kafka.config."log.retention.hours" | int | `168` | Number of hours for a brokers data to be retained. | +| kafka.config."offsets.retention.minutes" | int | `1440` | Number of minutes for a consumer group's offsets to be retained. | | kafka.externalListener.bootstrap.annotations | object | `{}` | | | kafka.externalListener.bootstrap.host | string | `""` | Hostname that should be used by clients who want to connect to the broker through the bootstrap address. | | kafka.externalListener.bootstrap.ip | string | `""` | IP address that should be used by the broker's external bootstrap load balancer for access from the internet. The format of this is a string like "192.168.1.1". 
| | kafka.externalListener.brokers | list | `[]` | List of hostname and IP for each broker. The format of this is a list of maps with 'ip' and 'host' keys. For example: - ip: "192.168.1.1" host: broker-0.example - ip: "192.168.1.2" host: broker-1.example Each replica should get a host and IP. If these are unset, then IP addresses will be chosen automatically by the Kubernetes cluster's LoadBalancer controller, and hostnames will be unset, which will break TLS connections. | -| kafka.externalListener.tls.certIssuerName | string | `"letsencrypt-dns"` | | +| kafka.externalListener.tls.certIssuerName | string | `"letsencrypt-dns"` | Name of the certificate issuer. | | kafka.externalListener.tls.enabled | bool | `false` | Whether TLS encryption is enabled. | | kafka.interBrokerProtocolVersion | float | `3.2` | Version of the protocol for inter-broker communication, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | | kafka.logMessageFormatVersion | float | `3.2` | Encoding version for messages, see https://strimzi.io/docs/operators/latest/deploying.html#ref-kafka-versions-str. | diff --git a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml index ab248cc3b0..767eef60db 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml +++ b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml 
@@ -29,17 +29,18 @@ kafka: # -- Configuration overrides for the Kafka server. config: # -- Number of minutes for a consumer group's offsets to be retained. - offsets.retention.minutes: 10080 - # -- Number of days for a topic's data to be retained. + offsets.retention.minutes: 1440 + # -- Number of hours for a brokers data to be retained. log.retention.hours: 168 - # -- Maximum retained number of bytes for a topic's data. This is a string + # -- Maximum retained number of bytes for a brokers's data. This is a string # -- to avoid YAML type conversion issues for large numbers. - log.retention.bytes: "644245094400" + log.retention.bytes: "42949672960" externalListener: tls: # -- Whether TLS encryption is enabled. enabled: false + # -- Name of the certificate issuer. certIssuerName: "letsencrypt-dns" bootstrap: # -- IP address that should be used by the broker's external bootstrap load diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/README.md b/services/alert-stream-broker/charts/alert-stream-simulator/README.md index f1aa446e52..cb9016f6af 100644 --- a/services/alert-stream-broker/charts/alert-stream-simulator/README.md +++ b/services/alert-stream-broker/charts/alert-stream-simulator/README.md 
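Review bot: With `offsets.retention.minutes: 1440` and `log.retention.hours: 168`, consumer group offsets now expire after one day while the data is kept for seven, so a community broker that is offline for more than a day loses its committed position and on reconnect either replays up to a week of alerts or jumps to the latest offset, depending on its `auto.offset.reset`. If the one-day value is intentional, the line should say so, e.g. `# Offsets expire after one day; consumers idle longer than that reset rather than resume.`; otherwise keeping offsets retention at least as long as log retention is the less surprising default. The commit message attributes the change to the simulator's storage budget, which `log.retention.bytes` already addresses on its own.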
@@ -13,7 +13,7 @@ Producer which repeatedly publishes a static set of alerts into a Kafka topic | image.repository | string | `"lsstdm/alert-stream-simulator"` | Source repository for the image which holds the rubin-alert-stream program. | | image.tag | string | `"v1.2.1"` | Tag to use for the rubin-alert-stream container. | | kafkaUserName | string | `"alert-stream-simulator"` | The username of the Kafka user identity used to connect to the broker. | -| maxBytesRetained | string | `"100000000000"` | Maximum number of bytes for the replay topic, per partition, per replica. Default is 100GB | +| maxBytesRetained | string | `"24000000000"` | Maximum number of bytes for the replay topic, per partition, per replica. Default is 100GB | | maxMillisecondsRetained | string | `"604800000"` | Maximum amount of time to save simulated alerts in the replay topic, in milliseconds. Default is 7 days. | | nameOverride | string | `""` | Explicitly sets the name of the deployment and job. | | repeatInterval | int | `37` | How often (in seconds) to repeat the sample data into the replay topic. | diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml b/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml index b41680e248..fde16bbcfa 100644 --- a/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml +++ b/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml @@ -45,7 +45,7 @@ maxMillisecondsRetained: "604800000" # -- Maximum number of bytes for the replay topic, per partition, per replica. # Default is 100GB -maxBytesRetained: "100000000000" +maxBytesRetained: "24000000000" replayTopicPartitions: 8 From db11082038d2f24ff7fc43136c29ef0bd981c105 Mon Sep 17 00:00:00 2001 
From: Brianna Smart Date: Tue, 17 Jan 2023 14:22:16 -0800 Subject: [PATCH 1453/1479] Update documentation --- services/alert-stream-broker/charts/alert-database/Chart.yaml | 4 ++-- .../alert-stream-broker/charts/alert-stream-broker/Chart.yaml | 4 ++-- .../alert-stream-broker/charts/alert-stream-broker/README.md | 2 +- .../charts/alert-stream-broker/values.yaml | 4 ++-- .../charts/alert-stream-schema-registry/Chart.yaml | 4 ++-- .../charts/alert-stream-simulator/Chart.yaml | 4 ++-- .../charts/alert-stream-simulator/README.md | 2 +- .../charts/alert-stream-simulator/values.yaml | 2 +- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/services/alert-stream-broker/charts/alert-database/Chart.yaml b/services/alert-stream-broker/charts/alert-database/Chart.yaml index 374d21b33e..b2f94ebad0 100644 --- a/services/alert-stream-broker/charts/alert-database/Chart.yaml +++ b/services/alert-stream-broker/charts/alert-database/Chart.yaml @@ -3,7 +3,7 @@ name: alert-database version: 2.1.0 description: Archival database of alerts sent through the alert stream. maintainers: - - name: swnelson - email: swnelson@uw.edu + - name: bsmart + email: drbsmart@uw.edu appVersion: 1.0.0 type: application diff --git a/services/alert-stream-broker/charts/alert-stream-broker/Chart.yaml b/services/alert-stream-broker/charts/alert-stream-broker/Chart.yaml index b0a41f0a55..41df3cce85 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/Chart.yaml +++ b/services/alert-stream-broker/charts/alert-stream-broker/Chart.yaml @@ -3,7 +3,7 @@ name: alert-stream-broker version: 2.5.1 description: Kafka broker cluster for distributing alerts maintainers: - - name: swnelson - email: swnelson@uw.edu + - name: bsmart + email: drbsmart@uw.edu appVersion: 1.0.0 type: application diff --git a/services/alert-stream-broker/charts/alert-stream-broker/README.md b/services/alert-stream-broker/charts/alert-stream-broker/README.md index 12a267cb30..394f840d4c 100644 
--- a/services/alert-stream-broker/charts/alert-stream-broker/README.md +++ b/services/alert-stream-broker/charts/alert-stream-broker/README.md @@ -9,7 +9,7 @@ Kafka broker cluster for distributing alerts | cluster.name | string | `"alert-broker"` | Name used for the Kafka broker, and used by Strimzi for many annotations. | | fullnameOverride | string | `""` | Override for the full name used for Kubernetes resources; by default one will be created based on the chart name and helm release name. | | kafka.config | object | `{"log.retention.bytes":"42949672960","log.retention.hours":168,"offsets.retention.minutes":1440}` | Configuration overrides for the Kafka server. | -| kafka.config."log.retention.bytes" | string | `"42949672960"` | to avoid YAML type conversion issues for large numbers. | +| kafka.config."log.retention.bytes" | string | `"42949672960"` | Maximum retained number of bytes for a broker's data. This is a string to avoid YAML type conversion issues for large numbers. | | kafka.config."log.retention.hours" | int | `168` | Number of hours for a brokers data to be retained. | | kafka.config."offsets.retention.minutes" | int | `1440` | Number of minutes for a consumer group's offsets to be retained. | | kafka.externalListener.bootstrap.annotations | object | `{}` | | diff --git a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml index 767eef60db..35e107ae7a 100644 --- a/services/alert-stream-broker/charts/alert-stream-broker/values.yaml +++ b/services/alert-stream-broker/charts/alert-stream-broker/values.yaml 
@@ -32,8 +32,8 @@ kafka: offsets.retention.minutes: 1440 # -- Number of hours for a brokers data to be retained. log.retention.hours: 168 - # -- Maximum retained number of bytes for a brokers's data. This is a string - # -- to avoid YAML type conversion issues for large numbers. + # -- Maximum retained number of bytes for a broker's data. This is a string + # to avoid YAML type conversion issues for large numbers. log.retention.bytes: "42949672960" externalListener: diff --git a/services/alert-stream-broker/charts/alert-stream-schema-registry/Chart.yaml b/services/alert-stream-broker/charts/alert-stream-schema-registry/Chart.yaml index fa14e7ae03..7cc9618d20 100644 --- a/services/alert-stream-broker/charts/alert-stream-schema-registry/Chart.yaml +++ b/services/alert-stream-broker/charts/alert-stream-schema-registry/Chart.yaml @@ -3,7 +3,7 @@ name: alert-stream-schema-registry version: 2.1.0 description: Confluent Schema Registry for managing schema versions for the Alert Stream maintainers: - - name: swnelson - email: swnelson@uw.edu + - name: bsmart + email: drbsmart@uw.edu appVersion: 1.0.0 type: application diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/Chart.yaml b/services/alert-stream-broker/charts/alert-stream-simulator/Chart.yaml index 668b29606f..c2255fd9ac 100644 --- a/services/alert-stream-broker/charts/alert-stream-simulator/Chart.yaml +++ b/services/alert-stream-broker/charts/alert-stream-simulator/Chart.yaml @@ -3,7 +3,7 @@ name: alert-stream-simulator version: 1.6.2 description: Producer which repeatedly publishes a static set of alerts into a Kafka topic maintainers: - - name: swnelson - email: swnelson@uw.edu + - name: bsmart + email: drbsmart@uw.edu appVersion: 1.2.1 type: application diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/README.md b/services/alert-stream-broker/charts/alert-stream-simulator/README.md index cb9016f6af..e0833c4138 100644 
--- a/services/alert-stream-broker/charts/alert-stream-simulator/README.md +++ b/services/alert-stream-broker/charts/alert-stream-simulator/README.md @@ -13,7 +13,7 @@ Producer which repeatedly publishes a static set of alerts into a Kafka topic | image.repository | string | `"lsstdm/alert-stream-simulator"` | Source repository for the image which holds the rubin-alert-stream program. | | image.tag | string | `"v1.2.1"` | Tag to use for the rubin-alert-stream container. | | kafkaUserName | string | `"alert-stream-simulator"` | The username of the Kafka user identity used to connect to the broker. | -| maxBytesRetained | string | `"24000000000"` | Maximum number of bytes for the replay topic, per partition, per replica. Default is 100GB | +| maxBytesRetained | string | `"24000000000"` | Maximum number of bytes for the replay topic, per partition, per replica. Default is 100GB, but should be lower to not fill storage. | | maxMillisecondsRetained | string | `"604800000"` | Maximum amount of time to save simulated alerts in the replay topic, in milliseconds. Default is 7 days. | | nameOverride | string | `""` | Explicitly sets the name of the deployment and job. | | repeatInterval | int | `37` | How often (in seconds) to repeat the sample data into the replay topic. | diff --git a/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml b/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml index fde16bbcfa..ef7ad6ddaa 100644 --- a/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml +++ b/services/alert-stream-broker/charts/alert-stream-simulator/values.yaml @@ -44,7 +44,7 @@ repeatInterval: 37 maxMillisecondsRetained: "604800000" # -- Maximum number of bytes for the replay topic, per partition, per replica. -# Default is 100GB +# Default is 100GB, but should be lower to not fill storage. maxBytesRetained: "24000000000" replayTopicPartitions: 8 From a8fab5f1ebfe755036a29d278e975e0853005913 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 23 Jan 2023 02:22:12 +0000
Subject: [PATCH 1454/1479] Update gcr.io/cloudsql-docker/gce-proxy Docker tag to v1.33.2
---
 services/gafaelfawr/values.yaml | 2 +-
 services/sqlproxy-cross-project/values.yaml | 2 +-
 services/times-square/values.yaml | 2 +-
 services/vo-cutouts/values.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml
index 2602dafcf8..7c5aac70e9 100644
--- a/services/gafaelfawr/values.yaml
+++ b/services/gafaelfawr/values.yaml
@@ -261,7 +261,7 @@ cloudsql:
 repository: "gcr.io/cloudsql-docker/gce-proxy"
 # -- Cloud SQL Auth Proxy tag to use
- tag: "1.33.1"
+ tag: "1.33.2"
 # -- Pull policy for Cloud SQL Auth Proxy images
 pullPolicy: "IfNotPresent"
diff --git a/services/sqlproxy-cross-project/values.yaml b/services/sqlproxy-cross-project/values.yaml
index 9b4bc9bfd5..af3a655f68 100644
--- a/services/sqlproxy-cross-project/values.yaml
+++ b/services/sqlproxy-cross-project/values.yaml
@@ -14,7 +14,7 @@ image:
 repository: "gcr.io/cloudsql-docker/gce-proxy"
 # -- Tag of Cloud SQL Proxy image to use
- tag: "1.33.1"
+ tag: "1.33.2"
 # -- Pull policy for the Cloud SQL Proxy image
 pullPolicy: "IfNotPresent"
diff --git a/services/times-square/values.yaml b/services/times-square/values.yaml
index 1197f23519..7abb126d69 100644
--- a/services/times-square/values.yaml
+++ b/services/times-square/values.yaml
@@ -123,7 +123,7 @@ cloudsql:
 repository: "gcr.io/cloudsql-docker/gce-proxy"
 # -- Cloud SQL Auth Proxy tag to use
- tag: "1.33.1"
+ tag: "1.33.2"
 # -- Pull policy for Cloud SQL Auth Proxy images
 pullPolicy: "IfNotPresent"
diff --git a/services/vo-cutouts/values.yaml b/services/vo-cutouts/values.yaml
index a553fdfb99..5261de2cd7 100644
--- a/services/vo-cutouts/values.yaml
+++ b/services/vo-cutouts/values.yaml
@@ -75,7 +75,7 @@ cloudsql: repository: "gcr.io/cloudsql-docker/gce-proxy" # -- Cloud SQL Auth Proxy tag to use - tag: "1.33.1" + tag: "1.33.2" # -- Pull policy for Cloud SQL Auth Proxy images pullPolicy: "IfNotPresent" From d97c2648938ce0f7477eb123910915a62974a89d Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 24 Jan 2023 09:17:17 -0800 Subject: [PATCH 1455/1479] Regenerate Helm docs --- services/gafaelfawr/README.md | 2 +- services/sqlproxy-cross-project/README.md | 2 +- services/times-square/README.md | 2 +- services/vo-cutouts/README.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 5b221822cb..9aa74ca019 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -17,7 +17,7 @@ Authentication and identity system | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy, used with CloudSQL databases on Google Cloud. This will be run as a sidecar for the main Gafaelfawr pods, and as a separate service (behind a `NetworkPolicy`) for other, lower-traffic services. | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.33.1"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.33.2"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | None, must be set if Cloud SQL Auth Proxy is enabled | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.nodeSelector | object | `{}` | Node selection rules for the Cloud SQL Proxy pod | | cloudsql.podAnnotations | object | `{}` | Annotations for the Cloud SQL Proxy pod | diff --git a/services/sqlproxy-cross-project/README.md b/services/sqlproxy-cross-project/README.md index e686d30ab7..7764bd010b 100644 
--- a/services/sqlproxy-cross-project/README.md +++ b/services/sqlproxy-cross-project/README.md @@ -19,7 +19,7 @@ GCP SQL Proxy as a service | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Cloud SQL Proxy image | | image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Proxy image to use | -| image.tag | string | `"1.33.1"` | Tag of Cloud SQL Proxy image to use | +| image.tag | string | `"1.33.2"` | Tag of Cloud SQL Proxy image to use | | nameOverride | string | `""` | Override the base name for resources | | nodeSelector | object | `{}` | Node selector rules for the Cloud SQL Proxy pod | | podAnnotations | object | `{}` | Annotations for the Cloud SQL Proxy pod | diff --git a/services/times-square/README.md b/services/times-square/README.md index c788c0549b..dfa03521ec 100644 --- a/services/times-square/README.md +++ b/services/times-square/README.md @@ -18,7 +18,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.33.1"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.33.2"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | `""` | The Google service account that has an IAM binding to the `times-square` Kubernetes service accounts and has the `cloudsql.client` role | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | 
diff --git a/services/vo-cutouts/README.md b/services/vo-cutouts/README.md index 40ff29b07a..7fd791fa78 100644 --- a/services/vo-cutouts/README.md +++ b/services/vo-cutouts/README.md @@ -14,7 +14,7 @@ Image cutout service complying with IVOA SODA | cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with CloudSQL databases on Google Cloud | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.tag | string | `"1.33.1"` | Cloud SQL Auth Proxy tag to use | +| cloudsql.image.tag | string | `"1.33.2"` | Cloud SQL Auth Proxy tag to use | | cloudsql.instanceConnectionName | string | `""` | Instance connection name for a CloudSQL PostgreSQL instance | | cloudsql.serviceAccount | string | None, must be set | The Google service account that has an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to the GCS bucket, and ability to sign URLs as itself | | config.databaseUrl | string | None, must be set | URL for the PostgreSQL database | From 662d02b7e96cc597014b4bd4601f75047091d048 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 24 Jan 2023 17:24:43 +0000 Subject: [PATCH 1456/1479] Update redis Docker tag to v7.0.8 --- services/gafaelfawr/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/values.yaml b/services/gafaelfawr/values.yaml index 7c5aac70e9..7439a72e94 100644 --- a/services/gafaelfawr/values.yaml +++ b/services/gafaelfawr/values.yaml @@ -334,7 +334,7 @@ redis: repository: "redis" # -- Redis image tag to use - tag: "7.0.7" + tag: "7.0.8" # -- Pull policy for the Redis image pullPolicy: "IfNotPresent" From 921007ab1c79a6c9727d39caf85913d38bb8d201 Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Tue, 24 Jan 2023 09:32:41 -0800 Subject: [PATCH 1457/1479] Regenerate Helm docs --- services/gafaelfawr/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gafaelfawr/README.md b/services/gafaelfawr/README.md index 9aa74ca019..301bb5dd89 100644 --- a/services/gafaelfawr/README.md +++ b/services/gafaelfawr/README.md @@ -93,7 +93,7 @@ Authentication and identity system | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the Redis image | | redis.image.repository | string | `"redis"` | Redis image to use | -| redis.image.tag | string | `"7.0.7"` | Redis image tag to use | +| redis.image.tag | string | `"7.0.8"` | Redis image tag to use | | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod | | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request | | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. | From 4642d5b4da2a03cde5362a770ebeefbffcc89956 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 23 Jan 2023 18:00:46 -0500 Subject: [PATCH 1458/1479] Handle apps with names that have _ in values It was a practice in environment values.yaml files to use _ in place of - in app names. e.g. times_square: enabled: true Instead of using the actual app name: times-square: enabled: true This change handles that situation so that many missing apps with `-` in their names now appear in environment pages. --- src/phalanx/docs/models.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/phalanx/docs/models.py b/src/phalanx/docs/models.py index 4aecccfdd5..c39d1e1805 100644 --- a/src/phalanx/docs/models.py +++ b/src/phalanx/docs/models.py 
@@ -326,11 +326,15 @@ def load( apps.append(app) continue - try: + if app.name in values: if values[app.name]["enabled"] is True: apps.append(app) - except KeyError: - continue + elif (app_name_underscore := app.name.replace("-", "_")) in values: + # Many keys in an env's values.yaml use underscores instead of + # dashes, so they don't match the actual application name + if values[app_name_underscore]["enabled"] is True: + apps.append(app) + apps.sort(key=lambda a: a.name) return Environment( From 16cdd4489e9af30da362add37823aef1d03dba91 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 24 Jan 2023 13:04:23 -0800 Subject: [PATCH 1459/1479] Deploy cutout service on IDF dev We should now have access to Butler, so this will hopefully work properly. --- science-platform/values-idfdev.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index 880584d281..942fa3cfa6 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -65,4 +65,4 @@ times_square: vault_secrets_operator: enabled: true vo_cutouts: - enabled: false + enabled: true From 3c0e35491c1daab3a13e15d89668392253640b14 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 24 Jan 2023 13:11:44 -0800 Subject: [PATCH 1460/1479] Add Butler configuration for IDF dev Allow Butler applications such as vo-cutouts to be deployed on IDF dev using the same Butler as IDF int. --- science-platform/values-idfdev.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/science-platform/values-idfdev.yaml b/science-platform/values-idfdev.yaml index 942fa3cfa6..50b2a0a67d 100644 --- a/science-platform/values-idfdev.yaml +++ b/science-platform/values-idfdev.yaml @@ -1,6 +1,7 @@ environment: idfdev fqdn: data-dev.lsst.cloud vault_path_prefix: secret/k8s_operator/data-dev.lsst.cloud +butlerRepositoryIndex: "s3://butler-us-central1-repo-locations/data-int-repos.yaml" alert_stream_broker: enabled: false 
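Review bot: The rewrite drops the old `try`/`except KeyError`, so an app stanza that exists in `values` but has no `enabled` key now raises `KeyError` where the previous code skipped the app; a bare `times_square:` key (which YAML loads as `None`) raises `TypeError` on subscripting in both versions. Handling both spellings in one place avoids the duplicated branch as well: `stanza = values.get(app.name, values.get(app.name.replace("-", "_")))` / `if isinstance(stanza, dict) and stanza.get("enabled") is True:` / `apps.append(app)`. The walrus operator used on the `elif` line needs Python 3.8+, which I assume the project already targets. The enclosing `load` function starts before this hunk.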
From 40d8225a74daaf44029b5c96587440344a06c06a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 25 Jan 2023 00:31:15 +0000 Subject: [PATCH 1461/1479] Run helm-docs --- services/sasquatch/charts/strimzi-kafka/README.md | 2 +- services/sasquatch/charts/strimzi-kafka/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/sasquatch/charts/strimzi-kafka/README.md b/services/sasquatch/charts/strimzi-kafka/README.md index 3c3272de9c..9e1c0b03a3 100644 --- a/services/sasquatch/charts/strimzi-kafka/README.md +++ b/services/sasquatch/charts/strimzi-kafka/README.md @@ -7,7 +7,7 @@ A subchart to deploy Strimzi Kafka components for Sasquatch. | Key | Type | Default | Description | |-----|------|---------|-------------| | cluster.name | string | `"sasquatch"` | Name used for the Kafka cluster, and used by Strimzi for many annotations. | -| connect.image | string | `"lsstsqre/strimzi-0.32.0-kafka-3.3.1:1.0.1"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | +| connect.image | string | `"lsstsqre/strimzi-0.32.0-kafka-3.3.1:1.0.2"` | Custom strimzi-kafka image with connector plugins used by sasquatch. | | connect.replicas | int | `3` | Number of Kafka Connect replicas to run. | | kafka.config | object | `{"log.retention.bytes":"429496729600","log.retention.hours":72,"offsets.retention.minutes":4320}` | Configuration overrides for the Kafka server. | | kafka.config."log.retention.bytes" | string | `"429496729600"` | Maximum retained number of bytes for a topic's data. | diff --git a/services/sasquatch/charts/strimzi-kafka/values.yaml b/services/sasquatch/charts/strimzi-kafka/values.yaml index e62e72e0fa..f51ca51c70 100644 --- a/services/sasquatch/charts/strimzi-kafka/values.yaml +++ b/services/sasquatch/charts/strimzi-kafka/values.yaml 
@@ -67,7 +67,7 @@ zookeeper: connect: # -- Custom strimzi-kafka image with connector plugins used by sasquatch. - image: lsstsqre/strimzi-0.32.0-kafka-3.3.1:1.0.1 + image: lsstsqre/strimzi-0.32.0-kafka-3.3.1:1.0.2 # -- Number of Kafka Connect replicas to run. replicas: 3 From 97576b31a54f33390ae46a4518f9b4886958c1c3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 25 Jan 2023 15:52:38 +0000 Subject: [PATCH 1462/1479] Update lsstsqre/kafkaconnect Docker tag to v1.0.2 --- services/sasquatch/charts/kafka-connect-manager/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/charts/kafka-connect-manager/values.yaml b/services/sasquatch/charts/kafka-connect-manager/values.yaml index 64122bc81a..d3f74b3f47 100644 --- a/services/sasquatch/charts/kafka-connect-manager/values.yaml +++ b/services/sasquatch/charts/kafka-connect-manager/values.yaml @@ -2,7 +2,7 @@ # See also https://kafka-connect-manager.lsst.io image: repository: lsstsqre/kafkaconnect - tag: 1.0.0 + tag: 1.0.2 pullPolicy: IfNotPresent influxdbSink: From 319eab349b9760269e01f7c87750f30effcbac2b Mon Sep 17 00:00:00 2001 From: Angelo Fausti Date: Wed, 25 Jan 2023 08:56:19 -0700 Subject: [PATCH 1463/1479] Update image tag for kafka-connect-manager to 1.0.2 --- services/sasquatch/charts/kafka-connect-manager/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/sasquatch/charts/kafka-connect-manager/README.md b/services/sasquatch/charts/kafka-connect-manager/README.md index a7bb05341a..f03f7b4344 100644 --- a/services/sasquatch/charts/kafka-connect-manager/README.md +++ b/services/sasquatch/charts/kafka-connect-manager/README.md 
@@ -11,7 +11,7 @@ A subchart to deploy the Kafka connectors used by Sasquatch. | env.kafkaUsername | string | `"kafka-connect-manager"` | Username for SASL authentication. | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"lsstsqre/kafkaconnect"` | | -| image.tag | string | `"1.0.0"` | | +| image.tag | string | `"1.0.2"` | | | influxdbSink.autoUpdate | bool | `true` | If autoUpdate is enabled, check for new kafka topics. | | influxdbSink.checkInterval | string | `"15000"` | The interval, in milliseconds, to check for new topics and update the connector. | | influxdbSink.connectInfluxDb | string | `"efd"` | InfluxDB database to write to. | From e9aee54ca4cb84693d1c17b70da5b8173f30a65e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 25 Jan 2023 11:47:32 -0800 Subject: [PATCH 1464/1479] Add more Gafaelfawr documentation Add a link to SQR-055 and add a troubleshooting section for the problem with enrollment attributes we ran into. --- docs/applications/gafaelfawr/troubleshoot.rst | 10 ++++++++++ services/gafaelfawr/Chart.yaml | 3 +++ 2 files changed, 13 insertions(+) diff --git a/docs/applications/gafaelfawr/troubleshoot.rst b/docs/applications/gafaelfawr/troubleshoot.rst index 0a7ec6ba2b..0428201946 100644 --- a/docs/applications/gafaelfawr/troubleshoot.rst +++ b/docs/applications/gafaelfawr/troubleshoot.rst 
@@ -25,6 +25,16 @@ Usually this means they weren't added or (in the case of groups from GitHub team For a new GitHub configuration, it's possible that the organizational membership is private and the user didn't release it. See :doc:`github-organizations` for more details about that problem. +COmanage enrollment fails after prompting for attributes +======================================================== + +If all attempts to enroll new users in COmanage fail after the user enters their name and email address with the error "Please recheck the highlighted fields," the issue is probably with the enrollment attribute configuration. +If there is a problem with the configuration of a hidden field, the error message may be very confusing and non-specific. + +Double-check the configuration of the "Self Signup With Approval" enrollment flow against :sqr:`055`. +Pay careful attention to the enrollment attributes, particularly the "Users group" configuration, which has a hidden value. +There is currently a bug in COmanage that causes it to not display the default values for attributes properly, so you may need to edit the enrollment attribute and set the default value again to be certain it's correct. + Viewing logs ============ diff --git a/services/gafaelfawr/Chart.yaml b/services/gafaelfawr/Chart.yaml index 841c79e7e8..ab5af9c92d 100644 --- a/services/gafaelfawr/Chart.yaml +++ b/services/gafaelfawr/Chart.yaml @@ -15,6 +15,9 @@ annotations: - id: "DMTN-224" title: "RSP identity management implementation strategy" url: "https://dmtn-224.lsst.io/" + - id: "SQR-055" + title: "COmanage configuration for Rubin Science Platform" + url: "https://sqr-055.lsst.io/" - id: "SQR-069" title: "Implementation decisions for RSP identity management" url: "https://sqr-069.lsst.io/" From 72d8596ebd176070003830eed594b7045920ed55 Mon Sep 17 00:00:00 2001 
From: Russ Allbery
Date: Thu, 26 Jan 2023 08:05:43 -0800
Subject: [PATCH 1465/1479] Fix URL for mobu system-test on data-int Use the same repository that we use everywhere else.
---
 services/mobu/values-idfint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/mobu/values-idfint.yaml b/services/mobu/values-idfint.yaml
index ebb5d3b9fa..a1d5b30fea 100644
--- a/services/mobu/values-idfint.yaml
+++ b/services/mobu/values-idfint.yaml
@@ -12,7 +12,7 @@ autostart:
 - "read:tap"
 business: "NotebookRunner"
 options:
- repo_url: "https://github.com/SimonKrughoff/system-test.git"
+ repo_url: "https://github.com/lsst-sqre/system-test.git"
 repo_branch: "prod"
 max_executions: 1
 restart: true
From 4b7267778a4223d245db16a4dbf7fde0ea3a5cc6 Mon Sep 17 00:00:00 2001
From: roby
Date: Thu, 5 Jan 2023 13:29:00 -0700
Subject: [PATCH 1466/1479] portal 2022.6.0
---
 services/portal/templates/deployment.yaml | 7 ++++++-
 services/portal/values-idfdev.yaml | 3 +++
 services/portal/values-idfint.yaml | 3 +++
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/services/portal/templates/deployment.yaml b/services/portal/templates/deployment.yaml
index e8dce66935..60f6147ba1 100644
--- a/services/portal/templates/deployment.yaml
+++ b/services/portal/templates/deployment.yaml
@@ -88,7 +88,12 @@ spec:
 ],
 "label": "Rubin Featured MOC"
 }
- }
+ },
+ "searchActionsCmdMask": [
+ "tableHiPS", "tapRadius", "tapArea", "tableTapRadius",
+ "HiPS", "lsstObsCoreTap", "lsstTruthSummaryRadius", "lsstTruthSummaryArea",
+ "lsstObsCoreTapTable", "lsstTruthSummaryRadiusTable"
+ ]
 }'
 - name: "SERVER_CONFIG_DIR"
 value: "/firefly/config"
diff --git a/services/portal/values-idfdev.yaml b/services/portal/values-idfdev.yaml
index b8d18401c0..b8b3ea0bd2 100644
--- a/services/portal/values-idfdev.yaml
+++ b/services/portal/values-idfdev.yaml
@@ -1,5 +1,8 @@
 replicaCount: 2
+image:
+ tag: "suit-2022.6.0"
+
 config:
 volumes:
 workareaNfs:
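Review bot: The `searchActionsCmdMask` list is hard-coded inside the JSON literal in the deployment template, so it cannot be overridden per environment and is invisible to helm-docs. Moving it to a values key (for example `config.searchActionsCmdMask`) rendered as `"searchActionsCmdMask": {{ .Values.config.searchActionsCmdMask | toJson }}` would keep the per-environment values files as the single place that differs, and it avoids hand-maintaining JSON commas inside a single-quoted YAML scalar, where a stray `'` in any value would break the manifest. The JSON literal and the `env` stanza continue outside the hunk.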
diff --git a/services/portal/values-idfint.yaml b/services/portal/values-idfint.yaml
index bbff39a615..5098a43654 100644
--- a/services/portal/values-idfint.yaml
+++ b/services/portal/values-idfint.yaml
@@ -1,5 +1,8 @@
 replicaCount: 4
+image:
+ tag: "suit-2022.6.0"
+
 config:
 volumes:
 workareaNfs:
From 0b88791e6d2a970576aa528ebc04c3bc4ee0af56 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Wed, 25 Jan 2023 09:19:18 -0700
Subject: [PATCH 1467/1479] Add prompt-processing KafkaUser resource - Enable SASL authentication - Allow full control of the `test.next-visit` topic
---
 .../charts/strimzi-kafka/templates/users.yaml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml
index 6ef6be6ed6..be54e7d114 100644
--- a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml
@@ -182,3 +182,34 @@ spec:
 type: allow
 host: "*"
 operation: All
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaUser
+metadata:
+ name: prompt-processing
+ labels:
+ strimzi.io/cluster: {{ .Values.cluster.name }}
+spec:
+ authentication:
+ type: scram-sha-512
+ password:
+ valueFrom:
+ secretKeyRef:
+ name: sasquatch
+ key: prompt-processing-password
+ authorization:
+ type: simple
+ acls:
+ - resource:
+ type: group
+ name: "*"
+ patternType: literal
+ operation: All
+ - resource:
+ type: topic
+ name: "test.next-visit"
+ patternType: literal
+ type: allow
+ host: "*"
+ operation: All
+
From a7cf7a401f1a0bf0fb994de852fa0803b9f79eb8 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Wed, 25 Jan 2023 09:21:56 -0700
Subject: [PATCH 1468/1479] Add the test.next-visit topic
---
 .../sasquatch/charts/rest-proxy/templates/topics.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
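Review bot: The new `prompt-processing` KafkaUser is granted `operation: All` on every consumer group (`type: group`, `name: "*"`) and on the `test.next-visit` topic, which is wider than a client that produces and consumes needs, since `All` also covers Delete and Alter. If full control is deliberate, a comment above the ACL saying why would help the next reader; otherwise scope the group ACL to a prefix this client owns, `name: "prompt-processing"` with `patternType: prefix`, and list the operations actually used (Read, Write, Describe) instead of `All`. The group entry also omits the `type: allow` and `host: "*"` keys that the topic entry and the surrounding users spell out; Strimzi defaults them, but writing them explicitly keeps the ACL list uniform. The trailing added blank line at the end of the file can be dropped.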
diff --git a/services/sasquatch/charts/rest-proxy/templates/topics.yaml b/services/sasquatch/charts/rest-proxy/templates/topics.yaml
index 3b0960a60b..3c0a147768 100644
--- a/services/sasquatch/charts/rest-proxy/templates/topics.yaml
+++ b/services/sasquatch/charts/rest-proxy/templates/topics.yaml
@@ -7,3 +7,14 @@ metadata:
 spec:
 replicas: 3
 partitions: 1
+---
+apiVersion: kafka.strimzi.io/v1beta1
+kind: KafkaTopic
+metadata:
+ name: test.next-visit
+ labels:
+ strimzi.io/cluster: sasquatch
+spec:
+ replicas: 3
+ partitions: 1
+
From ced0c4ceb7fdbc824332967105781f31c4192e6e Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Wed, 25 Jan 2023 09:24:43 -0700
Subject: [PATCH 1469/1479] Give the REST proxy user full control of the `test.next-visit` topic
---
 .../sasquatch/charts/strimzi-kafka/templates/users.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml
index be54e7d114..6b43ffa569 100644
--- a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml
@@ -182,6 +182,13 @@ spec:
 type: allow
 host: "*"
 operation: All
+ - resource:
+ type: topic
+ name: "test.next-visit"
+ patternType: literal
+ type: allow
+ host: "*"
+ operation: All
 ---
 apiVersion: kafka.strimzi.io/v1beta2
 kind: KafkaUser
From 953f63e83c9614d410bc79547cb36c92c9569bfe Mon Sep 17 00:00:00 2001
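Review bot: The new `KafkaTopic` is declared with `apiVersion: kafka.strimzi.io/v1beta1`, while the `KafkaUser` resources in the sibling strimzi-kafka chart use `v1beta2`; if the Strimzi CRDs installed in the cluster no longer serve `v1beta1`, this manifest fails to apply, so confirm the served versions and prefer `v1beta2` for consistency. The cluster label is also a hard-coded `sasquatch` here rather than a value, which the later commit in this series addresses. The trailing added blank line at the end of the file can be dropped.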
From: Angelo Fausti
Date: Fri, 27 Jan 2023 11:57:33 -0700
Subject: [PATCH 1470/1479] Configure topics exposed in the REST proxy API - Add kafa.topics parameter to rest-proxy values.yaml - Create KafkaTopic resources and give full permission for the rest-proxy user on the configured topics - Also configure the kafka.cluster.name used to annotate the Strimzi resources
---
 .../charts/rest-proxy/templates/topics.yaml | 18 +++------
 .../charts/rest-proxy/templates/user.yaml | 31 ++++++++++++++++
 .../sasquatch/charts/rest-proxy/values.yaml | 5 +++
 .../charts/strimzi-kafka/templates/users.yaml | 37 -------------------
 services/sasquatch/values-idfdev.yaml | 4 ++
 5 files changed, 46 insertions(+), 49 deletions(-)
 create mode 100644 services/sasquatch/charts/rest-proxy/templates/user.yaml
diff --git a/services/sasquatch/charts/rest-proxy/templates/topics.yaml b/services/sasquatch/charts/rest-proxy/templates/topics.yaml
index 3c0a147768..e46d717fb8 100644
--- a/services/sasquatch/charts/rest-proxy/templates/topics.yaml
+++ b/services/sasquatch/charts/rest-proxy/templates/topics.yaml
@@ -1,20 +1,14 @@
-apiVersion: kafka.strimzi.io/v1beta1
-kind: KafkaTopic
-metadata:
- name: lsst.dm.sky-flux-visit-statistic-metric
- labels:
- strimzi.io/cluster: sasquatch
-spec:
- replicas: 3
- partitions: 1
+
+{{- $cluster := .Values.kafka.cluster.name }}
+{{- range $topic := .Values.kafka.topics }}
 ---
 apiVersion: kafka.strimzi.io/v1beta1
 kind: KafkaTopic
 metadata:
- name: test.next-visit
+ name: {{ $topic }}
 labels:
- strimzi.io/cluster: sasquatch
+ strimzi.io/cluster: {{ $cluster }}
 spec:
 replicas: 3
 partitions: 1
-
+{{- end }}
diff --git a/services/sasquatch/charts/rest-proxy/templates/user.yaml b/services/sasquatch/charts/rest-proxy/templates/user.yaml
new file mode 100644
index 0000000000..a489c2a49c
--- /dev/null
+++ b/services/sasquatch/charts/rest-proxy/templates/user.yaml
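Review bot: `name: {{ $topic }}` is rendered as a plain scalar, so a topic name made only of digits, or one that YAML reads as a boolean or null, is typed as a non-string and rejected by the Kubernetes API; render it as `name: {{ $topic | quote }}`. The same unquoted `name: {{ $topic }}` appears in the topic ACL of the new rest-proxy `user.yaml` added by this commit. The file now starts with an added empty line ahead of `{{- $cluster ... }}`, which is harmless but renders a blank line into every manifest stream. The `v1beta1` apiVersion is carried over from the old file while the `KafkaUser` templates use `v1beta2`; confirm the installed CRDs still serve it.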
@@ -0,0 +1,31 @@
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaUser
+metadata:
+ name: rest-proxy
+ labels:
+ strimzi.io/cluster: {{ .Values.kafka.cluster.name }}
+spec:
+ authentication:
+ type: scram-sha-512
+ password:
+ valueFrom:
+ secretKeyRef:
+ name: sasquatch
+ key: rest-proxy-password
+ authorization:
+ type: simple
+ acls:
+ - resource:
+ type: group
+ name: "*"
+ patternType: literal
+ operation: All
+ {{- range $topic := .Values.kafka.topics }}
+ - resource:
+ type: topic
+ name: {{ $topic }}
+ patternType: literal
+ type: allow
+ host: "*"
+ operation: All
+ {{- end }}
diff --git a/services/sasquatch/charts/rest-proxy/values.yaml b/services/sasquatch/charts/rest-proxy/values.yaml
index 50fdb6580b..38a8d8eac4 100644
--- a/services/sasquatch/charts/rest-proxy/values.yaml
+++ b/services/sasquatch/charts/rest-proxy/values.yaml
@@ -42,8 +42,13 @@ schemaregistry:
 url: "http://sasquatch-schema-registry.sasquatch:8081"
 kafka:
+ cluster:
+ # -- Name of the Strimzi Kafka cluster.
+ name: sasquatch
 # -- Kafka bootstrap servers, use the internal listerner on port 9092 wit SASL connection.
 bootstrapServers: "SASL_PLAINTEXT://sasquatch-kafka-bootstrap.sasquatch:9092"
+ # -- List of Kafka topics to create and expose through the REST proxy API
+ topics:
 resources:
 requests:
diff --git a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml
index 6b43ffa569..3ceb1e8eb1 100644
--- a/services/sasquatch/charts/strimzi-kafka/templates/users.yaml
+++ b/services/sasquatch/charts/strimzi-kafka/templates/users.yaml
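Review bot: The rest-proxy `KafkaUser` recreated here no longer carries the `lsst.dm` prefix ACL that the definition removed from strimzi-kafka/templates/users.yaml had, so the proxy's topic access is now exactly the `kafka.topics` list; only values-idfdev.yaml sets that list in this commit, so other environments' REST proxies appear to lose access to `lsst.dm.*` topics unless they set it too. If that narrowing is intended, a comment on the `range` block saying that `kafka.topics` is the proxy's complete allow-list would make it explicit. The group ACL (`type: group`, `name: "*"`, `operation: All`) still grants full control of every consumer group; a `patternType: prefix` entry on a group name owned by the proxy would be narrower, and writing `type: allow` and `host: "*"` on it would match the topic entries.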
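Review bot: `topics:` is added as a bare key, which YAML loads as `null` (helm-docs reports it as `nil` in the regenerated README), while the templates `range` over it as a list; write `topics: []` so the default has the type the templates expect and the generated docs show an empty list. The enclosing `kafka:` mapping continues outside the hunk.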
@@ -155,43 +155,6 @@ spec:
 ---
 apiVersion: kafka.strimzi.io/v1beta2
 kind: KafkaUser
-metadata:
- name: rest-proxy
- labels:
- strimzi.io/cluster: {{ .Values.cluster.name }}
-spec:
- authentication:
- type: scram-sha-512
- password:
- valueFrom:
- secretKeyRef:
- name: sasquatch
- key: rest-proxy-password
- authorization:
- type: simple
- acls:
- - resource:
- type: group
- name: "*"
- patternType: literal
- operation: All
- - resource:
- type: topic
- name: "lsst.dm"
- patternType: prefix
- type: allow
- host: "*"
- operation: All
- - resource:
- type: topic
- name: "test.next-visit"
- patternType: literal
- type: allow
- host: "*"
- operation: All
----
-apiVersion: kafka.strimzi.io/v1beta2
-kind: KafkaUser
 metadata:
 name: prompt-processing
 labels:
diff --git a/services/sasquatch/values-idfdev.yaml b/services/sasquatch/values-idfdev.yaml
index 9ffce2cb52..a104dc5298 100644
--- a/services/sasquatch/values-idfdev.yaml
+++ b/services/sasquatch/values-idfdev.yaml
@@ -48,6 +48,10 @@ rest-proxy:
 ingress:
 enabled: true
 hostname: data-dev.lsst.cloud
+ kafka:
+ topics:
+ - lsst.dm.sky-flux-visit-statistic-metric
+ - test.next-visit
 chronograf:
 ingress:
From 6c59f94491cee98e6c5ff48ed318fe57a093c3e0 Mon Sep 17 00:00:00 2001
From: Angelo Fausti
Date: Fri, 27 Jan 2023 11:58:17 -0700
Subject: [PATCH 1471/1479] Update helm-docs
---
 services/sasquatch/charts/rest-proxy/README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/services/sasquatch/charts/rest-proxy/README.md b/services/sasquatch/charts/rest-proxy/README.md
index eb69b30296..757f30220b 100644
--- a/services/sasquatch/charts/rest-proxy/README.md
+++ b/services/sasquatch/charts/rest-proxy/README.md
@@ -22,6 +22,8 @@ A subchart to deploy Confluent REST proxy for Sasquatch. | ingress.hostname | string | `""` | Ingress hostname. | | ingress.path | string | `"/sasquatch-rest-proxy(/|$)(.*)"` | Ingress path. | | kafka.bootstrapServers | string | `"SASL_PLAINTEXT://sasquatch-kafka-bootstrap.sasquatch:9092"` | Kafka bootstrap servers, use the internal listerner on port 9092 wit SASL connection. | +| kafka.cluster.name | string | `"sasquatch"` | Name of the Strimzi Kafka cluster. | +| kafka.topics | string | `nil` | List of Kafka topics to create and expose through the REST proxy API | | nodeSelector | object | `{}` | Node selector configuration. | | podAnnotations | object | `{}` | Pod annotations. | | replicaCount | int | `1` | Number of Kafka REST proxy pods to run in the deployment. | From fb22b4e95f366b50108a6a1fc01242d35a563d37 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 26 Jan 2023 16:30:47 -0800 Subject: [PATCH 1472/1479] Convert to 1Password Connect API Rather than using third-party onepassword Python API, which is not pip-installable and doesn't work on all platforms, use the 1Password Connect API against the new server that we're installing on Roundtable. --- docs/developers/add-a-onepassword-secret.rst | 7 +- installer/generate_secrets.py | 72 ++++++++------------ installer/requirements.txt | 2 +- installer/update_secrets.sh | 8 ++- installer/vault_key.py | 13 ++-- 5 files changed, 50 insertions(+), 52 deletions(-) diff --git a/docs/developers/add-a-onepassword-secret.rst b/docs/developers/add-a-onepassword-secret.rst index 6981c6ae96..d0b69900e9 100644 --- a/docs/developers/add-a-onepassword-secret.rst +++ b/docs/developers/add-a-onepassword-secret.rst 
@@ -14,8 +14,8 @@ This page provides steps for adding an application secret through 1Password. .. note:: - This document only covers creating a 1Password-backed Secret for the first time for an application. - If you want to update a Secret, either by adding new 1Password secrets or by changing their secret values, you should follow the instructions in :doc:`/developers/update-a-onepassword-secret`. + This document only covers creating a 1Password-backed secret for the first time for an application. + If you want to update a secret, either by adding new 1Password secrets or by changing their secret values, you should follow the instructions in :doc:`/developers/update-a-onepassword-secret`. Part 1. Open the 1Password vault ================================ @@ -62,6 +62,9 @@ Part 3. Sync 1Password items into Vault Once an application's secrets are stored in 1Password, you need to sync them into Vault. +First, set the ``OP_CONNECT_TOKEN`` environment variable to the access token for the SQuaRE 1Password Connect service. +This is stored in the SQuaRE 1Password vault under the item named ``SQuaRE Integration Access Token: Argo``. + Open Phalanx's ``installer/`` directory: .. code-block:: sh diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 464cfec712..1412b47b3c 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py @@ -14,7 +14,7 @@ from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa -from onepassword import OnePassword +from onepasswordconnectsdk.client import new_client_from_environment class SecretGenerator: @@ -398,7 +398,7 @@ class OnePasswordSecretGenerator(SecretGenerator): def __init__(self, environment, regenerate): super().__init__(environment, regenerate) self.op_secrets = {} - self.op = OnePassword() + self.op = new_client_from_environment() self.parse_vault() def parse_vault(self): 
@@ -408,60 +408,44 @@ def parse_vault(self): This method is called automatically when initializing a `OnePasswordSecretGenerator`. """ - items = self.op.list_items("RSP-Vault") + vault = self.op.get_vault_by_title("RSP-Vault") + items = self.op.get_items(vault.id) - for i in items: + for item_summary in items: key = None + secret_notes = None + secret_password = None environments = [] - uuid = i["uuid"] - doc = self.op.get_item(uuid=uuid) - - logging.debug(f"Looking at {uuid}") - logging.debug(f"{doc}") - - for section in doc["details"]["sections"]: - if "fields" not in section: - continue - - for field in section["fields"]: - if field["t"] == "generate_secrets_key": - if key is None: - key = field["v"] - else: - raise Exception( - "Found two generate_secrets_keys for {key}" - ) - elif field["t"] == "environment": - environments.append(field["v"]) - - # If we don't find a generate_secrets_key somewhere, then we - # shouldn't bother with this document in the vault. - if not key: - logging.debug( - "Skipping because of no generate_secrets_key, %s", uuid - ) - continue + item = self.op.get_item(item_summary.id, vault.id) + + logging.debug(f"Looking at {item.id}") - # The type of secret is either a note or a password login. - # First, check the notes. - secret_value = doc["details"]["notesPlain"] + for field in item.fields: + if field.label == "generate_secrets_key": + if key is None: + key = field.value + else: + msg = "Found two generate_secrets_keys for {key}" + raise Exception(msg) + elif field.label == "environment": + environments.append(field.value) + elif field.label == "notesPlain": + secret_notes = field.value + elif field.purpose == "PASSWORD": + secret_password = field.value - # If we don't find anything, pull the password from a login item. 
- if not secret_value: - for f in doc["details"]["fields"]: - if f["designation"] == "password": - secret_value = f["value"] + secret_value = secret_notes or secret_password - logging.debug("Environments are %s for %s", environments, uuid) + logging.debug("Environments are %s for %s", environments, item.id) if self.environment in environments: self.op_secrets[key] = secret_value - logging.debug("Storing %s (matching environment)", uuid) + logging.debug("Storing %s (matching environment)", item.id) elif not environments and key not in self.op_secrets: self.op_secrets[key] = secret_value - logging.debug("Storing %s (applicable to all envs)", uuid) + logging.debug("Storing %s (applicable to all envs)", item.id) else: - logging.debug("Ignoring %s", uuid) + logging.debug("Ignoring %s", item.id) def input_field(self, component, name, description): """Query for a secret's value from 1Password (`op_secrets` attribute). diff --git a/installer/requirements.txt b/installer/requirements.txt index b1e85a2719..73e8efa191 100644 --- a/installer/requirements.txt +++ b/installer/requirements.txt @@ -1,5 +1,5 @@ bcrypt cryptography +onepasswordconnectsdk pyyaml yq -1password diff --git a/installer/update_secrets.sh b/installer/update_secrets.sh index d55d051e2f..4c30c4b570 100755 --- a/installer/update_secrets.sh +++ b/installer/update_secrets.sh @@ -4,6 +4,12 @@ ENVIRONMENT=$1 export VAULT_DOC_UUID=`yq -r .onepassword_uuid ../science-platform/values.yaml` export VAULT_ADDR=https://vault.lsst.codes export VAULT_TOKEN=`./vault_key.py $ENVIRONMENT write` +export OP_CONNECT_HOST=https://roundtable.lsst.codes/1password + +if [ -z "$OP_CONNECT_TOKEN" ]; then + echo 'OP_CONNECT_TOKEN must be set to a 1Password Connect token' >&2 + exit 1 +fi echo "Clear out any existing secrets" rm -rf secrets 
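Review bot: The duplicate-key error in the new `field.label == "generate_secrets_key"` branch builds `msg` from a plain string, so `{key}` is never interpolated and the exception reads literally `Found two generate_secrets_keys for {key}`; the fix is `msg = f"Found two generate_secrets_keys for {key}"`. The removed code had the same defect, so it is carried over rather than introduced, but the rewrite is the moment to correct it. The old explanatory comment about trying the note before the login password was dropped; a one-line comment above `secret_value = secret_notes or secret_password` stating that a non-empty `notesPlain` field deliberately takes precedence over the item's password would keep that intent visible. parse_vault's signature and the tail of its trailing context (`input_field`) lie outside this hunk.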
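Review bot: `onepasswordconnectsdk` is added with no version constraint, and this installer reads every item in the secrets vault and pushes the values into Vault, so an unpinned pull from PyPI is a supply-chain exposure out of proportion to the convenience. Consider at least an exact pin to the version you tested against (`onepasswordconnectsdk==<tested version>`), and ideally hash-pinned requirements for the whole installer. The existing entries are unpinned as well, so this is a pre-existing pattern rather than something this commit introduces.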
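Review bot: The new `export OP_CONNECT_HOST=…` line and the `if [ -z "$OP_CONNECT_TOKEN" ]` guard are placed after the `VAULT_TOKEN` export that runs `./vault_key.py`, but in this same commit vault_key.py now calls `new_client_from_environment()`, which presumably reads exactly those two variables — so vault_key.py executes before the host is set and before the friendly missing-token check can fire. Move both new stanzas above the `VAULT_TOKEN` line. Note also that `export VAR=\`cmd\`` masks the command's exit status, so a vault_key.py failure leaves `VAULT_TOKEN` empty and the script proceeds to `rm -rf secrets` and the later Vault writes; `VAULT_TOKEN=$(./vault_key.py "$ENVIRONMENT" write) || exit 1` followed by `export VAULT_TOKEN` would surface the failure.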
@@ -11,7 +17,7 @@ rm -rf secrets echo "Reading current secrets from vault" ./read_secrets.sh $ENVIRONMENT -echo "Generating missing secrets with values from onepassword" +echo "Generating missing secrets with values from 1Password" ./generate_secrets.py $ENVIRONMENT --op echo "Writing secrets to vault" diff --git a/installer/vault_key.py b/installer/vault_key.py index f90e4933e8..f7f47b4bad 100755 --- a/installer/vault_key.py +++ b/installer/vault_key.py @@ -3,14 +3,19 @@ import json import os -from onepassword import OnePassword +from onepasswordconnectsdk import new_client_from_environment class VaultKeyRetriever: def __init__(self): - self.op = OnePassword() - vault_keys_doc = self.op.get_item(uuid=os.environ["VAULT_DOC_UUID"]) - vault_keys_json = vault_keys_doc["details"]["notesPlain"] + self.op = new_client_from_environment() + vault_keys = self.op.get_item( + os.environ["VAULT_DOC_UUID"], "RSP-Vault" + ) + for field in vault_keys.fields: + if field.label == "notesPlain": + vault_keys_json = field.value + break self.vault_keys = json.loads(vault_keys_json) def retrieve_key(self, environment, key_type): From fb5a995704e41110ba0d448554fb6a96408da056 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 27 Jan 2023 11:29:05 -0800 Subject: [PATCH 1473/1479] Improve bootstrapping documentation for secrets There's no longer any need to omit the 1Password dependency for the installer since we use the first-party SDK that's always pip-installable and will do no harm. Mention that updating secrets also requires a 1Password access token if you're using 1Password as a secret store. --- docs/admin/bootstrapping.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/admin/bootstrapping.rst b/docs/admin/bootstrapping.rst index 1ec89a5414..51ee579c2c 100644 --- a/docs/admin/bootstrapping.rst +++ b/docs/admin/bootstrapping.rst 
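Review bot: In `VaultKeyRetriever.__init__`, `vault_keys_json` is only bound inside the loop when a field labelled `notesPlain` is found, so an item without one makes `json.loads(vault_keys_json)` on the next line fail with `UnboundLocalError` instead of a message saying what is wrong; initialise it before the loop with `vault_keys_json = None`, then after the loop add `if vault_keys_json is None:` / `raise RuntimeError("VAULT_DOC_UUID item has no notesPlain field")`. The vault argument is also inconsistent with generate_secrets.py in the same commit, which resolves `get_vault_by_title("RSP-Vault")` and passes `vault.id` to `get_item`, whereas here the literal title `"RSP-Vault"` is passed; if the SDK's `get_item` expects a vault ID this call fails, and either way the two callers should use the same lookup. The import path differs as well (`from onepasswordconnectsdk import …` here versus `from onepasswordconnectsdk.client import …` there), which is worth unifying.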
@@ -25,7 +25,6 @@ Checklist #. Fork the `Phalanx repository`_ if this work is separate from the SQuaRE-managed environments. #. Create a virtual environment with the tools you will need from the installer's `requirements.txt `__. - If you are not using 1Password as your source of truth (which, if you are not in a SQuaRE-managed environment, you probably are not) then you may omit ``1password``. #. Create a new ``values-.yaml`` file in `/science-platform `__. Start with a template copied from an existing environment that's similar to the new environment. @@ -58,6 +57,8 @@ Checklist #. Generate the secrets for the new environment and store them in Vault with `/installer/update_secrets.sh `__. You will need the write key for the Vault enclave you are using for this environment. + If you are using 1Password as a source of secrets, you will also need the access token for the 1Password Connect server. + (For SQuaRE-managed deployments, this is in the ``SQuaRE Integration Access Token: Argo`` 1Password item in the SQuaRE vault.) #. Run the installer script at `/installer/install.sh `__. Debug any problems. From f0356c1711281203235690de434c4a5f625d7fc6 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 27 Jan 2023 15:33:09 -0800 Subject: [PATCH 1474/1479] Fix some secret generation bugs Ignore 1Password items with no generate_secrets_key field, since there are several that are used for other purposes. Warn about items with a generate_secrets_key but no value. --- installer/generate_secrets.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/installer/generate_secrets.py b/installer/generate_secrets.py index 1412b47b3c..9ce0360385 100755 --- a/installer/generate_secrets.py +++ b/installer/generate_secrets.py 
@@ -434,8 +434,15 @@ def parse_vault(self): elif field.purpose == "PASSWORD": secret_password = field.value + if not key: + continue + secret_value = secret_notes or secret_password + if not secret_value: + logging.error("No value found for %s", item.title) + continue + logging.debug("Environments are %s for %s", environments, item.id) if self.environment in environments: From 2f67ad46ab81985fa6661daf9c78b37e02dab394 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 30 Jan 2023 02:49:34 +0000 Subject: [PATCH 1475/1479] Update Helm release argo-cd to v5.19.12 --- services/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/argocd/Chart.yaml b/services/argocd/Chart.yaml index ab4cb13e5f..99dfa8454d 100644 --- a/services/argocd/Chart.yaml +++ b/services/argocd/Chart.yaml @@ -8,5 +8,5 @@ sources: - https://github.com/argoproj/argo-helm dependencies: - name: argo-cd - version: 5.16.14 + version: 5.19.12 repository: https://argoproj.github.io/argo-helm From 5d4c9230c5ed8b281c6ce8d687105e10ec8e35fb Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 30 Jan 2023 08:13:21 -0800 Subject: [PATCH 1476/1479] Update pre-commit hook versions --- .pre-commit-config.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 01fd1a447e..8452563f31 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,12 +1,12 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.4.0 hooks: - id: trailing-whitespace - id: check-toml - repo: https://github.com/adrienverge/yamllint.git - rev: v1.27.1 + rev: v1.29.0 hooks: - id: yamllint args: 
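Review bot: An item that carries a `generate_secrets_key` but no value is now reported with `logging.error` and skipped, yet the run continues and update_secrets.sh goes on to write secrets to Vault, so the error can scroll past while an environment-specific entry is silently replaced by the all-environments fallback (the key is no longer stored, so the `key not in self.op_secrets` branch accepts the other item). Since the duplicate-key case just above already raises, the empty-value case should be fatal too, e.g. `raise Exception(f"No value found for {item.title}")`, or collected and turned into a non-zero exit after the loop. The `if not key: continue` skip is reasonable but deserves a one-line comment such as `# Items without a generate_secrets_key serve other purposes; ignore them.`; parse_vault's start and end lie outside this hunk.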
@@ -22,24 +22,24 @@ repos: - "--template-files=./helm-docs.md.gotmpl" - repo: https://github.com/PyCQA/isort - rev: 5.10.1 + rev: 5.12.0 hooks: - id: isort additional_dependencies: - toml - repo: https://github.com/psf/black - rev: 22.6.0 + rev: 23.1a1 hooks: - id: black - repo: https://github.com/asottile/blacken-docs - rev: v1.12.1 + rev: 1.13.0 hooks: - id: blacken-docs - additional_dependencies: [black==22.3.0] + additional_dependencies: [black==23.1a1] - repo: https://github.com/PyCQA/flake8 - rev: 5.0.4 + rev: 6.0.0 hooks: - id: flake8 From 67544c3ac4829bcdd28a95f766a950f1e28118f5 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 30 Jan 2023 16:40:48 +0000 Subject: [PATCH 1477/1479] Update Helm release cert-manager to v1.11.0 --- services/cert-manager/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/cert-manager/Chart.yaml b/services/cert-manager/Chart.yaml index a9d778c149..cc4e84074c 100644 --- a/services/cert-manager/Chart.yaml +++ b/services/cert-manager/Chart.yaml @@ -7,5 +7,5 @@ sources: - https://github.com/cert-manager/cert-manager dependencies: - name: cert-manager - version: v1.10.1 + version: v1.11.0 repository: https://charts.jetstack.io From 4d5bc9432c80e38dafd7d4984f44477c49a4c73d Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Fri, 27 Jan 2023 10:39:02 -0700 Subject: [PATCH 1478/1479] TTS: cachemachine updates for cycle 29. --- services/cachemachine/values-tucson-teststand.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/cachemachine/values-tucson-teststand.yaml b/services/cachemachine/values-tucson-teststand.yaml index 3e5b2797b5..e53cdba1fa 100644 --- a/services/cachemachine/values-tucson-teststand.yaml +++ b/services/cachemachine/values-tucson-teststand.yaml 
@@ -8,11 +8,11 @@ autostart: "type": "RubinRepoMan", "registry_url": "ts-dockerhub.lsst.org", "repo": "sal-sciplat-lab", - "recommended_tag": "recommended_c0028", + "recommended_tag": "recommended_c0029", "num_releases": 1, "num_weeklies": 3, "num_dailies": 2, - "cycle": 28, + "cycle": 29, "alias_tags": [ "latest", "latest_daily", From 5942d29ab43c0b7c51819c53096f68fc7e8874a4 Mon Sep 17 00:00:00 2001 From: Michael Reuter Date: Fri, 27 Jan 2023 10:45:57 -0700 Subject: [PATCH 1479/1479] TTS: sasquatch kafka consumer and connector updates for cycle 29. --- .../sasquatch/values-tucson-teststand.yaml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/services/sasquatch/values-tucson-teststand.yaml b/services/sasquatch/values-tucson-teststand.yaml index 8b5ac1357a..a3c3bf6717 100644 --- a/services/sasquatch/values-tucson-teststand.yaml +++ b/services/sasquatch/values-tucson-teststand.yaml @@ -43,15 +43,15 @@ telegraf-kafka-consumer: comcam: enabled: true topicRegexps: | - [ ".*CCArchiver", ".*CCCamera", ".*CCHeaderService", ".*CCOODS" ] + [ ".*CCCamera", ".*CCHeaderService", ".*CCOODS" ] eas: enabled: true topicRegexps: | - [ ".*DIMM", ".*DSM", ".*WeatherStation" ] + [ ".*DIMM", ".*DSM", ".*WeatherForecast", ".*WeatherStation" ] latiss: enabled: true topicRegexps: | - [ ".*ATArchiver", ".*ATCamera", ".*ATHeaderService", ".*ATOODS", ".*ATSpectrograph" ] + [ ".*ATCamera", ".*ATHeaderService", ".*ATOODS", ".*ATSpectrograph" ] m1m3: enabled: true flush_interval: "0.1s" @@ -86,10 +86,10 @@ telegraf-kafka-consumer: enabled: true topicRegexps: | [ ".*Authorize" ] - mtalignment: + lasertracker: enabled: true topicRegexps: | - [ ".*MTAlignment" ] + [ ".*LaserTracker" ] test: enabled: true topicRegexps: | 
@@ -115,13 +115,13 @@ kafka-connect-manager: topicsRegex: ".*MTMount" comcam: enabled: true - topicsRegex: ".*CCArchiver|.*CCCamera|.*CCHeaderService|.*CCOODS" + topicsRegex: ".*CCCamera|.*CCHeaderService|.*CCOODS" eas: enabled: true - topicsRegex: ".*DIMM|.*DSM|.*WeatherStation" + topicsRegex: ".*DIMM|.*DSM|.*WeatherForecast|.*WeatherStation" latiss: enabled: true - topicsRegex: ".*ATArchiver|.*ATCamera|.*ATHeaderService|.*ATOODS|.*ATSpectrograph" + topicsRegex: ".*ATCamera|.*ATHeaderService|.*ATOODS|.*ATSpectrograph" m1m3: enabled: true topicsRegex: ".*MTM1M3" @@ -149,9 +149,9 @@ kafka-connect-manager: authorize: enabled: true topicsRegex: ".*Authorize" - mtalignment: + lasertracker: enabled: true - topicsRegex: ".*MTAlignment" + topicsRegex: ".*LaserTracker" genericcamera: enabled: true topicsRegex: ".*GCHeaderService|.*GenericCamera"