Support s3 data downloads and setup ingress #48
This allows the service to generate presigned urls for data downloads
04017e9 to 9b24da2
| port: | ||
| number: 8000 | ||
| # TODO: this will need some re-thinking based on how we deal with | ||
| # https://github.com/QGreenland-Net/ogdc-helm/issues/46. |
Currently we point to the minio service, but the ceph-based s3 storage we would be migrating to as part of #46 will need to be handled differently.
| resourceName: ingress-nginx-controller | ||
| namespace: ingress-nginx | ||
| port: 80 | ||
| localPort: 7777 |
For local development, I exposed on port 7777 just because I couldn't seem to point to 80. For TLS (below), I exposed on port 7443.
9b24da2 to 4d2a5c2
Instead, we manage ingress with the ingress resource directly. And we no longer expose argo workflows via ingress.
4d2a5c2 to ed937e4
helm/templates/deployment.yaml
Outdated
| - name: "INTERNAL_S3_ENDPOINT_URL" | ||
| value: "{{ .Values.ogdc_s3_endpoint }}" | ||
| - name: "PUBLIC_S3_ENDPOINT_URL" | ||
| value: "https://{{ .Values.ogdc_public_host }}/ogdc/storage" |
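Review bot: PUBLIC_S3_ENDPOINT_URL hard-codes both the https:// scheme and the /ogdc/storage path in the template, so the value goes stale without warning if the ingress path changes, and it renders as https:///ogdc/storage when ogdc_public_host is unset. Consider guarding the lookup with Helm's required function, e.g. {{ required "ogdc_public_host must be set" .Values.ogdc_public_host }}, and taking the path from a single value shared with the ingress rule.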
The two envvars above, INTERNAL_S3_ENDPOINT_URL and PUBLIC_S3_ENDPOINT_URL are separated because:
- INTERNAL_S3_ENDPOINT_URL is something like http://qgnet-ogdc-minio:9000. We use the k8s service name for the minio instance as the address to communicate over the internal network our stack is running on.
- PUBLIC_S3_ENDPOINT_URL is the publicly-accessible endpoint that data will be served from. It'll look something like https://api.dataone.org/ogdc/storage in production.
Behind the scenes, our service is using the INTERNAL_S3_ENDPOINT_URL to communicate with the s3 backend and generate signed URLs. When the service returns the signed URL, it replaces the internal URL with the public one.
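Added example (not code from this PR or from ogdc-runner): a stdlib-only SigV4 presign showing that the signature covers the Host header and the path, so a URL signed against the internal endpoint and then rewritten to the public one validates only if the proxy hands the backend the internal host and the un-prefixed path. This goes slightly beyond the comment above; the credentials, timestamp, bucket, object key and all function names are constructed for illustration.

```python
import hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed credentials and timestamp; the two endpoints are the page's examples.
ACCESS_KEY, SECRET_KEY = "EXAMPLEKEY", "example-secret"
REGION, DATE, STAMP = "us-east-1", "20250101", "20250101T000000Z"
INTERNAL = "http://qgnet-ogdc-minio:9000"
PUBLIC = "https://api.dataone.org/ogdc/storage"
SCOPE = f"{DATE}/{REGION}/s3/aws4_request"

def signature(host, path, query):
    """SigV4 signature of a presigned GET; host and path are signed input."""
    cq = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query))
    creq = "\n".join(["GET", quote(path), cq, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", STAMP, SCOPE,
                         hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + SECRET_KEY).encode()
    for part in (DATE, REGION, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign(endpoint, path, expires=3600):
    """Presign against `endpoint`, as the service does with the internal URL."""
    query = [("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
             ("X-Amz-Credential", f"{ACCESS_KEY}/{SCOPE}"),
             ("X-Amz-Date", STAMP), ("X-Amz-Expires", str(expires)),
             ("X-Amz-SignedHeaders", "host")]
    sig = signature(urlsplit(endpoint).netloc, path, query)
    qs = "&".join(f"{k}={quote(v, safe='')}" for k, v in query)
    return f"{endpoint}{path}?{qs}&X-Amz-Signature={sig}"

def to_public(url):
    # The rewrite described above: swap the internal prefix for the public one.
    return url.replace(INTERNAL, PUBLIC, 1)

def backend_accepts(host_header, path, raw_query):
    """Recompute the signature from the request as received (expiry check omitted)."""
    params = parse_qsl(raw_query)
    sent = dict(params)["X-Amz-Signature"]
    query = [(k, v) for k, v in params if k != "X-Amz-Signature"]
    return hmac.compare_digest(sent, signature(host_header, path, query))

def demo():
    key, pub = "/example-bucket/data.zip", None
    pub = urlsplit(to_public(presign(INTERNAL, key)))
    return {"forwarded unchanged": backend_accepts(pub.netloc, pub.path, pub.query),
            "prefix stripped only": backend_accepts(pub.netloc, key, pub.query),
            "prefix stripped, Host restored": backend_accepts("qgnet-ogdc-minio:9000", key, pub.query)}
```

With ingress-nginx the passing case corresponds to a path rewrite plus an upstream Host override (the `rewrite-target` and `upstream-vhost` annotations); whether this chart sets them is not shown on the page.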
| - api.test.dataone.org | ||
| - localhost | ||
| secretName: "ingress-nginx-tls-cert" | ||
| ingressClassName: "nginx" |
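Review bot: The TLS hosts list in this hunk names both api.test.dataone.org and localhost against the single secret ingress-nginx-tls-cert, so one certificate has to cover a public name and localhost. If this block is shared across environments, consider taking the host from ogdc_public_host so each environment lists only its own name and can use its own secret.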
I've set up ingress with the nginx ingress controller (README has directions on setting this up locally), since this is what ADC currently uses.
Note that ingress via nginx is being phased out in favor of the Gateway API. Support for nginx ingress is being dropped in March 2026. The ADC has an open issue to address this: DataONEorg/k8s-cluster#78
We can plan to revisit this later, once an established pattern for using the Gateway API has been developed.
Others are from secrets and not sure about adding to configmap.
|
|
||
| environment: "prod" | ||
|
|
||
| ogdc_public_host: "api.dataone.org" |
can we remove this from values file if we've moved the setup to configMap?
This gets injected into the configmap and differs based on env. In dev this value is the value `api.test.dataone.org` and in local it's `localhost:7443`. So I think keeping this here & configurable via values still makes sense, although if we wanted to we could add some logic to the configmap to inject the appropriate value based on environment.
This PR adds ingress configuration for the OGDC service API (<HOST>/ogdc/api) and the s3 compatible storage backend (<HOST>/ogdc/storage).
This PR also adds new envvars to the service deployment that are needed by QGreenland-Net/ogdc-runner#146 (e.g., s3 backend credentials).
Component of QGreenland-Net/ogdc-runner#110.
See also: QGreenland-Net/ogdc-runner#146