Merge pull request #150 from IQSS/149-upgrade-4.19

149 upgrade 4.19
gdcc · Jan 23, 2020 · 4f82681 · 4f82681
2 parents f61ad90 + 909c312
commit 4f82681
Show file tree

Hide file tree

Showing 24 changed files with 130 additions and 36 deletions.
diff --git a/README.rst b/README.rst
@@ -26,7 +26,7 @@ for details.
 
 
 
-.. |Dataverse badge| image:: https://img.shields.io/badge/Dataverse-v4.17-important.svg
+.. |Dataverse badge| image:: https://img.shields.io/badge/Dataverse-v4.18-important.svg
    :target: https://dataverse.org
 .. |Validation badge| image:: https://jenkins.dataverse.org/job/dataverse-k8s/job/Kubeval%20Linting/job/master/badge/icon?subject=kubeval&status=valid&color=purple
    :target: https://jenkins.dataverse.org/blue/organizations/jenkins/dataverse-k8s%2FKubeval%20Linting/activity?branch=master

diff --git a/dataverse b/dataverse
diff --git a/docker/dataverse-k8s/bin/bootstrap-job.sh b/docker/dataverse-k8s/bin/bootstrap-job.sh
@@ -59,7 +59,11 @@ curl -sS -X PUT -d "${SOLR_K8S_HOST}:8983" "${DATAVERSE_URL}/api/admin/settings/
 curl -sS -X PUT -d "${ADMIN_MAIL}" "${DATAVERSE_URL}/api/admin/settings/:SystemEmail"
 
 # 6.) Block access to the API endpoints, but allow for request with key from secret
-curl -sS -X DELETE "${DATAVERSE_URL}/api/admin/settings/BuiltinUsers.KEY"
+if [ -s "${SECRETS_DIR}/api/userskey" ]; then
+  curl -sS -X PUT -d "`cat ${SECRETS_DIR}/api/userskey`" "${DATAVERSE_URL}/api/admin/settings/BuiltinUsers.KEY"
+else
+  curl -sS -X DELETE "${DATAVERSE_URL}/api/admin/settings/BuiltinUsers.KEY"
+fi
 curl -sS -X PUT -d "`cat ${SECRETS_DIR}/api/key`" "${DATAVERSE_URL}/api/admin/settings/:BlockedApiKey"
 curl -sS -X PUT -d unblock-key "${DATAVERSE_URL}/api/admin/settings/:BlockedApiPolicy"
 curl -sS -X PUT -d admin,test "${DATAVERSE_URL}/api/admin/settings/:BlockedApiEndpoints"
diff --git a/docker/dataverse-k8s/glassfish/Dockerfile b/docker/dataverse-k8s/glassfish/Dockerfile
@@ -9,7 +9,8 @@ FROM centos:7
 LABEL maintainer="FDM FZJ <forschungsdaten@fz-juelich.de>"
 
 ARG TINI_VERSION=v0.18.0
-ARG VERSION=4.17
+ARG JMX_EXPORTER_VERSION=0.12.0
+ARG VERSION=4.18
 ARG DOMAIN=domain1
 
 ENV HOME_DIR=/opt/dataverse\
@@ -19,14 +20,15 @@ ENV HOME_DIR=/opt/dataverse\
     DATA_DIR=/data\
     DOCROOT_DIR=/docroot\
     METADATA_DIR=/metadata\
-    SECRETS_DIR=/opt/dataverse/secrets\
+    SECRETS_DIR=/secrets\
     GLASSFISH_PKG=http://download.java.net/glassfish/4.1/release/glassfish-4.1.zip\
     GLASSFISH_SHA1=704a90899ec5e3b5007d310b13a6001575827293\
     WELD_PKG=https://repo1.maven.org/maven2/org/jboss/weld/weld-osgi-bundle/2.2.10.SP1/weld-osgi-bundle-2.2.10.SP1-glassfish4.jar\
     GRIZZLY_PKG=http://guides.dataverse.org/en/latest/_downloads/glassfish-grizzly-extra-all.jar\
     PGDRIVER_PKG=https://jdbc.postgresql.org/download/postgresql-42.2.5.jar\
     DATAVERSE_VERSION=${VERSION}\
-    DATAVERSE_PKG=https://github.com/IQSS/dataverse/releases/download/v${VERSION}/dvinstall.zip
+    DATAVERSE_PKG=https://github.com/IQSS/dataverse/releases/download/v${VERSION}/dvinstall.zip\
+    JMX_EXPORTER_PKG=https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/${JMX_EXPORTER_VERSION}/jmx_prometheus_javaagent-${JMX_EXPORTER_VERSION}.jar
 ENV PATH="${PATH}:${GLASSFISH_DIR}/bin"
 
 # Install prerequisites
@@ -92,6 +94,10 @@ RUN ${GLASSFISH_DIR}/bin/asadmin start-domain && \
 RUN wget --no-verbose -O postgresql.jar ${PGDRIVER_PKG} && \
     mv postgresql.jar ${GLASSFISH_DIR}/glassfish/lib
 
+# Get Prometheus JMX Exporter Java Agent (see https://github.com/prometheus/jmx_exporter)
+RUN wget --no-verbose -O ${HOME}/jmx_exporter_agent.jar ${JMX_EXPORTER_PKG} && \
+    echo -e "---\n{}" > ${HOME}/jmx_exporter_config.yaml
+
 # Retrieve the Dataverse install package, extract and remove ZIP,
 #   remove Harvard custom metadatablocks
 RUN wget --no-verbose -O dvinstall.zip ${DATAVERSE_PKG} && \

diff --git a/docker/dataverse-k8s/glassfish/bin/default.config b/docker/dataverse-k8s/glassfish/bin/default.config
@@ -10,6 +10,9 @@ CONTACT_MAIL=${CONTACT_MAIL:-"dataverse-k8s-contact@mailinator.com"}
 ADMIN_MAIL=${ADMIN_MAIL:-"Dataverse on K8S <dataverse-k8s-admin@mailinator.com>"}
 ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin1}
 MAX_RAM_PERCENTAGE=${MAX_RAM_PERCENTAGE:-25}
+ENABLE_JMX_EXPORT=${ENABLE_JMX_EXPORT:-0}
+JMX_EXPORTER_PORT=${JMX_EXPORTER_PORT:-8081}
+JMX_EXPORTER_CONFIG=${JMX_EXPORTER_CONFIG:-"${HOME}/jmx_exporter_config.yaml"}
 
 # System properties based Dataverse configuration options
 # (Exporting needed as they cannot be seen by `env` otherwise)

diff --git a/docker/dataverse-k8s/glassfish/bin/init_1_conf_glassfish.sh b/docker/dataverse-k8s/glassfish/bin/init_1_conf_glassfish.sh
@@ -97,6 +97,12 @@ asadmin set server-config.network-config.protocols.protocol.http-listener-1.http
 asadmin create-jvm-options "\-Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl"
 # Set Max Heap Space (see also https://www.eclipse.org/openj9/docs/xxinitialrampercentage)
 asadmin create-jvm-options "\-XX\:MaxRAMPercentage=${MAX_RAM_PERCENTAGE%.*}.00"
+# If configured, enable Prometheus JMX agent
+# 3. Enable JDWP (debugger)
+if [ "x${ENABLE_JMX_EXPORT}" = "x1" ]; then
+  echo "Enabling Prometheus JMX Exporter Java Agent on port ${JMX_EXPORTER_PORT} and config at ${JMX_EXPORTER_CONFIG}."
+  asadmin create-jvm-options "\-javaagent\:${HOME}/jmx_exporter_agent.jar=${JMX_EXPORTER_PORT}\:${JMX_EXPORTER_CONFIG}"
+fi
 
 # 3. Domain based configuration options
 # Set Dataverse environment variables

diff --git a/docker/solr-k8s/Dockerfile b/docker/solr-k8s/Dockerfile
@@ -10,7 +10,7 @@ LABEL maintainer="FDM FZJ <forschungsdaten@fz-juelich.de>"
 
 ARG WEBHOOK_VERSION=2.6.11
 ARG TINI_VERSION=v0.18.0
-ARG VERSION=4.17
+ARG VERSION=4.18
 ARG COLLECTION=collection1
 ENV SOLR_OPTS="-Dsolr.jetty.request.header.size=102400"\
     COLLECTION_DIR=/opt/solr/server/solr/${COLLECTION}\

diff --git a/docs/conf.py b/docs/conf.py
@@ -25,7 +25,7 @@
 author = u'Oliver Bertuch'
 
 # The short X.Y version
-version = u'4.17'
+version = u'4.18'
 # The full version, including alpha/beta/rc tags
 release = version
 

diff --git a/docs/day1/secrets.rst b/docs/day1/secrets.rst
@@ -82,7 +82,7 @@ username, password and database name for the Dataverse PostgreSQL service:
                       optional: true
               volumeMounts:
                 - name: db-secret
-                  mountPath: "/opt/dataverse/secrets/db"
+                  mountPath: "/secrets/db"
                   readOnly: true
           volumes:
             - name: db-secret
@@ -131,6 +131,34 @@ variable `ADMIN_PASSWORD`.
    2. This is a bootstrap-time-only option. You cannot reset your password this way.
 
 
+Example: Builtin Users API Key
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+By default, your installation is secured to not allow other builtin users next
+to ``dataverseAdmin``. If you need or want to change this, you can provision a
+secret value to the ``BuiltinUsers.KEY`` setting when bootstrapping.
+
+As this is an extension to the API, you need to extend your API secret as
+shown below.
+
+.. code-block:: yaml
+
+   kind: Secret
+   # ...
+   metadata:
+     name: dataverse-api
+     # ...
+   stringData:
+     key: your-super-secret-unblock-key
+     userskey: your-even-more-secure-BuiltinUsers.KEY-value
+
+During bootstrap, the mounted secret at `${SECRETS_DIR}/api/userskey` is read
+and provisioned.
+
+.. note::
+
+  This is a bootstrap-time-only option. This cannot be set by configuration job
+  by design. You still could use a manual ``curl`` call.
 
 
 

diff --git a/docs/day2/examples/metadata-update-w-init.yaml b/docs/day2/examples/metadata-update-w-init.yaml
@@ -25,7 +25,7 @@ spec:
                 name: dataverse
           volumeMounts:
             - name: api-secret
-              mountPath: "/opt/dataverse/secrets/api"
+              mountPath: "/secrets/api"
               readOnly: true
             - name: custom-metadata
               mountPath: /metadata

diff --git a/docs/day2/index.rst b/docs/day2/index.rst
@@ -9,6 +9,7 @@ Day 2 - Operations
 
     ../day1/config
     ../day1/secrets
+    ./monitoring
     ./upgrade
     ./job-metadata
     ./job-index
diff --git a/docs/day2/monitoring.rst b/docs/day2/monitoring.rst
@@ -0,0 +1,44 @@
+==========
+Monitoring
+==========
+
+This section of the guide is about presenting some ideas how you could enable
+monitoring for your running Dataverse application. Some modern monitoring
+systems are supported, as always, on a community basis. Feel free to extend.
+
+Monitoring Dataverse application server
+---------------------------------------
+Easiest way forward is by using `Prometheus <https://prometheus.io>`_. The
+:doc:`/images/dataverse-k8s` ships with the
+`official JMX exporter <https://github.com/prometheus/jmx_exporter>`_, which
+allows you to monitor the complete JVM statistics as necessary.
+
+Enable JMX exports
+^^^^^^^^^^^^^^^^^^
+
+JMX exporter Java agent is included and started by the JVM when booting the
+container and enabled. To enable, modify your ``ConfigMap`` (see also
+:doc:`/day1/config`).
+
+.. code-block:: yaml
+
+  # ...
+  data:
+    ENABLE_JMX_EXPORT: "1"
+
+By default, the agent is reachable at port ``8081`` and uses the default ``{}``
+configuration as suggested by upstream. You can override the listening
+port via environment variable and configuration via mounting a file.
+
+.. code-block:: yaml
+
+  # ...
+  data:
+    ENABLE_JMX_EXPORT: "1"
+    JMX_EXPORTER_PORT: "12345"
+    JMX_EXPORTER_CONFIG: "/my/place/where/i/mounted/config.yaml"
+
+.. note::
+
+  You can put your config in some ``ConfigMap`` and mount  as a file.
+  Examples can be found on the internet, e. g. at https://carlos.mendible.com/2019/02/10/kubernetes-mount-file-pod-with-configmap
diff --git a/docs/get-started/index.rst b/docs/get-started/index.rst
@@ -75,7 +75,8 @@ If you never used Kubernetes, but want to deploy to production, you definitely
 should be reading some docs first. Some starting points:
 
 - https://kubernetes.io/docs/tutorials/kubernetes-basics/
-- https://ramitsurana.github.io/awesome-kubernetes/
+- https://ramitsurana.github.io/awesome-kubernetes
+- https://kubernetes-on-aws.readthedocs.io/en/latest/admin-guide/kubernetes-in-production.html
 
 | **4. Grab a cluster**
 

diff --git a/docs/images/build.rst b/docs/images/build.rst
@@ -19,8 +19,8 @@ Simple with Docker (or Podman) after cloning the project and accessing the sourc
 
 .. code-block:: shell
 
-  docker build -t iqss/dataverse-k8s:4.17 -f docker/dataverse-k8s/glassfish/Dockerfile .
-  docker build -t iqss/solr-k8s:4.17 docker/solr-k8s
+  docker build -t iqss/dataverse-k8s:4.18 -f docker/dataverse-k8s/glassfish/Dockerfile .
+  docker build -t iqss/solr-k8s:4.18 docker/solr-k8s
 
 
 *Please remember to change the tag above as appropriate. You should be*

diff --git a/docs/images/dataverse-k8s.md b/docs/images/dataverse-k8s.md
@@ -1,6 +1,6 @@
 # Image "dataverse-k8s"
 
-[![Upstream](https://img.shields.io/badge/Dataverse-v4.17-important.svg)](https://github.com/IQSS/dataverse/releases/v4.17)
+[![Upstream](https://img.shields.io/badge/Dataverse-v4.18-important.svg)](https://github.com/IQSS/dataverse/releases/v4.18)
 [![Hub](https://img.shields.io/static/v1.svg?label=image&message=dataverse-k8s&logo=docker)](https://hub.docker.com/r/iqss/dataverse-k8s)
 ![Pulls](https://img.shields.io/docker/pulls/iqss/dataverse-k8s)
 [![RTD](https://img.shields.io/readthedocs/dataverse-k8s)](https://dataverse-k8s.readthedocs.io)
@@ -17,11 +17,11 @@ like [Docker](https://docker.io) or [podman](https://podman.io).
 
 - `latest`: master branch based build ([`Dockerfile`](https://github.com/IQSS/dataverse-kubernetes/blob/master/docker/dataverse-k8s/glassfish/Dockerfile))
 - `build-cache`: a maven cache image to speedup dev builds, refreshed every night based on latest upstream `develop`. ([`Dockerfile`](https://github.com/IQSS/dataverse-kubernetes/blob/master/docker/dataverse-k8s/build-cache/Dockerfile), [`Jenkinsfile`](https://github.com/IQSS/dataverse-kubernetes/blob/master/docker/dataverse-k8s/build-cache/Jenkinsfile))
-- `4.17`, ..., `4.15.1`, ..., `4.11`: stable (tagged) releases
+- `4.18`, ..., `4.15.1`, ..., `4.11`: stable (tagged) releases
   - Using [upstream release schema](https://github.com/IQSS/dataverse/releases/) down to `4.11`.
   - See also [list on Docker Hub](https://hub.docker.com/r/iqss/dataverse-k8s/tags?page=1&ordering=last_updated&name=4.)
     for releases
-  - Last stable tag ([`Dockerfile`](https://github.com/IQSS/dataverse-kubernetes/blob/v4.17/docker/dataverse-k8s/glassfish/Dockerfile))
+  - Last stable tag ([`Dockerfile`](https://github.com/IQSS/dataverse-kubernetes/blob/v4.18/docker/dataverse-k8s/glassfish/Dockerfile))
 
 ## Quick reference
 
@@ -36,7 +36,7 @@ This image possesses a user `dataverse` with `uid=1000`. The application server
 is running as `dataverse`, **not** `root`. Please remember to grant write permission
 to this user on any volumes (except secrets) used for the below directories.
 
-- **/opt/dataverse/secrets** <br />
+- **/secrets** <br />
   Mount [secrets](#secrets-and-credentials) tree here. Also available as `$SECRETS_DIR`.
 
 - **/data** <br />
@@ -71,6 +71,7 @@ above) as a tree of directories and files:
 4. `api/key` - required because you want the *unblock-key* for anything serious.
 5. `s3/access-key` and `s3/secret-key` - needed when you want to use S3 storage. See docs on using S3.
 6. `admin/password` - optional, provision a password for the `dataverseAdmin` account. Defaults to `admin1`.
+7. `api/userskey` - optional, provision a `BuiltinUsers.KEY`, which is necessary to create builtin users via API. Defaults to not available.
 
 A [password alias](https://docs.oracle.com/cd/E19798-01/821-1751/ghgqc/index.html)
 is automatically created and used for those that are set via JVM options, no need

diff --git a/docs/images/solr-k8s.md b/docs/images/solr-k8s.md
@@ -1,6 +1,6 @@
 # Image "solr-k8s"
 
-[![Upstream](https://img.shields.io/badge/Dataverse-v4.17-important.svg)](https://github.com/IQSS/dataverse/releases/v4.17)
+[![Upstream](https://img.shields.io/badge/Dataverse-v4.18-important.svg)](https://github.com/IQSS/dataverse/releases/v4.18)
 [![Hub](https://img.shields.io/static/v1.svg?label=image&message=solr-k8s&logo=docker)](https://hub.docker.com/r/iqss/solr-k8s)
 [![Solr](https://img.shields.io/static/v1.svg?label=upstream&message=7.3.1&logo=docker)](https://hub.docker.com/_/solr)
 ![Pulls](https://img.shields.io/docker/pulls/iqss/solr-k8s)
@@ -10,7 +10,7 @@
 This container image includes a dependency service to run [Dataverse](https://dataverse.org), a
 Java EE based web application for research data management, on a container platform.
 It is derived from [upstream Solr images](https://hub.docker.com/_/solr), [using the
-required version](http://guides.dataverse.org/en/4.17/installation/prerequisites.html#solr).
+required version](http://guides.dataverse.org/en/4.18/installation/prerequisites.html#solr).
 
 It is primarily targeted to be used in production on [Kubernetes](https://kubernetes.io),
 but if you follow the same conventions, you should be able to use it with other tools
@@ -19,11 +19,11 @@ like [Docker](https://docker.io) or [podman](https://podman.io).
 ## Supported tags
 
 - `latest`: master branch based build ([`Dockerfile`](https://github.com/IQSS/dataverse-kubernetes/blob/master/docker/dataverse-k8s/glassfish/Dockerfile))
-- `4.17`, ..., `4.15.1`, ..., `4.11`: stable (tagged) releases
+- `4.18`, ..., `4.15.1`, ..., `4.11`: stable (tagged) releases
   - Using [upstream release schema](https://github.com/IQSS/dataverse/releases/) down to `4.11`.
   - See also [list on Docker Hub](https://hub.docker.com/r/iqss/dataverse-k8s/tags?page=1&ordering=last_updated&name=4.)
     for releases
-  - Last stable tag ([`Dockerfile`](https://github.com/IQSS/dataverse-kubernetes/blob/v4.17/docker/solr-k8s/Dockerfile))
+  - Last stable tag ([`Dockerfile`](https://github.com/IQSS/dataverse-kubernetes/blob/v4.18/docker/solr-k8s/Dockerfile))
 
 ## Quick reference
 
@@ -54,8 +54,8 @@ to this user on any volumes used for the below directories.
   Also available as `$SCHEMA_DIR`
 
   Please read the detailed docs about Solr schema provisioning:
-   - [Upstream: updating Solr schema](http://guides.dataverse.org/en/4.17/admin/metadatacustomization.html#updating-the-solr-schema).
-   - [Kubernetes `Job`s for Search Index](https://dataverse-k8s.rtfd.io/en/4.17/day2/job-index.html)
+   - [Upstream: updating Solr schema](http://guides.dataverse.org/en/4.18/admin/metadatacustomization.html#updating-the-solr-schema).
+   - [Kubernetes `Job`s for Search Index](https://dataverse-k8s.rtfd.io/en/4.18/day2/job-index.html)
 - **/scripts** <br />
   A collection of scripts for init containers and sidecars. See guide for more
   information on those scripts. Also available as `$SCRIPT_DIR`.

diff --git a/k8s/dataverse/deployment.yaml b/k8s/dataverse/deployment.yaml
@@ -5,7 +5,7 @@ metadata:
   name: dataverse
   labels:
     app.kubernetes.io/name: dataverse
-    app.kubernetes.io/version: "4.17"
+    app.kubernetes.io/version: "4.18"
     app.kubernetes.io/component: appserver
     app.kubernetes.io/part-of: dataverse
     app.kubernetes.io/managed-by: kubectl
@@ -56,10 +56,10 @@ spec:
             - name: docroot
               mountPath: /docroot
             - name: db-secret
-              mountPath: "/opt/dataverse/secrets/db"
+              mountPath: "/secrets/db"
               readOnly: true
             - name: doi-secret
-              mountPath: "/opt/dataverse/secrets/doi"
+              mountPath: "/secrets/doi"
               readOnly: true
           readinessProbe:
             httpGet:

diff --git a/k8s/dataverse/jobs/bootstrap.yaml b/k8s/dataverse/jobs/bootstrap.yaml
@@ -37,13 +37,13 @@ spec:
                   optional: true
           volumeMounts:
             - name: db-secret
-              mountPath: "/opt/dataverse/secrets/db"
+              mountPath: "/secrets/db"
               readOnly: true
             - name: api-secret
-              mountPath: "/opt/dataverse/secrets/api"
+              mountPath: "/secrets/api"
               readOnly: true
             - name: admin-secret
-              mountPath: "/opt/dataverse/secrets/admin"
+              mountPath: "/secrets/admin"
               readOnly: true
       initContainers:
         - name: check-db-ready

diff --git a/k8s/dataverse/jobs/configure.yaml b/k8s/dataverse/jobs/configure.yaml
@@ -25,7 +25,7 @@ spec:
                 name: dataverse
           volumeMounts:
             - name: api-secret
-              mountPath: "/opt/dataverse/secrets/api"
+              mountPath: "/secrets/api"
               readOnly: true
       initContainers:
         - name: check-dataverse-ready

diff --git a/k8s/dataverse/jobs/metadata-update.yaml b/k8s/dataverse/jobs/metadata-update.yaml
@@ -25,7 +25,7 @@ spec:
                 name: dataverse
           volumeMounts:
             - name: api-secret
-              mountPath: "/opt/dataverse/secrets/api"
+              mountPath: "/secrets/api"
               readOnly: true
       initContainers:
         - name: check-solr-ready

diff --git a/k8s/dataverse/kustomization.yaml b/k8s/dataverse/kustomization.yaml
@@ -9,4 +9,4 @@ resources:
 
 images:
   - name: iqss/dataverse-k8s
-    newTag: "4.17"
+    newTag: "4.18"
diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml
@@ -7,6 +7,6 @@ bases:
 
 images:
   - name: iqss/dataverse-k8s
-    newTag: "4.17"
+    newTag: "4.18"
   - name: iqss/solr-k8s
-    newTag: "4.17"
+    newTag: "4.18"
diff --git a/k8s/solr/deployment.yaml b/k8s/solr/deployment.yaml
@@ -5,7 +5,7 @@ metadata:
   name: solr
   labels:
     app.kubernetes.io/name: solr
-    app.kubernetes.io/version: "4.17"
+    app.kubernetes.io/version: "4.18"
     app.kubernetes.io/component: searchindex
     app.kubernetes.io/part-of: dataverse
     app.kubernetes.io/managed-by: kubectl

diff --git a/k8s/solr/kustomization.yaml b/k8s/solr/kustomization.yaml
@@ -8,4 +8,4 @@ resources:
 
 images:
   - name: iqss/solr-k8s
-    newTag: "4.17"
+    newTag: "4.18"