Refactor cm-service helm chart

cm-service: Add vault-secrets template

cm-service: Add preinstall hook for db migration

Author: tcjennings

applications/cm-service/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 0.1.2
+appVersion: 0.2.0
 description: Campaign Management for Rubin Data Release Production
 name: cm-service
 sources:
-- https://github.com/lsst-dm/cm-service
+  - https://github.com/lsst-dm/cm-service
 type: application
 version: 1.0.0

applications/cm-service/README.md

@@ -10,14 +10,21 @@ Campaign Management for Rubin Data Release Production
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| config.databaseEcho | bool | `false` | Whether to echo SQLAlchemy generated SQL to the log |
+| config.db.echo | bool | `false` | Whether to echo SQLAlchemy generated SQL to the log |
+| config.db.hostname | string | `""` | Name of the database host |
+| config.db.name | string | `"cmservice"` | Name of the database to use for the application |
+| config.db.port | int | `5432` | Port number of the database host |
+| config.db.username | string | `"cmservice"` | Name of the database user to use for the application |
 | config.logLevel | string | `"INFO"` | Logging level (`DEBUG`, `INFO`, `WARNING`, `ERROR`, or `CRITICAL`) |
 | config.logProfile | string | `"production"` | Logging profile (`production` for JSON, `development` for human-friendly) |
 | config.outputVolume.storage | string | `"1Gi"` | Minimum storage requested in service output area PVC |
 | config.outputVolume.storageClassName | string | `nil` | If specified, name of storage class requested in service output area PVC |
 | config.outputVolume.subPath | string | `nil` | If specified, sub-path within bound PV to be mounted at service output area |
-| config.pathPrefix | string | `"/cm-service/v1"` | URL path prefix |
+| config.pathPrefix | string | `"/cm-service"` | URL path prefix |
 | frontend.affinity | object | `{}` | Affinity rules for the frontend pods |
+| frontend.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the frontend image |
+| frontend.image.repository | string | `"ghcr.io/lsst-dm/cm-service"` | Image to use for frontend containers |
+| frontend.image.tag | string | The appVersion of the chart | Tag of frontend image to use |
 | frontend.nodeSelector | object | `{}` | Node selector rules for the frontend pods |
 | frontend.podAnnotations | object | `{}` | Annotations for the frontend pods |
 | frontend.replicaCount | int | `1` | Number of frontend pods to start |
@@ -30,6 +37,7 @@ Campaign Management for Rubin Data Release Production
 | image.repository | string | `"ghcr.io/lsst-dm/cm-service"` | Image to use for frontend containers |
 | image.tag | string | The appVersion of the chart | Tag of frontend image to use |
 | ingress.annotations | object | `{}` | Additional annotations for the frontend ingress rule |
+| internalDB | bool | `false` | Whether to use the internal (phalanx) database |
 | worker.affinity | object | `{}` | Affinity rules for the worker pods |
 | worker.htcondor.config.contents | string | `nil` | If specified, contents of htcondor config file to be injected into worker containers |
 | worker.htcondor.config.mountPath | string | `nil` | If specified, location for htcondor config file to be injected into worker containers |
@@ -39,7 +47,7 @@ Campaign Management for Rubin Data Release Production
 | worker.htcondor.scheddAddress.contents | string | `nil` | If specified, location for htcondor schedd address file to be injected into worker pods |
 | worker.htcondor.scheddAddress.mountPath | string | `nil` | If specified, contents of htcondor schedd address file to be injected into worker pods |
 | worker.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the worker image |
-| worker.image.repository | string | `"ghcr.io/lsst-dm/cm-service-worker"` | Image to use for worker containers |
+| worker.image.repository | string | `"ghcr.io/lsst-dm/cm-worker"` | Image to use for worker containers |
 | worker.image.tag | string | The appVersion of the chart | Tag of worker image to use |
 | worker.nodeSelector | object | `{}` | Node selection rules for the worker pods |
 | worker.podAnnotations | object | `{}` | Annotations for the worker pods |

applications/cm-service/secrets.yaml

@@ -1,8 +1,8 @@
-postgres-password:
-  description: >-
-    Password used to authenticate cm-service to its internal cnpg Postgres
-    server, deployed as part of the same Argo CD application. This secret can be
-    changed at any time, but the cm-service deployments will then have to be
-    restarted to pick up the new value.
-  generate:
-    type: password
+# the database password has been generated in the postgres application; copy
+# the secret from there if `internalDB` is set.
+internalDatabasePassword:
+  description: "Password for the internal phalanx postgres database"
+  if: internalDB
+  copy:
+    application: postgres
+    key: cmservice_password

applications/cm-service/templates/_helpers.tpl

@@ -1,16 +1,16 @@
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "cm-service.chart" -}}
+{{- define "application.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "cm-service.labels" -}}
-helm.sh/chart: {{ include "cm-service.chart" . }}
-{{ include "cm-service.selectorLabels" . }}
+{{- define "application.labels" -}}
+helm.sh/chart: {{ include "application.chart" . }}
+{{ include "application.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -20,7 +20,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "cm-service.selectorLabels" -}}
-app.kubernetes.io/name: "cm-service"
+{{- define "application.selectorLabels" -}}
+app.kubernetes.io/name: {{ .Chart.Name }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

applications/cm-service/templates/deployment.yaml renamed to applications/cm-service/templates/api-deployment.yaml

@@ -1,14 +1,14 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: "cm-service"
+  name: {{ .Chart.Name }}-server
   labels:
-    {{- include "cm-service.labels" . | nindent 4 }}
+    {{- include "application.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.frontend.replicaCount }}
   selector:
     matchLabels:
-      {{- include "cm-service.selectorLabels" . | nindent 6 }}
+      {{- include "application.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: "frontend"
   template:
     metadata:
@@ -17,7 +17,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        {{- include "cm-service.selectorLabels" . | nindent 8 }}
+        {{- include "application.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: "frontend"
     spec:
       {{- with .Values.frontend.affinity }}
@@ -26,23 +26,16 @@ spec:
       {{- end }}
       automountServiceAccountToken: false
       containers:
-        - name: "cm-service"
+        - name: {{ .Chart.Name }}
+          envFrom:
+            - configMapRef:
+                name: {{ .Chart.Name }}-env
           env:
-            - name: CM_DATABASE_PASSWORD
+            - name: DB__PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: postgres-secret
-                  key: password
-            - name: CM_URL_PREFIX
-              value: {{ .Values.config.pathPrefix | quote }}
-            - name: CM_DATABASE_URL
-              value: "postgresql://cm-service@cm-service-pg-rw/cm-service"
-            - name: CM_DATABASE_ECHO
-              value: {{ .Values.config.databaseEcho | quote }}
-            - name: CM_LOG_PROFILE
-              value: {{ .Values.config.logProfile | quote }}
-            - name: CM_LOG_LEVEL
-              value: {{ .Values.config.logLevel | quote }}
+                  name: cm-service
+                  key: internalDatabasePassword
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
@@ -51,7 +44,7 @@ spec:
               protocol: "TCP"
           readinessProbe:
             httpGet:
-              path: "/"
+              path: "/healthz"
               port: "http"
           resources:
             {{- toYaml .Values.frontend.resources | nindent 12 }}
@@ -70,7 +63,7 @@ spec:
       volumes:
         - name: output-volume
           persistentVolumeClaim:
-            claimName: cm-service-output
+            claimName: {{ .Chart.Name }}-output
       {{- with .Values.frontend.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

applications/cm-service/templates/configmap.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ .Chart.Name }}-env"
+  labels:
+    {{- include "application.labels" . | nindent 4 }}
+data:
+  ASGI__PREFIX: {{ .Values.config.pathPrefix | quote }}
+  {{- with .Values.config.db }}
+  DB__URL: "postgresql://{{ .username }}@{{ .hostname }}:{{ .port }}/{{ .name }}"
+  DB__ECHO: {{ .echo | quote }}
+  {{- end }}
+  LOGGING__PROFILE: {{ .Values.config.logProfile | quote }}
+  LOGGING__LEVEL: {{ .Values.config.logLevel | quote }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ .Chart.Name }}-htcondor-env"
+  labels:
+    {{- include "application.labels" . | nindent 4 }}
+data:
+  CONDOR_CONFIG: /home/lsstsvc1/.config/condor/condor-config

applications/cm-service/templates/ingress.yaml

@@ -1,19 +1,19 @@
 apiVersion: gafaelfawr.lsst.io/v1alpha1
 kind: GafaelfawrIngress
 metadata:
-  name: "cm-service"
+  name: {{ .Chart.Name }}
   labels:
-    {{- include "cm-service.labels" . | nindent 4 }}
+    {{- include "application.labels" . | nindent 4 }}
 config:
   baseUrl: {{ .Values.global.baseUrl | quote }}
   loginRedirect: true
   scopes:
     all:
       - "exec:internal-tools"
-  service: "cm-service"
+  service: {{ .Chart.Name }}
 template:
   metadata:
-    name: "cm-service"
+    name: {{ .Chart.Name }}
     {{- with .Values.ingress.annotations }}
     annotations:
       {{- toYaml . | nindent 6 }}
@@ -27,13 +27,20 @@ template:
               pathType: "Prefix"
               backend:
                 service:
-                  name: "cm-service"
+                  name: {{ .Chart.Name }}
                   port:
-                    number: 8080
+                    name: "http"
+            - path: "/docs"
+              pathType: "Prefix"
+              backend:
+                service:
+                  name: {{ .Chart.Name }}
+                  port:
+                    name: "http"
             - path: "/web_app"
               pathType: "Prefix"
               backend:
                 service:
-                  name: "cm-service"
+                  name: {{ .Chart.Name }}
                   port:
-                    number: 8080
+                    name: "http"

applications/cm-service/templates/networkpolicy.yaml

@@ -1,11 +1,11 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: "cm-service"
+  name: {{ .Chart.Name }}
 spec:
   podSelector:
     matchLabels:
-      {{- include "cm-service.selectorLabels" . | nindent 6 }}
+      {{- include "application.selectorLabels" . | nindent 6 }}
   policyTypes:
     - "Ingress"
   ingress:

applications/cm-service/templates/postgres.yaml

@@ -0,0 +1,30 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Chart.Name }}-db-alembic-migration"
+  labels:
+    {{- include "application.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    metadata: {}
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: db-alembic-migration
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          command: ["alembic"]
+          args: ["upgrade", "head"]
+{{- with .Values.config.db }}
+          env:
+            - name: DB__URL
+              value: "postgresql://{{ .username }}@{{ .hostname }}:{{ .port }}/{{ .name }}"
+{{- end }}
+            - name: DB__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: cm-service
+                  key: internalDatabasePassword

applications/cm-service/templates/pre-install-hooks.yaml

@@ -2,33 +2,31 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: cm-service-output
+  name: {{ .Chart.Name }}-output
   labels:
-    {{- include "cm-service.labels" . | nindent 4 }}
+    {{- include "application.labels" . | nindent 4 }}
 spec:
-  {{- with .Values.config.outputVolume.storageClassName }}
-  storageClassName: {{ . }}
-  {{- end }}
+  {{- with .Values.config.outputVolume }}
+  storageClassName: {{ .storageClassName  }}
   accessModes:
     - ReadWriteMany
   resources:
     requests:
-      storage: {{ .Values.config.outputVolume.storage }}
-{{- with .Values.worker.htcondor.fsRemoteDir }}
+      storage: {{ .storage }}
+  {{- end }}
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: cm-service-htcondor
+  name: {{ $.Chart.Name }}-htcondor
   labels:
-    {{- include "cm-service.labels" $ | nindent 4 }}
+    {{- include "application.labels" $ | nindent 4 }}
 spec:
-  {{- with .storageClassName }}
-  storageClassName: {{ . }}
-  {{- end }}
+  {{- with .Values.worker.htcondor.fsRemoteDir }}
+  storageClassName: {{ .storageClassName }}
   accessModes:
     - ReadWriteMany
   resources:
     requests:
       storage: {{ .storage }}
-{{- end }}
+  {{- end }}

applications/cm-service/templates/pvc.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: "cm-service"
+  name: {{ .Chart.Name }}
   labels:
-    {{- include "cm-service.labels" . | nindent 4 }}
+    {{- include "application.labels" . | nindent 4 }}
 spec:
   type: "ClusterIP"
   ports:
@@ -12,5 +12,5 @@ spec:
       protocol: "TCP"
       name: "http"
   selector:
-    {{- include "cm-service.selectorLabels" . | nindent 4 }}
+    {{- include "application.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: "frontend"

applications/cm-service/templates/service.yaml

@@ -1,13 +1,10 @@
+---
 apiVersion: ricoberger.de/v1alpha1
 kind: VaultSecret
 metadata:
-  name: postgres-secret
+  name: {{ .Chart.Name }}
   labels:
-    {{- include "cm-service.labels" . | nindent 4 }}
+    {{- include "application.labels" . | nindent 4 }}
 spec:
-  path: "{{ .Values.global.vaultSecretsPath }}/cm-service"
-  templates:
-    username: cm-service
-    password: >-
-      {% index .Secrets "postgres-password" %}
-  type: kubernetes.io/basic-auth
+  path: "{{ .Values.global.vaultSecretsPath }}/{{ .Chart.Name }}"
+  type: Opaque