Updates to cm-service chart

* Add redis and cnpg postgress to the app * Add secrets management * Move env vars from configmap into deployment * Remove gafaelfawr ingress for time being (until gf gets deployed to usdf cm vclusters) * Add volume configuration support for service output dir * Adjust to run service as user `lsstsvc1` * Add condor-capable worker deployment * Move deployment from `idfdemo` to `usdf-cm`
lsst-sqre · Aug 24, 2024 · ed3a44e · ed3a44e
1 parent 45c43ab
commit ed3a44e
Show file tree

Hide file tree

Showing 17 changed files with 448 additions and 95 deletions.
diff --git a/applications/cm-service/Chart.yaml b/applications/cm-service/Chart.yaml
@@ -6,3 +6,8 @@ sources:
 - https://github.com/lsst-dm/cm-service
 type: application
 version: 1.0.0
+
+dependencies:
+- name: redis
+  version: 1.0.12
+  repository: https://lsst-sqre.github.io/charts/
diff --git a/applications/cm-service/README.md b/applications/cm-service/README.md
@@ -10,19 +10,41 @@ Campaign Management for Rubin Data Release Production
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| affinity | object | `{}` | Affinity rules for the cm-service deployment pod |
-| config.logLevel | string | `"INFO"` | Logging level |
+| config.databaseEcho | bool | `false` | Whether to echo SQLAlchemy generated SQL to the log |
+| config.logLevel | string | `"INFO"` | Logging level (`DEBUG`, `INFO`, `WARNING`, `ERROR`, or `CRITICAL`) |
 | config.logProfile | string | `"production"` | Logging profile (`production` for JSON, `development` for human-friendly) |
-| config.pathPrefix | string | `"/cm-service"` | URL path prefix |
+| config.outputVolume.storage | string | `"1Gi"` | Minimum storage requested in service output area PVC |
+| config.outputVolume.storageClassName | string | `nil` | If specified, name of storage class requested in service output area PVC |
+| config.outputVolume.subPath | string | `nil` | If specified, sub-path within bound PV to be mounted at service output area |
+| config.pathPrefix | string | `"/cm-service/v1"` | URL path prefix |
+| frontend.affinity | object | `{}` | Affinity rules for the frontend pods |
+| frontend.nodeSelector | object | `{}` | Node selector rules for the frontend pods |
+| frontend.podAnnotations | object | `{}` | Annotations for the frontend pods |
+| frontend.replicaCount | int | `1` | Number of frontend pods to start |
+| frontend.resources | object | See `values.yaml` | Resource limits and requests for the frontend pods |
+| frontend.tolerations | list | `[]` | Tolerations for the frontend pods |
 | global.baseUrl | string | Set by Argo CD | Base URL for the environment |
 | global.host | string | Set by Argo CD | Host name for ingress |
 | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
-| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the cm-service image |
-| image.repository | string | `"ghcr.io/lsst-dm/cm-service"` | Image to use in the cm-service deployment |
-| image.tag | string | The appVersion of the chart | Tag of image to use |
-| ingress.annotations | object | `{}` | Additional annotations for the ingress rule |
-| nodeSelector | object | `{}` | Node selection rules for the cm-service deployment pod |
-| podAnnotations | object | `{}` | Annotations for the cm-service deployment pod |
-| replicaCount | int | `1` | Number of web deployment pods to start |
-| resources | object | See `values.yaml` | Resource limits and requests for the cm-service deployment pod |
-| tolerations | list | `[]` | Tolerations for the cm-service deployment pod |
+| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the frontend image |
+| image.repository | string | `"ghcr.io/lsst-dm/cm-service"` | Image to use for frontend containers |
+| image.tag | string | The appVersion of the chart | Tag of frontend image to use |
+| ingress.annotations | object | `{}` | Additional annotations for the frontend ingress rule |
+| redis.config.secretKey | string | `"password"` | Key inside secret from which to get the Redis password (do not change) |
+| redis.config.secretName | string | `"redis-secret"` | Name of secret containing Redis password |
+| worker.affinity | object | `{}` | Affinity rules for the worker pods |
+| worker.htcondor.config.contents | string | `nil` | If specified, contents of htcondor config file to be injected into worker containers |
+| worker.htcondor.config.mountPath | string | `nil` | If specified, location for htcondor config file to be injected into worker containers |
+| worker.htcondor.fsRemoteDir.storage | string | `"1Gi"` | Minimum storage requested in the condor remote area PVC |
+| worker.htcondor.fsRemoteDir.storageClassName | string | `nil` | If specified, name of storage class requested in condor remote area PVC |
+| worker.htcondor.fsRemoteDir.subPath | string | `nil` | If specified, sub-path within bound PV to be mounted as condor remote area |
+| worker.htcondor.scheddAddress.contents | string | `nil` | If specified, location for htcondor schedd address file to be injected into worker pods |
+| worker.htcondor.scheddAddress.mountPath | string | `nil` | If specified, contents of htcondor schedd address file to be injected into worker pods |
+| worker.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the worker image |
+| worker.image.repository | string | `"ghcr.io/lsst-dm/cm-service-worker"` | Image to use for worker containers |
+| worker.image.tag | string | The appVersion of the chart | Tag of worker image to use |
+| worker.nodeSelector | object | `{}` | Node selection rules for the worker pods |
+| worker.podAnnotations | object | `{}` | Annotations for the worker pods |
+| worker.replicaCount | int | `1` | Number of worker pods to start |
+| worker.resources | object | See `values.yaml` | Resource limits and requests for the worker pods |
+| worker.tolerations | list | `[]` | Tolerations for the worker pods |
diff --git a/applications/cm-service/secrets.yaml b/applications/cm-service/secrets.yaml
@@ -0,0 +1,16 @@
+redis-password:
+  description: >-
+    Password used to authenticate cm-service to its internal Redis server,
+    deployed as part of the same Argo CD application. This secret can be
+    changed at any time, but both the Redis server and the cm-service
+    deployments will then have to be restarted to pick up the new value.
+  generate:
+    type: password
+postgres-password:
+  description: >-
+    Password used to authenticate cm-service to its internal cnpg Postgres
+    server, deployed as part of the same Argo CD application. This secret can
+    be changed at any time, but both the Redis server and the cm-service
+    deployments will then have to be restarted to pick up the new value.
+  generate:
+    type: password
diff --git a/applications/cm-service/templates/configmap.yaml b/applications/cm-service/templates/configmap.yaml
diff --git a/applications/cm-service/templates/deployment.yaml b/applications/cm-service/templates/deployment.yaml
@@ -5,30 +5,51 @@ metadata:
   labels:
     {{- include "cm-service.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
+  replicas: {{ .Values.frontend.replicaCount }}
   selector:
     matchLabels:
       {{- include "cm-service.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "frontend"
   template:
     metadata:
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
-        {{- with .Values.podAnnotations }}
+        {{- with .Values.frontend.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
         {{- include "cm-service.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: "frontend"
     spec:
-      {{- with .Values.affinity }}
+      {{- with .Values.frontend.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       automountServiceAccountToken: false
       containers:
-        - name: {{ .Chart.Name }}
-          envFrom:
-            - configMapRef:
-                name: "cm-service"
+        - name: "cm-service"
+          env:
+            - name: CM_ARQ_REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: redis-secret
+                  key: password
+            - name: CM_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-secret
+                  key: password
+            - name: CM_URL_PREFIX
+              value: {{ .Values.config.pathPrefix | quote }}
+            - name: CM_DATABASE_URL
+              value: "postgresql://cm-service@cm-service-pg-rw/cm-service"
+            - name: CM_DATABASE_ECHO
+              value: {{ .Values.config.databaseEcho | quote }}
+            - name: CM_LOG_PROFILE
+              value: {{ .Values.config.logProfile | quote }}
+            - name: CM_LOG_LEVEL
+              value: {{ .Values.config.logLevel | quote }}
+            - name: CM_ARQ_REDIS_URL
+              value: "redis://cm-service-redis/1"
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
@@ -40,22 +61,28 @@ spec:
               path: "/"
               port: "http"
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml .Values.frontend.resources | nindent 12 }}
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - "all"
             readOnlyRootFilesystem: true
-      {{- with .Values.nodeSelector }}
+          volumeMounts:
+            - mountPath: "/output"
+              name: "output-volume"
+              {{- with .Values.config.outputVolume.subPath }}
+              subPath: {{ . }}
+              {{- end }}
+      volumes:
+        - name: output-volume
+          persistentVolumeClaim:
+            claimName: cm-service-output
+      {{- with .Values.frontend.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- with .Values.frontend.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
diff --git a/applications/cm-service/templates/ingress.yaml b/applications/cm-service/templates/ingress.yaml
diff --git a/applications/cm-service/templates/postgres.yaml b/applications/cm-service/templates/postgres.yaml
@@ -0,0 +1,16 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: cm-service-pg
+  labels:
+    {{- include "cm-service.labels" . | nindent 4 }}
+spec:
+  instances: 1
+  bootstrap:
+    initdb:
+      database: cm-service
+      owner: cm-service
+      secret:
+        name: postgres-secret
+  storage:
+    size: 1Gi
diff --git a/applications/cm-service/templates/pvc.yaml b/applications/cm-service/templates/pvc.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: cm-service-output
+  labels:
+    {{- include "cm-service.labels" . | nindent 4 }}
+spec:
+  {{- with .Values.config.outputVolume.storageClassName }}
+  storageClassName: {{ . }}
+  {{- end }}
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.config.outputVolume.storage }}
+{{- with .Values.worker.htcondor.fsRemoteDir }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: cm-service-htcondor
+  labels:
+    {{- include "cm-service.labels" $ | nindent 4 }}
+spec:
+  {{- with .storageClassName }}
+  storageClassName: {{ . }}
+  {{- end }}
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .storage }}
+{{- end }}
diff --git a/applications/cm-service/templates/service.yaml b/applications/cm-service/templates/service.yaml
@@ -13,3 +13,4 @@ spec:
       name: "http"
   selector:
     {{- include "cm-service.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: "frontend"
diff --git a/applications/cm-service/templates/vault-secrets.yaml b/applications/cm-service/templates/vault-secrets.yaml
@@ -0,0 +1,26 @@
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: redis-secret
+  labels:
+    {{- include "cm-service.labels" . | nindent 4 }}
+spec:
+  path: "{{ .Values.global.vaultSecretsPath }}/cm-service"
+  templates:
+    password: >-
+      {% index .Secrets "redis-password" %}
+  type: Opaque
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: postgres-secret
+  labels:
+    {{- include "cm-service.labels" . | nindent 4 }}
+spec:
+  path: "{{ .Values.global.vaultSecretsPath }}/cm-service"
+  templates:
+    username: cm-service
+    password: >-
+      {% index .Secrets "postgres-password" %}
+  type: kubernetes.io/basic-auth
diff --git a/applications/cm-service/templates/worker-configmap.yaml b/applications/cm-service/templates/worker-configmap.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "cm-service-config-worker"
+  labels:
+    {{- include "cm-service.labels" . | nindent 4 }}
+data:
+  {{- with .Values.worker.htcondor.config }}
+  config: |
+    {{- .contents | nindent 4 }}
+  {{- end }}
+  {{- with .Values.worker.htcondor.scheddAddress }}
+  scheddAddress: |
+    {{- .contents | nindent 4 }}
+  {{- end }}