From ed3a44e54a6210164d67eba569ba75c2e1aa1a0d Mon Sep 17 00:00:00 2001 
From: Fritz Mueller Date: Mon, 10 Jun 2024 17:54:13 -0700 Subject: [PATCH] Updates to cm-service chart * Add redis and cnpg postgress to the app * Add secrets management * Move env vars from configmap into deployment * Remove gafaelfawr ingress for time being (until gf gets deployed to usdf cm vclusters) * Add volume configuration support for service output dir * Adjust to run service as user `lsstsvc1` * Add condor-capable worker deployment * Move deployment from `idfdemo` to `usdf-cm` --- applications/cm-service/Chart.yaml | 5 + applications/cm-service/README.md | 46 ++++-- applications/cm-service/secrets.yaml | 16 ++ .../cm-service/templates/configmap.yaml | 10 -- .../cm-service/templates/deployment.yaml | 57 +++++-- .../cm-service/templates/ingress.yaml | 30 ---- .../cm-service/templates/postgres.yaml | 16 ++ applications/cm-service/templates/pvc.yaml | 34 ++++ .../cm-service/templates/service.yaml | 1 + .../cm-service/templates/vault-secrets.yaml | 26 ++++ .../templates/worker-configmap.yaml | 15 ++ .../templates/worker-deployment.yaml | 108 +++++++++++++ applications/cm-service/values-idfdemo.yaml | 0 applications/cm-service/values-usdf-cm.yaml | 31 ++++ applications/cm-service/values.yaml | 145 ++++++++++++++---- environments/values-idfdemo.yaml | 1 - environments/values-usdf-cm.yaml | 2 + 17 files changed, 448 insertions(+), 95 deletions(-) create mode 100644 applications/cm-service/secrets.yaml delete mode 100644 applications/cm-service/templates/configmap.yaml delete mode 100644 applications/cm-service/templates/ingress.yaml create mode 100644 applications/cm-service/templates/postgres.yaml create mode 100644 applications/cm-service/templates/pvc.yaml create mode 100644 applications/cm-service/templates/vault-secrets.yaml create mode 100644 applications/cm-service/templates/worker-configmap.yaml create mode 100644 applications/cm-service/templates/worker-deployment.yaml delete mode 100644 applications/cm-service/values-idfdemo.yaml create mode 100644 
applications/cm-service/values-usdf-cm.yaml diff --git a/applications/cm-service/Chart.yaml b/applications/cm-service/Chart.yaml index ede07c7126..5077630f61 100644 --- a/applications/cm-service/Chart.yaml +++ b/applications/cm-service/Chart.yaml @@ -6,3 +6,8 @@ sources: - https://github.com/lsst-dm/cm-service type: application version: 1.0.0 + +dependencies: +- name: redis + version: 1.0.12 + repository: https://lsst-sqre.github.io/charts/ diff --git a/applications/cm-service/README.md b/applications/cm-service/README.md index e89e497a63..88b43969e7 100644 --- a/applications/cm-service/README.md +++ b/applications/cm-service/README.md 
@@ -10,19 +10,41 @@ Campaign Management for Rubin Data Release Production | Key | Type | Default | Description | |-----|------|---------|-------------| -| affinity | object | `{}` | Affinity rules for the cm-service deployment pod | -| config.logLevel | string | `"INFO"` | Logging level | +| config.databaseEcho | bool | `false` | Whether to echo SQLAlchemy generated SQL to the log | +| config.logLevel | string | `"INFO"` | Logging level (`DEBUG`, `INFO`, `WARNING`, `ERROR`, or `CRITICAL`) | | config.logProfile | string | `"production"` | Logging profile (`production` for JSON, `development` for human-friendly) | -| config.pathPrefix | string | `"/cm-service"` | URL path prefix | +| config.outputVolume.storage | string | `"1Gi"` | Minimum storage requested in service output area PVC | +| config.outputVolume.storageClassName | string | `nil` | If specified, name of storage class requested in service output area PVC | +| config.outputVolume.subPath | string | `nil` | If specified, sub-path within bound PV to be mounted at service output area | +| config.pathPrefix | string | `"/cm-service/v1"` | URL path prefix | +| frontend.affinity | object | `{}` | Affinity rules for the frontend pods | +| frontend.nodeSelector | object | `{}` | Node selector rules for the frontend pods | +| frontend.podAnnotations | object | `{}` | Annotations for the frontend pods | +| frontend.replicaCount | int | `1` | Number of frontend pods to start | +| frontend.resources | object | See `values.yaml` | Resource limits and requests for the frontend pods | +| frontend.tolerations | list | `[]` | Tolerations for the frontend pods | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the cm-service image | -| image.repository | string | 
`"ghcr.io/lsst-dm/cm-service"` | Image to use in the cm-service deployment | -| image.tag | string | The appVersion of the chart | Tag of image to use | -| ingress.annotations | object | `{}` | Additional annotations for the ingress rule | -| nodeSelector | object | `{}` | Node selection rules for the cm-service deployment pod | -| podAnnotations | object | `{}` | Annotations for the cm-service deployment pod | -| replicaCount | int | `1` | Number of web deployment pods to start | -| resources | object | See `values.yaml` | Resource limits and requests for the cm-service deployment pod | -| tolerations | list | `[]` | Tolerations for the cm-service deployment pod | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the frontend image | +| image.repository | string | `"ghcr.io/lsst-dm/cm-service"` | Image to use for frontend containers | +| image.tag | string | The appVersion of the chart | Tag of frontend image to use | +| ingress.annotations | object | `{}` | Additional annotations for the frontend ingress rule | +| redis.config.secretKey | string | `"password"` | Key inside secret from which to get the Redis password (do not change) | +| redis.config.secretName | string | `"redis-secret"` | Name of secret containing Redis password | +| worker.affinity | object | `{}` | Affinity rules for the worker pods | +| worker.htcondor.config.contents | string | `nil` | If specified, contents of htcondor config file to be injected into worker containers | +| worker.htcondor.config.mountPath | string | `nil` | If specified, location for htcondor config file to be injected into worker containers | +| worker.htcondor.fsRemoteDir.storage | string | `"1Gi"` | Minimum storage requested in the condor remote area PVC | +| worker.htcondor.fsRemoteDir.storageClassName | string | `nil` | If specified, name of storage class requested in condor remote area PVC | +| worker.htcondor.fsRemoteDir.subPath | string | `nil` | If specified, sub-path within bound PV to be mounted 
as condor remote area |
+| worker.htcondor.scheddAddress.contents | string | `nil` | If specified, location for htcondor schedd address file to be injected into worker pods |
+| worker.htcondor.scheddAddress.mountPath | string | `nil` | If specified, contents of htcondor schedd address file to be injected into worker pods |
+| worker.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the worker image |
+| worker.image.repository | string | `"ghcr.io/lsst-dm/cm-service-worker"` | Image to use for worker containers |
+| worker.image.tag | string | The appVersion of the chart | Tag of worker image to use |
+| worker.nodeSelector | object | `{}` | Node selection rules for the worker pods |
+| worker.podAnnotations | object | `{}` | Annotations for the worker pods |
+| worker.replicaCount | int | `1` | Number of worker pods to start |
+| worker.resources | object | See `values.yaml` | Resource limits and requests for the worker pods |
+| worker.tolerations | list | `[]` | Tolerations for the worker pods |
diff --git a/applications/cm-service/secrets.yaml b/applications/cm-service/secrets.yaml
new file mode 100644
index 0000000000..414e59c34f
--- /dev/null
+++ b/applications/cm-service/secrets.yaml
@@ -0,0 +1,16 @@
+redis-password:
+ description: >-
+ Password used to authenticate cm-service to its internal Redis server,
+ deployed as part of the same Argo CD application. This secret can be
+ changed at any time, but both the Redis server and the cm-service
+ deployments will then have to be restarted to pick up the new value.
+ generate:
+ type: password
+postgres-password:
+ description: >-
+ Password used to authenticate cm-service to its internal cnpg Postgres
+ server, deployed as part of the same Argo CD application. This secret can
+ be changed at any time, but both the Redis server and the cm-service
+ deployments will then have to be restarted to pick up the new value.
+ generate:
+ type: password
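Review bot: The `postgres-password` description repeats the Redis wording, saying "both the Redis server and the cm-service deployments" must be restarted, so an operator rotating the database password is told to restart the wrong component. It should name the cnpg Postgres cluster rather than Redis, e.g. `be changed at any time, but the cm-service deployments will then have to be restarted to pick up the new value.`, plus whatever step the Postgres cluster itself needs, which is not visible in this diff. Both passwords reach the pods through `secretKeyRef` environment variables in the deployment templates, so running pods do not see a rotated value until they restart.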
diff --git a/applications/cm-service/templates/configmap.yaml b/applications/cm-service/templates/configmap.yaml
deleted file mode 100644
index 2f6e731121..0000000000
--- a/applications/cm-service/templates/configmap.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: "cm-service"
- labels:
- {{- include "cm-service.labels" . | nindent 4 }}
-data:
- CM_SERVICE_LOG_LEVEL: {{ .Values.config.logLevel | quote }}
- CM_SERVICE_PATH_PREFIX: {{ .Values.config.pathPrefix | quote }}
- CM_SERVICE_PROFILE: {{ .Values.config.logProfile | quote }}
diff --git a/applications/cm-service/templates/deployment.yaml b/applications/cm-service/templates/deployment.yaml
index 95c94be474..b50e8277eb 100644
--- a/applications/cm-service/templates/deployment.yaml
+++ b/applications/cm-service/templates/deployment.yaml
@@ -5,30 +5,51 @@ metadata: labels: {{- include "cm-service.labels" . | nindent 4 }} spec: - replicas: {{ .Values.replicaCount }} + replicas: {{ .Values.frontend.replicaCount }} selector: matchLabels: {{- include "cm-service.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: "frontend" template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- with .Values.podAnnotations }} + {{- with .Values.frontend.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: {{- include "cm-service.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "frontend" spec: - {{- with .Values.affinity }} + {{- with .Values.frontend.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} automountServiceAccountToken: false containers: - - name: {{ .Chart.Name }} - envFrom: - - configMapRef: - name: "cm-service" + - name: "cm-service" + env: + - name: CM_ARQ_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-secret + key: password + - name: CM_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: postgres-secret + key: password + - name: CM_URL_PREFIX + value: {{ .Values.config.pathPrefix | quote }} + - name: CM_DATABASE_URL + value: "postgresql://cm-service@cm-service-pg-rw/cm-service" + - name: CM_DATABASE_ECHO + value: {{ .Values.config.databaseEcho | quote }} + - name: CM_LOG_PROFILE + value: {{ .Values.config.logProfile | quote }} + - name: CM_LOG_LEVEL + value: {{ .Values.config.logLevel | quote }} + - name: CM_ARQ_REDIS_URL + value: "redis://cm-service-redis/1" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: 
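Review bot: The two `secretKeyRef` entries hard-code `name: redis-secret` and `key: password`, while values.yaml in this same commit introduces `redis.config.secretName` and `redis.config.secretKey`; overriding those values would leave this container reading a different secret from the one Redis is configured with. Either template them here, `name: {{ .Values.redis.config.secretName }}` and `key: {{ .Values.redis.config.secretKey }}`, or document that the names are fixed; the same literals appear in worker-deployment.yaml. `CM_ARQ_REDIS_URL` and `CM_DATABASE_URL` are also literals with no TLS parameters, so whether these connections are encrypted depends on client and server defaults that this diff does not show and is worth confirming. The container spec continues outside the hunk.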
@@ -40,22 +61,28 @@ spec: path: "/" port: "http" resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.frontend.resources | nindent 12 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - "all" readOnlyRootFilesystem: true - {{- with .Values.nodeSelector }} + volumeMounts: + - mountPath: "/output" + name: "output-volume" + {{- with .Values.config.outputVolume.subPath }} + subPath: {{ . }} + {{- end }} + volumes: + - name: output-volume + persistentVolumeClaim: + claimName: cm-service-output + {{- with .Values.frontend.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.frontend.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 diff --git a/applications/cm-service/templates/ingress.yaml b/applications/cm-service/templates/ingress.yaml deleted file mode 100644 index 3cba7dacab..0000000000 --- a/applications/cm-service/templates/ingress.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: gafaelfawr.lsst.io/v1alpha1 -kind: GafaelfawrIngress -metadata: - name: "cm-service" - labels: - {{- include "cm-service.labels" . | nindent 4 }} -config: - baseUrl: {{ .Values.global.baseUrl | quote }} - scopes: - all: - - "read:image" -template: - metadata: - name: "cm-service" - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 6 }} - {{- end }} - spec: - rules: - - host: {{ required "global.host must be set" .Values.global.host | quote }} - http: - paths: - - path: {{ .Values.config.pathPrefix | quote }} - pathType: "Prefix" - backend: - service: - name: "cm-service" - port: - number: 8080 diff --git a/applications/cm-service/templates/postgres.yaml b/applications/cm-service/templates/postgres.yaml new file mode 100644 index 0000000000..805ab34f46 --- /dev/null +++ b/applications/cm-service/templates/postgres.yaml 
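Review bot: The pod-level `securityContext` at the end of this hunk is deleted outright, so `runAsNonRoot: true` is no longer enforced and the UID now comes from whatever the image declares. The commit message says the service should run as `lsstsvc1`, but no replacement `runAsUser`/`runAsGroup` appears on the new side, and worker-deployment.yaml in this commit has no pod `securityContext` either. Keeping `securityContext:` with `runAsNonRoot: true` and setting `runAsUser`/`runAsGroup` to the `lsstsvc1` ids from values would make the intended identity explicit, which matters here because both pods mount the shared `ReadWriteMany` output volume. The container-level settings (`allowPrivilegeEscalation: false`, dropped capabilities, read-only root filesystem) are unchanged.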
@@ -0,0 +1,16 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: cm-service-pg + labels: + {{- include "cm-service.labels" . | nindent 4 }} +spec: + instances: 1 + bootstrap: + initdb: + database: cm-service + owner: cm-service + secret: + name: postgres-secret + storage: + size: 1Gi diff --git a/applications/cm-service/templates/pvc.yaml b/applications/cm-service/templates/pvc.yaml new file mode 100644 index 0000000000..7de9bb006a --- /dev/null +++ b/applications/cm-service/templates/pvc.yaml @@ -0,0 +1,34 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: cm-service-output + labels: + {{- include "cm-service.labels" . | nindent 4 }} +spec: + {{- with .Values.config.outputVolume.storageClassName }} + storageClassName: {{ . }} + {{- end }} + accessModes: + - ReadWriteMany + resources: + requests: + storage: {{ .Values.config.outputVolume.storage }} +{{- with .Values.worker.htcondor.fsRemoteDir }} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: cm-service-htcondor + labels: + {{- include "cm-service.labels" $ | nindent 4 }} +spec: + {{- with .storageClassName }} + storageClassName: {{ . }} + {{- end }} + accessModes: + - ReadWriteMany + resources: + requests: + storage: {{ .storage }} +{{- end }} diff --git a/applications/cm-service/templates/service.yaml b/applications/cm-service/templates/service.yaml index 22b74097d9..1db992917a 100644 --- a/applications/cm-service/templates/service.yaml +++ b/applications/cm-service/templates/service.yaml @@ -13,3 +13,4 @@ spec: name: "http" selector: {{- include "cm-service.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: "frontend" diff --git a/applications/cm-service/templates/vault-secrets.yaml b/applications/cm-service/templates/vault-secrets.yaml new file mode 100644 index 0000000000..26f72b46e6 --- /dev/null +++ b/applications/cm-service/templates/vault-secrets.yaml 
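Review bot: The `Cluster` spec fixes `instances: 1` and `size: 1Gi` and has no `backup` section, so as written the campaign database has neither a replica nor a recovery path defined in this chart. If that is intentional for the first deployment, a comment saying so would help; otherwise expose the instance count and storage size through values the way pvc.yaml does for the output volume, and add a backup configuration.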
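Review bot: In pvc.yaml the guard `{{- with .Values.worker.htcondor.fsRemoteDir }}` is always true with the chart defaults, because values.yaml sets `fsRemoteDir.storage: 1Gi`, so the `cm-service-htcondor` claim is created even when HTCondor is not configured. worker-deployment.yaml uses the same guard and then renders `mountPath: {{ .mountPath }}`, a key values.yaml never defines, which would produce an empty mount path in any environment that does not set it. Gating on the field that actually enables the feature, for example `{{- if .mountPath }}` directly inside the `with`, in both templates avoids this.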
@@ -0,0 +1,26 @@
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: redis-secret
+ labels:
+ {{- include "cm-service.labels" . | nindent 4 }}
+spec:
+ path: "{{ .Values.global.vaultSecretsPath }}/cm-service"
+ templates:
+ password: >-
+ {% index .Secrets "redis-password" %}
+ type: Opaque
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: postgres-secret
+ labels:
+ {{- include "cm-service.labels" . | nindent 4 }}
+spec:
+ path: "{{ .Values.global.vaultSecretsPath }}/cm-service"
+ templates:
+ username: cm-service
+ password: >-
+ {% index .Secrets "postgres-password" %}
+ type: kubernetes.io/basic-auth
diff --git a/applications/cm-service/templates/worker-configmap.yaml b/applications/cm-service/templates/worker-configmap.yaml
new file mode 100644
index 0000000000..2178125409
--- /dev/null
+++ b/applications/cm-service/templates/worker-configmap.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "cm-service-config-worker"
+ labels:
+ {{- include "cm-service.labels" . | nindent 4 }}
+data:
+ {{- with .Values.worker.htcondor.config }}
+ config: |
+ {{- .contents | nindent 4 }}
+ {{- end }}
+ {{- with .Values.worker.htcondor.scheddAddress }}
+ scheddAddress: |
+ {{- .contents | nindent 4 }}
+ {{- end }}
diff --git a/applications/cm-service/templates/worker-deployment.yaml b/applications/cm-service/templates/worker-deployment.yaml
new file mode 100644
index 0000000000..e0bce6f8c1
--- /dev/null
+++ b/applications/cm-service/templates/worker-deployment.yaml
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "cm-service-worker"
+ labels:
+ {{- include "cm-service.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.worker.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "cm-service.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: "worker"
+ template:
+ metadata:
+ annotations:
+ {{- with .Values.worker.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "cm-service.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: "worker"
+ spec:
+ {{- with .Values.worker.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ automountServiceAccountToken: false
+ containers:
+ - name: "cm-service-worker"
+ env:
+ - name: CM_ARQ_REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: redis-secret
+ key: password
+ - name: CM_ARQ_REDIS_URL
+ value: "redis://cm-service-redis/1"
+ image: "{{ .Values.worker.image.repository }}:{{ .Values.worker.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ resources:
+ {{- toYaml .Values.worker.resources | nindent 12 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "all"
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: "/output"
+ name: "output-volume"
+ {{- with .Values.config.outputVolume.subPath }}
+ subPath: {{ . }}
+ {{- end }}
+ - mountPath: "/tmp"
+ name: "tmp-volume"
+ {{- with .Values.worker.htcondor.config }}
+ - mountPath: {{ .mountPath }}
+ name: "condor-config-volume"
+ readOnly: true
+ {{- end }}
+ {{- with .Values.worker.htcondor.fsRemoteDir }}
+ - mountPath: {{ .mountPath }}
+ name: "condor-remote-volume"
+ {{- with .subPath }}
+ subPath: {{ .
}}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.worker.htcondor.scheddAddress }}
+ - mountPath: {{ .mountPath }}
+ name: "condor-schedd-volume"
+ readOnly: true
+ {{- end }}
+ volumes:
+ - name: output-volume
+ persistentVolumeClaim:
+ claimName: cm-service-output
+ - name: tmp-volume
+ emptyDir:
+ sizeLimit: 500Mi
+ {{- with .Values.worker.htcondor.config }}
+ - name: condor-config-volume
+ configMap:
+ name: cm-service-config-worker
+ items:
+ - key: config
+ path: condor-config
+ {{- end }}
+ {{- with .Values.worker.htcondor.fsRemoteDir }}
+ - name: condor-remote-volume
+ persistentVolumeClaim:
+ claimName: cm-service-htcondor
+ {{- end }}
+ {{- with .Values.worker.htcondor.scheddAddress }}
+ - name: condor-schedd-volume
+ configMap:
+ name: cm-service-config-worker
+ items:
+ - key: scheddAddress
+ path: schedd-address
+ {{- end }}
+ {{- with .Values.worker.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.worker.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/applications/cm-service/values-idfdemo.yaml b/applications/cm-service/values-idfdemo.yaml
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/applications/cm-service/values-usdf-cm.yaml b/applications/cm-service/values-usdf-cm.yaml
new file mode 100644
index 0000000000..d1da944f93
--- /dev/null
+++ b/applications/cm-service/values-usdf-cm.yaml
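Review bot: `imagePullPolicy: {{ .Values.image.pullPolicy }}` in worker-deployment.yaml reads the frontend image's policy although this commit adds `worker.image.pullPolicy`, which is therefore never used; it should be `imagePullPolicy: {{ .Values.worker.image.pullPolicy }}`. The pod template also carries no checksum annotation for `cm-service-config-worker`, so editing the HTCondor configuration or schedd address in values will not roll the workers. deployment.yaml previously used a `checksum/config` annotation built with `sha256sum` for this purpose, and an equivalent line under `annotations:` pointing at `/worker-configmap.yaml` would restore that behaviour for the worker.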
@@ -0,0 +1,31 @@
+config:
+ logLevel: "INFO"
+ logProfile: "development"
+ databaseEcho: true
+ outputVolume:
+ storageClassName: "sdf-data-rubin"
+ subPath: "shared/campaigns/users/usdf-cm-prod"
+worker:
+ htcondor:
+ config:
+ mountPath: "/opt/lsst/software/stack/conda/envs/lsst-scipipe-9.0.0/etc/condor/config.d"
+ contents: |
+ CONDOR_HOST = sdfiana012.sdf.slac.stanford.edu
+ COLLECTOR_HOST = sdfiana012.sdf.slac.stanford.edu
+ SEC_CLIENT_AUTHENTICATION_METHODS = FS, FS_REMOTE
+ use security:recommended_v9_0
+ SEC_DEFAULT_AUTHENTICATION_METHODS = FS_REMOTE, IDTOKENS, FS
+ SEC_DAEMON_AUTHENTICATION_METHODS = FS_REMOTE, IDTOKENS, FS
+ SEC_READ_AUTHENTICATION_METHODS = FS_REMOTE, IDTOKENS, FS
+ FS_REMOTE_DIR = /sdf/group/rubin/services/htcondor/shared
+ SCHEDD_ADDRESS_FILE = /config/schedd-address
+ fsRemoteDir:
+ storageClassName: "sdf-group-rubin"
+ subPath: "services/htcondor/shared"
+ mountPath: "/sdf/group/rubin/services/htcondor/shared"
+ scheddAddress:
+ mountPath: "/config"
+ contents: |
+ <172.24.49.173:5935?addrs=172.24.49.173-5935&alias=sdfiana012.sdf.slac.stanford.edu>
+ $CondorVersion: 23.0.12 2024-06-13 BuildID: 739441 PackageID: 23.0.12-1 $
+ $CondorPlatform: x86_64_AlmaLinux8 $
diff --git a/applications/cm-service/values.yaml b/applications/cm-service/values.yaml
index c426cf72c5..363b8a4e25 100644
--- a/applications/cm-service/values.yaml
+++ b/applications/cm-service/values.yaml
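Review bot: `databaseEcho: true` together with `logProfile: "development"` is set in values-usdf-cm.yaml for an environment whose output path is `usdf-cm-prod`; echoing every SQLAlchemy statement puts query text, and possibly bound values depending on the logging setup, into pod logs. Unless this is deliberate for bring-up, `databaseEcho: false` is the safer setting here. The `scheddAddress.contents` block pins an IP, port and HTCondor build string that look captured from a running schedd, which presumably goes stale when that daemon restarts or is upgraded, so a comment describing how to regenerate it would help.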
@@ -2,50 +2,141 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -# -- Number of web deployment pods to start -replicaCount: 1 +config: + + # -- Whether to echo SQLAlchemy generated SQL to the log + databaseEcho: false + + # -- Logging level (`DEBUG`, `INFO`, `WARNING`, `ERROR`, or `CRITICAL`) + logLevel: "INFO" + + # -- Logging profile (`production` for JSON, `development` for human-friendly) + logProfile: "production" + + outputVolume: + # -- If specified, name of storage class requested in service output area PVC + storageClassName: null + + # -- Minimum storage requested in service output area PVC + storage: 1Gi + + # -- If specified, sub-path within bound PV to be mounted at service output area + subPath: null + + # -- URL path prefix + pathPrefix: "/cm-service/v1" image: - # -- Image to use in the cm-service deployment + # -- Image to use for frontend containers repository: "ghcr.io/lsst-dm/cm-service" - # -- Pull policy for the cm-service image + # -- Pull policy for the frontend image pullPolicy: "IfNotPresent" - # -- Tag of image to use + # -- Tag of frontend image to use # @default -- The appVersion of the chart tag: null -config: - # -- Logging level - logLevel: "INFO" +ingress: + # -- Additional annotations for the frontend ingress rule + annotations: {} - # -- Logging profile (`production` for JSON, `development` for - # human-friendly) - logProfile: "production" +frontend: + # -- Number of frontend pods to start + replicaCount: 1 - # -- URL path prefix - pathPrefix: "/cm-service" + # -- Resource limits and requests for the frontend pods + # @default -- See `values.yaml` + resources: + limits: + cpu: "0.5" + memory: "500Mi" + requests: + cpu: "0.1" + memory: "230Mi" -ingress: - # -- Additional annotations for the ingress rule - annotations: {} + # -- Affinity rules for the frontend pods + affinity: {} + + # -- Node selector rules for the frontend pods + nodeSelector: {} + + # -- Annotations for the frontend pods 
+ podAnnotations: {} + + # -- Tolerations for the frontend pods + tolerations: [] + +worker: + # -- Number of worker pods to start + replicaCount: 1 + + image: + # -- Image to use for worker containers + repository: "ghcr.io/lsst-dm/cm-service-worker" + + # -- Pull policy for the worker image + pullPolicy: "IfNotPresent" + + # -- Tag of worker image to use + # @default -- The appVersion of the chart + tag: null + + # -- Resource limits and requests for the worker pods + # @default -- See `values.yaml` + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.1" + memory: "550Mi" + + # -- Affinity rules for the worker pods + affinity: {} + + # -- Node selection rules for the worker pods + nodeSelector: {} + + # -- Annotations for the worker pods + podAnnotations: {} + + # -- Tolerations for the worker pods + tolerations: [] + + htcondor: + config: + # -- If specified, location for htcondor config file to be injected into worker containers + mountPath: null + + # -- If specified, contents of htcondor config file to be injected into worker containers + contents: null + + fsRemoteDir: + # -- If specified, name of storage class requested in condor remote area PVC + storageClassName: null + + # -- Minimum storage requested in the condor remote area PVC + storage: 1Gi -# -- Affinity rules for the cm-service deployment pod -affinity: {} + # -- If specified, sub-path within bound PV to be mounted as condor remote area + subPath: null -# -- Node selection rules for the cm-service deployment pod -nodeSelector: {} + scheddAddress: + # -- If specified, contents of htcondor schedd address file to be injected into worker pods + mountPath: null -# -- Annotations for the cm-service deployment pod -podAnnotations: {} + # -- If specified, location for htcondor schedd address file to be injected into worker pods + contents: null -# -- Resource limits and requests for the cm-service deployment pod -# @default -- See `values.yaml` -resources: {} +redis: + config: + # -- 
Name of secret containing Redis password + secretName: "redis-secret" -# -- Tolerations for the cm-service deployment pod -tolerations: [] + # -- Key inside secret from which to get the Redis password (do not + # change) + secretKey: "password" # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. diff --git a/environments/values-idfdemo.yaml b/environments/values-idfdemo.yaml index 82ecc3c21c..fdd3487c5c 100644 --- a/environments/values-idfdemo.yaml +++ b/environments/values-idfdemo.yaml @@ -22,4 +22,3 @@ applications: squareone: true times-square: true vault-secrets-operator: true - cm-service: true diff --git a/environments/values-usdf-cm.yaml b/environments/values-usdf-cm.yaml index 2fb30966d6..3eac3a6f9d 100644 --- a/environments/values-usdf-cm.yaml +++ b/environments/values-usdf-cm.yaml @@ -10,3 +10,5 @@ applications: cert-manager: false gafaelfawr: false ingress-nginx: false + + cm-service: true
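Review bot: In values.yaml the doc comments on `worker.htcondor.scheddAddress` are swapped: `mountPath` is described as "contents of htcondor schedd address file" and `contents` as "location for htcondor schedd address file", and the README table in this commit carries the same mistake. The comment above `mountPath` should read `# -- If specified, location for htcondor schedd address file to be injected into worker pods`, with the "contents" sentence moved above `contents`. `fsRemoteDir.mountPath` is used by worker-deployment.yaml and set in values-usdf-cm.yaml but is not declared here, so a `mountPath: null` entry with its own `# --` comment is missing as well.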