From 8c998f98fb567739888d418eab6fc9a3dd91b592 Mon Sep 17 00:00:00 2001 From: Garry O'Donnell Date: Mon, 25 Mar 2024 19:39:34 +0000 Subject: [PATCH] Add helm chart --- charts/.gitignore | 2 + charts/sessions/Chart.lock | 9 +++ charts/sessions/Chart.yaml | 15 ++++ charts/sessions/charts/sessions/Chart.yaml | 8 ++ .../charts/sessions/templates/_helpers.tpl | 73 +++++++++++++++++++ .../charts/sessions/templates/deployment.yaml | 67 +++++++++++++++++ .../charts/sessions/templates/service.yaml | 15 ++++ .../sessions/templates/serviceaccount.yaml | 12 +++ charts/sessions/charts/sessions/values.yaml | 47 ++++++++++++ charts/sessions/templates/bundler-secret.yaml | 15 ++++ charts/sessions/templates/ispyb-secret.yaml | 15 ++++ charts/sessions/values.yaml | 48 ++++++++++++ 12 files changed, 326 insertions(+) create mode 100644 charts/.gitignore create mode 100644 charts/sessions/Chart.lock create mode 100644 charts/sessions/Chart.yaml create mode 100644 charts/sessions/charts/sessions/Chart.yaml create mode 100644 charts/sessions/charts/sessions/templates/_helpers.tpl create mode 100644 charts/sessions/charts/sessions/templates/deployment.yaml create mode 100644 charts/sessions/charts/sessions/templates/service.yaml create mode 100644 charts/sessions/charts/sessions/templates/serviceaccount.yaml create mode 100644 charts/sessions/charts/sessions/values.yaml create mode 100644 charts/sessions/templates/bundler-secret.yaml create mode 100644 charts/sessions/templates/ispyb-secret.yaml create mode 100644 charts/sessions/values.yaml
diff --git a/charts/.gitignore b/charts/.gitignore
new file mode 100644
index 0000000..cc7994c
--- /dev/null
+++ b/charts/.gitignore
@@ -0,0 +1,2 @@
+# Chart Bundles
+*.tgz
diff --git a/charts/sessions/Chart.lock b/charts/sessions/Chart.lock
new file mode 100644
index 0000000..da65b75
--- /dev/null
+++ b/charts/sessions/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+ - name: sessions
+ repository: ""
+ version: 0.1.0
+ - name: opa
+ repository: oci://ghcr.io/diamondlightsource/authz-opa
+ version: 0.1.1
+digest: sha256:95017c41b0ce1a885a24cbf1cb84ec8c933fe7cc0da54ec8ab8feb83067ee3a4
+generated: "2024-03-15T14:42:56.472367672Z"
diff --git a/charts/sessions/Chart.yaml b/charts/sessions/Chart.yaml
new file mode 100644
index 0000000..b91e5ce
--- /dev/null
+++ b/charts/sessions/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: sessions
+description: A deployment providing beamline session information as part of the graph federation
+type: application
+
+version: 0.1.0
+
+dependencies:
+ - name: sessions
+ version: 0.1.0
+ condition: sessions.enabled
+ - name: opa
+ version: 0.1.1
+ repository: oci://ghcr.io/diamondlightsource/authz-opa
+ condition: opa.enabled
diff --git a/charts/sessions/charts/sessions/Chart.yaml b/charts/sessions/charts/sessions/Chart.yaml
new file mode 100644
index 0000000..08fb74b
--- /dev/null
+++ b/charts/sessions/charts/sessions/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: sessions
+description: A service providing beamline session information as part of the graph federation
+type: application
+
+version: 0.1.0
+
+appVersion: 0.1.0-rc3
diff --git a/charts/sessions/charts/sessions/templates/_helpers.tpl b/charts/sessions/charts/sessions/templates/_helpers.tpl
new file mode 100644
index 0000000..ce22e78
--- /dev/null
+++ b/charts/sessions/charts/sessions/templates/_helpers.tpl
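Review bot: The `condition: opa.enabled` on the `opa` dependency in charts/sessions/Chart.yaml is never set by the accompanying charts/sessions/values.yaml, which only defines `opa.opa.enabled: true` (a value handed down to the subchart), and Helm ignores a condition whose path is absent from the parent values, so the toggle is inert and the dependency is always pulled in. Add `enabled: true` directly under the top-level `opa:` key in values.yaml, mirroring `sessions.enabled`, so the condition declared here actually controls the dependency. The `sessions` dependency carries no `repository`, which is correct for a chart vendored under charts/, but a comment such as `# bundled in charts/sessions/charts/sessions; no repository needed` would stop the next reader from treating it as an omission.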
@@ -0,0 +1,73 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sessions.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sessions.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sessions.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "sessions.labels" -}}
+helm.sh/chart: {{ include "sessions.chart" . }}
+{{ include "sessions.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sessions.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sessions.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "sessions.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "sessions.fullname" .) 
.Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the database URL string
+*/}}
+{{- define "sessions.databaseURL" -}}
+{{- $host_parts := urlParse .Values.database.host }}
+{{- $raw_user_info := printf "%s:$DATABASE_PASSWORD" .Values.database.user }}
+{{- $url_parts := set $host_parts "userinfo" $raw_user_info }}
+{{- $raw_database_url := urlJoin $url_parts }}
+{{- replace "$DATABASE_PASSWORD" "$(DATABASE_PASSWORD)" $raw_database_url }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/sessions/charts/sessions/templates/deployment.yaml b/charts/sessions/charts/sessions/templates/deployment.yaml
new file mode 100644
index 0000000..6a84e2f
--- /dev/null
+++ b/charts/sessions/charts/sessions/templates/deployment.yaml
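Review bot: `sessions.databaseURL` builds the userinfo as `user:$DATABASE_PASSWORD` and hands it to `urlJoin`, which, as far as I recall of sprig's implementation, re-parses that userinfo and only attaches credentials when the user part is non-empty, so with the subchart default `database.user: ""` the placeholder is silently dropped from the rendered URL instead of failing at render time; guard it with `{{- $user := required "database.user must be set" .Values.database.user }}` (and the same for `database.host`) before the `printf`. The `$(DATABASE_PASSWORD)` trick deserves a sentence in the helper's header comment, e.g. `The literal $(DATABASE_PASSWORD) is expanded by the kubelet from the DATABASE_PASSWORD env var declared before DATABASE_URL in the container spec; the password itself is never rendered into the manifest.` The expanded password is not percent-encoded, so a secret containing `@`, `/`, `:` or `#` will be mis-parsed by the consumer, which is worth recording as a constraint on the `ispyb` secret. The file also ends without a trailing newline.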
@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "sessions.fullname" . }}
+ labels:
+ {{- include "sessions.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "sessions.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "sessions.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "sessions.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - serve
+ env:
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.password.secretName }}
+ key: {{ .Values.database.password.secretKey }}
+ - name: DATABASE_URL
+ value: {{ include "sessions.databaseURL" . }}
+ - name: OPA_URL
+ value: {{ tpl .Values.opa.url . }}
+ - name: LOG_LEVEL
+ value: {{ .Values.logLevel }}
+ - name: OTEL_COLLECTOR_URL
+ value: {{ tpl .Values.otelCollectorUrl . }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
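Review bot: The `value:` lines for DATABASE_URL, OPA_URL, LOG_LEVEL and OTEL_COLLECTOR_URL are emitted unquoted, so a value YAML types as something other than a string (a numeric log level, or the subchart default `otelCollectorUrl: ""` rendering `value:` with nothing after it, i.e. null) is rejected by the API server, since `EnvVar.value` must be a string, or silently differs from what was intended; pipe each through `| quote`, e.g. `value: {{ tpl .Values.otelCollectorUrl . | quote }}`. The env ordering is load-bearing and should say so above the list: `# DATABASE_PASSWORD must stay before DATABASE_URL: the kubelet only expands $(DATABASE_PASSWORD) from variables declared earlier in this list.` The container also has no liveness or readiness probe, so a rollout does not wait for `serve` to come up; if the app exposes a health route, add probes on the `http` port.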
diff --git a/charts/sessions/charts/sessions/templates/service.yaml b/charts/sessions/charts/sessions/templates/service.yaml
new file mode 100644
index 0000000..27ad4b3
--- /dev/null
+++ b/charts/sessions/charts/sessions/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "sessions.fullname" . }}
+ labels:
+ {{- include "sessions.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "sessions.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/sessions/charts/sessions/templates/serviceaccount.yaml b/charts/sessions/charts/sessions/templates/serviceaccount.yaml
new file mode 100644
index 0000000..d82153c
--- /dev/null
+++ b/charts/sessions/charts/sessions/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "sessions.serviceAccountName" . }}
+ labels:
+ {{- include "sessions.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sessions/charts/sessions/values.yaml b/charts/sessions/charts/sessions/values.yaml
new file mode 100644
index 0000000..6d0d210
--- /dev/null
+++ b/charts/sessions/charts/sessions/values.yaml
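Review bot: The ServiceAccount in serviceaccount.yaml is created without `automountServiceAccountToken`, so every pod that uses it gets an API token projected into the container by default, and nothing in the deployment or the values suggests the service talks to the Kubernetes API (its environment only points at the database, OPA and the collector). Add `automountServiceAccountToken: false` to the ServiceAccount, and since `sessions.serviceAccountName` falls back to `default` when `create` is false, set the same field on the pod spec so the token is not mounted in that path either; drop it only if the image turns out to need in-cluster API access.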
@@ -0,0 +1,47 @@
+nameOverride: ""
+fullnameOverride: ""
+
+image:
+ repository: ghcr.io/diamondlightsource/graph-sessions
+ pullPolicy: Always
+ tag: ""
+
+imagePullSecrets: []
+
+logLevel: Warn
+otelCollectorUrl: ""
+
+database:
+ host: ""
+ user: ""
+ password:
+ secretName: ""
+ secretKey: ""
+
+opa:
+ url: ""
+
+replicaCount: 1
+
+service:
+ type: ClusterIP
+ port: 80
+
+serviceAccount:
+ create: true
+ annotations: {}
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+
+securityContext: {}
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/charts/sessions/templates/bundler-secret.yaml b/charts/sessions/templates/bundler-secret.yaml
new file mode 100644
index 0000000..0e99ffe
--- /dev/null
+++ b/charts/sessions/templates/bundler-secret.yaml
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: bundler
+ namespace: graph
+spec:
+ encryptedData:
+ bearer-token: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: bundler
+ namespace: graph
+
diff --git a/charts/sessions/templates/ispyb-secret.yaml b/charts/sessions/templates/ispyb-secret.yaml
new file mode 100644
index 0000000..2a9141f
--- /dev/null
+++ b/charts/sessions/templates/ispyb-secret.yaml
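Review bot: `podSecurityContext: {}` and `securityContext: {}` in the subchart values leave the container running with whatever UID and capabilities the image ships, and `resources: {}` leaves it unbounded, so a fresh install gets none of the hardening the Pod Security Standards "restricted" profile expects. Because deployment.yaml already pipes both contexts through `toYaml`, the defaults below can be adopted without touching the templates; whether `graph-sessions` tolerates a non-root UID and a read-only root filesystem has to be confirmed against the image, so drop `runAsNonRoot` or `readOnlyRootFilesystem` if it cannot satisfy them. A one-line comment on each key saying where the consumer renders it (`# rendered verbatim into the container securityContext`) would also help whoever overrides these.
```yaml
# … unchanged: nameOverride … podAnnotations …

podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

# … unchanged: resources … affinity …
```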
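Review bot: Both SealedSecrets (bundler-secret.yaml here and charts/sessions/templates/ispyb-secret.yaml) hard-code `namespace: graph` and the fixed names `bundler`/`ispyb` inside a templates/ directory that is otherwise release-driven, so installing the umbrella chart into any other namespace cannot work: the Secret is unsealed in `graph` while the sessions pod looks for `ispyb` in its own namespace, and the ciphertext is bound to that exact name and namespace under kubeseal's default strict scope, so it cannot simply be re-pointed at `{{ .Release.Namespace }}` without re-sealing. Either state the constraint at the top of each file, `# Sealed for namespace "graph" with strict scope; re-seal with kubeseal if the name or namespace changes`, or re-seal with a wider scope and template the namespace. The `creationTimestamp: null` lines in both files are kubeseal output artefacts that can be dropped, and `template.metadata` lacks the chart labels every other resource gets from `sessions.labels`.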
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: ispyb
+ namespace: graph
+spec:
+ encryptedData:
+ password: AgBDmQTx19FQjg6HcynJbDV6Tz3kqFasD2og3OyX8MXqVmexGKGvj7bcv1EXmEjugjeBx6sQeuTLHLnZ7Y4ckG4bTx18tq++V8tG+D3qpkjoEilNDR6NeoRT3bw+l7s9G83TBZ5ZRwAZZ4WghTcQZXinOByVqYLe+xblB2JHfdD/dZE4HUmrFljIcDIOetc4AN3L2zpfYsYsO3XotQfu2JtTw4duM+Kxxstw+GsJjSILZoBhAiZfQTQ5NubeYHeKgOwyqF/T8QlyEYGY2to4p9W9QuPCtSNECG8bhOqQB9xQjCWVP/rmf5ZuHaUVH04UeRwxhw8z5z7e7uX0TddTLtQFzZmmbjUkHvrYoHJTWA0kM/4b6YiE0PoT6P5mLSR+Yova78zEu9hNmAT5X7QUxP9STDuxPyea0RguwNzX3Mja9ROZEKBTz9/WORRyBGK3v0MQKIK3pfYuur+rR4XFYQ7N1ekQyVso0uxXt6Rk6GTNpMhskfHYcYiOhWKPHipNITSBlXPEr3HEHQTAneSliUNFY+AeRgSaacCRXbCrkPrYCZhSrOZ6QXu3miLAxU4eE5ayVe08dpRkzjo4rfivHThMe385xHCr5ifOefw6E/nYPE4dintuYwFJBdgZQSSbDjOE5wogeIEs/UKioD2tVZmzrnRmF5fyFOyKRCCTi0JreG2+bMWvbv/+gRABwCmYuxPMo4wZsZfaEMr3aIM=
+ template:
+ metadata:
+ creationTimestamp: null
+ name: ispyb
+ namespace: graph
+
diff --git a/charts/sessions/values.yaml b/charts/sessions/values.yaml
new file mode 100644
index 0000000..0df58f4
--- /dev/null
+++ b/charts/sessions/values.yaml
@@ -0,0 +1,48 @@
+sessions:
+ enabled: true
+ logLevel: Debug
+ database:
+ host: mysql://ispybdbproxy.diamond.ac.uk:4306/ispyb
+ user: ispyb_ro
+ password:
+ secretName: ispyb
+ secretKey: password
+ otelCollectorUrl: http://federation-opentelemetry-collector:4317
+ opa:
+ url: http://{{ .Release.Name }}-opa-opa
+
+opa:
+ opa:
+ enabled: true
+ configOverride:
+ decision_logs:
+ console: true
+ services:
+ diamond-bundler:
+ url: https://authz.diamond.ac.uk
+ credentials:
+ bearer:
+ token: ${BUNDLER_BEARER_TOKEN}
+ ghcr:
+ url: https://ghcr.io
+ type: oci
+ bundles:
+ diamond-permissionables:
+ service: diamond-bundler
+ resource: bundle.tar.gz
+ polling:
+ min_delay_seconds: 10
+ max_delay_seconds: 60
+ sessions-policy:
+ service: ghcr
+ resource: ghcr.io/diamondlightsource/graph-sessions-policy:0.1.0-rc3
+ polling:
+ min_delay_seconds: 30
+ max_delay_seconds: 120
+ distributed_tracing:
+ type: grpc
+ address: federation-opentelemetry-collector:4317
+ service_name: sessions-opa
+ extraEnv:
+ - name: JWKS_ENDPOINT
+ value: https://authn.diamond.ac.uk/realms/master/protocol/openid-connect/certs
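Review bot: The OPA config references `${BUNDLER_BEARER_TOKEN}` for the `diamond-bundler` service, but nothing in this values file defines that variable: `extraEnv` only sets `JWKS_ENDPOINT`, and the `bundler` SealedSecret's `bearer-token` key is not mounted anywhere visible, so unless the authz-opa chart injects a secret named `bundler` by convention, OPA will poll the bundler unauthenticated and the `diamond-permissionables` bundle will never load. If that wiring is not implicit, add the entry below under `extraEnv` (assuming `extraEnv` is passed through as a list of container env entries, which the existing `name`/`value` item suggests). Separately, `logLevel: Debug` ships as the default for a service whose environment carries the database credential, so confirm the app's debug output does not echo its environment or connection string, and `decision_logs.console: true` prints every OPA input to the pod log, which may include the bearer tokens being authorised.
```yaml
# … unchanged: sessions … distributed_tracing …
  extraEnv:
    - name: JWKS_ENDPOINT
      value: https://authn.diamond.ac.uk/realms/master/protocol/openid-connect/certs
    - name: BUNDLER_BEARER_TOKEN
      valueFrom:
        secretKeyRef:
          name: bundler
          key: bearer-token
```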