Installation via a Helm chart and configuration to deploy the WES service as well as MongoDB, Celery, RabbitMQ, Flower and Autocert. This was tested with Helm v3.0.0.
- A working kubernetes cluster and access to the
kubectlcommand. - A dynamic storage provisioner (StorageClass) that can provide volumes in ReadWriteMany (RWM) access mode. You can find a list of internal provisioners that support this. We deployed cwl-WES successfully with an external NFS volume provisioner.
- If you are planning to use cwl-WES in FTP mode you need an FTP server that supports TLS encryption. Choose from options:
- Use system wide certificate manager, see Jetstack for install. Instance of ClusterIssuer is needed, YAML could look like:
Also you need system wide ingress and load balancer configuration, see Rancher Nginx and K8S RKE. If you choose this option, in
apiVersion: cert-manager.io/v1alpha2 kind: ClusterIssuer metadata: name: [name] labels: name: [name] spec: acme: email: [email protected] privateKeySecretRef: name: [name] server: https://acme-v02.api.letsencrypt.org/directory solvers: - http01: ingress: class: nginx
values.yamlsetautocert.createJob: "false"andingress.letsencryptSystem: "true" - Install ingress and autocert from WES (set
autocert.createJob: "true"andingress.letsencryptSystem: "false"). For Autocert, see section below.
- Use system wide certificate manager, see Jetstack for install. Instance of ClusterIssuer is needed, YAML could look like:
- A working TES installation like TESK or Funnel exposed via an endpoint. If you are planning to use cwl-WES in FTP mode, then your TES endpoint must also support FTP.
- Create a new namespace in Kubernetes in which to deploy WES:
kubectl create namespace <new-namespace-name>- Change the following values in
values.yaml(for a detailed list of configuration values look further down):clusterType: Set to "kubernetes".wes.netrcMachine: the endpoint of your FTP service.wes.netrcLogin: the username of your FTP service.wes.netrcPassword: the password of your FTP service. It is important that your FTP login and password do not contain any special characters used in URLs like (#,&,?,etc) because they can cause errors to be produced.
- Change the application configuration:
- Change the following values in /cwl_wes/config/app_config.yaml:
storage.remote_storage_url: The endpoint and folder of the FTP service that will be used for remote storage:ftp://endpoint//pathtesk.url: The endpoint of your TES Service.
- Change the following values in /cwl_wes/config/app_config.yaml:
- Navigate into the
deployment/directory and issue the following command:
helm install <name-of-your-deployment> . -f values.yaml -n <new-namespace-name>Helm should provision volumes for Rabbitmq, MongoDB and cwl-WES:
kubectl -n <new-namespace-name> get pvc Moreover you should see 5 new pods created in the new namespace (they should all settle in Running status after a while):
kubectl -n <new-namespace-name> get podsTODO
curl -X POST \
--header 'Content-Type: multipart/form-data' \
--header 'Accept: application/json' \
-F workflow_params='{"input":{"class":"File","path":"<add_a_path_to_a_file_here>"}}' \
-F workflow_type='CWL' \
-F workflow_type_version='v1.0' \
-F workflow_url='https://github.com/uniqueg/cwl-example-workflows/blob/master/hashsplitter-workflow.cwl' \
'<wes_endpoint>/ga4gh/wes/v1/runs'The helm chart utilizes scheduled TLS certificate fetching from Let's Encrypt.
- Test autocert with vanilla Kubernetes
Description of values in values.yaml
See values.yaml for default values.
| Key | Type | Description |
|---|---|---|
| applicationDomain | string | where to reach the Kubernetes cluster |
| autocert.apiServer | string | where to reach the Kubernetes API server |
| autocert.createJob | string | create autocert cronjob |
| autocert.email | string | email to inject into the certificate |
| autocert.image | string | container image to be used to run Autocert |
| autocert.schedule | string | schedule for certificate refreshment |
| autocert.testCert | string | whether to use Let's Encrypt staging so as not to exceed quota |
| celeryWorker.appName | string | name of the Celery app on Kubernetes cluster |
| celeryWorker.image | string | container image to be used for the Celery application |
| clusterType | string | type of Kubernetes cluster; either 'kubernetes' or 'openshift' |
| ingress.letsencryptSystem | string | for K8S, whether use system LetsEncrypt or not |
| ingress.nginx_image | string | for K8S, container image to be used to run nginx |
| ingress.scope.annotations.clusterissuer | string | for K8S, name of instance of letsencrypt cert manager |
| ingress.scope.annotations.ingressclass | string | for K8S, name of class that takes care of ingress |
| ingress.scope.annotations.tlsacme | string | for K8S, true if letsencrypt should be used |
| mongodb.appName | string | name of MongoDB app on Kubernetes cluster |
| mongodb.databaseAdminPassword | string | admin password for MongoDB |
| mongodb.databaseName | string | name of MongoDB database to be used in application |
| mongodb.databasePassword | string | user password for MongoDB |
| mongodb.databaseUser | string | username for MongoDB |
| mongodb.image | string | container image to be used to run MongoDB |
| mongodb.mountPath | string | for K8S, where to mount the PVC |
| mongodb.pullPolicy | string | pull Policy for container image |
| mongodb.securityContext.enabled | string | for K8S, whether security is enabled (to solve issues with newly created PVC) |
| mongodb.securityContext.fsGroup | string | for K8S, fsGroup that can access the PVC |
| mongodb.securityContext.runAsUser | string | for K8S, user that can access the PVC |
| mongodb.securityContext.runAsNonRoot | string | for K8S, run as non root |
| mongodb.volumeSize | string | size of volume reserved for MongoDB database |
| rabbitmq.appName | string | name of RabbitMQ app on Kubernetes cluster |
| rabbitmq.image | string | container image to be used to run RabbitMQ |
| rabbitmq.volumeSize | string | size of volume reserved for RabbitMQ broker |
| storageAccessMode | string | access mode for MongoDB and RabbitMQ PVC |
| tlsSecret | string | secret for TLS encryption |
| wes.appName | string | name of the main application on Kubernetes cluster |
| wes.image | string | containger image to be used for the main application |
| wes.netrcLogin | string | login name for accessing the sFTP server |
| wes.netrcMachine | string | host name of sFTP server |
| wes.netrcPassword | string | password for accessing the sFTP server |
| wes.storageClass | string | type of storageClass for WES, must have RWX capability |
| wes.volumeSize | string | size of volume reserved for the main application |
| wes.redirect | boolean | Activate/deactivate the '/' to '/ga4gh/wes/v1/ui/' redirection |