Merge pull request #47 from chrisburr/chart-prod-improvements

Improvements for deploying non-demo chart

.pre-commit-config.yaml

@@ -16,18 +16,20 @@ repos:
     - id: helm-docs
       name: helm-docs
       language: docker_image
-      entry: jnorwood/helm-docs:v1.11.2 --chart-search-root=diracx --output-file=../README.md --template-files=../README.md.gotmpl
+      entry: jnorwood/helm-docs:v1.11.2 --chart-search-root=diracx --output-file=../README.md --template-files=../README.md.gotmpl --chart-to-generate=diracx
       always_run: true
       pass_filenames: false
 
     - id: helm-lint
       name: helm-lint
       language: docker_image
-      entry: alpine/helm:3.11.1 lint diracx/
+      entry: alpine/helm:3.11.1 lint diracx/ --set diracx.hostname=diracx.invalid
       always_run: true
       pass_filenames: false
 
   - repo: https://github.com/koalaman/shellcheck-precommit
     rev: v0.9.0
     hooks:
     - id: shellcheck
+      # TODO: Render demo in CI and run the scripts through shell-check
+      exclude: '\.tpl$'

README.md

@@ -52,9 +52,11 @@ TODO
 
 | Repository | Name | Version |
 |------------|------|---------|
+|  | cert-manager-issuer | *.*.* |
 | https://charts.bitnami.com/bitnami/ | mysql | 9.11.0 |
 | https://charts.bitnami.com/bitnami/ | rabbitmq | 12.0.10 |
 | https://charts.dexidp.io/ | dex | 0.14.2 |
+| https://charts.jetstack.io | cert-manager | 1.13.1 |
 | https://charts.min.io/ | minio | 5.0.11 |
 | https://opensearch-project.github.io/helm-charts/ | opensearch | 2.13.1 |
 
@@ -67,10 +69,16 @@ TODO
 | autoscaling.maxReplicas | int | `100` |  |
 | autoscaling.minReplicas | int | `1` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| cert-manager-issuer.enabled | bool | `true` |  |
+| cert-manager.enabled | bool | `true` |  |
+| cert-manager.installCRDs | bool | `true` |  |
+| developer.autoReload | bool | `true` |  |
 | developer.enableCoverage | bool | `false` |  |
 | developer.enabled | bool | `true` |  |
+| developer.localCSPath | string | `"/local_cs_store"` |  |
+| developer.nodeImage | string | `"node:16-alpine"` |  |
 | developer.nodeModuleToInstall | string | `nil` |  |
-| developer.pythonModulesToInstall | list | `[]` |  |
+| developer.pythonModulesToEditableInstall | list | `[]` |  |
 | developer.sourcePath | string | `"/diracx_source"` |  |
 | developer.urls | object | `{}` |  |
 | dex."https.enabled" | bool | `false` |  |
@@ -95,44 +103,42 @@ TODO
 | dex.service.ports.http.nodePort | int | `32002` |  |
 | dex.service.ports.http.port | int | `8000` |  |
 | dex.service.type | string | `"NodePort"` |  |
-| diracx.csVolumeName | string | `"pv-cs-store"` |  |
-| diracx.ingress.className | string | `"nginx"` |  |
-| diracx.ingress.enabled | bool | `true` |  |
-| diracx.ingress.hosts[0].paths[0].backend.service.port.number | int | `8000` |  |
-| diracx.ingress.hosts[0].paths[0].path | string | `"/api"` |  |
-| diracx.ingress.hosts[0].paths[0].pathType | string | `"Prefix"` |  |
-| diracx.ingress.hosts[0].paths[1].backend.service.port.number | int | `8000` |  |
-| diracx.ingress.hosts[0].paths[1].path | string | `"/.well-known"` |  |
-| diracx.ingress.hosts[0].paths[1].pathType | string | `"Prefix"` |  |
-| diracx.ingress.tls | list | `[]` |  |
 | diracx.manageOSIndices | bool | `true` |  |
-| diracx.manageSQLSchema | bool | `true` |  |
 | diracx.mysqlDatabases[0] | string | `"AuthDB"` |  |
 | diracx.mysqlDatabases[1] | string | `"JobDB"` |  |
 | diracx.mysqlDatabases[2] | string | `"JobLoggingDB"` |  |
 | diracx.mysqlDatabases[3] | string | `"SandboxMetadataDB"` |  |
 | diracx.mysqlDatabases[4] | string | `"TaskQueueDB"` |  |
 | diracx.osDatabases[0] | string | `"JobParametersDB"` |  |
+| diracx.pythonModulesToInstall | list | `[]` |  |
+| diracx.service.port | int | `8000` |  |
+| diracx.service.type | string | `"ClusterIP"` |  |
 | diracx.settings.DIRACX_CONFIG_BACKEND_URL | string | `"git+file:///cs_store/initialRepo"` |  |
 | diracx.settings.DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS | string | `"[\"http://anything:8000/docs/oauth2-redirect\"]"` |  |
-| diracx.settings.DIRACX_SERVICE_AUTH_TOKEN_KEY | string | `"file:///signing-key/rs256.key"` |  |
-| diracxWeb.image.pullPolicy | string | `"IfNotPresent"` |  |
-| diracxWeb.image.repository | string | `"ghcr.io/diracgrid/diracx-web/client"` |  |
+| diracx.settings.DIRACX_SERVICE_AUTH_TOKEN_KEY | string | `"file:///signing-key/rsa256.key"` |  |
+| diracxWeb.image.pullPolicy | string | `"Always"` |  |
+| diracxWeb.image.repository | string | `"ghcr.io/diracgrid/diracx-web/static"` |  |
 | diracxWeb.image.tag | string | `"latest"` |  |
-| diracxWeb.ingress.className | string | `"nginx"` |  |
-| diracxWeb.ingress.enabled | bool | `true` |  |
-| diracxWeb.ingress.hosts[0].paths[0].backend.service.port.number | int | `3000` |  |
-| diracxWeb.ingress.hosts[0].paths[0].path | string | `"/"` |  |
-| diracxWeb.ingress.hosts[0].paths[0].pathType | string | `"Prefix"` |  |
-| diracxWeb.ingress.tls | list | `[]` |  |
-| diracxWeb.service.port | int | `3000` |  |
+| diracxWeb.service.port | int | `8080` |  |
 | diracxWeb.service.type | string | `"ClusterIP"` |  |
-| diracxWeb.settings.DEFAULT_SCOPE | string | `"vo:diracAdmin"` |  |
-| diracxWeb.settings.DIRACX_CLIENT_ID | string | `"myDIRACClientID"` |  |
 | fullnameOverride | string | `""` |  |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
+| global.batchJobTTL | int | `600` |  |
+| image.pullPolicy | string | `"Always"` |  |
 | image.repository | string | `"ghcr.io/diracgrid/diracx/server"` |  |
 | image.tag | string | `"latest"` |  |
+| ingress.annotations | object | `{}` |  |
+| ingress.className | string | `"nginx"` |  |
+| ingress.enabled | bool | `true` |  |
+| ingress.tlsSecretName | string | `"myingress-cert"` |  |
+| init-cs.defaultUsers | list | `[]` |  |
+| init-cs.enabled | bool | `true` |  |
+| init-secrets.enabled | bool | `true` |  |
+| init-secrets.rbac.create | bool | `true` |  |
+| init-secrets.serviceAccount.create | bool | `true` |  |
+| init-secrets.serviceAccount.enabled | bool | `true` |  |
+| init-secrets.serviceAccount.name | string | `nil` |  |
+| init-sql.enabled | bool | `true` |  |
+| init-sql.env | object | `{}` |  |
 | minio.consoleIngress.enabled | bool | `false` |  |
 | minio.consoleService.type | string | `"NodePort"` |  |
 | minio.enabled | bool | `true` |  |
@@ -146,33 +152,28 @@ TODO
 | minio.rootUser | string | `"rootuser"` |  |
 | minio.service.type | string | `"NodePort"` |  |
 | mysql.auth.createDatabase | bool | `false` |  |
-| mysql.auth.password | string | `"mysqlDevInsecure"` |  |
-| mysql.auth.rootPassword | string | `"mysqlRootDevInsecure"` |  |
+| mysql.auth.existingSecret | string | `"mysql-secret"` |  |
 | mysql.auth.username | string | `"sqldiracx"` |  |
 | mysql.enabled | bool | `true` |  |
 | mysql.initdbScriptsConfigMap | string | `"mysql-init-diracx-dbs"` |  |
 | nameOverride | string | `""` | type=kubernetes.io/dockerconfigjson imagePullSecrets:   - name: regcred |
 | nodeSelector | object | `{}` |  |
-| opensearch.config."cluster.routing.allocation.disk.threshold_enabled" | string | `"true"` |  |
-| opensearch.config."cluster.routing.allocation.disk.watermark.flood_stage" | string | `"200mb"` |  |
-| opensearch.config."cluster.routing.allocation.disk.watermark.high" | string | `"300mb"` |  |
-| opensearch.config."cluster.routing.allocation.disk.watermark.low" | string | `"500mb"` |  |
-| opensearch.config."plugins.security.disabled" | string | `"true"` |  |
+| opensearch.config."opensearch.yml" | string | `"cluster.name: opensearch-cluster\n\n# Bind to all interfaces because we don't know what IP address Docker will assign to us.\nnetwork.host: 0.0.0.0\n\n# Setting network.host to a non-loopback address enables the annoying bootstrap checks. \"Single-node\" mode disables them again.\n# Implicitly done if \".singleNode\" is set to \"true\".\n# discovery.type: single-node\n\n# Start OpenSearch Security Demo Configuration\n# WARNING: revise all the lines below before you go into production\nplugins:\n  security:\n    ssl:\n      transport:\n        pemcert_filepath: esnode.pem\n        pemkey_filepath: esnode-key.pem\n        pemtrustedcas_filepath: root-ca.pem\n        enforce_hostname_verification: false\n      http:\n        enabled: true\n        pemcert_filepath: esnode.pem\n        pemkey_filepath: esnode-key.pem\n        pemtrustedcas_filepath: root-ca.pem\n    allow_unsafe_democertificates: true\n    allow_default_init_securityindex: true\n    authcz:\n      admin_dn:\n        - CN=kirk,OU=client,O=client,L=test,C=de\n    audit.type: internal_opensearch\n    enable_snapshot_restore_privilege: true\n    check_snapshot_restore_write_privileges: true\n    restapi:\n      roles_enabled: [\"all_access\", \"security_rest_api_access\"]\n    system_indices:\n      enabled: true\n      indices:\n        [\n          \".opendistro-alerting-config\",\n          \".opendistro-alerting-alert*\",\n          \".opendistro-anomaly-results*\",\n          \".opendistro-anomaly-detector*\",\n          \".opendistro-anomaly-checkpoints\",\n          \".opendistro-anomaly-detection-state\",\n          \".opendistro-reports-*\",\n          \".opendistro-notifications-*\",\n          \".opendistro-notebooks\",\n          \".opendistro-asynchronous-search-response*\",\n        ]\n######## End OpenSearch Security Demo Configuration ########\ncluster:\n  routing:\n    allocation:\n      disk:\n        threshold_enabled: \"true\"\n        watermark:\n          flood_stage: 200mb\n          low: 500mb\n          high: 300mb\n"` |  |
 | opensearch.enabled | bool | `true` |  |
 | opensearch.opensearchJavaOpts | string | `"-Xms256m -Xmx256m"` |  |
 | opensearch.resources.requests.cpu | string | `"100m"` |  |
 | opensearch.resources.requests.memory | string | `"100Mi"` |  |
 | opensearch.singleNode | bool | `true` |  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
+| rabbitmq.auth.existingErlangSecret | string | `"rabbitmq-secret"` |  |
+| rabbitmq.auth.existingPasswordSecret | string | `"rabbitmq-secret"` |  |
 | rabbitmq.containerSecurityContext.enabled | bool | `false` |  |
 | rabbitmq.enabled | bool | `true` |  |
 | rabbitmq.podSecurityContext.enabled | bool | `false` |  |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
-| service.port | int | `8000` |  |
-| service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |

demo/demo_cluster_conf.tpl.yaml

@@ -12,21 +12,18 @@ nodes:
       kubeletExtraArgs:
         node-labels: "ingress-ready=true"
   extraMounts:
-  # Mount the local CS repo in the controle plane
-  # Then the PV will mount it from this controle plane "local" directory
-  # - hostPath: /home/chaen/dirac/diracx-project/chris-hackaton-cs/
-  #   containerPath: /local_cs_store
+  # Mount the directories in the control plane
+  # Then the PV will mount it from this control plane "local" directory
+  - hostPath: {{ csStorePath }}
+    containerPath: /local_cs_store
   # For developer to be able to edit
 {{ hostPaths }}
 
   # Expose the ingress port
   extraPortMappings:
-  - containerPort: 80
+  - containerPort: 443
     hostPort: 8000
     protocol: TCP
-  - containerPort: 3000
-    hostPort: 3000
-    protocol: TCP
   - containerPort: 32000
     hostPort: 32000
     protocol: TCP

demo/values.tpl.yaml

@@ -1,24 +1,28 @@
 developer:
   urls:
-    diracx: http://{{ hostname }}:8000
+    diracx: https://{{ hostname }}:8000
     minio: http://{{ hostname }}:32000
     dex: http://{{ hostname }}:32002
   demoDir: {{ demo_dir }}
-  pythonModulesToInstall: {{ python_modules_to_mount }}
+  pythonModulesToEditableInstall: {{ python_modules_to_mount }}
   nodeModuleToInstall: {{ node_module_to_mount }}
 
+init-cs:
+  defaultUsers:
+    - vo: diracAdmin
+      userGroup: admin
+      sub: EgVsb2NhbA
+      preferredUsername: admin
+      # TODO: Integrate with dex
+
 diracx:
+  hostname: {{ hostname }}
   settings:
-    DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS: '["http://localhost:8000/api/docs/oauth2-redirect", "http://localhost:8000/dashboard/#authentication-callback"]'
+    DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS: '["https://{{ hostname }}:8000/api/docs/oauth2-redirect", "https://{{ hostname }}:8000/#authentication-callback"]'
     DIRACX_SANDBOX_STORE_BUCKET_NAME: demo-sandboxes
     DIRACX_SANDBOX_STORE_S3_CLIENT_KWARGS: '{"endpoint_url": "http://{{ hostname }}:32000", "aws_access_key_id": "console", "aws_secret_access_key": "console123"}'
     DIRACX_SANDBOX_STORE_AUTO_CREATE_BUCKET: "true"
 
-diracxWeb:
-  settings:
-    REDIRECT_URI: http://localhost:8000/dashboard/#authentication-callback
-    NEXT_PUBLIC_DIRACX_URL: http://{{ hostname }}:8000
-
 minio:
   environment:
     MINIO_BROWSER_REDIRECT_URL: http://{{ hostname }}:32001/
@@ -32,8 +36,8 @@ dex:
       public: true
       name: 'CLI app'
       redirectURIs:
-        - 'http://{{ hostname }}:8000/api/auth/device/complete'
-        - http://{{ hostname }}:8000/api/auth/authorize/complete
+        - 'https://{{ hostname }}:8000/api/auth/device/complete'
+        - https://{{ hostname }}:8000/api/auth/authorize/complete
 
     staticPasswords:
       - email: "[email protected]"

diracx/Chart.lock

@@ -14,5 +14,11 @@ dependencies:
 - name: mysql
   repository: https://charts.bitnami.com/bitnami/
   version: 9.11.0
-digest: sha256:7e4213564b48cd4dbd66776499a16bc137a3b7dca8f93ab35d1a91fbeab19bcc
-generated: "2023-09-08T04:46:28.916039+02:00"
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.13.1
+- name: cert-manager-issuer
+  repository: ""
+  version: '*.*.*'
+digest: sha256:8edaf32185389bd3fd8a87370a82718bc94dfacf6acf1d7cc9f8e8742d58695a
+generated: "2023-10-06T18:09:31.379575+02:00"

diracx/Chart.yaml

@@ -46,3 +46,12 @@ dependencies:
   version: 9.11.0
   repository: https://charts.bitnami.com/bitnami/
   condition: mysql.enabled
+
+- name: cert-manager
+  version: 1.13.1
+  repository: https://charts.jetstack.io
+  condition: cert-manager.enabled
+
+- name: cert-manager-issuer
+  version: '*.*.*'
+  condition: cert-manager-issuer.enabled

diracx/charts/cert-manager-issuer/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+name: cert-manager-issuer
+version: 0.0.1
+appVersion: 0.0.1
+description: Configuration Job to add an Issuer to cert-manager

diracx/charts/cert-manager-issuer/templates/_create_issuer.sh.tpl

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e ;
+
+issuer_file=$1
+namespace={{ .Release.Namespace }}
+
+echo "Creating the certmanager issuer..."
+set +e ; # The CRD may not exist yet. We need to retry until this passes
+while ! kubectl --namespace=$namespace apply -f ${issuer_file:=issuer.yml}; do
+  sleep 1;
+done ;
+set -e ; # reset `e` as active

diracx/charts/cert-manager-issuer/templates/_helpers.tpl

@@ -0,0 +1,40 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cert-manager-issuer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "cert-manager-issuer.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified job name.
+Due to the job only being allowed to run once, we add the chart revision so helm
+upgrades don't cause errors trying to create the already ran job.
+Due to the helm delete not cleaning up these jobs, we add a random value to
+reduce collision
+*/}}
+{{- define "cert-manager-issuer.jobname" -}}
+{{- $name := printf "%s-issuer" .Release.Name | trunc 55 | trimSuffix "-" -}}
+{{- printf "%s-%d" $name .Release.Revision | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Returns the http01 solver's ingress class field. Takes the IngressClass as paramter.
+If the IngressClass is "none", the field is not set.
+  See: https://cert-manager.io/docs/configuration/acme/http01/#class
+*/}}
+{{- define "cert-manager-issuer.http01.ingress.class.field" -}}
+{{- $ingressClass := . | default "" -}}
+{{- if ne "none" $ingressClass -}}
+class: {{ $ingressClass }}
+{{- end -}}
+{{- end -}}

diracx/charts/cert-manager-issuer/templates/_issuer.yaml

@@ -0,0 +1,57 @@
+{{- if .Values.acme.enabled }}
+{{- $ingressCfg := dict "global" $.Values.global.ingress "local" .ingress "context" $ -}}
+{{- $ingressClassName := include "ingress.class.name" $ingressCfg -}}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Release.Name }}-issuer
+  namespace: {{ $.Release.Namespace }}
+spec:
+  acme:
+    # The ACME server URL
+    server: {{ .Values.acme.server | quote }}
+    # Email address used for ACME registration
+    email: {{ required "You must provide an email to associate with your TLS certificates. Please set certmanager-issuer.email" .Values.acme.email | quote }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: {{ .Release.Name }}-acme-key
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    - selector: {}
+      http01:
+        ingress:
+          {{ include "cert-manager-issuer.http01.ingress.class.field" $ingressClassName -}}
+{{- end }}
+---
+{{- if index .Values "self-signed" "enabled" }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: diracx-selfsigned-ca
+spec:
+  isCA: true
+  commonName: diracx-selfsigned-ca
+  secretName: root-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: diracx-ca-issuer
+spec:
+  ca:
+    secretName: root-secret
+{{- end }}

diracx/charts/cert-manager-issuer/templates/cert-manager.yml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "diracx.fullname" . }}-certmanager
+  namespace: {{ $.Release.Namespace }}
+data:
+  create-issuer: |
+{{ include (print $.Template.BasePath "/_create_issuer.sh.tpl") . | indent 4 }}
+  issuer.yml: |
+{{ include (print $.Template.BasePath "/_issuer.yaml") . | indent 4 }}