webservice docs

charts/prometheus/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: prometheus
 description: OSC Prometheus deployment
 type: application
-version: 0.18.2
+version: 0.18.3
 appVersion: "v2.44.0"
 maintainers:
   - name: treydock

charts/prometheus/templates/config.yaml

@@ -313,6 +313,10 @@ data:
         regex: '(.+)'
         replacement: '$1'
         target_label: receiver
+      - source_labels: [__name__,label_osc_edu_role]
+        regex: 'kube_pod_labels;(.+)'
+        replacement: '$1'
+        target_label: role
       - regex: "label_receiver"
         action: labeldrop
     - job_name: kube-state-metrics-telemetry

charts/webservice/Chart.yaml

@@ -2,17 +2,17 @@ apiVersion: v2
 name: webservice
 description: OSC webservice bootstrap Helm Chart
 type: application
-version: 0.33.0
+version: 0.34.0
 appVersion: "0.1.0"
 maintainers:
   - name: treydock
 dependencies:
   - name: database
-    version: 0.9.0
+    version: 0.12.0
     repository: https://osc.github.io/osc-helm-charts/
     # repository: file://../database
-    condition: database.mariadb.enable, database.postgresql.enable
+    condition: database.enable
   - name: osc-common
-    version: 0.5.0
+    version: 0.7.0
     repository: https://osc.github.io/osc-helm-charts/
     # repository: file://../common

charts/webservice/README.md

@@ -0,0 +1,106 @@
+# webservice
+
+![Version: 0.34.0](https://img.shields.io/badge/Version-0.34.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
+
+OSC webservice bootstrap Helm Chart
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| treydock |  |  |
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://osc.github.io/osc-helm-charts/ | database | 0.12.0 |
+| https://osc.github.io/osc-helm-charts/ | osc-common | 0.7.0 |
+
+## Usage
+
+## Values
+
+| Key | Description | Default |
+|-----|-------------|---------|
+| global.imagePullSecret.name | image pull secret name | `"osc-registry"` |
+| global.imagePullSecret.registry | OSC registry address | `"docker-registry.osc.edu"` |
+| global.imagePullSecret.username | OSC registry username | `"robot$webservices-read"` |
+| global.imagePullSecret.password | The image pull secret password for database images | **required** |
+| global.nodeSelectorRole | The nodeSelector role | `"webservices"` |
+| global.storageClass | The persistent storage class | `"webservices-nfs-client"` |
+| global.ingressName | The name of IGNIX Ingress | `"ingress-nginx"` |
+| appType | The webservice application type. Choices currently are `rails`, `rshiny` and `none`. This is used to set the default command and args | `"rails"` |
+| command | Command to start webservice | `[]` |
+| args | Args to start webservice | `[]` |
+| workingDir | webservice working directory | `nil` |
+| env | List environment variables, eg: `{"name": "<name>", "value": "<value>"}` | `[]` |
+| defaultCommand.rails | Default command when `appType` is `rails` | `["bundle","exec","passenger","start"]` |
+| defaultCommand.rshiny | Default command when `appType` is `rshiny` | `["/bin/passenger","start"]` |
+| defaultCommand.none | Default command when `appType` is `none` | `[]` |
+| defaultArgs.rails | Default args when `appType` is `rails` | `["--port={{ .Values.service.port }}","--min-instances=1","--sticky-sessions","--start-timeout=180","--environment=production","--disable-security-update-check","--disable-anonymous-telemetry","--log-file=/dev/stdout","--pid-file=/tmp/passenger.pid"]` |
+| defaultArgs.rshiny | Default args when `appType` is `rshiny` | `["--port={{ .Values.service.port }}","--min-instances=1","--sticky-sessions","--start-timeout=180","--environment=production","--disable-security-update-check","--disable-anonymous-telemetry","--log-file=/dev/stdout","--pid-file=/tmp/passenger.pid","--app-start-command","R --no-save --slave -f /app/entrypoint.R --args $$PORT"]` |
+| defaultArgs.none | Default args when `appType` is `none` | `[]` |
+| image.repository | Image repository. | **required** |
+| image.tag | Image tag. Also pulled from `global.env.<env>.image.tag`. | **required** |
+| image.pullPolicy | imagePullPolicy.  **Forced to `Always` when image tag contains `:latest`**. | `"IfNotPresent"` |
+| mounts.home | webservice home mount that is mounted at same location inside pod | `""` |
+| mounts.roDir | Read-only directory volumes, `name=path`. | `{}` |
+| mounts.rwDir | Read-write directory volumes, `name=path`. | `{}` |
+| mounts.socket | Socket volumes, `name=path`. | `{}` |
+| mounts.roFile | Read-only file volumes, `name=path`. | `{}` |
+| nodeSelector | Additional nodeSelector that is added to existing role selection. | `{}` |
+| podResources | The pod resource limits | `{"limits":{"cpu":4,"memory":"4Gi"},"requests":{"cpu":1,"memory":"256Mi"}}` |
+| replicas | Number of replicas. Also pulled from `global.env.<env>.replicas` | 1 |
+| secrets | Secrets for this webservice, eg `{"name": "value"}` | `{}` |
+| envSecrets | Environment secrets for this webservice, eg `{"NAME": "value"}` | `{}` |
+| debugGroups | List of OSC groups that are authorized to perform debug actions like query pod logs. | `[]` |
+| maintenance.groups | Groups who can perform maintenance operations like deployment scaling. Also pulled from `global.env.<env>.maintenance.groups`. | `[]` |
+| alert.receiver | Prometheus alert receiver. Also pulled from `global.env.<env>.alert.receiver` | `nil` |
+| service.port | The port the webservice listens on | `3000` |
+| service.annotations | Service annotations | `{}` |
+| service.typeAnnotations.rshiny | Default Service annotations when `appType` is `rshiny` | `{"prometheus.io/probe_module":"http","prometheus.io/probe_scheme":"http"}` |
+| probes.type | Type of probes to use, eg `httpGet` or `tcpSocket` | `"httpGet"` |
+| probes.typeDefaults.rshiny | This overrides probes.type | `"tcpSocket"` |
+| startupProbe.httpGet | Config for httpGet startupProbe | `{"path":"/","port":"http"}` |
+| startupProbe.tcpSocket | Config for tcpSocket startupProbe | `{"port":"http"}` |
+| startupProbe.failureThreshold | startupProbe failureThreshold | `12` |
+| startupProbe.periodSeconds | startupProbe periodSeconds | `10` |
+| startupProbe.timeoutSeconds | startupProbe timeoutSeconds | `5` |
+| livenessProbe.httpGet | Config for httpGet livenessProbe | `{"path":"/","port":"http"}` |
+| livenessProbe.tcpSocket | Config for tcpSocket livenessProbe | `{"port":"http"}` |
+| livenessProbe.failureThreshold | livenessProbe failureThreshold | `6` |
+| livenessProbe.periodSeconds | livenessProbe periodSeconds | `10` |
+| livenessProbe.timeoutSeconds | livenessProbe timeoutSeconds | `5` |
+| readinessProbe.httpGet | Config for httpGet readinessProbe | `{"path":"/","port":"http"}` |
+| readinessProbe.tcpSocket | Config for tcpSocket readinessProbe | `{"port":"http"}` |
+| readinessProbe.failureThreshold | readinessProbe failureThreshold | `6` |
+| readinessProbe.periodSeconds | readinessProbe periodSeconds | `10` |
+| readinessProbe.timeoutSeconds | readinessProbe timeoutSeconds | `5` |
+| initContainers | webservice init containers | `{}` |
+| init.podResources | init container pod resource limits | `{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":"200m","memory":"256Mi"}}` |
+| ingress.host | ingress host, also pulled from `global.env.<env>.ingress.host` | `""` |
+| ingress.hostAlias | ingress host alias, also pulled from `global.env.<env>.ingress.hostAlias` | `""` |
+| ingress.annotations | ingress annotations | `{"kubernetes.io/ingress.class":"nginx","nginx.ingress.kubernetes.io/proxy-buffer-size":"8k"}` |
+| ingress.rShinyAnnotations | ingress annotations used when `appType` is `rshiny` | `{"nginx.ingress.kubernetes.io/proxy-read-timeout":"86400","nginx.ingress.kubernetes.io/proxy-send-timeout":"3600","nginx.ingress.kubernetes.io/server-snippets":"location / {\n  proxy_http_version 1.1;\n  proxy_set_header Upgrade $http_upgrade;\n  proxy_set_header Connection $connection_upgrade;\n  proxy_buffering off;\n }\n"}` |
+| auth.enable | Enable oauth proxy authentication with Keycloak | `true` |
+| auth.clientSecret | Keycloak client secret | **required** |
+| auth.cookieSecret | Oauth cookie secret | **required** |
+| auth.idpHost | The Keycloak IDP host, also pulled from `global.env.<env>.auth.idpHost` | `nil` |
+| auth.accessGroup | Restrict webservice access to this group. Also pulled from `global.env.<env>.auth.accessGroup` | `""` |
+| auth.allowGroups | Additional groups to allow access | `[]` |
+| auth.replicas | Number of auth replicas. Also pulled from `global.env.<env>.auth.replicas` | 1 |
+| data.enable | Enable use of persistent data volume | `false` |
+| data.storageSize | Persistent data volume size | `"10Gi"` |
+| data.path | Persistent data volume mount path | `"/data"` |
+| database.enable | Enable database subchart | `false` |
+| database.mariadb.enable | Enable MariaDB database | `false` |
+| database.mariadb.auth.rootPassword | The root user admin password | **required** |
+| database.mariadb.auth.database | The database name | **required** |
+| database.mariadb.auth.username | The database username | **required** |
+| database.mariadb.auth.password | The database password | **required** |
+| database.postgresql.enable | Enable PostgreSQL database | `false` |
+| database.postgresql.auth.postgresPassword | The postgres user admin password | **required** |
+| database.postgresql.auth.database | The database name | **required** |
+| database.postgresql.auth.username | The database username | **required** |
+| database.postgresql.auth.password | The database password | **required** |

charts/webservice/README.md.gotmpl

@@ -0,0 +1,27 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+## Usage
+
+
+{{ define "chart.valuesTable" -}}
+| Key | Description | Default |
+|-----|-------------|---------|
+{{- range .Values }}
+| {{ .Key }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} |
+{{- end }}
+{{- end -}}
+
+{{ template "chart.valuesSection" . }}

charts/webservice/ci/test-postgresql-values.yaml

@@ -0,0 +1,65 @@
+global:
+  oscServiceAccount: nobody
+  imagePullSecret:
+    password: IMAGE-PULL-PASSWORD
+  nodeSelectorRole: test
+  storageClass: standard
+maintenance:
+  groups:
+    - foo
+    - bar
+nodeSelector:
+  kubernetes.io/os: linux
+auth:
+  clientSecret: b8a873d4-e662-496c-ad43-26596eaff68c
+  cookieSecret: PwRlaBzY3aBtKvshJzlMpxyfAp6AZg7orRoKz3NtuJw=
+  oidcIssuerURL: http://keycloak.keycloak.svc.cluster.local/realms/master
+appType: none
+command: ['/http-echo']
+args:
+  - "-listen=:{{ .Values.service.port }}"
+  - "-text=Hello World"
+alert:
+  receiver: test
+debugGroups:
+  - foobar
+image:
+  repository: hashicorp/http-echo
+  tag: latest
+envSecrets:
+  TEST: secret
+ingress:
+  host: webservice.example.com
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+podResources:
+  limits:
+    cpu: 200m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+data:
+  enable: true
+  size: 50Mi
+database:
+  enable: true
+  postgresql:
+    enable: true
+    auth:
+      postgresPassword: secret
+      database: name
+      username: name
+      password: secret
+    primary:
+      persistence:
+        size: 50Mi
+      resources:
+        limits:
+          cpu: 500m
+          memory: 512Mi
+        requests:
+          cpu: 200m
+          memory: 256Mi

charts/webservice/ci/test-values.yaml

@@ -14,12 +14,11 @@ auth:
   clientSecret: b8a873d4-e662-496c-ad43-26596eaff68c
   cookieSecret: PwRlaBzY3aBtKvshJzlMpxyfAp6AZg7orRoKz3NtuJw=
   oidcIssuerURL: http://keycloak.keycloak.svc.cluster.local/realms/master
+appType: none
 command: ['/http-echo']
 args:
   - "-listen=:{{ .Values.service.port }}"
   - "-text=Hello World"
-defaultArgs:
-  type: none
 alert:
   receiver: test
 debugGroups:
@@ -46,20 +45,14 @@ data:
   enable: true
   size: 50Mi
 database:
+  enable: true
   mariadb:
     enable: true
-    primary:
-      persistence:
-        size: 50Mi
-      resources:
-        limits:
-          cpu: 500m
-          memory: 512Mi
-        requests:
-          cpu: 200m
-          memory: 256Mi
-  postgresql:
-    enable: true
+    auth:
+      rootPassword: secret
+      database: name
+      username: name
+      password: secret
     primary:
       persistence:
         size: 50Mi

charts/webservice/templates/_helpers.tpl

@@ -67,6 +67,7 @@ Selector labels
 {{- define "webservice.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/name: {{ include "webservice.name" . }}
+{{ include "osc.common.role" . }}
 {{- end }}
 
 {{/*
@@ -75,18 +76,55 @@ Auth Selector labels
 {{- define "webservice.auth.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/name: {{ printf "%s-auth" (include "webservice.name" .) }}
+{{ include "osc.common.role" . }}
 {{- end }}
 
 {{- define "webservice.auth.secretName" }}
 {{- printf "%s-auth" (include "webservice.name" .) }}
 {{- end }}
 
+{{- define "webservice.database.databaseName" -}}
+{{- if .Values.database.mariadb.enable -}}
+{{ required "Must provide database name" .Values.database.mariadb.auth.database }}
+{{- else if .Values.database.postgresql.enable -}}
+{{ required "Must provide database name" .Values.database.postgresql.auth.database }}
+{{- end -}}
+{{- end -}}
+
+{{- define "webservice.database.username" -}}
+{{- if .Values.database.mariadb.enable -}}
+{{ required "Must provide database username" .Values.database.mariadb.auth.username }}
+{{- else if .Values.database.postgresql.enable -}}
+{{ required "Must provide database username" .Values.database.postgresql.auth.username }}
+{{- end -}}
+{{- end -}}
+
+{{- define "webservice.database.password" -}}
+{{- if .Values.database.mariadb.enable -}}
+{{ required "Must provide database password" .Values.database.mariadb.auth.password }}
+{{- else if .Values.database.postgresql.enable -}}
+{{ required "Must provide database password" .Values.database.postgresql.auth.password }}
+{{- end -}}
+{{- end -}}
+
+{{- define "webservice.database.url" -}}
+{{- if .Values.database.mariadb.enable -}}
+{{- $mysqlProtocol := "mysql://" -}}
+{{- if eq .Values.appType "rails" -}}
+{{- $mysqlProtocol = "mysql2://" -}}
+{{- end -}}
+{{ printf "%s%s:%s@%s/%s" $mysqlProtocol (include "webservice.database.username" .) (include "webservice.database.password" .) (printf "%s-mariadb" (include "webservice.name" .)) (include "webservice.database.databaseName" .) }}
+{{- else if .Values.database.postgresql.enable -}}
+{{ printf "postgresql://%s:%s@%s/%s" (include "webservice.database.username" .) (include "webservice.database.password" .) (printf "%s-postgresql" (include "webservice.name" .)) (include "webservice.database.databaseName" .) }}
+{{- end -}}
+{{- end -}}
+
 {{- define "webservice.imageTag" }}
-{{- if .Values.image.tag }}
-{{- .Values.image.tag }}
-{{- else if .Values.global.env }}
-{{- index .Values.global.env (include "osc.common.environment" .) "image" "tag" }}
+{{- $tag := .Values.image.tag }}
+{{- if .Values.global.env }}
+{{- $tag = index .Values.global.env (include "osc.common.environment" .) "image" "tag" }}
 {{- end }}
+{{- required "Must provide image tag" $tag }}
 {{- end }}
 
 {{- define "webservice.replicas" }}