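--- a/charts/cryosparc/.helmignore
+++ b/charts/cryosparc/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/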
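--- a/charts/cryosparc/Chart.yaml
+++ b/charts/cryosparc/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: cryosparc
+description: OSC CryoSPARC bootstrap Helm Chart
+type: application
+version: 0.0.1
+appVersion: "0.1.0"
+maintainers:
+- name: zyou
+dependencies:
+- name: osc-common
+version: 0.7.0
+repository: https://osc.github.io/osc-helm-charts/
+# repository: file://../common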
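Review bot: The chart lint workflow reports `2:16 [trailing-spaces] trailing spaces` on this file, i.e. on `name: cryosparc`; stripping the trailing whitespace from that line clears the failing check. The commented-out `# repository: file://../common` under the `osc-common` dependency reads as a leftover local-development toggle; if it is meant to stay, a comment such as `# Local development: point the dependency at the sibling checkout with file://../common` would say so, otherwise it should be dropped. The `maintainers` entry carries only `name`; Chart.yaml v2 also supports an `email` field if a contact address is wanted.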
32 changes: 32 additions & 0 deletions charts/cryosparc/ci/test-values.yaml
@@ -0,0 +1,32 @@
global:
oscServiceAccount: cryosciapps
imagePullSecret:
password: IMAGE-PULL-PASSWORD
nodeSelectorRole: test
storageClass: standard
maintenance:
groups:
- foo
- bar
nodeSelector:
kubernetes.io/os: linux
auth:
clientSecret: b8a873d4-e662-496c-ad43-26596eaff68c
cookieSecret: PwRlaBzY3aBtKvshJzlMpxyfAp6AZg7orRoKz3NtuJw=
oidcIssuerURL: http://keycloak.keycloak.svc.cluster.local/realms/master
alert:
receiver: test
debugGroups:
- foobar
image:
tag: latest
ingress:
host: cryosciapps.osc.edu
It would be good to add hostAlias here too for testing. Though I'd recommend not using OSC addresses; they don't need to be real, as this CI folder is for automated tests that don't need to be accessible.

For testing locally you could do -f <path to this file> --set ingress.host=<osc address>

podSecurityContext:
runAsUser: 48527
runAsGroup: 5511
fsGroup: 5511
service:
basePort: 31010
license: xxx-xxx-xxx
project: PAS0710
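Review bot: `auth.clientSecret` and `auth.cookieSecret` are the only values in this file shaped like real credentials — a UUID-style client secret and what looks like a base64-encoded 32-byte cookie secret — while `imagePullSecret.password`, `license` and the rest use obviously fake placeholders. Even if both were generated only for CI, the format makes them indistinguishable from a leaked value in git history and will trip secret scanners; placeholders in the same spirit as the others, e.g. `clientSecret: CLIENT-SECRET-PLACEHOLDER` and `cookieSecret: COOKIE-SECRET-PLACEHOLDER`, keep the fixture self-evidently non-sensitive. If anything in the chart validates the cookie secret length at render time, pick a placeholder of the required size rather than a realistic-looking one.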
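--- a/charts/cryosparc/templates/_helpers.tpl
+++ b/charts/cryosparc/templates/_helpers.tpl
@@ -0,0 +1,182 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cryosparc.name" -}}
+{{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Auth resource name
+*/}}
+{{- define "cryosparc.auth.name" -}}
+{{- printf "%s-auth" (include "cryosparc.name" .) }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cryosparc.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cryosparc.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cryosparc.labels" -}}
+helm.sh/chart: {{ include "cryosparc.chart" . }}
+{{ include "cryosparc.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Auth labels
+*/}}
+{{- define "cryosparc.auth.labels" -}}
+helm.sh/chart: {{ include "cryosparc.chart" . }}
+{{ include "cryosparc.auth.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cryosparc.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/name: {{ include "cryosparc.name" . }}
+{{- end }}
+
+{{/*
+Auth Selector labels
+*/}}
+{{- define "cryosparc.auth.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/name: {{ printf "%s-auth" (include "cryosparc.name" .) }}
+{{- end }}
+
+{{- define "cryosparc.auth.secretName" }}
+{{- printf "%s-auth" (include "cryosparc.name" .) }}
+{{- end }}
+
+{{- define "cryosparc.imageTag" }}
+{{- if .Values.image.tag }}
+{{- .Values.image.tag }}
+{{- else if .Values.global.env }}
+{{- index .Values.global.env (include "osc.common.environment" .) "image" "tag" }}
+{{- end }}
+{{- end }}
+
+{{- define "cryosparc.replicas" }}
+{{- if .Values.replicas }}
+{{- .Values.replicas }}
+{{- else if .Values.global.env }}
+{{- if (index .Values.global.env (include "osc.common.environment" .) "replicas") }}
+{{- index .Values.global.env (include "osc.common.environment" .) "replicas" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "cryosparc.auth.replicas" }}
+{{- if .Values.auth.replicas }}
+{{- .Values.auth.replicas }}
+{{- else if .Values.global.env }}
+{{- if (index .Values.global.env (include "osc.common.environment" .) "auth") }}
+{{- index .Values.global.env (include "osc.common.environment" .) "auth" "replicas" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "cryosparc.idpHost" }}
+{{- if .Values.auth.idpHost }}
+{{- .Values.auth.idpHost }}
+{{- else if .Values.global.env }}
+{{- if (index .Values.global.env (include "osc.common.environment" .) "auth") }}
+{{- index .Values.global.env (include "osc.common.environment" .) "auth" "idpHost" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "cryosparc.accessGroup" }}
+{{- if .Values.auth.accessGroup }}
+{{- .Values.auth.accessGroup }}
+{{- else if .Values.global.env }}
+{{- if (index .Values.global.env (include "osc.common.environment" .) "auth") }}
+{{- index .Values.global.env (include "osc.common.environment" .) "auth" "accessGroup" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "cryosparc.ingressHost" }}
+{{- if .Values.ingress.host }}
+{{- .Values.ingress.host }}
+{{- else if and .Values.global.env }}
+{{- if and (index .Values.global.env (include "osc.common.environment" .)) }}
+{{- if (index .Values.global.env (include "osc.common.environment" .) "ingress") }}
+{{- index .Values.global.env (include "osc.common.environment" .) "ingress" "host" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "cryosparc.ingressHostAlias" }}
+{{- if .Values.ingress.hostAlias }}
+{{- .Values.ingress.hostAlias }}
+{{- else if and .Values.global.env }}
+{{- if and (index .Values.global.env (include "osc.common.environment" .)) }}
+{{- if (index .Values.global.env (include "osc.common.environment" .) "ingress") }}
+{{- index .Values.global.env (include "osc.common.environment" .) "ingress" "hostAlias" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "cryosparc.data.name" }}
+{{- printf "%s-data" (include "cryosparc.name" .) }}
+{{- end }}
+
+{{- define "cryosparc.alert.receiver" }}
+{{- if .Values.alert.receiver }}
+{{- .Values.alert.receiver }}
+{{- else if and .Values.global.env }}
+{{- if and (index .Values.global.env (include "osc.common.environment" .)) }}
+{{- if (index .Values.global.env (include "osc.common.environment" .) "alert") }}
+{{- index .Values.global.env (include "osc.common.environment" .) "alert" "receiver" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "cryosparc.maintenance.groups" }}
+{{- if and .Values.maintenance .Values.maintenance.groups }}
+{{- .Values.maintenance.groups | toJson | nindent 0 }}
+{{- else if .Values.global.env }}
+{{- if and (index .Values.global.env (include "osc.common.environment" .)) }}
+{{- if (index .Values.global.env (include "osc.common.environment" .) "maintenance") }}
+{{- index .Values.global.env (include "osc.common.environment" .) "maintenance" "groups" | toJson | nindent 0 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}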
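Review bot: `cryosparc.imageTag`, `cryosparc.replicas`, `cryosparc.auth.replicas`, `cryosparc.idpHost` and `cryosparc.accessGroup` index `.Values.global.env` by the current environment without first checking that the environment entry exists, whereas `cryosparc.ingressHost` and the helpers after it guard that with `if and (index .Values.global.env (include "osc.common.environment" .))`. In Go text/template, `index` on a nil intermediate value (an environment absent from `global.env`, or one without an `image` or `auth` key) aborts the render with an index error, so a release for an environment not listed in `global.env` fails in `cryosparc.imageTag` instead of falling through to an empty value like the guarded helpers do. Wrapping those lookups in the same existence check, e.g. `{{- if and (index .Values.global.env (include "osc.common.environment" .)) (index .Values.global.env (include "osc.common.environment" .) "image") }}` before the `"image" "tag"` lookup, makes all the helpers behave alike. Separately, `and` with a single operand (`else if and .Values.global.env`, `if and (index ...)`) returns that operand unchanged and can be written as a plain `if`.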
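--- a/charts/cryosparc/templates/auth-deployment.yaml
+++ b/charts/cryosparc/templates/auth-deployment.yaml
@@ -0,0 +1,121 @@
+{{ if .Values.auth.enable }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "cryosparc.auth.name" . }}
+labels:
+{{ include "osc.common.serviceAccount" . }}
+{{- include "cryosparc.auth.labels" . | nindent 4 }}
+{{- if (include "cryosparc.alert.receiver" .) }}
+receiver: {{ include "cryosparc.alert.receiver" . }}
+{{- end }}
+spec:
+selector:
+matchLabels:
+{{- include "cryosparc.auth.selectorLabels" . | nindent 6 }}
+replicas: {{ include "cryosparc.auth.replicas" . | default 1 }}
+strategy:
+rollingUpdate:
+maxSurge: 1
+maxUnavailable: 40%
+type: RollingUpdate
+template:
+metadata:
+labels:
+{{ include "osc.common.serviceAccount" . }}
+{{- include "cryosparc.auth.selectorLabels" . | nindent 8 }}
+{{- if (include "cryosparc.alert.receiver" .) }}
+receiver: {{ include "cryosparc.alert.receiver" . }}
+{{- end }}
+spec:
+serviceAccountName: {{ include "cryosparc.name" . }}
+securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+hostNetwork: false
+hostIPC: false
+hostPID: false
+containers:
+- name: {{ include "cryosparc.auth.name" . }}
+image: "{{ .Values.auth.image.repository }}:{{ .Values.auth.image.tag }}"
+imagePullPolicy: {{ .Values.auth.image.pullPolicy }}
+env:
+- name: OAUTH2_PROXY_CLIENT_SECRET
+valueFrom:
+secretKeyRef:
+name: {{ include "cryosparc.auth.secretName" . }}
+key: client-secret
+- name: OAUTH2_PROXY_COOKIE_SECRET
+valueFrom:
+secretKeyRef:
+name: {{ include "cryosparc.auth.secretName" . }}
+key: cookie-secret
+- name: IDP_HOST
+value: {{ include "cryosparc.idpHost" . }}
+args:
+- --provider=oidc
+- --http-address=0.0.0.0:{{ .Values.auth.service.port }}
+- --reverse-proxy=true
+- --oidc-issuer-url={{ .Values.auth.oidcIssuerURL }}
+- --client-id={{ tpl .Values.auth.clientID . }}
+- --cookie-httponly=false
+- --cookie-secure=true
+- --cookie-samesite=none
+- --cookie-refresh=180s
+- --cookie-name={{ tpl .Values.auth.cookieName . }}
+- --email-domain=*
+- --insecure-oidc-allow-unverified-email=true
+- --skip-provider-button
+- --silence-ping-logging
+{{- $root := . }}
+{{- range $idx, $container := .Values.containers }}
+{{- $path := "" }}
+{{- if ne $container.ingressPath "/" }}
+{{- $path = $container.ingressPath }}
+{{- end }}
+- --upstream=http://{{ include "cryosparc.name" $root }}.{{ $root.Release.Namespace }}.svc.cluster.local:{{ $container.port | default (add $root.Values.service.port $idx) }}{{ $path }}
+{{- end }}
+- --metrics-address=:{{ .Values.auth.metricsService.port }}
+{{- if (include "cryosparc.idpHost" .) }}
+- --whitelist-domain=$(IDP_HOST)
+{{- end }}
+{{- if (include "cryosparc.accessGroup" .) }}
+- --allowed-group={{ include "cryosparc.accessGroup" . }}
+{{- end }}
+{{- range .Values.auth.allowGroups }}
+- --allowed-group={{ tpl . $ }}
+{{- end }}
+{{- if .Values.auth.skipAuthRoute }}
+- --skip-auth-route="{{ .Values.auth.skipAuthRoute }}"
+{{- end }}
+ports:
+- containerPort: {{ .Values.auth.service.port }}
+name: http
+- containerPort: {{ .Values.auth.metricsService.port }}
+name: metrics
+livenessProbe:
+httpGet:
+path: /ping
+port: http
+initialDelaySeconds: 5
+periodSeconds: 30
+readinessProbe:
+httpGet:
+path: /ping
+port: http
+initialDelaySeconds: 10
+periodSeconds: 30
+resources: {{ toYaml .Values.auth.podResources | nindent 10 }}
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+seccompProfile:
+type: RuntimeDefault
+privileged: false
+readOnlyRootFilesystem: true
+nodeSelector:
+{{ include "osc.common.nodeSelectorRole" . }}
+{{- with .Values.nodeSelector }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{ end }}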
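Review bot: With `--email-domain=*` and `--insecure-oidc-allow-unverified-email=true` in the `args` list, the only authorization check left to the proxy is `--allowed-group`, and both of its sources are conditional — `cryosparc.accessGroup` may resolve to empty and `.Values.auth.allowGroups` may be unset — so a release with neither configured admits every account the IdP will authenticate to the upstream. A render-time guard ahead of the args, `{{- if not (or (include "cryosparc.accessGroup" .) .Values.auth.allowGroups) }}{{ fail "auth.accessGroup or auth.allowGroups must be set to restrict access" }}{{- end }}`, turns that misconfiguration into an install error instead of an open deployment. `- --skip-auth-route="{{ .Values.auth.skipAuthRoute }}"` is a plain YAML scalar, so the double quotes are passed literally to the process and become part of the route regex; `- {{ printf "--skip-auth-route=%s" .Values.auth.skipAuthRoute | quote }}` yields a properly quoted scalar whose value is the bare flag. `--cookie-httponly=false` exposes the session cookie to browser scripts; unless the frontend actually reads it, set it to `true`, and if it must stay off a comment above the line recording the reason (e.g. `# httponly is disabled because <reason>`) would keep the next reader from "fixing" it.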
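--- a/charts/cryosparc/templates/auth-networkpolicy.yaml
+++ b/charts/cryosparc/templates/auth-networkpolicy.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.auth.enable }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+name: {{ include "cryosparc.auth.name" . }}
+labels:
+{{- include "cryosparc.auth.labels" . | nindent 4 }}
+spec:
+podSelector:
+matchLabels:
+{{- include "cryosparc.auth.selectorLabels" . | nindent 6 }}
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+app.kubernetes.io/name: {{ .Values.ingressName }}
+- namespaceSelector:
+matchLabels:
+app.kubernetes.io/name: {{ .Values.prometheusName }}
+{{ end }}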
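Review bot: The single ingress rule admits traffic from every pod in the `ingressName` and `prometheusName` namespaces on every port, while the auth pod only listens on `.Values.auth.service.port` and `.Values.auth.metricsService.port` (the two `containerPort`s declared in auth-deployment.yaml); splitting the rule per peer with a `ports:` clause limits the ingress namespace to the proxy port and the Prometheus namespace to the metrics port. The label values `{{ .Values.ingressName }}` and `{{ .Values.prometheusName }}` are interpolated unquoted, so an unset value renders as a null label value (which API validation should reject) and a value such as `on` would be retyped by YAML; `| quote` on both avoids either surprise. Both points are within the `spec.ingress` block shown below.

```yaml
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              app.kubernetes.io/name: {{ .Values.ingressName | quote }}
      ports:
        - port: {{ .Values.auth.service.port }}
    - from:
        - namespaceSelector:
            matchLabels:
              app.kubernetes.io/name: {{ .Values.prometheusName | quote }}
      ports:
        - port: {{ .Values.auth.metricsService.port }}
```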