Merge pull request #5726 from lsst-sqre/tickets/OSW-1509

OSW-1509: Inject AWS credentials to nightlydigest-backend.

Author: sebastian-aranda

applications/nightlydigest/charts/nightlydigest-backend/templates/deployment.yaml

@@ -20,6 +20,10 @@ spec:
     spec:
       imagePullSecrets:
         - name: "pull-secret"
+      securityContext:
+        runAsUser: 73006
+        runAsGroup: 73006
+        fsGroup: 73006
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -53,6 +57,9 @@ spec:
             {{- end }}
           {{- if .Values.pvcMountpoints}}
           volumeMounts:
+          - name: nightlydigest-backend-secrets
+            mountPath: "/etc/secrets"
+            readOnly: true
           {{- range $vol := .Values.pvcMountpoints }}
           - name: {{ $vol.name }}
             readOnly: {{ $vol.mount.readOnly | default true }}
@@ -64,6 +71,10 @@ spec:
           {{- end }}
       {{- if .Values.pvcMountpoints}}
       volumes:
+      - name: nightlydigest-backend-secrets
+        secret:
+          secretName: nightlydigest
+          defaultMode: 0400
       {{- range $vol := .Values.pvcMountpoints }}
       - name: {{ $vol.name | quote }}
         persistentVolumeClaim:

applications/nightlydigest/charts/nightlydigest-nginx/templates/deployment.yaml

@@ -23,7 +23,8 @@ spec:
         imagePullPolicy: {{ .Values.initContainers.frontend.image.pullPolicy }}
         command: ["/bin/sh", "-c", "mkdir -p /usr/src/nightlydigest; cp -Rv /usr/src/app/dist/* /usr/src/nightlydigest/"]
         volumeMounts:
-          - mountPath: /usr/src
+          - mountPath: /usr/src/nightlydigest
+            subPath: {{ .Values.staticStore.subPath }}
             name: {{ .Values.staticStore.name }}
       containers:
       - name: {{ include "nightlydigest-nginx.name" . }}
@@ -35,7 +36,8 @@ spec:
           - mountPath: /etc/nginx/conf.d
             readOnly: true
             name: nginx-conf
-          - mountPath: /usr/src
+          - mountPath: /usr/src/nightlydigest
+            subPath: {{ .Values.staticStore.subPath }}
             name: {{ .Values.staticStore.name }}
         {{- with $.Values.resources }}
         resources:

applications/nightlydigest/secrets.yaml

@@ -1,2 +1,9 @@
 jira-api-token:
   description: "Jira REST API token."
+aws-credentials-butler.ini:
+  description: >-
+    S3 butler credentials to the Butler data store, formatted using
+    AWS syntax for use with boto.
+  copy:
+    application: nublado
+    key: "aws-credentials.ini"

applications/nightlydigest/values-base.yaml

@@ -18,6 +18,7 @@ nightlydigest-nginx:
     storageClass: rook-ceph-block
     accessMode: ReadWriteOnce
     claimSize: 2Gi
+    subPath: nightlydigest
   resources:
     requests:
       cpu: 50m

applications/nightlydigest/values-usdfdev.yaml

@@ -18,6 +18,7 @@ nightlydigest-nginx:
     storageClass: sdf-data-rubin
     accessMode: ReadWriteMany
     claimSize: 1Gi
+    subPath: nightlydigest-dev
   resources:
     requests:
       cpu: 50m
@@ -60,6 +61,12 @@ nightlydigest-backend:
       value: https://usdf-rsp-dev.slac.stanford.edu
     - name: RUBIN_SIM_DATA_DIR
       value: &rsd /sdf/data/rubin/shared/rubin_sim_data
+    - name: AWS_SHARED_CREDENTIALS_FILE
+      value: /etc/secrets/aws-credentials-butler.ini
+    - name: S3_ENDPOINT_URL
+      value: https://s3dfrgw.slac.stanford.edu
+    - name: LSST_DISABLE_BUCKET_VALIDATION
+      value: "1"
   envSecrets:
     - name: JIRA_API_TOKEN
       secretName: nightlydigest

applications/nightlydigest/values-usdfprod.yaml

@@ -18,6 +18,7 @@ nightlydigest-nginx:
     storageClass: sdf-data-rubin
     accessMode: ReadWriteMany
     claimSize: 1Gi
+    subPath: nightlydigest-prod
   resources:
     requests:
       cpu: 50m