add clf-vepac tools to materials-galaxy

alter chart to allow reading galaxy tool from private repo.

Uses a github deploy key to setup connection

Needs testing - hence creating an alpha chart

Author: anish-mudaraddi

charts/materials-galaxy/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: materials-galaxy
-version: 1.0.0
+version: 1.1.0
 dependencies:
 # https://github.com/galaxyproject/galaxy-helm
   - repository: https://raw.githubusercontent.com/CloudVE/helm-charts/master/

charts/materials-galaxy/README.md

@@ -82,7 +82,42 @@ Then edit `galaxy.configs.tool_conf.xml` to make it available to users - add a x
  ```xml
  <tool file="{{.Values.persistence.mountPath}}/my-tools/my-tool-1/my-tool-1.xml>
 ``` 
-where `file` is a filepath to the galaxy tool config you want to make available
+where `file` is a filepath to the galaxy tool config you want to make available 
+
+### Private repos
+
+To deploy tools from a private repo - you need to create a git deploy key for that repo so that we can access it
+more about deploy keys here - https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys
+Deploy keys are useful as they only grant access to a single repository, limiting attack vectors, additionally, we can set them to be read-only which is recommended for this use-case.
+
+Once you create a deploy key, you need to add it to the secrets file under - be careful not to publish this as plaintext
+```
+gitRepos:
+  - name: repo-name
+    deployKey: |-
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    ... private key content for repo1 ...
+    -----END OPENSSH PRIVATE KEY-----
+```
+
+then you'll need to create a container image to install from private repo like so:
+```
+- name: repo-name-tools
+  applyToJob: false
+  applyToWeb: true
+  applyToWorkflow: false
+  image: "alpine/git:latest"
+  env:
+  - name: SSH_PRIVATE_KEY
+    valueFrom:
+      secretKeyRef:
+        name: git-deploy-keys
+        key: repo-name
+  command: ['sh', '-c', 'mkdir -p /root/.ssh && echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa && ssh-keyscan github.com >> /root/.ssh/known_hosts && git clone [email protected]:my-org/my-repo.git --depth 1 --branch main {{.Values.persistence.mountPath}}/my-repo-tools || true']
+  volumeMounts:
+    - name: galaxy-data
+      mountPath: "{{.Values.persistence.mountPath}}"
+```
 
 ## Configuring main page
 

charts/materials-galaxy/secret-values.yaml.template

@@ -33,4 +33,10 @@ galaxy:
         # comma spaced list of admin emails
         admin_users: "[email protected],[email protected]"
 
-
+  # any git repo deploy keys - to access private repos
+  gitRepos:
+    - name: first-repo
+      deployKey: |-
+        -----BEGIN OPENSSH PRIVATE KEY-----
+        ... private key content for repo1 ...
+        -----END OPENSSH PRIVATE KEY-----

charts/materials-galaxy/templates/repo-deploy-keys-secret,yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-deploy-keys
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  {{- range $index, $repo := .Values.repos }}
+  {{ $repo.name }}-key: {{ $repo.deployKey | b64enc }}
+  {{- end }}

charts/materials-galaxy/values.yaml

@@ -41,7 +41,22 @@ galaxy:
       volumeMounts:
         - name: galaxy-data
           mountPath: "{{.Values.persistence.mountPath}}"
-
+    - name: clf-vepac-tools
+      applyToJob: false
+      applyToWeb: true
+      applyToWorkflow: false
+      image: "alpine/git:latest"
+      env:
+      - name: SSH_PRIVATE_KEY
+        valueFrom:
+          secretKeyRef:
+            name: git-deploy-keys
+            key: clf-vepac-key
+      command: ['sh', '-c', 'mkdir -p /root/.ssh && echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa && ssh-keyscan github.com >> /root/.ssh/known_hosts && git clone [email protected]:CLF-vEPAC/Galaxy-tools.git --depth 1 --branch main {{.Values.persistence.mountPath}}/clf-vepac-tools || true']
+      volumeMounts:
+        - name: galaxy-data
+          mountPath: "{{.Values.persistence.mountPath}}"
+  
   ingress:
     # used in galaxy configuration
     path: "/"
@@ -123,6 +138,8 @@ galaxy:
         </section>
         <section id="muon_other" name="Other Muon Tools">
         </section>
+        <section id="clf_vpac" name="CLF vEPAC Tools">
+        </section>
         <label id="xas_label" text="xas" />
         <label id="other_tools" text="Other Tools" />
         <section id="file_conversion" name="File Conversion">
@@ -154,6 +171,10 @@ galaxy:
           <tool file="{{.Values.persistence.mountPath}}/muon-galaxy-tools/pm_asephonons/pm_asephonons.xml"/>
           <tool file="{{.Values.persistence.mountPath}}/muon-galaxy-tools/pm_nq/pm_nq.xml"/>
         </section>
+        <section id="clf_vepac" name="CLF vEPAC Tools">
+          <tool file="{{.Values.persistence.mountPath}}/clf-vepac-tools/geant4-plot/geant4_plot.xml"/>
+          <tool file="{{.Values.persistence.mountPath}}/clf-vepac-tools/geant4-sim/geant4_particles.xml"/>
+        </section>
         <label id="xas_label" text="xas" />
         <tool file="{{.Values.persistence.mountPath}}/larch-tools/larch_select_paths/larch_select_paths.xml" />
         <tool file="{{.Values.persistence.mountPath}}/larch-tools/larch_plot/larch_plot.xml" />

charts/stfc-cloud-openstack-cluster/README.md

@@ -25,7 +25,7 @@ This will create a `/tmp/capi/secret-values.yaml` file with your cluster secrets
 
 ```bash
 export CLUSTER_NAME="demo-cluster"  # or your cluster name
-helm upgrade $CLUSTER_NAME cloud-charts/stfc-cloud-openstack-cluster --install -f values.yaml -f user-values.yaml -f flavors.yaml -f /tmp/capi/secret-values -n clusters 
+helm upgrade $CLUSTER_NAME cloud-charts/stfc-cloud-openstack-cluster --install -f values.yaml -f nodes.yaml -f addons.yaml -f /tmp/capi/secret-values -n clusters 
 ```
 5. Perform move to self-managed cluster 
 

charts/stfc-cloud-openstack-cluster/user-values.yaml renamed to charts/stfc-cloud-openstack-cluster/addons.yaml

@@ -1,25 +1,25 @@
-
 openstack-cluster:
   # List of comma separated additional packages to install on cluster nodes
   additionalPackages: []
-
-  controlPlane:
-    # The number of control plane machines to deploy
-    # For high-availability, this should be greater than 1
-    # For etcd quorum, it should be odd - usually 3, or 5 for very large clusters
-    machineCount: 5
-    # The flavor to use for control plane machines
-    machineFlavor: l3.nano
-
-    # defaults cause OutofSync issues in argocd
-    remediationStrategy:
-      retryPeriod: 20m0s
-      minHealthyPeriod: 1h0m0s
-
+  
   addons:
     # Monitoring sets up kube-prometheus-stack and loki-stack.
+    # For configuration values 
     monitoring:
       enabled: false
+      
+      loki-stack:
+        enabled: false
+        release:
+          values:
+            # for values see - https://github.com/grafana/helm-charts/tree/main/charts/loki-stack
+      
+      kubePrometheusStack:
+        enabled: false
+        release:
+           values:
+            # for values see - https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
+
 
     # Ingress is preferred, as it allows you to use DNS to locate multiple
     # services behind a single FIP, and makes TLS trivial

charts/stfc-cloud-openstack-cluster/flavors.yaml

@@ -0,0 +1,31 @@
+openstack-cluster:
+  # The control plane for the cluster
+  controlPlane:
+    # The number of control plane machines to deploy
+    # For high-availability, this should be greater than 1
+    # For etcd quorum, it should be odd - usually 3, or 5 for very large clusters
+    machineCount: 5
+    # The flavor to use for control plane machines
+    machineFlavor: l3.nano
+
+    # for configuration values see here 
+    # https://github.com/azimuth-cloud/capi-helm-charts/blob/main/charts/openstack-cluster/values.yaml#L217
+
+  # The worker node groups for the cluster
+  nodeGroups:
+    # This group uses details found in nodeGroupDefault below
+    # and is enabled by default
+    - name: default-md-0
+      # The number of machines in the node group if autoscale is false
+      machineCount: 2
+
+    # The following node groups are optional and can be enabled by uncommenting them
+    # For values you can configure separately for each set of nodegroups can be seen here
+    # https://github.com/azimuth-cloud/capi-helm-charts/blob/main/charts/openstack-cluster/values.yaml#L357
+  
+    # - name: md-l3-small
+    #   machineFlavor: l3.small
+    #   machineCount: 1
+    # - name: md-rtx4000
+    #   machineFlavor: g-rtx4000.x1
+    #   machineCount: 1

charts/stfc-cloud-openstack-cluster/nodes.yaml

@@ -134,6 +134,14 @@ openstack-cluster:
   # The name of the cloud to use from the specified clouds.yaml
   cloudName: openstack
 
+  # The Kubernetes version of the cluster
+  # This should match the version of kubelet and kubeadm in the image
+  # and will be automatically updated by us
+  # we aim to keep n-1 of latest K8s version
+  kubernetesVersion: "1.31.4"
+  # The name of the image to use for cluster machines
+  machineImage: "capi-ubuntu-2204-kube-v1.31.4-2025-01-24"
+
   # Values for the Kubernetes cluster network
   kubeNetwork:
     # By default, use the private network range 10.0.0.0/12 for the cluster network
@@ -164,6 +172,46 @@ openstack-cluster:
     # The port to use for the API server
     port: 6443
 
+  # Defaults for node groups
+  nodeGroupDefaults:
+    # Indicates if the node group should be autoscaled
+    autoscale: false
+    # The flavor to use for machines in the node group
+    machineFlavor: l3.micro
+
+    rolloutStrategy:
+      type: RollingUpdate
+      rollingUpdate:
+        # The maximum number of node group machines that can be unavailable during the update
+        # Can be an absolute number or a percentage of the desired count
+        maxUnavailable: 0
+        # The maximum number of machines that can be scheduled above the desired count for
+        # the group during an update
+        # Can be an absolute number or a percentage of the desired count
+        maxSurge: 1
+        # One of Random, Newest, Oldest
+        deletePolicy: Random
+
+    healthCheck:
+      # Indicates if the machine health check should be enabled
+      enabled: true
+      # The spec for the health check
+      spec:
+        # By default, 20% unhealthy worker nodes remediated at a time
+        # https://cluster-api.sigs.k8s.io/tasks/automated-machine-management/healthchecking#max-unhealthy
+        maxUnhealthy: 20%
+        # If a node takes longer than 10 mins to startup, remediate it
+        nodeStartupTimeout: 10m0s
+        # By default, consider a worker node that has not been Ready for
+        # more than 5 mins unhealthy
+        unhealthyConditions:
+          - type: Ready
+            status: Unknown
+            timeout: 10m0s
+          - type: Ready
+            status: "False"
+            timeout: 10m0s
+
   addons:
     # Enable monitoring by default, this deploys
     # https://github.com/stackhpc/capi-helm-charts/blob/main/charts/cluster-addons/README.md#monitoring-and-logging