stfc · anish-mudaraddi · Feb 26, 2025
diff --git a/charts/materials-galaxy/Chart.yaml b/charts/materials-galaxy/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: materials-galaxy
-version: 1.0.0
+version: 1.1.0
 dependencies:
 # https://github.com/galaxyproject/galaxy-helm
   - repository: https://raw.githubusercontent.com/CloudVE/helm-charts/master/

diff --git a/charts/materials-galaxy/README.md b/charts/materials-galaxy/README.md
@@ -82,7 +82,42 @@ Then edit `galaxy.configs.tool_conf.xml` to make it available to users - add a x
  ```xml
  <tool file="{{.Values.persistence.mountPath}}/my-tools/my-tool-1/my-tool-1.xml>
 ``` 
-where `file` is a filepath to the galaxy tool config you want to make available
+where `file` is a filepath to the galaxy tool config you want to make available 
+
+### Private repos
+
+To deploy tools from a private repo - you need to create a git deploy key for that repo so that we can access it
+more about deploy keys here - https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys
+Deploy keys are useful as they only grant access to a single repository, limiting attack vectors, additionally, we can set them to be read-only which is recommended for this use-case.
+
+Once you create a deploy key, you need to add it to the secrets file under - be careful not to publish this as plaintext
+```
+gitRepos:
+  - name: repo-name
+    deployKey: |-
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    ... private key content for repo1 ...
+    -----END OPENSSH PRIVATE KEY-----
+```
+
+then you'll need to create a container image to install from private repo like so:
+```
+- name: repo-name-tools
+  applyToJob: false
+  applyToWeb: true
+  applyToWorkflow: false
+  image: "alpine/git:latest"
+  env:
+  - name: SSH_PRIVATE_KEY
+    valueFrom:
+      secretKeyRef:
+        name: git-deploy-keys
+        key: repo-name
+  command: ['sh', '-c', 'mkdir -p /root/.ssh && echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa && ssh-keyscan github.com >> /root/.ssh/known_hosts && git clone [email protected]:my-org/my-repo.git --depth 1 --branch main {{.Values.persistence.mountPath}}/my-repo-tools || true']
+  volumeMounts:
+    - name: galaxy-data
+      mountPath: "{{.Values.persistence.mountPath}}"
+```
 
 ## Configuring main page
 

diff --git a/charts/materials-galaxy/secret-values.yaml.template b/charts/materials-galaxy/secret-values.yaml.template
@@ -33,4 +33,10 @@ galaxy:
         # comma spaced list of admin emails
         admin_users: "[email protected],[email protected]"
 
-
+  # any git repo deploy keys - to access private repos
+  gitRepos:
+    - name: first-repo
+      deployKey: |-
+        -----BEGIN OPENSSH PRIVATE KEY-----
+        ... private key content for repo1 ...
+        -----END OPENSSH PRIVATE KEY-----
diff --git a/charts/materials-galaxy/templates/repo-deploy-keys-secret.yaml b/charts/materials-galaxy/templates/repo-deploy-keys-secret.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-deploy-keys
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  {{- range $index, $repo := .Values.repos }}
+  {{ $repo.name }}-key: {{ $repo.deployKey | b64enc }}
+  {{- end }}
diff --git a/charts/materials-galaxy/values.yaml b/charts/materials-galaxy/values.yaml
@@ -41,7 +41,22 @@ galaxy:
       volumeMounts:
         - name: galaxy-data
           mountPath: "{{.Values.persistence.mountPath}}"
-
+    - name: clf-vepac-tools
+      applyToJob: false
+      applyToWeb: true
+      applyToWorkflow: false
+      image: "alpine/git:latest"
+      env:
+      - name: SSH_PRIVATE_KEY
+        valueFrom:
+          secretKeyRef:
+            name: git-deploy-keys
+            key: clf-vepac-key
+      command: ['sh', '-c', 'mkdir -p /root/.ssh && echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa && ssh-keyscan github.com >> /root/.ssh/known_hosts && git clone [email protected]:CLF-vEPAC/Galaxy-tools.git --depth 1 --branch main {{.Values.persistence.mountPath}}/clf-vepac-tools || true']
+      volumeMounts:
+        - name: galaxy-data
+          mountPath: "{{.Values.persistence.mountPath}}"
+
   ingress:
     # used in galaxy configuration
     path: "/"
@@ -123,6 +138,8 @@ galaxy:
         </section>
         <section id="muon_other" name="Other Muon Tools">
         </section>
+        <section id="clf_vpac" name="CLF vEPAC Tools">
+        </section>
         <label id="xas_label" text="xas" />
         <label id="other_tools" text="Other Tools" />
         <section id="file_conversion" name="File Conversion">
@@ -154,6 +171,10 @@ galaxy:
           <tool file="{{.Values.persistence.mountPath}}/muon-galaxy-tools/pm_asephonons/pm_asephonons.xml"/>
           <tool file="{{.Values.persistence.mountPath}}/muon-galaxy-tools/pm_nq/pm_nq.xml"/>
         </section>
+        <section id="clf_vepac" name="CLF vEPAC Tools">
+          <tool file="{{.Values.persistence.mountPath}}/clf-vepac-tools/geant4-plot/geant4_plot.xml"/>
+          <tool file="{{.Values.persistence.mountPath}}/clf-vepac-tools/geant4-sim/geant4_particles.xml"/>
+        </section>
         <label id="xas_label" text="xas" />
         <tool file="{{.Values.persistence.mountPath}}/larch-tools/larch_select_paths/larch_select_paths.xml" />
         <tool file="{{.Values.persistence.mountPath}}/larch-tools/larch_plot/larch_plot.xml" />