diff --git a/.github/lintconfig.yaml b/.github/lintconfig.yaml
new file mode 100644
index 00000000..e2d687d7
--- /dev/null
+++ b/.github/lintconfig.yaml
@@ -0,0 +1,8 @@
+chart-dirs: helm
+check-version-increment: true
+debug: false
+remote: origin
+target-branch: main
+validate-chart-schema: true
+validate-maintainers: false
+validate-yaml: true
\ No newline at end of file
diff --git a/.github/workflows/lint_helm.yaml b/.github/workflows/lint_helm.yaml
new file mode 100644
index 00000000..c83a6d8a
--- /dev/null
+++ b/.github/workflows/lint_helm.yaml
@@ -0,0 +1,35 @@
+name: Lint Helm Charts
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ ]
+ pull_request: []
+
+
+jobs:
+ lint-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v2
+ with:
+ version: v3.4.0
+
+ - uses: actions/setup-python@v4
+ with:
+ python-version: 3.7
+
+ - name: Helm Chart Testing
+ uses: helm/chart-testing-action@v2.1.0
+
+ - name: Run chart-testing (lint)
+ run: |
+ CHANGED=`ct list-changed --config .github/lintconfig.yaml;`;
+ LINTCONF=$CT_CONFIG_DIR/lintconf.yaml;
+ for c in $CHANGED; do echo "$c/Chart.yaml"; yamllint --config-file $LINTCONF $c/Chart.yaml; echo "$c/values.yaml"; yamllint --config-file $LINTCONF $c/values.yaml; done;
\ No newline at end of file
diff --git a/.github/workflows/sphinx.yaml b/.github/workflows/pages.yaml
similarity index 76%
rename from .github/workflows/sphinx.yaml
rename to .github/workflows/pages.yaml
index f6ba64e5..bdb309d7 100644
--- a/.github/workflows/sphinx.yaml
+++ b/.github/workflows/pages.yaml
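Review bot: The trigger block `push:` / `branches: [ ]` and `pull_request: []` leaves this workflow effectively manual-only: an empty `branches` filter matches no push, and `pull_request` expects a mapping of filters rather than an empty sequence, so GitHub is likely to reject or ignore it. If the intent is to lint on every change to the chart, write `push:` and `pull_request:` each with `paths: [ 'helm/**' ]`, or drop the filters altogether. `python-version: 3.7` is an unquoted float and should be `"3.7"` so a later bump to 3.10 is not read as 3.1. The `uses:` references (`actions/checkout@v3`, `azure/setup-helm@v2`, `actions/setup-python@v4`, `helm/chart-testing-action@v2.1.0`) are tag-pinned; pinning to a full commit SHA makes the lint job's supply chain reproducible and is cheap to do here since the job is new.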
@@ -1,9 +1,10 @@ -name: Deploy Sphinx site to Pages +name: Deploy Pages +# Builds and deploys docs and helm charts on: - # Runs on pushes targeting the default branch - push: - branches: [ "main" ] + # Runs on publication of a release or prerelease + release: + types: [ released, prereleased ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: @@ -33,10 +34,16 @@ jobs: python-version: "3.9" - name: Install dependencies run: | - sudo apt-get update + sudo apt-get update sudo apt-get install -y python-dev-is-python3 libldap2-dev libsasl2-dev libssl-dev python -m pip install --upgrade pip - pip install -r docs/requirements.txt + pip install -e ".[docs]" + - name: Build with Charts + # Outputs to the './_site' directory by default + run: | + helm dependency update helm + helm package -d ./_site/charts helm + helm repo index ./_site/charts - name: Setup Pages id: pages uses: actions/configure-pages@v2 diff --git a/README.md b/README.md index 1f8e9f08..c9b2d5eb 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ [![.github/workflows/tests.yml](https://github.com/NGEET/ngt-archive/actions/workflows/tests.yml/badge.svg)](https://github.com/NGEET/ngt-archive/actions/workflows/tests.yml) [![Deploy Sphinx site to Pages](https://github.com/NGEET/ngt-archive/actions/workflows/sphinx.yaml/badge.svg)](https://github.com/NGEET/ngt-archive/actions/workflows/sphinx.yaml) [![Docker Image CI](https://github.com/NGEET/ngt-archive/actions/workflows/docker-image.yaml/badge.svg?branch=main)](https://github.com/NGEET/ngt-archive/actions/workflows/docker-image.yaml) +[![Lint Helm Charts](https://github.com/NGEET/ngt-archive/actions/workflows/lint_helm.yaml/badge.svg)](https://github.com/NGEET/ngt-archive/actions/workflows/lint_helm.yaml) # NGEE Tropics Archive Service diff --git a/docs/helm_chart.rst b/docs/helm_chart.rst new file mode 100644 index 00000000..3e3a3293 --- /dev/null +++ b/docs/helm_chart.rst 
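Review bot: The `Build with Charts` step runs `helm repo index ./_site/charts` on a directory holding only the chart packaged in this run, so each release publishes an `index.yaml` that lists a single version and any previously released versions vanish from the repository that `helm repo add ngt-archive https://ngeet.github.io/ngt-archive/charts/` points at. Unless a step outside this hunk restores the currently published `charts/` tree, fetch the existing index first and merge it, `helm repo index ./_site/charts --merge <path to previous index.yaml>`, or keep the packaged archives under version control. The `- sudo apt-get update` / `+ sudo apt-get update` pair in the `Install dependencies` step is a whitespace-only change that adds diff noise. The first hunk's switch from push-on-main to `release: types: [ released, prereleased ]` is consistent with publishing charts per release; the job definition continues outside both hunks.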
@@ -0,0 +1,4 @@ +.. _helmchart: + +.. include:: ../helm/README.md + :parser: myst_parser.docutils_ \ No newline at end of file diff --git a/docs/index.rst b/docs/index.rst index 6a0bd90d..5cca4a42 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -13,6 +13,7 @@ Contents: intro quickstart + helm_chart releases contact license diff --git a/docs/requirements.txt b/docs/requirements.txt deleted file mode 100644 index 1b3a6e86..00000000 --- a/docs/requirements.txt +++ /dev/null @@ -1 +0,0 @@ -sphinx \ No newline at end of file diff --git a/helm/.gitignore b/helm/.gitignore new file mode 100644 index 00000000..e69de29b diff --git a/helm/.helmignore b/helm/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/helm/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/Chart.yaml b/helm/Chart.yaml new file mode 100644 index 00000000..c7da1ad1 --- /dev/null +++ b/helm/Chart.yaml 
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: ngt-archive
+description: NGEE-Tropics Archive
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/
+version: 2.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 3.0.0-p119
diff --git a/helm/README.md b/helm/README.md
new file mode 100644
index 00000000..c3c66368
--- /dev/null
+++ b/helm/README.md
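Review bot: `appVersion: 3.0.0-p119` and `version: 2.0.0` are unquoted plain scalars; they parse as strings today, but the `helm create` scaffold these comments are copied from quotes `appVersion` precisely so that a future value such as `3.10` is not read as the float 3.1, so write `appVersion: "3.0.0-p119"` and `version: "2.0.0"`. The comment above `version` is also missing its closing parenthesis: `# Versions are expected to follow Semantic Versioning (https://semver.org/)`.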
@@ -0,0 +1,167 @@ +# Helm Chart + +Next-Generation Ecosystem Experiments–Tropics (NGEE-Tropics) is a DOE-funded, +multi-institutional project led by Berkeley Lab, focused on how +tropical forests interact with Earth’s climate. This helm chart deploys the +The NGEE-Tropics archive service sits in the middle of the *NGEE Tropics data workflow*. + +* Place to upload datasets and metadata. +* Datasets should consist of related data collections, not individual files (e.g. Sapflow collected at Manaus) +* Datasets will receive a DOI, and can be updated with new data. +* Datasets will be available for search to NGEE Tropics team, and (if policy allows) to public +* Makes NGEE-Tropics compliant with DOE Data Management Plan + + +## Get Access + +```bash +$ helm repo add ngt-archive https://ngeet.github.io/ngt-archive/charts/ +$ helm search repo ngt-archive +``` + +## Introduction + +This chart bootstraps a **NGEE-Tropics Archive** deployment on either a [Kubernetes](http://kubernetes.io) +or [Rancher](https://rancher.com/) cluster using the [Helm](https://helm.sh) package manager. + +## Installing the Chart + +To install the chart with the release name ``: + +```bash +$ helm upgrade --install ngt-archive/ngt-archive +``` + +The command deploys ESS-DIVE Fusion Database on the Kubernetes cluster in the default configuration. + +> **Tip**: List all releases using `helm ls` + +## Uninstalling the Chart + +To uninstall/delete the `` deployment: + +```bash +$ helm delete +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + + +## Configuration + +The following table lists the configurable parameters of the ESS-DIVE Fusion Db chart and their default values. 
+ +| Parameter | Description | Default | +| :----------------------- | :---------------------- | -------------- | +| `ka8.creatorId` | Kubernetes user id | `""` | +| `k8.clustername` | Kubernates cluster name | `""` | +| `uid` | User id of the ngt-archive containers | `""` | +| `gid` | Group id of the ngt-archive containers | `""` | +| `readOnly` | Is the archive in read-only mode? | `"false"` | +| `teamEmail` | The email address for the - No Reply | `""` | +| `celeryConcurrency` | The concurrency number for the celery worker | `3` | +| `emailSubjectPrefix` | Subject prefix for emails sent by the application | `""` | +| `image.repository` | docker image for this helm chart | `"registry.nersc.gov/m2690/ngt-archive"` | +| `image.tag` | docker image tag. Overrides the image tag whose default is the chart appVersion. | `""` | +| `imagePullSecrets` | Global registries for image pull secrets | `[]` | +| `nameOverride` | overrides ngt-archive.name template | `""` | +| `fullnameOverride` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` | +| `restore.importFile` | Restore from a backup. Set the name of the file to import. | `""` | +| `secretName.application` | Application secrets (auth-bind-ldap-password, google-maps-key, secret-key) | `""` | +| `secretName.database` | Database Password (db-password) | `""` | +| `secretName.certificate` | The secret that points to the certificate for this deployment (ngt-data) | `""` | +| `volume.dbClaim` | Postgres db volume name (change this name when restoring from backups) | `""` | +| `volume.backupDirectory` | the postgres db backup directory | `""` | +| `volume.importDirectory` | the directory under the backup to import (e.g. 20221016T230006) | `""` | +| `volume.dataDirectory` | directory where archive data is stored | `""` | +| `volume.dataImportDirectory` | directory where archive data is imported from | `""` | +| `ingress.name` | Name of the ingres. 
(Defaults to fullname) | `""` | +| `ingress.enabled` | manage external access to services (https://kubernetes.io/docs/concepts/services-networking/ingress/) | `false` | +| `ingress.annotations` | annotations for this ingress | `{}` | +| `ingress.hosts` | list of hosts for the ingress | `[{"host": "chart-example.local", "paths": []}]` | +| `ingress.tls` | transport layer security | `[]` | +| `env` | environment variables for deployment | `"[]"` | +| `web.serverName` | The server name of this host | `"localhost"` | +| `web.realIp.enabled` | enable configuration for real ips | `false` | +| `web.realIp.fromIps` | the list subnet addresses to accept real ips from (e.g. [ '10.42.0.0/16', '144.44.138.155/25' ]) | `[]` | +| `web.locations.root` | root location declarations (e.g. `[{"name": "proxy_set_header", "value": "X-Forwarded-Proto https", "comment": "Set protocol to HTTPS"}]`) | `[]` | + + +### Examples +The examples below are minimal installations. You will likely need to configure more parameters. + +Basic installation. + +```bash +$ helm install ngt-archive/ngt-archive +``` + +## People + ++ [Contributors](https://github.com/NGEET/ngt-archive/graphs/contributors) + +## Copyright + +NGEE Tropics Archive (NGT Archive) Copyright (c) 2017, The +Regents of the University of California, through Lawrence Berkeley National +Laboratory (subject to receipt of any required approvals from the U.S. +Dept. of Energy). All rights reserved. + +If you have questions about your rights to use or distribute this software, +please contact Berkeley Lab's Intellectual Property Office at +IPO@lbl.gov. + +NOTICE. This Software was developed under funding from the U.S. Department +of Energy and the U.S. Government consequently retains certain rights. As +such, the U.S. 
Government has been granted for itself and others acting on +its behalf a paid-up, nonexclusive, irrevocable, worldwide license in the +Software to reproduce, distribute copies to the public, prepare derivative +works + +# License + +``` +NGEE Tropics Archive (NGT Archive) Copyright (c) 2017, +The Regents of the University of California, through +Lawrence Berkeley National Laboratory (subject to receipt of any required +approvals from the U.S. Dept. of Energy). All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +(1) Redistributions of source code must retain the above copyright notice, +this list of conditions and the following disclaimer. + +(2) Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + +(3) Neither the name of the University of California, Lawrence Berkeley +National Laboratory, U.S. Dept. of Energy nor the names of its contributors +may be used to endorse or promote products derived from this software +without specific prior written permission. + + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +You are under no obligation whatsoever to provide any bug fixes, patches, +or upgrades to the features, functionality or performance of the source +code ("Enhancements") to anyone; however, if you choose to make your +Enhancements available either publicly, or directly to Lawrence Berkeley +National Laboratory, without imposing a separate written license agreement +for such Enhancements, then you hereby grant the following license: a +non-exclusive, royalty-free perpetual license to install, use, modify, +prepare derivative works, incorporate into other computer software, +distribute, and sublicense such enhancements or derivative works thereof, +in binary and source code form. +``` \ No newline at end of file diff --git a/helm/config/error503.html b/helm/config/error503.html new file mode 100644 index 00000000..37997418 --- /dev/null +++ b/helm/config/error503.html @@ -0,0 +1,24 @@ + + + + NGEE-Tropics Archive Service -- Down For Maintenance + + + + +

NGEE-Tropics Data Service

+

Down For Maintenance

+

Sorry for the inconvenience, but we are performing a maintenance at the moment.

+

We will be back online shortly!

+

For questions contact: + + ngee-tropics-archive at + lbl dot + gov +

+
+
\ No newline at end of file
diff --git a/helm/config/nginx.conf b/helm/config/nginx.conf
new file mode 100644
index 00000000..9a5e2d4e
--- /dev/null
+++ b/helm/config/nginx.conf
@@ -0,0 +1,30 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/tmp/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
\ No newline at end of file
diff --git a/helm/config/passwd b/helm/config/passwd
new file mode 100644
index 00000000..da76a641
--- /dev/null
+++ b/helm/config/passwd
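Review bot: The `http` block never sets `server_tokens`, so this front-end answers every request (including the `/error503.html` maintenance page) with the default `Server: nginx/<version>` header; since this is the externally reachable entry point for the archive, add `server_tokens off;` next to `sendfile on;` so the exact nginx version is not advertised. `user nginx;` is only honoured when the master process starts as root; if the web container runs as the non-root `web` user that `helm/config/web_etc_passwd` defines, nginx will only warn about this directive on every start, and the line can be dropped. `pid /var/tmp/nginx.pid;` and the `/tmp` temp paths in `portal.conf.tpl` are consistent with that unprivileged setup.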
@@ -0,0 +1,29 @@
+root:x:0:0:root:/root:/bin/ash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+man:x:13:15:man:/usr/man:/sbin/nologin
+postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
+squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
+xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+cyrus:x:85:12::/usr/cyrus:/sbin/nologin
+vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+postgres:x:70:70:Linux User,,,:/var/lib/postgresql:/bin/sh
+postgresuser:x:{{ .Values.uid }}:{{ .Values.gid }}:postgresuser:/:/sbin/nologin
\ No newline at end of file
diff --git a/helm/config/portal.conf.tpl b/helm/config/portal.conf.tpl
new file mode 100644
index 00000000..518af610
--- /dev/null
+++ b/helm/config/portal.conf.tpl
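Review bot: The last line renders `postgresuser:x:{{ .Values.uid }}:{{ .Values.gid }}:postgresuser:/:/sbin/nologin` and this file is mounted over `/etc/passwd` of the database pod, yet the chart README documents `uid` and `gid` with defaults of `""`; an install that omits them yields `postgresuser:x:::postgresuser:/:/sbin/nologin`, a malformed entry that silently fails to map the running uid to a user. Guard the values the way `_helpers.tpl` already guards `k8.creatorId`: `postgresuser:x:{{ required "Please set .Values.uid" .Values.uid }}:{{ required "Please set .Values.gid" .Values.gid }}:postgresuser:/:/sbin/nologin` (this file is rendered through `tpl`, so `required` works here). The same applies to the `web:` line of `helm/config/web_etc_passwd` and to the unguarded `runAsUser:` / `fsGroup:` fields in `app-deployment.yaml` and `db-deployment.yaml`.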
@@ -0,0 +1,62 @@
+
+
+# Move the cache paths from /var/nginx/cache to /tmp
+client_body_temp_path /tmp/client_temp;
+proxy_temp_path /tmp/proxy_temp 1 2;
+fastcgi_temp_path /tmp/fastcgi_temp 1 2;
+uwsgi_temp_path /tmp//uwsgi_temp 1 2;
+scgi_temp_path /tmp/scgi_temp 1 2;
+
+
+upstream portal {
+ ip_hash;
+ server app:8080;
+}
+
+# portal
+server {
+ # The max file size is 2GB + a little extra for overhead
+ # The django ap will return an error on 2048
+ client_max_body_size 2050M;
+
+ location / {
+ proxy_pass http://portal/;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+
+
+ # Add and root location declarations
+ {{- range .Values.web.locations.root }}
+ # {{ .comment }}
+ {{ .name }} {{ .value }};
+ {{- end -}}
+
+ }
+
+ error_page 501 502 503 404 302 /error503.html;
+ location = /error503.html {
+ root /usr/local/nginx/html;
+ }
+
+ # Protected path for data downloads
+ # This requires the data to be mounted
+ # read-only at /data
+ location /data {
+ internal;
+ alias /data;
+ }
+
+ {{- if .Values.web.realIp.enabled }}
+ # obtain client IP from proxy headers
+ real_ip_header X-Forwarded-For;
+
+ {{- range .Values.web.realIp.fromIps }}
+ set_real_ip_from {{ . }};
+ {{- end }}
+ {{- end -}}{{- /* end web.realIp.enabled */}}
+
+ listen 8000;
+ server_name {{ tpl .Values.web.serverName . }};
+
+}
\ No newline at end of file
diff --git a/helm/config/web_etc_passwd b/helm/config/web_etc_passwd
new file mode 100644
index 00000000..64b26831
--- /dev/null
+++ b/helm/config/web_etc_passwd
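Review bot: `error_page 501 502 503 404 302 /error503.html;` also routes 404 and 302 responses to a page titled "Down For Maintenance", so a missing resource or a redirect that nginx itself generates is presented to users as an outage; narrow it to the gateway failures it is meant for, `error_page 501 502 503 /error503.html;`, and give 404 its own page if one is wanted. Note that `location /` does not set `proxy_intercept_errors on;`, so responses coming back from the `portal` upstream are passed through untouched and the directive only applies to responses nginx produces on its own (e.g. when `app:8080` is unreachable) — confirm that is the intended scope. `uwsgi_temp_path /tmp//uwsgi_temp 1 2;` has a doubled slash, presumably a typo for `/tmp/uwsgi_temp`. The `internal` on `location /data` is the right guard for the `X-Accel-Redirect` downloads the app deployment configures; a one-line comment naming that header next to `internal;` would make the coupling visible to whoever edits either file.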
@@ -0,0 +1,21 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+nginx:x:101:101:nginx user,,,:/nonexistent:/bin/false
+web:x:{{ .Values.uid }}:101:Web User:/home/web:/bin/sh
\ No newline at end of file
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
new file mode 100644
index 00000000..86cb3046
--- /dev/null
+++ b/helm/templates/NOTES.txt
@@ -0,0 +1,9 @@
+
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+ $ helm status -n {{ .Release.Namespace }} {{ .Release.Name }}
+ $ helm get -n {{ .Release.Namespace }} all {{ .Release.Name }}
\ No newline at end of file
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 00000000..3ac57033
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,156 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "ngt-archive.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "ngt-archive.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ngt-archive.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "ngt-archive.labels" -}} +helm.sh/chart: {{ include "ngt-archive.chart" . }} +{{ include "ngt-archive.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "ngt-archive.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ngt-archive.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "ngt-archive.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "ngt-archive.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{/* +Rancher 2 annotations for annotations +*/}} +{{- define "ngt-archive.annotations" -}} +field.cattle.io/creatorId: {{ required "Please set .Values.k8.creatorId" .Values.k8.creatorId }} +{{- end }} + + +{{/* +Rancher 2 Ingress annotations +*/}} +{{- define "ngt-archive.annotations.ingress" -}} +nersc.gov/clustername: {{ required "Please set .Values.k8.clustername" .Values.k8.clustername }} +nersc.gov/serveralias: svc +nginx.ingress.kubernetes.io/enable-real-ip: "true" +nginx.ingress.kubernetes.io/proxy-real-ip-cidr: 10.42.0.0/16 +nginx.ingress.kubernetes.io/use-forwarded-headers: "true" +nginx.ingress.kubernetes.io/proxy-body-size: "2096m" +{{- end }} + +{{/* +The application version - allows it to be overridden by the image tag +*/}} +{{- define "ngt-archive.version" -}} +{{ default .Chart.AppVersion .Values.image.tag }} +{{- end }} + + +{{/* +Postgres Dump template definition +*/}} +{{- define "ngt-archive.pgdump-template" -}} +containers: +- name: pgdump + env: + - name: POSTGRES_DB + value: ngeet + - name: POSTGRES_DUMP_DIR + value: /pg_dump + - name: POSTGRES_DUMP_FILE_BASE + value: ngeet-archive.sql.gz + - name: POSTGRES_DUMP_RETAIN_DAYS + value: "7" + - name: POSTGRES_HOST + value: db + - name: POSTGRES_PASSWORD_FILE + value: /secrets/db/db-password + - name: POSTGRES_USER + value: ngeet + - name: TZ + value: US/Pacific + image: registry.nersc.gov/library/spin/postgres-pg_dump:12-alpine + imagePullPolicy: Always + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: false + runAsUser: {{ .Values.uid }} + stdin: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + tty: true + volumeMounts: + - mountPath: /pg_dump + name: vol1 + - mountPath: /secrets/db + name: vol2 + readOnly: true 
+dnsPolicy: ClusterFirst +{{- with .Values.imagePullSecrets }} +imagePullSecrets: +{{- toYaml . | nindent 2 }} +{{- end }} +restartPolicy: Never +securityContext: + fsGroup: {{ .Values.gid }} +terminationGracePeriodSeconds: 30 +volumes: +- hostPath: + path: {{ tpl .Values.volume.backupDirectory . }} + type: Directory + name: vol1 +- name: vol2 + secret: + defaultMode: 256 + optional: false + secretName: {{ .Values.secretName.database }} +{{- end}} \ No newline at end of file diff --git a/helm/templates/app-deployment.yaml b/helm/templates/app-deployment.yaml new file mode 100644 index 00000000..1c6ef4f6 --- /dev/null +++ b/helm/templates/app-deployment.yaml 
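Review bot: The comment introducing `ngt-archive.annotations` opens with `{/*` instead of `{{/*`, so `{/* Rancher 2 annotations for annotations */}}` is not a template comment but literal text in `_helpers.tpl`; files prefixed with `_` are not emitted as manifests, which is presumably why this does not fail today, but the line should read `{{/*` (the `*/}}` close is already correct). `ngt-archive.annotations.ingress` hard-codes `nginx.ingress.kubernetes.io/proxy-real-ip-cidr: 10.42.0.0/16` while `portal.conf.tpl` makes the equivalent nginx trust list configurable through `web.realIp.fromIps`; exposing this CIDR as a value keeps the two places that decide which `X-Forwarded-For` sources are trusted in sync. In `ngt-archive.pgdump-template` the `pgdump` container has `runAsNonRoot: false` alongside `runAsUser: {{ .Values.uid }}`; if `uid` is never expected to be 0, `runAsNonRoot: true` as in `app-deployment.yaml` is a cheap guard against an accidental root uid. `ngt-archive.serviceAccountName` reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, neither of which the README parameter table lists — verify values.yaml defines `serviceAccount`, otherwise any template that includes this helper fails with a nil-pointer error.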
@@ -0,0 +1,225 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{- include "ngt-archive.annotations" . | nindent 4 }} + labels: + workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-app + {{- include "ngt-archive.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} + name: app +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-app + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + labels: + workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-app + spec: + containers: + - args: + - uwsgi + - --module + - ngt_archive.wsgi:application + - --http-socket + - 0.0.0.0:8080 + - --static-map + - /static=/app/static + env: + - name: SQL_PASSWORD_FILE + value: /secrets/db/db-password + - name: STATIC_ROOT + value: /app/static + - name: DATASET_ARCHIVE_ROOT + value: /data + - name: DATASET_ARCHIVE_SENDFILE_METHOD + value: X-Accel-Redirect + - name: DJANGO_USERS_JSON_FILE + value: /app/backup/ngt-archive-import.json + - name: EMAIL_NGEET_TEAM + value: {{ .Values.teamEmail | quote }} + - name: EMAIL_SUBJECT_PREFIX + value: {{ .Values.emailSubjectPrefix | quote }} + - name: FILE_UPLOAD_TEMP_DIR + value: /tmp + - name: GOOGLE_MAPS_KEY_FILE + value: /secrets/app/google-maps-key + - name: READ_ONLY + value: {{ default "false" .Values.readOnly | quote }} + - name: SECRET_KEY_FILE + value: /secrets/app/secret-key + - name: SERVICE_ACCOUNT_SECRET_KEY + valueFrom: + secretKeyRef: + name: app-secrets + key: service-account-secret-key + {{- tpl (toYaml .Values.env) . | nindent 8 }} + image: {{ .Values.image.repository }}:{{- include "ngt-archive.version" . 
}} + imagePullPolicy: Always + name: app + ports: + - containerPort: 8080 + name: http + protocol: TCP + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: {{ .Values.uid }} + stdin: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + tty: true + volumeMounts: + - mountPath: /secrets/app + name: vol-secret-app + readOnly: true + - mountPath: /secrets/db + name: vol-secret-db + readOnly: true + {{- if .Values.volume.dataDirectory }} + - mountPath: /data + name: vol-data + {{- end -}} + {{- if .Values.volume.dataImportDirectory }} + - mountPath: /app/import + name: vol-import + readOnly: true + {{- end }} + - name: rabbitmq + image: rabbitmq + ports: + - containerPort: 5672 + name: rabbitmq + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: {{ .Values.uid }} + stdin: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + tty: true + - command: + - docker-manage-entrypoint.sh + - celery + - -A + - ngt_archive + - worker + - -l + - INFO + - --concurrency + - {{ .Values.celeryConcurrency | quote }} + env: + - name: SQL_PASSWORD_FILE + value: /secrets/db/db-password + - name: STATIC_ROOT + value: /app/static + - name: DATASET_ARCHIVE_ROOT + value: /data + - name: DATASET_ARCHIVE_SENDFILE_METHOD + value: X-Accel-Redirect + - name: DJANGO_USERS_JSON_FILE + value: /app/import/ngt-archive-import.json + - name: EMAIL_NGEET_TEAM + value: {{ .Values.teamEmail | quote }} + - name: EMAIL_SUBJECT_PREFIX + value: {{ .Values.emailSubjectPrefix | quote }} + - name: FILE_UPLOAD_TEMP_DIR + value: /tmp + - name: GOOGLE_MAPS_KEY_FILE + value: /secrets/app/google-maps-key + - name: SECRET_KEY_FILE + 
value: /secrets/app/secret-key + - name: SERVICE_ACCOUNT_SECRET_KEY + valueFrom: + secretKeyRef: + name: app-secrets + key: service-account-secret-key + {{- tpl (toYaml .Values.env) . | nindent 8 }} + image: {{ .Values.image.repository }}:{{- include "ngt-archive.version" . }} + imagePullPolicy: Always + name: celery + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: {{ .Values.uid }} + stdin: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + tty: true + volumeMounts: + - mountPath: /secrets/app + name: vol-secret-app + readOnly: true + - mountPath: /secrets/db + name: vol-secret-db + readOnly: true + {{- if .Values.volume.dataDirectory }} + - mountPath: /data + name: vol-data + readOnly: true + {{- end }} + dnsConfig: {} + dnsPolicy: ClusterFirst + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + fsGroup: {{ .Values.gid }} + terminationGracePeriodSeconds: 30 + volumes: + - name: vol-secret-app + secret: + defaultMode: 256 + optional: false + secretName: {{ .Values.secretName.application }} + - name: vol-secret-db + secret: + defaultMode: 256 + optional: false + secretName: {{ .Values.secretName.database }} + {{- if .Values.volume.dataImportDirectory }} + - name: vol-import + hostPath: + path: {{ tpl .Values.volume.dataImportDirectory . }} + type: Directory + {{- end }} + {{- if .Values.volume.dataDirectory }} + - name: vol-data + hostPath: + path: {{ tpl .Values.volume.dataDirectory . }} + type: Directory + {{- end }} diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml new file mode 100644 index 00000000..9eb1e358 --- /dev/null +++ b/helm/templates/configmap.yaml 
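Review bot: In the `app` container `DJANGO_USERS_JSON_FILE` is `/app/backup/ngt-archive-import.json`, but the only import volume (`vol-import`, from `volume.dataImportDirectory`) is mounted at `/app/import`, and the `celery` container in the same pod uses `/app/import/ngt-archive-import.json`; the app container's value looks like a stale path and should be `value: /app/import/ngt-archive-import.json`. Both the `app` and `rabbitmq` containers add `NET_BIND_SERVICE` back after `drop: [ALL]`, yet they listen on 8080 and 5672, neither of which needs the capability — remove the `add:` block so the pod keeps the least-privilege profile the `celery` container already has. `image: rabbitmq` is untagged, so every pod start pulls whatever `latest` is; pin it to a tag (ideally a digest) the way the application image is versioned through `ngt-archive.version`. The `SERVICE_ACCOUNT_SECRET_KEY` `secretKeyRef` names the literal secret `app-secrets` while the `vol-secret-app` volume uses `.Values.secretName.application`; if these are meant to be the same secret, use the value in both places so a renamed secret cannot break only one of them.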
@@ -0,0 +1,23 @@
+#######################################
+# All configuration files
+# Supports running as a (mostly) arbitrary user via --user on docker run.
+# The main caveat to note is that postgres doesn't care what UID it runs
+# as (as long as the owner of /var/lib/postgresql/data matches), but initdb
+# does care (and needs the user to exist in /etc/passwd)
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ annotations:
+ {{- include "ngt-archive.annotations" . | nindent 4 }}
+ labels:
+ {{- include "ngt-archive.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "ngt-archive.fullname" . }}
+data:
+ {{- $files := .Files }}
+ {{- range $key, $value := .Files }}
+ {{- if hasPrefix "config/" $key }} {{/* only when in config/ */}}
+ {{ $key | trimPrefix "config/" }}: |
+ {{- tpl ( $files.Get $key ) $ | nindent 4 }}
+ {{- end }}
+ {{- end }}
diff --git a/helm/templates/db-deployment.yaml b/helm/templates/db-deployment.yaml
new file mode 100644
index 00000000..e89c188f
--- /dev/null
+++ b/helm/templates/db-deployment.yaml
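Review bot: Every file under `config/` is pushed through `tpl`, so a literal `{{` in any future file there (an nginx comment, an HTML snippet) aborts rendering of the whole release; a one-line comment above the loop, `# every file in config/ is rendered as a Helm template before being stored`, tells the next maintainer why the files are written as templates. The loop itself ranges over all of `.Files` and filters with `hasPrefix "config/"`; the idiomatic form is `{{- range $key, $value := .Files.Glob "config/*" }}`, which also makes the `$files` alias unnecessary since `$value` already carries the file contents. The inline `{{/* only when in config/ */}}` comment is preceded by a space that the `{{- if ... }}` before it does not trim, leaving a stray space in the output; write it as `{{- /* only when in config/ */}}` (do not add a right trim to the `if`, which would also swallow the newline before the key line).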
@@ -0,0 +1,117 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ {{- include "ngt-archive.annotations" . | nindent 4 }}
+ labels:
+ workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-db
+ {{- include "ngt-archive.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: db
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-db
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ # Checksum the values that would affect the configuration files ( this forces a upgrade on a changes)
+ checksum/config: {{ printf "%s:%s" .Values.gid .Values.uid | sha256sum }}
+ labels:
+ workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-db
+ spec:
+ initContainers:
+ - name: {{ include "ngt-archive.fullname" . }}-set-volume-permissions
+ image: ubuntu
+ # Give `postgres` uid/gid permissions a mounted volume
+ command: [ "/bin/bash" ]
+ args:
+ - -c
+ - chown -Rv {{ .Values.uid }}:{{ .Values.gid }} /var/run/postgresql //var/lib/postgresql/data;
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: db-ngt
+ - name: vol-varrun
+ mountPath: /var/run/postgresql
+ containers:
+ - env:
+ - name: POSTGRES_DB
+ value: ngeet
+ - name: POSTGRES_PASSWORD_FILE
+ value: /secrets/db-password
+ - name: POSTGRES_USER
+ value: ngeet
+ image: postgres:12-alpine
+ imagePullPolicy: Always
+ name: db
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ runAsUser: {{ .Values.uid }}
+ runAsGroup: {{ .Values.gid }}
+ stdin: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ tty: true
+ volumeMounts:
+ - mountPath: /secrets
+ name: vol1
+ - mountPath: /var/lib/postgresql/data
+ name: db-ngt
+ - name: vol-varrun
+ mountPath: /var/run/postgresql
+ - mountPath: /etc/passwd
+ name: vol-config
+ subPath: passwd
+ {{- if and .Values.volume.backupDirectory .Values.volume.importDirectory }}
+ - name: vol-initdb
+ mountPath: /docker-entrypoint-initdb.d
+ readOnly: True
+ {{- end }}
+ dnsConfig: {}
+ dnsPolicy: ClusterFirst
+ hostname: db
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ fsGroup: {{ .Values.gid }}
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: vol-config
+ configMap:
+ name: {{ include "ngt-archive.fullname" . }}
+ # An array of keys from the ConfigMap to create as files
+ items:
+ - key: passwd
+ path: passwd
+ - name: vol-varrun
+ persistentVolumeClaim:
+ claimName: {{ .Values.volume.dbClaim }}-varrun
+ - name: vol1
+ secret:
+ defaultMode: 256
+ optional: false
+ secretName: {{ .Values.secretName.database }}
+ - name: db-ngt
+ persistentVolumeClaim:
+ claimName: {{ .Values.volume.dbClaim }}
+ {{- if and .Values.volume.backupDirectory .Values.volume.importDirectory }}
+ - name: vol-initdb
+ hostPath:
+ path: {{ tpl .Values.volume.backupDirectory . }}/{{ .Values.volume.importDirectory}}
+ type: Directory
+ {{- end }}
diff --git a/helm/templates/db-volume.yaml b/helm/templates/db-volume.yaml
new file mode 100644
index 00000000..a4da5bf7
--- /dev/null
+++ b/helm/templates/db-volume.yaml
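Review bot: The `db` container sets `runAsNonRoot: false` while every other container in this commit sets `true`, and `runAsUser: {{ .Values.uid }}` / `runAsGroup: {{ .Values.gid }}` render to empty fields when `uid`/`gid` are left at their `""` defaults from values.yaml, so with default values the pod starts as whatever user the `postgres:12-alpine` image chooses and the kubelet will not refuse a root UID. Either set `runAsNonRoot: true` here too or document in values.yaml that `uid`/`gid` are required numeric ids. The `set-volume-permissions` initContainer has no `securityContext` and uses the unpinned `image: ubuntu`, so a floating image runs as root just to `chown` two paths; pinning it by tag or digest and limiting its capabilities to what `chown` needs would narrow that. `readOnly: True` on the `vol-initdb` mount should be the lowercase `true` used everywhere else, and `//var/lib/postgresql/data` in the chown arguments looks like a typo for `/var/lib/postgresql/data`.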
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ annotations:
+ {{- include "ngt-archive.annotations" . | nindent 4 }}
+ # Do not remove on upgrade
+ helm.sh/resource-policy: keep
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Values.volume.dbClaim }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: nfs-client
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- include "ngt-archive.annotations" . | nindent 4 }}
+ name: {{ .Values.volume.dbClaim }}-varrun
+ labels:
+ {{- include "ngt-archive.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 50Mi
+ storageClassName: nfs-client
\ No newline at end of file
diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml
new file mode 100644
index 00000000..a3e6b07b
--- /dev/null
+++ b/helm/templates/ingress.yaml
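Review bot: `storageClassName: nfs-client` is hard-coded in both PersistentVolumeClaims, which ties the chart to one cluster's provisioner; a `volume.storageClassName` value defaulting to `nfs-client`, rendered as `storageClassName: {{ .Values.volume.storageClassName }}`, keeps current behaviour while letting other clusters override it. The first PVC also has no `labels:` block, unlike the second one and the other templates in this commit, so the data claim carries none of the chart's common labels. Since that claim is annotated `helm.sh/resource-policy: keep`, the comment above it should say what that means for operators: `# Kept on helm uninstall/upgrade; delete the claim by hand when the data is no longer needed`.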
@@ -0,0 +1,43 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "ngt-archive.fullname" . -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ annotations:
+ {{- include "ngt-archive.annotations" . | nindent 4 }}
+ {{- include "ngt-archive.annotations.ingress" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+ name: web
+spec:
+ ingressClassName: nginx
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ tpl .host $ | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ tpl .path $ }}
+ backend:
+ serviceName: web
+ servicePort: 8000
+ {{- end }}
+ {{- end }}
+
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ tpl . $ | quote }}
+ {{- end }}
+ secretName: {{ tpl .secretName $ }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
diff --git a/helm/templates/pgdump-cronjob.yaml b/helm/templates/pgdump-cronjob.yaml
new file mode 100644
index 00000000..1f5542db
--- /dev/null
+++ b/helm/templates/pgdump-cronjob.yaml
@@ -0,0 +1,22 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ annotations:
+ {{- include "ngt-archive.annotations" . | nindent 4 }}
+ labels:
+ workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-pgdump
+ {{- include "ngt-archive.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: pgdump-cron
+spec:
+ concurrencyPolicy: Allow
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ schedulerName: default-scheduler
+{{ include "ngt-archive.pgdump-template" . | indent 10 }}
+ schedule: 0 6 * * *
+ successfulJobsHistoryLimit: 3
+ suspend: false
diff --git a/helm/templates/pgdump-job.yaml b/helm/templates/pgdump-job.yaml
new file mode 100644
index 00000000..29a1a37f
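Review bot: The `apiVersion` branch selects `networking.k8s.io/v1beta1` for every cluster at or above 1.14 and the backend is written in the `serviceName`/`servicePort` form, but that API (and `extensions/v1beta1`) was removed in Kubernetes 1.22, so on any current cluster this template fails to apply; `networking.k8s.io/v1`, GA since 1.19, needs `pathType` and a `backend.service` block, and since `ingressClassName` (1.18+) is already used unconditionally the older branches can simply go, as in the fence. The same problem applies to `apiVersion: batch/v1beta1` in pgdump-cronjob.yaml in this commit, where CronJob has been `batch/v1` since 1.21 and `v1beta1` is gone in 1.25. `$fullName` is defined on line 2 and never used, since the Ingress is named `web`. In the CronJob, `concurrencyPolicy: Allow` lets a slow dump overlap the next scheduled one; `Forbid` is the safer choice for a backup job.
```yaml
{{- if .Values.ingress.enabled -}}
{{- /* networking.k8s.io/v1 is GA from 1.19 and the only Ingress API on 1.22+ */ -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
# … unchanged: metadata, ingressClassName …
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ tpl .host $ | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ tpl .path $ }}
            pathType: ImplementationSpecific
            backend:
              service:
                name: web
                port:
                  number: 8000
          {{- end }}
    {{- end }}
# … unchanged: tls block …
```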
--- /dev/null
+++ b/helm/templates/pgdump-job.yaml
@@ -0,0 +1,19 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ {{- include "ngt-archive.annotations" . | nindent 4 }}
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-delete, pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ namespace: {{.Release.Namespace }}
+ name: pgdump-job
+ labels:
+ workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-pgdump-job
+ {{- include "ngt-archive.labels" . | nindent 4 }}
+spec:
+ template:
+ spec:
+{{ include "ngt-archive.pgdump-template" . | indent 6 }}
+
diff --git a/helm/templates/tests/test-connection.yaml b/helm/templates/tests/test-connection.yaml
new file mode 100644
index 00000000..663c1006
--- /dev/null
+++ b/helm/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "ngt-archive.fullname" . }}-test-connection"
+ labels:
+ {{- include "ngt-archive.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['app:8080']
+ restartPolicy: Never
diff --git a/helm/templates/web-deployment.yaml b/helm/templates/web-deployment.yaml
new file mode 100644
index 00000000..120fc8d9
--- /dev/null
+++ b/helm/templates/web-deployment.yaml
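Review bot: `spec:` for the Job carries only `template:`, so `backoffLimit` takes the Kubernetes default of 6 and a pre-upgrade dump that fails (for example, when the database is unreachable) is retried six times before Helm reports the hook failure; an explicit `backoffLimit: 1` (or whatever the operators want) under `spec:` makes that deliberate. `namespace: {{.Release.Namespace }}` is missing the space after `{{` that every other template in this commit uses. The pod spec body comes from the `ngt-archive.pgdump-template` include, which is defined outside this diff, so whether it sets the `restartPolicy` a Job requires cannot be checked here.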
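Review bot: The test pod runs `wget` against `app:8080`, but nothing in this chart's templates points at a Service named `app` or at port 8080 — the web container exposes `containerPort: 8000` and the Ingress backend is `serviceName: web`, `servicePort: 8000` — so `helm test` will fail on name resolution. If the Service is named `web` (its manifest is not in this diff, so confirm), the line should read `args: ['web:8000']`. `image: busybox` is unpinned; pin a tag so the test image does not change underneath the chart.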
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ {{- include "ngt-archive.annotations" . | nindent 4 }}
+ {{- include "ngt-archive.annotations.ingress" . | nindent 4 }}
+ labels:
+ namespace: {{ .Release.Namespace }}
+ name: web
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-web
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ # Check the values that would affect the configuration files ( this forces a upgrade on a changes)
+ checksum/config: {{ printf "%s:%s:%s" (tpl (toString .Values.web) . ) .Values.gid .Values.uid | sha256sum }}
+ labels:
+ workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-web
+ spec:
+ containers:
+ - image: nginx
+ imagePullPolicy: Always
+ name: web
+ ports:
+ - containerPort: 8000
+ name: http
+ protocol: TCP
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: {{ .Values.uid }}
+ stdin: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ tty: true
+ volumeMounts:
+ {{- if .Values.volume.dataDirectory }}
+ - mountPath: /data
+ name: vol2
+ readOnly: true
+ {{- end }}
+ - mountPath: /etc/nginx/conf.d/portal.conf
+ name: config-volume
+ subPath: portal.conf
+ readOnly: true
+ - mountPath: /usr/local/nginx/html/error503.html
+ name: config-volume
+ subPath: error503.html
+ readOnly: true
+ - mountPath: /etc/passwd
+ name: config-volume
+ subPath: web_etc_passwd
+ readOnly: true
+ - mountPath: /etc/nginx/nginx.conf
+ name: config-volume
+ subPath: nginx.conf
+ readOnly: true
+ dnsConfig: {}
+ dnsPolicy: ClusterFirst
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ fsGroup: {{ .Values.gid }}
+ terminationGracePeriodSeconds: 500
+ volumes:
+ - name: config-volume
+ configMap:
+ name: {{ include "ngt-archive.fullname" . }}
+ # An array of keys from the ConfigMap to create as files
+ items:
+ - key: portal.conf.tpl
+ path: portal.conf
+ - key: error503.html
+ path: error503.html
+ - key: web_etc_passwd
+ path: web_etc_passwd
+ - key: nginx.conf
+ path: nginx.conf
+ {{- if .Values.volume.dataDirectory }}
+ - hostPath:
+ path: {{ tpl .Values.volume.dataDirectory . }}
+ type: Directory
+ name: vol2
+ {{- end }}
+
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 00000000..fdbee999
--- /dev/null
+++ b/helm/values.yaml
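Review bot: `metadata.labels:` on the Deployment is left empty (the next line is `namespace:` at the same indent), so it renders as `labels: null` and, unlike db-deployment.yaml in this commit, the web Deployment carries neither the `workload.user.cattle.io/workloadselector` label nor the chart's common labels. Fill it the same way: `labels:` / `  workload.user.cattle.io/workloadselector: deployment-{{ .Release.Namespace }}-web` / `  {{- include "ngt-archive.labels" . | nindent 4 }}`. The container adds `NET_BIND_SERVICE` while publishing only `containerPort: 8000`; that capability is needed only for ports below 1024, so unless the `nginx.conf` in the ConfigMap (not in this diff) listens on such a port the `add:` block can be dropped. `image: nginx` is unpinned, and `terminationGracePeriodSeconds: 500` differs from the 30 used by the other deployments without a comment saying why.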
@@ -0,0 +1,114 @@
+# Default values for ngt-archive.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+
+# imagePullSecrets - Global registries for image pull secrets
+imagePullSecrets: []
+
+# nameOverride - Override the name of the Chart (.Chart.Name)
+nameOverride: ""
+
+# fullnameOverride - Override the fully qualified app name.
+fullnameOverride: ""
+
+# uid - Filesystem uid
+uid: ""
+# gid - Filesystem gid
+gid: ""
+
+# readOnly - is the archive in readonly mode? (true|false
+readOnly: false
+
+# teamEmail - The email address for the - No Reply
+teamEmail: ""
+
+# celeryConcurrency - The concurrency number for the celery worker
+celeryConcurrency: 3
+
+# emailSubjectPrefix - Subject prefix for emails sent by the application
+emailSubjectPrefix: ""
+
+# image - Docker image information
+image:
+ # image.repository - The image repository
+ repository: ghcr.io/ngeet/ngt-archive
+ # image.tag - This will used override .Chart.appVersion
+ tag: ""
+
+# k8 - Kubernetes values
+k8: {}
+# # k8.creatorId - Kubernetes user id
+# creatorId: ""
+# # k8.clustername - Kubernates cluster name
+# clustername: ""
+
+# restore - Restore from a backup. Set the name of the file to import in
+restore: {}
+# # restore.importFile - Import file name
+# importFile: ""
+
+# secretName - The secret names expected. The secrets expect a specific structure.
+# (Currently these need to be setup in advance.)
+secretName:
+ # secretName.application - Application secrets (auth-bind-ldap-password, google-maps-key, secret-key)
+ application: app-secrets
+ # secretName.database - Database Password (db-password)
+ database: db-password
+ # secretName.certificate - The secret that points to the certificate for this deployment (ngt-data)
+ certificate: ngt-data
+
+# volume - Volume directory information
+volume:
+ # volume.dbClaim - Postgres db volume name (change this name when restoring from backups)
+ dbClaim: db
+ # volume.backupDirectory - the postgres db backup directory
+ backupDirectory: ''
+ # volume.importDirectory - the directory under the backup to import (e.g. 20221016T230006)
+ importDirectory: ""
+ # volume.dataDirectory - directory where archive data is stored
+ dataDirectory: ""
+ # volume.dataImportDirectory - directory where archive data is imported from
+ dataImportDirectory: ""
+
+# ingress - manage external access to services
+# (https://kubernetes.io/docs/concepts/services-networking/ingress/)
+ingress:
+ # ingress.name - Name of the ingres. (Defaults to fullname)
+ name: ""
+ # ingress.enabled - enable the ingress
+ enabled: false
+ # ingress.annotations - annotations for this ingress
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ # ingress.hosts - list of hosts for the ingress
+ hosts:
+ - host: chart-example.local
+ paths: []
+ # ingress.tls - transport layer security
+ tls: []
+ # - secretName: -cert
+ # hosts:
+ # - www..com
+
+# env - environment variables for deployment
+env: []
+
+# web - The web deployment configuration for nginx
+web:
+ # web.serverName - The server name of this host
+ serverName: localhost
+ # web.realIp - obtain client IP from proxy headers
+ realIp:
+ # web.realIp.enabled - enable configuration for real ips
+ enabled: false
+ # web.realIp.fromIps - the list subnet addresses to accept real ips from (e.g. [ '10.42.0.0/16', '144.44.138.155/25' ])
+ fromIps: []
+ # web.locations - configuration for locations
+ locations:
+ # web.locations.root - root location declarations
+ root: []
+# - name: proxy_set_header
+# value: "X-Forwarded-Proto https"
+# comment: "Set protocol to HTTPS"
diff --git a/pyproject.toml b/pyproject.toml
index 6cd1e35d..d085a11f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -36,6 +36,8 @@ dev = ["flake8", "pytest", "pytest-celery", "pytest-django", "pytest-flake8", "pytest-mypy", "pytest-cov", "pytest-asyncio", "types-PyYAML", "types-chardet", "types-cryptography", "types-requests"] deploy = ["psycopg2-binary", "uwsgi"]
+docs = ["sphinx",
+ "myst-parser"] [tool.setuptools] py-modules = ["manage"]
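Review bot: `uid` and `gid` default to `""` but are rendered unquoted into `runAsUser`, `runAsGroup` and `fsGroup` by the deployment templates in this commit, where an empty value leaves the field unset rather than selecting a non-root id; the comments should say so, e.g. `# uid - Filesystem uid (required: rendered into runAsUser/fsGroup, must be a non-zero numeric id)`, or the defaults should be real numeric ids. The `readOnly` comment is missing its closing parenthesis: `# readOnly - is the archive in readonly mode? (true|false)`. `ingress.name` is documented as defaulting to fullname, yet ingress.yaml in this commit hard-codes `name: web` and never reads it, and `secretName.certificate` is not referenced by any template visible in this diff — either wire them up or drop them so the documented surface matches what the chart uses. `backupDirectory: ''` uses single quotes while every other empty default uses `""`.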