Update compute charts

charts/compute/Chart.yaml

@@ -1,9 +1,8 @@
 apiVersion: v2
 name: gdi-funnel
-version: 0.1
-appVersion: 0.1
+version: "0.8.2"
+appVersion: "0.3"
 description: gdi-funnel
 maintainers:
 - name: CERIT-SC
   email: [email protected]
-engine: gotpl

charts/compute/files/funnel-server-config.yml

@@ -6,95 +6,112 @@ BoltDB:
 Compute: {{ .Values.compute }}
 
 Logger:
-  Level: debug
+  Level: {{ .Values.logLevel | quote }}
 
 HTSGETStorage:
-  Disabled: {{ .Values.htsget.disabled }}
-  Protocol: {{ .Values.htsget.protocol }}
-  SendPublicKey: {{ .Values.htsget.sendpublickey }}
+  ServiceURL: {{ .Values.htsget.serviceURL | quote }}
+  Timeout: {{ .Values.htsget.timeout | quote }}
+
+SDAStorage:
+  ServiceURL: {{ .Values.sda.serviceURL | quote }}
+  Timeout: {{ .Values.sda.timeout | quote }}
 
 Server:
   # Require Bearer JWT authentication for the server APIs.
   # Server won't launch when configuration URL cannot be loaded.
   OidcAuth:
     # URL of the OIDC service configuration:
-    ServiceConfigUrl: {{ .Values.oidc.url }}
-    # Client ID and secret are sent with the token introspection request 
+    ServiceConfigURL: {{ .Values.oidc.url }}
+    # Client ID and secret are sent with the token introspection request
     # (Basic authentication):
     ClientId: {{ .Values.oidc.clientid }}
     ClientSecret: {{ .Values.oidc.clientsecret }}
+    # This is irrelevant when only backend is deployed but needs be non-empty
+    RedirectURL: "http://localhost:8000/login"
     # Optional: if specified, this scope value must be in the token:
     # RequireScope:
     # Optional: if specified, this audience value must be in the token:
     RequireAudience: {{ .Values.oidc.audience | quote }}
   BasicAuth:
     - User: {{ .Values.basicauth.user | quote }}
       Password: {{ .Values.basicauth.password | quote }}
-
+      Admin: true
+
   HostName: 0.0.0.0
-  
+
 RPCClient:
   User: {{ .Values.basicauth.user | quote }}
   Password: {{ .Values.basicauth.password | quote }}
 
+AmazonS3:
+  Disabled: {{ .Values.awsS3.disabled }}
+  Key: {{ .Values.awsS3.key | quote }}
+  Secret: {{ .Values.awsS3.secret | quote }}
+
+GenericS3:
+  - Disabled: {{ .Values.genericS3.disabled }}
+    Endpoint: {{ .Values.genericS3.endpoint | quote }}
+    Key: {{ .Values.genericS3.key | quote }}
+    Secret: {{ .Values.genericS3.secret | quote }}
+
 Kubernetes:
   DisableJobCleanup: false
   DisableReconciler: false
   ReconcileRate: 5m
   Namespace: {{ .Release.Namespace }}
-  Template: | 
+  Template: |
     apiVersion: batch/v1
     kind: Job
     metadata:
       ## DO NOT CHANGE NAME
       name: {{ print "{{.TaskId}}" }}
       namespace: {{ print "{{.Namespace}}" }}
-    spec: 
+    spec:
       backoffLimit: 0
       completions: 1
       template:
+        metadata:
+            labels:
+              kubernetes.io/job.executor: "true"
         spec:
-          serviceAccountName: funnel-sa
+          serviceAccountName: {{ .Release.Name }}-sa
           restartPolicy: Never
           securityContext:
-            runAsUser: 1000
+            fsGroup: {{ .Values.securityContext.master.fsGroup}}
+            runAsUser: {{ .Values.securityContext.master.runAsUser}}
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          containers: 
+          containers:
             - name: funnel-worker-{{ print "{{.TaskId}}" }}
               image: {{ .Values.image }}
               imagePullPolicy: Always
-              args:
-                - "worker"
-                - "run"
-                - "--config"
-                - "/etc/config/funnel-worker-config.yml"
-                - "--taskID"
-                - {{ print "{{.TaskId}}" }}
+              command: ["/app/funnel"]
+              args: ["worker", "run", "--config", "/etc/config/funnel-worker-config.yml", "--taskID", {{ print "{{.TaskId}}" }}]
               resources:
                 requests:
                   cpu: {{ print "{{if ne .Cpus 0 -}}{{.Cpus}}{{ else }}{{\"100m\"}}{{end}}" }}
                   memory: {{ print "{{if ne .RamGb 0.0 -}}{{printf \"%.0fG\" .RamGb}}{{else}}{{\"16M\"}}{{end}}" }}
                   ephemeral-storage: {{ print "{{if ne .DiskGb 0.0 -}}{{printf \"%.0fG\" .DiskGb}}{{else}}{{\"100M\"}}{{end}}" }}
                 limits:
-                  cpu: 1000m
-                  memory: 1G
+                  cpu: {{ .Values.computeResourceLimits.master.cpu | quote }}
+                  memory: {{ .Values.computeResourceLimits.master.memory | quote }}
+                  ephemeral-storage: {{ .Values.computeResourceLimits.master.ephemeralStorage | quote }}
               securityContext:
                 allowPrivilegeEscalation: false
                 capabilities:
                   drop:
                     - ALL
+                privileged: false
               volumeMounts:
                 - name: funnel-storage-{{ print "{{.TaskId}}" }}
-                  mountPath: /opt/funnel/funnel-work-dir/{{ print "{{.TaskId}}" }}
-                  subPath: {{ print "{{.TaskId}}" }}
+                  mountPath: /opt/funnel/funnel-work-dir
                 - name: config-volume
                   mountPath: /etc/config
                 - name: keys
                   mountPath: /keys
-    
-          volumes: 
+
+          volumes:
             - name: config-volume
               secret:
                 secretName: {{ .Release.Name }}-worker-config

charts/compute/files/funnel-worker-config.yml

@@ -3,12 +3,15 @@ Database: boltdb
 Compute: {{ .Values.compute }}
 
 Logger:
-  Level: debug
+  Level: {{ .Values.logLevel | quote }}
 
 HTSGETStorage:
-  Disabled: {{ .Values.htsget.disabled }}
-  Protocol: {{ .Values.htsget.protocol }}
-  SendPublicKey: {{ .Values.htsget.sendpublickey }}
+  ServiceURL: {{ .Values.htsget.serviceURL | quote }}
+  Timeout: {{ .Values.htsget.timeout | quote }}
+
+SDAStorage:
+  ServiceURL: {{ .Values.sda.serviceURL | quote }}
+  Timeout: {{ .Values.sda.timeout | quote }}
 
 RPCClient:
   MaxRetries: 3
@@ -24,11 +27,21 @@ Server:
   HostName: {{ .Release.Name }}
   RPCPort: 9090
 
+AmazonS3:
+  Disabled: {{ .Values.awsS3.disabled }}
+  Key: {{ .Values.awsS3.key | quote }}
+  Secret: {{ .Values.awsS3.secret | quote }}
+
+GenericS3:
+  - Disabled: {{ .Values.genericS3.disabled }}
+    Endpoint: {{ .Values.genericS3.endpoint | quote }}
+    Key: {{ .Values.genericS3.key | quote }}
+    Secret: {{ .Values.genericS3.secret | quote }}
 
 Kubernetes:
   # Change to "kubernetes" to use the kubernetes executor
   Executor: {{ .Values.compute }}
-  Namespace: {{ .Release.Namespace }} 
+  Namespace: {{ .Release.Namespace }}
   ExecutorTemplate: |
     apiVersion: batch/v1
     kind: Job
@@ -37,49 +50,53 @@ Kubernetes:
       namespace: {{ print "{{.Namespace}}" }}
       labels:
         job-name: {{ print "{{.TaskId}}-{{.JobId}}" }}
-    spec: 
+    spec:
       backoffLimit: 0
       completions: 1
       template:
         spec:
           restartPolicy: Never
           securityContext:
-            runAsUser: 1000
+            fsGroup: {{ .Values.securityContext.worker.fsGroup}}
+            runAsUser: {{ .Values.securityContext.worker.runAsUser}}
+            runAsGroup: {{ .Values.securityContext.worker.runAsGroup}}
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          containers: 
+          containers:
           - name: funnel-worker-{{ print "{{.TaskId}}" }}
             image: {{ print "{{.Image}}" }}
             imagePullPolicy: Always
             command: ["/bin/sh", "-c"]
-            args: {{.Command}}
+            args: {{ print "{{.Command}}" }}
             workingDir: {{ print "{{.Workdir}}" }}
             resources:
               requests:
                 cpu: {{ print "{{if ne .Cpus 0 -}}{{.Cpus}}{{ else }}{{\"100m\"}}{{end}}" }}
                 memory: {{ print "{{if ne .RamGb 0.0 -}}{{printf \"%.0fG\" .RamGb}}{{else}}{{\"16M\"}}{{end}}" }}
                 ephemeral-storage: {{ print "{{if ne .DiskGb 0.0 -}}{{printf \"%.0fG\" .DiskGb}}{{else}}{{\"100M\"}}{{end}}" }}
               limits:
-                cpu: 1000m
-                memory: 5G
+                cpu: {{ .Values.computeResourceLimits.worker.cpu | quote}}
+                memory: {{ .Values.computeResourceLimits.worker.memory | quote }}
+                ephemeral-storage: {{ .Values.computeResourceLimits.worker.ephemeralStorage | quote}}
             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                   - ALL
+              privileged: false
             volumeMounts:
             - name: storage
               mountPath: /shared
               subPath: shared
             ### DO NOT CHANGE THIS
             {{ print "{{range $idx, $item := .Volumes}}" }}
-            - name: storage 
+            - name: storage
               mountPath: {{ print "{{$item.ContainerPath}}" }}
               subPath: {{ print "{{$.TaskId}}{{$item.ContainerPath}}" }}
             {{ print "{{end}}" }}
 
-          volumes: 
+          volumes:
           - name: storage
             persistentVolumeClaim:
               claimName: {{ .Values.pvc.name }}

charts/compute/templates/funnel-deployment.yaml

@@ -23,44 +23,51 @@ spec:
         app: {{ .Release.Name }}
     spec:
       containers:
-        - args:
-            - server
-            - run
-            - '--config'
-            - /etc/config/funnel-server-config.yml
+        - name: funnel
+          command: ["/app/funnel"]
+          args: ["server", "run", "--config", "/etc/config/funnel-server-config.yml"]
           image: {{ .Values.image }}
           imagePullPolicy: Always
-          name: funnel
           ports:
             - containerPort: 8000
               protocol: TCP
             - containerPort: 9090
               protocol: TCP
           resources:
-            {{- toYaml $.Values.resources | nindent 12 }}
+            {{- toYaml $.Values.funnel.resources | nindent 12 }}
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - ALL
+            privileged: false
           volumeMounts:
             - mountPath: /opt/funnel/funnel-work-dir
               name: funnel-deployment-storage
             - mountPath: /etc/config
               name: config-volume
+  {{- if .Values.funnel.readinessProbeEnabled }}
+          readinessProbe:
+            httpGet:
+              path: /health.html
+              port: 8000
+            initialDelaySeconds: 1
+            periodSeconds: 5
+  {{- end }}
       securityContext:
+        fsGroup: 1000
         runAsNonRoot: true
         runAsUser: {{ .Values.funnel.runAsUser }}
 {{- if .Values.funnel.seccompProfile }}
         seccompProfile:
           type: RuntimeDefault
 {{- end }}
-      serviceAccount: {{ .Values.serviceAccount }}
+      serviceAccount: {{ .Release.Name }}-sa
       volumes:
         - name: funnel-deployment-storage
           persistentVolumeClaim:
             claimName: {{ .Values.pvc.name }}
-        - secret:
+        - name: config-volume
+          secret:
             defaultMode: 420
-            secretName: {{ .Release.Name }}-server-config 
-          name: config-volume
+            secretName: {{ .Release.Name }}-server-config

charts/compute/templates/funnel-ingress.yaml

@@ -7,10 +7,12 @@ metadata:
     {{- toYaml $.Values.ingress.annotations | nindent 4 }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tlsEnabled }}
   tls:
    - hosts:
        - {{ .Values.ingress.host }}
      secretName: {{ .Values.ingress.host | replace "." "-" }}
+  {{- end }}
   rules:
   - host: {{ .Values.ingress.host }}
     http:

charts/compute/templates/funnel-rbac.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.createRole }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-role
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["batch", "extensions"]
+  resources: ["jobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["extensions", "apps"]
+  resources: ["deployments"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-rolebinding
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Release.Name }}-sa
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/compute/templates/serviceaccount.yaml

@@ -0,0 +1,7 @@
+{{- if .Values.rbacEnabled }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-sa
+  namespace: {{ .Release.Namespace }}
+{{- end }}