From 52f04dd08e24409042d2d15bfdb623ba385d2226 Mon Sep 17 00:00:00 2001 From: Jonathan Sick Date: Mon, 13 Jan 2025 12:04:17 -0500 Subject: [PATCH] Add times-square database migration job This job is based on the same one developed for Gafaelfaawr and will be part of a semi-manual process for running Alembic migrations when needed (e.g. following https://phalanx.lsst.io/applications/gafaelfawr/manage-schema.html#updating-the-database-schema). See also the Times Square PR: https://github.com/lsst-sqre/times-square/pull/88 --- applications/times-square/Chart.yaml | 2 +- applications/times-square/README.md | 1 + .../templates/job-schema-update.yaml | 150 ++++++++++++++++++ applications/times-square/values.yaml | 4 + 4 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 applications/times-square/templates/job-schema-update.yaml diff --git a/applications/times-square/Chart.yaml b/applications/times-square/Chart.yaml index 00567c3136..0e842d48b1 100644 --- a/applications/times-square/Chart.yaml +++ b/applications/times-square/Chart.yaml @@ -8,7 +8,7 @@ sources: type: application # The default version tag of the times-square docker image -appVersion: "0.13.0" +appVersion: "tickets-DM-48385" dependencies: - name: redis diff --git a/applications/times-square/README.md b/applications/times-square/README.md index d8e5141587..fd6e53da07 100644 --- a/applications/times-square/README.md +++ b/applications/times-square/README.md @@ -33,6 +33,7 @@ An API service for managing and rendering parameterized Jupyter notebooks. | config.profile | string | `"production"` | Run profile: "production" or "development" | | config.redisCacheUrl | string | Points to embedded Redis | URL for Redis html / noteburst job cache database | | config.redisQueueUrl | string | Points to embedded Redis | URL for Redis arq queue database | +| config.updateSchema | bool | false to disable schema upgrades | Whether to run the database migration job | | config.worker.enableLivenessCheck | bool | `true` | Enable liveness checks for the arq queue | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by times-square Argo CD Application | Base URL for the environment | diff --git a/applications/times-square/templates/job-schema-update.yaml b/applications/times-square/templates/job-schema-update.yaml new file mode 100644 index 0000000000..16bfca921c --- /dev/null +++ b/applications/times-square/templates/job-schema-update.yaml @@ -0,0 +1,150 @@ +{{- if .Values.config.updateSchema -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: "times-square-schema-update" + annotations: + annotations: + helm.sh/hook: "pre-install,pre-upgrade" + helm.sh/hook-delete-policy: "hook-succeeded" + helm.sh/hook-weight: "1" + labels: + {{- include "times-square.labels" . | nindent 4 }} +spec: + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "times-square.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: "schema-update" + times-square-redis-client: "true" + spec: + {{- if .Values.cloudsql.enabled }} + serviceAccountName: "times-square" + {{- else }} + automountServiceAccountToken: false + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + - name: "cloud-sql-proxy" + # Running the sidecar as normal causes it to keep running and thus + # the Pod never exits, the Job never finishes, and the hook blocks + # the sync. Have the main pod signal the sidecar by writing to a + # file on a shared emptyDir file system, and use a simple watcher + # loop in shell in the sidecar container to terminate the proxy when + # the main container finishes. + # + # Based on https://stackoverflow.com/questions/41679364/ + command: + - "/bin/sh" + - "-c" + args: + - | + /cloud_sql_proxy -ip_address_types=PRIVATE -log_debug_stdout=true -structured_logs=true -instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432 & + PID=$! + while true; do + if [[ -f "/lifecycle/main-terminated" ]]; then + kill $PID + exit 0 + fi + sleep 1 + done + image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}{{ .Values.cloudsql.image.schemaUpdateTagSuffix }}" + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} + {{- with .Values.cloudsql.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + volumeMounts: + - name: "lifecycle" + mountPath: "/lifecycle" + {{- end }} + - name: "times-square" + command: + - "/bin/sh" + - "-c" + - | + times-square update-db-schema + touch /lifecycle/main-terminated + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "all" + readOnlyRootFilesystem: true + envFrom: + - configMapRef: + name: {{ include "times-square.fullname" . }} + env: + - name: "TS_GAFAELFAWR_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-gafaelfawr-token + key: "token" + - name: "TS_DATABASE_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_DATABASE_PASSWORD" + - name: "TS_GITHUB_WEBHOOK_SECRET" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_GITHUB_WEBHOOK_SECRET" + - name: "TS_GITHUB_WEBHOOK_SECRET" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_GITHUB_WEBHOOK_SECRET" + - name: "TS_GITHUB_APP_PRIVATE_KEY" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_GITHUB_APP_PRIVATE_KEY" + - name: "TS_SLACK_WEBHOOK_URL" + valueFrom: + secretKeyRef: + name: {{ template "times-square.fullname" . }}-secret + key: "TS_SLACK_WEBHOOK_URL" + volumeMounts: + - name: "lifecycle" + mountPath: "/lifecycle" + restartPolicy: "Never" + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + volumes: + - name: "lifecycle" + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/applications/times-square/values.yaml b/applications/times-square/values.yaml index 5e5437af72..6faa761145 100644 --- a/applications/times-square/values.yaml +++ b/applications/times-square/values.yaml @@ -119,6 +119,10 @@ config: # @default -- None, must be set databaseUrl: "" + # -- Whether to run the database migration job + # @default -- false to disable schema upgrades + updateSchema: false + # -- URL for Redis html / noteburst job cache database # @default -- Points to embedded Redis redisCacheUrl: "redis://times-square-redis:6379/0"