From 32c2a4c53c02ae4584ff94070b0a41e9c134aaa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wa=C3=ABl=20Ammar?=
Date: Tue, 8 Nov 2022 21:49:43 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8(helm)=20Add=20ralph's=20chart?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

used to deploy Ralph on k8s
---
 src/helm/README.md | 43 ++++++++
 src/helm/ralph/Chart.yaml | 24 +++++
 src/helm/ralph/templates/_helpers.tpl | 53 ++++++++++
 src/helm/ralph/templates/cronjob.yaml | 74 ++++++++++++++
 src/helm/ralph/templates/deployment.yaml | 98 ++++++++++++++++++
 src/helm/ralph/templates/hpa.yaml | 28 ++++++
 src/helm/ralph/templates/ingress.yaml | 29 ++++++
 src/helm/ralph/templates/pvc.yml | 14 +++
 src/helm/ralph/templates/secrets.yaml | 54 ++++++++++
 src/helm/ralph/templates/service.yaml | 18 ++++
 src/helm/ralph/values.yaml | 120 +++++++++++++++++++++++
 src/helm/ralph/vault.yaml | 31 ++++++
 12 files changed, 586 insertions(+)
 create mode 100644 src/helm/README.md
 create mode 100644 src/helm/ralph/Chart.yaml
 create mode 100644 src/helm/ralph/templates/_helpers.tpl
 create mode 100644 src/helm/ralph/templates/cronjob.yaml
 create mode 100644 src/helm/ralph/templates/deployment.yaml
 create mode 100644 src/helm/ralph/templates/hpa.yaml
 create mode 100644 src/helm/ralph/templates/ingress.yaml
 create mode 100644 src/helm/ralph/templates/pvc.yml
 create mode 100644 src/helm/ralph/templates/secrets.yaml
 create mode 100644 src/helm/ralph/templates/service.yaml
 create mode 100644 src/helm/ralph/values.yaml
 create mode 100644 src/helm/ralph/vault.yaml

diff --git a/src/helm/README.md b/src/helm/README.md
new file mode 100644
index 000000000..8aa010a9c
--- /dev/null
+++ b/src/helm/README.md
@@ -0,0 +1,43 @@
+# Ralph Helm Chart
+
+This is the helm chart used to deploy ralph application.
+
+All default values are in `values.yaml`.
+
+⚠️ This helm chart is still under active development and is not suitable for production use.
+
+## Review manifest
+
+To generate and review your manifest, under `./src/helm` run the following command:
+```
+$ helm template .
+```
+
+## Deploy chart
+### Requirements
+* Helm
+* Needed Kubernetes context selected
+
+
+### Environments
+
+Please note that with Helm, you can extend the values files. There is no need to copy/paste all the default values and you can replace a value by setting it in your env file.
+
+You can add an environment values file under the root of the chart, _e.g._ `dev-values.yaml` and set only needed customizations.
+
+
+This chart use the file `vaul.yaml` to set the mandatory secrets for the application
+
+### How to
+
+Under `./src/helm`
+
+```
+$ helm upgrade --install RELEASE_NAME ralph/. --values ralph/dev-values.yaml
+```
+
+Tips:
+
+* use `--values` to pass an env values file to extend and/or replace the default values
+* `--set var=value` to replace one var/value
+* `--dry-run` to verify your manifest before deploying
diff --git a/src/helm/ralph/Chart.yaml b/src/helm/ralph/Chart.yaml
new file mode 100644
index 000000000..04a846f58
--- /dev/null
+++ b/src/helm/ralph/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: ralph
+description: A Helm chart for Ralph
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "3.0.0"
diff --git a/src/helm/ralph/templates/_helpers.tpl b/src/helm/ralph/templates/_helpers.tpl
new file mode 100644
index 000000000..98f152b0b
--- /dev/null
+++ b/src/helm/ralph/templates/_helpers.tpl
@@ -0,0 +1,53 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ralph.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ralph.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ralph.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ralph.labels" -}}
+helm.sh/chart: {{ include "ralph.chart" . }}
+{{ include "ralph.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ralph.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ralph.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app: ralph
+service: app
+{{- end }}
diff --git a/src/helm/ralph/templates/cronjob.yaml b/src/helm/ralph/templates/cronjob.yaml
new file mode 100644
index 000000000..825bb2803
--- /dev/null
+++ b/src/helm/ralph/templates/cronjob.yaml
@@ -0,0 +1,74 @@
+{{- if .Values.ralph_cronjobs }}
+{{- range $job := .Values.ralph_cronjobs }}
+{{- with $ -}}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: "ralph-job-{{ $job.name }}"
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ type: job
+spec:
+ schedule: {{ $job.schedule | quote }}
+ successfulJobsHistoryLimit: 2
+ concurrencyPolicy: Forbid
+ failedJobsHistoryLimit: 1
+ suspend: false
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ name: "ralph-job-{{ $job.name }}"
+ labels:
+ {{- include "ralph.labels" . | nindent 12 }}
+ type: job
+ spec:
+ restartPolicy: Never
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ containers:
+ - name: "ralph-job-{{ $job.name }}"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - bash
+ - "-c"
+ {{- with $job.command }}
+ {{ toYaml . | nindent 16 }}
+ {{- end }}
+ env:
+ - name: RALPH_APP_DIR
+ value: "/app/.ralph"
+ envFrom:
+ - secretRef:
+ name: {{ .Values.ralph.secret_name }}
+ volumeMounts:
+ - name: ralph-v-history
+ mountPath: /app/.ralph
+ {{- if .Values.ralph.elastic.mount_ca_secret }}
+ - name: es-ca-certificate
+ mountPath: /usr/local/share/ca-certificates/
+ {{- end }}
+ - name: lrs-auth
+ mountPath: /var/run/ralph/
+ volumes:
+ - name: ralph-v-history
+ persistentVolumeClaim:
+ claimName: ralph-pvc-history
+ {{- if .Values.ralph.elastic.mount_ca_secret }}
+ - name: es-ca-certificate
+ secret:
+ secretName: {{ .Values.ralph.elastic.ca_secret_name }}
+ {{- end }}
+ - name: lrs-auth
+ secret:
+ secretName: {{ .Values.ralph_lrs.auth_secret_name }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/src/helm/ralph/templates/deployment.yaml b/src/helm/ralph/templates/deployment.yaml
new file mode 100644
index 000000000..a078d8255
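Review bot: The job container mounts the `lrs-auth` secret at `/var/run/ralph/` (the `volumeMounts`/`volumes` entries near the end of the hunk), yet nothing in the job sets `RALPH_AUTH_FILE` and the default job command in values.yaml only reads from LDP and pushes to ES, so the LRS credential hashes appear to be handed to a workload that does not need them; unless a job genuinely reads the auth file, drop both `lrs-auth` entries. The pod `securityContext` copied from values only carries `runAsUser`/`runAsGroup`; adding `runAsNonRoot: true` there and a container-level `securityContext` with `allowPrivilegeEscalation: false` makes the non-root intent enforced by the kubelet rather than assumed, and the same applies to the container in deployment.yaml. Minor: `{{ toYaml . | nindent 16 }}` opens without `-` on an indented line, so the rendered manifest carries a whitespace-only line before the command item; `{{- toYaml . | nindent 16 }}` avoids it.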
--- /dev/null
+++ b/src/helm/ralph/templates/deployment.yaml
@@ -0,0 +1,98 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "ralph.fullname" . }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "ralph.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ralph.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ {{- toYaml .Values.ralph_lrs.command | nindent 12 }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ livenessProbe:
+ httpGet:
+ path: /__heartbeat__
+ port: {{ .Values.ralph_lrs.port }}
+ httpHeaders:
+ - name: Host
+ value: "lrs.{{ .Values.namespace }}.{{ .Values.ralph_lrs.domain_name }}"
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /__lbheartbeat__
+ port: {{ .Values.ralph_lrs.port }}
+ httpHeaders:
+ - name: Host
+ value: "lrs.{{ .Values.namespace }}.{{ .Values.ralph_lrs.domain_name }}"
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ env:
+ - name: RALPH_APP_DIR
+ value: "/app/.ralph"
+ - name: RALPH_AUTH_FILE
+ value: "/var/run/ralph/auth.json"
+ - name: RALPH_BACKENDS__DATABASE__ES__CLIENT_OPTIONS__ca_certs
+ value: "/usr/local/share/ca-certificates/es-cluster.pem"
+ envFrom:
+ - secretRef:
+ name: {{ .Values.ralph.secret_name }}
+ volumeMounts:
+ - name: ralph-v-history
+ mountPath: /app/.ralph
+ {{- if .Values.ralph.elastic.mount_ca_secret }}
+ - name: es-ca-certificate
+ mountPath: /usr/local/share/ca-certificates/
+ {{- end }}
+ - name: lrs-auth
+ mountPath: /var/run/ralph/
+ volumes:
+ - name: ralph-v-history
+ persistentVolumeClaim:
+ claimName: ralph-pvc-history
+ {{- if .Values.ralph.elastic.mount_ca_secret }}
+ - name: es-ca-certificate
+ secret:
+ secretName: {{ .Values.ralph.elastic.ca_secret_name }}
+ {{- end }}
+ - name: lrs-auth
+ secret:
+ secretName: {{ .Values.ralph_lrs.auth_secret_name }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/src/helm/ralph/templates/hpa.yaml b/src/helm/ralph/templates/hpa.yaml
new file mode 100644
index 000000000..654157fc0
--- /dev/null
+++ b/src/helm/ralph/templates/hpa.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "ralph.fullname" . }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "ralph.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/src/helm/ralph/templates/ingress.yaml b/src/helm/ralph/templates/ingress.yaml
new file mode 100644
index 000000000..265b0a257
--- /dev/null
+++ b/src/helm/ralph/templates/ingress.yaml
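Review bot: `RALPH_BACKENDS__DATABASE__ES__CLIENT_OPTIONS__ca_certs` is set unconditionally to `/usr/local/share/ca-certificates/es-cluster.pem`, while the `es-ca-certificate` mount that provides that file is guarded by `.Values.ralph.elastic.mount_ca_secret`; with the guard false the ES client is pointed at a path that does not exist. Wrapping the env entry in the same `{{- if .Values.ralph.elastic.mount_ca_secret }}` … `{{- end }}` keeps the two consistent. The mismatch also occurs with the shipped defaults, since vault.yaml sets `ES_CA_CERTIFICATE: ""` and secrets.yaml then emits a CA Secret with no `es-cluster.pem` key, so the mounted directory is empty. Separately, both probes' Host header reference `.Values.ralph_lrs.domain_name`, which values.yaml in this commit does not define (it defines `ralph_lrs.host`), so the header presumably renders as `lrs.<namespace>.` — confirm which value was intended.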
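Review bot: `apiVersion: autoscaling/v2beta1` was removed from Kubernetes in v1.25, so this HPA will not apply on current clusters; `autoscaling/v2` has been stable since v1.23 and changes the metric shape from `targetAverageUtilization` to a `target` block. This object also omits `namespace: {{ .Values.namespace }}`, unlike deployment.yaml, pvc.yml and secrets.yaml, so when the release namespace differs from `.Values.namespace` the `scaleTargetRef` names a Deployment that is not in the HPA's namespace; ingress.yaml and service.yaml have the same omission, and a Service in the wrong namespace selects no pods. The rewritten header and metrics block below show the v2 form.
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: {{ include "ralph.fullname" . }}
  namespace: {{ .Values.namespace }}
# … unchanged: labels, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```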
@@ -0,0 +1,29 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: "ralph-app-{{ .Values.ralph.prefix }}"
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.ingress.className }}
+ tls:
+ - hosts:
+ - {{ .Values.ralph_lrs.host | quote }}
+ secretName: "ralph-app-tls-{{ .Values.ralph.prefix }}"
+ rules:
+ - host: {{ .Values.ralph_lrs.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: "ralph-app-{{ .Values.ralph.prefix }}"
+ port:
+ number: {{ .Values.ralph_lrs.port }}
+{{- end }}
diff --git a/src/helm/ralph/templates/pvc.yml b/src/helm/ralph/templates/pvc.yml
new file mode 100644
index 000000000..8dbff4fe2
--- /dev/null
+++ b/src/helm/ralph/templates/pvc.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: ralph-pvc-history
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - {{ .Values.ralph.volume_history.access_modes }}
+ resources:
+ requests:
+ storage: {{ .Values.ralph.volume_history.size }}
+ storageClassName: {{ .Values.ralph.volume_history.storage_class }}
diff --git a/src/helm/ralph/templates/secrets.yaml b/src/helm/ralph/templates/secrets.yaml
new file mode 100644
index 000000000..77d094ce7
--- /dev/null
+++ b/src/helm/ralph/templates/secrets.yaml
@@ -0,0 +1,54 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.ralph.secret_name }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ annotations:
+ checksum/config: {{ (tpl (.Files.Glob "vault.yaml").AsSecrets . ) | sha256sum }}
+type: Opaque
+data:
+{{- $v := $.Files.Get "vault.yaml" | fromYaml }}
+{{- range $key, $val := $v }}
+ {{ if contains "RALPH_" $key }}
+ {{ $key | nindent 2 }}: {{ $val | b64enc }}
+ {{- end }}
+{{- end }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.ralph_lrs.auth_secret_name }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ annotations:
+ checksum/config: {{ (tpl (.Files.Glob "vault.yaml").AsSecrets . ) | sha256sum }}
+type: Opaque
+data:
+{{- $v := $.Files.Get "vault.yaml" | fromYaml }}
+{{ if get $v "LRS_AUTH" }}
+ auth.json: {{ get $v "LRS_AUTH" | toJson | b64enc }}
+{{- end }}
+
+{{- if .Values.ralph.elastic.mount_ca_secret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.ralph.elastic.ca_secret_name }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ annotations:
+ checksum/config: {{ (tpl (.Files.Glob "vault.yaml").AsSecrets . ) | sha256sum }}
+type: Opaque
+data:
+{{- $v := $.Files.Get "vault.yaml" | fromYaml }}
+{{ if get $v "ES_CA_CERTIFICATE" }}
+ es-cluster.pem: {{ get $v "ES_CA_CERTIFICATE" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/src/helm/ralph/templates/service.yaml b/src/helm/ralph/templates/service.yaml
new file mode 100644
index 000000000..a143f2265
--- /dev/null
+++ b/src/helm/ralph/templates/service.yaml
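Review bot: The `checksum/config` annotation is placed on the three Secret objects themselves, where it triggers nothing; the pattern only forces a rollout when the checksum sits on the Deployment's pod template (`spec.template.metadata.annotations`), and deployment.yaml in this commit has no such annotation, so editing vault.yaml updates the Secrets while running pods keep the old values until something else restarts them. The `range` loop emits `{{ $val | b64enc }}` for every key containing `RALPH_`, which assumes each value is a scalar string; a nested mapping or list in vault.yaml would reach `b64enc` as a non-string, so either pipe through `toString` first or document the constraint in vault.yaml. Because all three Secrets are built from `.Files.Get "vault.yaml"` inside the chart directory, populated credentials have to live next to the templates; the README should state that the committed file holds placeholders only (it already carries a `fake` Sentry DSN) and that a populated copy must be kept out of version control. Style: `{{ if contains "RALPH_" $key }}` and `{{ $key | nindent 2 }}` open without `-` on indented lines, producing whitespace-only lines per key, and `contains` matches the substring anywhere; `{{- if hasPrefix "RALPH_" $key }}` followed by `  {{ $key }}: {{ $val | b64enc }}` on its own line is tighter and matches the intended prefix.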
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ service_prefix: {{ .Values.ralph.prefix }}
+ name: "ralph-app-{{ .Values.ralph.prefix }}"
+ namespace: {{ .Values.namespace }}
+spec:
+ ports:
+ - name: "{{ .Values.ralph_lrs.port }}-tcp"
+ port: {{ .Values.ralph_lrs.port }}
+ protocol: TCP
+ targetPort: {{ .Values.ralph_lrs.port }}
+ type: ClusterIP
+ selector:
+ {{- include "ralph.selectorLabels" . | nindent 4 }}
diff --git a/src/helm/ralph/values.yaml b/src/helm/ralph/values.yaml
new file mode 100644
index 000000000..8fdb9034a
--- /dev/null
+++ b/src/helm/ralph/values.yaml
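Review bot: `type: ClusterIP` and the port are hard-coded here while values.yaml declares a `service:` block with `type` and `port` that no template in this commit reads, so a user setting `service.type` gets no effect; either render `type: {{ .Values.service.type }}` or remove the unused values so the surface of the chart matches its documentation. The `service_prefix` label value is emitted unquoted from `.Values.ralph.prefix`; label values must be strings, so `service_prefix: {{ .Values.ralph.prefix | quote }}` protects against a numeric or boolean-looking prefix being rendered as a non-string and rejected by the API server.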
@@ -0,0 +1,120 @@
+# Default values for ralph.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+###########################
+### CHART CONFIGURATION ###
+###########################
+
+namespace: default
+
+replicaCount: 1
+
+image:
+ repository: fundocker/ralph
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+podAnnotations: {}
+
+securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+
+service:
+ type: ClusterIP
+ port: 8080
+
+ingress:
+ enabled: false
+ className: "traefik"
+ annotations:
+ # kubernetes.io/ingress.class: traefik
+ cert-manager.io/issuer: letsencrypt
+
+affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: deployment
+ operator: In
+ values:
+ - "ralph-app"
+ topologyKey: kubernetes.io/hostname
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+resources:
+ {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+###########################
+### RALPH CONFIGURATION ###
+###########################
+
+ralph:
+ customer: ""
+ env_type: ""
+ prefix: "traefik"
+ acme_enabled_route_prefix: "traefik.acme"
+ secret_name: "secret-ralph"
+ volume_history:
+ size: 2Gi
+ access_modes: ReadWriteMany
+ storage_class: "local-storage"
+ elastic:
+ mount_ca_secret: true
+ ca_secret_name: "ralph-es-ca"
+
+ralph_lrs:
+ host: ralph.example.com
+ port: 8080
+ auth_secret_name: "ralph-lrs-auth"
+ command:
+ - uvicorn
+ - "ralph.api:app"
+ - "--proxy-headers"
+ - "--host"
+ - "0.0.0.0"
+ - "--port"
+ - "8080"
+
+# ralph_cronjobs: []
+ralph_cronjobs:
+ - name: daily-ldp-to-es
+ schedule: "30 2 * * *"
+ command:
+ - ralph list --backend ldp --new |
+ xargs -I {} -n 1 bash -c "
+ ralph fetch --backend ldp {} |
+ gunzip |
+ ralph extract -p gelf |
+ ralph push \
+ --backend es \
+ --es-client-options ca_certs=/usr/local/share/ca-certificates/es-cluster.pem"
diff --git a/src/helm/ralph/vault.yaml b/src/helm/ralph/vault.yaml
new file mode 100644
index 000000000..e682464bd
--- /dev/null
+++ b/src/helm/ralph/vault.yaml
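Review bot: The `affinity.podAntiAffinity` term selects pods with `deployment: ralph-app`, but no template in this commit sets a `deployment` label (the selector labels from _helpers.tpl are `app.kubernetes.io/name`, `app.kubernetes.io/instance`, `app` and `service`), so the preferred anti-affinity never matches and replicas can be co-scheduled on one node; `key: app.kubernetes.io/name` with `values: [ralph]` (the default of `ralph.name`) would match the pods this chart actually creates. `ralph_cronjobs` ships with the daily LDP-to-ES job enabled while the commented `# ralph_cronjobs: []` line suggests opt-in was intended; defaulting to `[]` avoids scheduling a job against a backend a fresh install may not have configured. The job command substitutes `xargs -I {}` output into a `bash -c` string, so a quoted `\"{}\"` or passing the name as a positional argument is the more defensive form — hedged, since the archive names come from the LDP backend and their format is not visible here. `securityContext` only sets `runAsUser`/`runAsGroup`; `runAsNonRoot: true` alongside them turns the intent into a kubelet-enforced check.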
@@ -0,0 +1,31 @@
+RALPH_BACKENDS__DATABASE__ES__HOSTS: http://elasticsearch:9200
+RALPH_BACKENDS__DATABASE__ES__INDEX: statements
+RALPH_SENTRY_DSN: https://fake@key.ingest.sentry.io/1234567
+RALPH_EXECUTION_ENVIRONMENT: production
+
+# If you have self-generated a CA certificate for your ES cluster nodes, you may
+# also need this CA certificate to check certificates while requesting the
+# cluster. If defined, this CA certificate will be mounted to
+# /usr/local/share/ca-certificates/es-cluster.pem
+#
+# We expect this certificate to be pasted in PEM format
+ES_CA_CERTIFICATE: ""
+
+# Authentication
+#
+# For each entry, we expect the following keys:
+# - username (str)
+# - hash (str)
+# - scopes (list)
+#
+# Example:
+#
+# LRS_AUTH:
+# - username: "foo"
+# hash: "thehash"
+# scopes:
+# - "foo_scope"
+#
+# For more information about hash generation, see Ralph's documentation:
+# https://openfun.github.io/ralph/api/#creating_a_credentials_file
+LRS_AUTH: []
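Review bot: The file has no header explaining how secrets.yaml consumes it: every key whose name contains `RALPH_` is copied as-is into the `ralph.secret_name` Secret, which deployment.yaml and cronjob.yaml load wholesale via `envFrom`, while `ES_CA_CERTIFICATE` and `LRS_AUTH` are special-cased into their own Secrets. A short top-of-file comment stating that split, that `RALPH_*` values must be plain strings, and that the committed copy holds placeholders only (the `RALPH_SENTRY_DSN` value is a `fake` DSN) would save the next reader a trip through the templates. `ES_CA_CERTIFICATE: ""` combined with the `elastic.mount_ca_secret: true` default in values.yaml yields a CA Secret with no data key and an empty mount; the comment above it should say to set `mount_ca_secret: false` when no certificate is supplied.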