From d6eb141b9c9abd59b2e636fbf53a385c713dc0fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wa=C3=ABl=20Ammar?=
Date: Sat, 5 Nov 2022 11:31:57 +0100
Subject: [PATCH] :sparkles:(helm) Add ralph's chart used to deploy Ralph on k8s

---
 src/helm/README.md | 37 +++++++
 src/helm/ralph/Chart.yaml | 24 +++++
 src/helm/ralph/templates/_helpers.tpl | 53 ++++++++++
 src/helm/ralph/templates/cronjob.yaml | 71 +++++++++++++
 src/helm/ralph/templates/deployment.yaml | 95 ++++++++++++++++++
 src/helm/ralph/templates/hpa.yaml | 28 ++++++
 src/helm/ralph/templates/ingress.yaml | 29 ++++++
 src/helm/ralph/templates/pvc.yml | 14 +++
 src/helm/ralph/templates/secrets.yaml | 59 +++++++++++
 src/helm/ralph/templates/service.yaml | 18 ++++
 src/helm/ralph/values.yaml | 121 +++++++++++++++++++++++
 src/helm/ralph/vault.yaml | 30 ++++++
 12 files changed, 579 insertions(+)
 create mode 100644 src/helm/README.md
 create mode 100644 src/helm/ralph/Chart.yaml
 create mode 100644 src/helm/ralph/templates/_helpers.tpl
 create mode 100644 src/helm/ralph/templates/cronjob.yaml
 create mode 100644 src/helm/ralph/templates/deployment.yaml
 create mode 100644 src/helm/ralph/templates/hpa.yaml
 create mode 100644 src/helm/ralph/templates/ingress.yaml
 create mode 100644 src/helm/ralph/templates/pvc.yml
 create mode 100644 src/helm/ralph/templates/secrets.yaml
 create mode 100644 src/helm/ralph/templates/service.yaml
 create mode 100644 src/helm/ralph/values.yaml
 create mode 100644 src/helm/ralph/vault.yaml

diff --git a/src/helm/README.md b/src/helm/README.md
new file mode 100644
index 000000000..2363e9d6f
--- /dev/null
+++ b/src/helm/README.md
@@ -0,0 +1,37 @@
+# Ralph Helm Chart
+
+This is the helm chart used to deploy ralph application.
+
+All default values are in `values.yaml`
+## Review manisfest
+To generate and review your manifest, under `./src/helm`
+```
+helm template .
+```
+
+## Deploy chart
+### Requirements
+* Helm
+* Needed Kubernetes context selected
+
+
+### Environments
+Please note that with Helm, you can extend the values files. There is no need to copy/paste all the default values and you can replace a value by setting it in your env file.
+
+You can add an environments values files under the root of the chart, eg. `dev-values.yaml` and set only the needed customization.
+
+
+This chart use the file `vaul.yaml` to set the mandatory secrets for the application
+
+### How to
+
+Under `./src/helm`
+
+```
+helm upgrade --install RELEASE_NAME ralph/. --values ralph/dev-values.yaml
+```
+
+Tips:
+* use `--values` to pass an env values files to extend and/or replace the default values
+* `--set var=value` to replace one var/value
+* `--dry-run` to verify your manifest before deploying
diff --git a/src/helm/ralph/Chart.yaml b/src/helm/ralph/Chart.yaml
new file mode 100644
index 000000000..a83e6e0fd
--- /dev/null
+++ b/src/helm/ralph/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: ralph
+description: A Helm chart for Ralph
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/src/helm/ralph/templates/_helpers.tpl b/src/helm/ralph/templates/_helpers.tpl
new file mode 100644
index 000000000..5221bb4fa
--- /dev/null
+++ b/src/helm/ralph/templates/_helpers.tpl
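Review bot: `appVersion: "1.16.0"` is the `helm create` placeholder, and both deployment.yaml and cronjob.yaml fall back to `.Chart.AppVersion` as the image tag whenever `image.tag` is empty (the default in values.yaml), so a default install tries to pull `fundocker/ralph:1.16.0`. Set it to the Ralph release this chart is meant to deploy and bump it together with `version` as the scaffold comment above it says. A one-line comment such as `# Must match a published fundocker/ralph image tag (used as the default image tag)` would document that coupling for the next maintainer.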
@@ -0,0 +1,53 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ralph.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ralph.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ralph.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ralph.labels" -}}
+helm.sh/chart: {{ include "ralph.chart" . }}
+{{ include "ralph.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ralph.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ralph.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app: ralph
+service: app
+{{- end }}
\ No newline at end of file
diff --git a/src/helm/ralph/templates/cronjob.yaml b/src/helm/ralph/templates/cronjob.yaml
new file mode 100644
index 000000000..d2c82d204
--- /dev/null
+++ b/src/helm/ralph/templates/cronjob.yaml
@@ -0,0 +1,71 @@
+{{- if .Values.ralph_cronjobs }}
+{{- range $job := .Values.ralph_cronjobs }}
+{{- with $ -}}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: "ralph-job-{{ $job.name }}"
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ type: job
+spec:
+ schedule: {{ $job.schedule | quote }}
+ successfulJobsHistoryLimit: 2
+ concurrencyPolicy: Forbid
+ failedJobsHistoryLimit: 1
+ suspend: false
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ name: "ralph-job-{{ $job.name }}"
+ labels:
+ {{- include "ralph.labels" . | nindent 12 }}
+ type: job
+ spec:
+ restartPolicy: Never
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ containers:
+ - name: "ralph-job-{{ $job.name }}"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - bash
+ - "-c"
+ {{- with $job.command }}
+ {{ toYaml . | nindent 16 }}
+ {{- end }}
+ env:
+ - name: RALPH_APP_DIR
+ value: "/app/.ralph"
+ envFrom:
+ - secretRef:
+ name: {{ .Values.ralph.secret_name }}
+ volumeMounts:
+ - name: ralph-v-history
+ mountPath: /app/.ralph
+ {{- if .Values.ralph.elastic.mount_ca_secret }}
+ - name: es-ca-certificate
+ mountPath: /usr/local/share/ca-certificates/
+ {{- end }}
+ - name: lrs-auth
+ mountPath: /var/run/ralph/
+ volumes:
+ - name: ralph-v-history
+ persistentVolumeClaim:
+ claimName: ralph-pvc-history
+ {{- if .Values.ralph.elastic.mount_ca_secret }}
+ - name: es-ca-certificate
+ secret:
+ secretName: {{ .Values.ralph.elastic.ca_secret_name }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/src/helm/ralph/templates/deployment.yaml b/src/helm/ralph/templates/deployment.yaml
new file mode 100644
index 000000000..7d749eb3d
--- /dev/null
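Review bot: The job container mounts a volume named `lrs-auth` (`- name: lrs-auth` / `mountPath: /var/run/ralph/`) but the `volumes:` list declares only `ralph-v-history` and the conditional `es-ca-certificate`, so the API server rejects every Job pod template with a "volumeMounts name not found" error and no cron job ever runs. Either drop the mount, since these containers set no `RALPH_AUTH_FILE`, or add the volume the Deployment already declares: `- name: lrs-auth` / `secret:` / `secretName: {{ .Values.ralph_lrs.auth_secret_name }}`. `apiVersion: batch/v1beta1` was removed in Kubernetes 1.25; `batch/v1` has served CronJob since 1.21 with the same fields used here.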
+++ b/src/helm/ralph/templates/deployment.yaml 
@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "ralph.fullname" . }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "ralph.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ralph.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command: {{ .Values.ralph_lrs.command }}
+ livenessProbe:
+ httpGet:
+ path: /__heartbeat__
+ port: {{ .Values.ralph_lrs.port }}
+ httpHeaders:
+ - name: Host
+ value: "lrs.{{ .Values.namespace }}.{{ .Values.ralph_lrs.domain_name }}"
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /__lbheartbeat__
+ port: {{ .Values.ralph_lrs.port }}
+ httpHeaders:
+ - name: Host
+ value: "lrs.{{ .Values.namespace }}.{{ .Values.ralph_lrs.domain_name }}"
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ env:
+ - name: RALPH_APP_DIR
+ value: "/app/.ralph"
+ - name: RALPH_AUTH_FILE
+ value: "/var/run/ralph/auth.json"
+ envFrom:
+ - secretRef:
+ name: {{ .Values.ralph.secret_name }}
+ volumeMounts:
+ - name: ralph-v-history
+ mountPath: /app/.ralph
+ {{- if .Values.ralph.elastic.mount_ca_secret }}
+ - name: es-ca-certificate
+ mountPath: /usr/local/share/ca-certificates/
+ {{- end }}
+ - name: lrs-auth
+ mountPath: /var/run/ralph/
+ volumes:
+ - name: ralph-v-history
+ persistentVolumeClaim:
+ claimName: ralph-pvc-history
+ {{- if .Values.ralph.elastic.mount_ca_secret }}
+ - name: es-ca-certificate
+ secret:
+ secretName: {{ .Values.ralph.elastic.ca_secret_name }}
+ {{- end }}
+ - name: lrs-auth
+ secret:
+ secretName: {{ .Values.ralph_lrs.auth_secret_name }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/src/helm/ralph/templates/hpa.yaml b/src/helm/ralph/templates/hpa.yaml
new file mode 100644
index 000000000..654157fc0
--- /dev/null
+++ b/src/helm/ralph/templates/hpa.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "ralph.fullname" . }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "ralph.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/src/helm/ralph/templates/ingress.yaml b/src/helm/ralph/templates/ingress.yaml
new file mode 100644
index 000000000..ff536c7a5
--- /dev/null
+++ b/src/helm/ralph/templates/ingress.yaml
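Review bot: `command: {{ .Values.ralph_lrs.command }}` prints the Go slice as `[uvicorn ralph.api:app --proxy-headers --host 0.0.0.0 --port 8000]`, which YAML reads as a flow sequence holding one space-separated element, so the kubelet tries to exec a single binary named after the whole line; render it as `command:` followed by `{{- toYaml .Values.ralph_lrs.command | nindent 12 }}` (or `command: {{ toJson .Values.ralph_lrs.command }}`). The liveness and readiness probes target `.Values.ralph_lrs.port` (8080 in values.yaml) while the command above and the Service use 8000, so with the shipped defaults both probes fail and the pod never becomes ready; one value should drive all three. `resources:` is emitted after `volumes:`, which is a pod-level field — check the `helm template` output to confirm it still lands inside the container spec rather than being rejected as an unknown PodSpec field. No container-level `securityContext` is set; `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `runAsNonRoot: true` are the usual baseline for a web process that only needs its working volume.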
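Review bot: `apiVersion: autoscaling/v2beta1` was removed in Kubernetes 1.25; `autoscaling/v2` (GA since 1.23) expresses each metric as `target:` / `type: Utilization` / `averageUtilization: {{ ... }}` in place of `targetAverageUtilization`. The object also carries no `namespace:` while the Deployment it scales is created in `{{ .Values.namespace }}`, so whenever the release namespace differs from that value the HPA lands elsewhere and cannot resolve its `scaleTargetRef`; add `namespace: {{ .Values.namespace }}` under `metadata` as deployment.yaml and service.yaml do.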
@@ -0,0 +1,29 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: "ralph-app-{{ .Values.ralph.prefix }}"
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.ingress.className }}
+ tls:
+ - hosts:
+ - {{ .Values.ingress.host | quote }}
+ secretName: "ralph-app-tls-{{ .Values.ralph.prefix }}"
+ rules:
+ - host: {{ .Values.ingress.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: "ralph-app-{{ .Values.ralph.prefix }}"
+ port:
+ number: {{ .Values.ralph_lrs.port }}
+{{- end }}
diff --git a/src/helm/ralph/templates/pvc.yml b/src/helm/ralph/templates/pvc.yml
new file mode 100644
index 000000000..8dbff4fe2
--- /dev/null
+++ b/src/helm/ralph/templates/pvc.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: ralph-pvc-history
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - {{ .Values.ralph.volume_history.access_modes }}
+ resources:
+ requests:
+ storage: {{ .Values.ralph.volume_history.size }}
+ storageClassName: {{ .Values.ralph.volume_history.storage_class }}
diff --git a/src/helm/ralph/templates/secrets.yaml b/src/helm/ralph/templates/secrets.yaml
new file mode 100644
index 000000000..d3b3b04a9
--- /dev/null
+++ b/src/helm/ralph/templates/secrets.yaml
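Review bot: The backend port `number: {{ .Values.ralph_lrs.port }}` is not the port the Service exposes (`.Values.service.port`); with the shipped values that is 8080 versus 8000, so the Ingress routes to a port the Service does not have and every request fails upstream; `number: {{ .Values.service.port }}` keeps the two in step. `metadata` has no `namespace:` although the Service `ralph-app-{{ .Values.ralph.prefix }}` is created in `{{ .Values.namespace }}`, and an Ingress can only reference Services in its own namespace, so add `namespace: {{ .Values.namespace }}` here as well. With `ingressClassName` set, the `kubernetes.io/ingress.class` annotation in the default values is presumably redundant; keeping only one avoids controller-specific precedence surprises.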
@@ -0,0 +1,59 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.ralph.secret_name }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ annotations:
+ checksum/config: {{ (tpl (.Files.Glob "vault.yaml").AsSecrets . ) | sha256sum }}
+type: Opaque
+data:
+{{- $v := $.Files.Get "vault.yaml" | fromYaml }}
+{{- range $key, $val := $v }}
+ {{ if contains "RALPH_" $key }}
+ {{ $key | nindent 2 }}: {{ $val | b64enc }}
+ {{- end }}
+{{- end }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.ralph_lrs.auth_secret_name }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ annotations:
+ checksum/config: {{ (tpl (.Files.Glob "vault.yaml").AsSecrets . ) | sha256sum }}
+type: Opaque
+data:
+{{- $v := $.Files.Get "vault.yaml" | fromYaml }}
+{{- range $key, $val := $v }}
+ {{ if eq "LRS_AUTH" $key }}
+ {{ "auth.json:" | nindent 2 }}: {{ $val | toJson | b64enc }}
+ {{- end }}
+{{- end }}
+
+
+{{- if .Values.ralph.elastic.mount_ca_secret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.ralph.elastic.ca_secret_name }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ annotations:
+ checksum/config: {{ (tpl (.Files.Glob "vault.yaml").AsSecrets . ) | sha256sum }}
+type: Opaque
+data:
+{{- $v := $.Files.Get "vault.yaml" | fromYaml }}
+{{- range $key, $val := $v }}
+ {{ if eq "ES_CA_CERTIFICATE" $key }}
+ {{ "es-cluster.pem:" | nindent 2 }}: {{ $val | b64enc }}
+ {{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/src/helm/ralph/templates/service.yaml b/src/helm/ralph/templates/service.yaml
new file mode 100644
index 000000000..bfaa8aa1e
--- /dev/null
+++ b/src/helm/ralph/templates/service.yaml
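Review bot: The key literals `"auth.json:"` and `"es-cluster.pem:"` already end in a colon and are followed by another `:`, so the rendered data keys are `auth.json:` and `es-cluster.pem:`, which fail Secret key validation (`[-._a-zA-Z0-9]+`) and abort the install; drop the colon from the string, e.g. `{{ "auth.json" | nindent 2 }}: {{ $val | toJson | b64enc }}`. The `checksum/config` annotation sits on the Secrets themselves, where it changes nothing; its purpose is to live on the Deployment and CronJob pod templates so that editing vault.yaml triggers a rollout, which it currently does not. `contains "RALPH_" $key` matches the substring anywhere in the key; `hasPrefix "RALPH_" $key` states the intent. Values read through `fromYaml` keep their YAML type, so a non-string entry in vault.yaml would reach `b64enc` untyped — presumably all current entries are strings, but `toString` before `b64enc` makes that robust.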
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ {{- include "ralph.labels" . | nindent 4 }}
+ service_prefix: {{ .Values.ralph.prefix }}
+ name: "ralph-app-{{ .Values.ralph.prefix }}"
+ namespace: {{ .Values.namespace }}
+spec:
+ ports:
+ - name: "{{ .Values.service.port }}-tcp"
+ port: {{ .Values.service.port }}
+ protocol: TCP
+ targetPort: {{ .Values.service.port }}
+ type: ClusterIP
+ selector:
+ {{- include "ralph.selectorLabels" . | nindent 4 }}
diff --git a/src/helm/ralph/values.yaml b/src/helm/ralph/values.yaml
new file mode 100644
index 000000000..2cd9e7a12
--- /dev/null
+++ b/src/helm/ralph/values.yaml
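Review bot: `type: ClusterIP` is hard-coded while values.yaml declares `service.type`, so that value is silently ignored; render it with `type: {{ .Values.service.type }}`. The `service_prefix` label is emitted unquoted from `.Values.ralph.prefix`; label values must be strings, so `service_prefix: {{ .Values.ralph.prefix | quote }}` protects against a numeric or boolean-looking override.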
@@ -0,0 +1,121 @@
+# Default values for ralph.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+###########################
+### CHART CONFIGURATION ###
+###########################
+
+namespace: default
+
+replicaCount: 1
+
+image:
+ repository: fundocker/ralph
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+podAnnotations: {}
+
+securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+
+service:
+ type: ClusterIP
+ port: 8000
+
+ingress:
+ enabled: true
+ className: "traefik"
+ annotations:
+ kubernetes.io/ingress.class: traefik
+ cert-manager.io/issuer: letsencrypt
+ host: ralph.example.com
+
+affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: deployment
+ operator: In
+ values:
+ - "ralph-app"
+ topologyKey: kubernetes.io/hostname
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+resources:
+ {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+###########################
+### RALPH CONFIGURATION ###
+###########################
+
+ralph:
+ customer: ""
+ env_type: ""
+ prefix: "traefik"
+ acme_enabled_route_prefix: "traefik.acme"
+ secret_name: "secret-ralph"
+ volume_history:
+ size: 2Gi
+ access_modes: ReadWriteMany
+ storage_class: "local-storage"
+ elastic:
+ mount_ca_secret: true
+ ca_secret_name: "ralph-es-ca"
+
+ralph_lrs:
+ domain_name: "example"
+ port: 8080
+ auth_secret_name: "ralph-lrs-auth"
+ command:
+ - uvicorn
+ - "ralph.api:app"
+ - "--proxy-headers"
+ - "--host"
+ - "0.0.0.0"
+ - "--port"
+ - "8000"
+
+# ralph_cronjobs: []
+ralph_cronjobs:
+ - name: daily-ldp-to-es
+ schedule: "30 2 * * *"
+ command:
+ - ralph list --backend ldp --new |
+ xargs -I {} -n 1 bash -c "
+ ralph fetch --backend ldp {} |
+ gunzip |
+ ralph extract -p gelf |
+ ralph push \
+ --backend es \
+ --es-client-options ca_certs=/usr/local/share/ca-certificates/es-cluster.pem"
diff --git a/src/helm/ralph/vault.yaml b/src/helm/ralph/vault.yaml
new file mode 100644
index 000000000..8a3f0aef0
--- /dev/null
+++ b/src/helm/ralph/vault.yaml
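Review bot: The `podAntiAffinity` term selects pods with label `deployment in (ralph-app)`, but no template applies a `deployment` label (the selector labels are `app.kubernetes.io/*`, `app` and `service`), so the rule never matches and replicas may all land on one node; select on `app.kubernetes.io/name` or `app: ralph` instead. `ralph_lrs.port: 8080` disagrees with the `--port "8000"` argument in `ralph_lrs.command` and with `service.port: 8000`, and the Deployment probes use the former, so the shipped defaults do not work together. The cron job command is a folded plain scalar, so each `\` at a line end becomes `\ ` inside the single-line string and the inner `bash -c` reads an escaped space rather than a line continuation — presumably that breaks argument parsing, and a literal block (`- |`) would keep the continuations intact. `securityContext` only sets `runAsUser`/`runAsGroup`; adding `runAsNonRoot: true` keeps an image change from quietly running as root. `access_modes: ReadWriteMany` together with `storage_class: "local-storage"` is unlikely to bind, since local volumes only support ReadWriteOnce.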
@@ -0,0 +1,30 @@
+RALPH_BACKENDS__DATABASE__ES__HOSTS: http://elasticsearch:9200
+RALPH_BACKENDS__DATABASE__ES__INDEX: statements
+RALPH_SENTRY_DSN: https://fake@key.ingest.sentry.io/1234567
+RALPH_EXECUTION_ENVIRONMENT: production
+
+# If you have self-generated a CA certificate for your ES cluster nodes, you may
+# also need this CA certificate to check certificates while requesting the
+# cluster. If defined, this CA certificate will be mounted to
+# /usr/local/share/ca-certificates/es-cluster.pem
+#
+# We expect this certificate to be pasted in PEM format
+ES_CA_CERTIFICATE: ""
+
+# Authentication
+#
+# For each entry, we expect the following keys:
+# - username (str)
+# - hash (str)
+# - scopes (list)
+#
+# Example:
+# LRS_AUTH:
+# - username: "foo"
+# hash: "thehash"
+# scopes:
+# - "foo_scope"
+#
+# For more information about hash generation, see Ralph's documentation:
+# https://openfun.github.io/ralph/api/#creating_a_credentials_file
+LRS_AUTH: []
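Review bot: `vault.yaml` is read at render time with `.Files.Get`, so it must live inside the chart directory and ships in every packaged chart, and the README presents it as the place to set the mandatory secrets — which invites committing real credentials next to the templates. Keep this file as an example only (rename it to a `.dist` template and gitignore the real one, or feed the real values through helm-secrets/sops) and say so in a comment at the top, e.g. `# Example values only — do not commit real credentials here`. `ES_CA_CERTIFICATE: ""` combined with the default `mount_ca_secret: true` mounts an empty `es-cluster.pem`, which the cron job then passes as `ca_certs`; presumably that makes TLS verification fail outright rather than fall back to the system store, so `mount_ca_secret` should probably default to `false` until a certificate is provided. `RALPH_BACKENDS__DATABASE__ES__HOSTS` uses `http://` while a CA certificate is being provisioned for the same cluster — worth confirming which transport is intended.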