feat: add crac service helm chart

SwissDataScienceCenter · May 10, 2023 · b223f5f · b223f5f
1 parent d74e859
commit b223f5f
Show file tree

Hide file tree

Showing 8 changed files with 244 additions and 0 deletions.
diff --git a/helm-chart/renku/templates/configmap.yaml b/helm-chart/renku/templates/configmap.yaml
@@ -146,3 +146,22 @@ data:
         grant all privileges on schema "public" to "{{ .Values.global.graph.tokenRepository.postgresUser }}";
       EOSQL
   {{- end }}
+
+  init-renku-db.sh: |-
+    #!/bin/bash
+    set -x
+
+    PASSWORD=$(cat /db-common-password/password)
+    DB_NAME=renku
+
+    psql -v ON_ERROR_STOP=1 <<-EOSQL
+      create database "$DB_NAME";
+      create user "{{ .Values.global.db.common.username }}" password '$PASSWORD';
+    EOSQL
+
+    psql postgres -v ON_ERROR_STOP=1 --dbname "$DB_NAME" <<-EOSQL
+      create extension if not exists "pg_trgm";
+      revoke all on schema "public" from "public";
+      grant all privileges on database "$DB_NAME" to "{{ .Values.global.db.common.username }}";
+      grant all privileges on schema "public" to "{{ .Values.global.db.common.username }}";
+    EOSQL
diff --git a/helm-chart/renku/templates/crac/deployment.yaml b/helm-chart/renku/templates/crac/deployment.yaml
@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "renku.fullname" . }}-crac
+  labels:
+    app: {{ template "renku.fullname" . }}-crac
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  {{- if not .Values.crac.autoscaling.enabled }}
+  replicas: {{ .Values.crac.replicaCount }}
+  {{- end }}
+  strategy: 
+    {{- toYaml .Values.crac.updateStrategy | nindent 4 }}
+  selector:
+    matchLabels:
+      app: {{ template "renku.name" . }}-crac
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "renku.name" . }}-crac
+        release: {{ .Release.Name }}
+      {{- with .Values.crac.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      automountServiceAccountToken: {{ .Values.global.debug }}
+      initContainers:
+        {{- include "certificates.initContainer" . | nindent 8 }}
+      containers:
+        - name: crac
+          image: "{{ .Values.crac.image.repository }}:{{ .Values.crac.image.tag }}"
+          imagePullPolicy: {{ .Values.crac.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: DB_HOST
+              value: {{ template "postgresql.fullname" . }}
+            - name: DB_USER
+              value: {{ .Values.global.db.common.username }}
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.global.db.common.passwordSecretName }}
+                  key: password
+          volumeMounts:
+            {{- include "certificates.volumeMounts.system" . | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /api/data/version
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 6
+          readinessProbe:
+            httpGet:
+              path: /api/data/version
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 2
+            failureThreshold: 2
+          startupProbe:
+            httpGet:
+              path: /api/data/version
+              port: http
+            periodSeconds: 5
+            failureThreshold: 60
+          resources:
+            {{ toYaml .Values.crac.resources | nindent 12 }}
+    {{- with .Values.crac.nodeSelector }}
+      nodeSelector:
+        {{ toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.crac.affinity }}
+      affinity:
+        {{ toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.crac.tolerations }}
+      tolerations:
+        {{ toYaml . | nindent 8 }}
+    {{- end }}
+      volumes:
+        {{- include "certificates.volumes" . | nindent 8 }}
diff --git a/helm-chart/renku/templates/crac/hpa.yaml b/helm-chart/renku/templates/crac/hpa.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.crac.autoscaling.enabled }}
+{{- if semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: autoscaling/v2
+{{- else -}}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ template "renku.fullname" . }}-crac
+  labels:
+    app: {{ template "renku.name" . }}-crac
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ template "renku.fullname" . }}-crac
+  minReplicas: {{ .Values.crac.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.crac.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.crac.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.crac.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.crac.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.crac.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
diff --git a/helm-chart/renku/templates/crac/pdb.yaml b/helm-chart/renku/templates/crac/pdb.yaml
@@ -0,0 +1,17 @@
+{{- if or (gt (int .Values.crac.replicaCount) 1) (and .Values.crac.autoscaling.enabled (gt (int .Values.crac.autoscaling.minReplicas) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "renku.fullname" . }}-crac
+  labels:
+    app: {{ template "renku.name" . }}-crac
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  maxUnavailable: 50%
+  selector:
+    matchLabels:
+      app: {{ template "renku.name" . }}-crac
+      release: {{ .Release.Name }}
+{{- end }}
diff --git a/helm-chart/renku/templates/crac/service.yaml b/helm-chart/renku/templates/crac/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "renku.name" . }}-crac
+  labels:
+    app: {{ template "renku.name" . }}-crac
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  type: {{ .Values.crac.service.type }}
+  ports:
+    - port: {{ .Values.crac.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app: {{ template "renku.name" . }}-crac
+    release: {{ .Release.Name }}
diff --git a/helm-chart/renku/templates/post-install-job-postgres.yaml b/helm-chart/renku/templates/post-install-job-postgres.yaml
@@ -50,6 +50,9 @@ spec:
             - name: graph-token-postgres
               mountPath: /graph-token-postgres
               readOnly: true
+            - name: db-common-password
+              mountPath: /db-common-password
+              readOnly: true
           env:
           - name: PGHOST
             value: {{ template "postgresql.fullname" . }}
@@ -94,3 +97,6 @@ spec:
         - name: graph-token-postgres
           secret:
             secretName: {{ template "renku.fullname" . }}-graph-token-postgres
+        - name: db-common-password
+          secret:
+            secretName: {{ .Values.global.db.common.passwordSecretName }}
diff --git a/helm-chart/renku/templates/secrets.yaml b/helm-chart/renku/templates/secrets.yaml
@@ -37,3 +37,15 @@ type: Opaque
 data:
   {{ .Values.redis.auth.existingSecretPasswordKey }}: {{ .Values.redis.password | b64enc | quote }}
 {{- end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.global.db.common.passwordSecretName }}
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace .Values.global.db.common.passwordSecretName) | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  {{- $secretVal := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+  password: {{ $secretVal | quote }}
diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml
@@ -143,6 +143,16 @@ global:
       tag: "0.0.2"
     customCAs: []
       # - secret:
+
+  ## Database credentials for postgres
+  db:
+    ## Used by the renku-data-services and potentially other backend services
+    common:
+      username: renku
+      ## If the secret name below does not exist it will be automatically and randomly generated.
+      ## The contents of the 'password' key is used.
+      ## The secret is not re-generated or modified in any way if it already exists.
+      passwordSecretName: renku-db-common-password
 
 ## Ingress configuration
 ## See: https://kubernetes.io/docs/concepts/services-networking/ingress/
@@ -886,3 +896,33 @@ initDb:
   image:
     repository: renku/init-db
     tag: "latest"
+
+crac:
+  image: 
+    repository: renku/renku-crac
+    tag: main
+    pullPolicy: IfNotPresent
+  service:
+    type: ClusterIP
+    port: 80
+  replicaCount: 2
+  podAnnotations: {}
+  resources: {}
+  autoscaling:
+    enabled: false
+    minReplicas: 2
+    maxReplicas: 5
+    targetMemoryUtilizationPercentage: 75
+    targetCPUUtilizationPercentage: 75
+  updateStrategy: {}
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+podSecurityContext: {}
+
+securityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false