diff --git a/helm-chart/renku/templates/configmap.yaml b/helm-chart/renku/templates/configmap.yaml
index bee034029..f37675fae 100644
--- a/helm-chart/renku/templates/configmap.yaml
+++ b/helm-chart/renku/templates/configmap.yaml
@@ -146,3 +146,22 @@ data:
 grant all privileges on schema "public" to "{{ .Values.global.graph.tokenRepository.postgresUser }}";
 EOSQL
 {{- end }}
+
+ init-renku-db.sh: |-
+ #!/bin/bash
+ set -x
+
+ PASSWORD=$(cat /db-common-password/password)
+ DB_NAME=renku
+
+ psql -v ON_ERROR_STOP=1 <<-EOSQL
+ create database "$DB_NAME";
+ create user "{{ .Values.global.db.common.username }}" password '$PASSWORD';
+ EOSQL
+
+ psql postgres -v ON_ERROR_STOP=1 --dbname "$DB_NAME" <<-EOSQL
+ create extension if not exists "pg_trgm";
+ revoke all on schema "public" from "public";
+ grant all privileges on database "$DB_NAME" to "{{ .Values.global.db.common.username }}";
+ grant all privileges on schema "public" to "{{ .Values.global.db.common.username }}";
+ EOSQL
diff --git a/helm-chart/renku/templates/crac/deployment.yaml b/helm-chart/renku/templates/crac/deployment.yaml
new file mode 100644
index 000000000..89ad1fc7a
--- /dev/null
+++ b/helm-chart/renku/templates/crac/deployment.yaml
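Review bot: `set -x` on the second line of `init-renku-db.sh` traces every expanded command to stderr, so the assignment `PASSWORD=$(cat /db-common-password/password)` writes the database password into the post-install job's pod logs, where it is retained by whatever log collection the cluster runs. Use `set -eu` instead (if tracing is wanted for the psql calls, enable it only after the assignment). The password is also spliced into the SQL as the literal `'$PASSWORD'`; `randAlphaNum` output is safe, but a pre-existing user-supplied secret containing a quote would break or alter the statement — pass it as a psql variable, `psql -v ON_ERROR_STOP=1 -v pw="$PASSWORD" <<-EOSQL`, and write `password :'pw'`, which psql quotes as a literal. Neither `create database` nor `create user` is conditional, so with `ON_ERROR_STOP=1` a re-run of the job against an existing database fails on the first statement; this appears to be a one-shot post-install job, so confirm that is acceptable.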
@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "renku.fullname" . }}-crac
+ labels:
+ app: {{ template "renku.fullname" . }}-crac
+ chart: {{ template "renku.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ {{- if not .Values.crac.autoscaling.enabled }}
+ replicas: {{ .Values.crac.replicaCount }}
+ {{- end }}
+ strategy:
+ {{- toYaml .Values.crac.updateStrategy | nindent 4 }}
+ selector:
+ matchLabels:
+ app: {{ template "renku.name" . }}-crac
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ template "renku.name" . }}-crac
+ release: {{ .Release.Name }}
+ {{- with .Values.crac.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ automountServiceAccountToken: {{ .Values.global.debug }}
+ initContainers:
+ {{- include "certificates.initContainer" . | nindent 8 }}
+ containers:
+ - name: crac
+ image: "{{ .Values.crac.image.repository }}:{{ .Values.crac.image.tag }}"
+ imagePullPolicy: {{ .Values.crac.image.pullPolicy }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ ports:
+ - name: http
+ containerPort: 8000
+ protocol: TCP
+ env:
+ - name: DB_HOST
+ value: {{ template "postgresql.fullname" . }}
+ - name: DB_USER
+ value: {{ .Values.global.db.common.username }}
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.global.db.common.passwordSecretName }}
+ key: password
+ volumeMounts:
+ {{- include "certificates.volumeMounts.system" . 
| nindent 12 }}
+ livenessProbe:
+ httpGet:
+ path: /api/data/version
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ failureThreshold: 6
+ readinessProbe:
+ httpGet:
+ path: /api/data/version
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 2
+ failureThreshold: 2
+ startupProbe:
+ httpGet:
+ path: /api/data/version
+ port: http
+ periodSeconds: 5
+ failureThreshold: 60
+ resources:
+ {{ toYaml .Values.crac.resources | nindent 12 }}
+ {{- with .Values.crac.nodeSelector }}
+ nodeSelector:
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.crac.affinity }}
+ affinity:
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.crac.tolerations }}
+ tolerations:
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ {{- include "certificates.volumes" . | nindent 8 }}
diff --git a/helm-chart/renku/templates/crac/hpa.yaml b/helm-chart/renku/templates/crac/hpa.yaml
new file mode 100644
index 000000000..ea3d561a5
--- /dev/null
+++ b/helm-chart/renku/templates/crac/hpa.yaml
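Review bot: `value: {{ .Values.global.db.common.username }}` for `DB_USER` (and `imagePullPolicy: {{ .Values.crac.image.pullPolicy }}`) is rendered unquoted, so a username that happens to look like a number or boolean is typed as such and rejected by the API server, which requires an env `value` to be a string; `value: {{ .Values.global.db.common.username | quote }}` is the safe form. The `resources:`, `nodeSelector:`, `affinity:` and `tolerations:` blocks use `{{ toYaml ... | nindent N }}` without the `-` left-trim that the `securityContext` and `strategy` lines in this hunk use, leaving a whitespace-only line before each rendered block; `{{- toYaml .Values.crac.resources | nindent 12 }}` matches the sibling lines. Wiring `automountServiceAccountToken` to `.Values.global.debug` means a debug toggle also hands the pod API credentials, which may be intended but deserves a one-line comment at that key. The hunk's `volumeMounts` include line is split across two lines by the page layout.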
@@ -0,0 +1,39 @@
+{{- if .Values.crac.autoscaling.enabled }}
+{{- if semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: autoscaling/v2
+{{- else -}}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ template "renku.fullname" . }}-crac
+ labels:
+ app: {{ template "renku.name" . }}-crac
+ chart: {{ template "renku.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "renku.fullname" . }}-crac
+ minReplicas: {{ .Values.crac.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.crac.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.crac.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.crac.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.crac.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.crac.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/helm-chart/renku/templates/crac/pdb.yaml b/helm-chart/renku/templates/crac/pdb.yaml
new file mode 100644
index 000000000..b85839e77
--- /dev/null
+++ b/helm-chart/renku/templates/crac/pdb.yaml
@@ -0,0 +1,17 @@
+{{- if or (gt (int .Values.crac.replicaCount) 1) (and .Values.crac.autoscaling.enabled (gt (int .Values.crac.autoscaling.minReplicas) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "renku.fullname" . }}-crac
+ labels:
+ app: {{ template "renku.name" . }}-crac
+ chart: {{ template "renku.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ maxUnavailable: 50%
+ selector:
+ matchLabels:
+ app: {{ template "renku.name" . }}-crac
+ release: {{ .Release.Name }}
+{{- end }}
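Review bot: The guard on the first line of pdb.yaml tests `gt (int .Values.crac.replicaCount) 1` regardless of `crac.autoscaling.enabled`, while the Deployment in this change drops `replicas` entirely when autoscaling is on; with `replicaCount: 2` but `minReplicas: 1` a PDB is therefore emitted for a workload that may run a single pod, which is not what the second clause of the condition was evidently written to prevent. Making the first clause `(and (not .Values.crac.autoscaling.enabled) (gt (int .Values.crac.replicaCount) 1))` mirrors the Deployment's condition. A short comment above the `if` stating "only create a PDB when more than one pod is guaranteed" would make the intent readable without parsing the expression.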
diff --git a/helm-chart/renku/templates/crac/service.yaml b/helm-chart/renku/templates/crac/service.yaml
new file mode 100644
index 000000000..8af837fca
--- /dev/null
+++ b/helm-chart/renku/templates/crac/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "renku.name" . }}-crac
+ labels:
+ app: {{ template "renku.name" . }}-crac
+ chart: {{ template "renku.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: {{ .Values.crac.service.type }}
+ ports:
+ - port: {{ .Values.crac.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: {{ template "renku.name" . }}-crac
+ release: {{ .Release.Name }}
diff --git a/helm-chart/renku/templates/post-install-job-postgres.yaml b/helm-chart/renku/templates/post-install-job-postgres.yaml
index 34a86ae66..c1652dace 100644
--- a/helm-chart/renku/templates/post-install-job-postgres.yaml
+++ b/helm-chart/renku/templates/post-install-job-postgres.yaml
@@ -50,6 +50,9 @@ spec:
 - name: graph-token-postgres
 mountPath: /graph-token-postgres
 readOnly: true
+ - name: db-common-password
+ mountPath: /db-common-password
+ readOnly: true
 env:
 - name: PGHOST
 value: {{ template "postgresql.fullname" . }}
@@ -94,3 +97,6 @@ spec:
 - name: graph-token-postgres
 secret:
 secretName: {{ template "renku.fullname" . }}-graph-token-postgres
+ - name: db-common-password
+ secret:
+ secretName: {{ .Values.global.db.common.passwordSecretName }}
diff --git a/helm-chart/renku/templates/secrets.yaml b/helm-chart/renku/templates/secrets.yaml
index ea00b7ad2..513d9fec0 100644
--- a/helm-chart/renku/templates/secrets.yaml
+++ b/helm-chart/renku/templates/secrets.yaml
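Review bot: `metadata.name: {{ template "renku.name" . }}-crac` on the Service uses `renku.name`, while the Deployment, HPA and PDB added in this change all name themselves with `renku.fullname`; two releases of the chart in one namespace would then collide on the Service name, and the sibling templates suggest `name: {{ template "renku.fullname" . }}-crac` was intended. The `app:`/`release:` selector correctly uses the same `renku.name`-based labels as the Deployment's pod template and needs no change. `type: {{ .Values.crac.service.type }}` would be safer as `{{ .Values.crac.service.type | quote }}` so a stray value cannot be retyped by the YAML parser.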
@@ -37,3 +37,15 @@ type: Opaque data: {{ .Values.redis.auth.existingSecretPasswordKey }}: {{ .Values.redis.password | b64enc | quote }} {{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.global.db.common.passwordSecretName }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace .Values.global.db.common.passwordSecretName) | default dict }} + {{- $secretData := (get $secretObj "data") | default dict }} + {{- $secretVal := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} + password: {{ $secretVal | quote }} diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index f7dbbab37..42a3bc596 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -143,6 +143,16 @@ global: tag: "0.0.2" customCAs: [] # - secret: + + ## Database credentials for postgres + db: + ## Used by the renku-data-services and potentially other backend services + common: + username: renku + ## If the secret name below does not exist it will be automatically and randomly generated. + ## The contents of the 'password' key is used. + ## The secret is not re-generated or modified in any way if it already exists. + passwordSecretName: renku-db-common-password ## Ingress configuration ## See: https://kubernetes.io/docs/concepts/services-networking/ingress/ @@ -886,3 +896,33 @@ initDb: image: repository: renku/init-db tag: "latest" + +crac: + image: + repository: renku/renku-crac + tag: main + pullPolicy: IfNotPresent + service: + type: ClusterIP + port: 80 + replicaCount: 2 + podAnnotations: {} + resources: {} + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 5 + targetMemoryUtilizationPercentage: 75 + targetCPUUtilizationPercentage: 75 + updateStrategy: {} + nodeSelector: {} + tolerations: [] + affinity: {} + +podSecurityContext: {} + +securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false
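Review bot: The new Secret is appended directly after the redis Secret's `{{- end }}` with a blank line but no `---` document separator, so whenever the redis block renders, the two resources land in one YAML document with duplicate `apiVersion`/`kind`/`metadata` keys and the render either fails or silently keeps only the last value; the first added line should be `---`. Separately, `lookup "v1" "Secret" ...` returns an empty result under `helm template`, `--dry-run` and GitOps renderers that run without cluster access, so in those modes the `default (randAlphaNum 32 | b64enc)` branch produces a new password on every render, contrary to the "not re-generated" comment in the values.yaml hunk of this change; that caveat belongs next to `passwordSecretName` in values.yaml, e.g. `## Note: with 'helm template' or no cluster access the lookup is empty and a new value is generated on each render.` Because the init script only creates the user once, a rotated Secret would leave the running database with the old password.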
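Review bot: `tag: main` together with `pullPolicy: IfNotPresent` under `crac.image` lets each node keep whichever `main` build it pulled first, so nodes can run different code and the manifest no longer identifies which commit is deployed; the other images in this file pin a quoted release tag (`tag: "0.0.2"`), and the same should be done here (a digest is stronger still). `securityContext` is a good baseline; if the image tolerates it, `readOnlyRootFilesystem: true` and `capabilities: { drop: ["ALL"] }` complete the usual hardening set. `podSecurityContext` and `securityContext` are introduced as top-level values but are only consumed by the crac Deployment in this change, so nesting them under `crac:` (or adding a comment stating they are chart-wide defaults) would avoid implying a scope they do not have.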