1 parent 0d30648, commit 9fd3069
Showing 35 changed files with 601 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v2 | ||
name: ook | ||
version: 1.0.0 | ||
appVersion: "tickets-DM-39636" | ||
description: Ook is the librarian service for Rubin Observatory. Ook indexes documentation content into the Algolia search engine that powers the Rubin Observatory documentation portal, www.lsst.io. | ||
type: application | ||
home: https://ook.lsst.io/ | ||
sources: | ||
- https://github.com/lsst-sqre/ook | ||
maintainers: | ||
- name: jonathansick | ||
url: https://github.com/jonathansick |
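Review bot: appVersion "tickets-DM-39636" reads as a ticket-branch build rather than a release, and the README in this commit says image.tag defaults to the chart's appVersion with image.pullPolicy "IfNotPresent". If that tag is ever rebuilt, nodes that already cached it keep running the old image while other nodes pull the new one, so the running code is not reproducible from the chart. Pin appVersion to a released version, or reference the image by digest, before this is deployed outside a development environment.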
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# ook | ||
|
||
Ook is the librarian service for Rubin Observatory. Ook indexes documentation content into the Algolia search engine that powers the Rubin Observatory documentation portal, www.lsst.io. | ||
|
||
**Homepage:** <https://ook.lsst.io/> | ||
|
||
## Source Code | ||
|
||
* <https://github.com/lsst-sqre/ook> | ||
|
||
## Values | ||
|
||
| Key | Type | Default | Description | | ||
|-----|------|---------|-------------| | ||
| affinity | object | `{}` | | | ||
| config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" | | ||
| config.registryUrl | string | `"http://sasquatch-schema-registry.sasquatch:8081"` | Cluster URL for the Confluent Schema Registry | | ||
| config.subjectCompatibility | string | `"FORWARD"` | Schema subject compatibility. | | ||
| config.subjectSuffix | string | `""` | Schema subject suffix. Should be empty for production but can be set to a value to create unique subjects in the Confluent Schema Registry for testing. | | ||
| config.topics.ingest | string | `"lsst.square-events.ook.ingest"` | Kafka topic name for ingest events | | ||
| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | ||
| global.baseUrl | string | Set by Argo CD | Base URL for the environment | | ||
| global.host | string | Set by Argo CD | Host name for ingress | | ||
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | ||
| image.repository | string | `"ghcr.io/lsst-sqre/ook"` | Squarebot image repository | | ||
| image.tag | string | The appVersion of the chart | Tag of the image | | ||
| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls | | ||
| ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | ||
| ingress.path | string | `"/ook"` | Path prefix where Squarebot is hosted | | ||
| nameOverride | string | `""` | Override the base name for resources | | ||
| nodeSelector | object | `{}` | | | ||
| podAnnotations | object | `{}` | Annotations for API and worker pods | | ||
| replicaCount | int | `1` | Number of API pods to run | | ||
| resources | object | `{}` | | | ||
| service.port | int | `80` | Port of the service to create and map to the ingress | | ||
| service.type | string | `"ClusterIP"` | Type of service to create | | ||
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | ||
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | ||
| serviceAccount.name | string | `""` | | | ||
| tolerations | list | `[]` | | |
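Review bot: two descriptions in the Values table still name Squarebot: image.repository ("Squarebot image repository") and ingress.path ("Path prefix where Squarebot is hosted"); both should say Ook. The rows for affinity, nodeSelector, resources, serviceAccount.name and tolerations have empty descriptions. If this table is generated from comments in values.yaml, fix the comments there and regenerate rather than editing the README by hand.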
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "ook.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "ook.fullname" -}} | ||
{{- if .Values.fullnameOverride }} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- $name := default .Chart.Name .Values.nameOverride }} | ||
{{- if contains $name .Release.Name }} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "ook.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "ook.labels" -}} | ||
helm.sh/chart: {{ include "ook.chart" . }} | ||
{{ include "ook.selectorLabels" . }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- end }} | ||
|
||
{{/* | ||
Selector labels | ||
*/}} | ||
{{- define "ook.selectorLabels" -}} | ||
app.kubernetes.io/name: {{ include "ook.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create the name of the service account to use | ||
*/}} | ||
{{- define "ook.serviceAccountName" -}} | ||
{{- if .Values.serviceAccount.create }} | ||
{{- default (include "ook.fullname" .) .Values.serviceAccount.name }} | ||
{{- else }} | ||
{{- default "default" .Values.serviceAccount.name }} | ||
{{- end }} | ||
{{- end }} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: {{ include "ook.fullname" . }} | ||
labels: | ||
{{- include "ook.labels" . | nindent 4 }} | ||
data: | ||
SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }} | ||
SAFIR_PATH_PREFIX: {{ .Values.ingress.path | quote }} | ||
SAFIR_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }} | ||
SAFIR_PROFILE: "production" | ||
OOK_REGISTRY_URL: {{ .Values.config.registryUrl | quote }} | ||
OOK_SUBJECT_SUFFIX: {{ .Values.config.subjectSuffix | quote }} | ||
OOK_SUBJECT_COMPATIBILITY: {{ .Values.config.subjectCompatibility | quote }} | ||
OOK_INGEST_KAFKA_TOPIC: {{ .Values.config.topics.ingest | quote }} | ||
ALGOLIA_DOCUMENT_INDEX: "ook_documents_test" |
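Review bot: ALGOLIA_DOCUMENT_INDEX is hard-coded to "ook_documents_test" on the last line while SAFIR_PROFILE in the same ConfigMap is "production", so every environment that deploys this chart writes to the test index and none can be pointed elsewhere without editing the template. Expose the index name as a value alongside the other config.* settings, render it with quote like the neighbouring keys, and add it to the README table.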
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,139 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: {{ include "ook.fullname" . }} | ||
labels: | ||
{{- include "ook.labels" . | nindent 4 }} | ||
app.kubernetes.io/component: "server" | ||
app.kubernetes.io/part-of: "ook" | ||
spec: | ||
replicas: {{ .Values.replicaCount }} | ||
selector: | ||
matchLabels: | ||
{{- include "ook.selectorLabels" . | nindent 6 }} | ||
template: | ||
metadata: | ||
annotations: | ||
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} | ||
{{- with .Values.podAnnotations }} | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
labels: | ||
{{- include "ook.selectorLabels" . | nindent 8 }} | ||
app.kubernetes.io/component: "server" | ||
app.kubernetes.io/part-of: "ook" | ||
spec: | ||
{{- with .Values.imagePullSecrets }} | ||
imagePullSecrets: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
serviceAccountName: {{ include "ook.serviceAccountName" . }} | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
runAsGroup: 1000 | ||
containers: | ||
- name: {{ .Chart.Name }} | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
ports: | ||
- name: http | ||
containerPort: 8080 | ||
protocol: TCP | ||
livenessProbe: | ||
httpGet: | ||
path: / | ||
port: http | ||
readinessProbe: | ||
httpGet: | ||
path: / | ||
port: http | ||
resources: | ||
{{- toYaml .Values.resources | nindent 12 }} | ||
envFrom: | ||
- configMapRef: | ||
name: {{ include "ook.fullname" . }} | ||
env: | ||
# Writeable directory for concatenating certs. See "tmp" volume. | ||
- name: "KAFKA_CERT_TEMP_DIR" | ||
value: "/tmp/kafka_certs" | ||
# From KafkaAccess | ||
- name: "KAFKA_BOOTSTRAP_SERVERS" | ||
valueFrom: | ||
secretKeyRef: | ||
name: {{ template "ook.fullname" . }}-kafka | ||
key: "bootstrapServers" | ||
- name: "KAFKA_SECURITY_PROTOCOL" | ||
value: "SSL" | ||
# From replicated KafkaUser secret | ||
- name: "KAFKA_SSL_CLUSTER_CAFILE" | ||
value: "/etc/kafkacluster/ca.crt" | ||
- name: "KAFKA_SSL_CLIENT_CAFILE" | ||
value: "/etc/kafkauser/ca.crt" | ||
- name: "KAFKA_SSL_CLIENT_CERTFILE" | ||
value: "/etc/kafkauser/user.crt" | ||
- name: "KAFKA_SSL_CLIENT_KEYFILE" | ||
value: "/etc/kafkauser/user.key" | ||
# From Vault secrets | ||
- name: "ALGOLIA_APP_ID" | ||
valueFrom: | ||
secretKeyRef: | ||
name: {{ template "ook.fullname" . }} | ||
key: "ALGOLIA_APP_ID" | ||
- name: "ALGOLIA_API_KEY" | ||
valueFrom: | ||
secretKeyRef: | ||
name: {{ template "ook.fullname" . }} | ||
key: "ALGOLIA_API_KEY" | ||
- name: "OOK_GITHUB_APP_ID" | ||
valueFrom: | ||
secretKeyRef: | ||
name: {{ template "ook.fullname" . }} | ||
key: "OOK_GITHUB_APP_ID" | ||
- name: "OOK_GITHUB_APP_PRIVATE_KEY" | ||
valueFrom: | ||
secretKeyRef: | ||
name: {{ template "ook.fullname" . }} | ||
key: "OOK_GITHUB_APP_PRIVATE_KEY" | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- ALL | ||
readOnlyRootFilesystem: true | ||
volumeMounts: | ||
- name: "{{ template "ook.fullname" . }}" | ||
mountPath: "/etc/kafkacluster/ca.crt" | ||
subPath: "ca.crt" | ||
- name: "kafka-user" | ||
mountPath: "/etc/kafkauser/ca.crt" | ||
subPath: "ca.crt" | ||
- name: "kafka-user" | ||
mountPath: "/etc/kafkauser/user.crt" | ||
subPath: "user.crt" | ||
- name: "kafka-user" | ||
mountPath: "/etc/kafkauser/user.key" | ||
subPath: "user.key" | ||
- name: "tmp" | ||
mountPath: "/tmp/kafka_certs" | ||
{{- with .Values.nodeSelector }} | ||
nodeSelector: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.affinity }} | ||
affinity: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.tolerations }} | ||
tolerations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
volumes: | ||
- name: "kafka-user" | ||
secret: | ||
secretName: {{ template "ook.fullname" . }}-kafka-user | ||
- name: "{{ template "ook.fullname" . }}" | ||
secret: | ||
secretName: {{ template "ook.fullname" . }} | ||
- name: "tmp" | ||
emptyDir: {} |
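Review bot: the four certificate entries in volumeMounts all use subPath (ca.crt, user.crt, user.key), and Kubernetes does not refresh subPath-mounted Secret files when the Secret changes, so a rotated KafkaUser certificate in the "-kafka-user" Secret never reaches a running pod. The checksum/config annotation hashes only configmap.yaml, so a rotation does not trigger a rollout either. Mount the kafka-user volume as a directory at /etc/kafkauser (the file names already match the keys), or document that certificate rotation requires a restart. Separately, the comment "# From replicated KafkaUser secret" sits above KAFKA_SSL_CLUSTER_CAFILE, but /etc/kafkacluster/ca.crt is mounted from the volume backed by the Secret named after ook.fullname, not from kafka-user; correct the comment or the volume.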
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
apiVersion: gafaelfawr.lsst.io/v1alpha1 | ||
kind: GafaelfawrIngress | ||
metadata: | ||
name: {{ template "ook.fullname" . }} | ||
labels: | ||
{{- include "ook.labels" . | nindent 4 }} | ||
config: | ||
baseUrl: {{ .Values.global.baseUrl | quote }} | ||
scopes: | ||
all: | ||
- "exec:admin" | ||
loginRedirect: true | ||
template: | ||
metadata: | ||
name: {{ template "ook.fullname" . }} | ||
{{- with .Values.ingress.annotations }} | ||
annotations: | ||
{{- toYaml . | nindent 6 }} | ||
{{- end }} | ||
spec: | ||
rules: | ||
- host: {{ required "global.host must be set" .Values.global.host | quote }} | ||
http: | ||
paths: | ||
- path: {{ .Values.ingress.path | quote }} | ||
pathType: "Prefix" | ||
backend: | ||
service: | ||
name: {{ template "ook.fullname" . }} | ||
port: | ||
number: {{ .Values.service.port }} |
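Review bot: config.baseUrl is rendered with quote only, while the host under spec.rules uses required "global.host must be set". If global.baseUrl is missing, the manifest still renders without a usable baseUrl instead of failing at template time. Guard it the same way, for example baseUrl: {{ required "global.baseUrl must be set" .Values.global.baseUrl | quote }}. This file also uses template "ook.fullname" where the other manifests use include; pick one form for consistency.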
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: access.strimzi.io/v1alpha1 | ||
kind: KafkaAccess | ||
metadata: | ||
name: {{ include "ook.fullname" . }}-kafka | ||
spec: | ||
kafka: | ||
name: sasquatch | ||
namespace: sasquatch | ||
listener: tls | ||
user: | ||
kind: KafkaUser | ||
apiGroup: kafka.strimzi.io | ||
name: ook | ||
namespace: sasquatch |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ include "ook.fullname" . }}-kafka-user | ||
annotations: | ||
replicator.v1.mittwald.de/replicate-from: sasquatch/ook | ||
replicator.v1.mittwald.de/strip-labels: "true" | ||
data: {} |
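Review bot: this Secret pulls the KafkaUser client key from sasquatch/ook through the replicate-from annotation, so who may copy that key is decided by annotations on the source Secret, not here. Document in the chart that sasquatch/ook must carry replicator.v1.mittwald.de/replication-allowed and a replicator.v1.mittwald.de/replication-allowed-namespaces value limited to the namespace this chart is installed in, rather than a wildcard pattern. The metadata block also lacks the ook.labels include that the ConfigMap and Service carry.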
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
apiVersion: networking.k8s.io/v1 | ||
kind: NetworkPolicy | ||
metadata: | ||
name: {{ include "ook.fullname" . }} | ||
spec: | ||
podSelector: | ||
matchLabels: | ||
{{- include "ook.selectorLabels" . | nindent 6 }} | ||
policyTypes: | ||
- Ingress | ||
ingress: | ||
# Allow inbound access from pods (in any namespace) labeled | ||
# gafaelfawr.lsst.io/ingress: true. | ||
- from: | ||
- namespaceSelector: {} | ||
podSelector: | ||
matchLabels: | ||
gafaelfawr.lsst.io/ingress: "true" | ||
ports: | ||
- protocol: "TCP" | ||
port: 8080 |
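Review bot: policyTypes lists only Ingress, so egress from the ook pods is unrestricted, and per the Deployment in this commit those pods hold ALGOLIA_API_KEY and OOK_GITHUB_APP_PRIVATE_KEY. Consider adding Egress to policyTypes with rules for what the service needs (Kafka and the schema registry in the sasquatch namespace, DNS, and outbound HTTPS) so a compromised pod cannot reach arbitrary in-cluster services. The metadata block is also missing the ook.labels include used by the other resources.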
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: {{ include "ook.fullname" . }} | ||
labels: | ||
{{- include "ook.labels" . | nindent 4 }} | ||
spec: | ||
type: {{ .Values.service.type }} | ||
ports: | ||
- port: {{ .Values.service.port }} | ||
targetPort: http | ||
protocol: TCP | ||
name: http | ||
selector: | ||
{{- include "ook.selectorLabels" . | nindent 4 }} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{{- if .Values.serviceAccount.create -}} | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ include "ook.serviceAccountName" . }} | ||
labels: | ||
{{- include "ook.labels" . | nindent 4 }} | ||
{{- with .Values.serviceAccount.annotations }} | ||
annotations: | ||
{{- toYaml . | nindent 4 }} | ||
{{- end }} | ||
{{- end }} |
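Review bot: the ServiceAccount is created with the default token automount, and none of the templates shown in this commit bind a Role to it or show the pod calling the Kubernetes API. Add automountServiceAccountToken: false at the top level of this ServiceAccount so the pod does not carry an API token it has no use for; it can be re-enabled explicitly if a later change needs API access.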
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: "{{ include "ook.fullname" . }}-test-connection" | ||
labels: | ||
{{- include "ook.labels" . | nindent 4 }} | ||
annotations: | ||
"helm.sh/hook": test | ||
spec: | ||
containers: | ||
- name: wget | ||
image: busybox | ||
command: ['wget'] | ||
args: ['{{ include "ook.fullname" . }}:{{ .Values.service.port }}'] | ||
restartPolicy: Never |
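Review bot: this test cannot reach the service on a cluster that enforces NetworkPolicy. The policy in this commit admits traffic to port 8080 only from pods labeled gafaelfawr.lsst.io/ingress: "true", and the test pod carries only ook.labels, so the wget is dropped. Because ook.labels includes the selector labels, the test pod is also matched by that NetworkPolicy's podSelector and by the Service selector; give it its own labels. Also pin image: busybox to a tag or digest, and add the securityContext the Deployment uses (runAsNonRoot, dropped capabilities, allowPrivilegeEscalation: false) so the hook passes the same admission rules as the main pod.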