Add the ook application

applications/ook/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: ook
+version: 1.0.0
+appVersion: "tickets-DM-39636"
+description: Ook is the librarian service for Rubin Observatory. Ook indexes documentation content into the Algolia search engine that powers the Rubin Observatory documentation portal, www.lsst.io.
+type: application
+home: https://ook.lsst.io/
+sources:
+  - https://github.com/lsst-sqre/ook
+maintainers:
+  - name: jonathansick
+    url: https://github.com/jonathansick

applications/ook/README.md

@@ -0,0 +1,40 @@
+# ook
+
+Ook is the librarian service for Rubin Observatory. Ook indexes documentation content into the Algolia search engine that powers the Rubin Observatory documentation portal, www.lsst.io.
+
+**Homepage:** <https://ook.lsst.io/>
+
+## Source Code
+
+* <https://github.com/lsst-sqre/ook>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| config.logLevel | string | `"INFO"` | Logging level: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" |
+| config.registryUrl | string | `"http://sasquatch-schema-registry.sasquatch:8081"` | Cluster URL for the Confluent Schema Registry |
+| config.subjectCompatibility | string | `"FORWARD"` | Schema subject compatibility. |
+| config.subjectSuffix | string | `""` | Schema subject suffix. Should be empty for production but can be set to a value to create unique subjects in the Confluent Schema Registry for testing. |
+| config.topics.ingest | string | `"lsst.square-events.ook.ingest"` | Kafka topic name for ingest events |
+| fullnameOverride | string | `""` | Override the full name for resources (includes the release name) |
+| global.baseUrl | string | Set by Argo CD | Base URL for the environment |
+| global.host | string | Set by Argo CD | Host name for ingress |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.repository | string | `"ghcr.io/lsst-sqre/ook"` | Squarebot image repository |
+| image.tag | string | The appVersion of the chart | Tag of the image |
+| imagePullSecrets | list | `[]` | Secret names to use for all Docker pulls |
+| ingress.annotations | object | `{}` | Additional annotations to add to the ingress |
+| ingress.path | string | `"/ook"` | Path prefix where Squarebot is hosted |
+| nameOverride | string | `""` | Override the base name for resources |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` | Annotations for API and worker pods |
+| replicaCount | int | `1` | Number of API pods to run |
+| resources | object | `{}` |  |
+| service.port | int | `80` | Port of the service to create and map to the ingress |
+| service.type | string | `"ClusterIP"` | Type of service to create |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` |  |
+| tolerations | list | `[]` |  |

applications/ook/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ook.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ook.labels" -}}
+helm.sh/chart: {{ include "ook.chart" . }}
+{{ include "ook.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ook.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ook.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ook.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

applications/ook/templates/configmap.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "ook.fullname" . }}
+  labels:
+    {{- include "ook.labels" . | nindent 4 }}
+data:
+  SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }}
+  SAFIR_PATH_PREFIX: {{ .Values.ingress.path | quote }}
+  SAFIR_ENVIRONMENT_URL: {{ .Values.global.baseUrl | quote }}
+  SAFIR_PROFILE: "production"
+  OOK_REGISTRY_URL: {{ .Values.config.registryUrl | quote }}
+  OOK_SUBJECT_SUFFIX: {{ .Values.config.subjectSuffix | quote }}
+  OOK_SUBJECT_COMPATIBILITY: {{ .Values.config.subjectCompatibility | quote }}
+  OOK_INGEST_KAFKA_TOPIC: {{ .Values.config.topics.ingest | quote }}
+  ALGOLIA_DOCUMENT_INDEX: "ook_documents_test"

applications/ook/templates/deployment.yaml

@@ -0,0 +1,139 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "ook.fullname" . }}
+  labels:
+    {{- include "ook.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "server"
+    app.kubernetes.io/part-of: "ook"
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "ook.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- with .Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "ook.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: "server"
+        app.kubernetes.io/part-of: "ook"
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "ook.serviceAccountName" . }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          envFrom:
+            - configMapRef:
+                name: {{ include "ook.fullname" . }}
+          env:
+            # Writeable directory for concatenating certs. See "tmp" volume.
+            - name: "KAFKA_CERT_TEMP_DIR"
+              value: "/tmp/kafka_certs"
+            # From KafkaAccess
+            - name: "KAFKA_BOOTSTRAP_SERVERS"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "ook.fullname" . }}-kafka
+                  key: "bootstrapServers"
+            - name: "KAFKA_SECURITY_PROTOCOL"
+              value: "SSL"
+            # From replicated KafkaUser secret
+            - name: "KAFKA_SSL_CLUSTER_CAFILE"
+              value: "/etc/kafkacluster/ca.crt"
+            - name: "KAFKA_SSL_CLIENT_CAFILE"
+              value: "/etc/kafkauser/ca.crt"
+            - name: "KAFKA_SSL_CLIENT_CERTFILE"
+              value: "/etc/kafkauser/user.crt"
+            - name: "KAFKA_SSL_CLIENT_KEYFILE"
+              value: "/etc/kafkauser/user.key"
+            # From Vault secrets
+            - name: "ALGOLIA_APP_ID"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "ook.fullname" . }}
+                  key: "ALGOLIA_APP_ID"
+            - name: "ALGOLIA_API_KEY"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "ook.fullname" . }}
+                  key: "ALGOLIA_API_KEY"
+            - name: "OOK_GITHUB_APP_ID"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "ook.fullname" . }}
+                  key: "OOK_GITHUB_APP_ID"
+            - name: "OOK_GITHUB_APP_PRIVATE_KEY"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "ook.fullname" . }}
+                  key: "OOK_GITHUB_APP_PRIVATE_KEY"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - name: "{{ template "ook.fullname" . }}"
+              mountPath: "/etc/kafkacluster/ca.crt"
+              subPath: "ca.crt"
+            - name: "kafka-user"
+              mountPath: "/etc/kafkauser/ca.crt"
+              subPath: "ca.crt"
+            - name: "kafka-user"
+              mountPath: "/etc/kafkauser/user.crt"
+              subPath: "user.crt"
+            - name: "kafka-user"
+              mountPath: "/etc/kafkauser/user.key"
+              subPath: "user.key"
+            - name: "tmp"
+              mountPath: "/tmp/kafka_certs"
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: "kafka-user"
+          secret:
+            secretName: {{ template "ook.fullname" . }}-kafka-user
+        - name: "{{ template "ook.fullname" . }}"
+          secret:
+            secretName: {{ template "ook.fullname" . }}
+        - name: "tmp"
+          emptyDir: {}

applications/ook/templates/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: gafaelfawr.lsst.io/v1alpha1
+kind: GafaelfawrIngress
+metadata:
+  name: {{ template "ook.fullname" . }}
+  labels:
+    {{- include "ook.labels" . | nindent 4 }}
+config:
+  baseUrl: {{ .Values.global.baseUrl | quote }}
+  scopes:
+    all:
+      - "exec:admin"
+  loginRedirect: true
+template:
+  metadata:
+    name: {{ template "ook.fullname" . }}
+    {{- with .Values.ingress.annotations }}
+    annotations:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  spec:
+    rules:
+      - host: {{ required "global.host must be set" .Values.global.host | quote }}
+        http:
+          paths:
+            - path: {{ .Values.ingress.path | quote }}
+              pathType: "Prefix"
+              backend:
+                service:
+                  name: {{ template "ook.fullname" . }}
+                  port:
+                    number: {{ .Values.service.port }}

applications/ook/templates/kafkaaccess.yaml

@@ -0,0 +1,14 @@
+apiVersion: access.strimzi.io/v1alpha1
+kind: KafkaAccess
+metadata:
+  name: {{ include "ook.fullname" . }}-kafka
+spec:
+  kafka:
+    name: sasquatch
+    namespace: sasquatch
+    listener: tls
+  user:
+    kind: KafkaUser
+    apiGroup: kafka.strimzi.io
+    name: ook
+    namespace: sasquatch

applications/ook/templates/kafkauser-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "ook.fullname" . }}-kafka-user
+  annotations:
+    replicator.v1.mittwald.de/replicate-from: sasquatch/ook
+    replicator.v1.mittwald.de/strip-labels: "true"
+data: {}

applications/ook/templates/networkpolicy.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "ook.fullname" . }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ook.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow inbound access from pods (in any namespace) labeled
+    # gafaelfawr.lsst.io/ingress: true.
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              gafaelfawr.lsst.io/ingress: "true"
+      ports:
+        - protocol: "TCP"
+          port: 8080

applications/ook/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "ook.fullname" . }}
+  labels:
+    {{- include "ook.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "ook.selectorLabels" . | nindent 4 }}

applications/ook/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "ook.serviceAccountName" . }}
+  labels:
+    {{- include "ook.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

applications/ook/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "ook.fullname" . }}-test-connection"
+  labels:
+    {{- include "ook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "ook.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never