Merge pull request #2349 from lsst-sqre/tickets/DM-40060a
DM-40060: Add explicit Nublado setting for internal database
rra authored Jul 25, 2023
2 parents fde8592 + 654419b commit bb213c1
Showing 57 changed files with 67 additions and 56 deletions.
4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos:
- -c=.yamllint.yml

- repo: https://github.com/norwoodj/helm-docs
rev: v1.11.0
rev: v1.11.1
hooks:
- id: helm-docs
args:
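Review bot: both `rev` pins in this file (helm-docs `v1.11.1` here, ruff `v0.0.280` in the next hunk) are git tags, which the upstream project can move or delete, so a hook that runs on every developer's machine and in CI is pinned only by a mutable name; run `pre-commit autoupdate --freeze` so that `rev` holds the tag's commit SHA with the tag kept in a trailing comment (the form is `rev: <sha>  # frozen: v1.11.1`, with `<sha>` standing for the resolved commit). Note also that the helm-docs bump appears to be what regenerated the 50-odd README.md files in this commit, while the commit message mentions only the Nublado setting; a sentence saying the READMEs were regenerated with helm-docs 1.11.1 would save the next reader from hunting for a real change in them.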
@@ -24,7 +24,7 @@ repos:
- --document-dependency-values=true

- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.0.278
rev: v0.0.280
hooks:
- id: ruff
args: [--fix, --exit-non-zero-on-fix]
2 changes: 1 addition & 1 deletion applications/alert-stream-broker/README.md
@@ -107,4 +107,4 @@ Alert transmission to community brokers
| alert-stream-simulator.replayTopicReplicas | int | `2` | |
| alert-stream-simulator.schemaID | int | `1` | Integer ID to use in the prefix of alert data packets. This should be a valid Confluent Schema Registry ID associated with the schema used. |
| alert-stream-simulator.staticTopicName | string | `"alerts-static"` | Name of the topic which will hold a static single visit of sample data. |
| alert-stream-simulator.strimziAPIVersion | string | `"v1beta2"` | API version of the Strimzi installation's custom resource definitions |
| alert-stream-simulator.strimziAPIVersion | string | `"v1beta2"` | API version of the Strimzi installation's custom resource definitions |
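Review bot: the removed and added `strimziAPIVersion` rows are byte-identical as rendered, so this hunk (and the matching last-line hunk in every other README.md in this commit) is a whitespace-only change, presumably the trailing newline at end of file that the newer helm-docs emits differently. Nothing to fix in the content, but it is worth stating in the PR description that the README diffs are generated noise so reviewers can skip them, and it would be cleaner to land the tool bump and regeneration as a separate commit from the Nublado setting.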

@@ -38,4 +38,4 @@ Archival database of alerts sent through the alert stream.
| server.serviceAccountName | string | `"alertdb-reader"` | The name of the Kubernetes ServiceAccount (*not* the Google Cloud IAM service account!) which is used by the alert database server. |
| storage.gcp.alertBucket | string | `""` | Name of a Google Cloud Storage bucket in GCP with alert data |
| storage.gcp.project | string | `""` | Name of a GCP project that has a bucket for database storage |
| storage.gcp.schemaBucket | string | `""` | Name of a Google Cloud Storage bucket in GCP with schema data |
| storage.gcp.schemaBucket | string | `""` | Name of a Google Cloud Storage bucket in GCP with schema data |

@@ -38,4 +38,4 @@ Kafka broker cluster for distributing alerts
| vaultSecretsPath | string | `""` | Path to the secret resource in Vault |
| zookeeper.replicas | int | `3` | Number of Zookeeper replicas to run. |
| zookeeper.storage.size | string | `"1000Gi"` | Size of the backing storage disk for each of the Zookeeper instances. |
| zookeeper.storage.storageClassName | string | `"standard"` | Name of a StorageClass to use when requesting persistent volumes. |
| zookeeper.storage.storageClassName | string | `"standard"` | Name of a StorageClass to use when requesting persistent volumes. |

@@ -15,4 +15,4 @@ Confluent Schema Registry for managing schema versions for the Alert Stream
| schemaSync.image.tag | string | `"tickets-DM-32743"` | Version of the container to use |
| schemaSync.subject | string | `"alert-packet"` | Subject name to use when inserting data into the Schema Registry |
| schemaTopic | string | `"registry-schemas"` | Name of the topic used by the Schema Registry to store data. |
| strimziAPIVersion | string | `"v1beta2"` | Version of the Strimzi Custom Resource API. The correct value depends on the deployed version of Strimzi. See [this blog post](https://strimzi.io/blog/2021/04/29/api-conversion/) for more. |
| strimziAPIVersion | string | `"v1beta2"` | Version of the Strimzi Custom Resource API. The correct value depends on the deployed version of Strimzi. See [this blog post](https://strimzi.io/blog/2021/04/29/api-conversion/) for more. |

@@ -22,4 +22,4 @@ Producer which repeatedly publishes a static set of alerts into a Kafka topic
| replayTopicReplicas | int | `2` | |
| schemaID | int | `1` | Integer ID to use in the prefix of alert data packets. This should be a valid Confluent Schema Registry ID associated with the schema used. |
| staticTopicName | string | `"alerts-static"` | Name of the topic which will hold a static single visit of sample data. |
| strimziAPIVersion | string | `"v1beta2"` | API version of the Strimzi installation's custom resource definitions |
| strimziAPIVersion | string | `"v1beta2"` | API version of the Strimzi installation's custom resource definitions |
2 changes: 1 addition & 1 deletion applications/argo-workflows/README.md
@@ -22,4 +22,4 @@ Kubernetes workflow engine
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
| ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/$2"` | |
| ingress.annotations."nginx.ingress.kubernetes.io/use-regex" | string | `"true"` | |
| ingress.scopes[0] | string | `"exec:admin"` | |
| ingress.scopes[0] | string | `"exec:admin"` | |
2 changes: 1 addition & 1 deletion applications/argocd/README.md
@@ -30,4 +30,4 @@ Kubernetes application manager
| argo-cd.server.ingress.pathType | string | `"ImplementationSpecific"` | Type of path expression for Argo CD ingress |
| argo-cd.server.ingress.paths | list | `["/argo-cd(/|$)(.*)"]` | Paths to route to Argo CD |
| argo-cd.server.metrics.enabled | bool | `true` | Enable server metrics service |
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
2 changes: 1 addition & 1 deletion applications/cachemachine/README.md
@@ -28,4 +28,4 @@ JupyterLab image prepuller
| serviceAccount | object | `{"annotations":{},"name":""}` | Secret names to use for all Docker pulls |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.name | string | Name based on the fullname template | Name of the service account to use |
| tolerations | list | `[]` | Tolerations for the cachemachine frontend pod |
| tolerations | list | `[]` | Tolerations for the cachemachine frontend pod |
2 changes: 1 addition & 1 deletion applications/cert-manager/README.md
@@ -20,4 +20,4 @@ TLS certificate manager
| config.email | string | sqre-admin | Contact email address registered with Let's Encrypt |
| config.route53.awsAccessKeyId | string | None, must be set if `createIssuer` is true | AWS access key ID for Route 53 (must match `aws-secret-access-key` in Vault secret referenced by `config.vaultSecretPath`) |
| config.route53.hostedZone | string | None, must be set if `createIssuer` is true | Route 53 hosted zone in which to create challenge records |
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
2 changes: 1 addition & 1 deletion applications/datalinker/README.md
@@ -30,4 +30,4 @@ IVOA DataLink-based service and data discovery
| podAnnotations | object | `{}` | Annotations for the datalinker deployment pod |
| replicaCount | int | `1` | Number of web deployment pods to start |
| resources | object | `{}` | Resource limits and requests for the datalinker deployment pod |
| tolerations | list | `[]` | Tolerations for the datalinker deployment pod |
| tolerations | list | `[]` | Tolerations for the datalinker deployment pod |
2 changes: 1 addition & 1 deletion applications/exposurelog/README.md
@@ -47,4 +47,4 @@ Log messages related to an exposure
| replicaCount | int | `1` | How many exposurelog pods to run |
| resources | object | `{}` | Resource limits and requests for the exposurelog pod |
| securityContext | object | `{}` | Security context for the exposurelog deployment |
| tolerations | list | `[]` | Tolerations for the exposurelog pod |
| tolerations | list | `[]` | Tolerations for the exposurelog pod |
2 changes: 1 addition & 1 deletion applications/gafaelfawr/README.md
@@ -110,4 +110,4 @@ Authentication and identity system
| redis.tolerations | list | `[]` | Tolerations for the Redis pod |
| replicaCount | int | `1` | Number of web frontend pods to start |
| resources | object | `{}` | Resource limits and requests for the Gafaelfawr frontend pod |
| tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod |
| tolerations | list | `[]` | Tolerations for the Gafaelfawr frontend pod |
2 changes: 1 addition & 1 deletion applications/giftless/README.md
@@ -30,4 +30,4 @@ Git-LFS server with GCS S3 backend, with Rubin-specific auth
| server.debug | bool | `false` | Turn on debugging mode |
| server.processes | int | `2` | Number of processes for server |
| server.threads | int | `2` | Number of threads per process |
| tolerations | list | `[]` | Tolerations for the giftless frontend pod |
| tolerations | list | `[]` | Tolerations for the giftless frontend pod |
2 changes: 1 addition & 1 deletion applications/hips/README.md
@@ -29,4 +29,4 @@ HiPS tile server backed by Google Cloud Storage
| podAnnotations | object | `{}` | Annotations for the hips deployment pod |
| replicaCount | int | `1` | Number of web deployment pods to start |
| resources | object | `{}` | Resource limits and requests for the hips deployment pod |
| tolerations | list | `[]` | Tolerations for the hips deployment pod |
| tolerations | list | `[]` | Tolerations for the hips deployment pod |
2 changes: 1 addition & 1 deletion applications/ingress-nginx/README.md
@@ -21,4 +21,4 @@ Ingress controller
| ingress-nginx.controller.metrics.enabled | bool | `true` | Enable metrics reporting via Prometheus |
| ingress-nginx.controller.podLabels | object | See `values.yaml` | Add labels used by `NetworkPolicy` objects to restrict access to the ingress and thus ensure that auth subrequest handlers run |
| ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | Force traffic routing policy to Local so that the external IP in `X-Forwarded-For` will be correct |
| vaultCertificate.enabled | bool | `false` | Whether to store ingress TLS certificate via vault-secrets-operator. Typically "squareone" owns it instead in an RSP. |
| vaultCertificate.enabled | bool | `false` | Whether to store ingress TLS certificate via vault-secrets-operator. Typically "squareone" owns it instead in an RSP. |
2 changes: 1 addition & 1 deletion applications/kubernetes-replicator/README.md
@@ -25,4 +25,4 @@ Kafka secret replicator
| kubernetes-replicator.serviceAccount.privileges[0].apiGroups[1] | string | `"apps"` | |
| kubernetes-replicator.serviceAccount.privileges[0].apiGroups[2] | string | `"extensions"` | |
| kubernetes-replicator.serviceAccount.privileges[0].resources[0] | string | `"secrets"` | |
| kubernetes-replicator.serviceAccount.privileges[0].resources[1] | string | `"configmaps"` | |
| kubernetes-replicator.serviceAccount.privileges[0].resources[1] | string | `"configmaps"` | |
2 changes: 1 addition & 1 deletion applications/linters/README.md
@@ -24,4 +24,4 @@ Linters running for operational reasons
| podAnnotations | object | `{}` | Annotations for the linter pod |
| replicaCount | int | `1` | Number of web frontend pods to start |
| resources | object | `{}` | Resource limits and requests for the linter pod |
| tolerations | list | `[]` | Tolerations for the linter pod |
| tolerations | list | `[]` | Tolerations for the linter pod |
2 changes: 1 addition & 1 deletion applications/livetap/README.md
@@ -62,4 +62,4 @@ IVOA TAP service
| uws.podAnnotations | object | `{}` | Annotations for the UWS databse pod |
| uws.resources | object | `{}` | Resource limits and requests for the UWS database pod |
| uws.tolerations | list | `[]` | Tolerations for the UWS database pod |
| vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator/<host>/tap`, for example) |
| vaultSecretsPath | string | None, must be set | Path to the Vault secret (`secret/k8s_operator/<host>/tap`, for example) |
2 changes: 1 addition & 1 deletion applications/mobu/README.md
@@ -27,4 +27,4 @@ Continuous integration testing
| nodeSelector | object | `{}` | Node selector rules for the mobu frontend pod |
| podAnnotations | object | `{}` | Annotations for the mobu frontend pod |
| resources | object | `{}` | Resource limits and requests for the mobu frontend pod |
| tolerations | list | `[]` | Tolerations for the mobu frontend pod |
| tolerations | list | `[]` | Tolerations for the mobu frontend pod |
2 changes: 1 addition & 1 deletion applications/moneypenny/README.md
@@ -31,4 +31,4 @@ User provisioning actions
| replicaCount | int | `1` | Number of pods to start |
| resources | object | `{}` | Resource limits and requests for the vo-cutouts frontend pod |
| serviceAccount.name | string | Name based on the fullname template | Name of the service account to use |
| tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod |
| tolerations | list | `[]` | Tolerations for the vo-cutouts frontend pod |
2 changes: 1 addition & 1 deletion applications/narrativelog/README.md
@@ -38,4 +38,4 @@ Narrative log service
| replicaCount | int | `1` | Number of narrativelog replicas to run |
| resources | object | `{}` | Resource limits and requests for the narrativelog pod |
| securityContext | object | `{}` | Security context for the narrativelog deployment |
| tolerations | list | `[]` | Tolerations for the narrativelog pod |
| tolerations | list | `[]` | Tolerations for the narrativelog pod |
2 changes: 1 addition & 1 deletion applications/noteburst/README.md
@@ -56,4 +56,4 @@ Noteburst is a notebook execution service for the Rubin Science Platform.
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | |
| tolerations | list | `[]` | |
| tolerations | list | `[]` | |
3 changes: 2 additions & 1 deletion applications/nublado/README.md
@@ -50,6 +50,7 @@ JupyterHub and custom spawner for the Rubin Science Platform
| global.baseUrl | string | Set by Argo CD | Base URL for the environment |
| global.host | string | Set by Argo CD | Host name for ingress |
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
| hub.internalDatabase | bool | `true` | Whether to use the cluster-internal PostgreSQL server instead of an external server. This is not used directly by the Nublado chart, but controls how the database password is managed. |
| hub.timeout.spawn | int | `600` | Timeout for the Kubernetes spawn process in seconds. (Allow long enough to pull uncached images if needed.) |
| hub.timeout.startup | int | `90` | Timeout for JupyterLab to start. Currently this sometimes takes over 60 seconds for reasons we don't understand. |
| jupyterhub.cull.enabled | bool | `true` | Enable the lab culler. |
@@ -83,4 +84,4 @@ JupyterHub and custom spawner for the Rubin Science Platform
| jupyterhub.singleuser.cloudMetadata.blockWithIptables | bool | `false` | Whether to configure iptables to block cloud metadata endpoints. This is unnecessary in our environments (they are blocked by cluster configuration) and thus is disabled to reduce complexity. |
| jupyterhub.singleuser.cmd | string | `"/opt/lsst/software/jupyterlab/runlab.sh"` | Start command for labs |
| jupyterhub.singleuser.defaultUrl | string | `"/lab"` | Default URL prefix for lab endpoints |
| proxy.ingress.annotations | object | Increase `proxy-read-timeout` and `proxy-send-timeout` to 5m | Additional annotations to add to the proxy ingress (also used to talk to JupyterHub and all user labs) |
| proxy.ingress.annotations | object | Increase `proxy-read-timeout` and `proxy-send-timeout` to 5m | Additional annotations to add to the proxy ingress (also used to talk to JupyterHub and all user labs) |
5 changes: 5 additions & 0 deletions applications/nublado/values.yaml
@@ -257,6 +257,11 @@ controller:
# JupyterHub configuration handled directly by this chart rather than by Zero
# to JupyterHub.
hub:
# -- Whether to use the cluster-internal PostgreSQL server instead of an
# external server. This is not used directly by the Nublado chart, but
# controls how the database password is managed.
internalDatabase: true

timeout:
# -- Timeout for the Kubernetes spawn process in seconds. (Allow long
# enough to pull uncached images if needed.)
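Review bot: the comment says `internalDatabase` is not read by this chart but "controls how the database password is managed", without naming what does read it; because the key sits under the `hub:` block that the file introduces as "JupyterHub configuration handled directly by this chart", an operator will reasonably look for a template that consumes it and find none. Name the consumer in the `# --` comment (which helm-docs then carries into the README row), for example `# Read by the tooling that manages secrets, not by any template in this chart.` if that is what reads it. Also, the default `true` means every environment that points the hub at an external PostgreSQL server must override this to `false` in its own values file or its password will be handled as if the server were internal; none of the hunks shown touch per-environment values, so please confirm those overrides are in place before this merges.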
3 changes: 2 additions & 1 deletion applications/nublado2/README.md
@@ -15,6 +15,7 @@ JupyterHub for the Rubin Science Platform
| config.base_url | string | `""` | base_url must be set in each instantiation of this chart to the URL of the primary ingress. It's used to construct API requests to the authentication service (which should go through the ingress). |
| config.butler_secret_path | string | `""` | butler_secret_path must be set here, because it's passed through to the lab rather than being part of the Hub configuration. |
| config.cachemachine_image_policy | string | `"available"` | Cachemachine image policy: "available" or "desired". Use "desired" at instances with streaming image support. |
| config.internalDatabase | bool | `true` | Whether to use the cluster-internal PostgreSQL server instead of an external server. This is not used directly by the Nublado chart, but controls how the database password is managed. |
| config.lab_environment | object | See `values.yaml` | Environment variables to set in spawned lab containers. Each value will be expanded using Jinja 2 templating. |
| config.pinned_images | list | `[]` | images to pin to spawner menu |
| config.pull_secret_path | string | `""` | pull_secret_path must also be set here; it specifies resources in the lab namespace |
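Review bot: the description for `config.internalDatabase` says "not used directly by the Nublado chart", but this table documents the nublado2 chart; the text was evidently copied from applications/nublado. Since helm-docs regenerates this table from the `# --` comment in values.yaml, fix the wording there rather than by hand here.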
@@ -115,4 +116,4 @@ JupyterHub for the Rubin Science Platform
| jupyterhub.singleuser.storage.extraVolumes[6].configMap.name | string | `"group"` | |
| jupyterhub.singleuser.storage.extraVolumes[6].name | string | `"group"` | |
| jupyterhub.singleuser.storage.type | string | `"none"` | |
| network_policy.enabled | bool | `true` | |
| network_policy.enabled | bool | `true` | |
4 changes: 4 additions & 0 deletions applications/nublado2/values.yaml
@@ -178,6 +178,10 @@ jupyterhub:
enabled: false

config:
# -- Whether to use the cluster-internal PostgreSQL server instead of an
# external server. This is not used directly by the Nublado chart, but
# controls how the database password is managed.
internalDatabase: true
# -- base_url must be set in each instantiation of this chart to the URL of
# the primary ingress. It's used to construct API requests to the
# authentication service (which should go through the ingress).
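Review bot: `internalDatabase` is the only camelCase key under `config:`; its siblings are `base_url`, `butler_secret_path`, `cachemachine_image_policy`, `lab_environment`, `pinned_images` and `pull_secret_path`. If the name must match the nublado chart's `hub.internalDatabase` so that one external consumer can read both charts with the same key, say so in the comment; otherwise `internal_database` would follow this block's convention. The comment also says "the Nublado chart" inside the nublado2 chart's values file; adjust it along with the naming.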
2 changes: 1 addition & 1 deletion applications/obsloctap/README.md
@@ -20,4 +20,4 @@ Publish observing schedule
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the obsloctap image |
| image.repository | string | `"ghcr.io/lsst-dm/obsloctap"` | obsloctap image to use |
| image.tag | string | The appVersion of the chart | Tag of obsloctap image to use |
| ingress.annotations | object | `{}` | Additional annotations to add to the ingress |
| ingress.annotations | object | `{}` | Additional annotations to add to the ingress |
2 changes: 1 addition & 1 deletion applications/ook/README.md
@@ -37,4 +37,4 @@ Ook is the librarian service for Rubin Observatory. Ook indexes documentation co
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | |
| tolerations | list | `[]` | |
| tolerations | list | `[]` | |
2 changes: 1 addition & 1 deletion applications/plot-navigator/README.md
@@ -19,4 +19,4 @@ Panel-based plot viewer
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
| image.repository | string | `"ghcr.io/lsst-dm/pipetask-plot-navigator"` | plot-navigator image to use |
| image.tag | string | `""` | |
| ingress.annotations | object | `{}` | Additional annotations to add to the ingress |
| ingress.annotations | object | `{}` | Additional annotations to add to the ingress |
2 changes: 1 addition & 1 deletion applications/portal/README.md
@@ -43,4 +43,4 @@ Rubin Science Platform Portal Aspect
| replicaCount | int | `1` | Number of pods to start |
| resources | object | `{"limits":{"cpu":2,"memory":"6Gi"}}` | Resource limits and requests. The Portal will use (by default) 93% of container RAM. This is a smallish Portal; tweak it as you need to in instance definitions in Phalanx. |
| securityContext | object | `{}` | Security context for the Portal pod |
| tolerations | list | `[]` | Tolerations for the Portal pod |
| tolerations | list | `[]` | Tolerations for the Portal pod |