k8s branch clean up

.github/workflows/workflow-docker.yaml

@@ -2,6 +2,8 @@ name: Run CI/CD Workflow
 
 on:
   push:
+    paths-ignore:
+      - "k8s/**"
   workflow_dispatch:
 
 jobs:
@@ -14,4 +16,3 @@ jobs:
       repo_project: "rcsb"
       docker_image_name: "rcsb-chemsearch"
       docker_build_context: "."
-      mainline_branch: "k8s-staging"

k8s/helm/Chart.yaml

@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "latest"
+appVersion: "1.0.0"
 
 icon: https://cdn.rcsb.org/rcsb-pdb/v2/common/images/rcsb_logo.png

k8s/helm/templates/_helpers.tpl

@@ -3,7 +3,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "chemsearch.fullname" -}}
+{{- define "helm_chart.fullname" -}}
 {{- if contains .Chart.Name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -14,16 +14,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "chemsearch.chart" -}}
+{{- define "helm_chart.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "chemsearch.labels" -}}
-helm.sh/chart: {{ include "chemsearch.chart" . }}
-{{ include "chemsearch.selectorLabels" . }}
+{{- define "helm_chart.labels" -}}
+helm.sh/chart: {{ include "helm_chart.chart" . }}
+{{ include "helm_chart.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -33,14 +33,21 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "chemsearch.selectorLabels" -}}
+{{- define "helm_chart.selectorLabels" -}}
 app.kubernetes.io/name: {{ .Chart.Name }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
-ConfigMap resource name. Ensure names conform to character limits in Kubernetes
+Persistent volume name. Utilize namespace aware naming to allow deployments of cluster resources for different environments.
 */}}
-{{- define "chemsearch.configmapName" -}}
-{{- printf "%s-config" (include "chemsearch.fullname" . | trunc 56 | trimSuffix "-") }}
+{{- define "helm_chart.pvname" -}}
+{{- printf "%s-%s" .Release.Namespace .Chart.Name | trunc 63 | trimSuffix "-" }}
 {{- end }}
+
+{{/*
+ConfigMap resource name. Ensure names conform to character limits in Kubernetes
+*/}}
+{{- define "helm_chart.configmapName" -}}
+{{- printf "%s-config" (include "helm_chart.fullname" . | trunc 56 | trimSuffix "-") }}
+{{- end }}

k8s/helm/templates/deployment.yaml

@@ -3,17 +3,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "chemsearch.fullname" $ }}-{{ . }}
+  name: {{ include "helm_chart.fullname" $ }}-{{ . }}
   labels:
-    {{- include "chemsearch.labels" $ | nindent 4 }}
+    {{- include "helm_chart.labels" $ | nindent 4 }}
     rcsb.org/path: {{ . | quote }}
 spec:
-  {{- if not $.Values.autoscaling.enabled }}
   replicas: {{ $.Values.replicaCount }}
-  {{- end }}
+  revisionHistoryLimit: {{ $.Values.revisionHistoryLimit}}
   selector:
     matchLabels:
-      {{- include "chemsearch.selectorLabels" $ | nindent 6 }}
+      {{- include "helm_chart.selectorLabels" $ | nindent 6 }}
       rcsb.org/path: {{ . | quote }}
   strategy:
     type: {{ $.Values.deploymentStrategy.type }}
@@ -25,7 +24,7 @@ spec:
   template:
     metadata:
       labels:
-        {{- include "chemsearch.selectorLabels" $ | nindent 8 }}
+        {{- include "helm_chart.selectorLabels" $ | nindent 8 }}
         rcsb.org/path: {{ . | quote }}
     spec:
       affinity:
@@ -34,7 +33,7 @@ spec:
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    {{- include "chemsearch.selectorLabels" $ | nindent 20 }}
+                    {{- include "helm_chart.selectorLabels" $ | nindent 20 }}
                 topologyKey: kubernetes.io/hostname
               weight: 1
       imagePullSecrets:
@@ -43,24 +42,27 @@ spec:
         {{- toYaml $.Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ $.Chart.Name }}
-          securityContext:
-            {{- toYaml $.Values.securityContext | nindent 12 }}
           image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default $.Chart.AppVersion }}"
           imagePullPolicy: {{ $.Values.image.pullPolicy }}
+          securityContext:
+            {{- toYaml $.Values.containerSecurityContext | nindent 12 }}
           ports:
-            - name: http
-              containerPort: 8000
+            - containerPort: {{ $.Values.service.containerPort }}
               protocol: TCP
           livenessProbe:
-            initialDelaySeconds: {{ $.Values.initialDelaySeconds }}
+            initialDelaySeconds: {{ $.Values.initialLivenessDelaySeconds }}
+            failureThreshold: {{ $.Values.livenessProbe.failureThreshold }}
+            periodSeconds: {{ $.Values.livenessProbe.periodSeconds }}
             httpGet:
-              path: /alive
-              port: http
+              path: {{ $.Values.livenessProbe.http.path }}
+              port: {{ $.Values.service.containerPort }}
           readinessProbe:
-            initialDelaySeconds: {{ $.Values.initialDelaySeconds }}
+            initialDelaySeconds: {{ $.Values.initialReadinessDelaySeconds }}
+            failureThreshold: {{ $.Values.readinessProbe.failureThreshold }}
+            periodSeconds: {{ $.Values.readinessProbe.periodSeconds }}
             httpGet:
-              path: /alive
-              port: http
+              path: {{ $.Values.readinessProbe.http.path }}
+              port: {{ $.Values.service.containerPort }}
           env:
             {{- with $.Values.podEnvVars }}
             {{- toYaml . | nindent 12 }}
@@ -77,7 +79,7 @@ spec:
               readOnly: true
             {{- end }}
           {{- end }}
-      {{- if $.Values.useSecretsVolume }}
+          {{- if $.Values.useSecretsVolume }}
       volumes:
         {{- range $.Values.secretVolumes }}
           - name: {{ .name | quote }}

k8s/helm/templates/externalSecrets.yaml

@@ -2,7 +2,7 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: {{ include "chemsearch.fullname" . }}
+  name: {{ include "helm_chart.fullname" . }}
 spec:
   refreshInterval: 15s
   secretStoreRef:

k8s/helm/templates/service.yaml

@@ -3,36 +3,35 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "chemsearch.fullname" $ }}-{{ . }}
+  name: {{ include "helm_chart.fullname" $ }}-{{ . }}
   labels:
-    {{- include "chemsearch.labels" $ | nindent 4 }}
+    {{- include "helm_chart.labels" $ | nindent 4 }}
     rcsb.org/path: {{ . | quote }}
 spec:
   type: {{ $.Values.service.type }}
   ports:
     - port: {{ $.Values.service.port }}
-      targetPort: http
+      targetPort: {{ $.Values.service.containerPort }}
       protocol: TCP
       name: http
   selector:
-    {{- include "chemsearch.selectorLabels" $ | nindent 4 }}
+    {{- include "helm_chart.selectorLabels" $ | nindent 4 }}
     rcsb.org/path: {{ . | quote }}
 {{- end }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "chemsearch.fullname" . }}
+  name: {{ include "helm_chart.fullname" . }}
   annotations:
     rcsb.org/path-operator-managed: "true"
   labels:
-    {{- include "chemsearch.labels" . | nindent 4 }}
+    {{- include "helm_chart.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: http
+      targetPort: {{ .Values.service.containerPort }}
       protocol: TCP
-      name: http
   selector:
-    {{- include "chemsearch.selectorLabels" . | nindent 4 }}
+    {{- include "helm_chart.selectorLabels" . | nindent 4 }}

k8s/helm/values/production.yaml

@@ -1,14 +1,37 @@
-replicaCount: 2
+# Default values for prerelease.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
 
+replicaCount: 2
+revisionHistoryLimit: 3
+
 # vaultSecretStoreName is the name of the ClusterSecretStore resource to pull secret credentials
 vaultSecretStoreName: "rcsb-vault"
 
+# Define container liveness and readiness checks
+# A Pod is considered "live" when it is able to respond to client requests.
+# A Pod is considered "ready" when it has completed initialization and should be one of the backends for a K8s Service resource.
+livenessProbe:
+  enable: false
+  initialDelaySeconds: 30
+  periodSeconds: 30
+  failureThreshold: 6
+  http:
+    path: /
+readinessProbe:
+  enable: false
+  initialDelaySeconds: 30
+  periodSeconds: 30
+  failureThreshold: 6
+  http:
+    path: /api/alive
+
+
 image:
   repository: "harbor.devops.k8s.rcsb.org/rcsb/rcsb-chemsearch"
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
   tag: "production"
 
-initialDelaySeconds: 300
 imagePullSecrets: "harbor-docker-registry-conf"
 
 deploymentStrategy:
@@ -22,28 +45,20 @@ deploymentStrategy:
 
 podSecurityContext:
   fsGroup: 1000
-
-securityContext:
-  capabilities:
-    drop:
-      - ALL
-  readOnlyRootFilesystem: false
   runAsNonRoot: true
   runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: RuntimeDefault
+
+containerSecurityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
 
 service:
   type: ClusterIP
   port: 80
-
-ingress:
-  enabled: true
-  className: "haproxy"
-  annotations:
-    cert-manager.io/cluster-issuer: rutgers-acme
-    kubernetes.io/tls-acme: "true"
-  host: chemsearch.west.k8s.rcsb.org
-  path: /
-  pathType: ImplementationSpecific
+  containerPort: 8000
 
 resources:
   limits: