diff --git a/.github/workflows/workflow-docker.yaml b/.github/workflows/workflow-docker.yaml
index ec63563..21c8f88 100644
--- a/.github/workflows/workflow-docker.yaml
+++ b/.github/workflows/workflow-docker.yaml
@@ -2,6 +2,8 @@ name: Run CI/CD Workflow on: push: + paths-ignore: + - "k8s/**" workflow_dispatch: jobs:
@@ -14,4 +16,3 @@ jobs: repo_project: "rcsb" docker_image_name: "rcsb-chemsearch" docker_build_context: "." - mainline_branch: "k8s-staging"
diff --git a/k8s/helm/Chart.yaml b/k8s/helm/Chart.yaml
index d448c81..352d4ce 100644
--- a/k8s/helm/Chart.yaml
+++ b/k8s/helm/Chart.yaml
@@ -15,12 +15,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "latest" +appVersion: "1.0.0" icon: https://cdn.rcsb.org/rcsb-pdb/v2/common/images/rcsb_logo.png
diff --git a/k8s/helm/templates/_helpers.tpl b/k8s/helm/templates/_helpers.tpl
index d808866..cf44da0 100644
--- a/k8s/helm/templates/_helpers.tpl
+++ b/k8s/helm/templates/_helpers.tpl
@@ -3,7 +3,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "chemsearch.fullname" -}} +{{- define "helm_chart.fullname" -}} {{- if contains .Chart.Name .Release.Name }} {{- .Release.Name | trunc 63 | trimSuffix "-" }} {{- else }}
@@ -14,16 +14,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "chemsearch.chart" -}} +{{- define "helm_chart.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "chemsearch.labels" -}} -helm.sh/chart: {{ include "chemsearch.chart" . }} -{{ include "chemsearch.selectorLabels" . }} +{{- define "helm_chart.labels" -}} +helm.sh/chart: {{ include "helm_chart.chart" . }} +{{ include "helm_chart.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }}
@@ -33,14 +33,21 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "chemsearch.selectorLabels" -}} +{{- define "helm_chart.selectorLabels" -}} app.kubernetes.io/name: {{ .Chart.Name }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* -ConfigMap resource name. Ensure names conform to character limits in Kubernetes +Persistent volume name. Utilize namespace aware naming to allow deployments of cluster resources for different environments. */}} -{{- define "chemsearch.configmapName" -}} -{{- printf "%s-config" (include "chemsearch.fullname" . | trunc 56 | trimSuffix "-") }} +{{- define "helm_chart.pvname" -}} +{{- printf "%s-%s" .Release.Namespace .Chart.Name | trunc 63 | trimSuffix "-" }} {{- end }} + +{{/* +ConfigMap resource name. Ensure names conform to character limits in Kubernetes +*/}} +{{- define "helm_chart.configmapName" -}} +{{- printf "%s-config" (include "helm_chart.fullname" . | trunc 56 | trimSuffix "-") }} +{{- end }}
\ No newline at end of file
diff --git a/k8s/helm/templates/configmap.yaml b/k8s/helm/templates/configmap.yaml
deleted file mode 100644
index 494f840..0000000
--- a/k8s/helm/templates/configmap.yaml
+++ /dev/null
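Review bot: `helm_chart.configmapName` is kept (only moved and renamed) in the last hunk of this file, but the only consumer visible in this diff, `templates/configmap.yaml`, is deleted a few hunks later; unless another template still includes it, the helper is now dead code and can go. The new `helm_chart.pvname` helper likewise has no caller anywhere in this diff, so a one-line comment such as `{{/* Used by the PersistentVolume template; safe to share across releases in one namespace because it is keyed on .Release.Namespace */}}` would tell the next reader why it exists, or it should be added together with that template. The rewrite also drops the file's trailing newline (`\ No newline at end of file`); restore it so the next edit does not show a spurious change on the last line.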
@@ -1,13 +0,0 @@ -{{- if .Values.useAppConfigs }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "chemsearch.configmapName" . }} - labels: - {{- include "chemsearch.labels" . | nindent 4 }} -data: -{{- range $file, $_ := .Values.appConfigs }} - {{ $file }}: | -{{ $_.value | indent 4 }} -{{- end -}} -{{- end }}
diff --git a/k8s/helm/templates/deployment.yaml b/k8s/helm/templates/deployment.yaml
index 220fbf1..497df67 100644
--- a/k8s/helm/templates/deployment.yaml
+++ b/k8s/helm/templates/deployment.yaml
@@ -3,17 +3,16 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "chemsearch.fullname" $ }}-{{ . }} + name: {{ include "helm_chart.fullname" $ }}-{{ . }} labels: - {{- include "chemsearch.labels" $ | nindent 4 }} + {{- include "helm_chart.labels" $ | nindent 4 }} rcsb.org/path: {{ . | quote }} spec: - {{- if not $.Values.autoscaling.enabled }} replicas: {{ $.Values.replicaCount }} - {{- end }} + revisionHistoryLimit: {{ $.Values.revisionHistoryLimit}} selector: matchLabels: - {{- include "chemsearch.selectorLabels" $ | nindent 6 }} + {{- include "helm_chart.selectorLabels" $ | nindent 6 }} rcsb.org/path: {{ . | quote }} strategy: type: {{ $.Values.deploymentStrategy.type }}
@@ -25,7 +24,7 @@ spec: template: metadata: labels: - {{- include "chemsearch.selectorLabels" $ | nindent 8 }} + {{- include "helm_chart.selectorLabels" $ | nindent 8 }} rcsb.org/path: {{ . | quote }} spec: affinity:
@@ -34,7 +33,7 @@ spec: - podAffinityTerm: labelSelector: matchLabels: - {{- include "chemsearch.selectorLabels" $ | nindent 20 }} + {{- include "helm_chart.selectorLabels" $ | nindent 20 }} topologyKey: kubernetes.io/hostname weight: 1 imagePullSecrets:
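Review bot: In the first deployment.yaml hunk, `revisionHistoryLimit: {{ $.Values.revisionHistoryLimit}}` is missing the space before the closing braces that every other action in this template has; write `revisionHistoryLimit: {{ $.Values.revisionHistoryLimit }}`. It renders identically, but the odd spacing defeats grep for the usual `}}` pattern and some template linters. Dropping the `autoscaling.enabled` guard around `replicas` is consistent with the HPA template being deleted in this diff, but any values file that still carries an `autoscaling` block (only production.yaml is visible here) is left with dead settings worth pruning. The enclosing `range` over paths that supplies `.` and `$` starts before this hunk.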
@@ -43,24 +42,27 @@ spec: {{- toYaml $.Values.podSecurityContext | nindent 8 }} containers: - name: {{ $.Chart.Name }} - securityContext: - {{- toYaml $.Values.securityContext | nindent 12 }} image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default $.Chart.AppVersion }}" imagePullPolicy: {{ $.Values.image.pullPolicy }} + securityContext: + {{- toYaml $.Values.containerSecurityContext | nindent 12 }} ports: - - name: http - containerPort: 8000 + - containerPort: {{ $.Values.service.containerPort }} protocol: TCP livenessProbe: - initialDelaySeconds: {{ $.Values.initialDelaySeconds }} + initialDelaySeconds: {{ $.Values.initialLivenessDelaySeconds }} + failureThreshold: {{ $.Values.livenessProbe.failureThreshold }} + periodSeconds: {{ $.Values.livenessProbe.periodSeconds }} httpGet: - path: /alive - port: http + path: {{ $.Values.livenessProbe.http.path }} + port: {{ $.Values.service.containerPort }} readinessProbe: - initialDelaySeconds: {{ $.Values.initialDelaySeconds }} + initialDelaySeconds: {{ $.Values.initialReadinessDelaySeconds }} + failureThreshold: {{ $.Values.readinessProbe.failureThreshold }} + periodSeconds: {{ $.Values.readinessProbe.periodSeconds }} httpGet: - path: {{ $.Values.readinessProbe.http.path }} + port: {{ $.Values.service.containerPort }} env: {{- with $.Values.podEnvVars }} {{- toYaml . | nindent 12 }}
@@ -77,7 +79,7 @@ spec: readOnly: true {{- end }} {{- end }} - {{- if $.Values.useSecretsVolume }} + {{- if $.Values.useSecretsVolume }} volumes: {{- range $.Values.secretVolumes }} - name: {{ .name | quote }}
diff --git a/k8s/helm/templates/externalSecrets.yaml b/k8s/helm/templates/externalSecrets.yaml
index 99eb369..8994778 100644
--- a/k8s/helm/templates/externalSecrets.yaml
+++ b/k8s/helm/templates/externalSecrets.yaml
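Review bot: The probes read `$.Values.initialLivenessDelaySeconds` and `$.Values.initialReadinessDelaySeconds`, but the production values changed in this same diff define `livenessProbe.initialDelaySeconds` and `readinessProbe.initialDelaySeconds` and remove the old top-level `initialDelaySeconds: 300`, so with those values the two fields render empty and Kubernetes falls back to its default of 0 (unless a values.yaml default not shown here defines the top-level keys). Read the nested keys like the sibling fields already do: `initialDelaySeconds: {{ $.Values.livenessProbe.initialDelaySeconds }}` and `initialDelaySeconds: {{ $.Values.readinessProbe.initialDelaySeconds }}`. The values also carry `livenessProbe.enable: false` and `readinessProbe.enable: false`, which nothing in this template consults; either wrap each probe in `{{- if $.Values.livenessProbe.enable }}` (and the readiness equivalent) or drop the keys so nobody believes they switch anything off. The container spec and its `env` block continue past the end of this hunk.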
@@ -2,7 +2,7 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: {{ include "chemsearch.fullname" . }} + name: {{ include "helm_chart.fullname" . }} spec: refreshInterval: 15s secretStoreRef:
diff --git a/k8s/helm/templates/hpa.yaml b/k8s/helm/templates/hpa.yaml
deleted file mode 100644
index e3e8210..0000000
--- a/k8s/helm/templates/hpa.yaml
+++ /dev/null
@@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "chemsearch.fullname" . }} - labels: - {{- include "chemsearch.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "chemsearch.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }}
diff --git a/k8s/helm/templates/ingress.yaml b/k8s/helm/templates/ingress.yaml
deleted file mode 100644
index 070fb68..0000000
--- a/k8s/helm/templates/ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@ -{{- if .Values.ingress.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ include "chemsearch.fullname" . }} - labels: - {{- include "chemsearch.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: {{ .Values.ingress.className }} - tls: - - hosts: - - {{ .Values.ingress.host | quote }} - secretName: {{ .Values.ingress.host }}-tls - rules: - - host: {{ .Values.ingress.host | quote }} - http: - paths: - - path: {{ .Values.ingress.path }} - pathType: {{ .Values.ingress.pathType }} - backend: - service: - name: "http" - port: - number: {{ .Values.service.port }} -{{- end }}
diff --git a/k8s/helm/templates/service.yaml b/k8s/helm/templates/service.yaml
index 4dabcbe..faf88db 100644
--- a/k8s/helm/templates/service.yaml
+++ b/k8s/helm/templates/service.yaml
@@ -3,36 +3,35 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "chemsearch.fullname" $ }}-{{ . }} + name: {{ include "helm_chart.fullname" $ }}-{{ . }} labels: - {{- include "chemsearch.labels" $ | nindent 4 }} + {{- include "helm_chart.labels" $ | nindent 4 }} rcsb.org/path: {{ . | quote }} spec: type: {{ $.Values.service.type }} ports: - port: {{ $.Values.service.port }} - targetPort: http + targetPort: {{ $.Values.service.containerPort }} protocol: TCP name: http selector: - {{- include "chemsearch.selectorLabels" $ | nindent 4 }} + {{- include "helm_chart.selectorLabels" $ | nindent 4 }} rcsb.org/path: {{ . | quote }} {{- end }} --- apiVersion: v1 kind: Service metadata: - name: {{ include "chemsearch.fullname" . }} + name: {{ include "helm_chart.fullname" . }} annotations: rcsb.org/path-operator-managed: "true" labels: - {{- include "chemsearch.labels" . | nindent 4 }} + {{- include "helm_chart.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: http + targetPort: {{ .Values.service.containerPort }} protocol: TCP - name: http selector: - {{- include "chemsearch.selectorLabels" . | nindent 4 }} + {{- include "helm_chart.selectorLabels" . | nindent 4 }}
diff --git a/k8s/helm/values/production.yaml b/k8s/helm/values/production.yaml
index c2b0999..0587748 100644
--- a/k8s/helm/values/production.yaml
+++ b/k8s/helm/values/production.yaml
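Review bot: The second Service in this hunk drops `name: http` from its single port while the per-path Services in the `range` above keep theirs, so the two resources now differ for no stated reason. A name is optional on a single port, but anything that addresses the port by name (monitoring scrape configs, the operator that reads `rcsb.org/path-operator-managed`) would stop matching only on this one Service; either keep `name: http` on both or remove it from both and say why in a comment. Both Services now render `targetPort: {{ .Values.service.containerPort }}`, so every values file used with this chart, not only production.yaml, has to define `service.containerPort` or the Service will point at an empty targetPort. The `range` that the first `{{- end }}` closes starts before this hunk.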
@@ -1,14 +1,37 @@ -replicaCount: 2 +# Default values for prerelease. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +replicaCount: 2 +revisionHistoryLimit: 3 + # vaultSecretStoreName is the name of the ClusterSecretStore resource to pull secret credentials vaultSecretStoreName: "rcsb-vault" +# Define container liveness and readiness checks +# A Pod is considered "live" when it is able to respond to client requests. +# A Pod is considered "ready" when it has completed initialization and should be one of the backends for a K8s Service resource. +livenessProbe: + enable: false + initialDelaySeconds: 30 + periodSeconds: 30 + failureThreshold: 6 + http: + path: / +readinessProbe: + enable: false + initialDelaySeconds: 30 + periodSeconds: 30 + failureThreshold: 6 + http: + path: /api/alive + + image: repository: "harbor.devops.k8s.rcsb.org/rcsb/rcsb-chemsearch" - pullPolicy: IfNotPresent + pullPolicy: Always tag: "production" -initialDelaySeconds: 300 imagePullSecrets: "harbor-docker-registry-conf" deploymentStrategy:
@@ -22,28 +45,20 @@ deploymentStrategy: podSecurityContext: fsGroup: 1000 - -securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: RuntimeDefault + +containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false service: type: ClusterIP port: 80 - -ingress: - enabled: true - className: "haproxy" - annotations: - cert-manager.io/cluster-issuer: rutgers-acme - kubernetes.io/tls-acme: "true" - host: chemsearch.west.k8s.rcsb.org - path: / - pathType: ImplementationSpecific + containerPort: 8000 resources: limits:
diff --git a/skaffold.yaml b/skaffold.yaml
deleted file mode 100644
index bc58f55..0000000
--- a/skaffold.yaml
+++ /dev/null
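Review bot: The new header in the first production.yaml hunk reads `# Default values for prerelease.` although the file is `values/production.yaml`; change it to `# Values for the production environment.` so the copy-paste origin does not mislead. `image.tag: "production"` is a mutable tag, and switching `pullPolicy` from `IfNotPresent` to `Always` means every pod restart re-resolves it, so what runs in production can change without any chart or values change; pinning an immutable tag or a digest, or at least a comment stating that the tag is expected to move, would make that trade-off explicit. The liveness path is `/` while readiness uses `/api/alive`, a departure from the previous template that probed `/alive` for both; if `/` serves the full application page, a failing or slow page under load will now restart pods, so a lightweight liveness endpoint is the safer choice.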
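Review bot: In the second production.yaml hunk the removed `securityContext` dropped every Linux capability (`capabilities: drop: [ALL]`), and the replacement `containerSecurityContext` adds `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` but does not carry that over, so the container now runs with the runtime's default capability set. Restore it under `containerSecurityContext` with `capabilities:` / `  drop:` / `    - ALL`; together with `runAsNonRoot`, `seccompProfile: RuntimeDefault` and the existing two fields that brings the pod to what the Pod Security `restricted` profile expects, which is worth checking against the rendered manifest. `readOnlyRootFilesystem` also flips from `false` to `true` here; confirm the application writes nothing under its root filesystem, or give it an emptyDir for any scratch directory, before this reaches production.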
@@ -1,34 +0,0 @@ -apiVersion: skaffold/v3 -kind: Config -profiles: - - name: dev - deploy: - helm: - flags: - upgrade: - - --install - releases: - - name: skaffold-chemsearch - chartPath: k8s/helm - - name: staging - deploy: - helm: - flags: - upgrade: - - --install - releases: - - name: skaffold-chemsearch - chartPath: k8s/helm - valuesFiles: - - k8s/helm/values/staging.yaml - - name: production - deploy: - helm: - flags: - upgrade: - - --install - releases: - - name: skaffold-chemsearch - chartPath: k8s/helm - valuesFiles: - - k8s/helm/values/production.yaml