Merge branch 'main' into features/helm-gcr

.github/workflows/helm-release.yml

@@ -4,54 +4,39 @@ on:
   push:
     branches:
       - main
+
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 ## REF: https://faun.pub/semantic-version-of-helm-charts-in-github-actions-using-conventional-commits-ce5e0a587ce8
 jobs:
   release:
+    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout source code                   # Checkout source code
-        uses: 'actions/checkout@v2'
+        uses: 'actions/checkout@v3'
         with:
           ref: ${{ github.ref }}
           fetch-depth: 0
+
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
-      - name: Get specific changed files                  # To check if any files changed in charts/pacman-rancher directory
-        id: changed-files-specific
-        uses: tj-actions/changed-files@v14.5
-        with:
-          since_last_remote_commit: true
-          files: |
-            charts/pacman-rancher/*
 
-      - name: Automated Version Bump                      # Bump version in package.json
-        if: steps.changed-files-specific.outputs.any_modified == 'true'
-        id: version-bump
-        uses: 'phips28/gh-action-bump-version@master'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PACKAGEJSON_DIR:  'charts/pacman-rancher'
-        with:
-          skip-tag:  'true'
-          commit-message: 'CI: Bump Helm chart version to {{version}}'
+      - name: Install Helm
+        uses: azure/setup-helm@v3
 
-      - name: update Chart.yaml                              # Update chart.yaml with new version and other fields
-        if: steps.changed-files-specific.outputs.any_modified == 'true'
-        working-directory: charts/pacman-rancher
-        run: |
-          sed -i'.oldVersion' -e "/^version:/s;[^ ]*$;${{ steps.version-bump.outputs.newTag }};" Chart.yaml
-          sed -i'.oldAppVersion' -e "/^appVersion:/s;[^ ]*$;${{ steps.version-bump.outputs.newTag }};" Chart.yaml
-
-      - name: commit the new Chart.yml                   # commit the new Chart.yaml to main branch
-        if: steps.changed-files-specific.outputs.any_modified == 'true'
-        uses: stefanzweifel/git-auto-commit-action@v4
-        with:
-          commit_message: Automated Change
 
       - name: Run chart-releaser
-        if: steps.changed-files-specific.outputs.any_modified == 'true'
-        uses: helm/chart-releaser-action@v1.4.0
+        uses: helm/chart-releaser-action@v1.5.0
         with:
           charts_dir: charts
         env:

Documentation/kubernetes.md

@@ -165,16 +165,6 @@ see the [nginx ingress docs](https://kubernetes.github.io/ingress-nginx/)
 The persistentvolumeClaim directory has a single resource definition aimed at
 telling the cluster to provision some storage use by the database container. 
 
-### security 
-
-The security directory contains some encrypted secrets that our application will
-use. Note that this example uses open encryption (anyone with openssl or a
-similar encryption tool can read the plain text values they hide). In a real
-production application, you would not upload secrets like this to a public git
-repository. Instead, you would use something called sealed-secrets to further
-control access to the hidden values.
-
-The rbac resource definition is not pertinent to our discussion.
 
 ### services 
 

Makefile

@@ -1,18 +1,11 @@
 SHELL := /usr/bin/env bash
 
-MONGODB_DATA_VOLUME := ./localdev/mongodb
 
-.PHONY:
-data_volume:
-	mkdir -p $(MONGODB_DATA_VOLUME)
-	chown -R 1001:1001 $(MONGODB_DATA_VOLUME)
-
-# use make docker-desktop for MAC, not yet tested on Linux
 .PHONY:
 docker-deskop:
 	docker volume create mongodb
 	docker-compose -f localdev/docker-compose.yml up
 
 .PHONY:
 clean:
-	rm -rf $(MONGODB_DATA_VOLUME)
+	docker volume rm mongodb

charts/pacman-rancher/Chart.yaml.oldVersion

@@ -3,4 +3,4 @@ name: pacman-rancher
 description: A Helm chart to provide pacman deployment.
 type: application
 version: 0.2.0
-appVersion: "0.0.6"
+appVersion: "0.0.7"

charts/pacman-rancher/README.md

@@ -4,5 +4,7 @@ helm chart for pacman
 This is the chart for deploying the austrian open cloud community version of 
 [pacman](https://github.com/AustrianDataLAB/pacman).
 
+Dont forget to configure the source branch of your github pages in Settings-Pages src-branch=gh-pages
+
 Note: for testing purposes the placeholder variable <your-host-name> must be
 replaced with a realistic value.

kind/Taskfile.yml

@@ -0,0 +1,48 @@
+
+version: '3'
+
+vars:
+  #KUBECONFIG: /home/runner/.kube/config
+  pacman: constanze
+
+tasks:
+  cluster:
+    cmds:
+      - kind create cluster 
+    silent: false
+
+
+  namespace:
+    cmds:
+      - kubectl create namespace {{.pacman}}
+    silent: false
+
+  envsubst:
+    cmds:
+      - |
+        export PACMAN="{{.pacman}}"
+        sed "s/\$pacman/$PACMAN/g" ../kubernetes/persistentvolumeclaim/mongo-pvc.txt.yaml > manifests/mongo-pvc.yaml
+        sed "s/\$pacman/$PACMAN/g" ../kubernetes/security/secret.txt.yaml > manifests/secret.yaml
+    silent: false
+
+  deploy-manifests:
+    cmds:
+      - for i in manifests/*; do kubectl apply -f $i -n {{.pacman}}; done
+
+  delete-manifests:
+    cmds:
+      - for i in manifests/*; do kubectl delete -f $i -n {{.pacman}}; done
+
+  port-forward:
+    cmds:
+      - kubectl port-forward -n {{.pacman}} service/pacman 8000:80 
+    silent: false
+
+  ephemeral-debug:
+    cmds:
+      - |
+        export POD_NAME=$(kubectl get pods -n {{.pacman}} -l name=mongo -o jsonpath="{.items[0].metadata.name}")
+        kubectl debug -n {{.pacman}} -it $POD_NAME --image=alpine --  bash
+        #read the secret.yaml to understand where these values are coming from:
+        #kubectl debug -n {{.pacman}} -it $POD_NAME --image=mongo -- sh -c "mongosh mongodb://blinky:pinky@localhost:27017/pacman"
+    silent: false

kind/manifests/mongo-deployment.yaml

@@ -0,0 +1,120 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    name: mongo
+  name: mongo
+  annotations:
+    source: "https://github.com/saintdle/pacman-tanzu"
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      name: mongo
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        name: mongo
+    spec:
+      containers:
+      - env:
+        - name: BITNAMI_DEBUG
+          value: "false"
+        - name: MONGODB_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: database-admin-password
+              name: mongodb-users-secret
+        - name: MONGODB_DATABASE
+          valueFrom:
+            secretKeyRef:
+              key: database-name
+              name: mongodb-users-secret
+        - name: MONGODB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: database-password
+              name: mongodb-users-secret
+        - name: MONGODB_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: database-user
+              name: mongodb-users-secret
+        - name: ALLOW_EMPTY_PASSWORD
+          value: "no"
+        - name: MONGODB_SYSTEM_LOG_VERBOSITY
+          value: "0"
+        - name: MONGODB_DISABLE_SYSTEM_LOG
+          value: "no"
+        - name: MONGODB_DISABLE_JAVASCRIPT
+          value: "no"
+        - name: MONGODB_ENABLE_JOURNAL
+          value: "yes"
+        - name: MONGODB_PORT_NUMBER
+          value: "27017"
+        - name: MONGODB_ENABLE_IPV6
+          value: "no"
+        - name: MONGODB_ENABLE_DIRECTORY_PER_DB
+          value: "no"
+        image: bitnami/mongodb:4.4.14
+        imagePullPolicy: IfNotPresent
+        name: mongo
+        readinessProbe:
+          exec:
+            command:
+              - /bitnami/common-scripts/readiness-probe.sh
+          initialDelaySeconds: 5
+          periodSeconds: 20
+        livenessProbe:
+          exec:
+            command:
+              - /bitnami/common-scripts/ping-mongodb.sh
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        startupProbe:
+          exec:
+            command:
+              - /bitnami/common-scripts/startup-probe.sh
+          initialDelaySeconds: 5
+          failureThreshold: 5
+          periodSeconds: 10
+        ports:
+        - containerPort: 27017
+          name: mongo
+          protocol: TCP
+        securityContext: 
+          runAsNonRoot: true
+          runAsUser: 1001
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+          - name: mongo-db
+            subPath: mongodb
+            mountPath: /bitnami/mongodb/
+          - name: pacman-mongo-common-scripts-volume
+            mountPath: /bitnami/common-scripts/
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext:
+        fsGroup: 1001
+      serviceAccount: default
+      serviceAccountName: default
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: pacman-mongo-common-scripts-volume
+        configMap:
+          defaultMode: 0755
+          name: pacman-mongo-common-scripts
+      - name: mongo-db
+        persistentVolumeClaim:
+          claimName: mongo-storage
+

kind/manifests/mongo-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    name: mongo
+  name: mongo
+spec:
+  type: ClusterIP
+  ports:
+    - port: 27017
+      targetPort: 27017
+  selector:
+    name: mongo

kind/manifests/pacman-deployment.yaml

@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    name: pacman
+  name: pacman
+  annotations:
+    source: "https://gitlab.tuwien.ac.at/ADLS/services-k8s/pacman/"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: pacman
+  template:
+    metadata:
+      labels:
+        name: pacman
+    spec:
+      containers:
+      - image: ghcr.io/austriandatalab/pacman:v0.0.6
+        name: pacman
+        ports:
+        - containerPort: 8080
+          name: http-server
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        env:
+        - name: MONGO_SERVICE_HOST
+          value: mongo
+        - name: MONGO_AUTH_USER
+          valueFrom:
+            secretKeyRef:
+              key: database-user
+              name: mongodb-users-secret
+        - name: MONGO_AUTH_PWD
+          valueFrom:
+            secretKeyRef:
+              key: database-password
+              name: mongodb-users-secret
+        - name: MONGO_DATABASE
+          value: pacman
+        - name: MY_MONGO_PORT
+          value: "27017"
+        - name: MONGO_USE_SSL
+          value: "false"
+        - name: MONGO_VALIDATE_SSL
+          value: "false"
+        - name: MY_NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName

kind/manifests/pacman-mongo-common-scripts.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+data:
+  ping-mongodb.sh: |
+    #!/bin/bash
+    mongo --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')"
+  readiness-probe.sh: |
+    #!/bin/bash
+    mongo --port $MONGODB_PORT_NUMBER --eval 'db.isMaster().ismaster || db.isMaster().secondary' | grep -q 'true'
+  startup-probe.sh: |
+    #!/bin/bash
+    mongo --port $MONGODB_PORT_NUMBER --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep 'true'
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: mongo
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: mongo
+  name: pacman-mongo-common-scripts