Merge pull request #1 from ImperialCollegeLondon/imperial_deployment

Imperial deployment

README-Kubernetes.md

@@ -2,7 +2,7 @@
 
 1. [Docker credentials](#docker-credentials)
 2. [Routing](#routing)
-2. [Instance setup](#instance-setup)
+3. [Instance setup](#instance-setup)
 
 ## Pre-requisites
 
@@ -33,7 +33,7 @@ web:
 
 ## Routing
 
-Before installing you need to configure a few things in a
+Before installing, you need to configure a few things in a
 `values-overrides.yaml` file.
 
 ```yaml
@@ -43,11 +43,11 @@ ingress:
 
 The ingress is configured using the following variables:
 
-Parameter | Description | Default
-----------|-------------|--------
-`ingress.enabled` | Whether to enable ingress | `true`
-`ingress.class` | Class of the ingress if enabled | `nginx-internal`
-`ingress.sslSecretName` | The ingress ssl secret for HTTPS | `your-ssl-secret`
+| Parameter               | Description                      | Default           |
+|-------------------------|----------------------------------|-------------------|
+| `ingress.enabled`       | Whether to enable ingress        | `true`            |
+| `ingress.class`         | Class of the ingress if enabled  | `nginx-internal`  |
+| `ingress.sslSecretName` | The ingress ssl secret for HTTPS | `your-ssl-secret` |
 
 ## Instance setup
 
@@ -58,15 +58,15 @@ kubectl get pods --namespace invenio
 kubectl exec -it <web-pod> bash --namespace invenio  # <web-pod> is found with the previous command
 ```
 
-Then you can run invenio commands and setup your instance
+Then you can run invenio commands and set up your instance
 
 ```bash
 . scl_source enable rh-python36
 invenio db init # If the db does not exist already
 invenio db create
 invenio index init
 invenio index queue init purge
-invenio files location --default 'default-location'  $(invenio shell --no-term-title -c "print(app.instance_path)")'/data'
+invenio files location --default 'default-location' $(invenio shell --no-term-title -c "print(app.instance_path)")'/data'
 invenio roles create admin
 invenio access allow superuser-access role admin
 invenio rdm-records demo

README.md

@@ -1,4 +1,4 @@
-# [Beta] Invenio Helm Chart
+# [Beta] Invenio Helm Chart v. 0.2.1
 
 This repository contains the helm chart to deploy an Invenio instance.
 
@@ -21,6 +21,16 @@ change.
 - [Kubernetes](README-Kubernetes.md)
 - [OpenShift](README-OpenShift.md)
 
+## Dependencies
+This Helm chart uses Bitnami charts as [dependencies](https://helm.sh/docs/chart_best_practices/dependencies/)
+for the following exact pinned versions:
+* Opensearch 1.0.0 ([values.yaml](https://github.com/bitnami/charts/blob/opensearch/1.0.0/bitnami/opensearch/values.yaml))
+* PostgreSQL 14.0.1 ([values.yaml](https://github.com/bitnami/charts/blob/postgresql/14.0.1/bitnami/postgresql/values.yaml))
+* RabbitMQ 12.9.3 ([values.yaml](https://github.com/bitnami/charts/blob/rabbitmq/12.9.3/bitnami/rabbitmq/values.yaml))
+* Redis 18.12.0 ([values.yaml](https://github.com/bitnami/charts/blob/redis/18.12.0/bitnami/redis/values.yaml))
+
+Each one of them has a persistent volume claim for 8gb by default. Note that by default Redis will spin up 3 replicas.
+
 ## Configuration
 
 :warning: Before installing you need to configure two things in your
@@ -30,7 +40,7 @@ change.
 - The web/worker docker images. If you need credentials you can see how to set
   them up in [Kubernetes](README-Kubernetes/#docker-credentials).
 
-``` yaml
+```yaml
 host: yourhost.localhost
 
 web:
@@ -52,21 +62,16 @@ invenio:
     demo_data: true  # for a demo set of records
     default_users: # for creating users on install
         "[email protected]": "password"
-    secret-key: "my-very-safe-secret"
+    secret_key: "my-very-safe-secret"
 
 rabbitmq:
-    default_password: "mq_password"
-    # Edit the following URI with the values from just above
-    celery_broker_uri: "amqp://guest:mq_password@mq:5672/"
+    auth:
+        password: "mq_password"
 
 postgresql:
-    user: "invenio"
-    password: "db_password"
-    host: "db"
-    port: "5432"
-    database: "invenio"
-    # Edit the following URI with the values from just above
-    sqlalchemy_db_uri: "postgresql+psycopg2://invenio:db_password@db:5432/invenio"
+    auth:
+        password: "db_password"
+
 ```
 
 It's however **strongly advised** to override them either through a value file
@@ -80,8 +85,8 @@ flags can be used in the same command.
 ```bash
 DB_PASSWORD=$(openssl rand -hex 8)
 helm install -f safe-values.yaml \
-  --set search.password=$SEARCH_PASSWORD \
-  --set postgresql.password=$DB_PASSWORD \
+  --set rabbitmq.auth.password=$RABBITMQ_PASSWORD \
+  --set postgresql.auth.password=$DB_PASSWORD \
   invenio ./invenio-k8s --namespace invenio
 ```
 

charts/invenio/templates/azure-file-sc.yaml

@@ -0,0 +1,17 @@
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: azure-invenio-storage-class
+provisioner: file.csi.azure.com
+allowVolumeExpansion: true
+mountOptions:
+ - dir_mode=0777
+ - file_mode=0777
+ - uid=0
+ - gid=0
+ - mfsymlinks
+ - cache=strict
+ - actimeo=30
+ - nobrl  # disable sending byte range lock requests to the server and for applications which have challenges with posix locks
+parameters:
+  skuName: Standard_LRS

charts/invenio/templates/install-init-job.yaml

@@ -10,17 +10,29 @@ metadata:
     "helm.sh/hook": post-install
     "helm.sh/hook-weight": "1"
 {{/*    "helm.sh/hook-delete-policy": hook-succeeded*/}}
-{{- $cmd := "invenio db init && invenio db create && invenio index init && invenio index queue init purge && invenio files location --default 'default-location'  $(invenio shell --no-term-title -c \"print(app.instance_path)\")'/data' && invenio roles create admin && invenio access allow superuser-access role admin" -}}
+  {{- $cmd := "invenio db init && invenio db create && invenio index init && invenio index queue init purge && invenio files location --default 'default-location'  $(invenio shell --no-term-title -c \"print(app.instance_path)\")'/data' && invenio roles create admin && invenio access allow superuser-access role admin" -}}
 {{- range $usr, $pass := .Values.invenio.default_users -}}
-  {{- $cmd = printf "%s && invenio users create --active --password=%s %s" $cmd $pass $usr -}}
+  {{- $cmd = printf "%s && invenio users create --active --confirm --password=%s %s" $cmd $pass $usr -}}
 {{- end -}}
 {{- if and .Values.invenio.demo_data .Values.invenio.default_users -}}
   {{- $cmd = cat $cmd "&& invenio rdm-records demo" -}}
 {{- end -}}
+{{- if .Values.invenio.create_fixtures -}}
+  {{- $cmd = cat $cmd "&& invenio rdm-records fixtures" -}}
+
+  {{- if .Values.invenio.import_test_data -}}
+    {{- $cmd = cat $cmd "&& cd test_data && python download_test_data.py && python create_test_data_records.py" -}}
+  {{- end -}}
+{{- end -}}
 
 spec:
   template:
     spec:
+      initContainers:
+      - name: wait-for-opensearch
+        image: busybox
+        command: [ "/bin/sh","-c" ]
+        args: [ "until echo 'Waiting for opensearch...' && nc -vz -w 5 {{ include "invenio.opensearch.hostname" $ }} 9200; do sleep 10; done;" ]
       containers:
       - name: install-init
         image: {{ required "Missing .Values.web.image" .Values.web.image }}

charts/invenio/templates/worker-beat-deployment.yaml

@@ -92,7 +92,7 @@ spec:
               - /bin/bash
               - -c
               - "celery -A {{ .Values.worker.app }} inspect ping"
-          initialDelaySeconds: 20
+          initialDelaySeconds: {{ .Values.worker.livenessProbe.initialDelaySeconds }}
           timeoutSeconds: 30
         {{- if .Values.worker.resources }}
         resources: {{- toYaml .Values.workerBeat.resources | nindent 10 }}

charts/invenio/templates/worker-deployment.yaml

@@ -97,7 +97,7 @@ spec:
                 - /bin/bash
                 - -c
                 - "celery -A {{ .Values.worker.app }} inspect ping -d celery@$(hostname)"
-            initialDelaySeconds: 20
+            initialDelaySeconds: {{ .Values.worker.livenessProbe.initialDelaySeconds }}
             timeoutSeconds: 30
           volumeMounts:
             {{- if .Values.persistence.enabled }}

charts/invenio/values-overrides-imperial.yaml

@@ -0,0 +1,65 @@
+
+invenio:
+    init: true  # initiates db, index, and admin roles
+    hostname: "icl-invenio-dev.uksouth.cloudapp.azure.com"
+    secret_key: "REPLACE-ME"
+    security_login_salt: "REPLACE-ME"
+    csrf_secret_salt: "REPLACE-ME"
+    create_fixtures: true
+    import_test_data: true
+
+web:
+  image: "ghcr.io/imperialcollegelondon/fair-data-repository:develop"
+  readinessProbe:
+    failureThreshold: 3
+    initialDelaySeconds: 60
+    periodSeconds: 15
+    successThreshold: 1
+    timeoutSeconds: 1
+  startupProbe:
+    failureThreshold: 3
+    initialDelaySeconds: 60
+    periodSeconds: 15
+    successThreshold: 1
+    timeoutSeconds: 5
+  resources:
+    requests:
+      cpu: 750m
+      memory: 1Gi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
+
+worker:
+  image: "ghcr.io/imperialcollegelondon/fair-data-repository:develop"
+  livenessProbe:
+    initialDelaySeconds: 120
+
+persistence:
+  enabled: true
+  storage_class: "azure-invenio-storage-class"
+
+haproxy:
+  enabled: false
+
+flower:
+  enabled: false
+
+rabbitmq:
+    auth:
+      password: "REPLACE-ME"
+
+postgresql:
+    auth:
+      password: "REPLACE-ME"
+
+ingress:
+  enabled: true
+  class: "webapprouting.kubernetes.azure.com"
+
+# Certmanager
+podLabels:
+  azure.workload.identity/use: "true"
+serviceAccount:
+  labels:
+    azure.workload.identity/use: "true"

charts/invenio/values.yaml

@@ -1,7 +1,7 @@
 ---
 
 global:
-  timezone: "Europe/Zurich"
+  timezone: "Europe/London"
 
 ingress:
   annotations: {}
@@ -18,6 +18,8 @@ invenio:
   init: false
   default_users: []  # Requires invenio.init=true
   demo_data: false  # Setting invenio.demo_data=true requires also setting default_users!
+  create_fixtures: false # Also requires invenio.init=true. Indexing can take several minutes!!
+  import_test_data: false # Download and import Imperial test data. Requires create_fixtures.
   sentry:
     enabled: false
     existing_secret: false
@@ -145,6 +147,8 @@ worker:
       memory: 1Gi
   volumes:
     enabled: false
+  livenessProbe:
+    initialDelaySeconds: 20
 
 workerBeat:
   resources:
@@ -168,7 +172,6 @@ redis:
   auth:
     enabled: false  # Dangerous! This lets Invenio connect to Redis unauthenticated!
   master:
-    disableCommands: []  # Dangerous! This lets us run the `FLUSHALL` and `FLUSHDB` commands! Unfortunately, they are required by the wipe_recreate.sh script when installing Invenio.
     resources:
       limits:
         cpu: "1"
@@ -177,14 +180,15 @@ redis:
         cpu: 500m
         memory: 500Mi
   replica:
-    disableCommands: []  # Dangerous! This lets us run the `FLUSHALL` and `FLUSHDB` commands! Unfortunately, they are required by the wipe_recreate.sh script when installing Invenio.
     resources:
       limits:
         cpu: "1"
         memory: 2Gi
       requests:
         cpu: 500m
         memory: 500Mi
+  persistence:
+    size: 8Gi
 
 rabbitmq:
   enabled: true
@@ -197,6 +201,8 @@ rabbitmq:
     requests:
       cpu: "1"
       memory: 2Gi
+  persistence:
+    size: 8Gi
 
 rabbitmqExternal: {}
 
@@ -220,11 +226,15 @@ postgresql:
   auth:
     username: invenio
     database: invenio
+  persistence:
+    size: 8Gi
 
 postgresqlExternal: {}
 
 opensearch:
   enabled: true
+  persistence:
+    size: 8Gi
 
 externalOpensearch: {}