diff --git a/README-Kubernetes.md b/README-Kubernetes.md index a534f53..38dc72f 100644 --- a/README-Kubernetes.md +++ b/README-Kubernetes.md @@ -2,7 +2,7 @@ 1. [Docker credentials](#docker-credentials) 2. [Routing](#routing) -2. [Instance setup](#instance-setup) +3. [Instance setup](#instance-setup) ## Pre-requisites @@ -33,7 +33,7 @@ web: ## Routing -Before installing you need to configure a few things in a +Before installing, you need to configure a few things in a `values-overrides.yaml` file. ```yaml @@ -43,11 +43,11 @@ ingress: The ingress is configured using the following variables: -Parameter | Description | Default -----------|-------------|-------- -`ingress.enabled` | Whether to enable ingress | `true` -`ingress.class` | Class of the ingress if enabled | `nginx-internal` -`ingress.sslSecretName` | The ingress ssl secret for HTTPS | `your-ssl-secret` +| Parameter | Description | Default | +|-------------------------|----------------------------------|-------------------| +| `ingress.enabled` | Whether to enable ingress | `true` | +| `ingress.class` | Class of the ingress if enabled | `nginx-internal` | +| `ingress.sslSecretName` | The ingress ssl secret for HTTPS | `your-ssl-secret` | ## Instance setup @@ -58,7 +58,7 @@ kubectl get pods --namespace invenio kubectl exec -it bash --namespace invenio # is found with the previous command ``` -Then you can run invenio commands and setup your instance +Then you can run invenio commands and set up your instance ```bash . scl_source enable rh-python36 
@@ -66,7 +66,7 @@ invenio db init # If the db does not exist already invenio db create invenio index init invenio index queue init purge -invenio files location --default 'default-location' $(invenio shell --no-term-title -c "print(app.instance_path)")'/data' +invenio files location --default 'default-location' $(invenio shell --no-term-title -c "print(app.instance_path)")'/data' invenio roles create admin invenio access allow superuser-access role admin invenio rdm-records demo diff --git a/README.md b/README.md index ae53222..6dff080 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# [Beta] Invenio Helm Chart +# [Beta] Invenio Helm Chart v. 0.2.1 This repository contains the helm chart to deploy an Invenio instance. @@ -21,6 +21,16 @@ change. - [Kubernetes](README-Kubernetes.md) - [OpenShift](README-OpenShift.md) +## Dependencies +This Helm chart uses Bitnami charts as [dependencies](https://helm.sh/docs/chart_best_practices/dependencies/) +for the following exact pinned versions: +* Opensearch 1.0.0 ([values.yaml](https://github.com/bitnami/charts/blob/opensearch/1.0.0/bitnami/opensearch/values.yaml)) +* PostgreSQL 14.0.1 ([values.yaml](https://github.com/bitnami/charts/blob/postgresql/14.0.1/bitnami/postgresql/values.yaml)) +* RabbitMQ 12.9.3 ([values.yaml](https://github.com/bitnami/charts/blob/rabbitmq/12.9.3/bitnami/rabbitmq/values.yaml)) +* Redis 18.12.0 ([values.yaml](https://github.com/bitnami/charts/blob/redis/18.12.0/bitnami/redis/values.yaml)) + +Each one of them has a persistent volume claim for 8gb by default. Note that by default Redis will spin up 3 replicas. + ## Configuration :warning: Before installing you need to configure two things in your @@ -30,7 +40,7 @@ change. - The web/worker docker images. If you need credentials you can see how to set them up in [Kubernetes](README-Kubernetes/#docker-credentials). -``` yaml +```yaml host: yourhost.localhost web: 
@@ -52,21 +62,16 @@ invenio: demo_data: true # for a demo set of records default_users: # for creating users on install "user@example.com": "password" - secret-key: "my-very-safe-secret" + secret_key: "my-very-safe-secret" rabbitmq: - default_password: "mq_password" - # Edit the following URI with the values from just above - celery_broker_uri: "amqp://guest:mq_password@mq:5672/" + auth: + password: "mq_password" postgresql: - user: "invenio" - password: "db_password" - host: "db" - port: "5432" - database: "invenio" - # Edit the following URI with the values from just above - sqlalchemy_db_uri: "postgresql+psycopg2://invenio:db_password@db:5432/invenio" + auth: + password: "db_password" + ``` It's however **strongly advised** to override them either through a value file @@ -80,8 +85,8 @@ flags can be used in the same command. ```bash DB_PASSWORD=$(openssl rand -hex 8) helm install -f safe-values.yaml \ - --set search.password=$SEARCH_PASSWORD \ - --set postgresql.password=$DB_PASSWORD \ + --set rabbitmq.auth.password=$RABBITMQ_PASSWORD \ + --set postgresql.auth.password=$DB_PASSWORD \ invenio ./invenio-k8s --namespace invenio ``` diff --git a/charts/invenio/templates/azure-file-sc.yaml b/charts/invenio/templates/azure-file-sc.yaml new file mode 100644 index 0000000..b6e66f4 --- /dev/null +++ b/charts/invenio/templates/azure-file-sc.yaml @@ -0,0 +1,17 @@ +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: azure-invenio-storage-class +provisioner: file.csi.azure.com +allowVolumeExpansion: true +mountOptions: + - dir_mode=0777 + - file_mode=0777 + - uid=0 + - gid=0 + - mfsymlinks + - cache=strict + - actimeo=30 + - nobrl # disable sending byte range lock requests to the server and for applications which have challenges with posix locks +parameters: + skuName: Standard_LRS \ No newline at end of file diff --git a/charts/invenio/templates/install-init-job.yaml b/charts/invenio/templates/install-init-job.yaml index ca8a2e5..0b44db7 100644 
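Review bot: The new `azure-file-sc.yaml` template mounts the share with `dir_mode=0777`, `file_mode=0777`, `uid=0` and `gid=0`, so every file on the volume is world-writable and root-owned as seen from any pod that mounts it. If the web and worker containers run as a known non-root UID, values such as `dir_mode=0750` and `file_mode=0640` with `uid=`/`gid=` set to that UID would limit write access to the application; the right numbers depend on the image, which is not visible here. The template also has no `{{- if ... }}` guard and a fixed `metadata.name`, so this cluster-scoped StorageClass is rendered on every install, including non-Azure clusters, and a second release in the same cluster would collide on the name. The file is also missing its trailing newline.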
--- a/charts/invenio/templates/install-init-job.yaml +++ b/charts/invenio/templates/install-init-job.yaml @@ -10,17 +10,29 @@ metadata: "helm.sh/hook": post-install "helm.sh/hook-weight": "1" {{/* "helm.sh/hook-delete-policy": hook-succeeded*/}} -{{- $cmd := "invenio db init && invenio db create && invenio index init && invenio index queue init purge && invenio files location --default 'default-location' $(invenio shell --no-term-title -c \"print(app.instance_path)\")'/data' && invenio roles create admin && invenio access allow superuser-access role admin" -}} + {{- $cmd := "invenio db init && invenio db create && invenio index init && invenio index queue init purge && invenio files location --default 'default-location' $(invenio shell --no-term-title -c \"print(app.instance_path)\")'/data' && invenio roles create admin && invenio access allow superuser-access role admin" -}} {{- range $usr, $pass := .Values.invenio.default_users -}} - {{- $cmd = printf "%s && invenio users create --active --password=%s %s" $cmd $pass $usr -}} + {{- $cmd = printf "%s && invenio users create --active --confirm --password=%s %s" $cmd $pass $usr -}} {{- end -}} {{- if and .Values.invenio.demo_data .Values.invenio.default_users -}} {{- $cmd = cat $cmd "&& invenio rdm-records demo" -}} {{- end -}} +{{- if .Values.invenio.create_fixtures -}} + {{- $cmd = cat $cmd "&& invenio rdm-records fixtures" -}} + + {{- if .Values.invenio.import_test_data -}} + {{- $cmd = cat $cmd "&& cd test_data && python download_test_data.py && python create_test_data_records.py" -}} + {{- end -}} +{{- end -}} spec: template: spec: + initContainers: + - name: wait-for-opensearch + image: busybox + command: [ "/bin/sh","-c" ] + args: [ "until echo 'Waiting for opensearch...' && nc -vz -w 5 {{ include "invenio.opensearch.hostname" $ }} 9200; do sleep 10; done;" ] containers: - name: install-init image: {{ required "Missing .Values.web.image" .Values.web.image }} 
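Review bot: The `wait-for-opensearch` init container uses `image: busybox` with no tag or digest, so each install pulls whatever `latest` resolves to at that moment and the post-install hook runs that unreviewed content. Pin it, for example `image: busybox:<pinned-tag>@sha256:<digest>` (placeholders), or expose the image as a chart value so operators can point at a mirrored registry. Separately, the `printf "%s && invenio users create --active --confirm --password=%s %s"` line splices `$pass` and `$usr` into what is presumably a shell command string without quoting: a password containing a space, `&` or `$` changes the command that runs, and the password ends up in clear text wherever `$cmd` is rendered into the Job manifest. Passing the credentials through environment variables sourced from a Secret would avoid both problems. The Job manifest continues outside this hunk, so how `$cmd` is finally executed cannot be checked from here.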
diff --git a/charts/invenio/templates/worker-beat-deployment.yaml b/charts/invenio/templates/worker-beat-deployment.yaml index 73a0021..e85b141 100644 --- a/charts/invenio/templates/worker-beat-deployment.yaml +++ b/charts/invenio/templates/worker-beat-deployment.yaml @@ -92,7 +92,7 @@ spec: - /bin/bash - -c - "celery -A {{ .Values.worker.app }} inspect ping" - initialDelaySeconds: 20 + initialDelaySeconds: {{ .Values.worker.livenessProbe.initialDelaySeconds }} timeoutSeconds: 30 {{- if .Values.worker.resources }} resources: {{- toYaml .Values.workerBeat.resources | nindent 10 }} diff --git a/charts/invenio/templates/worker-deployment.yaml b/charts/invenio/templates/worker-deployment.yaml index c9ae703..5f2a320 100644 --- a/charts/invenio/templates/worker-deployment.yaml +++ b/charts/invenio/templates/worker-deployment.yaml @@ -97,7 +97,7 @@ spec: - /bin/bash - -c - "celery -A {{ .Values.worker.app }} inspect ping -d celery@$(hostname)" - initialDelaySeconds: 20 + initialDelaySeconds: {{ .Values.worker.livenessProbe.initialDelaySeconds }} timeoutSeconds: 30 volumeMounts: {{- if .Values.persistence.enabled }} diff --git a/charts/invenio/values-overrides-imperial.yaml b/charts/invenio/values-overrides-imperial.yaml new file mode 100644 index 0000000..8c3d6fb --- /dev/null +++ b/charts/invenio/values-overrides-imperial.yaml 
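Review bot: `{{ .Values.worker.livenessProbe.initialDelaySeconds }}` has no fallback, so rendering fails with a nil-pointer error whenever `worker.livenessProbe` is absent from the effective values, for example on `helm upgrade --reuse-values` from a release installed before this key existed. A guarded form such as `initialDelaySeconds: {{ ((.Values.worker.livenessProbe | default dict).initialDelaySeconds) | default 20 }}` keeps the previous behaviour in that case. The same line is added in the `worker-deployment.yaml` hunk. In `worker-beat-deployment.yaml` the beat probe now follows the `worker` setting rather than a `workerBeat` one, which may or may not be intended.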
@@ -0,0 +1,65 @@ + +invenio: + init: true # initiates db, index, and admin roles + hostname: "icl-invenio-dev.uksouth.cloudapp.azure.com" + secret_key: "REPLACE-ME" + security_login_salt: "REPLACE-ME" + csrf_secret_salt: "REPLACE-ME" + create_fixtures: true + import_test_data: true + +web: + image: "ghcr.io/imperialcollegelondon/fair-data-repository:develop" + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + resources: + requests: + cpu: 750m + memory: 1Gi + limits: + cpu: 1000m + memory: 2Gi + +worker: + image: "ghcr.io/imperialcollegelondon/fair-data-repository:develop" + livenessProbe: + initialDelaySeconds: 120 + +persistence: + enabled: true + storage_class: "azure-invenio-storage-class" + +haproxy: + enabled: false + +flower: + enabled: false + +rabbitmq: + auth: + password: "REPLACE-ME" + +postgresql: + auth: + password: "REPLACE-ME" + +ingress: + enabled: true + class: "webapprouting.kubernetes.azure.com" + +# Certmanager +podLabels: + azure.workload.identity/use: "true" +serviceAccount: + labels: + azure.workload.identity/use: "true" \ No newline at end of file diff --git a/charts/invenio/values.yaml b/charts/invenio/values.yaml index 25bb52d..73b3512 100644 --- a/charts/invenio/values.yaml +++ b/charts/invenio/values.yaml @@ -1,7 +1,7 @@ --- global: - timezone: "Europe/Zurich" + timezone: "Europe/London" ingress: annotations: {} @@ -18,6 +18,8 @@ invenio: init: false default_users: [] # Requires invenio.init=true demo_data: false # Setting invenio.demo_data=true requires also setting default_users! + create_fixtures: false # Also requires invenio.init=true. Indexing can take several minutes!! + import_test_data: false # Download and import Imperial test data. Requires create_fixtures. sentry: enabled: false existing_secret: false 
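Review bot: `values-overrides-imperial.yaml` ships `secret_key`, `security_login_salt`, `csrf_secret_salt` and both `auth.password` entries as the literal string `REPLACE-ME`, and nothing visible in this diff stops an install that leaves them unchanged. A deployment made straight from this file would run with publicly known secrets; leaving those keys out and supplying them with `--set` or an existing Secret, or failing the render when a value still equals the placeholder, closes that gap. Both images use the mutable `:develop` tag, so the code that runs can change on any pod restart; a version tag or digest makes rollouts reproducible and auditable. The `# Certmanager` comment sits above workload-identity labels and looks mislabelled, and the file has no trailing newline.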
@@ -145,6 +147,8 @@ worker: memory: 1Gi volumes: enabled: false + livenessProbe: + initialDelaySeconds: 20 workerBeat: resources: @@ -168,7 +172,6 @@ redis: auth: enabled: false # Dangerous! This lets Invenio connect to Redis unauthenticated! master: - disableCommands: [] # Dangerous! This lets us run the `FLUSHALL` and `FLUSHDB` commands! Unfortunately, they are required by the wipe_recreate.sh script when installing Invenio. resources: limits: cpu: "1" @@ -177,7 +180,6 @@ redis: cpu: 500m memory: 500Mi replica: - disableCommands: [] # Dangerous! This lets us run the `FLUSHALL` and `FLUSHDB` commands! Unfortunately, they are required by the wipe_recreate.sh script when installing Invenio. resources: limits: cpu: "1" @@ -185,6 +187,8 @@ redis: requests: cpu: 500m memory: 500Mi + persistence: + size: 8Gi rabbitmq: enabled: true @@ -197,6 +201,8 @@ rabbitmq: requests: cpu: "1" memory: 2Gi + persistence: + size: 8Gi rabbitmqExternal: {} @@ -220,11 +226,15 @@ postgresql: auth: username: invenio database: invenio + persistence: + size: 8Gi postgresqlExternal: {} opensearch: enabled: true + persistence: + size: 8Gi externalOpensearch: {}
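Review bot: The `persistence.size: 8Gi` entries added under `postgresql` and `opensearch` in the last hunk may not be at a path the subcharts read. Indentation is lost in this view, but if they sit directly under the subchart key, check them against the pinned charts' `values.yaml` files linked from the README: the Bitnami PostgreSQL chart, as far as I know, takes the size from `primary.persistence.size`, and the OpenSearch chart configures persistence per node role. A key the subchart does not recognise is ignored silently, so the claim would stay at the subchart default without any error.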