adding gunicorn changes for peregrine, requestor, wts

uc-cdis · Nov 28, 2023 · da0ab38 · da0ab38
1 parent dceb8f0
commit da0ab38
Show file tree

Hide file tree

Showing 19 changed files with 257 additions and 43 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-11-27T22:42:44Z",
+  "generated_at": "2023-11-28T14:38:50Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -470,7 +470,7 @@
         "type": "Secret Keyword"
       },
       {
-        "hashed_secret": "ffa29bb5e69093c793d39762da0340f0bcf3fe53",
+        "hashed_secret": "44cb746036385723dde2ac36e53da8932a69bfe2",
         "is_secret": false,
         "is_verified": false,
         "line_number": 104,
@@ -488,10 +488,10 @@
     ],
     "helm/manifestservice/README.md": [
       {
-        "hashed_secret": "611f2e9064b518afdb23f201321f39029dd28917",
+        "hashed_secret": "3231d1a39e7956e9e5e7b59c5f3bef462f71333c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 74,
+        "line_number": 78,
         "type": "Secret Keyword"
       }
     ],
@@ -564,10 +564,10 @@
         "type": "Secret Keyword"
       },
       {
-        "hashed_secret": "7d4e263f1ae83868444f5327219830493a7d1486",
+        "hashed_secret": "489e396b7c68f95c6018f7b98ef7b1b94587ef29",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 96,
+        "line_number": 100,
         "type": "Secret Keyword"
       }
     ],

diff --git a/helm/peregrine/Chart.yaml b/helm/peregrine/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.9
+version: 0.1.10
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/helm/peregrine/README.md b/helm/peregrine/README.md
@@ -1,6 +1,6 @@
 # peregrine
 
-![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2023.01](https://img.shields.io/badge/AppVersion-2023.01-informational?style=flat-square)
+![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2023.01](https://img.shields.io/badge/AppVersion-2023.01-informational?style=flat-square)
 
 A Helm chart for gen3 Peregrine service
 
@@ -91,9 +91,13 @@ A Helm chart for gen3 Peregrine service
 | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.name | string | `""` | The name of the service account |
+| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. |
+| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx |
+| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. |
+| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. |
 | tolerations | list | `[]` | Tolerations for the pods |
-| volumeMounts | list | `nil` | Volumes to mount to the container. |
-| volumes | list | `[{"emptyDir":{},"name":"shared-data"},{"name":"config-volume","secret":{"secretName":"peregrine-secret"}}]` | Volumes to attach to the container. |
+| volumeMounts | list | `[{"mountPath":"/peregrine/deployment/wsgi/wsgi.py","name":"config-volume","readOnly":true,"subPath":"settings.py"},{"mountPath":"/peregrine/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. |
+| volumes | list | `[{"emptyDir":{},"name":"shared-data"},{"name":"config-volume","secret":{"secretName":"peregrine-secret"}},{"configMap":{"name":"peregrine-wsgi"},"name":"wsgi-config"},{"configMap":{"name":"peregrine-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/helm/peregrine/templates/deployment.yaml b/helm/peregrine/templates/deployment.yaml
@@ -26,6 +26,10 @@ spec:
         {{- include "common.datadogLabels" . | nindent 8 }}
         {{- end }}
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000    
       {{- with .Values.volumes }}
       volumes:
         {{- toYaml . | nindent 8 }}
@@ -147,29 +151,42 @@ spec:
               value: "False"
             - name: CONF_HOSTNAME
               value: {{ .Values.global.hostname }}
+          {{- with .Values.volumeMounts }}
           volumeMounts:
-            - name: "config-volume"
-              readOnly: true
-              mountPath: "/var/www/peregrine/wsgi.py"
-              subPath: "settings.py"
+            {{- toYaml . | nindent 10 }}
+          {{- end }}    
           ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
+            - containerPort: 8000
           livenessProbe:
             httpGet:
               path: /_status?timeout=20
-              port: http
+              port: 8000
             # peregrine can take forever to initialize
             initialDelaySeconds: 60
             periodSeconds: 60
             timeoutSeconds: 30
           readinessProbe:
             httpGet:
               path: /_status?timeout=2
-              port: http
+              port: 8000
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+        {{- if .Values.sidecar.enabled }}
+        - name: sidecar-nginx
+          image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}
+          imagePullPolicy: {{ .Values.sidecar.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /_status
+              port: http
+          volumeMounts:
+            - name: "nginx-config"
+              mountPath: "/etc/nginx/conf.d/default.conf"
+              subPath: default.conf
+        {{- end }}        
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm/peregrine/templates/nginx_config.yaml b/helm/peregrine/templates/nginx_config.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: peregrine-nginx-configmap
+data:
+  default.conf: |
+      server {
+          listen 8080;
+          server_name localhost;
+          location / {
+              proxy_pass http://127.0.0.1:8000;  # Gunicorn binds to this address
+          }
+      }
diff --git a/helm/peregrine/templates/wsgi.yaml b/helm/peregrine/templates/wsgi.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: peregrine-wsgi
+data:
+  gunicorn.conf.py: |
+    wsgi_app = "deployment.wsgi.wsgi:application"
+    bind = "0.0.0.0:8000"
+    workers = 1
+    user = 'gen3'
+    group = 'gen3'
+    timeout = 300
+    worker_class = "uvicorn.workers.UvicornWorker"
diff --git a/helm/peregrine/values.yaml b/helm/peregrine/values.yaml
@@ -94,6 +94,16 @@ image:
   # -- (string) Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
+# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn.
+sidecar:
+  enabled: true
+  # -- (string) The Docker image repository for nginx
+  image: quay.io/cdis/nginx-sidecar
+  # -- (string) When to pull the image.
+  pullPolicy: IfNotPresent
+  # -- (string) Image tag.
+  tag: "nginx-sidecar-feat_nginx-sidecar"
+
 # -- (list) Docker image pull secrets.
 imagePullSecrets: []
 
@@ -182,9 +192,22 @@ volumes:
 - name: config-volume
   secret:
     secretName: "peregrine-secret"
+- name: wsgi-config
+  configMap:
+    name: peregrine-wsgi
+- name: nginx-config
+  configMap:
+    name: peregrine-nginx-configmap    
 
 # -- (list) Volumes to mount to the container.
 volumeMounts:
+  - name: "config-volume"
+    readOnly: true
+    mountPath: "/peregrine/deployment/wsgi/wsgi.py"
+    subPath: "settings.py"
+  - name: "wsgi-config"
+    mountPath: "/peregrine/deployment/wsgi/gunicorn.conf.py"
+    subPath: gunicorn.conf.py
 
 # Values to determine the labels that are used for the deployment, pod, etc.
 # -- (string) Valid options are "production" or "dev". If invalid option is set- the value will default to "dev".

diff --git a/helm/requestor/Chart.yaml b/helm/requestor/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.8
+version: 0.1.9
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/helm/requestor/README.md b/helm/requestor/README.md
@@ -1,6 +1,6 @@
 # requestor
 
-![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 A Helm chart for gen3 Requestor Service
 
@@ -105,10 +105,14 @@ A Helm chart for gen3 Requestor Service
 | service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":80}],"type":"ClusterIP"}` | Kubernetes service information. |
 | service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":80}]` | The port number that the service exposes. |
 | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". |
+| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. |
+| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx |
+| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. |
+| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. |
 | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy |
 | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. |
 | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. |
-| volumeMounts | list | `nil` | Volumes to mount to the container. |
+| volumeMounts | list | `[{"mountPath":"/requestor/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/helm/requestor/templates/deployment.yaml b/helm/requestor/templates/deployment.yaml
@@ -31,6 +31,10 @@ spec:
         {{- include "common.datadogLabels" . | nindent 8 }}
         {{- end }}
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000    
       {{- with .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
@@ -40,6 +44,12 @@ spec:
         - name: config-volume
           secret:
             secretName: "requestor-g3auto"
+        - name: wsgi-config
+          configMap:
+            name: requestor-wsgi
+        - name: nginx-config
+          configMap:
+            name: requestor-nginx-configmap            
       containers:
         - name: requestor
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -86,16 +96,16 @@ spec:
           livenessProbe:
             httpGet:
               path: /_status
-              port: 80
+              port: 8000
             initialDelaySeconds: 30
             periodSeconds: 60
             timeoutSeconds: 30
           readinessProbe:
             httpGet:
               path: /_status
-              port: 80
+              port: 8000
           ports:
-            - containerPort: 80
+            - containerPort: 8000
           {{- with .Values.volumeMounts }}
           volumeMounts:
             {{- toYaml . | nindent 10 }}
@@ -104,6 +114,22 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+        {{- if .Values.sidecar.enabled }}
+        - name: sidecar-nginx
+          image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}
+          imagePullPolicy: {{ .Values.sidecar.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /_status
+              port: http
+          volumeMounts:
+            - name: "nginx-config"
+              mountPath: "/etc/nginx/conf.d/default.conf"
+              subPath: default.conf
+        {{- end }}            
       initContainers:
         - name: requestor-db-migrate
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -156,4 +182,4 @@ spec:
           args:
             - "-c"
             - |
-              /env/bin/alembic upgrade head
+              alembic upgrade head
diff --git a/helm/requestor/templates/nginx_config.yaml b/helm/requestor/templates/nginx_config.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: requestor-nginx-configmap
+data:
+  default.conf: |
+      server {
+          listen 8080;
+          server_name localhost;
+          location / {
+              proxy_pass http://127.0.0.1:8000;  # Gunicorn binds to this address
+          }
+      }
diff --git a/helm/requestor/templates/wsgi.yaml b/helm/requestor/templates/wsgi.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: requestor-wsgi
+data:
+  gunicorn.conf.py: |
+    wsgi_app = "deployment.wsgi.wsgi:application"
+    bind = "0.0.0.0:8000"
+    workers = 1
+    user = 'gen3'
+    group = 'gen3'
+    timeout = 300
+    worker_class = "uvicorn.workers.UvicornWorker"
diff --git a/helm/requestor/values.yaml b/helm/requestor/values.yaml
@@ -159,16 +159,25 @@ image:
   # -- (string) Overrides the image tag whose default is the chart appVersion.
   tag: "master"
 
+# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn.
+sidecar:
+  enabled: true
+  # -- (string) The Docker image repository for nginx
+  image: quay.io/cdis/nginx-sidecar
+  # -- (string) When to pull the image.
+  pullPolicy: IfNotPresent
+  # -- (string) Image tag.
+  tag: "nginx-sidecar-feat_nginx-sidecar"
+
 # Environment Variables
 # -- (string) Arborist service URL.
 arboristUrl: http://arborist-service
 
 # -- (list) Volumes to mount to the container.
 volumeMounts:
-  # - name: "config-volume"
-  #   readOnly: true
-  #   mountPath: "/src/requestor-config.yaml"
-  #   subPath: "requestor-config.yaml"
+  - name: "wsgi-config"
+    mountPath: "/requestor/deployment/wsgi/gunicorn.conf.py"
+    subPath: gunicorn.conf.py
 
 # -- (map) Resource requests and limits for the containers in the pod
 resources:

diff --git a/helm/wts/Chart.yaml b/helm/wts/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.10
+version: 0.1.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to