Commit 3c249939 authored by Vincent Rondot's avatar Vincent Rondot

Add Azure Helm Chart

parent ae725705
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
deploy-chart.sh
apiVersion: v2
name: wdms
description: OSDU Wellbore DDMS Service
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
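Review bot: Chart.yaml declares no `appVersion`, yet the Deployment template in this commit falls back to `.Chart.AppVersion` for the image tag (`{{ .Values.image.tag | default .Chart.AppVersion }}`), so an unset or blank `image.tag` renders `repository:` with an empty tag and the Pod fails to pull. Either add `appVersion: "0.1.0"` (quoted, so a numeric-looking version stays a string) or make the tag mandatory in the template with `required`. The `version:` comment could also note that it is the chart version, not the service version, since both are now distinct here.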
{{/*
Common Annotations
*/}}
{{- define "os-wellbore-ddms.commonAnnotations" -}}
build-number: {{ .Values.annotations.buildNumber | quote }}
build-origin: {{ .Values.annotations.buildOrigin | quote }}
commit-branch: {{ .Values.annotations.commitBranch | quote }}
commit-id: {{ .Values.annotations.commitId | quote }}
{{- end}}
{{/*
Common Labels
*/}}
{{- define "os-wellbore-ddms.commonLabels" -}}
app: os-wellbore-ddms{{ include "os-wellbore-ddms.name-suffix" . }}
env: {{ .Values.labels.env }}
{{ include "os-wellbore-ddms.deploymentTypeLabels" . }}
{{- end }}
{{/*
Creates a dynamic set of labels based on if the deployment is a temp Deployment or not.
*/}}
{{- define "os-wellbore-ddms.deploymentTypeLabels" -}}
{{- if .Values.tempDeployment.enabled -}}
temporary-deployment: "{{ .Values.tempDeployment.name }}"
deployment-type: temporary
{{- else }}
deployment-type: standard
{{- end }}
{{- end }}
{{/*
Renders the namespace.
*/}}
{{- define "os-wellbore-ddms.namespace" -}}
namespace: {{.Values.namespace}}
{{- end }}
{{/*
Renders the pathPrefix and suffix if there is any
*/}}
{{- define "os-wellbore-ddms.prefix" -}}
{{ .Values.ingress.hosts.pathPrefix }}{{ include "os-wellbore-ddms.name-suffix" . }}
{{- end }}
{{/*
Creates a string suffix if the deployment is marked as temporary.
*/}}
{{- define "os-wellbore-ddms.name-suffix" -}}
{{- if .Values.tempDeployment.enabled -}}
{{- printf "---%s" .Values.tempDeployment.name -}}
{{- end -}}
{{- end -}}
\ No newline at end of file
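Review bot: The `os-wellbore-ddms.prefix` helper is used unconditionally (probes, OPENAPI_PREFIX, the Istio notPaths) but reads `ingress.hosts.pathPrefix`, so its comment should say that the value is required even when `ingress.enabled` is false: `Renders the pathPrefix and suffix; read by probes, the ConfigMap and the AuthorizationPolicy regardless of ingress.enabled`. The `name-suffix` helper interpolates `tempDeployment.name` straight into resource names, Ingress paths and the AuthorizationPolicy `notPaths`, so a value containing `/`, whitespace or uppercase would render an invalid name or an unintended path; `{{- printf "---%s" (required "tempDeployment.name is required when tempDeployment.enabled" .Values.tempDeployment.name) -}}` at least rejects the empty case, and a `regexMatch` against `^[a-z0-9-]+$` would cover the rest. These are hedged: I cannot see how `tempDeployment.name` is populated by the pipeline.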
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
annotations:
{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}
labels:
{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
name: {{ .Values.authorizationPolicy.name }}{{ include "os-wellbore-ddms.name-suffix" . }}
{{ include "os-wellbore-ddms.namespace" . | indent 2}}
spec:
action: DENY
rules:
- from:
- source:
notRequestPrincipals:
- '*'
to:
- operation:
notPaths:
- {{ include "os-wellbore-ddms.prefix" . }}/
- {{ include "os-wellbore-ddms.prefix" . }}/ddms/v2/about
- {{ include "os-wellbore-ddms.prefix" . }}/docs
- {{ include "os-wellbore-ddms.prefix" . }}/openapi.json
selector:
matchLabels:
{{ include "os-wellbore-ddms.commonLabels" . | indent 6}}
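Review bot: The DENY rule exempts `/docs` and `/openapi.json` under the prefix, so the full API schema is reachable without any request principal; if that is intentional for a dev cluster it should be stated in a comment (`# /docs and /openapi.json are intentionally anonymous`), otherwise drop them from `notPaths`. Conversely `{{ include "os-wellbore-ddms.prefix" . }}/healthz`, which the Deployment's liveness and readiness probes call on port 8080, is not exempted, so if kubelet probes traverse the sidecar (probe rewriting disabled) they will be denied with 403 and the pods never become ready — worth confirming against the cluster's Istio configuration. Note also that this policy only fails closed because `notRequestPrincipals: ['*']` matches when no RequestAuthentication is present; the chart does not ship one, so the JWT validation it relies on lives elsewhere and that dependency should be documented in the chart README or a comment here.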
{{$nameSuffix := include "os-wellbore-ddms.name-suffix" .}}
apiVersion: v1
data:
CLOUD_PROVIDER: az
OPENAPI_PREFIX: {{ include "os-wellbore-ddms.prefix" . }}
SERVICE_HOST_ENTITLEMENTS: {{ .Values.configMap.data.entitlementsEndpoint }}
SERVICE_HOST_STORAGE: {{ .Values.configMap.data.storageEndpoint }}
SERVICE_HOST_SEARCH: {{ .Values.configMap.data.searchEndpoint }}
SERVICE_HOST_PARTITION: {{ .Values.configMap.data.partitionEndpoint }}
USE_PARTITION_SERVICE: {{ .Values.configMap.data.usePartitionService }}
AZ_LOGGER_LEVEL: {{ .Values.configMap.data.loggerLevel }}
kind: ConfigMap
metadata:
annotations:
{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}
labels:
{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
name: {{ .Values.configMap.name }}{{ $nameSuffix }}
{{ include "os-wellbore-ddms.namespace" . | indent 2}}
\ No newline at end of file
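Review bot: `USE_PARTITION_SERVICE` and `AZ_LOGGER_LEVEL` are rendered unquoted, so an override such as `usePartitionService: true` or a numeric log level produces a non-string ConfigMap `data` value and the apply is rejected by the API server; render them as `USE_PARTITION_SERVICE: {{ .Values.configMap.data.usePartitionService | quote }}` and `AZ_LOGGER_LEVEL: {{ .Values.configMap.data.loggerLevel | quote }}` (the same applies to the `OPENAPI_PREFIX` and endpoint keys for consistency). The `SERVICE_HOST_*` values default to plain `http://` in-cluster URLs; that is acceptable only if mesh mTLS covers those services, which this chart assumes but does not enforce, so a comment stating that assumption would help the next reader.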
{{$nameSuffix := include "os-wellbore-ddms.name-suffix" .}}
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}
labels:
{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
name: {{ .Values.deployment.name }}{{ $nameSuffix }}
{{ include "os-wellbore-ddms.namespace" . | indent 2}}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{ include "os-wellbore-ddms.commonLabels" . | indent 6}}
template:
metadata:
annotations:
{{ include "os-wellbore-ddms.commonAnnotations" . | indent 8}}
labels:
aadpodidbinding: "{{ .Values.labels.aadpodidbinding }}"
{{ include "os-wellbore-ddms.commonLabels" . | indent 8}}
spec:
volumes:
# Note:
# This volume is required for pod-identity access mode (https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/docs/pod-identity-mode.md)
# Even if not directly used by the application, it is still required indirectly to allow the secretProviderClass to sync the secret, because the secret is only created as a side effect of workload mounting its content.
#
# Some more explanation:
# https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/132#issuecomment-646349209
# "It's not possible to only sync as a kubernetes secret and not have the contents mounted as files in the pod. The sync as K8s secret is done by getting the contents from the fs."
- name: azure-keyvault
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "azure-keyvault"
containers:
- name: {{ .Values.deployment.name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
ports:
- containerPort: 8080
# This preStop hook has been added as a temporary workaround to minimize downtime during deployments until this limitation is addressed at the AGIC level
lifecycle:
preStop:
exec:
command: ["sleep", "15"]
envFrom:
- configMapRef:
name: {{ .Values.configMap.name }}{{ $nameSuffix }}
env:
- name: AZ_AI_INSTRUMENTATION_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.deployment.instrumentationKey.secretName }}
key: appinsights
- name: KEYVAULT_URL
valueFrom:
configMapKeyRef:
name: {{ .Values.deployment.osduSvcProperties }}
key: {{ .Values.deployment.keyvaultUrlPropertyName }}
- name: SERVICE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels['app']
volumeMounts:
# This mount is not used by the application but is required for the secretProviderClass
# See more comment on the Volume definion
- mountPath: /azure-keyvault
name: azure-keyvault
readOnly: true
livenessProbe:
httpGet:
path: {{ include "os-wellbore-ddms.prefix" . }}/healthz
port: 8080
initialDelaySeconds: 15
periodSeconds: 5
timeoutSeconds: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: {{ include "os-wellbore-ddms.prefix" . }}/healthz
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 5
terminationGracePeriodSeconds: 45
\ No newline at end of file
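Review bot: The container spec sets no `securityContext`, so the workload runs with whatever user the image defaults to, can gain privileges and keeps all capabilities, while it also mounts Key Vault secrets and holds an AAD pod identity; a restrictive baseline belongs next to `image:`. There are also no `resources` requests/limits, so a runaway request can starve neighbours in the `osdu` namespace — a `resources:` block driven from values would fix that. `readOnlyRootFilesystem` is omitted from the proposal below because I cannot tell from this chart whether the image writes to its filesystem; enable it after confirming. The rest of the Deployment (probes, preStop hook, volumes) is unchanged.
```yaml
      containers:
      - name: {{ .Values.deployment.name }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: ports, lifecycle, envFrom, env, volumeMounts, probes …
```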
{{- if .Values.ingress.enabled -}}
{{$nameSuffix := include "os-wellbore-ddms.name-suffix" .}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}
appgw.ingress.kubernetes.io/ssl-redirect: "true"
appgw.ingress.kubernetes.io/connection-draining: "true"
appgw.ingress.kubernetes.io/connection-draining-timeout: "30"
kubernetes.io/ingress.class: azure/application-gateway
{{ if .Values.ingress.hosts.host }}
cert-manager.io/acme-challenge-type: http01
cert-manager.io/cluster-issuer: letsencrypt
{{ end }}
labels:
{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
name: {{ .Values.deployment.name }}{{ $nameSuffix }}
{{ include "os-wellbore-ddms.namespace" . | indent 2}}
spec:
rules:
- http:
paths:
- backend:
serviceName: {{ .Values.deployment.name }}{{ $nameSuffix }}
servicePort: 80
path: {{ include "os-wellbore-ddms.prefix" . }}/*
{{ if .Values.ingress.hosts.host }}
host: {{ .Values.ingress.hosts.host }}
{{ end }}
tls:
- secretName: {{ .Values.ingress.tlsSecret }}
{{ if .Values.ingress.hosts.host }}
hosts:
- {{ .Values.ingress.hosts.host }}
{{ end }}
{{- end -}}
\ No newline at end of file
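Review bot: When `ingress.hosts.host` is empty (the documented dev default) the rule carries no `host` and the `tls` entry no `hosts`, so Application Gateway serves every Host header with `osdu-certificate` and the cert-manager annotations are skipped; that is fine for a throwaway cluster but should be guarded, e.g. `{{- if and (not .Values.ingress.hosts.host) (ne .Values.labels.env "dev") }}{{ fail "ingress.hosts.host is required outside dev" }}{{ end }}`, or at least commented as dev-only here rather than only in values.yaml. `networking.k8s.io/v1beta1` Ingress is deprecated and removed in Kubernetes 1.22; moving to `networking.k8s.io/v1` (with `service.name`/`service.port.number` and `pathType`) avoids a breakage on upgrade. The `ssl-redirect` annotation is already set, which is good.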
apiVersion: v1
kind: Service
metadata:
annotations:
{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}
labels:
{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
name: {{ .Values.deployment.name }}{{ include "os-wellbore-ddms.name-suffix" . }}
{{ include "os-wellbore-ddms.namespace" . | indent 2}}
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
\ No newline at end of file
# Default values for os-wellbore-ddms.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
namespace: osdu
deployment:
instrumentationKey:
secretName: central-logging
osduSvcProperties: osdu-svc-properties
keyvaultUrlPropertyName: ENV_KEYVAULT
name: os-wellbore-ddms
replicaCount: 2
annotations:
buildNumber: #{Build.BuildNumber}#
buildOrigin: AzureDevops build/#{Build.DefinitionName}#
commitBranch: #{Build.SourceBranch}#
commitId: #{Build.SourceVersion}#
image:
repository: #{CONTAINER_REGISTRY_NAME}#.azurecr.io/#{app}#-#{env}#
# Overrides the image tag whose default is the chart appVersion.
tag: #{Build.SourceVersion}#
tempDeployment:
enabled: false
name: prxxxx
labels:
aadpodidbinding: osdu-identity
env: #{env}#
configMap:
data:
entitlementsEndpoint: http://entitlements-azure.osdu/api/entitlements
storageEndpoint: http://storage.osdu/api/storage
searchEndpoint: http://search-service.osdu/api/search
partitionEndpoint: http://partition.osdu/api/partition
usePartitionService: 'enabled'
loggerLevel: 'INFO'
name: os-wellbore-ddms-envs
ingress:
enabled: false
hosts:
host: # leave it empty for our dev cluster
pathPrefix: /api/os-wellbore-ddms
tlsSecret: osdu-certificate
authorizationPolicy:
name: wellbore-jwt-authz
\ No newline at end of file
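Review bot: The `#{…}#` pipeline tokens are unquoted, and ` #` starts a YAML comment, so before substitution `buildNumber`, `buildOrigin`, `commitBranch`, `commitId`, `repository`, `tag` and `env` all parse as null (a plain `helm template` renders `image: ":"`), and after substitution a digit-only build number or SHA is parsed as a number, which `| quote` then renders in Go's float form. Quoting each placeholder keeps the file valid pre-substitution and pins the values as strings. `host:` being bare is intentional (the template tests it for emptiness) and can stay.
```yaml
annotations:
  buildNumber: "#{Build.BuildNumber}#"
  buildOrigin: "AzureDevops build/#{Build.DefinitionName}#"
  commitBranch: "#{Build.SourceBranch}#"
  commitId: "#{Build.SourceVersion}#"
image:
  repository: "#{CONTAINER_REGISTRY_NAME}#.azurecr.io/#{app}#-#{env}#"
  # Overrides the image tag whose default is the chart appVersion.
  tag: "#{Build.SourceVersion}#"
# … unchanged: tempDeployment …
labels:
  aadpodidbinding: osdu-identity
  env: "#{env}#"
# … unchanged: configMap, ingress, authorizationPolicy …
```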