Add Azure Helm Chart

devops/azure/chart/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+deploy-chart.sh

devops/azure/chart/Chart.yaml

+apiVersion: v2
+name: wdms
+description: OSDU Wellbore DDMS Service
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0

devops/azure/chart/templates/_helpers.tpl

+
+{{/*
+Common Annotations
+*/}}
+{{- define "os-wellbore-ddms.commonAnnotations" -}}
+build-number: {{ .Values.annotations.buildNumber | quote }}
+build-origin: {{ .Values.annotations.buildOrigin | quote }}
+commit-branch: {{ .Values.annotations.commitBranch | quote }}
+commit-id: {{ .Values.annotations.commitId | quote }}
+{{- end}}
+
+{{/*
+Common Labels
+*/}}
+{{- define "os-wellbore-ddms.commonLabels" -}}
+app: os-wellbore-ddms{{ include "os-wellbore-ddms.name-suffix" . }}
+env: {{ .Values.labels.env }}
+{{ include "os-wellbore-ddms.deploymentTypeLabels" . }}
+{{- end }}
+
+{{/*
+ Creates a dynamic set of labels based on if the deployment is a temp Deployment or not.
+*/}}
+{{- define "os-wellbore-ddms.deploymentTypeLabels" -}}
+{{- if .Values.tempDeployment.enabled -}}
+temporary-deployment: "{{ .Values.tempDeployment.name }}"
+deployment-type: temporary
+{{- else }}
+deployment-type: standard
+{{- end }}
+{{- end }}
+
+{{/*
+ Renders the namespace. 
+*/}}
+{{- define "os-wellbore-ddms.namespace" -}}
+namespace: {{.Values.namespace}}
+{{- end }}
+
+{{/*
+ Renders the pathPrefix and suffix if there is any 
+*/}}
+{{- define "os-wellbore-ddms.prefix" -}}
+{{ .Values.ingress.hosts.pathPrefix }}{{ include "os-wellbore-ddms.name-suffix" . }}
+{{- end }}
+
+{{/*
+ Creates a string suffix if the deployment is marked as temporary. 
+*/}}
+{{- define "os-wellbore-ddms.name-suffix" -}}
+{{- if .Values.tempDeployment.enabled -}}
+{{- printf "---%s" .Values.tempDeployment.name -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file

devops/azure/chart/templates/authorization.yaml

+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  annotations:
+{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}
+  labels:
+{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
+  name: {{ .Values.authorizationPolicy.name }}{{ include "os-wellbore-ddms.name-suffix" . }}
+{{ include "os-wellbore-ddms.namespace" . | indent 2}}
+spec:
+  action: DENY
+  rules:
+  - from:
+    - source:
+        notRequestPrincipals:
+        - '*'
+    to:
+    - operation:
+        notPaths:
+        - {{ include "os-wellbore-ddms.prefix" . }}/
+        - {{ include "os-wellbore-ddms.prefix" . }}/ddms/v2/about
+        - {{ include "os-wellbore-ddms.prefix" . }}/docs
+        - {{ include "os-wellbore-ddms.prefix" . }}/openapi.json
+  selector:
+    matchLabels:
+{{ include "os-wellbore-ddms.commonLabels" . | indent 6}}

devops/azure/chart/templates/configmap.yaml

+{{$nameSuffix := include "os-wellbore-ddms.name-suffix" .}}
+apiVersion: v1
+data:
+  CLOUD_PROVIDER: az
+  OPENAPI_PREFIX: {{ include "os-wellbore-ddms.prefix" . }}
+  SERVICE_HOST_ENTITLEMENTS: {{ .Values.configMap.data.entitlementsEndpoint }}
+  SERVICE_HOST_STORAGE: {{ .Values.configMap.data.storageEndpoint }}
+  SERVICE_HOST_SEARCH: {{ .Values.configMap.data.searchEndpoint }}
+  SERVICE_HOST_PARTITION: {{ .Values.configMap.data.partitionEndpoint }}
+  USE_PARTITION_SERVICE: {{ .Values.configMap.data.usePartitionService }}
+  AZ_LOGGER_LEVEL: {{ .Values.configMap.data.loggerLevel }}
+kind: ConfigMap
+metadata:
+  annotations:
+{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}
+  labels:
+{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
+  name: {{ .Values.configMap.name }}{{ $nameSuffix }}
+{{ include "os-wellbore-ddms.namespace" . | indent 2}}
\ No newline at end of file

devops/azure/chart/templates/deployment.yaml

+{{$nameSuffix := include "os-wellbore-ddms.name-suffix" .}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}
+  labels:
+{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
+  name: {{ .Values.deployment.name }}{{ $nameSuffix }}
+{{ include "os-wellbore-ddms.namespace" . | indent 2}}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+{{ include "os-wellbore-ddms.commonLabels" . | indent 6}}
+  template:
+    metadata:
+      annotations:
+{{ include "os-wellbore-ddms.commonAnnotations" . | indent 8}}
+      labels:
+        aadpodidbinding: "{{ .Values.labels.aadpodidbinding }}"
+{{ include "os-wellbore-ddms.commonLabels" . | indent 8}}
+    spec:
+      volumes:
+        # Note:
+        # This volume is required for pod-identity access mode (https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/docs/pod-identity-mode.md)
+        # Even if not directly used by the application, it is still required indirectly to allow the secretProviderClass to sync the secret, because the secret is only created as a side effect of workload mounting its content. 
+        # 
+        # Some more explanation:
+        # https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/132#issuecomment-646349209
+        # "It's not possible to only sync as a kubernetes secret and not have the contents mounted as files in the pod. The sync as K8s secret is done by getting the contents from the fs."
+        - name: azure-keyvault
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "azure-keyvault"
+      containers:
+      - name: {{ .Values.deployment.name }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        ports:
+          - containerPort: 8080
+        # This preStop hook has been added as a temporary workaround to minimize downtime during deployments until this limitation is addressed at the AGIC level
+        lifecycle:
+          preStop:
+            exec:
+              command: ["sleep", "15"]
+        envFrom:
+        - configMapRef:
+            name: {{ .Values.configMap.name }}{{ $nameSuffix }}
+        env:
+        - name: AZ_AI_INSTRUMENTATION_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.deployment.instrumentationKey.secretName }}
+              key: appinsights
+        - name: KEYVAULT_URL
+          valueFrom:
+            configMapKeyRef:
+              name: {{ .Values.deployment.osduSvcProperties }}
+              key: {{ .Values.deployment.keyvaultUrlPropertyName }}
+        - name: SERVICE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.labels['app']
+        volumeMounts:
+          # This mount is not used by the application but is required for the secretProviderClass
+          # See more comment on the Volume definion
+          - mountPath: /azure-keyvault
+            name: azure-keyvault
+            readOnly: true
+        livenessProbe:
+          httpGet:
+            path: {{ include "os-wellbore-ddms.prefix" . }}/healthz
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 5
+          timeoutSeconds: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: {{ include "os-wellbore-ddms.prefix" . }}/healthz
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+      terminationGracePeriodSeconds: 45
\ No newline at end of file

devops/azure/chart/templates/ingress.yaml

+{{- if .Values.ingress.enabled -}}
+{{$nameSuffix := include "os-wellbore-ddms.name-suffix" .}}
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}      
+    appgw.ingress.kubernetes.io/ssl-redirect: "true"
+    appgw.ingress.kubernetes.io/connection-draining: "true"    
+    appgw.ingress.kubernetes.io/connection-draining-timeout: "30"
+    kubernetes.io/ingress.class: azure/application-gateway
+{{ if .Values.ingress.hosts.host }}
+    cert-manager.io/acme-challenge-type: http01
+    cert-manager.io/cluster-issuer: letsencrypt
+{{ end }}    
+
+  labels:
+{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
+  name: {{ .Values.deployment.name }}{{ $nameSuffix }}
+{{ include "os-wellbore-ddms.namespace" . | indent 2}}
+spec:
+  rules:
+  - http:
+      paths:
+      - backend:
+          serviceName: {{ .Values.deployment.name }}{{ $nameSuffix }}
+          servicePort: 80
+        path: {{ include "os-wellbore-ddms.prefix" . }}/*
+{{ if .Values.ingress.hosts.host }}
+    host: {{ .Values.ingress.hosts.host }}
+{{ end }}  
+  tls:
+  - secretName: {{ .Values.ingress.tlsSecret }}
+{{ if .Values.ingress.hosts.host }}
+    hosts:
+    - {{ .Values.ingress.hosts.host }}
+{{ end }}    
+{{- end -}}
\ No newline at end of file

devops/azure/chart/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+{{ include "os-wellbore-ddms.commonAnnotations" . | indent 4}}
+  labels:
+{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
+  name: {{ .Values.deployment.name }}{{ include "os-wellbore-ddms.name-suffix" . }}
+{{ include "os-wellbore-ddms.namespace" . | indent 2}}
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080
+  selector:
+{{ include "os-wellbore-ddms.commonLabels" . | indent 4}}
\ No newline at end of file

devops/azure/chart/values.yaml

+# Default values for os-wellbore-ddms.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+namespace: osdu
+deployment:
+  instrumentationKey:
+    secretName: central-logging
+  osduSvcProperties: osdu-svc-properties
+  keyvaultUrlPropertyName: ENV_KEYVAULT
+  name: os-wellbore-ddms
+
+replicaCount: 2
+
+annotations:
+  buildNumber: #{Build.BuildNumber}#
+  buildOrigin: AzureDevops build/#{Build.DefinitionName}#
+  commitBranch: #{Build.SourceBranch}#
+  commitId: #{Build.SourceVersion}#
+
+image:
+  repository: #{CONTAINER_REGISTRY_NAME}#.azurecr.io/#{app}#-#{env}#
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: #{Build.SourceVersion}#
+
+tempDeployment:
+  enabled: false
+  name: prxxxx
+
+labels:
+  aadpodidbinding: osdu-identity
+  env: #{env}#
+
+configMap:
+  data:
+    entitlementsEndpoint: http://entitlements-azure.osdu/api/entitlements
+    storageEndpoint: http://storage.osdu/api/storage
+    searchEndpoint: http://search-service.osdu/api/search
+    partitionEndpoint: http://partition.osdu/api/partition
+    usePartitionService: 'enabled'
+    loggerLevel: 'INFO'
+  name: os-wellbore-ddms-envs
+
+ingress:
+  enabled: false
+  hosts:
+    host: # leave it empty for our dev cluster
+    pathPrefix: /api/os-wellbore-ddms
+  tlsSecret: osdu-certificate
+
+authorizationPolicy:
+  name: wellbore-jwt-authz
\ No newline at end of file