stack_car 0.9.0 → 0.12.0

data/templates/chart-fcrepo/fcrepo-env-cm.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "app.fcrepo-env.name" . }}
+data:
+  DATABASE_USER: {{ .Values.env.configmap.DATABASE_USER }}
+  DATABASE_NAME: {{ .Values.env.configmap.FC_DATABASE_NAME }}

data/templates/chart-fcrepo/fcrepo-env-secret.yaml.tt

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "app.fcrepo-env.name" . }}
+data:
+  DATABASE_PASSWORD: {{ .Values.env.secret.DATABASE_PASSWORD | b64enc }}
+  <% if options[:postgres] %>
+  JAVA_OPTS: {{ printf "-Dfcrepo.modeshape.configuration=\"classpath:/config/jdbc-postgresql/repository.json\" -Dfcrepo.postgresql.host=\"%s\" -Dfcrepo.postgresql.username=\"%s\" -Dfcrepo.postgresql.password=\"%s\" -Dfcrepo.object.directory=\"/data/objects\" -Dfcrepo.binary.directory=\"/data/binaries\"" ( include "app.postgres.name" . ) .Values.env.configmap.DATABASE_USER .Values.env.secret.DATABASE_PASSWORD | b64enc }}
+  <% end %>

data/templates/chart-fcrepo/fcrepo-pvc.yaml

@@ -0,0 +1,20 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "app.fcrepo.name" . }}
+  labels:
+    app: {{ template "app.name" . }}
+    chart: {{ template "app.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    component: fcrepo
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.fcrepo.storage.size }}
+  {{- if .Values.fcrepo.storage.className }}
+  storageClassName: "{{ .Values.fcrepo.storage.ClassName }}"
+  {{- end }}

data/templates/chart-fcrepo/fcrepo-svc.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "app.fcrepo.name" . }}
+  labels:
+    app: {{ template "app.name" . }}
+    chart: {{ template "app.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    component: fcrepo
+spec:
+  ports:
+    - protocol: TCP
+      port: 8080
+  selector:
+    app: {{ template "app.name" . }}
+    release: {{ .Release.Name }}
+    component: fcrepo

data/templates/chart-sidekiq/sidekiq-deploy.yaml

@@ -0,0 +1,80 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "app.sidekiq.name" . }}
+  labels:
+    app: {{ template "app.name" . }}
+    chart: {{ template "app.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    component: sidekiq
+spec:
+  replicas: {{ .Values.sidekiq.replicas }}
+  selector:
+    matchLabels:
+      app: {{ template "app.name" . }}
+      release: {{ .Release.Name }}
+      component: sidekiq
+  template:
+    metadata:
+      labels:
+        app: {{ template "app.name" . }}
+        release: {{ .Release.Name }}
+        component: sidekiq
+      annotations:
+        checksum/rails-env-cm: {{ include (print $.Template.BasePath "/rails-env-cm.yaml") . | sha256sum }}
+        checksum/rails-env-secret: {{ include (print $.Template.BasePath "/rails-env-secret.yaml") . | sha256sum }}
+    spec:
+      restartPolicy: Always
+      terminationGracePeriodSeconds: {{ .Values.sidekiq.timeout | add 5 }}
+      {{- if .Values.rails.imagePullSecrets }}
+      imagePullSecrets:
+        {{ toYaml .Values.rails.imagePullSecrets }}
+      {{- end }}
+      volumes:
+        - name: shared
+          persistentVolumeClaim:
+            claimName: {{ template "app.rails-env.name" . }}-shared
+      containers:
+        - name: sidekiq
+          image: {{ .Values.rails.image.repository }}:{{ .Values.rails.image.tag }}
+          imagePullPolicy: Always
+          command: ["/bin/bash"]
+          args:
+            - "-l"
+            - "-c"
+            - "bundle exec sidekiq"
+          # livenessProbe:
+          #   exec:
+          #     command:
+          #       - ./bin/rails runner ./chart/bin/check_sidekiq.rb
+          #   initialDelaySeconds: 30
+          # Use sub-path for individual folders
+          volumeMounts:
+            - mountPath: /home/app/webapp/tmp/imports
+              name: shared
+              subPath: import_path
+            - mountPath: /home/app/webapp/tmp/exports
+              name: shared
+              subPath: export_path
+            - mountPath: /home/app/webapp/tmp/derivatives_path
+              name: shared
+              subPath: derivatives_path
+            - mountPath: /home/app/webapp/tmp/uploads
+              name: shared
+              subPath: upload_path
+            - mountPath: /home/app/webapp/public/uploads
+              name: shared
+              subPath: uploads
+            - mountPath: /home/app/webapp/public/assets
+              name: shared
+              subPath: assets
+            - mountPath: /home/app/webapp/public/branding
+              name: shared
+              subPath: branding
+          envFrom:
+            - configMapRef:
+                name: {{ template "app.rails-env.name" . }}
+            - secretRef:
+                name: {{ template "app.rails-env.name" . }}

data/templates/chart/.gitignore

@@ -0,0 +1,3 @@
+server.pem
+server.key
+*values.yaml

data/templates/chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+server.pem
+server.key

data/templates/chart/Chart.yaml.tt

@@ -0,0 +1,29 @@
+apiVersion: v1
+appVersion: "0.0.1"
+description: A Helm chart for <%= @project_name %>
+name: <%= @project_name %>
+version: 0.0.1
+dependencies:
+<%- if options[:solr] %>
+  - name: solr 
+    version: 1.3.3
+    repository: https://storage.googleapis.com/kubernetes-charts-incubator
+<%- end %>
+<%- if options[:redis] %>
+  - name: redis
+    version: 10.3.1
+    repository: https://kubernetes-charts.storage.googleapis.com/
+    condition: redis.enabled
+<%- end %>
+<%- if options[:postgres] %>
+  - name: postgresql
+    version: 8.1.2
+    repository: https://kubernetes-charts.storage.googleapis.com/
+    condition: postgresql.enabled
+<%- end %>
+<%- if options[:mysql] %>
+- name: mariadb
+  version: 5.x.x
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  condition: mariadb.enabled
+<%- end %>

data/templates/chart/README.md

@@ -0,0 +1,223 @@
+Helm Chart
+==========
+
+This is a Rails Helm Chart which can be used to deploy a Rails instance to a Kubernetes cluster.
+
+# Requirements
+
+* helm
+```
+brew install helm
+```
+
+* kubernetes
+Kubectl is the command line tool for controlling Kubernetes clusters. It is available via (https://docs.docker.com/docker-for-mac/)[Docker for Mac]
+
+Alternatively:
+```
+brew install kubectl
+```
+
+# Getting Started Locally using Docker for Mac
+
+## Setup
+
+Install Docker for Mac (DfM)
+
+Enable the Kubernetes Cluster in the DfM Settings
+
+In the menu bar item for DfM you'll 'Kubernetes', this will list the available clusters. For local deployment make sure docker-desktop is selected.
+
+## KubeConfig
+
+Kubernetetes creates a config file at `~/.kube/config`. When we come to setting up access to external clusters, we will be editing this file. That will add clusters to the DfM Kubernetes list. Remember that if you are running deployment actions using helm or kubectl they will use the cluster selected in that list, so if you were deploying to a production server yesterday, that will still be selected. It is a good practice to run `kubectl cluster-info` or `kubectl config current-context` before starting any deployment to make sure you are deploying to the right cluster.
+
+## GitLab Secret
+
+To pull images from a private registry, you'll need a secret 
+
+For GitLab, create a Personal Access Token in GitLab with read access.
+
+Create your secret (called gitlab) in kubectl, substituting the items in {} with your data:
+```
+create secret docker-registry gitlab --docker-server=https://registry.gitlab.com --docker-username={YOUR USERNAME} --docker-password={PERSONAL ACCESS TOKEN} --docker-email={YOUR EMAIL} --namespace {NAMESPACE eg. hyku-staging}
+```
+
+Reference the secret in `imagePullSecrets`, see the sample.yamnl file for an example.
+
+For other private registries, please consult their documentation on access tokens.
+
+## TLS Secret
+
+We also need to setup a secret for TLS certificates.
+
+```
+# this command will generate self signed server certificate and key: server.pem, server.key
+# key and cert are stored in Secret object named `demoapp-puma-tls`.
+# you can confirm this object by `kubectl describe secret demoapp-puma-tls`
+export COMMON_NAME=localhost
+openssl req -new -x509 -nodes -keyout server.key -days 3650 \
+  -subj "/CN=${COMMON_NAME}" \
+  -extensions v3_req \
+  -config <(cat openssl.conf | sed s/\${COMMON_NAME}/$COMMON_NAME/) > server.pem
+```
+
+NOTE: you may need change openssl.conf to point to your local path, eg. /System/Library/OpenSSL/openssl.cnf
+
+```
+kubectl create secret tls demoapp-puma-tls --key server.key --cert server.pem
+```
+
+## Add Helm Chart Repository
+
+We are going to need to install a couple of things on our local cluster. For this we need to install charts from the Helm stable chart repository.
+
+One off installation of the repository:
+```
+helm repo add stable https://kubernetes-charts.storage.googleapis.com
+```
+
+## Install NFS
+
+To run locally and use NFS file mounts we'll need an NFS server:
+
+Helm install to run the nfs server on kubernetes:
+```
+helm install stable/nfs-server-provisioner --generate-name
+```
+
+NOTE: you can substitute --generate-name with --name followed by your chosen name for the resource
+
+NOTE: stop / remove it with helm uninstall {name} --namespace default
+
+### Ingress
+
+To run locally we'll need an Ingress controller - this provides us with the ability to access the application on the web:
+
+Helm install to run the ingress controller on kubernetes:
+```
+helm install stable/nginx-ingress --generate-name
+```
+
+NOTE: you can substitute --generate-name with --name followed by your chosen name for the resource
+
+NOTE: stop / remove it with helm uninstall {name} --namespace default
+
+## Values
+
+When deploying the Helm chart we will provide a yaml file containing various configurations choices.
+
+A sample values file is provided to give defaults: `sample.yaml`. Copy this file (eg. to development-values.yamnl) and change values as appropriate.
+
+**Handling values files**
+
+Since values files are likely to contain sensitive information like API keys, they are included in `.gitignore` and MUST NOT be added to the repository. Encrypt the file before committing them to the repository, using the provided bin scripts in this directory.
+
+Example workflow (given values file is already created):
+- Edit values file
+- `chart/bin/encrypt staging <keybase-team-name>`
+  - This command will create `staging-values.yaml.enc`
+- `git add staging-values.yaml.enc`
+- Commit and push
+
+When pulling down a repo or branch, you will need to start by decrypting.
+
+Example:
+- `chart/bin/decrypt staging`
+
+## Deploy using Helm
+
+From ./chart/
+
+```
+./bin/deploy development latest
+```
+
+Open demoapp in browser
+```
+open locaallhost
+```
+
+## Cleanup
+helm uninstall development --namespace REPO_NAME
+
+eg. `helm uninstall development --namespace project-env`
+
+Tip: add the --dry-run to see what will be deleted
+
+## Kubernetes Dashboard
+
+Kubernetes provides a web-based dashboard for viewing and managing the deployed resources.
+
+# Install it:
+```
+helm install stable/kubernetes-dashboard --generate-name
+```
+
+Make a note of the start command printed on install. It includes the release name (eg. kubernetes-dashboard-1579333192).
+
+Tip: You can replace --generate-name with --name and supply a name for the release to give you a stable name. 
+
+Start it:
+```
+(RELEASE_NAME will be the value from your installation - find it with helm ls)
+
+export POD_NAME=$(kubectl get pods -n default -l "app=kubernetes-dashboard,release=RELEASE_NAME" -o jsonpath="{.items[0].metadata.name}")
+echo https://127.0.0.1:8443/
+kubectl -n default port-forward $POD_NAME 8443:8443
+```
+
+Open it:
+```
+https://127.0.0.1:8443/
+```
+
+It will ask you to login by one of two methods. Opt for 'access token'.
+
+Print your access token in a console as follwos, and then copy paste it into the token box on the dashboard login:
+```
+kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | awk '/^deployment-controller-token-/{print $1}') | awk '$1=="token:"{print $2}'
+```
+
+# Deploying to Staging and Production clusters
+
+Staging and Production deployment require the following steps:
+
+1. Add the necessary kube config for your remote cluster
+
+2. Switch kubernetes context
+
+Either using the list in DfM Kubernetes, or with the following:
+
+```
+# check the current context
+kubectl config current-context
+# find the context you want in the list
+kubectl config get-contexts
+# switch
+kubectl config use-context CONTEXT_NAME
+```
+
+3. Setup the *-values.yaml for staging or production
+
+4. Deploy
+
+```
+# bin/deploy ENVIRONMENT TAG
+bin/deploy staging latest
+```
+
+NOTE: the TAG will be used to pull the latest image from the GitLab repository. If the code has changed, make sure it's been pushed and the tagged image in the repository updated.
+
+The namespace will be set to the git repository name, eg. project-env. Make sure the namespace exists in your cluster. Create it with `kubectl create namespace project-env`
+
+# Troubleshooting
+
+The Kubernetes Dashboard (locally) allows you to view logs and access a shell session. If problems occur during deployment, there is an event history that can provide more information. 
+
+There are equivalent kubectl commands for logs and accessing a shell, eg.
+
+```
+kubectl kubectl exec -it POD --namespace NAMESPACE -- /bin/bash
+kubectl kubectl logs POD --namespace NAMESPACE
+```

data/templates/chart/bin/decrypt

@@ -0,0 +1,17 @@
+#!/bin/bash
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd $DIR/../../chart
+
+echo $DIR
+
+REPO=$(basename $(git config --get remote.origin.url))
+NAMESPACE=${REPO%.git} 
+
+if [ -z "$1" ]
+then
+    echo './chart/bin/decrypt ENVIRONMENT'
+    exit 1
+fi
+
+keybase decrypt -i $1-values.yaml.enc -o $1-values.yaml
+