feat(helm): add live logs deployment (#827) #827

Merged
merged 3 commits into from
Oct 23, 2024
42 changes: 42 additions & 0 deletions helm/configurations/values-dev.yaml
Expand Up @@ -14,6 +14,8 @@ components:
image: docker.io/reanahub/reana-workflow-controller
environment:
REANA_RUNTIME_KUBERNETES_KEEP_ALIVE_JOBS_WITH_STATUSES: failed
REANA_OPENSEARCH_USE_SSL: false
REANA_OPENSEARCH_ENABLED: false
reana_workflow_engine_cwl:
image: docker.io/reanahub/reana-workflow-engine-cwl
reana_workflow_engine_yadage:
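Review bot: `REANA_OPENSEARCH_USE_SSL: false` sits next to `REANA_OPENSEARCH_ENABLED: false` with no comment, so a developer who flips only `REANA_OPENSEARCH_ENABLED` to try live logs gets a controller that talks to OpenSearch without TLS while still being handed `REANA_OPENSEARCH_PASSWORD`. Add a one-line comment saying the TLS override is dev-only and has to be kept in step with `opensearch.tls.generate` and `fluent-bit.outputConfig.tls` further down in this file.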
Expand All @@ -31,3 +33,43 @@ components:

pgbouncer:
enabled: true

# OpenSearch configuration for dev environment
opensearch:
enabled: false
tls:
generate: false
singleNode: true
config:
opensearch.yml: |
cluster.name: reana-opensearch
network.host: 0.0.0.0
plugins.security.disabled: true
securityConfig:
enabled: false
internalUsersSecret:
rolesSecret:
rolesMappingSecret:
resources:
requests:
cpu: "500m"
memory: "2Gi"
extraEnvs:
- name: DISABLE_INSTALL_DEMO_CONFIG
value: "false"
- name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: reana-opensearch-secrets
key: OPENSEARCH_INITIAL_ADMIN_PASSWORD
secretMounts: []
customSecurityConfig:

# FluentBit configuration for dev environment
fluent-bit:
enabled: false
outputConfig:
tls: "Off"
tlsCaFile: ""
extraVolumes: []
extraVolumeMounts: []
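Review bot: the `opensearch.yml` block pairs `network.host: 0.0.0.0` with `plugins.security.disabled: true`, so once `opensearch.enabled` is switched on the workflow and job logs are readable and writable without authentication by anything that can reach the service; say so in the `# OpenSearch configuration for dev environment` comment so the block is not copied into a production values file. Two smaller points in the same hunk: `DISABLE_INSTALL_DEMO_CONFIG` is `"false"`, which asks the image to install the demo security configuration even though the security plugin is disabled, and the `secretKeyRef` name `reana-opensearch-secrets` is hard-coded while the controller template builds the secret name from `reana.prefix`, so a release with a different prefix will not find it.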
8 changes: 8 additions & 0 deletions helm/reana/Chart.yaml
Expand Up @@ -35,3 +35,11 @@ dependencies:
condition: traefik.enabled
tags:
- ingress
- name: opensearch
version: 2.22.1
repository: https://opensearch-project.github.io/helm-charts/
condition: opensearch.enabled
- name: fluent-bit
version: 0.47.7
repository: https://fluent.github.io/helm-charts
condition: fluent-bit.enabled
43 changes: 43 additions & 0 deletions helm/reana/README.md
Expand Up @@ -51,6 +51,14 @@ This Helm automatically prefixes all names using the release name to avoid colli
| `components.reana_workflow_controller.environment.REANA_JOB_HOSTPATH_MOUNTS` | JSON list of optional hostPath mounts, for all user jobs. Each mount object has a key `name` (name of the mount), `hostPath` (path to the directory to be mounted from the Kubernetes nodes) and `mountPath` (path inside the job containers where the `hostPath` will be mounted) | None |
| `components.reana_workflow_controller.environment.REANA_RUNTIME_KUBERNETES_KEEP_ALIVE_JOBS_WITH_STATUSES` | Keep alive Kubernetes user runtime jobs depending on status (`finished` and/or `failed`). | None |
| `components.reana_workflow_controller.environment.REANA_JOB_STATUS_CONSUMER_PREFETCH_COUNT` | Define max number of unacknowledged deliveries that are permitted on `jobs-status` queue consumer. | 10 |
| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_ENABLED` | Enable workflow and job log retrieval from OpenSearch. | false |
| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_HOST` | OpenSearch host. | None |
| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_PORT` | OpenSearch port. | None |
| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_URL_PREFIX` | OpenSearch URL prefix. | None |
| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_USE_SSL` | Use SSL when connecting to OpenSearch instance. | true |
| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_CA_CERTS` | Path to a file with OpenSearch root CA certificates. | "/code/certs/ca.crt" |
| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_USER` | OpenSearch user name for Basic Authentication. | reana |
| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_PASSWORD` | OpenSearch password for Basic Authentication. Set this value in the Helm command. | "" |
| `components.reana_workflow_engine_cwl.environment` | [REANA-Workflow-Engine-CWL](https://github.com/reanahub/reana-workflow-engine-cwl) environment variables | `{}` |
| `components.reana_workflow_engine_cwl.image` | [REANA-Workflow-Engine-CWL image](https://hub.docker.com/r/reanahub/reana-workflow-engine-cwl) to use | `docker.io/reanahub/reana-workflow-engine-cwl:<chart-release-version>` |
| `components.reana_workflow_engine_serial.environment` | [REANA-Workflow-Engine-Serial](https://github.com/reanahub/reana-workflow-engine-serial) environment variables | `{}` |
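Review bot: the `REANA_OPENSEARCH_PASSWORD` row tells operators to "Set this value in the Helm command", which puts the password into shell history and the process list when it is passed with `--set`; recommend a values file with restricted permissions or a pre-created secret instead, and mention that the controller receives the value through the `<prefix>-opensearch-secrets` secret. The `REANA_OPENSEARCH_CA_CERTS` row should also say that the path is only populated when `REANA_OPENSEARCH_USE_SSL` is true.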
Expand All @@ -65,6 +73,29 @@ This Helm automatically prefixes all names using the release name to avoid colli
| `db_env_config.REANA_DB_PORT` | Environment variable to connect to external databases | "5432" |
| `debug.enabled` | Instantiate a [wdb](https://github.com/Kozea/wdb) remote debugger inside the cluster, accessible in port `31984` | false |
| `eos.enabled` | **[CERN only]** Enable EOS support inside the cluster | false |
| `fluent-bit.enabled` | Enable FluentBit | false |
| `fluent-bit.inputConfig.*` | Pass certain `tail` input [configuration parameters](https://docs.fluentbit.io/manual/pipeline/inputs/tail#config)| |
| `fluent-bit.inputConfig.refreshInterval` | `tail` input configuration parameter `Refresh_Interval` | 2 |
| `fluent-bit.inputConfig.rotateWait` | `tail` input configuration parameter `Rotate_Wait` | 5 |
| `fluent-bit.inputConfig.skipLongLines` | `tail` input configuration parameter `Skip_Long_Lines` | On |
| `fluent-bit.inputConfig.skipEmptyLines` | `tail` input configuration parameter `Skip_Empty_Lines` | On |
| `fluent-bit.filterConfig.*` | Pass certain `kubernetes` filter [configuration parameters](https://docs.fluentbit.io/manual/pipeline/filters/kubernetes#configuration-parameters)| |
| `fluent-bit.filterConfig.bufferSize` | `kubernetes` filter configuration parameter `Buffer_Size` | 512k |
| `fluent-bit.filterConfig.kubeUrl` | `kubernetes` filter configuration parameter `Kube_URL` | https://kubernetes.default.svc:443 |
| `fluent-bit.filterConfig.kubeCaFile` | `kubernetes` filter configuration parameter `Kube_CA_File` | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt |
| `fluent-bit.filterConfig.kubeTokenFile` | `kubernetes` filter configuration parameter `Kube_Token_File` | /var/run/secrets/kubernetes.io/serviceaccount/token |
| `fluent-bit.outputConfig.*` | Pass certain `opensearch` output [configuration parameters](https://docs.fluentbit.io/manual/pipeline/outputs/opensearch#configuration-parameters)| |
| `fluent-bit.outputConfig.host` | `opensearch` output configuration parameter `Host` | reana-opensearch-master |
| `fluent-bit.outputConfig.httpUser` | `opensearch` output configuration parameter `HTTP_User` | fluentbit |
| `fluent-bit.outputConfig.httpPasswd` | `opensearch` output configuration parameter `HTTP_Passwd` | None |
| `fluent-bit.outputConfig.tls` | `opensearch` output configuration parameter `tls` | "On" |
| `fluent-bit.outputConfig.tlsVerify` | `opensearch` output configuration parameter `tls.verify` | "On" |
| `fluent-bit.outputConfig.tlsVerifyHostname` | `opensearch` output configuration parameter `tls.verify_hostname` | "Off" |
| `fluent-bit.outputConfig.tlsCaFile` | `opensearch` output configuration parameter `tls.ca_file` | /fluent-bit/etc/certs/ca.crt |
| `fluent-bit.outputConfig.tlsCrtFile` | `opensearch` output configuration parameter `tls.crt_file` | "" |
| `fluent-bit.outputConfig.tlsKeyFile` | `opensearch` output configuration parameter `tls.key_file` | "" |
| `fluent-bit.outputConfig.tlsKeyPassword` | `opensearch` output configuration parameter `tls.key_passwd` | "" |
| `fluent-bit.priority` | Priority class value for FluentBit pods | 1000000 |
| `fullnameOverride` | Name to override the `reana.prefix` | None |
| `infrastructure_storage` | Optional volume used by REANA's infrastructure (i.e. database and message broker). It has the same settings as `shared_storage` | {} |
| `ingress.annotations.traefik.ingress.kubernetes.io/router.entrypoints` | Entrypoints allowed by the ingress controller | "web,websecure" |
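Review bot: `fluent-bit.outputConfig.tlsVerifyHostname` defaults to "Off", so with `tlsVerify` "On" FluentBit accepts any certificate signed by the CA in `tlsCaFile` regardless of which host presents it. If this default exists because `host` (`reana-opensearch-master`) does not match the generated node certificate's CN, state that in the description; otherwise default it to "On". The `httpPasswd` row (default None) also needs a sentence on where the value is expected to come from.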
Expand Down Expand Up @@ -98,6 +129,18 @@ This Helm automatically prefixes all names using the release name to avoid colli
| `reana_hostname` | REANA hostname (e.g. reana.example.org) | None |
| `namespace_runtime` | Namespace in which the REANA runtime pods (workflow engines, jobs etc...) will run | `.Release.Namespace` |
| `naming_scheme` | REANA component naming scheme | None |
| `opensearch.*` | Pass any value from [OpenSearch Helm chart values](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch#configuration) here | - |
| `opensearch.enabled` | Enable OpenSearch | false |
| `opensearch.tls.generate` | Enable the generation of a self-signed TLS certificates for OpenSearch | true |
| `opensearch.tls.ca.cn` | OpenSearch root CA certificate common name (CN) | reana.io |
| `opensearch.tls.ca.ttl` | OpenSearch root CA certificate TTL in days | 365 |
| `opensearch.tls.cert.cn` | OpenSearch node certificate common name (CN) | reana-opensearch-master.default.svc.cluster.local |
| `opensearch.tls.cert.ttl` | OpenSearch node certificate TTL in days | 180 |
| `opensearch.tls.admin.cn` | OpenSearch admin certificate common name (CN) | opensearch-admin.reana.io |
| `opensearch.tls.admin.ttl` | OpenSearch admin certificate TTL in days | 180 |
| `opensearch.customSecurityConfig.internalUsers` | Provide YAML users configuration for `internal_users.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#internal_usersyml) | None |
| `opensearch.customSecurityConfig.roles` | Provide YAML roles configuration for `roles.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#rolesyml) | None |
| `opensearch.customSecurityConfig.rolesMapping` | Provide YAML roles mapping configuration for `roles_mapping.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#roles_mappingyml) | None |
| `pgbouncer.enabled` | Instantiate PgBouncer inside the cluster to pool database connections | false |
| `pgbouncer.image` | [PgBouncer image](https://hub.docker.com/r/bitnami/pgbouncer/) to use | `bitnami/pgbouncer:1.23.1` |
| `pgbouncer.pool_mode` | Pool mode to use (session, transaction, statement) | transaction |
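Review bot: the default for `opensearch.tls.cert.cn` is `reana-opensearch-master.default.svc.cluster.local`, which bakes in both the `reana` prefix and the `default` namespace, so a release installed under another name or namespace gets a node certificate whose name does not match its service. Either derive the CN from the release name and namespace or say in the description that it must be overridden. The TTL rows (365 days for the CA, 180 for the node and admin certificates) should mention how the certificates are renewed before they expire.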
11 changes: 11 additions & 0 deletions helm/reana/templates/priority-classes.yaml
@@ -0,0 +1,11 @@
{{- if index .Values "fluent-bit" "enabled" }}
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: {{ include "reana.prefix" . }}-fluent-bit-priority-class
value: {{ index .Values "fluent-bit" "priority" | default 1000000 }}
preemptionPolicy: Never
globalDefault: false
description: "PriorityClass for FluentBit DaemonSet pods. This priority class will not cause other pods to be preempted."
{{- end }}
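Review bot: on the `value:` line, `| default 1000000` treats 0 as empty, so setting `fluent-bit.priority: 0` still renders 1000000; if 0 should be accepted, test for the key with `hasKey` instead of piping through `default`. PriorityClass is also cluster-scoped, so the name `{{ include "reana.prefix" . }}-fluent-bit-priority-class` collides when two releases with the same prefix are installed in different namespaces, which is worth a line in the README.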
23 changes: 23 additions & 0 deletions helm/reana/templates/reana-workflow-controller.yaml
@@ -1,3 +1,6 @@
{{- $opensearchEnv := .Values.components.reana_workflow_controller.environment }}
{{- $opensearchEnabled := $opensearchEnv.REANA_OPENSEARCH_ENABLED }}
{{- $opensearchTlsEnabled := and $opensearchEnabled $opensearchEnv.REANA_OPENSEARCH_USE_SSL }}
---
apiVersion: v1
kind: Service
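Review bot: `$opensearchEnabled` and `$opensearchTlsEnabled` use the raw values of `REANA_OPENSEARCH_ENABLED` and `REANA_OPENSEARCH_USE_SSL`, and Go templates treat any non-empty string as true, so an operator who writes `REANA_OPENSEARCH_ENABLED: "false"` (quoted, as environment values often are) turns the feature on. Compare against the string form, for example `eq (toString $opensearchEnv.REANA_OPENSEARCH_ENABLED) "true"`, or document that these two keys must be YAML booleans.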
Expand Down Expand Up @@ -83,6 +86,11 @@ spec:
mountPath: {{ $workspace_path._1 }}
{{- end }}
{{- end }}
{{- if $opensearchTlsEnabled }}
- name: {{ include "reana.prefix" . }}-opensearch-tls-secrets
mountPath: /code/certs
readOnly: true
{{- end }}
envFrom:
- configMapRef:
name: {{ include "reana.prefix" . }}-database-config
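Review bot: `mountPath: /code/certs` is fixed, while `REANA_OPENSEARCH_CA_CERTS` is documented as configurable with default `/code/certs/ca.crt`; an operator who changes the variable ends up pointing the controller at a path nothing is mounted on. Derive the mount path from the variable, or note in the README that the value must stay at its default when the chart-managed secret is used.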
Expand Down Expand Up @@ -216,6 +224,13 @@ spec:
secretKeyRef:
name: {{ include "reana.prefix" . }}-db-secrets
key: password
{{- if $opensearchEnabled }}
- name: REANA_OPENSEARCH_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "reana.prefix" . }}-opensearch-secrets
key: REANA_OPENSEARCH_PASSWORD
{{- end }}
- name: job-status-consumer
image: {{ .Values.components.reana_workflow_controller.image }}
imagePullPolicy: {{ .Values.components.reana_workflow_controller.imagePullPolicy }}
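Review bot: the `secretKeyRef` to `{{ include "reana.prefix" . }}-opensearch-secrets` is rendered whenever `REANA_OPENSEARCH_ENABLED` is true, which is a separate switch from `opensearch.enabled`; if the secret is only created together with the bundled OpenSearch, pointing the controller at an external instance leaves the pod unable to start. Make sure the secret template is gated on the same condition as this block, or document that the operator must create the secret.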
Expand Down Expand Up @@ -287,6 +302,14 @@ spec:
hostPath:
path: {{ .Values.shared_storage.hostpath.root_path }}
{{- end }}
{{- if $opensearchTlsEnabled }}
- name: {{ include "reana.prefix" . }}-opensearch-tls-secrets
secret:
secretName: {{ include "reana.prefix" . }}-opensearch-tls-secrets
items:
- key: ca.crt
path: ca.crt
{{- end }}
{{- if .Values.debug.enabled }}
- name: reana-code
hostPath:
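Review bot: the `secret:` volume requires `{{ include "reana.prefix" . }}-opensearch-tls-secrets` to exist whenever `REANA_OPENSEARCH_USE_SSL` is true, but with `opensearch.tls.generate: false` nothing in the visible diff creates it, and the README rows added in this PR do not say the operator has to. Add that requirement to the `opensearch.tls.generate` description, or set `optional` on the volume if the controller can start without the CA file.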