feat (molgenis-vault): Switch backup storage to s3.

We can host s3 compatible storage locally by deploying the stable/minio chart. Ran into https://github.com/coreos/etcd-operator/issues/1980 and therefore downgrade the backup and restore operator images to 0.8.3.
Merge branch 'add-pvs-to-molgenis' of p281392/molgenis-ops-docker-helm into master
2018-09-17 08:44:31 +02:00 · 2018-09-12 09:50:34 +02:00 · 2018-09-12 08:19:48 +02:00 · 2018-09-12 08:17:34 +02:00 · 2018-09-12 08:15:38 +02:00 · 2018-09-12 08:13:33 +02:00
28 changed files with 344 additions and 361 deletions
--- a/molgenis-jenkins/README.md
+++ b/molgenis-jenkins/README.md
@ -40,57 +40,62 @@ You can use [all configuration values of the jenkins subchart](https://github.co
 ### GitHub Authentication delegation
 You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).

-### Additional configuration
-There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
+### Secrets

-* PipelineSecrets
-
-   When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins 
-   build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
-   each other with their own secrets.
+   When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins.

   You can override the values at deploy time but otherwise also configure them 
   [in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.

-*  Vault
+#### Vault

-   New vault token to be used by the pods to retrieve their tokens from the vault.
+The vault secret gets mounted in the vault pod so pipeline scripts can retrieve secrets from the vault.
+
+| Parameter                 | Description                                | Default                                        |
+| ------------------------- | ------------------------------------------ | ---------------------------------------------- |
+| `secret.vault.token`      | Token to log into the hashicorp vault      | `xxxx`                                         |
+| `secret.vault.addr`       | Address of the vault                       | `https:vault-operator.vault-operator.svc:8200` |
+| `secret.vault.skipVerify` | Skip verification of the https connection  | `1`                                            |
+
+#### GitHub
+
+Token used by Jenkins to authenticate on GitHub.
+
+| Parameter             | Description              | Default            |
+| --------------------- | ------------------------ | ------------------ |
+| `secret.gitHub.user`  | username for the account | `molgenis-jenkins` |
+| `secret.gitHub.token` | token for the account    | `xxxx`             |
+
+#### Gogs
+
+Token used by Jenkins to authenticate on the [RuG Webhosting Gogs](https://git.webhosting.rug.nl).
+
+| Parameter           | Description              | Default   |
+| ------------------- | ------------------------ | --------- |
+| `secret.gogs.user`  | username for the account | `p281392` |
+| `secret.gogs.token` | token for the account    | `xxxx`    |
+
+#### Legacy:
+
+##### Docker Hub
   
-   | Parameter                          | Description                                | Default                                        |
-   | ---------------------------------- | ------------------------------------------ | ---------------------------------------------- |
-   | `PipelineSecrets.Vault.Replace`    | Replace the molgenis-pipeline-vault secret | `true`                                         |
-   | `PipelineSecrets.Vault.Token`      | Token to log into the hashicorp vault      | `xxxx`                                         |
-   | `PipelineSecrets.Vault.Addr`       | Address of the vault                       | `https:vault-operator.vault-operator.svc:8200` |
-   | `PipelineSecrets.Vault.SkipVerify` | Skip verification of the https connection  | `1`                                            |
+Account used in pipeline builds to push docker images to `hub.docker.com`.
+> They should read `secret/gcc/account/dockerhub` from vault instead!

-*  Env
+| Parameter                   | Description              | Default         |
+| --------------------------- | ------------------------ | --------------- |
+| `secret.dockerHub.user`     | username for the account | `molgenisci`    |
+| `secret.dockerHub.password` | password for the account | `xxxx`          |
+
+##### Registry
   
-   Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
-   in the slave pods.
+Account used in pipeline builds to push docker images to `registry.molgenis.org`.
+> They should read `secret/ops/account/nexus` from vault instead!

-   | Parameter                               | Description                               | Default         |
-   | --------------------------------------- | ----------------------------------------- | --------------- |
-   | `PipelineSecrets.Env.Replace`           | Replace molgenis-pipeline-env secret      | `true`          |
-   | `PipelineSecrets.Env.PGPPassphrase`     | passphrase for the pgp signing key        | `literal:xxxx`  |
-   | `PipelineSecrets.Env.CodecovToken`      | token for codecov.io                      | `xxxx`          |
-   | `PipelineSecrets.Env.GitHubToken`       | token for GH molgenis-jenkins user        | `xxxx`          |
-   | `PipelineSecrets.Env.NexusPassword`     | token for molgenis-jenkins user in NEXUS  | `xxxx`          |
-   | `PipelineSecrets.Env.DockerHubPassword` | token for molgenis user in hub.docker.com | `xxxx`          |
-   | `PipelineSecrets.Env.SonarToken`        | token for sonarcloud.io                   | `xxxx`          |
-   | `PipelineSecrets.Env.NpmToken`          | token for npmjs.org                       | `xxxx`          | 
-   | `PipelineSecrets.Env.SauceAccessKey`    | token for saucelabs.com                   | `xxxx`          |
-
-* File
-
-  Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
-  in the `/root/.m2` directory of the slave pods.
-  > The settings.xml file references the 
-
-  | Parameter                              | Description                           | Default                                                                         |
-  | -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
-  | `PipelineSecrets.File.Replace`         | Replace molgenis-pipeline-file secret | `true`                                                                          |
-  | `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form         | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
-  | `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file               | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml))            |
+| Parameter                   | Description              | Default   |
+| --------------------------- | ------------------------ | --------- |
+| `secret.dockerHub.user`     | username for the account | `admin`   |
+| `secret.dockerHub.password` | password for the account | `xxxx`    |

 ## Command line use
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
--- a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml
@ -8,9 +8,9 @@ metadata:
    "jenkins.io/credentials-type": "usernamePassword"
  annotations: {
 # description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "user to authenticate against Docker Hub (hub.docker.com)"
+    "jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to Docker Hub (hub.docker.com)"
  }
 type: Opaque
 data:
-  username: {{ "molgenisci" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }}
+  username: {{ .Values.secret.registry.user | b64enc | quote }}
+  password: {{ .Values.secret.registry.password | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
@ -8,9 +8,9 @@ metadata:
    "jenkins.io/credentials-type": "usernamePassword"
  annotations: {
 # description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "oauth token for the molgenis-jenkins github user"
+    "jenkins.io/credentials-description" : "Oauth token for the {{.Values.secret.gitHub.user}} GitHub user"
  }
 type: Opaque
 data:
-  username: {{ "molgenis-jenkins" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
+  username: {{ .Values.secret.gitHub.user | b64enc | quote }}
+  password: {{ .Values.secret.gitHub.token | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
@ -8,9 +8,9 @@ metadata:
    "jenkins.io/credentials-type": "usernamePassword"
  annotations: {
 # description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "user to authenticate against GOGS (git.webhosting.rug.nl)"
+    "jenkins.io/credentials-description" : "Account used to authenticate against RuG Webhosting Gogs."
  }
 type: Opaque
 data:
-  username: {{ "p281392" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.GogsToken | b64enc | quote }}
+  username: {{ .Values.secret.gogs.user | b64enc | quote }}
+  password: {{ .Values.secret.gogs.token | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-# this is the jenkins id.
-  name: "molgenis-jenkins-nexus-secret"
-  labels:
-# so we know what type it is.
-    "jenkins.io/credentials-type": "usernamePassword"
-  annotations: {
-# description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "user to authenticate against NEXUS"
-  }
-type: Opaque
-data:
-  username: {{ "admin" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.NexusPassword | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: molgenis-jenkins-registry-secret
+  labels:
+    app: {{ template "jenkins.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  annotations: {
+# description - can not be a label as spaces are not allowed
+    "jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to registry.molgenis.org."
+  }
+type: Opaque
+data:
+  username: {{ .Values.secret.registry.user | b64enc | quote }}
+  password: {{ .Values.secret.registry.password | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-# this is the jenkins id.
-  name: "molgenis-jenkins-saucelabs-secret"
-  labels:
-# so we know what type it is.
-    "jenkins.io/credentials-type": "usernamePassword"
-  annotations: {
-# description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "user to authenticate against Saucelabs (saucelabs.com)"
-  }
-type: Opaque
-data:
-  username: {{ "molgenis-jenkins" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.SauceAccessKey | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
@ -1,18 +0,0 @@
-{{- if .Values.PipelineSecrets.Env.Replace }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: molgenis-pipeline-env-secret
-  labels:
-    app: {{ template "jenkins.fullname" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
-  pgpPassphrase: {{ .Values.PipelineSecrets.Env.PGPPassphrase | b64enc | quote }}
-  codecovToken: {{ .Values.PipelineSecrets.Env.CodecovToken | b64enc | quote }}
-  githubToken: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
-  sonarToken: {{ .Values.PipelineSecrets.Env.SonarToken | b64enc | quote }}
-  npmToken: {{ .Values.PipelineSecrets.Env.NpmToken | b64enc | quote }}
-{{- end }}
--- a/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
@ -1,15 +0,0 @@
-{{- if .Values.PipelineSecrets.File.Replace }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: molgenis-pipeline-file-secret
-  labels:
-    app: {{ template "jenkins.fullname" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
-  key.asc: {{ .Values.PipelineSecrets.File.PGPPrivateKeyAsc | b64enc | quote }}
-  settings.xml: {{ .Values.PipelineSecrets.File.MavenSettingsXML | b64enc | quote }}
-{{- end }}
--- a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
@ -1,4 +1,3 @@
-{{- if .Values.PipelineSecrets.Vault.Replace }}
 apiVersion: v1
 kind: Secret
 metadata:
@ -10,7 +9,6 @@ metadata:
    heritage: "{{ .Release.Service }}"
 type: Opaque
 data:
-  token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }}
-  addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }}
-  skipVerify: {{ .Values.PipelineSecrets.Vault.SkipVerify | b64enc | quote }}
-{{- end }}
+  token: {{ .Values.secret.vault.token | b64enc | quote }}
+  addr: {{ .Values.secret.vault.addr | b64enc | quote }}
+  skipVerify: {{ .Values.secret.vault.skipVerify | b64enc | quote }}
--- a/molgenis-jenkins/values.yaml
+++ b/molgenis-jenkins/values.yaml
@ -368,8 +368,8 @@ jenkins:
    install: true
  Pods:
    molgenis:
-      Label: molgenisv2
-      NodeUsageMode: EXCLUSIVE
+      Label: molgenis
+      NodeUsageMode: NORMAL
      volumes:
        - type: HostPath
          hostPath: "/var/run/docker.sock"
@ -417,39 +417,6 @@ jenkins:
              secretName: molgenis-pipeline-vault-secret
              secretKey: addr
      NodeSelector: {}
-    molgenis-legacy:
-      InheritFrom: molgenis
-      Label: molgenis
-      NodeUsageMode: NORMAL
-      volumes:
-        - type: Secret
-          secretName: molgenis-pipeline-file-secret
-          mountPath: "/home/jenkins/.m2"
-      Containers:
-      EnvVars:
-        - type: Secret
-          key: PGP_PASSPHRASE
-          secretName: molgenis-pipeline-env-secret
-          secretKey: pgpPassphrase
-        - type: KeyValue
-          key: PGP_SECRETKEY
-          value: "keyfile:/home.jenkins/.m2/key.asc"
-        - type: KeyValue
-          key: npm_config_registry
-          value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
-        - type: Secret
-          key: SONAR_TOKEN
-          secretName: molgenis-pipeline-env-secret
-          secretKey: sonarToken
-        - type: Secret
-          key: CODECOV_TOKEN
-          secretName: molgenis-pipeline-env-secret
-          secretKey: codecovToken
-        - type: Secret
-          key: GITHUB_TOKEN
-          secretName: molgenis-pipeline-env-secret
-          secretKey: githubToken
-      NodeSelector: {}
    node:
      Label: node-carbon
      NodeUsageMode: EXCLUSIVE
@ -461,155 +428,45 @@ jenkins:
          Command: cat
          WorkingDir: /home/jenkins
          TTY: true
-      EnvVars:
-        - type: KeyValue
-          key: npm_config_registry
-          value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
-        - type: Secret
-          key: CODECOV_TOKEN
-          secretName: molgenis-pipeline-env-secret
-          secretKey: codecovToken
-        - type: Secret
-          key: GITHUB_TOKEN
-          secretName: molgenis-pipeline-env-secret
-          secretKey: githubToken
-        - type: Secret
-          key: NPM_TOKEN
-          secretName: molgenis-pipeline-env-secret
-          secretKey: npmToken
-      NodeSelector: {}
-    molgenis-it:
-      InheritFrom: molgenis
-      Label: molgenis-it
-      NodeUsageMode: EXCLUSIVE
-      Containers:
-        elasticsearch:
-          Image: docker.elastic.co/elasticsearch/elasticsearch
-          ImageTag: 5.5.3
-          resources:
-            requests:
-              cpu: "100m"
-              memory: "1Gi"
-            limits:
-              cpu: "1"
-              memory: "1500Mi"
+        vault:
+          Image: "vault"
+          Command: cat
+          WorkingDir: /home/jenkins
+          TTY: true
          EnvVars:
-          - type: KeyValue
-            key: ES_JAVA_OPTS
-            value: "-Xms512m -Xmx512m"
-          - type: KeyValue
-            key: cluster.name
-            value: molgenis
-          - type: KeyValue
-            key: bootstrap.memory_lock
-            value: "true"
-          - type: KeyValue
-            key: xpack.security.enabled
-            value: "false"
-          - type: KeyValue
-            key: discovery.type
-            value: single-node
-        postgres:
-          Image: postgres
-          ImageTag: 9.6-alpine
-          resources:
-            requests:
-              cpu: "100m"
-              memory: "250Mi"
-            limits:
-              cpu: "1"
-              memory: "250Mi"
-          EnvVars:
-          - type: KeyValue
-            key: POSTGRES_USER
-            value: molgenis
-          - type: KeyValue
-            key: POSTGRES_PASSWORD
-            value: molgenis
-          - type: KeyValue
-            key: POSTGRES_DB
-            value: molgenis
-        opencpu:
-          Image: molgenis/opencpu
-          AlwaysPullImage: true
-          resources:
-            requests:
-              cpu: "100m"
-              memory: "256Mi"
-            limits:
-              cpu: "1"
-              memory: "512Mi"
+            - type: Secret
+              key: VAULT_TOKEN
+              secretName: molgenis-pipeline-vault-secret
+              secretKey: token
+            - type: Secret
+              key: VAULT_SKIP_VERIFY
+              secretName: molgenis-pipeline-vault-secret
+              secretKey: skipVerify
+            - type: Secret
+              key: VAULT_ADDR
+              secretName: molgenis-pipeline-vault-secret
+              secretKey: addr
      NodeSelector: {}
-PipelineSecrets:
-  Vault:
-    Replace: true
-    Token: xxxx
-    Addr: "https://vault-operator.vault-operator.svc:8200"
-    SkipVerify: 1
-  Env:
-    # Set to false to keep existing secret
-    Replace: true
-    # Passphrase for the pgp private key file, prefixed with literal:
-    PGPPassphrase: literal:xxxx
-    # Token for codecov.io service
-    CodecovToken: xxxx
-    # Token for github bot account
-    GitHubToken: xxxx
-    # Token for github bot account
-    GogsToken: xxxx
-    # Token for sonarcloud.io
-    SonarToken: xxxx
-    # Token for npmjs.org
-    NpmToken: xxxx
-    # Password Local NEXUS
-    NexusPassword: xxxx
-    # Password hub.docker.com
-    DockerHubPassword: xxxx
-    # Access key for saucelabs.com
-    SauceAccessKey: xxxx
-  File:
-    # Set to false to keep existing secret
-    Replace: true
-    # PGP Private key in ascii format used to sign artifacts
-    PGPPrivateKeyAsc: |-
-      -----BEGIN PGP PRIVATE KEY BLOCK-----
-      xxxxx
-      -----END PGP PRIVATE KEY BLOCK-----
-    # maven.settings file
-    MavenSettingsXML: |-
-      <settings>
-        <localRepository>${user.home}/.mvnrepository</localRepository>
-        <interactiveMode>false</interactiveMode>
-        <mirrors>
-          <mirror>
-            <id>nexus</id>
-            <mirrorOf>external:*</mirrorOf>
-            <url>http://nexus.molgenis-nexus:8081/repository/maven-central/</url>
-          </mirror>
-        </mirrors>
-        <servers>
-          <!-- for snapshot builds of the master -->
-          <server>
-            <id>sonatype-nexus-staging</id>
-            <username>molgenis</username>
-            <password>xxxx</password>
-          </server>
-          <server>
-            <id>local-nexus</id>
-            <url>http://nexus.molgenis-nexus:8081/repository/maven-snapshots/</url>
-            <username>admin</username>
-            <password>xxxxx</password>
-          </server>
-          <!-- for docker images-->
-          <server>
-            <id>registry.molgenis.org</id>
-            <username>admin</username>
-            <password>xxxx</password>
-          </server>
-          <server>
-            <id>registry.hub.docker.com</id>
-            <username>molgenisci</username>
-            <password>xxxx</password>
-          </server>
-        </servers>
-      </settings>
+#secret contains configuration for the kubernetes secrets that jenkins can access
+secret:
+  # vault configures the vault secret
+  vault:
+    token: xxxx
+    addr: "https://vault-operator.vault-operator.svc:8200"
+    skipVerify: "1"
+  # githubToken contains access token for jenkins bot account on github.com
+  gitHub:
+    user: "molgenis-jenkins"
+    token: xxxx
+  # gogs contains access token for jenkins bot account on RuG GoGs
+  gogs:
+    user: p281392
+    token: xxxx
+  # registry contains credentials for registry.molgenis.org
+  registry:
+    user: admin
+    password: xxxx
+  # dockerHubPassword contains password for hub.docker.com
+  dockerHub:
+    user: molgenisci
+    password: xxxx
--- a/molgenis-vault/Chart.yaml
+++ b/molgenis-vault/Chart.yaml
@ -2,5 +2,5 @@ apiVersion: v1
 appVersion: "1.0"
 description: MOLGENIS vault
 name: molgenis-vault
-version: 0.1.1
+version: 0.2.1
 icon: https://git.webhosting.rug.nl/molgenis/molgenis-ops-docker-helm/raw/master/molgenis-vault/catalogIcon-molgenis-vault.svg
--- a/molgenis-vault/README.md
+++ b/molgenis-vault/README.md
@ -13,21 +13,25 @@ See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
 ## Parameters

 ### Azure cloud credentials
-Define credentials for backup to the Azure Blob Store.
-See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
+Define credentials for an S3 compatible backup bucket.
+See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/walkthrough/backup-operator.md).
+> Default values backup to the minio play server.
+You can host the stable/minio chart to backup to a bucket on the cluster.

-| Parameter       | Description                   | Default            |
-| --------------- | ----------------------------- | ------------------ |
-| `abs.account`   | name of storage account       | `fdlkops`          |
-| `abs.accessKey` | access key of storage account | `xxxx`             |
-| `abs.cloud`     | name of cloud environment     | `AzurePublicCloud` |
+| Parameter            | Description                              | Default                                    |
+| -------------------- | ---------------------------------------- | ------------------------------------------ |
+| `s3.accessKeyId`     | key id storage account                   | `Q3AM3UQ867SPQQA43P2F`                     |
+| `s3.secretAccessKey` | secret access key of storage account     | `zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG` |
+| `s3.region`          | region of the storage server             | `us-east-1`                                |
+| `s3.endpoint`        | endpoint for the storage server          | `https://play.minio.io:9000`               |
+| `s3.bucket`          | name of the bucket on the storage server | `vault`                                    |

 ### Backup job
 Define the schedule of the backup job

 | Parameter            | Description                  | Default       |
 | -------------------- | ---------------------------- | ------------- |
-| `backupJob.enable`   | Enable backup cronjob        | `true`        |
+| `backupJob.suspend`  | Suspend backup cronjob       | `false`       |
 | `backupJob.schedule` | cron schedule for the backup | `0 12 * * 1`  |

 ### UI
--- a/molgenis-vault/resources/backup.yaml
+++ b/molgenis-vault/resources/backup.yaml
@ -0,0 +1,13 @@
+apiVersion: "etcd.database.coreos.com/v1beta2"
+kind: "EtcdBackup"
+metadata:
+  name: vault-backup
+  namespace: "vault-operator"
+spec:
+  etcdEndpoints: ["https://vault-etcd-client:2379"]
+  storageType: S3
+  clientTLSSecret: vault-etcd-client-tls
+  s3:
+    path: vault/backup-manual
+    awsSecret: aws
+    endpoint: http://minio.minio.svc:9000
--- a/molgenis-vault/resources/restore.yaml
+++ b/molgenis-vault/resources/restore.yaml
@ -9,7 +9,8 @@ spec:
  etcdCluster:
    # The namespace is the same as this EtcdRestore CR
    name: vault-etcd
-  backupStorageType: ABS
-  abs:
-    path: vault/backup-<specify the backup name>
-    absSecret: abs
+  backupStorageType: S3
+  s3:
+    path: vault/backup-<name>
+    awsSecret: aws
+    endpoint: http://minio.minio.svc:9000
--- a/molgenis-vault/templates/NOTES.txt
+++ b/molgenis-vault/templates/NOTES.txt
@ -3,11 +3,17 @@ Vault operator created
 Next steps:

 * Manually create a vault using resources/vault.yaml
-* Manually restore a backup using resources/backup.yaml
+* Manually restore a backup using resources/restore.yaml
 * Unseal the vault pods

-{{ if .Values.backupJob.enable }}
-!! Make sure to check if the backups succeed !!
+{{ if .Values.backupJob.suspend }}
+!!!!!! BACKUP JOB SUSPENDED !!!!!!
 {{ else }}
-!!!!!! NO BACKUPS CONFIGURED !!!!!!
+{{- if .Values.s3.endpoint -}}
+Backing up to non-standard s3 endpoint {{ .Values.s3.endpoint }}
+{{- else }}
+Backing up to S3 on aws
+{{- end }}
+ in bucket {{ .Values.s3.bucket }}.
+!! Make sure to check if the backups succeed !!
 {{ end }}
--- a/molgenis-vault/templates/abs-secret.yaml
+++ b/molgenis-vault/templates/abs-secret.yaml
@ -1,10 +0,0 @@
-# Secret to access microsoft azure blob store
-apiVersion: v1
-kind: Secret
-metadata:
-  name: abs
-type: Opaque
-stringData:
-  storage-account: {{ .Values.abs.account }}
-  storage-key: {{ .Values.abs.accessKey }}
-  cloud: {{ .Values.abs.cloud }}
--- a/molgenis-vault/templates/aws-secret.yaml
+++ b/molgenis-vault/templates/aws-secret.yaml
@ -0,0 +1,10 @@
+# Secret to access s3 compatible store
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aws
+type: Opaque
+data:
+  config: {{ printf "[default]\nregion = %s" .Values.s3.region | b64enc | quote }}
+  credentials: {{ printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n" .Values.s3.accessKeyId .Values.s3.secretAccessKey | b64enc | quote }}
+
--- a/molgenis-vault/templates/backup-configmap.yaml
+++ b/molgenis-vault/templates/backup-configmap.yaml
@ -11,8 +11,11 @@ data:
      generateName: vault-backup-
    spec:
      etcdEndpoints: ["https://vault-etcd-client:2379"]
-      storageType: ABS
+      storageType: S3
      clientTLSSecret: vault-etcd-client-tls
-      abs:
-        path: vault/backup.<NOW>
-        absSecret: abs
+      s3:
+        path: {{ .Values.s3.bucket }}/backup.<NOW>
+        awsSecret: aws
+{{- if .Values.s3.endpoint }}
+        endpoint: {{ .Values.s3.endpoint }}
+{{- end }}
--- a/molgenis-vault/templates/backup-cronjob.yaml
+++ b/molgenis-vault/templates/backup-cronjob.yaml
@ -1,10 +1,10 @@
-{{- if .Values.backupJob.enable }}
 # cronjob that creates etcdbackups using the etcd backup serviceaccount
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
  name: etcd-backup
 spec:
+  suspend: {{ .Values.backupJob.suspend }}
  schedule: {{ .Values.backupJob.schedule | quote }}
  jobTemplate:
    spec:
@ -26,5 +26,4 @@ spec:
          volumes:
          - name: backup-config
            configMap:
-              name: backup-config
-{{- end }}
+              name: backup-config
--- a/molgenis-vault/values.yaml
+++ b/molgenis-vault/values.yaml
@ -2,19 +2,23 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.

-# abs gives details of the credentials to reach the azure backup storage
-abs:
-  # account is the name of the Storage account
-  account: fdlkops
-  # access key for the Storage account
-  accessKey: xxxx
-  # default cloud
-  cloud: AzurePublicCloud
+# s3 configures s3 backup storage
+s3:
+  # accessKey for the s3 storage account
+  accessKeyId: Q3AM3UQ867SPQQA43P2F
+  # secretAccessKey for the s3 storage account
+  secretAccessKey: zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG
+  # region
+  region: us-east-1
+  # endpoint for the s3 storage
+  endpoint: https://play.minio.io:9000
+  # bucket is the name of the bucket
+  bucket: vault

 # backupjob describes the backup cronjob
 backupJob:
-  # enable enables the backup job
-  enable: true
+  # suspend suspends the backup job
+  suspend: false
  # schedule gives the cron schedule for the backup job
  schedule: "0 12 * * 1"

@ -40,10 +44,10 @@ etcd-operator:
      tag: v0.9.2
  backupOperator:
    image:
-      tag: v0.9.2
+      tag: v0.8.3
  restoreOperator:
    image:
-      tag: v0.9.2
+      tag: v0.8.3

 ui:
  name: "vault-ui"
--- a/molgenis/Chart.yaml
+++ b/molgenis/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.0"
 description: MOLGENIS - helm stack (in BETA)
 name: molgenis-beta
-version: 0.1.0
+version: 0.3.0
 sources:
 - https://git.webhosting.rug.nl/molgenis/molgenis-ops-docker-helm.git
 icon: https://git.webhosting.rug.nl/molgenis/molgenis-ops-docker-helm/raw/master/molgenis/catalogIcon-molgenis.svg
--- a/molgenis/README.md
+++ b/molgenis/README.md
@ -79,5 +79,44 @@ Specify memory usage for Java JVM:

 Select the resources you need dependant on the customer you need to serve.

+## Persistence
+You can enable persistence on your MOLGENIS stack by specifying the following property.
+
+- ```persistence.enabled```
+
+You can also choose to retain the volume of the NFS.
+- ```persistence.retain```
+
+The size and claim name can be specified per service. There are now two services that can be persist.
+
+- MOLGENIS
+- ElasticSearch
+
+MOLGENIS persistent properties.
+- ```molgenis.persistence.claim```
+- ```molgenis.persistence.size```
+
+ElasticSearch persistent properties.
+- ```elasticsearch.persistence.claim```
+- ```elasticsearch.persistence.size```
+
+
+### Resolve you persistent volume
+You do not know which volume is attached to your MOLGENIS instance. You can resolve this by executing:
+
+```
+kubectl get pv
+```
+
+You can now view the persistent volume claims and the attached volumes.
+
+| NAME | CAPACITY | ACCESS | MODES | RECLAIM | POLICY | STATUS | CLAIM | STORAGECLASS | REASON | AGE |
+| ---- | -------- | ------ | ----- | ------- | ------ | ------ | ----- | ------------ | ------ | --- |
+| pvc-45988f55-900f-11e8-a0b4-005056a51744 | 30G | RWX | | Retain | Bound | molgenis-solverd/molgenis-nfs-claim | nfs-provisioner-retain | | | 33d |
+| pvc-3984723d-220f-14e8-a98a-skjhf88823kk | 30G | RWO | | Delete | Bound | molgenis-test/molgenis-nfs-claim | nfs-provisioner | | | 33d |
+
+You see the ```molgenis-test/molgenis-nfs-claim``` is bound to the volume: ```pvc-3984723d-220f-14e8-a98a-skjhf88823kk```.
+When you want to view the data in the this volume you can go to the nfs-provisioning pod and execute the shell. Go to the directory ```export``` and lookup the directory ```pvc-3984723d-220f-14e8-a98a-skjhf88823kk```. 
+
 ## Firewall
 Is defined at cluster level. This chart does not facilitate firewall configuration.
--- a/molgenis/questions.yml
+++ b/molgenis/questions.yml
@ -81,7 +81,7 @@ questions:
 - variable: molgenis.resources.requests.memory
  label: Container memory reservation
  default: 1250Mi
-  description: "Memory reservation for this MOLGENIS container"
+  description: "Memory reservation for this MOLGENIS container (must fit in the selected memory limit for the container)"
  type: enum
  options:
  - "1250Mi"
@ -96,4 +96,36 @@ questions:
  options:
  - "1g"
  - "2g"
-  group: "Resources"
+  group: "Resources"
+- variable: persistence.enabled
+  default: false
+  description: "Do you want to use persistence"
+  type: boolean
+  required: true
+  group: "Persistence"
+  label: Persistence
+  show_subquestion_if: true
+  subquestions:
+  - variable: persistence.retain
+    default: false
+    description: "Do you want to retain the persistent volume"
+    type: boolean
+    label: Retain volume
+  - variable: molgenis.persistence.size
+    default: "30Gi"
+    description: "Size of MOLGENIS filestore (PostgreSQL and ElasticSearch excluded)"
+    type: enum
+    options:
+    - "30Gi"
+    - "50Gi"
+    - "100Gi"
+    label: Size MOLGENIS filestore
+  - variable: elasticsearch.persistence.size
+    default: "50Gi"
+    description: "Size of ElasticSearch data (directory that is persist: /usr/share/elasticsearch/data)"
+    type: enum
+    options:
+    - "50Gi"
+    - "100Gi"
+    - "200Gi"
+    label: Size for ElasticSearch data
--- a/molgenis/templates/deployment.yaml
+++ b/molgenis/templates/deployment.yaml
@ -49,6 +49,11 @@ spec:
              value: "-Xmx{{ .javaOpts.maxHeapSpace }} -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled"
          ports:
            - containerPort: 8080
+          {{- if $.Values.persistence.enabled }}
+          volumeMounts:
+          - name: molgenis-nfs
+            mountPath: /home/molgenis
+          {{- end }}
          livenessProbe:
            httpGet:
              path: /
@ -87,10 +92,25 @@ spec:
          ports:
            - containerPort: 9200
            - containerPort: 9300
+          {{- if $.Values.persistence.enabled }}
+          volumeMounts:
+          - name: elasticsearch-nfs
+            mountPath: /usr/share/elasticsearch/data
+          {{- end }}
+
          resources:
 {{ toYaml .resources | indent 12 }}
        {{- end }}

+{{- if .Values.persistence.enabled }}
+      volumes:
+        - name: molgenis-nfs
+          persistentVolumeClaim:
+            claimName: {{ .Values.molgenis.persistence.claim }}
+        - name: elasticsearch-nfs
+          persistentVolumeClaim:
+            claimName: {{ .Values.elasticsearch.persistence.claim }}
+{{- end }}

    {{- with .Values.nodeSelector }}
      nodeSelector:
--- a/molgenis/templates/persistence/elasticsearchPVC.yaml
+++ b/molgenis/templates/persistence/elasticsearchPVC.yaml
@ -0,0 +1,19 @@
+{{- if .Values.persistence.enabled -}}
+apiVersion: extensions/v1beta1
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ .Values.elasticsearch.persistence.claim }}
+  annotations:
+    {{- if .Values.persistence.retain }}
+    volume.beta.kubernetes.io/storage-class: "nfs-provisioner-retain"
+    {{- else }}
+    volume.beta.kubernetes.io/storage-class: "nfs-provisioner"
+    {{- end }}
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.elasticsearch.persistence.size }}
+{{- end }}
--- a/molgenis/templates/persistence/molgenisPVC.yaml
+++ b/molgenis/templates/persistence/molgenisPVC.yaml
@ -0,0 +1,19 @@
+{{- if .Values.persistence.enabled -}}
+apiVersion: extensions/v1beta1
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ .Values.molgenis.persistence.claim }}
+  annotations:
+    {{- if .Values.persistence.retain }}
+    volume.beta.kubernetes.io/storage-class: "nfs-provisioner-retain"
+    {{- else }}
+    volume.beta.kubernetes.io/storage-class: "nfs-provisioner"
+    {{- end }}
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.molgenis.persistence.size }}
+{{- end }}
--- a/molgenis/values.yaml
+++ b/molgenis/values.yaml
@ -25,12 +25,15 @@ molgenis:
  javaOpts:
    maxHeapSpace: "1g"
  resources:
-   limits:
-    cpu: 1
-    memory: 1250Mi
-   requests:
-    cpu: 200m
-    memory: 1250Mi
+    limits:
+      cpu: 1
+      memory: 1250Mi
+    requests:
+      cpu: 200m
+      memory: 1250Mi
+  persistence:
+    claim: molgenis-nfs-claim
+    size: 30Gi
  services:
    opencpu:
      host: localhost
@ -57,8 +60,17 @@ elasticsearch:
   requests:
    cpu: 100m
    memory: 1Gi
+  persistence:
+    claim: elasticsearch-nfs-claim
+    size: 50Gi

-nodeSelector: {}
+persistence:
+  enabled: false
+  retain: false
+
+nodeSelector: {
+  deployPod: "true"
+}

 tolerations: []
Author	SHA1	Message	Date
Fleur Kelpin	3162da416f	feat (molgenis-vault): Switch backup storage to s3. We can host s3 compatible storage locally by deploying the stable/minio chart. Ran into https://github.com/coreos/etcd-operator/issues/1980 and therefore downgrade the backup and restore operator images to 0.8.3.	2018-09-17 08:44:31 +02:00
Fleur Kelpin	16f2701fd2	Merge branch 'add-pvs-to-molgenis' of p281392/molgenis-ops-docker-helm into master	2018-09-12 09:50:34 +02:00
sido	501982ca53	removed redunant volume entry in deployment	2018-09-12 08:19:48 +02:00
sido	7305d54630	updated volume name	2018-09-12 08:17:34 +02:00
sido	c28f08bedd	one end to much	2018-09-12 08:15:38 +02:00
sido	321af8f2f2	updated labels and desc	2018-09-12 08:13:33 +02:00
sido	d17c137dd5	added elasticsearch persistence	2018-09-12 08:04:59 +02:00
Sido Haakma	6f0262d2d9	Merge branch 'chore/remove-secrets' of P129679/molgenis-ops-docker-helm into master	2018-09-11 17:10:10 +02:00
sido	34c8f048b9	also upgraded the default value in values.yaml	2018-09-11 17:08:44 +02:00
sido	d7ccab34c4	version bump and enumerized values for sizing volumes	2018-09-11 17:07:14 +02:00
sido	5fd05f505a	updated docs	2018-09-11 16:59:40 +02:00
sido	61d5505126	updated persistence README.md	2018-09-11 16:56:27 +02:00
sido	e5cbcdf933	added retainability for pv's	2018-09-11 15:48:56 +02:00
sido	04bd9cd653	added persistence to questions and bumped chart	2018-09-11 13:51:58 +02:00
sido	88134dbccb	Merge branch 'master' of https://git.webhosting.rug.nl/molgenis/molgenis-ops-docker-helm into add-pvs-to-molgenis	2018-09-11 13:46:37 +02:00
sido	947e389b92	moved volumes down below in deployment	2018-09-10 22:06:20 +02:00
sido	ed948c40aa	referred to right config values.yaml	2018-09-10 22:02:18 +02:00
sido	bfb2e45877	added volumes	2018-09-10 22:00:51 +02:00
sido	59d99deab5	restrcuture deployment	2018-09-10 21:57:39 +02:00
sido	a660aff355	udpated structure	2018-09-10 21:53:29 +02:00
sido	846df81522	udpated structure	2018-09-10 21:49:12 +02:00
sido	a2922c4d49	persistence keys in deploymeny	2018-09-10 21:47:12 +02:00
sido	0c9548069c	add subquestion heading	2018-09-10 21:44:34 +02:00
sido	5a98e35273	added persistence properties to values and deployment	2018-09-10 21:41:54 +02:00
sido	d9053b656c	updated volume claims	2018-09-10 17:37:50 +02:00
Fleur Kelpin	a836ab4e6e	chore (molgenis-jenkins): Retrieve pipeline secrets from vault when possible.	2018-09-10 17:28:42 +02:00
sido	14b27fc043	updated persistence configuration	2018-09-10 17:05:10 +02:00
sido	cf47b432e2	added persistence to questions	2018-09-10 16:59:14 +02:00
sido	11b25a5df6	added initialDelay	2018-09-10 16:53:58 +02:00