P129679/molgenis-ops-docker-helm
1
0
Fork 0
Code Releases Activity

Compare commits

base: P129679:8d81b873b736f30eb19ce08d0dd93ce12c96bc15
Branches Tags
P129679:master P129679:fix/links P129679:chore/pipeline P129679:revert/nodeSelector P129679:chore/nodeSelector P129679:chore/jenkins-gitsource P129679:fix/75 P129679:chore/upgrade-jenkins P129679:feature/molgenis-it P129679:feat/helm-in-jenkins P129679:doc/helm-role P129679:feature/helm-role P129679:feature/s3 P129679:chore/remove-secrets P129679:feature/vault P129679:deploy-test
..
compare: P129679:chore/remove-secrets
Branches Tags
P129679:fix/links P129679:master P129679:chore/pipeline P129679:revert/nodeSelector P129679:chore/nodeSelector P129679:chore/jenkins-gitsource P129679:fix/75 P129679:chore/upgrade-jenkins P129679:feature/molgenis-it P129679:feat/helm-in-jenkins P129679:doc/helm-role P129679:feature/helm-role P129679:feature/s3 P129679:chore/remove-secrets P129679:feature/vault P129679:deploy-test

1 Commits
8d81b873b7 ... chore/remo

Author SHA1 Message Date
Fleur Kelpin
a836ab4e6e chore (molgenis-jenkins): Retrieve pipeline secrets from vault when possible. 2018-09-10 17:28:42 +02:00
24 changed files with 240 additions and 1804 deletions
Expand all files Collapse all files

87
molgenis-jenkins/README.md
View File

@ -40,57 +40,62 @@ You can use [all configuration values of the jenkins subchart](https://github.co
### GitHub Authentication delegation
You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).
### Additional configuration
There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
### Secrets
* PipelineSecrets
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
each other with their own secrets.
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins.
You can override the values at deploy time but otherwise also configure them
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
* Vault
#### Vault
New vault token to be used by the pods to retrieve their tokens from the vault.
The vault secret gets mounted in the vault pod so pipeline scripts can retrieve secrets from the vault.
| Parameter | Description | Default |
| ------------------------- | ------------------------------------------ | ---------------------------------------------- |
| `secret.vault.token` | Token to log into the hashicorp vault | `xxxx` |
| `secret.vault.addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` |
| `secret.vault.skipVerify` | Skip verification of the https connection | `1` |
#### GitHub
Token used by Jenkins to authenticate on GitHub.
| Parameter | Description | Default |
| --------------------- | ------------------------ | ------------------ |
| `secret.gitHub.user` | username for the account | `molgenis-jenkins` |
| `secret.gitHub.token` | token for the account | `xxxx` |
#### Gogs
Token used by Jenkins to authenticate on the [RuG Webhosting Gogs](https://git.webhosting.rug.nl).
| Parameter | Description | Default |
| ------------------- | ------------------------ | --------- |
| `secret.gogs.user` | username for the account | `p281392` |
| `secret.gogs.token` | token for the account | `xxxx` |
#### Legacy:
##### Docker Hub
| Parameter | Description | Default |
| ---------------------------------- | ------------------------------------------ | ---------------------------------------------- |
| `PipelineSecrets.Vault.Replace` | Replace the molgenis-pipeline-vault secret | `true` |
| `PipelineSecrets.Vault.Token` | Token to log into the hashicorp vault | `xxxx` |
| `PipelineSecrets.Vault.Addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` |
| `PipelineSecrets.Vault.SkipVerify` | Skip verification of the https connection | `1` |
Account used in pipeline builds to push docker images to `hub.docker.com`.
> They should read `secret/gcc/account/dockerhub` from vault instead!
* Env
| Parameter | Description | Default |
| --------------------------- | ------------------------ | --------------- |
| `secret.dockerHub.user` | username for the account | `molgenisci` |
| `secret.dockerHub.password` | password for the account | `xxxx` |
##### Registry
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
in the slave pods.
Account used in pipeline builds to push docker images to `registry.molgenis.org`.
> They should read `secret/ops/account/nexus` from vault instead!
| Parameter | Description | Default |
| --------------------------------------- | ----------------------------------------- | --------------- |
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
| `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` |
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
| `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` |
| `PipelineSecrets.Env.DockerHubPassword` | token for molgenis user in hub.docker.com | `xxxx` |
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` |
| `PipelineSecrets.Env.NpmToken` | token for npmjs.org | `xxxx` |
| `PipelineSecrets.Env.SauceAccessKey` | token for saucelabs.com | `xxxx` |
* File
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
in the `/root/.m2` directory of the slave pods.
> The settings.xml file references the
| Parameter | Description | Default |
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
| Parameter | Description | Default |
| --------------------------- | ------------------------ | --------- |
| `secret.dockerHub.user` | username for the account | `admin` |
| `secret.dockerHub.password` | password for the account | `xxxx` |
## Command line use
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

6
molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml
View File

@ -8,9 +8,9 @@ metadata:
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "user to authenticate against Docker Hub (hub.docker.com)"
"jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to Docker Hub (hub.docker.com)"
}
type: Opaque
data:
username: {{ "molgenisci" | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }}
username: {{ .Values.secret.registry.user | b64enc | quote }}
password: {{ .Values.secret.registry.password | b64enc | quote }}

6
molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
View File

@ -8,9 +8,9 @@ metadata:
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "oauth token for the molgenis-jenkins github user"
"jenkins.io/credentials-description" : "Oauth token for the {{.Values.secret.gitHub.user}} GitHub user"
}
type: Opaque
data:
username: {{ "molgenis-jenkins" | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
username: {{ .Values.secret.gitHub.user | b64enc | quote }}
password: {{ .Values.secret.gitHub.token | b64enc | quote }}

6
molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
View File

@ -8,9 +8,9 @@ metadata:
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "user to authenticate against GOGS (git.webhosting.rug.nl)"
"jenkins.io/credentials-description" : "Account used to authenticate against RuG Webhosting Gogs."
}
type: Opaque
data:
username: {{ "p281392" | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.GogsToken | b64enc | quote }}
username: {{ .Values.secret.gogs.user | b64enc | quote }}
password: {{ .Values.secret.gogs.token | b64enc | quote }}

16
molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
View File

@ -1,16 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
name: "molgenis-jenkins-nexus-secret"
labels:
# so we know what type it is.
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "user to authenticate against NEXUS"
}
type: Opaque
data:
username: {{ "admin" | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.NexusPassword | b64enc | quote }}

17
molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Secret
metadata:
name: molgenis-jenkins-registry-secret
labels:
app: {{ template "jenkins.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to registry.molgenis.org."
}
type: Opaque
data:
username: {{ .Values.secret.registry.user | b64enc | quote }}
password: {{ .Values.secret.registry.password | b64enc | quote }}

16
molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
View File

@ -1,16 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
name: "molgenis-jenkins-saucelabs-secret"
labels:
# so we know what type it is.
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "user to authenticate against Saucelabs (saucelabs.com)"
}
type: Opaque
data:
username: {{ "molgenis-jenkins" | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.SauceAccessKey | b64enc | quote }}

18
molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
View File

@ -1,18 +0,0 @@
{{- if .Values.PipelineSecrets.Env.Replace }}
apiVersion: v1
kind: Secret
metadata:
name: molgenis-pipeline-env-secret
labels:
app: {{ template "jenkins.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
pgpPassphrase: {{ .Values.PipelineSecrets.Env.PGPPassphrase | b64enc | quote }}
codecovToken: {{ .Values.PipelineSecrets.Env.CodecovToken | b64enc | quote }}
githubToken: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
sonarToken: {{ .Values.PipelineSecrets.Env.SonarToken | b64enc | quote }}
npmToken: {{ .Values.PipelineSecrets.Env.NpmToken | b64enc | quote }}
{{- end }}

15
molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
View File

@ -1,15 +0,0 @@
{{- if .Values.PipelineSecrets.File.Replace }}
apiVersion: v1
kind: Secret
metadata:
name: molgenis-pipeline-file-secret
labels:
app: {{ template "jenkins.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
key.asc: {{ .Values.PipelineSecrets.File.PGPPrivateKeyAsc | b64enc | quote }}
settings.xml: {{ .Values.PipelineSecrets.File.MavenSettingsXML | b64enc | quote }}
{{- end }}

8
molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
View File

@ -1,4 +1,3 @@
{{- if .Values.PipelineSecrets.Vault.Replace }}
apiVersion: v1
kind: Secret
metadata:
@ -10,7 +9,6 @@ metadata:
heritage: "{{ .Release.Service }}"
type: Opaque
data:
token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }}
addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }}
skipVerify: {{ .Values.PipelineSecrets.Vault.SkipVerify | b64enc | quote }}
{{- end }}
token: {{ .Values.secret.vault.token | b64enc | quote }}
addr: {{ .Values.secret.vault.addr | b64enc | quote }}
skipVerify: {{ .Values.secret.vault.skipVerify | b64enc | quote }}

227
molgenis-jenkins/values.yaml
View File

@ -368,8 +368,8 @@ jenkins:
install: true
Pods:
molgenis:
Label: molgenisv2
NodeUsageMode: EXCLUSIVE
Label: molgenis
NodeUsageMode: NORMAL
volumes:
- type: HostPath
hostPath: "/var/run/docker.sock"
@ -417,39 +417,6 @@ jenkins:
secretName: molgenis-pipeline-vault-secret
secretKey: addr
NodeSelector: {}
molgenis-legacy:
InheritFrom: molgenis
Label: molgenis
NodeUsageMode: NORMAL
volumes:
- type: Secret
secretName: molgenis-pipeline-file-secret
mountPath: "/home/jenkins/.m2"
Containers:
EnvVars:
- type: Secret
key: PGP_PASSPHRASE
secretName: molgenis-pipeline-env-secret
secretKey: pgpPassphrase
- type: KeyValue
key: PGP_SECRETKEY
value: "keyfile:/home.jenkins/.m2/key.asc"
- type: KeyValue
key: npm_config_registry
value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
- type: Secret
key: SONAR_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: sonarToken
- type: Secret
key: CODECOV_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: codecovToken
- type: Secret
key: GITHUB_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: githubToken
NodeSelector: {}
node:
Label: node-carbon
NodeUsageMode: EXCLUSIVE
@ -461,155 +428,45 @@ jenkins:
Command: cat
WorkingDir: /home/jenkins
TTY: true
EnvVars:
- type: KeyValue
key: npm_config_registry
value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
- type: Secret
key: CODECOV_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: codecovToken
- type: Secret
key: GITHUB_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: githubToken
- type: Secret
key: NPM_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: npmToken
NodeSelector: {}
molgenis-it:
InheritFrom: molgenis
Label: molgenis-it
NodeUsageMode: EXCLUSIVE
Containers:
elasticsearch:
Image: docker.elastic.co/elasticsearch/elasticsearch
ImageTag: 5.5.3
resources:
requests:
cpu: "100m"
memory: "1Gi"
limits:
cpu: "1"
memory: "1500Mi"
vault:
Image: "vault"
Command: cat
WorkingDir: /home/jenkins
TTY: true
EnvVars:
- type: KeyValue
key: ES_JAVA_OPTS
value: "-Xms512m -Xmx512m"
- type: KeyValue
key: cluster.name
value: molgenis
- type: KeyValue
key: bootstrap.memory_lock
value: "true"
- type: KeyValue
key: xpack.security.enabled
value: "false"
- type: KeyValue
key: discovery.type
value: single-node
postgres:
Image: postgres
ImageTag: 9.6-alpine
resources:
requests:
cpu: "100m"
memory: "250Mi"
limits:
cpu: "1"
memory: "250Mi"
EnvVars:
- type: KeyValue
key: POSTGRES_USER
value: molgenis
- type: KeyValue
key: POSTGRES_PASSWORD
value: molgenis
- type: KeyValue
key: POSTGRES_DB
value: molgenis
opencpu:
Image: molgenis/opencpu
AlwaysPullImage: true
resources:
requests:
cpu: "100m"
memory: "256Mi"
limits:
cpu: "1"
memory: "512Mi"
- type: Secret
key: VAULT_TOKEN
secretName: molgenis-pipeline-vault-secret
secretKey: token
- type: Secret
key: VAULT_SKIP_VERIFY
secretName: molgenis-pipeline-vault-secret
secretKey: skipVerify
- type: Secret
key: VAULT_ADDR
secretName: molgenis-pipeline-vault-secret
secretKey: addr
NodeSelector: {}
PipelineSecrets:
Vault:
Replace: true
Token: xxxx
Addr: "https://vault-operator.vault-operator.svc:8200"
SkipVerify: 1
Env:
# Set to false to keep existing secret
Replace: true
# Passphrase for the pgp private key file, prefixed with literal:
PGPPassphrase: literal:xxxx
# Token for codecov.io service
CodecovToken: xxxx
# Token for github bot account
GitHubToken: xxxx
# Token for github bot account
GogsToken: xxxx
# Token for sonarcloud.io
SonarToken: xxxx
# Token for npmjs.org
NpmToken: xxxx
# Password Local NEXUS
NexusPassword: xxxx
# Password hub.docker.com
DockerHubPassword: xxxx
# Access key for saucelabs.com
SauceAccessKey: xxxx
File:
# Set to false to keep existing secret
Replace: true
# PGP Private key in ascii format used to sign artifacts
PGPPrivateKeyAsc: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
xxxxx
-----END PGP PRIVATE KEY BLOCK-----
# maven.settings file
MavenSettingsXML: |-
<settings>
<localRepository>${user.home}/.mvnrepository</localRepository>
<interactiveMode>false</interactiveMode>
<mirrors>
<mirror>
<id>nexus</id>
<mirrorOf>external:*</mirrorOf>
<url>http://nexus.molgenis-nexus:8081/repository/maven-central/</url>
</mirror>
</mirrors>
<servers>
<!-- for snapshot builds of the master -->
<server>
<id>sonatype-nexus-staging</id>
<username>molgenis</username>
<password>xxxx</password>
</server>
<server>
<id>local-nexus</id>
<url>http://nexus.molgenis-nexus:8081/repository/maven-snapshots/</url>
<username>admin</username>
<password>xxxxx</password>
</server>
<!-- for docker images-->
<server>
<id>registry.molgenis.org</id>
<username>admin</username>
<password>xxxx</password>
</server>
<server>
<id>registry.hub.docker.com</id>
<username>molgenisci</username>
<password>xxxx</password>
</server>
</servers>
</settings>
#secret contains configuration for the kubernetes secrets that jenkins can access
secret:
# vault configures the vault secret
vault:
token: xxxx
addr: "https://vault-operator.vault-operator.svc:8200"
skipVerify: "1"
# githubToken contains access token for jenkins bot account on github.com
gitHub:
user: "molgenis-jenkins"
token: xxxx
# gogs contains access token for jenkins bot account on RuG GoGs
gogs:
user: p281392
token: xxxx
# registry contains credentials for registry.molgenis.org
registry:
user: admin
password: xxxx
# dockerHubPassword contains password for hub.docker.com
dockerHub:
user: molgenisci
password: xxxx

4
molgenis-preview/Chart.yaml
View File

@ -1,7 +1,7 @@
apiVersion: v1
appVersion: "1.0"
description: MOLGENIS - helm stack for testing purposes
name: molgenis-preview
description: A Helm chart for Kubernetes
name: molgenis
version: 0.2.0
sources:
- https://git.webhosting.rug.nl/molgenis/molgenis-ops-docker-helm.git

7
molgenis-preview/README.md
View File

@ -1,5 +1,5 @@
# MOLGENIS preview
This chart is used for testing purposes. It can be used by data managers or developers to test MOLGENIS (e.g. integration testing).
Is used for integration testing purposes.
## Containers
This chart spins up a complete stack to run MOLGENIS. The created containers are:
@ -9,8 +9,3 @@ This chart spins up a complete stack to run MOLGENIS. The created containers are
- Elasticsearch
- OpenCPU
## Rancher
You can spin up a test instance by navigating to https://rancher.molgenis.org:7777 and login with your LDAP-account.
Go to the test-environment and click on "Launch". Search for MOLGENIS.

120
molgenis-preview/test.yaml Normal file
View File

@ -0,0 +1,120 @@
# Source: molgenis/templates/deployment.yaml
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: lanky-ragdoll-molgenis
labels:
app: molgenis
chart: molgenis-0.1.0
release: lanky-ragdoll
heritage: Tiller
spec:
replicas: 1
selector:
matchLabels:
app: molgenis
release: lanky-ragdoll
template:
metadata:
labels:
app: molgenis
release: lanky-ragdoll
spec:
containers:
- name: molgenis
image: "registry.molgenis.org/molgenis/molgenis-app:latest"
imagePullPolicy: Always
env:
- name: molgenis.home
value: /home/molgenis
- name: opencpu.uri.host
value: opencpu
- name: elasticsearch.transport.addresses
value: elasticsearch:9300
- name: elasticsearch.cluster.name
value: molgenis
- name: db_uri
value: "jdbc:postgresql://postgres/molgenis"
- name: db_user
value: molgenis
- name: db_password
value: molgenis
- name: admin.password
value: admin
- name: CATALINA_OPTS
value: "-Xmx1g -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled"
ports:
- containerPort: 8080
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /api/v2/version
port: http
resources:
limits:
cpu: 1
memory: 1250Mi
requests:
cpu: 200m
memory: 1Gi
- name: elasticsearch
image: "docker.elastic.co/elasticsearch/elasticsearch:5.5.3"
imagePullPolicy: IfNotPresent
env:
- name: cluster.name
value: molgenis
- name: bootstrap.memory_lock
value: true
- name: ES_JAVA_OPTS
value: "-Xms512m -Xmx512m"
- name: xpack.security.enabled
value: false
- name: discovery.type
value: single-node
ports:
- containerPort: 9200
- containerPort: 9300
limits:
cpu: 1
memory: 1500Mi
requests:
cpu: 100m
memory: 1Gi
- name: postgres
image: "postgres:9.6-alpine"
imagePullPolicy: IfNotPresent
env:
- name: POSTGRES_USER
value: molgenis
- name: POSTGRES_PASSWORD
value: molgenis
- name: POSTGRES_DB
value: molgenis
ports:
- containerPort: 5432
limits:
cpu: 1
memory: 250Mi
requests:
cpu: 100m
memory: 250Mi
- name: opencpu
image: "molgenis/opencpu:latest"
imagePullPolicy: Always
ports:
- containerPort: 8004
limits:
cpu: 1
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi

8
molgenis/Chart.yaml
View File

@ -1,8 +0,0 @@
apiVersion: v1
appVersion: "1.0"
description: MOLGENIS - helm stack (in BETA)
name: molgenis-beta
version: 0.1.0
sources:
- https://git.webhosting.rug.nl/molgenis/molgenis-ops-docker-helm.git
icon: https://git.webhosting.rug.nl/molgenis/molgenis-ops-docker-helm/raw/master/molgenis/catalogIcon-molgenis.svg

83
molgenis/README.md
View File

@ -1,83 +0,0 @@
# MOLGENIS
This chart is used for acceptance and production use cases.
## Containers
This chart spins up a MOLGENIS instance with HTTPD. The created containers are:
- MOLGENIS
## Provisioning
You can choose from which registry you want to pull. There are 2 registries:
- https://registry.molgenis.org
- https://hub.docker.com
The registry.molgenis.org contains the bleeding edge versions (PR's and master merges). The hub.docker.com contains the released artifacts (MOLGENIS releases and release candidates).
The three properties you need to specify are:
- ```molgenis.image.repository```
- ```molgenis.image.name```
- ```molgenis.image.tag```
Besides determining which image you want to pull, you also have to set an administrator password. You can do this by specifying the following property.
- ```molgenis.adminPassword```
## Services
When you start MOLGENIS you need:
- an elasticsearch instance (5.5.6)
- an postgres instance (9.6)
You can attach additional services like:
- an opencpu instance
### Elasticsearch
You can configure elasticsearch by giving in the cluster location.
To configure the transport address you can address the node communication channel but also the native JAVA API. Which MOLGENIS uses to communicate with Elasticsearch.
From Elasticsearch version 6 and further the JAVA API is not supported anymore. At this moment you can only use Elastic instance till major version 5.
- ```molgenis.services.elasticsearch.transportAddresses: localhost:9300```
To configure the index on a Elasticsearch cluster you can specify the clusterName property.
- ```molgenis.services.elasticsearch.clusterName: molgenis```
### Postgres
You can specify the location of the postgres instance by specify the following property:
- ```molgenis.services.postgres.host: localhost```
You can specify the schema by filling out this property:
- ```molgenis.services.postgres.scheme: molgenis```
You can specify credentials for the database scheme by specifying the following properties:
- ```molgenis.services.postgres.user: molgenis```
- ```molgenis.services.postgres.password: molgenis```
To test you can use the **PostgreSQL**-helm chart of Kubernetes and specify these answers:
```bash
# answers for postgresql chart
postgresUser=molgenis
postgresPassword=molgenis
postgresDatabase=molgenis
persistence.enabled=false
```
### OpenCPU
You can specify the location of the OpenCPU cluster by specifying this property:
- ```molgenis.services.opencpu.host: localhost```
You can test OpenCPU settings using the **OpenCPU**-helm chart of MOLGENIS.
## Resources
You can specify resources by resource type. There are 2 resource types.
- memory of container
- maximum heap space JVM
Specify memory usage of container:
- ```molgenis.resources.limits.memory```
Specify memory usage for Java JVM:
- ```molgenis.javaOpts.maxHeapSpace```
Select the resources you need dependant on the customer you need to serve.
## Firewall
Is defined at cluster level. This chart does not facilitate firewall configuration.

1024
molgenis/catalogIcon-molgenis.svg
View File

File diff suppressed because it is too large Load Diff
Side by Side

Before

Width:  |  Height:  |  Size: 77 KiB

99
molgenis/questions.yml
View File

@ -1,99 +0,0 @@
categories:
- MOLGENIS
questions:
- variable: ingress.hosts[0].name
label: Hostname
default: "test.molgenis.org"
description: "Hostname for your stack"
type: hostname
required: true
group: "Load Balancing"
- variable: molgenis.image.repository
label: Registry
default: "registry.hub.docker.com"
description: "Select a registry to pull from"
type: enum
options:
- "registry.hub.docker.com"
- "registry.molgenis.org"
required: true
group: "Provisioning"
- variable: molgenis.image.tag
label: Version
default: ""
description: "Select a MOLGENIS version (check the registry.molgenis.org or hub.docker.com for released tags)"
type: string
required: true
group: "Provisioning"
- variable: molgenis.adminPassword
label: Administrator password
default: ""
description: "Enter an administrator password"
type: password
required: true
group: "Provisioning"
- variable: molgenis.services.opencpu.host
label: OpenCPU cluster
default: "localhost"
description: "Specify the OpenCPU cluster"
type: string
required: true
group: "Services"
- variable: molgenis.services.postgres.host
label: Postgres cluster location
default: "postgresql.molgenis-postgresql.svc"
description: "Set the location of the postgres cluster"
type: string
required: true
group: "Services"
- variable: molgenis.services.postgres.scheme
label: Database scheme
default: "molgenis"
description: "Set the database scheme"
type: string
required: true
group: "Services"
- variable: molgenis.services.postgres.user
label: Database username
default: "molgenis"
description: "Set user of the database scheme"
type: string
required: true
group: "Services"
- variable: molgenis.services.postgres.password
label: Database password
default: "molgenis"
description: "Set the password of the database scheme"
type: string
required: true
group: "Services"
- variable: molgenis.resources.limits.memory
label: Container memory limit
default: 1250Mi
description: "Memory limit for this MOLGENIS container"
type: enum
options:
- "1250Mi"
- "2500Mi"
required: true
group: "Resources"
- variable: molgenis.resources.requests.memory
label: Container memory reservation
default: 1250Mi
description: "Memory reservation for this MOLGENIS container"
type: enum
options:
- "1250Mi"
- "2500Mi"
required: true
group: "Resources"
- variable: molgenis.javaOpts.maxHeapSpace
label: Maximum heap space (JVM)
default: "1g"
description: "Maximum heap space MOLGENIS container JVM. Please not this should fit in your container memory limit"
type: enum
options:
- "1g"
- "2g"
group: "Resources"

19
molgenis/templates/NOTES.txt
View File

@ -1,19 +0,0 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "molgenis.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "molgenis.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "molgenis.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "molgenis.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80
{{- end }}

32
molgenis/templates/_helpers.tpl
View File

@ -1,32 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "molgenis.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "molgenis.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "molgenis.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

106
molgenis/templates/deployment.yaml
View File

@ -1,106 +0,0 @@
apiVersion: apps/v1beta2
kind: Deployment
metadata:
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
name: {{ template "molgenis.fullname" . }}
labels:
app: {{ template "molgenis.name" . }}
chart: {{ template "molgenis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "molgenis.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "molgenis.name" . }}
release: {{ .Release.Name }}
spec:
containers:
- name: molgenis
{{- with .Values.molgenis }}
image: {{ .image.repository }}/{{ .image.name }}:{{ .image.tag }}
imagePullPolicy: {{ .image.pullPolicy }}
env:
- name: molgenis.home
value: /home/molgenis
- name: opencpu.uri.host
value: {{ .services.opencpu.host }}
- name: elasticsearch.transport.addresses
value: {{ .services.elasticsearch.transportAddresses }}
- name: elasticsearch.cluster.name
value: {{ .services.elasticsearch.clusterName }}
- name: db_uri
value: jdbc:postgresql://{{ .services.postgres.host }}/{{ .services.postgres.scheme }}
- name: db_user
value: {{ .services.postgres.user }}
- name: db_password
value: {{ .services.postgres.password }}
- name: admin.password
value: {{ .adminPassword }}
- name: CATALINA_OPTS
value: "-Xmx{{ .javaOpts.maxHeapSpace }} -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled"
ports:
- containerPort: 8080
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 60
periodSeconds: 5
failureThreshold: 25
successThreshold: 1
readinessProbe:
httpGet:
path: /api/v2/version
port: 8080
initialDelaySeconds: 120
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
resources:
{{ toYaml .resources | indent 12 }}
{{- end }}
- name: elasticsearch
{{- with .Values.elasticsearch }}
image: "{{ .image.repository }}:{{ .image.tag }}"
imagePullPolicy: {{ .image.pullPolicy }}
env:
- name: cluster.name
value: {{ .clusterName }}
- name: bootstrap.memory_lock
value: "true"
- name: ES_JAVA_OPTS
value: "{{ .javaOpts }}"
- name: xpack.security.enabled
value: "false"
- name: discovery.type
value: single-node
ports:
- containerPort: 9200
- containerPort: 9300
resources:
{{ toYaml .resources | indent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}

38
molgenis/templates/ingress.yaml
View File

@ -1,38 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "molgenis.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ template "molgenis.name" . }}
chart: {{ template "molgenis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .name }}
http:
paths:
- path: {{ $ingressPath }}
backend:
serviceName: {{ $fullName }}
servicePort: 8080
{{- end }}
{{- end }}

17
molgenis/templates/service.yaml
View File

@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "molgenis.fullname" . }}
labels:
app: {{ template "molgenis.name" . }}
chart: {{ template "molgenis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- name: molgenis
port: {{ .Values.service.port }}
selector:
app: {{ template "molgenis.name" . }}
release: {{ .Release.Name }}

65
molgenis/values.yaml
View File

@ -1,65 +0,0 @@
# Default values for molgenis.
replicaCount: 1
service:
type: LoadBalancer
port: 8080
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "0"
path: /
hosts:
- name: test.molgenis.org
tls: []
molgenis:
image:
repository: registry.hub.docker.com
name: molgenis/molgenis-app
tag: stable
pullPolicy: Always
adminPassword:
javaOpts:
maxHeapSpace: "1g"
resources:
limits:
cpu: 1
memory: 1250Mi
requests:
cpu: 200m
memory: 1250Mi
services:
opencpu:
host: localhost
elasticsearch:
transportAddresses: localhost:9300
clusterName: molgenis
postgres:
host: localhost
scheme: molgenis
user: molgenis
password: molgenis
elasticsearch:
image:
repository: docker.elastic.co/elasticsearch/elasticsearch
tag: 5.5.3
pullPolicy: IfNotPresent
javaOpts: "-Xms1g -Xmx1g"
clusterName: molgenis
resources:
limits:
cpu: 2
memory: 3Gi
requests:
cpu: 100m
memory: 1Gi
nodeSelector: {}
tolerations: []
affinity: {}