Add Kubernetes Helmchart (#8526)

Closes #8382
ICTU · Jul 15, 2024 · 4ad7327 · 4ad7327
1 parent 9f4ab57
commit 4ad7327
Show file tree

Hide file tree

Showing 33 changed files with 739 additions and 618 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -73,3 +73,8 @@ jobs:
           push: true
       - name: Anchore SBOM Action
         uses: anchore/[email protected]
+      - name: Package and push Helm chart to Docker Hub
+        run: |
+          cd helm
+          helm package .
+          helm push quality-time-*.tgz oci://registry-1.docker.io/ictu
diff --git a/.gitignore b/.gitignore
@@ -25,6 +25,7 @@ wheels/
 .installed.cfg
 *.egg
 MANIFEST
+/helm/quality-time-*.tgz
 
 # Unit test / coverage reports
 htmlcov/

diff --git a/docs/src/deployment.md b/docs/src/deployment.md
@@ -2,7 +2,9 @@
 
 This document describes how to deploy, and if needed move, the *Quality-time* application. It is aimed at *Quality-time* operators.
 
-*Quality-time* consists of a set of Docker containers that together form the application. See the [software documentation](software.md) for an overview of the different containers. It is assumed the containers are deployed using a Docker-composition. An alternative deployment based on a Helm chart and intended for an OpenShift (Kubernetes) cluster is described in the [Helm for OpenShift README](https://github.com/ICTU/quality-time/tree/master/openshift/helm/README.md).
+*Quality-time* consists of a set of Docker containers that together form the application.
+See the [software documentation](software.md) for an overview of the different containers.
+It is assumed the containers are deployed using a Docker-composition.
 
 *Quality-time* furthermore assumes an LDAP service is available to authenticate users or that forwarded authentication is used.
 
@@ -40,6 +42,12 @@ For example:
       - "1080:${PROXY_PORT:-80}"
 ```
 
+## Kubernetes
+
+The helm chart for deploying on Kubernetes does not support overriding port numbers.
+Although setting port environment variables in the `values.yaml` will change the ports that the app within the pod listens to, it will *not* change the service port mapping and therefore lead to a malfunctioning service.
+Instead, only the ingress should be configured.
+
 ## Configuring authentication (mandatory)
 
 You need to either configure an LDAP server to authenticate users with or configure forwarded authentication.
@@ -48,6 +56,7 @@ You need to either configure an LDAP server to authenticate users with or config
 
 To configure an LDAP server to authenticate users with, set the `LDAP_URL`, `LDAP_ROOT_DN`, `LDAP_LOOKUP_USER_DN`, `LDAP_LOOKUP_USER_PASSWORD`, and `LDAP_SEARCH_FILTER` environment variables.
 Note that `LDAP_URL` may be a comma-separated list of LDAP connection URL(s).
+
 Add the LDAP environment variables to the API-server service in the [compose file](https://github.com/ICTU/quality-time/blob/master/docker/docker-compose.yml):
 
 ```yaml
@@ -60,6 +69,18 @@ Add the LDAP environment variables to the API-server service in the [compose fil
       - LDAP_SEARCH_FILTER=(|(uid=$username)(cn=$username))
 ```
 
+Alternatively, for a Kubernetes deployment, add the LDAP environment variables to the API-server service in the [Helm values.yaml](https://github.com/ICTU/quality-time/blob/master/helm/values.yaml):
+
+```yaml
+api_server:
+  env:
+    LDAP_URL: "ldap://host.docker.internal:389"
+    LDAP_ROOT_DN: "dc=example,dc=org"
+    LDAP_LOOKUP_USER_DN: "cn=admin,dc=example,dc=org"
+    LDAP_LOOKUP_USER_PASSWORD: "admin"
+    LDAP_SEARCH_FILTER: "(|(uid=$$username)(cn=$$username))"
+```
+
 When using the `LDAP_SEARCH_FILTER` as shown above, users can use either their LDAP canonical name (`cn`) or their LDAP user id to login. The `$username` variable is filled by *Quality-time* at run time with the username that the user enters in the login dialog box.
 
 ```{seealso}

diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v2
+name: quality-time
+version: 5.14.0
+appVersion: "v5.14.0"
+description: Helm chart for Quality-time, an automated quality system for software development and maintenance
+type: application
+home: https://github.com/ICTU/Quality-time
+icon: https://raw.githubusercontent.com/ICTU/quality-time/master/docs/src/_static/Quality-time.png
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
@@ -0,0 +1,35 @@
+{{/* Returns the name of the api_server component service */}}
+{{/* Abbreviated to "api", because this string may not contain underscores */}}
+{{- define "api_server_name" -}}
+api
+{{- end -}}
+
+{{/* Returns the name of the collector component service */}}
+{{- define "collector_name" -}}
+collector
+{{- end -}}
+
+{{/* Returns the name of the database component service */}}
+{{- define "database_name" -}}
+database
+{{- end -}}
+
+{{/* Returns the name of the frontend component service */}}
+{{- define "frontend_name" -}}
+frontend
+{{- end -}}
+
+{{/* Returns the name of the notifier component service */}}
+{{- define "notifier_name" -}}
+notifier
+{{- end -}}
+
+{{/* Returns the name of the renderer component service */}}
+{{- define "renderer_name" -}}
+renderer
+{{- end -}}
+
+{{/* Returns the name of the www service running the proxy component */}}
+{{- define "www_name" -}}
+www
+{{- end -}}
diff --git a/helm/templates/api_server.yaml b/helm/templates/api_server.yaml
@@ -0,0 +1,102 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-{{ template "api_server_name" . }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: {{ template "api_server_name" . }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Chart.Name }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: {{ template "api_server_name" . }}
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ .Chart.Name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/component: {{ template "api_server_name" . }}
+    spec:
+      containers:
+        - name: {{ template "api_server_name" . }}
+          image: "{{ .Values.api_server.image.repository }}:{{ .Values.api_server.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: Always
+          envFrom:
+            - configMapRef:
+                name: {{ .Release.Name }}-{{ template "api_server_name" . }}-env
+                optional: true
+          env:
+            - name: DATABASE_HOST
+              value: {{ .Release.Name }}-{{ template "database_name" . }}
+            - name: DATABASE_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.dbCredential }}
+                  key: DATABASE_USERNAME
+                  optional: true
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.dbCredential }}
+                  key: DATABASE_PASSWORD
+                  optional: true
+            - name: LDAP_LOOKUP_USER_DN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.ldapCredential }}
+                  key: LDAP_LOOKUP_USER_DN
+                  optional: true
+            - name: LDAP_LOOKUP_USER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.ldapCredential }}
+                  key: LDAP_LOOKUP_USER_PASSWORD
+                  optional: true
+            - name: LDAP_SEARCH_FILTER  # override to make sure that double dollar signs are processed like in docker
+              value: {{ .Values.api_server.env.LDAP_SEARCH_FILTER }}
+{{- with .Values.api_server.resources }}
+          resources: {{- toYaml . | nindent 12 }}
+{{- end }}
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+      restartPolicy: Always
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-{{ template "api_server_name" . }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: {{ template "api_server_name" . }}
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: {{ template "api_server_name" . }}
+  ports:
+    - protocol: TCP
+      port: 5001
+      targetPort: 5001
+  sessionAffinity: None
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-{{ template "api_server_name" . }}-env
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: {{ template "api_server_name" . }}
+data:
+{{- range $key, $val := .Values.api_server.env }}
+  {{ $key }}: "{{ $val }}"
+{{- end }}
diff --git a/helm/templates/collector.yaml b/helm/templates/collector.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-{{ template "collector_name" . }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: {{ template "collector_name" . }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Chart.Name }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: {{ template "collector_name" . }}
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ .Chart.Name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/component: {{ template "collector_name" . }}
+    spec:
+      containers:
+        - name: {{ template "collector_name" . }}
+          image: "{{ .Values.collector.image.repository }}:{{ .Values.collector.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: Always
+          envFrom:
+            - configMapRef:
+                name: {{ .Release.Name }}-{{ template "collector_name" . }}-env
+                optional: true
+          env:
+            - name: DATABASE_HOST
+              value: {{ .Release.Name }}-{{ template "database_name" . }}
+            - name: DATABASE_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.dbCredential }}
+                  key: DATABASE_USERNAME
+                  optional: true
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.dbCredential }}
+                  key: DATABASE_PASSWORD
+                  optional: true
+{{- with .Values.collector.resources }}
+          resources: {{- toYaml . | nindent 12 }}
+{{- end }}
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+      restartPolicy: Always
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-{{ template "collector_name" . }}-env
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: {{ template "collector_name" . }}
+data:
+{{- range $key, $val := .Values.collector.env }}
+  {{ $key }}: "{{ $val }}"
+{{- end }}