Kubernetes config for api and worker for minikube

biosimulators · Jan 15, 2025 · fe21ddf · fe21ddf
1 parent 841729b
commit fe21ddf
Show file tree

Hide file tree

Showing 12 changed files with 203 additions and 0 deletions.
diff --git a/kustomize/README_minikube.md b/kustomize/README_minikube.md
@@ -0,0 +1,22 @@
+### Sealed Secrets setup
+
+install sealed secrets and the controller
+
+```bash
+brew install kubeseal
+helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
+helm install sealed-secrets -n kube-system \
+     --set-string fullnameOverride=sealed-secrets-controller sealed-secrets/sealed-secrets
+```
+
+create a secret and seal it
+
+```bash
+kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -o yaml | \
+    kubeseal \
+      --controller-name=sealed-secrets-controller \
+      --controller-namespace=kube-system \
+      --format yaml > mysealedsecret.yaml
+
+kubectl apply -f mysealedsecret.yaml
+```
diff --git a/kustomize/base/api.yaml b/kustomize/base/api.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+  labels:
+    app: api
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+      - name: api
+        image: ghcr.io/biosimulations/biosim-api:latest
+        ports:
+        - containerPort: 8000
+        envFrom:
+          - configMapRef:
+              name: api-config
+      imagePullSecrets:
+        - name: ghcr-secret
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: api
+  name: api
+spec:
+  ports:
+    - name: "8000"
+      port: 8000
+      targetPort: 8000
+  selector:
+    app: api
diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - api.yaml
+  - worker.yaml
diff --git a/kustomize/base/worker.yaml b/kustomize/base/worker.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: worker
+  labels:
+    app: worker
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: worker
+  template:
+    metadata:
+      labels:
+        app: worker
+    spec:
+      containers:
+      - name: worker
+        image: ghcr.io/biosimulations/biosim-worker:latest
+        envFrom:
+          - configMapRef:
+              name: worker-config
+      imagePullSecrets:
+        - name: ghcr-secret
+
+#---
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  labels:
+#    app: api
+#  name: api
+#spec:
+#  ports:
+#    - name: "8080"
+#      port: 8080
+#      targetPort: 8080
+#  selector:
+#    app: api
diff --git a/kustomize/config/biosim-local/api.env b/kustomize/config/biosim-local/api.env
diff --git a/kustomize/config/biosim-local/kustomization.yaml b/kustomize/config/biosim-local/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+  - name: api-config
+    envs:
+      - api.env
+      - shared.env
+  - name: worker-config
+    envs:
+      - worker.env
+      - shared.env
diff --git a/kustomize/config/biosim-local/shared.env b/kustomize/config/biosim-local/shared.env
@@ -0,0 +1 @@
+TEMPORAL_SERVICE_URL=temporal.temporal.svc.cluster.local:7233
diff --git a/kustomize/config/biosim-local/worker.env b/kustomize/config/biosim-local/worker.env
diff --git a/kustomize/overlays/biosim-local/ingress.yaml b/kustomize/overlays/biosim-local/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: api-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  rules:
+  - host: api.biosim-local
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: api
+            port:
+              number: 8000
diff --git a/kustomize/overlays/biosim-local/kustomization.yaml b/kustomize/overlays/biosim-local/kustomization.yaml
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: biosim-local
+
+images:
+- name: ghcr.io/biosimulators/bsvs-server-api
+  newTag: 7.7.0.11
+- name: ghcr.io/biosimulators/bsvs-server-worker
+  newTag: 7.7.0.11
+
+replicas:
+- count: 1
+  name: api
+- count: 1
+  name: worker
+
+resources:
+- ingress.yaml
+- secret-ghcr.yaml
+- ../../config/biosim-local
+- ../../base
diff --git a/kustomize/overlays/biosim-local/secret-ghcr.yaml b/kustomize/overlays/biosim-local/secret-ghcr.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: ghcr-secret
+  namespace: biosim-local
+spec:
+  encryptedData:
+    .dockerconfigjson: AgC4B1MD5CAG+umOrfqqt/wdgCWqhtSXnZJae0o3ozUPNPvkU5vo9/SsItqZERjNIUlfFNEnAD3G9L1JMmzOqEEvk9wChwUVT3uOYYnEJ++YBJsYXTfZZY95emDJfQqN/kw6Ggyg7AQibT/u+Zcpz0OXZXQHDN3BnfiOCac680aA22kaL1VpqI+87z+8u4bG1RKO5cnbsjw8qeKW/FdlJxOB+koqJcIQf1/UynuuPC5BJwND4U6r0hl8WhKVhCgT6/JS2oZ21vx2HH2W5NXIfECb5ggcyASktvtmoW3xD3mS97P7xH71yCrrOum4dp0JCRRX0LoPwo7cRf1HGuLjxT/bk4PXnRkyAoYkjkXkyq6Y+Qn54qsK9qY0cjhdTGPdotXEZDQ2EyzJdiq9wrK6ShRaHfJW4O6xanLC8UNPiCpu6E1Dk4R0XUd/oz0sxRMyiKjnwq4tQCCv/ZwsRwloGshZiadt9rfsA6DEZl4/+BDN7CE+DKjHFXr11tV19TEFwbLLEViH1rndfmCK+hCEhHTz4qdWiSKiN2kfJ8UMb+kfMDT28nbvQUpskFLZ0wNNsUeGby+GUpSYLZGAioqT7+IWmZNWC1SR0A5Yh4HPBPEVswGkzfaAzrMF+ttvl+9ft2ViC/ILHaJj7VivX9esnutVMLQvtr759rodDOZiiyJ1NcL5Ez49oabw2rKcwi/nLlyEPxXsl0vAT9o0vaMx0wI7uzE+OBVvvhe56M6ggsTv5wKB2xnXytgMIHOINcU+rnmd2L4AaAVY5l7mDr2j+nkWza6AjBuPyJaK6vpg1sg+P1XkMrREvmNiSZ/jkT2GRZU9HVkbxFawRn0uzx/wu9XduC5z5miOjvdg1hbEHlJLYWSOlbfpmLgd9CY0EYhdXGQhtZ0lR2rWffO9sR0IJKWolpkCEBkk48WvHYiwcf2qfBSldp68QiKzAJI8AZ4GLxhTqsji5BHL4ljosqAFo92e
+  template:
+    metadata:
+      creationTimestamp: null
+      name: ghcr-secret
+      namespace: biosim-local
+    type: kubernetes.io/dockerconfigjson
diff --git a/kustomize/scripts/sealed_secret_ghcr.sh b/kustomize/scripts/sealed_secret_ghcr.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# This script is used to create a sealed secret for the ghcr.io credentials
+# this script should take 3 arguments as input: namespace, github username, github user email, and github token and output a sealed secret to stdout
+# Example: ./sealed_secret_ghcr.sh remote GH_USERNAME GH_USER_EMAIL GH_PAT > output.yaml
+
+# validate the number of arguments
+if [ "$#" -ne 4 ]; then
+    echo "Illegal number of parameters"
+    echo "Usage: ./sealed_secret_ghcr.sh <namespace> <github_user> <github_user_email> <github_token>"
+    exit 1
+fi
+
+SECRET_NAME="ghcr-secret"
+SERVER="ghcr.io"
+NAMESPACE=$1
+USERNAME=$2
+EMAIL=$3
+PASSWORD=$4
+
+kubectl create secret docker-registry ${SECRET_NAME} --dry-run=client \
+      --docker-server="${SERVER}" \
+      --docker-username="${USERNAME}" \
+      --docker-email="${EMAIL}" \
+      --docker-password="${PASSWORD}" \
+      --namespace="${NAMESPACE}" -o yaml | kubeseal --format yaml
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		TEMPORAL_SERVICE_URL=temporal.temporal.svc.cluster.local:7233