From 8e4e9f7e5b86ebedf4543046bc1f518cbc74fef0 Mon Sep 17 00:00:00 2001 
From: Kevin Lin Date: Tue, 24 Apr 2018 11:07:13 -0700 Subject: [PATCH] helm: Add a Helm chart for installing Arvados This commit adds a Helm chart for installing most of Arvados, except for the Git server and SLURM. No issue # Arvados-DCO-1.1-Signed-off-by: Kevin Lin --- .licenseignore | 7 + arvados/.helmignore | 21 + arvados/Chart.yaml | 9 + arvados/README.md | 150 +++++ arvados/cert-gen.sh | 31 ++ arvados/config/api-server/90-init-db.sh | 34 ++ arvados/config/api-server/application.yml | 527 ++++++++++++++++++ .../api-server/create-workbench-api-client.rb | 10 + arvados/config/api-server/database.yml | 33 ++ arvados/config/api-server/nginx.conf | 66 +++ arvados/config/postgres/create_dbs.sh | 18 + arvados/config/shell-server/99-init-keep.sh | 36 ++ arvados/config/shell-server/99-trust-cert.sh | 6 + arvados/config/ssl/cert | 1 + arvados/config/ssl/key | 1 + arvados/config/sso/90-init-db.sh | 33 ++ arvados/config/sso/92-init-client.sh | 7 + arvados/config/sso/application.yml | 94 ++++ arvados/config/sso/database.yml | 33 ++ arvados/config/sso/init-client.rb | 13 + arvados/config/sso/nginx.conf | 15 + arvados/config/workbench/application.yml | 42 ++ arvados/config/workbench/database.yml | 51 ++ arvados/config/workbench/nginx.conf | 51 ++ arvados/config/ws/ws.yml | 13 + arvados/templates/NOTES.txt | 19 + arvados/templates/_helpers.tpl | 37 ++ arvados/templates/api-server-configmap.yaml | 15 + arvados/templates/api-server-deployment.yaml | 65 +++ arvados/templates/api-server-service.yaml | 23 + arvados/templates/keep-proxy-deployment.yaml | 42 ++ arvados/templates/keep-proxy-https.yaml | 109 ++++ arvados/templates/keep-proxy-service.yaml | 21 + arvados/templates/keep-store-configmap.yaml | 15 + arvados/templates/keep-store-deployment.yaml | 43 ++ arvados/templates/keep-store-service.yaml | 22 + arvados/templates/keep-web-deployment.yaml | 42 ++ arvados/templates/keep-web-https.yaml | 109 ++++ arvados/templates/keep-web-service.yaml | 21 + 
arvados/templates/postgres-configmap.yaml | 15 + arvados/templates/postgres-deployment.yaml | 37 ++ arvados/templates/postgres-service.yaml | 19 + arvados/templates/shell-server-configmap.yaml | 15 + .../templates/shell-server-deployment.yaml | 65 +++ arvados/templates/ssl-configmap.yaml | 15 + arvados/templates/sso-configmap.yaml | 15 + arvados/templates/sso-deployment.yaml | 59 ++ arvados/templates/sso-service.yaml | 23 + arvados/templates/workbench-configmap.yaml | 15 + arvados/templates/workbench-deployment.yaml | 56 ++ arvados/templates/workbench-service.yaml | 23 + arvados/templates/ws-configmap.yaml | 15 + arvados/templates/ws-deployment.yaml | 41 ++ arvados/templates/ws-https.yaml | 109 ++++ arvados/templates/ws-service.yaml | 21 + arvados/values.yaml | 49 ++ 56 files changed, 2477 insertions(+) create mode 100644 arvados/.helmignore create mode 100644 arvados/Chart.yaml create mode 100644 arvados/README.md create mode 100755 arvados/cert-gen.sh create mode 100644 arvados/config/api-server/90-init-db.sh create mode 100644 arvados/config/api-server/application.yml create mode 100644 arvados/config/api-server/create-workbench-api-client.rb create mode 100644 arvados/config/api-server/database.yml create mode 100644 arvados/config/api-server/nginx.conf create mode 100644 arvados/config/postgres/create_dbs.sh create mode 100644 arvados/config/shell-server/99-init-keep.sh create mode 100644 arvados/config/shell-server/99-trust-cert.sh create mode 100644 arvados/config/ssl/cert create mode 100644 arvados/config/ssl/key create mode 100644 arvados/config/sso/90-init-db.sh create mode 100644 arvados/config/sso/92-init-client.sh create mode 100644 arvados/config/sso/application.yml create mode 100644 arvados/config/sso/database.yml create mode 100644 arvados/config/sso/init-client.rb create mode 100644 arvados/config/sso/nginx.conf create mode 100644 arvados/config/workbench/application.yml create mode 100644 arvados/config/workbench/database.yml create mode 100644 
arvados/config/workbench/nginx.conf create mode 100644 arvados/config/ws/ws.yml create mode 100644 arvados/templates/NOTES.txt create mode 100644 arvados/templates/_helpers.tpl create mode 100644 arvados/templates/api-server-configmap.yaml create mode 100644 arvados/templates/api-server-deployment.yaml create mode 100644 arvados/templates/api-server-service.yaml create mode 100644 arvados/templates/keep-proxy-deployment.yaml create mode 100644 arvados/templates/keep-proxy-https.yaml create mode 100644 arvados/templates/keep-proxy-service.yaml create mode 100644 arvados/templates/keep-store-configmap.yaml create mode 100644 arvados/templates/keep-store-deployment.yaml create mode 100644 arvados/templates/keep-store-service.yaml create mode 100644 arvados/templates/keep-web-deployment.yaml create mode 100644 arvados/templates/keep-web-https.yaml create mode 100644 arvados/templates/keep-web-service.yaml create mode 100644 arvados/templates/postgres-configmap.yaml create mode 100644 arvados/templates/postgres-deployment.yaml create mode 100644 arvados/templates/postgres-service.yaml create mode 100644 arvados/templates/shell-server-configmap.yaml create mode 100644 arvados/templates/shell-server-deployment.yaml create mode 100644 arvados/templates/ssl-configmap.yaml create mode 100644 arvados/templates/sso-configmap.yaml create mode 100644 arvados/templates/sso-deployment.yaml create mode 100644 arvados/templates/sso-service.yaml create mode 100644 arvados/templates/workbench-configmap.yaml create mode 100644 arvados/templates/workbench-deployment.yaml create mode 100644 arvados/templates/workbench-service.yaml create mode 100644 arvados/templates/ws-configmap.yaml create mode 100644 arvados/templates/ws-deployment.yaml create mode 100644 arvados/templates/ws-https.yaml create mode 100644 arvados/templates/ws-service.yaml create mode 100644 arvados/values.yaml diff --git a/.licenseignore b/.licenseignore index 0e78077..3712913 100644 --- a/.licenseignore 
+++ b/.licenseignore
@@ -1,4 +1,11 @@
+.licenseignore
 agpl-3.0.txt
 apache-2.0.txt
 AUTHORS
+COPYING
 cc-by-sa-3.0.txt
+charts/arvados/.helmignore
+charts/arvados/config/ssl/cert
+charts/arvados/config/ssl/key
+charts/arvados/templates/NOTES.txt
+charts/arvados/templates/_helpers.tpl
diff --git a/arvados/.helmignore b/arvados/.helmignore
new file mode 100644
index 0000000..f0c1319
--- /dev/null
+++ b/arvados/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/arvados/Chart.yaml b/arvados/Chart.yaml
new file mode 100644
index 0000000..a0d4e0f
--- /dev/null
+++ b/arvados/Chart.yaml
@@ -0,0 +1,9 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: arvados
+version: 0.1.0
diff --git a/arvados/README.md b/arvados/README.md
new file mode 100644
index 0000000..487e495
--- /dev/null
+++ b/arvados/README.md
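Review bot: The five added `charts/arvados/...` entries do not match the paths this commit creates; every new file in the diffstat lives directly under `arvados/` (for example `arvados/.helmignore` and `arvados/config/ssl/cert`), so the license checker will keep flagging those files unless the chart is consumed from a `charts/` parent directory that this patch does not show. Drop the `charts/` prefix from the five entries, or move the chart to `charts/arvados/` so the ignore list and the tree agree. The `config/ssl/cert` and `config/ssl/key` entries are one line each in the diffstat, so they look like placeholders overwritten by `cert-gen.sh`; if that is the case, a note in the README that `config/ssl/key` must never be committed with real contents would make the ignore entry self-explanatory.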
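Review bot: `description: A Helm chart for Kubernetes` in Chart.yaml is the scaffold text and says nothing about what the chart installs; `description: Arvados on Kubernetes (excluding the Git server and SLURM)` would match the commit message. `appVersion: "1.0"` is presumably also the scaffold default rather than the Arvados release the container images track; confirm it against the package versions the deployment templates install, or drop it until it is tracked.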
@@ -0,0 +1,150 @@ +[//]: # Copyright (C) The Arvados Authors. All rights reserved. +[//]: # +[//]: # SPDX-License-Identifier: Apache-2.0 + +# Arvados Helm Chart + +This directory contains a simple Helm chart for Arvados, excluding the Git +server and SLURM. It's more or less a port of the Kubernetes config generated +by the Arvados Kelda blueprint. + +The files should only be considered an example of what a Kubernetes deployment +might look like -- this is my first Helm chart, and there are definitely things +that could be cleaner. + +## Usage + +1. Boot a [GKE cluster](https://console.cloud.google.com/kubernetes/) with at least 3 nodes. + - I tested with 3 n1-standard-1 (1 vCPU, 3.75GB RAM) machines on Kubernetes v1.8.8. + - It takes a few minutes for the cluster to be initialized. + +2. Reserve a [static IP](https://console.cloud.google.com/networking/addresses) in GCE. + - Make sure the IP is in the same region as your GKE cluster, and is of the + "Regional" type. + +3. Install `gcloud`, `kubectl`, and `helm` on your development machine. + `gcloud` is used to setup the connection to your GKE cluster. `kubectl` is + used to interact with the Kubernetes cluster. `helm` is used to deploy to + the cluster. + - Follow the instructions [here](https://cloud.google.com/sdk/downloads) to install `gcloud`. + - `gcloud components install kubectl` to install `kubectl`. + - `brew install kubernetes-helm` to install `helm`. + - If that doesn't work, see the official installation instructions for + [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) + and [helm](https://docs.helm.sh/using_helm/#installing-helm). + +3. Connect to the GKE cluster. + - Click the "Connect" button next to your [GKE cluster](https://console.cloud.google.com/kubernetes/). + - Execute the "Command-line access" command on your development machine. + - Run `kubectl get nodes` to test your connection to the GKE cluster. 
The + nodes you specified in step 1 should show up in the output. + +4. Install `helm` on the cluster. + - Run the following commands from your development machine. The last three + commands are necessary since GKE clusters use RBAC for authentication, so + the default `helm` installation doesn't have sufficient permissions to + deploy to the cluster: + - `helm init` + - `kubectl create serviceaccount --namespace kube-system tiller` + - `kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller` + - `kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'` + - Wait until the `tiller` container's status is "Running" in `kubectl get pods --namespace kube-system` + - Test `helm` by running `helm ls`. There shouldn't be any errors. + +5. Generate an SSL certificate. + - Run `./cert-gen.sh ` where `` is the IP allocated in step 1. + +6. *Optional*: Trust the generated certificate. By default, browsers treat + self-signed certificates as insecure. Therefore, the generated certificate + must be manually trusted through the OS settings. If you skip this step, + you'll have to manually override browser SSL warnings when connecting to + workbench. + + To do this on On Mac OS: + 1. Open the "Keychain Access" application. + 2. Click "File" in the menu at the top left. + 3. Click "Import Items...". + 4. Navigate to the generated `cert` and click "Open". + 5. Double click on the certificate and change the trust level to "Always + Trust". The certificate will be named "arvados-test-cert". + +7. Modify the Kubernetes configs to reference your static IP. + - Replace all references to the IP `8.8.8.8` with the IP allocated in step 1. + - This can be done automatically with the following command: + ``` + grep -lr --exclude README.md '8.8.8.8' . | xargs sed -i '' 's/8.8.8.8//g' + ``` +8. Install the Arvados Kubernetes configs. 
+ - Run `helm install --name arvados .` + - If you make a change to the Kubernetes manifests and want to reinstall + the configs, run `helm delete --purge arvados`, followed by the `helm + install` command. + +9. Wait for everything to boot in the cluster. This takes a few minutes from my + testing. + - `kubectl get pods` should show all the pods as running. + - `kubectl get services` shouldn't show anything as ``. + - If some services are stuck in `` check their status with + `kubectl describe service/serviceName` (e.g. `kubectl describe + service/arvados-api-server`). If there's an error along the lines of + "Specified IP address is in-use and would result in a conflict.", + manually delete all entries under "Forwarding rules" and "Target + pools" in the [console UI](https://console.cloud.google.com/net-services/loadbalancing/advanced/targetPools/list). + - Even after the containers are running, they take a couple minutes to + download and install various packages. If some components seem down, + check its logs with `kubectl logs ` and see if it's fully + initialized. In my testing, the container has been inaccessible for up to + 10 minutes after starting. + +10. Connect to the Workbench. + - Navigate to `https://` in your browser. + +11. Destroy the GKE cluster when finished. + +## Future Work + +- The Arvados Dockerfiles need to be rebuilt so that they have the latest `apt` + metadata. As a workaround, some pods, such as `keep-web` are running `apt-get + update` when they start. +- Set the floating IP through `./values.yaml` and have Helm handling templating + it, rather than manually replacing references to the IP. + - There may be other values worth templating, such as the number of Keep + containers to deploy, or the versions of the Arvados packages to install. +- Figure out a better way of setting API tokens. It's currently hardcoded in + the config files, and changing it in one location will cause the other + references to fail. 
+ ``` + $ grep -r 'thisisnotavery' . + ./config/api-server/90-init-db.sh: bundle exec script/create_superuser_token.rb thisisnotaverygoodsuperusersecretstring00000000000 + ./config/api-server/90-init-db.sh: bundle exec get_anonymous_user_token.rb -t thisisnotaverygoodanonymoussecretstring00000000000 || true + ./config/sso/90-init-db.sh: bundle exec script/create_superuser_token.rb thisisnotaverygoodsuperusersecretstring00000000000 + ./config/sso/90-init-db.sh: bundle exec get_anonymous_user_token.rb -t thisisnotaverygoodanonymoussecretstring00000000000 || true + ./templates/keep-proxy-deployment.yaml: value: "thisisnotaverygoodanonymoussecretstring00000000000" + ./templates/keep-web-deployment.yaml: value: "thisisnotaverygoodanonymoussecretstring00000000000" + ./templates/shell-server-deployment.yaml: value: "thisisnotaverygoodsuperusersecretstring00000000000" + ``` +- Figure out how to reduce redundant YAML files. + - The Nginx SSL proxies (`./templates/keep-web-https.yaml`, + `./templates/keep-proxy-https.yaml`, `./templates/ws-https.yaml`) are + extremely similar. Only a couple lines related to hostnames and + ports different. + - The configmap YAMLs are all basically the same. + - This might be possible with partials (a Helm templating feature). Or in a + different templating language such as ksonnet. +- Add SLURM support +- Support changing keep-store scale. Right now the scale is set to `replicas: + 2` in `templates/keep-store-deployment.yaml`. Unfortunately, increasing the scale + isn't as simple as changing the number since the hostnames are hardcoded in + `config/shell-server/99-init-keep.sh`. +- Consider adding healthchecks and readiness checks. + - They would make the deployment more robust. Readiness checks would make + it so services weren't exposed until they're ready to receive traffic. + Healthchecks would make it so containers are restarted when they enter a + failure state. +- Add minimum CPU and RAM requirements to the containers. 
+ - This will prevent out of memory errors, for example. This is especially + important if autoscaling is added. +- Get the SSL certificate automatically using Lets Encrypt, eliminating the + need for the self-signed certificate generated by the `cert-gen.sh` script. +- Add SSL to SSO server + - It's currently being hosted on only HTTP. diff --git a/arvados/cert-gen.sh b/arvados/cert-gen.sh new file mode 100755 index 0000000..aba4432 --- /dev/null +++ b/arvados/cert-gen.sh @@ -0,0 +1,31 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +# Usage: ./cert-gen.sh + +if [[ -z $1 ]] ; then + echo "ERROR: A floating IP must be supplied." + echo "Usage: $0 " + exit 1 +fi + +cat > ssl.conf <&1 || true) + if echo "$DB_MIGRATE_STATUS" | grep -qF 'Schema migrations table does not exist yet.'; then + # The database exists, but the migrations table doesn't. + bundle exec rake "$RAILSPKG_DATABASE_LOAD_TASK" db:seed + elif echo "$DB_MIGRATE_STATUS" | grep -q '^database: '; then + bundle exec rake db:migrate + elif echo "$DB_MIGRATE_STATUS" | grep -q 'database .* does not exist'; then + bundle exec rake db:setup + else + echo "Warning: Database is not ready to set up." >&2 + exit 1 + fi + + if [[ -f "/create-workbench-api-client.rb" ]]; then + # This is the API server + cd /var/www/arvados-api/current + bundle exec script/create_superuser_token.rb thisisnotaverygoodsuperusersecretstring00000000000 + cd script + bundle exec get_anonymous_user_token.rb -t thisisnotaverygoodanonymoussecretstring00000000000 || true + bundle exec rails runner /create-workbench-api-client.rb + fi + +} + +prepare_database "db:structure:load" + diff --git a/arvados/config/api-server/application.yml b/arvados/config/api-server/application.yml new file mode 100644 index 0000000..4616d27 --- /dev/null +++ b/arvados/config/api-server/application.yml 
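Review bot: cert-gen.sh is added with mode 100755 but its first line is the copyright comment, not an interpreter line, so running it as `./cert-gen.sh` (the form the README gives in step 5) leaves the shell choice to the caller's environment even though the script uses the bash-only `[[ -z $1 ]]` test; put `#!/bin/bash` above the header and add `set -euo pipefail` after it so a failed step does not silently produce an empty cert. The usage line `# Usage: ./cert-gen.sh` and the `echo "Usage: $0 "` message have lost their argument name in this rendering; if the source also lacks it, name the argument (`<floating-ip>`) in both places. The rest of the script is cut off in this view, so the key and cert handling could not be reviewed.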
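Review bot: 90-init-db.sh passes the literal `thisisnotaverygoodsuperusersecretstring00000000000` to `script/create_superuser_token.rb` and the literal anonymous token to `get_anonymous_user_token.rb -t`, so every install of this chart gets the same superuser credential; the README lists the hardcoding as future work, but the script could already read it from the environment, e.g. `bundle exec script/create_superuser_token.rb "${ARVADOS_SUPERUSER_TOKEN:?must be set from a Kubernetes Secret}"`, with the deployment templates that currently embed the same literal injecting it from a Secret. The same applies to the api-server application.yml hunk that follows, where `secret_token: changeme` and `blob_signing_key: key` sit directly under comments requiring at least 50 characters, and where `sso_insecure: true # TODO: Make this false.` disables certificate verification toward the SSO server; a comment in both files stating that these values are example-only and must be overridden before any shared deployment would at least make the intent explicit. The top of 90-init-db.sh (the `prepare_database` signature and any `set -e`) is not visible in this rendering.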
@@ -0,0 +1,527 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + +# Do not use this file for site configuration. Create application.yml +# instead (see application.yml.example). +# +# The order of precedence is: +# 1. config/environments/{RAILS_ENV}.rb (deprecated) +# 2. Section in application.yml corresponding to RAILS_ENV (e.g., development) +# 3. Section in application.yml called "common" +# 4. Section in application.default.yml corresponding to RAILS_ENV +# 5. Section in application.default.yml called "common" + +common: + ### + ### Essential site configuration + ### + + # The prefix used for all database identifiers to identify the record as + # originating from this site. Must be exactly 5 alphanumeric characters + # (lowercase ASCII letters and digits). + uuid_prefix: vwxyz + + # secret_token is a string of alphanumeric characters used by Rails + # to sign session tokens. IMPORTANT: This is a site secret. It + # should be at least 50 characters. + secret_token: changeme + + # blob_signing_key is a string of alphanumeric characters used to + # generate permission signatures for Keep locators. It must be + # identical to the permission key given to Keep. IMPORTANT: This is + # a site secret. It should be at least 50 characters. + # + # Modifying blob_signing_key will invalidate all existing + # signatures, which can cause programs to fail (e.g., arv-put, + # arv-get, and Crunch jobs). To avoid errors, rotate keys only when + # no such processes are running. + blob_signing_key: key + + # These settings are provided by your OAuth2 provider (e.g., + # sso-provider). + sso_app_secret: app_secret + sso_app_id: arvados-server + sso_provider_url: http://8.8.8.8:3002 + + # If this is not false, HTML requests at the API server's root URL + # are redirected to this location, and it is provided in the text of + # user activation notification email messages to remind them where + # to log in. 
+ workbench_address: false + + # Client-facing URI for websocket service. Nginx should be + # configured to proxy this URI to arvados-ws; see + # http://doc.arvados.org/install/install-ws.html + # + # If websocket_address is false (which is the default), no websocket + # server will be advertised to clients. This configuration is not + # supported. + # + # Example: + #websocket_address: wss://ws.zzzzz.arvadosapi.com/websocket + websocket_address: wss://8.8.8.8:9003/websocket + + # Maximum number of websocket connections allowed + websocket_max_connections: 500 + + # Maximum number of events a single connection can be backlogged + websocket_max_notify_backlog: 1000 + + # Maximum number of subscriptions a single websocket connection can have + # active. + websocket_max_filters: 10 + + # Git repositories must be readable by api server, or you won't be + # able to submit crunch jobs. To pass the test suites, put a clone + # of the arvados tree in {git_repositories_dir}/arvados.git or + # {git_repositories_dir}/arvados/.git + git_repositories_dir: /var/lib/arvados/git/repositories + + # This is a (bare) repository that stores commits used in jobs. When a job + # runs, the source commits are first fetched into this repository, then this + # repository is used to deploy to compute nodes. This should NOT be a + # subdirectory of {git_repositiories_dir}. + git_internal_dir: /var/lib/arvados/internal.git + + # Default replication level for collections. This is used when a + # collection's replication_desired attribute is nil. + default_collection_replication: 2 + + + ### + ### Overriding default advertised hostnames/URLs + ### + + # If not false, this is the hostname that will be used for root_url and + # advertised in the discovery document. By default, use the default Rails + # logic for deciding on a hostname. + host: false + + # Base part of SSH git clone url given with repository resources. If + # true, the default "git@git.(uuid_prefix).arvadosapi.com:" is + # used. 
If false, SSH clone URLs are not advertised. Include a + # trailing ":" or "/" if needed: it will not be added automatically. + git_repo_ssh_base: true + + # Base part of HTTPS git clone urls given with repository + # resources. This is expected to be an arv-git-httpd service which + # accepts API tokens as HTTP-auth passwords. If true, the default + # "https://git.(uuid_prefix).arvadosapi.com/" is used. If false, + # HTTPS clone URLs are not advertised. Include a trailing ":" or "/" + # if needed: it will not be added automatically. + git_repo_https_base: true + + + ### + ### New user and & email settings + ### + + # Config parameters to automatically setup new users. + # The params auto_setup_new_users_with_* are meaningful only when auto_setup_new_users is turned on. + # auto_setup_name_blacklist is a list of usernames to be blacklisted for auto setup. + auto_setup_new_users: true + auto_setup_new_users_with_vm_uuid: false + auto_setup_new_users_with_repository: false + auto_setup_name_blacklist: [arvados, git, gitolite, gitolite-admin, root, syslog] + + # When new_users_are_active is set to true, the user agreement check is skipped. + new_users_are_active: true + + # The e-mail address of the user you would like to become marked as an admin + # user on their first login. + # In the default configuration, authentication happens through the Arvados SSO + # server, which uses OAuth2 against Google's servers, so in that case this + # should be an address associated with a Google account. + auto_admin_user: false + + # If auto_admin_first_user is set to true, the first user to log in when no + # other admin users exist will automatically become an admin user. 
+ auto_admin_first_user: true + + # Email address to notify whenever a user creates a profile for the + # first time + user_profile_notification_address: false + + admin_notifier_email_from: arvados@example.com + email_subject_prefix: "[ARVADOS] " + user_notifier_email_from: arvados@example.com + new_user_notification_recipients: [ ] + new_inactive_user_notification_recipients: [ ] + + + ### + ### Limits, timeouts and durations + ### + + # Lifetime (in seconds) of blob permission signatures generated by + # the API server. This determines how long a client can take (after + # retrieving a collection record) to retrieve the collection data + # from Keep. If the client needs more time than that (assuming the + # collection still has the same content and the relevant user/token + # still has permission) the client can retrieve the collection again + # to get fresh signatures. + # + # This must be exactly equal to the -blob-signature-ttl flag used by + # keepstore servers. Otherwise, reading data blocks and saving + # collections will fail with HTTP 403 permission errors. + # + # Modifying blob_signature_ttl invalidates existing signatures; see + # blob_signing_key note above. + # + # The default is 2 weeks. + blob_signature_ttl: 1209600 + + # Default lifetime for ephemeral collections: 2 weeks. This must not + # be less than blob_signature_ttl. + default_trash_lifetime: 1209600 + + # Interval (seconds) between trash sweeps. During a trash sweep, + # collections are marked as trash if their trash_at time has + # arrived, and deleted if their delete_at time has arrived. + trash_sweep_interval: 60 + + # Maximum characters of (JSON-encoded) query parameters to include + # in each request log entry. When params exceed this size, they will + # be JSON-encoded, truncated to this size, and logged as + # params_truncated. + max_request_log_params_size: 2000 + + # Maximum size (in bytes) allowed for a single API request. 
This + # limit is published in the discovery document for use by clients. + # Note: You must separately configure the upstream web server or + # proxy to actually enforce the desired maximum request size on the + # server side. + max_request_size: 134217728 + + # Limit the number of bytes read from the database during an index + # request (by retrieving and returning fewer rows than would + # normally be returned in a single response). + # Note 1: This setting never reduces the number of returned rows to + # zero, no matter how big the first data row is. + # Note 2: Currently, this is only checked against a specific set of + # columns that tend to get large (collections.manifest_text, + # containers.mounts, workflows.definition). Other fields (e.g., + # "properties" hashes) are not counted against this limit. + max_index_database_read: 134217728 + + # Maximum number of items to return when responding to a APIs that + # can return partial result sets using limit and offset parameters + # (e.g., *.index, groups.contents). If a request specifies a "limit" + # parameter higher than this value, this value is used instead. + max_items_per_response: 1000 + + # When you run the db:delete_old_job_logs task, it will find jobs that + # have been finished for at least this many seconds, and delete their + # stderr logs from the logs table. + clean_job_log_rows_after: <%= 30.days %> + + # When you run the db:delete_old_container_logs task, it will find + # containers that have been finished for at least this many seconds, + # and delete their stdout, stderr, arv-mount, crunch-run, and + # crunchstat logs from the logs table. + clean_container_log_rows_after: <%= 30.days %> + + # Time to keep audit logs, in seconds. (An audit log is a row added + # to the "logs" table in the PostgreSQL database each time an + # Arvados object is created, modified, or deleted.) 
+ # + # Currently, websocket event notifications rely on audit logs, so + # this should not be set lower than 600 (5 minutes). + max_audit_log_age: 1209600 + + # Maximum number of log rows to delete in a single SQL transaction. + # + # If max_audit_log_delete_batch is 0, log entries will never be + # deleted by Arvados. Cleanup can be done by an external process + # without affecting any Arvados system processes, as long as very + # recent (<5 minutes old) logs are not deleted. + # + # 100000 is a reasonable batch size for most sites. + max_audit_log_delete_batch: 0 + + # The maximum number of compute nodes that can be in use simultaneously + # If this limit is reduced, any existing nodes with slot number >= new limit + # will not be counted against the new limit. In other words, the new limit + # won't be strictly enforced until those nodes with higher slot numbers + # go down. + max_compute_nodes: 64 + + # These two settings control how frequently log events are flushed to the + # database. Log lines are buffered until either crunch_log_bytes_per_event + # has been reached or crunch_log_seconds_between_events has elapsed since + # the last flush. + crunch_log_bytes_per_event: 4096 + crunch_log_seconds_between_events: 1 + + # The sample period for throttling logs, in seconds. + crunch_log_throttle_period: 60 + + # Maximum number of bytes that job can log over crunch_log_throttle_period + # before being silenced until the end of the period. + crunch_log_throttle_bytes: 65536 + + # Maximum number of lines that job can log over crunch_log_throttle_period + # before being silenced until the end of the period. + crunch_log_throttle_lines: 1024 + + # Maximum bytes that may be logged by a single job. Log bytes that are + # silenced by throttling are not counted against this total. + crunch_limit_log_bytes_per_job: 67108864 + + crunch_log_partial_line_throttle_period: 5 + + # Attributes to suppress in events and audit logs. 
Notably, + # specifying ["manifest_text"] here typically makes the database + # smaller and faster. + # + # Warning: Using any non-empty value here can have undesirable side + # effects for any client or component that relies on event logs. + # Use at your own risk. + unlogged_attributes: [] + + # API methods to disable. Disabled methods are not listed in the + # discovery document, and respond 404 to all requests. + # Example: ["jobs.create", "pipeline_instances.create"] + disable_api_methods: [] + + ### + ### Crunch, DNS & compute node management + ### + + # Docker image to be used when none found in runtime_constraints of a job + default_docker_image_for_jobs: false + + # List of supported Docker Registry image formats that compute nodes + # are able to use. `arv keep docker` will error out if a user tries + # to store an image with an unsupported format. Use an empty array + # to skip the compatibility check (and display a warning message to + # that effect). + # + # Example for sites running docker < 1.10: ["v1"] + # Example for sites running docker >= 1.10: ["v2"] + # Example for disabling check: [] + docker_image_formats: ["v2"] + + # :none or :slurm_immediate + crunch_job_wrapper: :none + + # username, or false = do not set uid when running jobs. + crunch_job_user: crunch + + # The web service must be able to create/write this file, and + # crunch-job must be able to stat() it. + crunch_refresh_trigger: /tmp/crunch_refresh_trigger + + # Path to dns server configuration directory + # (e.g. /etc/unbound.d/conf.d). If false, do not write any config + # files or touch restart.txt (see below). + dns_server_conf_dir: false + + # Template file for the dns server host snippets. See + # unbound.template in this directory for an example. If false, do + # not write any config files. + dns_server_conf_template: false + + # String to write to {dns_server_conf_dir}/restart.txt (with a + # trailing newline) after updating local data. 
If false, do not + # open or write the restart.txt file. + dns_server_reload_command: false + + # Command to run after each DNS update. Template variables will be + # substituted; see the "unbound" example below. If false, do not run + # a command. + dns_server_update_command: false + + ## Example for unbound: + #dns_server_conf_dir: /etc/unbound/conf.d + #dns_server_conf_template: /path/to/your/api/server/config/unbound.template + ## ...plus one of the following two methods of reloading: + #dns_server_reload_command: unbound-control reload + #dns_server_update_command: echo %{hostname} %{hostname}.%{uuid_prefix} %{hostname}.%{uuid_prefix}.arvadosapi.com %{ptr_domain} | xargs -n 1 unbound-control local_data_remove && unbound-control local_data %{hostname} IN A %{ip_address} && unbound-control local_data %{hostname}.%{uuid_prefix} IN A %{ip_address} && unbound-control local_data %{hostname}.%{uuid_prefix}.arvadosapi.com IN A %{ip_address} && unbound-control local_data %{ptr_domain}. IN PTR %{hostname}.%{uuid_prefix}.arvadosapi.com + + compute_node_domain: false + compute_node_nameservers: + - 192.168.1.1 + + # Hostname to assign to a compute node when it sends a "ping" and the + # hostname in its Node record is nil. + # During bootstrapping, the "ping" script is expected to notice the + # hostname given in the ping response, and update its unix hostname + # accordingly. + # If false, leave the hostname alone (this is appropriate if your compute + # nodes' hostnames are already assigned by some other mechanism). + # + # One way or another, the hostnames of your node records should agree + # with your DNS records and your /etc/slurm-llnl/slurm.conf files. + # + # Example for compute0000, compute0001, ....: + # assign_node_hostname: compute%04d + # (See http://ruby-doc.org/core-2.2.2/Kernel.html#method-i-format for more.) + assign_node_hostname: compute%d + + + ### + ### Job and container reuse logic. 
+ ### + + # Include details about job reuse decisions in the server log. This + # causes additional database queries to run, so it should not be + # enabled unless you expect to examine the resulting logs for + # troubleshooting purposes. + log_reuse_decisions: false + + # Control job reuse behavior when two completed jobs match the + # search criteria and have different outputs. + # + # If true, in case of a conflict, reuse the earliest job (this is + # similar to container reuse behavior). + # + # If false, in case of a conflict, do not reuse any completed job, + # but do reuse an already-running job if available (this is the + # original job reuse behavior, and is still the default). + reuse_job_if_outputs_differ: false + + ### + ### Federation support. + ### + + # You can enable use of this cluster by users who are authenticated + # by a remote Arvados site. Control which remote hosts are trusted + # to authenticate which user IDs by configuring remote_hosts, + # remote_hosts_via_dns, or both. The default configuration disables + # remote authentication. + + # Map known prefixes to hosts. For example, if user IDs beginning + # with "zzzzz-" should be authenticated by the Arvados server at + # "zzzzz.example.com", use: + # + # remote_hosts: + # zzzzz: zzzzz.example.com + remote_hosts: {} + + # Use {prefix}.arvadosapi.com for any prefix not given in + # remote_hosts above. + remote_hosts_via_dns: false + + ### + ### Remaining assorted configuration options. + ### + + arvados_theme: default + + # Permit insecure (OpenSSL::SSL::VERIFY_NONE) connections to the + # Single Sign On (sso) server and remote Arvados sites. Should only + # be enabled during development when the SSO server is using a + # self-signed cert. + sso_insecure: true # TODO: Make this false. + + ## Set Time.zone default to the specified zone and make Active + ## Record auto-convert to this zone. Run "rake -D time" for a list + ## of tasks for finding time zone names. Default is UTC. 
+ #time_zone: Central Time (US & Canada) + + ## Default encoding used in templates for Ruby 1.9. + encoding: utf-8 + + # Enable the asset pipeline + assets.enabled: true + + # Version of your assets, change this if you want to expire all your assets + assets.version: "1.0" + + # Allow clients to create collections by providing a manifest with + # unsigned data blob locators. IMPORTANT: This effectively disables + # access controls for data stored in Keep: a client who knows a hash + # can write a manifest that references the hash, pass it to + # collections.create (which will create a permission link), use + # collections.get to obtain a signature for that data locator, and + # use that signed locator to retrieve the data from Keep. Therefore, + # do not turn this on if your users expect to keep data private from + # one another! + permit_create_collection_with_unsigned_manifest: false + + default_openid_prefix: https://www.google.com/accounts/o8/id + + # Override the automatic version string. With the default value of + # false, the version string is read from git-commit.version in + # Rails.root (included in vendor packages) or determined by invoking + # "git log". + source_version: false + + # Enable asynchronous permission graph rebuild. Must run + # script/permission-updater.rb as a separate process. When the permission + # cache is invalidated, the background process will update the permission + # graph cache. This feature is experimental! + async_permissions_update: false + + # Default value for container_count_max for container requests. This is the + # number of times Arvados will create a new container to satisfy a container + # request. If a container is cancelled it will retry a new container if + # container_count < container_count_max on any container requests associated + # with the cancelled container. + container_count_max: 3 + + # Default value for keep_cache_ram of a container's runtime_constraints. 
+ container_default_keep_cache_ram: 268435456 + + # Token to be included in all healthcheck requests. Disabled by default. + # Server expects request header of the format "Authorization: Bearer xxx" + ManagementToken: false + + # URL of keep-web service. Provides read/write access to collections via + # HTTP and WebDAV protocols. + # + # Example: + # keep_web_service_url: https://download.uuid_prefix.arvadosapi.com/ + keep_web_service_url: false + +development: + force_ssl: false + cache_classes: false + whiny_nils: true + consider_all_requests_local: true + action_controller.perform_caching: false + action_mailer.raise_delivery_errors: false + action_mailer.perform_deliveries: false + active_support.deprecation: :log + action_dispatch.best_standards_support: :builtin + active_record.auto_explain_threshold_in_seconds: 0.5 + assets.compress: false + assets.debug: true + +production: + force_ssl: true + cache_classes: true + consider_all_requests_local: false + action_controller.perform_caching: true + serve_static_files: false + assets.compress: true + assets.compile: false + assets.digest: true + +test: + force_ssl: false + cache_classes: true + serve_static_files: true + static_cache_control: public, max-age=3600 + whiny_nils: true + consider_all_requests_local: true + action_controller.perform_caching: false + action_dispatch.show_exceptions: false + action_controller.allow_forgery_protection: false + action_mailer.delivery_method: :test + active_support.deprecation: :stderr + uuid_prefix: zzzzz + sso_app_id: arvados-server + sso_app_secret: <%= rand(2**512).to_s(36) %> + sso_provider_url: http://localhost:3002 + secret_token: <%= rand(2**512).to_s(36) %> + blob_signing_key: zfhgfenhffzltr9dixws36j1yhksjoll2grmku38mi7yxd66h5j4q9w4jzanezacp8s6q0ro3hxakfye02152hncy6zml2ed0uc + user_profile_notification_address: arvados@example.com + workbench_address: https://localhost:3001/ + git_repositories_dir: <%= Rails.root.join 'tmp', 'git', 'test' %> + git_internal_dir: <%= 
Rails.root.join 'tmp', 'internal.git' %> + websocket_address: "wss://0.0.0.0:<%= ENV['ARVADOS_TEST_WSS_PORT'] %>/websocket" + trash_sweep_interval: -1 + docker_image_formats: ["v2"] diff --git a/arvados/config/api-server/create-workbench-api-client.rb b/arvados/config/api-server/create-workbench-api-client.rb new file mode 100644 index 0000000..b5fdf30 --- /dev/null +++ b/arvados/config/api-server/create-workbench-api-client.rb @@ -0,0 +1,10 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +include CurrentApiClient +act_as_system_user do + wb = ApiClient.new(:url_prefix => "8.8.8.8") + wb.save! + wb.update_attributes!(is_trusted: true) +end diff --git a/arvados/config/api-server/database.yml b/arvados/config/api-server/database.yml new file mode 100644 index 0000000..8b1ad41 --- /dev/null +++ b/arvados/config/api-server/database.yml @@ -0,0 +1,33 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +production: + adapter: postgresql + encoding: utf8 + database: arvados_production + username: arvados + password: pw + host: arvados-postgres + template: template0 + +development: + adapter: postgresql + encoding: utf8 + database: arvados_sso_development + username: arvados_sso + password: xxxxxxxx + host: localhost + template: template0 + +# Warning: The database defined as "test" will be erased and +# re-generated from your development database when you run "rake". +# Do not set this db to the same as development or production. +test: + adapter: postgresql + encoding: utf8 + database: arvados_sso_test + username: arvados_sso + password: xxxxxxxx + host: localhost + template: template0 diff --git a/arvados/config/api-server/nginx.conf b/arvados/config/api-server/nginx.conf new file mode 100644 index 0000000..69967ad --- /dev/null +++ b/arvados/config/api-server/nginx.conf 
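Review bot: The trusted ApiClient is registered with `url_prefix => "8.8.8.8"`, so the placeholder address used throughout this chart becomes the Workbench client record the API server trusts; if the deployer changes the Workbench address in values, this record silently keeps the old one. The script is also not idempotent: every run of the init path that reaches it does `ApiClient.new ... save!` and adds another trusted row, so `wb = ApiClient.find_or_create_by(url_prefix: ...)` (or a lookup before `new`) would be safer, assuming url_prefix is not already unique-constrained (I can't tell from here). The url_prefix should be rendered from the same value the Workbench config uses rather than a literal.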
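Review bot: The `development` and `test` sections of arvados/config/api-server/database.yml use `arvados_sso_development` / `arvados_sso_test` with user `arvados_sso`, which are the SSO server's databases (compare arvados/config/sso/database.yml in this same commit), so they look copied rather than intended; only `production` names `arvados_production` / `arvados`. The production `password: pw` is committed in clear and must stay in step with `create_dbs.sh`; since Rails evaluates database.yml through ERB (this commit already uses `<%= ... %>` in application.yml), `password: <%= ENV['ARVADOS_DB_PASSWORD'] %>` (variable name is a proposal) fed from a Kubernetes Secret would keep it out of the chart and the ConfigMap. The same literal is repeated in arvados/config/sso/database.yml and arvados/config/ws/ws.yml.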
@@ -0,0 +1,66 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +server { + listen 127.0.0.1:8000; + server_name localhost-api; + + root /var/www/arvados-api/current/public; + index index.html index.htm index.php; + + passenger_enabled on; + # If you're using RVM, uncomment the line below. + passenger_ruby /usr/local/rvm/wrappers/default/ruby; + + # This value effectively limits the size of API objects users can + # create, especially collections. If you change this, you should + # also ensure the following settings match it: + # * `client_max_body_size` in the server section below + # * `client_max_body_size` in the Workbench Nginx configuration (twice) + # * `max_request_size` in the API server's application.yml file + client_max_body_size 128m; +} + +upstream api { + server 127.0.0.1:8000 fail_timeout=10s; +} + +proxy_http_version 1.1; + +# When Keep clients request a list of Keep services from the API server, the +# server will automatically return the list of available proxies if +# the request headers include X-External-Client: 1. Following the example +# here, at the end of this section, add a line for each netmask that has +# direct access to Keep storage daemons to set this header value to 0. +geo $external_client { + default 1; + 10.0.0.0/8 0; +} + +server { + listen 0.0.0.0:444 ssl; + server_name public-api; + + ssl on; + ssl_certificate /etc/ssl/certs/api-server.pem; + ssl_certificate_key /etc/ssl/private/api-server.key; + + index index.html index.htm index.php; + + # Refer to the comment about this setting in the server section above. 
+ client_max_body_size 128m; + + location / { + proxy_pass http://api; + proxy_redirect off; + proxy_connect_timeout 90s; + proxy_read_timeout 300s; + + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_set_header X-External-Client $external_client; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} diff --git a/arvados/config/postgres/create_dbs.sh b/arvados/config/postgres/create_dbs.sh new file mode 100644 index 0000000..9f37880 --- /dev/null +++ b/arvados/config/postgres/create_dbs.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +function create_user_and_database() { + local database=$1 + local user=$2 + local password=$3 + echo "Creating database '$database'" + psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE USER $user WITH CREATEDB PASSWORD '$password'; + CREATE DATABASE $database OWNER $user; +EOSQL +} + +create_user_and_database arvados_sso_production arvados_sso pw +create_user_and_database arvados_production arvados pw diff --git a/arvados/config/shell-server/99-init-keep.sh b/arvados/config/shell-server/99-init-keep.sh new file mode 100644 index 0000000..1a20c1f --- /dev/null +++ b/arvados/config/shell-server/99-init-keep.sh @@ -0,0 +1,36 @@ +#!/bin/bash +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +set -e +export HOME="/root" +arv keep_service create --keep-service "$(cat <> /etc/ssl/certs/ca-certificates.crt diff --git a/arvados/config/ssl/cert b/arvados/config/ssl/cert new file mode 100644 index 0000000..8f839af --- /dev/null +++ b/arvados/config/ssl/cert @@ -0,0 +1 @@ +Generate me with the cert-gen.sh script. diff --git a/arvados/config/ssl/key b/arvados/config/ssl/key new file mode 100644 index 0000000..8f839af --- /dev/null +++ b/arvados/config/ssl/key 
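Review bot: The public `server` block on port 444 enables TLS with only `ssl on;` and the two certificate paths and sets no `ssl_protocols` or `ssl_ciphers`, so clients get whatever the base image's nginx build defaults to, which for an older build can include TLS 1.0; adding `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` next to the certificate lines pins that. `ssl on;` itself is deprecated in favour of the `ssl` parameter, which the `listen` line already carries. The comment `# If you're using RVM, uncomment the line below.` sits above an uncommented `passenger_ruby` directive, so either the comment or the directive is stale. The same three points apply to the port-443 block in arvados/config/workbench/nginx.conf and the port-25107 block in arvados/templates/keep-proxy-https.yaml.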
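Review bot: The script has no `set -e`, so if the first `psql` fails (`ON_ERROR_STOP=1` makes it exit non-zero) the second `create_user_and_database` call still runs and the script exits 0, hiding a half-initialised database; add `set -euo pipefail` after the shebang. Both passwords are the literal `pw`, passed as positional arguments (visible in `ps`) and interpolated unescaped into the SQL heredoc; reading them from the environment, e.g. `"${ARVADOS_DB_PASSWORD:?}"` (name is a proposal) supplied from a Secret, would keep them out of the chart and out of process listings. Quoting the interpolated values or using `psql -v pw="$password"` with `:'pw'` substitution would also stop a password containing `'` from breaking the statement.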
@@ -0,0 +1 @@ +Generate me with the cert-gen.sh script. diff --git a/arvados/config/sso/90-init-db.sh b/arvados/config/sso/90-init-db.sh new file mode 100644 index 0000000..3d8a878 --- /dev/null +++ b/arvados/config/sso/90-init-db.sh @@ -0,0 +1,33 @@ +#!/bin/bash +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +set -e + +prepare_database() { + RAILSPKG_DATABASE_LOAD_TASK="$1" + DB_MIGRATE_STATUS=$($COMMAND_PREFIX bundle exec rake db:migrate:status 2>&1 || true) + if echo "$DB_MIGRATE_STATUS" | grep -qF 'Schema migrations table does not exist yet.'; then + # The database exists, but the migrations table doesn't. + bundle exec rake "$RAILSPKG_DATABASE_LOAD_TASK" db:seed + elif echo "$DB_MIGRATE_STATUS" | grep -q '^database: '; then + bundle exec rake db:migrate + elif echo "$DB_MIGRATE_STATUS" | grep -q 'database .* does not exist'; then + bundle exec rake db:setup + else + echo "Warning: Database is not ready to set up." >&2 + exit 1 + fi + + if [[ -f "/create-workbench-api-client.rb" ]]; then + # This is the API server + cd /var/www/arvados-api/current + bundle exec script/create_superuser_token.rb thisisnotaverygoodsuperusersecretstring00000000000 + cd script + bundle exec get_anonymous_user_token.rb -t thisisnotaverygoodanonymoussecretstring00000000000 || true + bundle exec rails runner /create-workbench-api-client.rb + fi +} + +prepare_database "db:schema:load" diff --git a/arvados/config/sso/92-init-client.sh b/arvados/config/sso/92-init-client.sh new file mode 100644 index 0000000..9acf827 --- /dev/null +++ b/arvados/config/sso/92-init-client.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +set -e +bundle exec rails runner /init-client.rb diff --git a/arvados/config/sso/application.yml b/arvados/config/sso/application.yml new file mode 100644 index 0000000..474151d --- /dev/null +++ b/arvados/config/sso/application.yml 
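Review bot: The superuser token `thisisnotaverygoodsuperusersecretstring00000000000` and the anonymous token are fixed literals in the script, so every cluster installed from this chart shares the same API superuser credential, and the value is also visible in the container's process list while `create_superuser_token.rb` runs. Both should be read from a Kubernetes Secret (the same source keep-proxy-deployment.yaml's `ARVADOS_API_TOKEN` env var should use); I can't see whether anything rotates them later, since `bootstrap.sh` is outside this diff. `$COMMAND_PREFIX` is never assigned in the script and only works because `set -u` is not in effect. The `|| true` on the anonymous-token step turns a failure there into silence; at least `echo "warning: ..." >&2` in that branch.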
@@ -0,0 +1,94 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +# Copy this file to application.yml and edit to suit. +# +# Consult application.default.yml for the full list of configuration +# settings. +# +# The order of precedence is: +# 1. config/environments/{RAILS_ENV}.rb (deprecated) +# 2. Section in application.yml corresponding to RAILS_ENV (e.g., development) +# 3. Section in application.yml called "common" +# 4. Section in application.default.yml corresponding to RAILS_ENV +# 5. Section in application.default.yml called "common" + +common: + uuid_prefix: abcde + secret_token: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz + + # The site name that will be used in text such as "Sign in to site_title" + site_title: Arvados + + # After logging in, the title and URL of the link that will be presented to + # the user as the default destination on the welcome page. + default_link_title: Arvados + default_link_url: "http://localhost:3000" + + ### + ### Local account configuration. This is enabled if neither + ### google_oauth2 or LDAP are enabled below. + ### + # If true, allow new creation of new accounts in the SSO server's internal + # user database. + allow_account_registration: false + + # If true, send an email confirmation before activating new accounts in the + # SSO server's internal user database. + require_email_confirmation: false + + + ### + ### Google+ OAuth2 authentication. + ### + # Google API tokens required for OAuth2 login. + # + # See https://github.com/zquestz/omniauth-google-oauth2 + # + # and https://developers.google.com/accounts/docs/OAuth2 + google_oauth2_client_id: false + google_oauth2_client_secret: false + + # Set this to your OpenId 2.0 realm to enable migration from Google OpenId + # 2.0 to Google OAuth2 OpenId Connect (Google will provide OpenId 2.0 user + # identifiers via the openid.realm parameter in the OAuth2 flow until 2017). 
+ google_openid_realm: false + + + ### + ### LDAP authentication. + ### + # + # If you want to use LDAP, you need to provide + # the following set of fields under the use_ldap key. + # + # If 'email_domain' field is set, it will be stripped from the email address + # entered by the user prior attempting LDAP binding on 'uid'. This supports + # the case where it is not possible to look up 'bob@example.com' but instead + # must be looked up as 'uid=bob'. + # + # If it is possible to look up the email address directly (for example + # setting "uid: mail") you should prefer that and leave 'email_domain' unset. + # + # If 'username' is set, this specifies the LDAP field that will be propagated + # to the "username" field in the users table. This should be a + # posix-compatible username (which may be different from the username part of + # the email address.) + # + # Provide 'bind_dn' and 'password' if your LDAP server requires + # a login before authenticating a user. + # + # use_ldap: + # title: Example LDAP + # host: ldap.example.com + # port: 636 + # method: ssl + # base: "ou=Users, dc=example, dc=com" + # uid: uid + # username: uid + # #email_domain: example.com + # #bind_dn: "some_user" + # #password: "some_password" + # + use_ldap: false diff --git a/arvados/config/sso/database.yml b/arvados/config/sso/database.yml new file mode 100644 index 0000000..7045747 --- /dev/null +++ b/arvados/config/sso/database.yml 
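Review bot: `secret_token` in the `common` section is a fixed string of repeated `z` characters committed to the chart, and Rails uses it to sign session cookies, so every SSO instance installed from this chart shares a guessable signing key; render it from a Kubernetes Secret instead (Sprig's `randAlphaNum` at template time is an option if the chart owns that Secret). `uuid_prefix: abcde` has to agree with the API server's `uuid_prefix`, whose production value is not in this chunk. `default_link_url: "http://localhost:3000"` sends users to plain HTTP on localhost after login, which looks like leftover development config given that Workbench is served on 443 elsewhere in this commit.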
@@ -0,0 +1,33 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +production: + adapter: postgresql + encoding: utf8 + database: arvados_sso_production + username: arvados_sso + password: pw + host: arvados-postgres + template: template0 + +development: + adapter: postgresql + encoding: utf8 + database: arvados_sso_development + username: arvados_sso + password: xxxxxxxx + host: localhost + template: template0 + +# Warning: The database defined as "test" will be erased and +# re-generated from your development database when you run "rake". +# Do not set this db to the same as development or production. +test: + adapter: postgresql + encoding: utf8 + database: arvados_sso_test + username: arvados_sso + password: xxxxxxxx + host: localhost + template: template0 diff --git a/arvados/config/sso/init-client.rb b/arvados/config/sso/init-client.rb new file mode 100644 index 0000000..a37eeb5 --- /dev/null +++ b/arvados/config/sso/init-client.rb @@ -0,0 +1,13 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +c = Client.new +c.name = "joshid" +c.app_id = "arvados-server" +c.app_secret = "app_secret" +c.save! + +User.find_or_create_by_email(email: "test@example.com") do |user| + user.password = "passw0rd" +end diff --git a/arvados/config/sso/nginx.conf b/arvados/config/sso/nginx.conf new file mode 100644 index 0000000..9b5340e --- /dev/null +++ b/arvados/config/sso/nginx.conf @@ -0,0 +1,15 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +server { + listen 0.0.0.0:3002; + server_name insecure-sso; + + root /var/www/arvados-sso/current/public; + index index.html index.htm index.php; + + passenger_enabled on; + # If you're using RVM, uncomment the line below. + passenger_ruby /usr/local/rvm/wrappers/default/ruby; +} 
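Review bot: init-client.rb registers the OAuth client with `app_secret = "app_secret"` and unconditionally creates a user `test@example.com` with password `passw0rd`, so a production SSO bootstrapped by this chart carries an account with a well-known password and a client secret that is also committed on the API server side (`sso_app_secret`). The client secret should be rendered from the same Secret the API server reads, and the test user should be gated behind a development-only flag or removed. `Client.new ... save!` also adds a new Client row on every run of 92-init-client.sh since nothing looks up an existing one; `Client.find_or_create_by(name: "joshid")` would make it idempotent, assuming name is not already unique-constrained (can't tell from here).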
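Review bot: The SSO server, which is the component that receives users' passwords (local accounts are created in init-client.rb and governed by `allow_account_registration` in sso/application.yml), is exposed on `listen 0.0.0.0:3002` with no TLS, so unless something not visible here terminates TLS in front of it, credentials cross the cluster network in clear. The api-server's test-section `sso_provider_url: http://localhost:3002` suggests plain HTTP is also what callers are configured for. Mirroring arvados/config/api-server/nginx.conf — a `127.0.0.1` Passenger listener plus a public `listen ... ssl` block using the ssl-configmap certificate, with the provider URL switched to `https://` — would close that.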
diff --git a/arvados/config/workbench/application.yml b/arvados/config/workbench/application.yml new file mode 100644 index 0000000..111a3da --- /dev/null +++ b/arvados/config/workbench/application.yml @@ -0,0 +1,42 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + +# Copy this file to application.yml and edit to suit. +# +# Consult application.default.yml for the full list of configuration +# settings. +# +# The order of precedence is: +# 1. config/environments/{RAILS_ENV}.rb (deprecated) +# 2. Section in application.yml corresponding to RAILS_ENV (e.g., development) +# 3. Section in application.yml called "common" +# 4. Section in application.default.yml corresponding to RAILS_ENV +# 5. Section in application.default.yml called "common" + +development: + # At minimum, you need a nice long randomly generated secret_token here. + secret_token: ~ + + # You probably also want to point to your API server. + arvados_login_base: https://arvados.local:3030/login + arvados_v1_base: https://arvados.local:3030/arvados/v1 + arvados_insecure_https: true + + # You need to configure at least one of these: + keep_web_url: false + keep_web_download_url: false + +production: + # At minimum, you need a nice long randomly generated secret_token here. + secret_token: 69f1fd650250e925cb1d9428094add92 + + # You probably also want to point to your API server. + arvados_login_base: https://8.8.8.8:444/login + arvados_v1_base: https://8.8.8.8:444/arvados/v1 + arvados_insecure_https: true # TODO: Change this to false. + + # You need to configure at least one of these: + keep_web_url: https://8.8.8.8:9002/c=%{uuid_or_pdh} + keep_web_download_url: https://8.8.8.8:9002/c=%{uuid_or_pdh} + trust_all_content: true # TODO: remove this. diff --git a/arvados/config/workbench/database.yml b/arvados/config/workbench/database.yml new file mode 100644 index 0000000..b2e59cf --- /dev/null +++ b/arvados/config/workbench/database.yml 
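Review bot: The production `secret_token: 69f1fd650250e925cb1d9428094add92` is a concrete value committed to the chart, so every Workbench installed from it signs sessions with the same key; it should be rendered from a Secret, generated per release. The `arvados_insecure_https: true` and `trust_all_content: true` TODOs are already flagged inline; as I understand it `trust_all_content` is what lets user-uploaded content from `keep_web_url` be served inline to Workbench users, so until it is removed the README (not in this chunk) should state the trade-off. The `8.8.8.8` placeholder here is a real public address that also appears in create-workbench-api-client.rb, api-server-service.yaml, keep-proxy-deployment.yaml and keep-proxy-https.yaml; one values.yaml entry would replace all of them.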
@@ -0,0 +1,51 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +server { + listen 127.0.0.1:9000; + server_name localhost-workbench; + + root /var/www/arvados-workbench/current/public; + index index.html index.htm index.php; + + passenger_enabled on; + # If you're using RVM, uncomment the line below. + passenger_ruby /usr/local/rvm/wrappers/default/ruby; + + # `client_max_body_size` should match the corresponding setting in + # the API server's Nginx configuration. + client_max_body_size 128m; +} + +upstream workbench { + server 127.0.0.1:9000 fail_timeout=10s; +} + +proxy_http_version 1.1; + +server { + listen 0.0.0.0:443 ssl; + server_name public-workbench; + + ssl on; + ssl_certificate /etc/ssl/certs/workbench.pem; + ssl_certificate_key /etc/ssl/private/workbench.key; + + index index.html index.htm index.php; + # `client_max_body_size` should match the corresponding setting in + # the API server's Nginx configuration. + client_max_body_size 128m; + + location / { + proxy_pass http://workbench; + proxy_redirect off; + proxy_connect_timeout 90s; + proxy_read_timeout 300s; + + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} diff --git a/arvados/config/workbench/nginx.conf b/arvados/config/workbench/nginx.conf new file mode 100644 index 0000000..b2e59cf --- /dev/null +++ b/arvados/config/workbench/nginx.conf 
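Review bot: The content of arvados/config/workbench/database.yml is an nginx configuration — `server { listen 127.0.0.1:9000; ... }` — byte-identical to arvados/config/workbench/nginx.conf (both hunks carry blob id `b2e59cf`), so this is a misnamed copy rather than a Rails database config. Any ConfigMap built from `config/workbench/*` will mount nginx directives at the database.yml path, which Rails cannot parse as YAML. Either drop the file, if Workbench in this chart needs no database of its own (I can't confirm from here), or replace it with the intended `production:` adapter block.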
@@ -0,0 +1,51 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +server { + listen 127.0.0.1:9000; + server_name localhost-workbench; + + root /var/www/arvados-workbench/current/public; + index index.html index.htm index.php; + + passenger_enabled on; + # If you're using RVM, uncomment the line below. + passenger_ruby /usr/local/rvm/wrappers/default/ruby; + + # `client_max_body_size` should match the corresponding setting in + # the API server's Nginx configuration. + client_max_body_size 128m; +} + +upstream workbench { + server 127.0.0.1:9000 fail_timeout=10s; +} + +proxy_http_version 1.1; + +server { + listen 0.0.0.0:443 ssl; + server_name public-workbench; + + ssl on; + ssl_certificate /etc/ssl/certs/workbench.pem; + ssl_certificate_key /etc/ssl/private/workbench.key; + + index index.html index.htm index.php; + # `client_max_body_size` should match the corresponding setting in + # the API server's Nginx configuration. + client_max_body_size 128m; + + location / { + proxy_pass http://workbench; + proxy_redirect off; + proxy_connect_timeout 90s; + proxy_read_timeout 300s; + + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} diff --git a/arvados/config/ws/ws.yml b/arvados/config/ws/ws.yml new file mode 100644 index 0000000..ccf79aa --- /dev/null +++ b/arvados/config/ws/ws.yml @@ -0,0 +1,13 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +Client: + APIHost: arvados-ws:443 +Listen: ":9003" +Postgres: + dbname: arvados_production + host: arvados-postgres + password: pw + user: arvados + sslmode: disable diff --git a/arvados/templates/NOTES.txt b/arvados/templates/NOTES.txt new file mode 100644 index 0000000..8bef514 --- /dev/null +++ b/arvados/templates/NOTES.txt 
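Review bot: `Client.APIHost: arvados-ws:443` names what looks like the websocket service itself rather than the API server, which the rest of this commit addresses as `arvados-api-server` on 444 (api-server-service.yaml) or `8.8.8.8:444`; if arvados-ws is the Service this pod sits behind, the server is pointed at itself — worth checking against the ws Service template, which is not in this chunk. `password: pw` is the same committed Postgres credential as in the database.yml files, and `sslmode: disable` sends it and all event-log traffic to `arvados-postgres` unencrypted; `sslmode: require` plus a password sourced from a Secret would address both.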
@@ -0,0 +1,19 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "arvados.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ template "arvados.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "arvados.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "arvados.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:80 +{{- end }} diff --git a/arvados/templates/_helpers.tpl b/arvados/templates/_helpers.tpl new file mode 100644 index 0000000..7b9b93b --- /dev/null +++ b/arvados/templates/_helpers.tpl 
@@ -0,0 +1,37 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Copyright (C) The Arvados Authors. All rights reserved. + +SPDX-License-Identifier: Apache-2.0 +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "arvados.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "arvados.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "arvados.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/arvados/templates/api-server-configmap.yaml b/arvados/templates/api-server-configmap.yaml new file mode 100644 index 0000000..d1f3818 --- /dev/null +++ b/arvados/templates/api-server-configmap.yaml @@ -0,0 +1,15 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: arvados-api-server-configmap + labels: + app: arvados-api-server + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ (.Files.Glob "config/api-server/*").AsConfig | indent 2 }} diff --git a/arvados/templates/api-server-deployment.yaml b/arvados/templates/api-server-deployment.yaml new file mode 100644 index 0000000..95027ce --- /dev/null 
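Review bot: `.Files.Glob "config/api-server/*"` loads every file in that directory into a ConfigMap, which includes application.yml (`secret_token`, `blob_signing_key`, `sso_app_secret`) and database.yml (the Postgres password), so the API server's credentials land in a non-Secret object readable by anyone with ConfigMap access in the namespace. Keep nginx.conf and the init scripts here, but move the two YAML files into a `kind: Secret` (`stringData:` populated with `.Files.Get`) and mount that from api-server-deployment.yaml instead.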
+++ b/arvados/templates/api-server-deployment.yaml @@ -0,0 +1,65 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: "arvados-api-server" + labels: + app: arvados-api-server + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-api-server + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-api-server + release: {{ .Release.Name }} + spec: + containers: + - name: arvados-api-server + image: "cure/arvados-rails-runtime" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "sh" + - "-c" + - "install /init-scripts/*.sh /etc/my_init.d && /usr/local/bin/bootstrap.sh arvados-api-server=1.1.3.20180405021932* && cd /var/www/arvados-api/current && exec /sbin/my_init" + env: + - name: RAILS_ENV + value: "production" + volumeMounts: + - name: api-server-configmap + mountPath: /init-scripts/90-init-db.sh + subPath: 90-init-db.sh + - name: api-server-configmap + mountPath: /etc/arvados/api/database.yml + subPath: database.yml + - name: api-server-configmap + mountPath: /etc/arvados/api/application.yml + subPath: application.yml + - name: api-server-configmap + mountPath: /create-workbench-api-client.rb + subPath: create-workbench-api-client.rb + - name: api-server-configmap + mountPath: /etc/nginx/sites-enabled/api-server.conf + subPath: nginx.conf + - name: ssl-configmap + mountPath: /etc/ssl/certs/api-server.pem + subPath: cert + - name: ssl-configmap + mountPath: /etc/ssl/private/api-server.key + subPath: key + volumes: + - name: api-server-configmap + configMap: + name: arvados-api-server-configmap + - name: ssl-configmap + configMap: + name: ssl-configmap diff --git a/arvados/templates/api-server-service.yaml b/arvados/templates/api-server-service.yaml new file mode 100644 index 0000000..bbb003f 
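Review bot: The TLS private key is delivered from a ConfigMap (`ssl-configmap`, `subPath: key`) into `/etc/ssl/private/api-server.key`; a private key belongs in a `kind: Secret` volume (ideally a `kubernetes.io/tls` Secret with `defaultMode: 0400`) so that ConfigMap read access does not expose it and the file is not world-readable in the container. The same mount pattern is in keep-proxy-https.yaml. The container also installs the package at start-up (`bootstrap.sh arvados-api-server=1.1.3.20180405021932*`) on top of an untagged `cure/arvados-rails-runtime` image, so what runs is decided at pod start by the registry and the apt mirror rather than by the chart; pinning the image by tag or digest and baking the package in would make rollouts reproducible. `apiVersion: apps/v1beta2` is a pre-GA API that newer clusters no longer serve; `apps/v1` accepts the same fields used here.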
--- /dev/null +++ b/arvados/templates/api-server-service.yaml @@ -0,0 +1,23 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: Service +metadata: + name: arvados-api-server + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: LoadBalancer + loadBalancerIP: "8.8.8.8" + ports: + - name: http + port: 444 + targetPort: 444 + protocol: TCP + selector: + app: arvados-api-server diff --git a/arvados/templates/keep-proxy-deployment.yaml b/arvados/templates/keep-proxy-deployment.yaml new file mode 100644 index 0000000..dad4fac --- /dev/null +++ b/arvados/templates/keep-proxy-deployment.yaml @@ -0,0 +1,42 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: "arvados-keep-proxy" + labels: + app: arvados-keep-proxy + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-keep-proxy + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-keep-proxy + release: {{ .Release.Name }} + spec: + replicas: 1 + containers: + - name: arvados-keep-proxy + image: "cure/arvados-runtime" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "sh" + - "-c" + # TODO: the apt-get update should be run in the Dockerfile + - "apt-get update && /usr/local/bin/bootstrap.sh keepproxy=1.1.3.20180404192345* && keepproxy" + env: + - name : ARVADOS_API_HOST + value: "8.8.8.8:444" + - name : ARVADOS_API_HOST_INSECURE + value: "true" + - name : ARVADOS_API_TOKEN + value: "thisisnotaverygoodanonymoussecretstring00000000000" 
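Review bot: `loadBalancerIP: "8.8.8.8"` hard-codes a public address the deployer does not own, so the Service will either fail to obtain it or quietly get a different one while every other component (workbench application.yml, keep-proxy env, create-workbench-api-client.rb) still targets `8.8.8.8`; make it a values entry, e.g. `loadBalancerIP: {{ .Values.api.loadBalancerIP | quote }}` (key name is a proposal), and render the same value into the configs. The port is named `http` but the api-server nginx on 444 speaks TLS only, so `name: https` is accurate. The metadata label `app: {{ template "arvados.name" . }}` differs from the selector's `app: arvados-api-server`; harmless for routing, but inconsistent with the Deployment, which labels itself `arvados-api-server`.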
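Review bot: The second `replicas: 1`, under `template.spec`, is not a PodSpec field; depending on the cluster's validation it is rejected or silently dropped, so remove it — the Deployment-level `replicas: 1` above is the one that counts. The anonymous token `thisisnotaverygoodanonymoussecretstring00000000000` is set as a plain `env` value alongside `ARVADOS_API_HOST_INSECURE: "true"`, so the proxy accepts any certificate from `8.8.8.8:444` and authenticates with a credential committed to the chart; use `valueFrom.secretKeyRef` for the token and, once the api-server certificate is trusted by the image (99-trust-cert.sh appears to append it to the CA bundle for the shell server), drop the insecure flag. The `- name : ARVADOS_API_HOST` entries have a space before the colon, which yamllint flags.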
diff --git a/arvados/templates/keep-proxy-https.yaml b/arvados/templates/keep-proxy-https.yaml new file mode 100644 index 0000000..2a90519 --- /dev/null +++ b/arvados/templates/keep-proxy-https.yaml 
@@ -0,0 +1,109 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +--- +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: arvados-keep-proxy-https + labels: + app: arvados-keep-proxy-https + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-keep-proxy-https + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-keep-proxy-https + release: {{ .Release.Name }} + spec: + containers: + - name: {{ .Chart.Name }} + image: "nginx:1.10" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: nginx-configmap + mountPath: /etc/nginx/conf.d/default.conf + subPath: nginx.conf + - name: ssl-configmap + mountPath: /etc/nginx/ssl.crt + subPath: cert + - name: ssl-configmap + mountPath: /etc/nginx/ssl.key + subPath: key + volumes: + - name: ssl-configmap + configMap: + name: ssl-configmap + - name: nginx-configmap + configMap: + name: arvados-keep-proxy-https-configmap +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: arvados-keep-proxy-https-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + nginx.conf: | + upstream httpContainer { + server arvados-keep-proxy:25107; + } + + server { + listen 0.0.0.0:25107 ssl; + server_name arvados-keep-proxy-https; + + proxy_connect_timeout 90s; + proxy_read_timeout 300s; + proxy_set_header X-Real-IP $remote_addr; + + ssl on; + ssl_certificate /etc/nginx/ssl.crt; + ssl_certificate_key /etc/nginx/ssl.key; + + # Clients need to be able to upload blocks of data up to 64MiB in size. + client_max_body_size 64m; + + # Redirect plain HTTP requests to HTTPS. 
+ error_page 497 301 =307 https://$host:$server_port$request_uri; + + location / { + proxy_pass http://httpContainer; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + } + } +--- +apiVersion: v1 +kind: Service +metadata: + name: arvados-keep-proxy-https + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: LoadBalancer + loadBalancerIP: "8.8.8.8" + ports: + - name: https + port: 25107 + targetPort: 25107 + protocol: TCP + selector: + app: arvados-keep-proxy-https diff --git a/arvados/templates/keep-proxy-service.yaml b/arvados/templates/keep-proxy-service.yaml new file mode 100644 index 0000000..79e2356 --- /dev/null +++ b/arvados/templates/keep-proxy-service.yaml @@ -0,0 +1,21 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: Service +metadata: + name: arvados-keep-proxy + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + ports: + - name: http + port: 25107 + targetPort: 25107 + protocol: TCP + selector: + app: arvados-keep-proxy diff --git a/arvados/templates/keep-store-configmap.yaml b/arvados/templates/keep-store-configmap.yaml new file mode 100644 index 0000000..c17c01d --- /dev/null +++ b/arvados/templates/keep-store-configmap.yaml @@ -0,0 +1,15 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: arvados-keep-store-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + blob-signing.key: key 
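Review bot: The nginx `server` block enables TLS but sets no `ssl_protocols` or `ssl_ciphers`, so the nginx 1.10 defaults apply, which still include TLSv1.0 and TLSv1.1; add `ssl_protocols TLSv1.2;` and an explicit cipher list next to `ssl_certificate_key`, and `ssl on;` is redundant with `listen 0.0.0.0:25107 ssl;`. `proxy_set_header X-Forwarded-For $remote_addr;` overwrites any chain the external load balancer already added; `$proxy_add_x_forwarded_for` preserves it. keep-web-https and ws-https are this file with the name and port substituted and share both points; a single template ranged over a values list would keep the three in sync.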
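Review bot: `blob-signing.key: key` stores a fixed one-word blob signing key in a ConfigMap, and keep-store-deployment starts keepstore with `-enforce-permissions=true -blob-signing-key-file=/etc/keepstore/blob-signing.key`, so permission signatures on this cluster offer no protection to anyone who has read the chart or the ConfigMap. The key belongs in a Secret mounted the same way, with the value taken from values or generated at install, e.g. `{{ .Values.blobSigningKey | default (randAlphaNum 64) }}` (suggested key); whichever way it is produced, it must be the same value the API server's configuration uses. A placeholder that looks like a real key tends to survive into production unchanged, so a comment saying it must be replaced is the minimum.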
diff --git a/arvados/templates/keep-store-deployment.yaml b/arvados/templates/keep-store-deployment.yaml new file mode 100644 index 0000000..92a80e3 --- /dev/null +++ b/arvados/templates/keep-store-deployment.yaml @@ -0,0 +1,43 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1beta2 +kind: StatefulSet +metadata: + name: "arvados-keep-store" + labels: + app: arvados-keep-store + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 2 + serviceName: arvados-keep-store + selector: + matchLabels: + app: arvados-keep-store + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-keep-store + release: {{ .Release.Name }} + spec: + containers: + - name: arvados-keep-store + image: "cure/arvados-runtime" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "sh" + - "-c" + # TODO: the apt-get update should be run in the Dockerfile + - "apt-get update && mkdir /keepdata && /usr/local/bin/bootstrap.sh keepstore=1.1.3.20180404192345* && GOGC=10 keepstore -enforce-permissions=true -blob-signing-key-file=/etc/keepstore/blob-signing.key -max-buffers=100 -serialize=true -never-delete=false -volume=/keepdata" + volumeMounts: + - name: keep-store-configmap + mountPath: /etc/keepstore/blob-signing.key + subPath: blob-signing.key + volumes: + - name: keep-store-configmap + configMap: + name: arvados-keep-store-configmap diff --git a/arvados/templates/keep-store-service.yaml b/arvados/templates/keep-store-service.yaml new file mode 100644 index 0000000..32c8ebc --- /dev/null +++ b/arvados/templates/keep-store-service.yaml 
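Review bot: The StatefulSet declares no `volumeClaimTemplates`, and the command creates `/keepdata` with `mkdir` inside the container's writable layer, so both keepstore replicas hold their blocks on ephemeral storage and every pod restart or reschedule loses them; `replicas: 2` on a StatefulSet only makes sense with a per-replica PersistentVolumeClaim mounted at `/keepdata`. With such a mount in place the `mkdir /keepdata` in the command must become `mkdir -p` or be removed, since `mkdir` on an existing mount point fails and the `&&` chain would then never reach keepstore. The lines below add the mount and claim; the size is a placeholder to be taken from values.
```yaml
        volumeMounts:
        - name: keep-store-configmap
          mountPath: /etc/keepstore/blob-signing.key
          subPath: blob-signing.key
        - name: keepdata
          mountPath: /keepdata
      # … unchanged: volumes (keep-store-configmap) …
  volumeClaimTemplates:
  - metadata:
      name: keepdata
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi  # PLACEHOLDER — take from values
```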
@@ -0,0 +1,22 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: Service +metadata: + name: arvados-keep-store + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + ports: + - name: http + port: 25107 + targetPort: 25107 + protocol: TCP + clusterIP: None + selector: + app: arvados-keep-store diff --git a/arvados/templates/keep-web-deployment.yaml b/arvados/templates/keep-web-deployment.yaml new file mode 100644 index 0000000..6758cae --- /dev/null +++ b/arvados/templates/keep-web-deployment.yaml @@ -0,0 +1,42 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: "arvados-keep-web" + labels: + app: arvados-keep-web + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-keep-web + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-keep-web + release: {{ .Release.Name }} + spec: + replicas: 1 + containers: + - name: arvados-keep-web + image: "cure/arvados-runtime" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "sh" + - "-c" + # TODO: the apt-get update should be run in the Dockerfile + - "apt-get update && /usr/local/bin/bootstrap.sh keep-web=1.1.3.20180404192345* && keep-web -listen=:9002 -trust-all-content" + env: + - name : ARVADOS_API_HOST + value: "8.8.8.8:444" + - name : ARVADOS_API_HOST_INSECURE + value: "true" + - name : ARVADOS_API_TOKEN + value: "thisisnotaverygoodanonymoussecretstring00000000000" diff --git a/arvados/templates/keep-web-https.yaml b/arvados/templates/keep-web-https.yaml new file mode 100644 index 0000000..1fa54e2 --- /dev/null +++ b/arvados/templates/keep-web-https.yaml 
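Review bot: `keep-web -listen=:9002 -trust-all-content` switches off keep-web's content-type restriction, which its own documentation marks as dangerous unless keep-web is served from a hostname of its own (ideally a per-collection wildcard) so that user-uploaded HTML cannot execute in the origin of other Arvados services; this chart exposes keep-web by IP on port 9002 next to the API server and workbench on the same address, so the flag should be dropped or made a values option with that caveat documented. The literal `ARVADOS_API_TOKEN`, `ARVADOS_API_HOST_INSECURE: "true"` and the stray `replicas: 1` under `template.spec` are the same issues raised on keep-proxy-deployment.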
@@ -0,0 +1,109 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +--- +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: arvados-keep-web-https + labels: + app: arvados-keep-web-https + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-keep-web-https + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-keep-web-https + release: {{ .Release.Name }} + spec: + containers: + - name: {{ .Chart.Name }} + image: "nginx:1.10" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: nginx-configmap + mountPath: /etc/nginx/conf.d/default.conf + subPath: nginx.conf + - name: ssl-configmap + mountPath: /etc/nginx/ssl.crt + subPath: cert + - name: ssl-configmap + mountPath: /etc/nginx/ssl.key + subPath: key + volumes: + - name: ssl-configmap + configMap: + name: ssl-configmap + - name: nginx-configmap + configMap: + name: arvados-keep-web-https-configmap +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: arvados-keep-web-https-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + nginx.conf: | + upstream httpContainer { + server arvados-keep-web:9002; + } + + server { + listen 0.0.0.0:9002 ssl; + server_name arvados-keep-web-https; + + proxy_connect_timeout 90s; + proxy_read_timeout 300s; + proxy_set_header X-Real-IP $remote_addr; + + ssl on; + ssl_certificate /etc/nginx/ssl.crt; + ssl_certificate_key /etc/nginx/ssl.key; + + # Clients need to be able to upload blocks of data up to 64MiB in size. + client_max_body_size 64m; + + # Redirect plain HTTP requests to HTTPS. 
+ error_page 497 301 =307 https://$host:$server_port$request_uri; + + location / { + proxy_pass http://httpContainer; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + } + } +--- +apiVersion: v1 +kind: Service +metadata: + name: arvados-keep-web-https + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: LoadBalancer + loadBalancerIP: "8.8.8.8" + ports: + - name: https + port: 9002 + targetPort: 9002 + protocol: TCP + selector: + app: arvados-keep-web-https diff --git a/arvados/templates/keep-web-service.yaml b/arvados/templates/keep-web-service.yaml new file mode 100644 index 0000000..2d4f964 --- /dev/null +++ b/arvados/templates/keep-web-service.yaml @@ -0,0 +1,21 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: Service +metadata: + name: arvados-keep-web + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + ports: + - name: http + port: 9002 + targetPort: 9002 + protocol: TCP + selector: + app: arvados-keep-web diff --git a/arvados/templates/postgres-configmap.yaml b/arvados/templates/postgres-configmap.yaml new file mode 100644 index 0000000..93e73c6 --- /dev/null +++ b/arvados/templates/postgres-configmap.yaml @@ -0,0 +1,15 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: postgres-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ (.Files.Glob "config/postgres/*").AsConfig | indent 2 }} 
diff --git a/arvados/templates/postgres-deployment.yaml b/arvados/templates/postgres-deployment.yaml new file mode 100644 index 0000000..e00eb88 --- /dev/null +++ b/arvados/templates/postgres-deployment.yaml @@ -0,0 +1,37 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: "arvados-postgres" + labels: + app: arvados-postgres + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-postgres + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-postgres + release: {{ .Release.Name }} + spec: + containers: + - name: {{ .Chart.Name }} + image: "postgres:9.5" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: postgres-configmap + mountPath: /docker-entrypoint-initdb.d/create_dbs.sh + subPath: create_dbs.sh + volumes: + - name: postgres-configmap + configMap: + name: postgres-configmap diff --git a/arvados/templates/postgres-service.yaml b/arvados/templates/postgres-service.yaml new file mode 100644 index 0000000..067d3b6 --- /dev/null +++ b/arvados/templates/postgres-service.yaml @@ -0,0 +1,19 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: Service +metadata: + name: arvados-postgres + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + ports: + - port: 5432 + protocol: TCP + selector: + app: arvados-postgres diff --git a/arvados/templates/shell-server-configmap.yaml b/arvados/templates/shell-server-configmap.yaml new file mode 100644 index 0000000..b5ac2f0 --- /dev/null +++ b/arvados/templates/shell-server-configmap.yaml 
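Review bot: The `postgres:9.5` container has no volume for its data directory, so the API server, SSO and workbench databases live in the container's writable layer and are lost whenever the pod is recreated; mount a PersistentVolumeClaim at `/var/lib/postgresql/data`, or make this a StatefulSet with `volumeClaimTemplates`. No `POSTGRES_PASSWORD` is set either; unless `create_dbs.sh` configures authentication, the official image appears to fall back to trust authentication when started without one (it logs a warning to that effect), which would let any pod that can reach the `arvados-postgres` Service connect as the superuser.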
@@ -0,0 +1,15 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: arvados-shell-server-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ (.Files.Glob "config/shell-server/*").AsConfig | indent 2 }} diff --git a/arvados/templates/shell-server-deployment.yaml b/arvados/templates/shell-server-deployment.yaml new file mode 100644 index 0000000..b4df56d --- /dev/null +++ b/arvados/templates/shell-server-deployment.yaml 
@@ -0,0 +1,65 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: "arvados-shell-server" + labels: + app: arvados-shell-server + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-shell-server + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-shell-server + release: {{ .Release.Name }} + spec: + containers: + - name: arvados-shell-server + image: "cure/arvados-shell-server-runtime" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "sh" + - "-c" + # TODO: the apt-get update should be run in the Dockerfile + - "apt-get update && /usr/local/bin/bootstrap.sh python-arvados-python-client=1.1.3.20180404223512* gem:arvados-cli=1.1.4.20180412190507 gem:arvados-login-sync=1.1.4.20180412190507 crunchrunner=1.1.3.20180403215323* python-arvados-fuse=1.1.3.20180404223512* && install /init-scripts-staging/* /etc/my_init.d && /sbin/my_init" + env: + - name: RAILS_ENV + value: "production" + - name: ARVADOS_API_HOST + value: "8.8.8.8:444" + - name : ARVADOS_API_HOST_INSECURE + value: "true" + - name : ARVADOS_API_TOKEN + value: "thisisnotaverygoodsuperusersecretstring00000000000" + volumeMounts: + - name: shell-server-configmap + mountPath: /init-scripts-staging/99-init-keep.sh + subPath: 99-init-keep.sh + - name: shell-server-configmap + mountPath: /init-scripts-staging/99-trust-cert.sh + subPath: 99-trust-cert.sh + - name: ssl-configmap + mountPath: /self-signed-cert.pem + subPath: cert + - mountPath: /var/run/docker.sock + name: docker + volumes: + - name: shell-server-configmap + configMap: + name: arvados-shell-server-configmap + - name: ssl-configmap + configMap: + name: ssl-configmap + - name: docker + hostPath: + path: /var/run/docker.sock 
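Review bot: The hostPath mount of `/var/run/docker.sock` hands the shell-server container control of the node's Docker daemon, which is equivalent to root on the node and means any account that can run commands on the shell server can reach the host; if crunch jobs genuinely need the socket, run them in a separate pod rather than the interactive shell host, and otherwise drop the mount. The same container receives a superuser `ARVADOS_API_TOKEN` as a literal env value, which should be a Secret reference as raised on keep-proxy-deployment. Both should at least sit behind a values switch with a comment so an operator can see they are deliberate.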
diff --git a/arvados/templates/ssl-configmap.yaml b/arvados/templates/ssl-configmap.yaml new file mode 100644 index 0000000..4e53ce4 --- /dev/null +++ b/arvados/templates/ssl-configmap.yaml @@ -0,0 +1,15 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: ssl-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ (.Files.Glob "config/ssl/*").AsConfig | indent 2 }} diff --git a/arvados/templates/sso-configmap.yaml b/arvados/templates/sso-configmap.yaml new file mode 100644 index 0000000..cf9ba1a --- /dev/null +++ b/arvados/templates/sso-configmap.yaml @@ -0,0 +1,15 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: arvados-sso-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ (.Files.Glob "config/sso/*").AsConfig | indent 2 }} diff --git a/arvados/templates/sso-deployment.yaml b/arvados/templates/sso-deployment.yaml new file mode 100644 index 0000000..d407b83 --- /dev/null +++ b/arvados/templates/sso-deployment.yaml 
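Review bot: `config/ssl/*` includes the private key (the https templates and workbench deployment mount it as `subPath: key`), so the TLS private key is stored as a ConfigMap, which is not covered by Secret encryption at rest, is readable with plain ConfigMap get permission and is printed by `helm get`; use `kind: Secret` with `type: kubernetes.io/tls`, `tls.crt`/`tls.key` under `data:` via `{{ .Files.Get "config/ssl/key" | b64enc }}`, and change the consuming volumes to `secret: {secretName: ssl-secret}` (suggested name). Because `.Files.Glob` reads the key from the chart directory, whatever sits in `config/ssl/key` ships with the packaged chart; it should be generated at install time or supplied by the user rather than committed.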
@@ -0,0 +1,59 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: "arvados-sso" + labels: + app: arvados-sso + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-sso + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-sso + release: {{ .Release.Name }} + spec: + containers: + - name: {{ .Chart.Name }} + image: "cure/arvados-rails-runtime" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "sh" + - "-c" + - "install /init-scripts/*.sh /etc/my_init.d && /usr/local/bin/bootstrap.sh arvados-sso-server=0.1.20171122141118.ba584a7* && cd /var/www/arvados-sso/current && exec /sbin/my_init" + env: + - name: RAILS_ENV + value: "production" + volumeMounts: + - name: sso-configmap + mountPath: /etc/arvados/sso/database.yml + subPath: database.yml + - name: sso-configmap + mountPath: /etc/arvados/sso/application.yml + subPath: application.yml + - name: sso-configmap + mountPath: /etc/nginx/sites-enabled/sso.conf + subPath: nginx.conf + - name: sso-configmap + mountPath: /init-client.rb + subPath: init-client.rb + - name: sso-configmap + mountPath: /init-scripts/90-init-db.sh + subPath: 90-init-db.sh + - name: sso-configmap + mountPath: /init-scripts/92-init-client.sh + subPath: 92-init-client.sh + volumes: + - name: sso-configmap + configMap: + name: arvados-sso-configmap diff --git a/arvados/templates/sso-service.yaml b/arvados/templates/sso-service.yaml new file mode 100644 index 0000000..43cdc08 --- /dev/null +++ b/arvados/templates/sso-service.yaml 
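Review bot: `image: "cure/arvados-rails-runtime"` carries no tag or digest, so each pull may resolve to a different image, and the container then appears to install the `arvados-sso-server` package through `bootstrap.sh` at start-up over the network, so what runs is decided at boot rather than at build, which defeats rollbacks and supply-chain review. Pin the image, e.g. `image: "cure/arvados-rails-runtime:<tag>"` fed from `.Values.image`, and bake the package into it; the same applies to every `cure/*` image in this commit (keep-proxy, keep-web, keep-store, shell-server, workbench, ws).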
@@ -0,0 +1,23 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: Service +metadata: + name: arvados-sso + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: LoadBalancer + loadBalancerIP: "8.8.8.8" + ports: + - name: http + port: 3002 + targetPort: 3002 + protocol: TCP + selector: + app: arvados-sso diff --git a/arvados/templates/workbench-configmap.yaml b/arvados/templates/workbench-configmap.yaml new file mode 100644 index 0000000..0929859 --- /dev/null +++ b/arvados/templates/workbench-configmap.yaml @@ -0,0 +1,15 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: arvados-workbench-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ (.Files.Glob "config/workbench/*").AsConfig | indent 2 }} diff --git a/arvados/templates/workbench-deployment.yaml b/arvados/templates/workbench-deployment.yaml new file mode 100644 index 0000000..1b1e0f8 --- /dev/null +++ b/arvados/templates/workbench-deployment.yaml 
@@ -0,0 +1,56 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: "arvados-workbench" + labels: + app: arvados-workbench + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-workbench + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-workbench + release: {{ .Release.Name }} + spec: + containers: + - name: arvados-workbench + image: "cure/arvados-rails-runtime" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "sh" + - "-c" + - "/usr/local/bin/bootstrap.sh arvados-workbench=1.1.3.20180323182125* && exec /sbin/my_init" + env: + - name: RAILS_ENV + value: "production" + volumeMounts: + - name: workbench-configmap + mountPath: /etc/arvados/workbench/application.yml + subPath: application.yml + - name: workbench-configmap + mountPath: /etc/nginx/sites-enabled/workbench.conf + subPath: nginx.conf + - name: ssl-configmap + mountPath: /etc/ssl/certs/workbench.pem + subPath: cert + - name: ssl-configmap + mountPath: /etc/ssl/private/workbench.key + subPath: key + volumes: + - name: workbench-configmap + configMap: + name: arvados-workbench-configmap + - name: ssl-configmap + configMap: + name: ssl-configmap diff --git a/arvados/templates/workbench-service.yaml b/arvados/templates/workbench-service.yaml new file mode 100644 index 0000000..05fed6e --- /dev/null +++ b/arvados/templates/workbench-service.yaml 
@@ -0,0 +1,23 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: Service +metadata: + name: arvados-workbench + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: LoadBalancer + loadBalancerIP: "8.8.8.8" + ports: + - name: http + port: 443 + targetPort: 443 + protocol: TCP + selector: + app: arvados-workbench diff --git a/arvados/templates/ws-configmap.yaml b/arvados/templates/ws-configmap.yaml new file mode 100644 index 0000000..0a1cc34 --- /dev/null +++ b/arvados/templates/ws-configmap.yaml @@ -0,0 +1,15 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: arvados-ws-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ (.Files.Glob "config/ws/*").AsConfig | indent 2 }} diff --git a/arvados/templates/ws-deployment.yaml b/arvados/templates/ws-deployment.yaml new file mode 100644 index 0000000..dd918b2 --- /dev/null +++ b/arvados/templates/ws-deployment.yaml 
@@ -0,0 +1,41 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: "arvados-ws" + labels: + app: arvados-ws + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-ws + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-ws + release: {{ .Release.Name }} + spec: + containers: + - name: arvados-ws + image: "cure/arvados-rails-runtime" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "sh" + - "-c" + - "/usr/local/bin/bootstrap.sh arvados-ws=1.1.3.20180403215323* && arvados-ws" + volumeMounts: + - name: ws-configmap + mountPath: /etc/arvados/ws/ws.yml + subPath: ws.yml + volumes: + - name: ws-configmap + configMap: + name: arvados-ws-configmap diff --git a/arvados/templates/ws-https.yaml b/arvados/templates/ws-https.yaml new file mode 100644 index 0000000..41215db --- /dev/null +++ b/arvados/templates/ws-https.yaml 
@@ -0,0 +1,109 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +--- +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: arvados-ws-https + labels: + app: arvados-ws-https + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: arvados-ws-https + release: {{ .Release.Name }} + template: + metadata: + labels: + app: arvados-ws-https + release: {{ .Release.Name }} + spec: + containers: + - name: {{ .Chart.Name }} + image: "nginx:1.10" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: nginx-configmap + mountPath: /etc/nginx/conf.d/default.conf + subPath: nginx.conf + - name: ssl-configmap + mountPath: /etc/nginx/ssl.crt + subPath: cert + - name: ssl-configmap + mountPath: /etc/nginx/ssl.key + subPath: key + volumes: + - name: ssl-configmap + configMap: + name: ssl-configmap + - name: nginx-configmap + configMap: + name: arvados-ws-https-configmap +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: arvados-ws-https-configmap + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + nginx.conf: | + upstream httpContainer { + server arvados-ws:9003; + } + + server { + listen 0.0.0.0:9003 ssl; + server_name arvados-ws-https; + + proxy_connect_timeout 90s; + proxy_read_timeout 300s; + proxy_set_header X-Real-IP $remote_addr; + + ssl on; + ssl_certificate /etc/nginx/ssl.crt; + ssl_certificate_key /etc/nginx/ssl.key; + + # Clients need to be able to upload blocks of data up to 64MiB in size. + client_max_body_size 64m; + + # Redirect plain HTTP requests to HTTPS. 
+ error_page 497 301 =307 https://$host:$server_port$request_uri; + + location / { + proxy_pass http://httpContainer; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + } + } +--- +apiVersion: v1 +kind: Service +metadata: + name: arvados-ws-https + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: LoadBalancer + loadBalancerIP: "8.8.8.8" + ports: + - name: https + port: 9003 + targetPort: 9003 + protocol: TCP + selector: + app: arvados-ws-https diff --git a/arvados/templates/ws-service.yaml b/arvados/templates/ws-service.yaml new file mode 100644 index 0000000..0930ffb --- /dev/null +++ b/arvados/templates/ws-service.yaml @@ -0,0 +1,21 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: Service +metadata: + name: arvados-ws + labels: + app: {{ template "arvados.name" . }} + chart: {{ template "arvados.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + ports: + - name: http + port: 9003 + targetPort: 9003 + protocol: TCP + selector: + app: arvados-ws diff --git a/arvados/values.yaml b/arvados/values.yaml new file mode 100644 index 0000000..b7fc0f2 --- /dev/null +++ b/arvados/values.yaml 
@@ -0,0 +1,49 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +# Default values for arvados. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + tag: stable + pullPolicy: IfNotPresent + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} -- 2.30.2
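Review bot: Apart from `image.pullPolicy`, nothing in this values file is read by the templates: `replicaCount`, `image.repository: nginx`, `image.tag: stable`, `service`, `ingress`, `resources`, `nodeSelector`, `tolerations` and `affinity` are the `helm create` scaffold and are silently ignored, while the settings an operator must change (load balancer IP, API host, tokens, blob signing key, package versions) are hard-coded in the templates. Either wire these keys into the templates or remove them, and add the real knobs here with a comment each; an `ingress` block that does nothing misleads anyone configuring the chart.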