feat: add prod apps for waves 6-9 (keycloak, auth, services, kong)

clusters/dev/apps/bff-cli/values.yaml

@@ -48,7 +48,6 @@ bff-cli-service:
     CORE_ZONE_LABEL: "Core"
     GREEN_ZONE_LABEL: "Greenroom"
 
-    # TODO: fill when these services are deployed on OVH
     AUDIT_TRAIL_SERVICE: ""
     HPC_SERVICE: ""
     KG_SERVICE: ""
@@ -59,7 +58,6 @@ bff-cli-service:
     # Guacamole CLI auth
     CLI_PUBLIC_KEY_PATH: "/var/run/secrets/guacamole/jwt-key.pub"
 
-    # TODO: replace with OVH pod CIDR when JupyterHub is deployed
     JUPYTER_IP_LOWER: "10.0.0.0"
     JUPYTER_IP_UPPER: "10.255.255.255"
 

clusters/dev/apps/kong-postgresql/application.yaml

@@ -15,10 +15,6 @@ spec:
     helm:
       valueFiles:
         - ../../registry.yaml
-        # TODO: versions.yaml has pg_cron tag for main utility postgres only.
-        # Proper fix: add postgresql-standard key to versions.yaml with standard
-        # bitnami tag, then reference it here. For now, using chart default.
-        # - ../../versions.yaml
         - values.yaml
   destination:
     server: https://kubernetes.default.svc

clusters/prod/apps/approval/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: approval
+version: 0.1.0
+dependencies:
+  - name: approval-service
+    version: "0.3.1"
+    repository: https://pilotdataplatform.github.io/helm-charts/

clusters/prod/apps/approval/application.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: approval
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "8"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+    targetRevision: main
+    path: clusters/prod/apps/approval
+    helm:
+      valueFiles:
+        - ../../registry.yaml
+        - ../../versions.yaml
+        - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: utility
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

clusters/prod/apps/approval/templates/external-secret.yaml

@@ -0,0 +1,25 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: approval-credentials
+  namespace: utility
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    name: approval-credentials
+  data:
+    - secretKey: db-uri
+      remoteRef:
+        key: secret/data/approval
+        property: db-uri
+    - secretKey: rds-password
+      remoteRef:
+        key: secret/data/postgresql
+        property: approval-user-password
+    - secretKey: redis-password
+      remoteRef:
+        key: secret/data/redis
+        property: password

clusters/prod/apps/approval/values.yaml

@@ -0,0 +1,88 @@
+approval-service:
+  image:
+    repository: n47w5524.c1.de1.container-registry.ovh.net/hdc-services-image/approval
+    pullPolicy: IfNotPresent
+    # tag from versions.yaml via valueFile merge
+
+  fullnameOverride: approval
+  replicaCount: 1
+
+  container:
+    port: 8000
+
+  service:
+    type: ClusterIP
+    port: 8000
+
+  imagePullSecrets:
+    - name: docker-registry-secret
+
+  appConfig:
+    env: prod
+    config_center_enabled: "false"
+    config_center_base_url: "http://common.utility:5062/"
+
+  extraEnv:
+    CORE_ZONE_LABEL: "Core"
+    GREENROOM_ZONE_LABEL: "Greenroom"
+    META_SERVICE: "http://metadata.utility:5066"
+    RDS_SCHEMA_DEFAULT: "pilot_approval"
+    AUTH_SERVICE: "http://auth.utility:5061"
+    DATAOPS_SERVICE: "http://dataops.utility:5063"
+    EMAIL_SERVICE: "http://notification.utility:5065"
+    METADATA_SERVICE: "http://metadata.utility:5066"
+    PROJECT_SERVICE: "http://project.utility:5064"
+    NOTIFICATION_SERVICE: "http://notification.utility:5065"
+    REDIS_DB: "0"
+    REDIS_HOST: "redis-master.redis"
+    REDIS_PORT: "6379"
+    RDS_DB: "approval"
+    RDS_HOST: "postgres.utility"
+    RDS_USER: "approval_user"
+    RDS_PORT: "5432"
+
+  extraEnvYaml:
+    - name: DB_URI
+      valueFrom:
+        secretKeyRef:
+          name: approval-credentials
+          key: db-uri
+    - name: RDS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: approval-credentials
+          key: rds-password
+    - name: REDIS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: approval-credentials
+          key: redis-password
+
+  resources:
+    requests:
+      cpu: 10m
+      memory: 50Mi
+    limits:
+      cpu: 500m
+      memory: 500Mi
+
+  readinessProbe:
+    tcpSocket:
+      port: 8000
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    failureThreshold: 3
+
+  livenessProbe:
+    httpGet:
+      path: /v1/health
+      port: 8000
+    periodSeconds: 10
+    timeoutSeconds: 3
+    failureThreshold: 3
+
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0

clusters/prod/apps/auth/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: auth
+version: 0.1.0
+dependencies:
+  - name: auth-service
+    version: "1.0.9"
+    repository: https://pilotdataplatform.github.io/helm-charts/

clusters/prod/apps/auth/application.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: auth
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "7"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+    targetRevision: main
+    path: clusters/prod/apps/auth
+    helm:
+      valueFiles:
+        - ../../registry.yaml
+        - ../../versions.yaml
+        - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: utility
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

clusters/prod/apps/auth/templates/external-secret.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: auth-credentials
+  namespace: utility
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    name: auth-credentials
+  data:
+    - secretKey: auth-user-password
+      remoteRef:
+        key: secret/data/postgresql
+        property: auth-user-password
+    - secretKey: redis-password
+      remoteRef:
+        key: secret/data/redis
+        property: password
+    - secretKey: keycloak-client-secret
+      remoteRef:
+        key: secret/data/auth
+        property: keycloak-client-secret
+    - secretKey: freeipa-password
+      remoteRef:
+        key: secret/data/auth
+        property: freeipa-password

clusters/prod/apps/auth/values.yaml

@@ -0,0 +1,103 @@
+auth-service:
+  image:
+    repository: n47w5524.c1.de1.container-registry.ovh.net/hdc-services-image/auth
+    pullPolicy: IfNotPresent
+
+  fullnameOverride: auth
+  replicaCount: 3
+
+  container:
+    port: 5061
+
+  service:
+    type: ClusterIP
+    port: 5061
+    targetPort: 5061
+
+  imagePullSecrets:
+    - name: docker-registry-secret
+
+  appConfig:
+    env: prod
+    WORKERS: 2
+    RDS_HOST: postgres.utility
+    RDS_USER: auth_user
+    RDS_DBNAME: auth
+    RDS_SCHEMA_PREFIX: pilot
+    LDAP_PREFIX: hdc
+    LDAP_COMMON_NAME_PREFIX: hdc
+    AD_USER_GROUP: hdc-users
+    IDENTITY_BACKEND: keycloak
+    KEYCLOAK_SERVER_URL: "https://iam.hdc.ebrains.eu/"
+    KEYCLOAK_CLIENT_ID: kong
+    KEYCLOAK_REALM: hdc
+    KEYCLOAK_ID: hdc
+    REDIS_HOST: redis-master.redis
+    REDIS_PORT: "6379"
+    FREEIPA_URL: "ldap.hdc.ebrains.eu"
+    ENABLE_ACTIVE_DIRECTORY: "false"
+    DOMAIN_NAME: "https://portal.hdc.ebrains.eu"
+    START_PATH: hdc
+    GUIDE_PATH: ""
+    EMAIL_SUPPORT: support@hdc.ebrains.eu
+    EMAIL_ADMIN: admin@hdc.ebrains.eu
+    EMAIL_HELPDESK: helpdesk@hdc.ebrains.eu
+    PLATFORM_NAME: HDC
+    PROJECT_NAME: HDC
+    OPEN_TELEMETRY_ENABLED: "false"
+    config_center_enabled: "false"
+
+  resources:
+    limits:
+      cpu: 500m
+      memory: 500Mi
+    requests:
+      cpu: 25m
+      memory: 10Mi
+
+  extraEnvYaml:
+    - name: RDS_PWD
+      valueFrom:
+        secretKeyRef:
+          name: auth-credentials
+          key: auth-user-password
+    - name: REDIS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: auth-credentials
+          key: redis-password
+    - name: KEYCLOAK_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: auth-credentials
+          key: keycloak-client-secret
+    - name: FREEIPA_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: auth-credentials
+          key: freeipa-password
+
+  extraEnv:
+    REDIS_DB: "0"
+    RDS_PRE_PING: "true"
+
+  readinessProbe:
+    tcpSocket:
+      port: 5061
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    failureThreshold: 3
+
+  livenessProbe:
+    httpGet:
+      path: /v1/health
+      port: 5061
+    periodSeconds: 30
+    timeoutSeconds: 5
+    failureThreshold: 3
+
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0

clusters/prod/apps/dataops/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: dataops
+version: 0.1.0
+dependencies:
+  - name: dataops-service
+    version: "0.2.1"
+    repository: https://pilotdataplatform.github.io/helm-charts/

clusters/prod/apps/dataops/application.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dataops
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "8"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+    targetRevision: main
+    path: clusters/prod/apps/dataops
+    helm:
+      valueFiles:
+        - ../../registry.yaml
+        - ../../versions.yaml
+        - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: utility
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true