feat: add prod workspace-service (wave 12)

clusters/prod/apps/workspace/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: workspace
+version: 0.1.0
+dependencies:
+  - name: workspace-service
+    version: "0.2.0"
+    repository: https://pilotdataplatform.github.io/helm-charts/

clusters/prod/apps/workspace/application.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: workspace
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+    targetRevision: main
+    path: clusters/prod/apps/workspace
+    helm:
+      valueFiles:
+        - ../../registry.yaml
+        - ../../versions.yaml
+        - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: utility
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

clusters/prod/apps/workspace/templates/external-secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: workspace-credentials
+  namespace: utility
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    name: workspace-credentials
+  data:
+    - secretKey: guacamole-username
+      remoteRef:
+        key: secret/data/workspace
+        property: guacamole-username
+    - secretKey: guacamole-password
+      remoteRef:
+        key: secret/data/workspace
+        property: guacamole-password

clusters/prod/apps/workspace/values.yaml

@@ -0,0 +1,75 @@
+workspace-service:
+  image:
+    repository: n47w5524.c1.de1.container-registry.ovh.net/hdc-services-image/workspace
+    pullPolicy: IfNotPresent
+    # chart prepends "workspace-" to tag automatically
+
+  fullnameOverride: workspace
+  replicaCount: 1
+
+  container:
+    port: 5068
+
+  service:
+    type: ClusterIP
+    port: 5068
+    targetPort: 5068
+
+  imagePullSecrets:
+    - name: docker-registry-secret
+
+  appConfig:
+    port: 5068
+    env: prod
+    config_center_enabled: "false"
+    config_center_base_url: "http://common.utility:5062/"
+    srv_namespace: service_workspace
+
+  extraEnv:
+    AUTH_SERVICE: "http://auth.utility:5061"
+    GUACAMOLE_HOSTNAME: "hdc.ebrains.eu"
+    GUACAMOLE_URL_PATH: "/workbench/{container_code}/guacamole"
+
+  extraEnvYaml:
+    - name: GUACAMOLE_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: workspace-credentials
+          key: guacamole-username
+    - name: GUACAMOLE_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: workspace-credentials
+          key: guacamole-password
+
+  resources:
+    limits:
+      cpu: "1"
+      memory: 1000Mi
+    requests:
+      cpu: 10m
+      memory: 50Mi
+
+  readinessProbe:
+    failureThreshold: 3
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    successThreshold: 1
+    tcpSocket:
+      port: 5068
+
+  livenessProbe:
+    failureThreshold: 3
+    httpGet:
+      path: /v1/health
+      port: 5068
+      scheme: HTTP
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 33%

docs/vault-secrets.md

@@ -123,6 +123,14 @@ vault kv put secret/kg-integration \
   account-secret='<kg-service-account-secret>'
 ```
 
+## Workspace (`secret/workspace`)
+
+```bash
+vault kv put secret/workspace \
+  guacamole-username='guacadmin' \
+  guacamole-password='<guacamole-admin-password>'
+```
+
 ## BFF CLI (`secret/bff-cli`)
 
 ```bash