feat: add prod workbench AppSets and charts (wave 13)

clusters/prod/apps/workbench/appset-guacamole.yaml

@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guacamole
+  namespace: argocd
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+    - git:
+        repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+        revision: main
+        files:
+          - path: "clusters/prod/workbench/projects/*.yaml"
+  syncPolicy:
+    applicationsSync: create-update
+  template:
+    metadata:
+      name: 'guacamole-{{ .name }}'
+      namespace: argocd
+      annotations:
+        argocd.argoproj.io/sync-wave: "13"
+      # NO finalizer — stateful app with PVC
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+        targetRevision: main
+        path: clusters/prod/workbench/guacamole-stack
+        helm:
+          valueFiles:
+            - ../../registry.yaml
+            - values.yaml
+          parameters:
+            - name: projectName
+              value: '{{ .name }}'
+            - name: domain
+              value: 'hdc.ebrains.eu'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: 'project-{{ .name }}'
+      syncPolicy:
+        automated:
+          prune: false
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+          - ServerSideApply=true

clusters/prod/apps/workbench/appset-jupyterhub.yaml

@@ -0,0 +1,51 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: jupyterhub
+  namespace: argocd
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+    - git:
+        repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+        revision: main
+        files:
+          - path: "clusters/prod/workbench/projects/*.yaml"
+  syncPolicy:
+    applicationsSync: create-update
+  template:
+    metadata:
+      name: 'jupyterhub-{{ .name }}'
+      namespace: argocd
+      annotations:
+        argocd.argoproj.io/sync-wave: "13"
+      # NO finalizer — stateful app (hub PVC + user PVCs)
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+        targetRevision: main
+        path: clusters/prod/workbench/jupyterhub
+        helm:
+          releaseName: jupyterhub
+          valueFiles:
+            - ../../registry.yaml
+            - values.yaml
+          parameters:
+            - name: projectName
+              value: '{{ .name }}'
+            - name: domain
+              value: 'hdc.ebrains.eu'
+            - name: jupyterhub.hub.baseUrl
+              value: '/workbench/{{ .name }}/j/'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: 'project-{{ .name }}'
+      syncPolicy:
+        automated:
+          prune: false
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+          - ServerSideApply=true

clusters/prod/apps/workbench/appset-project-resources.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: project-resources
+  namespace: argocd
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+    - git:
+        repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+        revision: main
+        files:
+          - path: "clusters/prod/workbench/projects/*.yaml"
+  syncPolicy:
+    applicationsSync: create-update
+  template:
+    metadata:
+      name: 'project-resources-{{ .name }}'
+      namespace: argocd
+      annotations:
+        argocd.argoproj.io/sync-wave: "11"
+      # NO finalizer — manages PVCs
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+        targetRevision: main
+        path: clusters/prod/workbench/project-resources
+        helm:
+          releaseName: project-resources
+          valueFiles:
+            - ../../registry.yaml
+            - values.yaml
+          parameters:
+            - name: projectName
+              value: '{{ .name }}'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: 'project-{{ .name }}'
+      syncPolicy:
+        automated:
+          prune: false
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+          - ServerSideApply=true

clusters/prod/apps/workbench/appset-superset.yaml

@@ -0,0 +1,49 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: superset
+  namespace: argocd
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+    - git:
+        repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+        revision: main
+        files:
+          - path: "clusters/prod/workbench/projects/*.yaml"
+  syncPolicy:
+    applicationsSync: create-update
+  template:
+    metadata:
+      name: 'superset-{{ .name }}'
+      namespace: argocd
+      annotations:
+        argocd.argoproj.io/sync-wave: "13"
+      # NO finalizer — stateful app with PVC
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+        targetRevision: main
+        path: clusters/prod/workbench/superset
+        helm:
+          releaseName: superset
+          valueFiles:
+            - ../../registry.yaml
+            - values.yaml
+          parameters:
+            - name: projectName
+              value: '{{ .name }}'
+            - name: domain
+              value: 'hdc.ebrains.eu'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: 'project-{{ .name }}'
+      syncPolicy:
+        automated:
+          prune: false
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+          - ServerSideApply=true

clusters/prod/workbench/guacamole-stack/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: guacamole-stack
+version: 0.1.0
+dependencies:
+  - name: postgresql
+    version: "15.5.17"
+    repository: https://pilotdataplatform.github.io/helm-charts/
+    alias: guacamole-postgresql

clusters/prod/workbench/guacamole-stack/templates/_helpers.tpl

@@ -0,0 +1,8 @@
+{{/*
+Common labels
+*/}}
+{{- define "guacamole-stack.labels" -}}
+helm.sh/chart: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}

clusters/prod/workbench/guacamole-stack/templates/guacamole-configmap.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: guacamole-configuration
+  labels:
+    app.kubernetes.io/name: guacamole
+    {{- include "guacamole-stack.labels" . | nindent 4 }}
+data:
+  guacamole.properties: |
+    enable-environment-properties: true
+    postgresql-auto-create-accounts: true

clusters/prod/workbench/guacamole-stack/templates/guacamole-deployment.yaml

@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guacamole
+  labels:
+    app.kubernetes.io/name: guacamole
+    {{- include "guacamole-stack.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.guacamole.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: guacamole
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: guacamole
+        {{- include "guacamole-stack.labels" . | nindent 8 }}
+    spec:
+      imagePullSecrets:
+        - name: docker-registry-secret
+      containers:
+        - name: guacamole
+          image: "{{ .Values.global.imageRegistry }}/{{ .Values.guacamole.image.repository }}:{{ .Values.guacamole.image.tag }}"
+          imagePullPolicy: {{ .Values.guacamole.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          env:
+            - name: GUACAMOLE_HOME
+              value: /etc/guacamole
+            - name: GUACD_HOSTNAME
+              value: guacd.{{ .Release.Namespace }}.svc.cluster.local
+            - name: GUACD_PORT
+              value: "4822"
+            - name: POSTGRES_HOSTNAME
+              value: postgres-guacamole.{{ .Release.Namespace }}.svc.cluster.local
+            - name: POSTGRES_PORT
+              value: "5432"
+            - name: POSTGRES_DATABASE
+              value: guacamole_db
+            - name: POSTGRES_USER
+              value: guacamole_user
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-pg-credentials
+                  key: password
+            - name: POSTGRES_ABSOLUTE_MAX_CONNECTIONS
+              value: "{{ .Values.guacamoleProperties.postgresqlAbsoluteMaxConnections }}"
+            - name: OPENID_AUTHORIZATION_ENDPOINT
+              value: https://{{ .Values.keycloakDomain }}/realms/hdc/protocol/openid-connect/auth
+            - name: OPENID_JWKS_ENDPOINT
+              value: https://{{ .Values.keycloakDomain }}/realms/hdc/protocol/openid-connect/certs
+            - name: OPENID_ISSUER
+              value: https://{{ .Values.keycloakDomain }}/realms/hdc
+            - name: OPENID_CLIENT_ID
+              value: guacamole-{{ .Values.projectName }}
+            - name: OPENID_REDIRECT_URI
+              value: https://{{ .Values.domain }}/workbench/{{ .Values.projectName }}/guacamole/
+            - name: OPENID_USERNAME_CLAIM_TYPE
+              value: {{ .Values.oidc.usernameClaim }}
+            - name: OPENID_SCOPE
+              value: {{ .Values.oidc.scope }}
+          volumeMounts:
+            - name: guacamole-config
+              mountPath: /etc/guacamole
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 5
+          resources:
+            {{- toYaml .Values.guacamole.resources | nindent 12 }}
+      volumes:
+        - name: guacamole-config
+          configMap:
+            name: guacamole-configuration

clusters/prod/workbench/guacamole-stack/templates/guacamole-service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: guacamole
+  labels:
+    app.kubernetes.io/name: guacamole
+    {{- include "guacamole-stack.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: guacamole
+    app.kubernetes.io/instance: {{ .Release.Name }}

clusters/prod/workbench/guacamole-stack/templates/guacd-deployment.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guacd
+  labels:
+    app.kubernetes.io/name: guacd
+    {{- include "guacamole-stack.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.guacd.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: guacd
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: guacd
+        {{- include "guacamole-stack.labels" . | nindent 8 }}
+    spec:
+      imagePullSecrets:
+        - name: docker-registry-secret
+      containers:
+        - name: guacd
+          image: "{{ .Values.global.imageRegistry }}/{{ .Values.guacd.image.repository }}:{{ .Values.guacd.image.tag }}"
+          imagePullPolicy: {{ .Values.guacd.image.pullPolicy }}
+          ports:
+            - name: guacd
+              containerPort: 4822
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: guacd
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: guacd
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          resources:
+            {{- toYaml .Values.guacd.resources | nindent 12 }}

clusters/prod/workbench/guacamole-stack/templates/guacd-service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: guacd
+  labels:
+    app.kubernetes.io/name: guacd
+    {{- include "guacamole-stack.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 4822
+      targetPort: guacd
+      protocol: TCP
+      name: guacd
+  selector:
+    app.kubernetes.io/name: guacd
+    app.kubernetes.io/instance: {{ .Release.Name }}