diff --git a/docs/src/deployment.md b/docs/src/deployment.md
index f3a82f456d..9e07ed320c 100644
--- a/docs/src/deployment.md
+++ b/docs/src/deployment.md
@@ -2,7 +2,9 @@
 This document describes how to deploy, and if needed move, the *Quality-time* application. It is aimed at *Quality-time* operators.
-*Quality-time* consists of a set of Docker containers that together form the application. See the [software documentation](software.md) for an overview of the different containers. It is assumed the containers are deployed using a Docker-composition. An alternative deployment based on a Helm chart and intended for an OpenShift (Kubernetes) cluster is described in the [Helm for OpenShift README](https://github.com/ICTU/quality-time/tree/master/openshift/helm/README.md).
+*Quality-time* consists of a set of Docker containers that together form the application.
+See the [software documentation](software.md) for an overview of the different containers.
+It is assumed the containers are deployed using a Docker-composition.
 *Quality-time* furthermore assumes an LDAP service is available to authenticate users or that forwarded authentication is used.
@@ -43,7 +45,7 @@ For example:
 ## Kubernetes
 The helm chart for deploying on Kubernetes does not support overriding port numbers.
-Setting port environment variables in the `values.yaml` will not change the service port mapping, while the app within the pod will listen on the altered port.
+Although setting port environment variables in the `values.yaml` will change the ports that the app within the pod listens to, it will *not* change the service port mapping and therefore lead to a malfunctioning service. Instead, only the ingress should be configured.
 ## Configuring authentication (mandatory)
diff --git a/openshift/dockerfiles/Dockerfile.apiserver b/openshift/dockerfiles/Dockerfile.apiserver
deleted file mode 100644
index 7c96bccbc5..0000000000
--- a/openshift/dockerfiles/Dockerfile.apiserver
+++ /dev/null
@@ -1,7 +0,0 @@
-ARG IMAGE_NAME=docker.io/ictu/quality-time_api_server
-FROM $IMAGE_NAME
-USER root
-COPY *.crt /usr/local/share/ca-certificates/
-RUN /usr/sbin/update-ca-certificates
-RUN cd /usr/local/share/ca-certificates/ ; for key in $(ls *.crt) ;do cat $key >> /ca-cert.pem ; done
-ENV REQUESTS_CA_BUNDLE /ca-cert.pem
diff --git a/openshift/dockerfiles/Dockerfile.collector b/openshift/dockerfiles/Dockerfile.collector
deleted file mode 100644
index 6665ee0e30..0000000000
--- a/openshift/dockerfiles/Dockerfile.collector
+++ /dev/null
@@ -1,9 +0,0 @@
-ARG IMAGE_NAME=docker.io/ictu/quality-time_collector
-FROM $IMAGE_NAME
-USER root
-COPY *.crt /usr/local/share/ca-certificates/
-COPY *.crt /etc/ssl/certs/
-RUN /usr/sbin/update-ca-certificates
-RUN cd /usr/local/share/ca-certificates/ ; for key in $(ls *.crt) ;do cat $key >> /usr/lib/ssl/cert.pem ; done
-RUN chgrp -R 0 /home/collector && chmod -R g=u /home/collector
-ENV REQUESTS_CA_BUNDLE /usr/lib/ssl/cert.pem
diff --git a/openshift/dockerfiles/Dockerfile.frontend b/openshift/dockerfiles/Dockerfile.frontend
deleted file mode 100644
index c767bd08e8..0000000000
--- a/openshift/dockerfiles/Dockerfile.frontend
+++ /dev/null
@@ -1,8 +0,0 @@
-ARG IMAGE_NAME=docker.io/ictu/quality-time_frontend
-FROM $IMAGE_NAME
-USER root
-COPY *.crt /usr/local/share/ca-certificates/
-RUN /usr/sbin/update-ca-certificates
-RUN cd /usr/local/share/ca-certificates/ ; for key in $(ls *.crt) ;do cat $key >> /ca-cert.pem ; done
-ENV REQUESTS_CA_BUNDLE /ca-cert.pem
-
diff --git a/openshift/dockerfiles/Dockerfile.proxy b/openshift/dockerfiles/Dockerfile.proxy
deleted file mode 100644
index 85b71cde1e..0000000000
--- a/openshift/dockerfiles/Dockerfile.proxy
+++ /dev/null
@@ -1,12 +0,0 @@
-ARG IMAGE_NAME=registry.access.redhat.com/ubi8/nginx-120
-FROM $IMAGE_NAME
-
-ENV FRONTEND_HOST frontend
-ENV FRONTEND_PORT 5000
-ENV API_SERVER_HOST api_server
-ENV API_SERVER_PORT 5001
-
-EXPOSE 8080
-
-ADD nginx.conf "${NGINX_CONF_PATH}"
-CMD nginx -g "daemon off;"
\ No newline at end of file
diff --git a/openshift/dockerfiles/README.md b/openshift/dockerfiles/README.md
deleted file mode 100644
index 5d1bbe492c..0000000000
--- a/openshift/dockerfiles/README.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# Docker - Podman rebuild for Enterprises
-
-For companies that use their own certificate authorities, the Dockerfiles supplied in this directory can be used as an example to add ca certificates to trust stores.
-Also the proxy image is adjusted so it will be able to run as non-root on OpenShift.
-
-## podman build
-
-You can build the images from the ICTU base images. so either pull those images or first build these images. Then you can build and tag your extensions.
-
- podman build -t containers.local/somenamespace/quality-time_proxy:v4.5.0 --build-arg IMAGE_NAME=registry.access.redhat.com/ubi8/nginx-120 -f Dockerfile.proxy .
- podman build -t containers.local/somenamespace/quality-time_collector:v4.5.0 --build-arg IMAGE_NAME=docker.io/ictu/quality-time_collector:v4.5.0 -f Dockerfile.collector .
- # and more builds followed by login and pushes to containers.local repo
-
-Make sure to adjust the [docker-compose.yml](../../docker/docker-compose.yml) or the helm chart [values.yaml](../helm/values.yaml) with your extension images (such as containers.local/somenamespace/quality-time_collector:v4.5.0).
-
-## Changes for custom Certificate Authorities
-
-If your organization uses its own certificate authority, you need to add the certificate to the correct trust stores in the images that have connections to the resources that have certificates that were issued by this certificate authority.
-
- USER root
- COPY *.crt /usr/local/share/ca-certificates/
- COPY *.crt /etc/ssl/certs/
- RUN /usr/sbin/update-ca-certificates
- RUN cd /usr/local/share/ca-certificates/ ; for key in $(ls *.crt) ;do cat $key >> /usr/lib/ssl/cert.pem ; done
- ENV REQUESTS_CA_BUNDLE /usr/lib/ssl/cert.pem
-
-[Dockerfile.apiserver](./Dockerfile.apiserver) shows how to add the certificate and enable it at OS level and Python application level.
-
-## Changes for non-root process
-
-If you use a strict OpenShift environment it will not be allowed to start processes as a root user or with a fixed user id. The original nginx proxy image is using a root user.
-
- FROM registry.access.redhat.com/ubi8/nginx-120
-
-[Dockerfile.proxy](./Dockerfile.proxy) uses a different and OpenShift compliant base image from Red Hat.
-
-## Changes due to non random user id
-
-If you use a strict OpenShift environment it will not be allowed to access files created by a user with a fixed user id. You can rebuild an image to allow access to such files or directories.
-
- RUN chgrp -R 0 /home/collector && chmod -R g=u /home/collector
-
-[Dockerfile.collector](./Dockerfile.collector) shows the fix for this in the collector image.
-
diff --git a/openshift/dockerfiles/nginx.conf b/openshift/dockerfiles/nginx.conf
deleted file mode 100644
index 22608e33fa..0000000000
--- a/openshift/dockerfiles/nginx.conf
+++ /dev/null
@@ -1,91 +0,0 @@
-# For more information on configuration, see:
-# * Official English Documentation: http://nginx.org/en/docs/
-# * Official Russian Documentation: http://nginx.org/ru/docs/
-
-
-worker_processes auto;
-error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
-
-# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
-include /usr/share/nginx/modules/*.conf;
-
-events {
- worker_connections 1024;
-}
-
-http {
- # perl_modules /opt/app-root/etc/perl;
- # perl_require Version.pm;
- # perl_set $perl_version Version::installed;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- # Load modular configuration files from the /etc/nginx/conf.d directory.
- # See http://nginx.org/en/docs/ngx_core_module.html#include
- # for more information.
- include /opt/app-root/etc/nginx.d/*.conf;
-
- server {
- listen 8080 default_server;
- listen [::]:8080 default_server;
- server_name _;
- root /opt/app-root/src;
- add_header Strict-Transport-Security "max-age=31536000;";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Content-Type-Options "nosniff";
- add_header X-Frame-Options "DENY";
- gzip on;
- server_tokens off;
-
- # Load configuration files for the default server block.
- include /opt/app-root/etc/nginx.default.d/*.conf;
-
- location /api/internal/nr_measurements {
- gzip off;
- proxy_http_version 1.1;
- proxy_read_timeout 24h;
- proxy_set_header Connection "";
- proxy_pass http://apiserver:5001/api/internal/nr_measurements;
- }
- location /api/internal/datamodel {
- add_header Cache-Control "no-cache";
- proxy_pass http://apiserver:5001/api/internal/datamodel;
- }
- location /api/internal/logo {
- add_header Cache-Control "no-cache";
- proxy_pass http://apiserver:5001/api/internal/logo;
- }
- location /api {
- add_header Cache-Control "no-store";
- proxy_pass http://apiserver:5001/api;
- }
- location / {
- add_header Cache-Control "no-store";
- proxy_pass http://frontend:5000/;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- }
- }
-
-
-}
-
diff --git a/openshift/helm/Chart.yaml b/openshift/helm/Chart.yaml
deleted file mode 100644
index f5ba1723ae..0000000000
--- a/openshift/helm/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-name: quality-time
-description: A Helm Chart for running ICTU quality-time on OpenShift
-type: application
-version: 0.0.2
-appVersion: "v5.0.0"
diff --git a/openshift/helm/README.md b/openshift/helm/README.md
deleted file mode 100644
index 01ca8b9aa2..0000000000
--- a/openshift/helm/README.md
+++ /dev/null
@@ -1,32 +0,0 @@
-# Helm chart
-
-A Helm chart allows for a simple deployment on a Kubernetes cluster. The Helm chart in this directory is based on the docker-compose.yml and the standard images and settings from ICTU.
-Except for the Route these are all standard kubernetes elements. The Route defines the main entry point for the application on OpenShift. It is added as the last element in the [templates/www-service.yaml](templates/www-service.yaml).
-Also in a corporate environment, it is usually required to define credentials for pulling the images. For this a [templates/pull-secret.yaml](templates/pull-secret.yaml) file is provided.
-All templates refer to standard values from [values.yaml](values.yaml) unless these are overridden using the Helm way of value overrides. (Either by defining seperate values or your own values.yaml file).
-
-## Prerequisites
-
-You need the following CLI tools:
-
-+ OC CLI the OpenShift cli
-+ Helm the Helm CLI
-
-Login with the OC CLI and select a project/namespace. Then the helm commands can be used.
-
-## Install
-
-```console
-$ helm install quality-time .
-$ helm install --set pullsecret=mybase64encodeddockerjson quality-time .
-$ helm install --values myoverride-values.yaml quality-time .
-```
-
-## Uninstall
-
-```console
-$ helm uninstall quality-time
-```
-
-In a corporate environment with custom certificate authorities, you can create custom images as described in the [Custom docker files Readme](../dockerfiles/README.md).
-The adjusted image names can then be set in the myoverride-values.yaml which would be a kind of copy of the values.yaml.
diff --git a/openshift/helm/templates/apiserver-deployment.yaml b/openshift/helm/templates/apiserver-deployment.yaml
deleted file mode 100644
index e3d10efef1..0000000000
--- a/openshift/helm/templates/apiserver-deployment.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: {{ .Values.api_server.name }}
- name: {{ .Values.api_server.name }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: {{ .Values.api_server.name }}
- strategy: {}
- template:
- metadata:
- labels:
- app: {{ .Values.api_server.name }}
- spec:
- containers:
- - env:
- - name: DATABASE_URL
- value: mongodb://root:root@{{ .Values.database.name }}:27017
- - name: API_SERVER_PORT
- value: "5001"
- - name: FORWARD_AUTH_ENABLED
- value: "False"
- - name: FORWARD_AUTH_HEADER
- value: X-Forwarded-User
- - name: LDAP_LOOKUP_USER_DN
- value: {{ .Values.ldap.lookupUserDN }}
- - name: LDAP_LOOKUP_USER_PASSWORD
- value: {{ .Values.ldap.lookupUserPassword }}
- - name: LDAP_ROOT_DN
- value: {{ .Values.ldap.rootDN }}
- - name: LDAP_SEARCH_FILTER
- value: {{ .Values.ldap.search }}
- - name: LDAP_URL
- value: {{ .Values.ldap.url }}
- - name: LOAD_EXAMPLE_REPORTS
- value: "True"
- - name: USER_SESSION_DURATION
- value: "120"
- image: {{ .Values.api_server.image }}
- imagePullPolicy: Always
- name: {{ .Values.api_server.name }}
- resources: {}
- securityContext:
- capabilities:
- drop:
- - ALL
- restartPolicy: Always
- imagePullSecrets:
- - name: quality-time-pullsecret
diff --git a/openshift/helm/templates/collector-deployment.yaml b/openshift/helm/templates/collector-deployment.yaml
deleted file mode 100644
index 33b22f5352..0000000000
--- a/openshift/helm/templates/collector-deployment.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: {{ .Values.collector.name }}
- name: {{ .Values.collector.name }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: {{ .Values.collector.name }}
- strategy: {}
- template:
- metadata:
- labels:
- app: {{ .Values.collector.name }}
- spec:
- containers:
- - env:
- - name: DATABASE_URL
- value: mongodb://root:root@{{ .Values.database.name }}:27017
- image: {{ .Values.collector.image }}
- imagePullPolicy: Always
- name: {{ .Values.collector.name }}
- resources: {}
- securityContext:
- capabilities:
- drop:
- - ALL
- restartPolicy: Always
- imagePullSecrets:
- - name: quality-time-pullsecret
diff --git a/openshift/helm/templates/database-deployment.yaml b/openshift/helm/templates/database-deployment.yaml
deleted file mode 100644
index 8d7c15ba8d..0000000000
--- a/openshift/helm/templates/database-deployment.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: {{ .Values.database.name }}
- name: {{ .Values.database.name }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: {{ .Values.database.name }}
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- app: {{ .Values.database.name }}
- spec:
- volumes:
- - name: {{ .Values.database.claimName }}
- persistentVolumeClaim:
- claimName: {{ .Values.database.claimName }}
- containers:
- - env:
- - name: MONGO_INITDB_ROOT_PASSWORD
- value: root
- - name: MONGO_INITDB_ROOT_USERNAME
- value: root
- resources:
- limits:
- cpu: '2'
- memory: 2Gi
- requests:
- cpu: '1'
- memory: 1Gi
- image: {{ .Values.database.image }}
- imagePullPolicy: Always
- name: {{ .Values.database.name }}
- resources: {}
- volumeMounts:
- - mountPath: /data/db
- name: {{ .Values.database.claimName }}
- restartPolicy: Always
- imagePullSecrets:
- - name: quality-time-pullsecret
diff --git a/openshift/helm/templates/dbdata-persistentvolumeclaim.yaml b/openshift/helm/templates/dbdata-persistentvolumeclaim.yaml
deleted file mode 100644
index b36ce3b1c4..0000000000
--- a/openshift/helm/templates/dbdata-persistentvolumeclaim.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- labels:
- app: {{ .Values.database.claimName }}
- name: {{ .Values.database.claimName }}
-spec:
- accessModes:
- - {{ .Values.database.accessMode }}
- resources:
- requests:
- storage: {{ .Values.database.storageSize }}
- storageClassName: {{ .Values.database.storageClassName }}
diff --git a/openshift/helm/templates/frontend-deployment.yaml b/openshift/helm/templates/frontend-deployment.yaml
deleted file mode 100644
index 5bb9e0b966..0000000000
--- a/openshift/helm/templates/frontend-deployment.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: {{ .Values.frontend.name }}
- name: {{ .Values.frontend.name }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: {{ .Values.frontend.name }}
- strategy: {}
- template:
- metadata:
- labels:
- app: {{ .Values.frontend.name }}
- spec:
- containers:
- - env:
- - name: FRONTEND_PORT
- value: "5000"
- image: {{ .Values.frontend.image }}
- imagePullPolicy: Always
- name: {{ .Values.frontend.name }}
- resources: {}
- securityContext:
- capabilities:
- drop:
- - ALL
- restartPolicy: Always
- imagePullSecrets:
- - name: quality-time-pullsecret
diff --git a/openshift/helm/templates/notifier-deployment.yaml b/openshift/helm/templates/notifier-deployment.yaml
deleted file mode 100644
index a598d6f0d0..0000000000
--- a/openshift/helm/templates/notifier-deployment.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: {{ .Values.notifier.name }}
- name: {{ .Values.notifier.name }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: {{ .Values.notifier.name }}
- strategy: {}
- template:
- metadata:
- labels:
- app: {{ .Values.notifier.name }}
- spec:
- containers:
- - env:
- - name: DATABASE_URL
- value: mongodb://root:root@{{ .Values.database.name }}:27017
- - name: NOTIFIER_SLEEP_DURATION
- value: "60"
- image: {{ .Values.notifier.image }}
- imagePullPolicy: Always
- name: {{ .Values.notifier.name }}
- resources: {}
- securityContext:
- capabilities:
- drop:
- - ALL
- restartPolicy: Always
- imagePullSecrets:
- - name: quality-time-pullsecret
diff --git a/openshift/helm/templates/pull-secret.yaml b/openshift/helm/templates/pull-secret.yaml
deleted file mode 100644
index 753173b2aa..0000000000
--- a/openshift/helm/templates/pull-secret.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-data:
- .dockerconfigjson: {{ .Values.pullsecret }}
-kind: Secret
-metadata:
- name: quality-time-pullsecret
-type: kubernetes.io/dockerconfigjson
----
-apiVersion: v1
-imagePullSecrets:
-- name: quality-time-pullsecret
-kind: ServiceAccount
-metadata:
- name: quality-time-sa
-
\ No newline at end of file
diff --git a/openshift/helm/templates/renderer-deployment.yaml b/openshift/helm/templates/renderer-deployment.yaml
deleted file mode 100644
index bcecdbfe7f..0000000000
--- a/openshift/helm/templates/renderer-deployment.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: {{ .Values.renderer.name }}
- name: {{ .Values.renderer.name }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: {{ .Values.renderer.name }}
- strategy: {}
- template:
- metadata:
- labels:
- app: {{ .Values.renderer.name }}
- spec:
- containers:
- - env:
- - name: LC_ALL
- value: en_GB.UTF-8
- - name: PROXY_HOST
- value: {{ .Values.www.name }}
- - name: PROXY_PORT
- value: "80"
- - name: PROXY_PROTOCOL
- value: "http"
- - name: TZ
- value: Europe/Amsterdam
- image: {{ .Values.renderer.image }}
- imagePullPolicy: Always
- name: {{ .Values.renderer.name }}
- resources: {}
- restartPolicy: Always
- imagePullSecrets:
- - name: quality-time-pullsecret
diff --git a/openshift/helm/templates/www-deployment.yaml b/openshift/helm/templates/www-deployment.yaml
deleted file mode 100644
index 66e9dc439a..0000000000
--- a/openshift/helm/templates/www-deployment.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: {{ .Values.www.name }}
- name: {{ .Values.www.name }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: {{ .Values.www.name }}
- strategy: {}
- template:
- metadata:
- labels:
- app: {{ .Values.www.name }}
- spec:
- containers:
- - env:
- - name: API_SERVER_HOST
- value: {{ .Values.api_server.name }}
- - name: API_SERVER_PORT
- value: "5001"
- - name: FRONTEND_HOST
- value: {{ .Values.frontend.name }}
- - name: FRONTEND_PORT
- value: "5000"
- image: {{ .Values.www.image }}
- imagePullPolicy: Always
- name: {{ .Values.www.name }}
- ports:
- - containerPort: 8080
- resources: {}
- restartPolicy: Always
- imagePullSecrets:
- - name: quality-time-pullsecret
diff --git a/openshift/helm/templates/www-service.yaml b/openshift/helm/templates/www-service.yaml
deleted file mode 100644
index 4bb2e9de20..0000000000
--- a/openshift/helm/templates/www-service.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Values.database.name }}
-spec:
- ports:
- - name: 27017-tcp
- port: 27017
- protocol: TCP
- targetPort: 27017
- selector:
- app: {{ .Values.database.name }}
- sessionAffinity: None
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Values.frontend.name }}
-spec:
- ports:
- - name: 5000-tcp
- port: 5000
- protocol: TCP
- targetPort: 5000
- selector:
- app: {{ .Values.frontend.name }}
- sessionAffinity: None
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Values.api_server.name }}
-spec:
- ports:
- - name: 5001-tcp
- port: 5001
- protocol: TCP
- targetPort: 5001
- selector:
- app: {{ .Values.api_server.name }}
- sessionAffinity: None
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Values.www.name }}
-spec:
- ports:
- - name: 8080-tcp
- port: 8080
- protocol: TCP
- targetPort: 8080
- selector:
- app: {{ .Values.www.name }}
- sessionAffinity: None
----
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
- name: quality-route
-spec:
- tls:
- termination: edge
- insecureEdgeTerminationPolicy: Redirect
- path: /
- port:
- targetPort: 8080
- to:
- kind: Service
- name: {{ .Values.www.name }}
- weight: 100
- wildcardPolicy: None
diff --git a/openshift/helm/values.yaml b/openshift/helm/values.yaml
deleted file mode 100644
index 6a450399f5..0000000000
--- a/openshift/helm/values.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-pullsecret: mybase64encodedsecret
-
-collector:
- name: collector
- image: docker.io/ictu/quality-time_collector:v5.0.0
-
-database:
- name: database
- image: docker.io/ictu/quality-time_database:v5.0.0
- claimName: database
- accessMode: ReadWriteOnce
- storageSize: 5Gi
- storageClassName: ocs-storagecluster-cephfs
-
-api_server:
- name: apiserver
- image: docker.io/ictu/quality-time_api_server:v5.0.0
-
-frontend:
- name: frontend
- image: docker.io/ictu/quality-time_frontend:v5.0.0
-
-ldap:
- rootDN: dc=example,dc=org
- lookupUserDN: cn=admin,dc=example,dc=org
- lookupUserPassword: admin
- search: (|(uid=$$username)(cn=$$username))
- url: ldap://ldap:389
-
-notifier:
- name: notifier
- image: docker.io/ictu/quality-time_notifier:v5.0.0
-
-renderer:
- name: renderer
- image: docker.io/ictu/quality-time_renderer:v5.0.0
-
-www:
- name: www
- image: docker.io/ictu/quality-time_proxy:v5.0.0
-