fix everything except search service, analyze service and upload service, and...

fix everything except search service, analyze service and upload service, and identity service needs still some manuel patching

fix everything except search service, analyze service and upload service, and...
4f18ff12 · Manuel Esberger · 4ae4b30f · 4f18ff12 · 4f18ff12 · 4f18ff12
Commit 4f18ff12 authored 11 months ago by Manuel Esberger
--- a/helm/analyze_volume.sh
+++ b/helm/analyze_volume.sh
+oc run -i --rm --tty volpod --overrides='                                                                                                                                                                                   ─╯
+{
+    "apiVersion": "v1",
+    "kind": "Pod",
+    "metadata": {
+        "name": "volpod"
+    },
+    "spec": {
+        "containers": [{
+            "command": [
+                "cat",
+                "/mnt/data/grastate.dat"
+            ],
+            "image": "bitnami/minideb",
+            "name": "mycontainer",
+            "volumeMounts": [{
+                "mountPath": "/mnt",
+                "name": "galeradata"
+            }],
+            "resources": {
+                "requests": {
+                  "cpu": "50m",
+                  "memory": "512Mi"
+                },
+                "limits": {
+                  "cpu": "250m",
+                  "memory": "768Mi"
+                }
+            }
+        }],
+        "restartPolicy": "Never",
+        "volumes": [{
+            "name": "galeradata",
+            "persistentVolumeClaim": {
+                "claimName": "data-metadata-db-0"
+            }
+        }]
+    }
+}' --image="bitnami/minideb"
+
+
+# or minified
+oc run -i --rm --tty volpod --overrides='{"apiVersion":"v1","kind":"Pod","metadata":{"name":"volpod"},"spec":{"containers":[{"command":["cat","/mnt/data/grastate.dat"],"image":"bitnami/minideb","name":"mycontainer","volumeMounts":[{"mountPath":"/mnt","name":"galeradata"}],"resources":{"requests":{"cpu":"50m","memory":"512Mi"},"limits":{"cpu":"250m","memory":"768Mi"}}}],"restartPolicy":"Never","volumes":[{"name":"galeradata","persistentVolumeClaim":{"claimName":"data-metadata-db-0"}}]}}' --image="bitnami/minideb"
--- a/helm/dbrepo/Chart.lock
+++ b/helm/dbrepo/Chart.lock
 dependencies:
 - name: opensearch
  repository: https://charts.bitnami.com/bitnami
-  version: 1.2.2
+  version: 1.2.10
 - name: keycloak
  repository: https://charts.bitnami.com/bitnami
  version: 21.6.1
@@ -17,5 +17,5 @@ dependencies:
 - name: openldap-stack-ha
  repository: https://jp-gouin.github.io/helm-openldap/
  version: 4.2.5
-digest: sha256:0e5b13ddfd50c6d7b22de57db4b9c15401aa25c447b274567209083481a104f2
-generated: "2024-07-31T21:17:50.377126847+02:00"
+digest: sha256:3dc3749d40e45e1edc88ca116bdc7e66ba2e6a05467ec6619b96a0c1ac42f004
+generated: "2024-08-20T09:20:55.800765444+02:00"
--- a/helm/dbrepo/Chart.yaml
+++ b/helm/dbrepo/Chart.yaml
@@ -18,7 +18,7 @@ icon: https://gitlab.phaidra.org/fair-data-austria-db-repository/fda-services/-/
 dependencies:
  - name: opensearch
    alias: searchdb
-    version: 1.2.2
+    version: 1.2.10
    repository: https://charts.bitnami.com/bitnami
    condition: searchdb.enabled
  - name: keycloak

--- a/helm/dbrepo/charts/opensearch-1.2.10.tgz
+++ b/helm/dbrepo/charts/opensearch-1.2.10.tgz
--- a/helm/dbrepo/charts/opensearch-1.2.2.tgz
+++ b/helm/dbrepo/charts/opensearch-1.2.2.tgz
--- a/helm/dbrepo/get_event_log_for_pod.sh
+++ b/helm/dbrepo/get_event_log_for_pod.sh
+oc get events --sort-by=.metadata.creationTimestamp --field-selector involvedObject.kind=Pod,involvedObject.name=search-db-data-0
+#
+oc get events --sort-by=.metadata.creationTimestamp --field-selector involvedObject.kind=Pod,involvedObject.name=upload-service-78d96bc466-92l4z
+
+
+psql -d bitnami_keycloak -p 5432 -U bn_keycloak
+
+psql -d bitnami_keyck -p 3333 -U bn_keycloak
\ No newline at end of file
--- a/helm/dbrepo/templates/analyse-secret.yaml
+++ b/helm/dbrepo/templates/analyse-secret.yaml
@@ -16,9 +16,4 @@ stringData:
  GATEWAY_SERVICE_ENDPOINT: "{{ .Values.gateway }}"
  JWT_PUBKEY: "{{ .Values.authservice.jwt.pubkey }}"
  LOG_LEVEL: "{{ ternary "DEBUG" "INFO" .Values.analyseservice.image.debug }}"
-  S3_ACCESS_KEY_ID: "{{ .Values.storageservice.s3.auth.adminAccessKeyId }}"
-  S3_ENDPOINT: "{{ .Values.analyseservice.s3.endpoint }}"
-  S3_EXPORT_BUCKET: "{{ .Values.storageservice.s3.bucket.export }}"
-  S3_IMPORT_BUCKET: "{{ .Values.storageservice.s3.bucket.import }}"
-  S3_SECRET_ACCESS_KEY: "{{ .Values.storageservice.s3.auth.adminSecretAccessKey }}"
 {{- end }}
--- a/helm/dbrepo/templates/search-deployment.yaml
+++ b/helm/dbrepo/templates/search-deployment.yaml
@@ -41,7 +41,6 @@ spec:
          image: {{ .Values.searchservice.image.name }}
          imagePullPolicy: {{ .Values.searchservice.image.pullPolicy | default "IfNotPresent" }}
          securityContext:
-            allowPrivilegeEscalation: false
            runAsNonRoot: true
 #          readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false

--- a/helm/dbrepo/values.yaml
+++ b/helm/dbrepo/values.yaml
@@ -30,7 +30,7 @@ resourcesWStorage:
    memory: 756Mi
  requests:
    cpu: 100m
-    ephemeral-storage: 20Mi
+    ephemeral-storage: 10Mi
    memory: 256Mi

 resourcesLittle:
@@ -84,6 +84,9 @@ metadatadb:
      user: backup
      ## @param metadatadb.galera.mariabackup.password The database backup user password
      password: backup
+    bootstrap:
+      forceBootstrap: true
+      forceSafeToBootstrap: true
  ## @param metadatadb.jdbcExtraArgs The extra arguments for JDBC connections in the microservices.
  jdbcExtraArgs: ""
  metrics:
@@ -121,10 +124,9 @@ metadatadb:
      ephemeral-storage: 10Mi
      memory: 512Mi
    limits:
-      cpu: 150m
+      cpu: 250m
      ephemeral-storage: 20Mi
      memory: 768Mi
-
 ## @section Auth Service

 authservice:
@@ -139,15 +141,16 @@ authservice:
  endpoint: http://auth-service
  auth:
    ## @param authservice.auth.adminUser The admin username.
-    adminUser: admin
+    adminUser: bn_keycloak
    ## @param authservice.auth.adminPassword The admin user password.
-    adminPassword: de4aingohyohveeRooZe
+    adminPassword: "admin"
  ## @skip authservice.postgresql
  postgresql:
    enabled: true
    fullnameOverride: auth-db
    auth:
-      postgresPassword: Zaethie2gai3phogh3wa
+      password: "admin"
+      postgresPassword: "admin"
  ## @skip authservice.extraStartupArgs
  extraStartupArgs: "--import-realm"
  jwt:
@@ -167,7 +170,7 @@ authservice:
    ## @param authservice.client.id The client id for the microservices.
    id: dbrepo-client
    ## @param authservice.client.secret The client secret for the microservices.
-    secret: MUwRc7yfXSJwX8AdRMWaQC3Nep1VjwgG
+    secret: admin
  ## @skip authservice.extraEnvVarsCM
  extraEnvVarsCM: auth-service-config
  ## @skip authservice.extraVolumes
@@ -189,7 +192,6 @@ authservice:
      cpu: 250m
      ephemeral-storage: 10Mi
      memory: 768Mi
-
  replicaCount: 2

 ## @section Data Database
@@ -218,18 +220,18 @@ datadb:
        ephemeral-storage: 10Mi
        memory: 512Mi
      limits:
-        cpu: 150m
+        cpu: 100m
        ephemeral-storage: 10Mi
        memory: 768Mi
  ## @skip datadb.primary
  primary:
    resources:
      requests:
-        cpu: 25m
+        cpu: 100m
        ephemeral-storage: 10Mi
        memory: 512Mi
      limits:
-        cpu: 100m
+        cpu: 200m
        ephemeral-storage: 10Mi
        memory: 768Mi
    service:
@@ -313,6 +315,8 @@ datadb:
 searchdb:
  ## @param searchdb.enabled Enable the Data Database.
  enabled: true
+  sysctlImage:
+    enabled: false
  ## @skip searchdb.fullnameOverride
  fullnameOverride: search-db
  ## @skip searchdb.servicenameOverride
@@ -328,7 +332,40 @@ searchdb:
    adminPassword: admin
  ## @param searchdb.clusterName The cluster name.
  clusterName: search-db
-
+  master:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 250m
+        memory: 512Mi
+  coordinating:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 250m
+        memory: 512Mi
+  ingest:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 250m
+        memory: 512Mi
+  data:
+    resources:
+      limits:
+        cpu: 250m
+        ephemeral-storage: 700Mi
+        memory: 1536Mi
+      requests:
+        cpu: 100m
+        ephemeral-storage: 50Mi
+        memory: 512Mi
 ## @section Upload Service

 uploadservice:
@@ -439,12 +476,12 @@ brokerservice:
  ## @param brokerservice.replicaCount The number of replicas.
  resources:
    requests:
-      cpu: 50m
+      cpu: 200m
      ephemeral-storage: 10Mi
      memory: 512Mi
    limits:
      cpu: 300m
-      ephemeral-storage: 100Mi
+      ephemeral-storage: 50Mi
      memory: 768Mi
  replicaCount: 1

@@ -452,7 +489,7 @@ brokerservice:

 analyseservice:
  ## @param analyseservice.enabled Enable the Broker Service.
-  enabled: true
+  enabled: false
  image:
    ## @skip analyseservice.image.name
    name: registry.datalab.tuwien.ac.at/dbrepo/analyse-service:1.4.5
@@ -499,7 +536,7 @@ analyseservice:
      cpu: 250m
      memory: 512Mi
    limits:
-      cpu: 500m
+      cpu: 250m
      memory: 2048Mi

  ## @param analyseservice.endpoint The url of the endpoint.
@@ -560,7 +597,7 @@ metadataservice:
      cpu: 250m
      memory: 512Mi
    limits:
-      cpu: 500m
+      cpu: 250m
      memory: 1024Mi
  ## @param metadataservice.endpoint The Metadata Service endpoint.
  endpoint: http://metadata-service
@@ -706,16 +743,16 @@ searchservice:
    ## @param searchservice.podSecurityContext.supplementalGroups Set filesystem extra groups
    supplementalGroups: [ ]
    ## @param searchservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
-    # fsGroup: 1001
+    fsGroup: 1001
  containerSecurityContext:
    ## @param searchservice.containerSecurityContext.enabled Enabled containers' Security Context
    enabled: true
    ## @param searchservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
    seLinuxOptions: { }
    ## @param searchservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
-    # runAsUser: 1001
+    runAsUser: 1000
    ## @param searchservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
-    # runAsGroup: 1001
+    runAsGroup: 1001
    ## @param searchservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
    runAsNonRoot: true
    ## @param searchservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
@@ -724,7 +761,8 @@ searchservice:
    readOnlyRootFilesystem: true
    capabilities:
      ## @param searchservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
-      drop: [ "ALL" ]
+      add:
+        - NET_BIND_SERVICE
    seccompProfile:
      ## @param searchservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
      type: "RuntimeDefault"
@@ -733,7 +771,7 @@ searchservice:
      cpu: 250m
      memory: 512Mi
    limits:
-      cpu: 500m
+      cpu: 250m
      memory: 1024Mi
  ## @skip searchservice.init
  init:
@@ -743,47 +781,6 @@ searchservice:
  ## @param searchservice.replicaCount The number of replicas.
  replicaCount: 2

-## @section Storage Service
-
-storageservice:
-  ## @param storageservice.enabled Enable the Storage Service.
-  enabled: true
-  ## @skip storageservice.fullnameOverride
-  fullnameOverride: storage-service
-  mariadb:
-    ## @skip storageservice.mariadb.fullnameOverride
-    fullnameOverride: storage-service-db
-    ## @skip storageservice.mariadb.enabled
-    enabled: true
-  master:
-    ## @skip storageservice.master.enabled
-    enabled: true
-  filer:
-    ## @param storageservice.filer.enabled Enable the storage service filer which is required for S3.
-    enabled: true
-  volume:
-    ## @skip storageservice.volume.enabled
-    enabled: false
-  s3:
-    ## @skip storageservice.s3.enabled
-    enabled: true
-    ## @param storageservice.s3.replicaCount The number of replicas.
-    replicaCount: 2
-    bucket:
-      import: dbrepo-upload
-      export: dbrepo-download
-    auth:
-      ## @param storageservice.s3.auth.enabled Enable the S3 service.
-      enabled: true
-      ## @param storageservice.s3.auth.adminAccessKeyId The S3 access key id for the admin user. In some systems this is named `username`.
-      adminAccessKeyId: seaweedfsadmin
-      ## @param storageservice.s3.auth.adminSecretAccessKey The S3 secret access key for the admin user. In some systems this is named `password`.
-      adminSecretAccessKey: seaweedfsadmin
-  ## @skip storageservice.init
-  init:
-    image: registry.datalab.tuwien.ac.at/dbrepo/storage-service-init:1.4.5
-    pullPolicy: Always
-
 ## @section Identity Service

 identityservice:
@@ -808,7 +805,7 @@ identityservice:
    ## @param identityservice.global.ldapDomain The LDAP domain name in domain "dbrepo.at" form or explicit in "dc=dbrepo,dc=at" form.
    ldapDomain: dc=dbrepo,dc=at
    ## @param identityservice.global.adminUser The admin username that is used to bind.
-    adminUser: admin
+    adminUser:
    ## @param identityservice.global.adminPassword The admin user password that is used to bind.
    adminPassword: admin
    ## @skip identityservice.global.configUserEnabled
@@ -900,7 +897,7 @@ ui:
      cpu: 250m
      memory: 512Mi
    limits:
-      cpu: 500m
+      cpu: 250m
      memory: 1024Mi
  public:
    api:
@@ -966,7 +963,7 @@ ui:

 ingress:
  enabled: true
-  className: nginx
+  className: "openshift-default"
  tls:
    enabled: true
    secretName: dbrepo-ingress-tls-cert