staging: Migrate web-cassandra to be the main staging webapp
This makes webapp-cassandra the main backend for webapp.staging.swh.network.
The webapp-postgresql instance is kept, though.
Some work on the rp is still required before this is actually ok.
make swh-helm-diff
[swh] Comparing changes between branches production and migrate-webapp-to-cassandra (per environment)...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Switched to branch 'migrate-webapp-to-cassandra'
[swh] Generate config in migrate-webapp-to-cassandra branch for environment staging...
[swh] Generate config in migrate-webapp-to-cassandra branch for environment staging...
[swh] Generate config in migrate-webapp-to-cassandra branch for environment staging...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Switched to branch 'migrate-webapp-to-cassandra'
[swh] Generate config in migrate-webapp-to-cassandra branch for environment production...
[swh] Generate config in migrate-webapp-to-cassandra branch for environment production...
[swh] Generate config in migrate-webapp-to-cassandra branch for environment production...
------------- diff for environment staging namespace swh -------------
--- /tmp/swh-chart.swh.aBMs3T8r/staging-swh.before 2023-11-21 11:43:32.033742934 +0100
+++ /tmp/swh-chart.swh.aBMs3T8r/staging-swh.after 2023-11-21 11:43:32.713742581 +0100
@@ -4504,45 +4504,30 @@
if [ -e "${DB_VERSION}" ]; then
echo "Unable to find the code version"
exit 1
fi
if [ "$DB_VERSION" -ne "$CODE_VERSION" ]; then
echo "code and DB versions are different. Blocking the deployment"
exit 1
fi
---
-# Source: swh/templates/web/configmap-pgservice.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- namespace: swh
- name: pgservice-configuration-template
-data:
- pg-service-conf: |
- [syncmailmaps]
- dbname=swh
- host=db1.internal.staging.swh.network
- port=5432
- user=swhmailmap
----
# Source: swh/templates/web/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
namespace: swh
name: web-configuration-template
data:
config.yml.template: |
- instance_name: webapp.staging.swh.network
+ instance_name: webapp-postgresql.internal.staging.swh.network
allowed_hosts:
- - webapp.staging.swh.network
- webapp-postgresql.internal.staging.swh.network
storage:
cls: remote
url: http://storage1.internal.staging.swh.network:5002
search:
cls: remote
url: http://search-rpc-ingress
scheduler:
cls: remote
url: http://scheduler.internal.staging.swh.network
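Review bot: The version gate in the context lines at the top of this hunk looks fail-open: `if [ -e "${DB_VERSION}" ]` tests whether a file of that name exists, so an empty `DB_VERSION` is not caught. The following `[ "$DB_VERSION" -ne "$CODE_VERSION" ]` then fails with a non-zero status that `if` treats as false, and the deployment continues. If the intent is to reject a missing value, `if [ -z "${DB_VERSION}" ] || [ -z "${CODE_VERSION}" ]; then` would block instead. The script starts outside this hunk and the commit does not touch it, so where the two variables are set should be checked first.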
@@ -23789,21 +23774,21 @@
app: web
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
template:
metadata:
labels:
app: web
annotations:
- checksum/config: f5bc233e775b04a77cfe29b8f95c8e459edd25efbbdc18ae77ade760b89b85fa
+ checksum/config: 407b483aaa9910f4935118877967eb3c461da8e45c27bcffd4240c5e35e69f0e
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: swh/web
operator: In
values:
- "true"
@@ -23926,32 +23911,32 @@
imagePullPolicy: IfNotPresent
ports:
- containerPort: 5004
name: webapp
readinessProbe:
httpGet:
path: /
port: webapp
httpHeaders:
- name: Host
- value: webapp.staging.swh.network
+ value: webapp-postgresql.internal.staging.swh.network
initialDelaySeconds: 5
failureThreshold: 30
periodSeconds: 10
timeoutSeconds: 30
livenessProbe:
httpGet:
path: /
port: webapp
httpHeaders:
- name: Host
- value: webapp.staging.swh.network
+ value: webapp-postgresql.internal.staging.swh.network
initialDelaySeconds: 3
periodSeconds: 10
timeoutSeconds: 30
command:
- /bin/bash
args:
- -c
- /opt/swh/entrypoint.sh
env:
- name: STATSD_HOST
@@ -24185,324 +24170,20 @@
- name: configuration
emptyDir: {}
- name: configuration-template
configMap:
name: scheduler-update-metrics-configuration-template
items:
- key: "config.yml.template"
path: "config.yml.template"
restartPolicy: OnFailure
---
-# Source: swh/templates/web/refresh-savecodenow-statuses-cronjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: refresh-savecodenow-statuses-cronjob
-spec:
- schedule: "*/2 * * * *"
- concurrencyPolicy: Forbid
- jobTemplate:
- spec:
- template:
- spec:
- priorityClassName: swh-frontend-rpc-workload
-
- initContainers:
- - name: prepare-web-configuration
- image: debian:bullseye
- imagePullPolicy: IfNotPresent
- command:
- - /bin/bash
- args:
- - -c
- - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
- env:
-
- - name: POSTGRESQL_PASSWORD
- valueFrom:
- secretKeyRef:
- name: swh-postgresql-web-secrets
- key: postgres-swh-web-password
- # 'name' secret must exist & include that ^ key
- optional: false
-
- - name: DJANGO_SECRET_KEY
- valueFrom:
- secretKeyRef:
- name: swh-webapp-django-secret
- key: webapp-django-secret-key
- # 'name' secret must exist & include that ^ key
- optional: false
-
-
- - name: DEPOSIT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: deposit-secrets
- key: password
- # 'name' secret must exist & include that ^ key
- optional: false
- - name: DEPOSIT_USERNAME
- valueFrom:
- secretKeyRef:
- name: deposit-secrets
- key: username
- # 'name' secret must exist & include that ^ key
- optional: false
-
-
- - name: GIVE_PRIVATE_TOKEN
- valueFrom:
- secretKeyRef:
- name: web-give-secrets
- key: private-token
- # 'name' secret must exist & include that ^ key
- optional: false
- - name: GIVE_PUBLIC_KEY
- valueFrom:
- secretKeyRef:
- name: web-give-secrets
- key: public-key
- # 'name' secret must exist & include that ^ key
- optional: false
-
- - name: SWH_SENTRY_DSN
- valueFrom:
- secretKeyRef:
- name: common-secrets
- key: web-sentry-dsn
- # 'name' secret should exist & include key
- # if the setting doesn't exist, sentry pushes will be disabled
- optional: true
-
- volumeMounts:
- - name: configuration
- mountPath: /etc/swh
- - name: web-configuration-template
- mountPath: /etc/swh/configuration-template
- containers:
- - name: refresh-savecodenow-statuses
- resources:
- requests:
- memory: 512Mi
- cpu: 500m
- image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231120.4
- command:
- - /opt/swh/entrypoint.sh
- args:
- - refresh
- env:
- - name: STATSD_HOST
- value: prometheus-statsd-exporter
- - name: STATSD_PORT
- value: "9125"
- - name: SWH_CONFIG_FILENAME
- value: /etc/swh/config.yml
- - name: LOG_LEVEL
- value: INFO
- - name: SWH_SENTRY_ENVIRONMENT
- value: staging
- - name: SWH_MAIN_PACKAGE
- value: swh.web
- - name: SWH_SENTRY_DSN
- valueFrom:
- secretKeyRef:
- name: common-secrets
- key: web-sentry-dsn
- # if the setting doesn't exist, sentry issue pushes will be disabled
- optional: false
- - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
- value: "true"
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: configuration
- mountPath: /etc/swh
- volumes:
- - name: configuration
- emptyDir: {}
- - name: web-configuration-template
- configMap:
- name: web-configuration-template
- items:
- - key: "config.yml.template"
- path: "config.yml.template"
- restartPolicy: OnFailure
----
-# Source: swh/templates/web/sync-mailmaps-cronjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: sync-mailmaps-cronjob
-spec:
- schedule: "15 * * * *"
- concurrencyPolicy: Forbid
- jobTemplate:
- spec:
- template:
- spec:
- priorityClassName: swh-frontend-rpc-workload
-
- initContainers:
- - name: prepare-pgservice-configuration
- image: debian:bullseye
- imagePullPolicy: IfNotPresent
- command:
- - /bin/bash
- args:
- - -c
- - eval "cp /etc/swh/config/pg_service.conf /etc/swh/.pg_service.conf"
- volumeMounts:
- - name: configuration
- mountPath: /etc/swh
- - name: pgservice-configuration-template
- mountPath: /etc/swh/config
-
- - name: prepare-web-configuration
- image: debian:bullseye
- imagePullPolicy: IfNotPresent
- command:
- - /bin/bash
- args:
- - -c
- - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
- env:
-
- - name: POSTGRESQL_PASSWORD
- valueFrom:
- secretKeyRef:
- name: swh-postgresql-web-secrets
- key: postgres-swh-web-password
- # 'name' secret must exist & include that ^ key
- optional: false
-
- - name: DJANGO_SECRET_KEY
- valueFrom:
- secretKeyRef:
- name: swh-webapp-django-secret
- key: webapp-django-secret-key
- # 'name' secret must exist & include that ^ key
- optional: false
-
-
- - name: DEPOSIT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: deposit-secrets
- key: password
- # 'name' secret must exist & include that ^ key
- optional: false
- - name: DEPOSIT_USERNAME
- valueFrom:
- secretKeyRef:
- name: deposit-secrets
- key: username
- # 'name' secret must exist & include that ^ key
- optional: false
-
-
- - name: GIVE_PRIVATE_TOKEN
- valueFrom:
- secretKeyRef:
- name: web-give-secrets
- key: private-token
- # 'name' secret must exist & include that ^ key
- optional: false
- - name: GIVE_PUBLIC_KEY
- valueFrom:
- secretKeyRef:
- name: web-give-secrets
- key: public-key
- # 'name' secret must exist & include that ^ key
- optional: false
-
- - name: SWH_SENTRY_DSN
- valueFrom:
- secretKeyRef:
- name: common-secrets
- key: web-sentry-dsn
- # 'name' secret should exist & include key
- # if the setting doesn't exist, sentry pushes will be disabled
- optional: true
-
- volumeMounts:
- - name: configuration
- mountPath: /etc/swh
- - name: web-configuration-template
- mountPath: /etc/swh/configuration-template
- containers:
- - name: sync-mailmaps
- resources:
- requests:
- memory: 512Mi
- cpu: 500m
- image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231120.4
- command:
- - /opt/swh/entrypoint.sh
- args:
- - sync-mailmaps
- - service=syncmailmaps
- env:
- - name: STATSD_HOST
- value: prometheus-statsd-exporter
- - name: STATSD_PORT
- value: "9125"
- - name: SWH_CONFIG_FILENAME
- value: /etc/swh/config.yml
- - name: LOG_LEVEL
- value: INFO
- - name: SWH_SENTRY_ENVIRONMENT
- value: staging
- - name: SWH_MAIN_PACKAGE
- value: swh.web
- - name: SWH_SENTRY_DSN
- valueFrom:
- secretKeyRef:
- name: common-secrets
- key: web-sentry-dsn
- # if the setting doesn't exist, sentry issue pushes will be disabled
- optional: false
- - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
- value: "true"
- - name: PGSERVICEFILE
- value: /etc/swh/.pg_service.conf
-
- - name: PGPASSWORD
- valueFrom:
- secretKeyRef:
- name: swh-postgresql-syncmailmap-secret
- key: postgres-syncmailmap-password
- # 'name' secret must exist & include that ^ key
- optional: false
-
-
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: configuration
- mountPath: /etc/swh
- volumes:
- - name: configuration
- emptyDir: {}
- - name: web-configuration-template
- configMap:
- name: web-configuration-template
- items:
- - key: "config.yml.template"
- path: "config.yml.template"
- - name: pgservice-configuration-template
- configMap:
- name: pgservice-configuration-template
- items:
- - key: "pg-service-conf"
- path: "pg_service.conf"
-
- restartPolicy: OnFailure
----
# Source: swh/templates/graphql/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh
name: graphql-ingress-default
annotations:
nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
@@ -24653,60 +24334,33 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh
name: web-ingress-authenticated
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
- nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# an htpasswd file in the key auth within the secret
nginx.ingress.kubernetes.io/auth-secret-type: auth-file
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
spec:
rules:
- - host: webapp.staging.swh.network
- http:
- paths:
- - path: /api/1/provenance/
- pathType: Prefix
- backend:
- service:
- name: web
- port:
- number: 5004
-
- - path: /api/1/entity/
- pathType: Prefix
- backend:
- service:
- name: web
- port:
- number: 5004
-
- - path: /api/1/content/[^/]+/symbol/
- pathType: Prefix
- backend:
- service:
- name: web
- port:
- number: 5004
-
- host: webapp-postgresql.internal.staging.swh.network
http:
paths:
- path: /api/1/provenance/
pathType: Prefix
backend:
service:
name: web
port:
number: 5004
@@ -24722,59 +24376,39 @@
- path: /api/1/content/[^/]+/symbol/
pathType: Prefix
backend:
service:
name: web
port:
number: 5004
tls:
- hosts:
- - webapp.staging.swh.network
- webapp-postgresql.internal.staging.swh.network
secretName: swh-web-crt
---
# Source: swh/templates/web/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh
name: web-ingress-default
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
- nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
rules:
- - host: webapp.staging.swh.network
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: web
- port:
- number: 5004
-
- - path: /static
- pathType: Prefix
- backend:
- service:
- name: web
- port:
- number: 80
-
- host: webapp-postgresql.internal.staging.swh.network
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 5004
@@ -24782,21 +24416,20 @@
- path: /static
pathType: Prefix
backend:
service:
name: web
port:
number: 80
tls:
- hosts:
- - webapp.staging.swh.network
- webapp-postgresql.internal.staging.swh.network
secretName: swh-web-crt
---
# Source: swh/charts/keda/templates/metrics-server/apiservice.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
labels:
app.kubernetes.io/name: v1beta1.external.metrics.k8s.io
------------- diff for environment staging namespace swh-cassandra -------------
--- /tmp/swh-chart.swh.aBMs3T8r/staging-swh-cassandra.before 2023-11-21 11:43:32.265742813 +0100
+++ /tmp/swh-chart.swh.aBMs3T8r/staging-swh-cassandra.after 2023-11-21 11:43:32.961742452 +0100
@@ -4338,50 +4338,69 @@
url: http://storage1.internal.staging.swh.network:5003
cache:
cls: azure
compression: none
connection_string: DefaultEndpointsProtocol=https;AccountName=swhvaultstoragestaging;AccountKey=${ACCOUNT_KEY};EndpointSuffix=core.windows.net
container_name: contents-uncompressed
smtp:
host: smtp.inria.fr
port: 25
---
+# Source: swh/templates/web/configmap-pgservice.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: swh-cassandra
+ name: pgservice-configuration-template
+data:
+ pg-service-conf: |
+ [syncmailmaps]
+ dbname=swh
+ host=db1.internal.staging.swh.network
+ port=5432
+ user=swhmailmap
+---
# Source: swh/templates/web/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
namespace: swh-cassandra
name: web-configuration-template
data:
config.yml.template: |
- instance_name: webapp-cassandra.internal.staging.swh.network
+ instance_name: webapp.staging.swh.network
allowed_hosts:
+ - webapp.staging.swh.network
- webapp-cassandra.internal.staging.swh.network
storage:
cls: remote
url: http://storage:5002
search:
cls: remote
url: http://search-rpc-ingress
scheduler:
cls: remote
url: http://scheduler.internal.staging.swh.network
vault:
cls: remote
url: http://vault-rpc-ingress
indexer_storage:
cls: remote
url: http://indexer-storage-rpc-ingress
counters_backend: swh-counters
counters:
cls: remote
url: http://counters0.internal.staging.swh.network:5011/
+ deposit:
+ private_api_url: https://deposit-rp.internal.staging.swh.network/1/private/
+ private_api_user: ${DEPOSIT_USERNAME}
+ private_api_password: ${DEPOSIT_PASSWORD}
add_forge_now:
email_address: add-forge-now@webapp.staging.swh.network
gitlab_pipeline:
gitlab_token: ${GITLAB_AFN_TOKEN}
trigger_url: https://gitlab.softwareheritage.org/api/v4/projects/474/trigger/pipeline
secret_key: ${DJANGO_SECRET_KEY}
production_db:
host: db1.internal.staging.swh.network
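Review bot: The added `private_api_user: ${DEPOSIT_USERNAME}` and `private_api_password: ${DEPOSIT_PASSWORD}` lines place secret values into the rendered config.yml as plain YAML scalars, so a password that contains ` #` or `: `, starts with a YAML indicator such as `*` or `!`, or is all digits would be truncated, rejected or loaded as a non-string. The init containers added later in this diff render the template with `eval echo "…"`, which consumes double quotes, so single quotes are the form that survives: `private_api_password: '${DEPOSIT_PASSWORD}'`, and likewise for the user (a value containing `'` would still need escaping). The same block is added in the swh-cassandra-next-version hunk, and the `secret_key` and `gitlab_token` context lines follow the same unquoted pattern.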
@@ -22209,21 +22228,21 @@
app: web
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
template:
metadata:
labels:
app: web
annotations:
- checksum/config: 39367f82fc5191f75d68157a566999b7a7a4fab2834864686f7a3706247c73f2
+ checksum/config: 220c5a6b3d84e909d86164c40cb351a075f3e1eb0ddba264e69268ee016af86a
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: swh/web
operator: In
values:
- "true"
@@ -22250,20 +22269,36 @@
- name: DJANGO_SECRET_KEY
valueFrom:
secretKeyRef:
name: swh-webapp-django-secret
key: webapp-django-secret-key
# 'name' secret must exist & include that ^ key
optional: false
+ - name: DEPOSIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: deposit-secrets
+ key: password
+ # 'name' secret must exist & include that ^ key
+ optional: false
+ - name: DEPOSIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: deposit-secrets
+ key: username
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+
- name: GIVE_PRIVATE_TOKEN
valueFrom:
secretKeyRef:
name: web-give-secrets
key: private-token
# 'name' secret must exist & include that ^ key
optional: false
- name: GIVE_PUBLIC_KEY
valueFrom:
secretKeyRef:
@@ -22330,32 +22365,32 @@
imagePullPolicy: IfNotPresent
ports:
- containerPort: 5004
name: webapp
readinessProbe:
httpGet:
path: /
port: webapp
httpHeaders:
- name: Host
- value: webapp-cassandra.internal.staging.swh.network
+ value: webapp.staging.swh.network
initialDelaySeconds: 5
failureThreshold: 30
periodSeconds: 10
timeoutSeconds: 30
livenessProbe:
httpGet:
path: /
port: webapp
httpHeaders:
- name: Host
- value: webapp-cassandra.internal.staging.swh.network
+ value: webapp.staging.swh.network
initialDelaySeconds: 3
periodSeconds: 10
timeoutSeconds: 30
command:
- /bin/bash
args:
- -c
- /opt/swh/entrypoint.sh
env:
- name: STATSD_HOST
@@ -22516,20 +22551,324 @@
minReplicas: 1
maxReplicas: 3
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 50
---
+# Source: swh/templates/web/refresh-savecodenow-statuses-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: refresh-savecodenow-statuses-cronjob
+spec:
+ schedule: "*/2 * * * *"
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ priorityClassName: swh-cassandra-frontend-rpc-workload
+
+ initContainers:
+ - name: prepare-web-configuration
+ image: debian:bullseye
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
+ env:
+
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: swh-postgresql-web-secrets
+ key: postgres-swh-web-password
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+ - name: DJANGO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: swh-webapp-django-secret
+ key: webapp-django-secret-key
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+
+ - name: DEPOSIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: deposit-secrets
+ key: password
+ # 'name' secret must exist & include that ^ key
+ optional: false
+ - name: DEPOSIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: deposit-secrets
+ key: username
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+
+ - name: GIVE_PRIVATE_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: web-give-secrets
+ key: private-token
+ # 'name' secret must exist & include that ^ key
+ optional: false
+ - name: GIVE_PUBLIC_KEY
+ valueFrom:
+ secretKeyRef:
+ name: web-give-secrets
+ key: public-key
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+ - name: SWH_SENTRY_DSN
+ valueFrom:
+ secretKeyRef:
+ name: common-secrets
+ key: web-sentry-dsn
+ # 'name' secret should exist & include key
+ # if the setting doesn't exist, sentry pushes will be disabled
+ optional: true
+
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+ - name: web-configuration-template
+ mountPath: /etc/swh/configuration-template
+ containers:
+ - name: refresh-savecodenow-statuses
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 500m
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231120.4
+ command:
+ - /opt/swh/entrypoint.sh
+ args:
+ - refresh
+ env:
+ - name: STATSD_HOST
+ value: prometheus-statsd-exporter
+ - name: STATSD_PORT
+ value: "9125"
+ - name: SWH_CONFIG_FILENAME
+ value: /etc/swh/config.yml
+ - name: LOG_LEVEL
+ value: INFO
+ - name: SWH_SENTRY_ENVIRONMENT
+ value: staging
+ - name: SWH_MAIN_PACKAGE
+ value: swh.web
+ - name: SWH_SENTRY_DSN
+ valueFrom:
+ secretKeyRef:
+ name: common-secrets
+ key: web-sentry-dsn
+ # if the setting doesn't exist, sentry issue pushes will be disabled
+ optional: false
+ - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+ value: "true"
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+ volumes:
+ - name: configuration
+ emptyDir: {}
+ - name: web-configuration-template
+ configMap:
+ name: web-configuration-template
+ items:
+ - key: "config.yml.template"
+ path: "config.yml.template"
+ restartPolicy: OnFailure
+---
+# Source: swh/templates/web/sync-mailmaps-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: sync-mailmaps-cronjob
+spec:
+ schedule: "15 * * * *"
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ priorityClassName: swh-cassandra-frontend-rpc-workload
+
+ initContainers:
+ - name: prepare-pgservice-configuration
+ image: debian:bullseye
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - eval "cp /etc/swh/config/pg_service.conf /etc/swh/.pg_service.conf"
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+ - name: pgservice-configuration-template
+ mountPath: /etc/swh/config
+
+ - name: prepare-web-configuration
+ image: debian:bullseye
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
+ env:
+
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: swh-postgresql-web-secrets
+ key: postgres-swh-web-password
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+ - name: DJANGO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: swh-webapp-django-secret
+ key: webapp-django-secret-key
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+
+ - name: DEPOSIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: deposit-secrets
+ key: password
+ # 'name' secret must exist & include that ^ key
+ optional: false
+ - name: DEPOSIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: deposit-secrets
+ key: username
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+
+ - name: GIVE_PRIVATE_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: web-give-secrets
+ key: private-token
+ # 'name' secret must exist & include that ^ key
+ optional: false
+ - name: GIVE_PUBLIC_KEY
+ valueFrom:
+ secretKeyRef:
+ name: web-give-secrets
+ key: public-key
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+ - name: SWH_SENTRY_DSN
+ valueFrom:
+ secretKeyRef:
+ name: common-secrets
+ key: web-sentry-dsn
+ # 'name' secret should exist & include key
+ # if the setting doesn't exist, sentry pushes will be disabled
+ optional: true
+
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+ - name: web-configuration-template
+ mountPath: /etc/swh/configuration-template
+ containers:
+ - name: sync-mailmaps
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 500m
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231120.4
+ command:
+ - /opt/swh/entrypoint.sh
+ args:
+ - sync-mailmaps
+ - service=syncmailmaps
+ env:
+ - name: STATSD_HOST
+ value: prometheus-statsd-exporter
+ - name: STATSD_PORT
+ value: "9125"
+ - name: SWH_CONFIG_FILENAME
+ value: /etc/swh/config.yml
+ - name: LOG_LEVEL
+ value: INFO
+ - name: SWH_SENTRY_ENVIRONMENT
+ value: staging
+ - name: SWH_MAIN_PACKAGE
+ value: swh.web
+ - name: SWH_SENTRY_DSN
+ valueFrom:
+ secretKeyRef:
+ name: common-secrets
+ key: web-sentry-dsn
+ # if the setting doesn't exist, sentry issue pushes will be disabled
+ optional: false
+ - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+ value: "true"
+ - name: PGSERVICEFILE
+ value: /etc/swh/.pg_service.conf
+
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: swh-postgresql-syncmailmap-secret
+ key: postgres-syncmailmap-password
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+ volumes:
+ - name: configuration
+ emptyDir: {}
+ - name: web-configuration-template
+ configMap:
+ name: web-configuration-template
+ items:
+ - key: "config.yml.template"
+ path: "config.yml.template"
+ - name: pgservice-configuration-template
+ configMap:
+ name: pgservice-configuration-template
+ items:
+ - key: "pg-service-conf"
+ path: "pg_service.conf"
+
+ restartPolicy: OnFailure
+---
# Source: swh/templates/deposit/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh-cassandra
name: deposit-ingress-authenticated
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/ingress.class: nginx
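Review bot: Both new CronJobs render their configuration with `eval echo "\"$(<…/config.yml.template)\"" > /etc/swh/config.yml`, which hands the whole ConfigMap text to the shell: any `$(…)` or backtick in the template is executed in an init container whose environment holds every web secret, and double quotes or backslashes in the template are silently consumed. A substitution-only tool such as `envsubst` would avoid both, though it would need an init image that ships it (the stock `debian:bullseye` image presumably does not). The `prepare-pgservice-configuration` container needs no `eval` at all; `cp /etc/swh/config/pg_service.conf /etc/swh/.pg_service.conf` does the same. Separately, `SWH_SENTRY_DSN` is `optional: false` on the main containers although its comment and the init containers' `optional: true` say the key may be absent.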
@@ -22743,38 +23082,64 @@
port:
number: 5005
---
# Source: swh/templates/web/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh-cassandra
name: web-ingress-authenticated
annotations:
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24,192.168.50.0/24
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# an htpasswd file in the key auth within the secret
nginx.ingress.kubernetes.io/auth-secret-type: auth-file
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
spec:
rules:
+ - host: webapp.staging.swh.network
+ http:
+ paths:
+ - path: /api/1/provenance/
+ pathType: Prefix
+ backend:
+ service:
+ name: web
+ port:
+ number: 5004
+
+ - path: /api/1/entity/
+ pathType: Prefix
+ backend:
+ service:
+ name: web
+ port:
+ number: 5004
+
+ - path: /api/1/content/[^/]+/symbol/
+ pathType: Prefix
+ backend:
+ service:
+ name: web
+ port:
+ number: 5004
+
- host: webapp-cassandra.internal.staging.swh.network
http:
paths:
- path: /api/1/provenance/
pathType: Prefix
backend:
service:
name: web
port:
number: 5004
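Review bot: The added rule `path: /api/1/content/[^/]+/symbol/` carries a regular expression under `pathType: Prefix`, and no `nginx.ingress.kubernetes.io/use-regex` annotation is set on web-ingress-authenticated. Unless regex matching is switched on for this host by another Ingress, the path is presumably compared literally, so a request for a real content symbol URL would fall through to the `/` rule of web-ingress-default and skip the basic-auth check. If the endpoint is meant to be protected, add `nginx.ingress.kubernetes.io/use-regex: "true"` and use `pathType: ImplementationSpecific` for that path, then confirm with an unauthenticated request. The same path is also listed for the webapp-cassandra.internal host in this Ingress.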
@@ -22790,40 +23155,59 @@
- path: /api/1/content/[^/]+/symbol/
pathType: Prefix
backend:
service:
name: web
port:
number: 5004
tls:
- hosts:
+ - webapp.staging.swh.network
- webapp-cassandra.internal.staging.swh.network
secretName: swh-web-crt
---
# Source: swh/templates/web/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh-cassandra
name: web-ingress-default
annotations:
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24,192.168.50.0/24
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
rules:
+ - host: webapp.staging.swh.network
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: web
+ port:
+ number: 5004
+
+ - path: /static
+ pathType: Prefix
+ backend:
+ service:
+ name: web
+ port:
+ number: 80
+
- host: webapp-cassandra.internal.staging.swh.network
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 5004
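Review bot: Dropping `nginx.ingress.kubernetes.io/whitelist-source-range` here removes the source-address restriction from the whole of web-ingress-default, so the `webapp-cassandra.internal.staging.swh.network` rule that stays in it is no longer limited to the internal ranges either, and this Ingress has no basic-auth annotations. If only `webapp.staging.swh.network` is meant to become reachable from anywhere, the public host could go into its own Ingress and the annotation stay on the one serving the internal name. The same annotation is removed from web-ingress-authenticated in the previous hunk. Whether the internal name is actually reachable from outside depends on DNS and the reverse proxy, which are not visible here.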
@@ -22831,20 +23215,21 @@
- path: /static
pathType: Prefix
backend:
service:
name: web
port:
number: 80
tls:
- hosts:
+ - webapp.staging.swh.network
- webapp-cassandra.internal.staging.swh.network
secretName: swh-web-crt
---
# Source: swh/charts/keda/templates/metrics-server/apiservice.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
labels:
app.kubernetes.io/name: v1beta1.external.metrics.k8s.io
------------- diff for environment staging namespace swh-cassandra-next-version -------------
--- /tmp/swh-chart.swh.aBMs3T8r/staging-swh-cassandra-next-version.before 2023-11-21 11:43:32.469742708 +0100
+++ /tmp/swh-chart.swh.aBMs3T8r/staging-swh-cassandra-next-version.after 2023-11-21 11:43:33.161742349 +0100
@@ -3930,20 +3930,24 @@
vault:
cls: remote
url: http://vault-rpc-ingress-next-version
indexer_storage:
cls: remote
url: http://indexer-storage-rpc-ingress
counters_backend: swh-counters
counters:
cls: remote
url: http://counters0.internal.staging.swh.network:5011/
+ deposit:
+ private_api_url: https://deposit-rp.internal.staging.swh.network/1/private/
+ private_api_user: ${DEPOSIT_USERNAME}
+ private_api_password: ${DEPOSIT_PASSWORD}
add_forge_now:
email_address: add-forge-now@webapp.staging.swh.network
gitlab_pipeline:
gitlab_token: ${GITLAB_AFN_TOKEN}
trigger_url: https://gitlab.softwareheritage.org/api/v4/projects/474/trigger/pipeline
secret_key: ${DJANGO_SECRET_KEY}
production_db:
host: db1.internal.staging.swh.network
@@ -20654,21 +20658,21 @@
app: web
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
template:
metadata:
labels:
app: web
annotations:
- checksum/config: f7976ed704efcc7b15b1da998487f7c4ae69a886a35036321c2c6e5563227b4b
+ checksum/config: d61bb8898915d105e9ffd9c25ea3793d1fc9498761d11b0fb198785dec988ac6
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: swh/web
operator: In
values:
- "true"
@@ -20695,20 +20699,36 @@
- name: DJANGO_SECRET_KEY
valueFrom:
secretKeyRef:
name: swh-webapp-django-secret
key: webapp-django-secret-key
# 'name' secret must exist & include that ^ key
optional: false
+ - name: DEPOSIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: deposit-secrets
+ key: password
+ # 'name' secret must exist & include that ^ key
+ optional: false
+ - name: DEPOSIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: deposit-secrets
+ key: username
+ # 'name' secret must exist & include that ^ key
+ optional: false
+
+
- name: GIVE_PRIVATE_TOKEN
valueFrom:
secretKeyRef:
name: web-give-secrets
key: private-token
# 'name' secret must exist & include that ^ key
optional: false
- name: GIVE_PUBLIC_KEY
valueFrom:
secretKeyRef:
------------- diff for environment production namespace swh -------------
No differences
------------- diff for environment production namespace swh-cassandra -------------
No differences