Skip to content

staging: Migrate web-cassandra to be the main staging webapp

Antoine R. Dumont requested to merge migrate-webapp-to-cassandra into production

This migrates to use the webapp-cassandra as the main backend for webapp.staging.swh.network.

This keeps the webapp-postgresql instance though.

Some work on the rp is still required for this to actually be ok.

make swh-helm-diff
[swh] Comparing changes between branches production and migrate-webapp-to-cassandra (per environment)...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Switched to branch 'migrate-webapp-to-cassandra'
[swh] Generate config in migrate-webapp-to-cassandra branch for environment staging...
[swh] Generate config in migrate-webapp-to-cassandra branch for environment staging...
[swh] Generate config in migrate-webapp-to-cassandra branch for environment staging...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Switched to branch 'migrate-webapp-to-cassandra'
[swh] Generate config in migrate-webapp-to-cassandra branch for environment production...
[swh] Generate config in migrate-webapp-to-cassandra branch for environment production...
[swh] Generate config in migrate-webapp-to-cassandra branch for environment production...


------------- diff for environment staging namespace swh -------------

--- /tmp/swh-chart.swh.aBMs3T8r/staging-swh.before      2023-11-21 11:43:32.033742934 +0100
+++ /tmp/swh-chart.swh.aBMs3T8r/staging-swh.after       2023-11-21 11:43:32.713742581 +0100
@@ -4504,45 +4504,30 @@
     if [ -e "${DB_VERSION}" ]; then
       echo "Unable to find the code version"
       exit 1
     fi

     if [ "$DB_VERSION" -ne "$CODE_VERSION" ]; then
       echo "code and DB versions are different. Blocking the deployment"
       exit 1
     fi
 ---
-# Source: swh/templates/web/configmap-pgservice.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  namespace: swh
-  name: pgservice-configuration-template
-data:
-  pg-service-conf: |
-    [syncmailmaps]
-    dbname=swh
-    host=db1.internal.staging.swh.network
-    port=5432
-    user=swhmailmap
----
 # Source: swh/templates/web/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
   namespace: swh
   name: web-configuration-template
 data:
   config.yml.template: |
-    instance_name: webapp.staging.swh.network
+    instance_name: webapp-postgresql.internal.staging.swh.network
     allowed_hosts:
-      - webapp.staging.swh.network
       - webapp-postgresql.internal.staging.swh.network
     storage:
       cls: remote
       url: http://storage1.internal.staging.swh.network:5002
     search:
       cls: remote
       url: http://search-rpc-ingress
     scheduler:
       cls: remote
       url: http://scheduler.internal.staging.swh.network
@@ -23789,21 +23774,21 @@
       app: web
   strategy:
     type: RollingUpdate
     rollingUpdate:
       maxSurge: 1
   template:
     metadata:
       labels:
         app: web
       annotations:
-        checksum/config: f5bc233e775b04a77cfe29b8f95c8e459edd25efbbdc18ae77ade760b89b85fa
+        checksum/config: 407b483aaa9910f4935118877967eb3c461da8e45c27bcffd4240c5e35e69f0e
     spec:
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
             - matchExpressions:
               - key: swh/web
                 operator: In
                 values:
                 - "true"
@@ -23926,32 +23911,32 @@
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 5004
               name: webapp
           readinessProbe:
             httpGet:
               path: /
               port: webapp
               httpHeaders:
                 - name: Host
-                  value: webapp.staging.swh.network
+                  value: webapp-postgresql.internal.staging.swh.network
             initialDelaySeconds: 5
             failureThreshold: 30
             periodSeconds: 10
             timeoutSeconds: 30
           livenessProbe:
             httpGet:
               path: /
               port: webapp
               httpHeaders:
                 - name: Host
-                  value: webapp.staging.swh.network
+                  value: webapp-postgresql.internal.staging.swh.network
             initialDelaySeconds: 3
             periodSeconds: 10
             timeoutSeconds: 30
           command:
             - /bin/bash
           args:
             - -c
             - /opt/swh/entrypoint.sh
           env:
             - name: STATSD_HOST
@@ -24185,324 +24170,20 @@
           - name: configuration
             emptyDir: {}
           - name: configuration-template
             configMap:
               name: scheduler-update-metrics-configuration-template
               items:
               - key: "config.yml.template"
                 path: "config.yml.template"
           restartPolicy: OnFailure
 ---
-# Source: swh/templates/web/refresh-savecodenow-statuses-cronjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: refresh-savecodenow-statuses-cronjob
-spec:
-  schedule: "*/2 * * * *"
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          priorityClassName: swh-frontend-rpc-workload
-
-          initContainers:
-            - name: prepare-web-configuration
-              image: debian:bullseye
-              imagePullPolicy: IfNotPresent
-              command:
-              - /bin/bash
-              args:
-              - -c
-              - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
-              env:
-
-                - name: POSTGRESQL_PASSWORD
-                  valueFrom:
-                    secretKeyRef:
-                      name: swh-postgresql-web-secrets
-                      key: postgres-swh-web-password
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-
-                - name: DJANGO_SECRET_KEY
-                  valueFrom:
-                    secretKeyRef:
-                      name: swh-webapp-django-secret
-                      key: webapp-django-secret-key
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-
-
-                - name: DEPOSIT_PASSWORD
-                  valueFrom:
-                    secretKeyRef:
-                      name: deposit-secrets
-                      key: password
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-                - name: DEPOSIT_USERNAME
-                  valueFrom:
-                    secretKeyRef:
-                      name: deposit-secrets
-                      key: username
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-
-
-                - name: GIVE_PRIVATE_TOKEN
-                  valueFrom:
-                    secretKeyRef:
-                      name: web-give-secrets
-                      key: private-token
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-                - name: GIVE_PUBLIC_KEY
-                  valueFrom:
-                    secretKeyRef:
-                      name: web-give-secrets
-                      key: public-key
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-
-                - name: SWH_SENTRY_DSN
-                  valueFrom:
-                    secretKeyRef:
-                      name: common-secrets
-                      key: web-sentry-dsn
-                      # 'name' secret should exist & include key
-                      # if the setting doesn't exist, sentry pushes will be disabled
-                      optional: true
-
-              volumeMounts:
-              - name: configuration
-                mountPath: /etc/swh
-              - name: web-configuration-template
-                mountPath: /etc/swh/configuration-template
-          containers:
-            - name: refresh-savecodenow-statuses
-              resources:
-                requests:
-                  memory: 512Mi
-                  cpu: 500m
-              image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231120.4
-              command:
-              - /opt/swh/entrypoint.sh
-              args:
-              - refresh
-              env:
-                - name: STATSD_HOST
-                  value: prometheus-statsd-exporter
-                - name: STATSD_PORT
-                  value: "9125"
-                - name: SWH_CONFIG_FILENAME
-                  value: /etc/swh/config.yml
-                - name: LOG_LEVEL
-                  value: INFO
-                - name: SWH_SENTRY_ENVIRONMENT
-                  value: staging
-                - name: SWH_MAIN_PACKAGE
-                  value: swh.web
-                - name: SWH_SENTRY_DSN
-                  valueFrom:
-                    secretKeyRef:
-                      name: common-secrets
-                      key: web-sentry-dsn
-                      # if the setting doesn't exist, sentry issue pushes will be disabled
-                      optional: false
-                - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
-                  value: "true"
-              imagePullPolicy: IfNotPresent
-              volumeMounts:
-              - name: configuration
-                mountPath: /etc/swh
-          volumes:
-          - name: configuration
-            emptyDir: {}
-          - name: web-configuration-template
-            configMap:
-              name: web-configuration-template
-              items:
-              - key: "config.yml.template"
-                path: "config.yml.template"
-          restartPolicy: OnFailure
----
-# Source: swh/templates/web/sync-mailmaps-cronjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: sync-mailmaps-cronjob
-spec:
-  schedule: "15 * * * *"
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          priorityClassName: swh-frontend-rpc-workload
-
-          initContainers:
-            - name: prepare-pgservice-configuration
-              image: debian:bullseye
-              imagePullPolicy: IfNotPresent
-              command:
-              - /bin/bash
-              args:
-              - -c
-              - eval "cp /etc/swh/config/pg_service.conf /etc/swh/.pg_service.conf"
-              volumeMounts:
-              - name: configuration
-                mountPath: /etc/swh
-              - name: pgservice-configuration-template
-                mountPath: /etc/swh/config
-
-            - name: prepare-web-configuration
-              image: debian:bullseye
-              imagePullPolicy: IfNotPresent
-              command:
-              - /bin/bash
-              args:
-              - -c
-              - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
-              env:
-
-                - name: POSTGRESQL_PASSWORD
-                  valueFrom:
-                    secretKeyRef:
-                      name: swh-postgresql-web-secrets
-                      key: postgres-swh-web-password
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-
-                - name: DJANGO_SECRET_KEY
-                  valueFrom:
-                    secretKeyRef:
-                      name: swh-webapp-django-secret
-                      key: webapp-django-secret-key
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-
-
-                - name: DEPOSIT_PASSWORD
-                  valueFrom:
-                    secretKeyRef:
-                      name: deposit-secrets
-                      key: password
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-                - name: DEPOSIT_USERNAME
-                  valueFrom:
-                    secretKeyRef:
-                      name: deposit-secrets
-                      key: username
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-
-
-                - name: GIVE_PRIVATE_TOKEN
-                  valueFrom:
-                    secretKeyRef:
-                      name: web-give-secrets
-                      key: private-token
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-                - name: GIVE_PUBLIC_KEY
-                  valueFrom:
-                    secretKeyRef:
-                      name: web-give-secrets
-                      key: public-key
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-
-                - name: SWH_SENTRY_DSN
-                  valueFrom:
-                    secretKeyRef:
-                      name: common-secrets
-                      key: web-sentry-dsn
-                      # 'name' secret should exist & include key
-                      # if the setting doesn't exist, sentry pushes will be disabled
-                      optional: true
-
-              volumeMounts:
-              - name: configuration
-                mountPath: /etc/swh
-              - name: web-configuration-template
-                mountPath: /etc/swh/configuration-template
-          containers:
-            - name: sync-mailmaps
-              resources:
-                requests:
-                  memory: 512Mi
-                  cpu: 500m
-              image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231120.4
-              command:
-              - /opt/swh/entrypoint.sh
-              args:
-              - sync-mailmaps
-              - service=syncmailmaps
-              env:
-                - name: STATSD_HOST
-                  value: prometheus-statsd-exporter
-                - name: STATSD_PORT
-                  value: "9125"
-                - name: SWH_CONFIG_FILENAME
-                  value: /etc/swh/config.yml
-                - name: LOG_LEVEL
-                  value: INFO
-                - name: SWH_SENTRY_ENVIRONMENT
-                  value: staging
-                - name: SWH_MAIN_PACKAGE
-                  value: swh.web
-                - name: SWH_SENTRY_DSN
-                  valueFrom:
-                    secretKeyRef:
-                      name: common-secrets
-                      key: web-sentry-dsn
-                      # if the setting doesn't exist, sentry issue pushes will be disabled
-                      optional: false
-                - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
-                  value: "true"
-                - name: PGSERVICEFILE
-                  value: /etc/swh/.pg_service.conf
-
-                - name: PGPASSWORD
-                  valueFrom:
-                    secretKeyRef:
-                      name: swh-postgresql-syncmailmap-secret
-                      key: postgres-syncmailmap-password
-                      # 'name' secret must exist & include that ^ key
-                      optional: false
-
-
-              imagePullPolicy: IfNotPresent
-              volumeMounts:
-              - name: configuration
-                mountPath: /etc/swh
-          volumes:
-          - name: configuration
-            emptyDir: {}
-          - name: web-configuration-template
-            configMap:
-              name: web-configuration-template
-              items:
-              - key: "config.yml.template"
-                path: "config.yml.template"
-          - name: pgservice-configuration-template
-            configMap:
-              name: pgservice-configuration-template
-              items:
-              - key: "pg-service-conf"
-                path: "pg_service.conf"
-
-          restartPolicy: OnFailure
----
 # Source: swh/templates/graphql/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: graphql-ingress-default
   annotations:

     nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
     nginx.ingress.kubernetes.io/rewrite-target: /
@@ -24653,60 +24334,33 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: web-ingress-authenticated
   annotations:

     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"

     # type of authentication
     nginx.ingress.kubernetes.io/auth-type: basic
     # an htpasswd file in the key auth within the secret
     nginx.ingress.kubernetes.io/auth-secret-type: auth-file
     # name of the secret that contains the user/password definitions
     nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
     # message to display with an appropriate context why the authentication is required
     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'

 spec:
   rules:
-  - host: webapp.staging.swh.network
-    http:
-      paths:
-      - path: /api/1/provenance/
-        pathType: Prefix
-        backend:
-          service:
-            name: web
-            port:
-              number: 5004
-
-      - path: /api/1/entity/
-        pathType: Prefix
-        backend:
-          service:
-            name: web
-            port:
-              number: 5004
-
-      - path: /api/1/content/[^/]+/symbol/
-        pathType: Prefix
-        backend:
-          service:
-            name: web
-            port:
-              number: 5004
-
   - host: webapp-postgresql.internal.staging.swh.network
     http:
       paths:
       - path: /api/1/provenance/
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 5004
@@ -24722,59 +24376,39 @@
       - path: /api/1/content/[^/]+/symbol/
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 5004

   tls:
   - hosts:
-    - webapp.staging.swh.network
     - webapp-postgresql.internal.staging.swh.network
     secretName: swh-web-crt
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: web-ingress-default
   annotations:

     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"


 spec:
   rules:
-  - host: webapp.staging.swh.network
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: web
-            port:
-              number: 5004
-
-      - path: /static
-        pathType: Prefix
-        backend:
-          service:
-            name: web
-            port:
-              number: 80
-
   - host: webapp-postgresql.internal.staging.swh.network
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 5004
@@ -24782,21 +24416,20 @@
       - path: /static
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 80

   tls:
   - hosts:
-    - webapp.staging.swh.network
     - webapp-postgresql.internal.staging.swh.network
     secretName: swh-web-crt
 ---
 # Source: swh/charts/keda/templates/metrics-server/apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
   annotations:
   labels:
     app.kubernetes.io/name: v1beta1.external.metrics.k8s.io


------------- diff for environment staging namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.aBMs3T8r/staging-swh-cassandra.before    2023-11-21 11:43:32.265742813 +0100
+++ /tmp/swh-chart.swh.aBMs3T8r/staging-swh-cassandra.after     2023-11-21 11:43:32.961742452 +0100
@@ -4338,50 +4338,69 @@
         url: http://storage1.internal.staging.swh.network:5003
     cache:
       cls: azure
       compression: none
       connection_string: DefaultEndpointsProtocol=https;AccountName=swhvaultstoragestaging;AccountKey=${ACCOUNT_KEY};EndpointSuffix=core.windows.net
       container_name: contents-uncompressed
     smtp:
       host: smtp.inria.fr
       port: 25
 ---
+# Source: swh/templates/web/configmap-pgservice.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: swh-cassandra
+  name: pgservice-configuration-template
+data:
+  pg-service-conf: |
+    [syncmailmaps]
+    dbname=swh
+    host=db1.internal.staging.swh.network
+    port=5432
+    user=swhmailmap
+---
 # Source: swh/templates/web/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
   namespace: swh-cassandra
   name: web-configuration-template
 data:
   config.yml.template: |
-    instance_name: webapp-cassandra.internal.staging.swh.network
+    instance_name: webapp.staging.swh.network
     allowed_hosts:
+      - webapp.staging.swh.network
       - webapp-cassandra.internal.staging.swh.network
     storage:
       cls: remote
       url: http://storage:5002
     search:
       cls: remote
       url: http://search-rpc-ingress
     scheduler:
       cls: remote
       url: http://scheduler.internal.staging.swh.network
     vault:
       cls: remote
       url: http://vault-rpc-ingress
     indexer_storage:
       cls: remote
       url: http://indexer-storage-rpc-ingress
     counters_backend: swh-counters
     counters:
       cls: remote
       url: http://counters0.internal.staging.swh.network:5011/
+    deposit:
+      private_api_url: https://deposit-rp.internal.staging.swh.network/1/private/
+      private_api_user: ${DEPOSIT_USERNAME}
+      private_api_password: ${DEPOSIT_PASSWORD}
     add_forge_now:
       email_address: add-forge-now@webapp.staging.swh.network
       gitlab_pipeline:
         gitlab_token: ${GITLAB_AFN_TOKEN}
         trigger_url: https://gitlab.softwareheritage.org/api/v4/projects/474/trigger/pipeline

     secret_key: ${DJANGO_SECRET_KEY}
     production_db:

       host: db1.internal.staging.swh.network
@@ -22209,21 +22228,21 @@
       app: web
   strategy:
     type: RollingUpdate
     rollingUpdate:
       maxSurge: 1
   template:
     metadata:
       labels:
         app: web
       annotations:
-        checksum/config: 39367f82fc5191f75d68157a566999b7a7a4fab2834864686f7a3706247c73f2
+        checksum/config: 220c5a6b3d84e909d86164c40cb351a075f3e1eb0ddba264e69268ee016af86a
     spec:
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
             - matchExpressions:
               - key: swh/web
                 operator: In
                 values:
                 - "true"
@@ -22250,20 +22269,36 @@

             - name: DJANGO_SECRET_KEY
               valueFrom:
                 secretKeyRef:
                   name: swh-webapp-django-secret
                   key: webapp-django-secret-key
                   # 'name' secret must exist & include that ^ key
                   optional: false


+            - name: DEPOSIT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: deposit-secrets
+                  key: password
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: DEPOSIT_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: deposit-secrets
+                  key: username
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+
+
             - name: GIVE_PRIVATE_TOKEN
               valueFrom:
                 secretKeyRef:
                   name: web-give-secrets
                   key: private-token
                   # 'name' secret must exist & include that ^ key
                   optional: false
             - name: GIVE_PUBLIC_KEY
               valueFrom:
                 secretKeyRef:
@@ -22330,32 +22365,32 @@
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 5004
               name: webapp
           readinessProbe:
             httpGet:
               path: /
               port: webapp
               httpHeaders:
                 - name: Host
-                  value: webapp-cassandra.internal.staging.swh.network
+                  value: webapp.staging.swh.network
             initialDelaySeconds: 5
             failureThreshold: 30
             periodSeconds: 10
             timeoutSeconds: 30
           livenessProbe:
             httpGet:
               path: /
               port: webapp
               httpHeaders:
                 - name: Host
-                  value: webapp-cassandra.internal.staging.swh.network
+                  value: webapp.staging.swh.network
             initialDelaySeconds: 3
             periodSeconds: 10
             timeoutSeconds: 30
           command:
             - /bin/bash
           args:
             - -c
             - /opt/swh/entrypoint.sh
           env:
             - name: STATSD_HOST
@@ -22516,20 +22551,324 @@
   minReplicas: 1
   maxReplicas: 3
   metrics:
   - type: Resource
     resource:
       name: cpu
       target:
         type: Utilization
         averageUtilization: 50
 ---
+# Source: swh/templates/web/refresh-savecodenow-statuses-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: refresh-savecodenow-statuses-cronjob
+spec:
+  schedule: "*/2 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          priorityClassName: swh-cassandra-frontend-rpc-workload
+
+          initContainers:
+            - name: prepare-web-configuration
+              image: debian:bullseye
+              imagePullPolicy: IfNotPresent
+              command:
+              - /bin/bash
+              args:
+              - -c
+              - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
+              env:
+
+                - name: POSTGRESQL_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: swh-postgresql-web-secrets
+                      key: postgres-swh-web-password
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+                - name: DJANGO_SECRET_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: swh-webapp-django-secret
+                      key: webapp-django-secret-key
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+
+                - name: DEPOSIT_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: deposit-secrets
+                      key: password
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+                - name: DEPOSIT_USERNAME
+                  valueFrom:
+                    secretKeyRef:
+                      name: deposit-secrets
+                      key: username
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+
+                - name: GIVE_PRIVATE_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: web-give-secrets
+                      key: private-token
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+                - name: GIVE_PUBLIC_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: web-give-secrets
+                      key: public-key
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+                - name: SWH_SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: common-secrets
+                      key: web-sentry-dsn
+                      # 'name' secret should exist & include key
+                      # if the setting doesn't exist, sentry pushes will be disabled
+                      optional: true
+
+              volumeMounts:
+              - name: configuration
+                mountPath: /etc/swh
+              - name: web-configuration-template
+                mountPath: /etc/swh/configuration-template
+          containers:
+            - name: refresh-savecodenow-statuses
+              resources:
+                requests:
+                  memory: 512Mi
+                  cpu: 500m
+              image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231120.4
+              command:
+              - /opt/swh/entrypoint.sh
+              args:
+              - refresh
+              env:
+                - name: STATSD_HOST
+                  value: prometheus-statsd-exporter
+                - name: STATSD_PORT
+                  value: "9125"
+                - name: SWH_CONFIG_FILENAME
+                  value: /etc/swh/config.yml
+                - name: LOG_LEVEL
+                  value: INFO
+                - name: SWH_SENTRY_ENVIRONMENT
+                  value: staging
+                - name: SWH_MAIN_PACKAGE
+                  value: swh.web
+                - name: SWH_SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: common-secrets
+                      key: web-sentry-dsn
+                      # if the setting doesn't exist, sentry issue pushes will be disabled
+                      optional: false
+                - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+                  value: "true"
+              imagePullPolicy: IfNotPresent
+              volumeMounts:
+              - name: configuration
+                mountPath: /etc/swh
+          volumes:
+          - name: configuration
+            emptyDir: {}
+          - name: web-configuration-template
+            configMap:
+              name: web-configuration-template
+              items:
+              - key: "config.yml.template"
+                path: "config.yml.template"
+          restartPolicy: OnFailure
+---
+# Source: swh/templates/web/sync-mailmaps-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sync-mailmaps-cronjob
+spec:
+  schedule: "15 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          priorityClassName: swh-cassandra-frontend-rpc-workload
+
+          initContainers:
+            - name: prepare-pgservice-configuration
+              image: debian:bullseye
+              imagePullPolicy: IfNotPresent
+              command:
+              - /bin/bash
+              args:
+              - -c
+              - eval "cp /etc/swh/config/pg_service.conf /etc/swh/.pg_service.conf"
+              volumeMounts:
+              - name: configuration
+                mountPath: /etc/swh
+              - name: pgservice-configuration-template
+                mountPath: /etc/swh/config
+
+            - name: prepare-web-configuration
+              image: debian:bullseye
+              imagePullPolicy: IfNotPresent
+              command:
+              - /bin/bash
+              args:
+              - -c
+              - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
+              env:
+
+                - name: POSTGRESQL_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: swh-postgresql-web-secrets
+                      key: postgres-swh-web-password
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+                - name: DJANGO_SECRET_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: swh-webapp-django-secret
+                      key: webapp-django-secret-key
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+
+                - name: DEPOSIT_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: deposit-secrets
+                      key: password
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+                - name: DEPOSIT_USERNAME
+                  valueFrom:
+                    secretKeyRef:
+                      name: deposit-secrets
+                      key: username
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+
+                - name: GIVE_PRIVATE_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: web-give-secrets
+                      key: private-token
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+                - name: GIVE_PUBLIC_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: web-give-secrets
+                      key: public-key
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+                - name: SWH_SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: common-secrets
+                      key: web-sentry-dsn
+                      # 'name' secret should exist & include key
+                      # if the setting doesn't exist, sentry pushes will be disabled
+                      optional: true
+
+              volumeMounts:
+              - name: configuration
+                mountPath: /etc/swh
+              - name: web-configuration-template
+                mountPath: /etc/swh/configuration-template
+          containers:
+            - name: sync-mailmaps
+              resources:
+                requests:
+                  memory: 512Mi
+                  cpu: 500m
+              image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231120.4
+              command:
+              - /opt/swh/entrypoint.sh
+              args:
+              - sync-mailmaps
+              - service=syncmailmaps
+              env:
+                - name: STATSD_HOST
+                  value: prometheus-statsd-exporter
+                - name: STATSD_PORT
+                  value: "9125"
+                - name: SWH_CONFIG_FILENAME
+                  value: /etc/swh/config.yml
+                - name: LOG_LEVEL
+                  value: INFO
+                - name: SWH_SENTRY_ENVIRONMENT
+                  value: staging
+                - name: SWH_MAIN_PACKAGE
+                  value: swh.web
+                - name: SWH_SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: common-secrets
+                      key: web-sentry-dsn
+                      # if the setting doesn't exist, sentry issue pushes will be disabled
+                      optional: false
+                - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+                  value: "true"
+                - name: PGSERVICEFILE
+                  value: /etc/swh/.pg_service.conf
+
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: swh-postgresql-syncmailmap-secret
+                      key: postgres-syncmailmap-password
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+
+              imagePullPolicy: IfNotPresent
+              volumeMounts:
+              - name: configuration
+                mountPath: /etc/swh
+          volumes:
+          - name: configuration
+            emptyDir: {}
+          - name: web-configuration-template
+            configMap:
+              name: web-configuration-template
+              items:
+              - key: "config.yml.template"
+                path: "config.yml.template"
+          - name: pgservice-configuration-template
+            configMap:
+              name: pgservice-configuration-template
+              items:
+              - key: "pg-service-conf"
+                path: "pg_service.conf"
+
+          restartPolicy: OnFailure
+---
 # Source: swh/templates/deposit/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
   name: deposit-ingress-authenticated
   annotations:

     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
@@ -22743,38 +23082,64 @@
             port:
               number: 5005
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
   name: web-ingress-authenticated
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24,192.168.50.0/24

     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

     # type of authentication
     nginx.ingress.kubernetes.io/auth-type: basic
     # an htpasswd file in the key auth within the secret
     nginx.ingress.kubernetes.io/auth-secret-type: auth-file
     # name of the secret that contains the user/password definitions
     nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
     # message to display with an appropriate context why the authentication is required
     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'

 spec:
   rules:
+  - host: webapp.staging.swh.network
+    http:
+      paths:
+      - path: /api/1/provenance/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /api/1/entity/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /api/1/content/[^/]+/symbol/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
   - host: webapp-cassandra.internal.staging.swh.network
     http:
       paths:
       - path: /api/1/provenance/
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 5004
@@ -22790,40 +23155,59 @@
       - path: /api/1/content/[^/]+/symbol/
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 5004

   tls:
   - hosts:
+    - webapp.staging.swh.network
     - webapp-cassandra.internal.staging.swh.network
     secretName: swh-web-crt
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
   name: web-ingress-default
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24,192.168.50.0/24

     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"


 spec:
   rules:
+  - host: webapp.staging.swh.network
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /static
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 80
+
   - host: webapp-cassandra.internal.staging.swh.network
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 5004
@@ -22831,20 +23215,21 @@
       - path: /static
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 80

   tls:
   - hosts:
+    - webapp.staging.swh.network
     - webapp-cassandra.internal.staging.swh.network
     secretName: swh-web-crt
 ---
 # Source: swh/charts/keda/templates/metrics-server/apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
   annotations:
   labels:
     app.kubernetes.io/name: v1beta1.external.metrics.k8s.io


------------- diff for environment staging namespace swh-cassandra-next-version -------------

--- /tmp/swh-chart.swh.aBMs3T8r/staging-swh-cassandra-next-version.before       2023-11-21 11:43:32.469742708 +0100
+++ /tmp/swh-chart.swh.aBMs3T8r/staging-swh-cassandra-next-version.after        2023-11-21 11:43:33.161742349 +0100
@@ -3930,20 +3930,24 @@
     vault:
       cls: remote
       url: http://vault-rpc-ingress-next-version
     indexer_storage:
       cls: remote
       url: http://indexer-storage-rpc-ingress
     counters_backend: swh-counters
     counters:
       cls: remote
       url: http://counters0.internal.staging.swh.network:5011/
+    deposit:
+      private_api_url: https://deposit-rp.internal.staging.swh.network/1/private/
+      private_api_user: ${DEPOSIT_USERNAME}
+      private_api_password: ${DEPOSIT_PASSWORD}
     add_forge_now:
       email_address: add-forge-now@webapp.staging.swh.network
       gitlab_pipeline:
         gitlab_token: ${GITLAB_AFN_TOKEN}
         trigger_url: https://gitlab.softwareheritage.org/api/v4/projects/474/trigger/pipeline

     secret_key: ${DJANGO_SECRET_KEY}
     production_db:

       host: db1.internal.staging.swh.network
@@ -20654,21 +20658,21 @@
       app: web
   strategy:
     type: RollingUpdate
     rollingUpdate:
       maxSurge: 1
   template:
     metadata:
       labels:
         app: web
       annotations:
-        checksum/config: f7976ed704efcc7b15b1da998487f7c4ae69a886a35036321c2c6e5563227b4b
+        checksum/config: d61bb8898915d105e9ffd9c25ea3793d1fc9498761d11b0fb198785dec988ac6
     spec:
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
             - matchExpressions:
               - key: swh/web
                 operator: In
                 values:
                 - "true"
@@ -20695,20 +20699,36 @@

             - name: DJANGO_SECRET_KEY
               valueFrom:
                 secretKeyRef:
                   name: swh-webapp-django-secret
                   key: webapp-django-secret-key
                   # 'name' secret must exist & include that ^ key
                   optional: false


+            - name: DEPOSIT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: deposit-secrets
+                  key: password
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: DEPOSIT_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: deposit-secrets
+                  key: username
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+
+
             - name: GIVE_PRIVATE_TOKEN
               valueFrom:
                 secretKeyRef:
                   name: web-give-secrets
                   key: private-token
                   # 'name' secret must exist & include that ^ key
                   optional: false
             - name: GIVE_PUBLIC_KEY
               valueFrom:
                 secretKeyRef:


------------- diff for environment production namespace swh -------------

No differences


------------- diff for environment production namespace swh-cassandra -------------

No differences
Refs. swh/infra/sysadm-environment#5160 (closed)

Merge request reports

Loading