
Deploy vault instance in dynamic infrastructure

Antoine R. Dumont requested to merge deploy-vault-workload into production

This deploys a new vault instance in the production dynamic infrastructure. This targets the production:

  • postgresql: same db instance as the actual vault 'vangogh'
  • scheduler: production instance scheduler.internal.s.o
  • storage: storage-azure-read-only-rpc-ingress
  • objstorage: a multiplexer instance using in order:
      1. aws
      1. objstorage-read-only-rpc-ingress
      1. azure-prefixed blobstorage (16 hex prefixed blobstorages) [1]
  • cache: azure blobstorage: same as vangogh too

Note: Another commit refactors the deployment template to reuse the prepare-configuration docker image to align with other templates.

[1] Azure storage is the last fallback because the vault will no longer run in Azure; putting it last minimises whatever reading (egress) cost that path incurs.

make swh-helm-diff
[swh] Comparing changes between branches production and deploy-vault-workload (per environment)...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
[swh] Generate config in deploy-vault-workload branch for environment staging...
[swh] Generate config in deploy-vault-workload branch for environment staging...
[swh] Generate config in deploy-vault-workload branch for environment staging...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
[swh] Generate config in deploy-vault-workload branch for environment production...
[swh] Generate config in deploy-vault-workload branch for environment production...
[swh] Generate config in deploy-vault-workload branch for environment production...


------------- diff for environment staging namespace swh -------------

No differences


------------- diff for environment staging namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.V9tW0YuK/staging-swh-cassandra.before    2024-01-16 15:03:34.729598319 +0100
+++ /tmp/swh-chart.swh.V9tW0YuK/staging-swh-cassandra.after     2024-01-16 15:03:35.405597988 +0100
@@ -22812,51 +22812,53 @@
             nodeSelectorTerms:
             - matchExpressions:
               - key: swh/rpc
                 operator: In
                 values:
                 - "true"
       priorityClassName: swh-cassandra-frontend-rpc

       initContainers:
         - name: prepare-configuration
-          image: debian:bullseye
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/utils:20231211.1
           imagePullPolicy: IfNotPresent
           command:
-          - /bin/bash
-          args:
-          - -c
-          - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
+          - /entrypoints/prepare-configuration.sh
           env:


             - name: POSTGRESQL_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: swh-vault-postgresql-secret
                   key: postgres-swh-vault-password
                   # 'name' secret must exist & include that ^ key
                   optional: false


             - name: ACCOUNT_KEY
               valueFrom:
                 secretKeyRef:
                   name: swh-vault-azure-secret
                   key: azure-swh-vault-key
                   # 'name' secret must exist & include that ^ key
                   optional: false
+
+
           volumeMounts:
           - name: configuration
             mountPath: /etc/swh
           - name: configuration-template
             mountPath: /etc/swh/configuration-template
+          - name: config-utils
+            mountPath: /entrypoints
+            readOnly: true
       containers:
         - name: vault-rpc
           resources:
             requests:
               memory: 512Mi
               cpu: 500m
           image: container-registry.softwareheritage.org/swh/infra/swh-apps/vault:20240108.1
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 5005
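Review bot: The new `/entrypoints/prepare-configuration.sh` is mounted from the `config-utils` ConfigMap but its contents are not in this diff, so it cannot be checked here whether it still renders `/etc/swh/config.yml` with the `eval echo "\"$(<template)\""` idiom this hunk removes. With that idiom, a `POSTGRESQL_PASSWORD` or `ACCOUNT_KEY` value containing `"`, backticks or `$(` is interpreted by the shell inside the init container, so a rotated secret can break the render or execute text from the secret; the script should expand placeholders with `envsubst` (or an equivalent non-eval substitution) and run with `set -u` so an unset placeholder fails the rollout instead of rendering an empty credential. The read-only `0555` mount of the script is the right shape. If the script already behaves this way, a comment on the `config-utils` mount such as `# prepare-configuration.sh: envsubst-based, fails on unset variables` would make that property visible in the rendered manifest.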
@@ -22910,20 +22912,24 @@
             mountPath: /etc/swh
       volumes:
       - name: configuration
         emptyDir: {}
       - name: configuration-template
         configMap:
           name: vault-rpc-configuration-template
           items:
           - key: "config.yml.template"
             path: "config.yml.template"
+      - name: config-utils
+        configMap:
+          name: config-utils
+          defaultMode: 0555
 ---
 # Source: swh/templates/web/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   namespace: swh-cassandra
   name: web-cassandra
   labels:
     app: web-cassandra
 spec:


------------- diff for environment staging namespace swh-cassandra-next-version -------------

--- /tmp/swh-chart.swh.V9tW0YuK/staging-swh-cassandra-next-version.before       2024-01-16 15:03:34.933598218 +0100
+++ /tmp/swh-chart.swh.V9tW0YuK/staging-swh-cassandra-next-version.after        2024-01-16 15:03:35.609597888 +0100
@@ -20988,51 +20988,53 @@
             nodeSelectorTerms:
             - matchExpressions:
               - key: swh/rpc
                 operator: In
                 values:
                 - "true"
       priorityClassName: swh-cassandra-next-version-frontend-rpc

       initContainers:
         - name: prepare-configuration
-          image: debian:bullseye
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/utils:20231211.1
           imagePullPolicy: IfNotPresent
           command:
-          - /bin/bash
-          args:
-          - -c
-          - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
+          - /entrypoints/prepare-configuration.sh
           env:


             - name: POSTGRESQL_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: swh-vault-postgresql-secret
                   key: postgres-swh-vault-password
                   # 'name' secret must exist & include that ^ key
                   optional: false


             - name: ACCOUNT_KEY
               valueFrom:
                 secretKeyRef:
                   name: swh-vault-azure-secret
                   key: azure-swh-vault-key
                   # 'name' secret must exist & include that ^ key
                   optional: false
+
+
           volumeMounts:
           - name: configuration
             mountPath: /etc/swh
           - name: configuration-template
             mountPath: /etc/swh/configuration-template
+          - name: config-utils
+            mountPath: /entrypoints
+            readOnly: true
       containers:
         - name: vault-rpc
           resources:
             requests:
               memory: 512Mi
               cpu: 500m
           image: container-registry.softwareheritage.org/swh/infra/swh-apps/vault:20240108.1
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 5005
@@ -21086,20 +21088,24 @@
             mountPath: /etc/swh
       volumes:
       - name: configuration
         emptyDir: {}
       - name: configuration-template
         configMap:
           name: vault-rpc-configuration-template
           items:
           - key: "config.yml.template"
             path: "config.yml.template"
+      - name: config-utils
+        configMap:
+          name: config-utils
+          defaultMode: 0555
 ---
 # Source: swh/templates/web/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   namespace: swh-cassandra-next-version
   name: web-cassandra
   labels:
     app: web-cassandra
 spec:


------------- diff for environment production namespace swh -------------

--- /tmp/swh-chart.swh.V9tW0YuK/production-swh.before   2024-01-16 15:03:35.889597751 +0100
+++ /tmp/swh-chart.swh.V9tW0YuK/production-swh.after    2024-01-16 15:03:36.341597530 +0100
@@ -6193,20 +6193,136 @@
     if [ -e "${DB_VERSION}" ]; then
       echo "Unable to find the code version"
       exit 1
     fi

     if [ "$DB_VERSION" -ne "$CODE_VERSION" ]; then
       echo "code and DB versions are different. Blocking the deployment"
       exit 1
     fi
 ---
+# Source: swh/templates/vault/rpc-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: swh
+  name: vault-rpc-configuration-template
+data:
+  config.yml.template: |
+    vault:
+      cls: postgresql
+      db: host=db.internal.softwareheritage.org port=5432 user=swh-vault dbname=swh-vault password=${POSTGRESQL_PASSWORD}
+    storage:
+      cls: pipeline
+      steps:
+      - cls: retry
+      - cls: remote
+        url: http://storage-azure-read-only-rpc-ingress
+    scheduler:
+      cls: remote
+      url: http://scheduler.internal.softwareheritage.org
+    objstorage:
+      cls: multiplexer
+      objstorages:
+      - cls: filtered
+        filters_conf:
+        - type: readonly
+        storage_conf:
+          cls: http
+          compression: gzip
+          timeout: 120
+          url: https://softwareheritage.s3.amazonaws.com/content/
+      - cls: filtered
+        filters_conf:
+        - type: readonly
+        storage_conf:
+          cls: remote
+          url: http://objstorage-read-only-rpc-ingress
+      - cls: filtered
+        filters_conf:
+        - type: readonly
+        storage_conf:
+          accounts:
+            "0":
+              account_name: ${ACCOUNT_NAME_0}
+              api_secret_key: ${API_SECRET_KEY_0}
+              container_name: contents
+            "1":
+              account_name: ${ACCOUNT_NAME_1}
+              api_secret_key: ${API_SECRET_KEY_1}
+              container_name: contents
+            "2":
+              account_name: ${ACCOUNT_NAME_2}
+              api_secret_key: ${API_SECRET_KEY_2}
+              container_name: contents
+            "3":
+              account_name: ${ACCOUNT_NAME_3}
+              api_secret_key: ${API_SECRET_KEY_3}
+              container_name: contents
+            "4":
+              account_name: ${ACCOUNT_NAME_4}
+              api_secret_key: ${API_SECRET_KEY_4}
+              container_name: contents
+            "5":
+              account_name: ${ACCOUNT_NAME_5}
+              api_secret_key: ${API_SECRET_KEY_5}
+              container_name: contents
+            "6":
+              account_name: ${ACCOUNT_NAME_6}
+              api_secret_key: ${API_SECRET_KEY_6}
+              container_name: contents
+            "7":
+              account_name: ${ACCOUNT_NAME_7}
+              api_secret_key: ${API_SECRET_KEY_7}
+              container_name: contents
+            "8":
+              account_name: ${ACCOUNT_NAME_8}
+              api_secret_key: ${API_SECRET_KEY_8}
+              container_name: contents
+            "9":
+              account_name: ${ACCOUNT_NAME_9}
+              api_secret_key: ${API_SECRET_KEY_9}
+              container_name: contents
+            a:
+              account_name: ${ACCOUNT_NAME_10}
+              api_secret_key: ${API_SECRET_KEY_10}
+              container_name: contents
+            b:
+              account_name: ${ACCOUNT_NAME_11}
+              api_secret_key: ${API_SECRET_KEY_11}
+              container_name: contents
+            c:
+              account_name: ${ACCOUNT_NAME_12}
+              api_secret_key: ${API_SECRET_KEY_12}
+              container_name: contents
+            d:
+              account_name: ${ACCOUNT_NAME_13}
+              api_secret_key: ${API_SECRET_KEY_13}
+              container_name: contents
+            e:
+              account_name: ${ACCOUNT_NAME_14}
+              api_secret_key: ${API_SECRET_KEY_14}
+              container_name: contents
+            f:
+              account_name: ${ACCOUNT_NAME_15}
+              api_secret_key: ${API_SECRET_KEY_15}
+              container_name: contents
+          cls: azure-prefixed
+    cache:
+      api_secret_key: ${API_SECRET_KEY}
+      cls: azure
+      connection_string: DefaultEndpointsProtocol=https;AccountName=swhvaultstorage;AccountKey=${ACCOUNT_KEY};EndpointSuffix=core.windows.net
+      container_name: contents-uncompressed
+    smtp:
+      host: smtp.inria.fr
+      port: 25
+---
 # Source: swh/templates/web/configmap-pgservice.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: pgservice-archive-configuration-template
   namespace: swh
 data:
   pg-service-conf: |
     [syncmailmaps]
     dbname=softwareheritage
@@ -16105,20 +16221,30 @@
 # Source: swh/templates/external-services/cname.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: storage-azure-read-only-rpc-ingress
   namespace: swh
 spec:
   type: ExternalName
   externalName: archive-production-rke2-ingress-nginx-controller.ingress-nginx.svc.cluster.local
 ---
+# Source: swh/templates/external-services/cname.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-rpc-ingress
+  namespace: swh
+spec:
+  type: ExternalName
+  externalName: archive-production-rke2-ingress-nginx-controller.ingress-nginx.svc.cluster.local
+---
 # Source: swh/templates/graphql/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: graphql-archive
   namespace: swh
 spec:
   type: ClusterIP
   selector:
     app: graphql-archive
@@ -16267,20 +16393,35 @@
   namespace: swh
 spec:
   type: ClusterIP
   selector:
     app: storage-postgresql-azure-readonly
   ports:
     - port: 5002
       targetPort: 5002
       name: rpc
 ---
+# Source: swh/templates/vault/rpc-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-rpc
+  namespace: swh
+spec:
+  type: ClusterIP
+  selector:
+    app: vault-rpc
+  ports:
+    - port: 5005
+      targetPort: 5005
+      name: rpc
+---
 # Source: swh/templates/web/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: web-app1
   namespace: swh
 spec:
   type: ClusterIP
   selector:
     app: web-app1
@@ -29220,20 +29361,387 @@
           defaultMode: 0777
           items:
           - key: "config.yml.template"
             path: "config.yml.template"

       - name: toolbox-script-utils
         configMap:
           name: toolbox-script-utils
           defaultMode: 0555
 ---
+# Source: swh/templates/vault/rpc-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: swh
+  name: vault-rpc
+  labels:
+    app: vault-rpc
+spec:
+  revisionHistoryLimit: 2
+  replicas: 2
+  selector:
+    matchLabels:
+      app: vault-rpc
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+  template:
+    metadata:
+      labels:
+        app: vault-rpc
+      annotations:
+        checksum/config: 632783e6b23a77d8638d1d807a469881296690704cbc14e85987b34b88ded75f
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: swh/rpc
+                operator: In
+                values:
+                - "true"
+      priorityClassName: swh-frontend-rpc
+
+      initContainers:
+        - name: prepare-configuration
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/utils:20231211.1
+          imagePullPolicy: IfNotPresent
+          command:
+          - /entrypoints/prepare-configuration.sh
+          env:
+
+
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: swh-vault-postgresql-secret
+                  key: postgres-swh-vault-password
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+
+
+            - name: API_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: swh-vault-azure-secret
+                  key: azure-swh-vault
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+
+
+            - name: ACCOUNT_NAME_0
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 0_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_1
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 1_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_10
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 10_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_11
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 11_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_12
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 12_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_13
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 13_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_14
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 14_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_15
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 15_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_2
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 2_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_3
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 3_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_4
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 4_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_5
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 5_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_6
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 6_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_7
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 7_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_8
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 8_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: ACCOUNT_NAME_9
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 9_account_name
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_0
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 0_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_1
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 1_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_10
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 10_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_11
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 11_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_12
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 12_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_13
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 13_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_14
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 14_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_15
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 15_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_2
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 2_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_3
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 3_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_4
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 4_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_5
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 5_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_6
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 6_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_7
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 7_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_8
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 8_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: API_SECRET_KEY_9
+              valueFrom:
+                secretKeyRef:
+                  name: swh-objstorage-config
+                  key: 9_api_secret_key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+          volumeMounts:
+          - name: configuration
+            mountPath: /etc/swh
+          - name: configuration-template
+            mountPath: /etc/swh/configuration-template
+          - name: config-utils
+            mountPath: /entrypoints
+            readOnly: true
+      containers:
+        - name: vault-rpc
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 500m
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/vault:20240108.1
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 5005
+              name: rpc
+          readinessProbe:
+            httpGet:
+              path: /
+              port: rpc
+            initialDelaySeconds: 15
+            failureThreshold: 30
+            periodSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /
+              port: rpc
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          command:
+            - /bin/bash
+          args:
+            - -c
+            - /opt/swh/entrypoint.sh
+          env:
+            - name: THREADS
+              value: "5"
+            - name: WORKERS
+              value: "4"
+            - name: TIMEOUT
+              value: "3600"
+            - name: STATSD_HOST
+              value: prometheus-statsd-exporter
+            - name: STATSD_PORT
+              value: "9125"
+            - name: LOG_LEVEL
+              value: INFO
+            - name: SWH_SENTRY_ENVIRONMENT
+              value: production
+            - name: SWH_MAIN_PACKAGE
+              value: swh.vault
+            - name: SWH_SENTRY_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: swh-vault-sentry-secret
+                  key: sentry-dsn
+                  # if the setting doesn't exist, sentry issue pushes will be disabled
+                  optional: false
+            - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+              value: "true"
+          volumeMounts:
+          - name: configuration
+            mountPath: /etc/swh
+      volumes:
+      - name: configuration
+        emptyDir: {}
+      - name: configuration-template
+        configMap:
+          name: vault-rpc-configuration-template
+          items:
+          - key: "config.yml.template"
+            path: "config.yml.template"
+      - name: config-utils
+        configMap:
+          name: config-utils
+          defaultMode: 0555
+---
 # Source: swh/templates/web/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   namespace: swh
   name: web-app1
   labels:
     app: web-app1
 spec:
   revisionHistoryLimit: 2
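Review bot: The production init container never sets `ACCOUNT_KEY`, yet the `cache.connection_string` in `vault-rpc-configuration-template` expands `${ACCOUNT_KEY}` (`AccountKey=${ACCOUNT_KEY}`), so the rendered config will carry an empty account key unless `prepare-configuration.sh` refuses unset variables, which this diff does not show. The staging init containers in this same MR set `ACCOUNT_KEY` (from `swh-vault-azure-secret`/`azure-swh-vault-key`) but not `API_SECRET_KEY`, so the two environments render the `cache:` section differently; both placeholders should be provided, as below, or the template reduced to a single one. Separately, the comment above `SWH_SENTRY_DSN` says a missing secret disables Sentry, but `optional: false` makes the pod fail to start when the key is absent — either switch to `optional: true` or fix the comment. The pod also runs without any `securityContext` (no `runAsNonRoot`, `readOnlyRootFilesystem` or dropped capabilities); that matches the other templates as far as this diff shows, but a workload holding the archive's storage credentials is a good place to start tightening.
```yaml
            - name: API_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: swh-vault-azure-secret
                  key: azure-swh-vault
                  optional: false
            # cache.connection_string in vault-rpc-configuration-template expands
            # ${ACCOUNT_KEY}; without this entry it renders with an empty AccountKey
            - name: ACCOUNT_KEY
              valueFrom:
                secretKeyRef:
                  name: swh-vault-azure-secret
                  key: azure-swh-vault-key  # key name used by the staging init container; confirm it exists in production
                  optional: false
            # … unchanged: ACCOUNT_NAME_* / API_SECRET_KEY_* entries …
```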
@@ -30618,20 +31126,49 @@
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
             name: storage-postgresql-azure-readonly
             port:
               number: 5002
 ---
+# Source: swh/templates/vault/rpc-ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: swh
+  name: vault-rpc-ingress-default
+  annotations:
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-body-size: 4G
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "90"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "90"
+
+spec:
+  rules:
+  - host: vault-rpc-ingress
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: vault-rpc
+            port:
+              number: 5005
+---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: web-app1-ingress-authenticated
   annotations:
     nginx.ingress.kubernetes.io/service-upstream: "true"
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
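Review bot: The `whitelist-source-range` of `10.42.0.0/16,10.43.0.0/16` spans the whole pod and service CIDRs, so every workload in every namespace of the cluster can reach the vault RPC through this ingress, and the `vault-rpc` ClusterIP service on port 5005 added in this MR is reachable directly, bypassing the allowlist entirely. Nothing in this diff configures authentication on the vault API itself, so if the intended callers are a known set of workloads, that restriction belongs in a NetworkPolicy selecting `app: vault-rpc` rather than an IP range at the proxy; failing that, a comment on the annotation such as `# cluster-internal only; the vault-rpc ClusterIP service is not covered by this allowlist` would at least record the limitation. `proxy-body-size: 4G` with `proxy-read-timeout: "3600"` is consistent with `TIMEOUT: "3600"` on the container, but with `replicas: 2` and `WORKERS: "4"` a handful of callers holding hour-long requests can exhaust the service; worth confirming that is acceptable or lowering the read timeout to what cooking actually needs.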


------------- diff for environment production namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.V9tW0YuK/production-swh-cassandra.before 2024-01-16 15:03:36.057597669 +0100
+++ /tmp/swh-chart.swh.V9tW0YuK/production-swh-cassandra.after  2024-01-16 15:03:36.505597450 +0100
@@ -11260,20 +11260,30 @@
 # Source: swh/templates/external-services/cname.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: storage-azure-read-only-rpc-ingress
   namespace: swh-cassandra
 spec:
   type: ExternalName
   externalName: archive-production-rke2-ingress-nginx-controller.ingress-nginx.svc.cluster.local
 ---
+# Source: swh/templates/external-services/cname.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-rpc-ingress
+  namespace: swh-cassandra
+spec:
+  type: ExternalName
+  externalName: archive-production-rke2-ingress-nginx-controller.ingress-nginx.svc.cluster.local
+---
 # Source: swh/templates/graphql/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: graphql-cassandra
   namespace: swh-cassandra
 spec:
   type: ClusterIP
   selector:
     app: graphql-cassandra

Refs. swh/infra/sysadm-environment#5211 (closed)
