swh/staging: Add web-webhooks deployment
Related to swh/infra/sysadm-environment#5374 (closed)
These modifications will delete the current ingress web-cassandra-ingress-webhooks associated with the deployment web-cassandra in the staging environment and create a deployment web-webhooks with its configmap, service, hpa, service monitor and ingress web-webhooks-ingress-webhooks.

This deployment and ingress will process all the requests from svix-server to the endpoint https://webapp.staging.swh.network/save/origin/visit/webhook/.

The new deployment has the same configuration (autoscaling, resources, swh-config, ...) as the deployment web-cassandra.
helm diff
------------- diff for environment staging namespace swh -------------
No differences
------------- diff for environment staging namespace swh-cassandra -------------
--- /tmp/swh-chart.swh.uGWp4hM6/staging-swh-cassandra.before 2024-08-07 10:53:45.669011236 +0200
+++ /tmp/swh-chart.swh.uGWp4hM6/staging-swh-cassandra.after 2024-08-07 10:53:46.529026323 +0200
@@ -6804,20 +6804,133 @@
- swh.web.banners
- swh.web.deposit
- swh.web.inbound_email
- swh.web.jslicenses
- swh.web.mailmap
- swh.web.metrics
- swh.web.save_code_now
- swh.web.save_origin_webhooks
- swh.web.vault
---
+# Source: swh/templates/web/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: swh-cassandra
+ name: web-webhooks-configuration-template
+data:
+ config.yml.template: |
+ instance_name: webapp.staging.swh.network
+ allowed_hosts:
+ - webapp.staging.swh.network
+ - webapp-cassandra.internal.staging.swh.network
+ - ${POD_IP}
+ storage:
+ cls: remote
+ url: http://storage-cassandra-read-only-ingress
+ search:
+ cls: remote
+ url: http://search-rpc-ingress
+ scheduler:
+ cls: remote
+ url: http://scheduler.internal.staging.swh.network
+ vault:
+ cls: remote
+ url: http://vault-rpc-ingress
+ indexer_storage:
+ cls: remote
+ url: http://indexer-storage-rpc-ingress
+ counters_backend: swh-counters
+ counters:
+ cls: remote
+ url: http://counters-rpc-ingress
+ deposit:
+ private_api_url: https://deposit.staging.swh.network/1/private/
+ private_api_user: ${DEPOSIT_USERNAME}
+ private_api_password: ${DEPOSIT_PASSWORD}
+ add_forge_now:
+ email_address: add-forge-now@webapp.staging.swh.network
+
+ secret_key: "${DJANGO_SECRET_KEY}"
+ production_db:
+
+ host: db1.internal.staging.swh.network
+ port: 5432
+ name: swh-web
+ user: swh-web
+ password: ${POSTGRESQL_PASSWORD}
+ client_config:
+ sentry_dsn: ${SWH_SENTRY_DSN}
+ throttling:
+ cache_uri: memcached:11211
+ scopes:
+ swh_api:
+ exempted_networks:
+ - 10.42.0.0/16
+ - 10.43.0.0/16
+ - 192.168.100.29/32
+ - 192.168.130.0/24
+ - 192.168.50.0/24
+ limiter_rate:
+ default: 120/h
+ swh_vault_cooking:
+ exempted_networks:
+ - 10.42.0.0/16
+ - 10.43.0.0/16
+ - 192.168.100.29/32
+ - 192.168.130.0/24
+ - 192.168.50.0/24
+ limiter_rate:
+ GET: 60/m
+ default: 120/h
+ swh_api_origin_search:
+ limiter_rate:
+ default: 10/m
+ swh_api_origin_visit_latest:
+ limiter_rate:
+ default: 700/m
+ swh_save_origin:
+ limiter_rate:
+ POST: 10/h
+ default: 120/h
+ keycloak:
+ realm_name: SoftwareHeritageStaging
+ server_url: https://auth.softwareheritage.org/auth/
+
+ content_display_max_size: 5242880
+ give:
+ public_key: ${GIVE_PUBLIC_KEY}
+ token: ${GIVE_PRIVATE_TOKEN}
+ history_counters_url: http://counters-rpc-ingress/counters_history/history.json
+ inbound_email:
+ shared_key: ${INBOUND_EMAIL_SHARED_KEY}
+ keycloak:
+ realm_name: SoftwareHeritageStaging
+ server_url: https://auth.softwareheritage.org/auth/
+ matomo: {}
+ save_code_now_webhook_secret: ${WEBHOOKS_SECRET}
+ search_config:
+ metadata_backend: swh-search
+ swh_extra_django_apps:
+ - swh.web.add_forge_now
+ - swh.web.archive_coverage
+ - swh.web.badges
+ - swh.web.banners
+ - swh.web.deposit
+ - swh.web.inbound_email
+ - swh.web.jslicenses
+ - swh.web.mailmap
+ - swh.web.metrics
+ - swh.web.save_code_now
+ - swh.web.save_origin_webhooks
+ - swh.web.vault
+---
# Source: swh/templates/webhooks/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
namespace: swh-cassandra
name: webhooks-origin-visit-status-template
data:
config.yml.template: |
webhooks:
event_retention_period: 7
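Review bot: the new `web-webhooks-configuration-template` carries the whole web-cassandra configuration, including credentials the webhook endpoint has no use for: `private_api_user: ${DEPOSIT_USERNAME}` / `private_api_password: ${DEPOSIT_PASSWORD}` for the deposit private API, the `give` `public_key` and `token`, and `inbound_email.shared_key`. Since the matching ingress only routes `/save/origin/visit/webhook` to this deployment, a template restricted to what the webhook view actually uses would keep the blast radius of these pods smaller; this can be a follow-up given the description's stated goal of a like-for-like copy, but it is worth a tracking issue. The stray blank lines inside the rendered template (after `email_address`, before `host`, after the first `keycloak` block) are harmless YAML but indicate trailing whitespace in the source template's conditionals.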
@@ -7305,20 +7418,41 @@
app: web-cassandra
ports:
- port: 5004
targetPort: 5004
name: rpc
- port: 80
targetPort: 80
name: webstatic
---
+# Source: swh/templates/web/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: web-webhooks
+ namespace: swh-cassandra
+ labels:
+ app: web-webhooks
+spec:
+ type: ClusterIP
+ selector:
+ app: web-webhooks
+ ports:
+ - port: 5004
+ targetPort: 5004
+ name: rpc
+
+ - port: 80
+ targetPort: 80
+ name: webstatic
+---
# Source: swh/templates/alter/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: alter
name: alter
namespace: swh-cassandra
spec:
replicas: 1
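Review bot: the Service also exposes port 80 (`webstatic`), but the only ingress that targets `web-webhooks` routes to port 5004, so the nginx static port is reachable only in-cluster; if this deployment is meant to serve webhooks exclusively, the port and the nginx sidecar it fronts could be dropped. The empty line between the two `ports` entries is a rendering artefact of the template and can be ignored.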
@@ -20161,20 +20295,263 @@
items:
- key: "config.yml.template"
path: "config.yml.template"
- name: static
emptyDir: {}
- name: config-utils
configMap:
name: config-utils
defaultMode: 0555
---
+# Source: swh/templates/web/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: swh-cassandra
+ name: web-webhooks
+ labels:
+ app: web-webhooks
+spec:
+ revisionHistoryLimit: 2
+ selector:
+ matchLabels:
+ app: web-webhooks
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ template:
+ metadata:
+ labels:
+ app: web-webhooks
+ annotations:
+ checksum/config: b492d35d393b0319b8e306ccd0a62e693297531c416701c94244c551fbb61efb
+ checksum/config-utils: 13a26f6add17e96ce01550153c77dcd48de60241a3f4db3c93d5467234be2a7f
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: swh/web
+ operator: In
+ values:
+ - "true"
+ priorityClassName: swh-cassandra-frontend-rpc
+
+ initContainers:
+ - name: prepare-configuration
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/utils:20231211.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - /entrypoints/prepare-configuration.sh
+ env:
+ - name: SWH_SENTRY_DSN
+ valueFrom:
+ secretKeyRef:
+ name: common-secrets
+ key: web-sentry-dsn
+ # 'name' secret should exist & include key
+ # if the setting doesn't exist, sentry pushes will be disabled
+ optional: false
+ - name: DEPOSIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: deposit-secrets
+ optional: false
+ - name: DEPOSIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: deposit-secrets
+ optional: false
+ - name: DJANGO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key
+ name: swh-webapp-django-secret
+ optional: false
+ - name: GIVE_PRIVATE_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: private-token
+ name: web-give-secrets
+ optional: false
+ - name: GIVE_PUBLIC_KEY
+ valueFrom:
+ secretKeyRef:
+ key: public-key
+ name: web-give-secrets
+ optional: false
+ - name: INBOUND_EMAIL_SHARED_KEY
+ valueFrom:
+ secretKeyRef:
+ key: web-inbound-email-shared-key
+ name: common-secrets
+ optional: false
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: postgres-swh-web-password
+ name: swh-postgresql-web-secrets
+ optional: false
+ - name: WEBHOOKS_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: webhooks-secret
+ name: common-secrets
+ optional: false
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+ - name: configuration-template
+ mountPath: /etc/swh/configuration-template
+ - name: config-utils
+ mountPath: /entrypoints
+ readOnly: true
+ - name: do-migration
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20240718.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: SWH_CONFIG_FILENAME
+ value: /etc/swh/config.yml
+ command:
+ - django-admin
+ args:
+ - migrate
+ - --settings=swh.web.settings.production
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+
+ - name: prepare-static
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20240718.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - cp -r $PWD/.local/share/swh/web/static/ /usr/share/swh/web/static/
+ volumeMounts:
+ - name: static
+ mountPath: /usr/share/swh/web/static
+ containers:
+ - name: web-webhooks
+ resources:
+ requests:
+ memory: 512Mi
+ cpu: 100m
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20240718.1
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 5004
+ name: webapp
+ readinessProbe:
+ httpGet:
+ path: /
+ port: webapp
+ httpHeaders:
+ - name: Host
+ value: webapp.staging.swh.network
+ initialDelaySeconds: 5
+ failureThreshold: 30
+ periodSeconds: 10
+ timeoutSeconds: 30
+ livenessProbe:
+ tcpSocket:
+ port: webapp
+ initialDelaySeconds: 3
+ periodSeconds: 10
+ timeoutSeconds: 30
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - /opt/swh/entrypoint.sh
+ env:
+ - name: WORKERS
+ value: "4"
+ - name: THREADS
+ value: "2"
+ - name: TIMEOUT
+ value: "3600"
+ - name: STATSD_HOST
+ value: prometheus-statsd-exporter
+ - name: STATSD_PORT
+ value: "9125"
+ - name: STATSD_TAGS
+ value: deployment:web-webhooks
+ - name: SWH_LOG_LEVEL
+ value: "INFO"
+ - name: SWH_CONFIG_FILENAME
+ value: /etc/swh/config.yml
+ - name: SWH_SENTRY_ENVIRONMENT
+ value: staging
+ - name: SWH_MAIN_PACKAGE
+ value: swh.web
+ - name: SWH_SENTRY_DSN
+ valueFrom:
+ secretKeyRef:
+ name: common-secrets
+ key: web-sentry-dsn
+ # 'name' secret should exist & include key
+ # if the setting doesn't exist, sentry pushes will be disabled
+ optional: true
+ - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+ value: "true"
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+ readOnly: true
+ - name: nginx
+ resources:
+ requests:
+ memory: 50Mi
+ cpu: 10m
+ image: nginx:bullseye
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
+ name: webstatic
+ readinessProbe:
+ httpGet:
+ path: static/robots.txt
+ port: webstatic
+ initialDelaySeconds: 5
+ failureThreshold: 30
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: static/robots.txt
+ port: webstatic
+ initialDelaySeconds: 3
+ periodSeconds: 10
+ volumeMounts:
+ - name: static
+ mountPath: /usr/share/nginx/html
+ volumes:
+ - name: configuration
+ emptyDir: {}
+ - name: configuration-template
+ configMap:
+ name: web-webhooks-configuration-template
+ items:
+ - key: "config.yml.template"
+ path: "config.yml.template"
+ - name: static
+ emptyDir: {}
+ - name: config-utils
+ configMap:
+ name: config-utils
+ defaultMode: 0555
+---
# Source: swh/templates/webhooks/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: webhooks-origin-visit-status
namespace: swh-cassandra
labels:
app: webhooks-origin-visit-status
spec:
revisionHistoryLimit: 2
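Review bot: the `SWH_SENTRY_DSN` secretKeyRef is `optional: false` in the `prepare-configuration` init container but `optional: true` in the `web-webhooks` container, while both carry the comment "if the setting doesn't exist, sentry pushes will be disabled"; with `optional: false` a missing `web-sentry-dsn` key blocks pod start instead of disabling Sentry, so align the init container on `optional: true` (or correct the comment). Second, the `do-migration` init container runs `django-admin migrate` against the same `production_db` (`db1.internal.staging.swh.network`, database `swh-web`) that web-cassandra migrates on its own rollout; two deployments applying migrations concurrently to one database is a race on schema changes, so consider leaving migration to a single owner and having this deployment only verify that the schema is current.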
@@ -20441,20 +20818,43 @@
minReplicas: 2
maxReplicas: 4
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 75
---
+# Source: swh/templates/web/autoscaling.yaml
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ namespace: swh-cassandra
+ name: web-webhooks
+ labels:
+ app: web-webhooks
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: web-webhooks
+ minReplicas: 2
+ maxReplicas: 4
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 75
+---
# Source: swh/templates/counters/refresh-counters-cache-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
name: counters-refresh-counters-cache-cronjob
spec:
# By default, every 4h
schedule: "0 */1 * * *"
concurrencyPolicy: Forbid
jobTemplate:
@@ -22027,53 +22427,53 @@
- hosts:
- webapp.staging.swh.network
- webapp-cassandra.internal.staging.swh.network
secretName: swh-web-crt
---
# Source: swh/templates/web/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh-cassandra
- name: web-cassandra-ingress-webhooks
+ name: web-webhooks-ingress-webhooks
labels:
- app: web-cassandra
+ app: web-webhooks
endpoint-definition: webhooks
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/limit-connections: "3"
nginx.ingress.kubernetes.io/service-upstream: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.130.1,192.168.130.2
spec:
rules:
- host: webapp.staging.swh.network
http:
paths:
- path: /save/origin/visit/webhook
pathType: Prefix
backend:
service:
- name: web-cassandra
+ name: web-webhooks
port:
number: 5004
- host: webapp-cassandra.internal.staging.swh.network
http:
paths:
- path: /save/origin/visit/webhook
pathType: Prefix
backend:
service:
- name: web-cassandra
+ name: web-webhooks
port:
number: 5004
tls:
- hosts:
- webapp.staging.swh.network
- webapp-cassandra.internal.staging.swh.network
secretName: swh-web-crt
---
# Source: swh/templates/cookers/deployment.yaml
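Review bot: renaming the ingress from `web-cassandra-ingress-webhooks` to `web-webhooks-ingress-webhooks` makes helm delete the old object and create a new one rather than patch in place, so there is a short window in which `/save/origin/visit/webhook` on `webapp.staging.swh.network` is served by whatever other rule matches that host (the `web-cassandra` ingress in the context above) or by nothing at all, until the new `web-webhooks` pods pass readiness. Roll out while svix can retry, and check the nginx-ingress controller logs for 503s on that path afterwards. Note also that `whitelist-source-range: 192.168.130.1,192.168.130.2` applies only at the ingress; in-cluster callers can still reach the `web-webhooks` Service directly, so the `save_code_now_webhook_secret` check in the application remains the actual authentication of incoming webhooks.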
@@ -24742,20 +25142,39 @@
port: rpc
interval: 300s
scrapeTimeout: 60s
selector:
matchLabels:
app: web-cassandra
namespaceSelector:
matchNames:
- swh-cassandra
---
+# Source: swh/templates/web/monitoring.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: web-webhooks-metrics
+ namespace: swh-cassandra
+spec:
+ endpoints:
+ - path: /metrics/prometheus/
+ port: rpc
+ interval: 300s
+ scrapeTimeout: 60s
+ selector:
+ matchLabels:
+ app: web-webhooks
+ namespaceSelector:
+ matchNames:
+ - swh-cassandra
+---
# Source: swh/templates/checker-deposit/keda-autoscaling.yaml
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
name: amqp-authentication-checker-deposit
namespace: swh-cassandra
spec:
secretTargetRef:
- parameter: host # "host" is required by the scalerObject trigger metadata
name: common-secrets
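Review bot: the selector `app: web-webhooks` matches the labels on the new Service, so the scrape target resolves; because this is a separate ServiceMonitor rather than a widened selector on `web-cassandra-metrics`, any dashboard or alert that filters on `app="web-cassandra"` will no longer see webhook traffic, so adjust those if webhook requests are meant to be counted with the web front-end.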
------------- diff for environment staging namespace swh-cassandra-next-version -------------
--- /tmp/swh-chart.swh.uGWp4hM6/staging-swh-cassandra-next-version.before 2024-08-07 10:53:45.985016779 +0200
+++ /tmp/swh-chart.swh.uGWp4hM6/staging-swh-cassandra-next-version.after 2024-08-07 10:53:46.901032848 +0200
@@ -18652,55 +18652,20 @@
service:
name: web-cassandra
port:
number: 80
tls:
- hosts:
- webapp-cassandra-next-version.internal.staging.swh.network
secretName: swh-web-crt
---
-# Source: swh/templates/web/ingress.yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- namespace: swh-cassandra-next-version
- name: web-cassandra-ingress-webhooks
- labels:
- app: web-cassandra
- endpoint-definition: webhooks
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production-gandi
- kubernetes.io/ingress.class: nginx
- kubernetes.io/tls-acme: "true"
- nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
- nginx.ingress.kubernetes.io/limit-connections: "3"
- nginx.ingress.kubernetes.io/service-upstream: "true"
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.100.29/32,192.168.130.0/24,192.168.130.1,192.168.130.2,192.168.50.0/24
-spec:
- rules:
- - host: webapp-cassandra-next-version.internal.staging.swh.network
- http:
- paths:
- - path: /save/origin/visit/webhook
- pathType: Prefix
- backend:
- service:
- name: web-cassandra
- port:
- number: 5004
-
- tls:
- - hosts:
- - webapp-cassandra-next-version.internal.staging.swh.network
- secretName: swh-web-crt
----
# Source: swh/templates/cookers/deployment.yaml
# Set useJsonLogger to false to let the logs be plain text
---
# Source: swh/templates/listers/deployment.yaml
# Set useJsonLogger to false to let the logs be plain text
---
# Source: swh/templates/loaders/deployment.yaml
# if defined at the "typed" loader level
# otherwise use the global image is defined First this needs to replace - in
# $loader_type with "" to find the proper image name.
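Review bot: this removes the webhook ingress from `swh-cassandra-next-version` without rendering a replacement deployment or ingress there, so `/save/origin/visit/webhook` on `webapp-cassandra-next-version.internal.staging.swh.network` disappears in that namespace; the description only mentions the staging `swh-cassandra` namespace, so confirm this is intended and that no svix endpoint targets the next-version host. Incidentally, the removed ingress allowed `10.42.0.0/16,10.43.0.0/16,...` in `whitelist-source-range`, far wider than the two addresses kept for `swh-cassandra`; if a next-version webhook ingress is re-added later, use the narrower list.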
------------- diff for environment production namespace swh -------------
No differences
------------- diff for environment production namespace swh-cassandra -------------
No differences
Note that the modifications on the web templates monitoring.yaml and autoscaling.yaml are there to avoid this inconsistent output:
spec.metrics.0.resource.target.averageUtilization (autoscaling/v2/HorizontalPodAutoscaler/swh-cassandra/web-cassandra)
± type change from int to string
- 75
+ 75---
spec.namespaceSelector.matchNames.0 (monitoring.coreos.com/v1/ServiceMonitor/swh-cassandra/web-cassandra-metrics)
± value change
- swh-cassandra
+ swh-cassandra---
Edited by Guillaume Samson