
swh/staging: Add web-webhooks deployment

Guillaume Samson requested to merge swh_webhooks_staging into production

Related to swh/infra/sysadm-environment#5374 (closed)

These modifications will delete the current ingress web-cassandra-ingress-webhooks associated with the deployment web-cassandra in the staging environment and create a deployment web-webhooks with its configmap, service, hpa, service monitor and ingress web-webhooks-ingress-webhooks.
This deployment and ingress will process all the requests from svix-server to the endpoint https://webapp.staging.swh.network/save/origin/visit/webhook/.
The new deployment has the same configuration (autoscaling, resources, swh-config, ...) as the deployment web-cassandra.

helm diff
------------- diff for environment staging namespace swh -------------

No differences


------------- diff for environment staging namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.uGWp4hM6/staging-swh-cassandra.before	2024-08-07 10:53:45.669011236 +0200
+++ /tmp/swh-chart.swh.uGWp4hM6/staging-swh-cassandra.after	2024-08-07 10:53:46.529026323 +0200
@@ -6804,20 +6804,133 @@
     - swh.web.banners
     - swh.web.deposit
     - swh.web.inbound_email
     - swh.web.jslicenses
     - swh.web.mailmap
     - swh.web.metrics
     - swh.web.save_code_now
     - swh.web.save_origin_webhooks
     - swh.web.vault
 ---
+# Source: swh/templates/web/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: swh-cassandra
+  name: web-webhooks-configuration-template
+data:
+  config.yml.template: |
+    instance_name: webapp.staging.swh.network
+    allowed_hosts:
+      - webapp.staging.swh.network
+      - webapp-cassandra.internal.staging.swh.network
+      - ${POD_IP}
+    storage:
+      cls: remote
+      url: http://storage-cassandra-read-only-ingress
+    search:
+      cls: remote
+      url: http://search-rpc-ingress
+    scheduler:
+      cls: remote
+      url: http://scheduler.internal.staging.swh.network
+    vault:
+      cls: remote
+      url: http://vault-rpc-ingress
+    indexer_storage:
+      cls: remote
+      url: http://indexer-storage-rpc-ingress
+    counters_backend: swh-counters
+    counters:
+      cls: remote
+      url: http://counters-rpc-ingress
+    deposit:
+      private_api_url: https://deposit.staging.swh.network/1/private/
+      private_api_user: ${DEPOSIT_USERNAME}
+      private_api_password: ${DEPOSIT_PASSWORD}
+    add_forge_now:
+      email_address: add-forge-now@webapp.staging.swh.network
+
+    secret_key: "${DJANGO_SECRET_KEY}"
+    production_db:
+    
+      host: db1.internal.staging.swh.network
+      port: 5432
+      name: swh-web
+      user: swh-web
+      password: ${POSTGRESQL_PASSWORD}
+    client_config:
+      sentry_dsn: ${SWH_SENTRY_DSN}
+    throttling:
+      cache_uri: memcached:11211
+      scopes:
+        swh_api:
+          exempted_networks:
+          - 10.42.0.0/16
+          - 10.43.0.0/16
+          - 192.168.100.29/32
+          - 192.168.130.0/24
+          - 192.168.50.0/24
+          limiter_rate:
+            default: 120/h
+        swh_vault_cooking:
+          exempted_networks:
+          - 10.42.0.0/16
+          - 10.43.0.0/16
+          - 192.168.100.29/32
+          - 192.168.130.0/24
+          - 192.168.50.0/24
+          limiter_rate:
+            GET: 60/m
+            default: 120/h
+        swh_api_origin_search:
+          limiter_rate:
+            default: 10/m
+        swh_api_origin_visit_latest:
+          limiter_rate:
+            default: 700/m
+        swh_save_origin:
+          limiter_rate:
+            POST: 10/h
+            default: 120/h
+    keycloak:
+      realm_name: SoftwareHeritageStaging
+      server_url: https://auth.softwareheritage.org/auth/
+    
+    content_display_max_size: 5242880
+    give:
+      public_key: ${GIVE_PUBLIC_KEY}
+      token: ${GIVE_PRIVATE_TOKEN}
+    history_counters_url: http://counters-rpc-ingress/counters_history/history.json
+    inbound_email:
+      shared_key: ${INBOUND_EMAIL_SHARED_KEY}
+    keycloak:
+      realm_name: SoftwareHeritageStaging
+      server_url: https://auth.softwareheritage.org/auth/
+    matomo: {}
+    save_code_now_webhook_secret: ${WEBHOOKS_SECRET}
+    search_config:
+      metadata_backend: swh-search
+    swh_extra_django_apps:
+    - swh.web.add_forge_now
+    - swh.web.archive_coverage
+    - swh.web.badges
+    - swh.web.banners
+    - swh.web.deposit
+    - swh.web.inbound_email
+    - swh.web.jslicenses
+    - swh.web.mailmap
+    - swh.web.metrics
+    - swh.web.save_code_now
+    - swh.web.save_origin_webhooks
+    - swh.web.vault
+---
 # Source: swh/templates/webhooks/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
   namespace: swh-cassandra
   name: webhooks-origin-visit-status-template
 data:
   config.yml.template: |
     webhooks:
       event_retention_period: 7
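Review bot: the `config.yml.template` added in this hunk defines the `keycloak:` mapping twice, once right after the `throttling` block and again after `inbound_email`, with the same `realm_name` and `server_url` values. Duplicate keys in a YAML mapping are rejected by strict loaders and silently resolved last-wins by lenient ones, so one copy should be dropped; since the description says this configmap mirrors web-cassandra, check whether the duplication comes from the shared web template and fix it there rather than only in this rendered output.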
@@ -7305,20 +7418,41 @@
     app: web-cassandra
   ports:
     - port: 5004
       targetPort: 5004
       name: rpc
     
     - port: 80
       targetPort: 80
       name: webstatic
 ---
+# Source: swh/templates/web/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: web-webhooks
+  namespace: swh-cassandra
+  labels:
+    app: web-webhooks
+spec:
+  type: ClusterIP
+  selector:
+    app: web-webhooks
+  ports:
+    - port: 5004
+      targetPort: 5004
+      name: rpc
+    
+    - port: 80
+      targetPort: 80
+      name: webstatic
+---
 # Source: swh/templates/alter/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app: alter
   name: alter
   namespace: swh-cassandra
 spec:
   replicas: 1
@@ -20161,20 +20295,263 @@
          items:
          - key: "config.yml.template"
            path: "config.yml.template"
       - name: static
         emptyDir: {}
       - name: config-utils
         configMap:
           name: config-utils
           defaultMode: 0555
 ---
+# Source: swh/templates/web/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: swh-cassandra
+  name: web-webhooks
+  labels:
+    app: web-webhooks
+spec:
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: web-webhooks
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+  template:
+    metadata:
+      labels:
+        app: web-webhooks
+      annotations:
+        checksum/config: b492d35d393b0319b8e306ccd0a62e693297531c416701c94244c551fbb61efb
+        checksum/config-utils: 13a26f6add17e96ce01550153c77dcd48de60241a3f4db3c93d5467234be2a7f
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: swh/web
+                operator: In
+                values:
+                - "true"
+      priorityClassName: swh-cassandra-frontend-rpc
+      
+      initContainers:
+        - name: prepare-configuration
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/utils:20231211.1
+          imagePullPolicy: IfNotPresent
+          command:
+          - /entrypoints/prepare-configuration.sh
+          env:
+            - name: SWH_SENTRY_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: common-secrets
+                  key: web-sentry-dsn
+                  # 'name' secret should exist & include key
+                  # if the setting doesn't exist, sentry pushes will be disabled
+                  optional: false
+            - name: DEPOSIT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: deposit-secrets
+                  optional: false
+            - name: DEPOSIT_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: deposit-secrets
+                  optional: false
+            - name: DJANGO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: webapp-django-secret-key
+                  name: swh-webapp-django-secret
+                  optional: false
+            - name: GIVE_PRIVATE_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  key: private-token
+                  name: web-give-secrets
+                  optional: false
+            - name: GIVE_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: public-key
+                  name: web-give-secrets
+                  optional: false
+            - name: INBOUND_EMAIL_SHARED_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: web-inbound-email-shared-key
+                  name: common-secrets
+                  optional: false
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: postgres-swh-web-password
+                  name: swh-postgresql-web-secrets
+                  optional: false
+            - name: WEBHOOKS_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: webhooks-secret
+                  name: common-secrets
+                  optional: false
+          volumeMounts:
+            - name: configuration
+              mountPath: /etc/swh
+            - name: configuration-template
+              mountPath: /etc/swh/configuration-template
+            - name: config-utils
+              mountPath: /entrypoints
+              readOnly: true
+        - name: do-migration
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20240718.1
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: SWH_CONFIG_FILENAME
+              value: /etc/swh/config.yml
+          command:
+            - django-admin
+          args:
+            - migrate
+            - --settings=swh.web.settings.production
+          volumeMounts:
+            - name: configuration
+              mountPath: /etc/swh
+        
+        - name: prepare-static
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20240718.1
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+          args:
+            - -c
+            - cp -r $PWD/.local/share/swh/web/static/ /usr/share/swh/web/static/
+          volumeMounts:
+          - name: static
+            mountPath: /usr/share/swh/web/static
+      containers:
+        - name: web-webhooks
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 100m
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20240718.1
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 5004
+              name: webapp
+          readinessProbe:
+            httpGet:
+              path: /
+              port: webapp
+              httpHeaders:
+                - name: Host
+                  value: webapp.staging.swh.network
+            initialDelaySeconds: 5
+            failureThreshold: 30
+            periodSeconds: 10
+            timeoutSeconds: 30
+          livenessProbe:
+            tcpSocket:
+              port: webapp
+            initialDelaySeconds: 3
+            periodSeconds: 10
+            timeoutSeconds: 30
+          command:
+            - /bin/bash
+          args:
+            - -c
+            - /opt/swh/entrypoint.sh
+          env:
+            - name: WORKERS
+              value: "4"
+            - name: THREADS
+              value: "2"
+            - name: TIMEOUT
+              value: "3600"
+            - name: STATSD_HOST
+              value: prometheus-statsd-exporter
+            - name: STATSD_PORT
+              value: "9125"
+            - name: STATSD_TAGS
+              value: deployment:web-webhooks
+            - name: SWH_LOG_LEVEL
+              value: "INFO"
+            - name: SWH_CONFIG_FILENAME
+              value: /etc/swh/config.yml
+            - name: SWH_SENTRY_ENVIRONMENT
+              value: staging
+            - name: SWH_MAIN_PACKAGE
+              value: swh.web
+            - name: SWH_SENTRY_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: common-secrets
+                  key: web-sentry-dsn
+                  # 'name' secret should exist & include key
+                  # if the setting doesn't exist, sentry pushes will be disabled
+                  optional: true
+            - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+              value: "true"
+          volumeMounts:
+          - name: configuration
+            mountPath: /etc/swh
+            readOnly: true
+        - name: nginx
+          resources:
+            requests:
+              memory: 50Mi
+              cpu: 10m
+          image: nginx:bullseye
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
+              name: webstatic
+          readinessProbe:
+            httpGet:
+              path: static/robots.txt
+              port: webstatic
+            initialDelaySeconds: 5
+            failureThreshold: 30
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: static/robots.txt
+              port: webstatic
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          volumeMounts:
+            - name: static
+              mountPath: /usr/share/nginx/html
+      volumes:
+      - name: configuration
+        emptyDir: {}
+      - name: configuration-template
+        configMap:
+         name: web-webhooks-configuration-template
+         items:
+         - key: "config.yml.template"
+           path: "config.yml.template"
+      - name: static
+        emptyDir: {}
+      - name: config-utils
+        configMap:
+          name: config-utils
+          defaultMode: 0555
+---
 # Source: swh/templates/webhooks/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: webhooks-origin-visit-status
   namespace: swh-cassandra
   labels:
     app: webhooks-origin-visit-status
 spec:
   revisionHistoryLimit: 2
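Review bot: the `SWH_SENTRY_DSN` secretKeyRef in the `prepare-configuration` init container is `optional: false` while the identical secretKeyRef in the `web-webhooks` container is `optional: true`, and both carry the comment "if the setting doesn't exist, sentry pushes will be disabled"; with `optional: false` the init container simply fails to start when `common-secrets`/`web-sentry-dsn` is missing, so the two should be aligned (most likely `optional: true` in both). Separately, this deployment only serves `/save/origin/visit/webhook` but is handed every secret of the full web app (deposit username/password, give public key and private token, inbound-email shared key); if the template allows it, limiting the webhook pods to what they actually need (`WEBHOOKS_SECRET`, `POSTGRESQL_PASSWORD`, `DJANGO_SECRET_KEY`, the Sentry DSN) keeps a problem in the webhook path from exposing credentials for unrelated features.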
@@ -20441,20 +20818,43 @@
   minReplicas: 2
   maxReplicas: 4
   metrics:
   - type: Resource
     resource:
       name: cpu
       target:
         type: Utilization
         averageUtilization: 75
 ---
+# Source: swh/templates/web/autoscaling.yaml
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  namespace: swh-cassandra
+  name: web-webhooks
+  labels:
+    app: web-webhooks
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: web-webhooks
+  minReplicas: 2
+  maxReplicas: 4
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 75
+---
 # Source: swh/templates/counters/refresh-counters-cache-cronjob.yaml
 apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: counters-refresh-counters-cache-cronjob
 spec:
   # By default, every 4h
   schedule: "0 */1 * * *"
   concurrencyPolicy: Forbid
   jobTemplate:
@@ -22027,53 +22427,53 @@
   - hosts:
     - webapp.staging.swh.network
     - webapp-cassandra.internal.staging.swh.network
     secretName: swh-web-crt
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
-  name: web-cassandra-ingress-webhooks
+  name: web-webhooks-ingress-webhooks
   labels:
-    app: web-cassandra
+    app: web-webhooks
     endpoint-definition: webhooks
   annotations: 
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     nginx.ingress.kubernetes.io/limit-connections: "3"
     nginx.ingress.kubernetes.io/service-upstream: "true"
     nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.130.1,192.168.130.2
 spec:
   rules:
   - host: webapp.staging.swh.network
     http:
       paths:
       - path: /save/origin/visit/webhook
         pathType: Prefix
         backend:
           service:
-            name: web-cassandra
+            name: web-webhooks
             port:
               number: 5004
       
   - host: webapp-cassandra.internal.staging.swh.network
     http:
       paths:
       - path: /save/origin/visit/webhook
         pathType: Prefix
         backend:
           service:
-            name: web-cassandra
+            name: web-webhooks
             port:
               number: 5004
       
   tls:
   - hosts:
     - webapp.staging.swh.network
     - webapp-cassandra.internal.staging.swh.network
     secretName: swh-web-crt
 ---
 # Source: swh/templates/cookers/deployment.yaml
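Review bot: the rename keeps `nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.130.1,192.168.130.2` and `limit-connections: "3"`, so the new ingress is as restricted as the one it replaces, which is the right outcome; note though that because only `metadata.name` changes, the apply will delete `web-cassandra-ingress-webhooks` and create `web-webhooks-ingress-webhooks` rather than update in place, so there may be a short window during the rollout in which `/save/origin/visit/webhook` is not routed, and svix-server deliveries in that window depend on its retry behaviour.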
@@ -24742,20 +25142,39 @@
     port: rpc
     interval: 300s
     scrapeTimeout: 60s
   selector:
     matchLabels:
       app: web-cassandra
   namespaceSelector:
     matchNames:
       - swh-cassandra
 ---
+# Source: swh/templates/web/monitoring.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: web-webhooks-metrics
+  namespace: swh-cassandra
+spec:
+  endpoints:
+  - path: /metrics/prometheus/
+    port: rpc
+    interval: 300s
+    scrapeTimeout: 60s
+  selector:
+    matchLabels:
+      app: web-webhooks
+  namespaceSelector:
+    matchNames:
+      - swh-cassandra
+---
 # Source: swh/templates/checker-deposit/keda-autoscaling.yaml
 apiVersion: keda.sh/v1alpha1
 kind: TriggerAuthentication
 metadata:
   name: amqp-authentication-checker-deposit
   namespace: swh-cassandra
 spec:
   secretTargetRef:
   - parameter: host            # "host" is required by the scalerObject trigger metadata
     name: common-secrets


------------- diff for environment staging namespace swh-cassandra-next-version -------------

--- /tmp/swh-chart.swh.uGWp4hM6/staging-swh-cassandra-next-version.before	2024-08-07 10:53:45.985016779 +0200
+++ /tmp/swh-chart.swh.uGWp4hM6/staging-swh-cassandra-next-version.after	2024-08-07 10:53:46.901032848 +0200
@@ -18652,55 +18652,20 @@
           service:
             name: web-cassandra
             port:
               number: 80
       
   tls:
   - hosts:
     - webapp-cassandra-next-version.internal.staging.swh.network
     secretName: swh-web-crt
 ---
-# Source: swh/templates/web/ingress.yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  namespace: swh-cassandra-next-version
-  name: web-cassandra-ingress-webhooks
-  labels:
-    app: web-cassandra
-    endpoint-definition: webhooks
-  annotations: 
-    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
-    kubernetes.io/ingress.class: nginx
-    kubernetes.io/tls-acme: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/limit-connections: "3"
-    nginx.ingress.kubernetes.io/service-upstream: "true"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.100.29/32,192.168.130.0/24,192.168.130.1,192.168.130.2,192.168.50.0/24
-spec:
-  rules:
-  - host: webapp-cassandra-next-version.internal.staging.swh.network
-    http:
-      paths:
-      - path: /save/origin/visit/webhook
-        pathType: Prefix
-        backend:
-          service:
-            name: web-cassandra
-            port:
-              number: 5004
-      
-  tls:
-  - hosts:
-    - webapp-cassandra-next-version.internal.staging.swh.network
-    secretName: swh-web-crt
----
 # Source: swh/templates/cookers/deployment.yaml
 # Set useJsonLogger to false to let the logs be plain text
 ---
 # Source: swh/templates/listers/deployment.yaml
 # Set useJsonLogger to false to let the logs be plain text
 ---
 # Source: swh/templates/loaders/deployment.yaml
 # if defined at the "typed" loader level
 # otherwise use the global image is defined First this needs to replace - in
 # $loader_type with "" to find the proper image name.
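Review bot: this hunk removes the webhook ingress from the `swh-cassandra-next-version` namespace without adding a `web-webhooks` deployment, service or ingress there (the diff for that namespace contains only this deletion), so after the merge `/save/origin/visit/webhook` on `webapp-cassandra-next-version.internal.staging.swh.network` will no longer be routed. If that is intended, it would help to say so in the description, which only mentions the staging `swh-cassandra` namespace. Worth noting for the record: the removed ingress had a much broader `whitelist-source-range` (10.42.0.0/16, 10.43.0.0/16, 192.168.50.0/24, ...) than the two-address allowlist kept in `swh-cassandra`, so the deletion also closes that wider exposure.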


------------- diff for environment production namespace swh -------------

No differences


------------- diff for environment production namespace swh-cassandra -------------

No differences

Note that the modifications on the web templates monitoring.yaml and autoscaling.yaml are there to avoid these inconsistent outputs:

spec.metrics.0.resource.target.averageUtilization  (autoscaling/v2/HorizontalPodAutoscaler/swh-cassandra/web-cassandra)
  ± type change from int to string
    - 75
    + 75---

spec.namespaceSelector.matchNames.0  (monitoring.coreos.com/v1/ServiceMonitor/swh-cassandra/web-cassandra-metrics)
  ± value change
    - swh-cassandra
    + swh-cassandra---
Edited by Guillaume Samson
