swh/production: Add web-webhooks deployment
Related to swh/infra/sysadm-environment#5374 (closed)
These modifications will delete the current ingress web-archive-ingress-webhooks pointing to the web-archive service and will create a deployment web-webhooks and an ingress web-webhooks-ingress-webhooks to be used by Svix-server as a endpoint.
Helm-diff
[swh] Comparing changes between branches production and web_webhooks_production (per environment)...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/web_webhooks_production'.
[swh] Generate config in web_webhooks_production branch for environment staging...
[swh] Generate config in web_webhooks_production branch for environment staging...
[swh] Generate config in web_webhooks_production branch for environment staging...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/web_webhooks_production'.
[swh] Generate config in web_webhooks_production branch for environment production...
[swh] Generate config in web_webhooks_production branch for environment production...
[swh] Generate config in web_webhooks_production branch for environment production...
------------- diff for environment staging namespace swh -------------
No differences
------------- diff for environment staging namespace swh-cassandra -------------
No differences
------------- diff for environment staging namespace swh-cassandra-next-version -------------
No differences
------------- diff for environment production namespace swh -------------
--- /tmp/swh-chart.swh.3yn1YBE1/production-swh.before 2024-08-09 15:45:10.864877729 +0200
+++ /tmp/swh-chart.swh.3yn1YBE1/production-swh.after 2024-08-09 15:45:11.484892375 +0200
@@ -8515,20 +8515,168 @@
- swh.web.banners
- swh.web.deposit
- swh.web.inbound_email
- swh.web.jslicenses
- swh.web.mailmap
- swh.web.metrics
- swh.web.save_code_now
- swh.web.save_origin_webhooks
- swh.web.vault
---
+# Source: swh/templates/web/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: swh
+ name: web-webhooks-configuration-template
+data:
+ config.yml.template: |
+ instance_name: archive.softwareheritage.org
+ allowed_hosts:
+ - archive.softwareheritage.org
+ - archive.internal.softwareheritage.org
+ - ${POD_IP}
+ production_server_names:
+ - archive.softwareheritage.org
+ - archive.internal.softwareheritage.org
+ - ${POD_IP}
+ storage:
+ cls: remote
+ url: http://storage-azure-read-only-rpc-ingress
+ search:
+ cls: remote
+ url: http://search-rpc-ingress
+ scheduler:
+ cls: remote
+ url: http://scheduler.internal.softwareheritage.org
+ vault:
+ cls: remote
+ url: http://vault-rpc-ingress
+ indexer_storage:
+ cls: remote
+ url: http://indexer-storage-read-only-rpc-ingress
+ counters_backend: swh-counters
+ counters:
+ cls: remote
+ url: http://counters-rpc-ingress
+ deposit:
+ private_api_url: https://deposit.softwareheritage.org/1/private/
+ private_api_user: ${DEPOSIT_USERNAME}
+ private_api_password: ${DEPOSIT_PASSWORD}
+ add_forge_now:
+ email_address: add-forge-now@archive.softwareheritage.org
+ gitlab_pipeline:
+ token: ${GITLAB_AFN_TOKEN}
+ trigger_url: https://gitlab.softwareheritage.org/api/v4/projects/474/trigger/pipeline
+
+ secret_key: "${DJANGO_SECRET_KEY}"
+ secret_key_fallbacks:
+ - "${DJANGO_SECRET_KEY_FALLBACK_1}"
+ - "${DJANGO_SECRET_KEY_FALLBACK_2}"
+ production_db:
+
+ host: postgresql-web-rw.internal.softwareheritage.org
+ port: 5432
+ name: swh-web
+ user: swh-web
+ password: ${POSTGRESQL_PASSWORD}
+ client_config:
+ sentry_dsn: ${SWH_SENTRY_DSN}
+ throttling:
+ cache_uri: memcached:11211
+ scopes:
+ swh_api:
+ exempted_networks:
+ - 10.42.0.0/16
+ - 10.43.0.0/16
+ - 127.0.0.0/8
+ - 128.93.166.14
+ - 131.107.174.0/24
+ - 192.168.100.0/24
+ - 192.168.200.0/22
+ - 213.135.60.145
+ - 213.135.60.146
+ - 37.187.137.47
+ - 37.187.96.121
+ limiter_rate:
+ default: 120/h
+ swh_save_origin:
+ exempted_networks:
+ - 10.42.0.0/16
+ - 10.43.0.0/16
+ - 127.0.0.0/8
+ - 128.93.166.14
+ - 131.107.174.0/24
+ - 192.168.100.0/24
+ - 192.168.200.0/22
+ - 213.135.60.145
+ - 213.135.60.146
+ - 37.187.96.121
+ limiter_rate:
+ POST: 10/h
+ default: 120/h
+ swh_vault_cooking:
+ exempted_networks:
+ - 10.42.0.0/16
+ - 10.43.0.0/16
+ - 127.0.0.0/8
+ - 128.93.166.14
+ - 131.107.174.0/24
+ - 192.168.100.0/24
+ - 192.168.200.0/22
+ - 213.135.60.145
+ - 213.135.60.146
+ - 37.187.96.121
+ limiter_rate:
+ GET: 60/m
+ default: 120/h
+ swh_api_origin_search:
+ limiter_rate:
+ default: 10/m
+ swh_api_origin_visit_latest:
+ limiter_rate:
+ default: 700/m
+ swh_raw_object:
+ limiter_rate:
+ default: 120/h
+ keycloak:
+ realm_name: SoftwareHeritage
+ server_url: https://auth.softwareheritage.org/auth/
+
+ content_display_max_size: 5242880
+ es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-*
+ give:
+ public_key: ${GIVE_PUBLIC_KEY}
+ token: ${GIVE_PRIVATE_TOKEN}
+ history_counters_url: http://counters-rpc-ingress/counters_history/history.json#
+ inbound_email:
+ shared_key: ${INBOUND_EMAIL_SHARED_KEY}
+ matomo:
+ site_id: 59
+ url: https://piwik.inria.fr/
+ save_code_now_webhook_secret: ${WEBHOOKS_SECRET}
+ search_config:
+ metadata_backend: swh-search
+ swh_extra_django_apps:
+ - swh.web.add_forge_now
+ - swh.web.archive_coverage
+ - swh.web.badges
+ - swh.web.banners
+ - swh.web.deposit
+ - swh.web.inbound_email
+ - swh.web.jslicenses
+ - swh.web.mailmap
+ - swh.web.metrics
+ - swh.web.save_code_now
+ - swh.web.save_origin_webhooks
+ - swh.web.vault
+---
# Source: swh/templates/alter/deployment.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: alter-recovery-bundles-pvc
namespace: swh
spec:
storageClassName: cephfs
accessModes:
- ReadWriteMany
@@ -8996,20 +9144,41 @@
app: web-archive
ports:
- port: 5004
targetPort: 5004
name: rpc
- port: 80
targetPort: 80
name: webstatic
---
+# Source: swh/templates/web/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: web-webhooks
+ namespace: swh
+ labels:
+ app: web-webhooks
+spec:
+ type: ClusterIP
+ selector:
+ app: web-webhooks
+ ports:
+ - port: 5004
+ targetPort: 5004
+ name: rpc
+
+ - port: 80
+ targetPort: 80
+ name: webstatic
+---
# Source: swh/templates/alter/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: alter
name: alter
namespace: swh
spec:
replicas: 1
@@ -25459,20 +25628,281 @@
items:
- key: "config.yml.template"
path: "config.yml.template"
- name: static
emptyDir: {}
- name: config-utils
configMap:
name: config-utils
defaultMode: 0555
---
+# Source: swh/templates/web/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: swh
+ name: web-webhooks
+ labels:
+ app: web-webhooks
+spec:
+ revisionHistoryLimit: 2
+ selector:
+ matchLabels:
+ app: web-webhooks
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ template:
+ metadata:
+ labels:
+ app: web-webhooks
+ annotations:
+ checksum/config: 18507c7556a59eba244275998dc690153d18aa2f5cab2cb21bb5f30adcee7abe
+ checksum/config-utils: d75ca13b805bce6a8ab59c8e24c938f2283108f6a79134f6e71db86308651dc6
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: swh/web
+ operator: In
+ values:
+ - "true"
+ priorityClassName: swh-frontend-rpc
+
+ initContainers:
+ - name: prepare-configuration
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/utils:20231211.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - /entrypoints/prepare-configuration.sh
+ env:
+ - name: SWH_SENTRY_DSN
+ valueFrom:
+ secretKeyRef:
+ name: common-secrets
+ key: web-sentry-dsn
+ # 'name' secret should exist & include key
+ # if the setting doesn't exist, sentry pushes will be disabled
+ optional: false
+ - name: DEPOSIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: deposit-secrets
+ optional: false
+ - name: DEPOSIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: deposit-secrets
+ optional: false
+ - name: DJANGO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_1
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-1
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_2
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-2
+ name: swh-webapp-django-secret
+ optional: false
+ - name: GITLAB_AFN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: gitlab_afn_token
+ name: common-secrets
+ optional: false
+ - name: GIVE_PRIVATE_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: private-token
+ name: web-give-secrets
+ optional: false
+ - name: GIVE_PUBLIC_KEY
+ valueFrom:
+ secretKeyRef:
+ key: public-key
+ name: web-give-secrets
+ optional: false
+ - name: INBOUND_EMAIL_SHARED_KEY
+ valueFrom:
+ secretKeyRef:
+ key: web-inbound-email-shared-key
+ name: common-secrets
+ optional: false
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: postgres-swh-web-password
+ name: swh-postgresql-web-secrets
+ optional: false
+ - name: WEBHOOKS_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: webhooks-secret
+ name: common-secrets
+ optional: false
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+ - name: configuration-template
+ mountPath: /etc/swh/configuration-template
+ - name: config-utils
+ mountPath: /entrypoints
+ readOnly: true
+ - name: do-migration
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20240806.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: SWH_CONFIG_FILENAME
+ value: /etc/swh/config.yml
+ command:
+ - django-admin
+ args:
+ - migrate
+ - --settings=swh.web.settings.production
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+
+ - name: prepare-static
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20240806.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - cp -r $PWD/.local/share/swh/web/static/ /usr/share/swh/web/static/
+ volumeMounts:
+ - name: static
+ mountPath: /usr/share/swh/web/static
+ containers:
+ - name: web-webhooks
+ resources:
+ requests:
+ memory: 6Gi
+ cpu: 500m
+ image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20240806.1
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 5004
+ name: webapp
+ readinessProbe:
+ httpGet:
+ path: /
+ port: webapp
+ httpHeaders:
+ - name: Host
+ value: archive.softwareheritage.org
+ initialDelaySeconds: 5
+ failureThreshold: 30
+ periodSeconds: 10
+ timeoutSeconds: 30
+ livenessProbe:
+ tcpSocket:
+ port: webapp
+ initialDelaySeconds: 3
+ periodSeconds: 10
+ timeoutSeconds: 30
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - /opt/swh/entrypoint.sh
+ env:
+ - name: WORKERS
+ value: "4"
+ - name: THREADS
+ value: "2"
+ - name: TIMEOUT
+ value: "3600"
+ - name: STATSD_HOST
+ value: prometheus-statsd-exporter
+ - name: STATSD_PORT
+ value: "9125"
+ - name: STATSD_TAGS
+ value: deployment:web-webhooks
+ - name: SWH_LOG_LEVEL
+ value: "INFO"
+ - name: SWH_CONFIG_FILENAME
+ value: /etc/swh/config.yml
+ - name: SWH_SENTRY_ENVIRONMENT
+ value: production
+ - name: SWH_MAIN_PACKAGE
+ value: swh.web
+ - name: SWH_SENTRY_DSN
+ valueFrom:
+ secretKeyRef:
+ name: common-secrets
+ key: web-sentry-dsn
+ # 'name' secret should exist & include key
+ # if the setting doesn't exist, sentry pushes will be disabled
+ optional: true
+ - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+ value: "true"
+ volumeMounts:
+ - name: configuration
+ mountPath: /etc/swh
+ readOnly: true
+ - name: nginx
+ resources:
+ requests:
+ memory: 50Mi
+ cpu: 10m
+ image: nginx:bullseye
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
+ name: webstatic
+ readinessProbe:
+ httpGet:
+ path: static/robots.txt
+ port: webstatic
+ initialDelaySeconds: 5
+ failureThreshold: 30
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: static/robots.txt
+ port: webstatic
+ initialDelaySeconds: 3
+ periodSeconds: 10
+ volumeMounts:
+ - name: static
+ mountPath: /usr/share/nginx/html
+ volumes:
+ - name: configuration
+ emptyDir: {}
+ - name: configuration-template
+ configMap:
+ name: web-webhooks-configuration-template
+ items:
+ - key: "config.yml.template"
+ path: "config.yml.template"
+ - name: static
+ emptyDir: {}
+ - name: config-utils
+ configMap:
+ name: config-utils
+ defaultMode: 0555
+---
# Source: swh/templates/indexer-storage/autoscaling.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
namespace: swh
name: indexer-storage-read-only
labels:
app: indexer-storage-read-only
spec:
scaleTargetRef:
@@ -25574,20 +26004,43 @@
minReplicas: 8
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 100
---
+# Source: swh/templates/web/autoscaling.yaml
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ namespace: swh
+ name: web-webhooks
+ labels:
+ app: web-webhooks
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: web-webhooks
+ minReplicas: 4
+ maxReplicas: 8
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 100
+---
# Source: swh/templates/counters/refresh-counters-cache-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
name: counters-refresh-counters-cache-cronjob
spec:
# By default, every 4h
schedule: "0 */1 * * *"
concurrencyPolicy: Forbid
jobTemplate:
@@ -27727,84 +28180,60 @@
service:
name: web-archive
port:
number: 80
---
# Source: swh/templates/web/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh
- name: web-archive-ingress-webhooks
+ name: web-webhooks-ingress-webhooks
labels:
- app: web-archive
+ app: web-webhooks
endpoint-definition: webhooks
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/limit-connections: "10"
nginx.ingress.kubernetes.io/service-upstream: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 128.93.166.2/32,192.168.100.0/24
spec:
rules:
- host: archive.softwareheritage.org
http:
paths:
- path: /save/origin/visit/webhook
pathType: Prefix
backend:
service:
- name: web-archive
- port:
- number: 5004
-
- - host: base.softwareheritage.org
- http:
- paths:
- - path: /save/origin/visit/webhook
- pathType: Prefix
- backend:
- service:
- name: web-archive
+ name: web-webhooks
port:
number: 5004
- host: archive.internal.softwareheritage.org
http:
paths:
- path: /save/origin/visit/webhook
pathType: Prefix
backend:
service:
- name: web-archive
- port:
- number: 5004
-
- - host: archive-dynamic.internal.softwareheritage.org
- http:
- paths:
- - path: /save/origin/visit/webhook
- pathType: Prefix
- backend:
- service:
- name: web-archive
+ name: web-webhooks
port:
number: 5004
tls:
- hosts:
- archive.softwareheritage.org
- - base.softwareheritage.org
- archive.internal.softwareheritage.org
- - archive-dynamic.internal.softwareheritage.org
secretName: swh-web-archive-crt
---
# Source: swh/templates/cookers/deployment.yaml
# Set useJsonLogger to false to let the logs be plain text
---
# Source: swh/templates/listers/deployment.yaml
# Set useJsonLogger to false to let the logs be plain text
---
# Source: swh/templates/loaders/deployment.yaml
# if defined at the "typed" loader level
@@ -30791,20 +31220,39 @@
port: rpc
interval: 300s
scrapeTimeout: 60s
selector:
matchLabels:
app: web-archive
namespaceSelector:
matchNames:
- swh
---
+# Source: swh/templates/web/monitoring.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: web-webhooks-metrics
+ namespace: swh
+spec:
+ endpoints:
+ - path: /metrics/prometheus/
+ port: rpc
+ interval: 300s
+ scrapeTimeout: 60s
+ selector:
+ matchLabels:
+ app: web-webhooks
+ namespaceSelector:
+ matchNames:
+ - swh
+---
# Source: swh/templates/checker-deposit/keda-autoscaling.yaml
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
name: amqp-authentication-checker-deposit
namespace: swh
spec:
secretTargetRef:
- parameter: host # "host" is required by the scalerObject trigger metadata
name: common-secrets
------------- diff for environment production namespace swh-cassandra -------------
No differences
I've removed unnecessary host names from the new ingress.