Add pigeon chart

Author: mfraezz

osf-pigeon/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: osf-pigeon
+version: 0.0.1
+sources:
+  - https://github.com/CenterForOpenScience/osf-pigeon/
+maintainers:
+  - name: Matt Frazier
+    email: matt@cos.io
+    url: https://github.com/mfraezz
+  - name: Matt Clark
+    email: mattclark@cos.io
+    url: https://github.com/mattclark
+engine: gotpl
+tillerVersion: '>=2.7.0'

osf-pigeon/files/robots.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

osf-pigeon/templates/NOTES.txt

@@ -0,0 +1,17 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.hostname }}
+  http://{{- .Values.ingress.hostname }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "osf-pigeon.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get svc -w {{ template "osf-pigeon.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "osf-pigeon.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
+{{- else if contains "ClusterIP"  .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "osf-pigeon.fullname" . }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl port-forward $POD_NAME 8080:{{ .Values.service.externalPort }}
+{{- end }}

osf-pigeon/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "osf-pigeon.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "osf-pigeon.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified certificate name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "osf-pigeon.certificate.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.certificate.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Overridable deployment annotations
+*/}}
+{{- define "osf-pigeon.deploymentAnnotations" -}}
+checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+{{- end -}}
+
+{{- define "osf-pigeon.environment" -}}
+{{- $fullname := include "osf-pigeon.fullname" . -}}
+{{- range $key, $value := .Values.configEnvs }}
+- name: {{ $key }}
+  valueFrom:
+    configMapKeyRef:
+      name: {{ $fullname }}
+      key: {{ $key }}
+{{- end }}
+{{- range $key, $value := .Values.secretEnvs }}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $fullname }}
+      key: {{ $key }}
+{{- end }}
+{{- end -}}

osf-pigeon/templates/certificate-networkpolicy.yaml

@@ -0,0 +1,21 @@
+{{- if (and .Values.networkPolicy.enabled .Values.certificate.enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: "{{ template "osf-pigeon.certificate.fullname" . }}"
+  labels:
+    app: {{ template "osf-pigeon.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    component: "{{ .Values.certificate.name }}"
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  policyTypes:
+  - Ingress
+  podSelector:
+    matchExpressions:
+    - {key: certmanager.k8s.io/acme-http-domain, operator: Exists}
+    - {key: certmanager.k8s.io/acme-http-token, operator: Exists}
+  ingress:
+  - from: []
+{{- end }}

osf-pigeon/templates/certificate.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.certificate.enabled -}}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: "{{ template "osf-pigeon.certificate.fullname" . }}"
+  labels:
+    app: {{ template "osf-pigeon.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    component: "{{ .Values.certificate.name }}"
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: "{{ template "osf-pigeon.certificate.fullname" . }}"
+  issuerRef:
+    name: {{ .Values.certificate.issuerRef.name }}
+    kind: {{ .Values.certificate.issuerRef.kind }}
+  commonName: {{ .Values.certificate.commonName }}
+  dnsNames:
+    {{- range .Values.certificate.dnsNames }}
+    - {{ . }}
+    {{- end }}
+  acme:
+    config:
+      - http01:
+          {{- if hasKey .Values.certificate.acmeConfig.http01 "ingress" }}
+          ingress: {{ .Values.certificate.acmeConfig.http01.ingress }}
+          {{- else }}
+          ingress: {{ template "osf-pigeon.fullname" . }}
+          {{- end }}
+        domains:
+          {{- range .Values.certificate.acmeConfig.domains }}
+          - {{ . }}
+          {{- end }}
+{{- end -}}

osf-pigeon/templates/configmap.yaml

@@ -0,0 +1,137 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "osf-pigeon.fullname" . }}
+  labels:
+    app: {{ template "osf-pigeon.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+data:
+  {{- define "osf-pigeon.inlineconfigs" }}
+nginx.conf: |-
+  user  nginx;
+  worker_processes  {{ .Values.nginx.workerCount }};
+
+  load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
+  {{- if .Values.nginx.vts.enabled }}
+  load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;
+  load_module /usr/lib/nginx/modules/ngx_http_vhost_traffic_status_module.so;
+  {{- end }}
+
+  error_log  /var/log/nginx/error.log warn;
+  pid        /var/run/nginx.pid;
+
+  events {
+      worker_connections 1024;
+  }
+
+  http {
+      include       /etc/nginx/mime.types;
+      default_type  application/octet-stream;
+
+      log_format main '$remote_addr - $upstream_cache_status $remote_user [$time_local] '
+                      '"$request" $status $body_bytes_sent '
+                      '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
+                      'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
+      access_log  /var/log/nginx/access.log  main;
+
+      real_ip_header {{ .Values.nginx.realIpHeader }};
+      real_ip_recursive {{ .Values.nginx.realIpRecursive }};
+      {{- range .Values.nginx.proxySourceRanges }}
+      set_real_ip_from {{ . }};
+      {{- end }}
+
+      {{- if .Values.nginx.vts.enabled }}
+      geoip_country       /etc/nginx/GeoIP.dat;
+      geoip_city          /etc/nginx/GeoLiteCity.dat;
+      geoip_proxy_recursive on;
+      {{- range .Values.nginx.proxySourceRanges }}
+      geoip_proxy {{ . }};
+      {{- end }}
+
+      vhost_traffic_status_zone shared:vhost_traffic_status:{{ .Values.nginx.vts.statusZoneSize }};
+      vhost_traffic_status_filter_by_set_key {{ .Values.nginx.vts.defaultFilterKey }};
+      {{- end }}
+
+      sendfile on;
+      tcp_nopush on;
+      tcp_nodelay on;
+      keepalive_timeout 620s;
+      keepalive_requests 10000;
+      types_hash_max_size 2048;
+      server_tokens off;
+
+      gzip on;
+      gzip_proxied any;
+      gzip_disable "msie6";
+      gzip_min_length 1400;
+      gzip_vary on;
+      gzip_buffers 4 32k;
+      gzip_types text/plain text/css image/svg+xml application/javascript application/x-javascript text/xml text/javascript application/json application/vnd.api+json;
+
+      brotli on;
+      brotli_types text/plain text/css image/svg+xml application/javascript application/x-javascript text/xml text/javascript application/json application/vnd.api+json;
+
+      {{- if .Values.nginx.vts.enabled }}
+      server {
+          listen {{ .Values.nginx.vts.internalPort }};
+          server_name _;
+
+          location /healthz {
+              access_log off;
+              return 200;
+          }
+
+          location /nginx_status {
+              vhost_traffic_status_display;
+              vhost_traffic_status_display_format html;
+          }
+      }
+      {{- end }}
+
+      server {
+          listen {{ .Values.service.internalPort }};
+          keepalive_timeout 620s;
+          client_max_body_size 25M;
+          server_name _;
+
+          if ($http_x_forwarded_proto = "http") {
+              return 301 https://$host$request_uri;
+          }
+
+          location = /healthz {
+              access_log off;
+              return 200;
+          }
+
+          location = /robots.txt {
+              alias /usr/share/nginx/html/robots.txt;
+          }
+
+          location / {
+              # Disable caching of application requests
+              add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate";
+              add_header Expires "Mon, 01 Jan 1990 00:00:00 GMT";
+              add_header Pragma "no-cache";
+
+              # Mitigate HTTPoxy Vulnerability
+              # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+              proxy_set_header Proxy                  "";
+
+              proxy_buffering off;
+              proxy_request_buffering off;
+              proxy_set_header Host $host;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_pass http://127.0.0.1:{{ .Values.service.externalPort }};
+          }
+      }
+  }
+{{- end -}}
+  {{- range $key, $value := .Values.configEnvs }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- range $key, $value := merge .Values.configFiles (include "osf-pigeon.inlineconfigs" . | fromYaml) ((.Files.Glob "files/*").AsConfig | fromYaml) }}
+  {{ $key }}: |-
+    {{- $value | nindent 4 }}
+  {{- end }}

osf-pigeon/templates/deployment.yaml

@@ -0,0 +1,113 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "osf-pigeon.fullname" . }}
+  labels:
+    app: {{ template "osf-pigeon.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "osf-pigeon.name" . }}
+      release: {{ .Release.Name }}
+  replicas: {{ .Values.replicaCount }}
+  {{- if .Values.strategy }}
+  strategy:
+    {{- toYaml .Values.strategy | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "osf-pigeon.name" . }}
+        release: {{ .Release.Name }}
+      annotations:
+        {{- include "osf-pigeon.deploymentAnnotations" . | nindent 8 }}
+    spec:
+      affinity:
+        {{- if .Values.additionalAffinities }}
+        {{- toYaml .Values.additionalAffinities | nindent 8 }}
+        {{- end }}
+        {{- if eq .Values.antiAffinity "hard" }}
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchLabels:
+                  app: {{ template "osf-pigeon.name" . }}
+                  release: {{ .Release.Name }}
+        {{- else if eq .Values.antiAffinity "soft" }}
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              podAffinityTerm:
+                topologyKey: kubernetes.io/hostname
+                labelSelector:
+                  matchLabels:
+                    app: {{ template "osf-pigeon.name" . }}
+                    release: {{ .Release.Name }}
+        {{- end }}
+      containers:
+        - name: nginx
+          image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
+          imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
+          command:
+            - nginx
+            - -c
+            - /etc/nginx/nginx.conf
+            - -g
+            - daemon off;
+          ports:
+            - name: http-internal
+              containerPort: {{ .Values.service.internalPort }}
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.service.internalPort }}
+            initialDelaySeconds: 10
+          volumeMounts:
+            - name: config
+              subPath: nginx.conf
+              mountPath: /etc/nginx/nginx.conf
+              readOnly: true
+            - name: config
+              subPath: robots.txt
+              mountPath: /usr/share/nginx/html/robots.txt
+              readOnly: true
+          resources:
+            {{- toYaml .Values.nginx.resources | nindent 12 }}
+        - name: sanic
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - python3 -m osf_pigeon
+          env:
+            {{- include "osf-pigeon.environment" . | nindent 12 }}
+          ports:
+            - name: http-external
+              containerPort: {{ .Values.service.externalPort }}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.service.externalPort }}
+          volumeMounts:
+            - name: localcache
+              mountPath: /tmp/pigeonlocalcache
+          resources:
+            {{- toYaml .Values.sanic.resources | nindent 12 }}
+      volumes:
+        - name: localcache
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: {{ template "osf-pigeon.fullname" . }}
+        - name: secret
+          secret:
+            secretName: {{ template "osf-pigeon.fullname" . }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}