Add docs for creating Helm resources

Author: Ware, Joseph (DLSLtd,RAL,LSCI)

docs/how-to/coverage.md

@@ -1,4 +1,3 @@
-
 # How to check code coverage
 
 Code coverage is reported to the command line and to a `cov.xml` file by the command `tox -e tests`. The file is uploaded to the Codecov service in CI.

docs/how-to/deploy-cluster.md

@@ -0,0 +1,166 @@
+# How to deploy containers to Kubernetes cluster
+
+If your project is a service with a `Dockerfile`, you may wish to deploy it in a Kubernetes cluster.
+
+## Creating a Helm chart
+
+Helm bundles multiple Kubernetes resources into a single top level resource, `Chart`, and templates resources to inject specified `values`.
+
+```
+    service/
+    ├── Chart.yaml    # Definition of the resource
+    ├── values.yaml   # Defaults for templating
+    ├── charts/       # [Optionally] other charts to deploy with
+    └── templates/    # Templated Kubernetes resources
+```
+
+`templates/` may include at least:
+- `deployment.yaml`: creates a pod including your container image
+- `service.yaml`: manages Kubernetes networking, potentially exposing your service
+- `ingress.yaml`:  optionally maps a DNS entry to the Kubernetes networking
+
+Using `helm create` ensures your service is using the latest standards, therefore Helm resources are not included in this template.
+To avoid collisions and to maintain a neat repository, it is recommended to run `helm create <service name>` inside a directory named `helm/` in the root of your repository.
+
+Assuming your container is published to the GitHub container registry, modify your `values.yaml` to deploy your built container.
+
+```yaml
+image:
+  repository: ghcr.io/<organisation>/<service>
+  pullPolicy: Always
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+```
+
+The container will use the `ENTRYPOINT` and `CMD` defined in your `Dockerfile`.
+
+It is recommended to preserve all of the templates within `templates/`: resources you do not need can be disabled from `values.yaml` while maintaining the ability to deploy or extend the chart.
+
+## Building Helm chart on every release
+
+> ⚠️ **Helm charts require a valid semantic versioning ("semver") version, the following requires that your releases/tags are valid semver.**
+
+If your service is hosted on GitHub, adding the following (with <service> replaced appropriately) to the end of the `_container.yml` workflow will publish the Helm chart as an OCI container image when a new tag or release is added to the default branch of the repository, if the container was built successfully.
+
+```yaml
+      - name: Install Helm
+        uses: Azure/setup-helm@v4
+        id: install
+
+      - name: Log in to GitHub Container Registry
+        if: github.ref_type == 'tag'
+        run: |
+          echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io/${{ github.repository }} --username ${{ github.repository_owner }} --password-stdin
+
+      - name: package chart and push it
+        if: github.ref_type == 'tag'
+        run: |
+          helm dependencies update helm/<service>
+          helm package helm/<service> --version ${{ steps.meta.outputs.version }} --app-version ${{ steps.meta.outputs.version }} -d /tmp/
+          helm push /tmp/<service>-${{ steps.meta.outputs.version }}.tgz oci://ghcr.io/<organisation>/charts
+```
+
+## Enabling container debugging
+
+The generated `Dockerfile` installs debugpy and with a few modifications can enable remote debugging of a service deployed inside a cluster.
+
+Adding the following to your `values.yaml` gives a standard way of enabling/disabling debugging and documenting the configuration.
+
+```yaml
+# Use `kubectl port forward` to access from your machine
+debug:
+  # Whether the container should start in debug mode
+  enabled: false
+  # Whether to suspend the process until a debugger connects
+  suspend: false
+  # Port to listen for the debugger on
+  port: 5678
+```
+
+The `ENTRYPOINT` and `CMD` concepts in the Dockerfile are analogous to Kubernetes' `command` and `args`.
+If `command` is set, it overrides `ENTRYPOINT` and uses `args` if set, ignoring `CMD`.
+If `args` is set, `ENTRYPOINT` remains and `CMD` is replaced.
+
+Assuming your `Dockerfile` contains the following, or analogous:
+
+```Dockerfile
+ENTRYPOINT ["python"]
+CMD ["-m", "service", "--version"]
+```
+
+Modifying `deployment.yaml` in the following way allows for your service to enable debugging via the configuration added to `values.yaml`.
+
+```yaml
+      containers:
+        - ...
+          args:
+          {{- if .Values.debug.enabled}}
+          - "-Xfrozen_modules=off"
+          - "-m"
+          - "debugpy"
+          {{- if .Values.debug.suspend }}
+          - "--wait-for-client"
+          {{- end }}
+          - "--listen"
+          - "0.0.0.0:{{ .Values.debug.port }}"
+          {{- end }}
+          - "-m"
+          - "service"
+          - "--version"
+```
+
+## Connecting to debug mode container
+
+`kubectl port forward` forwards your development machine's port 5678 to the container's:
+
+```sh
+$ kubectl get pods
+NAME      READY   STATUS    RESTARTS     AGE
+service   1/1     Running   0 (1h ago)   1h
+$ kubectl port forward pod/service 5678:5678
+Forwarding from 127.0.0.1:5678 -> 5678
+```
+
+Check out the version of your service that was built into the container and configure your IDE to attach to a remote debugpy process:
+
+The following is a launch configuration from VSCode `launch.json`.
+`"remoteRoot"` should match for the version of Python your `Dockerfile` is built from and use your service's name.
+`"justMyCode": False` was found to be required for breakpoints to be active.
+`"autoReload"` Configured hot swapping of code from your developer machine to the deployed instance.
+
+> ⚠️ **Changes made by autoReload are not preserved.** Code changes made while debugging or resolving an issue should be committed, pushed and built into a new container as soon as possible.
+
+
+```json
+{
+  "name": "Python Debugger: Remote Attach",
+  "type": "debugpy",
+  "request": "attach",
+  "connect": {
+    "host": "localhost",
+    "port": 5678
+  },
+  "pathMappings": [
+    {
+      "localRoot": "${workspaceFolder}/src",
+      "remoteRoot": "/venv/lib/<Python version>/site-packages/<service>"
+    }
+  ],
+  "justMyCode": false,
+  "autoReload": {
+    "enable": true,
+    "exclude": [
+      "**/.git/**",
+      "**/__pycache__/**",
+      "**/node_modules/**",
+      "**/.metadata/**",
+      "**/site-packages/**"
+    ],
+    "include": [
+      "**/*.py",
+      "**/*.pyw"
+    ]
+  }
+}
+```
+

template/Dockerfile.jinja

@@ -26,7 +26,7 @@ COPY --from=build /venv/ /venv/
 ENV PATH=/venv/bin:$PATH
 
 # change CMD if it is not the same as the repo
-ENTRYPOINT ["python" "-m"]
+ENTRYPOINT ["python"]
 # Allows for modifying the ENTRYPOINT for debugging, e.g.
-#ENTRYPOINT ["python", "-m", "debugpy", "-m"]
-CMD ["{{ repo_name }}", "--version"]{% endif %}
+#ENTRYPOINT ["python", "-m", "debugpy"]
+CMD ["-m", "{{ repo_name }}", "--version"]{% endif %}