Merge branch 'main' into 2025/add/chatVendorService

Author: mrnicegyu11

.github/PULL_REQUEST_TEMPLATE.md

@@ -19,10 +19,11 @@
 - [ ] Service is restartable
 - [ ] Service restart is zero-downtime
 - [ ] Service has >1 replicas in PROD
-- [ ] Service has docker heathlcheck enabled
+- [ ] Service has docker healthcheck enabled
 - [ ] Service is monitored (via prometheus and grafana)
 - [ ] Service is not bound to one specific node (e.g. via files or volumes)
 - [ ] Relevant OPS E2E Test are added
+- [ ] Grafana dashboards updated accordingly
 
 If exposed via traefik
 - [ ] Service's Public URL is included in maintenance mode

charts/Makefile

@@ -50,9 +50,12 @@ helmfile-sync: .check-helmfile-installed helmfile.yaml ## Syncs the helmfile con
 	fi
 
 .PHONY: configure-local-hosts
-configure-local-hosts: ## Adds local hosts entries for the machine
-	@echo "Adding $(MACHINE_FQDN) hosts to /etc/hosts ..."
-	@grep -q '127.0.0.1 k8s.monitoring.$(MACHINE_FQDN)' /etc/hosts || echo '127.0.0.1 k8s.monitoring.$(MACHINE_FQDN)' | sudo tee -a /etc/hosts
+configure-local-hosts: $(REPO_CONFIG_LOCATION) ## Adds local hosts entries for the machine
+	# "Updating /etc/hosts with k8s $(MACHINE_FQDN) hosts ..."
+	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
+	grep -q "127.0.0.1 $$K8S_MONITORING_FQDN" /etc/hosts || echo "127.0.0.1 $$K8S_MONITORING_FQDN" | sudo tee -a /etc/hosts
+	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
+	grep -q "127.0.0.1 $$K8S_PRIVATE_FQDN" /etc/hosts || echo "127.0.0.1 $$K8S_PRIVATE_FQDN" | sudo tee -a /etc/hosts
 
 .PHONY: helmfile-diff
 helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences that would be applied by helmfile

services/simcore/docker-compose.yml.j2

@@ -337,6 +337,34 @@ services:
           cpus: "1.0"
           memory: "512M"
 
+  wb-auth:
+    networks:
+      - monitored  # traces
+      - public  # public service use auth
+    deploy:
+      replicas: ${WB_AUTH_REPLICAS}
+      update_config:
+        parallelism: 2
+        order: start-first
+        failure_action: rollback
+        delay: 10s
+      restart_policy:
+        condition: any
+        delay: 5s
+        max_attempts: 3
+        window: 120s
+      placement:
+        constraints:
+          - node.labels.simcore==true
+      resources:
+        reservations:
+          cpus: "0.1"
+          memory: "256M"
+        limits:
+          cpus: "1"
+          memory: "1G"
+      # healthcheck: defined in image
+
   storage:
     environment:
       - S3_ENDPOINT=${S3_ENDPOINT}

services/traefik/docker-compose.yml.j2

@@ -131,7 +131,7 @@ services:
         - traefik.http.middlewares.ops_ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=1
         # Platform user auth: Use this middleware to enforce only authenticated users
         # https://doc.traefik.io/traefik/middlewares/http/forwardauth
-        - traefik.http.middlewares.authenticated_platform_user.forwardauth.address=http://${WEBSERVER_HOST}:${WEBSERVER_PORT}/v0/auth:check
+        - traefik.http.middlewares.authenticated_platform_user.forwardauth.address=http://${WB_AUTH_WEBSERVER_HOST}:${WB_AUTH_WEBSERVER_PORT}/v0/auth:check
         - traefik.http.middlewares.authenticated_platform_user.forwardauth.trustForwardHeader=true
         - traefik.http.middlewares.authenticated_platform_user.forwardauth.authResponseHeaders=Set-Cookie,osparc-sc2
         #

services/traefik/template.env

@@ -34,8 +34,8 @@ DEPLOYMENT_FQDNS_WWW_CAPTURE_TRAEFIK_RULE='${DEPLOYMENT_FQDNS_WWW_CAPTURE_TRAEFI
 PUBLIC_NETWORK=${PUBLIC_NETWORK}
 MONITORED_NETWORK=${MONITORED_NETWORK}
 
-WEBSERVER_HOST=${WEBSERVER_HOST}
-WEBSERVER_PORT=${WEBSERVER_PORT}
+WB_AUTH_WEBSERVER_HOST=${WB_AUTH_WEBSERVER_HOST}
+WB_AUTH_WEBSERVER_PORT=${WB_AUTH_WEBSERVER_PORT}
 
 TRAEFIK_DOMAINS_REDIRECT_FROM=${TRAEFIK_DOMAINS_REDIRECT_FROM}
 TRAEFIK_DOMAINS_REDIRECT_TO=${TRAEFIK_DOMAINS_REDIRECT_TO}