Merge remote-tracking branch 'upstream/main'

mrnicegyu11 · mrnicegyu11 · commit dda6e013b542 · 2025-02-04T11:29:58.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,24 +8,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Define python
-        run: echo "PYTHON_VERSION=$(cat .python-version)" >> $GITHUB_ENV
-
-      - name: Install python version
-        uses: gabrielfalcao/pyenv-action@v11
-        with:
-          default: "${{ env.PYTHON_VERSION }}"
-          command: pip install -U pip
+      - name: Set up Python
+        uses: actions/setup-python@v5  # defaults to .python-version
 
       - name: Show python version
         run: python --version
 
-      - name: Install dependencies
-        run: |
-          pip install pre-commit
-          pre-commit install
-
       - name: Run pre-commit
-        run: pre-commit run --all-files
+        uses: pre-commit/action@v3.0.1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -39,7 +39,7 @@ repos:
       - id: pyupgrade
         name: upgrade code
   - repo: https://github.com/hadialqattan/pycln
-    rev: v2.2.2
+    rev: v2.5.0  # https://github.com/hadialqattan/pycln/issues/249
     hooks:
       - id: pycln
         args: [--all, --expand-stars]
diff --git a/scripts/common.Makefile b/scripts/common.Makefile
@@ -207,9 +207,39 @@ clean-default: .check_clean ## Cleans all outputs
 	export DEPLOYMENT_API_DOMAIN_TESTING_CAPTURE_TRAEFIK_RULE='${DEPLOYMENT_API_DOMAIN_TESTING_CAPTURE_TRAEFIK_RULE}'; \
 	export DEPLOYMENT_FQDNS_CAPTURE_INVITATIONS='${DEPLOYMENT_FQDNS_CAPTURE_INVITATIONS}'; \
 	export DOLLAR='$$'; \
+	$(if $(STACK_NAME),export STACK_NAME='$(STACK_NAME)';) \
 	set +o allexport; \
 	envsubst < $< > .env
 
+ifdef STACK_NAME
+
+.PHONY: prune-docker-stack-configs-default
+prune-docker-stack-configs-default: ## Clean all unused stack configs
+	@# Since the introduction of rolling docker config updates old
+	@# [docker config] versions are kept. This target removes them
+	@# https://github.com/docker/cli/issues/203
+	@#
+	@# This should be run before stack update in order to
+	@# keep previous config version for potential rollback
+	@#
+	@# This will not clean "external" configs. To achieve this extend
+	@# this target in related Makefiles.
+	@#
+	@# Long live Kubernetes ConfigMaps!
+
+	@for id in $$(docker config ls --filter "label=com.docker.stack.namespace=${STACK_NAME}" --format '{{.ID}}'); do \
+	    docker config rm "$$id" >/dev/null 2>&1 || true; \
+	done
+
+.PHONY: prune-docker-stack-secrets-default
+prune-docker-stack-secrets-default: ## Clean all unused stack secrets
+	@# Same as for configs
+
+	@for id in $$(docker secret ls --filter "label=com.docker.stack.namespace=${STACK_NAME}" --format '{{.ID}}'); do \
+	    docker secret rm "$$id" >/dev/null 2>&1 || true; \
+	done
+
+endif
 
 # Helpers -------------------------------------------------
 .PHONY: .init
@@ -253,13 +283,16 @@ venv: $(REPO_BASE_DIR)/.venv/bin/activate ## Creates a python virtual environmen
 ifeq ($(shell test -f j2cli_customization.py && echo -n yes),yes)
 
 define jinja
-	$(REPO_BASE_DIR)/.venv/bin/j2 --format=env $(1) $(2) -o $(3) --customize j2cli_customization.py
+	$(REPO_BASE_DIR)/.venv/bin/j2 --format=env $(1) $(2) -o $(3) \
+	--filters $(REPO_BASE_DIR)/scripts/j2cli_global_filters.py \
+	--customize j2cli_customization.py
 endef
 
 else
 
 define jinja
-	$(REPO_BASE_DIR)/.venv/bin/j2 --format=env $(1) $(2) -o $(3)
+	$(REPO_BASE_DIR)/.venv/bin/j2 --format=env $(1) $(2) -o $(3) \
+	--filters $(REPO_BASE_DIR)/scripts/j2cli_global_filters.py
 endef
 
 endif
diff --git a/scripts/j2cli_global_filters.py b/scripts/j2cli_global_filters.py
@@ -0,0 +1,19 @@
+def sha256file(filepath):
+    import hashlib
+
+    _hash = hashlib.sha256()
+
+    # https://stackoverflow.com/a/22058673/12124525
+    with open(filepath, "rb") as f:
+        while True:
+            data = f.read(65536)
+            if not data:
+                break
+
+            _hash.update(data)
+
+    return _hash.hexdigest()
+
+
+def substring(value, start, end):
+    return value[start:end]
diff --git a/services/admin-panels/docker-compose.yml.j2 b/services/admin-panels/docker-compose.yml.j2
@@ -89,7 +89,6 @@ services:
         - traefik.http.services.adminpanels.loadbalancer.server.port=8888
         - traefik.http.routers.adminpanels.rule=Host(`${ADMINPANELS_DOMAIN}`)
         - traefik.http.routers.adminpanels.entrypoints=https
-        - traefik.http.routers.adminpanels.priority=1
         - traefik.http.routers.adminpanels.tls=true
         - traefik.http.routers.adminpanels.middlewares=ops_whitelist_ips@swarm, ops_gzip@swarm
       placement:
diff --git a/services/appmotion_gateway/.gitignore b/services/appmotion_gateway/.gitignore
@@ -1,2 +1,2 @@
-!docker-compose.yml
+docker-compose.yml
 *.secret
diff --git a/services/appmotion_gateway/Makefile b/services/appmotion_gateway/Makefile
@@ -1,30 +1,37 @@
 .DEFAULT_GOAL := help
 
-
-
 # Internal VARIABLES ------------------------------------------------
 # STACK_NAME defaults to name of the current directory. Should not to be changed if you follow GitOps operating procedures.
 STACK_NAME = $(notdir $(shell pwd))
 TEMP_COMPOSE=.stack.${STACK_NAME}.yaml
 REPO_BASE_DIR := $(shell git rev-parse --show-toplevel)
 
+DOCKER_STACK_DEPLOY_COMMON_DEPENDENCIES = .api_env.secret \
+										  prune-docker-stack-configs  \
+										  prune-docker-stack-secrets
+
 # TARGETS --------------------------------------------------
 include ${REPO_BASE_DIR}/scripts/common.Makefile
 
 .PHONY: up-aws ## Deploys stack on aws
-up-aws: .init .env ${TEMP_COMPOSE}-aws .api_env.secret
+up-aws: .init .env ${TEMP_COMPOSE}-aws ${DOCKER_STACK_DEPLOY_COMMON_DEPENDENCIES}
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-aws ${STACK_NAME}
 
 .PHONY: up-master ## Deploys stack on master
-up-master: .init .env ${TEMP_COMPOSE}-master .api_env.secret
+up-master: .init .env ${TEMP_COMPOSE}-master ${DOCKER_STACK_DEPLOY_COMMON_DEPENDENCIES}
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-master ${STACK_NAME}
 
 .PHONY: up-local ## Deploys stack on local
-up-local: .init .env ${TEMP_COMPOSE}-local .api_env.secret
+up-local: .init .env ${TEMP_COMPOSE}-local ${DOCKER_STACK_DEPLOY_COMMON_DEPENDENCIES}
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-local ${STACK_NAME}
 
 # Helpers -------------------------------------------------
 
+docker-compose.yml: .env .api_env.secret
+	@$(call jinja, docker-compose.yml.j2, .env, docker-compose.yml.unlinted) && \
+	$(_yq) docker-compose.yml.unlinted > docker-compose.yml; \
+	rm docker-compose.yml.unlinted >/dev/null 2>&1;
+
 .PHONY: ${TEMP_COMPOSE}-aws
 ${TEMP_COMPOSE}-aws: docker-compose.yml docker-compose.aws.yml
 	@${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.aws.yml > $@
@@ -37,6 +44,5 @@ ${TEMP_COMPOSE}-master: docker-compose.yml docker-compose.master.yml
 ${TEMP_COMPOSE}-local: docker-compose.yml docker-compose.local.yml
 	@${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.local.yml > $@
 
-
 .api_env.secret: .env template.api_env ## resolves '.api_env.secret' using '.env'
 	@set -o allexport; source $<; set +o allexport; envsubst < $(word 2,$^) > $@
diff --git a/services/appmotion_gateway/docker-compose.yml.j2 b/services/appmotion_gateway/docker-compose.yml.j2
@@ -103,6 +103,7 @@ configs:
     # SEE https://docs.docker.com/compose/compose-file/05-services/#configs
     api_env_config:
         file: ./.api_env.secret
+        name: ${STACK_NAME}_api_env_config_{{ "./.api_env.secret" | sha256file | substring(0,10) }} # rolling update on content change
 
 volumes:
     # SEE https://docs.docker.com/compose/compose-file/07-volumes/
diff --git a/services/appmotion_gateway/template.env b/services/appmotion_gateway/template.env
@@ -20,5 +20,5 @@ DEPLOYMENT_FQDNS_APPMOTION_CAPTURE_TRAEFIK_RULE='${DEPLOYMENT_FQDNS_APPMOTION_CA
 APPMOTION_NETWORK=${APPMOTION_NETWORK}
 MONITORING_DOMAIN=${MONITORING_DOMAIN}
 PUBLIC_NETWORK=${PUBLIC_NETWORK}
-SWARM_STACK_NAME=${SWARM_STACK_NAME}
+STACK_NAME=${STACK_NAME}
 MACHINE_FQDN=${MACHINE_FQDN}
diff --git a/services/filestash/Makefile b/services/filestash/Makefile
@@ -24,50 +24,39 @@ up-letsencrypt-dns: .init .env filestash_config.json ${TEMP_COMPOSE}-letsencrypt
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-letsencrypt-dns ${STACK_NAME}
 
 .PHONY: up-dalco ## Deploys stack for Dalco Cluster
-up-dalco: .init .env filestash_config.json ${TEMP_COMPOSE}-dalco
-	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-dalco ${STACK_NAME}
+up-dalco: up
 
 .PHONY: up-aws ## Deploys stack on aws
 up-aws: .init .env ${TEMP_COMPOSE}-aws filestash_config.json ## Deploys stack in aws
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-aws ${STACK_NAME}
 
 .PHONY: up-master ## Deploys stack for master Cluster
-up-master: .init .env filestash_config.json ${TEMP_COMPOSE}-master
-	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-master ${STACK_NAME}
+up-master: up
 
 .PHONY: up-public ## Deploys stack on public
-up-public: up-dalco
+up-public: up
 
 .PHONY: up-local ## Deploys stack on local deployment
 up-local: up
 
 # Helpers -------------------------------------------------
 
 .PHONY: ${TEMP_COMPOSE}
-${TEMP_COMPOSE}: docker-compose.yml
+${TEMP_COMPOSE}: docker-compose.yml .env
 	@${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< > $@
 
 .PHONY: ${TEMP_COMPOSE}-letsencrypt-http
-${TEMP_COMPOSE}-letsencrypt-http: docker-compose.yml docker-compose.letsencrypt.http.yml
+${TEMP_COMPOSE}-letsencrypt-http: docker-compose.yml docker-compose.letsencrypt.http.yml .env
 	@${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.letsencrypt.http.yml  > $@
 
 .PHONY: ${TEMP_COMPOSE}-letsencrypt-dns
-${TEMP_COMPOSE}-letsencrypt-dns: docker-compose.yml docker-compose.letsencrypt.dns.yml
+${TEMP_COMPOSE}-letsencrypt-dns: docker-compose.yml docker-compose.letsencrypt.dns.yml .env
 	@${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.letsencrypt.dns.yml  > $@
 
-.PHONY: ${TEMP_COMPOSE}-dalco
-${TEMP_COMPOSE}-dalco: docker-compose.yml docker-compose.dalco.yml
-	@${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.dalco.yml  > $@
-
-.PHONY: ${TEMP_COMPOSE}-master
-${TEMP_COMPOSE}-master: docker-compose.yml docker-compose.master.yml
-	@${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.master.yml  > $@
-
 .PHONY: ${TEMP_COMPOSE}-aws
-${TEMP_COMPOSE}-aws: docker-compose.yml docker-compose.aws.yml
+${TEMP_COMPOSE}-aws: docker-compose.yml docker-compose.aws.yml .env
 	@${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.aws.yml > $@
 
-
 filestash_config.json: .env
 	@set -o allexport; \
 	source $(REPO_CONFIG_LOCATION); \
diff --git a/services/filestash/docker-compose.aws.yml b/services/filestash/docker-compose.aws.yml
@@ -3,7 +3,3 @@ services:
   filestash:
     dns: # Add this always for AWS, otherwise we get "No such image: " for docker services
       8.8.8.8
-    deploy:
-      placement:
-        constraints:
-          - node.labels.filestash==true
diff --git a/services/filestash/docker-compose.dalco.yml b/services/filestash/docker-compose.dalco.yml
diff --git a/services/filestash/docker-compose.master.yml b/services/filestash/docker-compose.master.yml
diff --git a/services/filestash/docker-compose.yml b/services/filestash/docker-compose.yml
@@ -26,6 +26,9 @@ services:
         reservations:
           memory: 32M
           cpus: "0.1"
+      placement:
+        constraints:
+          - node.labels.ops==true
   onlyoffice:
     image: onlyoffice/documentserver:7.4.0
     networks:
diff --git a/services/registry/docker-compose.yml.j2 b/services/registry/docker-compose.yml.j2
@@ -54,7 +54,6 @@ services:
         - traefik.http.routers.registry.rule=Host(`${REGISTRY_DOMAIN}`)
         - traefik.http.routers.registry.entrypoints=https
         - traefik.http.routers.registry.tls=true
-        - traefik.http.routers.registry.priority=10
         - traefik.http.routers.registry.middlewares=ops_gzip@swarm, ops_auth@swarm
         - prometheus-job=registry
         - prometheus-port=5001
diff --git a/services/simcore/docker-compose.deploy.local.yml b/services/simcore/docker-compose.deploy.local.yml
@@ -63,12 +63,6 @@ services:
   migration:
     deploy:
       replicas: 1
-  rabbit:
-    deploy:
-      replicas: 1
-  redis:
-    deploy:
-      replicas: 1
   traefik:
     command:
       - "--api=true"
diff --git a/services/simcore/docker-compose.yml b/services/simcore/docker-compose.yml
@@ -94,7 +94,7 @@ services:
         - traefik.http.routers.${SWARM_STACK_NAME}_apiserver_swagger.service=${SWARM_STACK_NAME}_api-server
         - traefik.http.routers.${SWARM_STACK_NAME}_apiserver_swagger.rule=PathPrefix(`/dev/`)
         - traefik.http.routers.${SWARM_STACK_NAME}_apiserver_swagger.entrypoints=simcore_api
-        - traefik.http.routers.${SWARM_STACK_NAME}_apiserver_swagger.priority=2
+        - traefik.http.routers.${SWARM_STACK_NAME}_apiserver_swagger.priority=6
       update_config:
         parallelism: 2
         order: start-first
@@ -153,7 +153,7 @@ services:
         - traefik.http.routers.${SWARM_STACK_NAME}_static_webserver_freshping.service=${SWARM_STACK_NAME}_static_webserver_freshping
         - traefik.http.services.${SWARM_STACK_NAME}_static_webserver_freshping.loadbalancer.server.port=8000
         - traefik.http.routers.${SWARM_STACK_NAME}_static_webserver_freshping.entrypoints=http
-        - traefik.http.routers.${SWARM_STACK_NAME}_static_webserver_freshping.priority=10 # High number means high priority
+        - traefik.http.routers.${SWARM_STACK_NAME}_static_webserver_freshping.priority=12 # High number means high priority
         - traefik.http.routers.${SWARM_STACK_NAME}_static_webserver_freshping.middlewares=${SWARM_STACK_NAME}_gzip@swarm,${SWARM_STACK_NAME}_static_webserver_retry,${SWARM_STACK_NAME}_static_webserver_prefix
       update_config:
         parallelism: 2
@@ -229,7 +229,7 @@ services:
         - traefik.http.routers.${SWARM_STACK_NAME}_webserver_swagger.middlewares=${SWARM_STACK_NAME}_gzip@swarm, ${SWARM_STACK_NAME_NO_HYPHEN}_sslheader
         - traefik.http.routers.${SWARM_STACK_NAME}_webserver_swagger.rule=PathPrefix(`/dev/`)
         - traefik.http.routers.${SWARM_STACK_NAME}_webserver_swagger.entrypoints=http
-        - traefik.http.routers.${SWARM_STACK_NAME}_webserver_swagger.priority=2
+        - traefik.http.routers.${SWARM_STACK_NAME}_webserver_swagger.priority=6
         - traefik.http.middlewares.${SWARM_STACK_NAME_NO_HYPHEN}_webserver_swagger_auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD}
         - traefik.http.routers.${SWARM_STACK_NAME}_webserver_swagger.middlewares=${SWARM_STACK_NAME_NO_HYPHEN}_webserver_swagger_auth, ${SWARM_STACK_NAME_NO_HYPHEN}_sslheader
       update_config: &webserver_update_config
@@ -584,6 +584,7 @@ services:
     volumes:
       - rabbit_data:/var/lib/rabbitmq
     deploy:
+      replicas: ${RABBIT_SELF_HOSTED_REPLICAS}
       labels:
         - traefik.enable=true
         - traefik.docker.network=${PUBLIC_NETWORK}
@@ -619,6 +620,7 @@ services:
     networks:
       - monitored
     deploy:
+      replicas: ${REDIS_SELF_HOSTED_REPLICAS}
       update_config:
         parallelism: 2
         order: start-first
@@ -726,7 +728,7 @@ services:
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.middlewares=ops_gzip@swarm, ops_sslheader@swarm, ops_ratelimit@swarm
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.service=${SWARM_STACK_NAME}_simcore_http
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.rule=((${DEPLOYMENT_FQDNS_CAPTURE_TRAEFIK_RULE_CATCHALL}) && PathPrefix(`/`)) || ( (PathPrefix(`/dashboard`) || PathPrefix(`/api`) ) && Host(`traefikdashboard.${MACHINE_FQDN}`))
-        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.priority=1 # Lowest possible priority, maintenance page takes priority "2" (higher, maintenance page has precedent) if it is up
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.priority=3
         # oSparc publicAPI
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api.rule=(${DEPLOYMENT_API_DOMAIN_CAPTURE_TRAEFIK_RULE}) && PathPrefix(`/`)
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api.entrypoints=https
@@ -785,7 +787,7 @@ services:
         - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.service=api@internal
         - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.rule=(PathPrefix(`/dashboard`) || PathPrefix(`/api`) ) && Host(`traefikdashboard.${MACHINE_FQDN}`)
         - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.entrypoints=http
-        - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.priority=2
+        - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.priority=6
         - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.middlewares=${SWARM_STACK_NAME}_auth@swarm, ${SWARM_STACK_NAME}_whitelist_ips@swarm
         - traefik.http.services.${SWARM_STACK_NAME}_traefik_api.loadbalancer.server.port=8080
         # Middlewares
@@ -829,7 +831,7 @@ services:
         - traefik.http.services.${SWARM_STACK_NAME}_whoami.loadbalancer.server.port=80
         - traefik.http.routers.${SWARM_STACK_NAME}_whoami.rule=PathPrefix(`/whoami`)
         - traefik.http.routers.${SWARM_STACK_NAME}_whoami.entrypoints=http
-        - traefik.http.routers.${SWARM_STACK_NAME}_whoami.priority=2
+        - traefik.http.routers.${SWARM_STACK_NAME}_whoami.priority=6
         - traefik.http.routers.${SWARM_STACK_NAME}_whoami.middlewares=${SWARM_STACK_NAME}_auth@swarm,${SWARM_STACK_NAME}_gzip@swarm
       update_config:
         parallelism: 2
diff --git a/services/traefik/j2cli_customization.py b/services/traefik/j2cli_customization.py
@@ -11,6 +11,7 @@ def _generate_domain_capture_all_rule(domain: str) -> str:
         f"Host(`api.{domain}`)",
         f"Host(`api.testing.{domain}`)",
         f"Host(`testing.{domain}`)",
+        f"Host(`manual.{domain}`)",
     ]
     return " || ".join(rules)
 

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-!docker-compose.yml`
	`1`	`+docker-compose.yml`
`2`	`2`	`*.secret`