Merge pull request #166 from eccenca/feature/helm-deployment

helm deployment

Author: seebi

.gitignore

@@ -8,3 +8,4 @@ tmp
 .DS_Store
 .vscode/
 .python-version
+

docs/deploy-and-configure/installation/.pages

@@ -2,5 +2,6 @@ nav:
     - Installation: index.md
     - "Scenario: Single Node Cloud Installation": scenario-single-node-cloud-installation
     - "Scenario: Local Installation": scenario-local-installation
+    - "Scenario: Kubernetes Deployment": scenario-k8s-deployment
     - Migrating Stores: migrating-stores
 

docs/deploy-and-configure/installation/scenario-k8s-deployment/files/cmem-values.yaml

@@ -0,0 +1,77 @@
+# Default values for cmem.
+nameOverride: ""
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    #kubernetes.io/tls-acme: "true"
+    cert-manager.io/cluster-issuer: OVERRIDDEN_BY_TASKFILE
+
+  hosts:
+    - host: "OVERRIDDEN_BY_TASKFILE"
+      paths:
+        - path: /
+          pathType: Prefix
+          serviceName: explore
+          servicePort: 8080
+        - path: /dataintegration
+          pathType: Prefix
+          serviceName: dataintegration
+          servicePort: 8080
+  tls:
+    - hosts:
+         - "OVERRIDDEN_BY_TASKFILE"
+      secretName:  cmem-ingress-cert
+
+global:
+  # The OAuth client that will be used to load the workspace initially and run the schedulers.
+  # In order to enable that feature, you have to enable the service account feature in the Keycloak
+  # OIDC client "cmem-service-client". Furthermore, an AccessCondition that maps with `eccauth:requiresClient :cmem-service-account`
+  # is required.
+
+  protocol: "https"
+  cmemClientId: cmem-service-account
+  cmemClientSecret: c8c12828-000c-467b-9b6d-2d6b5e16df4a
+  hostname: "OVERRIDDEN_BY_TASKFILE"
+  # This is the base keycloak realm url, e.g. https://cmem.example.com/auth/realms/cmem
+  # license: cmem-license
+  disablePythonInstallFromOutside: false
+
+bootstrap:
+  enabled: true
+
+explore:
+  config:
+    # disabeld by default
+    # create Objects of kind Pod- or SeviceMonitor see 
+    # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/developer/getting-started.md#deploying-a-sample-application
+    serviceMonitorEnabaled: false
+    podMonitorEnabled: true
+  store:
+    graphdb:
+      enabled: true
+      repository: cmem
+      user: provisioner
+      password: "iHaveSuperpowers"
+      # With Dataplatform 22.2, we have a "host" property
+      host: "graphdb.graphdb"
+      sslEnabled: false
+      createRepoOnStartup: true
+      changeTrackingActive: true
+      changeTrackingMaxQuadsMem: 1000
+
+dataintegration:
+  config:
+    # pwgen 16 1
+    passwordCryptKey: "Peek1uh1Ui8viequ"
+    # pwgen 40 1
+    playHTTPSecret: "waejai5aiMoShuvahcai3iaC3eefeichahYaemac"
+  persistence:
+    storageClassName: local-path
+  tmp:
+    storageClassName: local-path
+  initContainer:
+    pythonPluginImageInstall:
+      enabled: true
+  automountServiceAccountToken: true

docs/deploy-and-configure/installation/scenario-k8s-deployment/files/graphdb-values.yaml

@@ -0,0 +1,37 @@
+---
+
+# We use a separate, simpler ingress definition
+ingress:
+  enabled: false
+
+license:
+  # Reference to a secret containing 'graphdb.license' file that will be mounted in the GraphDB pod.
+  # The value is processed as a Helm template.
+  existingSecret: "graphdb-license"
+  # File name of the GraphDB license file in the existing license secret.
+  # The default is graphdb.license, but it can be changed to map to a different secret key.
+  licenseFilename: graphdb.license
+
+resources:
+  limits:
+    memory: 4Gi
+    cpu: 2000m
+  requests:
+    memory: 4Gi
+    cpu: 500m
+
+security:
+  enabled: true
+  provisioningUsername: provisioner
+  # bcrypt encrypted password. default: iHaveSuperpowers
+  provisioningPassword: iHaveSuperpowers
+
+persistence:
+  enabled: true
+  volumeClaimTemplate:
+    name: "storage"
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      resources:
+        requests:
+          storage: 5Gi

docs/deploy-and-configure/installation/scenario-k8s-deployment/files/keycloak-values.yaml

@@ -0,0 +1,29 @@
+---
+postgres:
+  internal: true
+  provisioning:
+    enabled: true
+    # If true, this will drop the public schema and re-provision the database on every start.
+    force: true
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/common-name: "kc.docker.localhost"
+  hosts:
+    - host: "kc.docker.localhost"
+      paths:
+        - path: /auth
+          pathType: Prefix
+          serviceName: keycloak
+          servicePort: 8080
+  tls:
+    - hosts:
+         - "kc.docker.localhost"
+      secretName:  keycloak-ingress-cert
+
+tests:
+  # Change this to your ingress controller IP in case you are using
+  # kind/docker-desktop/k3d with host.docker.internal or docker.localhost
+  ingressControllerIP: "10.43.82.133"