diff --git a/docker/Dockerfile b/docker/Dockerfile index 81b171313..794468183 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,12 +1,12 @@ -FROM ubuntu:20.04 -MAINTAINER Klavs Klavsen +FROM ubuntu:24.04 +LABEL maintainer="Klavs Klavsen " WORKDIR /tmp - +ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update && \ apt-get install -y \ python3-pip \ - python3.8-venv \ + python3-venv \ build-essential \ postgresql-server-dev-all @@ -15,9 +15,10 @@ RUN curl -fsSL https://deb.nodesource.com/setup_16.x | bash - RUN apt-get update; DEBIAN_FRONTEND=noninteractive apt-get install -y nodejs WORKDIR /var/www +RUN python3 -m venv relate-venv +RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python3-poetry + -RUN python3 -m venv relate-venv -RUN pip install poetry RUN git clone https://github.com/inducer/relate.git ENV VENV_PATH=/var/www/relate-venv WORKDIR /var/www/relate @@ -29,4 +30,4 @@ COPY local_settings_template.py /var/www/relate/local_settings_template.py COPY run-relate.sh /run-relate.sh RUN chmod 755 /run-relate.sh -CMD ['/run-relate.sh'] +CMD ["/run-relate.sh"] diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 2b9c52690..0c841c7ca 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -2,12 +2,15 @@ version: '3' services: app: - image: relate:latest + image: relate:latest + restart: unless-stopped command: /run-relate.sh environment: DBHOST: db - DBUSER: myuser - DBPASS: mypass + DBUSER: postgres + DBPASS: LocalPassword + ports: + - 8000:8000 links: - db @@ -18,3 +21,5 @@ services: - 5432:5432 environment: POSTGRES_PASSWORD: LocalPassword + POSTGRES_DB: relate + diff --git a/docker/local_settings_template.py b/docker/local_settings_template.py index 33cc1c9b1..b1187fdab 100644 --- a/docker/local_settings_template.py +++ b/docker/local_settings_template.py 
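Review bot: The added `ENV DEBIAN_FRONTEND=noninteractive` persists into the runtime environment of every container started from this image, although it is only needed while packages are installed. Declaring it as `ARG DEBIAN_FRONTEND=noninteractive` keeps it build-time only and makes the inline `DEBIAN_FRONTEND=noninteractive` prefixes on the later `RUN` lines unnecessary. No `USER` instruction is visible in any of the three Dockerfile hunks, so the image presumably still runs `/run-relate.sh` as root; if the lines outside the hunks do not add one, a dedicated account and `USER` before `CMD` would be worth adding.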
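Review bot: The new `RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python3-poetry` relies on the package index left behind by an earlier layer, so a cached `apt-get update` layer can make this step fail or install a stale package; `RUN apt-get update && apt-get install -y --no-install-recommends python3-poetry && rm -rf /var/lib/apt/lists/*` keeps index and install in one layer. The base image moves to Ubuntu 24.04, but the context lines of this hunk still pipe `https://deb.nodesource.com/setup_16.x` into `bash` unverified, and Node.js 16 has reached end of life, so the image would ship a runtime that no longer receives security fixes. The `git clone https://github.com/inducer/relate.git` that follows is unpinned as well; checking out a fixed tag or commit would make the build reproducible and auditable.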
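Review bot: `DBUSER: postgres` makes the application connect as the PostgreSQL superuser, and `DBPASS: LocalPassword` commits that account's password to the repository alongside the `POSTGRES_PASSWORD` of the `db` service. Together with the `5432:5432` mapping visible in the second hunk of this file, the database is published on the host with a credential that is public. Consider a dedicated, non-superuser role for the app, a password taken from the environment such as `DBPASS: ${RELATE_DB_PASSWORD:?set RELATE_DB_PASSWORD}`, and loopback-only publishing, e.g. `- 127.0.0.1:8000:8000`.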
@@ -1,6 +1,7 @@ # See https://docs.djangoproject.com/en/dev/howto/deployment/checklist/ import os.path as path +import os _BASEDIR = path.dirname(path.abspath(__file__)) @@ -58,7 +59,7 @@ # } # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True +DEBUG = False TIME_ZONE = "Europe/Copenhagen" @@ -208,10 +209,10 @@ # {{{ sign-in methods -RELATE_SIGN_IN_BY_EMAIL_ENABLED = True +RELATE_SIGN_IN_BY_EMAIL_ENABLED = False RELATE_SIGN_IN_BY_USERNAME_ENABLED = True RELATE_REGISTRATION_ENABLED = False -RELATE_SIGN_IN_BY_EXAM_TICKETS_ENABLED = True +RELATE_SIGN_IN_BY_EXAM_TICKETS_ENABLED = False # If you enable this, you must also have saml_config.py in this directory. # See saml_config.py.example for help. 
@@ -220,17 +221,27 @@ RELATE_SOCIAL_AUTH_BACKENDS = ( # See https://python-social-auth.readthedocs.io/en/latest/ # for full list. - # "social_core.backends.google.GoogleOAuth2", - + 'social_core.backends.keycloak.KeycloakOAuth2', + 'django.contrib.auth.backends.ModelBackend', # CAUTION: Relate uses emails returned by the backend to match # users. Only use backends that return verified emails. ) -# Your Google "Client ID" -# SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = '' -# Your Google "Client Secret" -# SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = '' -SOCIAL_AUTH_GOOGLE_OAUTH2_USE_UNIQUE_USER_ID = True +# you can configure your social auth by referencing this https://python-social-auth.readthedocs.io/en/latest/backends/ +# we configured it for keyclaok as a demo +SOCIAL_AUTH_KEYCLOAK_ID_KEY = 'email' +SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY= os.environ.get('KEYCLOAK_PUBLICKEY') +SOCIAL_AUTH_KEYCLOAK_KEY = 'relate' +SOCIAL_AUTH_KEYCLOAK_SECRET = os.environ.get('KEYCLOAK_SECRET') +SOCIAL_AUTH_KEYCLOAK_SERVER_URL = 'https:///realms/test-relate/' # required to fill +SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = \ + 'https:///auth/realms/test-relate/protocol/openid-connect/auth' # required to fill +SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = \ + 'https:///auth/realms/test-relate/protocol/openid-connect/token' # required to fill +SOCIAL_AUTH_REDIRECT_IS_HTTPS = True +SOCIAL_AUTH_SESSION_EXPIRATION = True + + # When registering your OAuth2 app (and consent screen) with Google, # specify the following authorized redirect URI: @@ -377,7 +388,7 @@ # A string containing the image ID of the docker image to be used to run # student Python code. Docker should download the image on first run. -RELATE_DOCKER_RUNPY_IMAGE = "inducer/relate-runcode-python" +RELATE_DOCKER_RUNPY_IMAGE = "inducer/relate-runcode-python-amd64" # RELATE_DOCKER_RUNPY_IMAGE = "inducer/relate-runpy-amd64-tensorflow" # (bigger, but includes TensorFlow) diff --git a/docker/run-relate.sh b/docker/run-relate.sh index d0f83f7d4..0f9884ea3 100755 
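Review bot: `SOCIAL_AUTH_KEYCLOAK_ID_KEY = 'email'` keys the account on the e-mail claim, and the CAUTION comment kept inside this tuple says Relate matches users by the e-mail a backend returns, so the template is only safe when the realm enforces e-mail verification; a comment next to the setting such as `# Requires "Verify email" in the Keycloak realm; otherwise use a stable identifier` would make that precondition explicit. `os.environ.get('KEYCLOAK_PUBLICKEY')` and `os.environ.get('KEYCLOAK_SECRET')` yield `None` when the variable is unset, so a misconfigured deployment starts and only fails at login, whereas `os.environ['KEYCLOAK_SECRET']` fails at startup. The three `https:///…` URLs have an empty host, and the comment below the hunk still describes registering the app with Google. `RELATE_SOCIAL_AUTH_BACKENDS` opens above the hunk, so the rest of the tuple is not visible here.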
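Review bot: `RELATE_DOCKER_RUNPY_IMAGE = "inducer/relate-runcode-python-amd64"` carries no tag, so Docker resolves it to `latest` and the image that executes student code can change without any change to this file. Pinning a tag or, better, a digest (`"inducer/relate-runcode-python-amd64@sha256:<digest>"`, placeholder value) would make the sandbox image reviewable and reproducible.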
--- a/docker/run-relate.sh +++ b/docker/run-relate.sh @@ -46,7 +46,7 @@ envsubst /var/www/relate/local_sett cd /var/www/relate # create initial db setup if necessary - and superuser -poetry run python manage.py migrate +poetry run python manage.py migrate --verbosity 3 poetry run python manage.py createsuperuser --username=relateadmin # run directly instead of via uwsgi diff --git a/helm/relate/readme.md b/helm/relate/readme.md index e23b11d82..84b3cd3c5 100644 --- a/helm/relate/readme.md +++ b/helm/relate/readme.md @@ -2,13 +2,17 @@ This Helm chart expects you to have the following Helm charts installed: - - https://opensource.zalando.com/postgres-operator/charts/postgres-operator/ + - https://cloudnative-pg.github.io/charts - https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq-cluster-operator AND you need to have a working mail server to point it to. - IF you do not have one - you can use this chart to setup a mailrelay service in your Kubernetes cluster: https://github.com/bokysan/docker-postfix/blob/master/helm/mail - and currently no image is pushed to any dockerhub - so you need to do that - and point to it. + and currently no image is pushed to any dockerhub - so you need to do that - and point to it. you can find the ``Dockerfile`` in ``Docker`` folder. + +For additional configuration options for social authentication using Python, refer to these docs. These changes should be made in the ``local_settings_template.py`` file present in ``docker`` folder. currently it is configured to use keycloak authentication. +- https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html +- https://python-social-auth.readthedocs.io/en/latest/configuration/settings.html#urls-options # After installing diff --git a/helm/relate/templates/backup.yaml b/helm/relate/templates/backup.yaml new file mode 100644 index 000000000..c5dbba05b --- /dev/null +++ b/helm/relate/templates/backup.yaml 
@@ -0,0 +1,10 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: ScheduledBackup +metadata: + name: relate-pg-backup # Name of the backup +spec: + immediate: true # Backup starts immediately after ScheduledBackup has been created + backupOwnerReference: self + schedule: "0 0 0 * * *" + cluster: + name: relate-pgsql # Cluster name \ No newline at end of file diff --git a/helm/relate/templates/deployment.yaml b/helm/relate/templates/deployment.yaml index e8885be88..1f7e5559f 100644 --- a/helm/relate/templates/deployment.yaml +++ b/helm/relate/templates/deployment.yaml @@ -49,6 +49,11 @@ spec: httpHeaders: - name: Host value: relate + initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 300 + failureThreshold: 30 + successThreshold: 1 readinessProbe: httpGet: path: / @@ -56,6 +61,11 @@ spec: httpHeaders: - name: Host value: relate + initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 300 + failureThreshold: 30 + successThreshold: 1 {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} diff --git a/helm/relate/templates/postgres.yaml b/helm/relate/templates/postgres.yaml index 796716c57..a7228e54b 100644 --- a/helm/relate/templates/postgres.yaml +++ b/helm/relate/templates/postgres.yaml 
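Review bot: This `ScheduledBackup` is rendered unconditionally and hard-codes `cluster: name: relate-pgsql`, while the `Cluster` in `templates/postgres.yaml` is only created when `(.Values.postgresql).enabled` is unset, is named `relate-pgsql-recover` when `(.Values.cnpg).recover` is set, and only gets a `backup:` section when `(.Values.cnpg).backup` is set. In the other cases the resource would point at a missing cluster or at one without an object store, and backups would presumably fail without anyone noticing. Wrapping the file in the same guard, `{{- if and (not (.Values.postgresql).enabled) (.Values.cnpg).backup }}` … `{{- end }}`, and deriving the cluster name the same way the `Cluster` does would keep the two templates in step.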
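Review bot: `timeoutSeconds: 300` is larger than `periodSeconds: 60`, and with `failureThreshold: 30` a hung pod is only restarted after at least half an hour; the same five values are added to the `readinessProbe` in the next hunk, where they keep an unresponsive pod in rotation for equally long. If the long budget is meant to cover a slow first start (migrations), a `startupProbe` with the generous threshold plus tight steady-state values such as `periodSeconds: 10`, `timeoutSeconds: 5`, `failureThreshold: 3` would serve both needs. Both probe blocks start outside their hunks, so the first one is assumed to be the liveness probe.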
@@ -1,19 +1,102 @@ -apiVersion: "acid.zalan.do/v1" -kind: postgresql +{{- if not (.Values.postgresql).enabled }} + +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster metadata: - name: obmondo-postgresql - namespace: relate + {{ if (.Values.cnpg).recover }} + name: relate-pgsql-recover + {{ else }} + name: relate-pgsql + {{ end }} spec: - teamId: obmondo - volume: - size: 2Gi - numberOfInstances: 1 - users: - relate_admin: # database owner - - superuser - - createdb - databases: - relate: relate_admin - postgresql: - version: "14" - enableMasterLoadBalancer: false + instances: {{ ((.Values.cnpg).instance) | default 1 }} + {{ if (.Values.cnpg).recover }} + bootstrap: + recovery: + source: relate-pgsql + {{ else }} + bootstrap: + initdb: + database: relate + owner: relate + {{ end }} + resources: + limits: + memory: {{ (((.Values.cnpg).resources).limits).memory | default "800Mi" }} + requests: + memory: {{ (((.Values.cnpg).resources).requests).memory | default "500Mi" }} + cpu: {{ (((.Values.cnpg).resources).requests).cpu | default "100m" }} + storage: + size: {{ (.Values.cnpg).size | default "4Gi" }} + {{- if (.Values.cnpg).storageClass }} + storageClass: {{ (.Values.cnpg).storageClass }} + {{- end }} + {{- if (.Values.cnpg).recover }} + externalClusters: + - name: relate-pgsql + barmanObjectStore: + destinationPath: {{ ((.Values.cnpg).backup).destinationPath }} + endpointURL: {{ ((.Values.cnpg).backup).endpointURL }} + {{- if eq ((.Values.cnpg).backup).cloud "aws" }} + s3Credentials: + accessKeyId: + name: relate-pgsql-backup-creds + key: ACCESS_KEY_ID + secretAccessKey: + name: relate-pgsql-backup-creds + key: ACCESS_SECRET_KEY + {{- end }} + {{- if eq ((.Values.cnpg).backup).cloud "azure" }} + azureCredentials: + connectionString: + name: relate-pgsql-backup-creds + key: AZURE_CONNECTION_STRING + storageAccount: + name: relate-pgsql-backup-creds + key: AZURE_STORAGE_ACCOUNT + storageKey: + name: relate-pgsql-backup-creds + key: AZURE_STORAGE_KEY + storageSasToken: 
+ name: relate-pgsql-backup-creds + key: AZURE_STORAGE_SAS_TOKEN + {{- end }} + wal: + maxParallel: 8 + {{- end }} + {{- if (.Values.cnpg).backup }} + backup: + barmanObjectStore: + destinationPath: {{ ((.Values.cnpg).backup).destinationPath }} + endpointURL: {{ ((.Values.cnpg).backup).endpointURL }} + {{- if eq ((.Values.cnpg).backup).cloud "aws" }} + s3Credentials: + accessKeyId: + name: relate-secret + key: ACCESS_KEY_ID + secretAccessKey: + name: relate-secret + key: ACCESS_SECRET_KEY + {{- end }} + {{- if eq ((.Values.cnpg).backup).cloud "azure" }} + azureCredentials: + connectionString: + name: relate-pgsql-backup-creds + key: AZURE_CONNECTION_STRING + storageAccount: + name: relate-pgsql-backup-creds + key: AZURE_STORAGE_ACCOUNT + storageKey: + name: relate-pgsql-backup-creds + key: AZURE_STORAGE_KEY + storageSasToken: + name: relate-pgsql-backup-creds + key: AZURE_STORAGE_SAS_TOKEN + {{- end }} + wal: + encryption: "" + data: + encryption: "" + retentionPolicy: "30d" + {{ end }} +{{ end }} diff --git a/helm/relate/templates/pvc.yaml b/helm/relate/templates/pvc.yaml index 520398d77..bf72fe73a 100644 --- a/helm/relate/templates/pvc.yaml +++ b/helm/relate/templates/pvc.yaml @@ -3,6 +3,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ template "relate.fullname" . }} + namespace: {{ include "relate.namespace" . }} labels: app: {{ template "relate.name" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" diff --git a/helm/relate/templates/rabbitmq.yaml b/helm/relate/templates/rabbitmq.yaml index 82bcec612..77eb7f469 100644 --- a/helm/relate/templates/rabbitmq.yaml +++ b/helm/relate/templates/rabbitmq.yaml @@ -2,3 +2,11 @@ apiVersion: rabbitmq.com/v1beta1 kind: RabbitmqCluster metadata: name: rabbitmq +spec: + resources: + requests: + cpu: 500m + memory: 200Mi + limits: + cpu: 500m + memory: 400Mi diff --git a/helm/relate/values.yaml b/helm/relate/values.yaml index dfa15dc81..525c82fb3 100644 --- a/helm/relate/values.yaml 
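Review bot: The backup store sets `wal: encryption: ""` and `data: encryption: ""`, which leaves encryption at rest entirely to the bucket's own policy although these backups hold the full Relate database. For the S3 case consider a chart value with a safe default, e.g. `encryption: {{ ((.Values.cnpg).backup).encryption | default "AES256" }}`, or document that the bucket must enforce encryption. The `aws` branch under `backup:` reads its keys from `relate-secret`, whereas the `aws` branch under `externalClusters` and both `azure` branches read `relate-pgsql-backup-creds`; if that is not intentional, a restore would look for credentials in a different Secret than the backup used. A `cloud` value other than `aws` or `azure` renders a `barmanObjectStore` with no credentials at all, so validating the value with `fail` would surface the mistake at install time.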
+++ b/helm/relate/values.yaml @@ -1,4 +1,5 @@ # nameOverride: "" + ## @param fullnameOverride String to fully override relate.fullname ## # fullnameOverride: "" @@ -39,7 +40,7 @@ persistence: enabled: true accessMode: ReadWriteOnce size: 100Mi - storageClass: + storageClass: # default settings for emptydir volume emptyDir: {}