Merge pull request #2863 from lsst-sqre/tickets/DM-42460

DM-42460: Add new jira-data-proxy application

applications/jira-data-proxy/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

applications/jira-data-proxy/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: "tickets-DM-42460"
+description: Jira API read-only proxy for Times Square users.
+name: jira-data-proxy
+sources:
+  - https://github.com/lsst-sqre/jira-data-proxy
+type: application
+version: 1.0.0

applications/jira-data-proxy/README.md

@@ -0,0 +1,32 @@
+# jira-data-proxy
+
+Jira API read-only proxy for Times Square users.
+
+## Source Code
+
+* <https://github.com/lsst-sqre/jira-data-proxy>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity rules for the jira-data-proxy deployment pod |
+| autoscaling.enabled | bool | `false` | Enable autoscaling of jira-data-proxy deployment |
+| autoscaling.maxReplicas | int | `100` | Maximum number of jira-data-proxy deployment pods |
+| autoscaling.minReplicas | int | `1` | Minimum number of jira-data-proxy deployment pods |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization of jira-data-proxy deployment pods |
+| config.jiraUrl | string | `"https://jira.lsstcorp.org/"` | Jira base URL |
+| config.logLevel | string | `"info"` | Logging level |
+| global.baseUrl | string | Set by Argo CD | Base URL for the environment |
+| global.host | string | Set by Argo CD | Host name for ingress |
+| global.vaultSecretsPathPrefix | string | Set by Argo CD | Base path for Vault secrets |
+| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the jira-data-proxy image |
+| image.repository | string | `"ghcr.io/lsst-sqre/jira-data-proxy"` | Image to use in the jira-data-proxy deployment |
+| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| ingress.annotations | object | `{}` | Additional annotations for the ingress rule |
+| ingress.path | string | `"/jira-data-proxy"` | Path prefix where jira-data-proxy is served |
+| nodeSelector | object | `{}` | Node selection rules for the jira-data-proxy deployment pod |
+| podAnnotations | object | `{}` | Annotations for the jira-data-proxy deployment pod |
+| replicaCount | int | `1` | Number of web deployment pods to start |
+| resources | object | `{}` | Resource limits and requests for the jira-data-proxy deployment pod |
+| tolerations | list | `[]` | Tolerations for the jira-data-proxy deployment pod |

applications/jira-data-proxy/secrets.yaml

@@ -0,0 +1,4 @@
+JIRA_USERNAME:
+  description: JIRA account username.
+JIRA_PASSWORD:
+  description: JIRA account password.

applications/jira-data-proxy/templates/_helpers.tpl

@@ -0,0 +1,26 @@
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "jira-data-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "jira-data-proxy.labels" -}}
+helm.sh/chart: {{ include "jira-data-proxy.chart" . }}
+{{ include "jira-data-proxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "jira-data-proxy.selectorLabels" -}}
+app.kubernetes.io/name: "jira-data-proxy"
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

applications/jira-data-proxy/templates/configmap.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "jira-data-proxy"
+  labels:
+    {{- include "jira-data-proxy.labels" . | nindent 4 }}
+data:
+  SAFIR_LOG_LEVEL: {{ .Values.config.logLevel | quote }}
+  SAFIR_PATH_PREFIX: {{ .Values.ingress.path | quote }}
+  JIRA_BASE_URL: {{ .Values.config.jiraUrl | quote }}

applications/jira-data-proxy/templates/deployment.yaml

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "jira-data-proxy"
+  labels:
+    {{- include "jira-data-proxy.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "server"
+    app.kubernetes.io/part-of: "jira-data-proxy"
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "jira-data-proxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "jira-data-proxy.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: "server"
+        app.kubernetes.io/part-of: "jira-data-proxy"
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "all"
+            readOnlyRootFilesystem: true
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: "http"
+              containerPort: 8080
+              protocol: "TCP"
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: "http"
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          envFrom:
+            - configMapRef:
+                name: "jira-data-proxy"
+          env:
+            - name: "JIRA_USERNAME"
+              valueFrom:
+                secretKeyRef:
+                  name: "jira-data-proxy"
+                  key: "JIRA_USERNAME"
+            - name: "JIRA_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: "jira-data-proxy"
+                  key: "JIRA_PASSWORD"
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

applications/jira-data-proxy/templates/hpa.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: "jira-data-proxy"
+  labels:
+    {{- include "jira-data-proxy.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: "jira-data-proxy"
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: "cpu"
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: "memory"
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

applications/jira-data-proxy/templates/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: gafaelfawr.lsst.io/v1alpha1
+kind: GafaelfawrIngress
+metadata:
+  name: "jira-data-proxy"
+  labels:
+    {{- include "jira-data-proxy.labels" . | nindent 4 }}
+config:
+  baseUrl: {{ .Values.global.baseUrl | quote }}
+  scopes:
+    all:
+      - "exec:notebook"
+  loginRedirect: false # endpoint is for API use only
+template:
+  metadata:
+    name: "jira-data-proxy"
+    {{- with .Values.ingress.annotations }}
+    annotations:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  spec:
+    rules:
+      - host: {{ required "global.host must be set" .Values.global.host | quote }}
+        http:
+          paths:
+            - path: {{ .Values.ingress.path | quote }}
+              pathType: "Prefix"
+              backend:
+                service:
+                  name: "jira-data-proxy"
+                  port:
+                    number: 8080

applications/jira-data-proxy/templates/networkpolicy.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: "jira-data-proxy"
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "jira-data-proxy.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow inbound access from pods (in any namespace) labeled
+    # gafaelfawr.lsst.io/ingress: true.
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              gafaelfawr.lsst.io/ingress: "true"
+      ports:
+        - protocol: "TCP"
+          port: 8080

applications/jira-data-proxy/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "jira-data-proxy"
+  labels:
+    {{- include "jira-data-proxy.labels" . | nindent 4 }}
+spec:
+  type: "ClusterIP"
+  ports:
+    - port: 8080
+      targetPort: "http"
+      protocol: "TCP"
+      name: "http"
+  selector:
+    {{- include "jira-data-proxy.selectorLabels" . | nindent 4 }}

applications/jira-data-proxy/templates/vault-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: "jira-data-proxy"
+  labels:
+    {{- include "jira-data-proxy.labels" . | nindent 4 }}
+spec:
+  path: "{{ .Values.global.vaultSecretsPathPrefix }}/jira-data-proxy"
+  type: Opaque

applications/jira-data-proxy/values-idfdev.yaml

@@ -0,0 +1,4 @@
+image:
+  pullPolicy: Always
+config:
+  logLevel: "DEBUG"

applications/jira-data-proxy/values-usdfdev.yaml

@@ -0,0 +1,4 @@
+image:
+  pullPolicy: Always
+config:
+  logLevel: "DEBUG"

applications/jira-data-proxy/values.yaml

@@ -0,0 +1,74 @@
+# Default values for jira-data-proxy.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+config:
+  # -- Logging level
+  logLevel: "info"
+
+  # -- Jira base URL
+  jiraUrl: "https://jira.lsstcorp.org/"
+
+# -- Number of web deployment pods to start
+replicaCount: 1
+
+image:
+  # -- Image to use in the jira-data-proxy deployment
+  repository: "ghcr.io/lsst-sqre/jira-data-proxy"
+
+  # -- Pull policy for the jira-data-proxy image
+  pullPolicy: "IfNotPresent"
+
+  # -- Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+ingress:
+  # -- Additional annotations for the ingress rule
+  annotations: {}
+
+  # -- Path prefix where jira-data-proxy is served
+  path: "/jira-data-proxy"
+
+autoscaling:
+  # -- Enable autoscaling of jira-data-proxy deployment
+  enabled: false
+
+  # -- Minimum number of jira-data-proxy deployment pods
+  minReplicas: 1
+
+  # -- Maximum number of jira-data-proxy deployment pods
+  maxReplicas: 100
+
+  # -- Target CPU utilization of jira-data-proxy deployment pods
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+# -- Annotations for the jira-data-proxy deployment pod
+podAnnotations: {}
+
+# -- Resource limits and requests for the jira-data-proxy deployment pod
+resources: {}
+
+# -- Node selection rules for the jira-data-proxy deployment pod
+nodeSelector: {}
+
+# -- Tolerations for the jira-data-proxy deployment pod
+tolerations: []
+
+# -- Affinity rules for the jira-data-proxy deployment pod
+affinity: {}
+
+# The following will be set by parameters injected by Argo CD and should not
+# be set in the individual environment values files.
+global:
+  # -- Base URL for the environment
+  # @default -- Set by Argo CD
+  baseUrl: ""
+
+  # -- Host name for ingress
+  # @default -- Set by Argo CD
+  host: ""
+
+  # -- Base path for Vault secrets
+  # @default -- Set by Argo CD
+  vaultSecretsPathPrefix: ""

docs/applications/index.rst

@@ -49,6 +49,7 @@ To learn how to develop applications for Phalanx, see the :doc:`/developers/inde
    argo-workflows/index
    alert-stream-broker/index
    exposurelog/index
+   jira-data-proxy/index
    narrativelog/index
    obsloctap/index
    plot-navigator/index