Add flag to annotate direct butler support & make direct butler secre…

…ts conditional
lsst-sqre · Oct 29, 2024 · 5bd073f · 5bd073f
1 parent c91b2d4
commit 5bd073f
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 3 deletions.
diff --git a/applications/sia/Chart.yaml b/applications/sia/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.1.1
+appVersion: 0.1.2
 description: Simple Image Access (SIA) IVOA Service using Butler
 name: sia
 sources:

diff --git a/applications/sia/README.md b/applications/sia/README.md
@@ -12,6 +12,7 @@ Simple Image Access (SIA) IVOA Service using Butler
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity rules for the sia deployment pod |
 | config.butlerDataCollections | list | `[]` | List of data (Butler) Collections Expected attributes: `config`, `label`, `name`, `butler_type`, `repository`, `datalink_url` & `default_instrument` |
+| config.directButlerEnabled | bool | `false` | Whether direct butler access is enabled |
 | config.logLevel | string | `"INFO"` | Logging level |
 | config.logProfile | string | `"production"` | Logging profile (`production` for JSON, `development` for human-friendly) |
 | config.pathPrefix | string | `"/api/sia"` | URL path prefix |

diff --git a/applications/sia/secrets.yaml b/applications/sia/secrets.yaml
@@ -1,12 +1,15 @@
 "aws-credentials.ini":
+  if: config.directButlerEnabled
   copy:
     application: nublado
     key: "aws-credentials.ini"
 "butler-gcs-idf-creds.json":
+  if: config.directButlerEnabled
   copy:
     application: nublado
     key: "butler-gcs-idf-creds.json"
 "postgres-credentials.txt":
+  if: config.directButlerEnabled
   copy:
     application: nublado
     key: "postgres-credentials.txt"

diff --git a/applications/sia/templates/deployment.yaml b/applications/sia/templates/deployment.yaml
@@ -24,6 +24,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       automountServiceAccountToken: false
+      {{- if .Values.config.directButlerEnabled }}
       initContainers:
         - name: fix-secret-permissions
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -44,6 +45,7 @@ spec:
               mountPath: "/etc/butler/secrets"
             - name: "secrets-raw"
               mountPath: "/tmp/secrets-raw"
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           envFrom:
@@ -71,6 +73,7 @@ spec:
                   name: "sia"
                   key: "slack-webhook"
             {{- end }}
+            {{- if .Values.config.directButlerEnabled }}
             - name: "AWS_SHARED_CREDENTIALS_FILE"
               value: "/tmp/secrets/aws-credentials.ini"
             - name: "PGUSER"
@@ -79,10 +82,13 @@ spec:
               value: "/etc/butler/secrets/postgres-credentials.txt"
             - name: "GOOGLE_APPLICATION_CREDENTIALS"
               value: "/tmp/secrets/butler-gcs-idf-creds.json"
+            {{- end }}
+          {{- if .Values.config.directButlerEnabled }}
           volumeMounts:
             - name: "secrets"
               mountPath: "/etc/butler/secrets"
               readOnly: true
+          {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
@@ -97,12 +103,14 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.config.directButlerEnabled }}
       volumes:
         - name: "secrets-raw"
           secret:
             secretName: "sia"
         - name: "secrets"
           emptyDir: {}
+      {{- end }}
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000

diff --git a/applications/sia/templates/ingress-anonymous.yaml b/applications/sia/templates/ingress-anonymous.yaml
@@ -13,6 +13,7 @@ template:
     name: {{ template "sia.fullname" . }}-anonymous
     {{- with .Values.ingress.annotations }}
     annotations:
+      nginx.ingress.kubernetes.io/use-regex: "true"
       {{- toYaml . | nindent 6 }}
     {{- end }}
   spec:
@@ -28,14 +29,14 @@ template:
                   port:
                     number: 8080
             - path: "{{ .Values.ingress.path }}/.+/capabilities"
-              pathType: "Exact"
+              pathType: "ImplementationSpecific"
               backend:
                 service:
                   name: {{ template "sia.fullname" . }}
                   port:
                     number: 8080
             - path: "{{ .Values.ingress.path }}/.+/availability"
-              pathType: "Exact"
+              pathType: "ImplementationSpecific"
               backend:
                 service:
                   name: {{ template "sia.fullname" . }}

diff --git a/applications/sia/values.yaml b/applications/sia/values.yaml
@@ -36,6 +36,9 @@ config:
   # -- URL path prefix
   pathPrefix: "/api/sia"
 
+  # -- Whether direct butler access is enabled
+  directButlerEnabled: false
+
   # -- List of data (Butler) Collections
   # Expected attributes: `config`, `label`, `name`, `butler_type`, `repository`, `datalink_url` & `default_instrument`
   butlerDataCollections: []