From 323cb2743b843df6d4f9dbc4b5cb0273acd4a64c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 10 Dec 2024 16:09:47 -0800 Subject: [PATCH] Switch vo-cutouts to use Wobbly for jobs Instead of directly connecting to a database, change the vo-cutouts application to use Wobbly as the backend for job storage. Remove all the schema management and database connection logic from vo-cutouts, which will no longer require it. Bump the application version to the new version that supports Wobbly. --- applications/vo-cutouts/Chart.yaml | 2 +- applications/vo-cutouts/README.md | 11 +- applications/vo-cutouts/secrets.yaml | 4 - .../vo-cutouts/templates/configmap.yaml | 16 +-- .../templates/db-worker-deployment.yaml | 29 ---- .../vo-cutouts/templates/deployment.yaml | 33 ----- .../templates/job-schea-update.yaml | 130 ------------------ .../vo-cutouts/templates/serviceaccount.yaml | 2 - .../templates/worker-deployment.yaml | 4 - applications/vo-cutouts/values-idfdev.yaml | 4 - applications/vo-cutouts/values-idfint.yaml | 4 - applications/vo-cutouts/values-idfprod.yaml | 4 - applications/vo-cutouts/values.yaml | 43 +----- 13 files changed, 8 insertions(+), 278 deletions(-) delete mode 100644 applications/vo-cutouts/templates/job-schea-update.yaml diff --git a/applications/vo-cutouts/Chart.yaml b/applications/vo-cutouts/Chart.yaml index 68d876fb99..1e9da38319 100644 --- a/applications/vo-cutouts/Chart.yaml +++ b/applications/vo-cutouts/Chart.yaml @@ -4,7 +4,7 @@ version: 1.0.0 description: "Image cutout service complying with IVOA SODA" sources: - "https://github.com/lsst-sqre/vo-cutouts" -appVersion: 3.2.0 +appVersion: 4.0.0 dependencies: - name: redis diff --git a/applications/vo-cutouts/README.md b/applications/vo-cutouts/README.md index 0a51e70249..4d6538fc5c 100644 --- a/applications/vo-cutouts/README.md +++ b/applications/vo-cutouts/README.md @@ -10,24 +10,15 @@ Image cutout service complying with IVOA SODA | Key | Type | Default | Description | |-----|------|---------|-------------| -| cloudsql.enabled | bool | `false` | Enable the Cloud SQL Auth Proxy sidecar, used with Cloud SQL databases on Google Cloud | -| cloudsql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Cloud SQL Auth Proxy images | -| cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | Cloud SQL Auth Proxy image to use | -| cloudsql.image.schemaUpdateTagSuffix | string | `"-alpine"` | Tag suffix to use for the proxy for schema updates | -| cloudsql.image.tag | string | `"1.37.2"` | Cloud SQL Auth Proxy tag to use | -| cloudsql.instanceConnectionName | string | None, must be set if Cloud SQL is used | Instance connection name for a Cloud SQL PostgreSQL instance | -| cloudsql.resources | object | See `values.yaml` | Resource limits and requests for the Cloud SQL Proxy container | -| config.databaseUrl | string | None, must be set if `cloudsql.enabled` is false | URL for the PostgreSQL database if Cloud SQL is not in use | | config.gracePeriod | int | `60` | Grace period in seconds to wait for cutout worker jobs to finish | | config.lifetime | string | `"30d"` | Lifetime of job results in Safir `parse_timedelta` format | | config.loglevel | string | `"INFO"` | Choose from the text form of Python logging levels | | config.pathPrefix | string | `"/api/cutout"` | URL path prefix for the cutout API | -| config.serviceAccount | string | None, must be set | Google service account with an IAM binding to the `vo-cutouts` Kubernetes service accounts and has the `cloudsql.client` role, access to write to the GCS bucket, and ability to sign URLs as itself | +| config.serviceAccount | string | None, must be set | Google service account with an IAM binding to the `vo-cutouts` Kubernetes service accounts and has access to write to the GCS bucket and ability to sign URLs as itself | | config.slackAlerts | bool | `true` | Whether to send Slack alerts for unexpected failures | | config.storageBucketUrl | string | None, must be set | URL for the GCS bucket for results (must start with `gs`) | | config.syncTimeout | string | `"1m"` | Timeout for results from a sync cutout in Safir `parse_timedelta` format | | config.timeout | int | 600 (10 minutes) | Timeout for a single cutout job in seconds | -| config.updateSchema | bool | `false` | Whether to automatically update the vo-cutouts database schema | | cutoutWorker.affinity | object | `{}` | Affinity rules for the cutout worker pod | | cutoutWorker.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for cutout workers | | cutoutWorker.image.repository | string | `"ghcr.io/lsst-sqre/vo-cutouts-worker"` | Stack image to use for cutouts | diff --git a/applications/vo-cutouts/secrets.yaml b/applications/vo-cutouts/secrets.yaml index 5f86138f03..2e597bb11c 100644 --- a/applications/vo-cutouts/secrets.yaml +++ b/applications/vo-cutouts/secrets.yaml @@ -1,7 +1,3 @@ -database-password: - description: >- - Password used to authenticate to the PostgreSQL database used to store job - information. This password may be changed at any time. redis-password: description: >- Password used to authenticate vo-cutouts to its internal Redis server, diff --git a/applications/vo-cutouts/templates/configmap.yaml b/applications/vo-cutouts/templates/configmap.yaml index 8a0a3a4dc4..6aee74106a 100644 --- a/applications/vo-cutouts/templates/configmap.yaml +++ b/applications/vo-cutouts/templates/configmap.yaml @@ -2,25 +2,17 @@ apiVersion: v1 kind: ConfigMap metadata: name: vo-cutouts - {{- if .Values.config.updateSchema }} - annotations: - helm.sh/hook: "pre-install,pre-upgrade" - helm.sh/hook-delete-policy: "before-hook-creation" - helm.sh/hook-weight: "0" - {{- end }} labels: {{- include "vo-cutouts.labels" . | nindent 4 }} data: CUTOUT_ARQ_QUEUE_URL: "redis://vo-cutouts-redis.{{ .Release.Namespace }}" - {{- if .Values.cloudsql.enabled }} - CUTOUT_DATABASE_URL: "postgresql://vo-cutouts@localhost/vo-cutouts" - {{- end }} CUTOUT_GRACE_PERIOD: {{ .Values.config.gracePeriod | quote }} CUTOUT_LIFETIME: {{ .Values.config.lifetime | quote }} + CUTOUT_LOG_LEVEL: {{ .Values.config.loglevel | quote }} + CUTOUT_PATH_PREFIX: {{ .Values.config.pathPrefix | quote }} + CUTOUT_PROFILE: "production" CUTOUT_SERVICE_ACCOUNT: {{ required "config.serviceAccount must be set" .Values.config.serviceAccount | quote }} CUTOUT_STORAGE_URL: {{ required "config.storageBucketUrl must be set" .Values.config.storageBucketUrl | quote }} CUTOUT_SYNC_TIMEOUT: {{ .Values.config.syncTimeout | quote }} CUTOUT_TIMEOUT: {{ .Values.config.timeout | quote }} - CUTOUT_PATH_PREFIX: {{ .Values.config.pathPrefix | quote }} - CUTOUT_PROFILE: "production" - CUTOUT_LOG_LEVEL: {{ .Values.config.loglevel | quote }} + CUTOUT_WOBBLY_URL: "{{ .Values.global.baseUrl }}/wobbly" diff --git a/applications/vo-cutouts/templates/db-worker-deployment.yaml b/applications/vo-cutouts/templates/db-worker-deployment.yaml index 189dec201e..362cdb4dca 100644 --- a/applications/vo-cutouts/templates/db-worker-deployment.yaml +++ b/applications/vo-cutouts/templates/db-worker-deployment.yaml @@ -26,32 +26,8 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.cloudsql.enabled }} - serviceAccountName: "vo-cutouts" - {{- else }} automountServiceAccountToken: false - {{- end }} containers: - {{- if .Values.cloudsql.enabled }} - - name: "cloud-sql-proxy" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "all" - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" - imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} - command: - - "/cloud_sql_proxy" - - "-ip_address_types=PRIVATE" - - "-log_debug_stdout=true" - - "-structured_logs=true" - - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" - {{- end }} - name: "db-worker" securityContext: allowPrivilegeEscalation: false @@ -70,11 +46,6 @@ spec: secretKeyRef: name: "vo-cutouts" key: "redis-password" - - name: "CUTOUT_DATABASE_PASSWORD" - valueFrom: - secretKeyRef: - name: "vo-cutouts" - key: "database-password" {{- if .Values.config.slackAlerts }} - name: "CUTOUT_SLACK_WEBHOOK" valueFrom: diff --git a/applications/vo-cutouts/templates/deployment.yaml b/applications/vo-cutouts/templates/deployment.yaml index bfda982167..68e2358bee 100644 --- a/applications/vo-cutouts/templates/deployment.yaml +++ b/applications/vo-cutouts/templates/deployment.yaml @@ -26,40 +26,12 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.cloudsql.enabled }} serviceAccountName: "vo-cutouts" - {{- else }} - automountServiceAccountToken: false - {{- end }} securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 containers: - {{- if .Values.cloudsql.enabled }} - - name: "cloud-sql-proxy" - command: - - "/cloud_sql_proxy" - - "-ip_address_types=PRIVATE" - - "-log_debug_stdout=true" - - "-structured_logs=true" - - "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" - image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" - imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} - {{- with .Values.cloudsql.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "all" - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - {{- end }} - name: "vo-cutouts" securityContext: allowPrivilegeEscalation: false @@ -79,11 +51,6 @@ spec: secretKeyRef: name: "vo-cutouts" key: "redis-password" - - name: "CUTOUT_DATABASE_PASSWORD" - valueFrom: - secretKeyRef: - name: "vo-cutouts" - key: "database-password" {{- if .Values.config.slackAlerts }} - name: "CUTOUT_SLACK_WEBHOOK" valueFrom: diff --git a/applications/vo-cutouts/templates/job-schea-update.yaml b/applications/vo-cutouts/templates/job-schea-update.yaml deleted file mode 100644 index b59461e887..0000000000 --- a/applications/vo-cutouts/templates/job-schea-update.yaml +++ /dev/null @@ -1,130 +0,0 @@ -{{- if .Values.config.updateSchema -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: "vo-cutouts-schema-update" - annotations: - annotations: - helm.sh/hook: "pre-install,pre-upgrade" - helm.sh/hook-delete-policy: "hook-succeeded" - helm.sh/hook-weight: "1" - labels: - {{- include "vo-cutouts.labels" . | nindent 4 }} -spec: - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "vo-cutouts.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: "schema-update" - vo-cutouts-redis-client: "true" - spec: - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.cloudsql.enabled }} - serviceAccountName: "vo-cutouts" - {{- else }} - automountServiceAccountToken: false - {{- end }} - containers: - {{- if .Values.cloudsql.enabled }} - - name: "cloud-sql-proxy" - # Running the sidecar as normal causes it to keep running and thus - # the Pod never exits, the Job never finishes, and the hook blocks - # the sync. Have the main pod signal the sidecar by writing to a - # file on a shared emptyDir file system, and use a simple watcher - # loop in shell in the sidecar container to terminate the proxy when - # the main container finishes. - # - # Based on https://stackoverflow.com/questions/41679364/ - command: - - "/bin/sh" - - "-c" - args: - - | - /cloud_sql_proxy -ip_address_types=PRIVATE -log_debug_stdout=true -structured_logs=true -instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432 & - PID=$! - while true; do - if [[ -f "/lifecycle/main-terminated" ]]; then - kill $PID - exit 0 - fi - sleep 1 - done - image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}{{ .Values.cloudsql.image.schemaUpdateTagSuffix }}" - imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} - {{- with .Values.cloudsql.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "all" - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - volumeMounts: - - name: "lifecycle" - mountPath: "/lifecycle" - {{- end }} - - name: "vo-cutouts" - command: - - "/bin/sh" - - "-c" - - | - vo-cutouts update-schema - touch /lifecycle/main-terminated - env: - - name: "CUTOUT_ARQ_QUEUE_PASSWORD" - valueFrom: - secretKeyRef: - name: "vo-cutouts" - key: "redis-password" - - name: "CUTOUT_DATABASE_PASSWORD" - valueFrom: - secretKeyRef: - name: "vo-cutouts" - key: "database-password" - envFrom: - - configMapRef: - name: "vo-cutouts" - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- with .Values.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "all" - readOnlyRootFilesystem: true - volumeMounts: - - name: "lifecycle" - mountPath: "/lifecycle" - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - restartPolicy: "Never" - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: "lifecycle" - emptyDir: {} -{{- end }} diff --git a/applications/vo-cutouts/templates/serviceaccount.yaml b/applications/vo-cutouts/templates/serviceaccount.yaml index c2c43cfbbd..611d73acab 100644 --- a/applications/vo-cutouts/templates/serviceaccount.yaml +++ b/applications/vo-cutouts/templates/serviceaccount.yaml @@ -1,4 +1,3 @@ -{{- if (or .Values.config.serviceAccount .Values.cloudsql.enabled) }} apiVersion: v1 kind: ServiceAccount metadata: @@ -12,4 +11,3 @@ metadata: helm.sh/hook-weight: "0" {{- end }} iam.gke.io/gcp-service-account: {{ required "config.serviceAccount must be set to a valid Google service account" .Values.config.serviceAccount | quote }} -{{- end }} diff --git a/applications/vo-cutouts/templates/worker-deployment.yaml b/applications/vo-cutouts/templates/worker-deployment.yaml index 4a44081a65..0c63e28bb7 100644 --- a/applications/vo-cutouts/templates/worker-deployment.yaml +++ b/applications/vo-cutouts/templates/worker-deployment.yaml @@ -26,11 +26,7 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.config.serviceAccount }} serviceAccountName: "vo-cutouts" - {{- else }} - automountServiceAccountToken: false - {{- end }} containers: - name: "worker" securityContext: diff --git a/applications/vo-cutouts/values-idfdev.yaml b/applications/vo-cutouts/values-idfdev.yaml index d65f4f8bbe..180b197260 100644 --- a/applications/vo-cutouts/values-idfdev.yaml +++ b/applications/vo-cutouts/values-idfdev.yaml @@ -1,7 +1,3 @@ config: serviceAccount: "vo-cutouts@science-platform-dev-7696.iam.gserviceaccount.com" storageBucketUrl: "gs://rubin-cutouts-dev-us-central1-output/" - -cloudsql: - enabled: true - instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" diff --git a/applications/vo-cutouts/values-idfint.yaml b/applications/vo-cutouts/values-idfint.yaml index b7e41291fd..a4aed866f3 100644 --- a/applications/vo-cutouts/values-idfint.yaml +++ b/applications/vo-cutouts/values-idfint.yaml @@ -1,7 +1,3 @@ config: serviceAccount: "vo-cutouts@science-platform-int-dc5d.iam.gserviceaccount.com" storageBucketUrl: "gs://rubin-cutouts-int-us-central1-output/" - -cloudsql: - enabled: true - instanceConnectionName: "science-platform-int-dc5d:us-central1:science-platform-int-8f439af2" diff --git a/applications/vo-cutouts/values-idfprod.yaml b/applications/vo-cutouts/values-idfprod.yaml index 461cb96fe5..d6d7511db1 100644 --- a/applications/vo-cutouts/values-idfprod.yaml +++ b/applications/vo-cutouts/values-idfprod.yaml @@ -1,7 +1,3 @@ config: serviceAccount: "vo-cutouts@science-platform-stable-6994.iam.gserviceaccount.com" storageBucketUrl: "gs://rubin-cutouts-stable-us-central1-output/" - -cloudsql: - enabled: true - instanceConnectionName: "science-platform-stable-6994:us-central1:science-platform-stable-0c29612b" diff --git a/applications/vo-cutouts/values.yaml b/applications/vo-cutouts/values.yaml index 40e4a9aa56..a2ede6b0bb 100644 --- a/applications/vo-cutouts/values.yaml +++ b/applications/vo-cutouts/values.yaml @@ -9,10 +9,6 @@ config: # -- URL path prefix for the cutout API pathPrefix: "/api/cutout" - # -- URL for the PostgreSQL database if Cloud SQL is not in use - # @default -- None, must be set if `cloudsql.enabled` is false - databaseUrl: null - # -- Grace period in seconds to wait for cutout worker jobs to finish gracePeriod: 60 @@ -20,8 +16,8 @@ config: lifetime: "30d" # -- Google service account with an IAM binding to the `vo-cutouts` - # Kubernetes service accounts and has the `cloudsql.client` role, access - # to write to the GCS bucket, and ability to sign URLs as itself + # Kubernetes service accounts and has access to write to the GCS bucket and + # ability to sign URLs as itself # @default -- None, must be set serviceAccount: null @@ -40,9 +36,6 @@ config: # @default -- 600 (10 minutes) timeout: 600 - # -- Whether to automatically update the vo-cutouts database schema - updateSchema: false - image: # -- vo-cutouts image to use for the frontend and database workers repository: "ghcr.io/lsst-sqre/vo-cutouts" @@ -84,38 +77,6 @@ frontend: # -- Tolerations for the vo-cutouts frontend pod tolerations: [] -cloudsql: - # -- Enable the Cloud SQL Auth Proxy sidecar, used with Cloud SQL databases - # on Google Cloud - enabled: false - - image: - # -- Cloud SQL Auth Proxy image to use - repository: "gcr.io/cloudsql-docker/gce-proxy" - - # -- Cloud SQL Auth Proxy tag to use - tag: "1.37.2" - - # -- Tag suffix to use for the proxy for schema updates - schemaUpdateTagSuffix: "-alpine" - - # -- Pull policy for Cloud SQL Auth Proxy images - pullPolicy: "IfNotPresent" - - # -- Instance connection name for a Cloud SQL PostgreSQL instance - # @default -- None, must be set if Cloud SQL is used - instanceConnectionName: null - - # -- Resource limits and requests for the Cloud SQL Proxy container - # @default -- See `values.yaml` - resources: - limits: - cpu: "100m" - memory: "20Mi" - requests: - cpu: "5m" - memory: "7Mi" - cutoutWorker: # -- Number of cutout worker pods to start replicaCount: 2