First version of VRE integrated chart #2
Conversation
| ingress.kubernetes.io/ssl-redirect: "true" | ||
| meta.helm.sh/release-name: reana | ||
| meta.helm.sh/release-namespace: reana | ||
| traefik.frontend.entryPoints: http,https |
There was a problem hiding this comment.
Doesn't hurt as it's just an annotation, but need to support ingress != traefik ?
vre/values-custom.yaml
Outdated
| @@ -0,0 +1,7 @@ | |||
| reana: | |||
There was a problem hiding this comment.
Wishlist to add
hostbase or similar, that is templated for the jhub and reana host names
Make indigo IAM client secret available for jhub too
Indigo IAM authorise, token and callback URLs for reana and jhub
nfs storage classes, both the default for persistent, and the reana shared storage class
common (postgres)db secret
Rucio host (template the extraEnv and rucio.cfg file generation ?)
There was a problem hiding this comment.
Note that it is not that straightforward to remove all duplication from values. It is not possible to use template within values file itself.
It is possible to use yaml anchors but it's not for all cases (e.g. not when substring need to be templated).
Usually to avoid duplication like that, it is necessary to modify the chart itself, in this case the dependency charts.
I will see what can be done without being too invasive.
We could also template values ourselves, but it means adding a custom tool on top of helm and this will be less portable.
| deploy: | ||
| helm: | ||
| releases: | ||
| - name: cern-vre |
There was a problem hiding this comment.
maybe "escape-vre" is better, or even "my-escape-vre" as a default release name. Whatever this thing is, it won't actually be the CERN VRE :)
There was a problem hiding this comment.
I see, interesting question.
For me, "VRE" is a generic term which I see throughout the related domains. So I assumed that name of the software product is "CERN VRE". Since it is a particular kind of a Virtual Research Environment, the kind made by CERN. See also the logo:
.
It also coincides with the name of the CERN instance.
However, we have now ESCAPE VRE, CERN VRE, ETAP VRE, and I wonder.
@garciagenrique @Soap2G what do you think? Should "CERN" be anywhere in the name of the generic VRE chart?
There was a problem hiding this comment.
Thanks for raising this point.
IMO, each VRE deployment should keep their institution or "brand". In the way I imagine things, we should aim for a common "helm base layer" (let's call it vre or escape-vre). Then, each of the specific installations (CERN, ET, etc) could name their respective inherited chart as they want :)
There was a problem hiding this comment.
With respect to the logo @Soap2G was the master mind behind the design. If you like it, we can create an ET VRE one, or feel free to create one based on the cern-vre one :)
| RucioAuthenticator: | ||
| # client_id: "" # set through secret | ||
| # client_secret: "" # set through secret | ||
| authorize_url: https://iam-escape.cloud.cnaf.infn.it/authorize |
There was a problem hiding this comment.
Can the indigo client info, including callback urls (if there is a hostbase name) be factorised for reana and jhub?
There was a problem hiding this comment.
I think this could be possible. Not sure whether is a good idea in terms of security - you might want to have different authorization policies for Jupyter and REANA.
Using different clients isn't (shouldn't be) that difficult. However, it's true that it would just required the creation and maintenance (propagating IdP secrets) of two(+) different clients.
garciagenrique
left a comment
garciagenrique
left a comment
There was a problem hiding this comment.
Thanks for opening this PR. Let me add some general comments here.
I see that there are a lot of annotations that are cern-vre specific - which in the end are cern infrastructure specific. For example, the names of the volume and storage class naming, as well as the rucio env vars (among others).
Let me share here my (biased) vision of how I envision this repo (which doesn't need to be like this of course).
What would you think of creating an agnostic "base helm layer" (let's call it vre) which only deploys the "main services" - JupyterHub, Rucio and Reana? Then each vre flavor, that ideally inherits from the base layer, would add their own or specific services (nfs, grafana, EOS, CERN MONIT, etc.), change the chart values to point to their specific services (storage, network, db, idp, rucio and REANA server, etc), and name the charts as desired (cern-vre, etap, etc).
| deploy: | ||
| helm: | ||
| releases: | ||
| - name: cern-vre |
There was a problem hiding this comment.
Thanks for raising this point.
IMO, each VRE deployment should keep their institution or "brand". In the way I imagine things, we should aim for a common "helm base layer" (let's call it vre or escape-vre). Then, each of the specific installations (CERN, ET, etc) could name their respective inherited chart as they want :)
| deploy: | ||
| helm: | ||
| releases: | ||
| - name: cern-vre |
There was a problem hiding this comment.
With respect to the logo @Soap2G was the master mind behind the design. If you like it, we can create an ET VRE one, or feel free to create one based on the cern-vre one :)
|
|
||
| * <https://github.com/vre-hub/vre> | ||
|
|
||
| ## Requirements |
There was a problem hiding this comment.
See general comment about the different vre flavors
| RucioAuthenticator: | ||
| # client_id: "" # set through secret | ||
| # client_secret: "" # set through secret | ||
| authorize_url: https://iam-escape.cloud.cnaf.infn.it/authorize |
There was a problem hiding this comment.
I think this could be possible. Not sure whether is a good idea in terms of security - you might want to have different authorization policies for Jupyter and REANA.
Using different clients isn't (shouldn't be) that difficult. However, it's true that it would just required the creation and maintenance (propagating IdP secrets) of two(+) different clients.
|
There is a question right now if it makes sense to use try using new pre-release reana 0.95.0, or port the CRM changes back onto 0.9.4. |
I think it is always a good idea to try the latest version @volodymyrss. Any reason to use 0.9.4 ? |
The latest version is not released, it's in alpha. Right now I am having an issue with it, related to parsing user token info from IAM . I think it was working before though, so it's strange the issue appeared both in dev and staging setup. Maybe IAM changed. Anyway, alpha is not stable and will require continuous updates to our development. When we last talked with @tiborsimko I think it was said it's too early to try 0.95.0, but I also did not see a huge number of changes in reana github org since, and the latest release is 0.95.0-alpha.2 is in Feb. Or @garciagenrique you probably know of what is the plan for REANA version adoption in the VRE? |
This reverts commit 1cd5a9b.
|
I remembered why we moved to alpha version of REANA. It's partly because we wanted to use included DB, but I saw this https://github.com/reanahub/reana/blob/0.9.4/helm/reana/templates/reana-db.yaml#L45 which seems to set debug values only in non-debug environment - so there seems to be maybe a bug? Of course we could use external db but it seems strange. Second reason is that we are actually developing reana chart, so it's weird to start from old version. But then, current alpha version stopped working, so this needs some investigation. edit: I think alpha version is not compatible with Indigo IAM, because recent versions of I am sure it is possible to adjust In principle until 0.95.0 is stable, we could use 0.9.4 with a patch for the DB credentials in debug mode. Overall, it seems that to finish our project, we need a bit deeper changes to involvement reana and invenio_oauthclient, and count on new reana to be released. An advice from @tiborsimko would be welcome, but I can also look myself deeper and propose further reana PRs. |
volodymyrss
force-pushed
the
first-version-vre-chart
branch
from
b6e35a9 to
32decf0
Compare
|
We discussed we need to talk about storage usage. To avoid duplication of data. We are also thinking about using RSE per VRE instance. |
Postpone for later:
We'll make an issue splitting some of the features for next MR.
TODO: check SWAN charts.