Commit 03cb1652 authored by Giuseppe Tudisco's avatar Giuseppe Tudisco

canfar: reinstall science-portal

parent 1528194c
+18 −0
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: scienceportal-es
  namespace: skaha-system
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: scienceportal-credentials
    creationPolicy: Owner
  data:
  - secretKey: clientSecret
    remoteRef:
      key: canfar
      property: portalClientSecret
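Review bot: A rotated `portalClientSecret` reaches `scienceportal-credentials` within `refreshInterval: 1h`, but the only consumer visible in this commit reads it once, in the `patch-secrets` init container at pod start, so running pods keep the old value until they are restarted. A comment above `refreshInterval` would make that explicit, for example `# Rendered into the portal config at pod start only; restart the Deployment after rotating the secret in Vault`. Whether anything else triggers a rollout when the Secret changes cannot be seen from this page.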
+20 −0
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- es-scienceportal.yaml

helmCharts:
  - name: scienceportal
    repo: https://images.opencadc.org/chartrepo/platform
    version: 1.0.0
    namespace: skaha-system
    valuesFile: values-scienceportal.yaml

patches:
  - target:
      version: v1
      kind: Deployment
      name: science-portal-tomcat
    path: patch-science-portal.yaml
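Review bot: The `scienceportal` chart is fetched from `https://images.opencadc.org/chartrepo/platform` at render time and pinned only by `version: 1.0.0`, so nothing in this repository fixes the chart's content; a chart republished under the same version would render differently without any diff here. Vendoring the chart, or committing the rendered manifests for review, would make such a change visible. Separately, the patch depends on the chart naming its Deployment `science-portal-tomcat`; if an upgrade renames it the secret substitution may stop being applied without an error (kustomize's behaviour on a non-matching target should be confirmed), which would leave the literal `${CLIENT_SECRET}` in the portal config.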
+36 −0
- op: add
  path: /spec/template/spec/initContainers
  value:
    - name: patch-secrets
      image: envsubst/envsubst
      command:
        - "sh"
        - "-c"
        - |
          cp /config/* /patched-config/ && \
          cp /patched-config/org.opencadc.science-portal.properties /patched-config/org.opencadc.science-portal.properties.orig && \
          envsubst < /patched-config/org.opencadc.science-portal.properties.orig > /patched-config/org.opencadc.science-portal.properties
      env:
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: scienceportal-credentials
              key: clientSecret
      volumeMounts:
        - name: config-volume
          mountPath: /config
        - name: patched-config
          mountPath: /patched-config

- op: replace
  path: /spec/template/spec/containers/0/volumeMounts/0
  value:
    mountPath: "/config"
    name: patched-config

- op: add
  path: /spec/template/spec/volumes/-
  value:
    name: patched-config
    emptyDir: {}
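Review bot: The `patch-secrets` init container receives the OIDC client secret through `CLIENT_SECRET`, yet its image is `envsubst/envsubst` with no tag or digest, so whatever that third-party repository currently serves as its default tag runs with the secret in its environment. Pin it, e.g. `image: envsubst/envsubst@sha256:<digest-of-reviewed-image>` (placeholder), or use an image the project builds itself. The `envsubst` call also names no variables, so every `$NAME`/`${NAME}` in the properties file is substituted, not only the secret; if the image ships GNU envsubst, `envsubst '${CLIENT_SECRET}' < …` limits it to that one. The first operation is `op: add` on `/spec/template/spec/initContainers`, which replaces the whole list if the chart already defines init containers, and the `replace` on `volumeMounts/0` assumes `/config` is the first mount; both deserve a comment and a check against the rendered chart.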
+151 −0
kubernetesClusterDomain: cluster.local

# Tell Kubernetes to spin up multiple instances.  Defaults to 1.
replicaCount: 3

# @param securityContext - Optional security context for the container.  This is a security feature to restrict system calls.
# securityContext: {}
#
# Example:
# securityContext:
#   seccompProfile:
#     type: RuntimeDefault
securityContext: {}

# @param podSecurityContext - Optional pod security context for the deployment.
# podSecurityContext: {}
#
# Example:
# podSecurityContext:
#   fsGroup: 1000
#   runAsUser: 1000
#   allowPrivilegeEscalation: false
podSecurityContext: {}

# @param applicationName - The name of the application.  This will rename the underlying WAR file, thus changing the endpoint.  Defaults to science-portal.
# applicationName: science-portal

# Science Portal web service deployment
deployment:
  hostname: canfar.itsrc.ext.cineca.it
  sciencePortal:
    image: images.opencadc.org/platform/science-portal:1.0.1
    imagePullPolicy: Always

    tabLabels:
      - "Standard"
      - "Advanced"

    # Optionally set the DEBUG port.
    # extraEnv:
    # - name: CATALINA_OPTS
    #   value: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:5555"
    # - name: JAVA_OPTS
    #   value: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:5555"

    # Uncomment to debug.  Requires options above as well as service port exposure below.
    # extraPorts:
    # - containerPort: 5555
    #   protocol: TCP

    # Resources provided to the Science Portal Kubernetes Pod.
    resources:
      requests:
        memory: "500M"
        cpu: "500m"
      limits:
        memory: "1G"
        cpu: "1"

    # The Resource ID of the Service that contains the URL of the Skaha service in the IVOA Registry
    # Example:
    # skahaResourceID: ivo://example.org/skaha
    skahaResourceID: ivo://canfar.itsrc.ext.cineca.it/skaha

    # ID (URI) of the GMS Service.
    # gmsID: ivo://example.org/gms
    gmsID: ivo://skao.int/gms

    # OIDC (IAM) server configuration.  These are required
    oidc:
      # Location of the OpenID Provider (OIdP)
      uri: https://ska-iam.stfc.ac.uk/
      # The Client ID as listed on the OIdP.
      clientID: 830b713c-0a8c-4c7f-8482-6d401954e325
      # The Client Secret, which should be generated by the OIdP.
      clientSecret: ${CLIENT_SECRET} # patched by kustomize
      # Name of existing secret containing 'clientSecret' key with value of Client Secret, which should be generated by the OIdP.
      # This is an alternative to providing the 'clientSecret' in cleartext in the chart.
      # existingSecretName: scienceportal-credentials
      # Where the OIdP should send the User after successful authentication (redirect_uri)
      redirectURI: https://canfar.itsrc.ext.cineca.it/science-portal/oidc-callback
      # Where to redirect to after the redirectURI callback has completed.  This will usually be the URL to the /science-portal main page.
      callbackURI: https://canfar.itsrc.ext.cineca.it/science-portal/
      # The standard OpenID scopes for token requests.  This is required.
      scope: "openid profile offline_access"

    # Set the Registry URL pointing to the desired registry (https:// URL)
    registryURL: https://spsrc27.iaa.csic.es/reg

    # This applies to the Science Portal itself.  Meaning, this Pod will be scheduled as described
    # by the nodeAffinity clause.
    # See https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/
    # nodeAffinity: {}

    # The IdentityManager class handling authentication.  This should generally be left alone
    identityManagerClass: org.opencadc.auth.StandardIdentityManager

    # Optionally mount a custom CA certificate
    # extraVolumeMounts:
    # - mountPath: "/config/cacerts"
    #   name: cacert-volume

    # Create the CA certificate volume to be mounted in extraVolumeMounts
    # extraVolumes:
    # - name: cacert-volume
    #   secret:
    #     defaultMode: 420
    #     secretName: science-portal-cacert-secret

    # Supported theme name (src or canfar).
    # Example:
    # themeName: canfar
    themeName: src

experimentalFeatures:
  enabled: false
  # Required. The absolute URL of the /home folder containing the user's home directories.  This is used to query the storage quota information.
  # A typical value would be the /nodes/home endpoint of the Cavern service.
  # Example:
  #   storageHomeURL: https://example.org/cavern/nodes/home
  # storageHomeURL:

# This is a list of tolerations that will be added to the Pod spec of the Science Portal UI.
# @see https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
#
# Example:
# tolerations:
# - key: "key1"
#   operator: "Equal"
#   value: "value1"
#   effect: "NoSchedule"
#
tolerations: []

# secrets:
  # Uncomment to enable local or self-signed CA certificates for your domain to be trusted.
  # science-portal-cacert-secret:
  #   ca.crt: <base64 encoded ca crt>

# For the token caching
redis:
  image:
    repository: redis
    tag: 8.2.2-bookworm
  architecture: 'standalone'
  auth:
    enabled: false
  master:
    persistence:
      enabled: false
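Review bot: `redis.auth.enabled: false` leaves the token cache unauthenticated while `oidc.scope` requests `offline_access`, so the cached values may include long-lived refresh tokens readable by any workload that can reach the Redis service. Unless a NetworkPolicy outside this page restricts access to it, set `auth.enabled: true` with the password taken from a Secret, provided the portal can be configured to authenticate to Redis. The commented-out `existingSecretName: scienceportal-credentials` is described as the alternative to a cleartext `clientSecret`; if chart 1.0.0 supports it, using it would remove the need for the `${CLIENT_SECRET}` placeholder and the envsubst init container. `securityContext: {}` and `podSecurityContext: {}` are also left empty although the comments above them show hardening examples such as `seccompProfile: type: RuntimeDefault`.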
+3 −0
@@ -38,6 +38,9 @@ spec:
      helm:
        valueFiles:
          - $repo/apps/canfar/values-cavern.yaml
    - repoURL: https://www.ict.inaf.it/gitlab/itsrc/itsrc-services-cd.git
      path: apps/canfar/scienceportal
      targetRevision: HEAD
    - repoURL: https://www.ict.inaf.it/gitlab/itsrc/itsrc-services-cd.git
      path: apps/canfar
      targetRevision: HEAD