adding fence

gen3/bin/kube-setup-fence.sh

@@ -62,6 +62,9 @@ fi
 # deploy fence
 gen3 roll fence
 g3kubectl apply -f "${GEN3_HOME}/kube/services/fence/fence-service.yaml"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/fence/fence-nginx.conf"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/fence/fence-gunicorn.yaml"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/nginx-sidecar/nginx.conf"
 
 portalApp="$(g3k_manifest_lookup .global.portal_app)"
 if ! [[ "$portalApp" =~ ^GEN3-WORKSPACE ]]; then

kube/services/fence/fence-deploy.yaml

@@ -32,6 +32,10 @@ spec:
         GEN3_DATE_LABEL
     spec:
       serviceAccountName: fence-sa
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -106,6 +110,15 @@ spec:
         - name: yaml-merge
           configMap:
             name: "fence-yaml-merge"
+        - name: wsgi-config
+          configMap:
+            name: fence-wsgi
+        - name: nginx-config
+          configMap:
+            name: fence-nginx-configmap
+        - name: nginx-main-config
+          configMap:
+            name: sidecar-nginx-main 
       securityContext:
         # nginx group in current images
         fsGroup: 101
@@ -163,16 +176,16 @@ spec:
         livenessProbe:
           httpGet:
             path: /_status
-            port: 80
+            port: 8000
           initialDelaySeconds: 30
           periodSeconds: 60
           timeoutSeconds: 30
         readinessProbe:
           httpGet:
             path: /_status
-            port: 80
+            port: 8000
         ports:
-        - containerPort: 80
+        - containerPort: 8000
         - containerPort: 443
         - containerPort: 6567
         volumeMounts:
@@ -238,6 +251,9 @@ spec:
             readOnly: true
             mountPath: "/fence/jwt-keys.tar"
             subPath: "jwt-keys.tar"
+          - name: "wsgi-config"
+            mountPath: "/fence/deployment/wsgi/gunicorn.conf.py"
+            subPath: gunicorn.conf.py
         resources:
             requests:
               cpu: 0.4
@@ -252,6 +268,23 @@ spec:
             echo "${FENCE_PUBLIC_CONFIG:-""}" > "/var/www/fence/fence-config-public.yaml"
             python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-public.yaml /var/www/fence/fence-config-secret.yaml > /var/www/fence/fence-config.yaml
             bash /fence/dockerrun.bash && if [[ -f /dockerrun.sh ]]; then bash /dockerrun.sh; fi
+      - name: sidecar-nginx
+        image: quay.io/cdis/nginx-sidecar:nginx-sidecar-feat_nginx-sidecar
+        imagePullPolicy: IfNotPresent
+        ports:
+          - name: http
+            containerPort: 8080
+        readinessProbe:
+          httpGet:
+            path: /_status
+            port: http
+        volumeMounts:
+          - name: "nginx-main-config"
+            mountPath: "/etc/nginx/nginx.conf"
+            subPath: "nginx.conf"
+          - name: "nginx-config"
+            mountPath: "/etc/nginx/conf.d/default.conf"
+            subPath: default.conf
       initContainers:
       - name: fence-init
         GEN3_FENCE_IMAGE

kube/services/fence/fence-gunicorn.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fence-wsgi
+data:
+  gunicorn.conf.py: |
+    wsgi_app = "deployment.wsgi.wsgi:application"
+    bind = "0.0.0.0:8000"
+    workers = 1
+    user = 'gen3'
+    group = 'gen3'
+    timeout = 300
+    worker_class = "uvicorn.workers.UvicornWorker"

kube/services/fence/fence-nginx.conf

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fence-nginx-configmap
+data:
+  default.conf: |
+      server {
+          listen 8080;
+          server_name localhost;
+          location / {
+              proxy_pass http://127.0.0.1:8000;  # Gunicorn binds to this address
+          }
+      }