adding peregrine

gen3/bin/kube-setup-peregrine.sh

@@ -26,6 +26,9 @@ if [[ "$(g3kubectl get service peregrine-service -o json | jq -r .spec.type)" ==
 fi
 
 g3kubectl apply -f "${GEN3_HOME}/kube/services/peregrine/peregrine-service.yaml"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/peregrine/peregrine-nginx.conf"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/peregrine/peregrine-gunicorn.yaml"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/nginx-sidecar/nginx.conf"
 gen3 roll peregrine-canary || true
 g3kubectl apply -f "${GEN3_HOME}/kube/services/peregrine/peregrine-canary-service.yaml"
 

kube/services/peregrine/peregrine-deploy.yaml

@@ -30,6 +30,10 @@ spec:
         GEN3_PEREGRINE_VERSION
         GEN3_DATE_LABEL
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -77,11 +81,20 @@ spec:
         - name: ca-volume
           secret:
             secretName: "service-ca"
+        - name: wsgi-config
+          configMap:
+            name: peregrine-wsgi
+        - name: nginx-config
+          configMap:
+            name: peregrine-nginx-configmap
+        - name: nginx-main-config
+          configMap:
+            name: sidecar-nginx-main 
       containers:
         - name: peregrine
           GEN3_PEREGRINE_IMAGE
           ports:
-          - containerPort: 80
+          - containerPort: 8000
           - containerPort: 443
           env:
           - name: GEN3_UWSGI_TIMEOUT
@@ -180,6 +193,9 @@ spec:
               readOnly: true
               mountPath: "/usr/local/share/ca-certificates/cdis-ca.crt"
               subPath: "ca.pem"
+            - name: "wsgi-config"
+              mountPath: "/peregrine/deployment/wsgi/gunicorn.conf.py"
+              subPath: gunicorn.conf.py
           imagePullPolicy: Always
           resources:
             requests:
@@ -190,12 +206,29 @@ spec:
           livenessProbe:
             httpGet:
               path: /_status?timeout=20
-              port: 80
+              port: 8000
             # peregrine can take forever to initialize
             initialDelaySeconds: 60
             periodSeconds: 60
             timeoutSeconds: 30
           readinessProbe:
             httpGet:
               path: /_status?timeout=2
-              port: 80
+              port: 8000
+        - name: sidecar-nginx
+          image: quay.io/cdis/nginx-sidecar:nginx-sidecar-feat_nginx-sidecar
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /_status
+              port: http
+          volumeMounts:
+            - name: "nginx-main-config"
+              mountPath: "/etc/nginx/nginx.conf"
+              subPath: "nginx.conf"
+            - name: "nginx-config"
+              mountPath: "/etc/nginx/conf.d/default.conf"
+              subPath: default.conf

kube/services/peregrine/peregrine-gunicorn.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: peregrine-wsgi
+data:
+  gunicorn.conf.py: |
+    wsgi_app = "deployment.wsgi.wsgi:application"
+    bind = "0.0.0.0:8000"
+    workers = 1
+    user = 'gen3'
+    group = 'gen3'
+    timeout = 300
+    worker_class = "uvicorn.workers.UvicornWorker"

kube/services/peregrine/peregrine-nginx.conf

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: peregrine-nginx-configmap
+data:
+  default.conf: |
+      server {
+          listen 8080;
+          server_name localhost;
+          location / {
+              proxy_pass http://127.0.0.1:8000;  # Gunicorn binds to this address
+          }
+      }