diff --git a/gen3/bin/kube-setup-peregrine.sh b/gen3/bin/kube-setup-peregrine.sh
index 751d888c3..25d93baa2 100644
--- a/gen3/bin/kube-setup-peregrine.sh
+++ b/gen3/bin/kube-setup-peregrine.sh
@@ -26,6 +26,9 @@ if [[ "$(g3kubectl get service peregrine-service -o json | jq -r .spec.type)" ==
 fi
 g3kubectl apply -f "${GEN3_HOME}/kube/services/peregrine/peregrine-service.yaml"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/peregrine/peregrine-nginx.conf"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/peregrine/peregrine-gunicorn.yaml"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/nginx-sidecar/nginx.conf"
 gen3 roll peregrine-canary || true
 g3kubectl apply -f "${GEN3_HOME}/kube/services/peregrine/peregrine-canary-service.yaml"
diff --git a/kube/services/peregrine/peregrine-deploy.yaml b/kube/services/peregrine/peregrine-deploy.yaml
index 20bba64ad..33d9fe2cc 100644
--- a/kube/services/peregrine/peregrine-deploy.yaml
+++ b/kube/services/peregrine/peregrine-deploy.yaml
@@ -30,6 +30,10 @@ spec:
 GEN3_PEREGRINE_VERSION
 GEN3_DATE_LABEL
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
@@ -77,11 +81,20 @@ spec:
 - name: ca-volume
 secret:
 secretName: "service-ca"
+ - name: wsgi-config
+ configMap:
+ name: peregrine-wsgi
+ - name: nginx-config
+ configMap:
+ name: peregrine-nginx-configmap
+ - name: nginx-main-config
+ configMap:
+ name: sidecar-nginx-main
 containers:
 - name: peregrine
 GEN3_PEREGRINE_IMAGE
 ports:
- - containerPort: 80
+ - containerPort: 8000
 - containerPort: 443
 env:
 - name: GEN3_UWSGI_TIMEOUT
@@ -180,6 +193,9 @@ spec:
 readOnly: true
 mountPath: "/usr/local/share/ca-certificates/cdis-ca.crt"
 subPath: "ca.pem"
+ - name: "wsgi-config"
+ mountPath: "/peregrine/deployment/wsgi/gunicorn.conf.py"
+ subPath: gunicorn.conf.py
 imagePullPolicy: Always
 resources:
 requests:
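Review bot: The third new apply line references `${GEN3_HOME}/kube/services/nginx-sidecar/nginx.conf`, which this commit does not add, while the deployment hunks below mount a ConfigMap named `sidecar-nginx-main` that presumably comes from it; unless that file already exists in the repo, this `g3kubectl apply` fails and the rolled pod stays in ContainerCreating with a missing-ConfigMap event. The two files this commit does add are both Kubernetes manifests, yet one is named `peregrine-nginx.conf`; naming it `peregrine-nginx-configmap.yaml` (matching its `metadata.name`) keeps it consistent with the sibling `peregrine-gunicorn.yaml` and visible to manifest linters. Whether these ConfigMaps are applied before the peregrine deployment itself is rolled cannot be seen from this hunk; the script continues outside it, and the mounts are non-optional, so the ordering matters on first deploy.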
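Review bot: The new pod `securityContext` pins uid/gid 1000 but does not set `runAsNonRoot: true`, so an image whose entrypoint later resets to uid 0 would still be admitted; add `runAsNonRoot: true` to the new block and consider `seccompProfile: {type: RuntimeDefault}` next to it. The gunicorn config introduced later in this diff sets `user = 'gen3'` / `group = 'gen3'`; a process already running as a non-root uid cannot switch to a different account, so this only works if `gen3` resolves to uid/gid 1000 inside the image — confirm that, or drop the `user`/`group` keys and let the pod-level settings decide. The same uid also applies to the nginx sidecar added in the last deployment hunk, which needs an image whose pid file and cache paths are writable by uid 1000. The enclosing pod template continues outside this hunk.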
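Review bot: `containerPort: 80` becomes 8000, but nothing in this diff touches `peregrine-service.yaml`; if that Service still targets port 80, traffic from the ingress is refused once the pod rolls, and the sidecar's 8080 (declared as the named port `http` later in the diff) is the intended entry point. Update the Service's `targetPort` in the same change, ideally to the named port `http` so the two manifests cannot drift. `containerPort: 443` is kept even though the new gunicorn config binds only 8000 and uid 1000 cannot bind 443; if nothing listens there any more, drop the line rather than advertise a dead port. The three new ConfigMap volumes are non-optional (no `optional: true`), so each referenced ConfigMap must exist before the first roll; `sidecar-nginx-main` is not defined in this commit.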
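Review bot: The new mount quotes `name` and `mountPath` but leaves `subPath: gunicorn.conf.py` plain, while the sibling entry directly above writes `subPath: "ca.pem"`; use one quoting style in this list, e.g. `subPath: "gunicorn.conf.py"`. Because this is a `subPath` mount, later edits to the `peregrine-wsgi` ConfigMap are not projected into running pods; that is acceptable for a config gunicorn reads once at start-up, but a comment such as `# subPath mount: ConfigMap changes need a pod restart` saves the next reader a debugging session. The `GEN3_UWSGI_TIMEOUT` env var visible as context in the previous hunk looks stale now that gunicorn's `timeout = 300` governs request time — worth confirming whether peregrine still reads it. The `volumeMounts` list continues outside this hunk.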
@@ -190,7 +206,7 @@ spec:
 livenessProbe:
 httpGet:
 path: /_status?timeout=20
- port: 80
+ port: 8000
 # peregrine can take forever to initialize
 initialDelaySeconds: 60
 periodSeconds: 60
@@ -198,4 +214,21 @@ spec:
 readinessProbe:
 httpGet:
 path: /_status?timeout=2
- port: 80
+ port: 8000
+ - name: sidecar-nginx
+ image: quay.io/cdis/nginx-sidecar:nginx-sidecar-feat_nginx-sidecar
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /_status
+ port: http
+ volumeMounts:
+ - name: "nginx-main-config"
+ mountPath: "/etc/nginx/nginx.conf"
+ subPath: "nginx.conf"
+ - name: "nginx-config"
+ mountPath: "/etc/nginx/conf.d/default.conf"
+ subPath: default.conf
\ No newline at end of file
diff --git a/kube/services/peregrine/peregrine-gunicorn.yaml b/kube/services/peregrine/peregrine-gunicorn.yaml
new file mode 100644
index 000000000..ce563b636
--- /dev/null
+++ b/kube/services/peregrine/peregrine-gunicorn.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: peregrine-wsgi
+data:
+ gunicorn.conf.py: |
+ wsgi_app = "deployment.wsgi.wsgi:application"
+ bind = "0.0.0.0:8000"
+ workers = 1
+ user = 'gen3'
+ group = 'gen3'
+ timeout = 300
+ worker_class = "uvicorn.workers.UvicornWorker"
\ No newline at end of file
diff --git a/kube/services/peregrine/peregrine-nginx.conf b/kube/services/peregrine/peregrine-nginx.conf
new file mode 100644
index 000000000..1b65d97f6
--- /dev/null
+++ b/kube/services/peregrine/peregrine-nginx.conf
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: peregrine-nginx-configmap
+data:
+ default.conf: |
+ server {
+ listen 8080;
+ server_name localhost;
+ location / {
+ proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address
+ }
+ }
\ No newline at end of file
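Review bot: The liveness probe now hits gunicorn on 8000 directly, which is the right target (the sidecar's health should not restart the app container), but the gunicorn config in this diff runs `workers = 1` with `timeout = 300`, so a single long-running request can hold the only worker and make `/_status?timeout=20` miss its deadline, and the kubelet would then restart a healthy but busy container. Consider a `failureThreshold` above the default, or a second worker, and replace `initialDelaySeconds: 60` with a `startupProbe` so the comment `# peregrine can take forever to initialize` no longer has to be encoded as a fixed delay. The `livenessProbe` block starts before this hunk.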
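Review bot: The sidecar image `quay.io/cdis/nginx-sidecar:nginx-sidecar-feat_nginx-sidecar` is a mutable feature-branch tag pulled with `imagePullPolicy: IfNotPresent`, so each node keeps whichever build it cached first and replicas can run different nginx binaries with no audit trail; pin to a release tag or, better, a digest (`quay.io/cdis/nginx-sidecar@sha256:<digest>`) before this merges. The sidecar also has no `resources` block and no `livenessProbe`, unlike the peregrine container, so a wedged nginx leaves the pod Ready-but-dead and the pod can no longer qualify for Guaranteed QoS; add both, and give this network-facing container its own `securityContext` (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` with emptyDir mounts for the nginx cache/pid paths). The file now ends without a trailing newline (`\ No newline at end of file`), which yamllint flags.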
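Review bot: `worker_class = "uvicorn.workers.UvicornWorker"` is paired with `wsgi_app = "deployment.wsgi.wsgi:application"`; the uvicorn worker auto-detects the callable as ASGI and gunicorn settings give no way to force `interface="wsgi"`, so if `application` is a plain WSGI (Flask) app every request fails once a worker is up — confirm the app is ASGI, or use gunicorn's native `sync`/`gthread` worker class. `user = 'gen3'` and `group = 'gen3'` require that account to exist in the image and its ids to equal the pod's `runAsUser`/`runAsGroup` of 1000, because a non-root master cannot setuid to another account; either drop these two keys or document the coupling with `# must match runAsUser/runAsGroup (1000) in peregrine-deploy.yaml`. `bind = "0.0.0.0:8000"` is needed for the kubelet probes, but it also means 8000 is reachable from other pods and the nginx sidecar can be bypassed inside the cluster unless a NetworkPolicy limits ingress to 8080. The Python snippet mixes `'` and `"` quoting and the file ends without a newline.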
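Review bot: The proxied `location /` sets no `proxy_set_header` directives, so gunicorn sees every request as coming from 127.0.0.1 with `Host: 127.0.0.1:8000`, which breaks client-IP logging and any URL building that depends on the original Host; and nginx's default `proxy_read_timeout` of 60s is shorter than the `timeout = 300` configured for gunicorn, so long peregrine queries are cut off by the sidecar with a 504 while the worker keeps running. The rewrite below forwards the usual headers and aligns the read timeout with gunicorn. Note that the sidecar's own readinessProbe proxies `/_status` through this block, so the sidecar reports not-ready whenever gunicorn is slow rather than when nginx is unhealthy — decide whether that is intended. The file is a YAML manifest despite its `.conf` name and ends without a trailing newline.
```yaml
  default.conf: |
    # … unchanged: server { listen 8080; server_name localhost; …
    location / {
      proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_read_timeout 300s; # keep in step with gunicorn timeout = 300
    }
```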