Update 2 files

- /helm/orchard/values-stage.yaml - /.gitlab-ci.yml
2026-01-06 15:23:20 -07:00
parent 7cfad28f67
commit 2ebea2f7e3
2 changed files with 253 additions and 21 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -27,25 +27,67 @@ python_tests:
    - cd backend
    - python -m pytest -v || echo "No tests yet"

-# deploy_helm_charts:
-#   stage: deploy
-#   image:
-#     name: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
-#   parallel:
-#     matrix:
-#       # - ENV: "prod"
-#       #   VALUES_FILE: "helm/values-prod.yaml"
-#       #   CONTEXT: "esv/bsf/bsf-services/gitlab-kaas-agent-config:services-prod-agent"
-#       #   NAMESPACE: "bsf-services-namespace"
-#         # ONLY: "main"
-#       - ENV: "dev"
-#         VALUES_FILE: "helm/orchard/values.yaml"
-#         CONTEXT: "esv/bsf/bsf-services/gitlab-kaas-agent-config:services-prod-agent"
-#         NAMESPACE: "bsf-services-dev-namespace"
-#         # ONLY: ["branches", "!main"]
-#   script:
-#     - kubectl config use-context $CONTEXT
-#     - echo "Deploy - buildah push ${IMAGE_NAME}:latest"
-#     - |
-#       helm upgrade --install orchard-dev ./helm/orchard --namespace $NAMESPACE -f $VALUES_FILE
+deploy_helm_charts:
+  stage: deploy
+  image:
+    name: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
+  parallel:
+    matrix:
+      # - ENV: "prod"
+      #   VALUES_FILE: "helm/values-prod.yaml"
+      #   CONTEXT: "esv/bsf/bsf-services/gitlab-kaas-agent-config:services-prod-agent"
+      #   NAMESPACE: "bsf-services-namespace"
+        # ONLY: "main"
+      - ENV: "dev"
+        VALUES_FILE: "helm/orchard/values.yaml"
+        CONTEXT: "esv/bsf/bsf-services/gitlab-kaas-agent-config:services-prod-agent"
+        NAMESPACE: "bsf-services-dev-namespace"
+        # ONLY: ["branches", "!main"]
+  script:
+    - kubectl config use-context $CONTEXT
+    - echo "Deploy - buildah push ${IMAGE_NAME}:latest"
+    - |
+      helm upgrade --install orchard-dev ./helm/orchard --namespace $NAMESPACE -f $VALUES_FILE

+stages:
+  - deploy
+
+.deploy_template: &deploy_template
+  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
+  before_script:
+    - helm version
+    - helm repo add stable https://charts.helm.sh/stable
+    - helm repo add bitnami https://charts.bitnami.com/bitnami
+    - cd helm/orchard
+    - helm dependency update
+    - helm repo update
+  script:
+    - echo "Deploying to $ENV environment in namespace $NAMESPACE using chart $VALUES_FILE with agent $AGENT"
+    - helm upgrade --install orchard-$ENV ./helm/orchard --namespace $NAMESPACE -f $VALUES_FILE --set image.tag=$IMAGE
+  kubernetes:
+    agent: $AGENT
+  environment:
+    name: $ENV
+
+deploy:
+  stage: deploy
+  parallel:
+    matrix:
+      # - ENV: dev
+      #   NAMESPACE: dev
+      #   CHART: ./charts/chart-a
+      #   AGENT: dev-agent
+      - ENV: stage
+        NAMESPACE: orch-stage-namespace
+        VALUES_FILE: "helm/orchard/values-stage.yaml"
+        AGENT: orchard-stage
+        IMAGE: git.linux-amd64-81458b3bcb5ace97109ba4c16f4afa6e55b1b8bd
+  rules:
+    # - if: '$CI_COMMIT_TAG && $CI_JOB_NAME == "deploy (production)"'
+    #   when: always
+    # - if: '$CI_COMMIT_BRANCH == "main" && $CI_JOB_NAME == "deploy (stage)" && $CI_COMMIT_TAG == null'
+    #   when: always
+    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main" && $CI_COMMIT_TAG == null && $CI_JOB_NAME == "deploy (stage)"'
+      when: always
+    - when: never
+  <<: *deploy_template
--- a/helm/orchard/values-stage.yaml
+++ b/helm/orchard/values-stage.yaml
@@ -0,0 +1,190 @@
+# Default values for orchard
+replicaCount: 1
+
+image:
+  repository: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp
+  pullPolicy: Always
+  tag: "latest"  # Defaults to chart appVersion
+
+imagePullSecrets:
+  - name: orchard-pull-secret
+
+# Init container image (used for wait-for-db, wait-for-minio)
+initContainer:
+  image:
+    repository: containers.global.bsf.tools/busybox
+    tag: "1.36"
+    pullPolicy: IfNotPresent
+
+serviceAccount:
+  create: true
+  automount: true
+  annotations: {}
+  name: "orchard"
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+
+securityContext:
+  readOnlyRootFilesystem: false  # Python needs to write __pycache__
+  runAsNonRoot: true
+  runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 8080
+
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+  hosts:
+    - host: orchard-stage.common.global.bsf.tools
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: 
+    - secretName: orchard-tls
+      hosts:
+        - orchard-stage.common.global.bsf.tools
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 500m
+    memory: 512Mi
+
+livenessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 10
+  periodSeconds: 10
+
+readinessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 5
+  periodSeconds: 5
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 80
+  targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# Orchard server configuration
+orchard:
+  server:
+    host: "0.0.0.0"
+    port: 8080
+
+  # Database configuration (used when postgresql.enabled is false)
+  database:
+    host: ""
+    port: 5432
+    user: orchard
+    password: ""
+    dbname: orchard
+    sslmode: disable
+    existingSecret: ""
+    existingSecretPasswordKey: "password"
+
+  # S3 configuration (used when minio.enabled is false)
+  s3:
+    endpoint: ""
+    region: us-east-1
+    bucket: orchard-artifacts
+    accessKeyId: ""
+    secretAccessKey: ""
+    usePathStyle: true
+    existingSecret: ""
+    existingSecretAccessKeyKey: "access-key-id"
+    existingSecretSecretKeyKey: "secret-access-key"
+
+  # Download configuration
+  download:
+    mode: "presigned"  # presigned, redirect, or proxy
+    presignedUrlExpiry: 3600  # Presigned URL expiry in seconds
+
+# PostgreSQL subchart configuration
+postgresql:
+  enabled: true
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/postgresql
+    tag: "15"
+    pullPolicy: IfNotPresent
+  auth:
+    username: orchard
+    password: orchard-password
+    database: orchard
+  primary:
+    persistence:
+      enabled: false
+      size: 10Gi
+
+# MinIO subchart configuration
+minio:
+  enabled: true
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/minio
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  auth:
+    rootUser: minioadmin
+    rootPassword: minioadmin
+  defaultBuckets: "orchard-artifacts"
+  persistence:
+    enabled: false
+    size: 50Gi
+
+# MinIO external ingress for presigned URL access (separate from subchart ingress)
+minioIngress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"  # Disable body size limit for uploads
+  host: "minio-orch-stage.common.global.bsf.tools"
+  tls:
+    enabled: true
+    secretName: minio-tls
+
+# Redis subchart configuration (for future caching)
+redis:
+  enabled: false
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/redis
+    tag: "7.2"
+    pullPolicy: IfNotPresent
+  auth:
+    enabled: true
+    password: redis-password
+  architecture: standalone
+  master:
+    persistence:
+      enabled: true
+      size: 1Gi
+
+# Wait for database before starting (SQLAlchemy creates tables on startup)
+waitForDatabase: true
+
+global:
+  security:
+    allowInsecureImages: true