tutor/tutor-cairn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
tutor-cairn/tutorcairn/patches/k8s-deployments
Florian du Garage Num 1a9977e454
Some checks failed
Sync with private repo / sync (push) Has been cancelled
Details
Run tests / tests (3.12) (push) Has been cancelled
Details
Run tests / tests (3.9) (push) Has been cancelled
Details
remove hard-coded uid 1000
2025-09-30 21:41:58 +02:00

383 lines
10 KiB
Plaintext
Raw Blame History

---
####### Cairn plugin
# log collection
# https://vector.dev/docs/setup/installation/platforms/kubernetes/
# https://github.com/vectordotdev/vector/blame/master/distribution/kubernetes/vector-agent/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cairn-vector
labels:
app.kubernetes.io/name: cairn-vector
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cairn-vector
rules:
- apiGroups:
- ""
resources:
- namespaces
- nodes
- pods
verbs:
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cairn-vector
labels:
app.kubernetes.io/name: cairn-vector
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cairn-vector
subjects:
- kind: ServiceAccount
name: cairn-vector
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cairn-vector
labels:
app.kubernetes.io/name: cairn-vector
spec:
selector:
matchLabels:
name: cairn-vector
template:
metadata:
labels:
name: cairn-vector
spec:
serviceAccountName: cairn-vector
# Run vector next to LMS
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- lms
topologyKey: kubernetes.io/hostname
containers:
- name: cairn-vector
image: {{ CAIRN_VECTOR_DOCKER_IMAGE }}
env:
- name: VECTOR_SELF_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: VECTOR_SELF_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VECTOR_SELF_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: PROCFS_ROOT
value: /host/proc
- name: SYSFS_ROOT
value: /host/sys
- name: VECTOR_LOG
value: warn
volumeMounts:
- name: data
mountPath: /var/lib/vector
- name: var-log
mountPath: /var/log/
readOnly: true
- mountPath: /etc/vector/vector.toml
name: config
subPath: k8s.toml
readOnly: true
securityContext:
allowPrivilegeEscalation: false
volumes:
- name: data
persistentVolumeClaim:
claimName: cairn-vector
- name: var-log
hostPath:
path: /var/log/
- name: config
configMap:
name: cairn-vector-config
{% if CAIRN_RUN_CLICKHOUSE %}
---
# data storage
apiVersion: apps/v1
kind: Deployment
metadata:
name: cairn-clickhouse
labels:
app.kubernetes.io/name: cairn-clickhouse
spec:
selector:
matchLabels:
app.kubernetes.io/name: cairn-clickhouse
template:
metadata:
labels:
app.kubernetes.io/name: cairn-clickhouse
spec:
securityContext:
runAsUser: {{ APP_USER_ID }}
runAsGroup: {{ APP_USER_ID }}
fsGroup: {{ APP_USER_ID }}
fsGroupChangePolicy: "OnRootMismatch"
containers:
- name: cairn-clickhouse
image: {{ CAIRN_CLICKHOUSE_DOCKER_IMAGE }}
env:
- name: CLICKHOUSE_DO_NOT_CHOWN
value: "1"
volumeMounts:
- mountPath: /var/lib/clickhouse
name: data
- mountPath: /etc/clickhouse-server/users.d/cairn.xml
name: user-config
subPath: cairn.xml
- mountPath: /scripts/clickhouse-auth.json
name: clickhouse-auth
subPath: auth.json
ports:
- containerPort: 8123
- containerPort: 9000
securityContext:
allowPrivilegeEscalation: false
volumes:
- name: data
persistentVolumeClaim:
claimName: cairn-clickhouse
- name: user-config
configMap:
name: cairn-clickhouse-user-config
- name: clickhouse-auth
configMap:
name: cairn-clickhouse-auth
{% endif %}
---
# cairn frontend
apiVersion: apps/v1
kind: Deployment
metadata:
name: cairn-superset
labels:
app.kubernetes.io/name: cairn-superset
spec:
selector:
matchLabels:
app.kubernetes.io/name: cairn-superset
template:
metadata:
labels:
app.kubernetes.io/name: cairn-superset
spec:
securityContext:
runAsUser: {{ APP_USER_ID }}
runAsGroup: {{ APP_USER_ID }}
containers:
- name: cairn-superset
image: {{ CAIRN_SUPERSET_DOCKER_IMAGE }}
volumeMounts:
- mountPath: /app/superset_config.py
name: config
subPath: superset_config.py
- mountPath: /app/bootstrap/
name: bootstrap
- mountPath: /app/superset/cairn/clickhouse-auth.json
name: clickhouse-auth
subPath: auth.json
securityContext:
allowPrivilegeEscalation: false
volumes:
- name: config
configMap:
name: cairn-superset-config
- name: bootstrap
configMap:
name: cairn-superset-bootstrap
- name: clickhouse-auth
configMap:
name: cairn-clickhouse-auth
---
# frontend worker
apiVersion: apps/v1
kind: Deployment
metadata:
name: cairn-superset-worker
labels:
app.kubernetes.io/name: cairn-superset-worker
spec:
selector:
matchLabels:
app.kubernetes.io/name: cairn-superset-worker
template:
metadata:
labels:
app.kubernetes.io/name: cairn-superset-worker
spec:
securityContext:
runAsUser: {{ APP_USER_ID }}
runAsGroup: {{ APP_USER_ID }}
containers:
- name: cairn-superset-worker
image: {{ CAIRN_SUPERSET_DOCKER_IMAGE }}
args: ["celery", "--app=superset.tasks.celery_app:app", "worker", "-Ofair", "-l", "INFO"]
volumeMounts:
- mountPath: /app/superset_config.py
name: config
subPath: superset_config.py
securityContext:
allowPrivilegeEscalation: false
volumes:
- name: config
configMap:
name: cairn-superset-config
---
# frontend celery beat
apiVersion: apps/v1
kind: Deployment
metadata:
name: cairn-superset-worker-beat
labels:
app.kubernetes.io/name: cairn-superset-worker-beat
spec:
selector:
matchLabels:
app.kubernetes.io/name: cairn-superset-worker-beat
template:
metadata:
labels:
app.kubernetes.io/name: cairn-superset-worker-beat
spec:
securityContext:
runAsUser: {{ APP_USER_ID }}
runAsGroup: {{ APP_USER_ID }}
containers:
- name: cairn-superset-worker-beat
image: {{ CAIRN_SUPERSET_DOCKER_IMAGE }}
args: ["celery", "--app=superset.tasks.celery_app:app", "beat", "--pidfile", "/tmp/celerybeat.pid", "-l", "INFO", "--schedule=/tmp/celerybeat-schedule"]
volumeMounts:
- mountPath: /app/superset_config.py
name: config
subPath: superset_config.py
securityContext:
allowPrivilegeEscalation: false
volumes:
- name: config
configMap:
name: cairn-superset-config
{% if CAIRN_RUN_POSTGRESQL %}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cairn-postgresql
labels:
app.kubernetes.io/name: cairn-postgresql
spec:
selector:
matchLabels:
app.kubernetes.io/name: cairn-postgresql
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/name: cairn-postgresql
spec:
securityContext:
runAsUser: 70
runAsGroup: 70
fsGroup: 70
fsGroupChangePolicy: "OnRootMismatch"
containers:
- name: cairn-postgresql
image: docker.io/postgres:9.6-alpine
env:
- name: POSTGRES_USER
value: "{{ CAIRN_POSTGRESQL_USERNAME }}"
- name: POSTGRES_PASSWORD
value: "{{ CAIRN_POSTGRESQL_PASSWORD }}"
- name: POSTGRES_DB
value: "{{ CAIRN_POSTGRESQL_DATABASE }}"
# The following is required, otherwise postgresql refuses to
# write to the non-empty directory which contains "lost+found".
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
ports:
- containerPort: 5432
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: data
securityContext:
allowPrivilegeEscalation: false
volumes:
- name: data
persistentVolumeClaim:
claimName: cairn-postgresql
{% endif %}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cairn-watchcourses
labels:
app.kubernetes.io/name: cairn-watchcourses
spec:
selector:
matchLabels:
app.kubernetes.io/name: cairn-watchcourses
template:
metadata:
labels:
app.kubernetes.io/name: cairn-watchcourses
spec:
containers:
- name: cairn-watchcourses
image: {{ DOCKER_IMAGE_OPENEDX }}
command: ["/bin/bash"]
args: ["-c", "python /openedx/scripts/server.py"]
volumeMounts:
- mountPath: /openedx/edx-platform/lms/envs/tutor/
name: settings-lms
- mountPath: /openedx/edx-platform/cms/envs/tutor/
name: settings-cms
- mountPath: /openedx/config
name: config
- mountPath: /openedx/scripts
name: scripts
- mountPath: /openedx/clickhouse-auth.json
name: clickhouse-auth
subPath: auth.json
securityContext:
allowPrivilegeEscalation: false
ports:
- containerPort: 9282
volumes:
- name: settings-lms
configMap:
name: openedx-settings-lms
- name: settings-cms
configMap:
name: openedx-settings-cms
- name: config
configMap:
name: openedx-config
- name: scripts
configMap:
name: cairn-openedx-scripts
- name: clickhouse-auth
configMap:
name: cairn-clickhouse-auth
Reference in New Issue View Git Blame Copy Permalink