Loading deploy/kubernetes/chart/templates/fileServer/deployment.yaml +12 −0 Original line number Diff line number Diff line Loading @@ -77,6 +77,12 @@ spec: readOnly: true - name: nginx-logs mountPath: /var/log/nginx # In order to use a read-only root filesystem, we mount emptyDirs in places # where files are expected to change - name: nginx-cache mountPath: /var/lib/nginx/tmp - name: nginx-run mountPath: /run/nginx {{- include "esgf.data.volumeMounts" . | nindent 12 }} {{- with $fileServer.extraVolumeMounts }} {{- toYaml . | nindent 12 }} Loading Loading @@ -111,6 +117,12 @@ spec: # Each pod gets a directory to hold the named pipes for the logs - name: nginx-logs emptyDir: {} # In order to use a read-only root filesystem, we mount emptyDirs in places # where files are expected to change - name: nginx-cache emptyDir: {} - name: nginx-run emptyDir: {} {{- include "esgf.data.volumes" . | nindent 8 }} {{- with $fileServer.extraVolumes }} {{- toYaml . | nindent 8 }} Loading deploy/kubernetes/chart/templates/thredds/deployment.yaml +15 −5 Original line number Diff line number Diff line Loading @@ -90,7 +90,7 @@ spec: securityContext: {{ toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: thredds-logs - name: tomcat-logs mountPath: /thredds/logs {{- with $thredds.extraInitContainers }} {{- toYaml . | nindent 8 }} Loading Loading @@ -133,8 +133,13 @@ spec: {{- end }} - name: thredds-cache mountPath: /opt/tomcat/content/thredds/cache - name: thredds-logs - name: tomcat-logs mountPath: /opt/tomcat/logs # In order to use a read-only rootfs, we must put emptyDirs where we expect tomcat to write - name: tomcat-temp mountPath: /opt/tomcat/temp - name: tomcat-work mountPath: /opt/tomcat/work {{- include "esgf.data.volumeMounts" . | nindent 12 }} {{- with $thredds.extraVolumeMounts }} {{- toYaml . | nindent 12 }} Loading 
@@ -153,7 +158,7 @@ spec: securityContext: {{ toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: thredds-logs - name: tomcat-logs mountPath: /thredds/logs {{- end }} {{- with $thredds.nodeSelector }} Loading Loading @@ -181,11 +186,16 @@ spec: configMap: name: {{ include "esgf.component.fullname" (list . "thredds") }} {{- end }} # Each pod gets its own cache directory on the local disk # Each pod gets its own THREDDS cache directory on the local disk - name: thredds-cache emptyDir: {} # Each pod gets a directory to hold the named pipes for log files - name: thredds-logs - name: tomcat-logs emptyDir: {} # In order to use a read-only rootfs, we must put emptyDirs where we expect tomcat to write - name: tomcat-temp emptyDir: {} - name: tomcat-work emptyDir: {} {{- include "esgf.data.volumes" . | nindent 8 }} {{- with $thredds.extraVolumes }} Loading deploy/kubernetes/chart/values.yaml +8 −2 Original line number Diff line number Diff line Loading @@ -87,8 +87,14 @@ data: # See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ # WARNING: Due to permissions set inside the container, the user *must* belong to group 1000 # in addition to the groups required to access data podSecurityContext: {} securityContext: {} # By default, we run as the esgf user/group podSecurityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 securityContext: # Run with a read-only root filesystem by default readOnlyRootFilesystem: true # The resources for log-tailing containers logTailResources: Loading images/thredds/Dockerfile +3 −1 Original line number Diff line number Diff line Loading 
@@ -30,7 +30,7 @@ USER root # This ensures that Docker named volumes will work correctly # # Create symlinks for log files to stdout RUN mkdir -p ./content/thredds/cache && \ RUN mkdir -p ./content/thredds/{cache,logs,public} && \ chown -R $ESGF_USER:$ESGF_GROUP ./content/thredds && \ chmod -R u+w,g+w,o= ./content/thredds && \ ln -s /dev/stdout ./logs/serverStartup.log && \ Loading @@ -49,5 +49,7 @@ COPY --from=builder /application ./webapps/thredds COPY log4j2.xml ./webapps/thredds/WEB-INF/classes/ COPY threddsConfig.xml catalog.xml ./content/thredds/ COPY catalog-esgcet.xml ./content/thredds/esgcet/catalog.xml # Copy the default wmsConfig.xml into place RUN cp ./webapps/thredds/WEB-INF/altContent/startup/wmsConfig.xml ./content/thredds USER $ESGF_UID images/tomcat/server.xml +4 −2 Original line number Diff line number Diff line Loading @@ -169,10 +169,12 @@ <!-- Access log processes all example. Documentation at: /docs/config/valve.html Note: The pattern used is equivalent to using pattern="common" --> We use a pattern that makes Tomcat access logs match the Nginx access logs as this makes later analysis easier. --> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="combined" pattern="%a - %u [%t] "%r" %s %B "%{Referer}i" "%{User-Agent}i" "%{X-Forwarded-For}i"" rotatable="false" /> Loading Loading
deploy/kubernetes/chart/templates/fileServer/deployment.yaml +12 −0 Original line number Diff line number Diff line Loading @@ -77,6 +77,12 @@ spec: readOnly: true - name: nginx-logs mountPath: /var/log/nginx # In order to use a read-only root filesystem, we mount emptyDirs in places # where files are expected to change - name: nginx-cache mountPath: /var/lib/nginx/tmp - name: nginx-run mountPath: /run/nginx {{- include "esgf.data.volumeMounts" . | nindent 12 }} {{- with $fileServer.extraVolumeMounts }} {{- toYaml . | nindent 12 }} Loading Loading @@ -111,6 +117,12 @@ spec: # Each pod gets a directory to hold the named pipes for the logs - name: nginx-logs emptyDir: {} # In order to use a read-only root filesystem, we mount emptyDirs in places # where files are expected to change - name: nginx-cache emptyDir: {} - name: nginx-run emptyDir: {} {{- include "esgf.data.volumes" . | nindent 8 }} {{- with $fileServer.extraVolumes }} {{- toYaml . | nindent 8 }} Loading
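Review bot: The two volumes added in the second hunk, `nginx-cache` and `nginx-run`, are declared as `emptyDir: {}` with no size bound, so anything nginx buffers under `/var/lib/nginx/tmp` is limited only by the node's ephemeral storage. A bounded form such as `emptyDir: {sizeLimit: <SIZE>}` (placeholder, to be chosen per deployment or exposed as a chart value) would turn runaway temp usage into an eviction of this one pod instead of pressure on the whole node. The same applies to `tomcat-temp` and `tomcat-work` in thredds/deployment.yaml. The added comment could also name the setting it depends on, e.g. `# Needed when securityContext.readOnlyRootFilesystem is true (the default in values.yaml)`. Both hunks sit inside longer lists that continue outside the visible lines.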
deploy/kubernetes/chart/templates/thredds/deployment.yaml +15 −5 Original line number Diff line number Diff line Loading @@ -90,7 +90,7 @@ spec: securityContext: {{ toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: thredds-logs - name: tomcat-logs mountPath: /thredds/logs {{- with $thredds.extraInitContainers }} {{- toYaml . | nindent 8 }} Loading Loading @@ -133,8 +133,13 @@ spec: {{- end }} - name: thredds-cache mountPath: /opt/tomcat/content/thredds/cache - name: thredds-logs - name: tomcat-logs mountPath: /opt/tomcat/logs # In order to use a read-only rootfs, we must put emptyDirs where we expect tomcat to write - name: tomcat-temp mountPath: /opt/tomcat/temp - name: tomcat-work mountPath: /opt/tomcat/work {{- include "esgf.data.volumeMounts" . | nindent 12 }} {{- with $thredds.extraVolumeMounts }} {{- toYaml . | nindent 12 }} Loading @@ -153,7 +158,7 @@ spec: securityContext: {{ toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: thredds-logs - name: tomcat-logs mountPath: /thredds/logs {{- end }} {{- with $thredds.nodeSelector }} Loading Loading @@ -181,11 +186,16 @@ spec: configMap: name: {{ include "esgf.component.fullname" (list . "thredds") }} {{- end }} # Each pod gets its own cache directory on the local disk # Each pod gets its own THREDDS cache directory on the local disk - name: thredds-cache emptyDir: {} # Each pod gets a directory to hold the named pipes for log files - name: thredds-logs - name: tomcat-logs emptyDir: {} # In order to use a read-only rootfs, we must put emptyDirs where we expect tomcat to write - name: tomcat-temp emptyDir: {} - name: tomcat-work emptyDir: {} {{- include "esgf.data.volumes" . | nindent 8 }} {{- with $thredds.extraVolumes }} Loading
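Review bot: Renaming the volume from `thredds-logs` to `tomcat-logs` in all four hunks breaks any user values that refer to the old name through `extraVolumeMounts` or `extraInitContainers`, because a mount naming a volume that no longer exists is rejected when the pod is validated. Whether any deployment does this cannot be seen from here, so the rename deserves a line in the upgrade notes. The volume is mounted at `/opt/tomcat/logs` in the main container and at `/thredds/logs` in the two other containers shown. A comment at the volume definition such as `# Shared: /opt/tomcat/logs in the tomcat container, /thredds/logs in the containers that read the pipes` would make that pairing explicit. The container specs around each hunk start and end outside the visible lines.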
deploy/kubernetes/chart/values.yaml +8 −2 Original line number Diff line number Diff line Loading @@ -87,8 +87,14 @@ data: # See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ # WARNING: Due to permissions set inside the container, the user *must* belong to group 1000 # in addition to the groups required to access data podSecurityContext: {} securityContext: {} # By default, we run as the esgf user/group podSecurityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 securityContext: # Run with a read-only root filesystem by default readOnlyRootFilesystem: true # The resources for log-tailing containers logTailResources: Loading
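Review bot: The new default `securityContext` sets only `readOnlyRootFilesystem: true`, and `podSecurityContext` pins UID 1000 without `runAsNonRoot: true`, so a later override of `runAsUser` to 0 would be accepted without complaint. Adding `runAsNonRoot: true` under `podSecurityContext` and `allowPrivilegeEscalation: false` under `securityContext` would make the non-root, no-escalation intent enforceable by the kubelet rather than a convention. The WARNING comment above still says the user must belong to group 1000 in addition to the data groups. Now that `runAsGroup` is defaulted, it could point operators at `supplementalGroups` for those extra groups. Any container that writes outside its mounted volumes will now fail by default, which is worth stating in the comment next to `readOnlyRootFilesystem`.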
images/thredds/Dockerfile +3 −1 Original line number Diff line number Diff line Loading @@ -30,7 +30,7 @@ USER root # This ensures that Docker named volumes will work correctly # # Create symlinks for log files to stdout RUN mkdir -p ./content/thredds/cache && \ RUN mkdir -p ./content/thredds/{cache,logs,public} && \ chown -R $ESGF_USER:$ESGF_GROUP ./content/thredds && \ chmod -R u+w,g+w,o= ./content/thredds && \ ln -s /dev/stdout ./logs/serverStartup.log && \ Loading @@ -49,5 +49,7 @@ COPY --from=builder /application ./webapps/thredds COPY log4j2.xml ./webapps/thredds/WEB-INF/classes/ COPY threddsConfig.xml catalog.xml ./content/thredds/ COPY catalog-esgcet.xml ./content/thredds/esgcet/catalog.xml # Copy the default wmsConfig.xml into place RUN cp ./webapps/thredds/WEB-INF/altContent/startup/wmsConfig.xml ./content/thredds USER $ESGF_UID
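Review bot: The `{cache,logs,public}` brace expansion in the first hunk's `mkdir -p` is a bash feature, while a Dockerfile `RUN` in shell form executes under `/bin/sh -c` unless a `SHELL` instruction says otherwise. If `/bin/sh` in the base image is a POSIX shell without brace expansion, this creates a single directory literally named `{cache,logs,public}`, and the build still succeeds. The container would then fail only at runtime, once the root filesystem is read-only and those directories are missing. Neither the base image nor any `SHELL` line is visible in these hunks, so the portable spelling is safer: `RUN mkdir -p ./content/thredds/cache ./content/thredds/logs ./content/thredds/public && \`. The `RUN` chain continues past the end of the hunk.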
images/tomcat/server.xml +4 −2 Original line number Diff line number Diff line Loading @@ -169,10 +169,12 @@ <!-- Access log processes all example. Documentation at: /docs/config/valve.html Note: The pattern used is equivalent to using pattern="common" --> We use a pattern that makes Tomcat access logs match the Nginx access logs as this makes later analysis easier. --> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="combined" pattern="%a - %u [%t] "%r" %s %B "%{Referer}i" "%{User-Agent}i" "%{X-Forwarded-For}i"" rotatable="false" /> Loading
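Review bot: As rendered, the new `pattern` attribute contains bare double quotes inside a double-quoted XML attribute, which would end the value at `[%t] ` and make server.xml malformed. The page may simply have decoded the entities, so please confirm the file itself uses `&quot;`, as in `pattern="%a - %u [%t] &quot;%r&quot; %s %B &quot;%{Referer}i&quot; ..."`, or wraps the attribute in single quotes. Separately, `%{X-Forwarded-For}i` records a header the client can set unless the ingress overwrites it, and `%a` will be the proxy address when Tomcat sits behind one. The comment should therefore say which field is authoritative for later analysis, e.g. `X-Forwarded-For is only trustworthy if the fronting proxy sets or sanitises it`.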