Loading .gitlab-ci.yml +8 −1 Original line number Diff line number Diff line Loading @@ -64,9 +64,16 @@ variables: # Push all tags - docker push $REPOSITORY only: # Only run build jobs if there is a change to the images # Only run build jobs for branches in the repo, not MRs refs: - branches # Only run build jobs if there is a change to the images or the build changes: - .gitlab-ci.yml - images/**/* except: # Exclude any branches that correspond to external PRs - external_pull_requests build:base: extends: .docker-build Loading deploy/kubernetes/chart/templates/fileServer/deployment.yaml +12 −0 Original line number Diff line number Diff line Loading @@ -77,6 +77,12 @@ spec: readOnly: true - name: nginx-logs mountPath: /var/log/nginx # In order to use a read-only root filesystem, we mount emptyDirs in places # where files are expected to change - name: nginx-cache mountPath: /var/lib/nginx/tmp - name: nginx-run mountPath: /run/nginx {{- include "esgf.data.volumeMounts" . | nindent 12 }} {{- with $fileServer.extraVolumeMounts }} {{- toYaml . | nindent 12 }} Loading Loading @@ -111,6 +117,12 @@ spec: # Each pod gets a directory to hold the named pipes for the logs - name: nginx-logs emptyDir: {} # In order to use a read-only root filesystem, we mount emptyDirs in places # where files are expected to change - name: nginx-cache emptyDir: {} - name: nginx-run emptyDir: {} {{- include "esgf.data.volumes" . | nindent 8 }} {{- with $fileServer.extraVolumes }} {{- toYaml . | nindent 8 }} Loading deploy/kubernetes/chart/templates/thredds/deployment.yaml +15 −5 Original line number Diff line number Diff line Loading @@ -90,7 +90,7 @@ spec: securityContext: {{ toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: thredds-logs - name: tomcat-logs mountPath: /thredds/logs {{- with $thredds.extraInitContainers }} {{- toYaml . | nindent 8 }} Loading Loading 
@@ -133,8 +133,13 @@ spec: {{- end }} - name: thredds-cache mountPath: /opt/tomcat/content/thredds/cache - name: thredds-logs - name: tomcat-logs mountPath: /opt/tomcat/logs # In order to use a read-only rootfs, we must put emptyDirs where we expect tomcat to write - name: tomcat-temp mountPath: /opt/tomcat/temp - name: tomcat-work mountPath: /opt/tomcat/work {{- include "esgf.data.volumeMounts" . | nindent 12 }} {{- with $thredds.extraVolumeMounts }} {{- toYaml . | nindent 12 }} Loading @@ -153,7 +158,7 @@ spec: securityContext: {{ toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: thredds-logs - name: tomcat-logs mountPath: /thredds/logs {{- end }} {{- with $thredds.nodeSelector }} Loading Loading @@ -181,11 +186,16 @@ spec: configMap: name: {{ include "esgf.component.fullname" (list . "thredds") }} {{- end }} # Each pod gets its own cache directory on the local disk # Each pod gets its own THREDDS cache directory on the local disk - name: thredds-cache emptyDir: {} # Each pod gets a directory to hold the named pipes for log files - name: thredds-logs - name: tomcat-logs emptyDir: {} # In order to use a read-only rootfs, we must put emptyDirs where we expect tomcat to write - name: tomcat-temp emptyDir: {} - name: tomcat-work emptyDir: {} {{- include "esgf.data.volumes" . | nindent 8 }} {{- with $thredds.extraVolumes }} Loading deploy/kubernetes/chart/values.yaml +8 −2 Original line number Diff line number Diff line Loading 
@@ -87,8 +87,14 @@ data: # See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ # WARNING: Due to permissions set inside the container, the user *must* belong to group 1000 # in addition to the groups required to access data podSecurityContext: {} securityContext: {} # By default, we run as the esgf user/group podSecurityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 securityContext: # Run with a read-only root filesystem by default readOnlyRootFilesystem: true # The resources for log-tailing containers logTailResources: Loading images/thredds/Dockerfile +3 −1 Original line number Diff line number Diff line Loading @@ -30,7 +30,7 @@ USER root # This ensures that Docker named volumes will work correctly # # Create symlinks for log files to stdout RUN mkdir -p ./content/thredds/cache && \ RUN mkdir -p ./content/thredds/{cache,logs,public} && \ chown -R $ESGF_USER:$ESGF_GROUP ./content/thredds && \ chmod -R u+w,g+w,o= ./content/thredds && \ ln -s /dev/stdout ./logs/serverStartup.log && \ Loading @@ -49,5 +49,7 @@ COPY --from=builder /application ./webapps/thredds COPY log4j2.xml ./webapps/thredds/WEB-INF/classes/ COPY threddsConfig.xml catalog.xml ./content/thredds/ COPY catalog-esgcet.xml ./content/thredds/esgcet/catalog.xml # Copy the default wmsConfig.xml into place RUN cp ./webapps/thredds/WEB-INF/altContent/startup/wmsConfig.xml ./content/thredds USER $ESGF_UID Loading
.gitlab-ci.yml +8 −1 Original line number Diff line number Diff line Loading @@ -64,9 +64,16 @@ variables: # Push all tags - docker push $REPOSITORY only: # Only run build jobs if there is a change to the images # Only run build jobs for branches in the repo, not MRs refs: - branches # Only run build jobs if there is a change to the images or the build changes: - .gitlab-ci.yml - images/**/* except: # Exclude any branches that correspond to external PRs - external_pull_requests build:base: extends: .docker-build Loading
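Review bot: The `changes:` filter under `only:` does not hold back the first pipeline of a newly pushed branch, because GitLab evaluates `only:changes` as true when a branch or tag is new. Combined with `refs: - branches`, every new branch therefore runs this job and reaches `docker push $REPOSITORY`. If pushes from arbitrary branches are not intended, the registry credentials should be protected CI/CD variables so only protected branches can push; whether they already are is not visible here. I would at least record the behaviour next to the filter: `# NOTE: changes is always true for a newly pushed branch, so new branches always build and push`. The job this `only:` belongs to starts above the hunk.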
deploy/kubernetes/chart/templates/fileServer/deployment.yaml +12 −0 Original line number Diff line number Diff line Loading @@ -77,6 +77,12 @@ spec: readOnly: true - name: nginx-logs mountPath: /var/log/nginx # In order to use a read-only root filesystem, we mount emptyDirs in places # where files are expected to change - name: nginx-cache mountPath: /var/lib/nginx/tmp - name: nginx-run mountPath: /run/nginx {{- include "esgf.data.volumeMounts" . | nindent 12 }} {{- with $fileServer.extraVolumeMounts }} {{- toYaml . | nindent 12 }} Loading Loading @@ -111,6 +117,12 @@ spec: # Each pod gets a directory to hold the named pipes for the logs - name: nginx-logs emptyDir: {} # In order to use a read-only root filesystem, we mount emptyDirs in places # where files are expected to change - name: nginx-cache emptyDir: {} - name: nginx-run emptyDir: {} {{- include "esgf.data.volumes" . | nindent 8 }} {{- with $fileServer.extraVolumes }} {{- toYaml . | nindent 8 }} Loading
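Review bot: The new `nginx-cache` and `nginx-run` volumes are declared as `emptyDir: {}` with no size bound, and with a read-only root filesystem they are where the container's writes will land. Anything written there counts against the node's ephemeral storage, so a misbehaving or compromised process can fill the node. A bound such as `sizeLimit: 64Mi` under `emptyDir:` (value illustrative) lets the kubelet evict the pod instead. The same applies to `tomcat-temp` and `tomcat-work` in templates/thredds/deployment.yaml. Both hunks sit inside lists that begin outside the visible lines.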
deploy/kubernetes/chart/templates/thredds/deployment.yaml +15 −5 Original line number Diff line number Diff line Loading @@ -90,7 +90,7 @@ spec: securityContext: {{ toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: thredds-logs - name: tomcat-logs mountPath: /thredds/logs {{- with $thredds.extraInitContainers }} {{- toYaml . | nindent 8 }} Loading Loading @@ -133,8 +133,13 @@ spec: {{- end }} - name: thredds-cache mountPath: /opt/tomcat/content/thredds/cache - name: thredds-logs - name: tomcat-logs mountPath: /opt/tomcat/logs # In order to use a read-only rootfs, we must put emptyDirs where we expect tomcat to write - name: tomcat-temp mountPath: /opt/tomcat/temp - name: tomcat-work mountPath: /opt/tomcat/work {{- include "esgf.data.volumeMounts" . | nindent 12 }} {{- with $thredds.extraVolumeMounts }} {{- toYaml . | nindent 12 }} Loading @@ -153,7 +158,7 @@ spec: securityContext: {{ toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: thredds-logs - name: tomcat-logs mountPath: /thredds/logs {{- end }} {{- with $thredds.nodeSelector }} Loading Loading @@ -181,11 +186,16 @@ spec: configMap: name: {{ include "esgf.component.fullname" (list . "thredds") }} {{- end }} # Each pod gets its own cache directory on the local disk # Each pod gets its own THREDDS cache directory on the local disk - name: thredds-cache emptyDir: {} # Each pod gets a directory to hold the named pipes for log files - name: thredds-logs - name: tomcat-logs emptyDir: {} # In order to use a read-only rootfs, we must put emptyDirs where we expect tomcat to write - name: tomcat-temp emptyDir: {} - name: tomcat-work emptyDir: {} {{- include "esgf.data.volumes" . | nindent 8 }} {{- with $thredds.extraVolumes }} Loading
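Review bot: Only `content/thredds/cache`, `logs`, `temp` and `work` under /opt/tomcat get a writable volume in the main container. The `content/thredds/logs` and `content/thredds/public` directories that the Dockerfile in this commit creates appear to stay on the read-only root filesystem. If THREDDS writes anything there at runtime it will fail once `readOnlyRootFilesystem: true` is the default, so this is worth confirming against the log4j2.xml and threddsConfig.xml shipped in the image. The comment above the new mounts could state the assumption: `# content/thredds/logs and content/thredds/public are baked into the image and are not written at runtime`. The container specs start outside the hunks.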
deploy/kubernetes/chart/values.yaml +8 −2 Original line number Diff line number Diff line Loading @@ -87,8 +87,14 @@ data: # See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ # WARNING: Due to permissions set inside the container, the user *must* belong to group 1000 # in addition to the groups required to access data podSecurityContext: {} securityContext: {} # By default, we run as the esgf user/group podSecurityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 securityContext: # Run with a read-only root filesystem by default readOnlyRootFilesystem: true # The resources for log-tailing containers logTailResources: Loading
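Review bot: The new default `securityContext` sets only `readOnlyRootFilesystem: true`, which leaves privilege escalation and the default capability set untouched. Since the pods now run as uid 1000 by default, the container context could also carry `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`. Adding `runAsNonRoot: true` beside `runAsUser: 1000` in `podSecurityContext` would make the kubelet refuse an override back to uid 0. Whether nginx or Tomcat need any capability is not visible in this hunk, so that needs a check before dropping them all. The WARNING comment above could also say that an overridden `runAsUser` must keep group 1000 through `runAsGroup` or `supplementalGroups`.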
images/thredds/Dockerfile +3 −1 Original line number Diff line number Diff line Loading @@ -30,7 +30,7 @@ USER root # This ensures that Docker named volumes will work correctly # # Create symlinks for log files to stdout RUN mkdir -p ./content/thredds/cache && \ RUN mkdir -p ./content/thredds/{cache,logs,public} && \ chown -R $ESGF_USER:$ESGF_GROUP ./content/thredds && \ chmod -R u+w,g+w,o= ./content/thredds && \ ln -s /dev/stdout ./logs/serverStartup.log && \ Loading @@ -49,5 +49,7 @@ COPY --from=builder /application ./webapps/thredds COPY log4j2.xml ./webapps/thredds/WEB-INF/classes/ COPY threddsConfig.xml catalog.xml ./content/thredds/ COPY catalog-esgcet.xml ./content/thredds/esgcet/catalog.xml # Copy the default wmsConfig.xml into place RUN cp ./webapps/thredds/WEB-INF/altContent/startup/wmsConfig.xml ./content/thredds USER $ESGF_UID
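Review bot: `mkdir -p ./content/thredds/{cache,logs,public}` relies on brace expansion, which the shell form of `RUN` only has if `/bin/sh` in the base image is bash. Under a POSIX sh such as dash it creates one directory literally named `{cache,logs,public}`, and `mkdir -p` still exits 0, so the build would not fail. The base image is not visible in this hunk, so this may work today, but spelling the paths out removes the dependency: `RUN mkdir -p ./content/thredds/cache ./content/thredds/logs ./content/thredds/public && \`. Separately, the added `cp` of wmsConfig.xml runs as root after the `chown -R`, so the copy stays root-owned. That is presumably fine for a file that is only read, but the comment could say so.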