Add basic Kubernetes installation documentation #220

Draft
wants to merge 16 commits into
base: master
@@ -0,0 +1,70 @@
<!-- This partial uses HTML ol to force a configurable step number -->

<ol start={props.step || '2'}>
<li>
Deploy the cron service:

:::caution
This manifest includes an init container that creates the required database schema the first time it instantiates. This process can take a few minutes to complete and must finish before you instantiate the Seqera backend. Ensure this container is in the `READY` state before proceeding to the next step.
:::

1. Apply the `tower-cron.yml` manifest:

```
kubectl apply -f tower-cron.yml
```

<details>
<summary>View command output</summary>
```
deployment.apps/cron configured
```
</details>

1. Confirm that cron service deployed successfully:

```
kubectl rollout status deployment/cron
```

<details>
<summary>View command output</summary>
deployment "cron" successfully rolled out
</details>
</li>
<li>
Deploy the backend and frontend services:

1. Apply the `tower-svc.yml` manifest:

```
kubectl apply -f tower-svc.yml
```

<details>
<summary>View command output</summary>
```
deployment.apps/backend configured
deployment.apps/frontend configured
service/backend configured
service/frontend configured
```
</details>

1. Confirm that cron service deployed successfully:

```
kubectl get deployments
```

<details>
<summary>View command output</summary>
```
NAME READY UP-TO-DATE AVAILABLE AGE
backend 1/1 1 1 2d6h
cron 1/1 1 1 2d6h
frontend 1/1 1 1 2d6h
```
</details>
</li>
</ol>
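Review bot: the second confirmation step is a copy-paste of the first: under "Deploy the backend and frontend services" the sub-step still reads `1. Confirm that cron service deployed successfully:` although it runs `kubectl get deployments` after applying `tower-svc.yml`; it should say "backend and frontend services". While there, make the check itself equivalent to the cron one: `kubectl get deployments` returns immediately and will happily print `0/1` without failing, whereas `kubectl rollout status deployment/backend` and `kubectl rollout status deployment/frontend` block until the rollout succeeds or times out, which is what a reader following a procedure wants. Two smaller points in the same hunk: the cron `View command output` block (`deployment "cron" successfully rolled out`) is the only one not wrapped in a code fence, and the `:::caution` asks the reader to ensure the init container is in the `READY` state, but init containers run to completion and exit; what the reader actually waits for is the cron pod becoming Ready after the schema migration, which `kubectl rollout status deployment/cron` already does, so the caution can simply say the rollout command will block until the migration has finished.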
@@ -0,0 +1,24 @@
Create a namespace to isolate Kubernetes resources used by Seqera Platform from the other resources on your cluster.

:::tip
This installation guide assumes the use of `seqera-platform` as the installation namespace. Consider using a different one that better fits your cluster naming convention.
:::

1. Create a namespace for the Seqera resources:

```
kubectl create namespace seqera-platform
```

<details>
<summary>View command output</summary>
```
namespace/seqera-platform created
```
</details>

1. Switch to the namespace:

```
kubectl config set-context --current --namespace=seqera-platform
```
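Review bot: `kubectl config set-context --current --namespace=seqera-platform` persistently rewrites the reader's kubeconfig, and every later `kubectl apply` / `kubectl create secret` / `kubectl run` in this guide silently depends on it: a reader who skips the step (or switches context later) deploys the cron, backend and frontend manifests and the registry secret into `default`. Either state that dependency here and add a verification step (`kubectl config view --minify -o jsonpath='{..namespace}'`), or pass `-n seqera-platform` on each command. Also, the intro says the namespace will "isolate" Seqera resources from the rest of the cluster; a namespace is a scoping boundary for names, RBAC bindings and quotas, not an isolation boundary on its own (no network or access restriction follows from creating it), so "separate" would be more accurate, or name the RBAC/NetworkPolicy controls the guide expects the reader to apply to it.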
@@ -0,0 +1,70 @@
Seqera Enterprise is distributed as a collection of Docker containers available through the Seqera container registry [`cr.seqera.io`](https://cr.seqera.io). Contact [support](https://support.seqera.io) to get your container access credentials. After you've received your credentials, grant your cluster access to the registry:

1. Retrieve the `name` and `secret` values from the JSON file that you received from Seqera support.

1. Create a [secret][kubectl-secret] for the image pull secret:

```
kubectl create secret docker-registry cr.seqera.io \
--docker-server=cr.seqera.io \
--docker-username='<name>' \
--docker-password='<secret>'
```

The credential `name` contains a dollar `$` character. Wrap the name in single quotes to prevent the Linux shell from interpreting this value as an environment variable.

<details>
<summary>View command output</summary>
```
secret/cr.seqera.io created
```
</details>

1. Confirm that the secret exists:

```
kubectl get secrets cr.seqera.io
```

<details>
<summary>View command output</summary>
```
NAME TYPE DATA AGE
cr.seqera.io kubernetes.io/dockerconfigjson 1 26s
```
</details>

1. Confirm that you can pull containers from `cr.seqera.io`:

1. Pull a container from the private repository:

```
kubectl run pull-test --command --restart=Never --image-pull-policy=Always \
--image cr.seqera.io/private/nf-tower-enterprise/backend:v24.1.4 \
--overrides='{ "spec": { "imagePullSecrets": [ { "name": "cr.seqera.io" } ] } }' \
--override-type=strategic -- /bin/true
```

<details>
<summary>View command output</summary>
```
pod/pull-test created
```
</details>

1. Confirm that the container was pulled:

```
kubectl get pods/pull-test -o=custom-columns=NAME:.metadata.name,STATUS:.status.phase
```

<details>
<summary>View command output</summary>
```
NAME STATUS
pull-test Succeeded
```
</details>

<!-- links -->
[kubectl-secret]: https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/
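Review bot: `--docker-username='<name>' --docker-password='<secret>'` puts the registry credential on the command line, so it lands in the shell history file and is visible to other users in the process list while the command runs; since step 1 already has the reader retrieve the values from the JSON file Seqera support provides, recommend reading them from that file into variables (for example with `jq`) rather than pasting them, and mention that the resulting `kubernetes.io/dockerconfigjson` Secret is only base64-encoded, so access to Secrets in the namespace should be restricted by RBAC. The pull test also leaves the `pull-test` pod behind; add `kubectl delete pod pull-test` after the `Succeeded` check, and note that the image tag in `cr.seqera.io/private/nf-tower-enterprise/backend:v24.1.4` must match the version the `tower-svc.yml` manifest deploys, otherwise the test proves access to a tag the installation will not pull.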
@@ -5,34 +5,22 @@ metadata:
labels:
app: backend-cfg
data:
TOWER_SERVER_URL: "https://<YOUR PUBLIC TOWER HOST NAME>"
TOWER_CONTACT_EMAIL: "support@tower.nf"
TOWER_JWT_SECRET: "ReplaceThisWithALongSecretString"
TOWER_DB_URL: "jdbc:mysql://<YOUR DB HOST NAME AND PORT>/tower"
TOWER_SERVER_URL: "https://<seqera_platform_hostname>"
TOWER_CONTACT_EMAIL: "<system_email_address>"
TOWER_REDIS_URL: "redis://<redis_host_name>:6379"
TOWER_DB_URL: "jdbc:mysql://<database_host_name>:3306/tower?permitMysqlScheme=true"
TOWER_DB_DRIVER: "org.mariadb.jdbc.Driver"
TOWER_DB_USER: "tower"
TOWER_DB_PASSWORD: "<YOUR DB PASSWORD>"
TOWER_DB_DIALECT: "io.seqera.util.MySQL55DialectCollateBin"
TOWER_DB_MIN_POOL_SIZE: "2"
TOWER_DB_MAX_POOL_SIZE: "10"
TOWER_DB_MAX_LIFETIME: "180000"
TOWER_SMTP_HOST: "<YOUR SMTP SERVER HOST NAME>"
TOWER_SMTP_USER: "<YOUR SMTP USER NAME>"
TOWER_SMTP_PASSWORD: "<YOUR SMTP USER PASSWORD>"
TOWER_CRYPTO_SECRETKEY: "<YOUR CRYPTO SECRET>"
TOWER_LICENSE: "<YOUR TOWER LICENSE KEY>"
TOWER_DB_USER: "<db_username>"
TOWER_DB_PASSWORD: "<db_password>"
TOWER_SMTP_HOST: "<smtp_host_name>"
TOWER_SMTP_USER: "<smtp_username>"
TOWER_SMTP_PASSWORD: "<smtp_password>"
TOWER_JWT_SECRET: "<jwt_secret>"
TOWER_CRYPTO_SECRETKEY: "<crypt_secret>"
TOWER_LICENSE: "<license>"
TOWER_ENABLE_PLATFORMS: "awsbatch-platform,gls-platform,googlebatch-platform,azbatch-platform,uge-platform,slurm-platform"
FLYWAY_LOCATIONS: "classpath:db-schema/mysql"
TOWER_REDIS_URL: "redis://<YOUR REDIS IP>:6379" # For a managed Redis service, specify the IP address or DNS name of the service endpoint. If you use the containerized Redis service, specify "redis" instead of an IP address.
# Data Studios configuration variables
TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN: '<YOUR_RANDOMLY_GENERATED_STRING>' # This must match the value of CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN in your proxy.yml file.
TOWER_DATA_STUDIO_CONNECT_URL: 'https://connect.<YOUR PUBLIC TOWER HOST NAME>' #
TOWER_DATA_STUDIO_TEMPLATES_JUPYTER_REPOSITORY: 'cr.seqera.io/public/data-studio-jupyter:0.7.0'
TOWER_DATA_STUDIO_TEMPLATES_JUPYTER_ICON: 'jupyter'
TOWER_DATA_STUDIO_TEMPLATES_RSTUDIO_REPOSITORY: 'cr.seqera.io/public/data-studio-rstudio:0.7.0'
TOWER_DATA_STUDIO_TEMPLATES_RSTUDIO_ICON: 'rstudio'
TOWER_DATA_STUDIO_TEMPLATES_VSCODE_REPOSITORY: 'cr.seqera.io/public/data-studio-vscode:0.7.0'
TOWER_DATA_STUDIO_TEMPLATES_VSCODE_ICON: 'vscode'
---
kind: ConfigMap
apiVersion: v1
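Review bot: the placeholders were renamed but `TOWER_DB_PASSWORD`, `TOWER_SMTP_PASSWORD`, `TOWER_JWT_SECRET`, `TOWER_CRYPTO_SECRETKEY` and `TOWER_LICENSE` still live in the `tower-backend-cfg` ConfigMap, which anyone with `get configmaps` in the namespace can read in clear; move them to a `Secret` and have the backend deployment pull them in via `envFrom` with a `secretRef`, keeping only the non-sensitive settings (`TOWER_SERVER_URL`, `TOWER_DB_URL`, `TOWER_ENABLE_PLATFORMS`, ...) in the ConfigMap. The hunk also drops `TOWER_DB_MIN_POOL_SIZE`, `TOWER_DB_MAX_POOL_SIZE` and `TOWER_DB_MAX_LIFETIME`, the comment explaining that `TOWER_REDIS_URL` should point at `redis` for the containerized Redis service, and the whole Data Studios block (`TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN`, `TOWER_DATA_STUDIO_CONNECT_URL`, the template repositories); if these moved to another page of the PR, say so in the description, otherwise the removal is a silent behaviour change for readers upgrading an existing install.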
@@ -41,23 +29,4 @@ metadata:
labels:
app: backend-cfg
data:
tower.yml: |
mail:
smtp:
auth: true
# FIXME `starttls` should be enabled with a production SMTP host
starttls:
enable: true
required: true
ssl:
protocols: "TLSv1.2"

auth:
mail:
duration: 30m

# Set a custom application name for the Micronaut environment to deploy multiple instances from the same Enterprise account
# Required for AWS Parameter Store configuration. For more information, see https://docs.seqera.io/platform/latest/enterprise/configuration/aws_parameter_store
micronaut:
application:
name: tower-app
tower.yml: |-
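Review bot: this hunk removes the entire body of `tower.yml` and leaves `tower.yml: |-` with nothing after it, i.e. an empty string, so every setting the old block enforced now falls back to application defaults: SMTP `auth: true`, `starttls.enable: true` / `required: true` and `ssl.protocols: "TLSv1.2"` (the only SMTP transport hardening the guide had), the 30m mail-auth link duration, and the `micronaut.application.name` that the comment says is required for the AWS Parameter Store configuration. If the intent is that readers compose their own `tower.yml`, the manifest should keep at least the STARTTLS block as the documented baseline (the old `# FIXME` comment already flagged that it must be on for a production SMTP host); if the content moved elsewhere in the PR, link to it from here rather than leaving an empty key.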
@@ -5,44 +5,32 @@ metadata:
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/certificate-arn: <YOUR-CERTIFICATE-ARN>
alb.ingress.kubernetes.io/certificate-arn: <YOUR_CERTIFICATE_ARN>
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301" }}'
alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
alb.ingress.kubernetes.io/load-balancer-attributes: >
idle_timeout.timeout_seconds=301,
routing.http2.enabled=false,
access_logs.s3.enabled=true,
access_logs.s3.bucket=YOUR-LOGS-S3-BUCKET,
access_logs.s3.prefix=YOUR-LOGS-PREFIX
access_logs.s3.bucket=<YOUR_LOGS_S3_BUCKET>,
access_logs.s3.prefix=<YOUR_LOGS_PREFIX>
spec:
rules:
- host: <YOUR-TOWER-HOST-NAME>
- host: <YOUR_SEQERA_HOST_NAME>
http:
paths:
- path: /*
pathType: ImplementationSpecific
backend:
service:
name: ssl-redirect
port:
name: use-annotation
- path: /*
pathType: ImplementationSpecific
backend:
service:
name: frontend
port:
number: 80

# Uncomment the host section below to enable Data Studios. Replace <YOUR-TOWER-HOST-NAME> with the base domain of your Platform installation. See [Data Studios configuration](https://docs.seqera.io/platform/24.1.1/enterprise/data-studios) for more information.
# - host: "*.<YOUR-TOWER-HOST-NAME>"
# http:
# paths:
# - backend:
# service:
# name: connect-proxy
# port:
# number: 80
# pathType: ImplementationSpecific
# path: /*
- path: /*
pathType: ImplementationSpecific
backend:
service:
name: ssl-redirect
port:
name: use-annotation
- path: /*
pathType: ImplementationSpecific
backend:
service:
name: frontend
port:
number: 80
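Review bot: since this hunk is already touching the Ingress annotations, replace the deprecated `kubernetes.io/ingress.class: alb` annotation with `spec.ingressClassName: alb`, and consider a newer ALB policy than `ELBSecurityPolicy-TLS-1-2-Ext-2018-06` (AWS provides TLS 1.3-capable policies such as `ELBSecurityPolicy-TLS13-1-2-2021-06`) so the documented default is not an old cipher list. The removal of the commented `*.<YOUR-TOWER-HOST-NAME>` wildcard host for Data Studios is not mentioned anywhere in the change; either keep it or state that Data Studios setup now lives elsewhere. Style point: this file uses `<YOUR_CERTIFICATE_ARN>` / `<YOUR_SEQERA_HOST_NAME>` while the ConfigMap in the same PR uses `<db_password>` / `<seqera_platform_hostname>`; pick one placeholder convention.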
@@ -0,0 +1,41 @@
---
kind: ConfigMap
apiVersion: v1
metadata:
name: tower-backend-cfg
labels:
app: backend-cfg
data:
TOWER_ENABLE_UNSAFE_MODE: "true"
TOWER_ROOT_USERS: "<root_users>"
TOWER_SERVER_URL: "http://localhost:8080"
TOWER_CONTACT_EMAIL: "user@example.com"
TOWER_REDIS_URL: "redis://redis:6379"
TOWER_DB_URL: "jdbc:mysql://mysql:3306/tower?permitMysqlScheme=true"
TOWER_DB_DRIVER: "org.mariadb.jdbc.Driver"
TOWER_DB_USER: "tower"
TOWER_DB_PASSWORD: "tower"
TOWER_DB_DIALECT: "io.seqera.util.MySQL55DialectCollateBin"
TOWER_SMTP_HOST: "mailcatcher"
TOWER_SMTP_USER: ""
TOWER_SMTP_PASSWORD: ""
TOWER_JWT_SECRET: "<jwt_secret>"
TOWER_CRYPTO_SECRETKEY: "<crypt_secret>"
TOWER_LICENSE: "<license>"
TOWER_ENABLE_PLATFORMS: "local-platform"
FLYWAY_LOCATIONS: "classpath:db-schema/mysql"
---
kind: ConfigMap
apiVersion: v1
metadata:
name: tower-yml
labels:
app: backend-cfg
data:
tower.yml: |
mail:
smtp:
auth: false
starttls:
enable: false
required: false
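Review bot: nothing in this "basic" ConfigMap says it is for local evaluation only, yet it sets `TOWER_ENABLE_UNSAFE_MODE: "true"`, a plain-http `TOWER_SERVER_URL: "http://localhost:8080"`, a literal database password (`TOWER_DB_PASSWORD: "tower"`) and SMTP with `auth: false` / `starttls.enable: false`; add a `:::caution` (the other partials already use that admonition) stating that this configuration must not be reachable from outside the cluster and what unsafe mode relaxes (it exists to permit the non-TLS server URL used here). `TOWER_ROOT_USERS: "<root_users>"` also deserves a sentence on the expected format and on the fact that the listed accounts get root-level privileges in the installation. As in the production ConfigMap, `TOWER_JWT_SECRET` and `TOWER_CRYPTO_SECRETKEY` belong in a `Secret` rather than a `ConfigMap`, even for a test setup, so readers do not copy the pattern.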
@@ -0,0 +1,32 @@
---
apiVersion: v1
kind: Pod
metadata:
name: mailcatcher
labels:
app: mailcatcher
spec:
containers:
- name: mailcatcher
image: sj26/mailcatcher
ports:
- containerPort: 1025
- containerPort: 1080
---
apiVersion: v1
kind: Service
metadata:
name: mailcatcher
spec:
selector:
app: mailcatcher
ports:
- name: smtp
protocol: TCP
port: 587
targetPort: 1025
- name: http
protocol: TCP
port: 1080
targetPort: 1080
type: ClusterIP
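Review bot: `image: sj26/mailcatcher` carries no tag, so it resolves to `latest` and the documented setup changes under the reader's feet; pin a tag or digest. The Service maps `port: 587` to `targetPort: 1025`, but MailCatcher on 1025 speaks plain SMTP with no STARTTLS, which only works because the basic `tower.yml` in this PR sets `starttls.enable: false`; naming the port 587 (the submission port, normally STARTTLS) hides that, and since the backend ConfigMap sets `TOWER_SMTP_HOST: "mailcatcher"` without a port, the choice of 587 silently relies on the backend's default SMTP port, which the doc should state. The 1080 web UI has no authentication and shows every captured message (password resets included); `type: ClusterIP` keeps it in-cluster, which is fine for the local setup this is meant for, but say so, and note that a bare `Pod` is not rescheduled if the node goes away, so a `Deployment` is the safer shape even for a test helper.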