EPIC: Metacat Kubernetes/Helm Deployment MVP Release

[artntek]

See Epic #1623

TODO: For MVP Release, in Priority Order

1. Migration steps to k8s from legacy: test, refine & document for:

   • 1753

   • 1754

---

DONE

• Dev cluster: run tests against metacat+indexer setup
• Dev cluster: test DataONE MN setup (need cross-signed cert) for:
• * SYNCHRONIZATION (aka HARVESTING) and
• * REPLICATION
• Cross-signing CA to update DataONE CA weak signature mechanism (nginx ingress)
• Ensure HTTP AUTHORIZATION Header handled correctly by nginx ingress (formerly Apache rewrite rule)
• Indexer**: add auth for solr access (indexer chart & metacat code) defer - not exposed outside cluster
• DEPLOY HELM ON DEV CLUSTER
• get dataone_indexer working a subchart
• test auth for rabbitmq access
• #1662
• Mount secret (metacat container) for dataONE client cert
• Allow setting non-default memory limits for tomcat
• Figure out how to do client side cert authentication via k8s ingress without apache mod-jk
• ask ESS-DIVE if proposed setup serves their admin page and metacatui needs
  • asked 7/19/23. Fine as-is, except need to be able to submit updated settings to CN via DataONE Configuration admin page. See Issue #1662
• Create Ingress (may solve some of the log/test issues)
• don't run webapp as root
• using secrets for passwords
• defining site properties overwriting behavior for new vs. existing helm deployments
• if path to metacat-site.properties has been changed from the default, provide a helm-friendly way to avoid having to set it again via admin interface.
• Persistent Volume mounted at /var/metacat - working, but not poss to reconnect to same PV if Claim deleted when deployment deleted - so now creating claim only once, outside of deployment. Need to review with @mbjones Solved - changed to statefulset

[artntek]

MVP Assumptions & Notes

• Separate DataONE Indexer instance will be available by release time, so no need to provide solr sub-chart
• Metacatui - leave in but don't expose via ingress
• Database upgrades: OK to keep doing via curl for initial release
• Don't need to make these available (from admin replication settings page):
  • Generate System Metadata
  • Generate ORE
  • Remove Invalid Replicas
  • Sync access policies ... but Update DOIs (by ID or by formatId) is needed

[artntek]

Post-MVP items moved to #1666