PacoVK / tapir-helm

Official Helm charts repo for Tapir - Private Terraform Registry
Apache License 2.0

Unable to start without AWS definitions #5

Open tim-chaffin opened 5 months ago

tim-chaffin commented 5 months ago

What we're trying to do is spin up Tapir in an Azure Kubernetes Service, with local configurations for the backend. We're using the Helm chart deployment, with the full config values below.

What we've tried:

Note: Ignore the IdP error for now. We'll be adding that in later. Trying to sort out the AWS related issue right now.

Full config.yml

## Tapir configuration
## Ref: https://github.com/PacoVK/tapir
##

# -- Provide a name in place of `tapir`
nameOverride: ""
# -- String to fully override `"tapir.fullname`
fullnameOverride: ""
# -- Create roles for cluster-wide installation
createClusterRoles: true

## Deployment
deployment:
  # -- Default image used by `tapir` deployment
  image:
    # -- Repository to use for tapir
    repository: "pacovk/tapir"
    # -- Tag to use for tapir
    tag: ""
    # -- Image pull policy for tapir
    imagePullPolicy: Always

  # -- Annotations to be added to `tapir` deployment
  annotations: {}

  # -- Labels to be added to `tapir` deployment
  labels: {}

  # -- Deployment strategy for the deployment
  strategy: {}
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 25%
    #   maxUnavailable: 25%

  # -- The number of application pods to run
  ## Doesn't apply if autoscaling.enabled is set to true
  replicas: 1

  # -- Number of old deployment ReplicaSets to retain. The rest will be garbage collected.
  revisionHistoryLimit: 3

  # -- Secrets with credentials to pull images from a private registry
  imagePullSecrets: []

  # -- Annotations to be added to all deployed pods
  podAnnotations: {}

  # -- Labels  to be added to all deployed pods
  podLabels: {}

  # -- Additional entries that will be injected in the pod's /etc/hosts file
  hostAliases: []

  # -- Pod level security context
  securityContext: {}
    # runAsNonRoot: true
    # runAsUser: 185

  # -- Priority class for the tapir pods
  priorityClassName: ""

  # -- terminationGracePeriodSeconds for container lifecycle hook
  terminationGracePeriodSeconds: 30

  # -- Environment variables to pass to the `tapir` pods, other than ones defined in deployment.configuration object
  extraEnv: {}

  # -- envFrom to pass to the `tapir` pods
  envFrom: {}

  # -- Tapir container port
  containerPort: 8080

  # -- Readiness and liveness probes for `tapir`
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  livenessProbe: {}
  readinessProbe: {}

  # -- Resource limits and requests for the `tapir` pods
  resources: {}
  #  limits:
  #    cpu: 500m
  #    memory: 1Gi
  #  requests:
  #    cpu: 500m
  #    memory: 1Gi

  # -- Container level security context
  containerSecurityContext: {}
    # runAsNonRoot: true
    # readOnlyRootFilesystem: true
    # allowPrivilegeEscalation: false
    # capabilities:
    #   drop:
    #   - ALL

  # -- Specify postStart and preStop lifecycle hooks for your `tapir` container
  lifecycle: {}

  # -- Assign custom affinity rules to the deployment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  affinity: {}

  # -- [Node selector]
  nodeSelector: {}

  # -- [Tolerations]
  tolerations: []

  # -- Assign custom topologySpreadConstraints rules to the `tapir` pods
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
  topologySpreadConstraints: []

  # -- Host network for `tapir` pods
  hostNetwork: false

  # -- [DNS configuration]
  dnsConfig: {}
  # -- Alternative DNS policy
  dnsPolicy: "ClusterFirst"

  # -- Deployment's configuration, populates all the required environmental variables
  ## Ref: https://github.com/PacoVK/tapir/blob/main/docs/configuration.md
  configuration:
    # -- Database backend configuration
    backend:
      # -- One of: elasticsearch,dynamodb,cosmosdb
      type: ""

      # -- Elasticsearch backend configuration
      ## Applies if backend.type is equal to "elasticsearch"
      elasticsearch:
        # -- Elasticsearch host
        host: ""

      # -- CosmosDB backend configuration
      ## Applies if backend.type is equal to "cosmosdb"
      cosmosDB:
        # -- CosmosDB endpoint
        endpoint: ""
        # -- CosmosDB master key
        masterKey: ""

    # -- Storage configuration
    storage:
      # -- One of: "s3,azureBlob,local"
      type: "s3"
      # -- Amount of minutes the signed download url is valid
      storageAccessDuration: 5

      # -- S3 storage configuration
      ## Applies if storage.type is equal to "s3"
      s3:
        # -- S3 bucket name
        bucketName: "tf-registry"
        # -- S3 bucket region
        bucketRegion: "eu-central-1"

      # -- Azure Blob storage configuration
      ## Applies if storage.type is equal to "azureBlob"
      azureBlob:
        # -- Azure Blob bucket name
        bucketName: "tf-registry"
        # -- Azure Blob connection string
        connectionString: ""

      # -- Tapir's local storage configuration
      ## Applies if storage.type is equal to "local"
      localRegistry:
        # -- Tapir's DNS record
        hostname: localhost
        # -- Tapir's external port
        port: 443

    # -- The maximum payload size for module/providers to be uploaded
    apiMaxBodySize: 100M

    # -- GPG configuration
    gpg:
      # -- GPG key ID of the key to be used (eg. D17C807B4156558133A1FB843C7461473EB779BD)
      keyID: ""
      # -- ASCII armored and base64 encoded GPG public key (only RSA/DSA supported)
      keyArmor: ""

    # -- OpenID Connect (OIDC) configuration
    auth:
      # -- The base URL of the OIDC server
      endpoint: ""
      # -- Client ID
      clientID: ""
      # -- Client secret if required by client
      clientSecret: ""
      # -- Relative path or absolute URL of the OIDC token endpoint which issues access and refresh tokens
      tokenPath: ""
      # -- Relative path or absolute URL of the OIDC authorization endpoint
      path: ""
      # -- The source of the role claim in the access token
      roleSource: "accesstoken"
      # -- OIDC attribute names
      attribute:
        # -- The attribute name in the token where the email is placed in
        email: "email"
        # -- The attribute name in the token where the given name is placed in
        givenName: "given_name"
        # -- The attribute name in the token where the family name is placed in
        familyName: "family_name"
        # -- The attribute name in the token where the preferred username is placed in
        prefUsername: "preferred_username"
      # -- IDP end session path, which will be used to logout
      endSessionPath: "/protocol/openid-connect/logout"

## Persistence configuration for `local` storage
## If `local` storage is configured and persistence is not enabled
## then emptyDir is used as a volume to enable readOnlyFilesystem security context
persistence:
  # -- Create a persistent volume claim for `tapir` deployment
  enabled: true
  # -- Use existing persistent volume claim instead of creating a new one
  existingClaim: ""
  # -- Resource policy annotation, if set to keep it adds annotation `helm.sh/resource-policy: keep`
  resourcePolicy: ""
  # -- Set access mode for the persistent volume claim
  ## Ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes
  accessMode: "ReadWriteOnce"
  # -- Set requests.storage value
  size: "10Gi"
  # Specify the `storageClass` used to provision the volume.
  # If not specified the default StorageClass will be used.
  # Set to "-" to disable dynamic provisioning
  storageClass: "managed-premium"
  # -- Annotations applied to created persistent volume claim
  annotations: {}
  # -- Labels applied to created persistent volume claim
  labels: {}

## Service Account
serviceAccount:
  # -- Create a service account for `tapir` deployment
  create: true
  # -- Service account name
  name: "tapir"
  # -- Annotations applied to created service account
  annotations: {}
  # -- Labels applied to created service account
  labels: {}
  # -- Automount API credentials for the service account
  automountServiceAccountToken: false

## Horizontal Pod Autoscaler
autoscaling:
  # -- Enable Horizontal Pod Autoscaler ([HPA]) for the `tapir` deployment
  enabled: false
  # -- Minimum number of replicas for the `tapir` deployment [HPA]
  minReplicas: 1
  # -- Maximum number of replicas for the `tapir` deployment [HPA]
  maxReplicas: 1
  # -- Average CPU utilization percentage for the `tapir` deployment [HPA]
  targetCPUUtilizationPercentage: ""
  # -- Average memory utilization percentage for the `tapir` deployment [HPA]
  targetMemoryUtilizationPercentage: ""
  # -- Configures scaling behavior of the target in both Up and Down directions
  behavior: {}
    # scaleDown:
    #  stabilizationWindowSeconds: 300
    #  policies:
    #   - type: Pods
    #     value: 1
    #     periodSeconds: 180
    # scaleUp:
    #   stabilizationWindowSeconds: 300
    #   policies:
    #   - type: Pods
    #     value: 2
    #     periodSeconds: 60
  # -- Configures custom HPA metrics for the `tapir` deployment
  # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  metrics: {}

## Service configuration
service:
  # -- Service annotations
  annotations: {}
  # -- Service labels
  labels: {}
  # -- Service type
  type: ClusterIP
  # -- Service https port
  portHttps: 443
  # -- Service https port for NodePort service type (only if `service.type` is set to "NodePort")
  nodePortHttps: 30443
  # -- LoadBalancer will be created with the IP specified in this field
  loadBalancerIP: ""
  # -- Source IP ranges to allow access to service from
  loadBalancerSourceRanges: []
  # -- Service external IPs
  externalIPs: []
  # -- Denotes if the service desires to route external traffic to node-local or cluster-wide endpoints
  externalTrafficPolicy: ""
  # -- Used to maintain session affinity. Supports `ClientIP` and `None`
  sessionAffinity: ""

## Ingress configuration
ingress:
  # -- Enable an ingress resource for the `tapir` registry
  enabled: false
  # -- Additional ingress annotations
  annotations: {}
  # -- Additional ingress labels
  labels: {}
  # -- Defines which ingress controller will implement the resource
  ingressClassName: "kong"

  # -- List of ingress hosts
  ## Hostnames must be enabled if Ingress is enabled
  ## TLS secrets must be manually created in the namespace or created using Certificate resource
  hosts: 
    - tapir.dev.eap.ihc.com

  # -- List of ingress paths
  paths:
    - /
  # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
  pathType: ImplementationSpecific
  # -- Additional ingress paths
  extraPaths: []
    #- path: /test
    #    pathType: Prefix
    #    backend:
    #      service:
    #        name: tapir
    #        port:
    #          name: https

  # -- Ingress TLS configuration
  tls: []
    # - secretName: tapir-tls
    #   hosts:
    #     - tapir.example.com

## TLS certificate configuration via cert-manager
## Ref: https://cert-manager.io/docs/usage/certificate/
certificate:
  # -- Deploy a Certificate resource (requires cert-manager)
  enabled: false
  # -- The name of the Secret that will be created and managed by this Certificate resource
  secretName: "tapir-tls"
  # -- Certificate primary domain (CommonName)
  domain: "tapir.example.com"
  # -- Certificate Subject Alternate Names (SANs)
  additionalHosts: []
  # -- The requested 'duration' (i.e. lifetime) of the certificate.
  # @default -- `""` (defaults to 2160h = 90d if not specified)
  ## Ref: https://cert-manager.io/docs/usage/certificate/#renewal
  duration: ""
  # -- How long before the expiry a certificate should be renewed.
  # @default -- `""` (defaults to 360h = 15d if not specified)
  ## Ref: https://cert-manager.io/docs/usage/certificate/#renewal
  renewBefore: ""
  ## Ref: https://cert-manager.io/docs/concepts/issuer
  issuer:
    # -- Certificate issuer group. Set if using an external issuer.
    group: ""
    # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer`
    kind: ""
    # -- Certificate issuer name. Eg. `letsencrypt`
    name: ""
  # -- Private key of the certificate
  privateKey:
    # -- Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always`
    rotationPolicy: Never
    # -- The private key cryptography standards (PKCS) encoding for private key. Either: `PKCS1` or `PKCS8`
    encoding: PKCS1
    # -- Algorithm used to generate certificate private key. One of: `RSA`, `Ed25519` or `ECDSA`
    algorithm: RSA
    # -- Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored.
    size: 2048
  # -- Annotations to be applied to the `tapir` Certificate
  annotations: {}
  # -- Usages for the certificate
  ### Ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.KeyUsage
  usages: []

## Pod Disruption Budget
## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
pdb:
  # -- Deploy a [PodDisruptionBudget] for the `tapir` deployment
  enabled: false
  # -- Labels to be added to `tapir` pdb
  labels: {}
  # -- Annotations to be added to `tapir` pdb
  annotations: {}
  # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
  # @default -- `""` (defaults to 0 if not specified)
  minAvailable: ""
  # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%).
  ## Has higher precedence over `repoServer.pdb.minAvailable`
  maxUnavailable: ""

Error encountered:

2024-04-22 20:16:41,748 WARN  [io.qua.oid.run.OidcRecorder] (vert.x-eventloop-thread-1) OIDC server is not available at the 'http://localhost:8089/realms/tapir' URL. Please make sure it is correct. Note it has to end with a realm value if you work with Keycloak, for example: 'https://localhost:8180/auth/realms/quarkus'
2024-04-22 20:16:41,748 WARN  [io.qua.oid.run.OidcRecorder] (vert.x-eventloop-thread-1) Tenant 'Default': 'OIDC Server is not available'. OIDC server is not available yet, an attempt to connect will be made during the first request. Access to resources protected by this tenant may fail if OIDC server will not become available
2024-04-22 20:16:41,926 INFO  [io.quarkus] (main) tapir 0.6.3 on JVM (powered by Quarkus 3.6.4) started in 1.554s. Listening on: http://0.0.0.0:8080/
2024-04-22 20:16:41,927 INFO  [io.quarkus] (main) Profile prod activated.
2024-04-22 20:16:41,927 INFO  [io.quarkus] (main) Installed features: [amazon-dynamodb, amazon-s3, amazon-sts, cdi, config-yaml, elasticsearch-rest-client, hibernate-validator, oidc, quinoa, resteasy-reactive, resteasy-reactive-jackson, security, smallrye-context-propagation, smallrye-openapi, vertx]
2024-04-22 20:16:41,931 INFO  [cor.Bootstrap] (main) Validate GPG key configuration provided
2024-04-22 20:16:41,933 INFO  [cor.Bootstrap] (main) Start to bootstrap registry database [dynamodb]
2024-04-22 20:16:42,059 WARN  [sof.ama.aws.reg.int.uti.EC2MetadataUtils] (main) Unable to retrieve the requested metadata.
2024-04-22 20:16:42,060 ERROR [io.qua.run.Application] (main) Failed to start application (with profile [prod]): software.amazon.awssdk.core.exception.SdkClientException: Unable to load region from any of the providers in the chain software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain@6f930e0: [software.amazon.awssdk.regions.providers.SystemSettingsRegionProvider@4b41587d: Unable to load region from system settings. Region must be specified either via environment variable (AWS_REGION) or  system property (aws.region)., software.amazon.awssdk.regions.providers.AwsProfileRegionProvider@697a0948: No region provided in profile: default, software.amazon.awssdk.regions.providers.InstanceProfileRegionProvider@c412556: Unable to retrieve region information from EC2 Metadata service. Please make sure the application is running on EC2.]
    at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
    at software.amazon.awssdk.regions.providers.AwsRegionProviderChain.getRegion(AwsRegionProviderChain.java:70)

PacoVK commented 5 months ago

@tim-chaffin thanks for raising this issue. I think there is one thing to explain here:

It is not possible to use local storage for backend. Valid options are one of elasticsearch, dynamodb, cosmosdb. CosmosDB uses SQL-dialect. Thanks for the hint, I think this should be part of the docs.

In your case set configuration.backend.type = cosmosdb and also bear in mind to set configuration.backend.cosmosDB.endpoint and configuration.backend.cosmosDB.masterKey.
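The misconfiguration in this thread (backend.type left empty, which the reporter's log shows falling through to dynamodb and then to the AWS region provider chain) is the kind of thing a pre-install check catches before `helm install`. The following is an added example, not code from the tapir-helm chart or its maintainer: a small Python validator that encodes the constraints stated in this thread and in the values file comments (backend.type must be one of elasticsearch, dynamodb or cosmosdb, there is no local backend, and the fields of the selected backend and storage block must be non-empty) and runs them over a values dict. The two sample dicts, the endpoint and key placeholders, and the warnings about emptyDir, `localhost` and inline secret material are constructed assumptions of this example; load a real values.yaml with `yaml.safe_load` before passing it to `validate_values`.

```python
"""Pre-install sanity check for tapir-helm values (added example, not part of the chart)."""
from typing import Any

# Allowed values, as stated by the maintainer and the values file comments.
BACKEND_TYPES = ("elasticsearch", "dynamodb", "cosmosdb")
STORAGE_TYPES = ("s3", "azureBlob", "local")

# Fields (relative to the backend / storage block) that must be filled in per type.
BACKEND_REQUIRED = {
    "elasticsearch": ("elasticsearch.host",),
    "cosmosdb": ("cosmosDB.endpoint", "cosmosDB.masterKey"),
    "dynamodb": (),  # resolved through the AWS SDK default credential/region chain
}
STORAGE_REQUIRED = {
    "s3": ("s3.bucketName", "s3.bucketRegion"),
    "azureBlob": ("azureBlob.bucketName", "azureBlob.connectionString"),
    "local": ("localRegistry.hostname", "localRegistry.port"),
}
# Values keys that carry secret material when non-empty (assumption: any of these set inline
# means the values file itself must be treated as a secret).
SECRET_KEYS = (
    "deployment.configuration.backend.cosmosDB.masterKey",
    "deployment.configuration.storage.azureBlob.connectionString",
    "deployment.configuration.auth.clientSecret",
)


def lookup(tree: Any, dotted: str) -> Any:
    """Follow a dotted path through nested dicts; None if any segment is missing."""
    node = tree
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_empty(value: Any) -> bool:
    return value is None or value == "" or value == {} or value == []


def validate_values(values: dict) -> list[str]:
    """Return ERROR/WARN findings for a parsed values.yaml; an empty list means clean."""
    findings: list[str] = []
    cfg = lookup(values, "deployment.configuration") or {}

    backend = cfg.get("backend") or {}
    btype = backend.get("type") or ""
    if btype == "":
        findings.append("ERROR backend.type is empty; the reporter's log shows the app then "
                        "bootstrapping dynamodb and failing in the AWS region provider chain")
    elif btype not in BACKEND_TYPES:
        findings.append(f"ERROR backend.type={btype!r} is not one of {BACKEND_TYPES} "
                        "(there is no 'local' backend)")
    else:
        for field in BACKEND_REQUIRED[btype]:
            if is_empty(lookup(backend, field)):
                findings.append(f"ERROR backend.{field} must be set when backend.type={btype!r}")

    storage = cfg.get("storage") or {}
    stype = storage.get("type") or ""
    if stype not in STORAGE_TYPES:
        findings.append(f"ERROR storage.type={stype!r} is not one of {STORAGE_TYPES}")
    else:
        for field in STORAGE_REQUIRED[stype]:
            if is_empty(lookup(storage, field)):
                findings.append(f"ERROR storage.{field} must be set when storage.type={stype!r}")
        if stype == "local":
            if not lookup(values, "persistence.enabled"):
                findings.append("WARN storage.type=local without persistence.enabled: the chart "
                                "falls back to emptyDir, so uploaded modules vanish on pod restart")
            if lookup(storage, "localRegistry.hostname") == "localhost":
                findings.append("WARN localRegistry.hostname is 'localhost'; clients outside the "
                                "pod cannot resolve that to the registry")

    for key in SECRET_KEYS:
        if not is_empty(lookup(values, key)):
            findings.append(f"WARN {key} holds secret material inline; keep this values file "
                            "out of version control")
    return findings


def has_errors(findings: list[str]) -> bool:
    return any(f.startswith("ERROR") for f in findings)


# Constructed sample 1: the shape of the reporter's values (backend.type empty, storage s3).
REPORTER_VALUES = {
    "deployment": {"configuration": {
        "backend": {"type": "", "elasticsearch": {"host": ""},
                    "cosmosDB": {"endpoint": "", "masterKey": ""}},
        "storage": {"type": "s3", "s3": {"bucketName": "tf-registry", "bucketRegion": "eu-central-1"}},
        "auth": {"clientSecret": ""},
    }},
    "persistence": {"enabled": True},
}

# Constructed sample 2: the maintainer's advice applied (cosmosdb + endpoint + masterKey);
# endpoint and key are placeholders, not real values.
FIXED_VALUES = {
    "deployment": {"configuration": {
        "backend": {"type": "cosmosdb",
                    "cosmosDB": {"endpoint": "https://PLACEHOLDER.documents.azure.com:443/",
                                 "masterKey": "PLACEHOLDER-MASTER-KEY"}},
        "storage": {"type": "local", "localRegistry": {"hostname": "tapir.example.com", "port": 443}},
        "auth": {"clientSecret": ""},
    }},
    "persistence": {"enabled": True},
}

if __name__ == "__main__":
    for name, vals in (("reporter", REPORTER_VALUES), ("fixed", FIXED_VALUES)):
        print(name)
        for finding in validate_values(vals):
            print("  ", finding)
```

Run it as-is to see the two reports; in a pipeline, gate `helm install` on `has_errors(validate_values(...))` being false, and treat the WARN about inline secret material as a prompt to move that value out of the committed values file.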

tim-chaffin commented 5 months ago

Thank you for helping, and clarifying these points. This helps significantly.

I'd be happy to help write this up? If you have a branch you'd like me to contribute to? Or I can fork and PR?

Additionally where would you like all of this documented specifically?

PacoVK commented 5 months ago

You are welcome :) Help would be really appreciated. For now the docs are still in the main repo.

If you would contribute best way to achieve that is to fork and create a PR against the upstream.

tim-chaffin commented 5 months ago

PR for review: https://github.com/PacoVK/tapir/pull/396