Fixes to the lib and migrate mfr chart to use the lib

Author: olehavramenko

angular-osf/values.yaml

@@ -158,8 +158,9 @@ main:
 
 
 # ------- Pod Annotations -------
-# Checksum for configmap and secret will be added automatically
-  podAnnotations: []
+  podAnnotations:
+    checksum/main-config: '{{ include "cos-common.componentChecksum" (dict "root" . "name" "" "values" .Values.main "resource" "configmap") }}'
+    checksum/main-config-env: '{{ include "cos-common.componentChecksum" (dict "root" . "name" "env" "values" .Values.main "resource" "configmap") }}'
 
 
 # ------- Service configuration -------

cos-common/README.md

@@ -143,6 +143,7 @@ app:
 - **NetworkPolicy**: defaults to namespace-local ingress allow; egress only if `allowEgress: true` or `extraEgressRules` present. Use `componentScoped: false` to drop the component label when you want one policy to cover multiple components. `additionalNetworkPolicies[]` supported.
 - **Certificates**: renders cert-manager `Certificate`; `issuerRef` required when enabled. `certificate.acmeConfig` maps to `spec.acme.config[]` (defaults `http01.ingress` to the chart fullname when not set). `additionalCertificates[]` available.
 - **Persistence**: component-level `persistence` or `volumes[].persistence` can auto-create PVCs (unless `existingClaim`); per-volume persistence forbids `emptyDir` and wires the volume to the claim automatically.
+- **Additional containers**: `sidecars`/`additionalContainers` can inherit mounts or resources from another container in the same component via `inheritVolumeMountsFrom` / `inheritResourcesFrom` (explicit fields on the child override inherited ones).
 - **CronJob**: `schedule` is required; job-spec knobs (`parallelism`, `backoffLimit`, `podFailurePolicy`, etc.) live directly under the component block.
 - **Annotations**: `annotations` apply broadly by default; set `annotationsWorkloadOnly: true` or use `workloadAnnotations` to scope/override annotations on the workload resources only (deployment/statefulset/job/cronjob), e.g., for Helm hooks.
 - **StatefulSet**: define `serviceName` and `volumeClaimTemplates` as needed; supports `persistentVolumeClaimRetentionPolicy`.

cos-common/templates/_deployment.tpl

@@ -35,16 +35,8 @@ spec:
   {{ end }}
   template:
     metadata:
-      labels:
-        {{- include "cos-common.podLabels" . | nindent 8 }}
-        {{- with $vals.podLabels }}
-        {{- tpl (toYaml .) $.root | nindent 8 }}
-        {{- end }}
-      annotations:
-        {{- with $vals.podAnnotations }}
-        {{- tpl (toYaml .) $.root | nindent 8 }}
-        {{- end }}
-        {{- include "cos-common.podChecksums" . | nindent 8 }}
+      {{- /* Pod labels/annotations stay aligned with selectors. */}}
+      {{- include "cos-common.podMetadata" . | nindent 6 }}
     spec:
       {{- /* Shared pod spec helper wires containers, volumes, TLS, affinities, etc. */}}
       {{- include "cos-common.podSpec" . | nindent 6 }}

cos-common/templates/_helpers.tpl

@@ -235,51 +235,26 @@ workload-specific additions via `workloadAnnotations`.
 {{- end }}
 {{- end }}
 
-{{/*
-Compute pod checksum annotations for resources that affect runtime.
-Currently:
-- ConfigMap
-- Secret
-*/}}
-{{- define "cos-common.podChecksums" -}}
-
-{{- /* ConfigMap checksum */ -}}
-{{- if and .values.configMap (default false .values.configMap.enabled) }}
-checksum/configmap: {{ include "cos-common.componentChecksum" (dict
-    "root" .root
-    "name" .name
-    "values" .values
-    "resource" "configmap"
-) }}
-{{- end }}
-
-{{- /* Secret checksum */ -}}
-{{- if and .values.secret (default false .values.secret.enabled) }}
-checksum/secret: {{ include "cos-common.componentChecksum" (dict
-    "root" .root
-    "name" .name
-    "values" .values
-    "resource" "secret"
-) }}
-{{- end }}
-
-{{- end }}
-
 {{/*
 Render pod metadata labels and annotations.
 */}}
 {{- define "cos-common.podMetadata" -}}
 labels:
   {{- include "cos-common.podLabels" . | nindent 2 }}
   {{- with .values.podLabels }}
-  {{ tpl (toYaml .) .root | nindent 2 }}
-  {{ end }}
+  {{- range $k, $v := . }}
+  {{ $k }}: {{ tpl (printf "%s" $v) $.root | quote }}
+  {{- end }}
+  {{- end }}
+
 {{- with .values.podAnnotations }}
 annotations:
-  {{- $podAnns := tpl (toYaml .) .root | trimSuffix "\n" }}
-  {{ $podAnns | nindent 2 }}
-{{ end }}
-{{ end }}
+  {{- range $k, $v := . }}
+  {{ $k }}: {{ tpl (printf "%s" $v) $.root | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
 
 {{/*
 Helper to render list values with tpl evaluation.
@@ -462,7 +437,7 @@ resources:
 
 {{/*
 Render additional containers (sidecars/extra).
-Merges sidecars and additionalContainers, lets you inherit mounts from another container,
+Merges sidecars and additionalContainers, lets you inherit mounts/resources from another container,
 adds TLS mounts, normalizes ports/probes, and strips helper-only keys before render.
 */}}
 {{- define "cos-common.additionalContainers" -}}
@@ -480,6 +455,7 @@ adds TLS mounts, normalizes ports/probes, and strips helper-only keys before ren
   {{- $c := deepCopy . -}}
   {{- $name := default "" $c.name -}}
   {{- $volumeMounts := list -}}
+  {{- $inheritedResources := dict -}}
   {{- if $c.inheritVolumeMountsFrom }}
     {{- /* copy mounts from another named container section (e.g., main.daphne) */ -}}
     {{- $inheritFrom := tpl (toString $c.inheritVolumeMountsFrom) $.root -}}
@@ -493,8 +469,18 @@ adds TLS mounts, normalizes ports/probes, and strips helper-only keys before ren
       {{- end }}
     {{- end }}
   {{- end }}
+  {{- if $c.inheritResourcesFrom }}
+    {{- $inheritResourcesFrom := tpl (toString $c.inheritResourcesFrom) $.root -}}
+    {{- $src := index $vals $inheritResourcesFrom -}}
+    {{- if kindIs "map" $src }}
+      {{- with $src.resources }}
+        {{- $inheritedResources = merge (dict) $inheritedResources . -}}
+      {{- end }}
+    {{- end }}
+  {{- end }}
   {{- /* remove helper-only key so it doesn't reach k8s */ -}}
   {{- $_ := unset $c "inheritVolumeMountsFrom" -}}
+  {{- $_ := unset $c "inheritResourcesFrom" -}}
   {{- $volumeMounts = concat $volumeMounts (default (list) $c.volumeMounts) -}}
   {{- if $tlsConfigs }}
     {{- range $app, $cfg := $tlsConfigs }}
@@ -506,6 +492,10 @@ adds TLS mounts, normalizes ports/probes, and strips helper-only keys before ren
   {{- if gt (len $volumeMounts) 0 }}
     {{- $_ := set $c "volumeMounts" $volumeMounts -}}
   {{- end }}
+  {{- $resources := merge (dict) $inheritedResources (default (dict) $c.resources) -}}
+  {{- if gt (len $resources) 0 }}
+    {{- $_ := set $c "resources" $resources -}}
+  {{- end }}
   {{- if $c.ports }}
     {{- $ports := list }}
     {{- range $c.ports }}

cos-common/values.schema.json

@@ -262,6 +262,10 @@
           "type": "object",
           "additionalProperties": true
         },
+        "inheritResourcesFrom": {
+          "type": "string",
+          "description": "Name of another container entry in this component whose resources should be merged into this container."
+        },
         "securityContext": {
           "type": "object",
           "additionalProperties": true
@@ -272,6 +276,10 @@
             "$ref": "#/definitions/volumeMount"
           }
         },
+        "inheritVolumeMountsFrom": {
+          "type": "string",
+          "description": "Name of another container entry in this component whose volumeMounts should be copied into this container."
+        },
         "livenessProbe": {
           "$ref": "#/definitions/probe"
         },

mfr/Chart.yaml

@@ -1,7 +1,8 @@
-apiVersion: v1
-description: A Helm chart for Kubernetes
+apiVersion: v2
 name: mfr
-version: 0.9.3
+description: Modular File Renderer
+type: application
+version: 1.0.0
 keywords:
   - renderer
 sources:
@@ -10,5 +11,18 @@ maintainers:
   - name: Matt Frazier
     email: matt@cos.io
     url: https://github.com/mfraezz
-engine: gotpl
-tillerVersion: '>=2.7.0'
+dependencies:
+  - name: cos-common
+    version: 1.0.0
+    repository: https://centerforopenscience.github.io/helm-charts/
+  # - name: cos-common
+  #   version: 1.0.0
+  #   repository: "file://../cos-common"
+  - name: maintenance
+    version: 0.2.0
+    repository: https://centerforopenscience.github.io/helm-charts/
+    condition: maintenance.enabled, global.maintenance.enabled
+  - name: rabbitmq
+    version: 6.9.1
+    repository: https://centerforopenscience.github.io/helm-charts/
+    condition: rabbitmq.enabled, global.rabbitmq.enabled

mfr/files/nginx.conf

@@ -0,0 +1,117 @@
+user  nginx;
+worker_processes  {{ .Values.nginx.workerCount }};
+
+load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
+{{- if .Values.nginx.vts.enabled }}
+load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_vhost_traffic_status_module.so;
+{{- end }}
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format main '$remote_addr - $upstream_cache_status $remote_user [$time_local] '
+                    '"$request" $status $body_bytes_sent '
+                    '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
+                    'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
+    access_log  /var/log/nginx/access.log  main;
+
+    real_ip_header {{ .Values.nginx.realIpHeader }};
+    real_ip_recursive {{ .Values.nginx.realIpRecursive }};
+    {{- range .Values.nginx.proxySourceRanges }}
+    set_real_ip_from {{ . }};
+    {{- end }}
+
+    {{- if .Values.nginx.vts.enabled }}
+    geoip_country       /etc/nginx/GeoIP.dat;
+    geoip_city          /etc/nginx/GeoLiteCity.dat;
+    geoip_proxy_recursive on;
+    {{- range .Values.nginx.proxySourceRanges }}
+    geoip_proxy {{ . }};
+    {{- end }}
+
+    vhost_traffic_status_zone shared:vhost_traffic_status:{{ .Values.nginx.vts.statusZoneSize }};
+    vhost_traffic_status_filter_by_set_key {{ .Values.nginx.vts.defaultFilterKey }};
+    {{- end }}
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 620s;
+    keepalive_requests 10000;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    gzip on;
+    gzip_proxied any;
+    gzip_disable "msie6";
+    gzip_min_length 1400;
+    gzip_vary on;
+    gzip_buffers 4 32k;
+    gzip_types text/plain text/css image/svg+xml application/javascript application/x-javascript text/xml text/javascript application/json application/vnd.api+json;
+
+    brotli on;
+    brotli_types text/plain text/css image/svg+xml application/javascript application/x-javascript text/xml text/javascript application/json application/vnd.api+json;
+
+    {{- if .Values.nginx.vts.enabled }}
+    server {
+        listen {{ .Values.nginx.vts.internalPort }};
+        server_name _;
+
+        location /healthz {
+            access_log off;
+            return 200;
+        }
+
+        location /nginx_status {
+            vhost_traffic_status_display;
+            vhost_traffic_status_display_format html;
+        }
+    }
+    {{- end }}
+
+    server {
+        listen {{ .Values.main.http.containers.nginx.internalPort }};
+        keepalive_timeout 620s;
+        client_max_body_size 25M;
+        server_name _;
+
+        if ($http_x_forwarded_proto = "http") {
+            return 301 https://$host$request_uri;
+        }
+
+        location = /healthz {
+            access_log off;
+            return 200;
+        }
+
+        location = /robots.txt {
+            alias /usr/share/nginx/html/robots.txt;
+        }
+
+        location / {
+            # Disable caching of application requests
+            add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate";
+            add_header Expires "-1";
+            add_header Pragma "no-cache";
+
+            # Mitigate HTTPoxy Vulnerability
+            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+            proxy_set_header Proxy                  "";
+
+            proxy_buffering off;
+            proxy_request_buffering off;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass http://127.0.0.1:{{ .Values.main.http.containers.nginx.externalPort }};
+        }
+    }
+}

mfr/requirements.lock

@@ -1,17 +1,23 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.hostname }}
-  http://{{- .Values.ingress.hostname }}
-{{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "mfr.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get svc -w {{ template "mfr.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "mfr.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
-{{- else if contains "ClusterIP"  .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "mfr.fullname" . }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl port-forward $POD_NAME 8080:{{ .Values.service.externalPort }}
+{{- $fullname := include "cos-common.fullname" (dict "root" . "name" "") | trim -}}
+{{- $service := .Values.main.service -}}
+{{- $externalPort := .Values.main.http.containers.nginx.externalPort -}}
+{{- $internalPort := .Values.main.http.containers.nginx.internalPort -}}
+
+1. Main service: {{ $fullname }}
+{{- if and $service (eq $service.enabled true) }}
+{{- if contains "LoadBalancer" $service.type }}
+   Wait for the external IP, then:
+   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ $fullname }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+   echo http://$SERVICE_IP:{{ $externalPort }}
+{{- else if contains "NodePort" $service.type }}
+   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ $fullname }})
+   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+   echo http://$NODE_IP:$NODE_PORT
+{{- else }}
+   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cos-common.chartName" (dict "root" .) }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+   echo "Visit http://127.0.0.1:8080 to use your application"
+   kubectl port-forward $POD_NAME 8080:{{ $internalPort }}
+{{- end }}
+{{- else }}
+   Service disabled.
 {{- end }}