diff --git a/.changeset/slow-news-dream.md b/.changeset/slow-news-dream.md new file mode 100644 index 0000000000..a845151cc8 --- /dev/null +++ b/.changeset/slow-news-dream.md @@ -0,0 +1,2 @@ +--- +--- diff --git a/.github/workflows/test-k8s-nightly.yaml b/.github/workflows/test-k8s-nightly.yaml index 51bb098a7c..9fa764dc02 100644 --- a/.github/workflows/test-k8s-nightly.yaml +++ b/.github/workflows/test-k8s-nightly.yaml @@ -14,7 +14,7 @@ jobs: run: needs: - init - uses: milaboratory/github-ci/.github/workflows/node-simple-pnpm-k8s.yaml@v4 + uses: milaboratory/github-ci/.github/workflows/node-simple-pnpm-k8s.yaml@v4-beta with: app-name: Platforma SDK Google Batch Int Tests app-name-slug: 'platforma-sdk-gcp' @@ -23,8 +23,8 @@ jobs: pl-version: 'main' pnpm-build-command: '--filter "*/workflow-tengo*"' pnpm-test-command: '--filter="@platforma-sdk/workflow-tengo-tests" -- --maxConcurrency=5 --maxWorkers=5 --testTimeout=1800000 --no-cache' - helm-release-name: 'pl-dev-gcp' - helm-chart-values-file: 'helm/gcp/values.yaml' + helm-release-name: 'ci-platforma-nightly-${{ github.run_id }}' + helm-chart-values-file: 'helm/gcp/ci-nightly-tests.yaml' notify-slack: true namespace: 'dev-gke' npmrc-config: | @@ -46,9 +46,13 @@ jobs: "TEST_CACHE_CRUTCH": "${{ github.sha }}-${{ github.run_id }}" } secrets: env: | - { "PL_CI_TEST_USER": ${{ toJSON(secrets.PL_CI_TEST_USER) }}, - "PL_CI_TEST_PASSWORD": ${{ toJSON(secrets.PL_CI_TEST_PASSWORD) }}, + { "PL_CI_TEST_USER": "testuser1", + "PL_CI_TEST_PASSWORD": "testpassword1", + "NPMJS_TOKEN": ${{ toJSON(secrets.NPMJS_TOKEN) }}, + "AWS_CI_IAM_MONOREPO_SIMPLE_ROLE": ${{ toJSON(secrets.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE) }}, + "AWS_CI_TURBOREPO_S3_BUCKET": ${{ toJSON(secrets.AWS_CI_TURBOREPO_S3_BUCKET) }}, + "GCLOUD_CI_GKE_BUCKET_NAME": ${{ toJSON(secrets.GCLOUD_CI_GKE_BUCKET_NAME) }}, "QUAY_USERNAME": ${{ toJSON(secrets.QUAY_USERNAME) }}, "QUAY_ROBOT_TOKEN": ${{ toJSON(secrets.QUAY_ROBOT_TOKEN) }} } 
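Review bot: `uses: milaboratory/github-ci/.github/workflows/node-simple-pnpm-k8s.yaml@v4-beta` references the reusable workflow by a mutable branch-or-tag ref, while the third hunk of this file hands that same workflow a wider secret set (NPMJS_TOKEN, AWS_CI_IAM_MONOREPO_SIMPLE_ROLE, GCLOUD_CI_GKE_BUCKET_NAME and the Quay robot token), so whoever can move `v4-beta` in milaboratory/github-ci controls a job that holds those secrets. Pinning to a full commit SHA with the tag in a trailing comment keeps the same workflow version while making updates explicit: `uses: milaboratory/github-ci/.github/workflows/node-simple-pnpm-k8s.yaml@<commit-sha>  # v4-beta`. If the intent is to track the beta branch while it is being developed, a comment above the `uses:` line saying so, plus a note to re-pin before this becomes the standing nightly, would make that deliberate rather than accidental.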
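Review bot: `"PL_CI_TEST_USER": "testuser1"` and `"PL_CI_TEST_PASSWORD": "testpassword1"` replace the secret-backed values with literals committed to the repository, so the LDAP test credentials are now readable by anyone with repository access and, unlike `secrets.*` expansions, will not be masked in job logs if the job ever echoes them. If this is a throwaway account on the in-cluster glauth that `helm/gcp/ci-nightly-tests.yaml` points at (`ldap://pl-dev-glauth.dev-gke.svc.cluster.local:3893`), a comment on the YAML line above `secrets:` such as `# Fixed test account on the dev-gke glauth; intentionally not a repository secret` would stop the next reader from treating it as a leak. Otherwise keep `"PL_CI_TEST_USER": ${{ toJSON(secrets.PL_CI_TEST_USER) }},` and the matching password line. The comment has to sit outside the `env: |` block scalar, because a `#` line inside it becomes part of the JSON string the reusable workflow receives.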
diff --git a/helm/gcp/ci-nightly-tests.yaml b/helm/gcp/ci-nightly-tests.yaml new file mode 100644 index 0000000000..ecdccd7ba1 --- /dev/null +++ b/helm/gcp/ci-nightly-tests.yaml 
@@ -0,0 +1,121 @@ +# ============================================================================= +# Platforma Helm Chart Configuration +# ============================================================================= + +# -- Number of replicas for the deployment +replicaCount: 1 + +# -- Image configuration +image: + repository: europe-west3-docker.pkg.dev/mik8s-euwe3-prod-gke-project/pl/pl + pullPolicy: Always + tag: "main" # or Chart.AppVersion + +# -- Service Account configuration +serviceAccount: + create: false + name: "platforma-ci-sa" + annotations: {} + # eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/my-platforma-iam-role + # iam.gke.io/sa-name: my-platforma-gsa # For Workload Identity on GKE + +deployment: + redeployOnUpgrade: true + securityContext: + privileged: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + add: [] + drop: [ "ALL" ] + + podSecurityContext: + fsGroup: 3000 # Group ID for volume ownership + +resources: + limits: + cpu: 2000m + memory: 8Gi + requests: + cpu: 1000m + memory: 4Gi + +env: + variables: + PL_ENVIRONMENT: "CI" + + secretVariables: + - name: PL_LICENSE + secretKeyRef: + name: pl-license-secret + key: pl-license-key + +logging: + # Supported values: + # - "stream://stdout" (default): Logs are sent to the standard output of the container. + # - "stream://stderr": Logs are sent to the standard error of the container. + # - "dir:///var/log/platforma": Logs are written to files in the specified directory, + # which can be backed by a persistent volume. The path should match `persistence.mountPath`. 
+ destination: "stream://stderr" + +monitoring: + enabled: true + +debug: + enabled: true + +persistence: + mainRoot: + enabled: false + + dbDir: + enabled: true + storageClass: "standard-rwo" + mountPath: /data/rocksdb + +gcp: + serviceAccount: "mik8s-platforma-ci-access@mik8s-euwe3-prod-gke-project.iam.gserviceaccount.com" + projectId: "mik8s-euwe3-prod-gke-project" + +primaryStorage: + gcs: + enabled: true + url: "gs://mik8s-platforma-ci-euwe3-dev-gke/platforma-ci-primary/" # e.g., gs://[/] + +dataLibrary: + gcs: + - id: "test-assets" + enabled: true + url: "gs://mik8s-platforma-ci-euwe3-dev-gke/test-assets/" + +authOptions: + ldap: + enabled: true + server: "ldap://pl-dev-glauth.dev-gke.svc.cluster.local:3893" + dn: "cn=%u,ou=users,ou=users,dc=pldev,dc=io" + +extraArgs: + - --skip-extended-self-check +# - --log-level=debug +# - --log-dst=dir:///var/log/platforma +# - --log-rotation-size=100MiB + +googleBatch: + enabled: true + region: "europe-west3" + + network: "projects/mik8s-euwe3-prod-gke-project/global/networks/mik8s-euwe3-prod-gke-vpc" + subnetwork: "projects/mik8s-euwe3-prod-gke-project/regions/europe-west3/subnetworks/mik8s-euwe3-prod-gke-private-1" + + storage: "/data/nfs=nfs://10.244.108.130/nfs_share" + volumes: + enabled: true + name: "nfs-volume" + mountPath: "/data/nfs" + workDirName: "ci/custom-nightly-run/work" # altered by CI, look for googleBatch.volumes.workDirName + packagesDirName: "ci/custom-nightly-run/packages" # altered by CI, look for googleBatch.volumes.packagesDirName + existingClaim: "filestore-ci-fast-pvc" + + jobNamePrefix: "platforma-nightly-tests" + provisioning: "SPOT" diff --git a/helm/gcp/values.yaml b/helm/gcp/values.yaml deleted file mode 100644 index 4ae7afe39d..0000000000 --- a/helm/gcp/values.yaml +++ /dev/null 
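Review bot: `securityContext` in the new values file keeps `runAsUser: 0`, `runAsGroup: 0` and `runAsNonRoot: false` but drops the `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: false` lines that the deleted `helm/gcp/values.yaml` carried; whether the chart template defaults these fields when they are absent is not visible here, and if it does not, the nightly pod now runs as root with no explicit no-new-privileges setting. Restating `allowPrivilegeEscalation: false` under `securityContext:` costs one line and keeps the rendered pod spec identical to the previous one regardless of the template's default. `capabilities.drop: [ "ALL" ]` is retained, which is the right call. A comment on `runAsUser: 0` naming why the CI pod still needs root (the NFS mount at `/data/nfs` together with `fsGroup: 3000` hints at a volume-ownership reason, but that is a guess) would help whoever next tries to tighten it.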
@@ -1,717 +0,0 @@ -# ============================================================================= -# Platforma Helm Chart Configuration -# ============================================================================= - -# -- Number of replicas for the deployment -replicaCount: 1 - -# -- Image configuration -image: - repository: europe-west3-docker.pkg.dev/mik8s-euwe3-prod-gke-project/pl/pl - pullPolicy: Always - tag: "main" # or Chart.AppVersion - -# -- Image pull secrets for private registries -imagePullSecrets: [] # - name: regcred - -# -- Service Account configuration -serviceAccount: - create: false - name: "platforma-ci-sa" - annotations: {} - # eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/my-platforma-iam-role - # iam.gke.io/sa-name: my-platforma-gsa # For Workload Identity on GKE - -# -- Service configuration -service: - type: ClusterIP # ClusterIP, NodePort, LoadBalancer - port: 6345 # Matches --listen-port default - # loadBalancerIP: "" # Specific static IP for the load balancer - # annotations: {} # e.g., for AWS ALB: "service.beta.kubernetes.io/aws-load-balancer-type": "nlb" - -# -- Ingress configuration -ingress: - enabled: false - className: "nginx" # Or your specific IngressClass (e.g., "gce", "traefik") - annotations: {} - # kubernetes.io/ingress.class: nginx - # cert-manager.io/cluster-issuer: letsencrypt-prod - # -- The hostname to be used for the Ingress resource. - host: platforma.local - # -- TLS configuration for the Ingress. - tls: - enabled: false - # -- The name of the Kubernetes secret that contains the TLS certificate. - secretName: "" - # -- Path configurations for the Ingress. - paths: - # -- Configuration for the main gRPC service path. - grpc: - enabled: true - path: / - pathType: Prefix - # -- Configuration for the HTTP service path. - # This path is ONLY added to the Ingress if `primaryStorage.fs.enabled` is also true. 
- http: - enabled: true - path: /http - pathType: Prefix - -# -- Health check probes -probes: - liveness: - enabled: true - # -- Type of probe. Can be 'httpGet', 'tcpSocket', or 'grpc'. - type: grpc - # -- Common probe settings - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 6 - # -- Configuration for httpGet probe - httpGet: - path: /health - port: 8080 # Port for httpGet probe - # -- Configuration for tcpSocket probe - tcpSocket: - port: 6345 # Port for tcpSocket probe - # -- Configuration for grpc probe - grpc: - port: 6345 # Port for gRPC probe - # -- Service name for gRPC probe. Required for headless services. - service: "" - readiness: - enabled: true - # -- Type of probe. Can be 'httpGet', 'tcpSocket', or 'grpc'. - type: grpc - # -- Common probe settings - initialDelaySeconds: 10 - periodSeconds: 5 - timeoutSeconds: 3 - successThreshold: 1 - failureThreshold: 3 - # -- Configuration for httpGet probe - httpGet: - path: /health - port: 8080 # Port for httpGet probe - # -- Configuration for tcpSocket probe - tcpSocket: - port: 6345 # Port for tcpSocket probe - # -- Configuration for grpc probe - grpc: - port: 6345 # Port for gRPC probe - # -- Service name for gRPC probe. Required for headless services. - service: "" - -# -- Environment Variables for the application container -env: - # -- Simple key-value environment variables - variables: - PL_ENVIRONMENT: "CI" - # PLATFORMA_APP_ENV: "production" - # FEATURE_TOGGLE_X: "true" - - # -- Environment variables populated from Kubernetes Secrets (recommended for sensitive data) - # Ensure the referenced Secret exists in the same namespace. 
- # See: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables - secretVariables: - - name: PL_LICENSE - secretKeyRef: - name: pl-license-secret - key: pl-license-key - # - name: DB_PASSWORD # Name of the environment variable in the container - # secretKeyRef: - # name: my-database-secret # Name of the Kubernetes Secret - # key: password # Key within the Secret that holds the value - # # optional: true # Set to true if the secret or its key can be missing (Kubernetes 1.20+) - - # - name: S3_ACCESS_KEY_ID # Example for S3 credentials from a secret - # secretKeyRef: - # name: platforma-s3-credentials - # key: access_key - - # - name: S3_SECRET_ACCESS_KEY # Example for S3 credentials from a secret - # secretKeyRef: - # name: platforma-s3-credentials - # key: secret_key - - # -- Environment variables populated from Kubernetes ConfigMaps (for non-sensitive configuration) - # Ensure the referenced ConfigMap exists in the same namespace. - # See: https://kubernetes.io/docs/concepts/configuration/configmap/#using-configmaps-as-environment-variables - configMapVariables: - # - name: APP_MODE # Name of the environment variable in the container - # configMapKeyRef: - # name: my-app-configmap # Name of the Kubernetes ConfigMap - # key: application_mode # Key within the ConfigMap that holds the value - # # optional: true # Set to true if the configmap or its key can be missing (Kubernetes 1.20+) - - # - name: PLATFORMA_API_BASE_URL - # configMapKeyRef: - # name: platforma-backend-config - # key: api_base_url - - # -- Deployment-level configuration -deployment: - priorityClassName: "" # Assigns a PriorityClass (e.g., "high-priority") to the Pod. - schedulerName: "" # Use an alternate scheduler, e.g., "stork-scheduler". - # -- Override the default container entrypoint by specifying a command. - # By default, this is disabled, and the chart passes arguments directly - # to the container's predefined ENTRYPOINT. 
- command: - enabled: false - # -- The command to execute. - # Example: ["/opt/platforma/bin/platforma"] - command: [] - # -- Only Pod's additional labels - podLabels: {} - # -- Only Pod's annotations (e.g., for Prometheus scraping) - podAnnotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: {{ .Values.service.monitoringPort | quote }} - # prometheus.io/path: "/metrics" - redeployOnUpgrade: true - # -- Deployment strategy ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - strategy: - type: Recreate # Or Recreate. RollingUpdate is generally preferred for zero-downtime updates. - # If type is RollingUpdate: - rollingUpdate: - maxSurge: 25% # Max number of pods that can be created above desired count - maxUnavailable: 25% # Max number of pods that can be unavailable during update - # maxSurge: 1 # Example for fixed numbers - # maxUnavailable: 0 - # -- Container-level security context. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - securityContext: - privileged: false # Grants all capabilities. Use with extreme caution. - runAsUser: 0 # Run as root user inside the container - runAsGroup: 0 # Run as root group inside the container - runAsNonRoot: false # Allow running as root user - readOnlyRootFilesystem: false # Allow writing to the container's root filesystem - allowPrivilegeEscalation: false # Allow processes to gain more privileges - # privileged: false # Grants all capabilities. Use with extreme caution. - # runAsUser: 0 # Run as root user inside the container - # runAsGroup: 0 # Run as root group inside the container - # runAsNonRoot: false # Allow running as root user - # readOnlyRootFilesystem: false # Allow writing to the container's root filesystem - # allowPrivilegeEscalation: false # Allow processes to gain more privileges - capabilities: - add: [] # Add all Linux capabilities. Use with extreme caution. - drop: [ "ALL" ] # Drop no capabilities. 
Consider dropping unnecessary capabilities. - # -- Pod-level security context. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - podSecurityContext: - fsGroup: 3000 # Group ID for volume ownership - # fsGroup: 3000 # Group ID for volume ownership - # Additional pod security context fields: - # runAsUser: 1000 # If running as non-root - # runAsGroup: 1000 # If running as non-root - # runAsNonRoot: true # Set to true if runAsUser/runAsGroup are non-root - # supplementalGroups: [1001, 1002] # Additional groups for the pod - # seccompProfile: # Linux Seccomp profile - # type: RuntimeDefault # Or "Localhost" with specific path - - # -- Sidecar Containers - # This section defines containers that run alongside your main application container. - # In Kubernetes v1.28+, native sidecar support is achieved by setting `restartPolicy: Always` - # on initContainers. These sidecars start before the main application container - # and remain running throughout its lifecycle, terminating gracefully after the main container exits. - # Useful for logging agents, monitoring exporters, network proxies, etc. - # See: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/#sharing-volumes- Con sidecar-containers -sidecarContainers: [] - # - name: my-log-shipper - # image: fluent/fluentd:v1.16-debian-1.0 - # imagePullPolicy: IfNotPresent - # command: ["fluentd", "-c", "/fluentd/etc/fluentd.conf"] - # restartPolicy: Always # Essential for native sidecar behavior - # volumeMounts: - # - name: log-dir-volume # Mount the application's log directory - # mountPath: /var/log/platforma # Fluentd will read logs from here - # # You'd also need a ConfigMap for fluentd.conf and mount it. 
- # resources: - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 50m - # memory: 64Mi - # - name: my-monitoring-exporter - # image: prom/node-exporter:latest - # imagePullPolicy: IfNotPresent - # command: ["node_exporter"] - # restartPolicy: Always - # resources: - # limits: - # cpu: 50m - # memory: 64Mi - # requests: - # cpu: 25m - # memory: 32Mi - -# ============================================================================= -# Platforma CLI Options -# ============================================================================= - -# -- Main Options (--version, --full-version, --only-verify-config, --get-queue-limits) -mainOptions: - # -- License file configuration - licenseFile: - enabled: false - path: "/etc/platforma/.pl-license" - # Secret configuration for license file - secretRef: - enabled: false - name: "" # Name of the secret containing license file - key: "license" # Key in secret for license content - -# -- Local Storage Options (using PVCs) -persistence: - # -- Configuration for the main data volume (simple setup). - # If enabled, this creates a single PVC for all application data. - # The `dbDir`, `workDir`, and `packagesDir` options below will be ignored. - mainRoot: - enabled: false - # -- If true, a PVC will be created for the main root directory. - createPvc: true - # -- Use an existing PVC for the main root directory. If specified, `size` and `storageClass` are ignored. - existingClaim: "" - accessMode: ReadWriteOnce - size: 100Gi - # storageClass: "standard" - mountPath: /data/platforma-data - # -- Configuration for the database volume (advanced setup). - # Only used if `persistence.mainRoot.enabled` is false. - dbDir: - enabled: true - # -- If true, a PVC will be created for the database directory. - createPvc: true - # -- Use an existing PVC for the database directory. If specified, `size` and `storageClass` are ignored. 
- existingClaim: "" - accessMode: ReadWriteOnce - size: 20Gi - storageClass: "standard-rwo" - mountPath: /data/platforma-data/rocksdb - # -- Configuration for the working directory volume (advanced setup). - # Only used if `persistence.mainRoot.enabled` is false. - workDir: - enabled: false - # -- If true, a PVC will be created for the working directory. - createPvc: true - # -- Use an existing PVC for the working directory. If specified, `size` and `storageClass` are ignored. - existingClaim: "" - accessMode: ReadWriteOnce - size: 50Gi - storageClass: "standard-rwo" - mountPath: /data/platforma-data/work - # -- Configuration for the packages volume (advanced setup). - # Only used if `persistence.mainRoot.enabled` is false. - packagesDir: - enabled: false - # -- If true, a PVC will be created for the packages directory. - createPvc: true - # -- Use an existing PVC for the packages directory. If specified, `size` and `storageClass` are ignored. - existingClaim: "" - accessMode: ReadWriteOnce - size: 50Gi - storageClass: "standard-rwo" - mountPath: /data/platforma-data/packages - -# -- Listen Options (--listen-port, --listen-http-port, --listen-address, TLS options) -listenOptions: - port: 6345 # Should match service.port - # -- The HTTP port. This is only used if `primaryStorage.fs.enabled` is true. 
- httpPort: 6347 - ip: "0.0.0.0" - # -- TLS configuration for listening - tls: - enabled: false - certPath: "" - keyPath: "" - org: "Platforma" - domains: [] - ips: [] - # -- Self-signed TLS options - selfSignedTls: false - selfSignedTlsOrg: "" - selfSignedTlsDomains: [] - selfSignedTlsIps: [] - -# -- GCP shared settings -gcp: - serviceAccount: "mik8s-platforma-ci-access@mik8s-euwe3-prod-gke-project.iam.gserviceaccount.com" - projectId: "mik8s-euwe3-prod-gke-project" - -# -- Primary Storage Options -# NOTE: Only one primary storage can be enabled at a time (s3, fs, or gcs) -primaryStorage: - # -- S3 primary storage configuration - s3: - enabled: false - url: "s3://milab-euce1-prod-data-s3-platforma-ci/platforma-ci-primary/" - region: "eu-central-1" - key: "" # It's better to use SecretKeyRef for sensitive keys - secret: "" # It's better to use SecretKeyRef for sensitive secrets - externalEndpoint: "" - noDataIntegrity: false - # Secret configuration for S3 credentials - secretRef: - enabled: false - name: "" # Name of the secret containing S3 credentials - keyKey: "access-key" # Key in secret for access key - secretKey: "secret-key" # Key in secret for secret key - # -- Filesystem storage option - fs: - enabled: false - url: "" - # Auto-generate URL from listen settings - autoUrl: true - # -- Service configuration for the HTTP endpoint needed for FS primary storage. - # This service is only created if primaryStorage.fs.enabled is true. - httpService: - type: ClusterIP - annotations: {} - # PVC configuration for filesystem storage - pvc: - enabled: false - # -- Use an existing PVC for the filesystem primary storage. If specified, `size` and `storageClass` are ignored. 
- existingClaim: "" - accessMode: ReadWriteOnce - size: 100Gi - # storageClass: "standard" - mountPath: /data/primary-storage - # -- GCS primary storage configuration - gcs: - enabled: true - url: "gs://mik8s-platforma-ci-euwe3-dev-gke/platforma-ci-primary/" # e.g., gs://[/] - # serviceAccount centralized via top-level gcp.serviceAccount - - # -- Data Library Options (--no-data-library, --no-host-data-library, --data-library-fs, --data-library-s3, --data-library-gcs) -dataLibrary: - noDataLibrary: false - noHostDataLibrary: false - # -- S3 data libraries - s3: - - id: "library" - enabled: false - url: "s3://milab-euce1-prod-data-s3-platforma-ci/platforma-ci-library/" - region: "eu-central-1" - key: "" # It's better to use SecretKeyRef for sensitive keys - secret: "" # It's better to use SecretKeyRef for sensitive secrets - externalEndpoint: "" - noDataIntegrity: false - # Secret configuration for S3 credentials - secretRef: - enabled: false - name: "" # Name of the secret containing S3 credentials - keyKey: "access-key" # Key in secret for access key - secretKey: "secret-key" # Key in secret for secret key - # -- Filesystem data libraries. Each item in this list will create a corresponding PVC. - fs: [] - # - id: "my-fs-library" - # path: "/data/fs-library-1" # Mount path inside the container - # pvc: - # enabled: true - # # -- Use an existing PVC for this filesystem data library. If specified, `size` and `storageClass` are ignored. 
- # existingClaim: "" - # accessMode: ReadWriteOnce - # size: 10Gi - # storageClass: "standard" - # -- GCS data libraries - gcs: - # serviceAccount centralized via top-level gcp.serviceAccount - - id: "test-assets" - enabled: true - url: "gs://mik8s-platforma-ci-euwe3-dev-gke/test-assets/" - # serviceAccount centralized via top-level gcp.serviceAccount - # - id: "my-gcs-library" - # enabled: true - # url: "gs://my-gcs-bucket/library" - # projectId: "" # GCP project ID - # serviceAccount: "" # GCP service account name - # jsonKeyFilePath: "" # Path to GCP service account JSON key file - - # -- Authentication Options -authOptions: - # -- Htpasswd authentication (--auth-htpasswd) - htpasswd: - enabled: false - # -- Manually specify the full path to the htpasswd file in the container. - # NOTE: This is only used if `secretRef.enabled` is false. - path: "" - # -- Provide the htpasswd file via a Kubernetes secret (recommended). - secretRef: - enabled: false - # -- Name of the Secret containing the htpasswd file. - # This secret will be mounted to the directory `/etc/platforma/secrets/htpasswd`. - name: "" - # -- The key in the secret that contains the htpasswd file content. - # The final path used by the application will be `/etc/platforma/secrets/htpasswd/{{ .Values.authOptions.htpasswd.secretRef.key }}`. - key: "htpasswd" - # -- LDAP authentication - ldap: - enabled: true - server: "ldap://pl-dev-glauth.dev-gke.svc.cluster.local:3893" - dn: "cn=%u,ou=users,ou=users,dc=pldev,dc=io" - startTls: false - # -- LDAP search password configuration. - # Used for LDAP bind operations when searching for users. - # The password can be provided via a Kubernetes Secret as an environment variable (PL_AUTH_LDAP_SEARCH_PASSWORD). - # Alternatively, you can pass it directly via the --auth-ldap-search-password CLI argument in extraArgs. - searchPassword: - # -- Provide search password from a Secret as an environment variable. 
- # When enabled, the password will be available as PL_AUTH_LDAP_SEARCH_PASSWORD env var. - # Note: If you prefer to pass the password directly via CLI, use extraArgs instead: - # extraArgs: - # - "--auth-ldap-search-password=your-password" - envRef: - enabled: false - name: "" # Name of the Secret containing the LDAP search password - key: "password" # Key within the Secret that holds the password value - # -- LDAP TLS configuration. - # Enables client-side TLS for the LDAP connection. - # You can mix and match how certificates are provided. For example, you can - # provide the client cert/key via a secret and the CA certificate via `casPath`. - tls: - enabled: false - # -- Configuration for the Certificate Authority (CA). - # Used to verify the LDAP server's certificate. This is useful for servers - # with self-signed certificates or private CAs. - ca: - # -- Provide CA cert from a Secret. - secretRef: - enabled: false - name: "" - key: "ca.crt" - # -- Provide CA cert from a ConfigMap. - configMapRef: - enabled: false - name: "" - key: "ca.crt" - # -- Provide CA cert via a direct path in the container. - # This is only used if `secretRef` and `configMapRef` are disabled. - path: "" - - # -- Configuration for the client certificate and key (for mTLS). - # Provide a client certificate and private key if the LDAP server requires it. - client: - # -- Provide client cert and key from a Secret (recommended for private keys). - secretRef: - enabled: false - name: "" - certKey: "tls.crt" - keyKey: "tls.key" - # -- Provide client cert and key from a ConfigMap. - configMapRef: - enabled: false - name: "" - certKey: "tls.crt" - keyKey: "tls.key" - # -- Provide client cert and key via direct paths in the container. - # This is only used if `secretRef` and `configMapRef` for the client are disabled. - certPath: "" - keyPath: "" - # -- Configuration for system root CA certificates for LDAP. 
- # This is evaluated by the application independently of the client TLS configuration above. - # You can provide the root CA certificates via Secret, ConfigMap, or direct path. - rootCas: - # -- Provide root CA certificates from a Secret. - secretRef: - enabled: false - name: "" - key: "ca.crt" - # -- Provide root CA certificates from a ConfigMap. - configMapRef: - enabled: false - name: "" - key: "ca.crt" - # -- Provide root CA certificates via a direct path in the container. - # This is only used if `secretRef` and `configMapRef` are disabled. - # Example: /etc/ssl/certs/ca-certificates.crt - path: "" - -# -- A list of extra command-line arguments to pass to the Platforma container. -# This provides a flexible way to set CLI options that are not explicitly -# defined elsewhere in this values file. -# -# Example for runner options: -# extraArgs: -# - --runner-local-cpu=8 -# - --runner-local-ram=16GiB -# -# Example for debugging and special modes: -# extraArgs: -# - --use-restricted-network-mode -# - --skip-extended-self-check -# - --only-verify-config -# - --cancel-running-blocks -# - --get-queue-limits -# -# Example for file-based logging (when logging.stdout is false): -# extraArgs: -# - --log-level=warn -# - --log-dir=/var/log/platforma -# - --log-rotation-size=100MiB -extraArgs: -- --skip-extended-self-check - -# -- Google Batch Options (--google-batch-storage, --google-batch-project, --google-batch-region, --google-batch-job-name-prefix, --google-batch-job-image, --google-batch-network, --google-batch-subnetwork, --google-batch-provisioning) -googleBatch: - enabled: true - storage: "/data/platforma-data=nfs://10.244.108.130/nfs_share" - region: "europe-west3" - jobNamePrefix: "pl-ci" - jobImage: "" - network: "projects/mik8s-euwe3-prod-gke-project/global/networks/mik8s-euwe3-prod-gke-vpc" - subnetwork: "projects/mik8s-euwe3-prod-gke-project/regions/europe-west3/subnetworks/mik8s-euwe3-prod-gke-private-1" - provisioning: "SPOT" - # serviceAccount centralized 
via top-level gcp.serviceAccount - # -- Volumes for Google Batch. This is used to mount the shared NFS volume. - volumes: - enabled: true - # -- The name of the volume. - name: "nfs-volume" - # -- The path where the volume will be mounted inside the container. - mountPath: "/data/platforma-data" - # -- The name of the working directory subdirectory inside the NFS volume. - workDirName: "pl-ci/work" - # -- The name of the packages directory subdirectory inside the NFS volume. - packagesDirName: "pl-ci/packages" - # -- Use an existing PVC for the Google Batch volume. If specified, the `storageClass` option is ignored. - existingClaim: "filestore-ci-fast-pvc" - # -- The storage class to use for dynamic provisioning. - storageClass: "" - # -- The size of the volume to create. This is only used for dynamic provisioning. - size: "1Ti" - # -- The access mode for the volume. - accessMode: "ReadWriteMany" - -# -- Logging Options -# This section configures the application's logging behavior using the --log-dst flag. -logging: - # -- Specifies the logging destination. - # Supported values: - # - "stream://stdout" (default): Logs are sent to the standard output of the container. - # - "stream://stderr": Logs are sent to the standard error of the container. - # - "dir:///var/log/platforma": Logs are written to files in the specified directory, - # which can be backed by a persistent volume. The path should match `persistence.mountPath`. - destination: "stream://stderr" - - # -- Persistence configuration for directory-based logging (`dir://`). - # This is only used if `destination` is set to a `dir://` path. - persistence: - # -- Enable a PersistentVolumeClaim to store log files. - enabled: false - # -- Use an existing PVC for logs. If specified, other PVC settings are ignored. 
- existingClaim: "" - accessMode: ReadWriteOnce - size: 5Gi - # storageClass: "standard" - mountPath: "/var/log/platforma" - -# -- Monitoring options for Prometheus endpoint -monitoring: - # -- Enable the /metrics endpoint and its dedicated Service for Prometheus scraping. - enabled: true - # -- Port for the monitoring endpoint. - port: 9090 - # -- Service configuration for the monitoring endpoint. - service: - # -- Type of Service for monitoring. ClusterIP is recommended. - type: ClusterIP - # -- Annotations for the monitoring Service, e.g., for Prometheus Operator. - annotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/path: "/metrics" - -# -- Debug options for pprof endpoint -debug: - # -- Enable the debug endpoint and its dedicated Service. - enabled: true - # -- Port for the debug endpoint. - port: 9091 - # -- Service configuration for the debug endpoint. - service: - # -- Type of Service for debug. ClusterIP is recommended. - type: ClusterIP - # -- Annotations for the debug service. - annotations: {} - -# ============================================================================= -# Kubernetes Resource Configuration -# ============================================================================= - -# -- Network Policy settings -# See: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -networkPolicy: - # -- Enable or disable the creation of NetworkPolicy resource. - # Requires a NetworkPolicy-enabled CNI plugin (e.g., Calico, Cilium, Weave Net). - enabled: false - # -- Specify the policy types. - # This defaults to ["Ingress", "Egress"] but can be overridden. - policyTypes: - - Ingress - - Egress - # -- Ingress rules for the application. - # By default, denies all ingress traffic unless explicitly allowed. 
- # Allow traffic from: - # - Pods in the same namespace with specific labels - # - Pods in other namespaces - # - IP blocks - ingress: [] - # - from: - # - podSelector: {} # Allow all pods in the same namespace - # - namespaceSelector: {} # Allow all pods in all namespaces - # - from: # Allow traffic from other pods in the same namespace with specific labels - # - podSelector: - # matchLabels: - # app.kubernetes.io/name: my-other-app - # app.kubernetes.io/instance: my-release - # ports: # Specify ports that traffic is allowed on - # - protocol: TCP - # port: 6345 # Allow HTTP traffic to the application port - - # -- Egress rules for the application. - # By default, denies all egress traffic unless explicitly allowed. - # Allow traffic to: - # - Pods in the same namespace - # - Pods in other namespaces - # - IP blocks (e.g., external databases, cloud APIs) - egress: [] - # - to: - # - ipBlock: - # cidr: 0.0.0.0/0 # Allow all outbound traffic (caution: broad access) - # ports: - # - protocol: TCP - # port: 80 - # - protocol: TCP - # port: 443 - # - to: # Allow egress to DNS services (crucial for most applications) - # - namespaceSelector: {} # Select all namespaces (for DNS in kube-system) - # podSelector: - # matchLabels: - # k8s-app: kube-dns # Example selector for default CoreDNS/kube-dns - # ports: - # - protocol: UDP - # port: 53 - -# -- Resource limits and requests -resources: - limits: - cpu: 2000m - memory: 8Gi - requests: - cpu: 1000m - memory: 4Gi - -# -- Node selector, affinity, and tolerations -nodeSelector: {} -affinity: {} -tolerations: {} -# -- If you are struggling with the computer use either medium (4 cpu 16 gb) or large (8 cpu 32 gb) -# nodeSelector: -# node.milab.io/pool: large -# tolerations: -# - key: "dedicated" -# operator: "Equal" -# value: "large" -# effect: "NoSchedule"