Merged
6 changes: 6 additions & 0 deletions assets/share/freva/deployment/config/inventory.toml
@@ -8,6 +8,12 @@ project_name = "freva"
## Choose between: "docker", "podman", "conda", "k8s"
deployment_method = "podman"

## The `master_password` is used as the admin password for the web admin
## interface and the mysql root password. It *can* be set in the config file
## but it is reocmmended to leave this key blank and set enter it during
## the setup.
master_password = ""

## Kubernetes deployment settings
[kubernetes]
## Set the group ID for all volmes used by pods
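Review bot: The new comment above `master_password` has two wording slips ("reocmmended", "set enter it") and does not say how the file should be treated once a value is written into it. I would change the third comment line to `## but it is recommended to leave this key blank and enter it during` and add a line such as `## If set here, keep this file out of version control and readable only by the deploying user.` Per the comment, the same value becomes both the web admin password and the MySQL root password, so a leaked inventory file exposes both accounts. The `[kubernetes]` table continues past the end of the hunk.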
@@ -17,7 +17,14 @@ stringData:
MYSQL_PASSWORD: "{{ db_passwd }}"
REDIS_USERNAME: "{{ redis_username }}"
REDIS_PASSWORD: "{{ redis_password }}"
OIDC_DISCOVERY_URL: "{{ freva_rest_oidc_url }}"
OIDC_CLIENT_SECRET: "{{ freva_rest_oidc_client_secret }}"
OIDC_CLIENT_ID : "{{ freva_rest_oidc_client }}"
OIDC_DISCOVERY_URL: "{{ freva_rest_oidc_client }}"
OIDC_TOKEN_CLAIMS: "{{ freva_rest_oidc_token_claims | join(',')}}"
OIDC_ADMIN_CLAIMS: "{{ freva_rest_oidc_admin_claims | join(",") }}"
OIDC_SYSTEM_USER_CLAIM: "{{ freva_rest_oidc_systemuser_claim }}"
OIDC_SCOPES: "{{ freva_rest_oidc_scopes }}"
FREVA_REST_DB_USER: "{{ freva_rest_db_user }}"
FREVA_REST_DB_PASSWORD: "{{ freva_rest_db_passwd }}"
MONGO_APP_USER: "{{ mongodb_server_db_user }}"
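Review bot: `OIDC_DISCOVERY_URL` is defined twice in this `stringData` mapping, and the second definition is filled from `freva_rest_oidc_client`, the variable that also feeds `OIDC_CLIENT_ID`. The hunk header gives 14 new-side lines and 14 lines are shown, so both definitions are in the new file; most YAML loaders keep the last duplicate, which would hand the REST service the client id where it expects the discovery URL. I would delete the second line so that only `OIDC_DISCOVERY_URL: "{{ freva_rest_oidc_url }}"` remains. Two smaller points in the same lines: `OIDC_CLIENT_ID :` has a space before the colon, and `join(",")` nests double quotes inside a double-quoted scalar where the line above uses `join(',')`. The mapping begins before the hunk and continues after it.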
@@ -11,9 +11,9 @@ metadata:
app.kubernetes.io/instance: database-server
app.kubernetes.io/component: web-app
app.kubernetes.io/part-of: freva
app.kubernetes.io/version: {{ db_version }}
app.kubernetes.io/version: "{{ db_version }}"
app.kubernetes.io/managed-by: ansible
freva.org/stateful: 'true'
freva.org/stateful: "true"
freva.org/tier: database
spec:
type: ClusterIP
@@ -36,54 +36,71 @@ metadata:
app.kubernetes.io/instance: database-server
app.kubernetes.io/component: web-app
app.kubernetes.io/part-of: freva
app.kubernetes.io/version: {{ db_version }}
app.kubernetes.io/version: "{{ db_version }}"
app.kubernetes.io/managed-by: ansible
freva.org/stateful: 'true'
freva.org/stateful: "true"
freva.org/tier: database
spec:
serviceName: database-server
replicas: 1
strategy:
revisionHistoryLimit: 1
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
selector: { matchLabels: { app: database-server } }
selector:
matchLabels:
app: database-server
template:
metadata:
name: database-server
namespace: {{ ns }}
labels:
app: database-server
app.kubernetes.io/name: freva
app.kubernetes.io/instance: database-server
app.kubernetes.io/component: web-app
app.kubernetes.io/part-of: freva
app.kubernetes.io/version: {{ db_version }}
app.kubernetes.io/version: "{{ db_version }}"
app.kubernetes.io/managed-by: ansible
freva.org/stateful: 'true'
freva.org/stateful: "true"
freva.org/tier: database
spec:
securityContext: { fsGroup: {{ fs_group }} }
securityContext:
fsGroup: {{ fs_group }}
containers:
- name: mysql
image: ghcr.io/freva-org/freva-mysql:{{ db_version }}
imagePullPolicy: {{ image_pull_policy }}
ports: [{ containerPort: 3306, name: mysql }]
resources: {{ resources['database-server'] }}
ports:
- containerPort: 3306
name: mysql
resources:
{{ resources['database-server'] | to_nice_yaml | indent(12, true) }}
env:
- name: ROOT_PW
valueFrom: { secretKeyRef: { name: freva-secrets, key: MYSQL_ROOT_PASSWORD } }
valueFrom:
secretKeyRef:
name: freva-secrets
key: MYSQL_ROOT_PASSWORD
- name: MYSQL_ROOT_PASSWORD
valueFrom: { secretKeyRef: { name: freva-secrets, key: MYSQL_ROOT_PASSWORD } }
- { name: MYSQL_USER, value: "{{ db_user }}" }
valueFrom:
secretKeyRef:
name: freva-secrets
key: MYSQL_ROOT_PASSWORD
- name: MYSQL_USER
value: "{{ db_user }}"
- name: MYSQL_PASSWORD
valueFrom: { secretKeyRef: { name: freva-secrets, key: MYSQL_PASSWORD } }
- { name: MYSQL_DATABASE, value: "{{ db }}" }
- { name: HOST, value: "{{ db_host }}" }
- { name: PROJECT, value: "{{ project_name }}" }
valueFrom:
secretKeyRef:
name: freva-secrets
key: MYSQL_PASSWORD
- name: MYSQL_DATABASE
value: "{{ db }}"
- name: HOST
value: "{{ db_host }}"
- name: PROJECT
value: "{{ project_name }}"
volumeMounts:
- { name: db-data, mountPath: /data/db }
- name: db-data
mountPath: /data/db
volumes:
- name: db-data
persistentVolumeClaim: { claimName: db-data }
persistentVolumeClaim:
claimName: db-data
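Review bot: The rewritten pod `securityContext` still sets only `fsGroup`, and the `mysql` container gets no `securityContext` of its own, so it runs with whatever user and capability set the image defaults to. Since the commit already rewrites this block, I would add a container-level `securityContext:` with `allowPrivilegeEscalation: false`, and, once tested against the freva-mysql image, `runAsNonRoot: true` and a reduced capability list. The `solr` and `vault` containers in the other two StatefulSets on this page are in the same position. Old and new lines are printed together without markers here, so this reading relies on the block-style lines being the new side.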
@@ -37,6 +37,7 @@ metadata:
freva.org/tier: database
spec:
replicas: 1
revisionHistoryLimit: 1
strategy:
type: RollingUpdate
rollingUpdate:
@@ -11,15 +11,19 @@ metadata:
app.kubernetes.io/instance: search-server
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: freva
app.kubernetes.io/version: {{ solr_version }}
app.kubernetes.io/version: "{{ solr_version }}"
app.kubernetes.io/managed-by: ansible
freva.org/stateful: 'true'
freva.org/stateful: "true"
freva.org/tier: database

spec:
type: ClusterIP
selector: { app: search-server }
ports: [{ port: 8983, targetPort: 8983, name: http }]
selector:
app: search-server
ports:
- port: 8983
targetPort: 8983
name: http

---
apiVersion: apps/v1
kind: StatefulSet
@@ -32,46 +36,52 @@ metadata:
app.kubernetes.io/instance: search-server
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: freva
app.kubernetes.io/version: {{ solr_version }}
app.kubernetes.io/version: "{{ solr_version }}"
app.kubernetes.io/managed-by: ansible
freva.org/stateful: 'true'
freva.org/stateful: "true"
freva.org/tier: database
spec:
serviceName: search-server
replicas: 1
strategy:
revisionHistoryLimit: 1
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
selector: { matchLabels: { app: search-server } }
selector:
matchLabels:
app: search-server
template:
metadata:
name: search-server
namespace: {{ ns }}
labels:
app: search-server
app.kubernetes.io/name: freva
app.kubernetes.io/instance: search-server
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: freva
app.kubernetes.io/version: {{ solr_version }}
app.kubernetes.io/version: "{{ solr_version }}"
app.kubernetes.io/managed-by: ansible
freva.org/stateful: 'true'
freva.org/stateful: "true"
freva.org/tier: database
spec:
securityContext: { fsGroup: {{ fs_group }} }
securityContext:
fsGroup: {{ fs_group }}
containers:
- name: solr
image: ghcr.io/freva-org/freva-solr:{{ solr_version }}
imagePullPolicy: {{ image_pull_policy }}
ports: [{ containerPort: 8983, name: http }]
resources: {{ resources['search-server'] }}
ports:
- containerPort: 8983
name: http
resources:
{{ resources['search-server'] | to_nice_yaml | indent(12, true) }}
env:
- { name: API_SOLR_PORT, value: "8983" }
- { name: API_SOLR_HEAP, value: "{{ search_server_solr_mem }}" }
- name: API_SOLR_PORT
value: "8983"
- name: API_SOLR_HEAP
value: "{{ search_server_solr_mem }}"
volumeMounts:
- { name: solr-data, mountPath: /data/db }
- name: solr-data
mountPath: /data/db
volumes:
- name: solr-data
persistentVolumeClaim: { claimName: solr-data }
persistentVolumeClaim:
claimName: solr-data
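Review bot: The new `resources:` body is rendered from `resources['search-server']` with no fallback, so a missing entry fails the template and a null entry would, as far as I can tell, emit `null` followed by a document-end marker under `resources:`. I would write `{{ resources['search-server'] | default({}, true) | to_nice_yaml | indent(12, true) }}`, which renders an empty mapping in both cases. Leading whitespace is not preserved on this page, so the `indent(12, true)` width cannot be checked against the nesting of `resources:`; rendering the template once and validating the output, for example with a server-side dry run, would confirm it. The database-server and vault-server templates use the same expression.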
@@ -11,14 +11,19 @@ metadata:
app.kubernetes.io/instance: vault-server
app.kubernetes.io/component: web-app
app.kubernetes.io/part-of: freva
app.kubernetes.io/version: {{ vault_version }}
app.kubernetes.io/version: "{{ vault_version }}"
app.kubernetes.io/managed-by: ansible
freva.org/stateful: 'true'
freva.org/stateful: "true"
freva.org/tier: backend
spec:
type: ClusterIP
selector: { app: vault-server }
ports: [{ port: 5002, targetPort: 5002, name: vault }]
selector:
app: vault-server
ports:
- port: 5002
targetPort: 5002
name: vault

---
apiVersion: apps/v1
kind: StatefulSet
@@ -31,47 +36,55 @@ metadata:
app.kubernetes.io/instance: vault-server
app.kubernetes.io/component: web-app
app.kubernetes.io/part-of: freva
app.kubernetes.io/version: {{ vault_version }}
app.kubernetes.io/version: "{{ vault_version }}"
app.kubernetes.io/managed-by: ansible
freva.org/stateful: 'true'
freva.org/stateful: "true"
freva.org/tier: backend
spec:
serviceName: vault-server
replicas: 1
strategy:
revisionHistoryLimit: 1
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
selector: { matchLabels: { app: vault-server } }
selector:
matchLabels:
app: vault-server
template:
metadata:
name: vault-server
namespace: {{ ns }}
labels:
app: vault-server
app.kubernetes.io/name: freva
app.kubernetes.io/instance: vault-server
app.kubernetes.io/component: web-app
app.kubernetes.io/part-of: freva
app.kubernetes.io/version: {{ vault_version }}
app.kubernetes.io/version: "{{ vault_version }}"
app.kubernetes.io/managed-by: ansible
freva.org/stateful: 'true'
freva.org/stateful: "true"
freva.org/tier: backend
spec:
securityContext: { fsGroup: {{ fs_group }} }
securityContext:
fsGroup: {{ fs_group }}
containers:
- name: vault
image: ghcr.io/freva-org/freva-vault:{{vault_version}}
image: ghcr.io/freva-org/freva-vault:{{ vault_version }}
imagePullPolicy: {{ image_pull_policy }}
ports: [{ containerPort: 5002, name: vault }]
resources: {{ resources['vault-server'] }}
ports:
- containerPort: 5002
name: vault
resources:
{{ resources['vault-server'] | to_nice_yaml | indent(12, true) }}
env:
- name: ROOT_PWD
valueFrom: { secretKeyRef: { name: freva-secrets, key: ADMIN_PASSWORD } }
- { name: KEY_FILE, value: "/vault/file/keys" }
valueFrom:
secretKeyRef:
name: freva-secrets
key: ADMIN_PASSWORD
- name: KEY_FILE
value: "/vault/file/keys"
volumeMounts:
- { name: vault-data, mountPath: /vault/file }
- name: vault-data
mountPath: /vault/file
volumes:
- name: vault-data
persistentVolumeClaim: { claimName: vault-data }
persistentVolumeClaim:
claimName: vault-data
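Review bot: `KEY_FILE` points at `/vault/file/keys`, which lies inside the `vault-data` volume mounted at `/vault/file`, so whatever the container writes there is persisted on the same claim as the Vault storage. If that file holds unseal or root key material, as the name suggests, read access to the volume or its backups yields both the encrypted data and the means to open it. The commit only reformats these lines, but a comment above the variable would help, for example `# KEY_FILE is stored on the vault-data PVC; restrict access to the volume and its backups accordingly`. `ROOT_PWD` is read from the `ADMIN_PASSWORD` key of `freva-secrets`, so RBAC read access to that Secret deserves the same care.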