adding sheepdog

gen3/bin/kube-setup-sheepdog.sh

@@ -65,6 +65,9 @@ fi
 # deploy sheepdog 
 gen3 roll sheepdog
 g3kubectl apply -f "${GEN3_HOME}/kube/services/sheepdog/sheepdog-service.yaml"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/sheepdog/sheepdog-nginx.conf"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/sheepdog/sheepdog-gunicorn.yaml"
+g3kubectl apply -f "${GEN3_HOME}/kube/services/nginx-sidecar/nginx.conf"
 gen3 roll sheepdog-canary || true
 g3kubectl apply -f "${GEN3_HOME}/kube/services/sheepdog/sheepdog-canary-service.yaml"
 

kube/services/sheepdog/sheepdog-deploy.yaml

@@ -28,6 +28,10 @@ spec:
         GEN3_SHEEPDOG_VERSION
         GEN3_DATE_LABEL
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -73,6 +77,15 @@ spec:
         - name: ca-volume
           secret:
             secretName: "service-ca"
+        - name: wsgi-config
+          configMap:
+            name: sheepdog-wsgi
+        - name: nginx-config
+          configMap:
+            name: sheepdog-nginx-configmap
+        - name: nginx-main-config
+          configMap:
+            name: sidecar-nginx-main 
       # sheepdog transactions take forever -
       # try to let the complete before termination
       terminationGracePeriodSeconds: 50
@@ -82,16 +95,16 @@ spec:
           livenessProbe:
             httpGet:
               path: /_status?timeout=20
-              port: 80
+              port: 8000
             initialDelaySeconds: 30
             periodSeconds: 60
             timeoutSeconds: 30
           readinessProbe:
             httpGet:
               path: /_status?timeout=2
-              port: 80
+              port: 8000
           ports:
-          - containerPort: 80
+          - containerPort: 8000
           - containerPort: 443
           env:
           - name: GEN3_UWSGI_TIMEOUT
@@ -195,10 +208,30 @@ spec:
               readOnly: true
               mountPath: "/usr/local/share/ca-certificates/cdis/cdis-ca.crt"
               subPath: "ca.pem"
+            - name: "wsgi-config"
+              mountPath: "/sheepdog/deployment/wsgi/gunicorn.conf.py"
+              subPath: gunicorn.conf.py
           imagePullPolicy: Always
           resources:
             requests:
               cpu: 100m
               memory: 200Mi
             limits:
               memory: 800Mi
+        - name: sidecar-nginx
+          image: quay.io/cdis/nginx-sidecar:nginx-sidecar-feat_nginx-sidecar
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /_status
+              port: http
+          volumeMounts:
+            - name: "nginx-main-config"
+              mountPath: "/etc/nginx/nginx.conf"
+              subPath: "nginx.conf"
+            - name: "nginx-config"
+              mountPath: "/etc/nginx/conf.d/default.conf"
+              subPath: default.conf

kube/services/sheepdog/sheepdog-gunicorn.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sheepdog-wsgi
+data:
+  gunicorn.conf.py: |
+    wsgi_app = "deployment.wsgi.wsgi:application"
+    bind = "0.0.0.0:8000"
+    workers = 1
+    user = 'gen3'
+    group = 'gen3'
+    timeout = 300
+    worker_class = "uvicorn.workers.UvicornWorker"

kube/services/sheepdog/sheepdog-nginx.conf

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sheepdog-nginx-configmap
+data:
+  default.conf: |
+      server {
+          listen 8080;
+          server_name localhost;
+          location / {
+              proxy_pass http://127.0.0.1:8000;  # Gunicorn binds to this address
+          }
+      }