f58bbc3caa
* ci: parameterize gunicorn in datatracker-start.sh * fix: typo * ci: update settings_local for helm chart * ci: Add todo comment * ci: Drop redundant USE_TZ setting * ci: Require secrets in production * ci: fix indentation * style: Black * ci: memcached cfg from env in settings.py * ci: set SITE_URL in settings.py * refactor: /www/htpasswd -> /a/www/htpasswd (it's a symlink on production) * refactor: Remove obsolete SECR_ settings * refactor: SECR_MAX_UPLOAD_SIZE -> DATATRACKER_... * refactor: SECR_PPT2PDF_COMMAND -> PPT2PDF_COMMAND * ci: Fix up helm/settings_local * ci: Remove commented-out settings * ci: Refactor/improve env var guards * ci: More env refactoring / guards
596 lines
16 KiB
YAML
596 lines
16 KiB
YAML
# Default values for datatracker.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
## Define serviceAccount names for components. Defaults to component's fully qualified name.
|
|
##
|
|
serviceAccounts:
|
|
datatracker:
|
|
create: true
|
|
name: datatracker
|
|
annotations: {}
|
|
celery:
|
|
create: true
|
|
name: celery
|
|
annotations: {}
|
|
beat:
|
|
create: true
|
|
name: beat
|
|
annotations: {}
|
|
rabbitmq:
|
|
create: true
|
|
name: rabbitmq
|
|
annotations: {}
|
|
memcached:
|
|
create: true
|
|
name: memcached
|
|
annotations: {}
|
|
|
|
# -------------------------------------------------------------
|
|
# DATATRACKER
|
|
# -------------------------------------------------------------
|
|
|
|
datatracker:
|
|
name: datatracker
|
|
image:
|
|
repository: "ghcr.io/ietf-tools/datatracker"
|
|
pullPolicy: IfNotPresent
|
|
# Overrides the image tag whose default is the chart appVersion.
|
|
# tag: "v1.1.0"
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
ingress:
|
|
enabled: false
|
|
className: ""
|
|
annotations: {}
|
|
# kubernetes.io/ingress.class: nginx
|
|
# kubernetes.io/tls-acme: "true"
|
|
hosts:
|
|
- host: datatracker.local
|
|
paths:
|
|
- path: /
|
|
pathType: ImplementationSpecific
|
|
tls: []
|
|
# - secretName: chart-example-tls
|
|
# hosts:
|
|
# - chart-example.local
|
|
|
|
# livenessProbe:
|
|
# httpGet:
|
|
# # /submit/tool-instructions/ just happens to be cheap until we get a real health endpoint
|
|
# path: /submit/tool-instructions/
|
|
# port: http
|
|
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
#readinessProbe:
|
|
# httpGet:
|
|
# # /submit/tool-instructions/ just happens to be cheap until we get a real health endpoint
|
|
# path: /submit/tool-instructions/
|
|
# port: http
|
|
|
|
replicaCount: 1
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
securityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 80
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Automatically mount a ServiceAccount's API credentials?
|
|
automount: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
|
|
# startupProbe:
|
|
# initialDelaySeconds: 15
|
|
# periodSeconds: 5
|
|
# timeoutSeconds: 5
|
|
# successThreshold: 1
|
|
# failureThreshold: 60
|
|
# httpGet:
|
|
# # /submit/tool-instructions/ just happens to be cheap until we get a real health endpoint
|
|
# path: /submit/tool-instructions/
|
|
# port: http
|
|
|
|
# Additional volumes on the output Deployment definition.
|
|
volumes:
|
|
- name: settings-local-volume
|
|
configMap:
|
|
name: django-configmap
|
|
- name: cache-volume
|
|
emptyDir:
|
|
sizeLimit: 1Gi
|
|
- name: staging-volume
|
|
emptyDir:
|
|
sizeLimit: 1Gi
|
|
# - name: foo
|
|
# secret:
|
|
# secretName: mysecret
|
|
# optional: false
|
|
|
|
# Additional volumeMounts on the output Deployment definition.
|
|
volumeMounts:
|
|
- name: settings-local-volume
|
|
mountPath: /workspace/ietf/settings_local.py
|
|
subPath: settings_local.py
|
|
readOnly: true
|
|
- name: cache-volume
|
|
mountPath: "/a/cache"
|
|
- name: staging-volume
|
|
mountPath: "/test/staging"
|
|
# - name: foo
|
|
# mountPath: "/etc/foo"
|
|
# readOnly: true
|
|
|
|
tolerations: []
|
|
|
|
nodeSelector: {}
|
|
|
|
affinity: {}
|
|
|
|
# -------------------------------------------------------------
|
|
# CELERY
|
|
# -------------------------------------------------------------
|
|
|
|
celery:
|
|
name: celery
|
|
image: {}
|
|
# defaults to datatracker settings if not specified separately
|
|
#repository: "ghcr.io/ietf-tools/datatracker"
|
|
#pullPolicy: IfNotPresent
|
|
# Overrides the image tag whose default is the chart appVersion.
|
|
# tag: "v1.1.0"
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
livenessProbe:
|
|
exec:
|
|
command: ["celery", "-A", "ietf", "inspect", "ping"]
|
|
periodSeconds: 30
|
|
timeoutSeconds: 5
|
|
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
replicaCount: 1
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
securityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 80
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Automatically mount a ServiceAccount's API credentials?
|
|
automount: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
|
|
startupProbe:
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 5
|
|
timeoutSeconds: 5
|
|
successThreshold: 1
|
|
failureThreshold: 60
|
|
exec:
|
|
command: ["celery", "-A", "ietf", "inspect", "ping"]
|
|
|
|
# Additional volumes on the output Deployment definition.
|
|
volumes:
|
|
- name: settings-local-volume
|
|
configMap:
|
|
name: django-configmap
|
|
- name: cache-volume
|
|
emptyDir:
|
|
sizeLimit: 1Gi
|
|
- name: staging-volume
|
|
emptyDir:
|
|
sizeLimit: 1Gi
|
|
# - name: foo
|
|
# secret:
|
|
# secretName: mysecret
|
|
# optional: false
|
|
|
|
# Additional volumeMounts on the output Deployment definition.
|
|
volumeMounts:
|
|
- name: settings-local-volume
|
|
mountPath: /workspace/ietf/settings_local.py
|
|
subPath: settings_local.py
|
|
readOnly: true
|
|
- name: cache-volume
|
|
mountPath: "/a/cache"
|
|
- name: staging-volume
|
|
mountPath: "/test/staging"
|
|
# - name: foo
|
|
# mountPath: "/etc/foo"
|
|
# readOnly: true
|
|
|
|
tolerations: []
|
|
|
|
nodeSelector: {}
|
|
|
|
affinity: {}
|
|
|
|
# -------------------------------------------------------------
|
|
# BEAT
|
|
# -------------------------------------------------------------
|
|
|
|
beat:
|
|
name: beat
|
|
image: {}
|
|
# defaults to datatracker settings if not specified separately
|
|
# repository: "ghcr.io/ietf-tools/datatracker"
|
|
# pullPolicy: IfNotPresent
|
|
# Overrides the image tag whose default is the chart appVersion.
|
|
# tag: "v1.1.0"
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
livenessProbe:
|
|
exec:
|
|
command: ["celery", "-A", "ietf", "inspect", "ping"]
|
|
periodSeconds: 30
|
|
timeoutSeconds: 5
|
|
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
replicaCount: 1
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
securityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 80
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Automatically mount a ServiceAccount's API credentials?
|
|
automount: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
|
|
startupProbe:
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 5
|
|
timeoutSeconds: 5
|
|
successThreshold: 1
|
|
failureThreshold: 60
|
|
exec:
|
|
command: ["celery", "-A", "ietf", "inspect", "ping"]
|
|
|
|
# Additional volumes on the output Deployment definition.
|
|
volumes:
|
|
- name: settings-local-volume
|
|
configMap:
|
|
name: django-configmap
|
|
- name: cache-volume
|
|
emptyDir:
|
|
sizeLimit: 1Gi
|
|
- name: staging-volume
|
|
emptyDir:
|
|
sizeLimit: 1Gi
|
|
# - name: foo
|
|
# secret:
|
|
# secretName: mysecret
|
|
# optional: false
|
|
|
|
# Additional volumeMounts on the output Deployment definition.
|
|
volumeMounts:
|
|
- name: settings-local-volume
|
|
mountPath: /workspace/ietf/settings_local.py
|
|
subPath: settings_local.py
|
|
readOnly: true
|
|
- name: cache-volume
|
|
mountPath: "/a/cache"
|
|
- name: staging-volume
|
|
mountPath: "/test/staging"
|
|
# - name: foo
|
|
# mountPath: "/etc/foo"
|
|
# readOnly: true
|
|
|
|
tolerations: []
|
|
|
|
nodeSelector: {}
|
|
|
|
affinity: {}
|
|
|
|
# -------------------------------------------------------------
|
|
# RABBITMQ
|
|
# -------------------------------------------------------------
|
|
|
|
rabbitmq:
|
|
name: "rabbitmq"
|
|
image:
|
|
repository: "ghcr.io/ietf-tools/datatracker-mq"
|
|
pullPolicy: IfNotPresent
|
|
tag: "3.12-alpine"
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
livenessProbe:
|
|
exec:
|
|
command: ["rabbitmq-diagnostics", "-q", "ping"]
|
|
periodSeconds: 30
|
|
timeoutSeconds: 5
|
|
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
replicaCount: 1
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
securityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 5672
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Automatically mount a ServiceAccount's API credentials?
|
|
automount: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
|
|
startupProbe:
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 5
|
|
timeoutSeconds: 5
|
|
successThreshold: 1
|
|
failureThreshold: 60
|
|
exec:
|
|
command: ["rabbitmq-diagnostics", "-q", "ping"]
|
|
|
|
# Additional volumes on the output Deployment definition.
|
|
volumes:
|
|
- name: "rabbitmq-data"
|
|
persistentVolumeClaim:
|
|
claimName: "rabbitmq-data-claim"
|
|
- name: "rabbitmq-config"
|
|
configMap:
|
|
name: "rabbitmq-configmap"
|
|
# - name: foo
|
|
# secret:
|
|
# secretName: mysecret
|
|
# optional: false
|
|
|
|
# Additional volumeMounts on the output Deployment definition.
|
|
volumeMounts:
|
|
- name: "rabbitmq-data"
|
|
mountPath: "/var/lib/rabbitmq/mnesia"
|
|
- name: "rabbitmq-config"
|
|
mountPath: "/etc/rabbitmq"
|
|
# - name: foo
|
|
# mountPath: "/etc/foo"
|
|
# readOnly: true
|
|
|
|
tolerations: []
|
|
|
|
nodeSelector: {}
|
|
|
|
affinity: {}
|
|
|
|
# -------------------------------------------------------------
|
|
# MEMCACHED
|
|
# -------------------------------------------------------------
|
|
|
|
memcached:
|
|
name: memcached
|
|
image:
|
|
repository: "memcached"
|
|
pullPolicy: IfNotPresent
|
|
tag: "1.6-alpine"
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
replicaCount: 1
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
securityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 11211
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Automatically mount a ServiceAccount's API credentials?
|
|
automount: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
|
|
tolerations: []
|
|
|
|
nodeSelector: {}
|
|
|
|
affinity: {}
|
|
|
|
# -------------------------------------------------------------
|
|
# COMMON
|
|
# -------------------------------------------------------------
|
|
|
|
autoscaling:
|
|
enabled: false
|
|
minReplicas: 1
|
|
maxReplicas: 100
|
|
targetCPUUtilizationPercentage: 80
|
|
# targetMemoryUtilizationPercentage: 80
|
|
|
|
env:
|
|
# n.b., these are debug values / non-secret secrets
|
|
DATATRACKER_SERVER_MODE: "development" # defaults to "production"
|
|
DATATRACKER_ADMINS: |-
|
|
Robert Sparks <rjsparks@nostrum.com>
|
|
Ryan Cross <rcross@amsl.com>
|
|
Kesara Rathnayake <kesara@staff.ietf.org>
|
|
Jennifer Richards <jennifer@staff.ietf.org>
|
|
Nicolas Giard <nick@staff.ietf.org>
|
|
DATATRACKER_ALLOWED_HOSTS: "*" # empty for production
|
|
# DATATRACKER_DATATRACKER_DEBUG: "false"
|
|
# DATATRACKER_DBHOST: "db"
|
|
# DATATRACKER_DBPORT: "5432"
|
|
# DATATRACKER_DBNAME: "datatracker"
|
|
# DATATRACKER_DBUSER: "django"
|
|
DATATRACKER_DBPASS: "RkTkDPFnKpko"
|
|
DATATRACKER_DJANGO_SECRET_KEY: "PDwXboUq!=hPjnrtG2=ge#N$Dwy+wn@uivrugwpic8mxyPfHk"
|
|
DATATRACKER_EMAIL_DEBUG: "true"
|
|
DATATRACKER_EMAIL_HOST: "localhost"
|
|
DATATRACKER_EMAIL_PORT: "2025"
|
|
# DATATRACKER_NOMCOM_APP_SECRET_B64: "<base64-encoded bytes>"
|
|
DATATRACKER_IANA_SYNC_PASSWORD: "this-is-the-iana-sync-password"
|
|
DATATRACKER_RFC_EDITOR_SYNC_PASSWORD: "this-is-the-rfc-editor-sync-password"
|
|
DATATRACKER_YOUTUBE_API_KEY: "this-is-the-youtube-api-key"
|
|
DATATRACKER_GITHUB_BACKUP_API_KEY: "this-is-the-github-backup-api-key"
|
|
# DATATRACKER_API_KEY_TYPE: "ES265"
|
|
# DATATRACKER_API_PUBLIC_KEY_PEM_B64: "<base64-encoded PEM"
|
|
# DATATRACKER_API_PRIVATE_KEY_PEM_B64: "<base64-encoded PEM"
|
|
# DATATRACKER_MEETECHO_API_BASE: "https://meetings.conf.meetecho.com/api/v1/"
|
|
DATATRACKER_MEETECHO_CLIENT_ID: "this-is-the-meetecho-client-id"
|
|
DATATRACKER_MEETECHO_CLIENT_SECRET: "this-is-the-meetecho-client-secret"
|
|
# DATATRACKER_MATOMO_SITE_ID: "7" # must be present to enable Matomo
|
|
# DATATRACKER_MATOMO_DOMAIN_PATH: "analytics.ietf.org"
|
|
CELERY_PASSWORD: "this-is-a-secret"
|