diff --git a/.kustomanager.lock.yaml b/.kustomanager.lock.yaml
index 5d3e4c0..912d461 100644
--- a/.kustomanager.lock.yaml
+++ b/.kustomanager.lock.yaml
@@ -360,15 +360,6 @@ builds:
buildPath: builds/local/crossplane
cluster: local
name: crossplane
- - timestamp: 1712732160
- sourceHash: 0485e2af8727ea81e44258a1ac2f66f3cd0c8fc3cd9785ca65536453c7a83aa4
- sourceHashType: sha256
- sourcePath: cluster-local/keycloak-provider
- buildHash: cef1acc572dc9bbef1d420951a4790b0ef0fed79c7a4543eeea71a4db262163d
- buildHashType: sha256
- buildPath: builds/local/keycloak-provider
- cluster: local
- name: keycloak-provider
- timestamp: 1712733461
sourceHash: 297e1c519318064b1e7153c6a9757030b92fbec07fb66e360ad0e77384ceb969
sourceHashType: sha256
@@ -378,12 +369,57 @@ builds:
buildPath: builds/local/argocd
cluster: local
name: argocd
- - timestamp: 1712733843
- sourceHash: 412870b42f20fb711df278bd8cd23f6ec21e0565546db63cd8bd61b638ce4c22
+ - timestamp: 1712738100
+ sourceHash: 28cc87faa5b6cf853aac1f36b1affa688adc81a837f7a4bb32d988e136b53381
sourceHashType: sha256
sourcePath: cluster-local/keycloak
- buildHash: d574e3b130aa52da336642ac185de1eb338c3e865a046994b8d47d73b8434190
+ buildHash: 707d98f6ffa862540c7e14cef95a853886d71d1a1fcf7026ffc1fa8c81f143cc
buildHashType: sha256
buildPath: builds/local/keycloak
cluster: local
name: keycloak
+ - timestamp: 1712738100
+ sourceHash: 1d963b880ab57521602a8dc5141a53d2723651eb16a9f9fded52d77d548eb5cd
+ sourceHashType: sha256
+ sourcePath: cluster-local/keycloak-provider
+ buildHash: 89f5d2c352c304da1c4e4113d3236a6f5d9b056f4eba23d3cd7eaecea7cce90e
+ buildHashType: sha256
+ buildPath: builds/local/keycloak-provider
+ cluster: local
+ name: keycloak-provider
+ - timestamp: 1712739145
+ sourceHash: bac871a181b2998769e2c4330f99d63b175f7d640e658b4b39969679b31441d3
+ sourceHashType: sha256
+ sourcePath: cluster-local/whoami
+ buildHash: c9476984c1290eb30c3c108dfc0deb8dc796846f4eb69325f80831075231afe9
+ buildHashType: sha256
+ buildPath: builds/local/whoami
+ cluster: local
+ name: whoami
+ - timestamp: 1712739305
+ sourceHash: 08eaed4a08dc1acf68afe4be08c2667498da2e6289ff152a296cee6edeb652fb
+ sourceHashType: sha256
+ sourcePath: cluster-local/debug
+ buildHash: 6fc3be83c4d3738f2e1b1e1b054749040853d1b4134cc4d0df5693da0cba4193
+ buildHashType: sha256
+ buildPath: builds/local/debug
+ cluster: local
+ name: debug
+ - timestamp: 1712740463
+ sourceHash: 03debff110bc8b4ad4ba170e4ea4aecd33e3e88c89ee03936131337ebf047af2
+ sourceHashType: sha256
+ sourcePath: cluster-local/coredns
+ buildHash: d1a1cf717c14046d3689a6e853d7605c1a033480b2791862999f27a8eedadf3a
+ buildHashType: sha256
+ buildPath: builds/local/coredns
+ cluster: local
+ name: coredns
+ - timestamp: 1712751942
+ sourceHash: 9bc3fa06cb2a087ec674003fb6c24d663a54fd84831ff14b906038982017f6a8
+ sourceHashType: sha256
+ sourcePath: cluster-local/deeppharmgraph
+ buildHash: 6ef763f0026e641344901a914f25234eebfedcee213f0a007b14710a9d2637a5
+ buildHashType: sha256
+ buildPath: builds/local/deeppharmgraph
+ cluster: local
+ name: deeppharmgraph
diff --git a/builds/local/coredns/build.yaml b/builds/local/coredns/build.yaml
new file mode 100644
index 0000000..0d0a86c
--- /dev/null
+++ b/builds/local/coredns/build.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ keycloak.override: |
+ rewrite name substring id.dev.lan.shamrock.systems keycloak.keycloak.svc.cluster.local
+kind: ConfigMap
+metadata:
+ name: coredns-custom
+ namespace: kube-system
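Review bot: The `rewrite name substring` rule in `keycloak.override` matches every query name that contains `id.dev.lan.shamrock.systems`, not only that host, so longer names embedding it are rewritten as well. If the intent is to alias one hostname, an exact match is tighter: `rewrite name exact id.dev.lan.shamrock.systems keycloak.keycloak.svc.cluster.local`. The Airflow ConfigMap later in this commit reaches that host over plain `http://` for the token and JWKS URLs, so in-cluster name resolution is the only thing binding clients to the intended Keycloak service. This file looks like rendered output, so the change presumably belongs in the source under `cluster-local/coredns`.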
diff --git a/builds/local/coredns/kustomization.yaml b/builds/local/coredns/kustomization.yaml
new file mode 100644
index 0000000..a54eb2e
--- /dev/null
+++ b/builds/local/coredns/kustomization.yaml
@@ -0,0 +1,6 @@
+# Automatically generated by Kustomanager
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./build.yaml
diff --git a/builds/local/debug/build.yaml b/builds/local/debug/build.yaml
new file mode 100644
index 0000000..4c8b717
--- /dev/null
+++ b/builds/local/debug/build.yaml
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: curl-debug
+ name: curl-debug
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: curl-debug
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: curl-debug
+ spec:
+ containers:
+ - args:
+ - infinity
+ command:
+ - sleep
+ image: quay.io/curl/curl:latest
+ name: curl
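Review bot: The `image:` line uses `quay.io/curl/curl:latest`, a mutable tag, so the code running in this long-lived `sleep infinity` pod can change without any change in the repository. Pin a reviewed tag or digest instead. The pod spec also sets no `securityContext` and leaves the service-account token mounted in the `default` namespace, although nothing in this manifest needs API access. The fence below sketches the tightened spec, with the tag left as a placeholder. The file looks like rendered output, so the edit presumably belongs in the source under `cluster-local/debug`.

```yaml
    spec:
      # nothing in this manifest calls the Kubernetes API, so no token is mounted
      automountServiceAccountToken: false
      containers:
      - # … unchanged: args and command (sleep infinity) …
        image: quay.io/curl/curl:<PINNED_TAG>  # placeholder: pin a reviewed tag or digest
        name: curl
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
```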
diff --git a/builds/local/debug/kustomization.yaml b/builds/local/debug/kustomization.yaml
new file mode 100644
index 0000000..a54eb2e
--- /dev/null
+++ b/builds/local/debug/kustomization.yaml
@@ -0,0 +1,6 @@
+# Automatically generated by Kustomanager
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./build.yaml
diff --git a/builds/local/deeppharmgraph/build.yaml b/builds/local/deeppharmgraph/build.yaml
new file mode 100644
index 0000000..c18e263
--- /dev/null
+++ b/builds/local/deeppharmgraph/build.yaml
@@ -0,0 +1,2319 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ name: deeppharmgraph
+ name: deeppharmgraph
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow
+ namespace: deeppharmgraph
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow
+ namespace: deeppharmgraph
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - get
+ - delete
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - get
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-admin
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: admin
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-op
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: op
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-public
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: public
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-user
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: user
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-viewer
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: viewer
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow
+ namespace: deeppharmgraph
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: dpg-processing-airflow
+subjects:
+- kind: ServiceAccount
+ name: dpg-processing-airflow
+ namespace: deeppharmgraph
+---
+apiVersion: v1
+data:
+ AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX: "true"
+ AUTH_KEYCLOAK_ACCESS_TOKEN_URL: http://id.dev.lan.shamrock.systems/realms/deeppharmgraph/protocol/openid-connect/token
+ AUTH_KEYCLOAK_AIRFLOW_BASE_URL: http://dpg-processing.dev.lan.shamrock.systems/
+ AUTH_KEYCLOAK_API_BASE_URL: http://id.dev.lan.shamrock.systems/realms/deeppharmgraph/protocol/
+ AUTH_KEYCLOAK_AUTHORIZE_URL: http://id.dev.lan.shamrock.systems/realms/deeppharmgraph/protocol/openid-connect/auth
+ AUTH_KEYCLOAK_CLIENT_ID: application-airflow
+ AUTH_KEYCLOAK_JWKS_URL: http://id.dev.lan.shamrock.systems/realms/deeppharmgraph/protocol/openid-connect/certs
+ AUTH_KEYCLOAK_SCOPE: openid
+kind: ConfigMap
+metadata:
+ name: airflow-env-configmap
+ namespace: deeppharmgraph
+---
+apiVersion: v1
+data:
+ pod_template.yaml: "\napiVersion: v1\nkind: Pod\nmetadata:\n name: dummy-name\nspec:\n
+ \ restartPolicy: Never\n serviceAccountName: dpg-processing-airflow\n shareProcessNamespace:
+ false\n nodeSelector:\n {}\n affinity:\n {}\n tolerations:\n []\n
+ \ securityContext:\n fsGroup: 0\n containers:\n - name: base \n image:
+ apache/airflow:2.6.3-python3.9\n imagePullPolicy: IfNotPresent\n securityContext:\n
+ \ runAsUser: 50000\n runAsGroup: 0\n envFrom: \n -
+ secretRef:\n name: dpg-processing-airflow-config-envs\n env:\n
+ \ ## KubernetesExecutor Pods use LocalExecutor internally\n - name:
+ AIRFLOW__CORE__EXECUTOR\n value: LocalExecutor \n - name:
+ DATABASE_USER\n valueFrom:\n secretKeyRef:\n name:
+ airflow-postgres-app\n key: user\n - name: DATABASE_PASSWORD\n
+ \ valueFrom:\n secretKeyRef:\n name: airflow-postgres-app\n
+ \ key: password\n - name: CONNECTION_CHECK_MAX_COUNT\n value:
+ \"20\"\n - name: AIRFLOW__CORE__FERNET_KEY\n valueFrom:\n secretKeyRef:\n
+ \ key: AIRFLOW__CORE__FERNET_KEY\n name: airflow-env-secret\n
+ \ - name: AIRFLOW__WEBSERVER__SECRET_KEY\n valueFrom:\n secretKeyRef:\n
+ \ key: AIRFLOW__WEBSERVER__SECRET_KEY\n name: airflow-env-secret\n
+ \ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX\n valueFrom:\n configMapKeyRef:\n
+ \ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX\n name: airflow-env-configmap\n
+ \ - name: AUTH_KEYCLOAK_API_BASE_URL\n valueFrom:\n configMapKeyRef:\n
+ \ key: AUTH_KEYCLOAK_API_BASE_URL\n name: airflow-env-configmap\n
+ \ - name: AUTH_KEYCLOAK_SCOPE\n valueFrom:\n configMapKeyRef:\n
+ \ key: AUTH_KEYCLOAK_SCOPE\n name: airflow-env-configmap\n
+ \ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL\n valueFrom:\n configMapKeyRef:\n
+ \ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL\n name: airflow-env-configmap\n
+ \ - name: AUTH_KEYCLOAK_AUTHORIZE_URL\n valueFrom:\n configMapKeyRef:\n
+ \ key: AUTH_KEYCLOAK_AUTHORIZE_URL\n name: airflow-env-configmap\n
+ \ - name: AUTH_KEYCLOAK_JWKS_URL\n valueFrom:\n configMapKeyRef:\n
+ \ key: AUTH_KEYCLOAK_JWKS_URL\n name: airflow-env-configmap\n
+ \ - name: AUTH_KEYCLOAK_CLIENT_ID\n valueFrom:\n configMapKeyRef:\n
+ \ key: AUTH_KEYCLOAK_CLIENT_ID\n name: airflow-env-configmap\n
+ \ - name: AUTH_KEYCLOAK_CLIENT_SECRET\n valueFrom:\n secretKeyRef:\n
+ \ key: AUTH_KEYCLOAK_CLIENT_SECRET\n name: airflow-env-secret\n
+ \ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL\n valueFrom:\n configMapKeyRef:\n
+ \ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL\n name: airflow-env-configmap\n
+ \ ports: []\n command: []\n args: []\n volumeMounts: \n
+ \ - name: logs-data\n mountPath: /opt/airflow/logs\n volumes:
+ \ \n - name: logs-data\n emptyDir: {}"
+kind: ConfigMap
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-pod-template
+ namespace: deeppharmgraph
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: airflow-env-secret
+ namespace: deeppharmgraph
+stringData:
+ AIRFLOW__CORE__FERNET_KEY: su8TakfoyJ3Mv6i136Y-i6vcJqhlthL8Q60F9M6GLJM=
+ AIRFLOW__WEBSERVER__SECRET_KEY: e5EqEnDH4wkWxnMf97n7RK7mAyBG2qdu
+ AUTH_KEYCLOAK_CLIENT_SECRET: HxLbmeGmDDcDGuC5eh9MrkQFWYAE3cZE
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dpg-admin-secret
+ namespace: deeppharmgraph
+stringData:
+ password: password
+---
+apiVersion: v1
+data:
+ AIRFLOW__CELERY__FLOWER_PORT: NTU1NQ==
+ AIRFLOW__CORE__DAGS_FOLDER: L29wdC9haXJmbG93L2RhZ3M=
+ AIRFLOW__CORE__EXECUTOR: S3ViZXJuZXRlc0V4ZWN1dG9y
+ AIRFLOW__CORE__SQL_ALCHEMY_CONN_CMD: YmFzaCAtYyAnZXZhbCAiJERBVEFCQVNFX1NRTEFMQ0hFTVlfQ01EIic=
+ AIRFLOW__DATABASE__SQL_ALCHEMY_CONN_CMD: YmFzaCAtYyAnZXZhbCAiJERBVEFCQVNFX1NRTEFMQ0hFTVlfQ01EIic=
+ AIRFLOW__KUBERNETES__NAMESPACE: ZGVlcHBoYXJtZ3JhcGg=
+ AIRFLOW__KUBERNETES__POD_TEMPLATE_FILE: L29wdC9haXJmbG93L3BvZF90ZW1wbGF0ZXMvcG9kX3RlbXBsYXRlLnlhbWw=
+ AIRFLOW__KUBERNETES__WORKER_CONTAINER_REPOSITORY: YXBhY2hlL2FpcmZsb3c=
+ AIRFLOW__KUBERNETES__WORKER_CONTAINER_TAG: Mi42LjMtcHl0aG9uMy45
+ AIRFLOW__KUBERNETES_EXECUTOR__NAMESPACE: ZGVlcHBoYXJtZ3JhcGg=
+ AIRFLOW__KUBERNETES_EXECUTOR__POD_TEMPLATE_FILE: L29wdC9haXJmbG93L3BvZF90ZW1wbGF0ZXMvcG9kX3RlbXBsYXRlLnlhbWw=
+ AIRFLOW__KUBERNETES_EXECUTOR__WORKER_CONTAINER_REPOSITORY: YXBhY2hlL2FpcmZsb3c=
+ AIRFLOW__KUBERNETES_EXECUTOR__WORKER_CONTAINER_TAG: Mi42LjMtcHl0aG9uMy45
+ AIRFLOW__LOGGING__BASE_LOG_FOLDER: L29wdC9haXJmbG93L2xvZ3M=
+ AIRFLOW__LOGGING__DAG_PROCESSOR_MANAGER_LOG_LOCATION: L29wdC9haXJmbG93L2xvZ3MvZGFnX3Byb2Nlc3Nvcl9tYW5hZ2VyL2RhZ19wcm9jZXNzb3JfbWFuYWdlci5sb2c=
+ AIRFLOW__SCHEDULER__CHILD_PROCESS_LOG_DIRECTORY: L29wdC9haXJmbG93L2xvZ3Mvc2NoZWR1bGVy
+ AIRFLOW__TRIGGERER__DEFAULT_CAPACITY: MTAwMA==
+ AIRFLOW__WEBSERVER__WEB_SERVER_PORT: ODA4MA==
+ DATABASE_CELERY_CMD: ZWNobyAtbiAiZGIrcG9zdGdyZXNxbDovLyQoZXZhbCAkREFUQUJBU0VfVVNFUl9DTUQpOiQoZXZhbCAkREFUQUJBU0VfUEFTU1dPUkRfQ01EKUAke0RBVEFCQVNFX0hPU1R9OiR7REFUQUJBU0VfUE9SVH0vJHtEQVRBQkFTRV9EQn0ke0RBVEFCQVNFX1BST1BFUlRJRVN9Ig==
+ DATABASE_DB: YXBw
+ DATABASE_HOST: ZHBnLXByb2Nlc3NpbmctYWlyZmxvdy1wZ2JvdW5jZXIuZGVlcHBoYXJtZ3JhcGguc3ZjLmNsdXN0ZXIubG9jYWw=
+ DATABASE_PASSWORD_CMD: ZWNobyAiJHtEQVRBQkFTRV9QQVNTV09SRH0iIHwgcHl0aG9uMyAtYyAiaW1wb3J0IHVybGxpYi5wYXJzZTsgZW5jb2RlZF9wYXNzID0gdXJsbGliLnBhcnNlLnF1b3RlKGlucHV0KCkpOyBwcmludChlbmNvZGVkX3Bhc3MpIg==
+ DATABASE_PORT: NjQzMg==
+ DATABASE_PROPERTIES: ""
+ DATABASE_PSQL_CMD: ZWNobyAtbiAicG9zdGdyZXNxbDovLyQoZXZhbCAkREFUQUJBU0VfVVNFUl9DTUQpOiQoZXZhbCAkREFUQUJBU0VfUEFTU1dPUkRfQ01EKUAxMjcuMC4wLjE6JHtEQVRBQkFTRV9QT1JUfS8ke0RBVEFCQVNFX0RCfSR7REFUQUJBU0VfUFJPUEVSVElFU30i
+ DATABASE_SQLALCHEMY_CMD: ZWNobyAtbiAicG9zdGdyZXNxbCtwc3ljb3BnMjovLyQoZXZhbCAkREFUQUJBU0VfVVNFUl9DTUQpOiQoZXZhbCAkREFUQUJBU0VfUEFTU1dPUkRfQ01EKUAke0RBVEFCQVNFX0hPU1R9OiR7REFUQUJBU0VfUE9SVH0vJHtEQVRBQkFTRV9EQn0ke0RBVEFCQVNFX1BST1BFUlRJRVN9Ig==
+ DATABASE_USER_CMD: ZWNobyAiJHtEQVRBQkFTRV9VU0VSfSIgfCBweXRob24zIC1jICJpbXBvcnQgdXJsbGliLnBhcnNlOyBlbmNvZGVkX3VzZXIgPSB1cmxsaWIucGFyc2UucXVvdGUoaW5wdXQoKSk7IHByaW50KGVuY29kZWRfdXNlciki
+ TZ: RXRjL1VUQw==
+kind: Secret
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-config-envs
+ namespace: deeppharmgraph
+---
+apiVersion: v1
+data:
+ db_migrations.py: CiMjIyMjIyMjIyMjIyMKIyMgSW1wb3J0cyAjIwojIyMjIyMjIyMjIyMjCmltcG9ydCBsb2dnaW5nCmltcG9ydCB0aW1lCmZyb20gYWlyZmxvdy51dGlscy5kYiBpbXBvcnQgdXBncmFkZWRiCgoKIyMjIyMjIyMjIyMjIwojIyBDb25maWdzICMjCiMjIyMjIyMjIyMjIyMKbG9nID0gbG9nZ2luZy5nZXRMb2dnZXIoX19maWxlX18pCmxvZy5zZXRMZXZlbCgiSU5GTyIpCgojIGhvdyBmcmVxdWVudGx5IHRvIGNoZWNrIGZvciB1bmFwcGxpZWQgbWlncmF0aW9ucwpDT05GX19DSEVDS19NSUdSQVRJT05TX0lOVEVSVkFMID0gMzAwCgoKIyMjIyMjIyMjIyMjIyMjCiMjIEZ1bmN0aW9ucyAjIwojIyMjIyMjIyMjIyMjIyMKZnJvbSBhaXJmbG93LnV0aWxzLmRiIGltcG9ydCBjaGVja19taWdyYXRpb25zCgoKZGVmIG5lZWRzX2RiX21pZ3JhdGlvbnMoKSAtPiBib29sOgogICAgIiIiCiAgICBSZXR1cm4gYSBib29sZWFuIHJlcHJlc2VudGluZyBpZiB0aGUgZGF0YWJhc2UgaGFzIHVuYXBwbGllZCBtaWdyYXRpb25zLgogICAgIiIiCiAgICBsb2dfYWxlbWJpYyA9IGxvZ2dpbmcuZ2V0TG9nZ2VyKCJhbGVtYmljLnJ1bnRpbWUubWlncmF0aW9uIikKICAgIGxvZ19hbGVtYmljX2xldmVsID0gbG9nX2FsZW1iaWMubGV2ZWwKICAgIHRyeToKICAgICAgICBsb2dfYWxlbWJpYy5zZXRMZXZlbCgiV0FSTiIpCiAgICAgICAgY2hlY2tfbWlncmF0aW9ucygxKQogICAgICAgIGxvZ19hbGVtYmljLnNldExldmVsKGxvZ19hbGVtYmljX2xldmVsKQogICAgICAgIHJldHVybiBGYWxzZQogICAgZXhjZXB0IFRpbWVvdXRFcnJvcjoKICAgICAgICByZXR1cm4gVHJ1ZQoKCmRlZiBhcHBseV9kYl9taWdyYXRpb25zKCkgLT4gTm9uZToKICAgICIiIgogICAgQXBwbHkgYW55IHBlbmRpbmcgREIgbWlncmF0aW9ucy4KICAgICIiIgogICAgbG9nLmluZm8oIi0tLS0tLS0tIFNUQVJUIC0gQVBQTFkgREIgTUlHUkFUSU9OUyAtLS0tLS0tLSIpCiAgICB1cGdyYWRlZGIoKQogICAgbG9nLmluZm8oIi0tLS0tLS0tIEZJTklTSCAtIEFQUExZIERCIE1JR1JBVElPTlMgLS0tLS0tLS0iKQoKCmRlZiBtYWluKHN5bmNfZm9yZXZlcjogYm9vbCk6CiAgICAjIGluaXRpYWwgY2hlY2sgJiBhcHBseQogICAgaWYgbmVlZHNfZGJfbWlncmF0aW9ucygpOgogICAgICAgIGxvZy53YXJuaW5nKCJ0aGVyZSBhcmUgdW5hcHBsaWVkIGRiIG1pZ3JhdGlvbnMsIHRyaWdnZXJpbmcgYXBwbHkuLi4iKQogICAgICAgIGFwcGx5X2RiX21pZ3JhdGlvbnMoKQogICAgZWxzZToKICAgICAgICBsb2cuaW5mbygidGhlcmUgYXJlIG5vIHVuYXBwbGllZCBkYiBtaWdyYXRpb25zLCBjb250aW51aW5nLi4uIikKCiAgICBpZiBzeW5jX2ZvcmV2ZXI6CiAgICAgICAgIyBkZWZpbmUgdmFyaWFibGUgdG8gdHJhY2sgaG93IGxvbmcgc2luY2UgbGFzdCBtaWdyYXRpb25zIGNoZWNrCiAgICAgICAgbWlncmF0aW9uc19jaGVja19lcG9jaCA9IHRpbWUudGltZSgpCgogICAgICAgICMgbWFpbiBs
b29wCiAgICAgICAgd2hpbGUgVHJ1ZToKICAgICAgICAgICAgaWYgKHRpbWUudGltZSgpIC0gbWlncmF0aW9uc19jaGVja19lcG9jaCkgPiBDT05GX19DSEVDS19NSUdSQVRJT05TX0lOVEVSVkFMOgogICAgICAgICAgICAgICAgbG9nLmRlYnVnKGYiY2hlY2sgaW50ZXJ2YWwgcmVhY2hlZCwgY2hlY2tpbmcgZm9yIHVuYXBwbGllZCBkYiBtaWdyYXRpb25zLi4uIikKICAgICAgICAgICAgICAgIGlmIG5lZWRzX2RiX21pZ3JhdGlvbnMoKToKICAgICAgICAgICAgICAgICAgICBsb2cud2FybmluZygidGhlcmUgYXJlIHVuYXBwbGllZCBkYiBtaWdyYXRpb25zLCB0cmlnZ2VyaW5nIGFwcGx5Li4uIikKICAgICAgICAgICAgICAgICAgICBhcHBseV9kYl9taWdyYXRpb25zKCkKICAgICAgICAgICAgICAgIG1pZ3JhdGlvbnNfY2hlY2tfZXBvY2ggPSB0aW1lLnRpbWUoKQoKICAgICAgICAgICAgIyBlbnN1cmUgd2UgZG9udCBsb29wIHRvbyBmYXN0CiAgICAgICAgICAgIHRpbWUuc2xlZXAoMC41KQoKCiMjIyMjIyMjIyMjIyMjCiMjIFJ1biBNYWluICMjCiMjIyMjIyMjIyMjIyMjCm1haW4oc3luY19mb3JldmVyPVRydWUp
+kind: Secret
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ component: db-migrations
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-db-migrations
+ namespace: deeppharmgraph
+---
+apiVersion: v1
+data:
+ gen_auth_file.sh: 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
+ gen_self_signed_cert.sh: CiMhL2Jpbi9zaCAtZQoKQ0VSVF9ESVI9Ii9ob21lL3BnYm91bmNlci9nZW5lcmF0ZWQtY2VydHMiCktFWV9GSUxFPSIkQ0VSVF9ESVIvY2xpZW50LmtleSIKQ0VSVF9GSUxFPSIkQ0VSVF9ESVIvY2xpZW50LmNydCIKCiMgY3JlYXRlIHRoZSBkaXJlY3RvcnkgZm9yIHRoZSBzZWxmLXNpZ25lZCBjZXJ0aWZpY2F0ZQpta2RpciAtcCAiJENFUlRfRElSIgoKIyB2YXJpYWJsZXMgZm9yIGNlcnRpZmljYXRlIGdlbmVyYXRpb24KQ09NTU9OX05BTUU9ImxvY2FsaG9zdCIKREFZU19WQUxJRD0zNjUKCiMgZ2VuZXJhdGUgdGhlIHNlbGYtc2lnbmVkIGNlcnRpZmljYXRlIGFuZCBhIHByaXZhdGUga2V5Cm9wZW5zc2wgcmVxIC14NTA5IFwKICAtbmV3a2V5IHJzYTo0MDk2IFwKICAta2V5b3V0ICIkS0VZX0ZJTEUiIFwKICAtb3V0ICIkQ0VSVF9GSUxFIiBcCiAgLWRheXMgIiREQVlTX1ZBTElEIiBcCiAgLXN1YmogIi9DTj0kQ09NTU9OX05BTUUiIFwKICAtbm9kZXMKCiMgc2V0IHBlcm1pc3Npb25zIGZvciB0aGUgcHJpdmF0ZSBrZXkgZmlsZQpjaG1vZCA2MDAgIiRLRVlfRklMRSIKCmVjaG8gIlN1Y2Nlc3NmdWxseSBnZW5lcmF0ZWQgc2VsZi1zaWduZWQgY2VydGlmaWNhdGU6ICRDRVJUX0ZJTEUiCmVjaG8gIlN1Y2Nlc3NmdWxseSBnZW5lcmF0ZWQgc2VsZi1zaWduZWQgY2VydGlmaWNhdGUga2V5OiAkS0VZX0ZJTEUi
+ pgbouncer.ini: 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
+kind: Secret
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ component: pgbouncer
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-pgbouncer
+ namespace: deeppharmgraph
+---
+apiVersion: v1
+data:
+ webserver_config.py: 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
+kind: Secret
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-webserver-config
+ namespace: deeppharmgraph
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: dpg-datastore-primary
+ namespace: deeppharmgraph
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 7878
+ selector:
+ app.kubernetes.io/name: oxigraph-primary
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ component: pgbouncer
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-pgbouncer
+ namespace: deeppharmgraph
+spec:
+ ports:
+ - name: pgbouncer
+ port: 6432
+ protocol: TCP
+ selector:
+ app: airflow
+ component: pgbouncer
+ release: dpg-processing-airflow
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ component: web
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-web
+ namespace: deeppharmgraph
+spec:
+ ports:
+ - name: web
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: airflow
+ component: web
+ release: dpg-processing-airflow
+ sessionAffinity: None
+ type: ClusterIP
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: oxigraph-primary-pvc
+ namespace: deeppharmgraph
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 32Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ component: db-migrations
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-db-migrations
+ namespace: deeppharmgraph
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: airflow
+ component: db-migrations
+ release: dpg-processing-airflow
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ checksum/db-migrations-script: 37898f38b90abd06081105d992362ec9e0d0015123b69e758e59031a9e6ddfc9
+ checksum/secret-config-envs: 858f363428dd71df9353344009e3328775b49a39540c4652c12f6310419f5d51
+ checksum/secret-local-settings: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+ labels:
+ app: airflow
+ component: db-migrations
+ release: dpg-processing-airflow
+ spec:
+ affinity: {}
+ containers:
+ - args:
+ - python
+ - -u
+ - /mnt/scripts/db_migrations.py
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ name: db-migrations
+ resources: {}
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ - mountPath: /mnt/scripts
+ name: scripts
+ readOnly: true
+ initContainers:
+ - args:
+ - bash
+ - -c
+ - exec timeout 60s airflow db check
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ name: check-db
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ nodeSelector: {}
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 0
+ serviceAccountName: dpg-processing-airflow
+ tolerations: []
+ volumes:
+ - emptyDir: {}
+ name: logs-data
+ - name: scripts
+ secret:
+ secretName: dpg-processing-airflow-db-migrations
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ component: pgbouncer
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-pgbouncer
+ namespace: deeppharmgraph
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: airflow
+ component: pgbouncer
+ release: dpg-processing-airflow
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ annotations:
+ checksum/secret-config-envs: 858f363428dd71df9353344009e3328775b49a39540c4652c12f6310419f5d51
+ checksum/secret-pgbouncer: 4e9f8069d3409019804aa33f690710e2b9e381ea88a829a848b20d8ee46fba38
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+ labels:
+ app: airflow
+ component: pgbouncer
+ release: dpg-processing-airflow
+ spec:
+ affinity: {}
+ containers:
+ - args:
+ - /bin/sh
+ - -c
+ - |-
+ /home/pgbouncer/config/gen_self_signed_cert.sh && \
+ /home/pgbouncer/config/gen_auth_file.sh && \
+ exec pgbouncer /home/pgbouncer/config/pgbouncer.ini
+ command:
+ - /usr/bin/dumb-init
+ - --rewrite=15:2
+ - --
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: ghcr.io/airflow-helm/pgbouncer:1.18.0-patch.1
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - psql $(eval $DATABASE_PSQL_CMD) --tuples-only --command="SELECT 1;"
+ | grep -q "1"
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ timeoutSeconds: 60
+ name: pgbouncer
+ ports:
+ - containerPort: 6432
+ name: pgbouncer
+ protocol: TCP
+ resources: {}
+ securityContext:
+ runAsGroup: 1001
+ runAsUser: 1001
+ startupProbe:
+ failureThreshold: 30
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ tcpSocket:
+ port: 6432
+ timeoutSeconds: 15
+ volumeMounts:
+ - mountPath: /home/pgbouncer/config
+ name: pgbouncer-config
+ readOnly: true
+ nodeSelector: {}
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 0
+ serviceAccountName: dpg-processing-airflow
+ terminationGracePeriodSeconds: 120
+ tolerations: []
+ volumes:
+ - name: pgbouncer-config
+ secret:
+ items:
+ - key: gen_auth_file.sh
+ mode: 493
+ path: gen_auth_file.sh
+ - key: gen_self_signed_cert.sh
+ mode: 493
+ path: gen_self_signed_cert.sh
+ - key: pgbouncer.ini
+ path: pgbouncer.ini
+ secretName: dpg-processing-airflow-pgbouncer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ component: scheduler
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-scheduler
+ namespace: deeppharmgraph
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: airflow
+ component: scheduler
+ release: dpg-processing-airflow
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ checksum/config-pod-template: 7eb8c18e40789e086be46f5739e74888c5c7f69c149ab70dd2d4dde3b6d1a4c3
+ checksum/secret-config-envs: 858f363428dd71df9353344009e3328775b49a39540c4652c12f6310419f5d51
+ checksum/secret-local-settings: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+ labels:
+ app: airflow
+ component: scheduler
+ release: dpg-processing-airflow
+ spec:
+ affinity: {}
+ containers:
+ - args:
+ - bash
+ - -c
+ - exec airflow scheduler -n -1
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ exec:
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ - python
+ - -Wignore
+ - -c
+ - |
+ import os
+ import sys
+
+ # suppress logs triggered from importing airflow packages
+ os.environ["AIRFLOW__LOGGING__LOGGING_LEVEL"] = "ERROR"
+
+ # shared imports
+ try:
+ from airflow.jobs.job import Job
+ except ImportError:
+ # `BaseJob` was renamed to `Job` in airflow 2.6.0
+ from airflow.jobs.base_job import BaseJob as Job
+ from airflow.utils.db import create_session
+ from airflow.utils.net import get_hostname
+
+ # heartbeat check imports
+ try:
+ from airflow.jobs.scheduler_job_runner import SchedulerJobRunner
+ except ImportError:
+ # `SchedulerJob` is wrapped by `SchedulerJobRunner` since airflow 2.6.0
+ from airflow.jobs.scheduler_job import SchedulerJob as SchedulerJobRunner
+
+ with create_session() as session:
+ ########################
+ # heartbeat check
+ ########################
+ # ensure the SchedulerJob with most recent heartbeat for this `hostname` is alive
+ hostname = get_hostname()
+ scheduler_job = session \
+ .query(Job) \
+ .filter_by(job_type=SchedulerJobRunner.job_type) \
+ .filter_by(hostname=hostname) \
+ .order_by(Job.latest_heartbeat.desc()) \
+ .limit(1) \
+ .first()
+ if (scheduler_job is not None) and scheduler_job.is_alive():
+ pass
+ else:
+ sys.exit(f"The SchedulerJob (id={scheduler_job.id}) for hostname '{hostname}' is not alive")
+ failureThreshold: 5
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ timeoutSeconds: 60
+ name: airflow-scheduler
+ resources: {}
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ - mountPath: /opt/airflow/pod_templates/pod_template.yaml
+ name: pod-template
+ readOnly: true
+ subPath: pod_template.yaml
+ - args:
+ - bash
+ - -c
+ - |
+ set -euo pipefail
+
+ # break the infinite loop when we receive SIGINT or SIGTERM
+ trap "exit 0" SIGINT SIGTERM
+
+ while true; do
+ START_EPOCH=$(date --utc +%s)
+ echo "[$(date --utc +%FT%T.%3N)] deleting log files older than $RETENTION_MINUTES minutes..."
+
+ # delete all writable files ending in ".log" with modified-time older than $RETENTION_MINUTES
+ # NOTE: `-printf "."` prints a "." for each deleted file, which we count the bytes of with `wc -c`
+ DELETED_COUNT=$(
+ find "$LOG_PATH" \
+ -type f \
+ -name "*.log" \
+ -mmin +"$RETENTION_MINUTES" \
+ -writable \
+ -delete \
+ -printf "." \
+ | wc -c
+ )
+
+ END_EPOCH=$(date --utc +%s)
+ LOOP_DURATION=$((END_EPOCH - START_EPOCH))
+ echo "[$(date --utc +%FT%T.%3N)] deleted $DELETED_COUNT files in $LOOP_DURATION seconds"
+
+ SECONDS_TO_SLEEP=$((INTERVAL_SECONDS - LOOP_DURATION))
+ if (( SECONDS_TO_SLEEP > 0 )); then
+ echo "[$(date --utc +%FT%T.%3N)] waiting $SECONDS_TO_SLEEP seconds..."
+ sleep $SECONDS_TO_SLEEP
+ fi
+ done
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: LOG_PATH
+ value: /opt/airflow/logs
+ - name: RETENTION_MINUTES
+ value: "21600"
+ - name: INTERVAL_SECONDS
+ value: "900"
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ name: log-cleanup
+ resources: {}
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ initContainers:
+ - args:
+ - bash
+ - -c
+ - exec timeout 60s airflow db check
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ name: check-db
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ - args:
+ - bash
+ - -c
+ - exec airflow db check-migrations -t 60
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ name: wait-for-db-migrations
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ nodeSelector: {}
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 0
+ serviceAccountName: dpg-processing-airflow
+ tolerations: []
+ volumes:
+ - emptyDir: {}
+ name: logs-data
+ - configMap:
+ name: dpg-processing-airflow-pod-template
+ name: pod-template
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ component: triggerer
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-triggerer
+ namespace: deeppharmgraph
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: airflow
+ component: triggerer
+ release: dpg-processing-airflow
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ checksum/secret-config-envs: 858f363428dd71df9353344009e3328775b49a39540c4652c12f6310419f5d51
+ checksum/secret-local-settings: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+ labels:
+ app: airflow
+ component: triggerer
+ release: dpg-processing-airflow
+ spec:
+ affinity: {}
+ containers:
+ - args:
+ - bash
+ - -c
+ - exec airflow triggerer
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ exec:
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ - python
+ - -Wignore
+ - -c
+ - |
+ import os
+ import sys
+
+ # suppress logs triggered from importing airflow packages
+ os.environ["AIRFLOW__LOGGING__LOGGING_LEVEL"] = "ERROR"
+
+ # shared imports
+ try:
+ from airflow.jobs.job import Job
+ except ImportError:
+ # `BaseJob` was renamed to `Job` in airflow 2.6.0
+ from airflow.jobs.base_job import BaseJob as Job
+ from airflow.utils.db import create_session
+ from airflow.utils.net import get_hostname
+
+ # heartbeat check imports
+ try:
+ from airflow.jobs.triggerer_job_runner import TriggererJobRunner
+ except ImportError:
+ # `TriggererJob` is wrapped by `TriggererJobRunner` since airflow 2.6.0
+ from airflow.jobs.triggerer_job import TriggererJob as TriggererJobRunner
+
+ with create_session() as session:
+ # ensure the TriggererJob with most recent heartbeat for this `hostname` is alive
+ hostname = get_hostname()
+ triggerer_job = session \
+ .query(Job) \
+ .filter_by(job_type=TriggererJobRunner.job_type) \
+ .filter_by(hostname=hostname) \
+ .order_by(Job.latest_heartbeat.desc()) \
+ .limit(1) \
+ .first()
+ if (triggerer_job is not None) and triggerer_job.is_alive():
+ pass
+ else:
+ sys.exit(f"The TriggererJob (id={triggerer_job.id}) for hostname '{hostname}' is not alive")
+ failureThreshold: 5
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ timeoutSeconds: 60
+ name: airflow-triggerer
+ resources: {}
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ initContainers:
+ - args:
+ - bash
+ - -c
+ - exec timeout 60s airflow db check
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ name: check-db
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ - args:
+ - bash
+ - -c
+ - exec airflow db check-migrations -t 60
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ name: wait-for-db-migrations
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ nodeSelector: {}
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 0
+ serviceAccountName: dpg-processing-airflow
+ tolerations: []
+ volumes:
+ - emptyDir: {}
+ name: logs-data
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: airflow
+ chart: airflow-8.8.0
+ component: web
+ heritage: Helm
+ release: dpg-processing-airflow
+ name: dpg-processing-airflow-web
+ namespace: deeppharmgraph
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: airflow
+ component: web
+ release: dpg-processing-airflow
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ checksum/config-webserver-config: 0c55e7421113d4db2812f65670e5c92075d1884fb1099f0bf7695e7e88af9824
+ checksum/secret-config-envs: 858f363428dd71df9353344009e3328775b49a39540c4652c12f6310419f5d51
+ checksum/secret-local-settings: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+ labels:
+ app: airflow
+ component: web
+ release: dpg-processing-airflow
+ spec:
+ affinity: {}
+ containers:
+ - args:
+ - bash
+ - -c
+ - exec airflow webserver
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /health
+ port: web
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ name: airflow-web
+ ports:
+ - containerPort: 8080
+ name: web
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /health
+ port: web
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ resources: {}
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ - mountPath: /opt/airflow/webserver_config.py
+ name: webserver-config
+ readOnly: true
+ subPath: webserver_config.py
+ initContainers:
+ - args:
+ - bash
+ - -c
+ - exec timeout 60s airflow db check
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ name: check-db
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ - args:
+ - bash
+ - -c
+ - exec airflow db check-migrations -t 60
+ command:
+ - /usr/bin/dumb-init
+ - --
+ - /entrypoint
+ env:
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: airflow-postgres-app
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: airflow-postgres-app
+ - name: CONNECTION_CHECK_MAX_COUNT
+ value: "0"
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__CORE__FERNET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ name: airflow-env-secret
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_SCOPE
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_JWKS_URL
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ name: airflow-env-configmap
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ name: airflow-env-configmap
+ envFrom:
+ - secretRef:
+ name: dpg-processing-airflow-config-envs
+ image: apache/airflow:2.6.3-python3.9
+ imagePullPolicy: IfNotPresent
+ name: wait-for-db-migrations
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 50000
+ volumeMounts:
+ - mountPath: /opt/airflow/logs
+ name: logs-data
+ nodeSelector: {}
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 0
+ serviceAccountName: dpg-processing-airflow
+ tolerations: []
+ volumes:
+ - emptyDir: {}
+ name: logs-data
+ - name: webserver-config
+ secret:
+ defaultMode: 420
+ secretName: dpg-processing-airflow-webserver-config
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: oxigraph-primary
+ name: oxigraph-primary
+ namespace: deeppharmgraph
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: oxigraph-primary
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: oxigraph-primary
+ spec:
+ containers:
+ - args:
+ - serve
+ - --location
+ - /data
+ - --bind
+ - 0.0.0.0:7878
+ image: ghcr.io/oxigraph/oxigraph:0.4.0-alpha.3
+ name: oxigraph
+ ports:
+ - containerPort: 7878
+ volumeMounts:
+ - mountPath: /data
+ name: oxigraph-data
+ volumes:
+ - name: oxigraph-data
+ persistentVolumeClaim:
+ claimName: oxigraph-primary-pvc
+ - emptyDir: {}
+ name: busybox
+---
+apiVersion: client.keycloak.crossplane.io/v1alpha1
+kind: ProtocolMapper
+metadata:
+ name: airflow-role-mapper
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ config:
+ access.token.claim: "true"
+ claim.name: roles
+ multivalued: "true"
+ userinfo.token.claim: "true"
+ name: role-mapper
+ protocol: openid-connect
+ protocolMapper: oidc-usermodel-client-role-mapper
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-datastore
+ namespace: deeppharmgraph
+spec:
+ hostnames:
+ - dpg-datastore.dev.lan.shamrock.systems
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: eg
+ namespace: envoy-gateway-system
+ rules:
+ - backendRefs:
+ - name: dpg-datastore-primary
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-processing-webserver
+ namespace: deeppharmgraph
+spec:
+ hostnames:
+ - dpg-processing.dev.lan.shamrock.systems
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: eg
+ namespace: envoy-gateway-system
+ rules:
+ - backendRefs:
+ - name: dpg-processing-airflow-web
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-admin-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowAdmin
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-op-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowOp
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-public-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowPublic
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-user-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowUser
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-viewer-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowViewer
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Memberships
+metadata:
+ name: airflow-admin-membership
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-admin-group
+ members:
+ - admin
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-admin-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-admin-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-admin
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-op-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-op-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-op
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-public-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-public-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-public
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-user-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-user-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-user
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-viewer-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-viewer-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-viewer
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: Client
+metadata:
+ name: dpg-airflow-client
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ accessType: CONFIDENTIAL
+ clientId: application-airflow
+ clientSecretSecretRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ namespace: deeppharmgraph
+ realmId: deeppharmgraph
+ standardFlowEnabled: true
+ validRedirectUris:
+ - http://dpg-processing.dev.lan.shamrock.systems/oauth-authorized/keycloak
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: airflow-postgres
+ namespace: deeppharmgraph
+spec:
+ instances: 1
+ storage:
+ size: 16Gi
+---
+apiVersion: realm.keycloak.crossplane.io/v1alpha1
+kind: Realm
+metadata:
+ name: dpg-keycloak-realm
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ displayName: DeepPharmGraph Barrier
+ displayNameHtml:
DeepPharmGraph Barrier
+ enabled: true
+ realm: deeppharmgraph
+ registrationAllowed: false
+ registrationEmailAsUsername: false
+ rememberMe: true
+ resetPasswordAllowed: true
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: user.keycloak.crossplane.io/v1alpha1
+kind: User
+metadata:
+ name: dpg-admin
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ email: example@example.com
+ emailVerified: true
+ firstName: John
+ initialPassword:
+ - temporary: false
+ valueSecretRef:
+ key: password
+ name: dpg-admin-secret
+ namespace: deeppharmgraph
+ lastName: Doe
+ realmId: deeppharmgraph
+ username: admin
+ providerConfigRef:
+ name: keycloak-config
diff --git a/builds/local/deeppharmgraph/kustomization.yaml b/builds/local/deeppharmgraph/kustomization.yaml
new file mode 100644
index 0000000..a54eb2e
--- /dev/null
+++ b/builds/local/deeppharmgraph/kustomization.yaml
@@ -0,0 +1,6 @@
+# Automatically generated by Kustomanager
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./build.yaml
diff --git a/builds/local/keycloak-provider/build.yaml b/builds/local/keycloak-provider/build.yaml
index e5e2fbe..0d20410 100644
--- a/builds/local/keycloak-provider/build.yaml
+++ b/builds/local/keycloak-provider/build.yaml
@@ -28,9 +28,8 @@ spec:
value: |
{
"client_id": "crossplane",
- "url": "https://auth.shamrock.systems",
+ "client_secret": "ShamroclLocalDevSecret",
+ "url": "http://id.dev.lan.shamrock.systems",
"realm": "master"
}
- - name: KEYCLOAK_CLIENT_SECRET
- value: ShamroclLocalDevSecret
name: package-runtime
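Review bot: The `client_secret` for the `crossplane` client of the `master` realm is written as a literal inside the credentials JSON, and the `url` line below it now uses plain `http://`. The credential that administers Keycloak is therefore readable in the repository and is presumably sent unencrypted whenever the provider authenticates. The JSON should come from a Kubernetes Secret created outside git, the current value should be rotated, and the endpoint should stay on TLS if the gateway can terminate it, e.g. `"url": "https://id.dev.lan.shamrock.systems",`. The same `http://` scheme is used by `validRedirectUris` in `cluster-local/deeppharmgraph/authentication/client.yaml` and by the token, authorize and JWKS URLs in `cluster-local/deeppharmgraph/processing/configmap.yaml`. The enclosing `spec:` block starts above the hunk, and this file looks like rendered output, so the change belongs in the source under `cluster-local/keycloak-provider`.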
diff --git a/builds/local/keycloak/build.yaml b/builds/local/keycloak/build.yaml
index 6b0b54b..72ba3ae 100644
--- a/builds/local/keycloak/build.yaml
+++ b/builds/local/keycloak/build.yaml
@@ -2161,7 +2161,7 @@ spec:
spec:
containers:
- args:
- - start
+ - start-dev
env:
- name: KEYCLOAK_ADMIN
value: admin
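Review bot: `start-dev` switches the whole server to Keycloak's development profile (HTTP enabled, relaxed hostname checks, development caching) instead of relaxing the one setting the local cluster needs. It also sits next to the literal `KEYCLOAK_ADMIN` value `admin` in the same `env` list. If serving over plain HTTP on the LAN is the only goal, keep `- start` and add `- name: KC_HTTP_ENABLED` with `value: "true"`, so the remaining production defaults stay in force. The container spec continues outside the hunk, and the file appears to be rendered from `cluster-local/keycloak`, which is where the edit should be made.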
@@ -2169,10 +2169,6 @@ spec:
value: password
- name: KC_HOSTNAME
value: id.dev.lan.shamrock.systems
- - name: KC_PROXY
- value: edge
- - name: KC_HOSTNAME_STRICT_HTTPS
- value: "false"
- name: KC_DB
value: postgres
- name: KC_DB_URL
diff --git a/builds/local/whoami/build.yaml b/builds/local/whoami/build.yaml
new file mode 100644
index 0000000..a9b88b1
--- /dev/null
+++ b/builds/local/whoami/build.yaml
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ name: whoami
+ name: whoami
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: whoami
+ namespace: whoami
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ app: whoami
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: whoami
+ namespace: whoami
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: whoami
+ template:
+ metadata:
+ labels:
+ app: whoami
+ spec:
+ containers:
+ - image: traefik/whoami:latest
+ imagePullPolicy: IfNotPresent
+ name: whoami
+ ports:
+ - containerPort: 80
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 50m
+ memory: 60Mi
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-whoami
+ namespace: whoami
+spec:
+ hostnames:
+ - whoami.dev.lan.shamrock.systems
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: eg
+ namespace: envoy-gateway-system
+ rules:
+ - backendRefs:
+ - name: whoami
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
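Review bot: The Deployment pulls `traefik/whoami:latest` with `imagePullPolicy: IfNotPresent`, so each node keeps whichever image it cached first and the running content is neither reproducible nor auditable. Pin the image to a released tag, ideally with a digest, e.g. `image: traefik/whoami:<VERSION>@sha256:<DIGEST>`. The same mutable tag is used for `quay.io/curl/curl:latest` in `cluster-local/debug/deployment.yaml`, whereas the Oxigraph image in this commit is pinned to a version.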
diff --git a/builds/local/whoami/kustomization.yaml b/builds/local/whoami/kustomization.yaml
new file mode 100644
index 0000000..a54eb2e
--- /dev/null
+++ b/builds/local/whoami/kustomization.yaml
@@ -0,0 +1,6 @@
+# Automatically generated by Kustomanager
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./build.yaml
diff --git a/cluster-local/coredns/configmap.yaml b/cluster-local/coredns/configmap.yaml
new file mode 100644
index 0000000..7941a73
--- /dev/null
+++ b/cluster-local/coredns/configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns-custom
+ namespace: kube-system
+data:
+ keycloak.override: |
+ rewrite name substring id.dev.lan.shamrock.systems keycloak.keycloak.svc.cluster.local
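Review bot: `rewrite name substring` rewrites every query name that merely contains `id.dev.lan.shamrock.systems`, including longer names produced by search-path expansion or other hosts that embed the string, so unrelated lookups can be turned into names under the Keycloak service. An exact match limits the override to the one hostname: `rewrite name exact id.dev.lan.shamrock.systems keycloak.keycloak.svc.cluster.local`. A short comment above the rule saying that in-cluster clients are meant to reach Keycloak through the Service rather than the gateway would also help the next reader.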
diff --git a/cluster-local/coredns/kustomization.yaml b/cluster-local/coredns/kustomization.yaml
new file mode 100644
index 0000000..5ef224a
--- /dev/null
+++ b/cluster-local/coredns/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./configmap.yaml
diff --git a/cluster-local/debug/deployment.yaml b/cluster-local/debug/deployment.yaml
new file mode 100644
index 0000000..705616d
--- /dev/null
+++ b/cluster-local/debug/deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: curl-debug
+ namespace: default
+ labels:
+ app.kubernetes.io/name: curl-debug
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: curl-debug
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: curl-debug
+ spec:
+ containers:
+ - name: curl
+ image: quay.io/curl/curl:latest
+ command: ["sleep"]
+ args: ["infinity"]
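Review bot: This adds a permanently running `sleep infinity` pod to the `default` namespace as part of the tracked manifests, which leaves a standing shell with in-cluster network access for anyone allowed to exec into pods there. A debug container is better started on demand and removed afterwards. If it has to stay in the tree, it should at least drop the API token and privilege escalation: `automountServiceAccountToken: false` on the pod spec and `securityContext: {allowPrivilegeEscalation: false}` on the container. The container also sets no `resources`, unlike the `whoami` Deployment in the same commit.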
diff --git a/cluster-local/debug/kustomization.yaml b/cluster-local/debug/kustomization.yaml
new file mode 100644
index 0000000..51fa9bd
--- /dev/null
+++ b/cluster-local/debug/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./deployment.yaml
diff --git a/cluster-local/deeppharmgraph/authentication/client.yaml b/cluster-local/deeppharmgraph/authentication/client.yaml
new file mode 100644
index 0000000..b204733
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/client.yaml
@@ -0,0 +1,20 @@
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: Client
+metadata:
+ name: dpg-airflow-client
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ accessType: CONFIDENTIAL
+ clientId: application-airflow
+ clientSecretSecretRef:
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ name: airflow-env-secret
+ namespace: deeppharmgraph
+ realmId: deeppharmgraph
+ standardFlowEnabled: true
+ validRedirectUris:
+ - http://dpg-processing.dev.lan.shamrock.systems/oauth-authorized/keycloak
+ providerConfigRef:
+ name: keycloak-config
diff --git a/cluster-local/deeppharmgraph/authentication/group.yaml b/cluster-local/deeppharmgraph/authentication/group.yaml
new file mode 100644
index 0000000..58cb8e2
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/group.yaml
@@ -0,0 +1,64 @@
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-admin-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowAdmin
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-public-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowPublic
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-viewer-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowViewer
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-user-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowUser
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: airflow-op-group
+ namespace: deeppharmgraph
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: AirflowOp
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
diff --git a/cluster-local/deeppharmgraph/authentication/kustomization.yaml b/cluster-local/deeppharmgraph/authentication/kustomization.yaml
new file mode 100644
index 0000000..81ceaf6
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./realm.yaml
+ - ./client.yaml
+ - ./secret.admin.yaml
+ - ./role.yaml
+ - ./protocolmapper.yaml
+ - ./user.yaml
+ - ./group.yaml
+ - ./membership.yaml
+ - ./roles.group.yaml
diff --git a/cluster-local/deeppharmgraph/authentication/membership.yaml b/cluster-local/deeppharmgraph/authentication/membership.yaml
new file mode 100644
index 0000000..11ce349
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/membership.yaml
@@ -0,0 +1,14 @@
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Memberships
+metadata:
+ name: airflow-admin-membership
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-admin-group
+ members:
+ - admin
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
diff --git a/cluster-local/deeppharmgraph/authentication/protocolmapper.yaml b/cluster-local/deeppharmgraph/authentication/protocolmapper.yaml
new file mode 100644
index 0000000..6f04231
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/protocolmapper.yaml
@@ -0,0 +1,20 @@
+apiVersion: client.keycloak.crossplane.io/v1alpha1
+kind: ProtocolMapper
+metadata:
+ name: airflow-role-mapper
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ config:
+ claim.name: roles
+ multivalued: "true"
+ userinfo.token.claim: "true"
+ access.token.claim: "true"
+ name: role-mapper
+ protocol: openid-connect
+ protocolMapper: oidc-usermodel-client-role-mapper
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
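Review bot: The mapper `config` does not restrict `oidc-usermodel-client-role-mapper` to one client, and as far as I know Keycloak then puts the client roles of every client in the realm into the `roles` claim. The roles defined in `role.yaml` have generic names (`admin`, `user`, `op`, `viewer`, `public`), so a role of the same name on another client could be read by Airflow as its own. Adding `usermodel.clientRoleMapping.clientId: application-airflow` under `config` scopes the claim to this client; please confirm the key against the provider's schema.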
diff --git a/cluster-local/deeppharmgraph/authentication/realm.yaml b/cluster-local/deeppharmgraph/authentication/realm.yaml
new file mode 100644
index 0000000..888d1be
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/realm.yaml
@@ -0,0 +1,17 @@
+apiVersion: realm.keycloak.crossplane.io/v1alpha1
+kind: Realm
+metadata:
+ name: dpg-keycloak-realm
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ realm: deeppharmgraph
+ displayName: DeepPharmGraph Barrier
+ displayNameHtml: DeepPharmGraph Barrier
+ enabled: true
+ registrationAllowed: false
+ registrationEmailAsUsername: false
+ rememberMe: true
+ resetPasswordAllowed: true
+ providerConfigRef:
+ name: keycloak-config
diff --git a/cluster-local/deeppharmgraph/authentication/role.yaml b/cluster-local/deeppharmgraph/authentication/role.yaml
new file mode 100644
index 0000000..75f29b5
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/role.yaml
@@ -0,0 +1,64 @@
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-admin
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: admin
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-public
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: public
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-viewer
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: viewer
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-user
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: user
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: airflow-op
+spec:
+ forProvider:
+ clientIdRef:
+ name: dpg-airflow-client
+ name: op
+ realmId: deeppharmgraph
+ providerConfigRef:
+ name: keycloak-config
diff --git a/cluster-local/deeppharmgraph/authentication/roles.group.yaml b/cluster-local/deeppharmgraph/authentication/roles.group.yaml
new file mode 100644
index 0000000..3bae871
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/roles.group.yaml
@@ -0,0 +1,74 @@
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-admin-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-admin-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-admin
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-public-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-public-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-public
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-viewer-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-viewer-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-viewer
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-user-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-user-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-user
+ providerConfigRef:
+ name: keycloak-config
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+ name: airflow-op-group-roles
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ groupIdRef:
+ name: airflow-op-group
+ realmId: deeppharmgraph
+ roleIdsRefs:
+ - name: airflow-op
+ providerConfigRef:
+ name: keycloak-config
diff --git a/cluster-local/deeppharmgraph/authentication/secret.admin.yaml b/cluster-local/deeppharmgraph/authentication/secret.admin.yaml
new file mode 100644
index 0000000..54c3217
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/secret.admin.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dpg-admin-secret
+ namespace: deeppharmgraph
+stringData:
+ password: "password"
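Review bot: The realm account's initial password is the literal `password`, committed in git, and `user.yaml` applies it with `temporary: false`, so it is never forced to change. `membership.yaml` puts that same `admin` user into `airflow-admin-group`. The Secret should be created outside the repository (or stored sealed/externally), and the user should be made to replace the password on first login with `- temporary: true` in `user.yaml`. `user.yaml` also marks the placeholder address `example@example.com` as `emailVerified: true` while the realm allows password reset, which is worth replacing with a real mailbox.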
diff --git a/cluster-local/deeppharmgraph/authentication/user.yaml b/cluster-local/deeppharmgraph/authentication/user.yaml
new file mode 100644
index 0000000..c2fe7ea
--- /dev/null
+++ b/cluster-local/deeppharmgraph/authentication/user.yaml
@@ -0,0 +1,21 @@
+apiVersion: user.keycloak.crossplane.io/v1alpha1
+kind: User
+metadata:
+ name: dpg-admin
+ namespace: deeppharmgraph
+spec:
+ forProvider:
+ initialPassword:
+ - temporary: false
+ valueSecretRef:
+ key: password
+ name: dpg-admin-secret
+ namespace: deeppharmgraph
+ realmId: deeppharmgraph
+ username: admin
+ firstName: John
+ lastName: Doe
+ email: example@example.com
+ emailVerified: true
+ providerConfigRef:
+ name: keycloak-config
diff --git a/cluster-local/deeppharmgraph/datastore/deployment.yaml b/cluster-local/deeppharmgraph/datastore/deployment.yaml
new file mode 100644
index 0000000..bfe7610
--- /dev/null
+++ b/cluster-local/deeppharmgraph/datastore/deployment.yaml
@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oxigraph-primary
+ labels:
+ app.kubernetes.io/name: oxigraph-primary
+spec:
+ strategy:
+ type: Recreate
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: oxigraph-primary
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: oxigraph-primary
+ spec:
+ volumes:
+ - name: oxigraph-data
+ persistentVolumeClaim:
+ claimName: oxigraph-primary-pvc
+ - name: busybox
+ emptyDir: {}
+ containers:
+ - name: oxigraph
+ image: ghcr.io/oxigraph/oxigraph:0.4.0-alpha.3
+ args:
+ - serve
+ - --location
+ - /data
+ - --bind
+ - 0.0.0.0:7878
+ ports:
+ - containerPort: 7878
+ volumeMounts:
+ - mountPath: /data
+ name: oxigraph-data
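Review bot: The pod declares a second volume, `- name: busybox` with `emptyDir: {}`, that no container mounts; it looks like a leftover and can be dropped. The `oxigraph` container also sets neither `resources` nor a `securityContext`, so it runs with whatever user and capabilities the image defaults to. Adding `securityContext: {allowPrivilegeEscalation: false}` is a safe start, and `runAsNonRoot: true` can follow once the image's user has been checked.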
diff --git a/cluster-local/deeppharmgraph/datastore/httproute.yaml b/cluster-local/deeppharmgraph/datastore/httproute.yaml
new file mode 100644
index 0000000..af1ab00
--- /dev/null
+++ b/cluster-local/deeppharmgraph/datastore/httproute.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-datastore
+ namespace: deeppharmgraph
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: eg
+ namespace: envoy-gateway-system
+ hostnames: [dpg-datastore.dev.lan.shamrock.systems]
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: dpg-datastore-primary
+ port: 80
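Review bot: The route forwards the whole `/` prefix to `dpg-datastore-primary`, which fronts `oxigraph serve` on port 7878, and nothing in this commit puts authentication in front of it. As far as I know `serve` is Oxigraph's read-write mode, so the update and store endpoints would be reachable by anyone who can reach the `eg` gateway. If external clients only need to query, narrowing the match to `value: /query` keeps the write paths off the gateway. Otherwise an auth policy should be attached to this route before the hostname is published.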
diff --git a/cluster-local/deeppharmgraph/datastore/kustomization.yaml b/cluster-local/deeppharmgraph/datastore/kustomization.yaml
new file mode 100644
index 0000000..8abb750
--- /dev/null
+++ b/cluster-local/deeppharmgraph/datastore/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: deeppharmgraph
+resources:
+ - ./persistentvolumeclaim.yaml
+ - ./deployment.yaml
+ - ./service.yaml
+ - ./httproute.yaml
diff --git a/cluster-local/deeppharmgraph/datastore/persistentvolumeclaim.yaml b/cluster-local/deeppharmgraph/datastore/persistentvolumeclaim.yaml
new file mode 100644
index 0000000..e50f9c5
--- /dev/null
+++ b/cluster-local/deeppharmgraph/datastore/persistentvolumeclaim.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: oxigraph-primary-pvc
+spec:
+ resources:
+ requests:
+ storage: 32Gi
+ accessModes:
+ - ReadWriteOnce
diff --git a/cluster-local/deeppharmgraph/datastore/service.yaml b/cluster-local/deeppharmgraph/datastore/service.yaml
new file mode 100644
index 0000000..d1a9b57
--- /dev/null
+++ b/cluster-local/deeppharmgraph/datastore/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: dpg-datastore-primary
+ namespace: deeppharmgraph
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: oxigraph-primary
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 7878
diff --git a/cluster-local/deeppharmgraph/kustomization.yaml b/cluster-local/deeppharmgraph/kustomization.yaml
new file mode 100644
index 0000000..6ba658c
--- /dev/null
+++ b/cluster-local/deeppharmgraph/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./namespace.yaml
+ - ./authentication
+ - ./datastore
+ - ./processing
diff --git a/cluster-local/deeppharmgraph/namespace.yaml b/cluster-local/deeppharmgraph/namespace.yaml
new file mode 100644
index 0000000..6f4ad55
--- /dev/null
+++ b/cluster-local/deeppharmgraph/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: deeppharmgraph
+ labels:
+ name: deeppharmgraph
diff --git a/cluster-local/deeppharmgraph/processing/cluster.postgres.yaml b/cluster-local/deeppharmgraph/processing/cluster.postgres.yaml
new file mode 100644
index 0000000..aa72c01
--- /dev/null
+++ b/cluster-local/deeppharmgraph/processing/cluster.postgres.yaml
@@ -0,0 +1,9 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: airflow-postgres
+ namespace: deeppharmgraph
+spec:
+ instances: 1
+ storage:
+ size: 16Gi
diff --git a/cluster-local/deeppharmgraph/processing/configmap.yaml b/cluster-local/deeppharmgraph/processing/configmap.yaml
new file mode 100644
index 0000000..987a838
--- /dev/null
+++ b/cluster-local/deeppharmgraph/processing/configmap.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: airflow-env-configmap
+ namespace: deeppharmgraph
+data:
+ AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX: "true"
+ AUTH_KEYCLOAK_API_BASE_URL: "http://id.dev.lan.shamrock.systems/realms/deeppharmgraph/protocol/"
+ AUTH_KEYCLOAK_SCOPE: "openid"
+ AUTH_KEYCLOAK_ACCESS_TOKEN_URL: "http://id.dev.lan.shamrock.systems/realms/deeppharmgraph/protocol/openid-connect/token"
+ AUTH_KEYCLOAK_AUTHORIZE_URL: "http://id.dev.lan.shamrock.systems/realms/deeppharmgraph/protocol/openid-connect/auth"
+ AUTH_KEYCLOAK_JWKS_URL: "http://id.dev.lan.shamrock.systems/realms/deeppharmgraph/protocol/openid-connect/certs"
+ AUTH_KEYCLOAK_CLIENT_ID: "application-airflow"
+ AUTH_KEYCLOAK_AIRFLOW_BASE_URL: "http://dpg-processing.dev.lan.shamrock.systems/"
diff --git a/cluster-local/deeppharmgraph/processing/httproute.yaml b/cluster-local/deeppharmgraph/processing/httproute.yaml
new file mode 100644
index 0000000..c76589b
--- /dev/null
+++ b/cluster-local/deeppharmgraph/processing/httproute.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-processing-webserver
+ namespace: deeppharmgraph
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: eg
+ namespace: envoy-gateway-system
+ hostnames: [dpg-processing.dev.lan.shamrock.systems]
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: dpg-processing-airflow-web
+ port: 8080
diff --git a/cluster-local/deeppharmgraph/processing/kustomization.yaml b/cluster-local/deeppharmgraph/processing/kustomization.yaml
new file mode 100644
index 0000000..86eecdb
--- /dev/null
+++ b/cluster-local/deeppharmgraph/processing/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: deeppharmgraph
+
+resources:
+ - ./secret.airflow.yaml
+ - ./configmap.yaml
+ - ./cluster.postgres.yaml
+ - ./httproute.yaml
+
+helmCharts:
+ - releaseName: dpg-processing-airflow
+ namespace: deeppharmgraph
+ name: airflow
+ repo: https://airflow-helm.github.io/charts
+ version: 8.8.0
+ valuesFile: values.airflow.yaml
diff --git a/cluster-local/deeppharmgraph/processing/secret.airflow.yaml b/cluster-local/deeppharmgraph/processing/secret.airflow.yaml
new file mode 100644
index 0000000..83b16d4
--- /dev/null
+++ b/cluster-local/deeppharmgraph/processing/secret.airflow.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: airflow-env-secret
+ namespace: deeppharmgraph
+stringData:
+ AIRFLOW__CORE__FERNET_KEY: "su8TakfoyJ3Mv6i136Y-i6vcJqhlthL8Q60F9M6GLJM="
+ AIRFLOW__WEBSERVER__SECRET_KEY: "e5EqEnDH4wkWxnMf97n7RK7mAyBG2qdu"
+ AUTH_KEYCLOAK_CLIENT_SECRET: "HxLbmeGmDDcDGuC5eh9MrkQFWYAE3cZE"
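Review bot: All three values in `stringData` are live key material committed in plaintext: the Fernet key that protects stored connection credentials, the Flask key that signs session cookies, and the OIDC client secret. Anyone with read access to the repository or its history can therefore decrypt, forge or impersonate with them. Create `airflow-env-secret` outside git (or as a sealed/external secret under the same name, so the `secretKeyRef` entries in `values.airflow.yaml` keep resolving) and leave only a comment here such as `# airflow-env-secret is provisioned out of band; see the README`. Because the current values are already in history, they should be regenerated rather than just moved.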
diff --git a/cluster-local/deeppharmgraph/processing/values.airflow.yaml b/cluster-local/deeppharmgraph/processing/values.airflow.yaml
new file mode 100644
index 0000000..df88214
--- /dev/null
+++ b/cluster-local/deeppharmgraph/processing/values.airflow.yaml
@@ -0,0 +1,2368 @@
+########################################
+## CONFIG | Airflow Configs
+########################################
+airflow:
+ ## if we use legacy 1.10 airflow commands
+ ##
+ legacyCommands: false
+
+ ## configs for the airflow container image
+ ##
+ image:
+ repository: apache/airflow
+ tag: 2.6.3-python3.9
+ pullPolicy: IfNotPresent
+ pullSecret: ""
+ uid: 50000
+ gid: 0
+
+ ## the airflow executor type to use
+ ## - allowed values: "CeleryExecutor", "KubernetesExecutor", "CeleryKubernetesExecutor"
+ ## - customize the "KubernetesExecutor" pod-template with `airflow.kubernetesPodTemplate.*`
+ ##
+ executor: KubernetesExecutor
+
+ ## the fernet encryption key (sets `AIRFLOW__CORE__FERNET_KEY`)
+ ## - [WARNING] you must change this value to ensure the security of your airflow
+ ## - set `AIRFLOW__CORE__FERNET_KEY` with `airflow.extraEnv` from a Secret to avoid storing this in your values
+ ## - use this command to generate your own fernet key:
+ ## python -c "from cryptography.fernet import Fernet; FERNET_KEY = Fernet.generate_key().decode(); print(FERNET_KEY)"
+ ##
+ fernetKey: ~
+
+ ## the secret_key for flask (sets `AIRFLOW__WEBSERVER__SECRET_KEY`)
+ ## - [WARNING] you must change this value to ensure the security of your airflow
+ ## - set `AIRFLOW__WEBSERVER__SECRET_KEY` with `airflow.extraEnv` from a Secret to avoid storing this in your values
+ ##
+ webserverSecretKey: ~
+
+ ## environment variables for airflow configs
+ ## - airflow env-vars are structured: "AIRFLOW__{config_section}__{config_name}"
+ ## - airflow configuration reference:
+ ## https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html
+ ##
+ ## ____ EXAMPLE _______________
+ ## config:
+ ## # dag configs
+ ## AIRFLOW__CORE__LOAD_EXAMPLES: "False"
+ ## AIRFLOW__SCHEDULER__DAG_DIR_LIST_INTERVAL: "30"
+ ##
+ ## # email configs
+ ## AIRFLOW__EMAIL__EMAIL_BACKEND: "airflow.utils.email.send_email_smtp"
+ ## AIRFLOW__SMTP__SMTP_HOST: "smtpmail.example.com"
+ ## AIRFLOW__SMTP__SMTP_MAIL_FROM: "admin@example.com"
+ ## AIRFLOW__SMTP__SMTP_PORT: "25"
+ ## AIRFLOW__SMTP__SMTP_SSL: "False"
+ ## AIRFLOW__SMTP__SMTP_STARTTLS: "False"
+ ##
+ ## # domain used in airflow emails
+ ## AIRFLOW__WEBSERVER__BASE_URL: "http://airflow.example.com"
+ ##
+ ## # ether environment variables
+ ## HTTP_PROXY: "http://proxy.example.com:8080"
+ ##
+ config: {}
+
+ ## a list of users to create
+ ## - templates can ONLY be used in: `password`, `email`, `firstName`, `lastName`
+ ## - templates used a bash-like syntax: ${MY_USERNAME}, $MY_USERNAME
+ ## - templates are defined in `usersTemplates`
+ ## - `role` can be a single role or a list of roles
+ ##
+ users: []
+
+ ## bash-like templates to be used in `airflow.users`
+ ## - [WARNING] if a Secret or ConfigMap is missing, the sync Pod will crash
+ ## - [WARNING] all keys must match the regex: ^[a-zA-Z_][a-zA-Z0-9_]*$
+ ##
+ ## ____ EXAMPLE _______________
+ ## usersTemplates
+ ## MY_USERNAME:
+ ## kind: configmap
+ ## name: my-configmap
+ ## key: username
+ ## MY_PASSWORD:
+ ## kind: secret
+ ## name: my-secret
+ ## key: password
+ ##
+ usersTemplates: {}
+
+ ## if we create a Deployment to perpetually sync `airflow.users`
+ ## - when `true`, users are updated in real-time, as ConfigMaps/Secrets change
+ ## - when `true`, users changes from the WebUI will be reverted automatically
+ ## - when `false`, users will only update one-time, after each `helm upgrade`
+ ##
+ usersUpdate: true
+
+ ## a list airflow connections to create
+ ## - templates can ONLY be used in: `host`, `login`, `password`, `schema`, `extra`
+ ## - templates used a bash-like syntax: ${AWS_ACCESS_KEY} or $AWS_ACCESS_KEY
+ ## - templates are defined in `connectionsTemplates`
+ ##
+ ## ____ EXAMPLE _______________
+ ## connections:
+ ## - id: my_aws
+ ## type: aws
+ ## description: my AWS connection
+ ## extra: |-
+ ## { "aws_access_key_id": "${AWS_KEY_ID}",
+ ## "aws_secret_access_key": "${AWS_ACCESS_KEY}",
+ ## "region_name":"eu-central-1" }
+ ##
+ connections: []
+
+ ## bash-like templates to be used in `airflow.connections`
+ ## - see docs for `airflow.usersTemplates`
+ ##
+ connectionsTemplates: {}
+
+ ## if we create a Deployment to perpetually sync `airflow.connections`
+ ## - see docs for `airflow.usersUpdate`
+ ##
+ connectionsUpdate: true
+
+ ## a list airflow variables to create
+ ## - templates can ONLY be used in: `value`
+ ## - templates used a bash-like syntax: ${MY_VALUE} or $MY_VALUE
+ ## - templates are defined in `connectionsTemplates`
+ ##
+ ## ____ EXAMPLE _______________
+ ## variables:
+ ## - key: "var_1"
+ ## value: "my_value_1"
+ ## - key: "var_2"
+ ## value: "my_value_2"
+ ##
+ variables: []
+
+ ## bash-like templates to be used in `airflow.variables`
+ ## - see docs for `airflow.usersTemplates`
+ ##
+ variablesTemplates: {}
+
+ ## if we create a Deployment to perpetually sync `airflow.variables`
+ ## - see docs for `airflow.usersUpdate`
+ ##
+ variablesUpdate: true
+
+ ## a list airflow pools to create
+ ##
+ ## ____ EXAMPLE _______________
+ ## pools:
+ ## - name: "pool_1"
+ ## description: "example pool with 5 slots"
+ ## slots: 5
+ ## - name: "pool_2"
+ ## description: "example pool with 2 cron policies"
+ ## slots: 0
+ ## ## if deferred tasks count towards the slot limit, requires airflow 2.7.0+ (default: false)
+ ## include_deferred: false
+ ## ## at each sync interval, the policy with the most recently past `recurrence` is applied
+ ## policies:
+ ## - name: "scale up at 7pm UTC"
+ ## slots: 50
+ ## recurrence: "0 19 * * *"
+ ## - name: "scale down at 6am UTC"
+ ## slots: 10
+ ## recurrence: "0 6 * * *"
+ ##
+ pools: []
+
+ ## if we create a Deployment to perpetually sync `airflow.pools`
+ ## - see docs for `airflow.usersUpdate`
+ ##
+ poolsUpdate: true
+
+ ## default nodeSelector for airflow Pods (is overridden by pod-specific values)
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ defaultNodeSelector: {}
+
+ ## default affinity configs for airflow Pods (is overridden by pod-specific values)
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ defaultAffinity: {}
+
+ ## default toleration configs for airflow Pods (is overridden by pod-specific values)
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ defaultTolerations: []
+
+ ## default securityContext configs for airflow Pods (is overridden by pod-specific values)
+ ## - spec for PodSecurityContext:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+ ##
+ defaultSecurityContext:
+ ## sets the filesystem owner group of files/folders in mounted volumes
+ ## this does NOT give root permissions to Pods, only the "root" group
+ fsGroup: 0
+
+ ## extra annotations for airflow Pods
+ ##
+ podAnnotations: {}
+
+ ## extra pip packages to install in airflow Pods
+ ##
+ ## ____ EXAMPLE _______________
+ ## extraPipPackages:
+ ## - "SomeProject==1.0.0"
+ ##
+ extraPipPackages: []
+
+ ## pip packages that are protected from upgrade/downgrade by `extraPipPackages`
+ ## - [WARNING] Pods will fail to start if `extraPipPackages` would cause these packages to change versions
+ ##
+ protectedPipPackages:
+ - "apache-airflow"
+
+ ## extra environment variables for the airflow Pods
+ ## - spec for EnvVar:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#envvar-v1-core
+ ##
+ extraEnv:
+ - name: AIRFLOW__CORE__FERNET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: airflow-env-secret
+ key: AIRFLOW__CORE__FERNET_KEY
+ - name: AIRFLOW__WEBSERVER__SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: airflow-env-secret
+ key: AIRFLOW__WEBSERVER__SECRET_KEY
+ - name: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ valueFrom:
+ configMapKeyRef:
+ name: airflow-env-configmap
+ key: AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX
+ - name: AUTH_KEYCLOAK_API_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ name: airflow-env-configmap
+ key: AUTH_KEYCLOAK_API_BASE_URL
+ - name: AUTH_KEYCLOAK_SCOPE
+ valueFrom:
+ configMapKeyRef:
+ name: airflow-env-configmap
+ key: AUTH_KEYCLOAK_SCOPE
+ - name: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ name: airflow-env-configmap
+ key: AUTH_KEYCLOAK_ACCESS_TOKEN_URL
+ - name: AUTH_KEYCLOAK_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ name: airflow-env-configmap
+ key: AUTH_KEYCLOAK_AUTHORIZE_URL
+ - name: AUTH_KEYCLOAK_JWKS_URL
+ valueFrom:
+ configMapKeyRef:
+ name: airflow-env-configmap
+ key: AUTH_KEYCLOAK_JWKS_URL
+ - name: AUTH_KEYCLOAK_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ name: airflow-env-configmap
+ key: AUTH_KEYCLOAK_CLIENT_ID
+ - name: AUTH_KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: airflow-env-secret
+ key: AUTH_KEYCLOAK_CLIENT_SECRET
+ - name: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+ valueFrom:
+ configMapKeyRef:
+ name: airflow-env-configmap
+ key: AUTH_KEYCLOAK_AIRFLOW_BASE_URL
+
+ ## extra containers for the airflow Pods
+ ## - spec for Container:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#container-v1-core
+ ##
+ extraContainers: []
+
+ ## extra VolumeMounts for the airflow Pods
+ ## - spec for VolumeMount:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volumemount-v1-core
+ ##
+ extraVolumeMounts: []
+
+ ## extra Volumes for the airflow Pods
+ ## - spec for Volume:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volume-v1-core
+ ##
+ extraVolumes: []
+
+ ## kubernetes cluster domain name
+ ## - configured in the kubelet with `--cluster-domain` flag (deprecated):
+ ## https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
+ ## - or configured in the kubelet with configuration file `clusterDomain` option:
+ ## https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
+ ##
+ clusterDomain: "cluster.local"
+
+ ########################################
+ ## FILE | airflow_local_settings.py
+ ########################################
+ ##
+ localSettings:
+ ## the full content of the `airflow_local_settings.py` file (as a string)
+ ## - docs for airflow cluster policies:
+ ## https://airflow.apache.org/docs/apache-airflow/stable/concepts/cluster-policies.html
+ ##
+ ## ____ EXAMPLE _______________
+ ## stringOverride: |
+ ## # use a custom `xcom_sidecar` image for KubernetesPodOperator()
+ ## from airflow.kubernetes.pod_generator import PodDefaults
+ ## PodDefaults.SIDECAR_CONTAINER.image = "gcr.io/PROJECT-ID/custom-sidecar-image"
+ ##
+ stringOverride: ""
+
+ ## the name of a Secret containing a `airflow_local_settings.py` key
+ ## - if set, this disables `airflow.localSettings.stringOverride`
+ ##
+ existingSecret: ""
+
+ ########################################
+ ## FILE | pod_template.yaml
+ ########################################
+ ## - generates a file for `AIRFLOW__KUBERNETES__POD_TEMPLATE_FILE`
+ ## - the `dags.gitSync` values will create a git-sync init-container in the pod
+ ## - the `airflow.extraPipPackages` will NOT be installed
+ ##
+ kubernetesPodTemplate:
+ ## the full content of the pod-template file (as a string)
+ ## - [WARNING] all other `kubernetesPodTemplate.*` are disabled when this is set
+ ## - docs for pod-template file:
+ ## https://airflow.apache.org/docs/apache-airflow/stable/executor/kubernetes.html#pod-template-file
+ ##
+ ## ____ EXAMPLE _______________
+ ## stringOverride: |-
+ ## apiVersion: v1
+ ## kind: Pod
+ ## spec: ...
+ ##
+ stringOverride: ""
+
+ ## resource requests/limits for the Pod template "base" container
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the Pod template
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the Pod template
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the Pod template
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## labels for the Pod template
+ ##
+ podLabels: {}
+
+ ## annotations for the Pod template
+ ##
+ podAnnotations: {}
+
+ ## the security context for the Pod template
+ ## - spec for PodSecurityContext:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+ ##
+ securityContext: {}
+
+ ## the shareProcessNamespace config for the Pod template
+ ## - docs for shareProcessNamespace:
+ ## https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
+ ##
+ shareProcessNamespace: false
+
+ ## extra pip packages to install in the Pod template
+ ##
+ ## ____ EXAMPLE _______________
+ ## extraPipPackages:
+ ## - "SomeProject==1.0.0"
+ ##
+ extraPipPackages: []
+
+ ## extra containers for the pod template
+ ## - spec for Container:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#container-v1-core
+ ##
+ extraContainers: []
+
+ ## extra init-containers for the Pod template
+ ## - spec of Container:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#container-v1-core
+ ##
+ extraInitContainers: []
+
+ ## extra VolumeMounts for the Pod template
+ ## - spec for VolumeMount:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volumemount-v1-core
+ ##
+ extraVolumeMounts: []
+
+ ## extra Volumes for the Pod template
+ ## - spec for Volume:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volume-v1-core
+ ##
+ extraVolumes: []
+
+ ########################################
+ ## COMPONENT | db-migrations Deployment
+ ########################################
+ dbMigrations:
+ ## if the db-migrations Deployment/Job is created
+ ## - [WARNING] if `false`, you have to MANUALLY run `airflow db upgrade` when required
+ ##
+ enabled: true
+
+ ## if a post-install helm Job should be used (instead of a Deployment)
+ ## - [WARNING] setting `true` will NOT work with the helm `--wait` flag,
+ ## this is because post-install helm Jobs run AFTER the main resources become Ready,
+ ## which will cause a deadlock, as other resources require db-migrations to become Ready
+ ##
+ runAsJob: false
+
+ ## resource requests/limits for the db-migrations Pods
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the db-migrations Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the db-migrations Pods
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the db-migrations Pods
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## the security context for the db-migrations Pods
+ ## - spec for PodSecurityContext:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+ ##
+ securityContext: {}
+
+ ## Labels for the db-migrations Deployment
+ ##
+ labels: {}
+
+ ## Pod labels for the db-migrations Deployment
+ ##
+ podLabels: {}
+
+ ## annotations for the db-migrations Deployment/Job
+ ##
+ annotations: {}
+
+ ## Pod annotations for the db-migrations Deployment/Job
+ ##
+ podAnnotations: {}
+
+ ## if we add the annotation: "cluster-autoscaler.kubernetes.io/safe-to-evict" = "true"
+ ##
+ safeToEvict: true
+
+ ## the number of seconds between checks for unapplied db migrations
+ ## - only applies if `airflow.dbMigrations.runAsJob` is `false`
+ ##
+ checkInterval: 300
+
+ ########################################
+ ## COMPONENT | Sync Deployments
+ ########################################
+ ## - used by the Deployments/Jobs used by `airflow.{connections,pools,users,variables}`
+ ##
+ sync:
+ ## resource requests/limits for the sync Pods
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the sync Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the sync Pods
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the sync Pods
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## the security context for the sync Pods
+ ## - spec for PodSecurityContext:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+ ##
+ securityContext: {}
+
+ ## Labels for the sync Deployments/Jobs
+ ##
+ labels: {}
+
+ ## Pod labels for the sync Deployments/Jobs
+ ##
+ podLabels: {}
+
+ ## annotations for the sync Deployments/Jobs
+ ##
+ annotations: {}
+
+ ## Pod annotations for the sync Deployments/Jobs
+ ##
+ podAnnotations: {}
+
+ ## if we add the annotation: "cluster-autoscaler.kubernetes.io/safe-to-evict" = "true"
+ ##
+ safeToEvict: true
+
+###################################
+## COMPONENT | Airflow Scheduler
+###################################
+scheduler:
+ ## the number of scheduler Pods to run
+ ## - if you set this >1 we recommend defining a `scheduler.podDisruptionBudget`
+ ##
+ replicas: 1
+
+ ## resource requests/limits for the scheduler Pod
+ ## - spec of ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the scheduler Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the scheduler Pods
+ ## - spec of Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the scheduler Pods
+ ## - spec of Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## the security context for the scheduler Pods
+ ## - spec of PodSecurityContext:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+ ##
+ securityContext: {}
+
+ ## labels for the scheduler Deployment
+ ##
+ labels: {}
+
+ ## Pod labels for the scheduler Deployment
+ ##
+ podLabels: {}
+
+ ## annotations for the scheduler Deployment
+ ##
+ annotations: {}
+
+ ## Pod annotations for the scheduler Deployment
+ ##
+ podAnnotations: {}
+
+ ## if we add the annotation: "cluster-autoscaler.kubernetes.io/safe-to-evict" = "true"
+ ##
+ safeToEvict: true
+
+ ## configs for the PodDisruptionBudget of the scheduler
+ ##
+ podDisruptionBudget:
+ ## if a PodDisruptionBudget resource is created for the scheduler
+ ##
+ enabled: false
+
+ ## the `apiVersion` to use for PodDisruptionBudget resources
+ ## - for Kubernetes 1.21 and later: "policy/v1"
+ ## - for Kubernetes 1.20 and before: "policy/v1beta1"
+ ##
+ apiVersion: policy/v1
+
+ ## the maximum unavailable pods/percentage for the scheduler
+ ##
+ maxUnavailable: ""
+
+ ## the minimum available pods/percentage for the scheduler
+ ##
+ minAvailable: ""
+
+ ## configs for the log-cleanup sidecar of the scheduler
+ ## - helps prevent excessive log buildup by regularly deleting old files
+ ##
+ logCleanup:
+ ## if the log-cleanup sidecar is enabled
+ ## - [WARNING] must be disabled if `logs.persistence.enabled` is `true`
+ ##
+ enabled: true
+
+ ## resource requests/limits for the log-cleanup container
+ ## - spec of ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the number of minutes to retain log files (by last-modified time)
+ ##
+ retentionMinutes: 21600
+
+ ## the number of seconds between each check for files to delete
+ ##
+ intervalSeconds: 900
+
+ ## sets `airflow --num_runs` parameter used to run the airflow scheduler
+ ##
+ numRuns: -1
+
+ ## configs for the scheduler Pods' liveness probe
+ ## - "unhealthy" means the SchedulerJob has not had a heartbeat for
+ ## AIRFLOW__SCHEDULER__SCHEDULER_HEALTH_CHECK_THRESHOLD seconds
+ ## - `periodSeconds` x `failureThreshold` = max seconds a scheduler can be in an "unhealthy" state
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ timeoutSeconds: 60
+ failureThreshold: 5
+
+ ## configs for an additional check that ensures tasks are being created by the scheduler
+ ## - this check works by ensuring that the most recent LocalTaskJob had a `start_date` no more than
+ ## `taskCreationCheck.thresholdSeconds` seconds ago
+ ## - this check is useful because the scheduler can deadlock with a heartbeat, but not be scheduling new tasks:
+ ## https://github.com/apache/airflow/issues/7935 - patched in airflow `2.0.2`
+ ## https://github.com/apache/airflow/issues/15938 - patched in airflow `2.1.1`
+ ##
+ taskCreationCheck:
+ ## if the task creation check is enabled
+ ##
+ enabled: false
+
+ ## the maximum number of seconds since the start_date of the most recent LocalTaskJob
+ ## - [WARNING] must be AT LEAST equal to your shortest DAG schedule_interval
+ ## - [WARNING] DummyOperator tasks will NOT be seen by this probe
+ ##
+ thresholdSeconds: 300
+
+ ## minimum number of seconds the scheduler must have run before the task creation check begins
+ ## - [WARNING] must be long enough for the scheduler to boot and create a task
+ ##
+ schedulerAgeBeforeCheck: 180
+
+ ## extra pip packages to install in the scheduler Pods
+ ##
+ ## ____ EXAMPLE _______________
+ ## extraPipPackages:
+ ## - "SomeProject==1.0.0"
+ ##
+ extraPipPackages: []
+
+ ## extra VolumeMounts for the scheduler Pods
+ ## - spec of VolumeMount:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volumemount-v1-core
+ ##
+ extraVolumeMounts: []
+
+ ## extra Volumes for the scheduler Pods
+ ## - spec of Volume:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volume-v1-core
+ ##
+ extraVolumes: []
+
+ ## extra init containers to run in the scheduler Pods
+ ## - spec of Container:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#container-v1-core
+ ##
+ extraInitContainers: []
+
+###################################
+## COMPONENT | Airflow Webserver
+###################################
+web:
+ ########################################
+ ## FILE | webserver_config.py
+ ########################################
+ ##
+ webserverConfig:
+ ## if the `webserver_config.py` file is mounted
+ ## - set to false if you wish to mount your own `webserver_config.py` file
+ ##
+ enabled: true
+
+ ## the full content of the `webserver_config.py` file (as a string)
+ ## - docs for Flask-AppBuilder security configs:
+ ## https://flask-appbuilder.readthedocs.io/en/latest/security.html
+ ##
+ ## ____ EXAMPLE _______________
+ ## stringOverride: |
+ ## from airflow import configuration as conf
+ ## from flask_appbuilder.security.manager import AUTH_DB
+ ##
+ ## # the SQLAlchemy connection string
+ ## SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')
+ ##
+ ## # use embedded DB for auth
+ ## AUTH_TYPE = AUTH_DB
+ ##
+ stringOverride: |
+ import os
+ from typing import Any, Union
+
+ from airflow.www.security import AirflowSecurityManager
+ from flask_appbuilder.security.manager import AUTH_OAUTH
+
+
+ class KeycloakAuthorizer(AirflowSecurityManager):
+ def get_oauth_user_info(
+ self, provider: str, resp: Any
+ ) -> dict[str, Union[str, list[str]]]:
+ me = self.appbuilder.sm.oauth_remotes[provider].get("openid-connect/userinfo")
+ me.raise_for_status()
+ data = me.json()
+ payload = {
+ "first_name": data.get("given_name", ""),
+ "last_name": data.get("family_name", ""),
+ "email": data.get("email", ""),
+ "name": data.get("name", ""),
+ "username": data.get("preferred_username", ""),
+ "role_keys": data.get("roles", []),
+ }
+ print(payload)
+ return payload
+
+
+ AUTH_TYPE = AUTH_OAUTH
+
+ AUTH_ROLES_MAPPING = {
+ "admin": ["Admin"],
+ "public": ["Public"],
+ "viewer": ["Viewer"],
+ "user": ["User"],
+ "op": ["Op"],
+ }
+
+ AUTH_ROLES_SYNC_AT_LOGIN = True
+ AUTH_USER_REGISTRATION = True
+
+ OAUTH_PROVIDERS = [
+ {
+ "name": "keycloak",
+ "icon": "fa-key",
+ "token_key": "access_token",
+ "remote_app": {
+ "api_base_url": os.environ["AUTH_KEYCLOAK_API_BASE_URL"],
+ "client_kwargs": {"scope": os.environ["AUTH_KEYCLOAK_SCOPE"]},
+ "request_token_url": None,
+ "access_token_url": os.environ["AUTH_KEYCLOAK_ACCESS_TOKEN_URL"],
+ "authorize_url": os.environ["AUTH_KEYCLOAK_AUTHORIZE_URL"],
+ "jwks_uri": os.environ["AUTH_KEYCLOAK_JWKS_URL"],
+ "client_id": os.environ["AUTH_KEYCLOAK_CLIENT_ID"],
+ "client_secret": os.environ["AUTH_KEYCLOAK_CLIENT_SECRET"],
+ "airflow_base_url": os.environ["AUTH_KEYCLOAK_AIRFLOW_BASE_URL"],
+ },
+ }
+ ]
+
+ SECURITY_MANAGER_CLASS = KeycloakAuthorizer
+
+## the name of a Secret containing a `webserver_config.py` key
+##
+existingSecret: ""
+
+## the number of web Pods to run
+## - if you set this >1 we recommend defining a `web.podDisruptionBudget`
+##
+replicas: 1
+
+## resource requests/limits for the web Pod
+## - spec for ResourceRequirements:
+## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+##
+resources: {}
+
+## the nodeSelector configs for the web Pods
+## - docs for nodeSelector:
+## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+##
+nodeSelector: {}
+
+## the affinity configs for the web Pods
+## - spec for Affinity:
+## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+##
+affinity: {}
+
+## the toleration configs for the web Pods
+## - spec for Toleration:
+## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+##
+tolerations: []
+
+## the security context for the web Pods
+## - spec for PodSecurityContext:
+## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+##
+securityContext: {}
+
+## labels for the web Deployment
+##
+labels: {}
+
+## Pod labels for the web Deployment
+##
+podLabels: {}
+
+## annotations for the web Deployment
+##
+annotations: {}
+
+## Pod annotations for the web Deployment
+##
+podAnnotations: {}
+
+## if we add the annotation: "cluster-autoscaler.kubernetes.io/safe-to-evict" = "true"
+##
+safeToEvict: true
+
+## configs for the PodDisruptionBudget of the web Deployment
+##
+podDisruptionBudget:
+ ## if a PodDisruptionBudget resource is created for the web Deployment
+ ##
+ enabled: false
+
+ ## the `apiVersion` to use for PodDisruptionBudget resources
+ ## - for Kubernetes 1.21 and later: "policy/v1"
+ ## - for Kubernetes 1.20 and before: "policy/v1beta1"
+ ##
+ apiVersion: policy/v1
+
+ ## the maximum unavailable pods/percentage for the web Deployment
+ ##
+ maxUnavailable: ""
+
+ ## the minimum available pods/percentage for the web Deployment
+ ##
+ minAvailable: ""
+
+## configs for the Service of the web Pods
+##
+service:
+ annotations: {}
+ sessionAffinity: "None"
+ sessionAffinityConfig: {}
+ type: ClusterIP
+ externalPort: 8080
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ nodePort:
+ http: ""
+
+## configs for the web Pods' readiness probe
+##
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+
+## configs for the web Pods' liveness probe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+
+## extra pip packages to install in the web Pods
+##
+## ____ EXAMPLE _______________
+## extraPipPackages:
+## - "SomeProject==1.0.0"
+##
+extraPipPackages: []
+
+## extra VolumeMounts for the web Pods
+## - spec for VolumeMount:
+## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volumemount-v1-core
+##
+extraVolumeMounts: []
+
+## extra Volumes for the web Pods
+## - spec for Volume:
+## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volume-v1-core
+##
+extraVolumes: []
+
+###################################
+## COMPONENT | Airflow Workers
+###################################
+workers:
+ ## if the airflow workers StatefulSet should be deployed
+ ##
+ enabled: false
+
+ ## the number of worker Pods to run
+ ## - if you set this >1 we recommend defining a `workers.podDisruptionBudget`
+ ## - this is the minimum when `workers.autoscaling.enabled` is true
+ ##
+ replicas: 1
+
+ ## resource requests/limits for the worker Pod
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the worker Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the worker Pods
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the worker Pods
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## the security context for the worker Pods
+ ## - spec for PodSecurityContext:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+ ##
+ securityContext: {}
+
+ ## labels for the worker StatefulSet
+ ##
+ labels: {}
+
+ ## Pod labels for the worker StatefulSet
+ ##
+ podLabels: {}
+
+ ## annotations for the worker StatefulSet
+ ##
+ annotations: {}
+
+ ## Pod annotations for the worker StatefulSet
+ ##
+ podAnnotations: {}
+
+ ## if we add the annotation: "cluster-autoscaler.kubernetes.io/safe-to-evict" = "true"
+ ##
+ safeToEvict: true
+
+ ## configs for the PodDisruptionBudget of the worker StatefulSet
+ ##
+ podDisruptionBudget:
+ ## if a PodDisruptionBudget resource is created for the worker StatefulSet
+ ##
+ enabled: false
+
+ ## the `apiVersion` to use for PodDisruptionBudget resources
+ ## - for Kubernetes 1.21 and later: "policy/v1"
+ ## - for Kubernetes 1.20 and before: "policy/v1beta1"
+ ##
+ apiVersion: policy/v1
+
+ ## the maximum unavailable pods/percentage for the worker StatefulSet
+ ##
+ maxUnavailable: ""
+
+ ## the minimum available pods/percentage for the worker StatefulSet
+ ##
+ minAvailable: ""
+
+ ## configs for the HorizontalPodAutoscaler of the worker Pods
+ ## - [WARNING] if using git-sync, ensure `dags.gitSync.resources` is set
+ ## - [WARNING] if using worker log-cleanup, ensure `workers.logCleanup.resources` is set
+ ##
+ ## ____ EXAMPLE _______________
+ ## autoscaling:
+ ## enabled: true
+ ## maxReplicas: 16
+ ## metrics:
+ ## - type: Resource
+ ## resource:
+ ## name: memory
+ ## target:
+ ## type: Utilization
+ ## averageUtilization: 80
+ ##
+ autoscaling:
+ enabled: false
+ maxReplicas: 2
+ metrics: []
+
+ ## the `apiVersion` to use for HorizontalPodAutoscaler resources
+ ## - for Kubernetes 1.23 and later: "autoscaling/v2"
+ ## - for Kubernetes 1.22 and before: "autoscaling/v2beta2"
+ ##
+ apiVersion: autoscaling/v2
+
+ ## configs for the celery worker Pods
+ ##
+ celery:
+ ## if celery worker Pods are gracefully terminated
+ ## - consider defining a `workers.podDisruptionBudget` to prevent there not being
+ ## enough available workers during graceful termination waiting periods
+ ##
+ ## graceful termination process:
+ ## 1. prevent worker accepting new tasks
+ ## 2. wait AT MOST `workers.celery.gracefullTerminationPeriod` for tasks to finish
+ ## 3. send SIGTERM to worker
+ ## 4. wait AT MOST `workers.terminationPeriod` for kill to finish
+ ## 5. send SIGKILL to worker
+ ##
+ gracefullTermination: false
+
+ ## how many seconds to wait for tasks to finish before SIGTERM of the celery worker
+ ##
+ gracefullTerminationPeriod: 600
+
+ ## how many seconds to wait after SIGTERM before SIGKILL of the celery worker
+ ## - [WARNING] tasks that are still running during SIGKILL will be orphaned, this is important
+ ## to understand with KubernetesPodOperator(), as Pods may continue running
+ ##
+ terminationPeriod: 60
+
+ ## configs for the log-cleanup sidecar of the worker Pods
+ ## - helps prevent excessive log buildup by regularly deleting old files
+ ##
+ logCleanup:
+ ## if the log-cleanup sidecar is enabled
+ ## - [WARNING] must be disabled if `logs.persistence.enabled` is `true`
+ ##
+ enabled: true
+
+ ## resource requests/limits for the log-cleanup container
+ ## - spec of ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the number of minutes to retain log files (by last-modified time)
+ ##
+ retentionMinutes: 21600
+
+ ## the number of seconds between each check for files to delete
+ ##
+ intervalSeconds: 900
+
+ ## configs for the worker Pods' liveness probe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ timeoutSeconds: 60
+ failureThreshold: 5
+
+ ## extra pip packages to install in the worker Pod
+ ##
+ ## ____ EXAMPLE _______________
+ ## extraPipPackages:
+ ## - "SomeProject==1.0.0"
+ ##
+ extraPipPackages: []
+
+ ## extra VolumeMounts for the worker Pods
+ ## - spec for VolumeMount:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volumemount-v1-core
+ ##
+ extraVolumeMounts: []
+
+ ## extra Volumes for the worker Pods
+ ## - spec for Volume:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volume-v1-core
+ ##
+ extraVolumes: []
+
+###################################
+## COMPONENT | Triggerer
+###################################
+triggerer:
+ ## if the airflow triggerer should be deployed
+ ## - [WARNING] the triggerer component was added in airflow 2.2.0
+ ## - [WARNING] if `airflow.legacyCommands` is `true` the triggerer will NOT be deployed
+ ##
+ enabled: true
+
+ ## the number of triggerer Pods to run
+ ## - if you set this >1 we recommend defining a `triggerer.podDisruptionBudget`
+ ##
+ replicas: 1
+
+ ## resource requests/limits for the triggerer Pods
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the triggerer Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the triggerer Pods
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the triggerer Pods
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## the security context for the triggerer Pods
+ ## - spec for PodSecurityContext:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+ ##
+ securityContext: {}
+
+ ## labels for the triggerer Deployment
+ ##
+ labels: {}
+
+ ## Pod labels for the triggerer Deployment
+ ##
+ podLabels: {}
+
+ ## annotations for the triggerer Deployment
+ ##
+ annotations: {}
+
+ ## Pod annotations for the triggerer Deployment
+ ##
+ podAnnotations: {}
+
+ ## if we add the annotation: "cluster-autoscaler.kubernetes.io/safe-to-evict" = "true"
+ ##
+ safeToEvict: true
+
+ ## configs for the PodDisruptionBudget of the triggerer Deployment
+ ##
+ podDisruptionBudget:
+ ## if a PodDisruptionBudget resource is created for the triggerer Deployment
+ ##
+ enabled: false
+
+ ## the `apiVersion` to use for PodDisruptionBudget resources
+ ## - for Kubernetes 1.21 and later: "policy/v1"
+ ## - for Kubernetes 1.20 and before: "policy/v1beta1"
+ ##
+ apiVersion: policy/v1
+
+ ## the maximum unavailable pods/percentage for the triggerer Deployment
+ ##
+ maxUnavailable: ""
+
+ ## the minimum available pods/percentage for the triggerer Deployment
+ ##
+ minAvailable: ""
+
+ ## maximum number of triggers each triggerer will run at once (sets `AIRFLOW__TRIGGERER__DEFAULT_CAPACITY`)
+ ##
+ capacity: 1000
+
+ ## configs for the triggerer Pods' liveness probe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ timeoutSeconds: 60
+ failureThreshold: 5
+
+ ## extra pip packages to install in the triggerer Pod
+ ##
+ ## ____ EXAMPLE _______________
+ ## extraPipPackages:
+ ## - "SomeProject==1.0.0"
+ ##
+ extraPipPackages: []
+
+ ## extra VolumeMounts for the triggerer Pods
+ ## - spec for VolumeMount:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volumemount-v1-core
+ ##
+ extraVolumeMounts: []
+
+ ## extra Volumes for the triggerer Pods
+ ## - spec for Volume:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volume-v1-core
+ ##
+ extraVolumes: []
+
+###################################
+## COMPONENT | Flower
+###################################
+flower:
+ ## if the airflow flower UI should be deployed
+ ##
+ enabled: false
+
+ ## the number of flower Pods to run
+ ## - if you set this >1 we recommend defining a `flower.podDisruptionBudget`
+ ##
+ replicas: 1
+
+ ## resource requests/limits for the flower Pod
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the flower Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the flower Pods
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the flower Pods
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## the security context for the flower Pods
+ ## - spec for PodSecurityContext:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+ ##
+ securityContext: {}
+
+ ## labels for the flower Deployment
+ ##
+ labels: {}
+
+ ## Pod labels for the flower Deployment
+ ##
+ podLabels: {}
+
+ ## annotations for the flower Deployment
+ ##
+ annotations: {}
+
+ ## Pod annotations for the flower Deployment
+ ##
+ podAnnotations: {}
+
+ ## if we add the annotation: "cluster-autoscaler.kubernetes.io/safe-to-evict" = "true"
+ ##
+ safeToEvict: true
+
+ ## configs for the PodDisruptionBudget of the flower Deployment
+ ##
+ podDisruptionBudget:
+ ## if a PodDisruptionBudget resource is created for the flower Deployment
+ ##
+ enabled: false
+
+ ## the `apiVersion` to use for PodDisruptionBudget resources
+ ## - for Kubernetes 1.21 and later: "policy/v1"
+ ## - for Kubernetes 1.20 and before: "policy/v1beta1"
+ ##
+ apiVersion: policy/v1
+
+ ## the maximum unavailable pods/percentage for the flower Deployment
+ ##
+ maxUnavailable: ""
+
+ ## the minimum available pods/percentage for the flower Deployment
+ ##
+ minAvailable: ""
+
+ ## the name of a pre-created secret containing the basic authentication value for flower
+ ## - this will override any value of `config.AIRFLOW__CELERY__FLOWER_BASIC_AUTH`
+ ##
+ basicAuthSecret: ""
+
+ ## the key within `flower.basicAuthSecret` containing the basic authentication string
+ ##
+ basicAuthSecretKey: ""
+
+ ## configs for the Service of the flower Pods
+ ##
+ service:
+ annotations: {}
+ type: ClusterIP
+ externalPort: 5555
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ nodePort:
+ http:
+
+ ## configs for the flower Pods' readinessProbe probe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+
+ ## configs for the flower Pods' liveness probe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+
+ ## extra pip packages to install in the flower Pod
+ ##
+ ## ____ EXAMPLE _______________
+ ## extraPipPackages:
+ ## - "SomeProject==1.0.0"
+ ##
+ extraPipPackages: []
+
+ ## extra VolumeMounts for the flower Pods
+ ## - spec for VolumeMount:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volumemount-v1-core
+ ##
+ extraVolumeMounts: []
+
+ ## extra Volumes for the flower Pods
+ ## - spec for Volume:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#volume-v1-core
+ ##
+ extraVolumes: []
+
+###################################
+## CONFIG | Airflow Logs
+###################################
+logs:
+ ## the airflow logs folder
+ ##
+ path: /opt/airflow/logs
+
+ ## configs for the logs PVC
+ ##
+ persistence:
+ ## if a persistent volume is mounted at `logs.path`
+ ##
+ enabled: false
+
+ ## the name of an existing PVC to use
+ ##
+ existingClaim: ""
+
+ ## sub-path under `logs.persistence.existingClaim` to use
+ ##
+ subPath: ""
+
+ ## the name of the StorageClass used by the PVC
+ ## - if set to "", then `PersistentVolumeClaim/spec.storageClassName` is omitted
+ ## - if set to "-", then `PersistentVolumeClaim/spec.storageClassName` is set to ""
+ ##
+ storageClass: ""
+
+ ## the access mode of the PVC
+ ## - [WARNING] must be "ReadWriteMany" or airflow pods will fail to start
+ ##
+ accessMode: ReadWriteMany
+
+ ## the size of PVC to request
+ ##
+ size: 1Gi
+
+###################################
+## CONFIG | Airflow DAGs
+###################################
+dags:
+ ## the airflow dags folder
+ ##
+ path: /opt/airflow/dags
+
+ ## configs for the dags PVC
+ ##
+ persistence:
+ ## if a persistent volume is mounted at `dags.path`
+ ##
+ enabled: false
+
+ ## the name of an existing PVC to use
+ ##
+ existingClaim: ""
+
+ ## sub-path under `dags.persistence.existingClaim` to use
+ ##
+ subPath: ""
+
+ ## the name of the StorageClass used by the PVC
+ ## - if set to "", then `PersistentVolumeClaim/spec.storageClassName` is omitted
+ ## - if set to "-", then `PersistentVolumeClaim/spec.storageClassName` is set to ""
+ ##
+ storageClass: ""
+
+ ## the access mode of the PVC
+ ## - [WARNING] must be "ReadOnlyMany" or "ReadWriteMany" otherwise airflow pods will fail to start
+ ##
+ accessMode: ReadOnlyMany
+
+ ## the size of PVC to request
+ ##
+ size: 1Gi
+
+ ## configs for the git-sync sidecar (https://github.com/kubernetes/git-sync)
+ ##
+ gitSync:
+ ## if the git-sync sidecar container is enabled
+ ##
+ enabled: false
+
+ ## the git-sync container image
+ ##
+ image:
+ repository: registry.k8s.io/git-sync/git-sync
+ tag: v3.6.5
+ pullPolicy: IfNotPresent
+ uid: 65533
+ gid: 65533
+
+ ## resource requests/limits for the git-sync container
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the url of the git repo
+ ##
+ ## ____ EXAMPLE _______________
+ ## # https git repo
+ ## repo: "https://github.com/USERNAME/REPOSITORY.git"
+ ##
+ ## ____ EXAMPLE _______________
+ ## # ssh git repo
+ ## repo: "git@github.com:USERNAME/REPOSITORY.git"
+ ##
+ repo: "https://github.com/DeepPharmGraph/dpg-processing-dags"
+
+ ## the sub-path within your repo where dags are located
+ ## - only dags under this path within your repo will be seen by airflow,
+ ## (note, the full repo will still be cloned)
+ ##
+ repoSubPath: "dags"
+
+ ## the git branch to check out
+ ##
+ branch: forging.cc
+
+ ## the git revision (tag or hash) to check out
+ ##
+ revision: HEAD
+
+ ## shallow clone with a history truncated to the specified number of commits
+ ##
+ depth: 1
+
+ ## the number of seconds between syncs
+ ##
+ syncWait: 60
+
+ ## the max number of seconds allowed for a complete sync
+ ##
+ syncTimeout: 120
+
+ ## the git submodule behavior
+ ## - allowed values: "recursive", "shallow", "off"
+ ##
+ submodules: recursive
+
+ ## the name of a pre-created Secret with git http credentials
+ ##
+ httpSecret: ""
+
+ ## the key in `dags.gitSync.httpSecret` with your git username
+ ##
+ httpSecretUsernameKey: username
+
+ ## the key in `dags.gitSync.httpSecret` with your git password/token
+ ##
+ httpSecretPasswordKey: password
+
+ ## the name of a pre-created Secret with git ssh credentials
+ ##
+ sshSecret: ""
+
+ ## the key in `dags.gitSync.sshSecret` with your ssh-key file
+ ##
+ sshSecretKey: id_rsa
+
+ ## the string value of a "known_hosts" file (for SSH only)
+ ## - [WARNING] known_hosts verification will be disabled if left empty, making you more
+ ## vulnerable to repo spoofing attacks
+ ##
+ ## ____ EXAMPLE _______________
+ ## sshKnownHosts: |-
+ ## ssh-rsa
+ ##
+ sshKnownHosts: ""
+
+ ## the number of consecutive failures allowed before aborting
+ ## - the first sync must succeed
+ ## - a value of -1 will retry forever after the initial sync
+ ##
+ maxFailures: 0
+
+###################################
+## CONFIG | Kubernetes Ingress
+###################################
+ingress:
+ ## if we should deploy Ingress resources
+ ##
+ enabled: false
+
+ ## the `apiVersion` to use for Ingress resources
+ ## - for Kubernetes 1.19 and later: "networking.k8s.io/v1"
+ ## - for Kubernetes 1.18 and before: "networking.k8s.io/v1beta1"
+ ##
+ apiVersion: networking.k8s.io/v1
+
+ ## configs for the Ingress of the web Service
+ ##
+ web:
+ ## annotations for the web Ingress
+ ##
+ annotations: {}
+
+ ## additional labels for the web Ingress
+ ##
+ labels: {}
+
+ ## the path for the web Ingress
+ ## - [WARNING] do NOT include the trailing slash (for root, set an empty string)
+ ##
+ ## ____ EXAMPLE _______________
+ ## # webserver URL: http://example.com/airflow
+ ## path: "/airflow"
+ ##
+ path: ""
+
+ ## the hostname for the web Ingress
+ ##
+ host: ""
+
+ ## the Ingress Class for the web Ingress
+ ## - [WARNING] requires Kubernetes 1.18 or later, use "kubernetes.io/ingress.class" annotation for older versions
+ ##
+ ingressClassName: ""
+
+ ## configs for web Ingress TLS
+ ##
+ tls:
+ ## enable TLS termination for the web Ingress
+ ##
+ enabled: false
+
+ ## the name of a pre-created Secret containing a TLS private key and certificate
+ ##
+ secretName: ""
+
+ ## http paths to add to the web Ingress before the default path
+ ##
+ ## ____ EXAMPLE _______________
+ ## precedingPaths:
+ ## - path: "/*"
+ ## serviceName: "my-service"
+ ## servicePort: "port-name"
+ ##
+ precedingPaths: []
+
+ ## http paths to add to the web Ingress after the default path
+ ##
+ ## ____ EXAMPLE _______________
+ ## succeedingPaths:
+ ## - path: "/extra-service"
+ ## serviceName: "my-service"
+ ## servicePort: "port-name"
+ ##
+ succeedingPaths: []
+
+ ## configs for the Ingress of the flower Service
+ ##
+ flower:
+ ## annotations for the flower Ingress
+ ##
+ annotations: {}
+
+ ## additional labels for the flower Ingress
+ ##
+ labels: {}
+
+ ## the path for the flower Ingress
+ ## - [WARNING] do NOT include the trailing slash (for root, set an empty string)
+ ##
+ ## ____ EXAMPLE _______________
+ ## # flower URL: http://example.com/airflow/flower
+ ## path: "/airflow/flower"
+ ##
+ path: ""
+
+ ## the hostname for the flower Ingress
+ ##
+ host: ""
+
+ ## the Ingress Class for the flower Ingress
+ ## - [WARNING] requires Kubernetes 1.18 or later, use "kubernetes.io/ingress.class" annotation for older versions
+ ##
+ ingressClassName: ""
+
+ ## configs for flower Ingress TLS
+ ##
+ tls:
+ ## enable TLS termination for the flower Ingress
+ ##
+ enabled: false
+
+ ## the name of a pre-created Secret containing a TLS private key and certificate
+ ##
+ secretName: ""
+
+ ## http paths to add to the flower Ingress before the default path
+ ##
+ ## ____ EXAMPLE _______________
+ ## precedingPaths:
+ ## - path: "/*"
+ ## serviceName: "my-service"
+ ## servicePort: "port-name"
+ ##
+ precedingPaths: []
+
+ ## http paths to add to the flower Ingress after the default path
+ ##
+ ## ____ EXAMPLE _______________
+ ## succeedingPaths:
+ ## - path: "/extra-service"
+ ## serviceName: "my-service"
+ ## servicePort: "port-name"
+ ##
+ succeedingPaths: []
+
+###################################
+## CONFIG | Kubernetes RBAC
+###################################
+rbac:
+ ## if Kubernetes RBAC resources are created
+ ## - these allow the service account to create/delete Pods in the airflow namespace,
+ ## which is required for the KubernetesPodOperator() to function
+ ##
+ create: true
+
+ ## if the created RBAC Role has GET/LIST on Event resources
+ ## - this is needed for KubernetesPodOperator() to use `log_events_on_failure=True`
+ ##
+ events: true
+
+###################################
+## CONFIG | Kubernetes ServiceAccount
+###################################
+serviceAccount:
+ ## if a Kubernetes ServiceAccount is created
+ ## - if `false`, you must create the service account outside this chart with name: `serviceAccount.name`
+ ##
+ create: true
+
+ ## the name of the ServiceAccount
+ ## - by default the name is generated using the `airflow.serviceAccountName` template in `_helpers/common.tpl`
+ ##
+ name: ""
+
+ ## annotations for the ServiceAccount
+ ##
+ ## ____ EXAMPLE _______________
+ ## # EKS - IAM Roles for Service Accounts
+ ## annotations:
+ ## eks.amazonaws.com/role-arn: "arn:aws:iam::XXXXXXXXXX:role/<>"
+ ##
+ ## ____ EXAMPLE _______________
+ ## # GKE - WorkloadIdentity
+ ## annotations:
+ ## iam.gke.io/gcp-service-account: "<>@<>.iam.gserviceaccount.com"
+ ##
+ annotations: {}
+
+###################################
+## CONFIG | Kubernetes Extra Manifests
+###################################
+## a list of extra Kubernetes manifests that will be deployed alongside the chart
+## - helm templates within these strings will be rendered
+##
+## ____ EXAMPLE _______________
+## extraManifests:
+## - |
+## apiVersion: v1
+## kind: Secret
+## metadata:
+## name: airflow-postgres
+## data:
+## postgresql-password: {{ `password1` | b64enc | quote }}
+## - |
+## apiVersion: apps/v1
+## kind: Deployment
+## metadata:
+## name: {{ include "airflow.fullname" . }}-busybox
+## labels:
+## app: {{ include "airflow.labels.app" . }}
+## component: busybox
+## chart: {{ include "airflow.labels.chart" . }}
+## release: {{ .Release.Name }}
+## heritage: {{ .Release.Service }}
+## spec:
+## replicas: 1
+## selector:
+## matchLabels:
+## app: {{ include "airflow.labels.app" . }}
+## component: busybox
+## release: {{ .Release.Name }}
+## template:
+## metadata:
+## labels:
+## app: {{ include "airflow.labels.app" . }}
+## component: busybox
+## release: {{ .Release.Name }}
+## spec:
+## containers:
+## - name: busybox
+## image: busybox:1.35
+## command:
+## - "/bin/sh"
+## - "-c"
+## args:
+## - |
+## ## to break the infinite loop when we receive SIGTERM
+## trap "exit 0" SIGTERM;
+## ## keep the container running (so people can `kubectl exec -it` into it)
+## while true; do
+## echo "I am alive...";
+## sleep 30;
+## done
+##
+extraManifests: []
+
+###################################
+## DATABASE | PgBouncer
+###################################
+pgbouncer:
+ ## if the pgbouncer Deployment is created
+ ##
+ enabled: true
+
+ ## configs for the pgbouncer container image
+ ##
+ image:
+ repository: ghcr.io/airflow-helm/pgbouncer
+ tag: 1.18.0-patch.1
+ pullPolicy: IfNotPresent
+ uid: 1001
+ gid: 1001
+
+ ## resource requests/limits for the pgbouncer Pods
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the pgbouncer Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the pgbouncer Pods
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the pgbouncer Pods
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## the security context for the pgbouncer Pods
+ ## - spec for PodSecurityContext:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+ ##
+ securityContext: {}
+
+ ## Labels for the pgbouncer Deployment
+ ##
+ labels: {}
+
+ ## Pod labels for the pgbouncer Deployment
+ ##
+ podLabels: {}
+
+ ## annotations for the pgbouncer Deployment
+ ##
+ annotations: {}
+
+ ## Pod annotations for the pgbouncer Deployment
+ ##
+ podAnnotations: {}
+
+ ## if we add the annotation: "cluster-autoscaler.kubernetes.io/safe-to-evict" = "true"
+ ##
+ safeToEvict: true
+
+ ## configs for the PodDisruptionBudget of the pgbouncer Deployment
+ ##
+ podDisruptionBudget:
+ ## if a PodDisruptionBudget resource is created for the pgbouncer Deployment
+ ##
+ enabled: false
+
+ ## the `apiVersion` to use for PodDisruptionBudget resources
+ ## - for Kubernetes 1.21 and later: "policy/v1"
+ ## - for Kubernetes 1.20 and before: "policy/v1beta1"
+ ##
+ apiVersion: policy/v1
+
+ ## the maximum unavailable pods/percentage for the pgbouncer Deployment
+ ##
+ maxUnavailable:
+
+ ## the minimum available pods/percentage for the pgbouncer Deployment
+ ##
+ minAvailable:
+
+ ## configs for the pgbouncer Pods' liveness probe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ timeoutSeconds: 60
+ failureThreshold: 3
+
+ ## configs for the pgbouncer Pods' startup probe
+ ##
+ startupProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 15
+ failureThreshold: 30
+
+ ## the maximum number of seconds to wait for queries upon pod termination, before force killing
+ ##
+ terminationGracePeriodSeconds: 120
+
+ ## sets pgbouncer config: `auth_type`
+ ##
+ authType: md5
+
+ ## sets pgbouncer config: `max_client_conn`
+ ##
+ maxClientConnections: 1000
+
+ ## sets pgbouncer config: `default_pool_size`
+ ##
+ poolSize: 20
+
+ ## sets pgbouncer config: `log_disconnections`
+ ##
+ logDisconnections: 0
+
+ ## sets pgbouncer config: `log_connections`
+ ##
+ logConnections: 0
+
+ ## ssl configs for: clients -> pgbouncer
+ ##
+ clientSSL:
+ ## sets pgbouncer config: `client_tls_sslmode`
+ ##
+ mode: prefer
+
+ ## sets pgbouncer config: `client_tls_ciphers`
+ ##
+ ciphers: normal
+
+ ## sets pgbouncer config: `client_tls_ca_file`
+ ##
+ caFile:
+ existingSecret: ""
+ existingSecretKey: root.crt
+
+ ## sets pgbouncer config: `client_tls_key_file`
+ ## - [WARNING] a self-signed cert & key are generated if left empty
+ ##
+ keyFile:
+ existingSecret: ""
+ existingSecretKey: client.key
+
+ ## sets pgbouncer config: `client_tls_cert_file`
+ ## - [WARNING] a self-signed cert & key are generated if left empty
+ ##
+ certFile:
+ existingSecret: ""
+ existingSecretKey: client.crt
+
+ ## ssl configs for: pgbouncer -> postgres
+ ##
+ serverSSL:
+ ## sets pgbouncer config: `server_tls_sslmode`
+ ##
+ mode: prefer
+
+ ## sets pgbouncer config: `server_tls_ciphers`
+ ##
+ ciphers: normal
+
+ ## sets pgbouncer config: `server_tls_ca_file`
+ ##
+ caFile:
+ existingSecret: ""
+ existingSecretKey: root.crt
+
+ ## sets pgbouncer config: `server_tls_key_file`
+ ##
+ keyFile:
+ existingSecret: ""
+ existingSecretKey: server.key
+
+ ## sets pgbouncer config: `server_tls_cert_file`
+ ##
+ certFile:
+ existingSecret: ""
+ existingSecretKey: server.crt
+
+###################################
+## DATABASE | Embedded Postgres
+###################################
+postgresql:
+ ## if the `stable/postgresql` chart is used
+ ## - [WARNING] the embedded Postgres is NOT SUITABLE for production deployments of Airflow
+ ## - [WARNING] consider using an external database with `externalDatabase.*`
+ ## - set to `false` if using `externalDatabase.*`
+ ##
+ enabled: false
+
+ ## configs for the postgres container image
+ ##
+ image:
+ registry: ghcr.io
+ repository: airflow-helm/postgresql-bitnami
+ tag: 11.16-patch.0
+ pullPolicy: IfNotPresent
+
+ ## the postgres database to use
+ ##
+ postgresqlDatabase: airflow
+
+ ## the postgres user to create
+ ##
+ postgresqlUsername: postgres
+
+ ## the postgres user's password
+ ##
+ postgresqlPassword: airflow
+
+ ## the name of a pre-created secret containing the postgres password
+ ##
+ existingSecret: ""
+
+ ## the key within `postgresql.existingSecret` containing the password string
+ ##
+ existingSecretKey: "postgresql-password"
+
+ ## configs for the PVC of postgresql
+ ##
+ persistence:
+ ## if postgres will use Persistent Volume Claims to store data
+ ## - [WARNING] if false, data will be LOST as postgres Pods restart
+ ##
+ enabled: true
+
+ ## the name of the StorageClass used by the PVC
+ ##
+ storageClass: ""
+
+ ## the access modes of the PVC
+ ##
+ accessModes:
+ - ReadWriteOnce
+
+ ## the size of PVC to request
+ ##
+ size: 8Gi
+
+ ## configs for the postgres StatefulSet
+ ##
+ master:
+ ## the nodeSelector configs for the postgres Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the postgres Pods
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the postgres Pods
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## annotations for the postgres Pods
+ ##
+ podAnnotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+
+###################################
+## DATABASE | External Database
+###################################
+externalDatabase:
+ ## the type of external database
+ ## - allowed values: "mysql", "postgres"
+ ##
+ type: postgres
+
+ ## the host of the external database
+ ##
+ host: airflow-postgres-rw
+
+ ## the port of the external database
+ ##
+ port: 5432
+
+ ## the database/scheme to use within the external database
+ ##
+ database: app
+
+ ## the username for the external database
+ ##
+ user: ""
+
+ ## the name of a pre-created secret containing the external database user
+ ## - if set, this overrides `externalDatabase.user`
+ ##
+ userSecret: "airflow-postgres-app"
+
+ ## the key within `externalDatabase.userSecret` containing the user string
+ ##
+ userSecretKey: "user"
+
+ ## the password for the external database
+ ## - [WARNING] to avoid storing the password in plain-text within your values,
+ ## create a Kubernetes secret and use `externalDatabase.passwordSecret`
+ ##
+ password: ""
+
+ ## the name of a pre-created secret containing the external database password
+ ## - if set, this overrides `externalDatabase.password`
+ ##
+ passwordSecret: "airflow-postgres-app"
+
+ ## the key within `externalDatabase.passwordSecret` containing the password string
+ ##
+ passwordSecretKey: "password"
+
+ ## extra connection-string properties for the external database
+ ##
+ ## ____ EXAMPLE _______________
+ ## # require SSL (only for Postgres)
+ ## properties: "?sslmode=require"
+ ##
+ properties: ""
+
+###################################
+## DATABASE | Embedded Redis
+###################################
+redis:
+ ## if the `stable/redis` chart is used
+ ## - set to `false` if `airflow.executor` is `KubernetesExecutor`
+ ## - set to `false` if using `externalRedis.*`
+ ##
+ enabled: false
+
+ ## configs for the redis container image
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/redis
+ tag: 5.0.14-debian-10-r173
+ pullPolicy: IfNotPresent
+
+ ## the redis password
+ ##
+ password: airflow
+
+ ## the name of a pre-created secret containing the redis password
+ ##
+ existingSecret: ""
+
+ ## the key within `redis.existingSecret` containing the password string
+ ##
+ existingSecretPasswordKey: "redis-password"
+
+ ## configs for redis cluster mode
+ ##
+ cluster:
+ ## if redis runs in cluster mode
+ ##
+ enabled: false
+
+ ## the number of redis slaves
+ ##
+ slaveCount: 1
+
+ ## configs for the redis master StatefulSet
+ ##
+ master:
+ ## resource requests/limits for the redis master Pods
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the redis master Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the redis master Pods
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the redis master Pods
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## annotations for the redis master Pods
+ ##
+ podAnnotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+
+ ## configs for the PVC of the redis master Pods
+ ##
+ persistence:
+ ## use a PVC to persist data
+ ##
+ enabled: false
+
+ ## the name of the StorageClass used by the PVC
+ ##
+ storageClass: ""
+
+ ## the access mode of the PVC
+ ##
+ accessModes:
+ - ReadWriteOnce
+
+ ## the size of PVC to request
+ ##
+ size: 8Gi
+
+ ## configs for the redis slave StatefulSet
+ ## - only used if `redis.cluster.enabled` is `true`
+ ##
+ slave:
+ ## resource requests/limits for the slave Pods
+ ## - spec for ResourceRequirements:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#resourcerequirements-v1-core
+ ##
+ resources: {}
+
+ ## the nodeSelector configs for the redis slave Pods
+ ## - docs for nodeSelector:
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ ##
+ nodeSelector: {}
+
+ ## the affinity configs for the redis slave Pods
+ ## - spec for Affinity:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
+ ##
+ affinity: {}
+
+ ## the toleration configs for the redis slave Pods
+ ## - spec for Toleration:
+ ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#toleration-v1-core
+ ##
+ tolerations: []
+
+ ## annotations for the slave Pods
+ ##
+ podAnnotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+
+ ## configs for the PVC of the redis slave Pods
+ ##
+ persistence:
+ ## use a PVC to persist data
+ ##
+ enabled: false
+
+ ## the name of the StorageClass used by the PVC
+ ##
+ storageClass: ""
+
+ ## the access mode of the PVC
+ ##
+ accessModes:
+ - ReadWriteOnce
+
+ ## the size of PVC to request
+ ##
+ size: 8Gi
+
+###################################
+## DATABASE | External Redis
+###################################
+externalRedis:
+ ## the host of the external redis
+ ##
+ host: ~
+
+ ## the port of the external redis
+ ##
+ port: ~
+
+ ## the database number to use within the external redis
+ ##
+ databaseNumber: 1
+
+ ## the password for the external redis
+ ## - [WARNING] to avoid storing the password in plain-text within your values,
+ ## create a Kubernetes secret and use `externalRedis.passwordSecret`
+ ##
+ password: ""
+
+ ## the name of a pre-created secret containing the external redis password
+ ## - if set, this overrides `externalRedis.password`
+ ##
+ passwordSecret: ~
+
+ ## the key within `externalRedis.passwordSecret` containing the password string
+ ##
+ passwordSecretKey: ~
+
+ ## extra connection-string properties for the external redis
+ ##
+ ## ____ EXAMPLE _______________
+ ## properties: "?ssl_cert_reqs=CERT_OPTIONAL"
+ ##
+ properties: ""
+
+###################################
+## CONFIG | ServiceMonitor (Prometheus Operator)
+###################################
+serviceMonitor:
+ ## if ServiceMonitor resources should be deployed for airflow webserver
+ ## - [WARNING] you will need a metrics exporter in your `airflow.image`, for example:
+ ## https://github.com/epoch8/airflow-exporter
+ ## - ServiceMonitor is a resource from prometheus-operator:
+ ## https://github.com/prometheus-operator/prometheus-operator
+ ##
+ enabled: false
+
+ ## labels for ServiceMonitor, so that Prometheus can select it
+ ##
+ selector:
+ prometheus: kube-prometheus
+
+ ## the ServiceMonitor web endpoint path
+ ##
+ path: /admin/metrics
+
+ ## the ServiceMonitor web endpoint interval
+ ##
+ interval: "30s"
+
+###################################
+## CONFIG | PrometheusRule (Prometheus Operator)
+###################################
+prometheusRule:
+ ## if PrometheusRule resources should be deployed for airflow webserver
+ ## - [WARNING] you will need a metrics exporter in your `airflow.image`, for example:
+ ## https://github.com/epoch8/airflow-exporter
+ ## - PrometheusRule is a resource from prometheus-operator:
+ ## https://github.com/prometheus-operator/prometheus-operator
+ ##
+ enabled: false
+
+ ## labels for PrometheusRule, so that Prometheus can select it
+ ##
+ additionalLabels: {}
+
+ ## alerting rules for Prometheus
+ ## - docs for alerting rules: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
+ ##
+ groups: []
diff --git a/cluster-local/keycloak-provider/deploymentruntimeconfig.yaml b/cluster-local/keycloak-provider/deploymentruntimeconfig.yaml
index 7e561f1..b3b48ea 100644
--- a/cluster-local/keycloak-provider/deploymentruntimeconfig.yaml
+++ b/cluster-local/keycloak-provider/deploymentruntimeconfig.yaml
@@ -18,8 +18,7 @@ spec:
value: |
{
"client_id": "crossplane",
- "url": "https://auth.shamrock.systems",
+ "client_secret": "ShamroclLocalDevSecret",
+ "url": "http://id.dev.lan.shamrock.systems",
"realm": "master"
}
- - name: KEYCLOAK_CLIENT_SECRET
- value: ShamroclLocalDevSecret
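Review bot: The added `"client_secret"` line keeps the Keycloak client secret as a literal in a committed manifest, and the new `"url"` moves from https to `http://`, so the provider would present that secret and receive tokens over an unencrypted connection. Even for a local cluster I would keep the credentials JSON out of the repository and reference a Secret instead, for example replacing the inline `value: |` with `valueFrom: {secretKeyRef: {name: <credentials-secret>, key: <key>}}` (placeholder names). That assumes this is a container env entry; the enclosing block starts outside the hunk. If plain HTTP is intended for local use only, a comment above the `value: |` line such as `# local dev only: plain-HTTP Keycloak endpoint, do not reuse outside cluster-local` would make that explicit.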
diff --git a/cluster-local/keycloak/deployment.yaml b/cluster-local/keycloak/deployment.yaml
index 37d2726..2faa251 100644
--- a/cluster-local/keycloak/deployment.yaml
+++ b/cluster-local/keycloak/deployment.yaml
@@ -21,7 +21,7 @@ spec:
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:23.0
- args: ["start"]
+ args: ["start-dev"]
env:
- name: KEYCLOAK_ADMIN
value: "admin"
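Review bot: Switching `args` to `["start-dev"]` runs Keycloak in development mode, which serves plain HTTP and relaxes the hostname checks, while the admin account stays at `admin` with the literal `"password"` visible in the next hunk's context. That combination is only tolerable if this manifest can never be applied outside the local cluster, so I would say so next to the change: `# start-dev: local cluster only; plain HTTP and relaxed hostname checks`. I would also take the admin credentials from a Secret (`valueFrom: {secretKeyRef: {name: <admin-secret>, key: <key>}}`, placeholder names) rather than inline values. The following hunk's removal of `KC_PROXY` and `KC_HOSTNAME_STRICT_HTTPS` follows from the mode change and needs no separate comment; the container spec continues outside both hunks.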
@@ -29,10 +29,6 @@ spec:
value: "password"
- name: KC_HOSTNAME
value: "id.dev.lan.shamrock.systems"
- - name: KC_PROXY
- value: "edge"
- - name: KC_HOSTNAME_STRICT_HTTPS
- value: "false"
- name: KC_DB
value: "postgres"
- name: KC_DB_URL
diff --git a/cluster-local/whoami/deployment.yaml b/cluster-local/whoami/deployment.yaml
new file mode 100644
index 0000000..c77a560
--- /dev/null
+++ b/cluster-local/whoami/deployment.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: whoami
+ namespace: whoami
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: whoami
+ template:
+ metadata:
+ labels:
+ app: whoami
+ spec:
+ containers:
+ - name: whoami
+ image: traefik/whoami:latest
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 50m
+ memory: 60Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ ports:
+ - containerPort: 80
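Review bot: `image: traefik/whoami:latest` combined with `imagePullPolicy: IfNotPresent` means each node keeps whichever `latest` it pulled first, so the running image is neither reproducible nor verifiable. Pin a version tag, ideally with a digest. The container also has no `securityContext`. I would add the restrictive defaults shown below and, if the bind on port 80 then fails in this runtime, add `NET_BIND_SERVICE` back under `capabilities.add`. This service is routed through the shared gateway by the HTTPRoute in this commit, so it is worth keeping it minimal-privilege even as a test workload.

```yaml
        - name: whoami
          image: traefik/whoami:<pinned-tag>@sha256:<digest>
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: resources, ports …
```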
diff --git a/cluster-local/whoami/httproute.yaml b/cluster-local/whoami/httproute.yaml
new file mode 100644
index 0000000..6a2384d
--- /dev/null
+++ b/cluster-local/whoami/httproute.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-whoami
+ namespace: whoami
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: eg
+ namespace: envoy-gateway-system
+ hostnames: [whoami.dev.lan.shamrock.systems]
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: whoami
+ port: 80
diff --git a/cluster-local/whoami/kustomization.yaml b/cluster-local/whoami/kustomization.yaml
new file mode 100644
index 0000000..42e8fa2
--- /dev/null
+++ b/cluster-local/whoami/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./namespace.yaml
+ - ./deployment.yaml
+ - ./service.yaml
+ - ./httproute.yaml
diff --git a/cluster-local/whoami/namespace.yaml b/cluster-local/whoami/namespace.yaml
new file mode 100644
index 0000000..435d009
--- /dev/null
+++ b/cluster-local/whoami/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: whoami
+ labels:
+ name: whoami
diff --git a/cluster-local/whoami/service.yaml b/cluster-local/whoami/service.yaml
new file mode 100644
index 0000000..686bc94
--- /dev/null
+++ b/cluster-local/whoami/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: whoami
+ namespace: whoami
+spec:
+ selector:
+ app: whoami
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
diff --git a/kustomanager/templates/cluster-local.localgen.yaml.j2 b/kustomanager/templates/cluster-local.localgen.yaml.j2
index a1209bd..af08135 100644
--- a/kustomanager/templates/cluster-local.localgen.yaml.j2
+++ b/kustomanager/templates/cluster-local.localgen.yaml.j2
@@ -24,6 +24,9 @@ ports:
- # Envoy Gateway
port: 80:30000
nodeFilters: ["server:0:direct"]
+registries:
+ create:
+ name: registry.dev.lan.shamrock.systems
options:
k3d:
disableLoadbalancer: true