Merge pull request #23 from stackhpc/feature/helm-install-nfs

Convert Rook NFS to a Helm chart and install it as a Slurm chart dependency

.github/workflows/publish-helm-chart.yml

@@ -1,37 +1,26 @@
-name: Release Charts
-
-on:
-  push:
-    branches:
-      - main
-
+name: Publish charts
+# Run the tasks on every push
+on: push
 jobs:
-  release:
-    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
-    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
-    permissions:
-      contents: write
+  publish_charts:
+    name: Build and push Helm charts
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+      - name: Check out the repository
+        uses: actions/checkout@v2
         with:
+          # This is important for the semver action to work correctly
+          # when determining the number of commits since the last tag
           fetch-depth: 0
+          submodules: true
 
-      - name: Configure Git
-        run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Get SemVer version for current commit
+        id: semver
+        uses: stackhpc/github-actions/semver@master
 
-      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.5.0
+      - name: Publish Helm charts
+        uses: stackhpc/github-actions/helm-publish@master
         with:
-          charts_dir: .
-        env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-
+          token: ${{ secrets.GITHUB_TOKEN }}
+          version: ${{ steps.semver.outputs.version }}
+          app-version: ${{ steps.semver.outputs.short-sha }}

.gitignore

@@ -0,0 +1,3 @@
+# Build artifacts from local helm install
+slurm-cluster-chart/Chart.lock
+slurm-cluster-chart/charts/

README.md

@@ -1,8 +1,7 @@
 # Slurm Docker Cluster
 
-This is a multi-container Slurm cluster using Kubernetes.  The Helm chart
-creates a named volume for persistent storage of MySQL data files as well as
-an NFS volume for shared storage.
+This is a multi-container Slurm cluster using Kubernetes. The Slurm cluster Helm chart creates a named volume for persistent storage of MySQL data files. By default, it also installs the
+RookNFS Helm chart (also in this repo) to provide shared storage across the Slurm cluster nodes.
 
 ## Dependencies
 
@@ -27,47 +26,51 @@ The Helm chart will create the following named volumes:
 
 * var_lib_mysql     ( -> /var/lib/mysql )
 
-A named ReadWriteMany (RWX) volume mounted to `/home` is also expected, this can be external or can be deployed using the scripts in the `/nfs` directory (See "Deploying the Cluster")
+A named ReadWriteMany (RWX) volume mounted to `/home` is also expected, this can be external or can be deployed using the provided `rooknfs` chart directory (See "Deploying the Cluster").
 
 ## Configuring the Cluster
 
-All config files in `slurm-cluster-chart/files` will be mounted into the container to configure their respective services on startup. Note that changes to these files will not all be propagated to existing deployments (see "Reconfiguring the Cluster").
-Additional parameters can be found in the `values.yaml` file, which will be applied on a Helm chart deployment. Note that some of these values will also not propagate until the cluster is restarted (see "Reconfiguring the Cluster").
+All config files in `slurm-cluster-chart/files` will be mounted into the container to configure their respective services on startup. Note that changes to these files will not all be propagated to existing deployments (see "Reconfiguring the Cluster"). Additional parameters can be found in the `values.yaml` file for the Helm chart. Note that some of these values will also not propagate until the cluster is restarted (see "Reconfiguring the Cluster").
 
 ## Deploying the Cluster
 
 ### Generating Cluster Secrets
 
 On initial deployment ONLY, run
 ```console
-./generate-secrets.sh
+./generate-secrets.sh [<target-namespace>]
 ```
-This generates a set of secrets. If these need to be regenerated, see "Reconfiguring the Cluster"
+This generates a set of secrets in the target namespace to be used by the Slurm cluster. If these need to be regenerated, see "Reconfiguring the Cluster"
 
 Be sure to take note of the Open Ondemand credentials, you will need them to access the cluster through a browser
 
 ### Connecting RWX Volume
 
-A ReadWriteMany (RWX) volume is required, if a named volume exists, set `nfs.claimName` in the `values.yaml` file to its name. If not, manifests to deploy a Rook NFS volume are provided in the `/nfs` directory. You can deploy this by running
-```console
-./nfs/deploy-nfs.sh
-```
-and leaving `nfs.claimName` as the provided value.
+A ReadWriteMany (RWX) volume is required for shared storage across cluster nodes. By default, the Rook NFS Helm chart is installed as a dependency of the Slurm cluster chart in order to provide a RWX capable Storage Class for the required shared volume. If the target Kubernetes cluster has an existing storage class which should be used instead, then `storageClass` in `values.yaml` should be set to the name of this existing class and the RookNFS dependency should be disabled by setting `rooknfs.enabled = false`. In either case, the storage capacity of the provisioned RWX volume can be configured by setting the value of `storage.capacity`.
+
+See the separate RookNFS chart [values.yaml](./rooknfs/values.yaml) for further configuration options when using the RookNFS to provide the shared storage volume.
 
 ### Supplying Public Keys
 
 To access the cluster via `ssh`, you will need to make your public keys available. All your public keys from localhost can be added by running
 
 ```console
-./publish-keys.sh
+./publish-keys.sh [<target-namespace>]
 ```
+where `<target-namespace>` is the namespace in which the Slurm cluster chart will be deployed (i.e. using `helm install -n <target-namespace> ...`). This will create a Kubernetes Secret in the appropriate namespace for the Slurm cluster to use. Omitting the namespace arg will install the secrets in the default namespace.
 
 ### Deploying with Helm
 
 After configuring `kubectl` with the appropriate `kubeconfig` file, deploy the cluster using the Helm chart:
 ```console
 helm install <deployment-name> slurm-cluster-chart
 ```
+
+NOTE: If using the RookNFS dependency, then the following must be run before installing the Slurm cluster chart
+```console
+helm dependency update slurm-cluster-chart
+```
+
 Subsequent releases can be deployed using:
 
 ```console
@@ -130,6 +133,7 @@ srun singularity exec docker://ghcr.io/stackhpc/mpitests-container:${MPI_CONTAIN
 ```
 
 Note: The mpirun script assumes you are running as user 'rocky'. If you are running as root, you will need to include the --allow-run-as-root argument
+
 ## Reconfiguring the Cluster
 
 ### Changes to config files
@@ -173,3 +177,5 @@ and then restart the other dependent deployments to propagate changes:
 ```console
 kubectl rollout restart deployment slurmd slurmctld login slurmdbd
 ```
+
+# Known Issues

generate-secrets.sh

@@ -1,35 +1,39 @@
 #!/bin/bash
+NAMESPACE="$1"
+if [[ -z $1 ]]; then
+    NAMESPACE=default
+fi
 
-kubectl create secret generic database-auth-secret \
+kubectl -n $NAMESPACE create secret generic database-auth-secret \
 --dry-run=client \
 --from-literal=password=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32) \
 -o yaml | \
-kubectl apply -f -
+kubectl -n $NAMESPACE apply -f -
 
-kubectl create secret generic munge-key-secret \
+kubectl -n $NAMESPACE create secret generic munge-key-secret \
 --dry-run=client \
 --from-literal=munge.key=$(dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64 -w 0) \
 -o yaml | \
-kubectl apply -f -
+kubectl -n $NAMESPACE apply -f -
 
 mkdir -p ./temphostkeys/etc/ssh
 ssh-keygen -A -f ./temphostkeys
-kubectl create secret generic host-keys-secret \
+kubectl -n $NAMESPACE create secret generic host-keys-secret \
 --dry-run=client \
 --from-file=./temphostkeys/etc/ssh \
 -o yaml | \
-kubectl apply -f -
+kubectl -n $NAMESPACE apply -f -
 rm -rf ./temphostkeys
 
 OOD_PASS=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
 
-kubectl create secret generic htdbm-secret \
+kubectl -n $NAMESPACE create secret generic htdbm-secret \
 --dry-run=client \
 --from-literal=password=$OOD_PASS \
 -o yaml | \
-kubectl apply -f -
+kubectl -n $NAMESPACE apply -f -
 
 echo "Open Ondemand Credentials:"
 echo "Username: rocky"
 echo "Password: $OOD_PASS"
-OOD_PASS=""
+OOD_PASS=""

publish-keys.sh

@@ -1,3 +1,8 @@
-kubectl create configmap authorized-keys-configmap \
+NAMESPACE="$1"
+if [[ -z $1 ]]; then
+    NAMESPACE=default
+fi
+echo Installing in namespace $NAMESPACE
+kubectl -n $NAMESPACE create configmap authorized-keys-configmap \
 "--from-literal=authorized_keys=$(cat ~/.ssh/*.pub)" --dry-run=client -o yaml | \
-kubectl apply -f -
+kubectl  -n $NAMESPACE apply -f -

rooknfs/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v2
+name: rooknfs
+version: 0.0.1
+description: A packaged installation of Rook NFS for Kubernetes.

rooknfs/README.md

@@ -0,0 +1,3 @@
+# RookNFS Helm Chart
+
+See `values.yaml` for available config options.

rooknfs/templates/hooks/pre-delete.yaml

@@ -0,0 +1,50 @@
+# NOTE: The cleanup jobs defined here are required to ensure that things which
+# Rook NFS is responsible for cleaning up are deleted before deleting the Rook
+# pods which do the actual clean up of NFS resources. For example, the RWM PVC
+# must be deleted before the Rook StorageClass and provisioner pod. However,
+# the PVC cannot be deleted until the pods which are using it are deleted, so
+# the various Slurm node pods must actually be the first resources deleted.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rook-nfs-cleanup
+---
+# TODO: Create a job-specific ClusterRole for the ServiceAccount
+# instead of using the cluster-admin role here
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rook-nfs-cleanup
+subjects:
+- kind: ServiceAccount
+  name: rook-nfs-cleanup
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rook-nfs-pre-delete-cleanup
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "10"
+spec:
+  template:
+    metadata:
+      name: rook-nfs-pre-delete-cleanup
+    spec:
+      serviceAccountName:  rook-nfs-cleanup
+      containers:
+      - name: tester
+        image: bitnami/kubectl
+        command:
+         - "bin/bash"
+         - "-c"
+         - | 
+            kubectl delete -n {{ .Values.serverNamespace }} nfsservers {{ .Values.serverName }} --wait
+      restartPolicy: Never
+---

nfs/nfs.yaml → rooknfs/templates/nfs.yaml

@@ -3,30 +3,34 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: nfs-default-claim
-  namespace: rook-nfs
+  name: {{ .Values.claimName }}
+  namespace: {{ .Values.serverNamespace }}
 spec:
+  {{- if .Values.backingStorageClass }}
+  storageClassName: {{ .Values.backingStorageClass }}
+  {{- end }}
   accessModes:
   - ReadWriteMany
   resources:
     requests:
-      storage: 1Gi
+      storage: {{ .Values.storageCapacity }}
 ---
 apiVersion: nfs.rook.io/v1alpha1
 kind: NFSServer
 metadata:
-  name: rook-nfs
-  namespace: rook-nfs
+  name: {{ .Values.serverName }}
+  namespace: {{ .Values.serverNamespace }}
 spec:
   replicas: 1
   exports:
-  - name: share1
+  - name: {{ .Values.shareName }}
     server:
       accessMode: ReadWrite
       squash: "none"
     # A Persistent Volume Claim must be created before creating NFS CRD instance.
     persistentVolumeClaim:
-      claimName: nfs-default-claim
+      claimName: {{ .Values.claimName }}
   # A key/value list of annotations
   annotations:
     rook: nfs
+---

nfs/operator.yaml → rooknfs/templates/operator.yaml

@@ -1,13 +1,14 @@
+---
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: rook-nfs-system # namespace:operator
+  name: {{ .Values.systemNamespace }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: rook-nfs-operator
-  namespace: rook-nfs-system # namespace:operator
+  namespace: {{ .Values.systemNamespace }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -20,7 +21,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: rook-nfs-operator
-    namespace: rook-nfs-system # namespace:operator
+    namespace:  {{ .Values.systemNamespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -106,7 +107,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: rook-nfs-operator
-  namespace: rook-nfs-system # namespace:operator
+  namespace: {{ .Values.systemNamespace }}
   labels:
     app: rook-nfs-operator
 spec:
@@ -134,3 +135,4 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+---