Merge pull request #4052 from lsst-sqre/tickets/DM-45694

DM-45694: Create prototype Real-Bogus Labeling Service

applications/tasso/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

applications/tasso/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 0.1.0
+description: Cutout labeling service
+name: tasso
+sources:
+- https://github.com/lsst-dm/tasso
+type: application
+version: 1.0.0

applications/tasso/README.md

@@ -0,0 +1,29 @@
+# tasso
+
+Cutout labeling service
+
+## Source Code
+
+* <https://github.com/lsst-dm/tasso>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity rules for the tasso deployment pod |
+| config.logLevel | string | `"INFO"` | Logging level |
+| config.logProfile | string | `"production"` | Logging profile (`production` for JSON, `development` for human-friendly) |
+| config.pathPrefix | string | `"/tasso"` | URL path prefix |
+| config.slackAlerts | bool | `false` | Whether to send Slack alerts for unexpected failures |
+| global.baseUrl | string | Set by Argo CD | Base URL for the environment |
+| global.host | string | Set by Argo CD | Host name for ingress |
+| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
+| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the tasso image |
+| image.repository | string | `"ghcr.io/lsst-dm/tasso"` | Image to use in the tasso deployment |
+| image.tag | string | The appVersion of the chart | Tag of image to use |
+| ingress.annotations | object | `{}` | Additional annotations for the ingress rule |
+| nodeSelector | object | `{}` | Node selection rules for the tasso deployment pod |
+| podAnnotations | object | `{}` | Annotations for the tasso deployment pod |
+| replicaCount | int | `1` | Number of web deployment pods to start |
+| resources | object | See `values.yaml` | Resource limits and requests for the tasso deployment pod |
+| tolerations | list | `[]` | Tolerations for the tasso deployment pod |

applications/tasso/secrets.yaml

@@ -0,0 +1,8 @@
+slack-webhook:
+  description: >-
+    Slack web hook used to report internal errors to Slack. This secret may be
+    changed at any time.
+  if: config.slackAlerts
+  copy:
+    application: mobu
+    key: app-alert-webhook

applications/tasso/templates/_helpers.tpl

@@ -0,0 +1,26 @@
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "tasso.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "tasso.labels" -}}
+helm.sh/chart: {{ include "tasso.chart" . }}
+{{ include "tasso.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "tasso.selectorLabels" -}}
+app.kubernetes.io/name: "tasso"
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

applications/tasso/templates/configmap.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "tasso"
+  labels:
+    {{- include "tasso.labels" . | nindent 4 }}
+data:
+  TASSO_LOG_LEVEL: {{ .Values.config.logLevel | quote }}
+  TASSO_PATH_PREFIX: {{ .Values.config.pathPrefix | quote }}
+  TASSO_PROFILE: {{ .Values.config.logProfile | quote }}

applications/tasso/templates/deployment.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "tasso"
+  labels:
+    {{- include "tasso.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "tasso.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "tasso.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      automountServiceAccountToken: false
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- if .Values.config.slackAlerts }}
+          env:
+            - name: "TASSO_SLACK_WEBHOOK"
+              valueFrom:
+                secretKeyRef:
+                  name: "tasso"
+                  key: "slack-webhook"
+          {{- end }}
+          envFrom:
+            - configMapRef:
+                name: "tasso"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: "http"
+              containerPort: 8080
+              protocol: "TCP"
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: "http"
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "all"
+            readOnlyRootFilesystem: true
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000

applications/tasso/templates/ingress.yaml

@@ -0,0 +1,38 @@
+apiVersion: gafaelfawr.lsst.io/v1alpha1
+kind: GafaelfawrIngress
+metadata:
+  name: "tasso"
+  labels:
+    {{- include "tasso.labels" . | nindent 4 }}
+config:
+  baseUrl: {{ .Values.global.baseUrl | quote }}
+  scopes:
+    all:
+      - "read:image"
+  service: "tasso"
+template:
+  metadata:
+    name: "tasso"
+    {{- with .Values.ingress.annotations }}
+    annotations:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  spec:
+    rules:
+      - host: {{ required "global.host must be set" .Values.global.host | quote }}
+        http:
+          paths:
+            - path: {{ .Values.config.pathPrefix | quote }}
+              pathType: "Prefix"
+              backend:
+                service:
+                  name: "tasso"
+                  port:
+                    number: 8080
+            - path: "/webapp"
+              pathType: "Prefix"
+              backend:
+                service:
+                  name: "tasso"
+                  port:
+                    number: 8080

applications/tasso/templates/networkpolicy.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: "tasso"
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "tasso.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - "Ingress"
+  ingress:
+    # Allow inbound access from pods (in any namespace) labeled
+    # gafaelfawr.lsst.io/ingress: true.
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              gafaelfawr.lsst.io/ingress: "true"
+      ports:
+        - protocol: "TCP"
+          port: 8080

applications/tasso/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "tasso"
+  labels:
+    {{- include "tasso.labels" . | nindent 4 }}
+spec:
+  type: "ClusterIP"
+  ports:
+    - port: 8080
+      targetPort: "http"
+      protocol: "TCP"
+      name: "http"
+  selector:
+    {{- include "tasso.selectorLabels" . | nindent 4 }}

applications/tasso/templates/vault-secrets.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.config.slackAlerts -}}
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: "tasso"
+  labels:
+    {{- include "tasso.labels" . | nindent 4 }}
+spec:
+  path: "{{ .Values.global.vaultSecretsPath }}/tasso"
+  type: Opaque
+{{- end }}

applications/tasso/values-usdfdev.yaml

@@ -0,0 +1,10 @@
+image:
+  # -- Pull policy for the tasso image
+  pullPolicy: Always
+
+  # -- Tag of image to use
+  # @default -- The appVersion of the chart
+  tag: tickets-DM-45694
+
+config:
+  logLevel: "DEBUG"

applications/tasso/values.yaml

@@ -0,0 +1,66 @@
+# Default values for tasso.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# -- Number of web deployment pods to start
+replicaCount: 1
+
+image:
+  # -- Image to use in the tasso deployment
+  repository: "ghcr.io/lsst-dm/tasso"
+
+  # -- Pull policy for the tasso image
+  pullPolicy: "IfNotPresent"
+
+  # -- Tag of image to use
+  # @default -- The appVersion of the chart
+  tag: null
+
+config:
+  # -- Logging level
+  logLevel: "INFO"
+
+  # -- Logging profile (`production` for JSON, `development` for
+  # human-friendly)
+  logProfile: "production"
+
+  # -- URL path prefix
+  pathPrefix: "/tasso"
+
+  # -- Whether to send Slack alerts for unexpected failures
+  slackAlerts: false
+
+ingress:
+  # -- Additional annotations for the ingress rule
+  annotations: {}
+
+# -- Affinity rules for the tasso deployment pod
+affinity: {}
+
+# -- Node selection rules for the tasso deployment pod
+nodeSelector: {}
+
+# -- Annotations for the tasso deployment pod
+podAnnotations: {}
+
+# -- Resource limits and requests for the tasso deployment pod
+# @default -- See `values.yaml`
+resources: {}
+
+# -- Tolerations for the tasso deployment pod
+tolerations: []
+
+# The following will be set by parameters injected by Argo CD and should not
+# be set in the individual environment values files.
+global:
+  # -- Base URL for the environment
+  # @default -- Set by Argo CD
+  baseUrl: null
+
+  # -- Host name for ingress
+  # @default -- Set by Argo CD
+  host: null
+
+  # -- Base path for Vault secrets
+  # @default -- Set by Argo CD
+  vaultSecretsPath: null

docs/applications/rubin.rst

@@ -25,3 +25,4 @@ Argo CD project: ``rubin``
    rubintv-dev/index
    s3proxy/index
    schedview-snapshot/index
+   tasso/index

docs/applications/tasso/index.rst

@@ -0,0 +1,19 @@
+.. px-app:: tasso
+
+###############################
+tasso — Cutout labeling service
+###############################
+
+Tasso is a small service that allows users to label static cutout images of DIASources for training machine-learned Real/Bogus models.
+It is conceptually similar to Zooniverse but allows us to work with embargoed data.
+
+.. jinja:: tasso
+   :file: applications/_summary.rst.jinja
+
+Guides
+======
+
+.. toctree::
+   :maxdepth: 1
+
+   values

docs/applications/tasso/values.md

@@ -0,0 +1,12 @@
+```{px-app-values} tasso
+```
+
+# tasso Helm values reference
+
+Helm values reference table for the {px-app}`tasso` application.
+
+```{include} ../../../applications/tasso/README.md
+---
+start-after: "## Values"
+---
+```

environments/README.md

@@ -69,6 +69,7 @@
 | applications.strimzi | bool | `false` | Enable the strimzi application |
 | applications.strimzi-access-operator | bool | `false` | Enable the strimzi-access-operator application |
 | applications.tap | bool | `false` | Enable the tap application |
+| applications.tasso | bool | `false` | Enable the tasso application |
 | applications.telegraf | bool | `false` | Enable the telegraf application |
 | applications.telegraf-ds | bool | `false` | Enable the telegraf-ds application |
 | applications.templatebot | bool | `false` | Enable the templatebot application |