Panna Liptak authored
cfe02e0d

Archivematica-k8s

Helm charts to deploy Archivematica on a Kubernetes cluster.

No managed instances are used (standard volumes are used for storage), so this should provide a fairly generic setup.

We target Archivematica 1.16.x and Archivematica Storage Service 0.22.x.

Usage

You need Helm, your K8s orchestrator CLI (e.g. the oc CLI tool for OpenShift) and optionally Docker if you want to build the images yourself.

  1. Configure values.yaml
  2. Configure secrets
  3. Install the release through Helm:
git clone https://gitlab.cern.ch/digitalmemory/archivematica-helm
cd archivematica-helm
helm install <release-name> am-deploy --values=values.yaml

A more detailed walkthrough on how to create projects and deploy on OpenShift can be found here.

Configuration

Most of the configuration values can be set in values.yaml. Depending on your deployment, you will need to change the hostname for which a route will be created and the user_uid under which the processes will run (note: ranges for allowed user_uids are per-project on CERN OpenShift).

Value               Description
route/hostname      Hostname for the Dashboard
route/ss_hostname   Hostname for the Storage Service
general/user_uid    Pick this based on your OpenShift project's allowed range

Example values for hostname on CERN OpenShift are <NAME>.web.cern.ch.

The MySQL database configuration also has to be set in values.yaml, under the mysql section (host, port, db, user). The password is part of the archivematica-settings secret (see below).

Secrets

Some other values need to be set as secrets in the OpenShift project:

oc create secret generic \
  --from-literal="DB_PASSWORD=<VALUE>" \
  --from-literal="AM_DASHBOARD_USERNAME=<VALUE>" \
  --from-literal="AM_DASHBOARD_PASSWORD=<VALUE>" \
  --from-literal="AM_DASHBOARD_API_KEY=<VALUE>" \
  --from-literal="AM_SS_USERNAME=<VALUE>" \
  --from-literal="AM_SS_PASSWORD=<VALUE>" \
  --from-literal="AM_SS_API_KEY=<VALUE>" \
  --from-literal="DJANGO_SECRET_KEY=<VALUE>" \
  archivematica-settings

Set up the credentials to mount EOS:

oc create secret generic \
  --from-literal="KEYTAB_USER=<USERNAME>" \
  --from-literal="KEYTAB_PWD=<PASSWORD>" \
  eos-credentials

Note that two different users are created for the dashboard and the storage service.
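
An added example (not part of this repository) that writes the eight archivematica-settings keys to a mode-0600 env file and loads it with --from-env-file, so the values stay out of shell history and process arguments. The function names, the file path and the generated value lengths are assumptions; DB_PASSWORD and the two usernames are read from the environment.

```shell
#!/bin/sh
# Added example: key names are the ones listed in this README; function names,
# value lengths and the file path are assumptions made for illustration.

# rand_hex N: print 2*N hex characters read from the kernel CSPRNG.
rand_hex() {
    od -An -N "$1" -tx1 /dev/urandom | tr -d ' \n'
}

# write_am_settings_env FILE: write all eight keys to FILE with mode 0600.
# DB_PASSWORD, AM_DASHBOARD_USERNAME and AM_SS_USERNAME must already be set;
# passwords, API keys and the Django secret key are generated here.
write_am_settings_env() {
    out=$1
    for v in DB_PASSWORD AM_DASHBOARD_USERNAME AM_SS_USERNAME; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing $v" >&2; return 1; }
    done
    (
        umask 077          # new file is readable by the owner only
        rm -f -- "$out"    # do not inherit looser permissions from an old file
        {
            printf 'DB_PASSWORD=%s\n' "$DB_PASSWORD"
            printf 'AM_DASHBOARD_USERNAME=%s\n' "$AM_DASHBOARD_USERNAME"
            printf 'AM_DASHBOARD_PASSWORD=%s\n' "$(rand_hex 16)"
            printf 'AM_DASHBOARD_API_KEY=%s\n' "$(rand_hex 20)"
            printf 'AM_SS_USERNAME=%s\n' "$AM_SS_USERNAME"
            printf 'AM_SS_PASSWORD=%s\n' "$(rand_hex 16)"
            printf 'AM_SS_API_KEY=%s\n' "$(rand_hex 20)"
            printf 'DJANGO_SECRET_KEY=%s\n' "$(rand_hex 32)"
        } > "$out"
    )
}

# create_am_secret FILE: load FILE into the secret, then delete the file.
create_am_secret() {
    oc create secret generic archivematica-settings --from-env-file="$1" \
        && rm -f -- "$1"
}

# Usage, with the three input variables set in the environment:
#   write_am_settings_env ./am-settings.env && create_am_secret ./am-settings.env
```

Record the generated dashboard and storage service passwords in your password manager before create_am_secret deletes the file.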

Docker images

You shouldn't need anything different here, as the provided values.yaml is set to use the docker images we build and push to our container registry.

  • Archivematica images are unmodified versions from the upstream repositories, which are copied here as git submodules (check the src folders) and pinned to our target versions;
  • The ClamAV image is a slightly modified version of the base one: we just added permissions on some common folders so the resulting container won't need to run under root (as the user will be the one set in values.yaml -> general/user_uid);
  • More images are used (e.g. Redis). For those, we use standard images published on canonical registries.

Build

If you wish to build them yourself, here's a quick overview:

Service name                    Dockerfile                                     Context
archivematica-mcp-server        src/archivematica/src/MCPServer.Dockerfile     src/archivematica/src/
archivematica-mcp-client        src/archivematica/src/MCPClient.Dockerfile     src/archivematica/src/
archivematica-dashboard         src/archivematica/src/dashboard.Dockerfile     src/archivematica/src/
archivematica-storage-service   src/archivematica-storage-service/Dockerfile   src/archivematica-storage-service/
am-clamav                       images/clamav/Dockerfile                       images/clamav

In this case, replace the image values in the values.yaml.

Deployment

Pushing to OpenShift creates the following deployments with the following containers:

Deployment                 Replicas   Containers
archivematica-all          1          Storage Service, Dashboard, MCP Server, ClamAV
archivematica-gearmand     1          Gearman
archivematica-mcp-client   2+         MCP Client
archivematica-redis        1          Redis
redis                      1          Redis

Email reports

Archivematica can send email reports about failed transfers. The configuration needs to be set for the MCP Client, and the values for the CERN SMTP can be found here.

In values.yaml, mcp_client.email_report_user sets the sender of the email report. The recipient is every AM user who has 'Send system emails?' set to true (by default we create one user called archivematica). In general, the sender is the OAIS service account and the recipient should be the oais-admin egroup.
