Installation via a Helm chart and configuration to deploy the WES service as well as MongoDB, Celery, RabbitMQ, Flower and Autocert. This was tested with Helm v3.0.0.
Prerequisites:

- A working Kubernetes cluster and access to the `kubectl` command.
- A dynamic storage provisioner (StorageClass) that can provide volumes in ReadWriteMany (RWM) access mode. You can find a list of internal provisioners that support this. We deployed cwl-WES successfully with an external NFS volume provisioner.
- If you are planning to use cwl-WES in FTP mode you need an FTP server that supports TLS encryption. Choose one of the following options:
  - Use a system-wide certificate manager (see Jetstack for installation). An instance of `ClusterIssuer` is needed; its YAML could look like:

    ```yaml
    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: [name]
      labels:
        name: [name]
    spec:
      acme:
        email: email@example.com
        privateKeySecretRef:
          name: [name]
        server: https://acme-v02.api.letsencrypt.org/directory
        solvers:
        - http01:
            ingress:
              class: nginx
    ```

    You also need a system-wide ingress and load balancer configuration (see Rancher Nginx and K8S RKE). If you choose this option, set `autocert.createJob: "false"` and `ingress.letsencryptSystem: "true"` in `values.yaml`.
  - Install ingress and autocert from WES (set `autocert.createJob: "true"` and `ingress.letsencryptSystem: "false"`). For Autocert, see the section below.
- A working TES installation like TESK or Funnel exposed via an endpoint. If you are planning to use cwl-WES in FTP mode, then your TES endpoint must also support FTP.
Installation:

- Create a new namespace in Kubernetes in which to deploy WES:

  ```shell
  kubectl create namespace <new-namespace-name>
  ```

- Change the following values in `values.yaml` (for a detailed list of configuration values look further down):
  - `clusterType`: set to "kubernetes".
  - `wes.netrcMachine`: the endpoint of your FTP service.
  - `wes.netrcLogin`: the username of your FTP service.
  - `wes.netrcPassword`: the password of your FTP service. It is important that your FTP login and password do not contain any special characters used in URLs (such as `#`, `&`, `?`, etc.) because they cause errors.
- Change the application configuration, i.e. the following values in `/cwl_wes/config/app_config.yaml`:
  - `storage.remote_storage_url`: the endpoint and folder of the FTP service that will be used for remote storage, in the form `ftp://endpoint//path`.
  - `tesk.url`: the endpoint of your TES service.
- Navigate into the `deployment/` directory and issue the following command:

  ```shell
  helm install <name-of-your-deployment> . -f values.yaml -n <new-namespace-name>
  ```

  Helm should provision volumes for RabbitMQ, MongoDB and cwl-WES:

  ```shell
  kubectl -n <new-namespace-name> get pvc
  ```

  Moreover you should see 5 new pods created in the new namespace (they should all settle in `Running` status after a while):

  ```shell
  kubectl -n <new-namespace-name> get pods
  ```
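A pre-flight check for the configuration values above, added here as an example and not part of the cwl-WES chart. The dictionaries are constructed stand-ins for the `clusterType`, `wes.netrc*`, `storage.remote_storage_url` and `tesk.url` keys; the check that the storage URL host equals `wes.netrcMachine` rests on the assumption that netrc entries are looked up by machine name, and `ftp_url_parts` shows why a `#` in a password breaks URL parsing.

```python
from urllib.parse import urlsplit

# RFC 3986 reserved characters; '#', '&' and '?' are the ones the notes call out.
URL_RESERVED = set(":/?#[]@!$&'()*+,;=")

# Constructed samples of the relevant values.yaml and app_config.yaml keys.
GOOD_VALUES = {"clusterType": "kubernetes",
               "wes": {"netrcMachine": "ftp.example.org",
                       "netrcLogin": "wesuser", "netrcPassword": "s3cret"}}
GOOD_APP_CONFIG = {"storage": {"remote_storage_url": "ftp://ftp.example.org//data"},
                   "tesk": {"url": "https://tes.example.org"}}
BAD_VALUES = {"clusterType": "k8s",
              "wes": {"netrcMachine": "ftp.example.org",
                      "netrcLogin": "wesuser", "netrcPassword": "p#ss&w?rd"}}
BAD_APP_CONFIG = {"storage": {"remote_storage_url": "ftp://other.example.org//data"},
                  "tesk": {"url": ""}}

def reserved_chars(value):
    """Return the URL-reserved characters found in a credential, sorted."""
    return sorted({c for c in value if c in URL_RESERVED})

def check_values(values, app_config):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    if values.get("clusterType") not in ("kubernetes", "openshift"):
        problems.append("clusterType must be 'kubernetes' or 'openshift'")
    wes = values.get("wes", {})
    for key in ("netrcMachine", "netrcLogin", "netrcPassword"):
        if not wes.get(key):
            problems.append(f"wes.{key} is empty")
    for key in ("netrcLogin", "netrcPassword"):
        bad = reserved_chars(wes.get(key, ""))
        if bad:
            problems.append(f"wes.{key} contains URL-reserved characters {''.join(bad)}")
    # Assumption: netrc entries are matched by host name, so the remote storage
    # URL must point at the same host as wes.netrcMachine or no login is found.
    url = app_config.get("storage", {}).get("remote_storage_url", "")
    parts = urlsplit(url)
    if parts.scheme != "ftp" or parts.hostname != wes.get("netrcMachine"):
        problems.append("storage.remote_storage_url must be ftp://<netrcMachine>/...")
    if not app_config.get("tesk", {}).get("url"):
        problems.append("tesk.url is empty")
    return problems

def ftp_url_parts(login, password, machine, path="/uploads"):
    """Parse the URL such credentials would form: a '#' in the password is read
    as the fragment delimiter, so the host name is lost."""
    parts = urlsplit(f"ftp://{login}:{password}@{machine}{path}")
    return parts.hostname, parts.password, parts.fragment
```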
TODO
```shell
curl -X POST \
  --header 'Content-Type: multipart/form-data' \
  --header 'Accept: application/json' \
  -F workflow_params='{"input":{"class":"File","path":"<add_a_path_to_a_file_here>"}}' \
  -F workflow_type='CWL' \
  -F workflow_type_version='v1.0' \
  -F workflow_url='https://github.com/uniqueg/cwl-example-workflows/blob/master/hashsplitter-workflow.cwl' \
  '<wes_endpoint>/ga4gh/wes/v1/runs'
```
The Helm chart uses scheduled TLS certificate fetching from Let's Encrypt.
- Test autocert with vanilla Kubernetes
Description of values in `values.yaml`

See `values.yaml` for default values.
Key | Type | Description |
---|---|---|
applicationDomain | string | where to reach the Kubernetes cluster |
autocert.apiServer | string | where to reach the Kubernetes API server |
autocert.createJob | string | create autocert cronjob |
autocert.email | string | email to inject into the certificate |
autocert.image | string | container image to be used to run Autocert |
autocert.schedule | string | schedule for certificate refreshment |
autocert.testCert | string | whether to use Let's Encrypt staging so as not to exceed quota |
celeryWorker.appName | string | name of the Celery app on Kubernetes cluster |
celeryWorker.image | string | container image to be used for the Celery application |
clusterType | string | type of Kubernetes cluster; either 'kubernetes' or 'openshift' |
ingress.letsencryptSystem | string | for K8S, whether to use the system-wide Let's Encrypt cert manager or not |
ingress.nginx_image | string | for K8S, container image to be used to run nginx |
ingress.scope.annotations.clusterissuer | string | for K8S, name of instance of letsencrypt cert manager |
ingress.scope.annotations.ingressclass | string | for K8S, name of class that takes care of ingress |
ingress.scope.annotations.tlsacme | string | for K8S, true if letsencrypt should be used |
mongodb.appName | string | name of MongoDB app on Kubernetes cluster |
mongodb.databaseAdminPassword | string | admin password for MongoDB |
mongodb.databaseName | string | name of MongoDB database to be used in application |
mongodb.databasePassword | string | user password for MongoDB |
mongodb.databaseUser | string | username for MongoDB |
mongodb.image | string | container image to be used to run MongoDB |
mongodb.mountPath | string | for K8S, where to mount the PVC |
mongodb.pullPolicy | string | pull policy for container image |
mongodb.securityContext.enabled | string | for K8S, whether security is enabled (to solve issues with newly created PVC) |
mongodb.securityContext.fsGroup | string | for K8S, fsGroup that can access the PVC |
mongodb.securityContext.runAsUser | string | for K8S, user that can access the PVC |
mongodb.securityContext.runAsNonRoot | string | for K8S, run as non root |
mongodb.volumeSize | string | size of volume reserved for MongoDB database |
rabbitmq.appName | string | name of RabbitMQ app on Kubernetes cluster |
rabbitmq.image | string | container image to be used to run RabbitMQ |
rabbitmq.volumeSize | string | size of volume reserved for RabbitMQ broker |
storageAccessMode | string | access mode for MongoDB and RabbitMQ PVC |
tlsSecret | string | secret for TLS encryption |
wes.appName | string | name of the main application on Kubernetes cluster |
wes.image | string | container image to be used for the main application |
wes.netrcLogin | string | login name for accessing the sFTP server |
wes.netrcMachine | string | host name of sFTP server |
wes.netrcPassword | string | password for accessing the sFTP server |
wes.storageClass | string | type of storageClass for WES, must have RWX capability |
wes.volumeSize | string | size of volume reserved for the main application |
wes.redirect | boolean | Activate/deactivate the '/' to '/ga4gh/wes/v1/ui/' redirection |