deployment refactoring

- update CI to correctly build docker images
- add requirement.txt
- update Dockerfile to correctly build the app

Author: ntarocco

.gitignore

@@ -3,6 +3,7 @@ __pycache__
 *.egg-info
 *.DS_Store
 *.pyc
+dist
 
 # Editor stuff
 *.swp
@@ -18,4 +19,4 @@ app-config/openshift/caimira-test
 app-config/openshift/caimira-prod
 
 # documentation build folder
-caimira/docs/_build
+caimira/docs/_build

.gitlab-ci.yml

@@ -1,7 +1,7 @@
 stages:
   - test
   - docker-build
-  - oc-tag
+  - deploy
 
 # Use the acc-py-devtools templates found at
 # https://gitlab.cern.ch/-/ide/project/acc-co/devops/python/acc-py-devtools/blob/master/-/acc_py_devtools/templates/gitlab-ci/python.yml.
@@ -18,6 +18,8 @@ variables:
 .test-base:
   image: registry.cern.ch/docker.io/library/python:${PY_VERSION}
   stage: test
+  except:
+    - live/caimira-test  # do not run tests on live/caimira-test branch
 
 .test-run:
   extends:
@@ -62,11 +64,7 @@ test-cern-caimira-py39:
 
 .test_openshift_config:
   stage: test
-  rules:
-    - if: '$OC_TOKEN && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == $BRANCH'
-      allow_failure: true  # The branch must represent what is deployed.  FIXME: change to true because of a diff between ConfigMaps
-    - if: '$OC_TOKEN && $CI_MERGE_REQUEST_EVENT_TYPE != "detached"'
-      allow_failure: true   # Anything other than the branch may fail without blocking the pipeline.
+  allow_failure: true
   image: registry.cern.ch/docker.io/mambaorg/micromamba
   before_script:
     - micromamba create --yes -p $HOME/env python=3.9 ruamel.yaml wget -c conda-forge
@@ -86,6 +84,9 @@ test-cern-caimira-py39:
     paths:
       - ./app-config/openshift/${CAIMIRA_INSTANCE}/actual
       - ./app-config/openshift/${CAIMIRA_INSTANCE}/expected
+  only:
+    - master
+    - live/caimira-test  # do not run tests on live/caimira-test branch
 
 check_openshift_config_test:
   extends: .test_openshift_config
@@ -108,6 +109,7 @@ check_openshift_config_test:
 # ###################################################################################################
 # Build docker images
 
+# base
 .docker-build:
   stage: docker-build
   image:
@@ -116,6 +118,7 @@ check_openshift_config_test:
     name: gcr.io/kaniko-project/executor:debug
     entrypoint: [""]
   script:
+    - echo "Building image for ${CI_COMMIT_REF_NAME} branch with tag ${IMAGE_TAG}"
     # Prepare Kaniko configuration file
     - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
     - echo "Building ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:latest Docker image..."
@@ -124,67 +127,95 @@ check_openshift_config_test:
     # Print the full registry path of the pushed image
     - echo "Image pushed successfully to ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG}"
 
-.docker-build-live-test:
+.docker-build-auth-service:
   variables:
-    IMAGE_TAG: caimira-test-latest
+    IMAGE_NAME: auth-service
+    DOCKERFILE_DIRECTORY: app-config/auth-service
+    DOCKER_CONTEXT_DIRECTORY: app-config/auth-service
   extends: .docker-build
-  before_script:
-    - echo "Branch is $CI_COMMIT_REF_NAME"
-    - echo "Building image for live/caimira-test branch with tag ${IMAGE_TAG}"
+
+.docker-build-calculator-app:
+  variables:
+    IMAGE_NAME: calculator-app
+    DOCKERFILE_DIRECTORY: app-config/calculator-app
+    DOCKER_CONTEXT_DIRECTORY: ""
+  extends: .docker-build
+
+# on push to live/caimira-test
+.docker-build-test:
+  variables:
+    IMAGE_TAG: caimira-test-latest
+
+docker-build-auth-service-test:
+  extends:
+    - .docker-build-test
+    - .docker-build-auth-service
+  only:
+    - live/caimira-test
+
+docker-build-calculator-app-test:
+  extends:
+    - .docker-build-test
+    - .docker-build-calculator-app
   only:
     - live/caimira-test
 
+# on release
 .docker-build-release:
-  extends: .docker-build
   before_script:
-    - echo "Tag is $CI_COMMIT_REF_NAME"
     # Extract version number without 'v' prefix as IMAGE_TAG
     - IMAGE_TAG=$(echo "$CI_COMMIT_REF_NAME" | sed 's/^v//')
     - echo "Version is $IMAGE_TAG"
-  only:
-    - tags
 
-build-auth-service-image:
+docker-build-auth-service-release:
   extends:
-    - .docker-build-live-test
     - .docker-build-release
-  variables:
-    IMAGE_NAME: auth-service
-    DOCKERFILE_DIRECTORY: app-config/auth-service
-    DOCKER_CONTEXT_DIRECTORY: app-config/auth-service
+    - .docker-build-auth-service
+  only:
+    - tag
 
-build-calculator-app-image:
+docker-build-calculator-app-release:
   extends:
-    - .docker-build-live-test
     - .docker-build-release
-  variables:
-    IMAGE_NAME: calculator-app
-    DOCKERFILE_DIRECTORY: app-config/calculator-app
-    DOCKER_CONTEXT_DIRECTORY: ""
+    - .docker-build-calculator-app
+  only:
+    - tag
 
 # ###################################################################################################
-# Link build Docker images OpenShift <-> GitLab registry
-
-.link_docker_images_with_gitlab_registry:
-  stage: oc-tag
-  image: gitlab-registry.cern.ch/paas-tools/openshift-client:latest
+# Deploy to OpenShift
+.deploy:
+  stage: deploy
+  image: gitlab-registry.cern.ch/paas-tools/openshift-client
   variables:
-    OC_PROJECT: "caimira-test"
-    OC_TOKEN: ${OPENSHIFT_CAIMIRA_TEST_DEPLOY_TOKEN}
     IMAGE_TAG: caimira-test-latest
+    OPENSHIFT_SERVER: https://api.paas.okd.cern.ch
+    OPENSHIFT_PROJECT: caimira-test
   script:
-     - oc tag --source=docker ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:latest --token ${OC_TOKEN} --server=https://api.paas.okd.cern.ch -n ${OC_PROJECT}
+    - echo "Deploying ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG} to OpenShift"
+    - oc login $OPENSHIFT_SERVER --token=$OPENSHIFT_CAIMIRA_TEST_DEPLOY_TOKEN
+    - oc project $OPENSHIFT_PROJECT
+    - oc set image dc/$OPENSHIFT_DEPLOYMENT $OPENSHIFT_CONTAINER_NAME=${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG}
+    - oc rollout status dc/$OPENSHIFT_DEPLOYMENT
   only:
-    - live/caimira-test  # for prod, we want to manually deploy the tag that we need
+    - live/caimira-test
 
-link_auth-service_with_gitlab_registry:
-  extends:
-    - .link_docker_images_with_gitlab_registry
+deploy-auth-service-test:
+  extends: .deploy
   variables:
     IMAGE_NAME: auth-service
+    OPENSHIFT_DEPLOYMENT: auth-service
+    OPENSHIFT_CONTAINER_NAME: auth-service
 
-link_calculator-app_with_gitlab_registry:
-  extends:
-    - .link_docker_images_with_gitlab_registry
+deploy-calculator-app-test:
+  extends: .deploy
+  variables:
+    IMAGE_NAME: calculator-app
+    OPENSHIFT_DEPLOYMENT: calculator-app
+    OPENSHIFT_CONTAINER_NAME: calculator-app
+
+deploy-calculator-open-app-test:
+  extends: .deploy
   variables:
     IMAGE_NAME: calculator-app
+    OPENSHIFT_DEPLOYMENT: calculator-open-app
+    OPENSHIFT_CONTAINER_NAME: calculator-open-app

README.md

@@ -103,25 +103,25 @@ pip install -e .   # At the root of the repository
 ### Running the Calculator app in development mode
 
 ```
-python -m ui.apps.calculator
+python -m cern_caimira.apps.calculator
 ```
 
 To run with a specific template theme created:
 
 ```
-python -m ui.apps.calculator --theme=ui/apps/templates/{theme}
+python -m cern_caimira.apps.calculator --theme=ui/apps/templates/{theme}
 ```
 
 To run the entire app in a different `APPLICATION_ROOT` path:
 
 ```
-python -m ui.apps.calculator --app_root=/myroot
+python -m cern_caimira.apps.calculator --app_root=/myroot
 ```
 
 To run the calculator on a different URL path:
 
 ```
-python -m ui.apps.calculator --prefix=/mycalc
+python -m cern_caimira.apps.calculator --prefix=/mycalc
 ```
 
 Each of these commands will start a local version of CAiMIRA, which can be visited at http://localhost:8080/.

app-config/calculator-app/Dockerfile

@@ -1,22 +1,33 @@
-FROM registry.cern.ch/docker.io/condaforge/mambaforge as conda
+FROM registry.cern.ch/docker.io/condaforge/mambaforge AS conda
+
+ARG PYTHON_VERSION=3.12
+RUN mamba create --yes -p /opt/app python=${PYTHON_VERSION}
 
-RUN mamba create --yes -p /opt/app python=3.9
 COPY . /opt/app-source
-RUN cd /opt/app-source && conda run -p /opt/app python -m pip install -r ./requirements.txt .[app]
+WORKDIR /opt/app-source
+# install Python deps
+RUN cd cern_caimira \
+    && conda run -p /opt/app python -m pip install -r requirements.txt
+RUN cd caimira \
+    && conda run -p /opt/app python -m pip install .
+RUN cd cern_caimira \
+    && conda run -p /opt/app python -m pip install .
+
 COPY app-config/calculator-app/app.sh /opt/app/bin/calculator-app.sh
+
 RUN cd /opt/app \
- && find -name '*.a' -delete \
- && rm -rf /opt/app/conda-meta \
- && rm -rf /opt/app/include \
- && find -name '__pycache__' -type d -exec rm -rf '{}' '+' \
- && rm -rf /opt/app/lib/python*/site-packages/pip /opt/app/lib/python*/idlelib /opt/app/lib/python*/ensurepip \
-        /opt/app/bin/x86_64-conda-linux-gnu-ld \
-        /opt/app/bin/sqlite3 \
-        /opt/app/bin/openssl \
-        /opt/app/share/terminfo \
-&& find /opt/app/lib/ -name 'tests' -type d -exec rm -rf '{}' '+' \
-&& find /opt/app/lib -name '*.pyx' -delete \
-;
+    && find -name '*.a' -delete \
+    && rm -rf /opt/app/conda-meta \
+    && rm -rf /opt/app/include \
+    && find -name '__pycache__' -type d -exec rm -rf '{}' '+' \
+    && rm -rf /opt/app/lib/python*/site-packages/pip /opt/app/lib/python*/idlelib /opt/app/lib/python*/ensurepip \
+          /opt/app/bin/x86_64-conda-linux-gnu-ld \
+          /opt/app/bin/sqlite3 \
+          /opt/app/bin/openssl \
+          /opt/app/share/terminfo \
+    && find /opt/app/lib/ -name 'tests' -type d -exec rm -rf '{}' '+' \
+    && find /opt/app/lib -name '*.pyx' -delete \
+    ;
 
 FROM registry.cern.ch/docker.io/library/debian
 
@@ -25,12 +36,10 @@ ENV PATH=/opt/app/bin/:$PATH
 # Make a convenient location to the installed CAiMIRA package (i.e. a directory called caimira in the CWD).
 # It is important that this directory is also writable by a non-root user.
 RUN mkdir -p /scratch \
- && chmod a+wx /scratch
+  && chmod a+wx /scratch
 # Set the HOME directory to something that anybody can write to (to support non root users, such as on openshift).
 ENV HOME=/scratch
 WORKDIR /scratch
-RUN CAIMIRA_INIT_FILE=$(/opt/app/bin/python -c "import caimira; print(caimira.__file__)") \
- && ln -s $(dirname ${CAIMIRA_INIT_FILE}) /scratch/caimira
-CMD [ \
-  "calculator-app.sh" \
-]
+RUN CERN_CAIMIRA_INIT_FILE=$(python -c "import cern_caimira; print(cern_caimira.__file__)") \
+    && ln -s $(dirname ${CERN_CAIMIRA_INIT_FILE}) /scratch/cern_caimira
+CMD [ "calculator-app.sh" ]

app-config/calculator-app/app.sh

@@ -16,7 +16,7 @@ if [[ "$APP_NAME" == "calculator-app" ]]; then
     if [ ! -z "$CAIMIRA_THEME" ]; then
         args+=("--theme=${CAIMIRA_THEME}")
     fi
-    
+
     export "ARVE_API_KEY"="$ARVE_API_KEY"
     export "ARVE_CLIENT_ID"="$ARVE_CLIENT_ID"
     export "ARVE_CLIENT_SECRET"="$ARVE_CLIENT_SECRET"
@@ -26,8 +26,8 @@ if [[ "$APP_NAME" == "calculator-app" ]]; then
     export "DATA_SERVICE_ENABLED"="${DATA_SERVICE_ENABLED:=0}"
     export "CAIMIRA_PROFILER_ENABLED"="${CAIMIRA_PROFILER_ENABLED:=0}"
 
-    echo "Starting the caimira webservice with: python -m ui.apps.calculator ${args[@]}"
-    python -m ui.apps.calculator "${args[@]}"
+    echo "Starting the caimira webservice with: python -m cern_caimira.apps.calculator ${args[@]}"
+    python -m cern_caimira.apps.calculator "${args[@]}"
 
 else
     echo "No APP_NAME specified"