GraceDB Local Istance¶
GraceDB is the GRAvitational-wave Candidate Event Database. For developing purpose one have two possibilities, deploy a basic working istance based on GraceDB Helm Charts or deploy a custom image.
GraceDB deployment¶
Hereafter we assume that igwn-kube or igwn-k3s is in status Running (see here).
Basic deployment¶
The deployment depends on the helm charts defined in GraceDB Helm Charts and Helm Charts defined in this repository.
the first step it to add repository address to Helm. In the following command substitute <username>
with your albert.einstein username, while as password use the token string for a read_api
scoped personal acces
(see Prerequisites).
helm repo add --force-update --username <username> gracedb-helm \
https://git.ligo.org/api/v4/projects/15655/packages/helm/stable
additional command for *igwn-kube* (minikube) installation
Please not that menikube does not have the threafik service included. The gracedb chart will automaticaly instal this service, but require to add the corresponding helm repository.Hopskotch and GraceDB charts can be installed in the default namespace (obtaining a SandBoxed) installation of the igwn-alert and gracedb services in this way:
helm install -n default hopskotch gracedb-helm/hopskotch
helm install -n default gracedb gracedb-helm/gracedb
Depending on the architecture, additional setting may need to be passed to the chart installation (see here for teh possible configuration). Here some examples:
*igwn-kube*
The installation status and the k8s cluster can be monitored using the [k8s dashboard](prerequisites.md)*igwn-k3s*
The main difference of the K3S system is that the "standard" storage class is not defined and the only availabe storage class is the "local-path" ones. The hostname are also differents. That means that their valuse must be specified. ** 1: (only on CIT virtual machine) create secrets, use your _albert.einstein_ credential**kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml create secret docker-registry regcred \
--docker-username=<username> --docker-password=<password> \
--docker-server=containers.ligo.org
At this point, the local sandboxed deployment of GraceDB is available in the cluster, nevertheless some additional configurations are needed before to be able to access to it.
Running a specific version of gracedb
If one want to deploy back a different server version of GraceDB server, the command is (to deploy version 2.27.2):Running a custom image on minikube
To create a custum GraceDB image into the `ignw-kube` deployment (and using the tag:mytag) from a local fork of the gracedb server one has to run the followimg command: To run this image in the minikube deployment:Check helm deployment in k3s
To check Helm deployment status use the command to do some troubleshooting this commad may helpAccessing your local GraceDB deployment¶
The local SandBoxed GraceDB can be accessed at the URL https://gracedb.default.svc.cluster.local/. Before to be able to access to the website some operation must be followed
- configuring
/etc/hosts
- open a tunnel minikube service
- setting the user permissions
- installing the CA certificate in the browser
- Finalize the user configuration
Configuring /etc/hosts
¶
This is a local address that redirect to the web-server running inside igwn-kube
.
To allow the access, the address should be present in the local /etc/hosts
file since the authetication need a logical address with full reverse naming.
Example of /etc/hosts
file content
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
# Added by Docker Desktop
# To allow the same kube context to work on the host and the container:
127.0.0.1 kubernetes.docker.internal
# End of section
127.0.0.1 gracedb.default.svc.cluster.local
127.0.0.1 hopskotch
127.0.0.1 redis-server
Open a tunnel minikube service (for igwn-kube only)¶
A tunnel between the local machine and the k8s cluster have to be open with the command (execute in a separate terminal, closing it or killing the process will result in interruption of the tunnel connection):
Depending on the driver used when executing minikube this command may be required to be executed assudo
(see, e.g., this comment).
If a password is required, use the actual user (sudoer) password (this should be required three
times: for gracedb-traefik
, hopskotch-server
, and traefik
).
Without this tunnel active the next step will fails.
Setting the user permissions¶
To add your username (e.h. albert.einstein@ligo.org) to the list of GraceDB users give the following command
In this way your local albert.einstein@ligo.org account will be active on the sandboxed installation (with all the permission). albert.einstein now can access the GraceDB database using its own X509 certificate (That can be created by theligo-proxy-init -H 2400000 albert.einstein
command)
or using the web interface as described below.
utility folder is inside llai-deploy-sandboxed git folder.
installing the CA certificate in the browser¶
The access to GraceDB using the gracedb client needs to provide the signature of the
CA autority used to create the certificate of the sandboxed instance.
The needed certificate bundle cacerts.pem
can be retrived using the command:
REQUESTS_CA_BUNDLE=cacerts.pem gracedb -s https://gracedb.default.svc.cluster.local/api credentials server
Finalize the user configuration¶
The last step is the finalization of the permission setting for your local albert.einstein@ligo.org account. Access the admin interface of local sandboxed deployment of GraceDB at the URL https://gracedb.default.svc.cluster.local/admin/ (Username:admin, Password:mypassword). from Authentication and Authorization administration->Users search your local albert.einstein@ligo.org account. After entering in the Change user interface, in the permission section, choose all available groups, and Save.
Now you are an happy owner of a local instance of GraceDB
To see che global configuration deployed so far
Clean-up a GraceDB deployment¶
To clean up the local depolyment
helm uninstall gracedb
helm uninstall hopskotch
helm uninstall meg
kubectl delete secrets gracedb-cert-manager-webhook-ca gracedb-ca gracedb-cert-tls
kubectl delete pvc postgres-persistent-storage-gracedb-postgres-0 db-data-gracedb-0 meg-data-meg-0
## kubectl delete secrets gracedb-cert-tls gracedb-postgres client-ca gracedb
## kubectl delete secrets gracedb-cert-manager-webhook-ca gracedb-ca