From 64288a5218965f00d9521aebd923c6e18f0d5c82 Mon Sep 17 00:00:00 2001 From: thenav56 Date: Wed, 4 Feb 2026 11:45:48 +0545 Subject: [PATCH 1/3] chore(eoapi): staging configs cleanups --- .../montandon-eoapi/application.yaml | 114 ++++------ .../internal/montandon-eoapi-spc.yaml | 4 + .../internal/pgstac-load-samples.yaml | 90 -------- .../internal/pgstac-migrate-job.yaml | 98 --------- .../internal/pgstac-queryables-job.yaml | 207 ------------------ .../internal/queryables-cm.yaml | 4 + 6 files changed, 53 insertions(+), 464 deletions(-) delete mode 100644 applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-load-samples.yaml delete mode 100644 applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-migrate-job.yaml delete mode 100644 applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-queryables-job.yaml diff --git a/applications/argocd/staging/applications/montandon-eoapi/application.yaml b/applications/argocd/staging/applications/montandon-eoapi/application.yaml index 74588b5c..19b6b03a 100644 --- a/applications/argocd/staging/applications/montandon-eoapi/application.yaml +++ b/applications/argocd/staging/applications/montandon-eoapi/application.yaml 
@@ -8,25 +8,46 @@ metadata: spec: project: default sources: + - repoURL: https://devseed.com/eoapi-k8s/ chart: eoapi targetRevision: 0.10.0 helm: valuesObject: - ingress: + postgrescluster: + # Using azure databae + enabled: false + vector: enabled: false - # host: "montandon-eoapi-stage.ifrc.org" - # tls: - # enabled: true - # secretName: montandon-eoapi-helm-secret-cert - # annotations: - # # increase the max body size to 100MB - # nginx.ingress.kubernetes.io/proxy-body-size: "100m" - # nginx.ingress.kubernetes.io/proxy-read-timeout: "600" - # nginx.ingress.kubernetes.io/proxy-send-timeout: "600" - # nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" raster: enabled: false + ingress: + # Using stac-auth-proxy + enabled: false + + serviceAccount: + create: true + automount: true + annotations: + azure.workload.identity/client-id : "9b1f12a8-4ae9-4281-afa9-948451f77dce" + labels: + azure.workload.identity/use: "true" + + postgresql: + type: "external-secret" + external: + existingSecret: + # Defined here: internal/montandon-eoapi-spc.yaml + name: pgstac-secrets-montandon-eoapi + keys: + username: "DB_USER" + password: "DB_PASSWORD" + # Optional: if these are provided in the secret + # Note: These values override external.host, external.port and external.database if defined + host: "DB_HOST" + database: "DB_NAME" + port: "DB_PORT" + stac: image: tag: 6.1.2 
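Review bot: The `ingress: enabled: false` block carries only the comment `# Using stac-auth-proxy`, which does not tell the next editor that this switch is what keeps external traffic going through the proxy source defined further down the file. I would spell that out, e.g. `# Keep disabled: external traffic enters via stac-auth-proxy; enabling this would presumably expose the STAC API without passing through the proxy`. No NetworkPolicy is visible in this patch, so other pods in the cluster can presumably still reach the STAC service directly; confirm whether that is acceptable for staging. Two smaller points in the same hunk: `# Using azure databae` has a typo, and `azure.workload.identity/client-id : "…"` has a space before the colon, which yamllint's `colons` rule flags. The `valuesObject` mapping continues outside the hunk.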
@@ -59,75 +80,29 @@ spec: mountPath: /mnt/secrets-store readOnly: true extraVolumes: + # Not required for eoAPI, but secrets-store.csi.k8s.io needs at least one pod to mount SecretProviderClass to sync Azure Key Vault with the Kubernetes secret pgstac-secrets-montandon-eoapi - name: azure-keyvault-secrets csi: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: secretProviderClass: azure-secret-provider-montandon-eoapi - vector: - enabled: false - - serviceAccount: - create: true - automount: true - annotations: - azure.workload.identity/client-id : "9b1f12a8-4ae9-4281-afa9-948451f77dce" - labels: - azure.workload.identity/use: "true" - # pgstacBootstrap: - # enabled: true - # settings: - # annotations: - # argocd.argoproj.io/hook: Sync - # # labels: - # # azure.workload.identity/use: "true" - # # extraVolumes: - # # - name: azure-keyvault-secrets - # # csi: - # # driver: secrets-store.csi.k8s.io - # # readOnly: true - # # volumeAttributes: - # # secretProviderClass: azure-secret-provider-montandon-eoapi - # queryables: - # # configMap - # - name: "stac-queryables.json" - # configMapRef: - # name: montandon-eoapi-stac-queryables - # key: stac_queryables.json - # indexFields: ["monty:hazard_codes", "monty:country_codes", "roles"] - # deleteMissing: true - postgresql: - type: "external-secret" - external: - existingSecret: - name: pgstac-secrets-montandon-eoapi - keys: - username: "DB_USER" - password: "DB_PASSWORD" - # Optional: if these are provided in the secret - # Note: These values override external.host, external.port and external.database if defined - host: "DB_HOST" - database: "DB_NAME" - port: "DB_PORT" + pgstacBootstrap: + enabled: true + loadSamples: false + queryables: + - name: "stac_queryables.json" + indexFields: ["monty:hazard_codes","monty:country_codes","roles"] + deleteMissing: true + configMapRef: + name: montandon-eoapi-stac-queryables + key: stac_queryables.json - postgrescluster: - enabled: false - # instances: - # - name: eoapi 
- # replicas: 1 - # dataVolumeClaimSpec: - # accessModes: - # - "ReadWriteOnce" - # resources: - # requests: - # storage: "600Gi" - # cpu: "1024m" - # memory: "3048Mi" - path: applications/argocd/staging/applications/montandon-eoapi/internal/ targetRevision: develop repoURL: https://github.com/IFRCGo/go-deploy.git + - repoURL: https://github.com/developmentseed/stac-auth-proxy.git targetRevision: v0.9.2 path: helm/ @@ -147,6 +122,7 @@ spec: enabled: "true" secretName: "montandon-eoapi-helm-secret-cert" replicaCount: 1 + destination: server: https://kubernetes.default.svc namespace: montandon-eoapi diff --git a/applications/argocd/staging/applications/montandon-eoapi/internal/montandon-eoapi-spc.yaml b/applications/argocd/staging/applications/montandon-eoapi/internal/montandon-eoapi-spc.yaml index c3ac04e5..e811ba08 100644 --- a/applications/argocd/staging/applications/montandon-eoapi/internal/montandon-eoapi-spc.yaml +++ b/applications/argocd/staging/applications/montandon-eoapi/internal/montandon-eoapi-spc.yaml @@ -2,6 +2,10 @@ apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: azure-secret-provider-montandon-eoapi + annotations: + argocd.argoproj.io/hook: "PreSync" + argocd.argoproj.io/sync-wave: "-7" + argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation" spec: provider: azure parameters: diff --git a/applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-load-samples.yaml b/applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-load-samples.yaml deleted file mode 100644 index 461677ca..00000000 --- a/applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-load-samples.yaml +++ /dev/null 
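Review bot: With `pgstacBootstrap.enabled: true` the chart's bootstrap job presumably reads `pgstac-secrets-montandon-eoapi`, yet the comment added above `extraVolumes` says that secret is only synced once a pod mounts `azure-secret-provider-montandon-eoapi`, and in this hunk only the `stac` pod does. On a fresh namespace, or whenever the job is scheduled before the stac pod, the job may start with no secret to read. The removed commented-out block hints that the chart accepts `extraVolumes` under `pgstacBootstrap.settings`; if it does, mounting the same CSI volume there removes the ordering dependency. Otherwise I would extend the new comment with `# The pgstacBootstrap job also relies on this mount for the secret to exist`. The hunk starts inside the `stac` values, which begin outside it.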
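Review bot: Annotating the SecretProviderClass with `argocd.argoproj.io/hook: "PreSync"` turns it into a hook resource, which as far as I know Argo CD leaves out of the application's diff and self-heal, so a manual edit to its Key Vault parameters would no longer show up as OutOfSync. `argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"` also deletes and recreates the object on every sync, leaving a short window in which a starting pod cannot mount it. If only ordering is needed, `argocd.argoproj.io/sync-wave: "-7"` on its own keeps the resource tracked; if the hook is required because the chart's bootstrap job is itself a PreSync hook, a one-line comment saying so would help. The same three annotations are added to the ConfigMap in `queryables-cm.yaml` later in this patch, and the same applies there.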
@@ -1,90 +0,0 @@ -# Static job for loading PgSTAC sample data -# This job can be used to load sample data into PgSTAC -# Currently, this is a dummy job to fix dependencies in STAC API start ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: montandon-eoapi-pgstac-load-samples - labels: - app: montandon-eoapi-pgstac-load-samples - component: database -spec: - template: - metadata: - labels: - app: montandon-eoapi-pgstac-load-samples - component: database - spec: - restartPolicy: Never - containers: - - name: dummy-load-samples - image: ghcr.io/stac-utils/pgstac-pypgstac:v0.9.8 # Customize: image version - command: - - "/bin/sh" - - "-c" - args: - - | - # Wait for database readiness - echo "Double-checking database readiness..." - pypgstac pgready - env: - # Database connection settings - - name: POSTGRES_HOST - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_HOST - - name: PGHOST - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_HOST - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PORT - - name: PGPORT - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PORT - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_USER - - name: PGUSER - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_USER - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_NAME - - name: PGDATABASE - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_NAME - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PASSWORD - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PASSWORD - - # Optional PgSTAC settings - - name: PGSTAC_USE_QUEUE - value: "false" # Customize: enable/disable queue - - name: PGSTAC_QUEUE_TIMEOUT - 
value: "30" # Customize: queue timeout in seconds - - backoffLimit: 3 # Customize: number of retries diff --git a/applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-migrate-job.yaml b/applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-migrate-job.yaml deleted file mode 100644 index abc7cbbb..00000000 --- a/applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-migrate-job.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -# Static job for PgSTAC schema migration -# This job can be used independently of the pgstacBootstrap feature -# Uncomment and customize the values below for your deployment ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: montandon-eoapi-pgstac-migrate - labels: - app: montandon-eoapi-pgstac-migrate - component: database -spec: - template: - metadata: - labels: - app: montandon-eoapi-pgstac-migrate - component: database - spec: - restartPolicy: Never - containers: - - name: pgstac-migrate - image: ghcr.io/stac-utils/pgstac-pypgstac:v0.9.8 # Customize: image version - command: - - "/bin/sh" - - "-c" - args: - - | - # Exit on any error - set -e - - # Wait for database readiness - echo "Double-checking database readiness..." - pypgstac pgready - # Run PgSTAC migrations - echo "Running PgSTAC migrations..." - pypgstac migrate - - echo "PgSTAC migration complete" - env: - # Database connection settings - - name: POSTGRES_HOST - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_HOST - - name: PGHOST - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_HOST - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PORT - - name: PGPORT - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PORT - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_USER - - name: PGUSER - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_USER - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_NAME - - name: PGDATABASE - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_NAME - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PASSWORD - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PASSWORD - - # 
Optional PgSTAC settings - - name: PGSTAC_USE_QUEUE - value: "false" # Customize: enable/disable queue - - name: PGSTAC_QUEUE_TIMEOUT - value: "30" # Customize: queue timeout in seconds - - backoffLimit: 3 # Customize: number of retries diff --git a/applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-queryables-job.yaml b/applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-queryables-job.yaml deleted file mode 100644 index a1a2d1ef..00000000 --- a/applications/argocd/staging/applications/montandon-eoapi/internal/pgstac-queryables-job.yaml +++ /dev/null 
@@ -1,207 +0,0 @@ -# Static job for loading PgSTAC queryables -# This job should run after pgstac-migrate completes -# Uncomment and customize the values below for your deployment ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: montandon-eoapi-load-queryables - labels: - app: montandon-eoapi-load-queryables - component: database - # annotations: - # Optional: Add FluxCD/ArgoCD annotations here - # For FluxCD HelmRelease dependencies, use dependsOn field instead - # argocd.argoproj.io/hook: "PreSync" - # argocd.argoproj.io/sync-wave: "0" # Run after migrate (wave -1) -spec: - template: - metadata: - labels: - app: montandon-eoapi-load-queryables - component: database - spec: - restartPolicy: Never - initContainers: - - name: wait-for-pgstac-schema - image: postgres:16-alpine - command: - - "/bin/sh" - - "-c" - args: - - | - echo "Waiting for PgSTAC schema to be ready..." - until psql -c "SELECT 1 FROM pgstac.migrations WHERE version IS NOT NULL LIMIT 1;" > /dev/null 2>&1; do - echo "PgSTAC schema not ready, waiting..." - sleep 10 - done - echo "PgSTAC schema is ready!" 
- env: - # Database connection settings - - name: POSTGRES_HOST - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_HOST - - name: PGHOST - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_HOST - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PORT - - name: PGPORT - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PORT - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_USER - - name: PGUSER - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_USER - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_NAME - - name: PGDATABASE - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_NAME - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PASSWORD - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PASSWORD - containers: - - name: pgstac-load-queryables - image: ghcr.io/stac-utils/pgstac-pypgstac:v0.9.8 # Customize: image version - command: - - "/bin/sh" - - "-c" - args: - - | - # Exit on any error - set -e - - # Wait for database readiness (redundant check) - echo "Checking database readiness..." - pypgstac pgready - - echo "Loading queryables configurations..." 
- - # Example queryables loading - customize as needed - # Replace with your actual queryables files/configurations - - pypgstac load-queryables /opt/queryables/stac_queryables.json \ - --index-fields ["monty:hazard_codes","monty:country_codes","roles"] \ - --delete-missing - - echo "Queryables loading complete" - env: - # Database connection settings - - name: POSTGRES_HOST - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_HOST - - name: PGHOST - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_HOST - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PORT - - name: PGPORT - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PORT - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_USER - - name: PGUSER - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_USER - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_NAME - - name: PGDATABASE - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_NAME - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PASSWORD - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: pgstac-secrets-montandon-eoapi - key: DB_PASSWORD - - # resources: - # requests: - # memory: "256Mi" - # cpu: "100m" - # limits: - # memory: "512Mi" - # cpu: "250m" - volumeMounts: - - name: queryables-config - mountPath: /opt/queryables - readOnly: true - volumes: - - name: queryables-config - configMap: - name: montandon-eoapi-stac-queryables # Customize: ConfigMap name - # Optional: specify specific files - # items: - # - key: test-queryables.json - # path: test-queryables.json - # - key: custom-queryables.json - # path: custom-queryables.json - - # Optional: Node affinity and tolerations - # affinity: - # nodeAffinity: - # 
preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 100 - # preference: - # matchExpressions: - # - key: node-type - # operator: In - # values: ["database"] - # tolerations: - # - key: "database" - # operator: "Equal" - # value: "true" - # effect: "NoSchedule" - backoffLimit: 3 # Customize: number of retries - # activeDeadlineSeconds: 600 # Customize: job timeout (10 minutes) diff --git a/applications/argocd/staging/applications/montandon-eoapi/internal/queryables-cm.yaml b/applications/argocd/staging/applications/montandon-eoapi/internal/queryables-cm.yaml index 53b601c4..85365e80 100644 --- a/applications/argocd/staging/applications/montandon-eoapi/internal/queryables-cm.yaml +++ b/applications/argocd/staging/applications/montandon-eoapi/internal/queryables-cm.yaml @@ -2,6 +2,10 @@ apiVersion: v1 kind: ConfigMap metadata: name: montandon-eoapi-stac-queryables + annotations: + argocd.argoproj.io/hook: "PreSync" + argocd.argoproj.io/sync-wave: "-7" + argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation" data: stac_queryables.json: | { From 2541dc07c6262de779f7aa0aa79bc08d72091cc1 Mon Sep 17 00:00:00 2001 From: thenav56 Date: Fri, 13 Feb 2026 10:00:36 +0545 Subject: [PATCH 2/3] fixup! chore(eoapi): staging configs cleanups --- .../montandon-eoapi/application.yaml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/applications/argocd/staging/applications/montandon-eoapi/application.yaml b/applications/argocd/staging/applications/montandon-eoapi/application.yaml index 19b6b03a..109d5a11 100644 --- a/applications/argocd/staging/applications/montandon-eoapi/application.yaml +++ b/applications/argocd/staging/applications/montandon-eoapi/application.yaml 
@@ -90,14 +90,15 @@ spec: pgstacBootstrap: enabled: true - loadSamples: false - queryables: - - name: "stac_queryables.json" - indexFields: ["monty:hazard_codes","monty:country_codes","roles"] - deleteMissing: true - configMapRef: - name: montandon-eoapi-stac-queryables - key: stac_queryables.json + settings: + loadSamples: false + queryables: + - name: "stac_queryables.json" + indexFields: ["monty:hazard_codes","monty:country_codes","roles"] + deleteMissing: true + configMapRef: + name: montandon-eoapi-stac-queryables + key: stac_queryables.json - path: applications/argocd/staging/applications/montandon-eoapi/internal/ targetRevision: develop From 3c1c38f9bac240978dc8eee3f4a815bf7631c373 Mon Sep 17 00:00:00 2001 From: thenav56 Date: Fri, 13 Feb 2026 10:04:12 +0545 Subject: [PATCH 3/3] feat(monty-eoapi): use latest eoapi chart with argocd support --- .../staging/applications/montandon-eoapi/application.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/applications/argocd/staging/applications/montandon-eoapi/application.yaml b/applications/argocd/staging/applications/montandon-eoapi/application.yaml index 109d5a11..e49bc617 100644 --- a/applications/argocd/staging/applications/montandon-eoapi/application.yaml +++ b/applications/argocd/staging/applications/montandon-eoapi/application.yaml @@ -11,8 +11,10 @@ spec: - repoURL: https://devseed.com/eoapi-k8s/ chart: eoapi - targetRevision: 0.10.0 + targetRevision: 0.11.1 helm: + valueFiles: + - values/argocd.yaml valuesObject: postgrescluster: # Using azure databae
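Review bot: The added `valueFiles: - values/argocd.yaml` entry has no comment saying where that file lives or what it changes. For a Helm-repository source Argo CD resolves the path inside the chart package, so its content cannot be reviewed in this repository and may change with any bump such as the `0.10.0` to `0.11.1` one in this hunk. I would add `# Shipped inside the eoapi chart; valuesObject below overrides it` above the entry, and compare the rendered manifests before and after each `targetRevision` change. The `valuesObject` mapping continues past the end of the hunk.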