WIP: Adjust runtime envsubst

2024-02-15 21:05:43 -06:00
21 changed files with 59 additions and 1098 deletions
--- a/.gitea/workflows/test-container-registry.yml
+++ b/.gitea/workflows/test-container-registry.yml
@ -1,54 +0,0 @@
 name: Container Registry Test
 on:
  push:
    branches: '*'
    paths:
      - '!**'
      - '.gitea/workflows/triggers/test-container-registry'
      - '.gitea/workflows/test-container-registry.yml'
      - 'tests/container-registry/run-test.sh'
  schedule: # Note: coordinate with other tests to not overload runners at the same time of day
    - cron: '6 19 * * *'
 jobs:
  test:
    name: "Run contaier registry hosting test on kind/k8s"
    runs-on: ubuntu-22.04
    steps:
      - name: "Clone project repository"
        uses: actions/checkout@v3
      # At present the stock setup-python action fails on Linux/aarch64
      # Conditional steps below workaroud this by using deadsnakes for that case only
      - name: "Install Python for ARM on Linux"
        if: ${{ runner.arch == 'arm64' && runner.os == 'Linux' }}
        uses: deadsnakes/action@v3.0.1
        with:
          python-version: '3.8'
      - name: "Install Python cases other than ARM on Linux"
        if: ${{ ! (runner.arch == 'arm64' && runner.os == 'Linux') }}
        uses: actions/setup-python@v4
        with:
          python-version: '3.8'
      - name: "Print Python version"
        run: python3 --version
      - name: "Install shiv"
        run: pip install shiv
      - name: "Generate build version file"
        run: ./scripts/create_build_tag_file.sh
      - name: "Build local shiv package"
        run: ./scripts/build_shiv_package.sh
      - name: "Check cgroups version"
        run: mount | grep cgroup
      - name: "Install kind"
        run: ./tests/scripts/install-kind.sh
      - name: "Install Kubectl"
        run: ./tests/scripts/install-kubectl.sh
      - name: "Install ed" # Only needed until we remove the need to edit the spec file
        run: apt update && apt install -y ed
      - name: "Run container registry deployment test"
        run: |
          source /opt/bash-utils/cgroup-helper.sh
          join_cgroup
          ./tests/container-registry/run-test.sh
--- a/.gitea/workflows/triggers/test-container-registry
+++ b/.gitea/workflows/triggers/test-container-registry
@ -1 +0,0 @@
 Change this file to trigger running the test-container-registry CI job
--- a/scripts/quick-deploy-test.sh
+++ b/scripts/quick-deploy-test.sh
@ -12,8 +12,8 @@ spec_file_name="${stack_name}-spec.yml"
 deployment_dir_name="${stack_name}-deployment"
 rm -f ${spec_file_name}
 rm -rf ${deployment_dir_name}
-laconic-so --stack ${stack_name} deploy --deploy-to compose init --output ${spec_file_name}
+laconic-so --stack ${stack_name} deploy --deploy-to k8s-kind init --output ${spec_file_name}
-laconic-so --stack ${stack_name} deploy --deploy-to compose create --deployment-dir ${deployment_dir_name} --spec-file ${spec_file_name}
+laconic-so --stack ${stack_name} deploy --deploy-to k8s-kind create --deployment-dir ${deployment_dir_name} --spec-file ${spec_file_name}
 #laconic-so deployment --dir ${deployment_dir_name} start
 #laconic-so deployment --dir ${deployment_dir_name} ps
 #laconic-so deployment --dir ${deployment_dir_name} stop
--- a/stack_orchestrator/build/build_containers.py
+++ b/stack_orchestrator/build/build_containers.py
@ -27,7 +27,7 @@ import subprocess
 import click
 import importlib.resources
 from pathlib import Path
-from stack_orchestrator.util import include_exclude_check, get_parsed_stack_config, stack_is_external, warn_exit
+from stack_orchestrator.util import include_exclude_check, get_parsed_stack_config, stack_is_external
 from stack_orchestrator.base import get_npm_registry_url
 # TODO: find a place for this
@ -164,8 +164,6 @@ def command(ctx, include, exclude, force_rebuild, extra_build_args):
    containers_in_scope = []
    if stack:
        stack_config = get_parsed_stack_config(stack)
        if "containers" not in stack_config or stack_config["containers"] is None:
            warn_exit(f"stack {stack} does not define any containers")
        containers_in_scope = stack_config['containers']
    else:
        containers_in_scope = all_containers
--- a/stack_orchestrator/data/compose/docker-compose-container-registry.yml
+++ b/stack_orchestrator/data/compose/docker-compose-container-registry.yml
@ -1,13 +0,0 @@
 services:
  registry:
    image: registry:2.8
    restart: always
    environment:
      REGISTRY_LOG_LEVEL: ${REGISTRY_LOG_LEVEL}
    volumes:
      - registry-data:/var/lib/registry
    ports:
      - "5000"
 volumes:
  registry-data:
--- a/stack_orchestrator/data/compose/docker-compose-mars-v2.yml
+++ b/stack_orchestrator/data/compose/docker-compose-mars-v2.yml
@ -1,12 +0,0 @@
 version: "3.2"
 services:
  mars:
    image: cerc/mars-v2:local
    restart: always
    ports:
      - "3000:3000"
    environment:
      - URL_OSMOSIS_REST=https://lcd-osmosis.blockapsis.com
      - URL_OSMOSIS_RPC=https://rpc-osmosis.blockapsis.com
      - WALLET_CONNECT_ID=0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x
--- a/stack_orchestrator/data/container-build/cerc-mars-v2/build.sh
+++ b/stack_orchestrator/data/container-build/cerc-mars-v2/build.sh
@ -1,4 +0,0 @@
 #!/usr/bin/env bash
 # Build the mars-v2 image
 source ${CERC_CONTAINER_BASE_DIR}/build-base.sh
 docker build -t cerc/mars-v2:local -f ${CERC_REPO_BASE_DIR}/mars-v2-frontend/Dockerfile ${build_command_args} ${CERC_REPO_BASE_DIR}/mars-v2-frontend
--- a/stack_orchestrator/data/container-build/cerc-nextjs-base/scripts/apply-runtime-env.sh
+++ b/stack_orchestrator/data/container-build/cerc-nextjs-base/scripts/apply-runtime-env.sh
@ -33,8 +33,8 @@ if [ -f ".env" ]; then
  rm -f $TMP_ENV
 fi
-for f in $(find . -type f \( -regex '.*.html?' -or -regex ".*.[tj]s\(x\|on\)?$" \) | grep -v 'node_modules' | grep -v '.git'); do
+for f in $(find "$TRG_DIR" -regex ".*.[tj]sx?$" -type f | grep -v 'node_modules'); do
-  for e in $(cat "${f}" | tr -s '[:blank:]' '\n' | tr -s '["/\\{},();]' '\n' | tr -s "[']" '\n' | egrep -o -e '^CERC_RUNTIME_ENV_.+$' -e '^LACONIC_HOSTED_CONFIG_.+$'); do
+  for e in $(cat "${f}" | tr -s '[:blank:]' '\n' | tr -s '[{},();]' '\n' | egrep -o '^"CERC_RUNTIME_ENV_[^\"]+"'); do
    orig_name=$(echo -n "${e}" | sed 's/"//g')
    cur_name=$(echo -n "${orig_name}" | sed 's/CERC_RUNTIME_ENV_//g')
    cur_val=$(echo -n "\$${cur_name}" | envsubst)
--- a/stack_orchestrator/data/container-build/cerc-webapp-base/scripts/apply-runtime-env.sh
+++ b/stack_orchestrator/data/container-build/cerc-webapp-base/scripts/apply-runtime-env.sh
@ -18,8 +18,9 @@ if [ -f ".env" ]; then
  rm -f $TMP_ENV
 fi
-for f in $(find . -type f \( -regex '.*.html?' -or -regex ".*.[tj]s\(x\|on\)?$" \) | grep -v 'node_modules' | grep -v '.git'); do
+
-  for e in $(cat "${f}" | tr -s '[:blank:]' '\n' | tr -s '["/\\{},();]' '\n' | tr -s "[']" '\n' | egrep -o -e '^CERC_RUNTIME_ENV_.+$' -e '^LACONIC_HOSTED_CONFIG_.+$'); do
+for f in $(find . -type f \( -name '*.html' -or -regex ".*.[tj]s\(x\|on\)?$" \) | grep -v 'node_modules' | grep -v '.git'); do
  for e in $(cat "${f}" | tr -s '[:blank:]' '\n' | tr -s '[\\/{},();"]' '\n' | egrep -o -e '^CERC_RUNTIME_ENV_.+'); do
    orig_name=$(echo -n "${e}" | sed 's/"//g')
    cur_name=$(echo -n "${orig_name}" | sed 's/CERC_RUNTIME_ENV_//g')
    cur_val=$(echo -n "\$${cur_name}" | envsubst)
@ -31,3 +32,19 @@ for f in $(find . -type f \( -regex '.*.html?' -or -regex ".*.[tj]s\(x\|on\)?$"
    sed -i "s/$orig_name/$esc_val/g" $f
  done
 done
 for f in $(find . -type f \( -name '*.html' -or -regex ".*.[tj]s\(x\|on\)?$" \) | grep -v 'node_modules' | grep -v '.git'); do
  for cur_name in `env | egrep -o -e '^LACONIC_HOSTED_CONFIG_.+' | cut -d"=" -f1 | sort -u`; do
    grep "$e" $f >/dev/null
    if [ $? -ne 0 ]; then
      continue
    fi
    cur_val=$(echo -n "\$${cur_name}" | envsubst)
    if [ "$CERC_RETAIN_ENV_QUOTES" != "true" ]; then
      cur_val=$(sed "s/^[\"']//" <<< "$cur_val" | sed "s/[\"']//")
    fi
    esc_val=$(sed 's/[&/\]/\\&/g' <<< "$cur_val")
    echo "$f: $cur_name=$cur_val"
    sed -i "s/$cur_name/$esc_val/g" $f
  done
 done
--- a/stack_orchestrator/data/container-build/cerc-webapp-base/scripts/build-app.sh
+++ b/stack_orchestrator/data/container-build/cerc-webapp-base/scripts/build-app.sh
@ -33,10 +33,4 @@ else
  mv "${WORK_DIR}" "${DEST_DIR}"
 fi
 # One special fix ...
 cd "${DEST_DIR}"
 for f in $(find . -type f -name '*.htm*'); do
  sed -i -e 's#/LACONIC_HOSTED_CONFIG_homepage/#LACONIC_HOSTED_CONFIG_homepage/#g' "$f"
 done
 exit 0
--- a/stack_orchestrator/data/k8s/components/ingress/ingress-nginx-kind-deploy.yaml
+++ b/stack_orchestrator/data/k8s/components/ingress/ingress-nginx-kind-deploy.yaml
@ -1,673 +0,0 @@
 # from: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
 # via: https://kind.sigs.k8s.io/docs/user/ingress/#ingress-nginx
 apiVersion: v1
 kind: Namespace
 metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
 ---
 apiVersion: v1
 automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx
  namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
 - apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-nginx-leader
  resources:
  - leases
  verbs:
  - get
  - update
 - apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
 - apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx
 rules:
 - apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
 - apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-admission
 rules:
 - apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
 apiVersion: v1
 data:
  allow-snippet-annotations: "false"
 kind: ConfigMap
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: NodePort
 ---
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.9.6
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --election-id=ingress-nginx-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        - --watch-ingress-without-class=true
        - --publish-status-address=localhost
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          hostPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          hostPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          readOnlyRootFilesystem: false
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        ingress-ready: "true"
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 0
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Equal
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
        operator: Equal
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.9.6
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.9.6
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
 ---
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
--- a/stack_orchestrator/data/stacks/container-registry/README.md
+++ b/stack_orchestrator/data/stacks/container-registry/README.md
@ -1,3 +0,0 @@
 # Container Registry Stack
 Host a container image registry
--- a/stack_orchestrator/data/stacks/container-registry/stack.yml
+++ b/stack_orchestrator/data/stacks/container-registry/stack.yml
@ -1,5 +0,0 @@
 version: "1.0"
 name: container-registry
 description: "Container registry stack"
 pods:
  - container-registry
--- a/stack_orchestrator/data/stacks/mars-v2/README.md
+++ b/stack_orchestrator/data/stacks/mars-v2/README.md
@ -1,16 +0,0 @@
 # mars
 On a fresh Digital Ocean droplet with Ubuntu:
 ```
 git clone https://github.com/cerc-io/stack-orchestrator
 cd stack-orchestrator
 ./scripts/quick-install-linux.sh
 ```
 Read and follow the instructions output from the above output to complete installation, then:
 ```
 laconic-so --stack mars-v2 setup-repositories
 laconic-so --stack mars-v2 build-containers
 laconic-so --stack mars-v2 deploy up
 ```
--- a/stack_orchestrator/data/stacks/mars-v2/stack.yml
+++ b/stack_orchestrator/data/stacks/mars-v2/stack.yml
@ -1,8 +0,0 @@
 version: "0.1"
 name: mars-v2
 repos:
  - github.com/mars-protocol/mars-v2-frontend
 containers:
  - cerc/mars-v2
 pods:
  - mars-v2
--- a/stack_orchestrator/deploy/k8s/cluster_info.py
+++ b/stack_orchestrator/deploy/k8s/cluster_info.py
@ -78,30 +78,7 @@ class ClusterInfo:
        if (opts.o.debug):
            print(f"Env vars: {self.environment_variables.map}")
-    def get_nodeport(self):
+    def get_ingress(self):
        for pod_name in self.parsed_pod_yaml_map:
            pod = self.parsed_pod_yaml_map[pod_name]
            services = pod["services"]
            for service_name in services:
                service_info = services[service_name]
                if "ports" in service_info:
                    port = int(service_info["ports"][0])
                    if opts.o.debug:
                        print(f"service port: {port}")
        service = client.V1Service(
            metadata=client.V1ObjectMeta(name=f"{self.app_name}-nodeport"),
            spec=client.V1ServiceSpec(
                type="NodePort",
                ports=[client.V1ServicePort(
                    port=port,
                    target_port=port
                )],
                selector={"app": self.app_name}
            )
        )
        return service
    def get_ingress(self, use_tls=False):
        # No ingress for a deployment that has no http-proxy defined, for now
        http_proxy_info_list = self.spec.get_http_proxy()
        ingress = None
@ -116,7 +93,7 @@ class ClusterInfo:
            tls = [client.V1IngressTLS(
                hosts=[host_name],
                secret_name=f"{self.app_name}-tls"
-            )] if use_tls else None
+            )]
            paths = []
            for route in http_proxy_info["routes"]:
                path = route["path"]
--- a/stack_orchestrator/deploy/k8s/deploy_k8s.py
+++ b/stack_orchestrator/deploy/k8s/deploy_k8s.py
@ -20,7 +20,6 @@ from kubernetes import client, config
 from stack_orchestrator import constants
 from stack_orchestrator.deploy.deployer import Deployer, DeployerConfigGenerator
 from stack_orchestrator.deploy.k8s.helpers import create_cluster, destroy_cluster, load_images_into_kind
 from stack_orchestrator.deploy.k8s.helpers import install_ingress_for_kind, wait_for_ingress_in_kind
 from stack_orchestrator.deploy.k8s.helpers import pods_in_deployment, containers_in_pod, log_stream_from_string
 from stack_orchestrator.deploy.k8s.helpers import generate_kind_config
 from stack_orchestrator.deploy.k8s.cluster_info import ClusterInfo
@ -177,20 +176,15 @@ class K8sDeployer(Deployer):
                # Ensure the referenced containers are copied into kind
                load_images_into_kind(self.kind_cluster_name, self.cluster_info.image_set)
            self.connect_api()
            if self.is_kind():
                # Now configure an ingress controller (not installed by default in kind)
                install_ingress_for_kind()
                # Wait for ingress to start (deployment provisioning will fail unless this is done)
                wait_for_ingress_in_kind()
        else:
            print("Dry run mode enabled, skipping k8s API connect")
        self._create_volume_data()
        self._create_deployment()
-        # Note: at present we don't support tls for kind (and enabling tls causes errors)
+        if not self.is_kind():
-        ingress: client.V1Ingress = self.cluster_info.get_ingress(use_tls=not self.is_kind())
+            ingress: client.V1Ingress = self.cluster_info.get_ingress()
            if ingress:
                if opts.o.debug:
                    print(f"Sending this ingress: {ingress}")
@ -206,19 +200,6 @@ class K8sDeployer(Deployer):
                if opts.o.debug:
                    print("No ingress configured")
        nodeport: client.V1Service = self.cluster_info.get_nodeport()
        if nodeport:
            if opts.o.debug:
                print(f"Sending this nodeport: {nodeport}")
            if not opts.o.dry_run:
                nodeport_resp = self.core_api.create_namespaced_service(
                    namespace=self.k8s_namespace,
                    body=nodeport
                )
                if opts.o.debug:
                    print("NodePort created:")
                    print(f"{nodeport_resp}")
    def down(self, timeout, volumes):  # noqa: C901
        self.connect_api()
        # Delete the k8s objects
@ -288,7 +269,8 @@ class K8sDeployer(Deployer):
        except client.exceptions.ApiException as e:
            _check_delete_exception(e)
-        ingress: client.V1Ingress = self.cluster_info.get_ingress(use_tls=not self.is_kind())
+        if not self.is_kind():
            ingress: client.V1Ingress = self.cluster_info.get_ingress()
            if ingress:
                if opts.o.debug:
                    print(f"Deleting this ingress: {ingress}")
@ -302,21 +284,6 @@ class K8sDeployer(Deployer):
                if opts.o.debug:
                    print("No ingress to delete")
        nodeport: client.V1Service = self.cluster_info.get_nodeport()
        if nodeport:
            if opts.o.debug:
                print(f"Deleting this nodeport: {ingress}")
            try:
                self.core_api.delete_namespaced_service(
                    namespace=self.k8s_namespace,
                    name=nodeport.metadata.name
                )
            except client.exceptions.ApiException as e:
                _check_delete_exception(e)
        else:
            if opts.o.debug:
                print("No nodeport to delete")
        if self.is_kind():
            # Destroy the kind cluster
            destroy_cluster(self.kind_cluster_name)
--- a/stack_orchestrator/deploy/k8s/helpers.py
+++ b/stack_orchestrator/deploy/k8s/helpers.py
@ -13,14 +13,13 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http:#www.gnu.org/licenses/>.
-from kubernetes import client, utils, watch
+from kubernetes import client
 import os
 from pathlib import Path
 import subprocess
 import re
 from typing import Set, Mapping, List
 from stack_orchestrator.util import get_k8s_dir, error_exit
 from stack_orchestrator.opts import opts
 from stack_orchestrator.deploy.deploy_util import parsed_pod_files_map_from_file_names
 from stack_orchestrator.deploy.deployer import DeployerException
@ -45,33 +44,6 @@ def destroy_cluster(name: str):
    _run_command(f"kind delete cluster --name {name}")
 def wait_for_ingress_in_kind():
    core_v1 = client.CoreV1Api()
    for i in range(20):
        warned_waiting = False
        w = watch.Watch()
        for event in w.stream(func=core_v1.list_namespaced_pod,
                              namespace="ingress-nginx",
                              label_selector="app.kubernetes.io/component=controller",
                              timeout_seconds=30):
            if event['object'].status.container_statuses:
                if event['object'].status.container_statuses[0].ready is True:
                    if warned_waiting:
                        print("Ingress controller is ready")
                    return
            print("Waiting for ingress controller to become ready...")
            warned_waiting = True
    error_exit("ERROR: Timed out waiting for ingress to become ready")
 def install_ingress_for_kind():
    api_client = client.ApiClient()
    ingress_install = os.path.abspath(get_k8s_dir().joinpath("components", "ingress", "ingress-nginx-kind-deploy.yaml"))
    if opts.o.debug:
        print("Installing nginx ingress controller in kind cluster")
    utils.create_from_yaml(api_client, yaml_file=ingress_install)
 def load_images_into_kind(kind_cluster_name: str, image_set: Set[str]):
    for image in image_set:
        result = _run_command(f"kind load docker-image {image} --name {kind_cluster_name}")
@ -226,8 +198,7 @@ def _generate_kind_mounts(parsed_pod_files, deployment_dir, deployment_context):
    )
-# TODO: decide if we need this functionality
+def _generate_kind_port_mappings(parsed_pod_files):
 def _generate_kind_port_mappings_from_services(parsed_pod_files):
    port_definitions = []
    for pod in parsed_pod_files:
        parsed_pod_file = parsed_pod_files[pod]
@ -249,19 +220,6 @@ def _generate_kind_port_mappings_from_services(parsed_pod_files):
    )
 def _generate_kind_port_mappings(parsed_pod_files):
    port_definitions = []
    # For now we just map port 80 for the nginx ingress controller we install in kind
    port_string = "80"
    port_definitions.append(f"  - containerPort: {port_string}\n    hostPort: {port_string}\n")
    return (
        "" if len(port_definitions) == 0 else (
            "  extraPortMappings:\n"
            f"{''.join(port_definitions)}"
        )
    )
 # Note: this makes any duplicate definition in b overwrite a
 def merge_envs(a: Mapping[str, str], b: Mapping[str, str]) -> Mapping[str, str]:
    result = {**a, **b}
@ -326,12 +284,6 @@ def generate_kind_config(deployment_dir: Path, deployment_context):
        "apiVersion: kind.x-k8s.io/v1alpha4\n"
        "nodes:\n"
        "- role: control-plane\n"
        "  kubeadmConfigPatches:\n"
        "    - |\n"
        "      kind: InitConfiguration\n"
        "      nodeRegistration:\n"
        "        kubeletExtraArgs:\n"
        "          node-labels: \"ingress-ready=true\"\n"
        f"{port_mappings_yml}\n"
        f"{mounts_yml}\n"
    )
--- a/stack_orchestrator/util.py
+++ b/stack_orchestrator/util.py
@ -146,12 +146,6 @@ def get_config_file_dir():
    return source_config_dir
 def get_k8s_dir():
    data_dir = Path(__file__).absolute().parent.joinpath("data")
    source_config_dir = data_dir.joinpath("k8s")
    return source_config_dir
 def get_parsed_deployment_spec(spec_file):
    spec_file_path = Path(spec_file)
    try:
--- a/tests/container-registry/run-test.sh
+++ b/tests/container-registry/run-test.sh
@ -1,146 +0,0 @@
 #!/usr/bin/env bash
 set -e
 if [ -n "$CERC_SCRIPT_DEBUG" ]; then
    set -x
    # Dump environment variables for debugging
    echo "Environment variables:"
    env
 fi
 stack="container-registry"
 # Helper functions: TODO move into a separate file
 wait_for_pods_started () {
    for i in {1..50}
    do
        local ps_output=$( $TEST_TARGET_SO deployment --dir $test_deployment_dir ps )
        if [[ "$ps_output" == *"Running containers:"* ]]; then
            # if ready, return
            return
        else
            # if not ready, wait
            sleep 5
        fi
    done
    # Timed out, error exit
    echo "waiting for pods to start: FAILED"
    delete_cluster_exit
 }
 wait_for_log_output () {
    for i in {1..50}
    do
        local log_output=$( $TEST_TARGET_SO deployment --dir $test_deployment_dir logs )
        if [[ ! -z "$log_output" ]]; then
            # if ready, return
            return
        else
            # if not ready, wait
            sleep 5
        fi
    done
    # Timed out, error exit
    echo "waiting for pods log content: FAILED"
    delete_cluster_exit
 }
 delete_cluster_exit () {
    $TEST_TARGET_SO deployment --dir $test_deployment_dir stop --delete-volumes
    exit 1
 }
 # Note: eventually this test should be folded into ../deploy/
 # but keeping it separate for now for convenience
 TEST_TARGET_SO=$( ls -t1 ./package/laconic-so* | head -1 )
 # Set a non-default repo dir
 export CERC_REPO_BASE_DIR=~/stack-orchestrator-test/repo-base-dir
 echo "Testing this package: $TEST_TARGET_SO"
 echo "Test version command"
 reported_version_string=$( $TEST_TARGET_SO version )
 echo "Version reported is: ${reported_version_string}"
 echo "Cloning repositories into: $CERC_REPO_BASE_DIR"
 rm -rf $CERC_REPO_BASE_DIR
 mkdir -p $CERC_REPO_BASE_DIR
 $TEST_TARGET_SO --stack ${stack} setup-repositories
 $TEST_TARGET_SO --stack ${stack} build-containers
 # Test basic stack-orchestrator deploy to k8s
 test_deployment_dir=$CERC_REPO_BASE_DIR/${stack}-deployment-dir
 test_deployment_spec=$CERC_REPO_BASE_DIR/${stack}-deployment-spec.yml
 $TEST_TARGET_SO --stack ${stack} deploy --deploy-to k8s-kind init --output $test_deployment_spec --config CERC_TEST_PARAM_1=PASSED
 # Check the file now exists
 if [ ! -f "$test_deployment_spec" ]; then
    echo "deploy init test: spec file not present"
    echo "deploy init test: FAILED"
    exit 1
 fi
 echo "deploy init test: passed"
 # Switch to a full path for bind mount.
 volume_name="registry-data"
 sed -i "s|^\(\s*${volume_name}:$\)$|\1 ${test_deployment_dir}/data/${volume_name}|" $test_deployment_spec
 # Add ingress config to the spec file
 ed $test_deployment_spec <<IngressSpec
 /network:/
 a
  http-proxy:
    - host-name: localhost
      routes:
        - path: /
          proxy-to: registry:5000
 .
 w
 q
 IngressSpec
 $TEST_TARGET_SO --stack ${stack} deploy create --spec-file $test_deployment_spec --deployment-dir $test_deployment_dir
 # Check the deployment dir exists
 if [ ! -d "$test_deployment_dir" ]; then
    echo "deploy create test: deployment directory not present"
    echo "deploy create test: FAILED"
    exit 1
 fi
 echo "deploy create test: passed"
 # Note: this isn't strictly necessary, except we end up trying to push the image into
 # the kind cluster then fails because it can't be found locally
 docker pull registry:2.8
 # Try to start the deployment
 $TEST_TARGET_SO deployment --dir $test_deployment_dir start
 wait_for_pods_started
 # Check logs command works
 wait_for_log_output
 sleep 1
 log_output_3=$( $TEST_TARGET_SO deployment --dir $test_deployment_dir logs )
 if [[ "$log_output_3" == *"listening on"* ]]; then
    echo "deployment logs test: passed"
 else
    echo "deployment logs test: FAILED"
    echo $log_output_3
    delete_cluster_exit
 fi
 # Check that we can use the registry
 # Note: since this pulls from the DockerCo registry without auth it's possible it'll run into rate limiting issues
 docker pull hello-world
 docker tag hello-world localhost:80/hello-world
 docker push localhost:80/hello-world
 # Then do a quick check that we actually pushed something there
 # See: https://stackoverflow.com/questions/31251356/how-to-get-a-list-of-images-on-docker-registry-v2
 registry_response=$(curl -s -X GET http://localhost:80/v2/_catalog)
 if [[ "$registry_response" == *"{\"repositories\":[\"hello-world\"]}"* ]]; then
    echo "registry content test: passed"
 else
    echo "registry content test: FAILED"
    echo $registry_response
    delete_cluster_exit
 fi
 # Stop and clean up
 $TEST_TARGET_SO deployment --dir $test_deployment_dir stop --delete-volumes
 echo "Test passed"
--- a/tests/database/run-test.sh
+++ b/tests/database/run-test.sh
@ -73,8 +73,8 @@ mkdir -p $CERC_REPO_BASE_DIR
 $TEST_TARGET_SO --stack ${stack} setup-repositories
 $TEST_TARGET_SO --stack ${stack} build-containers
 # Test basic stack-orchestrator deploy to k8s
-test_deployment_dir=$CERC_REPO_BASE_DIR/${deployment_dir}
+test_deployment_dir=$CERC_REPO_BASE_DIR/test-${deployment_dir}
-test_deployment_spec=$CERC_REPO_BASE_DIR/${spec_file}
+test_deployment_spec=$CERC_REPO_BASE_DIR/test-${spec_file}
 $TEST_TARGET_SO --stack ${stack} deploy --deploy-to k8s-kind init --output $test_deployment_spec
 # Check the file now exists
@ -85,9 +85,6 @@ if [ ! -f "$test_deployment_spec" ]; then
 fi
 echo "deploy init test: passed"
 # Switch to a full path for the data dir so it gets provisioned as a host bind mounted volume and preserved beyond cluster lifetime
 sed -i "s|^\(\s*db-data:$\)$|\1 ${test_deployment_dir}/data/db-data|" $test_deployment_spec
 $TEST_TARGET_SO --stack ${stack} deploy create --spec-file $test_deployment_spec --deployment-dir $test_deployment_dir
 # Check the deployment dir exists
 if [ ! -d "$test_deployment_dir" ]; then
		`@ -1 +0,0 @@`
			`Change this file to trigger running the test-container-registry CI job`
		`@ -1,3 +0,0 @@`
			`# Container Registry Stack`

			`Host a container image registry`