From e580b66264bd2ec26f5a3dc2b8240c6453a95a58 Mon Sep 17 00:00:00 2001
From: Giles Knap
Date: Fri, 23 Aug 2024 11:20:14 +0100
Subject: [PATCH] add a cagateway
---
 services/cagateway/Chart.yaml | 7 ++
 services/cagateway/compose.yml | 59 ++++++++++++++
 services/cagateway/config/access | 6 ++
 services/cagateway/config/pvlist | 9 +++
 services/cagateway/templates/configmap.yaml | 10 +++
 services/cagateway/templates/deployment.yaml | 83 ++++++++++++++++++++
 services/cagateway/values.yaml | 1 +
 services/values.yaml | 2 +-
 8 files changed, 176 insertions(+), 1 deletion(-)
 create mode 100644 services/cagateway/Chart.yaml
 create mode 100644 services/cagateway/compose.yml
 create mode 100644 services/cagateway/config/access
 create mode 100644 services/cagateway/config/pvlist
 create mode 100644 services/cagateway/templates/configmap.yaml
 create mode 100644 services/cagateway/templates/deployment.yaml
 create mode 100644 services/cagateway/values.yaml
diff --git a/services/cagateway/Chart.yaml b/services/cagateway/Chart.yaml
new file mode 100644
index 0000000..864539e
--- /dev/null
+++ b/services/cagateway/Chart.yaml
@@ -0,0 +1,7 @@
+# A Helm Chart for a ca-gateway service
+# This is hard coded into the module right now TODO: make a oci chart for this
+apiVersion: v2
+name: ec-gateway
+version: 1.0.0
+
+type: application
diff --git a/services/cagateway/compose.yml b/services/cagateway/compose.yml
new file mode 100644
index 0000000..ae4db31
--- /dev/null
+++ b/services/cagateway/compose.yml
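Review bot: `name: ec-gateway` in Chart.yaml does not match the chart directory `services/cagateway`, the `ca-gateway` compose service names or the commit subject, so `helm package` would produce `ec-gateway-1.0.0.tgz` for a directory called `cagateway`; `name: cagateway` would keep the identifiers consistent. The header comment `This is hard coded into the module right now` does not say which module holds the copy; naming it (or the tool that vendors this chart) would give the TODO's future reader somewhere to look.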
@@ -0,0 +1,59 @@
+# When deploying IOCs to a server with docker, the choice is:
+#
+# 1. Use host network so their PVs available on the subnet
+# 2. Run a ca-gateway on each server and add all servers to client's
+# EPICS_CA_ADDR_LIST
+#
+# at present the only available option for podman is to use host network
+
+services:
+
+ # ca-gateway for development #################################################
+
+ ca-gateway: &ca-gateway
+
+ image: ghcr.io/epics-containers/docker-ca-gateway:2.1.3ec1
+
+ expose:
+ - 5064-5065/udp
+ - 5064-5065
+
+ ports:
+ # bind to localhost to isolate channel access to this host only
+ - 127.0.0.1:5064:5064/udp
+ - 127.0.0.1:5064-5065:5064-5065
+
+ restart: unless-stopped
+
+ networks:
+ channel_access:
+ ipv4_address: 172.20.255.254
+
+ configs:
+ - source: ca-gateway_config
+ target: /config
+
+ command: -cip 172.20.255.255 -pvlist /config/pvlist -access /config/access -log /dev/stdout -debug 1
+
+ profiles:
+ - develop
+
+ # per server ca-gateway for deployment #######################################
+ ca-gateway-deploy:
+
+ <<: *ca-gateway
+
+ ports:
+ # TODO - drop the IP address but also set up pvlist to make sure there
+ # are no loops - I need to look into safe config for per server ca-gateways
+ - 127.0.0.1:5064:5064/udp
+ - 127.0.0.1:5064-5065:5064-5065
+
+ command: -cip 172.20.255.255 -pvlist /config/pvlist -access /config/access -log /dev/stdout -debug 1
+
+ profiles:
+ - deploy
+
+configs:
+ ca-gateway_config:
+ file: ./config
diff --git a/services/cagateway/config/access b/services/cagateway/config/access
new file mode 100644
index 0000000..f69d0e8
--- /dev/null
+++ b/services/cagateway/config/access
@@ -0,0 +1,6 @@
+# See /EPICS/extensions/src/gateway/GATEWAY.access for more detailed example
+
+ASG(DEFAULT) {
+ RULE(1,READ)
+ RULE(1,WRITE)
+}
diff --git a/services/cagateway/config/pvlist b/services/cagateway/config/pvlist
new file mode 100644
index 0000000..3dc8d4c
--- /dev/null
+++ b/services/cagateway/config/pvlist
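Review bot: Both `ca-gateway` and `ca-gateway-deploy` attach to the `channel_access` network with a fixed `ipv4_address`, but no top-level `networks:` block defines it in this file, so `docker compose up` will reject the file unless the network comes from another compose file merged with this one (presumably the IOC compose, which this hunk does not show); a comment naming where it is defined would save the next reader the search. `ca-gateway-deploy` re-states `ports` and `command` with values identical to those merged in from `*ca-gateway`, so those two keys can be dropped, leaving only the TODO and `profiles: [deploy]`. Because both services bind to `127.0.0.1` and share the same static address, the per-server gateway is not reachable from other servers, which the TODO acknowledges but the header comment does not; `# NOTE: bound to loopback only - not yet usable as a per-server gateway (see TODO)` above `ca-gateway-deploy:` would make that explicit.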
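Review bot: `ASG(DEFAULT)` grants `RULE(1,WRITE)` with no `HAG`/`UAG` qualifier, so every client that can reach the gateway can write to every PV that passes the pvlist; since the Kubernetes deployment in this commit runs the gateway with `hostNetwork: true` on the beamline node, that is the whole beamline subnet. If read-only access suffices for most clients, keep `RULE(1,READ)` unqualified and scope writes, e.g. `HAG(ctrl) { host1 host2 }` followed by `RULE(1,WRITE) { HAG(ctrl) }` with the real control hosts filled in; otherwise add a comment stating that unrestricted write access is intentional for this rig.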
@@ -0,0 +1,9 @@
+# See /EPICS/extensions/src/gateway/GATEWAY.pvlist for more detailed example
+
+EVALUATION ORDER ALLOW, DENY
+
+BL47P.* ALLOW
+
+# [0-9].* ALLOW
+# [a-z].* ALLOW
+# [A-Z].* ALLOW
diff --git a/services/cagateway/templates/configmap.yaml b/services/cagateway/templates/configmap.yaml
new file mode 100644
index 0000000..3b4c418
--- /dev/null
+++ b/services/cagateway/templates/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-config
+ labels:
+ app: {{ .Release.Name }}
+data:
+
+# contents of the ioc instance config folder
+{{ (.Files.Glob "config/*").AsConfig | indent 2 }}
\ No newline at end of file
diff --git a/services/cagateway/templates/deployment.yaml b/services/cagateway/templates/deployment.yaml
new file mode 100644
index 0000000..98ab293
--- /dev/null
+++ b/services/cagateway/templates/deployment.yaml
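Review bot: The only active rule is `BL47P.* ALLOW`, so anything not matching that prefix is not exported — a sensible default — but the three commented patterns below it would, if uncommented, export every PV the gateway can see, and nothing says so. Add above them `# Uncommenting these exports ALL PVs reachable by the gateway - do not enable on a shared network`. Also `.` in `BL47P.*` is a regex wildcard, so the rule also matches names such as `BL47PX...`; if the prefix is always followed by a separator, anchoring it (e.g. `BL47P-.*`) would tighten the export, though the PV naming scheme is not visible here.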
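Review bot: The comment `# contents of the ioc instance config folder` looks copied from the IOC chart; this chart's `config/` holds the gateway's `pvlist` and `access` files, which the deployment mounts at `/config`. Replace it with `# pvlist and access files from the chart's config/ directory, mounted at /config by the deployment`. The template also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing so later appends diff cleanly.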
@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: {{ .Release.Name }}
+ enabled: 'true'
+ ioc_group: p47
+ is_ioc: 'true'
+ location: bl47p
+ name: {{ .Release.Name }}
+ namespace: p47-beamline
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: {{ .Release.Name }}
+ ioc_group: p47
+ is_ioc: 'true'
+ location: bl47p
+ rollme: goWO0
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beamline
+ operator: In
+ values:
+ - bl47p
+ containers:
+ - command:
+ - -sport 6064 -cip 172.23.255.255 -pvlist /config/pvlist -access /config/access -log /dev/stdout -debug 1
+ env:
+ - name: IOC_NAME
+ value: {{ .Release.Name }}
+ - name: IOC_LOCATION
+ value: bl47p
+ - name: IOC_GROUP
+ value: p47
+ image: {{ .Values.image }}
+ imagePullPolicy: Always
+ name: {{ .Release.Name }}
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ stdin: true
+ tty: true
+ volumeMounts:
+ - mountPath: /config
+ name: config-volume
+ hostNetwork: true
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 3
+ tolerations:
+ - effect: NoSchedule
+ key: beamline
+ operator: Equal
+ value: bl47p
+ - effect: NoSchedule
+ key: location
+ operator: Equal
+ value: bl47p
+ - effect: NoSchedule
+ key: nodetype
+ operator: Equal
+ value: training-rig
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: {{ .Release.Name }}-config
+ name: config-volume
\ No newline at end of file
diff --git a/services/cagateway/values.yaml b/services/cagateway/values.yaml
new file mode 100644
index 0000000..bc1d616
--- /dev/null
+++ b/services/cagateway/values.yaml
@@ -0,0 +1 @@
+image: ghcr.io/epics-containers/docker-ca-gateway:2.1.3ec1
diff --git a/services/values.yaml b/services/values.yaml
index 12e82c2..37667b3 100644
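Review bot: The container's `command:` holds a single list item `-sport 6064 -cip 172.23.255.255 … -debug 1`, and in Kubernetes `command` replaces the image ENTRYPOINT (it is `args` that replaces CMD), so the kubelet will try to exec a program literally named by that whole string and the pod will not start; the compose file gets away with `command:` only because Compose's `command` maps to CMD. Move the options to `args:` as separate tokens so the image entrypoint receives them, as in the fence below. Separately, the pod runs with `hostNetwork: true`, which puts the gateway's listening ports directly on the beamline node's interfaces, yet the securityContext only sets `allowPrivilegeEscalation: false`; consider adding `capabilities: {drop: [ALL]}`, `readOnlyRootFilesystem: true` and `runAsNonRoot: true` (ports 5064/6064 are unprivileged, but whether the image runs as a non-root user needs confirming). The label `rollme: goWO0` is a fixed value, so unlike the usual `{{ randAlphaNum 5 | quote }}` it never forces a rollout on config change; either template it or drop it.
```yaml
      containers:
        - args:
            - -sport
            - "6064"
            - -cip
            - 172.23.255.255
            - -pvlist
            - /config/pvlist
            - -access
            - /config/access
            - -log
            - /dev/stdout
            - -debug
            - "1"
          # … unchanged: env, image, imagePullPolicy, name, resources, securityContext, volumeMounts …
```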
--- a/services/values.yaml
+++ b/services/values.yaml
@@ -10,7 +10,7 @@ global:
 ioc-instance:
 # useHostNetwork - use host network for IOC - required for Channel Access
 # to work outside of the cluster
- hostNetwork: true
+ hostNetwork: false
 # affinity and tolerations to get the right nodes on pollux
 securityContext:
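Review bot: The comment above the changed line still says host networking is `required for Channel Access to work outside of the cluster`, but the default is now `false`, leaving readers to guess why that is no longer needed; presumably the new `cagateway` deployment, which runs with `hostNetwork: true`, now provides that bridge. Update the comment to something like `# hostNetwork - give the IOC the node's network. Off by default: the cagateway service bridges Channel Access out of the cluster; enable per IOC only if it must be reached directly.` The enclosing `global:` / `ioc-instance:` mapping continues outside the hunk.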