From de9c2af6e1817f34de444f6f95149e52a4cbc82f Mon Sep 17 00:00:00 2001
From: Jing Huang <71466688+jingh8@users.noreply.github.com>
Date: Wed, 9 Jun 2021 12:51:37 -0500
Subject: [PATCH] deploy thor to gen3 commons kubernetes cluster (#1622)
* add thor deploy and service
* add thor-service.conf
* modify name to thor-service
* add authz config to thor
---
.../gen3.nginx.conf/thor-service.conf | 19 +++++++++
kube/services/thor/thor-deploy.yaml | 39 +++++++++++++++++++
kube/services/thor/thor-service.yaml | 13 +++++++
3 files changed, 71 insertions(+)
create mode 100644 kube/services/revproxy/gen3.nginx.conf/thor-service.conf
create mode 100644 kube/services/thor/thor-deploy.yaml
create mode 100644 kube/services/thor/thor-service.yaml
diff --git a/kube/services/revproxy/gen3.nginx.conf/thor-service.conf b/kube/services/revproxy/gen3.nginx.conf/thor-service.conf
new file mode 100644
index 000000000..e5f522ebb
--- /dev/null
+++ b/kube/services/revproxy/gen3.nginx.conf/thor-service.conf
@@ -0,0 +1,19 @@
+ location /thor/ {
+ if ($csrf_check !~ ^ok-\S.+$) {
+ return 403 "failed csrf check";
+ }
+
+ error_page 403 @errorworkspace;
+ set $authz_resource "/thor";
+ set $authz_method "access";
+ set $authz_service "thor";
+ # be careful - sub-request runs in same context as this request
+ auth_request /gen3-authz;
+
+ set $proxy_service "thor-service";
+ set $upstream http://thor-service$des_domain;
+ rewrite ^/thor/(.*) /$1 break;
+ proxy_pass $upstream;
+ proxy_redirect http://$host/ https://$host/thor/;
+ }
+
diff --git a/kube/services/thor/thor-deploy.yaml b/kube/services/thor/thor-deploy.yaml
new file mode 100644
index 000000000..024e8fe01
--- /dev/null
+++ b/kube/services/thor/thor-deploy.yaml
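Review bot: In thor-service.conf, `error_page 403 @errorworkspace;` looks carried over from the workspace location, so a denial from `auth_request /gen3-authz` for thor would be answered by the workspace error handler instead of a plain 403. `@errorworkspace` is defined outside this patch, so its behaviour is not visible here; if it redirects or renders a page, API clients of thor will not see a clean authorization failure, and the line should either be dropped or point at a handler meant for this service. Separately, the single `access` check on `/thor` covers every path and HTTP method behind the prefix, which deserves a comment next to the `set $authz_*` lines such as `# authz is all-or-nothing for /thor/*; finer-grained checks must happen in thor itself`.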
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: thor-deployment
+spec:
+ selector:
+ # Only select pods based on the 'app' label
+ matchLabels:
+ app: thor
+ revisionHistoryLimit: 2
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: thor
+ public: "yes"
+ spec:
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - thor
+ topologyKey: "kubernetes.io/hostname"
+ automountServiceAccountToken: false
+ containers:
+ - name: thor
+ image: quay.io/cdis/thor:master
+ imagePullPolicy: Always
+
diff --git a/kube/services/thor/thor-service.yaml b/kube/services/thor/thor-service.yaml
new file mode 100644
index 000000000..66a0ffab8
--- /dev/null
+++ b/kube/services/thor/thor-service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: thor-service
+spec:
+ selector:
+ app: thor
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
+ name: http
+
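Review bot: In thor-deploy.yaml, `image: quay.io/cdis/thor:master` combined with `imagePullPolicy: Always` means every pod restart runs whatever was last pushed to that branch tag, so the deployed code cannot be reproduced or audited from this manifest. Pin a release tag or an image digest instead (placeholder form: `quay.io/cdis/thor@sha256:<digest>`). The container entry also declares no port, no `securityContext` and no readiness probe, although thor-service.yaml in the same patch targets port 80 and the rollout uses `maxUnavailable: 0`, which without a probe treats a pod as ready as soon as the container starts. The additions below are a starting point; the TCP probe should be replaced by an HTTP health endpoint if thor exposes one.

```yaml
      containers:
        - name: thor
          # … unchanged: image, imagePullPolicy …
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
          readinessProbe:
            tcpSocket:
              port: 80
```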