Skip to content

GraceDB Local Istance

GraceDB is the GRAvitational-wave Candidate Event Database. For developing purpose one have two possibilities, deploy a basic working istance based on GraceDB Helm Charts or deploy a custom image.

GraceDB deployment

Hereafter we assume that igwn-kube is in status Running (see here)

Basic deployment

The deployment depends on the helm charts defined in GraceDB Helm Charts and Helm Charts defined in this repository.

In the following command substitute <username> with your albert.einstein username, while as password use the token string for a read_api scoped personal acces (see Prerequisites).

helm repo add --force-update --username <username> gracedb-helm \

helm repo add --force-update traefik

After adding the Helm repository with the command above, the two charts can be installed in the default namespace in this way:

helm install -n default hopskotch gracedb-helm/hopskotch
helm install -n default gracedb gracedb-helm/gracedb

The installation status and the k8s cluster can be monitored using the k8s dashboard

At this point, the local sandboxed deployment of GraceDB is available in the cluster, nevertheless some additional configurations are needed before to be able to access to it.

Running a custom image

To create a custum GraceDB image into the minikube deployment (and using the tag:mytag) from a local fork of the gracedb server one has to run the followimg command

minikube -p igwn-kube image build -t "gracedb-custom/development:mytag" .

To run this image in the minikube deployment:

helm upgrade --install gracedb gracedb-helm/gracedb --reuse-values   \ 
                      --set gracedb.image="gracedb-custom/development:mytag"

If one want to deploy back the official server version (or any other officila version) of GraceDB server, the command is (to deploy version 2.27.2):

helm upgrade --install gracedb gracedb-helm/gracedb --reuse-values \
             --set gracedb.image=""

Accessing your local GraceDB deployment

GraceDB can be accessed at the URL https://gracedb.default.svc.cluster.local/. Before to be able to access to the website some operation must be followed

configuring /etc/hosts

This is a local address that redirect to the web-server running inside igwn-kube. To allow the access, the address should be present in the local /etc/hosts file since the authetication need a logical address with full reverse naming.

Example of /etc/hosts file content

# Host Database
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##   localhost broadcasthost
::1             localhost
# Added by Docker Desktop
# To allow the same kube context to work on the host and the container: kubernetes.docker.internal
# End of section gracedb.default.svc.cluster.local hopskotch redis-server

open a tunnel minikube service

A tunnel between the local machine and the k8s cluster have to be open with the command (execute in a separate terminal, closing it or killing the process will result in interruption of the tunnel connection):

minikube -p igwn-kube tunnel 
Depending on the driver used when executing minikube this command may be required to be executed as sudo (see, e.g., this comment). If a password is required, use the actual user (sudoer) password (this should be required three times: for gracedb-traefik, hopskotch-server, and traefik). Without this tunnel active the next step will fails.

setting the user permissions

To add your username (e.h. to the list of GraceDB users give the following command

ALL_PERMS=True ./utility/
In this way your local account will be active on the sandboxed installation (with all the permission). albert.einstein now can access the GraceDB database using its own X509 certificate (That can be created by the ligo-proxy-init -H 2400000 albert.einstein command) or using the web interface as described below.

installing the CA certificate in the browser

The access to GraceDB using the gracedb client needs to provide the signature of the CA autority used to create the certificate of the sandboxed instance. The needed certificate bundle cacerts.pem can be retrived using the command:

That would create the certificate in the current directory. With this certificate bundle the following command will give access to the sandboxed GraceDB server:
REQUESTS_CA_BUNDLE=cacerts.pem  gracedb -s https://gracedb.default.svc.cluster.local/api credentials server

Finalize the user configuration

The last step is the finalization of the permission setting for your local account. Access the admin interface of local sandboxed deployment of GraceDB at the URL https://gracedb.default.svc.cluster.local/admin/ (Username:admin, Password:mypassword). from Authentication and Authorization administration->Users search your local account. After entering in the Change user interface, in the permission section, choose all available groups, and Save.

Now you are an happy owner of a local instance of GraceDB

Note on the K3S System at CIT

To clean up the local K3S depolyment

helm uninstall gracedb
helm uninstall hopskotch
helm uninstall meg
kubectl delete secrets gracedb-cert-manager-webhook-ca gracedb-ca gracedb-cert-tls
kubectl delete pvc postgres-persistent-storage-gracedb-postgres-0 db-data-gracedb-0 meg-data-meg-0
## kubectl delete secrets gracedb-cert-tls gracedb-postgres client-ca gracedb
## kubectl delete secrets gracedb-cert-manager-webhook-ca  gracedb-ca

The main difference of the K3S system is that the "standard" storage class is not defined and the only availabe storage class is the "local-path" ones. The hostname are also differents. That means that their valuse must be specified. The installation commands should be modified according to the following examples:

kubectl create secret docker-registry regcred \
       --docker-username=RDP --docker-password=.......\
helm upgrade --install -n default \
     --set storageClassName=local-path \
     hopskotch gracedb-helm/hopskotch
helm upgrade --install -n default \
     --set traefik.install=false \
     --set storageClassName=local-path \
     --set publicName="gracedb-dev.ldas.cit" \
     gracedb gracedb-helm/gracedb
helm upgrade --install -n default \
     --set storageClassName=local-path \
     --set gracedb.hostAlias.hostname="gracedb-dev.ldas.cit" \
     --set gracedb.hostAlias.ip="" \
     meg meg
ALL_PERMS=True ./utility/
kubectl get pods,svc,deployment,pv,pvc,secrets,jobs --all-namespaces

Inside the meg-0 container (that may be started with the command),

kubectl exec -it meg-0 -- bash
The basic fuctionality may be tested giving the commands:
pip install hop-client igwn-alert
.local/bin/hop list-topics  --no-auth   kafka://hopskotch:9092
.local/bin/hop list-topics  --no-auth   kafka://gracedb-dev.ldas.cit:9092
.local/bin/igwn-alert  --no-auth  -g default -s   kafka://gracedb-dev.ldas.cit:9092 topics
meg ca-certificate /tmp/ca.crt 
cat $(python -m requests.certs) /tmp/ca.crt > cacerts.pem
REQUESTS_CA_BUNDLE=cacerts.pem gracedb -s https://gracedb-dev.ldas.cit/api credentials server
To copy the server certificate on the local directory (to use in the host)
kubectl cp default/meg-0:cacerts.pem cacerts.pem