grycap · micafer · Mar 23, 2026 · Mar 23, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/artifacts/k8s_galaxy.yml b/artifacts/k8s_galaxy.yml
@@ -181,6 +181,8 @@
                   annotations:
                     nginx.ingress.kubernetes.io/connection-proxy-header: "keep-alive"
                     nginx.ingress.kubernetes.io/enable-websockets: "true"
+                    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
+                    traefik.ingress.kubernetes.io/router.tls: "true"
               # try to pack all the pods in the same nodes
               {{ AFFINITY | to_yaml }}
 

diff --git a/artifacts/yprovstore.yml b/artifacts/yprovstore.yml
@@ -0,0 +1,112 @@
+---
+- name: Install yProvStore
+  hosts: localhost
+  connection: local
+  vars:
+    branch: "v2.0.1"
+    traefik_letsencrypt_email: "{{ letsencrypt_email | default('server@yprovstore.fedcloud.eu') }}"
+    traefik_dns_name: "{{ vscode_dns_name | default('yprovstore.fedcloud.eu') }}"
+    traefik_public_ip: "{{ vscode_public_ip | default(ansible_default_ipv4.address) }}"
+  roles:
+    - role: 'grycap.docker'
+  tasks:
+    - name: check if yProvStore files are already downloaded
+      stat:
+        path: /opt/yProvStore/docker-compose.yml
+      register: docker_file_stat
+
+    - name: Download yProvStore files
+      git:
+        repo: 'https://github.com/HPCI-Lab/yProvStore'
+        dest: /opt/yProvStore
+        version: "{{ branch }}"
+      when: not docker_file_stat.stat.exists
+
+    - name: copy .env.example to .env
+      copy:
+        src: /opt/yProvStore/.env.example
+        dest: /opt/yProvStore/.env
+        remote_src: yes
+        mode: '644'
+        force: false
+
+    - name: Create keys directory
+      file:
+        path: /opt/yProvStore/keys/
+        state: directory
+        mode: '644'
+
+    - name: Create private key file for
+      copy:
+        content: ""
+        dest: /opt/yProvStore/keys/user_private.pem
+        mode: '644'
+        force: false
+
+    - name: Update .env file
+      lineinfile:
+        path: /opt/yProvStore/.env
+        regexp: '^{{ item.var }}='
+        line: '{{ item.var }}={{ item.value }}'
+      loop:
+        - { var: 'USE_LOCAL_PID_SERVICE', value: 'True' }
+        - { var: 'MINIO_ROOT_USER', value: 'minio' }
+        - { var: 'MINIO_ROOT_PASSWORD', value: '{{ minio_root_password | default("minio123") }}' }
+        - { var: 'MINIO_BUCKET_NAME', value: 'yprov-documents' }
+        - { var: 'MINIO_ENDPOINT', value: 'localhost:9000' }
+        - { var: 'MINIO_SECURE', value: 'False' }
+        - { var: 'POSTGRES_USER', value: 'postgres' }
+        - { var: 'POSTGRES_PASSWORD', value: 'postgres123' }
+        - { var: 'POSTGRES_DB', value: 'yprovstore' }
+        - { var: 'APP_PORT', value: '8000' }
+
+    - name: Update docker-compose.yml with Traefik configuration
+      blockinfile:
+        path: /opt/yProvStore/docker-compose.yml
+        insertbefore: '^  minio:'
+        prepend_newline: true
+        block: |
+          # Traefik reverse proxy configuration
+              labels:
+                - "traefik.enable=true"
+                - "traefik.http.routers.api.service=api"
+                - "traefik.http.routers.api.rule=Host(`{{ traefik_dns_name }}`, `{{ traefik_public_ip }}`)"
+                - "traefik.http.routers.api.entrypoints=websecure"
+                - "traefik.http.routers.api.tls.certresolver=myresolver"
+                - "traefik.http.services.api.loadbalancer.server.port=8000"
+            traefik:
+              image: "traefik:v2.11"
+              container_name: "traefik"
+              command:
+                # - "--log.level=DEBUG"
+                - "--api.insecure=true"
+                - "--providers.docker=true"
+                - "--providers.docker.exposedbydefault=false"
+                - "--entrypoints.web.address=:80"
+                - "--entrypoints.websecure.address=:443"
+                - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+                - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+                - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
+                - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+                - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+                #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+                - "--certificatesresolvers.myresolver.acme.email={{ traefik_letsencrypt_email }}"
+                - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+              ports:
+                - "80:80"
+                - "443:443"
+                - "8080:8080"
+              volumes:
+                - "./letsencrypt:/letsencrypt"
+                - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+    - name: Add curl package in Dockerfile
+      lineinfile:
+        path: /opt/yProvStore/Dockerfile
+        line: '    curl \'
+        insertafter: '    dos2unix \\'
+
+    - name: Exec docker-compose up
+      docker_compose:
+        project_src: /opt/yProvStore/
+        state: present
diff --git a/templates/enes.yaml b/templates/enes.yaml
@@ -78,7 +78,7 @@ topology_template:
           configure:
             implementation: https://raw.githubusercontent.com/grycap/tosca/main/artifacts/enes/enes.yml
             inputs:
-              enes_dns_name: { get_input: kube_public_dns_name }
+              enes_dns_name: { get_property: [ lrms_front_end, public_additional_dns_names, 0 ] }
               storage_size: { get_input: storage_size }
               enes_jupyterhub_crypt_key: { get_input: jupyterhub_crypt_key }
               enes_oidc_issuer: { get_input: enes_oidc_issuer }
@@ -90,4 +90,4 @@ topology_template:
 
   outputs:
     enes_web:
-      value: { concat: [ 'https://', get_input: kube_public_dns_name, '/' ] }
+      value: { concat: [ 'https://', get_property: [ lrms_front_end, public_additional_dns_names, 0 ], '/' ] }
diff --git a/templates/kubernetes.yaml b/templates/kubernetes.yaml
@@ -7,7 +7,7 @@ description: Deploy a Kubernetes Virtual Cluster.
 
 metadata:
   template_name: Kubernetes
-  template_version: "1.2.6"
+  template_version: "1.3.0"
   display_name: Deploy a Kubernetes Virtual Cluster
   icon: images/kubernetes.png
   order: 3
@@ -22,10 +22,12 @@ metadata:
       - kube_cert_user_email:
           enabled_by: kube_cert_manager
           tag_type: email
-      - kube_public_dns_name
+      - kube_public_additional_dns_names
       - kube_allowed_cidr:
           pattern: '([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2}'
       - kube_csi_driver
+      - kube_ingress_type
+      - kube_install_gateway_api
 
   childs:
     - kubeapps.yml
@@ -171,10 +173,25 @@ topology_template:
       type: string
       description: Email to be used in the Let's Encrypt issuer
       default: "jhondoe@server.com"
-    kube_public_dns_name:
+    kube_public_additional_dns_names:
+      type: list
+      description: DNS names to set to the Kubernetes Front-end
+      entry_schema:
+        type: string
+      default: ['']
+
+    kube_ingress_type:
       type: string
-      description: DNS name to set to the Kubernetes Front-end
-      default: ""
+      description: Select the type of controller to install
+      default: "nginx"
+      constraints:
+        - valid_values: [ "nginx", "traefik" ]
+    kube_install_gateway_api:
+      type: boolean
+      description: Flag to install Gateway API instead of Ingress
+      default: false
+      constraints:
+        - valid_values: [ false, true ]
 
     kube_allowed_cidr:
       type: string
@@ -213,9 +230,12 @@ topology_template:
         nvidia_support: { get_input: fe_kube_nvidia_support }
         cert_manager: { get_input: kube_cert_manager }
         cert_user_email: { get_input: kube_cert_user_email }
-        public_dns_name: { get_input: kube_public_dns_name}
+        public_dns_name: ""
+        public_additional_dns_names: { get_input: kube_public_additional_dns_names }
         cri_runtime: { get_input: kube_cri_runtime }
         csi_driver: { get_input: kube_csi_driver }
+        ingress_type: { get_input: kube_ingress_type }
+        install_gateway_api: { get_input: kube_install_gateway_api }
       requirements:
         - host: front
 
@@ -225,11 +245,11 @@ topology_template:
         endpoint:
           properties:
             dns_name: kubeserver
-            additional_dns_names:
-              - { get_input: kube_public_dns_name}
+            additional_dns_names: { get_input: kube_public_additional_dns_names}
             network_name: PUBLIC
         host:
           properties:
+            disk_size: { get_input: wn_disk_size }
             num_cpus: { get_input: fe_cpus }
             mem_size: { get_input: fe_mem }
             instance_type: { get_input: fe_instance_type }
@@ -286,7 +306,7 @@ topology_template:
     dashboard_endpoint:
       value: { concat: [ 'https://', get_attribute: [ front, public_address, 0 ], '/dashboard/' ] }
     dashboard_dns_endpoint:
-      value: { concat: [ 'https://', get_input: kube_public_dns_name, '/dashboard/' ] }
+      value: { concat: [ 'https://', get_property: [ lrms_front_end, public_additional_dns_names ], '/dashboard/' ] }
     api_endpoint:
       value: { concat: [ 'https://', get_attribute: [ front, public_address, 0 ], ':6443' ] }
     kubeconfig: