old-portfolio/infra-hideyoshi.com
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implements Better Deployment System (#4) (#5)

Browse Source 
* Initial Work of Better Deployment Script

* Checks if .secret is Present on Test Setup

* Implements Custom Routing per Profile

* Rewriting Setup Tools - Adds Postgres and Redis

* Rewriting Setup Tools - Adds Frontend

* Rewriting Setup Tools - Adds Backend

* Rewriting Setup Tools - Adds CertManager

* Rewriting Setup Tools - Adds Frontend

* Adds Nginx-Ingress and Fixes Staging Environment

* Updates CertManager and Nginx-Ingress

* Implements New Setup Process


Initial Adjustments to CI/CD


Adjusts CI/CD


test

* Adds CI/CD for Prod Environment
This commit is contained in:
Vitor Hideyoshi
2023-07-10 06:14:42 -03:00
committed by GitHub
parent 7c928b3ace
commit 2b92706be0
31 changed files with 1407 additions and 1037 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
.github/workflows/deploy-prod.yml vendored Normal file
View File

@@ -0,0 +1,62 @@
name: remote ssh command
on:
push:
branches:
- "main"
jobs:
build:
name: Build
environment: prod
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v2
- name: Make Env File
uses: SpicyPizza/create-envfile@v2.0
with:
envkey_FRONTEND_PATH: ${{ secrets.FRONTEND_PATH }}
envkey_TOKEN_SECRET: ${{ secrets.TOKEN_SECRET }}
envkey_ACCESS_TOKEN_DURATION: ${{ secrets.ACCESS_TOKEN_DURATION }}
envkey_REFRESH_TOKEN_DURATION: ${{ secrets.REFRESH_TOKEN_DURATION }}
envkey_DEFAULT_USER_FULLNAME: ${{ secrets.DEFAULT_USER_FULLNAME }}
envkey_DEFAULT_USER_EMAIL: ${{ secrets.DEFAULT_USER_EMAIL }}
envkey_DEFAULT_USER_USERNAME: ${{ secrets.DEFAULT_USER_USERNAME }}
envkey_DEFAULT_USER_PASSWORD: ${{ secrets.DEFAULT_USER_PASSWORD }}
envkey_GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
envkey_GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
envkey_GOOGLE_REDIRECT_URL: ${{ secrets.GOOGLE_REDIRECT_URL }}
envkey_OAUTH_GITHUB_CLIENT_ID: ${{ secrets.OAUTH_GITHUB_CLIENT_ID }}
envkey_OAUTH_GITHUB_CLIENT_SECRET: ${{ secrets.OAUTH_GITHUB_CLIENT_SECRET }}
envkey_OAUTH_GITHUB_REDIRECT_URL: ${{ secrets.OAUTH_GITHUB_REDIRECT_URL }}
envkey_POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
envkey_POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
envkey_POSTGRES_DB: ${{ secrets.POSTGRES_DB }}
envkey_REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
- name: Inserts Prod Enviromental Variables
run: |
./setup.sh --prod .env
- name: copy file via ssh
uses: appleboy/scp-action@master
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USER }}
port: ${{ secrets.SSH_PORT }}
key: ${{ secrets.SSH_KEY }}
source: "."
target: "infra-hideyoshi.com"
- name: executing remote ssh commands
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USER }}
port: ${{ secrets.SSH_PORT }}
key: ${{ secrets.SSH_KEY }}
script: |
cd infra-hideyoshi.com
./deploy.sh

62
.github/workflows/deploy-staging.yml vendored Normal file
View File

@@ -0,0 +1,62 @@
name: remote ssh command
on:
push:
branches:
- "staging"
jobs:
build:
name: Build
environment: staging
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v2
- name: Make Env File
uses: SpicyPizza/create-envfile@v2.0
with:
envkey_FRONTEND_PATH: ${{ secrets.FRONTEND_PATH }}
envkey_TOKEN_SECRET: ${{ secrets.TOKEN_SECRET }}
envkey_ACCESS_TOKEN_DURATION: ${{ secrets.ACCESS_TOKEN_DURATION }}
envkey_REFRESH_TOKEN_DURATION: ${{ secrets.REFRESH_TOKEN_DURATION }}
envkey_DEFAULT_USER_FULLNAME: ${{ secrets.DEFAULT_USER_FULLNAME }}
envkey_DEFAULT_USER_EMAIL: ${{ secrets.DEFAULT_USER_EMAIL }}
envkey_DEFAULT_USER_USERNAME: ${{ secrets.DEFAULT_USER_USERNAME }}
envkey_DEFAULT_USER_PASSWORD: ${{ secrets.DEFAULT_USER_PASSWORD }}
envkey_GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
envkey_GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
envkey_GOOGLE_REDIRECT_URL: ${{ secrets.GOOGLE_REDIRECT_URL }}
envkey_OAUTH_GITHUB_CLIENT_ID: ${{ secrets.OAUTH_GITHUB_CLIENT_ID }}
envkey_OAUTH_GITHUB_CLIENT_SECRET: ${{ secrets.OAUTH_GITHUB_CLIENT_SECRET }}
envkey_OAUTH_GITHUB_REDIRECT_URL: ${{ secrets.OAUTH_GITHUB_REDIRECT_URL }}
envkey_POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
envkey_POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
envkey_POSTGRES_DB: ${{ secrets.POSTGRES_DB }}
envkey_REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
- name: Inserts Prod Enviromental Variables
run: |
./setup.sh --staging .env
- name: copy file via ssh
uses: appleboy/scp-action@master
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USER }}
port: ${{ secrets.SSH_PORT }}
key: ${{ secrets.SSH_KEY }}
source: "."
target: "infra-hideyoshi.com"
- name: executing remote ssh commands
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USER }}
port: ${{ secrets.SSH_PORT }}
key: ${{ secrets.SSH_KEY }}
script: |
cd infra-hideyoshi.com
./deploy.sh --staging

66
.github/workflows/deploy.yml vendored
View File

@@ -1,66 +0,0 @@
name: remote ssh command
on:
push:
branches:
- "main"
env:
FRONTEND_PATH: ${{ secrets.FRONTEND_PATH }}
TOKEN_SECRET: ${{ secrets.TOKEN_SECRET }}
ACCESS_TOKEN_DURATION: ${{ secrets.ACCESS_TOKEN_DURATION }}
REFRESH_TOKEN_DURATION: ${{ secrets.REFRESH_TOKEN_DURATION }}
DEFAULT_USER_FULLNAME: ${{ secrets.DEFAULT_USER_FULLNAME }}
DEFAULT_USER_EMAIL: ${{ secrets.DEFAULT_USER_EMAIL }}
DEFAULT_USER_USERNAME: ${{ secrets.DEFAULT_USER_USERNAME }}
DEFAULT_USER_PASSWORD: ${{ secrets.DEFAULT_USER_PASSWORD }}
GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
GOOGLE_REDIRECT_URL: ${{ secrets.GOOGLE_REDIRECT_URL }}
OAUTH_GITHUB_CLIENT_ID: ${{ secrets.OAUTH_GITHUB_CLIENT_ID }}
OAUTH_GITHUB_CLIENT_SECRET: ${{ secrets.OAUTH_GITHUB_CLIENT_SECRET }}
OAUTH_GITHUB_REDIRECT_URL: ${{ secrets.OAUTH_GITHUB_REDIRECT_URL }}
POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
POSTGRES_DB: ${{ secrets.POSTGRES_DB }}
REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v2
- name: Inserts Prod Enviromental Variables
run: |
envsubst < $GITHUB_WORKSPACE/frontend/frontend-secret.template.yaml > $GITHUB_WORKSPACE/frontend/frontend-secret.yaml;
envsubst < $GITHUB_WORKSPACE/backend/backend-secret.template.yaml > $GITHUB_WORKSPACE/backend/backend-secret.yaml;
envsubst < $GITHUB_WORKSPACE/postgres/postgres-secret.template.yaml > $GITHUB_WORKSPACE/postgres/postgres-secret.yaml;
envsubst < $GITHUB_WORKSPACE/redis/redis-secret.template.yaml > $GITHUB_WORKSPACE/redis/redis-secret.yaml;
rm $GITHUB_WORKSPACE/frontend/frontend-secret.template.yaml;
rm $GITHUB_WORKSPACE/redis/redis-secret.template.yaml;
rm $GITHUB_WORKSPACE/postgres/postgres-secret.template.yaml;
rm $GITHUB_WORKSPACE/backend/backend-secret.template.yaml;
- name: copy file via ssh
uses: appleboy/scp-action@master
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
key: ${{ secrets.SSH_KEY }}
port: ${{ secrets.PORT }}
source: "."
target: "infra-hideyoshi.com"
- name: executing remote ssh commands using password
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
key: ${{ secrets.SSH_KEY }}
port: ${{ secrets.PORT }}
script: |
cd infra-hideyoshi.com;
./deploy.sh

21
.gitignore vendored
View File

@@ -1,6 +1,21 @@
.env
backend/backend-secret.yaml .secret*
postgres/postgres-secret.yaml .idea/
redis/redis-secret.yaml .vscode/
**/backend-secret.yaml
**/frontend-secret.yaml
**/postgres-secret.yaml
**/redis-secret.yaml
**/cert-manager-certificate.yaml
**/deployment/nginx-ingress/nginx-ingress-api.yaml
**/deployment/nginx-ingress/nginx-ingress-root.yaml

14
cert-manager/cert-manager-issuer-staging.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: cluster-certificate-issuer
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: vitor.h.n.batista@gmail.com
privateKeySecretRef:
name: cluster-certificate-issuer
solvers:
- http01:
ingress:
class: nginx

40
deploy.sh
View File

@@ -2,15 +2,14 @@
function check_k3s_installation() { function check_k3s_installation() {
if [ ! -f /usr/local/bin/k3s ]; then if [ ! -f /usr/local/bin/k3s ]; then
export INSTALL_K3S_EXEC="--no-deploy traefik"; curl -sfL https://get.k3s.io | sh -
curl -sfL https://get.k3s.io | sh - ;
sudo chmod 644 /etc/rancher/k3s/k3s.yaml; sudo chmod 644 /etc/rancher/k3s/k3s.yaml;
fi fi
} }
function start_cert_manager { function start_cert_manager() {
kubectl apply -f ./cert-manager/cert-manager.yaml; kubectl apply -f ./deployment/cert-manager/cert-manager.yaml;
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/cert-manager \ deployment.apps/cert-manager \
@@ -20,45 +19,45 @@ function start_cert_manager {
} }
function application_deploy { function application_deploy() {
kubectl apply -f ./portfolio-namespace.yaml; kubectl apply -f ./deployment/portfolio-namespace.yaml;
kubectl apply -f \ kubectl apply -f \
./cert-manager/cert-manager-certificate.yaml; ./deployment/cert-manager/cert-manager-certificate.yaml;
kubectl apply -f ./postgres; kubectl apply -f ./deployment/postgres;
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/postgres-deployment \ deployment.apps/postgres-deployment \
-n portfolio; -n portfolio;
kubectl apply -f ./redis; kubectl apply -f ./deployment/redis;
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/redis-deployment \ deployment.apps/redis-deployment \
-n portfolio; -n portfolio;
kubectl apply -f ./frontend; kubectl apply -f ./deployment/frontend;
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/frontend-deployment \ deployment.apps/frontend-deployment \
-n portfolio; -n portfolio;
kubectl apply -f ./backend; kubectl apply -f ./deployment/backend;
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/backend-deployment \ deployment.apps/backend-deployment \
-n portfolio; -n portfolio;
kubectl apply -f \ kubectl apply -f \
./nginx-ingress/nginx-ingress-root.yaml; ./deployment/nginx-ingress/nginx-ingress-root.yaml;
kubectl apply -f \ kubectl apply -f \
./nginx-ingress/nginx-ingress-api.yaml; ./deployment/nginx-ingress/nginx-ingress-api.yaml;
} }
function main { function main() {
if [[ $1 == "--test" || $1 == "-t" ]]; then if [[ $1 == "--test" || $1 == "-t" ]]; then
@@ -67,29 +66,30 @@ function main {
} }
minikube start --driver kvm2; minikube start --driver kvm2;
minikube addons enable ingress-dns;
minikube addons enable ingress; minikube addons enable ingress;
start_cert_manager start_cert_manager
kubectl apply -f \ kubectl apply -f \
./cert-manager/cert-manager-issuer-dev.yaml; ./deployment/cert-manager/cert-manager-issuer-dev.yaml;
application_deploy application_deploy
echo "http://$(/usr/local/bin/minikube ip)"; echo "http://$(/usr/bin/minikube ip)";
elif [[ $1 == "--staging" || $1 == "-s" ]]; then elif [[ $1 == "--staging" || $1 == "-s" ]]; then
check_k3s_installation check_k3s_installation
kubectl apply -f ./nginx-ingress/nginx-ingress.yaml; kubectl apply -f ./deployment/nginx-ingress/nginx-ingress.yaml;
kubectl wait --namespace ingress-nginx \ kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \ --for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \ --selector=app.kubernetes.io/component=controller \
--timeout=120s; --timeout=120s;
start_cert_manager start_cert_manager
kubectl apply -f ./cert-manager/cert-manager-issuer-staging.yaml; kubectl apply -f ./deployment/cert-manager/cert-manager-issuer.yaml;
application_deploy application_deploy
@@ -97,14 +97,14 @@ function main {
check_k3s_installation check_k3s_installation
kubectl apply -f ./nginx-ingress/nginx-ingress.yaml; kubectl apply -f ./deployment/nginx-ingress/nginx-ingress.yaml;
kubectl wait --namespace ingress-nginx \ kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \ --for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \ --selector=app.kubernetes.io/component=controller \
--timeout=120s; --timeout=120s;
start_cert_manager start_cert_manager
kubectl apply -f ./cert-manager/cert-manager-issuer-prod.yaml; kubectl apply -f ./deployment/cert-manager/cert-manager-issuer.yaml;
application_deploy application_deploy

3
backend/backend-config.yaml → deployment/backend/backend-config.yaml
View File

@@ -5,5 +5,4 @@ metadata:
name: backend-config name: backend-config
data: data:
backend_url: backend-service backend_url: backend-service
backend_port: "8070" backend_port: "8070"

0
backend/backend.yaml → deployment/backend/backend.yaml
View File

0
cert-manager/cert-manager-issuer-dev.yaml → deployment/cert-manager/cert-manager-issuer-dev.yaml
View File

0
cert-manager/cert-manager-issuer-prod.yaml → deployment/cert-manager/cert-manager-issuer.yaml
View File

662
cert-manager/cert-manager.yaml → deployment/cert-manager/cert-manager.yaml
View File

File diff suppressed because it is too large Load Diff

0
frontend/frontend-config.yaml → deployment/frontend/frontend-config.yaml
View File

12
frontend/frontend.yaml → deployment/frontend/frontend.yaml
View File

@@ -24,6 +24,16 @@ spec:
env: env:
- name: PORT - name: PORT
value: "5000" value: "5000"
- name: BACKEND_URL
valueFrom:
secretKeyRef:
name: frontend-secret
key: backend_url
- name: BACKEND_OAUTH_URL
valueFrom:
secretKeyRef:
name: frontend-secret
key: backend_oauth_url
--- ---
apiVersion: v1 apiVersion: v1
@@ -38,4 +48,4 @@ spec:
- port: 5000 - port: 5000
protocol: TCP protocol: TCP
targetPort: 5000 targetPort: 5000
type: ClusterIP type: ClusterIP

645
deployment/nginx-ingress/nginx-ingress.yaml Normal file
View File

@@ -0,0 +1,645 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- ingress-nginx-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller
namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalTrafficPolicy: Local
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
spec:
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-nginx-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None

0
portfolio-namespace.yaml → deployment/portfolio-namespace.yaml
View File

2
postgres/postgres-config.yaml → deployment/postgres/postgres-config.yaml
View File

@@ -4,4 +4,4 @@ metadata:
namespace: portfolio namespace: portfolio
name: postgres-config name: postgres-config
data: data:
postgres_url: postgres-service postgres_url: postgres-service

0
postgres/postgres-storage.yaml → deployment/postgres/postgres-storage.yaml
View File

4
postgres/postgres.yaml → deployment/postgres/postgres.yaml
View File

@@ -40,4 +40,6 @@ spec:
app: postgres app: postgres
ports: ports:
- port: 5432 - port: 5432
type: ClusterIP protocol: TCP
targetPort: 5432
type: ClusterIP

0
redis/redis-config.yaml → deployment/redis/redis-config.yaml
View File

2
redis/redis.yaml → deployment/redis/redis.yaml
View File

@@ -37,4 +37,4 @@ spec:
app: redis app: redis
ports: ports:
- port: 6379 - port: 6379
type: ClusterIP type: ClusterIP

34
nginx-ingress/nginx-ingress-api.yaml
View File

@@ -1,34 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: portfolio
name: nginx-ingress-api
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
tls:
- hosts:
- hideyoshi.com.br
secretName: letsencrypt-cluster-certificate-tls
rules:
- host: hideyoshi.com.br
http:
paths:
- path: /api(/|$)(.*)
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070
- http:
paths:
- path: /api(/|$)(.*)
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070

45
nginx-ingress/nginx-ingress-root.yaml
View File

@@ -1,45 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: portfolio
name: nginx-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- hideyoshi.com.br
- api.hideyoshi.com.br
secretName: letsencrypt-cluster-certificate-tls
rules:
- host: hideyoshi.com.br
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend-service
port:
number: 5000
- host: api.hideyoshi.com.br
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend-service
port:
number: 5000

617
nginx-ingress/nginx-ingress.yaml
View File

@@ -1,617 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- ingress-controller-leader
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-controller
namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalTrafficPolicy: Local
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
spec:
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.2.0
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None

62
setup.sh Executable file
View File

@@ -0,0 +1,62 @@
#!/bin/bash
TEMPLATE='./template'
WORK_DIR='./deployment'
function set_working_dir {
mkdir -p $WORK_DIR;
mkdir -p $WORK_DIR/redis;
mkdir -p $WORK_DIR/postgres;
mkdir -p $WORK_DIR/frontend;
mkdir -p $WORK_DIR/backend;
envsubst < $TEMPLATE/redis/redis-secret.template.yaml > $WORK_DIR/redis/redis-secret.yaml;
envsubst < $TEMPLATE/postgres/postgres-secret.template.yaml > $WORK_DIR/postgres/postgres-secret.yaml;
envsubst < $TEMPLATE/frontend/frontend-secret.template.yaml > $WORK_DIR/frontend/frontend-secret.yaml;
envsubst < $TEMPLATE/backend/backend-secret.template.yaml > $WORK_DIR/backend/backend-secret.yaml;
envsubst < $TEMPLATE/nginx-ingress/nginx-ingress-api.yaml > $WORK_DIR/nginx-ingress/nginx-ingress-api.yaml;
envsubst < $TEMPLATE/nginx-ingress/nginx-ingress-root.yaml > $WORK_DIR/nginx-ingress/nginx-ingress-root.yaml;
envsubst < $TEMPLATE/cert-manager/cert-manager-certificate.template.yaml > $WORK_DIR/cert-manager/cert-manager-certificate.yaml;
}
function main {
if [[ $1 == "--prod" || $1 == "-a" ]]; then
DOMAIN="hideyoshi.com.br"
API_DOMAIN="api.hideyoshi.com.br"
elif [[ $1 == "--staging" || $1 == "-a" ]]; then
DOMAIN="staging.hideyoshi.com.br"
API_DOMAIN="api.staging.hideyoshi.com.br"
elif [[ $1 == "--dev" || $1 == "-d" ]]; then
DOMAIN="hideyoshi.com.br"
API_DOMAIN="api.hideyoshi.com.br"
fi
[[ -z $2 ]] && secret_file=".secret" || secret_file=$2
if [[ -e $secret_file ]]; then
set -a
while read line; do
if [[ $line != "" ]]; then
variable=$(echo -n "$line" | cut -f 1 -d '=')
value=$(echo -n $(echo -n "$line" | cut -f 2- -d '=') | base64 -w 0)
declare "$variable=$value"
fi
done < $secret_file
set +a
else
echo "ERROR: Secret file not found.";
exit 1;
fi
set_working_dir
}
main $@

2
backend/backend-secret.template.yaml → template/backend/backend-secret.template.yaml
View File

@@ -17,4 +17,4 @@ data:
google_redirect_url: $GOOGLE_REDIRECT_URL google_redirect_url: $GOOGLE_REDIRECT_URL
github_client_id: $OAUTH_GITHUB_CLIENT_ID github_client_id: $OAUTH_GITHUB_CLIENT_ID
github_client_secret: $OAUTH_GITHUB_CLIENT_SECRET github_client_secret: $OAUTH_GITHUB_CLIENT_SECRET
github_redirect_url: $OAUTH_GITHUB_REDIRECT_URL github_redirect_url: $OAUTH_GITHUB_REDIRECT_URL

4
cert-manager/cert-manager-certificate.yaml → template/cert-manager/cert-manager-certificate.template.yaml
View File

@@ -5,8 +5,8 @@ metadata:
namespace: portfolio namespace: portfolio
spec: spec:
dnsNames: dnsNames:
- hideyoshi.com.br - ${DOMAIN}
- api.hideyoshi.com.br - ${API_DOMAIN}
secretName: letsencrypt-cluster-certificate-tls secretName: letsencrypt-cluster-certificate-tls
issuerRef: issuerRef:
name: cluster-certificate-issuer name: cluster-certificate-issuer

4
frontend/frontend-secret.template.yaml → template/frontend/frontend-secret.template.yaml
View File

@@ -5,4 +5,6 @@ metadata:
name: frontend-secret name: frontend-secret
type: Opaque type: Opaque
data: data:
frontend_path: $FRONTEND_PATH frontend_path: $FRONTEND_PATH
backend_url: $BACKEND_URL
backend_oauth_url: $BACKEND_OAUTH_URL

34
template/nginx-ingress/nginx-ingress-api.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: portfolio
name: nginx-ingress-api
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
tls:
- hosts:
- ${API_DOMAIN}
secretName: letsencrypt-cluster-certificate-tls
rules:
- host: ${DOMAIN}
http:
paths:
- path: /api(/|$)(.*)
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070
- http:
paths:
- path: /api(/|$)(.*)
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070

45
template/nginx-ingress/nginx-ingress-root.yaml Normal file
View File

@@ -0,0 +1,45 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: portfolio
name: nginx-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- ${DOMAIN}
- ${API_DOMAIN}
secretName: letsencrypt-cluster-certificate-tls
rules:
- host: ${DOMAIN}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend-service
port:
number: 5000
- host: ${API_DOMAIN}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend-service
port:
number: 5000

2
postgres/postgres-secret.template.yaml → template/postgres/postgres-secret.template.yaml
View File

@@ -7,4 +7,4 @@ type: Opaque
data: data:
POSTGRES_USER: $POSTGRES_USER POSTGRES_USER: $POSTGRES_USER
POSTGRES_PASSWORD: $POSTGRES_PASSWORD POSTGRES_PASSWORD: $POSTGRES_PASSWORD
POSTGRES_DB: $POSTGRES_DB POSTGRES_DB: $POSTGRES_DB

0
redis/redis-secret.template.yaml → template/redis/redis-secret.template.yaml
View File