Merge pull request #37 from HideyoshiNakazone/implementa-novo-deploy-secrets

Implementa Novo Formato de Secrets
2023-10-09 02:04:16 -03:00
committed by GitHub
20 changed files with 287 additions and 6592 deletions


@@ -17,42 +17,15 @@ jobs:
with: with:
python-version: "3.10" python-version: "3.10"
- name: Make Env File - name: Create Config Json File
uses: SpicyPizza/create-envfile@v2.0 run: |
with: echo ${{ secrets.CONFIG_JSON }} | base64 -d > config.json
envkey_BACKEND_OAUTH_URL: ${{ secrets.BACKEND_OAUTH_URL }}
envkey_BACKEND_URL: ${{ secrets.BACKEND_URL }}
envkey_FRONTEND_PATH: ${{ secrets.FRONTEND_PATH }}
envkey_GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
envkey_GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
envkey_GOOGLE_REDIRECT_URL: ${{ secrets.GOOGLE_REDIRECT_URL }}
envkey_OAUTH_GITHUB_CLIENT_ID: ${{ secrets.OAUTH_GITHUB_CLIENT_ID }}
envkey_OAUTH_GITHUB_CLIENT_SECRET: ${{ secrets.OAUTH_GITHUB_CLIENT_SECRET }}
envkey_OAUTH_GITHUB_REDIRECT_URL: ${{ secrets.OAUTH_GITHUB_REDIRECT_URL }}
envkey_ACCESS_TOKEN_DURATION: ${{ secrets.ACCESS_TOKEN_DURATION}}
envkey_DEFAULT_USER_EMAIL: ${{ secrets.DEFAULT_USER_EMAIL}}
envkey_DEFAULT_USER_FULLNAME: ${{ secrets.DEFAULT_USER_FULLNAME}}
envkey_DEFAULT_USER_PASSWORD: ${{ secrets.DEFAULT_USER_PASSWORD}}
envkey_DEFAULT_USER_USERNAME: ${{ secrets.DEFAULT_USER_USERNAME}}
envkey_POSTGRES_DB: ${{ secrets.POSTGRES_DB}}
envkey_POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD}}
envkey_POSTGRES_USER: ${{ secrets.POSTGRES_USER}}
envkey_REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD}}
envkey_REFRESH_TOKEN_DURATION: ${{ secrets.REFRESH_TOKEN_DURATION}}
envkey_TOKEN_SECRET: ${{ secrets.TOKEN_SECRET}}
envkey_STORAGE_TYPE: ${{ secrets.STORAGE_TYPE }}
envkey_AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
envkey_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
envkey_AWS_REGION_NAME: ${{ secrets.AWS_REGION_NAME }}
envkey_AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }}
envkey_VIRUS_CHECKER_TYPE: ${{ secrets.VIRUS_CHECKER_TYPE }}
envkey_VIRUS_CHECKER_API_KEY: ${{ secrets.VIRUS_CHECKER_API_KEY }}
- name: Inserts Prod Enviromental Variables - name: Inserts Prod Enviromental Variables
run: | run: |
python -m pip install --upgrade pip pipenv python -m pip install --upgrade pip pipenv
pipenv install pipenv install
pipenv run python setup.py -e prod -f .env pipenv run python setup.py -e prod -f config.json
- name: copy file via ssh - name: copy file via ssh
uses: appleboy/scp-action@master uses: appleboy/scp-action@master
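Review bot: The decoded secret is produced by expanding `${{ secrets.CONFIG_JSON }}` directly into the shell text of the `run:` step at line 16, so the value is subject to word splitting and becomes part of the script source instead of an environment variable. The conventional hardening is to hand it to the step through `env:` and reference it quoted: `env:` / `  CONFIG_JSON: ${{ secrets.CONFIG_JSON }}` on the step, then `run: printf '%s' "$CONFIG_JSON" | base64 -d > config.json`. The staging workflow's first hunk (its `Create Config Json File` step) has the identical line and needs the same change. The job's remaining steps continue outside this hunk.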


@@ -17,42 +17,15 @@ jobs:
with: with:
python-version: "3.10" python-version: "3.10"
- name: Make Env File - name: Create Config Json File
uses: SpicyPizza/create-envfile@v2.0 run: |
with: echo ${{ secrets.CONFIG_JSON }} | base64 -d > config.json
envkey_BACKEND_OAUTH_URL: ${{ secrets.BACKEND_OAUTH_URL }}
envkey_BACKEND_URL: ${{ secrets.BACKEND_URL }}
envkey_FRONTEND_PATH: ${{ secrets.FRONTEND_PATH }}
envkey_GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
envkey_GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
envkey_GOOGLE_REDIRECT_URL: ${{ secrets.GOOGLE_REDIRECT_URL }}
envkey_OAUTH_GITHUB_CLIENT_ID: ${{ secrets.OAUTH_GITHUB_CLIENT_ID }}
envkey_OAUTH_GITHUB_CLIENT_SECRET: ${{ secrets.OAUTH_GITHUB_CLIENT_SECRET }}
envkey_OAUTH_GITHUB_REDIRECT_URL: ${{ secrets.OAUTH_GITHUB_REDIRECT_URL }}
envkey_ACCESS_TOKEN_DURATION: ${{ secrets.ACCESS_TOKEN_DURATION}}
envkey_DEFAULT_USER_EMAIL: ${{ secrets.DEFAULT_USER_EMAIL}}
envkey_DEFAULT_USER_FULLNAME: ${{ secrets.DEFAULT_USER_FULLNAME}}
envkey_DEFAULT_USER_PASSWORD: ${{ secrets.DEFAULT_USER_PASSWORD}}
envkey_DEFAULT_USER_USERNAME: ${{ secrets.DEFAULT_USER_USERNAME}}
envkey_POSTGRES_DB: ${{ secrets.POSTGRES_DB}}
envkey_POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD}}
envkey_POSTGRES_USER: ${{ secrets.POSTGRES_USER}}
envkey_REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD}}
envkey_REFRESH_TOKEN_DURATION: ${{ secrets.REFRESH_TOKEN_DURATION}}
envkey_TOKEN_SECRET: ${{ secrets.TOKEN_SECRET}}
envkey_STORAGE_TYPE: ${{ secrets.STORAGE_TYPE }}
envkey_AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
envkey_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
envkey_AWS_REGION_NAME: ${{ secrets.AWS_REGION_NAME }}
envkey_AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }}
envkey_VIRUS_CHECKER_TYPE: ${{ secrets.VIRUS_CHECKER_TYPE }}
envkey_VIRUS_CHECKER_API_KEY: ${{ secrets.VIRUS_CHECKER_API_KEY }}
# - name: Inserts Prod Enviromental Variables - name: Inserts Prod Enviromental Variables
# run: | run: |
# python -m pip install --upgrade pip pipenv python -m pip install --upgrade pip pipenv
# pipenv install pipenv install
# pipenv run python setup.py -e staging -f .env pipenv run python setup.py -e staging -f config.json
- name: copy file via ssh - name: copy file via ssh
uses: appleboy/scp-action@master uses: appleboy/scp-action@master
@@ -64,13 +37,13 @@ jobs:
source: "." source: "."
target: "infra-hideyoshi.com" target: "infra-hideyoshi.com"
# - name: executing remote ssh commands - name: executing remote ssh commands
# uses: appleboy/ssh-action@master uses: appleboy/ssh-action@master
# with: with:
# host: ${{ secrets.SSH_HOST }} host: ${{ secrets.SSH_HOST }}
# username: ${{ secrets.SSH_USER }} username: ${{ secrets.SSH_USER }}
# port: ${{ secrets.SSH_PORT }} port: ${{ secrets.SSH_PORT }}
# key: ${{ secrets.SSH_KEY }} key: ${{ secrets.SSH_KEY }}
# script: | script: |
# cd infra-hideyoshi.com cd infra-hideyoshi.com
# ./deploy.sh --staging ./deploy.sh --staging
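Review bot: The re-enabled remote step at the end of the section still runs `./deploy.sh --staging`, but the deploy.sh hunks in this same PR delete the `--staging`/`-s` branch of `main`, so on the staging host the script presumably takes the unconditional `else` path, which applies the cloud ingress-nginx manifest and polls for a LoadBalancer external IP with no upper bound. If a staging-specific path is still intended, either keep a `--staging` case in deploy.sh or pass the argument the new `else` branch is designed for; if the fallthrough is deliberate, a comment on the step such as `# --staging is accepted for compatibility; deploy.sh treats anything but --dev as the production path` would record that. The `script:` block is the last part of the job visible here; the rest of the workflow is outside the hunk.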

11
.gitignore vendored

@@ -6,18 +6,11 @@
.vscode/ .vscode/
**/storage-secret.yaml **/*.json
**/backend-secret.yaml
**/frontend-secret.yaml
**/postgres-secret.yaml
**/redis-secret.yaml
**/cert-manager-certificate.yaml **/cert-manager-certificate.yaml
**/deployment/nginx-ingress/nginx-ingress-api.yaml **/deployment/nginx-ingress/nginx-ingress-api.yaml
**/deployment/nginx-ingress/nginx-ingress-root.yaml **/deployment/nginx-ingress/nginx-ingress-root.yaml
*.patch
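Review bot: Replacing the five named `*-secret.yaml` entries with `**/*.json` at line 114 ignores every JSON file in the tree, not only the secret-bearing ones, so a legitimately tracked JSON file (an example template, a tool config) would be silently excluded from future commits. Listing the paths the new deploy.sh actually reads — `**/deployment/secrets/*.json` and `config.json` — keeps the intent explicit, and an un-ignored `deployment/secrets/*.example.json` (via a `!` negation) would let the expected key names be checked in without the values.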

120
deploy.sh

@@ -1,72 +1,67 @@
#!/bin/bash #!/bin/bash
function check_k3s_installation() { function configure_nginx_ingress() {
if [ ! -f /usr/local/bin/k3s ]; then kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.9.0/deploy/static/provider/cloud/deploy.yaml
curl -sfL https://get.k3s.io | sh - kubectl wait --namespace ingress-nginx \
sudo chmod 644 /etc/rancher/k3s/k3s.yaml; --for=condition=ready pod \
fi --selector=app.kubernetes.io/component=controller \
--timeout=120s
} }
function start_cert_manager() { function configure_cert_manager() {
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.5/cert-manager.yaml
kubectl apply -f ./deployment/cert-manager/cert-manager.yaml;
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/cert-manager \ deployment.apps/cert-manager \
deployment.apps/cert-manager-cainjector \ deployment.apps/cert-manager-cainjector \
deployment.apps/cert-manager-webhook \ deployment.apps/cert-manager-webhook \
-n cert-manager; -n cert-manager
} }
function application_deploy() { function application_deploy() {
kubectl apply -f ./deployment/portfolio-namespace.yaml; kubectl apply -f ./deployment/portfolio-namespace.yaml
kubectl create secret generic backend-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/backendSecret.json)
kubectl create secret generic frontend-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/frontendSecret.json)
kubectl create secret generic postgres-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/postgresSecret.json)
kubectl create secret generic redis-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/redisSecret.json)
kubectl create secret generic storage-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/storageSecret.json)
kubectl apply -f ./deployment/postgres/postgres-secret.yaml; kubectl apply -f ./deployment/postgres
kubectl apply -f ./deployment/redis/redis-secret.yaml;
kubectl apply -f ./deployment/storage/storage-secret.yaml;
kubectl apply -f ./deployment/backend/backend-secret.yaml;
kubectl apply -f ./deployment/frontend/frontend-secret.yaml;
kubectl apply -f \
./deployment/cert-manager/cert-manager-certificate.yaml;
kubectl apply -f ./deployment/postgres;
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/postgres-deployment \ deployment.apps/postgres-deployment \
-n portfolio; -n portfolio
kubectl apply -f ./deployment/redis; kubectl apply -f ./deployment/redis
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/redis-deployment \ deployment.apps/redis-deployment \
-n portfolio; -n portfolio
kubectl apply -f ./deployment/frontend; kubectl apply -f ./deployment/frontend
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/frontend-deployment \ deployment.apps/frontend-deployment \
-n portfolio; -n portfolio
kubectl apply -f ./deployment/storage; kubectl apply -f ./deployment/storage
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/storage-deployment \ deployment.apps/storage-deployment \
-n portfolio; -n portfolio
kubectl apply -f ./deployment/backend; kubectl apply -f ./deployment/backend
kubectl wait --for=condition=available \ kubectl wait --for=condition=available \
--timeout=600s \ --timeout=600s \
deployment.apps/backend-deployment \ deployment.apps/backend-deployment \
-n portfolio; -n portfolio
kubectl apply -f \ kubectl apply -f \
./deployment/nginx-ingress/nginx-ingress-root.yaml; ./deployment/nginx-ingress/nginx-ingress-root.yaml
kubectl apply -f \ kubectl apply -f \
./deployment/nginx-ingress/nginx-ingress-api.yaml; ./deployment/nginx-ingress/nginx-ingress-api.yaml
} }
@@ -78,52 +73,45 @@ function main() {
minikube kubectl -- $@ minikube kubectl -- $@
} }
minikube start --driver kvm2; minikube start --driver kvm2
minikube addons enable ingress-dns; minikube addons enable ingress-dns
minikube addons enable ingress; minikube addons enable ingress
start_cert_manager application_deploy
configure_cert_manager
kubectl apply -f ./deployment/cert-manager/cert-manager-issuer-dev.yaml
kubectl apply -f \ kubectl apply -f \
./deployment/cert-manager/cert-manager-issuer-dev.yaml; ./deployment/cert-manager/cert-manager-certificate.yaml
application_deploy echo "http://$(/usr/bin/minikube ip)"
echo "http://$(/usr/bin/minikube ip)";
elif [[ $1 == "--staging" || $1 == "-s" ]]; then
check_k3s_installation
kubectl apply -f ./deployment/nginx-ingress/nginx-ingress.yaml;
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=120s;
start_cert_manager
kubectl apply -f ./deployment/cert-manager/cert-manager-issuer.yaml;
application_deploy
else else
check_k3s_installation configure_nginx_ingress
kubectl apply -f ./deployment/nginx-ingress/nginx-ingress.yaml;
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=120s;
start_cert_manager
kubectl apply -f ./deployment/cert-manager/cert-manager-issuer.yaml;
application_deploy application_deploy
external_ip=""
while [ -z $external_ip ]; do
echo "Waiting for end point..."
external_ip=$(kubectl get svc --namespace=ingress-nginx ingress-nginx-controller --template="{{range .status.loadBalancer.ingress}}{{.ip}}{{end}}")
[ -z "$external_ip" ] && sleep 10
done
configure_cert_manager
kubectl apply -f \
./deployment/cert-manager/cert-manager-issuer.yaml
kubectl apply -f \
./deployment/cert-manager/cert-manager-certificate.yaml
fi fi
exit 0; exit 0
} }
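Review bot: The five `kubectl create secret generic … --from-env-file <(jq …)` lines in `application_deploy` (lines 149–153) are not idempotent: `create` exits non-zero when the Secret already exists, so a second run of the script against the same cluster stops at the first secret, whereas the `kubectl apply` lines they replace could be re-run. Rendering the Secret with `--dry-run=client -o yaml` and piping it to `kubectl apply -f -` keeps the jq-based env-file conversion and restores re-runnability; the fence below moves that into a helper so the five call sites differ only by name and file. Separately, the `while [ -z $external_ip ]` loop in `main` (lines 225–229) has no iteration limit and its test operand is unquoted, unlike the check on line 228; a bounded attempt counter with `[ -z "$external_ip" ]` would fail the deploy instead of hanging forever when no LoadBalancer address is ever assigned. `main` begins before the second hunk.
```shell
function apply_secret_from_json() {
  # $1 = Secret name, $2 = JSON file of flat key/value pairs.
  # Render client-side and apply, so re-running the script updates the
  # Secret instead of failing with AlreadyExists.
  kubectl create secret generic "$1" -n portfolio \
    --from-env-file <(jq -r 'to_entries|map("\(.key)=\(.value|tostring)")|.[]' "$2") \
    --dry-run=client -o yaml | kubectl apply -f -
}

function application_deploy() {
  kubectl apply -f ./deployment/portfolio-namespace.yaml
  apply_secret_from_json backend-secret ./deployment/secrets/backendSecret.json
  apply_secret_from_json frontend-secret ./deployment/secrets/frontendSecret.json
  apply_secret_from_json postgres-secret ./deployment/secrets/postgresSecret.json
  apply_secret_from_json redis-secret ./deployment/secrets/redisSecret.json
  apply_secret_from_json storage-secret ./deployment/secrets/storageSecret.json
  # … unchanged: kubectl apply/wait sequence for postgres, redis, frontend, storage, backend and the ingress manifests …
}
```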


@@ -24,49 +24,49 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: frontend-secret name: frontend-secret
key: frontend_path key: frontendPath
- name: TOKEN_SECRET - name: TOKEN_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: token_secret key: tokenSecret
- name: ACCESS_TOKEN_DURATION - name: ACCESS_TOKEN_DURATION
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: access_token_duration key: accessTokenDuration
- name: REFRESH_TOKEN_DURATION - name: REFRESH_TOKEN_DURATION
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: refresh_token_duration key: refreshTokenDuration
- name: DEFAULT_USER_FULLNAME - name: DEFAULT_USER_FULLNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: default_user_fullname key: defaultUserFullName
- name: DEFAULT_USER_EMAIL - name: DEFAULT_USER_EMAIL
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: default_user_email key: defaultUserEmail
- name: DEFAULT_USER_USERNAME - name: DEFAULT_USER_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: default_user_username key: defaultUserUsername
- name: DEFAULT_USER_PASSWORD - name: DEFAULT_USER_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: default_user_password key: defaultUserPassword
- name: PORT - name: PORT
valueFrom: valueFrom:
@@ -78,37 +78,37 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: google_client_id key: googleClientId
- name: GOOGLE_CLIENT_SECRET - name: GOOGLE_CLIENT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: google_client_secret key: googleClientSecret
- name: GOOGLE_REDIRECT_URL - name: GOOGLE_REDIRECT_URL
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: google_redirect_url key: googleRedirectUrl
- name: GITHUB_CLIENT_ID - name: GITHUB_CLIENT_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: github_client_id key: githubClientId
- name: GITHUB_CLIENT_SECRET - name: GITHUB_CLIENT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: github_client_secret key: githubClientSecret
- name: GITHUB_REDIRECT_URL - name: GITHUB_REDIRECT_URL
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: github_redirect_url key: githubRedirectUrl
- name: POSTGRES_URL - name: POSTGRES_URL
valueFrom: valueFrom:
@@ -120,7 +120,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: postgres-secret name: postgres-secret
key: POSTGRES_DB key: postgresDatabase
- name: DATABASE_URL - name: DATABASE_URL
value: "postgresql://$(POSTGRES_URL):5432/$(POSTGRES_DB)" value: "postgresql://$(POSTGRES_URL):5432/$(POSTGRES_DB)"
@@ -129,13 +129,13 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: postgres-secret name: postgres-secret
key: POSTGRES_USER key: postgresUser
- name: DATABASE_PASSWORD - name: DATABASE_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: postgres-secret name: postgres-secret
key: POSTGRES_PASSWORD key: postgresPassword
- name: REDIS_URL - name: REDIS_URL
valueFrom: valueFrom:
@@ -153,7 +153,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: redis-secret name: redis-secret
key: redis-password key: redisPassword
- name: STORAGE_SERVICE_URL - name: STORAGE_SERVICE_URL
valueFrom: valueFrom:
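Review bot: Every `secretKeyRef.key` renamed in this section now has to match a key that deploy.sh derives from `deployment/secrets/backendSecret.json`, `postgresSecret.json` and `redisSecret.json`, files this PR gitignores, so nothing left in the repository pins those names; a mismatch (the `defaultUserFullName` capitalisation next to `defaultUserUsername`, or `postgresDatabase` feeding `POSTGRES_DB`, are the kind of thing that would slip) only surfaces as a CreateContainerConfigError at pod start. Checking in a values-free template of each secrets file, or at minimum a comment above the `env:` list such as `# keys are the camelCase fields of deployment/secrets/backendSecret.json (see application_deploy in deploy.sh)`, would give reviewers something to diff against. The same applies to the frontend, postgres, redis and storage deployment sections. The container's `env:` list starts and ends outside these hunks.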



@@ -28,12 +28,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: frontend-secret name: frontend-secret
key: backend_url key: backendUrl
- name: BACKEND_OAUTH_URL - name: BACKEND_OAUTH_URL
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: frontend-secret name: frontend-secret
key: backend_oauth_url key: backendOAuthUrl
--- ---
apiVersion: v1 apiVersion: v1


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx-controller-loadbalancer
namespace: ingress-nginx
spec:
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
type: LoadBalancer
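Review bot: Nothing in the new deploy.sh applies this `ingress-nginx-controller-loadbalancer` Service, and the upstream `provider/cloud/deploy.yaml` the script now pulls appears to ship its own `ingress-nginx-controller` Service of `type: LoadBalancer` (the vendored 1.8.0 copy deleted in this PR contained exactly that stanza), so this file looks either unused or like a second external address on the same controller pods; the `external_ip` poll in deploy.sh watches `ingress-nginx-controller`, not this name. If it is meant for a host where the bundled Service never gets an address, a header comment stating that and naming the command that applies it would make the intent clear, e.g. `# Standalone LoadBalancer for hosts without the cloud-provider Service; not applied by deploy.sh`. Also, `targetPort` here is numeric (`80`/`443`) whereas the deleted controller manifest declared named container ports `http`/`https`; referencing the names survives a port renumbering.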


@@ -1,645 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- ingress-nginx-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller
namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalTrafficPolicy: Local
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
spec:
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-nginx-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None


@@ -19,9 +19,24 @@ spec:
imagePullPolicy: "IfNotPresent" imagePullPolicy: "IfNotPresent"
ports: ports:
- containerPort: 5432 - containerPort: 5432
envFrom: env:
- secretRef: - name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret name: postgres-secret
key: postgresPassword
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: postgres-secret
key: postgresUser
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: postgres-secret
key: postgresDatabase
volumeMounts: volumeMounts:
- mountPath: /var/lib/postgresql/data - mountPath: /var/lib/postgresql/data
name: postgredb name: postgredb


@@ -24,7 +24,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: redis-secret name: redis-secret
key: redis-password key: redisPassword
--- ---
apiVersion: v1 apiVersion: v1


@@ -36,49 +36,49 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: redis-secret name: redis-secret
key: redis-password key: redisPassword
- name: REDIS_URL - name: REDIS_URL
value: "redis://:$(REDIS_PASSWORD)@$(REDIS_BASE_URL):$(REDIS_PORT)" value: "redis://:$(REDIS_PASSWORD)@$(REDIS_BASE_URL):$(REDIS_PORT)/rq"
- name: STORAGE_TYPE - name: STORAGE_TYPE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: storage_type key: storageType
- name: AWS_ACCESS_KEY_ID - name: AWS_ACCESS_KEY_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: aws_access_key_id key: awsAccessKeyId
- name: AWS_SECRET_ACCESS_KEY - name: AWS_SECRET_ACCESS_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: aws_access_access_key key: awsSecretAccessKey
- name: AWS_REGION_NAME - name: AWS_REGION_NAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: aws_region_name key: awsRegion
- name: AWS_BUCKET_NAME - name: AWS_BUCKET_NAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: aws_bucket_name key: awsBucket
- name: VIRUS_CHECKER_TYPE - name: VIRUS_CHECKER_TYPE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: virus_checker_type key: virusCheckerType
- name: VIRUS_CHECKER_API_KEY - name: VIRUS_CHECKER_API_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: virus_checher_api_key key: virusCheckerApiKey
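Review bot: Line 1076 changes `REDIS_URL` from `…:$(REDIS_PORT)` to `…:$(REDIS_PORT)/rq`, a runtime behaviour change unrelated to the secrets-format work the PR describes and not mentioned in its description. In a `redis://` URL the path segment conventionally carries the numeric database index, so a client will either ignore `/rq` or reject it depending on its parser; if the intent is to address the `rq` queue, that is normally a queue name given to the worker rather than a URL path. If `/rq` is deliberate, a comment on the line such as `# path segment selects the rq database — confirm the client accepts a non-numeric db` would help the next reader. The surrounding `env:` list continues outside the hunk.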


@@ -24,13 +24,13 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: frontend-secret name: frontend-secret
key: backend_url key: backendUrl
- name: EXPIRES_IN - name: EXPIRES_IN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: backend-secret name: backend-secret
key: access_token_duration key: accessTokenDuration
- name: SERVER_PORT - name: SERVER_PORT
valueFrom: valueFrom:
@@ -54,49 +54,49 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: redis-secret name: redis-secret
key: redis-password key: redisPassword
- name: STORAGE_TYPE - name: STORAGE_TYPE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: storage_type key: storageType
- name: AWS_ACCESS_KEY_ID - name: AWS_ACCESS_KEY_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: aws_access_key_id key: awsAccessKeyId
- name: AWS_SECRET_ACCESS_KEY - name: AWS_SECRET_ACCESS_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: aws_access_access_key key: awsSecretAccessKey
- name: AWS_REGION_NAME - name: AWS_REGION_NAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: aws_region_name key: awsRegion
- name: AWS_BUCKET_NAME - name: AWS_BUCKET_NAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: aws_bucket_name key: awsBucket
- name: VIRUS_CHECKER_TYPE - name: VIRUS_CHECKER_TYPE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: virus_checker_type key: virusCheckerType
- name: VIRUS_CHECKER_API_KEY - name: VIRUS_CHECKER_API_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: storage-secret name: storage-secret
key: virus_checher_api_key key: virusCheckerApiKey
--- ---
apiVersion: v1 apiVersion: v1

186
setup.py

@@ -3,40 +3,17 @@ from dotenv import load_dotenv
from envsubst import envsubst from envsubst import envsubst
from pathlib import Path, PosixPath from pathlib import Path, PosixPath
import argparse import argparse
import warnings
import json
import os import os
ENV_VARIABLES = [
"FRONTEND_PATH",
"BACKEND_URL",
"BACKEND_OAUTH_URL",
"TOKEN_SECRET",
"ACCESS_TOKEN_DURATION",
"REFRESH_TOKEN_DURATION",
"DEFAULT_USER_FULLNAME",
"DEFAULT_USER_EMAIL",
"DEFAULT_USER_USERNAME",
"DEFAULT_USER_PASSWORD",
"GOOGLE_CLIENT_ID",
"GOOGLE_CLIENT_SECRET",
"GOOGLE_REDIRECT_URL",
"OAUTH_GITHUB_CLIENT_ID",
"OAUTH_GITHUB_CLIENT_SECRET",
"OAUTH_GITHUB_REDIRECT_URL",
"POSTGRES_USER",
"POSTGRES_PASSWORD",
"POSTGRES_DB",
"REDIS_PASSWORD",
"STORAGE_TYPE",
"AWS_ACCESS_KEY_ID",
"AWS_SECRET_ACCESS_KEY",
"AWS_REGION_NAME",
"AWS_BUCKET_NAME",
"VIRUS_CHECKER_TYPE",
"VIRUS_CHECKER_API_KEY",
]
def write_template(template: str, output: str):
with open(template, 'r') as template,\
open(output, 'w') as output:
output.write(envsubst(template.read()))
def setting_environment(environment: str): def configure_templates(environment: str):
if not environment in ("prod", "staging", "local", "dev"): if not environment in ("prod", "staging", "local", "dev"):
raise ValueError("Invalid Environment Selected") raise ValueError("Invalid Environment Selected")
@@ -54,48 +31,141 @@ def setting_environment(environment: str):
os.environ["DOMAIN"] = DOMAIN os.environ["DOMAIN"] = DOMAIN
os.environ["API_DOMAIN"] = API_DOMAIN os.environ["API_DOMAIN"] = API_DOMAIN
write_template(
"template/cert-manager/cert-manager-certificate.template.yaml",
"deployment/cert-manager/cert-manager-certificate.yaml"
)
def load_secret_file(file: str): write_template(
secret_file_path = Path(file) "template/nginx-ingress/nginx-ingress-root.yaml",
if not secret_file_path.exists(): "deployment/nginx-ingress/nginx-ingress-root.yaml"
raise FileNotFoundError("Secret File Doesn't Exists") )
load_dotenv(dotenv_path=secret_file_path)
def fetch_env_variables(): def validate_backend_secret(secret: str):
for env in ENV_VARIABLES: required_keys = [
value = os.environ[env] 'tokenSecret',
value = value.encode("utf-8") 'accessTokenDuration',
os.environ[env] = b64encode(value).decode() 'refreshTokenDuration',
'defaultUserFullName',
'defaultUserEmail',
'defaultUserUsername',
'defaultUserPassword',
'googleClientId',
'googleClientSecret',
'googleRedirectUrl',
'githubClientId',
'githubClientSecret',
'githubRedirectUrl'
]
for key in required_keys:
if key not in secret:
raise ValueError(f"Key {key} not found in backendSecret")
def envsubst_file(file: PosixPath): def validate_frontend_secret(secret: str):
with open(file) as f: required_keys = [
formated_file = envsubst(f.read()) 'frontendPath',
'backendUrl',
'backendOAuthUrl',
]
new_file = Path("deployment") \ for key in required_keys:
.joinpath(*[part.split('.')[0] for part in file.parts if part != "template"]) \ if key not in secret:
.with_suffix(".yaml") raise ValueError(f"Key {key} not found in frontendSecret")
with open(new_file, 'w') as f:
f.write(formated_file)
def substitute_secrets_from_templates(): def validate_postgres_secret(secret: str):
for subdir in Path("template").glob("*"): required_keys = [
for file in subdir.glob("*.yaml"): 'postgresUser',
envsubst_file(file) 'postgresPassword',
'postgresDatabase'
]
for key in required_keys:
if key not in secret:
raise ValueError(f"Key {key} not found in postgresSecret")
def validate_redis_secret(secret: str):
required_keys = [
'redisPassword',
]
for key in required_keys:
if key not in secret:
raise ValueError(f"Key {key} not found in redisSecret")
def validate_storage_secret(secret: str):
required_keys = [
'storageType',
'awsAccessKeyId',
'awsSecretAccessKey',
'awsRegion',
'awsBucket',
'virusCheckerType',
'virusCheckerApiKey',
]
for key in required_keys:
if key not in secret:
raise ValueError(f"Key {key} not found in storageSecret")
def validate_env(env: dict):
required_secrets = [
'backendSecret',
'frontendSecret',
'postgresSecret',
'redisSecret',
'storageSecret',
]
for secret in required_secrets:
if secret not in env:
raise ValueError(f"Secret {secret} not found in env.json")
if secret == 'backendSecret':
validate_backend_secret(env[secret])
if secret == 'frontendSecret':
validate_frontend_secret(env[secret])
if secret == 'postgresSecret':
validate_postgres_secret(env[secret])
if secret == 'redisSecret':
validate_redis_secret(env[secret])
if secret == 'storageSecret':
validate_storage_secret(env[secret])
def write_secrets_to_file(env: dict):
for key, secret in env.items():
secrets_dir = Path("deployment", "secrets")
if not secrets_dir.exists():
secrets_dir.mkdir()
with open(secrets_dir.joinpath(f"{key}.json"), "w") as f:
json.dump(secret, f, indent=4)
def read_env_json(file: str) -> dict:
with open(file, "r") as f:
return json.load(f)
def main(file, environment): def main(file, environment):
setting_environment(environment) env = read_env_json(file)
load_secret_file(file) validate_env(env)
fetch_env_variables() write_secrets_to_file(env)
substitute_secrets_from_templates() configure_templates(environment)
if __name__ == "__main__": if __name__ == "__main__":
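Review bot: `write_secrets_to_file` dumps every secret (DB/Redis passwords, OAuth client secrets, AWS keys, the API key) as plaintext JSON under `deployment/secrets/` with whatever mode the umask yields, typically world-readable 0644, and `secrets_dir.mkdir()` is repeated inside the loop and, without `parents=True`, fails when `deployment/` does not exist yet; create the files owner-only through `os.open(..., 0o600)` as in the excerpt below, and make sure that directory is gitignored (not visible from this hunk). Separately, the `validate_*_secret` helpers annotate `secret: str` although they receive the parsed JSON object, so if a value in env.json is a string, `key not in secret` degrades to a substring test and a malformed file passes validation; add `if not isinstance(secret, dict): raise ValueError(f"{name} must be a JSON object")` at the top of each helper (or once in `validate_env`) and fix the annotation to `dict`. Presence is also the only thing checked, so an empty `tokenSecret` or `postgresPassword` still passes. Note that `load_dotenv`, `envsubst`'s base64 helper and the `load_secret_file`/`fetch_env_variables` callers were removed, so the `from dotenv import load_dotenv` context line (and any `b64encode` import above the hunk) look unused now.

```python
def write_secrets_to_file(env: dict):
    """Write each top-level secret of env.json to deployment/secrets/<name>.json, owner-readable only."""
    secrets_dir = Path("deployment", "secrets")
    secrets_dir.mkdir(parents=True, exist_ok=True)
    for key, secret in env.items():
        path = secrets_dir.joinpath(f"{key}.json")
        # plaintext credentials: create with 0600 and truncate any previous copy
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(secret, f, indent=4)
```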


@@ -1,20 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: backend-secret
type: Opaque
data:
token_secret: $TOKEN_SECRET
access_token_duration: $ACCESS_TOKEN_DURATION
refresh_token_duration: $REFRESH_TOKEN_DURATION
default_user_fullname: $DEFAULT_USER_FULLNAME
default_user_email: $DEFAULT_USER_EMAIL
default_user_username: $DEFAULT_USER_USERNAME
default_user_password: $DEFAULT_USER_PASSWORD
google_client_id: $GOOGLE_CLIENT_ID
google_client_secret: $GOOGLE_CLIENT_SECRET
google_redirect_url: $GOOGLE_REDIRECT_URL
github_client_id: $OAUTH_GITHUB_CLIENT_ID
github_client_secret: $OAUTH_GITHUB_CLIENT_SECRET
github_redirect_url: $OAUTH_GITHUB_REDIRECT_URL


@@ -1,10 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: frontend-secret
type: Opaque
data:
frontend_path: $FRONTEND_PATH
backend_url: $BACKEND_URL
backend_oauth_url: $BACKEND_OAUTH_URL


@@ -1,34 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: portfolio
name: nginx-ingress-api
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
tls:
- hosts:
- ${API_DOMAIN}
secretName: letsencrypt-cluster-certificate-tls
rules:
- host: ${DOMAIN}
http:
paths:
- path: /api(/|$)(.*)
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070
- http:
paths:
- path: /api(/|$)(.*)
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070


@@ -1,10 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: postgres-secret
type: Opaque
data:
POSTGRES_USER: $POSTGRES_USER
POSTGRES_PASSWORD: $POSTGRES_PASSWORD
POSTGRES_DB: $POSTGRES_DB


@@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: redis-secret
type: Opaque
data:
redis-password: $REDIS_PASSWORD


@@ -1,14 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: storage-secret
type: Opaque
data:
storage_type: $STORAGE_TYPE
aws_access_key_id: $AWS_ACCESS_KEY_ID
aws_access_access_key: $AWS_SECRET_ACCESS_KEY
aws_region_name: $AWS_REGION_NAME
aws_bucket_name: $AWS_BUCKET_NAME
virus_checker_type: $VIRUS_CHECKER_TYPE
virus_checher_api_key: $VIRUS_CHECKER_API_KEY