old-portfolio/infra-hideyoshi.com
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #37 from HideyoshiNakazone/implementa-novo-deploy-secrets

Browse Source 
Implementa Novo Formato de Secrets
This commit is contained in:
Vitor Hideyoshi
2023-10-09 02:04:16 -03:00
committed by GitHub
parent f41356c079 45473adec5
commit 7cdff818c7
20 changed files with 287 additions and 6592 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
.github/workflows/deploy-prod.yml vendored
View File

@@ -17,42 +17,15 @@ jobs:
with:
python-version: "3.10"
- name: Make Env File
uses: SpicyPizza/create-envfile@v2.0
with:
envkey_BACKEND_OAUTH_URL: ${{ secrets.BACKEND_OAUTH_URL }}
envkey_BACKEND_URL: ${{ secrets.BACKEND_URL }}
envkey_FRONTEND_PATH: ${{ secrets.FRONTEND_PATH }}
envkey_GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
envkey_GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
envkey_GOOGLE_REDIRECT_URL: ${{ secrets.GOOGLE_REDIRECT_URL }}
envkey_OAUTH_GITHUB_CLIENT_ID: ${{ secrets.OAUTH_GITHUB_CLIENT_ID }}
envkey_OAUTH_GITHUB_CLIENT_SECRET: ${{ secrets.OAUTH_GITHUB_CLIENT_SECRET }}
envkey_OAUTH_GITHUB_REDIRECT_URL: ${{ secrets.OAUTH_GITHUB_REDIRECT_URL }}
envkey_ACCESS_TOKEN_DURATION: ${{ secrets.ACCESS_TOKEN_DURATION}}
envkey_DEFAULT_USER_EMAIL: ${{ secrets.DEFAULT_USER_EMAIL}}
envkey_DEFAULT_USER_FULLNAME: ${{ secrets.DEFAULT_USER_FULLNAME}}
envkey_DEFAULT_USER_PASSWORD: ${{ secrets.DEFAULT_USER_PASSWORD}}
envkey_DEFAULT_USER_USERNAME: ${{ secrets.DEFAULT_USER_USERNAME}}
envkey_POSTGRES_DB: ${{ secrets.POSTGRES_DB}}
envkey_POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD}}
envkey_POSTGRES_USER: ${{ secrets.POSTGRES_USER}}
envkey_REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD}}
envkey_REFRESH_TOKEN_DURATION: ${{ secrets.REFRESH_TOKEN_DURATION}}
envkey_TOKEN_SECRET: ${{ secrets.TOKEN_SECRET}}
envkey_STORAGE_TYPE: ${{ secrets.STORAGE_TYPE }}
envkey_AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
envkey_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
envkey_AWS_REGION_NAME: ${{ secrets.AWS_REGION_NAME }}
envkey_AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }}
envkey_VIRUS_CHECKER_TYPE: ${{ secrets.VIRUS_CHECKER_TYPE }}
envkey_VIRUS_CHECKER_API_KEY: ${{ secrets.VIRUS_CHECKER_API_KEY }}
- name: Create Config Json File
run: |
echo ${{ secrets.CONFIG_JSON }} | base64 -d > config.json
- name: Inserts Prod Enviromental Variables
run: |
python -m pip install --upgrade pip pipenv
pipenv install
pipenv run python setup.py -e prod -f .env
pipenv run python setup.py -e prod -f config.json
- name: copy file via ssh
uses: appleboy/scp-action@master

63
.github/workflows/deploy-staging.yml vendored
View File

@@ -17,42 +17,15 @@ jobs:
with:
python-version: "3.10"
- name: Make Env File
uses: SpicyPizza/create-envfile@v2.0
with:
envkey_BACKEND_OAUTH_URL: ${{ secrets.BACKEND_OAUTH_URL }}
envkey_BACKEND_URL: ${{ secrets.BACKEND_URL }}
envkey_FRONTEND_PATH: ${{ secrets.FRONTEND_PATH }}
envkey_GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
envkey_GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
envkey_GOOGLE_REDIRECT_URL: ${{ secrets.GOOGLE_REDIRECT_URL }}
envkey_OAUTH_GITHUB_CLIENT_ID: ${{ secrets.OAUTH_GITHUB_CLIENT_ID }}
envkey_OAUTH_GITHUB_CLIENT_SECRET: ${{ secrets.OAUTH_GITHUB_CLIENT_SECRET }}
envkey_OAUTH_GITHUB_REDIRECT_URL: ${{ secrets.OAUTH_GITHUB_REDIRECT_URL }}
envkey_ACCESS_TOKEN_DURATION: ${{ secrets.ACCESS_TOKEN_DURATION}}
envkey_DEFAULT_USER_EMAIL: ${{ secrets.DEFAULT_USER_EMAIL}}
envkey_DEFAULT_USER_FULLNAME: ${{ secrets.DEFAULT_USER_FULLNAME}}
envkey_DEFAULT_USER_PASSWORD: ${{ secrets.DEFAULT_USER_PASSWORD}}
envkey_DEFAULT_USER_USERNAME: ${{ secrets.DEFAULT_USER_USERNAME}}
envkey_POSTGRES_DB: ${{ secrets.POSTGRES_DB}}
envkey_POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD}}
envkey_POSTGRES_USER: ${{ secrets.POSTGRES_USER}}
envkey_REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD}}
envkey_REFRESH_TOKEN_DURATION: ${{ secrets.REFRESH_TOKEN_DURATION}}
envkey_TOKEN_SECRET: ${{ secrets.TOKEN_SECRET}}
envkey_STORAGE_TYPE: ${{ secrets.STORAGE_TYPE }}
envkey_AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
envkey_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
envkey_AWS_REGION_NAME: ${{ secrets.AWS_REGION_NAME }}
envkey_AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }}
envkey_VIRUS_CHECKER_TYPE: ${{ secrets.VIRUS_CHECKER_TYPE }}
envkey_VIRUS_CHECKER_API_KEY: ${{ secrets.VIRUS_CHECKER_API_KEY }}
- name: Create Config Json File
run: |
echo ${{ secrets.CONFIG_JSON }} | base64 -d > config.json
# - name: Inserts Prod Enviromental Variables
# run: |
# python -m pip install --upgrade pip pipenv
# pipenv install
# pipenv run python setup.py -e staging -f .env
- name: Inserts Prod Enviromental Variables
run: |
python -m pip install --upgrade pip pipenv
pipenv install
pipenv run python setup.py -e staging -f config.json
- name: copy file via ssh
uses: appleboy/scp-action@master
@@ -64,13 +37,13 @@ jobs:
source: "."
target: "infra-hideyoshi.com"
# - name: executing remote ssh commands
# uses: appleboy/ssh-action@master
# with:
# host: ${{ secrets.SSH_HOST }}
# username: ${{ secrets.SSH_USER }}
# port: ${{ secrets.SSH_PORT }}
# key: ${{ secrets.SSH_KEY }}
# script: |
# cd infra-hideyoshi.com
# ./deploy.sh --staging
- name: executing remote ssh commands
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USER }}
port: ${{ secrets.SSH_PORT }}
key: ${{ secrets.SSH_KEY }}
script: |
cd infra-hideyoshi.com
./deploy.sh --staging

11
.gitignore vendored
View File

@@ -6,18 +6,11 @@
.vscode/
**/storage-secret.yaml
**/backend-secret.yaml
**/frontend-secret.yaml
**/postgres-secret.yaml
**/redis-secret.yaml
**/*.json
**/cert-manager-certificate.yaml
**/deployment/nginx-ingress/nginx-ingress-api.yaml
**/deployment/nginx-ingress/nginx-ingress-root.yaml
*.patch

120
deploy.sh
View File

@@ -1,72 +1,67 @@
#!/bin/bash
function check_k3s_installation() {
if [ ! -f /usr/local/bin/k3s ]; then
curl -sfL https://get.k3s.io | sh -
sudo chmod 644 /etc/rancher/k3s/k3s.yaml;
fi
function configure_nginx_ingress() {
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.9.0/deploy/static/provider/cloud/deploy.yaml
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=120s
}
function start_cert_manager() {
kubectl apply -f ./deployment/cert-manager/cert-manager.yaml;
function configure_cert_manager() {
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.5/cert-manager.yaml
kubectl wait --for=condition=available \
--timeout=600s \
deployment.apps/cert-manager \
deployment.apps/cert-manager-cainjector \
deployment.apps/cert-manager-webhook \
-n cert-manager;
-n cert-manager
}
function application_deploy() {
kubectl apply -f ./deployment/portfolio-namespace.yaml;
kubectl apply -f ./deployment/portfolio-namespace.yaml
kubectl create secret generic backend-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/backendSecret.json)
kubectl create secret generic frontend-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/frontendSecret.json)
kubectl create secret generic postgres-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/postgresSecret.json)
kubectl create secret generic redis-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/redisSecret.json)
kubectl create secret generic storage-secret -n portfolio --from-env-file <(jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ./deployment/secrets/storageSecret.json)
kubectl apply -f ./deployment/postgres/postgres-secret.yaml;
kubectl apply -f ./deployment/redis/redis-secret.yaml;
kubectl apply -f ./deployment/storage/storage-secret.yaml;
kubectl apply -f ./deployment/backend/backend-secret.yaml;
kubectl apply -f ./deployment/frontend/frontend-secret.yaml;
kubectl apply -f \
./deployment/cert-manager/cert-manager-certificate.yaml;
kubectl apply -f ./deployment/postgres;
kubectl apply -f ./deployment/postgres
kubectl wait --for=condition=available \
--timeout=600s \
deployment.apps/postgres-deployment \
-n portfolio;
-n portfolio
kubectl apply -f ./deployment/redis;
kubectl apply -f ./deployment/redis
kubectl wait --for=condition=available \
--timeout=600s \
deployment.apps/redis-deployment \
-n portfolio;
-n portfolio
kubectl apply -f ./deployment/frontend;
kubectl apply -f ./deployment/frontend
kubectl wait --for=condition=available \
--timeout=600s \
deployment.apps/frontend-deployment \
-n portfolio;
-n portfolio
kubectl apply -f ./deployment/storage;
kubectl apply -f ./deployment/storage
kubectl wait --for=condition=available \
--timeout=600s \
deployment.apps/storage-deployment \
-n portfolio;
-n portfolio
kubectl apply -f ./deployment/backend;
kubectl apply -f ./deployment/backend
kubectl wait --for=condition=available \
--timeout=600s \
deployment.apps/backend-deployment \
-n portfolio;
-n portfolio
kubectl apply -f \
./deployment/nginx-ingress/nginx-ingress-root.yaml;
./deployment/nginx-ingress/nginx-ingress-root.yaml
kubectl apply -f \
./deployment/nginx-ingress/nginx-ingress-api.yaml;
./deployment/nginx-ingress/nginx-ingress-api.yaml
}
@@ -78,52 +73,45 @@ function main() {
minikube kubectl -- $@
}
minikube start --driver kvm2;
minikube addons enable ingress-dns;
minikube addons enable ingress;
minikube start --driver kvm2
minikube addons enable ingress-dns
minikube addons enable ingress
start_cert_manager
application_deploy
configure_cert_manager
kubectl apply -f ./deployment/cert-manager/cert-manager-issuer-dev.yaml
kubectl apply -f \
./deployment/cert-manager/cert-manager-issuer-dev.yaml;
./deployment/cert-manager/cert-manager-certificate.yaml
application_deploy
echo "http://$(/usr/bin/minikube ip)";
elif [[ $1 == "--staging" || $1 == "-s" ]]; then
check_k3s_installation
kubectl apply -f ./deployment/nginx-ingress/nginx-ingress.yaml;
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=120s;
start_cert_manager
kubectl apply -f ./deployment/cert-manager/cert-manager-issuer.yaml;
application_deploy
echo "http://$(/usr/bin/minikube ip)"
else
check_k3s_installation
kubectl apply -f ./deployment/nginx-ingress/nginx-ingress.yaml;
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=120s;
start_cert_manager
kubectl apply -f ./deployment/cert-manager/cert-manager-issuer.yaml;
configure_nginx_ingress
application_deploy
external_ip=""
while [ -z $external_ip ]; do
echo "Waiting for end point..."
external_ip=$(kubectl get svc --namespace=ingress-nginx ingress-nginx-controller --template="{{range .status.loadBalancer.ingress}}{{.ip}}{{end}}")
[ -z "$external_ip" ] && sleep 10
done
configure_cert_manager
kubectl apply -f \
./deployment/cert-manager/cert-manager-issuer.yaml
kubectl apply -f \
./deployment/cert-manager/cert-manager-certificate.yaml
fi
exit 0;
exit 0
}

36
deployment/backend/backend.yaml
View File

@@ -24,49 +24,49 @@ spec:
valueFrom:
secretKeyRef:
name: frontend-secret
key: frontend_path
key: frontendPath
- name: TOKEN_SECRET
valueFrom:
secretKeyRef:
name: backend-secret
key: token_secret
key: tokenSecret
- name: ACCESS_TOKEN_DURATION
valueFrom:
secretKeyRef:
name: backend-secret
key: access_token_duration
key: accessTokenDuration
- name: REFRESH_TOKEN_DURATION
valueFrom:
secretKeyRef:
name: backend-secret
key: refresh_token_duration
key: refreshTokenDuration
- name: DEFAULT_USER_FULLNAME
valueFrom:
secretKeyRef:
name: backend-secret
key: default_user_fullname
key: defaultUserFullName
- name: DEFAULT_USER_EMAIL
valueFrom:
secretKeyRef:
name: backend-secret
key: default_user_email
key: defaultUserEmail
- name: DEFAULT_USER_USERNAME
valueFrom:
secretKeyRef:
name: backend-secret
key: default_user_username
key: defaultUserUsername
- name: DEFAULT_USER_PASSWORD
valueFrom:
secretKeyRef:
name: backend-secret
key: default_user_password
key: defaultUserPassword
- name: PORT
valueFrom:
@@ -78,37 +78,37 @@ spec:
valueFrom:
secretKeyRef:
name: backend-secret
key: google_client_id
key: googleClientId
- name: GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: backend-secret
key: google_client_secret
key: googleClientSecret
- name: GOOGLE_REDIRECT_URL
valueFrom:
secretKeyRef:
name: backend-secret
key: google_redirect_url
key: googleRedirectUrl
- name: GITHUB_CLIENT_ID
valueFrom:
secretKeyRef:
name: backend-secret
key: github_client_id
key: githubClientId
- name: GITHUB_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: backend-secret
key: github_client_secret
key: githubClientSecret
- name: GITHUB_REDIRECT_URL
valueFrom:
secretKeyRef:
name: backend-secret
key: github_redirect_url
key: githubRedirectUrl
- name: POSTGRES_URL
valueFrom:
@@ -120,7 +120,7 @@ spec:
valueFrom:
secretKeyRef:
name: postgres-secret
key: POSTGRES_DB
key: postgresDatabase
- name: DATABASE_URL
value: "postgresql://$(POSTGRES_URL):5432/$(POSTGRES_DB)"
@@ -129,13 +129,13 @@ spec:
valueFrom:
secretKeyRef:
name: postgres-secret
key: POSTGRES_USER
key: postgresUser
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret
key: POSTGRES_PASSWORD
key: postgresPassword
- name: REDIS_URL
valueFrom:
@@ -153,7 +153,7 @@ spec:
valueFrom:
secretKeyRef:
name: redis-secret
key: redis-password
key: redisPassword
- name: STORAGE_SERVICE_URL
valueFrom:

5596
deployment/cert-manager/cert-manager.yaml
View File

File diff suppressed because it is too large Load Diff

4
deployment/frontend/frontend.yaml
View File

@@ -28,12 +28,12 @@ spec:
valueFrom:
secretKeyRef:
name: frontend-secret
key: backend_url
key: backendUrl
- name: BACKEND_OAUTH_URL
valueFrom:
secretKeyRef:
name: frontend-secret
key: backend_oauth_url
key: backendOAuthUrl
---
apiVersion: v1

20
deployment/nginx-ingress/nginx-ingress-load-balancer.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx-controller-loadbalancer
namespace: ingress-nginx
spec:
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
type: LoadBalancer

645
deployment/nginx-ingress/nginx-ingress.yaml
View File

@@ -1,645 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- ingress-nginx-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller
namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalTrafficPolicy: Local
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
spec:
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-nginx-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.8.0
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None

21
deployment/postgres/postgres.yaml
View File

@@ -19,9 +19,24 @@ spec:
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: postgres-secret
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret
key: postgresPassword
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: postgres-secret
key: postgresUser
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: postgres-secret
key: postgresDatabase
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: postgredb

2
deployment/redis/redis.yaml
View File

@@ -24,7 +24,7 @@ spec:
valueFrom:
secretKeyRef:
name: redis-secret
key: redis-password
key: redisPassword
---
apiVersion: v1

18
deployment/storage/storage-processor.yaml
View File

@@ -36,49 +36,49 @@ spec:
valueFrom:
secretKeyRef:
name: redis-secret
key: redis-password
key: redisPassword
- name: REDIS_URL
value: "redis://:$(REDIS_PASSWORD)@$(REDIS_BASE_URL):$(REDIS_PORT)"
value: "redis://:$(REDIS_PASSWORD)@$(REDIS_BASE_URL):$(REDIS_PORT)/rq"
- name: STORAGE_TYPE
valueFrom:
secretKeyRef:
name: storage-secret
key: storage_type
key: storageType
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_access_key_id
key: awsAccessKeyId
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_access_access_key
key: awsSecretAccessKey
- name: AWS_REGION_NAME
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_region_name
key: awsRegion
- name: AWS_BUCKET_NAME
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_bucket_name
key: awsBucket
- name: VIRUS_CHECKER_TYPE
valueFrom:
secretKeyRef:
name: storage-secret
key: virus_checker_type
key: virusCheckerType
- name: VIRUS_CHECKER_API_KEY
valueFrom:
secretKeyRef:
name: storage-secret
key: virus_checher_api_key
key: virusCheckerApiKey

20
deployment/storage/storage.yaml
View File

@@ -24,13 +24,13 @@ spec:
valueFrom:
secretKeyRef:
name: frontend-secret
key: backend_url
key: backendUrl
- name: EXPIRES_IN
valueFrom:
secretKeyRef:
name: backend-secret
key: access_token_duration
key: accessTokenDuration
- name: SERVER_PORT
valueFrom:
@@ -54,49 +54,49 @@ spec:
valueFrom:
secretKeyRef:
name: redis-secret
key: redis-password
key: redisPassword
- name: STORAGE_TYPE
valueFrom:
secretKeyRef:
name: storage-secret
key: storage_type
key: storageType
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_access_key_id
key: awsAccessKeyId
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_access_access_key
key: awsSecretAccessKey
- name: AWS_REGION_NAME
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_region_name
key: awsRegion
- name: AWS_BUCKET_NAME
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_bucket_name
key: awsBucket
- name: VIRUS_CHECKER_TYPE
valueFrom:
secretKeyRef:
name: storage-secret
key: virus_checker_type
key: virusCheckerType
- name: VIRUS_CHECKER_API_KEY
valueFrom:
secretKeyRef:
name: storage-secret
key: virus_checher_api_key
key: virusCheckerApiKey
---
apiVersion: v1

186
setup.py
View File

@@ -3,40 +3,17 @@ from dotenv import load_dotenv
from envsubst import envsubst
from pathlib import Path, PosixPath
import argparse
import warnings
import json
import os
ENV_VARIABLES = [
"FRONTEND_PATH",
"BACKEND_URL",
"BACKEND_OAUTH_URL",
"TOKEN_SECRET",
"ACCESS_TOKEN_DURATION",
"REFRESH_TOKEN_DURATION",
"DEFAULT_USER_FULLNAME",
"DEFAULT_USER_EMAIL",
"DEFAULT_USER_USERNAME",
"DEFAULT_USER_PASSWORD",
"GOOGLE_CLIENT_ID",
"GOOGLE_CLIENT_SECRET",
"GOOGLE_REDIRECT_URL",
"OAUTH_GITHUB_CLIENT_ID",
"OAUTH_GITHUB_CLIENT_SECRET",
"OAUTH_GITHUB_REDIRECT_URL",
"POSTGRES_USER",
"POSTGRES_PASSWORD",
"POSTGRES_DB",
"REDIS_PASSWORD",
"STORAGE_TYPE",
"AWS_ACCESS_KEY_ID",
"AWS_SECRET_ACCESS_KEY",
"AWS_REGION_NAME",
"AWS_BUCKET_NAME",
"VIRUS_CHECKER_TYPE",
"VIRUS_CHECKER_API_KEY",
]
def write_template(template: str, output: str):
with open(template, 'r') as template,\
open(output, 'w') as output:
output.write(envsubst(template.read()))
def setting_environment(environment: str):
def configure_templates(environment: str):
if not environment in ("prod", "staging", "local", "dev"):
raise ValueError("Invalid Environment Selected")
@@ -54,48 +31,141 @@ def setting_environment(environment: str):
os.environ["DOMAIN"] = DOMAIN
os.environ["API_DOMAIN"] = API_DOMAIN
write_template(
"template/cert-manager/cert-manager-certificate.template.yaml",
"deployment/cert-manager/cert-manager-certificate.yaml"
)
def load_secret_file(file: str):
secret_file_path = Path(file)
if not secret_file_path.exists():
raise FileNotFoundError("Secret File Doesn't Exists")
load_dotenv(dotenv_path=secret_file_path)
write_template(
"template/nginx-ingress/nginx-ingress-root.yaml",
"deployment/nginx-ingress/nginx-ingress-root.yaml"
)
def fetch_env_variables():
for env in ENV_VARIABLES:
value = os.environ[env]
value = value.encode("utf-8")
os.environ[env] = b64encode(value).decode()
def validate_backend_secret(secret: str):
required_keys = [
'tokenSecret',
'accessTokenDuration',
'refreshTokenDuration',
'defaultUserFullName',
'defaultUserEmail',
'defaultUserUsername',
'defaultUserPassword',
'googleClientId',
'googleClientSecret',
'googleRedirectUrl',
'githubClientId',
'githubClientSecret',
'githubRedirectUrl'
]
for key in required_keys:
if key not in secret:
raise ValueError(f"Key {key} not found in backendSecret")
def envsubst_file(file: PosixPath):
with open(file) as f:
formated_file = envsubst(f.read())
def validate_frontend_secret(secret: str):
required_keys = [
'frontendPath',
'backendUrl',
'backendOAuthUrl',
]
new_file = Path("deployment") \
.joinpath(*[part.split('.')[0] for part in file.parts if part != "template"]) \
.with_suffix(".yaml")
with open(new_file, 'w') as f:
f.write(formated_file)
for key in required_keys:
if key not in secret:
raise ValueError(f"Key {key} not found in frontendSecret")
def substitute_secrets_from_templates():
for subdir in Path("template").glob("*"):
for file in subdir.glob("*.yaml"):
envsubst_file(file)
def validate_postgres_secret(secret: str):
required_keys = [
'postgresUser',
'postgresPassword',
'postgresDatabase'
]
for key in required_keys:
if key not in secret:
raise ValueError(f"Key {key} not found in postgresSecret")
def validate_redis_secret(secret: str):
required_keys = [
'redisPassword',
]
for key in required_keys:
if key not in secret:
raise ValueError(f"Key {key} not found in redisSecret")
def validate_storage_secret(secret: str):
required_keys = [
'storageType',
'awsAccessKeyId',
'awsSecretAccessKey',
'awsRegion',
'awsBucket',
'virusCheckerType',
'virusCheckerApiKey',
]
for key in required_keys:
if key not in secret:
raise ValueError(f"Key {key} not found in storageSecret")
def validate_env(env: dict):
required_secrets = [
'backendSecret',
'frontendSecret',
'postgresSecret',
'redisSecret',
'storageSecret',
]
for secret in required_secrets:
if secret not in env:
raise ValueError(f"Secret {secret} not found in env.json")
if secret == 'backendSecret':
validate_backend_secret(env[secret])
if secret == 'frontendSecret':
validate_frontend_secret(env[secret])
if secret == 'postgresSecret':
validate_postgres_secret(env[secret])
if secret == 'redisSecret':
validate_redis_secret(env[secret])
if secret == 'storageSecret':
validate_storage_secret(env[secret])
def write_secrets_to_file(env: dict):
for key, secret in env.items():
secrets_dir = Path("deployment", "secrets")
if not secrets_dir.exists():
secrets_dir.mkdir()
with open(secrets_dir.joinpath(f"{key}.json"), "w") as f:
json.dump(secret, f, indent=4)
def read_env_json(file: str) -> dict:
with open(file, "r") as f:
return json.load(f)
def main(file, environment):
setting_environment(environment)
env = read_env_json(file)
load_secret_file(file)
validate_env(env)
fetch_env_variables()
write_secrets_to_file(env)
substitute_secrets_from_templates()
configure_templates(environment)
if __name__ == "__main__":

20
template/backend/backend-secret.template.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: backend-secret
type: Opaque
data:
token_secret: $TOKEN_SECRET
access_token_duration: $ACCESS_TOKEN_DURATION
refresh_token_duration: $REFRESH_TOKEN_DURATION
default_user_fullname: $DEFAULT_USER_FULLNAME
default_user_email: $DEFAULT_USER_EMAIL
default_user_username: $DEFAULT_USER_USERNAME
default_user_password: $DEFAULT_USER_PASSWORD
google_client_id: $GOOGLE_CLIENT_ID
google_client_secret: $GOOGLE_CLIENT_SECRET
google_redirect_url: $GOOGLE_REDIRECT_URL
github_client_id: $OAUTH_GITHUB_CLIENT_ID
github_client_secret: $OAUTH_GITHUB_CLIENT_SECRET
github_redirect_url: $OAUTH_GITHUB_REDIRECT_URL

10
template/frontend/frontend-secret.template.yaml
View File

@@ -1,10 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: frontend-secret
type: Opaque
data:
frontend_path: $FRONTEND_PATH
backend_url: $BACKEND_URL
backend_oauth_url: $BACKEND_OAUTH_URL

34
template/nginx-ingress/nginx-ingress-api.yaml
View File

@@ -1,34 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: portfolio
name: nginx-ingress-api
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
tls:
- hosts:
- ${API_DOMAIN}
secretName: letsencrypt-cluster-certificate-tls
rules:
- host: ${DOMAIN}
http:
paths:
- path: /api(/|$)(.*)
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070
- http:
paths:
- path: /api(/|$)(.*)
pathType: Prefix
backend:
service:
name: backend-service
port:
number: 8070

10
template/postgres/postgres-secret.template.yaml
View File

@@ -1,10 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: postgres-secret
type: Opaque
data:
POSTGRES_USER: $POSTGRES_USER
POSTGRES_PASSWORD: $POSTGRES_PASSWORD
POSTGRES_DB: $POSTGRES_DB

8
template/redis/redis-secret.template.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: redis-secret
type: Opaque
data:
redis-password: $REDIS_PASSWORD

14
template/storage/storage-secret.template.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
namespace: portfolio
name: storage-secret
type: Opaque
data:
storage_type: $STORAGE_TYPE
aws_access_key_id: $AWS_ACCESS_KEY_ID
aws_access_access_key: $AWS_SECRET_ACCESS_KEY
aws_region_name: $AWS_REGION_NAME
aws_bucket_name: $AWS_BUCKET_NAME
virus_checker_type: $VIRUS_CHECKER_TYPE
virus_checher_api_key: $VIRUS_CHECKER_API_KEY