Merge pull request #36 from HideyoshiNakazone/implementa-novo-deploy-secrets

Implementa Novo Deploy Secrets
2023-09-14 07:31:25 -03:00
committed by GitHub
7 changed files with 88 additions and 49 deletions


@@ -45,6 +45,8 @@ jobs:
envkey_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} envkey_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
envkey_AWS_REGION_NAME: ${{ secrets.AWS_REGION_NAME }} envkey_AWS_REGION_NAME: ${{ secrets.AWS_REGION_NAME }}
envkey_AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }} envkey_AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }}
envkey_VIRUS_CHECKER_TYPE: ${{ secrets.VIRUS_CHECKER_TYPE }}
envkey_VIRUS_CHECKER_API_KEY: ${{ secrets.VIRUS_CHECKER_API_KEY }}
- name: Inserts Prod Enviromental Variables - name: Inserts Prod Enviromental Variables
run: | run: |


@@ -45,12 +45,14 @@ jobs:
envkey_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} envkey_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
envkey_AWS_REGION_NAME: ${{ secrets.AWS_REGION_NAME }} envkey_AWS_REGION_NAME: ${{ secrets.AWS_REGION_NAME }}
envkey_AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }} envkey_AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }}
envkey_VIRUS_CHECKER_TYPE: ${{ secrets.VIRUS_CHECKER_TYPE }}
envkey_VIRUS_CHECKER_API_KEY: ${{ secrets.VIRUS_CHECKER_API_KEY }}
- name: Inserts Prod Enviromental Variables # - name: Inserts Prod Enviromental Variables
run: | # run: |
python -m pip install --upgrade pip pipenv # python -m pip install --upgrade pip pipenv
pipenv install # pipenv install
pipenv run python setup.py -e staging -f .env # pipenv run python setup.py -e staging -f .env
- name: copy file via ssh - name: copy file via ssh
uses: appleboy/scp-action@master uses: appleboy/scp-action@master
@@ -62,13 +64,13 @@ jobs:
source: "." source: "."
target: "infra-hideyoshi.com" target: "infra-hideyoshi.com"
- name: executing remote ssh commands # - name: executing remote ssh commands
uses: appleboy/ssh-action@master # uses: appleboy/ssh-action@master
with: # with:
host: ${{ secrets.SSH_HOST }} # host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USER }} # username: ${{ secrets.SSH_USER }}
port: ${{ secrets.SSH_PORT }} # port: ${{ secrets.SSH_PORT }}
key: ${{ secrets.SSH_KEY }} # key: ${{ secrets.SSH_KEY }}
script: | # script: |
cd infra-hideyoshi.com # cd infra-hideyoshi.com
./deploy.sh --staging # ./deploy.sh --staging
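Review bot: Commenting out the `Inserts Prod Enviromental Variables` step and the `executing remote ssh commands` step leaves the preceding envkey step (which receives the AWS and virus-checker secrets) and the `copy file via ssh` step with `source: "."` active, so the workflow appears to still generate the secret-bearing env file and copy the whole checkout to the staging host while nothing on that host consumes it any more. If the new deploy path no longer needs it, disable or remove the scp step as well, or narrow `source` to the files the host actually needs, so secret material is not shipped for no purpose; this assumes the envkey action writes its output into the workspace, which is above the hunk and not visible here. Deleting the dead steps instead of commenting them out would also keep the workflow readable, since git history preserves them. The envkey step's `uses:` line and the start of the `jobs:` block lie outside the hunk.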

.gitignore vendored

@@ -1,4 +1,4 @@
.env .env*
.secret* .secret*


@@ -16,7 +16,8 @@ spec:
containers: containers:
- name: storage-processor - name: storage-processor
image: yoshiunfriendly/storage-hideyoshi.com:latest image: yoshiunfriendly/storage-hideyoshi.com:latest
command: [ "poetry", "run", "rq", "worker", " --with-scheduler" ] command: [ "./run-queue.sh" ]
args: [ "-q" ]
imagePullPolicy: "Always" imagePullPolicy: "Always"
env: env:
- name: REDIS_BASE_URL - name: REDIS_BASE_URL
@@ -38,4 +39,46 @@ spec:
key: redis-password key: redis-password
- name: REDIS_URL - name: REDIS_URL
value: "redis://:$(REDIS_PASSWORD)@$(REDIS_BASE_URL):$(REDIS_PORT)" value: "redis://:$(REDIS_PASSWORD)@$(REDIS_BASE_URL):$(REDIS_PORT)"
- name: STORAGE_TYPE
valueFrom:
secretKeyRef:
name: storage-secret
key: storage_type
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_access_key_id
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_access_access_key
- name: AWS_REGION_NAME
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_region_name
- name: AWS_BUCKET_NAME
valueFrom:
secretKeyRef:
name: storage-secret
key: aws_bucket_name
- name: VIRUS_CHECKER_TYPE
valueFrom:
secretKeyRef:
name: storage-secret
key: virus_checker_type
- name: VIRUS_CHECKER_API_KEY
valueFrom:
secretKeyRef:
name: storage-secret
key: virus_checher_api_key
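Review bot: The new secretKeyRef keys `aws_access_access_key` (feeding AWS_SECRET_ACCESS_KEY) and `virus_checher_api_key` (feeding VIRUS_CHECKER_API_KEY) are misspelled relative to the variables they populate; they do match the keys the secret template writes (`aws_access_access_key: $AWS_SECRET_ACCESS_KEY`, `virus_checher_api_key: $VIRUS_CHECKER_API_KEY`) and the second Deployment's entries, so the lookups resolve today, but a later correction on one side alone would leave the referenced key missing from `storage-secret` and keep the container from starting. Either rename the key in the secret template and both Deployments in a single change, or add a comment beside the template keys such as `# key names are referenced verbatim by the Deployment secretKeyRefs — rename all three files together`. The same applies to the VIRUS_CHECKER_API_KEY entry added to the other Deployment section below.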


@@ -86,6 +86,18 @@ spec:
name: storage-secret name: storage-secret
key: aws_bucket_name key: aws_bucket_name
- name: VIRUS_CHECKER_TYPE
valueFrom:
secretKeyRef:
name: storage-secret
key: virus_checker_type
- name: VIRUS_CHECKER_API_KEY
valueFrom:
secretKeyRef:
name: storage-secret
key: virus_checher_api_key
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service


@@ -31,38 +31,19 @@ ENV_VARIABLES = [
"AWS_SECRET_ACCESS_KEY", "AWS_SECRET_ACCESS_KEY",
"AWS_REGION_NAME", "AWS_REGION_NAME",
"AWS_BUCKET_NAME", "AWS_BUCKET_NAME",
"VIRUS_CHECKER_TYPE",
"VIRUS_CHECKER_API_KEY",
] ]
FORCE_BASE64_FIELD = [
"OAUTH_GITHUB_CLIENT_ID",
"OAUTH_GITHUB_CLIENT_SECRET",
"AWS_ACCESS_KEY_ID",
"AWS_SECRET_ACCESS_KEY",
]
def is_force_base64_fields(field: str) -> bool:
return field in FORCE_BASE64_FIELD
def is_validate_base64(value: str) -> bool:
if not isinstance(value, str):
return False
try:
if b64encode(b64decode(value)).decode() == value:
return True
except:
pass
return False
def setting_environment(environment: str): def setting_environment(environment: str):
if not environment in ("prod", "staging", "dev"): if not environment in ("prod", "staging", "local", "dev"):
raise ValueError("Invalid Environment Selected") raise ValueError("Invalid Environment Selected")
match environment: match environment:
case "local":
DOMAIN = "local.hideyoshi.com.br"
API_DOMAIN = "api.local.hideyoshi.com.br"
case "staging": case "staging":
DOMAIN = "staging.hideyoshi.com.br" DOMAIN = "staging.hideyoshi.com.br"
API_DOMAIN = "api.staging.hideyoshi.com.br" API_DOMAIN = "api.staging.hideyoshi.com.br"
@@ -85,11 +66,8 @@ def load_secret_file(file: str):
def fetch_env_variables(): def fetch_env_variables():
for env in ENV_VARIABLES: for env in ENV_VARIABLES:
value = os.environ[env] value = os.environ[env]
if not is_force_base64_fields(env) and is_validate_base64(value): value = value.encode("utf-8")
os.environ[env] = value os.environ[env] = b64encode(value).decode()
else:
value = value.encode("utf-8")
os.environ[env] = b64encode(value).decode()
def envsubst_file(file: PosixPath): def envsubst_file(file: PosixPath):
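Review bot: `fetch_env_variables` has no docstring recording that every ENV_VARIABLES value is now base64-encoded unconditionally, which is the invariant the rest of the deploy relies on (the removed is_validate_base64 passthrough would have left a value unencoded whenever a real secret happened to be valid base64, so dropping it is the right call); I'd add `"""Base64-encode every ENV_VARIABLES value in place; the secret template substitutes them into a Secret's data: block, which must hold base64."""`, with the Secret consumer being inferred from the template hunk in this PR rather than from this file. A variable that is not set surfaces as a bare `KeyError` from `os.environ[env]`; wrapping it as `raise KeyError(f"{env} must be set before running setup.py") from None` would make the failure self-explanatory in CI logs. On the changed condition in setting_environment, `if not environment in ("prod", "staging", "local", "dev"):` reads better in the idiomatic form `if environment not in ("prod", "staging", "local", "dev"):`. setting_environment continues past the end of the first hunk.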


@@ -9,4 +9,6 @@ data:
aws_access_key_id: $AWS_ACCESS_KEY_ID aws_access_key_id: $AWS_ACCESS_KEY_ID
aws_access_access_key: $AWS_SECRET_ACCESS_KEY aws_access_access_key: $AWS_SECRET_ACCESS_KEY
aws_region_name: $AWS_REGION_NAME aws_region_name: $AWS_REGION_NAME
aws_bucket_name: $AWS_BUCKET_NAME aws_bucket_name: $AWS_BUCKET_NAME
virus_checker_type: $VIRUS_CHECKER_TYPE
virus_checher_api_key: $VIRUS_CHECKER_API_KEY
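Review bot: The two added `data:` entries leave the envsubst placeholder unquoted, so if `VIRUS_CHECKER_TYPE` or `VIRUS_CHECKER_API_KEY` expands to an empty string (setup.py base64-encodes an empty value to an empty string) the rendered line becomes `virus_checher_api_key: `, which YAML reads as null rather than an empty string. Quoting the placeholders, `virus_checker_type: "$VIRUS_CHECKER_TYPE"` and `virus_checher_api_key: "$VIRUS_CHECKER_API_KEY"`, keeps every value a string regardless of what the variable holds; the existing entries above would benefit from the same treatment. The `data:` mapping's header and the Secret's metadata are above the hunk.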