From c9dab33f8387b944925127eaf435e301ec83dd7a Mon Sep 17 00:00:00 2001 From: Nicolas Giard Date: Mon, 15 Jul 2024 17:32:47 -0400 Subject: [PATCH] ci: migrate to using secret instead of configmap (#7685) --- k8s/README.md | 5 ++ k8s/auth.yaml | 58 ++++++++++++------------ k8s/beat.yaml | 7 ++- k8s/celery.yaml | 54 +++++++++++----------- k8s/datatracker.yaml | 54 +++++++++++----------- k8s/kustomization.yaml | 1 - k8s/memcached.yaml | 36 +++++++++------ k8s/rabbitmq.yaml | 41 +++++++++-------- k8s/{django-config.yaml => secrets.yaml} | 10 ++-- 9 files changed, 141 insertions(+), 125 deletions(-) create mode 100644 k8s/README.md rename k8s/{django-config.yaml => secrets.yaml} (93%) diff --git a/k8s/README.md b/k8s/README.md new file mode 100644 index 000000000..73b597867 --- /dev/null +++ b/k8s/README.md @@ -0,0 +1,5 @@ +# Kustomize deployment + +## Run locally + +The `secrets.yaml` file is provided as a reference only and must be referenced manually in the `kustomization.yaml` file. \ No newline at end of file diff --git a/k8s/auth.yaml b/k8s/auth.yaml index 8aa1d53cb..bc99af79d 100644 --- a/k8s/auth.yaml +++ b/k8s/auth.yaml 
@@ -19,34 +19,9 @@ spec: runAsNonRoot: true containers: # ----------------------------------------------------- - # ScoutAPM Container + # Auth Container # ----------------------------------------------------- - - name: scoutapm - image: "scoutapp/scoutapm:version-1.4.0" - imagePullPolicy: IfNotPresent - # Replace command with one that will shut down on a TERM signal - # The ./core-agent start command line is from the scoutapm docker image - command: - - "sh" - - "-c" - - >- - trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM; - ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 & - wait $! - livenessProbe: - exec: - command: - - "sh" - - "-c" - - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'" - securityContext: - readOnlyRootFilesystem: true - runAsUser: 65534 # "nobody" user by default - runAsGroup: 65534 # "nogroup" group by default - # ----------------------------------------------------- - # Datatracker Container - # ----------------------------------------------------- - - name: datatracker + - name: auth image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG" imagePullPolicy: Always ports: @@ -72,8 +47,8 @@ spec: - name: "DEPLOY_UID" value: "$DEPLOY_UID" envFrom: - - configMapRef: - name: django-config + - secretRef: + name: dt-secrets-env securityContext: allowPrivilegeEscalation: false capabilities: 
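Review bot: The new `envFrom: secretRef: dt-secrets-env` pulls the whole Secret into the auth container, so non-sensitive settings (the renamed file shows e.g. `DATATRACKER_SERVER_MODE` and `DATATRACKER_ADMINS` alongside `DATATRACKER_SCOUT_KEY`) now share one object with credentials, and anyone who needs to view or edit plain config needs `get`/`update` on Secrets. Keeping a ConfigMap for the non-secret keys and reserving `dt-secrets-env` for passwords and API keys — two `envFrom` entries — would limit who has to be granted Secret access; rabbitmq.yaml in this same commit already uses the narrower `secretKeyRef` pattern for a single key. Note also that `secretRef` without `optional: true` is fail-closed (the pod stays in CreateContainerConfigError until the Secret exists), which is sensible here but worth a line such as `# dt-secrets-env is not produced by kustomization.yaml — see k8s/README.md` above the reference. The container spec continues past the end of the hunk.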
@@ -82,6 +57,31 @@ spec: readOnlyRootFilesystem: true runAsUser: 1000 runAsGroup: 1000 + # ----------------------------------------------------- + # ScoutAPM Container + # ----------------------------------------------------- + - name: scoutapm + image: "scoutapp/scoutapm:version-1.4.0" + imagePullPolicy: IfNotPresent + # Replace command with one that will shut down on a TERM signal + # The ./core-agent start command line is from the scoutapm docker image + command: + - "sh" + - "-c" + - >- + trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM; + ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 & + wait $! + livenessProbe: + exec: + command: + - "sh" + - "-c" + - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'" + securityContext: + readOnlyRootFilesystem: true + runAsUser: 65534 # "nobody" user by default + runAsGroup: 65534 # "nogroup" group by default volumes: # To be overriden with the actual shared volume - name: dt-vol diff --git a/k8s/beat.yaml b/k8s/beat.yaml index 99317ab77..72d74e11e 100644 --- a/k8s/beat.yaml +++ b/k8s/beat.yaml @@ -20,6 +20,9 @@ spec: securityContext: runAsNonRoot: true containers: + # ----------------------------------------------------- + # Beat Container + # ----------------------------------------------------- - name: beat image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG" imagePullPolicy: Always @@ -39,8 +42,8 @@ spec: - name: "CONTAINER_ROLE" value: "beat" envFrom: - - configMapRef: - name: django-config + - secretRef: + name: dt-secrets-env securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/k8s/celery.yaml b/k8s/celery.yaml index dfb20fa40..10f58f016 100644 --- a/k8s/celery.yaml +++ b/k8s/celery.yaml 
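Review bot: The relocated `scoutapm` sidecar keeps a weaker securityContext than the `auth` container immediately above it: it sets `readOnlyRootFilesystem` and a non-root UID/GID but omits `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, which the main container does set. Since every line of this block is touched by the move, aligning it now is cheap, and the same sidecar definition is duplicated verbatim in celery.yaml and datatracker.yaml in this commit. The agent is also started with `--log-level debug`; if that is only wanted during rollout, a comment saying so (or dropping it) would avoid verbose agent logs in production. This is moved rather than new code, so treat as a follow-up if the commit is meant to be a pure reorder.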
@@ -21,31 +21,6 @@ spec: runAsNonRoot: true containers: # ----------------------------------------------------- - # ScoutAPM Container - # ----------------------------------------------------- - - name: scoutapm - image: "scoutapp/scoutapm:version-1.4.0" - imagePullPolicy: IfNotPresent - # Replace command with one that will shut down on a TERM signal - # The ./core-agent start command line is from the scoutapm docker image - command: - - "sh" - - "-c" - - >- - trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM; - ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 & - wait $! - livenessProbe: - exec: - command: - - "sh" - - "-c" - - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'" - securityContext: - readOnlyRootFilesystem: true - runAsUser: 65534 # "nobody" user by default - runAsGroup: 65534 # "nogroup" group by default - # ----------------------------------------------------- # Celery Container # ----------------------------------------------------- - name: celery @@ -71,8 +46,8 @@ spec: - name: "CONTAINER_ROLE" value: "celery" envFrom: - - configMapRef: - name: django-config + - secretRef: + name: dt-secrets-env securityContext: allowPrivilegeEscalation: false capabilities: 
@@ -81,6 +56,31 @@ spec: readOnlyRootFilesystem: true runAsUser: 1000 runAsGroup: 1000 + # ----------------------------------------------------- + # ScoutAPM Container + # ----------------------------------------------------- + - name: scoutapm + image: "scoutapp/scoutapm:version-1.4.0" + imagePullPolicy: IfNotPresent + # Replace command with one that will shut down on a TERM signal + # The ./core-agent start command line is from the scoutapm docker image + command: + - "sh" + - "-c" + - >- + trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM; + ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 & + wait $! + livenessProbe: + exec: + command: + - "sh" + - "-c" + - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'" + securityContext: + readOnlyRootFilesystem: true + runAsUser: 65534 # "nobody" user by default + runAsGroup: 65534 # "nogroup" group by default volumes: # To be overriden with the actual shared volume - name: dt-vol diff --git a/k8s/datatracker.yaml b/k8s/datatracker.yaml index 5ad433661..81dc048d0 100644 --- a/k8s/datatracker.yaml +++ b/k8s/datatracker.yaml 
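Review bot: The moved `scoutapm` sidecar's `core-agent` binds `0.0.0.0:6590`, which inside a pod is the shared pod network namespace, so the agent socket is reachable from any other pod in the cluster unless a NetworkPolicy restricts it. If the celery container only talks to it over localhost — presumably, since they share the pod, but not verifiable from this hunk — changing the `command` and the probe to `--tcp 127.0.0.1:6590` closes that exposure with no functional change. The sidecar definition here is byte-identical to the ones in auth.yaml and datatracker.yaml, so any change should be applied to all three.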
@@ -19,31 +19,6 @@ spec: runAsNonRoot: true containers: # ----------------------------------------------------- - # ScoutAPM Container - # ----------------------------------------------------- - - name: scoutapm - image: "scoutapp/scoutapm:version-1.4.0" - imagePullPolicy: IfNotPresent - # Replace command with one that will shut down on a TERM signal - # The ./core-agent start command line is from the scoutapm docker image - command: - - "sh" - - "-c" - - >- - trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM; - ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 & - wait $! - livenessProbe: - exec: - command: - - "sh" - - "-c" - - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'" - securityContext: - readOnlyRootFilesystem: true - runAsUser: 65534 # "nobody" user by default - runAsGroup: 65534 # "nogroup" group by default - # ----------------------------------------------------- # Datatracker Container # ----------------------------------------------------- - name: datatracker @@ -72,8 +47,8 @@ spec: - name: "DEPLOY_UID" value: "$DEPLOY_UID" envFrom: - - configMapRef: - name: django-config + - secretRef: + name: dt-secrets-env securityContext: allowPrivilegeEscalation: false capabilities: 
@@ -82,6 +57,31 @@ spec: readOnlyRootFilesystem: true runAsUser: 1000 runAsGroup: 1000 + # ----------------------------------------------------- + # ScoutAPM Container + # ----------------------------------------------------- + - name: scoutapm + image: "scoutapp/scoutapm:version-1.4.0" + imagePullPolicy: IfNotPresent + # Replace command with one that will shut down on a TERM signal + # The ./core-agent start command line is from the scoutapm docker image + command: + - "sh" + - "-c" + - >- + trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM; + ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 & + wait $! + livenessProbe: + exec: + command: + - "sh" + - "-c" + - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'" + securityContext: + readOnlyRootFilesystem: true + runAsUser: 65534 # "nobody" user by default + runAsGroup: 65534 # "nogroup" group by default initContainers: - name: migration image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG" diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml index cfc17f35d..ab381369b 100644 --- a/k8s/kustomization.yaml +++ b/k8s/kustomization.yaml @@ -9,6 +9,5 @@ resources: - beat.yaml - celery.yaml - datatracker.yaml - - django-config.yaml - memcached.yaml - rabbitmq.yaml diff --git a/k8s/memcached.yaml b/k8s/memcached.yaml index e94066c9e..4b362c88c 100644 --- a/k8s/memcached.yaml +++ b/k8s/memcached.yaml 
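Review bot: With `django-config.yaml` dropped from `resources`, nothing in this kustomization produces the `dt-secrets-env` Secret that auth, beat, celery, datatracker and rabbitmq now require; the README says to reference `secrets.yaml` manually, but applying that checked-in file as-is would load placeholder values such as `this-is-the-scout-key` into the cluster as a real Secret. A `secretGenerator` fed from an untracked env file (`secretGenerator: [{name: dt-secrets-env, envs: [secrets.env]}]` with `secrets.env` gitignored) keeps real values out of git while still letting `kustomize build` emit a complete manifest. Whichever approach is chosen, a comment in the resources list — `# dt-secrets-env is supplied out of band; see README.md` — would save the next operator from a CreateContainerConfigError hunt. Whether a `namePrefix` is set elsewhere in this file is not visible in the hunk.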
@@ -16,21 +16,9 @@ spec: securityContext: runAsNonRoot: true containers: - - image: "quay.io/prometheus/memcached-exporter:v0.14.3" - imagePullPolicy: IfNotPresent - name: memcached-exporter - ports: - - name: metrics - containerPort: 9150 - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsUser: 65534 # nobody - runAsGroup: 65534 # nobody + # ----------------------------------------------------- + # Memcached + # ----------------------------------------------------- - image: "memcached:1.6-alpine" imagePullPolicy: IfNotPresent args: ["-m", "1024"] @@ -48,6 +36,24 @@ spec: # memcached image sets up uid/gid 11211 runAsUser: 11211 runAsGroup: 11211 + # ----------------------------------------------------- + # Memcached Exporter for Prometheus + # ----------------------------------------------------- + - image: "quay.io/prometheus/memcached-exporter:v0.14.3" + imagePullPolicy: IfNotPresent + name: memcached-exporter + ports: + - name: metrics + containerPort: 9150 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 65534 # nobody + runAsGroup: 65534 # nobody dnsPolicy: ClusterFirst restartPolicy: Always terminationGracePeriodSeconds: 30 diff --git a/k8s/rabbitmq.yaml b/k8s/rabbitmq.yaml index 132ca79de..b016b3a5a 100644 --- a/k8s/rabbitmq.yaml +++ b/k8s/rabbitmq.yaml 
@@ -15,23 +15,6 @@ spec: spec: securityContext: runAsNonRoot: true - initContainers: - # ----------------------------------------------------- - # Init RabbitMQ data - # ----------------------------------------------------- - - name: init-rabbitmq - image: busybox:stable - command: - - "sh" - - "-c" - - "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq" - securityContext: - runAsNonRoot: false - runAsUser: 0 - readOnlyRootFilesystem: true - volumeMounts: - - name: "rabbitmq-data" - mountPath: "/mnt" containers: # ----------------------------------------------------- # RabbitMQ Container @@ -52,8 +35,11 @@ spec: - name: rabbitmq-config mountPath: "/etc/rabbitmq" env: - - name: "CELERY_PASSWORD" - value: "this-is-a-secret" + - name: CELERY_PASSWORD + valueFrom: + secretKeyRef: + name: dt-secrets-env + key: CELERY_PASSWORD livenessProbe: exec: command: ["rabbitmq-diagnostics", "-q", "ping"] @@ -76,6 +62,23 @@ spec: # rabbitmq image sets up uid/gid 100/101 runAsUser: 100 runAsGroup: 101 + initContainers: + # ----------------------------------------------------- + # Init RabbitMQ data + # ----------------------------------------------------- + - name: init-rabbitmq + image: busybox:stable + command: + - "sh" + - "-c" + - "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq" + securityContext: + runAsNonRoot: false + runAsUser: 0 + readOnlyRootFilesystem: true + volumeMounts: + - name: "rabbitmq-data" + mountPath: "/mnt" volumes: - name: rabbitmq-tmp emptyDir: diff --git a/k8s/django-config.yaml b/k8s/secrets.yaml similarity index 93% rename from k8s/django-config.yaml rename to k8s/secrets.yaml index 07e2d710d..4e76a86a5 100644 --- a/k8s/django-config.yaml +++ b/k8s/secrets.yaml 
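Review bot: The relocated `init-rabbitmq` init container still runs as root (`runAsUser: 0`, `runAsNonRoot: false`) from a floating `busybox:stable` tag solely to `mkdir`/`chown` the data directory. A pod-level `securityContext.fsGroup: 101` usually makes the mounted volume writable by gid 101 without any root container, which would let this pod meet the restricted Pod Security Standard; if the root init container has to stay, pinning the image by digest and adding `capabilities: {drop: ["ALL"], add: ["CHOWN", "DAC_OVERRIDE"]}` narrows what it can do. This is moved rather than new code, so it is reasonable to defer if the commit is intended as a pure reorder.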
@@ -1,9 +1,9 @@ apiVersion: v1 -kind: ConfigMap +kind: Secret metadata: - name: django-config -data: - # n.b., these are debug values / non-secret secrets + name: secrets-env +type: Opaque +stringData: DATATRACKER_SERVER_MODE: "development" # development for staging, production for production DATATRACKER_ADMINS: |- Robert Sparks @@ -80,4 +80,4 @@ data: # Scout configuration DATATRACKER_SCOUT_KEY: "this-is-the-scout-key" - DATATRACKER_SCOUT_NAME: "StagingDatatracker" + DATATRACKER_SCOUT_NAME: "StagingDatatracker" \ No newline at end of file
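Review bot: The Secret is named `secrets-env` here, while every workload in this commit references `dt-secrets-env`; unless `kustomization.yaml` applies a `namePrefix: dt-` (not visible in its hunk), the `envFrom` and `secretKeyRef` lookups will fail and none of the pods will start. Separately, the removed comment `# n.b., these are debug values / non-secret secrets` was the only in-file signal that values like `this-is-the-scout-key` are placeholders; now that the file is `kind: Secret`, a reader may take them for real data, so I would restore it as `# Reference only: placeholder values — never apply as-is, see k8s/README.md` directly under `stringData:`. Since the file is committed under a Secret kind, a `.gitignore` entry for any locally filled-in copy (or a sealed/encrypted-secret tool) would reduce the chance of real credentials landing in git. The middle of the file is outside the hunk, so I cannot confirm that a `CELERY_PASSWORD` key exists for rabbitmq.yaml's `secretKeyRef`.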