ci: migrate to using secret instead of configmap ()

This commit is contained in:
Nicolas Giard 2024-07-15 17:32:47 -04:00 committed by GitHub
parent 475cf2fc85
commit c9dab33f83
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 141 additions and 125 deletions

k8s/README.md Normal file

@ -0,0 +1,5 @@
# Kustomize deployment
## Run locally
The `secrets.yaml` file is provided as a reference only and must be referenced manually in the `kustomization.yaml` file.


@ -19,34 +19,9 @@ spec:
runAsNonRoot: true runAsNonRoot: true
containers: containers:
# ----------------------------------------------------- # -----------------------------------------------------
# ScoutAPM Container # Auth Container
# ----------------------------------------------------- # -----------------------------------------------------
- name: scoutapm - name: auth
image: "scoutapp/scoutapm:version-1.4.0"
imagePullPolicy: IfNotPresent
# Replace command with one that will shut down on a TERM signal
# The ./core-agent start command line is from the scoutapm docker image
command:
- "sh"
- "-c"
- >-
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
wait $!
livenessProbe:
exec:
command:
- "sh"
- "-c"
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
securityContext:
readOnlyRootFilesystem: true
runAsUser: 65534 # "nobody" user by default
runAsGroup: 65534 # "nogroup" group by default
# -----------------------------------------------------
# Datatracker Container
# -----------------------------------------------------
- name: datatracker
image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG" image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"
imagePullPolicy: Always imagePullPolicy: Always
ports: ports:
@ -72,8 +47,8 @@ spec:
- name: "DEPLOY_UID" - name: "DEPLOY_UID"
value: "$DEPLOY_UID" value: "$DEPLOY_UID"
envFrom: envFrom:
- configMapRef: - secretRef:
name: django-config name: dt-secrets-env
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@ -82,6 +57,31 @@ spec:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
# -----------------------------------------------------
# ScoutAPM Container
# -----------------------------------------------------
- name: scoutapm
image: "scoutapp/scoutapm:version-1.4.0"
imagePullPolicy: IfNotPresent
# Replace command with one that will shut down on a TERM signal
# The ./core-agent start command line is from the scoutapm docker image
command:
- "sh"
- "-c"
- >-
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
wait $!
livenessProbe:
exec:
command:
- "sh"
- "-c"
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
securityContext:
readOnlyRootFilesystem: true
runAsUser: 65534 # "nobody" user by default
runAsGroup: 65534 # "nogroup" group by default
volumes: volumes:
# To be overriden with the actual shared volume # To be overriden with the actual shared volume
- name: dt-vol - name: dt-vol
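Review bot: The `secretRef` line at the `envFrom:` hunk references a Secret named `dt-secrets-env`, but the reference manifest in this same commit declares `name: secrets-env`; unless a kustomize `namePrefix: dt-` is applied (the kustomization hunk shows only the `resources` list) or CI provisions the Secret under the prefixed name, a pod built from these files sits in CreateContainerConfigError until the names agree. The same `dt-secrets-env` reference appears in the beat, celery, datatracker and rabbitmq sections below. Either reference the declared name, `name: secrets-env`, and let kustomize prefix both sides, or state in the README how the `dt-secrets-env` Secret is produced. Separately, the old `- name: datatracker` entry is dropped and the datatracker image now runs under `- name: auth`, which changes the container name that `kubectl logs -c`/`exec -c` tooling and log labels key on, so it is worth calling out in the commit description.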


@ -20,6 +20,9 @@ spec:
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
containers: containers:
# -----------------------------------------------------
# Beat Container
# -----------------------------------------------------
- name: beat - name: beat
image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG" image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"
imagePullPolicy: Always imagePullPolicy: Always
@ -39,8 +42,8 @@ spec:
- name: "CONTAINER_ROLE" - name: "CONTAINER_ROLE"
value: "beat" value: "beat"
envFrom: envFrom:
- configMapRef: - secretRef:
name: django-config name: dt-secrets-env
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:


@ -21,31 +21,6 @@ spec:
runAsNonRoot: true runAsNonRoot: true
containers: containers:
# ----------------------------------------------------- # -----------------------------------------------------
# ScoutAPM Container
# -----------------------------------------------------
- name: scoutapm
image: "scoutapp/scoutapm:version-1.4.0"
imagePullPolicy: IfNotPresent
# Replace command with one that will shut down on a TERM signal
# The ./core-agent start command line is from the scoutapm docker image
command:
- "sh"
- "-c"
- >-
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
wait $!
livenessProbe:
exec:
command:
- "sh"
- "-c"
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
securityContext:
readOnlyRootFilesystem: true
runAsUser: 65534 # "nobody" user by default
runAsGroup: 65534 # "nogroup" group by default
# -----------------------------------------------------
# Celery Container # Celery Container
# ----------------------------------------------------- # -----------------------------------------------------
- name: celery - name: celery
@ -71,8 +46,8 @@ spec:
- name: "CONTAINER_ROLE" - name: "CONTAINER_ROLE"
value: "celery" value: "celery"
envFrom: envFrom:
- configMapRef: - secretRef:
name: django-config name: dt-secrets-env
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@ -81,6 +56,31 @@ spec:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
# -----------------------------------------------------
# ScoutAPM Container
# -----------------------------------------------------
- name: scoutapm
image: "scoutapp/scoutapm:version-1.4.0"
imagePullPolicy: IfNotPresent
# Replace command with one that will shut down on a TERM signal
# The ./core-agent start command line is from the scoutapm docker image
command:
- "sh"
- "-c"
- >-
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
wait $!
livenessProbe:
exec:
command:
- "sh"
- "-c"
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
securityContext:
readOnlyRootFilesystem: true
runAsUser: 65534 # "nobody" user by default
runAsGroup: 65534 # "nogroup" group by default
volumes: volumes:
# To be overriden with the actual shared volume # To be overriden with the actual shared volume
- name: dt-vol - name: dt-vol


@ -19,31 +19,6 @@ spec:
runAsNonRoot: true runAsNonRoot: true
containers: containers:
# ----------------------------------------------------- # -----------------------------------------------------
# ScoutAPM Container
# -----------------------------------------------------
- name: scoutapm
image: "scoutapp/scoutapm:version-1.4.0"
imagePullPolicy: IfNotPresent
# Replace command with one that will shut down on a TERM signal
# The ./core-agent start command line is from the scoutapm docker image
command:
- "sh"
- "-c"
- >-
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
wait $!
livenessProbe:
exec:
command:
- "sh"
- "-c"
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
securityContext:
readOnlyRootFilesystem: true
runAsUser: 65534 # "nobody" user by default
runAsGroup: 65534 # "nogroup" group by default
# -----------------------------------------------------
# Datatracker Container # Datatracker Container
# ----------------------------------------------------- # -----------------------------------------------------
- name: datatracker - name: datatracker
@ -72,8 +47,8 @@ spec:
- name: "DEPLOY_UID" - name: "DEPLOY_UID"
value: "$DEPLOY_UID" value: "$DEPLOY_UID"
envFrom: envFrom:
- configMapRef: - secretRef:
name: django-config name: dt-secrets-env
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@ -82,6 +57,31 @@ spec:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
# -----------------------------------------------------
# ScoutAPM Container
# -----------------------------------------------------
- name: scoutapm
image: "scoutapp/scoutapm:version-1.4.0"
imagePullPolicy: IfNotPresent
# Replace command with one that will shut down on a TERM signal
# The ./core-agent start command line is from the scoutapm docker image
command:
- "sh"
- "-c"
- >-
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
wait $!
livenessProbe:
exec:
command:
- "sh"
- "-c"
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
securityContext:
readOnlyRootFilesystem: true
runAsUser: 65534 # "nobody" user by default
runAsGroup: 65534 # "nogroup" group by default
initContainers: initContainers:
- name: migration - name: migration
image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG" image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"


@ -9,6 +9,5 @@ resources:
- beat.yaml - beat.yaml
- celery.yaml - celery.yaml
- datatracker.yaml - datatracker.yaml
- django-config.yaml
- memcached.yaml - memcached.yaml
- rabbitmq.yaml - rabbitmq.yaml
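Review bot: Removing `- django-config.yaml` from `resources` without any pointer to its replacement leaves the secret wiring undiscoverable from the kustomization itself; the README says `secrets.yaml` must be referenced manually, but nothing in this file says so. A commented-out entry documents the intent where operators actually look: `# - secrets.yaml  # reference values only; the real Secret is provisioned out of band`. If a `namePrefix` is set elsewhere in this file it is outside the hunk and worth confirming, since the deployments reference `dt-secrets-env` while `secrets.yaml` declares `secrets-env`.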


@ -16,21 +16,9 @@ spec:
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
containers: containers:
- image: "quay.io/prometheus/memcached-exporter:v0.14.3" # -----------------------------------------------------
imagePullPolicy: IfNotPresent # Memcached
name: memcached-exporter # -----------------------------------------------------
ports:
- name: metrics
containerPort: 9150
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsUser: 65534 # nobody
runAsGroup: 65534 # nobody
- image: "memcached:1.6-alpine" - image: "memcached:1.6-alpine"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: ["-m", "1024"] args: ["-m", "1024"]
@ -48,6 +36,24 @@ spec:
# memcached image sets up uid/gid 11211 # memcached image sets up uid/gid 11211
runAsUser: 11211 runAsUser: 11211
runAsGroup: 11211 runAsGroup: 11211
# -----------------------------------------------------
# Memcached Exporter for Prometheus
# -----------------------------------------------------
- image: "quay.io/prometheus/memcached-exporter:v0.14.3"
imagePullPolicy: IfNotPresent
name: memcached-exporter
ports:
- name: metrics
containerPort: 9150
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsUser: 65534 # nobody
runAsGroup: 65534 # nobody
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
restartPolicy: Always restartPolicy: Always
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30


@ -15,23 +15,6 @@ spec:
spec: spec:
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
initContainers:
# -----------------------------------------------------
# Init RabbitMQ data
# -----------------------------------------------------
- name: init-rabbitmq
image: busybox:stable
command:
- "sh"
- "-c"
- "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq"
securityContext:
runAsNonRoot: false
runAsUser: 0
readOnlyRootFilesystem: true
volumeMounts:
- name: "rabbitmq-data"
mountPath: "/mnt"
containers: containers:
# ----------------------------------------------------- # -----------------------------------------------------
# RabbitMQ Container # RabbitMQ Container
@ -52,8 +35,11 @@ spec:
- name: rabbitmq-config - name: rabbitmq-config
mountPath: "/etc/rabbitmq" mountPath: "/etc/rabbitmq"
env: env:
- name: "CELERY_PASSWORD" - name: CELERY_PASSWORD
value: "this-is-a-secret" valueFrom:
secretKeyRef:
name: dt-secrets-env
key: CELERY_PASSWORD
livenessProbe: livenessProbe:
exec: exec:
command: ["rabbitmq-diagnostics", "-q", "ping"] command: ["rabbitmq-diagnostics", "-q", "ping"]
@ -76,6 +62,23 @@ spec:
# rabbitmq image sets up uid/gid 100/101 # rabbitmq image sets up uid/gid 100/101
runAsUser: 100 runAsUser: 100
runAsGroup: 101 runAsGroup: 101
initContainers:
# -----------------------------------------------------
# Init RabbitMQ data
# -----------------------------------------------------
- name: init-rabbitmq
image: busybox:stable
command:
- "sh"
- "-c"
- "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq"
securityContext:
runAsNonRoot: false
runAsUser: 0
readOnlyRootFilesystem: true
volumeMounts:
- name: "rabbitmq-data"
mountPath: "/mnt"
volumes: volumes:
- name: rabbitmq-tmp - name: rabbitmq-tmp
emptyDir: emptyDir:
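Review bot: The new `- name: CELERY_PASSWORD` line drops the quotes that the env entries in the sibling manifests of this commit keep (`- name: "CONTAINER_ROLE"`, `- name: "DEPLOY_UID"`) and that the removed line had, so the manifests now mix the two styles; quote it, `- name: "CELERY_PASSWORD"`, or adopt plain scalars consistently. The `secretKeyRef` is non-optional, so the pod will not start unless a `CELERY_PASSWORD` key exists in the Secret; the visible hunks of the reference `secrets.yaml` do not show that key, so confirm it is present (it may be in the unseen middle of that file). The enclosing container spec starts before the hunk.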


@ -1,9 +1,9 @@
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: Secret
metadata: metadata:
name: django-config name: secrets-env
data: type: Opaque
# n.b., these are debug values / non-secret secrets stringData:
DATATRACKER_SERVER_MODE: "development" # development for staging, production for production DATATRACKER_SERVER_MODE: "development" # development for staging, production for production
DATATRACKER_ADMINS: |- DATATRACKER_ADMINS: |-
Robert Sparks <rjsparks@nostrum.com> Robert Sparks <rjsparks@nostrum.com>
@ -80,4 +80,4 @@ data:
# Scout configuration # Scout configuration
DATATRACKER_SCOUT_KEY: "this-is-the-scout-key" DATATRACKER_SCOUT_KEY: "this-is-the-scout-key"
DATATRACKER_SCOUT_NAME: "StagingDatatracker" DATATRACKER_SCOUT_NAME: "StagingDatatracker"
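Review bot: The `# n.b., these are debug values / non-secret secrets` comment is dropped on the new side at the same time the manifest becomes a `kind: Secret` with plaintext `stringData`, so the file now reads like a real credential source and nothing in it says otherwise; restore an equivalent comment above `stringData:`, e.g. `# Reference/placeholder values only (see k8s/README.md); the deployed Secret is provided out of band - do not commit real values here`. Because the deployments inject this Secret wholesale via `envFrom`, these placeholder strings (including `DATATRACKER_SCOUT_KEY`) are exactly what a cluster would run with if the reference file were ever applied by mistake, which is a second reason the comment matters. The key list between lines 9 and 80 is outside the hunks.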