From 0124b74ff235149fdf04e9d206940b7f8a3d4113 Mon Sep 17 00:00:00 2001 
From: Jan Weil Date: Wed, 14 Jul 2021 17:12:37 +0200 Subject: [PATCH 01/23] Add first draft of k8s manifest files Environment management is not yet implemented. --- k8s/00-clair-berlin-namespace.yaml | 4 + k8s/01-clair-berlin-config-map.yaml | 23 +++ ...clairchen-forwarder-access-key-secret.yaml | 8 + k8s/01-ers-forwarder-access-key-secret.yaml | 8 + k8s/01-ingestair-secret-key-secret.yaml | 8 + k8s/01-managair-secret-key-secret.yaml | 8 + k8s/01-sentry-url-secret.yaml | 8 + k8s/01-smtp-password-secret.yaml | 8 + k8s/01-sql-password-secret.yaml | 8 + k8s/11-db-pvc.yaml | 11 ++ k8s/12-db-service.yaml | 10 ++ k8s/13-db-deployment.yaml | 47 ++++++ k8s/22-redis-service.yaml | 10 ++ k8s/23-redis-deployment.yaml | 23 +++ k8s/32-ingestair-service.yaml | 10 ++ k8s/33-ingestair-deployment.yaml | 155 +++++++++++++++++ k8s/42-managair-service.yaml | 10 ++ k8s/43-managair-deployment.yaml | 157 ++++++++++++++++++ k8s/53-clairchen-forwarder-deployment.yaml | 43 +++++ k8s/63-ers-forwarder-deployment.yaml | 42 +++++ k8s/72-static-frontend-service.yaml | 10 ++ k8s/73-static-frontend-deployment.yaml | 23 +++ k8s/99-clair-berlin-ingress.yaml | 45 +++++ 23 files changed, 679 insertions(+) create mode 100644 k8s/00-clair-berlin-namespace.yaml create mode 100644 k8s/01-clair-berlin-config-map.yaml create mode 100644 k8s/01-clairchen-forwarder-access-key-secret.yaml create mode 100644 k8s/01-ers-forwarder-access-key-secret.yaml create mode 100644 k8s/01-ingestair-secret-key-secret.yaml create mode 100644 k8s/01-managair-secret-key-secret.yaml create mode 100644 k8s/01-sentry-url-secret.yaml create mode 100644 k8s/01-smtp-password-secret.yaml create mode 100644 k8s/01-sql-password-secret.yaml create mode 100644 k8s/11-db-pvc.yaml create mode 100644 k8s/12-db-service.yaml create mode 100644 k8s/13-db-deployment.yaml create mode 100644 k8s/22-redis-service.yaml create mode 100644 k8s/23-redis-deployment.yaml create mode 100644 k8s/32-ingestair-service.yaml create mode 100644 
k8s/33-ingestair-deployment.yaml
create mode 100644 k8s/42-managair-service.yaml
create mode 100644 k8s/43-managair-deployment.yaml
create mode 100644 k8s/53-clairchen-forwarder-deployment.yaml
create mode 100644 k8s/63-ers-forwarder-deployment.yaml
create mode 100644 k8s/72-static-frontend-service.yaml
create mode 100644 k8s/73-static-frontend-deployment.yaml
create mode 100644 k8s/99-clair-berlin-ingress.yaml
diff --git a/k8s/00-clair-berlin-namespace.yaml b/k8s/00-clair-berlin-namespace.yaml
new file mode 100644
index 0000000..5ab394b
--- /dev/null
+++ b/k8s/00-clair-berlin-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: clair-berlin
diff --git a/k8s/01-clair-berlin-config-map.yaml b/k8s/01-clair-berlin-config-map.yaml
new file mode 100644
index 0000000..14be18e
--- /dev/null
+++ b/k8s/01-clair-berlin-config-map.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-map
+ namespace: clair-berlin
+data:
+ clair-domain: "clair-berlin.de"
+ debug: "0"
+ sentry: "1"
+ debug-toolbar: "0"
+ django-log-level: "WARNING"
+ django-db-log-level: "WARNING"
+ log-level: "WARNING"
+ managair-db-migrate: "true"
+ managair-collect-static-files: "true"
+ ingestair-db-migrate: "false"
+ sql-database: "managairdb_dev"
+ sql-user: "managair_dev"
+ email-host: "mx2ed5.netcup.net"
+ email-port: "587"
+ email-host-user: "clair-sender@clair-berlin.de"
+ email-use-tls: "True"
+ default-from-email: "kontakt@clair-berlin.de"
diff --git a/k8s/01-clairchen-forwarder-access-key-secret.yaml b/k8s/01-clairchen-forwarder-access-key-secret.yaml
new file mode 100644
index 0000000..d9b58f6
--- /dev/null
+++ b/k8s/01-clairchen-forwarder-access-key-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ clairchen-access-key: VE9ETwo=
+kind: Secret
+metadata:
+ name: clairchen-access-key
+ namespace: clair-berlin
+type: Opaque
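Review bot: The keys `debug`, `sentry`, `debug-toolbar` and `clair-domain` are defined here but nothing in this patch reads them — the ingestair and managair deployments hard-code `DEBUG` and `SENTRY` to the literal `"0"` and never reference `clair-domain` — so the ConfigMap says `sentry: "1"` while the running pods have Sentry off, and that kind of drift is exactly how a debug flag ends up silently enabled in production later. Either wire these keys through `configMapKeyRef` the way the log-level keys are, or delete them so the ConfigMap is the single source of truth. Separately, `sql-database: "managairdb_dev"` and `sql-user: "managair_dev"` carry a `_dev` identity in a manifest set whose ingress serves `clair-berlin.de`; since the commit message says environment management is not implemented yet, a comment such as `# NOTE: dev database identity — override per environment` would make that explicit until overlays exist.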
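Review bot: `VE9ETwo=` is base64 for `TODO` plus a trailing newline, and Secret `data` is only encoded, not encrypted, so whoever replaces this placeholder with the real TTN access key will commit that key to the repository in readable form. Keep real values out of version control: leave this file as a placeholder and document it, or create the Secret at deploy time (`kubectl create secret generic clairchen-access-key --from-file=...` from an untracked file, or an encrypted-at-rest mechanism such as SOPS or sealed-secrets). The forwarder reads this value from `CLAIR_TTN_ACCESS_KEY_FILE`, and it is not visible here whether it strips whitespace, so a comment like `# bare key, no trailing newline` next to the data key would save someone a debugging session.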
diff --git a/k8s/01-ers-forwarder-access-key-secret.yaml b/k8s/01-ers-forwarder-access-key-secret.yaml
new file mode 100644
index 0000000..09b9c36
--- /dev/null
+++ b/k8s/01-ers-forwarder-access-key-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ ers-access-key: VE9ETwo=
+kind: Secret
+metadata:
+ name: ers-access-key
+ namespace: clair-berlin
+type: Opaque
diff --git a/k8s/01-ingestair-secret-key-secret.yaml b/k8s/01-ingestair-secret-key-secret.yaml
new file mode 100644
index 0000000..abf7df9
--- /dev/null
+++ b/k8s/01-ingestair-secret-key-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ ingestair-secret-key: VE9ETwo=
+kind: Secret
+metadata:
+ name: ingestair-secret-key
+ namespace: clair-berlin
+type: Opaque
diff --git a/k8s/01-managair-secret-key-secret.yaml b/k8s/01-managair-secret-key-secret.yaml
new file mode 100644
index 0000000..f6e8dff
--- /dev/null
+++ b/k8s/01-managair-secret-key-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ managair-secret-key: VE9ETwo=
+kind: Secret
+metadata:
+ name: managair-secret-key
+ namespace: clair-berlin
+type: Opaque
diff --git a/k8s/01-sentry-url-secret.yaml b/k8s/01-sentry-url-secret.yaml
new file mode 100644
index 0000000..7421ec9
--- /dev/null
+++ b/k8s/01-sentry-url-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ sentry-url: VE9ETwo=
+kind: Secret
+metadata:
+ name: sentry-url
+ namespace: clair-berlin
+type: Opaque
diff --git a/k8s/01-smtp-password-secret.yaml b/k8s/01-smtp-password-secret.yaml
new file mode 100644
index 0000000..e66cb17
--- /dev/null
+++ b/k8s/01-smtp-password-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ smtp-password: VE9ETwo=
+kind: Secret
+metadata:
+ name: smtp-password
+ namespace: clair-berlin
+type: Opaque
diff --git a/k8s/01-sql-password-secret.yaml b/k8s/01-sql-password-secret.yaml
new file mode 100644
index 0000000..2ff2e7a
--- /dev/null
+++ b/k8s/01-sql-password-secret.yaml
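Review bot: This `managair-secret-key` placeholder becomes Django's `SECRET_KEY` (the managair deployment points `SECRET_KEY_FILE` at it), and that key signs session cookies, CSRF tokens and password-reset tokens, so a `TODO` value that ever reaches a cluster makes all of those forgeable. Generate a long random value, e.g. `python -c "import secrets; print(secrets.token_urlsafe(64))"`, and — as for the other Secret files in this patch — never commit the generated value. Because `VE9ETwo=` decodes with a trailing newline, also confirm whether the application strips it when reading `SECRET_KEY_FILE`; if not, the key silently includes a newline byte and rotating it later becomes confusing.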
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ sql-password: VE9ETwo=
+kind: Secret
+metadata:
+ name: sql-password
+ namespace: clair-berlin
+type: Opaque
diff --git a/k8s/11-db-pvc.yaml b/k8s/11-db-pvc.yaml
new file mode 100644
index 0000000..18a3da4
--- /dev/null
+++ b/k8s/11-db-pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: db-data
+ namespace: clair-berlin
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
\ No newline at end of file
diff --git a/k8s/12-db-service.yaml b/k8s/12-db-service.yaml
new file mode 100644
index 0000000..d46a179
--- /dev/null
+++ b/k8s/12-db-service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: db
+ namespace: clair-berlin
+spec:
+ selector:
+ app: db
+ ports:
+ - port: 5432
diff --git a/k8s/13-db-deployment.yaml b/k8s/13-db-deployment.yaml
new file mode 100644
index 0000000..a890c47
--- /dev/null
+++ b/k8s/13-db-deployment.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: db
+ name: db
+ namespace: clair-berlin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: db
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: db
+ spec:
+ containers:
+ - env:
+ - name: POSTGRES_DB
+ valueFrom:
+ configMapKeyRef:
+ name: config-map
+ key: sql-database
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: sql-password
+ key: sql-password
+ - name: POSTGRES_USER
+ valueFrom:
+ configMapKeyRef:
+ name: config-map
+ key: sql-user
+ image: postgres:13.1
+ name: db
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: db-data
+ restartPolicy: Always
+ volumes:
+ - name: db-data
+ persistentVolumeClaim:
+ claimName: db-data
diff --git a/k8s/22-redis-service.yaml b/k8s/22-redis-service.yaml
new file mode 100644
index 0000000..0ccd063
--- /dev/null
+++ b/k8s/22-redis-service.yaml
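Review bot: The Postgres pod is reachable from every pod in the cluster: the `db` Service exposes 5432 and nothing in this patch adds a NetworkPolicy, so a compromise of the static-frontend or redis container gets a direct database connection and only the password stands in the way. Add a NetworkPolicy selecting `app: db` that admits ingress only from the application pods (labels `app: ingestair` and `app: managair-server` elsewhere in this patch), and set resource limits, since `resources: {}` leaves the database unbounded; note that NetworkPolicy is only enforced if the cluster's CNI supports it, which is not visible here. It is also worth recording somewhere that `POSTGRES_PASSWORD` via `secretKeyRef` works for this container, which suggests the `# XXX why doesn't this work?` left in the application deployments is about how the app loads its settings rather than about Kubernetes.

```yaml
# … unchanged: db Deployment …
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-ingress
  namespace: clair-berlin
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: ingestair
        - podSelector:
            matchLabels:
              app: managair-server
      ports:
        - port: 5432
```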
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis
+ namespace: clair-berlin
+spec:
+ selector:
+ app: redis
+ ports:
+ - port: 6379
\ No newline at end of file
diff --git a/k8s/23-redis-deployment.yaml b/k8s/23-redis-deployment.yaml
new file mode 100644
index 0000000..5074345
--- /dev/null
+++ b/k8s/23-redis-deployment.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: redis
+ name: redis
+ namespace: clair-berlin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: redis
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: redis
+ spec:
+ containers:
+ - image: redis:6.0.9
+ name: redis
+ resources: {}
+ restartPolicy: Always
diff --git a/k8s/32-ingestair-service.yaml b/k8s/32-ingestair-service.yaml
new file mode 100644
index 0000000..c19bfa0
--- /dev/null
+++ b/k8s/32-ingestair-service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ingestair
+ namespace: clair-berlin
+spec:
+ selector:
+ app: ingestair
+ ports:
+ - port: 8888
diff --git a/k8s/33-ingestair-deployment.yaml b/k8s/33-ingestair-deployment.yaml
new file mode 100644
index 0000000..91d619c
--- /dev/null
+++ b/k8s/33-ingestair-deployment.yaml
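Review bot: The redis container runs with the image defaults — no `--requirepass`, no ACL, no config file — while the `redis` Service exposes 6379 and no NetworkPolicy accompanies it, so every pod in the cluster can read and rewrite whatever the applications keep there without authenticating. At minimum start it with `args: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]` with the password sourced from a Secret, and restrict ingress with a NetworkPolicy as for the database. `redis:6.0.9` is pinned, which is good, but it is an early point release of the 6.0 line; check the project's published advisories for 6.0.x before keeping that pin. Nothing in this patch references the redis Service, so which component depends on it is not visible from here.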
@@ -0,0 +1,155 @@ + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ingestair + name: ingestair + namespace: clair-berlin +spec: + replicas: 1 + selector: + matchLabels: + app: ingestair + strategy: {} + template: + metadata: + labels: + app: ingestair + spec: + containers: + - args: + - python + - manage.py + - runserver + - 0.0.0.0:8888 + env: + - name: SECRET_KEY_FILE + value: "/var/secrets/ingestair-secret-key/ingestair-secret-key" + - name: SENTRY + value: "0" + - name: SENTRY_URL_FILE + value: "/var/secrets/sentry-url/sentry-url" + - name: DEBUG + value: "0" + - name: DJANGO_LOG_LEVEL + valueFrom: + configMapKeyRef: + name: config-map + key: django-log-level + - name: DJANGO_DB_LOG_LEVEL + valueFrom: + configMapKeyRef: + name: config-map + key: django-db-log-level + - name: LOG_LEVEL + valueFrom: + configMapKeyRef: + name: config-map + key: log-level + - name: SQL_ENGINE + value: "django.db.backends.postgresql" + - name: SQL_HOST + value: "db" + - name: SQL_PORT + value: "5432" + - name: SQL_DATABASE + valueFrom: + configMapKeyRef: + name: config-map + key: sql-database + - name: SQL_USER + valueFrom: + configMapKeyRef: + name: config-map + key: sql-user + - name: SQL_PASSWORD_FILE + value: "/var/secrets/sql-password/sql-password" + # XXX why doesn't this work? 
+ # - name: SQL_PASSWORD + # valueFrom: + # secretKeyRef: + # name: sql-password + # key: sql-password + - name: DATABASE + value: "postgresql" + - name: DB_MIGRATE + valueFrom: + configMapKeyRef: + name: config-map + key: ingestair-db-migrate + - name: COLLECT_STATIC_FILES + value: "false" + - name: NODE_FIDELITY + value: "1" + - name: DJANGO_ALLOWED_HOSTS + value: "ingestair localhost 127.0.0.1 [::1]" + - name: EMAIL_HOST + valueFrom: + configMapKeyRef: + name: config-map + key: email-host + - name: EMAIL_PORT + valueFrom: + configMapKeyRef: + name: config-map + key: email-port + - name: EMAIL_HOST_USER + valueFrom: + configMapKeyRef: + name: config-map + key: email-host-user + - name: EMAIL_HOST_PASSWORD_FILE + value: "/var/secrets/smtp-password/smtp-password" + - name: EMAIL_USE_TLS + valueFrom: + configMapKeyRef: + name: config-map + key: email-use-tls + - name: DEFAULT_FROM_EMAIL + valueFrom: + configMapKeyRef: + name: config-map + key: default-from-email + image: clairberlin/managair:0.6.5 + name: ingestair-server + resources: {} + volumeMounts: + - mountPath: "/var/secrets/ingestair-secret-key" + name: ingestair-secret-key + readOnly: true + - mountPath: "/var/secrets/sentry-url" + name: sentry-url + readOnly: true + - mountPath: "/var/secrets/sql-password" + name: sql-password + readOnly: true + - mountPath: "/var/secrets/smtp-password" + name: smtp-password + readOnly: true + restartPolicy: Always + volumes: + - name: ingestair-secret-key + secret: + items: + - key: ingestair-secret-key + path: ingestair-secret-key + secretName: ingestair-secret-key + - name: sentry-url + secret: + items: + - key: sentry-url + path: sentry-url + secretName: sentry-url + - name: sql-password + secret: + items: + - key: sql-password + path: sql-password + secretName: sql-password + - name: smtp-password + secret: + items: + - key: smtp-password + path: smtp-password + secretName: smtp-password 
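Review bot: `python manage.py runserver 0.0.0.0:8888` starts Django's development server, which Django's own documentation says must not be used in production — it is not hardened or audited, serves requests from a single process, and has no protection against slow or oversized requests — yet this is the process the two forwarders post sensor data to. Run the app under a real WSGI/ASGI server instead, e.g. `args: ["gunicorn", "--bind", "0.0.0.0:8888", "<project>.wsgi"]` (the project module name is not visible from the manifest). The pod also has no `securityContext` and `resources: {}`, so it runs as whatever user the image defaults to with no memory or CPU bound; `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and a memory limit are the usual baseline. Finally, `SENTRY` and `DEBUG` are literal `"0"` here while the ConfigMap defines `sentry: "1"` and `debug: "0"` for the same purpose; pick one source so the two cannot disagree.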
diff --git a/k8s/42-managair-service.yaml b/k8s/42-managair-service.yaml new file mode 100644 index 0000000..0405aae --- /dev/null +++ b/k8s/42-managair-service.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Service +metadata: + name: managair-server + namespace: clair-berlin +spec: + selector: + app: managair-server + ports: + - port: 8888 \ No newline at end of file diff --git a/k8s/43-managair-deployment.yaml b/k8s/43-managair-deployment.yaml new file mode 100644 index 0000000..ef8eedb --- /dev/null +++ b/k8s/43-managair-deployment.yaml 
@@ -0,0 +1,157 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: managair-server + name: managair-server + namespace: clair-berlin +spec: + replicas: 1 + selector: + matchLabels: + app: managair-server + strategy: {} + template: + metadata: + labels: + app: managair-server + spec: + containers: + - args: + - python + - manage.py + - runserver + - 0.0.0.0:8888 + env: + - name: SECRET_KEY_FILE + value: "/var/secrets/managair-secret-key/managair-secret-key" + - name: SENTRY + value: "0" + - name: SENTRY_URL_FILE + value: "/var/secrets/sentry-url/sentry-url" + - name: DEBUG + value: "0" + - name: DJANGO_LOG_LEVEL + valueFrom: + configMapKeyRef: + name: config-map + key: django-log-level + - name: DJANGO_DB_LOG_LEVEL + valueFrom: + configMapKeyRef: + name: config-map + key: django-db-log-level + - name: LOG_LEVEL + valueFrom: + configMapKeyRef: + name: config-map + key: log-level + - name: SQL_ENGINE + value: "django.db.backends.postgresql" + - name: SQL_HOST + value: "db" + - name: SQL_PORT + value: "5432" + - name: SQL_DATABASE + valueFrom: + configMapKeyRef: + name: config-map + key: sql-database + - name: SQL_USER + valueFrom: + configMapKeyRef: + name: config-map + key: sql-user + - name: SQL_PASSWORD_FILE + value: "/var/secrets/sql-password/sql-password" + # XXX why doesn't this work? 
+ # - name: SQL_PASSWORD + # valueFrom: + # secretKeyRef: + # name: sql-password + # key: sql-password + - name: DATABASE + value: "postgresql" + - name: DB_MIGRATE + valueFrom: + configMapKeyRef: + name: config-map + key: managair-db-migrate + - name: COLLECT_STATIC_FILES + valueFrom: + configMapKeyRef: + name: config-map + key: managair-collect-static-files + - name: NODE_FIDELITY + value: "1" + - name: DJANGO_ALLOWED_HOSTS + value: " localhost 127.0.0.1 [::1]" + - name: EMAIL_HOST + valueFrom: + configMapKeyRef: + name: config-map + key: email-host + - name: EMAIL_PORT + valueFrom: + configMapKeyRef: + name: config-map + key: email-port + - name: EMAIL_HOST_USER + valueFrom: + configMapKeyRef: + name: config-map + key: email-host-user + - name: EMAIL_HOST_PASSWORD_FILE + value: "/var/secrets/smtp-password/smtp-password" + - name: EMAIL_USE_TLS + valueFrom: + configMapKeyRef: + name: config-map + key: email-use-tls + - name: DEFAULT_FROM_EMAIL + valueFrom: + configMapKeyRef: + name: config-map + key: default-from-email + image: clairberlin/managair:0.6.5 + name: managair-server + resources: {} + volumeMounts: + - mountPath: "/var/secrets/managair-secret-key" + name: managair-secret-key + readOnly: true + - mountPath: "/var/secrets/sentry-url" + name: sentry-url + readOnly: true + - mountPath: "/var/secrets/sql-password" + name: sql-password + readOnly: true + - mountPath: "/var/secrets/smtp-password" + name: smtp-password + readOnly: true + restartPolicy: Always + volumes: + - name: managair-secret-key + secret: + items: + - key: managair-secret-key + path: managair-secret-key + secretName: managair-secret-key + - name: sentry-url + secret: + items: + - key: sentry-url + path: sentry-url + secretName: sentry-url + - name: sql-password + secret: + items: + - key: sql-password + path: sql-password + secretName: sql-password + - name: smtp-password + secret: + items: + - key: smtp-password + path: smtp-password + secretName: smtp-password 
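Review bot: `DJANGO_ALLOWED_HOSTS` is `" localhost 127.0.0.1 [::1]"` — a leading space where a first entry evidently went missing, and no public hostname — while the ingress in this patch routes `/admin`, `/accounts` and `/api` to this pod, so browser requests carrying `Host: clair-berlin.de` will be rejected by Django's host validation unless the ingress controller rewrites the Host header (the ConfigMap even carries `clair-domain: "clair-berlin.de"` for this purpose but it is never read). Use `value: "clair-berlin.de managair-server localhost 127.0.0.1 [::1]"` or, better, build the value from the ConfigMap key so the domain and the allowed-host list cannot diverge. As with ingestair, `manage.py runserver` is the development server and should not front the admin and account endpoints, and the pod has no `securityContext` or resource limits.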
diff --git a/k8s/53-clairchen-forwarder-deployment.yaml b/k8s/53-clairchen-forwarder-deployment.yaml
new file mode 100644
index 0000000..0033bc6
--- /dev/null
+++ b/k8s/53-clairchen-forwarder-deployment.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: clairchen-forwarder
+ name: clairchen-forwarder
+ namespace: clair-berlin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: clairchen-forwarder
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: clairchen-forwarder
+ spec:
+ containers:
+ - env:
+ - name: CLAIR_API_ROOT
+ value: "http://ingestair:8888/ingest/v1/"
+ - name: CLAIR_MODE
+ value: "clairchen-forward"
+ - name: CLAIR_TTN_ACCESS_KEY_FILE
+ value: "/var/secrets/clairchen-access-key/clairchen-access-key"
+ - name: CLAIR_TTN_APP_ID
+ value: "clairberlinproto"
+ image: clairberlin/clairttn:1
+ name: clairchen-forwarder
+ resources: {}
+ volumeMounts:
+ - mountPath: "/var/secrets/clairchen-access-key"
+ name: clairchen-access-key
+ readOnly: true
+ restartPolicy: Always
+ volumes:
+ - name: clairchen-access-key
+ secret:
+ items:
+ - key: clairchen-access-key
+ path: clairchen-access-key
+ secretName: clairchen-access-key
diff --git a/k8s/63-ers-forwarder-deployment.yaml b/k8s/63-ers-forwarder-deployment.yaml
new file mode 100644
index 0000000..421d91a
--- /dev/null
+++ b/k8s/63-ers-forwarder-deployment.yaml
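Review bot: `image: clairberlin/clairttn:1` is a floating major-version tag, so any new push to `:1` changes what this pod runs on its next restart with nothing in the manifest recording that — and this is the container holding the TTN application access key, which makes a silently swapped image a high-value supply-chain target. Pin to a full version and ideally a digest, `image: clairberlin/clairttn:1.x.y@sha256:…` (the exact version is not visible here; the managair image alongside is already pinned to `0.6.5`). The forwarder talks to `http://ingestair:8888` in plaintext; inside one namespace that is usually acceptable, but a comment such as `# plaintext is acceptable only because ingestair is not exposed outside the cluster` would record the assumption the design relies on.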
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: ers-forwarder
+ name: ers-forwarder
+ namespace: clair-berlin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ers-forwarder
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: ers-forwarder
+ spec:
+ containers:
+ - env:
+ - name: CLAIR_API_ROOT
+ value: "http://ingestair:8888/ingest/v1/"
+ - name: CLAIR_MODE
+ value: "ers-forward"
+ - name: CLAIR_TTN_ACCESS_KEY_FILE
+ value: "/var/secrets/ers-access-key/ers-access-key"
+ - name: CLAIR_TTN_APP_ID
+ value: "clair-berlin-ers-co2"
+ image: clairberlin/clairttn:1
+ name: ers-forwarder
+ resources: {}
+ volumeMounts:
+ - mountPath: "/var/secrets/ers-access-key"
+ name: ers-access-key
+ restartPolicy: Always
+ volumes:
+ - name: ers-access-key
+ secret:
+ items:
+ - key: ers-access-key
+ path: ers-access-key
+ secretName: ers-access-key
diff --git a/k8s/72-static-frontend-service.yaml b/k8s/72-static-frontend-service.yaml
new file mode 100644
index 0000000..2624bfc
--- /dev/null
+++ b/k8s/72-static-frontend-service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: static-frontend
+ namespace: clair-berlin
+spec:
+ selector:
+ app: static-frontend
+ ports:
+ - port: 80
\ No newline at end of file
diff --git a/k8s/73-static-frontend-deployment.yaml b/k8s/73-static-frontend-deployment.yaml
new file mode 100644
index 0000000..d498580
--- /dev/null
+++ b/k8s/73-static-frontend-deployment.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: static-frontend
+ name: static-frontend
+ namespace: clair-berlin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: static-frontend
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: static-frontend
+ spec:
+ containers:
+ - image: clairberlin/website:15
+ name: static-frontend
+ resources: {}
+ restartPolicy: Always
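Review bot: The `ers-access-key` volumeMount omits the `readOnly: true` that the otherwise identical clairchen-forwarder mount sets, so the two forwarders now differ for no stated reason. I believe current kubelets mount Secret volumes read-only regardless, so this is mostly a consistency point, but the explicit flag documents intent and survives a later switch to a different volume type; add `readOnly: true` under `name: ers-access-key`. The same floating `clairttn:1` image tag as in the clairchen forwarder applies here and should be pinned the same way.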
diff --git a/k8s/99-clair-berlin-ingress.yaml b/k8s/99-clair-berlin-ingress.yaml
new file mode 100644
index 0000000..7321b65
--- /dev/null
+++ b/k8s/99-clair-berlin-ingress.yaml
@@ -0,0 +1,45 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress
+ namespace: clair-berlin
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: static-frontend
+ port:
+ number: 80
+ - path: /admin
+ pathType: Prefix
+ backend:
+ service:
+ name: managair-server
+ port:
+ number: 8888
+ - path: /static
+ pathType: Prefix
+ backend:
+ service:
+ name: managair-server
+ port:
+ number: 8888
+ - path: /accounts
+ pathType: Prefix
+ backend:
+ service:
+ name: managair-server
+ port:
+ number: 8888
+ - path: /api
+ pathType: Prefix
+ backend:
+ service:
+ name: managair-server
+ port:
+ number: 8888
+
From 2d1fe4fefc9e828c633a67b4c64ab70e9d01e178 Mon Sep 17 00:00:00 2001
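Review bot: The Ingress has no `tls:` section and its single rule has no `host:`, so unless TLS is terminated somewhere in front of the controller, `/admin` and `/accounts` — Django admin logins, account credentials and session cookies — are served over plain HTTP, and to any hostname that happens to reach the controller. Add the public host and a TLS secret as below; how the certificate is provisioned (cert-manager or a manually created Secret) is outside this patch. If TLS does terminate at the ingress, Django will also need to trust the forwarded-proto header it receives, which is a settings-side change not visible here. Exposing `/admin` to the whole internet is a separate decision worth a comment or an allow-list on the controller.

```yaml
spec:
  tls:
    - hosts:
        - clair-berlin.de
      secretName: clair-berlin-tls   # provisioned separately (e.g. cert-manager)
  rules:
    - host: clair-berlin.de
      http:
        paths:
          # … unchanged: path list …
```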
From: Jan Weil Date: Sat, 17 Jul 2021 19:37:54 +0200 Subject: [PATCH 02/23] Use kustomize to generate config map and secret --- k8s/01-clair-berlin-config-map.yaml | 23 ----- ...clairchen-forwarder-access-key-secret.yaml | 8 -- k8s/01-ers-forwarder-access-key-secret.yaml | 8 -- k8s/01-ingestair-secret-key-secret.yaml | 8 -- k8s/01-managair-secret-key-secret.yaml | 8 -- k8s/01-sentry-url-secret.yaml | 8 -- k8s/01-smtp-password-secret.yaml | 8 -- k8s/01-sql-password-secret.yaml | 8 -- k8s/{ => base}/00-clair-berlin-namespace.yaml | 0 k8s/{ => base}/11-db-pvc.yaml | 0 k8s/{ => base}/12-db-service.yaml | 0 k8s/{ => base}/13-db-deployment.yaml | 12 +-- k8s/{ => base}/22-redis-service.yaml | 0 k8s/{ => base}/23-redis-deployment.yaml | 0 k8s/{ => base}/32-ingestair-service.yaml | 0 k8s/{ => base}/33-ingestair-deployment.yaml | 90 ++++++------------ k8s/{ => base}/42-managair-service.yaml | 0 k8s/{ => base}/43-managair-deployment.yaml | 94 +++++++------------ .../53-clairchen-forwarder-deployment.yaml | 13 +-- .../63-ers-forwarder-deployment.yaml | 14 ++- .../72-static-frontend-service.yaml | 0 .../73-static-frontend-deployment.yaml | 0 k8s/{ => base}/99-clair-berlin-ingress.yaml | 0 k8s/base/config.env | 24 +++++ k8s/base/kustomization.yaml | 34 +++++++ .../clairchen-forwarder-access-key.txt | 1 + k8s/base/secrets/ers-forwarder-access-key.txt | 1 + k8s/base/secrets/ingestair-secret-key.txt | 1 + k8s/base/secrets/managair-secret-key.txt | 1 + k8s/base/secrets/sentry-url.txt | 1 + k8s/base/secrets/smtp-password.txt | 1 + k8s/base/secrets/sql-password.txt | 1 + 32 files changed, 144 insertions(+), 223 deletions(-) delete mode 100644 k8s/01-clair-berlin-config-map.yaml delete mode 100644 k8s/01-clairchen-forwarder-access-key-secret.yaml delete mode 100644 k8s/01-ers-forwarder-access-key-secret.yaml delete mode 100644 k8s/01-ingestair-secret-key-secret.yaml delete mode 100644 k8s/01-managair-secret-key-secret.yaml delete mode 100644 k8s/01-sentry-url-secret.yaml delete mode 
100644 k8s/01-smtp-password-secret.yaml delete mode 100644 k8s/01-sql-password-secret.yaml rename k8s/{ => base}/00-clair-berlin-namespace.yaml (100%) rename k8s/{ => base}/11-db-pvc.yaml (100%) rename k8s/{ => base}/12-db-service.yaml (100%) rename k8s/{ => base}/13-db-deployment.yaml (79%) rename k8s/{ => base}/22-redis-service.yaml (100%) rename k8s/{ => base}/23-redis-deployment.yaml (100%) rename k8s/{ => base}/32-ingestair-service.yaml (100%) rename k8s/{ => base}/33-ingestair-deployment.yaml (54%) rename k8s/{ => base}/42-managair-service.yaml (100%) rename k8s/{ => base}/43-managair-deployment.yaml (53%) rename k8s/{ => base}/53-clairchen-forwarder-deployment.yaml (69%) rename k8s/{ => base}/63-ers-forwarder-deployment.yaml (71%) rename k8s/{ => base}/72-static-frontend-service.yaml (100%) rename k8s/{ => base}/73-static-frontend-deployment.yaml (100%) rename k8s/{ => base}/99-clair-berlin-ingress.yaml (100%) create mode 100644 k8s/base/config.env create mode 100644 k8s/base/kustomization.yaml create mode 100644 k8s/base/secrets/clairchen-forwarder-access-key.txt create mode 100644 k8s/base/secrets/ers-forwarder-access-key.txt create mode 100644 k8s/base/secrets/ingestair-secret-key.txt create mode 100644 k8s/base/secrets/managair-secret-key.txt create mode 100644 k8s/base/secrets/sentry-url.txt create mode 100644 k8s/base/secrets/smtp-password.txt create mode 100644 k8s/base/secrets/sql-password.txt diff --git a/k8s/01-clair-berlin-config-map.yaml b/k8s/01-clair-berlin-config-map.yaml deleted file mode 100644 index 14be18e..0000000 --- a/k8s/01-clair-berlin-config-map.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-map - namespace: clair-berlin -data: - clair-domain: "clair-berlin.de" - debug: "0" - sentry: "1" - debug-toolbar: "0" - django-log-level: "WARNING" - django-db-log-level: "WARNING" - log-level: "WARNING" - managair-db-migrate: "true" - managair-collect-static-files: "true" - ingestair-db-migrate: "false" - sql-database: "managairdb_dev" - sql-user: "managair_dev" - email-host: "mx2ed5.netcup.net" - email-port: "587" - email-host-user: "clair-sender@clair-berlin.de" - email-use-tls: "True" - default-from-email: "kontakt@clair-berlin.de" diff --git a/k8s/01-clairchen-forwarder-access-key-secret.yaml b/k8s/01-clairchen-forwarder-access-key-secret.yaml deleted file mode 100644 index d9b58f6..0000000 --- a/k8s/01-clairchen-forwarder-access-key-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -data: - clairchen-access-key: VE9ETwo= -kind: Secret -metadata: - name: clairchen-access-key - namespace: clair-berlin -type: Opaque diff --git a/k8s/01-ers-forwarder-access-key-secret.yaml b/k8s/01-ers-forwarder-access-key-secret.yaml deleted file mode 100644 index 09b9c36..0000000 --- a/k8s/01-ers-forwarder-access-key-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -data: - ers-access-key: VE9ETwo= -kind: Secret -metadata: - name: ers-access-key - namespace: clair-berlin -type: Opaque diff --git a/k8s/01-ingestair-secret-key-secret.yaml b/k8s/01-ingestair-secret-key-secret.yaml deleted file mode 100644 index abf7df9..0000000 --- a/k8s/01-ingestair-secret-key-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -data: - ingestair-secret-key: VE9ETwo= -kind: Secret -metadata: - name: ingestair-secret-key - namespace: clair-berlin -type: Opaque diff --git a/k8s/01-managair-secret-key-secret.yaml b/k8s/01-managair-secret-key-secret.yaml deleted file mode 100644 index f6e8dff..0000000 --- a/k8s/01-managair-secret-key-secret.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: v1 -data: - managair-secret-key: VE9ETwo= -kind: Secret -metadata: - name: managair-secret-key - namespace: clair-berlin -type: Opaque diff --git a/k8s/01-sentry-url-secret.yaml b/k8s/01-sentry-url-secret.yaml deleted file mode 100644 index 7421ec9..0000000 --- a/k8s/01-sentry-url-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -data: - sentry-url: VE9ETwo= -kind: Secret -metadata: - name: sentry-url - namespace: clair-berlin -type: Opaque diff --git a/k8s/01-smtp-password-secret.yaml b/k8s/01-smtp-password-secret.yaml deleted file mode 100644 index e66cb17..0000000 --- a/k8s/01-smtp-password-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -data: - smtp-password: VE9ETwo= -kind: Secret -metadata: - name: smtp-password - namespace: clair-berlin -type: Opaque diff --git a/k8s/01-sql-password-secret.yaml b/k8s/01-sql-password-secret.yaml deleted file mode 100644 index 2ff2e7a..0000000 --- a/k8s/01-sql-password-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -data: - sql-password: VE9ETwo= -kind: Secret -metadata: - name: sql-password - namespace: clair-berlin -type: Opaque diff --git a/k8s/00-clair-berlin-namespace.yaml b/k8s/base/00-clair-berlin-namespace.yaml similarity index 100% rename from k8s/00-clair-berlin-namespace.yaml rename to k8s/base/00-clair-berlin-namespace.yaml diff --git a/k8s/11-db-pvc.yaml b/k8s/base/11-db-pvc.yaml similarity index 100% rename from k8s/11-db-pvc.yaml rename to k8s/base/11-db-pvc.yaml diff --git a/k8s/12-db-service.yaml b/k8s/base/12-db-service.yaml similarity index 100% rename from k8s/12-db-service.yaml rename to k8s/base/12-db-service.yaml diff --git a/k8s/13-db-deployment.yaml b/k8s/base/13-db-deployment.yaml similarity index 79% rename from k8s/13-db-deployment.yaml rename to k8s/base/13-db-deployment.yaml index a890c47..ffd40dd 100644 --- a/k8s/13-db-deployment.yaml +++ b/k8s/base/13-db-deployment.yaml 
@@ -22,18 +22,18 @@ spec: - name: POSTGRES_DB valueFrom: configMapKeyRef: - name: config-map - key: sql-database + name: clair-config-map + key: SQL_DATABASE - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: - name: sql-password - key: sql-password + name: clair-secret + key: sql-password.txt - name: POSTGRES_USER valueFrom: configMapKeyRef: - name: config-map - key: sql-user + name: clair-config-map + key: SQL_USER image: postgres:13.1 name: db resources: {} diff --git a/k8s/22-redis-service.yaml b/k8s/base/22-redis-service.yaml similarity index 100% rename from k8s/22-redis-service.yaml rename to k8s/base/22-redis-service.yaml diff --git a/k8s/23-redis-deployment.yaml b/k8s/base/23-redis-deployment.yaml similarity index 100% rename from k8s/23-redis-deployment.yaml rename to k8s/base/23-redis-deployment.yaml diff --git a/k8s/32-ingestair-service.yaml b/k8s/base/32-ingestair-service.yaml similarity index 100% rename from k8s/32-ingestair-service.yaml rename to k8s/base/32-ingestair-service.yaml diff --git a/k8s/33-ingestair-deployment.yaml b/k8s/base/33-ingestair-deployment.yaml similarity index 54% rename from k8s/33-ingestair-deployment.yaml rename to k8s/base/33-ingestair-deployment.yaml index 91d619c..9f7bd95 100644 --- a/k8s/33-ingestair-deployment.yaml +++ b/k8s/base/33-ingestair-deployment.yaml 
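Review bot: The new `key: sql-password.txt` shows the Secret is now generated from `k8s/base/secrets/sql-password.txt`, and this patch's diffstat creates that file and six siblings as tracked one-line files, so the first time a real password replaces the placeholder it is committed to the repository in plaintext — the base64 manifests this patch removes had the same problem, and the move to kustomize keeps it. Add `k8s/base/secrets/*.txt` to `.gitignore` and commit `*.txt.example` placeholders instead, or point the secret generator at files decrypted at build time (SOPS/ksops). The `kustomization.yaml` itself is outside this chunk, so I cannot see how the generator or name suffixing is configured.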
@@ -25,28 +25,28 @@ spec: - 0.0.0.0:8888 env: - name: SECRET_KEY_FILE - value: "/var/secrets/ingestair-secret-key/ingestair-secret-key" + value: "/var/secrets/clair-secret/ingestair-secret-key.txt" - name: SENTRY value: "0" - name: SENTRY_URL_FILE - value: "/var/secrets/sentry-url/sentry-url" + value: "/var/secrets/clair-secret/sentry-url.txt" - name: DEBUG value: "0" - name: DJANGO_LOG_LEVEL valueFrom: configMapKeyRef: - name: config-map - key: django-log-level + name: clair-config-map + key: DJANGO_LOG_LEVEL - name: DJANGO_DB_LOG_LEVEL valueFrom: configMapKeyRef: - name: config-map - key: django-db-log-level + name: clair-config-map + key: DJANGO_DB_LOG_LEVEL - name: LOG_LEVEL valueFrom: configMapKeyRef: - name: config-map - key: log-level + name: clair-config-map + key: LOG_LEVEL - name: SQL_ENGINE value: "django.db.backends.postgresql" - name: SQL_HOST @@ -56,15 +56,15 @@ spec: - name: SQL_DATABASE valueFrom: configMapKeyRef: - name: config-map - key: sql-database + name: clair-config-map + key: SQL_DATABASE - name: SQL_USER valueFrom: configMapKeyRef: - name: config-map - key: sql-user + name: clair-config-map + key: SQL_USER - name: SQL_PASSWORD_FILE - value: "/var/secrets/sql-password/sql-password" + value: "/var/secrets/clair-secret/sql-password.txt" # XXX why doesn't this work? # - name: SQL_PASSWORD # valueFrom: @@ -76,8 +76,8 @@ spec: - name: DB_MIGRATE valueFrom: configMapKeyRef: - name: config-map - key: ingestair-db-migrate + name: clair-config-map + key: INGESTAIR_DB_MIGRATE - name: COLLECT_STATIC_FILES value: "false" - name: NODE_FIDELITY 
@@ -87,69 +87,39 @@ spec: - name: EMAIL_HOST valueFrom: configMapKeyRef: - name: config-map - key: email-host + name: clair-config-map + key: EMAIL_HOST - name: EMAIL_PORT valueFrom: configMapKeyRef: - name: config-map - key: email-port + name: clair-config-map + key: EMAIL_PORT - name: EMAIL_HOST_USER valueFrom: configMapKeyRef: - name: config-map - key: email-host-user + name: clair-config-map + key: EMAIL_HOST_USER - name: EMAIL_HOST_PASSWORD_FILE - value: "/var/secrets/smtp-password/smtp-password" + value: "/var/secrets/clair-secret/smtp-password.txt" - name: EMAIL_USE_TLS valueFrom: configMapKeyRef: - name: config-map - key: email-use-tls + name: clair-config-map + key: EMAIL_USE_TLS - name: DEFAULT_FROM_EMAIL valueFrom: configMapKeyRef: - name: config-map - key: default-from-email + name: clair-config-map + key: DEFAULT_FROM_EMAIL image: clairberlin/managair:0.6.5 name: ingestair-server resources: {} volumeMounts: - - mountPath: "/var/secrets/ingestair-secret-key" - name: ingestair-secret-key - readOnly: true - - mountPath: "/var/secrets/sentry-url" - name: sentry-url - readOnly: true - - mountPath: "/var/secrets/sql-password" - name: sql-password - readOnly: true - - mountPath: "/var/secrets/smtp-password" - name: smtp-password + - mountPath: "/var/secrets/clair-secret" + name: clair-secret readOnly: true restartPolicy: Always volumes: - - name: ingestair-secret-key - secret: - items: - - key: ingestair-secret-key - path: ingestair-secret-key - secretName: ingestair-secret-key - - name: sentry-url - secret: - items: - - key: sentry-url - path: sentry-url - secretName: sentry-url - - name: sql-password - secret: - items: - - key: sql-password - path: sql-password - secretName: sql-password - - name: smtp-password + - name: clair-secret secret: - items: - - key: smtp-password - path: smtp-password - secretName: smtp-password + secretName: clair-secret 
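Review bot: Replacing the four per-key `items:` volumes with a whole-secret mount of `clair-secret` exposes every key in that Secret — including both forwarders' TTN access keys and the managair secret key — to the `ingestair-server` container, which only reads four of them; that is a least-privilege regression relative to the manifests this hunk removes. The managair hunk (L24) and both forwarder hunks (L25, L26) share the pattern, and the forwarders end up with the database and SMTP passwords mounted although each uses only its own access key. Patch 08 later in this series splits the secret per service, which resolves the exposure; wherever the single-secret layout is kept, restoring an `items:` list limited to the keys the container actually reads would bound it again.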
diff --git a/k8s/42-managair-service.yaml b/k8s/base/42-managair-service.yaml similarity index 100% rename from k8s/42-managair-service.yaml rename to k8s/base/42-managair-service.yaml diff --git a/k8s/43-managair-deployment.yaml b/k8s/base/43-managair-deployment.yaml similarity index 53% rename from k8s/43-managair-deployment.yaml rename to k8s/base/43-managair-deployment.yaml index ef8eedb..9568547 100644 --- a/k8s/43-managair-deployment.yaml +++ b/k8s/base/43-managair-deployment.yaml @@ -24,28 +24,28 @@ spec: - 0.0.0.0:8888 env: - name: SECRET_KEY_FILE - value: "/var/secrets/managair-secret-key/managair-secret-key" + value: "/var/secrets/clair-secret/managair-secret-key.txt" - name: SENTRY value: "0" - name: SENTRY_URL_FILE - value: "/var/secrets/sentry-url/sentry-url" + value: "/var/secrets/clair-secret/sentry-url.txt" - name: DEBUG value: "0" - name: DJANGO_LOG_LEVEL valueFrom: configMapKeyRef: - name: config-map - key: django-log-level + name: clair-config-map + key: DJANGO_LOG_LEVEL - name: DJANGO_DB_LOG_LEVEL valueFrom: configMapKeyRef: - name: config-map - key: django-db-log-level + name: clair-config-map + key: DJANGO_DB_LOG_LEVEL - name: LOG_LEVEL valueFrom: configMapKeyRef: - name: config-map - key: log-level + name: clair-config-map + key: LOG_LEVEL - name: SQL_ENGINE value: "django.db.backends.postgresql" - name: SQL_HOST @@ -55,15 +55,15 @@ spec: - name: SQL_DATABASE valueFrom: configMapKeyRef: - name: config-map - key: sql-database + name: clair-config-map + key: SQL_DATABASE - name: SQL_USER valueFrom: configMapKeyRef: - name: config-map - key: sql-user + name: clair-config-map + key: SQL_USER - name: SQL_PASSWORD_FILE - value: "/var/secrets/sql-password/sql-password" + value: "/var/secrets/clair-secret/sql-password.txt" # XXX why doesn't this work? # - name: SQL_PASSWORD # valueFrom: 
@@ -75,13 +75,13 @@ spec: - name: DB_MIGRATE valueFrom: configMapKeyRef: - name: config-map - key: managair-db-migrate + name: clair-config-map + key: MANAGAIR_DB_MIGRATE - name: COLLECT_STATIC_FILES valueFrom: configMapKeyRef: - name: config-map - key: managair-collect-static-files + name: clair-config-map + key: MANAGAIR_COLLECT_STATIC_FILES - name: NODE_FIDELITY value: "1" - name: DJANGO_ALLOWED_HOSTS 
@@ -89,69 +89,39 @@ spec: - name: EMAIL_HOST valueFrom: configMapKeyRef: - name: config-map - key: email-host + name: clair-config-map + key: EMAIL_HOST - name: EMAIL_PORT valueFrom: configMapKeyRef: - name: config-map - key: email-port + name: clair-config-map + key: EMAIL_PORT - name: EMAIL_HOST_USER valueFrom: configMapKeyRef: - name: config-map - key: email-host-user + name: clair-config-map + key: EMAIL_HOST_USER - name: EMAIL_HOST_PASSWORD_FILE - value: "/var/secrets/smtp-password/smtp-password" + value: "/var/secrets/clair-secret/smtp-password.txt" - name: EMAIL_USE_TLS valueFrom: configMapKeyRef: - name: config-map - key: email-use-tls + name: clair-config-map + key: EMAIL_USE_TLS - name: DEFAULT_FROM_EMAIL valueFrom: configMapKeyRef: - name: config-map - key: default-from-email + name: clair-config-map + key: DEFAULT_FROM_EMAIL image: clairberlin/managair:0.6.5 name: managair-server resources: {} volumeMounts: - - mountPath: "/var/secrets/managair-secret-key" - name: managair-secret-key - readOnly: true - - mountPath: "/var/secrets/sentry-url" - name: sentry-url - readOnly: true - - mountPath: "/var/secrets/sql-password" - name: sql-password - readOnly: true - - mountPath: "/var/secrets/smtp-password" - name: smtp-password + - mountPath: "/var/secrets/clair-secret" + name: clair-secret readOnly: true restartPolicy: Always volumes: - - name: managair-secret-key - secret: - items: - - key: managair-secret-key - path: managair-secret-key - secretName: managair-secret-key - - name: sentry-url - secret: - items: - - key: sentry-url - path: sentry-url - secretName: sentry-url - - name: sql-password - secret: - items: - - key: sql-password - path: sql-password - secretName: sql-password - - name: smtp-password + - name: clair-secret secret: - items: - - key: smtp-password - path: smtp-password - secretName: smtp-password + secretName: clair-secret 
diff --git a/k8s/53-clairchen-forwarder-deployment.yaml b/k8s/base/53-clairchen-forwarder-deployment.yaml similarity index 69% rename from k8s/53-clairchen-forwarder-deployment.yaml rename to k8s/base/53-clairchen-forwarder-deployment.yaml index 0033bc6..a91aa91 100644 --- a/k8s/53-clairchen-forwarder-deployment.yaml +++ b/k8s/base/53-clairchen-forwarder-deployment.yaml @@ -23,21 +23,18 @@ spec: - name: CLAIR_MODE value: "clairchen-forward" - name: CLAIR_TTN_ACCESS_KEY_FILE - value: "/var/secrets/clairchen-access-key/clairchen-access-key" + value: "/var/secrets/clair-secret/clairchen-forwarder-access-key.txt" - name: CLAIR_TTN_APP_ID value: "clairberlinproto" image: clairberlin/clairttn:1 name: clairchen-forwarder resources: {} volumeMounts: - - mountPath: "/var/secrets/clairchen-access-key" - name: clairchen-access-key + - mountPath: "/var/secrets/clair-secret" + name: clair-secret readOnly: true restartPolicy: Always volumes: - - name: clairchen-access-key + - name: clair-secret secret: - items: - - key: clairchen-access-key - path: clairchen-access-key - secretName: clairchen-access-key + secretName: clair-secret diff --git a/k8s/63-ers-forwarder-deployment.yaml b/k8s/base/63-ers-forwarder-deployment.yaml similarity index 71% rename from k8s/63-ers-forwarder-deployment.yaml rename to k8s/base/63-ers-forwarder-deployment.yaml index 421d91a..211db0b 100644 --- a/k8s/63-ers-forwarder-deployment.yaml +++ b/k8s/base/63-ers-forwarder-deployment.yaml 
@@ -23,20 +23,18 @@ spec: - name: CLAIR_MODE value: "ers-forward" - name: CLAIR_TTN_ACCESS_KEY_FILE - value: "/var/secrets/ers-access-key/ers-access-key" + value: "/var/secrets/clair-secret/ers-forwarder-access-key.txt" - name: CLAIR_TTN_APP_ID value: "clair-berlin-ers-co2" image: clairberlin/clairttn:1 name: ers-forwarder resources: {} volumeMounts: - - mountPath: "/var/secrets/ers-access-key" - name: ers-access-key + - mountPath: "/var/secrets/clair-secret" + name: clair-secret + readOnly: true restartPolicy: Always volumes: - - name: ers-access-key + - name: clair-secret secret: - items: - - key: ers-access-key - path: ers-access-key - secretName: ers-access-key + secretName: clair-secret diff --git a/k8s/72-static-frontend-service.yaml b/k8s/base/72-static-frontend-service.yaml similarity index 100% rename from k8s/72-static-frontend-service.yaml rename to k8s/base/72-static-frontend-service.yaml diff --git a/k8s/73-static-frontend-deployment.yaml b/k8s/base/73-static-frontend-deployment.yaml similarity index 100% rename from k8s/73-static-frontend-deployment.yaml rename to k8s/base/73-static-frontend-deployment.yaml diff --git a/k8s/99-clair-berlin-ingress.yaml b/k8s/base/99-clair-berlin-ingress.yaml similarity index 100% rename from k8s/99-clair-berlin-ingress.yaml rename to k8s/base/99-clair-berlin-ingress.yaml diff --git a/k8s/base/config.env b/k8s/base/config.env new file mode 100644 index 0000000..93b0dc1 --- /dev/null +++ b/k8s/base/config.env @@ -0,0 +1,24 @@ +CLAIR_DOMAIN=clair-berlin.de + +DEBUG=0 +SENTRY=1 +DEBUG_TOOLBAR=0 + +DJANGO_LOG_LEVEL=WARNING +DJANGO_DB_LOG_LEVEL=WARNING +LOG_LEVEL=WARNING + +MANAGAIR_DB_MIGRATE=true +MANAGAIR_COLLECT_STATIC_FILES=true + +INGESTAIR_DB_MIGRATE=false + +SQL_DATABASE=managairdb_dev +SQL_USER=managair_dev +SQL_PASSWORD=postgres + +EMAIL_HOST=mx2ed5.netcup.net +EMAIL_PORT=587 +EMAIL_HOST_USER=clair-sender@clair-berlin.de +EMAIL_USE_TLS=True +DEFAULT_FROM_EMAIL=kontakt@clair-berlin.de 
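Review bot: `SQL_PASSWORD=postgres` in `k8s/base/config.env` becomes a key of the `clair-config-map` ConfigMap through the `configMapGenerator` in `k8s/base/kustomization.yaml`, so the database password is stored in a non-secret object readable by anyone with `get configmaps` in the namespace, even though the same value is delivered via `secrets/sql-password.txt` and none of the deployments on this page read `SQL_PASSWORD` from the ConfigMap (they use `SQL_PASSWORD_FILE`). Drop the line from `config.env`; `k8s/environments/dev/config.env` (L32) carries the same entry. Separately, `SENTRY`, `DEBUG` and `DEBUG_TOOLBAR` have no consumer among the deployments visible here — the ingestair and managair specs hard-code `SENTRY` and `DEBUG` to `"0"` — so, as far as this page shows, `SENTRY=1` in this file has no effect; a comment such as `# SENTRY/DEBUG/DEBUG_TOOLBAR are not yet wired into the deployments (see 33-/43-*-deployment.yaml)` would keep operators from relying on it until they are.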
diff --git a/k8s/base/kustomization.yaml b/k8s/base/kustomization.yaml
new file mode 100644
index 0000000..cc2d438
--- /dev/null
+++ b/k8s/base/kustomization.yaml
@@ -0,0 +1,34 @@
+resources:
+ - 00-clair-berlin-namespace.yaml
+ - 11-db-pvc.yaml
+ - 12-db-service.yaml
+ - 13-db-deployment.yaml
+ - 22-redis-service.yaml
+ - 23-redis-deployment.yaml
+ - 32-ingestair-service.yaml
+ - 33-ingestair-deployment.yaml
+ - 42-managair-service.yaml
+ - 43-managair-deployment.yaml
+ - 53-clairchen-forwarder-deployment.yaml
+ - 63-ers-forwarder-deployment.yaml
+ - 72-static-frontend-service.yaml
+ - 73-static-frontend-deployment.yaml
+ - 99-clair-berlin-ingress.yaml
+
+configMapGenerator:
+ - name: clair-config-map
+ namespace: clair-berlin
+ envs:
+ - config.env
+
+secretGenerator:
+ - name: clair-secret
+ namespace: clair-berlin
+ files:
+ - secrets/clairchen-forwarder-access-key.txt
+ - secrets/ers-forwarder-access-key.txt
+ - secrets/ingestair-secret-key.txt
+ - secrets/managair-secret-key.txt
+ - secrets/sentry-url.txt
+ - secrets/smtp-password.txt
+ - secrets/sql-password.txt
diff --git a/k8s/base/secrets/clairchen-forwarder-access-key.txt b/k8s/base/secrets/clairchen-forwarder-access-key.txt
new file mode 100644
index 0000000..1333ed7
--- /dev/null
+++ b/k8s/base/secrets/clairchen-forwarder-access-key.txt
@@ -0,0 +1 @@
+TODO
diff --git a/k8s/base/secrets/ers-forwarder-access-key.txt b/k8s/base/secrets/ers-forwarder-access-key.txt
new file mode 100644
index 0000000..1333ed7
--- /dev/null
+++ b/k8s/base/secrets/ers-forwarder-access-key.txt
@@ -0,0 +1 @@
+TODO
diff --git a/k8s/base/secrets/ingestair-secret-key.txt b/k8s/base/secrets/ingestair-secret-key.txt
new file mode 100644
index 0000000..1333ed7
--- /dev/null
+++ b/k8s/base/secrets/ingestair-secret-key.txt
@@ -0,0 +1 @@
+TODO
diff --git a/k8s/base/secrets/managair-secret-key.txt b/k8s/base/secrets/managair-secret-key.txt
new file mode 100644
index 0000000..1333ed7
--- /dev/null
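Review bot: The seven `TODO` placeholder files under `k8s/base/secrets/` are consumed directly by `secretGenerator`, so applying `k8s/base` on its own produces real Secrets whose values are the literal string `TODO`, and nothing in `kustomization.yaml` signals that the base is not meant to be deployed without an overlay. A comment above `secretGenerator:` such as `# Placeholder values only: deploy through an overlay (see README) that replaces every file below` would put that intent where an operator looks. The workflow documented in patch 03 (L29) copies `base/secrets` into a per-environment directory under `k8s/environments/`, which means real credentials will sit in the working tree; unless one already exists outside this page, a `.gitignore` rule covering those copied `secrets/` directories is needed to keep them out of the repository.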
+++ b/k8s/base/secrets/managair-secret-key.txt
@@ -0,0 +1 @@
+TODO
diff --git a/k8s/base/secrets/sentry-url.txt b/k8s/base/secrets/sentry-url.txt
new file mode 100644
index 0000000..1333ed7
--- /dev/null
+++ b/k8s/base/secrets/sentry-url.txt
@@ -0,0 +1 @@
+TODO
diff --git a/k8s/base/secrets/smtp-password.txt b/k8s/base/secrets/smtp-password.txt
new file mode 100644
index 0000000..1333ed7
--- /dev/null
+++ b/k8s/base/secrets/smtp-password.txt
@@ -0,0 +1 @@
+TODO
diff --git a/k8s/base/secrets/sql-password.txt b/k8s/base/secrets/sql-password.txt
new file mode 100644
index 0000000..1333ed7
--- /dev/null
+++ b/k8s/base/secrets/sql-password.txt
@@ -0,0 +1 @@
+TODO
From f4aec4217f499c08ebac4e2a946e74a927e88695 Mon Sep 17 00:00:00 2001
From: Jan Weil
Date: Sat, 17 Jul 2021 20:32:34 +0200
Subject: [PATCH 03/23] Add first README draft
---
k8s/README.md | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 k8s/README.md
diff --git a/k8s/README.md b/k8s/README.md
new file mode 100644
index 0000000..e685aa4
--- /dev/null
+++ b/k8s/README.md
@@ -0,0 +1,29 @@ +# Kubernetes Deployment + +This directory contains Kubernetes manifest files to deploy the Clair Berlin stack to a Kubernetes cluster. + +## Environment and Configuration Management + +We use [Kustomize](https://kustomize.io/) to configure the stack for different environments. An environment's configuration consists of a set of environment variables used to generate a config map called `clair-config-map` and a set of password files used go generate a secret called `clair-secret`. + +You can use the following shell script to generate the skeleton of a new environment (set ENV_NAME accordingly): + +```shell +ENV_NAME=staging +ENV_DIR=environmemnts/$ENV_NAME +mkdir -p $ENV_DIR +cp -R base/config.env base/secrets $ENV_DIR +``` + +After that, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration. + +To deploy an environment do the following: + +1) activate the target cluster's context using +```shell +kubectl config use-context $STAGING_CONTEXT +``` +2) apply the kustomized manifest files +```shell +kubectly apply -k $ENV_DIR +``` From 7be663d23a8d4c45a500c038b3cfc8e82ac2befb Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Sat, 17 Jul 2021 20:38:24 +0200 Subject: [PATCH 04/23] Add link to Kustomize overlay docs --- k8s/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/k8s/README.md b/k8s/README.md index e685aa4..ba15856 100644 --- a/k8s/README.md +++ b/k8s/README.md 
@@ -1,10 +1,10 @@ # Kubernetes Deployment -This directory contains Kubernetes manifest files to deploy the Clair Berlin stack to a Kubernetes cluster. +The `base` directory contains Kubernetes manifest files to deploy the Clair Berlin stack to a Kubernetes cluster. ## Environment and Configuration Management -We use [Kustomize](https://kustomize.io/) to configure the stack for different environments. An environment's configuration consists of a set of environment variables used to generate a config map called `clair-config-map` and a set of password files used go generate a secret called `clair-secret`. +We use [Kustomize](https://kustomize.io/) to configure the stack for different environments. An environment's configuration consists of a set of environment variables used to generate a config map called `clair-config-map` and a set of password files used to generate a secret called `clair-secret`. The secret files in `base/secrets` do not contain any real passwords. You will have to create a [Kustomize overlay](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/#bases-and-overlays) to override them. You can use the following shell script to generate the skeleton of a new environment (set ENV_NAME accordingly): @@ -16,6 +16,7 @@ cp -R base/config.env base/secrets $ENV_DIR ``` After that, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration. +## Deployment To deploy an environment do the following: From 2151b8e6e2f9082bd012b13f1cc1a7f6d176106a Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Sat, 17 Jul 2021 20:41:54 +0200 Subject: [PATCH 05/23] Document overlay kustomization file --- k8s/README.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/k8s/README.md b/k8s/README.md index ba15856..68407c5 100644 --- a/k8s/README.md +++ b/k8s/README.md 
@@ -15,7 +15,34 @@ mkdir -p $ENV_DIR cp -R base/config.env base/secrets $ENV_DIR ``` -After that, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration. +After that, create `$ENV_DIR/kustomization.yaml` with the following content: + +```yaml +resources: + - ../../base + +configMapGenerator: + - name: clair-config-map + namespace: clair-berlin + behavior: replace + envs: + - config.env + +secretGenerator: + - name: clair-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/clairchen-forwarder-access-key.txt + - secrets/ers-forwarder-access-key.txt + - secrets/ingestair-secret-key.txt + - secrets/managair-secret-key.txt + - secrets/sentry-url.txt + - secrets/smtp-password.txt + - secrets/sql-password.txt +``` + +Finally, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration. ## Deployment To deploy an environment do the following: From 120b2bf4163b378f403b7f3cefd6a6849637be5e Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Sat, 17 Jul 2021 20:45:16 +0200 Subject: [PATCH 06/23] Add dev config --- k8s/README.md | 2 +- k8s/environments/dev/config.env | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 k8s/environments/dev/config.env diff --git a/k8s/README.md b/k8s/README.md index 68407c5..456d5d8 100644 --- a/k8s/README.md +++ b/k8s/README.md @@ -49,7 +49,7 @@ To deploy an environment do the following: 1) activate the target cluster's context using ```shell -kubectl config use-context $STAGING_CONTEXT +kubectl config use-context $ENV_CONTEXT ``` 2) apply the kustomized manifest files ```shell diff --git a/k8s/environments/dev/config.env b/k8s/environments/dev/config.env new file mode 100644 index 0000000..aa4ab48 --- /dev/null +++ b/k8s/environments/dev/config.env 
@@ -0,0 +1,24 @@
+CLAIR_DOMAIN=localhost
+
+DEBUG=1
+SENTRY=0
+DEBUG_TOOLBAR=1
+
+DJANGO_LOG_LEVEL=DEBUG
+DJANGO_DB_LOG_LEVEL=DEBUG
+LOG_LEVEL=DEBUG
+
+MANAGAIR_DB_MIGRATE=true
+MANAGAIR_COLLECT_STATIC_FILES=true
+
+INGESTAIR_DB_MIGRATE=false
+
+SQL_DATABASE=managairdb_dev
+SQL_USER=managair_dev
+SQL_PASSWORD=postgres
+
+EMAIL_HOST=mx2ed5.netcup.net
+EMAIL_PORT=587
+EMAIL_HOST_USER=clair-sender@clair-berlin.de
+EMAIL_USE_TLS=True
+DEFAULT_FROM_EMAIL=kontakt@clair-berlin.de
From 71a33ade89e2c97bf820a5448224501d81941c21 Mon Sep 17 00:00:00 2001
From: Jan Weil
Date: Sat, 17 Jul 2021 20:54:32 +0200
Subject: [PATCH 07/23] Add dev env kustomization file
---
k8s/environments/dev/kustomization.yaml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 k8s/environments/dev/kustomization.yaml
diff --git a/k8s/environments/dev/kustomization.yaml b/k8s/environments/dev/kustomization.yaml
new file mode 100644
index 0000000..f2e5be3
--- /dev/null
+++ b/k8s/environments/dev/kustomization.yaml
@@ -0,0 +1,22 @@
+resources:
+ - ../../base
+
+configMapGenerator:
+ - name: clair-config-map
+ namespace: clair-berlin
+ behavior: replace
+ envs:
+ - config.env
+
+secretGenerator:
+ - name: clair-secret
+ namespace: clair-berlin
+ behavior: replace
+ files:
+ - secrets/clairchen-forwarder-access-key.txt
+ - secrets/ers-forwarder-access-key.txt
+ - secrets/ingestair-secret-key.txt
+ - secrets/managair-secret-key.txt
+ - secrets/sentry-url.txt
+ - secrets/smtp-password.txt
+ - secrets/sql-password.txt
From 2a47c3c03e3cb53a0ca76d344b34eb57fd55b7e1 Mon Sep 17 00:00:00 2001
From: Jan Weil Date: Sat, 17 Jul 2021 21:14:57 +0200 Subject: [PATCH 08/23] Divide clair-secret into service-specific secrets --- k8s/README.md | 29 ++++++++++++++---- k8s/base/13-db-deployment.yaml | 2 +- k8s/base/33-ingestair-deployment.yaml | 16 +++++----- k8s/base/43-managair-deployment.yaml | 16 +++++----- .../53-clairchen-forwarder-deployment.yaml | 10 +++---- k8s/base/63-ers-forwarder-deployment.yaml | 10 +++---- k8s/base/kustomization.yaml | 26 +++++++++++++--- k8s/environments/dev/kustomization.yaml | 30 ++++++++++++++++--- 8 files changed, 99 insertions(+), 40 deletions(-) diff --git a/k8s/README.md b/k8s/README.md index 456d5d8..ee0dec7 100644 --- a/k8s/README.md +++ b/k8s/README.md @@ -29,18 +29,37 @@ configMapGenerator: - config.env secretGenerator: - - name: clair-secret + - name: db-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/sql-password.txt + - name: managair-secret namespace: clair-berlin behavior: replace files: - - secrets/clairchen-forwarder-access-key.txt - - secrets/ers-forwarder-access-key.txt - - secrets/ingestair-secret-key.txt - secrets/managair-secret-key.txt + - secrets/sql-password.txt - secrets/sentry-url.txt - secrets/smtp-password.txt + - name: ingestair-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/ingestair-secret-key.txt - secrets/sql-password.txt -``` + - secrets/smtp-password.txt + - name: clairchen-forwarder-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/clairchen-forwarder-access-key.txt + - name: ers-forwarder-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/ers-forwarder-access-key.txt + ``` Finally, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration. ## Deployment diff --git a/k8s/base/13-db-deployment.yaml b/k8s/base/13-db-deployment.yaml index ffd40dd..4bbbc40 100644 --- a/k8s/base/13-db-deployment.yaml +++ b/k8s/base/13-db-deployment.yaml 
@@ -27,7 +27,7 @@ spec: - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: - name: clair-secret + name: db-secret key: sql-password.txt - name: POSTGRES_USER valueFrom: diff --git a/k8s/base/33-ingestair-deployment.yaml b/k8s/base/33-ingestair-deployment.yaml index 9f7bd95..fc0499d 100644 --- a/k8s/base/33-ingestair-deployment.yaml +++ b/k8s/base/33-ingestair-deployment.yaml @@ -25,11 +25,11 @@ spec: - 0.0.0.0:8888 env: - name: SECRET_KEY_FILE - value: "/var/secrets/clair-secret/ingestair-secret-key.txt" + value: "/var/secrets/ingestair-secret/ingestair-secret-key.txt" - name: SENTRY value: "0" - name: SENTRY_URL_FILE - value: "/var/secrets/clair-secret/sentry-url.txt" + value: "/var/secrets/ingestair-secret/sentry-url.txt" - name: DEBUG value: "0" - name: DJANGO_LOG_LEVEL @@ -64,7 +64,7 @@ spec: name: clair-config-map key: SQL_USER - name: SQL_PASSWORD_FILE - value: "/var/secrets/clair-secret/sql-password.txt" + value: "/var/secrets/ingestair-secret/sql-password.txt" # XXX why doesn't this work? # - name: SQL_PASSWORD # valueFrom: @@ -100,7 +100,7 @@ spec: name: clair-config-map key: EMAIL_HOST_USER - name: EMAIL_HOST_PASSWORD_FILE - value: "/var/secrets/clair-secret/smtp-password.txt" + value: "/var/secrets/ingestair-secret/smtp-password.txt" - name: EMAIL_USE_TLS valueFrom: configMapKeyRef: @@ -115,11 +115,11 @@ spec: name: ingestair-server resources: {} volumeMounts: - - mountPath: "/var/secrets/clair-secret" - name: clair-secret + - mountPath: "/var/secrets/ingestair-secret" + name: ingestair-secret readOnly: true restartPolicy: Always volumes: - - name: clair-secret + - name: ingestair-secret secret: - secretName: clair-secret + secretName: ingestair-secret diff --git a/k8s/base/43-managair-deployment.yaml b/k8s/base/43-managair-deployment.yaml index 9568547..cccccc1 100644 --- a/k8s/base/43-managair-deployment.yaml +++ b/k8s/base/43-managair-deployment.yaml 
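Review bot: `SENTRY_URL_FILE` in `33-ingestair-deployment.yaml` now points to `/var/secrets/ingestair-secret/sentry-url.txt`, but the `ingestair-secret` generated in `k8s/base/kustomization.yaml` (L37) and in `k8s/environments/dev/kustomization.yaml` (L38) lists only `ingestair-secret-key.txt`, `smtp-password.txt` and `sql-password.txt`, so that path will not exist in the mounted volume. The deployment hard-codes `SENTRY` to `"0"`, which is presumably why this has gone unnoticed; it will surface the moment Sentry is switched on for ingestair. Either add `- secrets/sentry-url.txt` to the `ingestair-secret` entry in both generators or remove the `SENTRY_URL_FILE` entry from this deployment.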
@@ -24,11 +24,11 @@ spec: - 0.0.0.0:8888 env: - name: SECRET_KEY_FILE - value: "/var/secrets/clair-secret/managair-secret-key.txt" + value: "/var/secrets/managair-secret/managair-secret-key.txt" - name: SENTRY value: "0" - name: SENTRY_URL_FILE - value: "/var/secrets/clair-secret/sentry-url.txt" + value: "/var/secrets/managair-secret/sentry-url.txt" - name: DEBUG value: "0" - name: DJANGO_LOG_LEVEL @@ -63,7 +63,7 @@ spec: name: clair-config-map key: SQL_USER - name: SQL_PASSWORD_FILE - value: "/var/secrets/clair-secret/sql-password.txt" + value: "/var/secrets/managair-secret/sql-password.txt" # XXX why doesn't this work? # - name: SQL_PASSWORD # valueFrom: @@ -102,7 +102,7 @@ spec: name: clair-config-map key: EMAIL_HOST_USER - name: EMAIL_HOST_PASSWORD_FILE - value: "/var/secrets/clair-secret/smtp-password.txt" + value: "/var/secrets/managair-secret/smtp-password.txt" - name: EMAIL_USE_TLS valueFrom: configMapKeyRef: @@ -117,11 +117,11 @@ spec: name: managair-server resources: {} volumeMounts: - - mountPath: "/var/secrets/clair-secret" - name: clair-secret + - mountPath: "/var/secrets/managair-secret" + name: managair-secret readOnly: true restartPolicy: Always volumes: - - name: clair-secret + - name: managair-secret secret: - secretName: clair-secret + secretName: managair-secret diff --git a/k8s/base/53-clairchen-forwarder-deployment.yaml b/k8s/base/53-clairchen-forwarder-deployment.yaml index a91aa91..7efea68 100644 --- a/k8s/base/53-clairchen-forwarder-deployment.yaml +++ b/k8s/base/53-clairchen-forwarder-deployment.yaml 
@@ -23,18 +23,18 @@ spec: - name: CLAIR_MODE value: "clairchen-forward" - name: CLAIR_TTN_ACCESS_KEY_FILE - value: "/var/secrets/clair-secret/clairchen-forwarder-access-key.txt" + value: "/var/secrets/clairchen-forwarder-secret/clairchen-forwarder-access-key.txt" - name: CLAIR_TTN_APP_ID value: "clairberlinproto" image: clairberlin/clairttn:1 name: clairchen-forwarder resources: {} volumeMounts: - - mountPath: "/var/secrets/clair-secret" - name: clair-secret + - mountPath: "/var/secrets/clairchen-forwarder-secret" + name: clairchen-forwarder-secret readOnly: true restartPolicy: Always volumes: - - name: clair-secret + - name: clairchen-forwarder-secret secret: - secretName: clair-secret + secretName: clairchen-forwarder-secret diff --git a/k8s/base/63-ers-forwarder-deployment.yaml b/k8s/base/63-ers-forwarder-deployment.yaml index 211db0b..5c4b2a5 100644 --- a/k8s/base/63-ers-forwarder-deployment.yaml +++ b/k8s/base/63-ers-forwarder-deployment.yaml @@ -23,18 +23,18 @@ spec: - name: CLAIR_MODE value: "ers-forward" - name: CLAIR_TTN_ACCESS_KEY_FILE - value: "/var/secrets/clair-secret/ers-forwarder-access-key.txt" + value: "/var/secrets/ers-forwarder-secret/ers-forwarder-access-key.txt" - name: CLAIR_TTN_APP_ID value: "clair-berlin-ers-co2" image: clairberlin/clairttn:1 name: ers-forwarder resources: {} volumeMounts: - - mountPath: "/var/secrets/clair-secret" - name: clair-secret + - mountPath: "/var/secrets/ers-forwarder-secret" + name: ers-forwarder-secret readOnly: true restartPolicy: Always volumes: - - name: clair-secret + - name: ers-forwarder-secret secret: - secretName: clair-secret + secretName: ers-forwarder-secret diff --git a/k8s/base/kustomization.yaml b/k8s/base/kustomization.yaml index cc2d438..a8c4ac3 100644 --- a/k8s/base/kustomization.yaml +++ b/k8s/base/kustomization.yaml 
@@ -22,13 +22,31 @@ configMapGenerator: - config.env secretGenerator: - - name: clair-secret + - name: db-secret + namespace: clair-berlin + files: + - secrets/sql-password.txt + - name: managair-secret namespace: clair-berlin files: - - secrets/clairchen-forwarder-access-key.txt - - secrets/ers-forwarder-access-key.txt - - secrets/ingestair-secret-key.txt - secrets/managair-secret-key.txt + - secrets/sql-password.txt - secrets/sentry-url.txt - secrets/smtp-password.txt + - name: ingestair-secret + namespace: clair-berlin + files: + - secrets/ingestair-secret-key.txt + - secrets/smtp-password.txt - secrets/sql-password.txt + - name: clairchen-forwarder-secret + namespace: clair-berlin + files: + - secrets/clairchen-forwarder-access-key.txt + - name: ers-forwarder-secret + namespace: clair-berlin + files: + - secrets/ers-forwarder-access-key.txt + + + diff --git a/k8s/environments/dev/kustomization.yaml b/k8s/environments/dev/kustomization.yaml index f2e5be3..cff3792 100644 --- a/k8s/environments/dev/kustomization.yaml +++ b/k8s/environments/dev/kustomization.yaml 
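Review bot: Three empty added lines trail the `ers-forwarder-secret` entry at the end of `k8s/base/kustomization.yaml`, and the dev overlay hunk (L38) adds the same trailing blanks while also ending without a final newline (`\ No newline at end of file`); trim both so each file ends with exactly one newline. Since `sql-password.txt` now feeds three Secrets and `smtp-password.txt` two, a short comment above `secretGenerator:`, e.g. `# one Secret per workload; a file listed under several entries is deliberately shared and must be changed in one place`, would explain the duplication to the next reader.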
@@ -9,14 +9,36 @@ configMapGenerator: - config.env secretGenerator: - - name: clair-secret + - name: db-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/sql-password.txt + - name: managair-secret namespace: clair-berlin behavior: replace files: - - secrets/clairchen-forwarder-access-key.txt - - secrets/ers-forwarder-access-key.txt - - secrets/ingestair-secret-key.txt - secrets/managair-secret-key.txt + - secrets/sql-password.txt - secrets/sentry-url.txt - secrets/smtp-password.txt + - name: ingestair-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/ingestair-secret-key.txt - secrets/sql-password.txt + - secrets/smtp-password.txt + - name: clairchen-forwarder-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/clairchen-forwarder-access-key.txt + - name: ers-forwarder-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/ers-forwarder-access-key.txt + + + \ No newline at end of file From 76efd25ae307b67dc859571c4168ce49811baf86 Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Sat, 17 Jul 2021 21:18:39 +0200 Subject: [PATCH 09/23] Document service-specific secrets --- k8s/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s/README.md b/k8s/README.md index ee0dec7..6534c33 100644 --- a/k8s/README.md +++ b/k8s/README.md 
@@ -4,7 +4,7 @@ The `base` directory contains Kubernetes manifest files to deploy the Clair Berl ## Environment and Configuration Management -We use [Kustomize](https://kustomize.io/) to configure the stack for different environments. An environment's configuration consists of a set of environment variables used to generate a config map called `clair-config-map` and a set of password files used to generate a secret called `clair-secret`. The secret files in `base/secrets` do not contain any real passwords. You will have to create a [Kustomize overlay](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/#bases-and-overlays) to override them. +We use [Kustomize](https://kustomize.io/) to configure the stack for different environments. An environment's configuration consists of a set of environment variables used to generate a config map called `clair-config-map` and a set of password files used to generate service-specific secrets. The secret files in `base/secrets` do not contain any real passwords. You will have to create a [Kustomize overlay](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/#bases-and-overlays) to override them. You can use the following shell script to generate the skeleton of a new environment (set ENV_NAME accordingly): @@ -15,7 +15,7 @@ mkdir -p $ENV_DIR cp -R base/config.env base/secrets $ENV_DIR ``` -After that, create `$ENV_DIR/kustomization.yaml` with the following content: +After that, create `$ENV_DIR/kustomization.yaml` with the following content (or copy `environments/dev/kustomization.yaml`): ```yaml resources: From 21cbaa25e3153b6c1dac7bf54cbef69c405bda39 Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Sat, 17 Jul 2021 21:24:05 +0200 Subject: [PATCH 10/23] Avoid explicit doc of env/kustomization.yaml --- k8s/README.md | 52 +++------------------------------------------------ 1 file changed, 3 insertions(+), 49 deletions(-) 
diff --git a/k8s/README.md b/k8s/README.md index 6534c33..f3368b1 100644 --- a/k8s/README.md +++ b/k8s/README.md @@ -9,59 +9,13 @@ We use [Kustomize](https://kustomize.io/) to configure the stack for different e You can use the following shell script to generate the skeleton of a new environment (set ENV_NAME accordingly): ```shell -ENV_NAME=staging +ENV_NAME=my-env ENV_DIR=environmemnts/$ENV_NAME mkdir -p $ENV_DIR -cp -R base/config.env base/secrets $ENV_DIR +cp -R base/config.env base/secrets environments/dev/kustomization.yaml $ENV_DIR ``` -After that, create `$ENV_DIR/kustomization.yaml` with the following content (or copy `environments/dev/kustomization.yaml`): - -```yaml -resources: - - ../../base - -configMapGenerator: - - name: clair-config-map - namespace: clair-berlin - behavior: replace - envs: - - config.env - -secretGenerator: - - name: db-secret - namespace: clair-berlin - behavior: replace - files: - - secrets/sql-password.txt - - name: managair-secret - namespace: clair-berlin - behavior: replace - files: - - secrets/managair-secret-key.txt - - secrets/sql-password.txt - - secrets/sentry-url.txt - - secrets/smtp-password.txt - - name: ingestair-secret - namespace: clair-berlin - behavior: replace - files: - - secrets/ingestair-secret-key.txt - - secrets/sql-password.txt - - secrets/smtp-password.txt - - name: clairchen-forwarder-secret - namespace: clair-berlin - behavior: replace - files: - - secrets/clairchen-forwarder-access-key.txt - - name: ers-forwarder-secret - namespace: clair-berlin - behavior: replace - files: - - secrets/ers-forwarder-access-key.txt - ``` - -Finally, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration. +After that, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration. ## Deployment To deploy an environment do the following: From 36acd066997f4423b8b7a3b1537fa8b2d8c86b87 Mon Sep 17 00:00:00 2001 
From: Jan Weil Date: Mon, 19 Jul 2021 20:16:14 +0200 Subject: [PATCH 11/23] Add $CLAIR_DOMAIN to Django's ALLOWED_HOSTS --- k8s/base/33-ingestair-deployment.yaml | 2 +- k8s/base/43-managair-deployment.yaml | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/k8s/base/33-ingestair-deployment.yaml b/k8s/base/33-ingestair-deployment.yaml index fc0499d..e2d8d02 100644 --- a/k8s/base/33-ingestair-deployment.yaml +++ b/k8s/base/33-ingestair-deployment.yaml @@ -83,7 +83,7 @@ spec: - name: NODE_FIDELITY value: "1" - name: DJANGO_ALLOWED_HOSTS - value: "ingestair localhost 127.0.0.1 [::1]" + value: " ingestair localhost 127.0.0.1 [::1]" - name: EMAIL_HOST valueFrom: configMapKeyRef: diff --git a/k8s/base/43-managair-deployment.yaml b/k8s/base/43-managair-deployment.yaml index cccccc1..eee56bc 100644 --- a/k8s/base/43-managair-deployment.yaml +++ b/k8s/base/43-managair-deployment.yaml @@ -84,8 +84,13 @@ spec: key: MANAGAIR_COLLECT_STATIC_FILES - name: NODE_FIDELITY value: "1" + - name: CLAIR_DOMAIN + valueFrom: + configMapKeyRef: + name: clair-config-map + key: CLAIR_DOMAIN - name: DJANGO_ALLOWED_HOSTS - value: " localhost 127.0.0.1 [::1]" + value: " $(CLAIR_DOMAIN) localhost 127.0.0.1 [::1]" - name: EMAIL_HOST valueFrom: configMapKeyRef: From ff0eb07e6b99cafc40702747070d86ce9ab18efb Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Tue, 28 Sep 2021 14:25:54 +0200 Subject: [PATCH 12/23] Fix typo --- k8s/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/k8s/README.md b/k8s/README.md index f3368b1..bca4190 100644 --- a/k8s/README.md +++ b/k8s/README.md 
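Review bot: The `33-ingestair-deployment.yaml` hunk only prepends a space to `DJANGO_ALLOWED_HOSTS` (`" ingestair localhost 127.0.0.1 [::1]"`) and does not add `$(CLAIR_DOMAIN)`, so the commit subject is fulfilled for managair alone. If ingestair is not meant to answer for the public domain, the whitespace-only edit is noise and should be reverted; if it is, it needs the same `CLAIR_DOMAIN` env entry followed by `value: " $(CLAIR_DOMAIN) ingestair localhost 127.0.0.1 [::1]"`. In the managair hunk the `$(CLAIR_DOMAIN)` reference works only because `CLAIR_DOMAIN` is declared earlier in the same `env` list — Kubernetes expands `$(VAR)` against preceding entries and otherwise leaves the text literally — so a comment above it, `# keep below CLAIR_DOMAIN: $(VAR) expansion only sees earlier env entries`, would protect against a future reorder. Depending on how the application splits the value, the leading space may also produce an empty host entry; worth confirming it is ignored rather than treated as a host.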
@@ -16,15 +16,19 @@ cp -R base/config.env base/secrets environments/dev/kustomization.yaml $ENV_DIR ``` After that, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration. + ## Deployment To deploy an environment do the following: 1) activate the target cluster's context using + ```shell kubectl config use-context $ENV_CONTEXT ``` + 2) apply the kustomized manifest files + ```shell -kubectly apply -k $ENV_DIR +kubectl apply -k $ENV_DIR ``` From 915a6b836915603abcb7ac2a75cdff9ad6b11857 Mon Sep 17 00:00:00 2001 
From: Jan Weil Date: Tue, 28 Sep 2021 15:29:18 +0200 Subject: [PATCH 13/23] Add v3 forwarders - upgrade clair-ttn to v5 - rename existing forwarders to forwarder-v2 - add CLAIR_TTN_STACK environment variable - add v3 forwarder deployments - add missing secret templates - adapt kustomization --- ...53-clairchen-forwarder-v2-deployment.yaml} | 24 ++++++----- ...ml => 54-ers-forwarder-v2-deployment.yaml} | 24 ++++++----- .../55-clairchen-forwarder-v3-deployment.yaml | 42 +++++++++++++++++++ k8s/base/56-ers-forwarder-v3-deployment.yaml | 42 +++++++++++++++++++ k8s/base/kustomization.yaml | 25 +++++++---- ... => clairchen-forwarder-v2-access-key.txt} | 0 ... => clairchen-forwarder-v3-access-key.txt} | 0 .../secrets/ers-forwarder-v2-access-key.txt | 1 + .../secrets/ers-forwarder-v3-access-key.txt | 1 + k8s/environments/dev/kustomization.yaml | 21 ++++++---- 10 files changed, 142 insertions(+), 38 deletions(-) rename k8s/base/{53-clairchen-forwarder-deployment.yaml => 53-clairchen-forwarder-v2-deployment.yaml} (52%) rename k8s/base/{63-ers-forwarder-deployment.yaml => 54-ers-forwarder-v2-deployment.yaml} (54%) create mode 100644 k8s/base/55-clairchen-forwarder-v3-deployment.yaml create mode 100644 k8s/base/56-ers-forwarder-v3-deployment.yaml rename k8s/base/secrets/{clairchen-forwarder-access-key.txt => clairchen-forwarder-v2-access-key.txt} (100%) rename k8s/base/secrets/{ers-forwarder-access-key.txt => clairchen-forwarder-v3-access-key.txt} (100%) create mode 100644 k8s/base/secrets/ers-forwarder-v2-access-key.txt create mode 100644 k8s/base/secrets/ers-forwarder-v3-access-key.txt diff --git a/k8s/base/53-clairchen-forwarder-deployment.yaml b/k8s/base/53-clairchen-forwarder-v2-deployment.yaml similarity index 52% rename from k8s/base/53-clairchen-forwarder-deployment.yaml rename to k8s/base/53-clairchen-forwarder-v2-deployment.yaml index 7efea68..a5a88be 100644 --- a/k8s/base/53-clairchen-forwarder-deployment.yaml +++ b/k8s/base/53-clairchen-forwarder-v2-deployment.yaml 
@@ -2,19 +2,19 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - app: clairchen-forwarder - name: clairchen-forwarder + app: clairchen-forwarder-v2 + name: clairchen-forwarder-v2 namespace: clair-berlin spec: replicas: 1 selector: matchLabels: - app: clairchen-forwarder + app: clairchen-forwarder-v2 strategy: {} template: metadata: labels: - app: clairchen-forwarder + app: clairchen-forwarder-v2 spec: containers: - env: @@ -23,18 +23,20 @@ spec: - name: CLAIR_MODE value: "clairchen-forward" - name: CLAIR_TTN_ACCESS_KEY_FILE - value: "/var/secrets/clairchen-forwarder-secret/clairchen-forwarder-access-key.txt" + value: "/var/secrets/clairchen-forwarder-v2-secret/clairchen-forwarder-v2-access-key.txt" - name: CLAIR_TTN_APP_ID value: "clairberlinproto" - image: clairberlin/clairttn:1 - name: clairchen-forwarder + - name: CLAIR_TTN_STACK + value: "ttn-v2" + image: clairberlin/clairttn:5 + name: clairchen-forwarder-v2 resources: {} volumeMounts: - - mountPath: "/var/secrets/clairchen-forwarder-secret" - name: clairchen-forwarder-secret + - mountPath: "/var/secrets/clairchen-forwarder-v2-secret" + name: clairchen-forwarder-v2-secret readOnly: true restartPolicy: Always volumes: - - name: clairchen-forwarder-secret + - name: clairchen-forwarder-v2-secret secret: - secretName: clairchen-forwarder-secret + secretName: clairchen-forwarder-v2-secret diff --git a/k8s/base/63-ers-forwarder-deployment.yaml b/k8s/base/54-ers-forwarder-v2-deployment.yaml similarity index 54% rename from k8s/base/63-ers-forwarder-deployment.yaml rename to k8s/base/54-ers-forwarder-v2-deployment.yaml index 5c4b2a5..dbd6244 100644 --- a/k8s/base/63-ers-forwarder-deployment.yaml +++ b/k8s/base/54-ers-forwarder-v2-deployment.yaml 
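Review bot: The image is referenced by the mutable tag `clairberlin/clairttn:5` in this hunk and in the 54-, 55- and 56- forwarder deployments below, and `resources: {}` leaves the container without CPU or memory limits. For a long-running forwarder that holds a TTN access key, pinning the image by digest (`clairberlin/clairttn:5@sha256:<digest>`) makes the deployed code reproducible and immune to a re-tagged image, and a small `resources.limits` block plus a `securityContext` with `runAsNonRoot: true` and `readOnlyRootFilesystem: true` bounds what a compromised forwarder can do. Whether the image runs as non-root cannot be seen here, so verify that before adding the context. The same applies to the two new v3 deployments introduced in this commit.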
@@ -2,19 +2,19 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - app: ers-forwarder - name: ers-forwarder + app: ers-forwarder-v2 + name: ers-forwarder-v2 namespace: clair-berlin spec: replicas: 1 selector: matchLabels: - app: ers-forwarder + app: ers-forwarder-v2 strategy: {} template: metadata: labels: - app: ers-forwarder + app: ers-forwarder-v2 spec: containers: - env: @@ -23,18 +23,20 @@ spec: - name: CLAIR_MODE value: "ers-forward" - name: CLAIR_TTN_ACCESS_KEY_FILE - value: "/var/secrets/ers-forwarder-secret/ers-forwarder-access-key.txt" + value: "/var/secrets/ers-forwarder-v2-secret/ers-forwarder-v2-access-key.txt" - name: CLAIR_TTN_APP_ID value: "clair-berlin-ers-co2" - image: clairberlin/clairttn:1 - name: ers-forwarder + - name: CLAIR_TTN_STACK + value: "ttn-v2" + image: clairberlin/clairttn:5 + name: ers-forwarder-v2 resources: {} volumeMounts: - - mountPath: "/var/secrets/ers-forwarder-secret" - name: ers-forwarder-secret + - mountPath: "/var/secrets/ers-forwarder-v2-secret" + name: ers-forwarder-v2-secret readOnly: true restartPolicy: Always volumes: - - name: ers-forwarder-secret + - name: ers-forwarder-v2-secret secret: - secretName: ers-forwarder-secret + secretName: ers-forwarder-v2-secret diff --git a/k8s/base/55-clairchen-forwarder-v3-deployment.yaml b/k8s/base/55-clairchen-forwarder-v3-deployment.yaml new file mode 100644 index 0000000..705bbd9 --- /dev/null +++ b/k8s/base/55-clairchen-forwarder-v3-deployment.yaml 
@@ -0,0 +1,42 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: clairchen-forwarder-v3 + name: clairchen-forwarder-v3 + namespace: clair-berlin +spec: + replicas: 1 + selector: + matchLabels: + app: clairchen-forwarder-v3 + strategy: {} + template: + metadata: + labels: + app: clairchen-forwarder-v3 + spec: + containers: + - env: + - name: CLAIR_API_ROOT + value: "http://ingestair:8888/ingest/v1/" + - name: CLAIR_MODE + value: "clairchen-forward" + - name: CLAIR_TTN_ACCESS_KEY_FILE + value: "/var/secrets/clairchen-forwarder-v3-secret/clairchen-forwarder-v3-access-key.txt" + - name: CLAIR_TTN_APP_ID + value: "clairchen-test" + - name: CLAIR_TTN_STACK + value: "ttn-v3" + image: clairberlin/clairttn:5 + name: clairchen-forwarder-v3 + resources: {} + volumeMounts: + - mountPath: "/var/secrets/clairchen-forwarder-v3-secret" + name: clairchen-forwarder-v3-secret + readOnly: true + restartPolicy: Always + volumes: + - name: clairchen-forwarder-v3-secret + secret: + secretName: clairchen-forwarder-v3-secret diff --git a/k8s/base/56-ers-forwarder-v3-deployment.yaml b/k8s/base/56-ers-forwarder-v3-deployment.yaml new file mode 100644 index 0000000..56df2bb --- /dev/null +++ b/k8s/base/56-ers-forwarder-v3-deployment.yaml 
@@ -0,0 +1,42 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ers-forwarder-v3 + name: ers-forwarder-v3 + namespace: clair-berlin +spec: + replicas: 1 + selector: + matchLabels: + app: ers-forwarder-v3 + strategy: {} + template: + metadata: + labels: + app: ers-forwarder-v3 + spec: + containers: + - env: + - name: CLAIR_API_ROOT + value: "http://ingestair:8888/ingest/v1/" + - name: CLAIR_MODE + value: "ers-forward" + - name: CLAIR_TTN_ACCESS_KEY_FILE + value: "/var/secrets/ers-forwarder-v3-secret/ers-forwarder-v3-access-key.txt" + - name: CLAIR_TTN_APP_ID + value: "elsys-ers-co2" + - name: CLAIR_TTN_STACK + value: "ttn-v3" + image: clairberlin/clairttn:5 + name: ers-forwarder-v3 + resources: {} + volumeMounts: + - mountPath: "/var/secrets/ers-forwarder-v3-secret" + name: ers-forwarder-v3-secret + readOnly: true + restartPolicy: Always + volumes: + - name: ers-forwarder-v3-secret + secret: + secretName: ers-forwarder-v3-secret diff --git a/k8s/base/kustomization.yaml b/k8s/base/kustomization.yaml index a8c4ac3..20b9072 100644 --- a/k8s/base/kustomization.yaml +++ b/k8s/base/kustomization.yaml @@ -9,8 +9,10 @@ resources: - 33-ingestair-deployment.yaml - 42-managair-service.yaml - 43-managair-deployment.yaml - - 53-clairchen-forwarder-deployment.yaml - - 63-ers-forwarder-deployment.yaml + - 53-clairchen-forwarder-v2-deployment.yaml + - 54-ers-forwarder-v2-deployment.yaml + - 55-clairchen-forwarder-v3-deployment.yaml + - 56-ers-forwarder-v3-deployment.yaml - 72-static-frontend-service.yaml - 73-static-frontend-deployment.yaml - 99-clair-berlin-ingress.yaml 
@@ -39,14 +41,19 @@ secretGenerator: - secrets/ingestair-secret-key.txt - secrets/smtp-password.txt - secrets/sql-password.txt - - name: clairchen-forwarder-secret + - name: clairchen-forwarder-v2-secret namespace: clair-berlin files: - - secrets/clairchen-forwarder-access-key.txt - - name: ers-forwarder-secret + - secrets/clairchen-forwarder-v2-access-key.txt + - name: ers-forwarder-v2-secret namespace: clair-berlin files: - - secrets/ers-forwarder-access-key.txt - - - + - secrets/ers-forwarder-v3-access-key.txt + - name: clairchen-forwarder-v3-secret + namespace: clair-berlin + files: + - secrets/clairchen-forwarder-v3-access-key.txt + - name: ers-forwarder-v3-secret + namespace: clair-berlin + files: + - secrets/ers-forwarder-v3-access-key.txt diff --git a/k8s/base/secrets/clairchen-forwarder-access-key.txt b/k8s/base/secrets/clairchen-forwarder-v2-access-key.txt similarity index 100% rename from k8s/base/secrets/clairchen-forwarder-access-key.txt rename to k8s/base/secrets/clairchen-forwarder-v2-access-key.txt diff --git a/k8s/base/secrets/ers-forwarder-access-key.txt b/k8s/base/secrets/clairchen-forwarder-v3-access-key.txt similarity index 100% rename from k8s/base/secrets/ers-forwarder-access-key.txt rename to k8s/base/secrets/clairchen-forwarder-v3-access-key.txt diff --git a/k8s/base/secrets/ers-forwarder-v2-access-key.txt b/k8s/base/secrets/ers-forwarder-v2-access-key.txt new file mode 100644 index 0000000..1333ed7 --- /dev/null +++ b/k8s/base/secrets/ers-forwarder-v2-access-key.txt @@ -0,0 +1 @@ +TODO diff --git a/k8s/base/secrets/ers-forwarder-v3-access-key.txt b/k8s/base/secrets/ers-forwarder-v3-access-key.txt new file mode 100644 index 0000000..1333ed7 --- /dev/null +++ b/k8s/base/secrets/ers-forwarder-v3-access-key.txt @@ -0,0 +1 @@ +TODO diff --git a/k8s/environments/dev/kustomization.yaml b/k8s/environments/dev/kustomization.yaml index cff3792..c638bcb 100644 --- a/k8s/environments/dev/kustomization.yaml +++ b/k8s/environments/dev/kustomization.yaml 
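Review bot: In the `ers-forwarder-v2-secret` entry the file list now points at `secrets/ers-forwarder-v3-access-key.txt`, so the v2 forwarder would be generated with the v3 key, while the dev overlay in the next hunk uses `secrets/ers-forwarder-v2-access-key.txt`; the base entry should read `- secrets/ers-forwarder-v2-access-key.txt`. The rename headers also show the old `ers-forwarder-access-key.txt` becoming `clairchen-forwarder-v3-access-key.txt` while a fresh `ers-forwarder-v2-access-key.txt` contains only `TODO`, which looks like the ERS key template was carried over to the wrong forwarder; whether the renamed file held a real key or a placeholder cannot be seen here, so check that file's history before merging. Since both new templates contain `TODO`, an overlay that forgets its `behavior: replace` entry would silently deploy a forwarder with a bogus credential, so every overlay should carry all four generator entries as the dev kustomization does.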
@@ -29,16 +29,23 @@ secretGenerator: - secrets/ingestair-secret-key.txt - secrets/sql-password.txt - secrets/smtp-password.txt - - name: clairchen-forwarder-secret + - name: clairchen-forwarder-v2-secret namespace: clair-berlin behavior: replace files: - - secrets/clairchen-forwarder-access-key.txt - - name: ers-forwarder-secret + - secrets/clairchen-forwarder-v2-access-key.txt + - name: ers-forwarder-v2-secret namespace: clair-berlin behavior: replace files: - - secrets/ers-forwarder-access-key.txt - - - \ No newline at end of file + - secrets/ers-forwarder-v2-access-key.txt + - name: clairchen-forwarder-v3-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/clairchen-forwarder-v3-access-key.txt + - name: ers-forwarder-v3-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/ers-forwarder-v3-access-key.txt From 5e4d19807651c58ccd71802d59e3c3187a6d40e3 Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Tue, 28 Sep 2021 21:23:05 +0200 Subject: [PATCH 14/23] Add simple db dump and restore tools for k8s --- tools/k8s-dump-db.sh | 6 ++++++ tools/k8s-restore-db-dump.sh | 27 +++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100755 tools/k8s-dump-db.sh create mode 100755 tools/k8s-restore-db-dump.sh diff --git a/tools/k8s-dump-db.sh b/tools/k8s-dump-db.sh new file mode 100755 index 0000000..f219b30 --- /dev/null +++ b/tools/k8s-dump-db.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env zsh + +DB_POD=$(kubectl --namespace clair-berlin get pod -l app=db -o name) +DB_POD=${DB_POD#pod/} + +kubectl --namespace clair-berlin exec $DB_POD -- pg_dump -U managair_dev managairdb_dev diff --git a/tools/k8s-restore-db-dump.sh b/tools/k8s-restore-db-dump.sh new file mode 100755 index 0000000..f092b60 --- /dev/null +++ b/tools/k8s-restore-db-dump.sh 
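Review bot: `DB_POD` in tools/k8s-dump-db.sh is taken from an unchecked `kubectl get pod -l app=db -o name`, so when no pod matches (or more than one, e.g. during a rollout) the unquoted `exec $DB_POD` runs with an empty or multi-line argument and the failure surfaces only as a confusing kubectl error. Start the script with `set -euo pipefail`, check `[ -n "$DB_POD" ]` before the exec, and quote `"$DB_POD"`. The role and database `managair_dev managairdb_dev` are hard-coded although the overlays elsewhere in this series carry `SQL_USER`/`SQL_DATABASE`; a header comment saying the script targets the dev database only would keep the next operator from running it against another environment.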
@@ -0,0 +1,27 @@
+#!/usr/bin/env zsh
+
+SQL_FILE=$1
+
+if [ -z "$SQL_FILE" -o ! -f $SQL_FILE ]; then
+ echo "file '$SQL_FILE' does not exist"
+ exit 1
+fi
+
+function scale_db_deployments () {
+ echo "scaling db deployments to $1"
+ for deployment in ers-forwarder-v3 ers-forwarder-v2 clairchen-forwarder-v3 clairchen-forwarder-v2 ingestair managair-server; do
+ kubectl --namespace clair-berlin scale deployment $deployment --replicas $1
+ done
+}
+
+scale_db_deployments 0
+
+DB_POD=$(kubectl --namespace clair-berlin get pod -l app=db -o name)
+DB_POD=${DB_POD#pod/}
+
+kubectl --namespace clair-berlin cp $SQL_FILE clair-berlin/$DB_POD:/tmp
+kubectl --namespace clair-berlin exec $DB_POD -- dropdb -U managair_dev managairdb_dev
+kubectl --namespace clair-berlin exec $DB_POD -- createdb -U managair_dev managairdb_dev
+kubectl --namespace clair-berlin exec $DB_POD -- bash -c "psql -U managair_dev managairdb_dev < /tmp/$SQL_FILE"
+
+scale_db_deployments 1
From 3f149a70139e9417ca9462accf0b7ca52fbc7461 Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Tue, 28 Sep 2021 21:38:55 +0200 Subject: [PATCH 15/23] Add liveness probes for clair-ttn forwarders
--- k8s/base/53-clairchen-forwarder-v2-deployment.yaml | 6 ++++++ k8s/base/54-ers-forwarder-v2-deployment.yaml | 6 ++++++ k8s/base/55-clairchen-forwarder-v3-deployment.yaml | 6 ++++++ k8s/base/56-ers-forwarder-v3-deployment.yaml | 6 ++++++ 4 files changed, 24 insertions(+)
diff --git a/k8s/base/53-clairchen-forwarder-v2-deployment.yaml b/k8s/base/53-clairchen-forwarder-v2-deployment.yaml
index a5a88be..de975ab 100644
--- a/k8s/base/53-clairchen-forwarder-v2-deployment.yaml
+++ b/k8s/base/53-clairchen-forwarder-v2-deployment.yaml
@@ -29,6 +29,12 @@ spec:
 - name: CLAIR_TTN_STACK
 value: "ttn-v2"
 image: clairberlin/clairttn:5
+ livenessProbe:
+ exec:
+ command:
+ - /opt/clairttn/healthcheck.sh
+ initialDelaySeconds: 10
+ periodSeconds: 5
 name: clairchen-forwarder-v2
 resources: {}
 volumeMounts:
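Review bot: The restore runs `dropdb` unconditionally after the `cp`, with no `set -e`, so a failed copy (wrong context, no db pod, empty `DB_POD`) still destroys the database and then leaves every consumer scaled to 0 because the script keeps going past the errors. Add `set -euo pipefail`, install a `trap 'scale_db_deployments 1' EXIT` so the deployments come back even when a step fails, check that `DB_POD` is non-empty, and quote `$SQL_FILE` and `$DB_POD` throughout; the `[ -z "$SQL_FILE" -o ! -f $SQL_FILE ]` test also breaks on paths with spaces, and `[ -z "$SQL_FILE" ] || [ ! -f "$SQL_FILE" ]` is the portable form. Scaling back to a fixed `1` rather than the previous replica count deserves a comment as well. The follow-up hunk in the "Fix dump file path" commit keeps this structure, so the same applies there.
```shell
#!/usr/bin/env zsh
set -euo pipefail

# ${1:-} keeps "set -u" from aborting before the usage message below.
SQL_FILE=${1:-}

if [ -z "$SQL_FILE" ] || [ ! -f "$SQL_FILE" ]; then
 echo "file '$SQL_FILE' does not exist"
 exit 1
fi

# … unchanged: scale_db_deployments definition …

# Bring the consumers back even if a step below fails; replaces the
# explicit "scale_db_deployments 1" at the end of the script.
trap 'scale_db_deployments 1' EXIT
scale_db_deployments 0

DB_POD=$(kubectl --namespace clair-berlin get pod -l app=db -o name)
DB_POD=${DB_POD#pod/}
if [ -z "$DB_POD" ]; then
 echo "no db pod found in namespace clair-berlin"
 exit 1
fi

# … unchanged: cp/dropdb/createdb/psql steps, with "$SQL_FILE" and "$DB_POD" quoted …
```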
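Review bot: The exec probe in this hunk sets only `initialDelaySeconds` and `periodSeconds`, so `timeoutSeconds` stays at the default of 1 s and `failureThreshold` at 3; a healthcheck script that talks to TTN or the ingest API can easily exceed 1 s under load, and three slow answers within 15 s would restart a healthy forwarder. Set an explicit `timeoutSeconds` (and `failureThreshold`) sized to what `/opt/clairttn/healthcheck.sh` actually does — the script is not visible here, so measure it — and add a one-line comment above `livenessProbe:` stating what the check verifies. The identical probe block is added to the 54-, 55- and 56- deployments in the following hunks.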
diff --git a/k8s/base/54-ers-forwarder-v2-deployment.yaml b/k8s/base/54-ers-forwarder-v2-deployment.yaml index dbd6244..b0410af 100644 --- a/k8s/base/54-ers-forwarder-v2-deployment.yaml +++ b/k8s/base/54-ers-forwarder-v2-deployment.yaml @@ -29,6 +29,12 @@ spec: - name: CLAIR_TTN_STACK value: "ttn-v2" image: clairberlin/clairttn:5 + livenessProbe: + exec: + command: + - /opt/clairttn/healthcheck.sh + initialDelaySeconds: 10 + periodSeconds: 5 name: ers-forwarder-v2 resources: {} volumeMounts: diff --git a/k8s/base/55-clairchen-forwarder-v3-deployment.yaml b/k8s/base/55-clairchen-forwarder-v3-deployment.yaml index 705bbd9..e2eb881 100644 --- a/k8s/base/55-clairchen-forwarder-v3-deployment.yaml +++ b/k8s/base/55-clairchen-forwarder-v3-deployment.yaml @@ -29,6 +29,12 @@ spec: - name: CLAIR_TTN_STACK value: "ttn-v3" image: clairberlin/clairttn:5 + livenessProbe: + exec: + command: + - /opt/clairttn/healthcheck.sh + initialDelaySeconds: 10 + periodSeconds: 5 name: clairchen-forwarder-v3 resources: {} volumeMounts: diff --git a/k8s/base/56-ers-forwarder-v3-deployment.yaml b/k8s/base/56-ers-forwarder-v3-deployment.yaml index 56df2bb..fe4440e 100644 --- a/k8s/base/56-ers-forwarder-v3-deployment.yaml +++ b/k8s/base/56-ers-forwarder-v3-deployment.yaml @@ -29,6 +29,12 @@ spec: - name: CLAIR_TTN_STACK value: "ttn-v3" image: clairberlin/clairttn:5 + livenessProbe: + exec: + command: + - /opt/clairttn/healthcheck.sh + initialDelaySeconds: 10 + periodSeconds: 5 name: ers-forwarder-v3 resources: {} volumeMounts: From bbfc11601744d30ae5d4ec68e6f046782097ada4 Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Wed, 29 Sep 2021 13:45:31 +0200 Subject: [PATCH 16/23] Make git ignore Apple's Desktop Services Store --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 75f6d4f..372eee1 100644 --- a/.gitignore +++ b/.gitignore @@ -144,3 +144,5 @@ cython_debug/ # Secrets secrets/ !secrets/.keep_me + +.DS_Store 
From 528cb859651381904135e2b1d0ce51cfacb529d6 Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Thu, 30 Sep 2021 11:59:21 +0200 Subject: [PATCH 17/23] Fix dump file path --- tools/k8s-restore-db-dump.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tools/k8s-restore-db-dump.sh b/tools/k8s-restore-db-dump.sh index f092b60..c9eab56 100755 --- a/tools/k8s-restore-db-dump.sh +++ b/tools/k8s-restore-db-dump.sh @@ -1,12 +1,14 @@ #!/usr/bin/env zsh -SQL_FILE=$1 +SQL_PATH=$1 -if [ -z "$SQL_FILE" -o ! -f $SQL_FILE ]; then - echo "file '$SQL_FILE' does not exist" +if [ -z "$SQL_PATH" -o ! -f $SQL_PATH ]; then + echo "file '$SQL_PATH' does not exist" exit 1 fi +SQL_FILE=$(basename $SQL_PATH) + function scale_db_deployments () { echo "scaling db deployments to $1" for deployment in ers-forwarder-v3 ers-forwarder-v2 clairchen-forwarder-v3 clairchen-forwarder-v2 ingestair managair-server; do @@ -19,7 +21,7 @@ scale_db_deployments 0 DB_POD=$(kubectl --namespace clair-berlin get pod -l app=db -o name) DB_POD=${DB_POD#pod/} -kubectl --namespace clair-berlin cp $SQL_FILE clair-berlin/$DB_POD:/tmp +kubectl --namespace clair-berlin cp $SQL_PATH clair-berlin/$DB_POD:/tmp kubectl --namespace clair-berlin exec $DB_POD -- dropdb -U managair_dev managairdb_dev kubectl --namespace clair-berlin exec $DB_POD -- createdb -U managair_dev managairdb_dev kubectl --namespace clair-berlin exec $DB_POD -- bash -c "psql -U managair_dev managairdb_dev < /tmp/$SQL_FILE" From d09016b869a046d1405aacfb233a333b7cbbfdcd Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Thu, 30 Sep 2021 11:59:48 +0200 Subject: [PATCH 18/23] Add IngressClass annotation --- k8s/base/99-clair-berlin-ingress.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/k8s/base/99-clair-berlin-ingress.yaml b/k8s/base/99-clair-berlin-ingress.yaml index 7321b65..ab20c57 100644 --- a/k8s/base/99-clair-berlin-ingress.yaml +++ b/k8s/base/99-clair-berlin-ingress.yaml 
@@ -3,6 +3,8 @@ kind: Ingress metadata: name: ingress namespace: clair-berlin + annotations: + kubernetes.io/ingress.class: "nginx" spec: rules: - http: From a11d02b9683acea15f143ab7936799a4064393da Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Thu, 30 Sep 2021 12:00:00 +0200 Subject: [PATCH 19/23] Document stack deletion --- k8s/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/k8s/README.md b/k8s/README.md index bca4190..f592182 100644 --- a/k8s/README.md +++ b/k8s/README.md @@ -32,3 +32,9 @@ kubectl config use-context $ENV_CONTEXT ```shell kubectl apply -k $ENV_DIR ``` + +To delete the stack call + +```shell +kubectl delete -k $ENV_DIR +``` From d7dfc9926af9c87c7c59b24d5b35a309499b9a08 Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Fri, 8 Oct 2021 08:08:54 +0200 Subject: [PATCH 20/23] Mount partent directory for db k8s was complaining about a lost and found directory. --- k8s/base/13-db-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/base/13-db-deployment.yaml b/k8s/base/13-db-deployment.yaml index 4bbbc40..10a31bd 100644 --- a/k8s/base/13-db-deployment.yaml +++ b/k8s/base/13-db-deployment.yaml @@ -38,7 +38,7 @@ spec: name: db resources: {} volumeMounts: - - mountPath: /var/lib/postgresql/data + - mountPath: /var/lib/postgresql name: db-data restartPolicy: Always volumes: From 3209b98f27b96445078931644514df8eafa1f76b Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Sun, 10 Oct 2021 15:42:44 +0200 Subject: [PATCH 21/23] Upgrade clair-ttn to v6 --- k8s/base/53-clairchen-forwarder-v2-deployment.yaml | 2 +- k8s/base/54-ers-forwarder-v2-deployment.yaml | 2 +- k8s/base/55-clairchen-forwarder-v3-deployment.yaml | 2 +- k8s/base/56-ers-forwarder-v3-deployment.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/k8s/base/53-clairchen-forwarder-v2-deployment.yaml b/k8s/base/53-clairchen-forwarder-v2-deployment.yaml index de975ab..33a4770 100644 --- a/k8s/base/53-clairchen-forwarder-v2-deployment.yaml 
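Review bot: `kubernetes.io/ingress.class` is the deprecated annotation form; for `networking.k8s.io/v1` Ingress objects the supported field is `spec.ingressClassName: nginx`, and controllers may stop honouring the annotation. The base ingress's apiVersion is outside this hunk, so if the target cluster is old enough to still require the annotation, a comment saying so (and which controller it targets) belongs next to it, since the SysEleven overlay later in this series also pins `class: nginx` for the ACME solver and the two must agree.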
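Review bot: Mounting the volume at `/var/lib/postgresql` instead of the data directory is a working answer to the `lost+found` complaint, but the reason lives only in the commit message and the image's default data path `/var/lib/postgresql/data` now sits inside the volume with whatever ownership the volume provides. Add a comment on the `mountPath` line such as `# parent dir is mounted so the volume's lost+found does not sit inside PGDATA` so nobody reverts it; the alternative the official postgres image documents for this case is keeping the mount at the data directory and setting `PGDATA` to a subdirectory such as `/var/lib/postgresql/data/pgdata`. The container's env block is outside this hunk, so I cannot tell which of the two the deployment relies on.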
+++ b/k8s/base/53-clairchen-forwarder-v2-deployment.yaml @@ -28,7 +28,7 @@ spec: value: "clairberlinproto" - name: CLAIR_TTN_STACK value: "ttn-v2" - image: clairberlin/clairttn:5 + image: clairberlin/clairttn:6 livenessProbe: exec: command: diff --git a/k8s/base/54-ers-forwarder-v2-deployment.yaml b/k8s/base/54-ers-forwarder-v2-deployment.yaml index b0410af..bc79319 100644 --- a/k8s/base/54-ers-forwarder-v2-deployment.yaml +++ b/k8s/base/54-ers-forwarder-v2-deployment.yaml @@ -28,7 +28,7 @@ spec: value: "clair-berlin-ers-co2" - name: CLAIR_TTN_STACK value: "ttn-v2" - image: clairberlin/clairttn:5 + image: clairberlin/clairttn:6 livenessProbe: exec: command: diff --git a/k8s/base/55-clairchen-forwarder-v3-deployment.yaml b/k8s/base/55-clairchen-forwarder-v3-deployment.yaml index e2eb881..8be76fa 100644 --- a/k8s/base/55-clairchen-forwarder-v3-deployment.yaml +++ b/k8s/base/55-clairchen-forwarder-v3-deployment.yaml @@ -28,7 +28,7 @@ spec: value: "clairchen-test" - name: CLAIR_TTN_STACK value: "ttn-v3" - image: clairberlin/clairttn:5 + image: clairberlin/clairttn:6 livenessProbe: exec: command: diff --git a/k8s/base/56-ers-forwarder-v3-deployment.yaml b/k8s/base/56-ers-forwarder-v3-deployment.yaml index fe4440e..38b02be 100644 --- a/k8s/base/56-ers-forwarder-v3-deployment.yaml +++ b/k8s/base/56-ers-forwarder-v3-deployment.yaml @@ -28,7 +28,7 @@ spec: value: "elsys-ers-co2" - name: CLAIR_TTN_STACK value: "ttn-v3" - image: clairberlin/clairttn:5 + image: clairberlin/clairttn:6 livenessProbe: exec: command: From 816794a396683355f7352d0a36e7eb59d4808ebe Mon Sep 17 00:00:00 2001 
From: Jan Weil Date: Sun, 10 Oct 2021 16:26:52 +0200 Subject: [PATCH 22/23] Add SysEleven TLS config --- .../syseleven/95-cert-issuer.yaml | 14 +++++ k8s/environments/syseleven/add_tls.yaml | 52 ++++++++++++++++++ k8s/environments/syseleven/config.env | 24 ++++++++ k8s/environments/syseleven/kustomization.yaml | 55 +++++++++++++++++++ 4 files changed, 145 insertions(+) create mode 100644 k8s/environments/syseleven/95-cert-issuer.yaml create mode 100644 k8s/environments/syseleven/add_tls.yaml create mode 100644 k8s/environments/syseleven/config.env create mode 100644 k8s/environments/syseleven/kustomization.yaml diff --git a/k8s/environments/syseleven/95-cert-issuer.yaml b/k8s/environments/syseleven/95-cert-issuer.yaml new file mode 100644 index 0000000..c839482 --- /dev/null +++ b/k8s/environments/syseleven/95-cert-issuer.yaml @@ -0,0 +1,14 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: jan.weil@web.de + privateKeySecretRef: + name: letsencrypt-prod + solvers: + - http01: + ingress: + class: nginx diff --git a/k8s/environments/syseleven/add_tls.yaml b/k8s/environments/syseleven/add_tls.yaml new file mode 100644 index 0000000..3c8caf8 --- /dev/null +++ b/k8s/environments/syseleven/add_tls.yaml 
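Review bot: The `ClusterIssuer` registers the ACME account with the hard-coded personal address `jan.weil@web.de` and goes straight to the production Let's Encrypt endpoint; expiry and problem notices for the production certificate will go to that mailbox rather than a project address such as the `kontakt@clair-berlin.de` used elsewhere in this overlay, and every failed attempt while debugging the solver counts against the production rate limits. Consider a project-owned contact address and a second issuer pointing at `https://acme-staging-v02.api.letsencrypt.org/directory` for first-time setup. Being cluster-scoped, the issuer and its account key secret `letsencrypt-prod` (stored in cert-manager's namespace, not `clair-berlin`) are not removed by the `kubectl delete -k` the README documents; a comment at the top of the file noting this would help.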
@@ -0,0 +1,52 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ingress + namespace: clair-berlin + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + tls: + - hosts: + - clair.jawebada.de + secretName: ingress-tls-secret + rules: + - host: clair.jawebada.de + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: static-frontend + port: + number: 80 + - path: /admin + pathType: Prefix + backend: + service: + name: managair-server + port: + number: 8888 + - path: /static + pathType: Prefix + backend: + service: + name: managair-server + port: + number: 8888 + - path: /accounts + pathType: Prefix + backend: + service: + name: managair-server + port: + number: 8888 + - path: /api + pathType: Prefix + backend: + service: + name: managair-server + port: + number: 8888 + diff --git a/k8s/environments/syseleven/config.env b/k8s/environments/syseleven/config.env new file mode 100644 index 0000000..37f3679 --- /dev/null +++ b/k8s/environments/syseleven/config.env @@ -0,0 +1,24 @@ +CLAIR_DOMAIN=clair.jawebada.de + +DEBUG=0 +SENTRY=1 +DEBUG_TOOLBAR=0 + +DJANGO_LOG_LEVEL=WARNING +DJANGO_DB_LOG_LEVEL=WARNING +LOG_LEVEL=WARNING + +MANAGAIR_DB_MIGRATE=true +MANAGAIR_COLLECT_STATIC_FILES=true + +INGESTAIR_DB_MIGRATE=false + +SQL_DATABASE=managairdb_dev +SQL_USER=managair_dev +SQL_PASSWORD=postgres + +EMAIL_HOST=mx2ed5.netcup.net +EMAIL_PORT=587 +EMAIL_HOST_USER=clair-sender@clair-berlin.de +EMAIL_USE_TLS=True +DEFAULT_FROM_EMAIL=kontakt@clair-berlin.de diff --git a/k8s/environments/syseleven/kustomization.yaml b/k8s/environments/syseleven/kustomization.yaml new file mode 100644 index 0000000..9e9246c --- /dev/null +++ b/k8s/environments/syseleven/kustomization.yaml 
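Review bot: The patch repeats the complete `rules`/`paths` list from the base ingress rather than adding only `tls:` and `host:`, and nothing says why; with `patchesStrategicMerge` the Ingress `rules` list is presumably replaced as a whole, which would make the duplication deliberate, but it also means every path added to the base ingress must be copied here by hand. Put a comment at the top of the file like `# rules must be repeated in full: the strategic merge replaces the list instead of merging it`, and consider a JSON 6902 patch that only sets `/spec/tls` and `/spec/rules/0/host` if the base path list is expected to change. The trailing empty added line at the end of the file can be dropped.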
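Review bot: config.env carries `SQL_PASSWORD=postgres` into the `clair-config-map` ConfigMap although the overlay's secretGenerator already supplies `secrets/sql-password.txt` to the db, managair and ingestair secrets; a ConfigMap is readable by anyone with `get configmaps` in the namespace and this file is committed to git, so the password should be removed from config.env (or the key left empty with a comment pointing at the secret) if the Secret is the channel the containers actually read. Which env entry each deployment uses for the password is outside this hunk, so confirm that before deleting the key. `DEBUG=0` with `SENTRY=1` is the right production setting; a one-line comment at the top of the file stating that this is a production overlay would stop it from being copied as a dev template.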
@@ -0,0 +1,55 @@ +resources: + - ../../base + - 95-cert-issuer.yaml + +patchesStrategicMerge: + - add_tls.yaml + +configMapGenerator: + - name: clair-config-map + namespace: clair-berlin + behavior: replace + envs: + - config.env + +secretGenerator: + - name: db-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/sql-password.txt + - name: managair-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/managair-secret-key.txt + - secrets/sql-password.txt + - secrets/sentry-url.txt + - secrets/smtp-password.txt + - name: ingestair-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/ingestair-secret-key.txt + - secrets/sql-password.txt + - secrets/smtp-password.txt + - name: clairchen-forwarder-v2-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/clairchen-forwarder-v2-access-key.txt + - name: ers-forwarder-v2-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/ers-forwarder-v2-access-key.txt + - name: clairchen-forwarder-v3-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/clairchen-forwarder-v3-access-key.txt + - name: ers-forwarder-v3-secret + namespace: clair-berlin + behavior: replace + files: + - secrets/ers-forwarder-v3-access-key.txt From 9dee8ea6447c61f15e0cf895a230bc34e2e4be01 Mon Sep 17 00:00:00 2001 From: Jan Weil Date: Sun, 10 Oct 2021 16:31:43 +0200 Subject: [PATCH 23/23] Document SysEleven TLS configuration example --- k8s/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/k8s/README.md b/k8s/README.md index f592182..a27c73c 100644 --- a/k8s/README.md +++ b/k8s/README.md 
@@ -17,6 +17,10 @@ cp -R base/config.env base/secrets environments/dev/kustomization.yaml $ENV_DIR After that, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration. +## cert-manager configuration + +The [SysEleven environment](environments/syseleven) contains an example how a cluster issuer and its corresponding annotation can be added to the Ingress object of the base layer. + ## Deployment To deploy an environment do the following: