support database connection for mysql/postgres (#5)

* support database connection for mysql/postgres

Author: davidcheung

Makefile

@@ -6,7 +6,7 @@
 GITHUB_ORG := $(shell echo ${REPOSITORY} | cut -d "/" -f 2)
 GITHUB_REPO := $(shell echo ${REPOSITORY} | cut -d "/" -f 3)
 
-run:
+run: create-db-user
 	@echo "Set CIRCLECI environment variables\n"
 	export AWS_ACCESS_KEY_ID=$(shell aws secretsmanager get-secret-value --region ${region} --secret-id=ci-user-aws-keys${randomSeed} | jq -r '.SecretString'| jq -r .access_key_id)
 	export AWS_SECRET_ACCESS_KEY=$(shell aws secretsmanager get-secret-value --region ${region} --secret-id=ci-user-aws-keys${randomSeed} | jq -r '.SecretString'| jq -r .secret_key)
@@ -17,6 +17,14 @@ run:
 	curl -X POST https://circleci.com/api/v1.1/project/github/${GITHUB_ORG}/${GITHUB_REPO}/follow?circle-token=${CIRCLECI_API_KEY}
 	@echo "\nDone"
 
+create-db-user:
+	export REGION=${region}; \
+	export SEED=${randomSeed}; \
+	export PROJECT_NAME=${PROJECT_NAME}; \
+	export ENVIRONMENT=${ENVIRONMENT}; \
+	export DATABASE=${database}; \
+	sh ./db-ops/create-db-user.sh
+
 summary:
 	@echo "zero-deployable-node-backend:"
 	@echo "- Repository URL: ${REPOSITORY}"

db-ops/create-db-user.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# docker image with postgres.mysql client
+DOCKER_IMAGE_TAG=commitdev/zero-k8s-utilities:0.0.3
+DB_ENDPOINT=database.$PROJECT_NAME
+DB_NAME=$(aws rds describe-db-instances --region=$REGION --query "DBInstances[?DBInstanceIdentifier=='$PROJECT_NAME-$ENVIRONMENT'].DBName" | jq -r '.[0]')
+SECRET_ID=$(aws secretsmanager list-secrets --region $REGION  --query "SecretList[?Name=='$PROJECT_NAME-$ENVIRONMENT-rds-$SEED'].Name" | jq -r ".[0]")
+# RDS MASTER
+MASTER_RDS_USERNAME=master_user
+SECRET_PASSWORD=$(aws secretsmanager get-secret-value --region=$REGION --secret-id=$SECRET_ID | jq -r ".SecretString")
+# APPLICATION DB ADMIN
+DB_APP_USERNAME=$DB_NAME
+DB_APP_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | base64 | head -c 16)
+
+# Fill in env-vars to db user creation manifest
+eval "echo \"$(cat ./db-ops/job-create-db-$DATABASE.yml.tpl)\"" > ./k8s-job-create-db.yml
+# the manifest creates 4 things
+# 1. Namespace: db-ops
+# 2. Secret in db-ops: db-create-users (with master password, and a .sql file
+# 3. Job in db-ops: db-create-users (runs the .sql file against the RDS given master_password from env)
+# 4. Secret in Application namespace with DB_USERNAME / DB_PASSWORD
+kubectl apply -f ./k8s-job-create-db.yml
+
+# Deleting the entire db-ops namespace, leaving ONLY application-namespace's secret behind
+kubectl -n db-ops wait --for=condition=complete --timeout=10s job db-create-users
+if [ $? -eq 0 ]
+then
+  kubectl get namespace db-ops
+else
+  echo "Failed to create application database user, please see 'kubectl logs -n db-ops -l job-name=db-create-users'"
+fi

db-ops/job-create-db-mysql.yml.tpl

@@ -0,0 +1,111 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: db-ops
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: db-create-users
+  namespace: db-ops
+type: Opaque
+stringData:
+  create-user.sql: |
+    CREATE USER '$DB_APP_USERNAME' IDENTIFIED BY '$DB_APP_PASSWORD';
+    GRANT ALL PRIVILEGES ON $DB_NAME.* TO '$DB_APP_USERNAME';
+  RDS_MASTER_PASSWORD: $SECRET_PASSWORD
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: $PROJECT_NAME
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: $PROJECT_NAME
+  namespace: $PROJECT_NAME
+type: Opaque
+stringData:
+  DATABASE_USERNAME: $DB_APP_USERNAME
+  DATABASE_PASSWORD: $DB_APP_PASSWORD
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: db-create-users
+  namespace: db-ops
+spec:
+  template:
+    spec:
+      containers:
+      - name: create-rds-user
+        image: $DOCKER_IMAGE_TAG
+        command:
+        - sh
+        args:
+        - '-c'
+        - mysql -u$MASTER_RDS_USERNAME -h $DB_ENDPOINT $DB_NAME < /db-ops/create-user.sql
+        env:
+        - name: DB_ENDPOINT
+          value: $DB_ENDPOINT
+        - name: DB_NAME
+          value: $DB_NAME
+        - name: MYSQL_PWD
+          valueFrom:
+            secretKeyRef:
+              name: db-create-users
+              key: RDS_MASTER_PASSWORD
+        volumeMounts:
+        - mountPath: /db-ops/create-user.sql
+          name: db-create-users
+          subPath: create-user.sql
+      volumes:
+        - name: db-create-users
+          secret:
+            secretName: db-create-users
+      restartPolicy: Never
+  backoffLimit: 1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: db-pod
+  namespace: $PROJECT_NAME
+spec:
+# this is purposely left at 0 so it can be enabled for troubleshooting purposes
+  replicas: 0
+  selector:
+    matchLabels:
+      app: db-pod
+  template:
+    metadata:
+      labels:
+        app: db-pod
+    spec:
+      automountServiceAccountToken: false
+      containers:
+      - command:
+        - sh
+        args:
+        - "-c"
+        # long running task so the pod doesn't exit with 0
+        - tail -f /dev/null
+        image: $DOCKER_IMAGE_TAG
+        imagePullPolicy: Always
+        name: db-pod
+        env:
+        - name: DB_ENDPOINT
+          value: $DB_ENDPOINT
+        - name: DB_NAME
+          value: $DB_NAME
+        - name: DB_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: $PROJECT_NAME
+              key: DATABASE_USERNAME
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: $PROJECT_NAME
+              key: DATABASE_PASSWORD

db-ops/job-create-db-postgres.yml.tpl

@@ -0,0 +1,107 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: db-ops
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: db-create-users
+  namespace: db-ops
+type: Opaque
+stringData:
+  create-user.sql: |
+    create user $DB_APP_USERNAME with encrypted password '$DB_APP_PASSWORD';
+    grant all privileges on database $DB_NAME to $DB_APP_USERNAME;
+  RDS_MASTER_PASSWORD: $SECRET_PASSWORD
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: $PROJECT_NAME
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: $PROJECT_NAME
+  namespace: $PROJECT_NAME
+type: Opaque
+stringData:
+  DATABASE_USERNAME: $DB_APP_USERNAME
+  DATABASE_PASSWORD: $DB_APP_PASSWORD
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: db-create-users
+  namespace: db-ops
+spec:
+  template:
+    spec:
+      containers:
+      - name: create-rds-user
+        image: $DOCKER_IMAGE_TAG
+        command:
+        - sh
+        args:
+        - '-c'
+        - psql -U$MASTER_RDS_USERNAME -h $DB_ENDPOINT $DB_NAME -a -f/db-ops/create-user.sql > /dev/null
+        env:
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: db-create-users
+              key: RDS_MASTER_PASSWORD
+        volumeMounts:
+        - mountPath: /db-ops/create-user.sql
+          name: db-create-users
+          subPath: create-user.sql
+      volumes:
+        - name: db-create-users
+          secret:
+            secretName: db-create-users
+      restartPolicy: Never
+  backoffLimit: 1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: db-pod
+  namespace: $PROJECT_NAME
+spec:
+# this is purposely left at 0 so it can be enabled for troubleshooting purposes
+  replicas: 0
+  selector:
+    matchLabels:
+      app: db-pod
+  template:
+    metadata:
+      labels:
+        app: db-pod
+    spec:
+      automountServiceAccountToken: false
+      containers:
+      - command:
+        - sh
+        args:
+        - "-c"
+        # long running task so the pod doesn't exit with 0
+        - tail -f /dev/null
+        image: $DOCKER_IMAGE_TAG
+        imagePullPolicy: Always
+        name: db-pod
+        env:
+        - name: DB_ENDPOINT
+          value: $DB_ENDPOINT
+        - name: DB_NAME
+          value: $DB_NAME
+        - name: DB_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: $PROJECT_NAME
+              key: DATABASE_USERNAME
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: $PROJECT_NAME
+              key: DATABASE_PASSWORD

templates/.circleci/config.yml

@@ -232,11 +232,23 @@ jobs:
       - run:
           name: Deploy
           command: |
-            kubectl create namespace << parameters.namespace >> || echo "Namespace already exists"
+            DEPLOYMENT=<< parameters.repo >>
+            NAMESPACE=<< parameters.namespace >>
+            kubectl create namespace $NAMESPACE || echo "Namespace already exists"
             cd kubernetes/overlays/<< parameters.config-environment >>
             IMAGE=<< parameters.account-id >>.dkr.ecr.<< parameters.region >>.amazonaws.com/<< parameters.repo >>
             kustomize edit set image fake-image=${IMAGE}:${VERSION_TAG}
-            kustomize build . | kubectl apply -f - -n << parameters.namespace >>
+            kustomize build . | kubectl apply -f - -n $NAMESPACE
+            if ! kubectl -n $NAMESPACE rollout status deployment/$DEPLOYMENT -w --timeout=180s ; then
+              echo "$DEPLOYMENT rollout check failed:"
+              echo "$DEPLOYMENT deployment:"
+              kubectl -n $NAMESPACE describe deployment $DEPLOYMENT
+              echo "$DEPLOYMENT replicaset:"
+              kubectl -n $NAMESPACE describe rs -l app=$DEPLOYMENT
+              echo "$DEPLOYMENT pods:"
+              kubectl -n $NAMESPACE describe pod -l app=$DEPLOYMENT
+              exit 1
+            fi
 workflows:
     version: 2
     # The main workflow. Check out the code, build it, push it, deploy to staging, test, deploy to production

templates/.env.example

@@ -1,6 +1,6 @@
 DATABASE_ENGINE=
 DATABASE_HOST=
-DATABASE_HOST=
+DATABASE_PORT=
 DATABASE_PASSWORD=
 DATABASE_USERNAME=
 DATABASE_NAME=

templates/Makefile

@@ -1,5 +1,7 @@
 install:
 	npm i
+	# See https://sequelize.org/master/manual/getting-started.html for supported db drivers
+	<%if eq (index .Params `database`) "postgres" %>npm i --save pg pg-hstore<% else if eq (index .Params `database`) "mysql" %>npm i --save mysql2<% end %>
 
 run:
-	PORT=80 node app.js
+	PORT=80 node src/app.js

templates/kubernetes/base/deployment.yml

@@ -57,6 +57,16 @@ spec:
                 secretKeyRef:
                   name: cf-keypair
                   key: private_key
+          - name: DATABASE_USERNAME
+            valueFrom:
+                secretKeyRef:
+                  name: <% .Name %>
+                  key: DATABASE_USERNAME
+          - name: DATABASE_PASSWORD
+            valueFrom:
+                secretKeyRef:
+                  name: <% .Name %>
+                  key: DATABASE_PASSWORD
 ---
 apiVersion: autoscaling/v1
 kind: HorizontalPodAutoscaler