
Commit d815413

authored
rename ci-user (#7)
* rename ci-user * set deployer role for ci and fix db-user creation * resume to number version 0.0.3
1 parent 8ea944d commit d815413

5 files changed

+29
-26
lines changed


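--- a/Makefile
+++ b/Makefile
@@ -8,8 +8,8 @@ GITHUB_REPO := $(shell echo ${REPOSITORY} | cut -d "/" -f 3)
 
 run: create-db-user
 @echo "Set CIRCLECI environment variables\n"
-export AWS_ACCESS_KEY_ID=$(shell aws secretsmanager get-secret-value --region ${region} --secret-id=ci-user-aws-keys${randomSeed} | jq -r '.SecretString'| jq -r .access_key_id)
-export AWS_SECRET_ACCESS_KEY=$(shell aws secretsmanager get-secret-value --region ${region} --secret-id=ci-user-aws-keys${randomSeed} | jq -r '.SecretString'| jq -r .secret_key)
+export AWS_ACCESS_KEY_ID=$(shell aws secretsmanager get-secret-value --region ${region} --secret-id=${PROJECT_NAME}-ci-user-aws-keys${randomSeed} | jq -r '.SecretString'| jq -r .access_key_id)
+export AWS_SECRET_ACCESS_KEY=$(shell aws secretsmanager get-secret-value --region ${region} --secret-id=${PROJECT_NAME}-ci-user-aws-keys${randomSeed} | jq -r '.SecretString'| jq -r .secret_key)
 curl -X POST --header "Content-Type: application/json" -d '{"name":"CIRCLECI_API_KEY", "value":"${CIRCLECI_API_KEY}"}' https://circleci.com/api/v1.1/project/github/${GITHUB_ORG}/${GITHUB_REPO}/envvar?circle-token=${CIRCLECI_API_KEY}
 curl -X POST --header "Content-Type: application/json" -d '{"name":"AWS_ACCESS_KEY_ID", "value":"${AWS_ACCESS_KEY_ID}"}' https://circleci.com/api/v1.1/project/github/${GITHUB_ORG}/${GITHUB_REPO}/envvar?circle-token=${CIRCLECI_API_KEY}
 curl -X POST --header "Content-Type: application/json" -d '{"name":"AWS_SECRET_ACCESS_KEY", "value":"${AWS_SECRET_ACCESS_KEY}"}' https://circleci.com/api/v1.1/project/github/${GITHUB_ORG}/${GITHUB_REPO}/envvar?circle-token=${CIRCLECI_API_KEY}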
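Review bot: The two `export … $(shell aws secretsmanager …)` lines (new 11–12) never reach the curl calls on lines 14–15: each recipe line runs in its own shell, and `${AWS_ACCESS_KEY_ID}` / `${AWS_SECRET_ACCESS_KEY}` in the curl bodies are Make variable references, so what gets posted to CircleCI is whatever Make inherited from the caller's environment — plausibly the operator's own AWS credentials, if those are set — rather than the freshly fetched ci-user keys. Because the export lines are not `@`-silenced, Make also echoes the fully expanded command, secret key included, to the terminal or CI log before running it. Fetching the secret once in a single silenced shell line and passing the two fields as shell variables fixes both problems and halves the Secrets Manager round-trips. The `run` recipe is fully inside the hunk, but its `create-db-user` prerequisite is defined elsewhere.
```make
run: create-db-user
	@echo "Set CIRCLECI environment variables\n"
	# … unchanged: CIRCLECI_API_KEY curl …
	@secret=$$(aws secretsmanager get-secret-value --region ${region} --secret-id=${PROJECT_NAME}-ci-user-aws-keys${randomSeed} | jq -r '.SecretString'); \
	access_key_id=$$(printf '%s' "$$secret" | jq -r .access_key_id); \
	secret_key=$$(printf '%s' "$$secret" | jq -r .secret_key); \
	curl -sS -X POST --header "Content-Type: application/json" -d "{\"name\":\"AWS_ACCESS_KEY_ID\", \"value\":\"$$access_key_id\"}" https://circleci.com/api/v1.1/project/github/${GITHUB_ORG}/${GITHUB_REPO}/envvar?circle-token=${CIRCLECI_API_KEY}; \
	curl -sS -X POST --header "Content-Type: application/json" -d "{\"name\":\"AWS_SECRET_ACCESS_KEY\", \"value\":\"$$secret_key\"}" https://circleci.com/api/v1.1/project/github/${GITHUB_ORG}/${GITHUB_REPO}/envvar?circle-token=${CIRCLECI_API_KEY}
```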

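--- a/db-ops/create-db-user.sh
+++ b/db-ops/create-db-user.sh
@@ -13,19 +13,20 @@ DB_APP_USERNAME=$DB_NAME
 DB_APP_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | base64 | head -c 16)
 
 # Fill in env-vars to db user creation manifest
+JOB_ID=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 8)
 eval "echo \"$(cat ./db-ops/job-create-db-$DATABASE.yml.tpl)\"" > ./k8s-job-create-db.yml
 # the manifest creates 4 things
-# 1. Namespace: db-ops
+# 1. Namespace: db-ops
 # 2. Secret in db-ops: db-create-users (with master password, and a .sql file
 # 3. Job in db-ops: db-create-users (runs the .sql file against the RDS given master_password from env)
-# 4. Secret in Application namespace with DB_USERNAME / DB_PASSWORD
+# 4. Secret in Application namespace with DB_USERNAME / DB_PASSWORD
 kubectl apply -f ./k8s-job-create-db.yml
 
 # Deleting the entire db-ops namespace, leaving ONLY application-namespace's secret behind
-kubectl -n db-ops wait --for=condition=complete --timeout=10s job db-create-users
+kubectl -n db-ops wait --for=condition=complete --timeout=10s job db-create-users-${JOB_ID}
 if [ $? -eq 0 ]
-then
-kubectl get namespace db-ops
-else
-echo "Failed to create application database user, please see 'kubectl logs -n db-ops -l job-name=db-create-users'"
+then
+kubectl delete namespace db-ops
+else
+echo "Failed to create application database user, please see 'kubectl logs -n db-ops -l job-name=db-create-users-${JOB_ID}'"
 fi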
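Review bot: The failure branch at new line 31 only prints a message, so the script still exits 0 and the Makefile's `run: create-db-user` carries on as if the application user had been created; add `exit 1` after the echo. On that path the `db-ops` namespace — including the `db-create-users` secret that holds the RDS master password — is also left behind, which the comment on line 25 should say, e.g. `# On success delete the entire db-ops namespace (and the master-password secret in it); on failure it is kept for debugging`. A 10s `--timeout` is tight for a job that first has to pull `$DOCKER_IMAGE_TAG`, so the else branch can fire on a job that later succeeds; consider a longer timeout. The hunk ends at `fi`; anything after it is outside the view.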

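--- a/db-ops/job-create-db-mysql.yml.tpl
+++ b/db-ops/job-create-db-mysql.yml.tpl
@@ -9,8 +9,9 @@ metadata:
 name: db-create-users
 namespace: db-ops
 type: Opaque
-stringData:
+stringData:
 create-user.sql: |
+DROP USER '$DB_APP_USERNAME';
 CREATE USER '$DB_APP_USERNAME' IDENTIFIED BY '$DB_APP_PASSWORD';
 GRANT ALL PRIVILEGES ON $DB_NAME.* TO '$DB_APP_USERNAME';
 RDS_MASTER_PASSWORD: $SECRET_PASSWORD
@@ -26,25 +27,25 @@ metadata:
 name: $PROJECT_NAME
 namespace: $PROJECT_NAME
 type: Opaque
-stringData:
+stringData:
 DATABASE_USERNAME: $DB_APP_USERNAME
 DATABASE_PASSWORD: $DB_APP_PASSWORD
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
-name: db-create-users
+name: db-create-users-$JOB_ID
 namespace: db-ops
 spec:
 template:
 spec:
 containers:
 - name: create-rds-user
 image: $DOCKER_IMAGE_TAG
-command:
+command:
 - sh
-args:
-- '-c'
+args:
+- '-c'
 - mysql -u$MASTER_RDS_USERNAME -h $DB_ENDPOINT $DB_NAME < /db-ops/create-user.sql
 env:
 - name: DB_ENDPOINT
@@ -87,7 +88,7 @@ spec:
 containers:
 - command:
 - sh
-args:
+args:
 - "-c"
 # long running task so the pod doesn't exit with 0
 - tail -f /dev/null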
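Review bot: The added `DROP USER '$DB_APP_USERNAME';` (new line 14) fails when the user does not yet exist, which is the normal case on a fresh database; the mysql client stops at the first error unless run with `--force`, so `CREATE USER` and `GRANT` never execute and the job fails on first use. Use `DROP USER IF EXISTS '$DB_APP_USERNAME';` instead (MySQL 5.7+ / MariaDB 10.1.3+). The counterpart statement in db-ops/job-create-db-postgres.yml.tpl has its own problems, noted there. Drop-and-recreate also rotates the password of an existing app user on every run — presumably intended, since `DB_APP_PASSWORD` is regenerated by create-db-user.sh each time — but that deserves a comment above the `create-user.sql:` key so nobody runs this against a live application by accident.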

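--- a/db-ops/job-create-db-postgres.yml.tpl
+++ b/db-ops/job-create-db-postgres.yml.tpl
@@ -9,8 +9,9 @@ metadata:
 name: db-create-users
 namespace: db-ops
 type: Opaque
-stringData:
+stringData:
 create-user.sql: |
+drop user $DB_APP_USERNAME
 create user $DB_APP_USERNAME with encrypted password '$DB_APP_PASSWORD';
 grant all privileges on database $DB_NAME to $DB_APP_USERNAME;
 RDS_MASTER_PASSWORD: $SECRET_PASSWORD
@@ -26,25 +27,25 @@ metadata:
 name: $PROJECT_NAME
 namespace: $PROJECT_NAME
 type: Opaque
-stringData:
+stringData:
 DATABASE_USERNAME: $DB_APP_USERNAME
 DATABASE_PASSWORD: $DB_APP_PASSWORD
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
-name: db-create-users
+name: db-create-users-$JOB_ID
 namespace: db-ops
 spec:
 template:
 spec:
 containers:
 - name: create-rds-user
 image: $DOCKER_IMAGE_TAG
-command:
+command:
 - sh
-args:
-- '-c'
+args:
+- '-c'
 - psql -U$MASTER_RDS_USERNAME -h $DB_ENDPOINT $DB_NAME -a -f/db-ops/create-user.sql > /dev/null
 env:
 - name: PGPASSWORD
@@ -83,7 +84,7 @@ spec:
 containers:
 - command:
 - sh
-args:
+args:
 - "-c"
 # long running task so the pod doesn't exit with 0
 - tail -f /dev/null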
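Review bot: The added `drop user $DB_APP_USERNAME` (new line 14) has no terminating semicolon, so psql joins it with the following `create user …` line into a single statement that is a syntax error; on a fresh database a plain `drop user` would fail anyway because the role does not exist yet. Use `drop user if exists $DB_APP_USERNAME;`. That failure is then masked: the psql call on new line 49 (second hunk) runs without `-v ON_ERROR_STOP=1`, so script errors leave its exit status at 0, the Job completes, `kubectl wait` in create-db-user.sh succeeds and the db-ops namespace is deleted even though no user was created; change that line to `- psql -v ON_ERROR_STOP=1 -U$MASTER_RDS_USERNAME -h $DB_ENDPOINT $DB_NAME -a -f/db-ops/create-user.sql > /dev/null`. Note that `-a` echoes every input line, including the password literal, to stdout, which is only harmless here because of the `> /dev/null`; dropping `-a` removes that dependency.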

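--- a/templates/.circleci/config.yml
+++ b/templates/.circleci/config.yml
@@ -6,7 +6,7 @@ orbs:
 aws-eks: circleci/aws-eks@0.2.3
 aws-s3: circleci/aws-s3@1.0.11
 aws-cli: circleci/aws-cli@0.1.18
-queue: eddiewebb/queue@1.3.0
+queue: eddiewebb/queue@1.5.0
 slack: circleci/slack@3.4.2
 version-tag: commitdev/version-tag@0.0.3
 
@@ -295,7 +295,7 @@ workflows:
 repo: "<% .Name %>"
 cluster-name: "<% .Name %>-stage-<% index .Params `region` %>"
 config-environment: "staging"
-cluster-authentication-role-arn: "arn:aws:iam::<% index .Params `accountId` %>:role/<% .Name %>-kubernetes-admin-stage"
+cluster-authentication-role-arn: "arn:aws:iam::<% index .Params `accountId` %>:role/<% .Name %>-kubernetes-deployer-stage"
 region: "<% index .Params `region` %>"
 namespace: "<% .Name %>"
 tag: "${VERSION_TAG}"
@@ -318,7 +318,7 @@ workflows:
 repo: "<% .Name %>"
 cluster-name: "<% .Name %>-prod-<% index .Params `region` %>"
 config-environment: "production"
-cluster-authentication-role-arn: "arn:aws:iam::<% index .Params `accountId` %>:role/<% .Name %>-kubernetes-admin-prod"
+cluster-authentication-role-arn: "arn:aws:iam::<% index .Params `accountId` %>:role/<% .Name %>-kubernetes-deployer-prod"
 region: "<% index .Params `region` %>"
 namespace: "<% .Name %>"
 tag: "${VERSION_TAG}"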
