pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add k8s networking.

Browse Source 
- bind static azure IPs
- Add load balancers for both CSPs
This commit is contained in:
dandds 2019-07-30 10:59:01 -04:00
parent d056191b01
commit 4c70d59c5d
5 changed files with 182 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
.circleci/config.yml
View File

@ -96,20 +96,6 @@ workflows:
branches: branches:
only: only:
- master - master
- azure-aks/update-container-image:
cluster-name: atat-cluster
container-image-updates: "atst=${AZURE_SERVER_NAME}/atat:${CIRCLE_SHA1}"
namespace: atat
resource-name: deployment.apps/atst
resource-group: atat
# uncomment below for debugging
# show-kubectl-command: true
requires:
- azure-acr/build_and_push_image
filters:
branches:
only:
- master
- azure-aks/update-container-image: - azure-aks/update-container-image:
cluster-name: atat-cluster cluster-name: atat-cluster
container-image-updates: "atst-worker=${AZURE_SERVER_NAME}/atat:${CIRCLE_SHA1}" container-image-updates: "atst-worker=${AZURE_SERVER_NAME}/atat:${CIRCLE_SHA1}"
@ -147,17 +133,3 @@ workflows:
branches: branches:
only: only:
- master - master
- aws-eks/update-container-image:
cluster-name: atat
container-image-updates: "atst-worker=${AWS_ECR_ACCOUNT_URL}/atat:${CIRCLE_SHA1}"
namespace: atat
resource-name: deployment.apps/atst-worker
aws-region: "${AWS_REGION}"
# uncomment below for debugging
# show-kubectl-command: true
requires:
- aws-ecr/build_and_push_image
filters:
branches:
only:
- master

85
k8s/aws/atst-nginx-configmap.yml
View File

@ -7,31 +7,78 @@ metadata:
data: data:
nginx-config: |- nginx-config: |-
server { server {
server_name aws.atat.code.mil;
# access_log /var/log/nginx/access.log json;
listen 8442; listen 8442;
server_name localhost; listen [::]:8442 ipv6only=on;
# if ($http_x_forwarded_proto != 'https') {
# return 301 https://$host$request_uri;
# }
location /login-redirect {
return 301 https://auth-aws.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / { location / {
try_files $uri @app; try_files $uri @app;
} }
location @app { location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param QUERY_STRING $query_string; uwsgi_param HTTP_X_REQUEST_ID $request_id;
uwsgi_param REQUEST_METHOD $request_method; }
uwsgi_param CONTENT_TYPE $content_type; location @appbasicauth {
uwsgi_param CONTENT_LENGTH $content_length; include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param REQUEST_URI $request_uri; auth_basic "Developer Access";
uwsgi_param PATH_INFO $document_uri; auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param DOCUMENT_ROOT $document_root; uwsgi_param HTTP_X_REQUEST_ID $request_id;
uwsgi_param SERVER_PROTOCOL $server_protocol; }
uwsgi_param REQUEST_SCHEME $scheme; }
uwsgi_param HTTPS $https if_not_empty; server {
# access_log /var/log/nginx/access.log json;
uwsgi_param REMOTE_ADDR $remote_addr; server_name auth-aws.atat.code.mil;
uwsgi_param REMOTE_PORT $remote_port; listen 8443;
uwsgi_param SERVER_PORT $server_port; listen [::]:8443 ipv6only=on;
uwsgi_param SERVER_NAME $server_name; # SSL server certificate and private key
# ssl_certificate /etc/ssl/private/auth.atat.crt;
# ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
# ssl_ecdh_curve secp384r1;
# ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
# ssl_session_timeout 4h;
# ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
# ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate
# ssl_verify_client on;
# ssl_verify_depth 10;
# ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://aws.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
# uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
# uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id; uwsgi_param HTTP_X_REQUEST_ID $request_id;
} }
} }

25
k8s/aws/aws.yml
View File

@ -48,7 +48,9 @@ spec:
image: nginx:alpine image: nginx:alpine
ports: ports:
- containerPort: 8442 - containerPort: 8442
name: http name: main
- containerPort: 8443
name: auth
volumeMounts: volumeMounts:
- name: nginx-config - name: nginx-config
mountPath: "/etc/nginx/conf.d/atst.conf" mountPath: "/etc/nginx/conf.d/atst.conf"
@ -137,8 +139,10 @@ kind: Service
metadata: metadata:
labels: labels:
app: atst app: atst
name: atst name: atst-main
namespace: atat namespace: atat
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec: spec:
ports: ports:
- port: 80 - port: 80
@ -146,3 +150,20 @@ spec:
selector: selector:
role: web role: web
type: LoadBalancer type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
labels:
app: atst
name: atst-auth
namespace: atat
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
ports:
- port: 80
targetPort: 8443
selector:
role: web
type: LoadBalancer

85
k8s/azure/atst-nginx-configmap.yml
View File

@ -7,31 +7,78 @@ metadata:
data: data:
nginx-config: |- nginx-config: |-
server { server {
server_name azure.atat.code.mil;
# access_log /var/log/nginx/access.log json;
listen 8442; listen 8442;
server_name localhost; listen [::]:8442 ipv6only=on;
# if ($http_x_forwarded_proto != 'https') {
# return 301 https://$host$request_uri;
# }
location /login-redirect {
return 301 https://auth-azure.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / { location / {
try_files $uri @app; try_files $uri @app;
} }
location @app { location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param QUERY_STRING $query_string; uwsgi_param HTTP_X_REQUEST_ID $request_id;
uwsgi_param REQUEST_METHOD $request_method; }
uwsgi_param CONTENT_TYPE $content_type; location @appbasicauth {
uwsgi_param CONTENT_LENGTH $content_length; include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param REQUEST_URI $request_uri; auth_basic "Developer Access";
uwsgi_param PATH_INFO $document_uri; auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param DOCUMENT_ROOT $document_root; uwsgi_param HTTP_X_REQUEST_ID $request_id;
uwsgi_param SERVER_PROTOCOL $server_protocol; }
uwsgi_param REQUEST_SCHEME $scheme; }
uwsgi_param HTTPS $https if_not_empty; server {
# access_log /var/log/nginx/access.log json;
uwsgi_param REMOTE_ADDR $remote_addr; server_name auth-azure.atat.code.mil;
uwsgi_param REMOTE_PORT $remote_port; listen 8443;
uwsgi_param SERVER_PORT $server_port; listen [::]:8443 ipv6only=on;
uwsgi_param SERVER_NAME $server_name; # SSL server certificate and private key
# ssl_certificate /etc/ssl/private/auth.atat.crt;
# ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
# ssl_ecdh_curve secp384r1;
# ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
# ssl_session_timeout 4h;
# ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
# ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate
# ssl_verify_client on;
# ssl_verify_depth 10;
# ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://azure.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
# uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
# uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id; uwsgi_param HTTP_X_REQUEST_ID $request_id;
} }
} }

23
k8s/azure/azure.yml
View File

@ -48,7 +48,9 @@ spec:
image: nginx:alpine image: nginx:alpine
ports: ports:
- containerPort: 8442 - containerPort: 8442
name: http name: main
- containerPort: 8443
name: auth
volumeMounts: volumeMounts:
- name: nginx-config - name: nginx-config
mountPath: "/etc/nginx/conf.d/atst.conf" mountPath: "/etc/nginx/conf.d/atst.conf"
@ -137,12 +139,29 @@ kind: Service
metadata: metadata:
labels: labels:
app: atst app: atst
name: atst name: atst-main
namespace: atat namespace: atat
spec: spec:
loadBalancerIP: 13.92.235.6
ports: ports:
- port: 80 - port: 80
targetPort: 8442 targetPort: 8442
selector: selector:
role: web role: web
type: LoadBalancer type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
labels:
app: atst
name: atst-auth
namespace: atat
spec:
loadBalancerIP: 23.100.24.41
ports:
- port: 80
targetPort: 8443
selector:
role: web
type: LoadBalancer