From 93dd128c4d60290fc9813bcc47cb3c8021e8d655 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 13:55:30 -0400 Subject: [PATCH 01/23] Switch to language:minimal since everything is in a container --- .travis.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 94b83396..47168f0a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,5 @@ sudo: required -language: python -python: "3.6" +language: minimal services: - docker git: From bad0e1f098aff9987c6feb141abaf29be6f45a93 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 14:06:26 -0400 Subject: [PATCH 02/23] Add script for managing client ca bundle --- deploy/kubernetes/set_clientca_secret.sh | 4 ++++ 1 file changed, 4 insertions(+) create mode 100755 deploy/kubernetes/set_clientca_secret.sh diff --git a/deploy/kubernetes/set_clientca_secret.sh b/deploy/kubernetes/set_clientca_secret.sh new file mode 100755 index 00000000..b27fbb2d --- /dev/null +++ b/deploy/kubernetes/set_clientca_secret.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +kubectl -n atat delete secret atst-config-ini +kubectl -n atat create secret generic nginx-client-ca-bundle --from-file="${1}" From 5bd39e1a152e3c8223895d11652e6c597b8d6e31 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 14:06:43 -0400 Subject: [PATCH 03/23] Add client ca bundle to nginx container --- deploy/kubernetes/atst.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index c302f8af..773dbf37 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -47,6 +47,9 @@ spec: volumeMounts: - name: nginx-auth-tls mountPath: "/etc/ssl/private" + - name: nginx-client-ca-bundle + mountPath: "/etc/ssl/client-ca-bundle.pem" + subPath: client-ca-bundle.pem - name: nginx-config mountPath: "/etc/nginx/conf.d/atst.conf" subPath: atst.conf 
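Review bot: The `kubectl delete` on the third line of set_clientca_secret.sh removes `atst-config-ini`, the application config secret (the one atst-debugger.yml later mounts), instead of the `nginx-client-ca-bundle` secret the next line recreates, so every run of this script destroys the app config and, on a second run, fails because the bundle secret already exists; change it to `kubectl -n atat delete secret nginx-client-ca-bundle --ignore-not-found`. The `--from-file="${1}"` form keys the secret entry by the basename of whatever path is passed in, while atst.yml expects the key `client-ca-bundle.pem`; `--from-file=client-ca-bundle.pem="${1}"` pins the key regardless of the input filename. With no `set -eu` and no argument check, an empty or missing `$1` still runs the delete before the create fails, so `set -euo pipefail` plus a usage check on `$#` at the top makes the failure mode explicit.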
@@ -78,6 +81,13 @@ spec: - key: tls.key path: auth.atat.key mode: 0640 + - name: nginx-ca-bundle + secret: + secretName: nginx-client-ca-bundle + items: + - key: client-ca-bundle.pem + path: client-ca-bundle.pem + mode: 0666 - name: nginx-config configMap: name: atst-nginx From c00db63f40df52fefbafb4b65ba6cad77a99d80d Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 14:06:57 -0400 Subject: [PATCH 04/23] Enable client cert validation --- deploy/kubernetes/atst-nginx-configmap.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index 6e2b1d69..29133d4d 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -55,9 +55,9 @@ data: ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4; # Request and validate client certificate - #ssl_verify_client on; - #ssl_verify_depth 10; - #ssl_client_certificate /etc/nginx/ssl/ca/client-ca.pem; + ssl_verify_client on; + ssl_verify_depth 10; + ssl_client_certificate /etc/nginx/ssl/client-ca-bundle.pem; # Guard against HTTPS -> HTTP downgrade add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; location / { From 323eefd121e118c3c8e31df9393ddcdcdfeaaa8b Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 14:09:52 -0400 Subject: [PATCH 05/23] Update code version deployed --- deploy/kubernetes/atst.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 773dbf37..296e6b3f 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -24,7 +24,7 @@ spec: fsGroup: 101 containers: - name: atst - image: registry.atat.codes:443/atst-prod:e9b6f76 + image: registry.atat.codes:443/atst-prod:2030b4d envFrom: - configMapRef: name: atst-envvars From be653fd702c34a1b26d1237d68dd78dcea39a126 Mon Sep 17 00:00:00 2001 
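Review bot: The new `nginx-client-ca-bundle` volume item in the `@@ -78,6 +81,13 @@` hunk sets `mode: 0666`, which is world-writable and inconsistent with the `0640` used for `tls.key` a few lines above in the same volume list; a CA bundle only has to be readable by the nginx worker, so `mode: 0444` is sufficient. This secret is mounted with `subPath` here and again into the app container in PATCH 15, and Kubernetes does not propagate Secret updates into subPath mounts, so rotating the client CA bundle silently requires a pod restart; a comment on each volumeMount, e.g. `# subPath mount: restart the pod after updating the secret`, would spare the next operator a confused afternoon. The volume in this hunk is named `nginx-ca-bundle` while the mount references `nginx-client-ca-bundle`; PATCH 06 already fixes that, so nothing further is needed on the name.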
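Review bot: Enabling `ssl_verify_client on` in the atst-nginx-configmap hunk without an `ssl_crl` directive means nginx accepts any certificate chaining to the bundle, revoked or not; the rest of this series works hard to sync CRLs into the application container (PATCH 09 onward, landing in `/opt/atat/atst/crl`), but nothing in these patches hands them to nginx. If revocation is intended to be enforced only by the application, say so beside the directives, e.g. `# revocation is checked by the app against /opt/atat/atst/crl, not by nginx`; otherwise add `ssl_crl <path to mounted concatenated CRL file>;` next to `ssl_client_certificate`. `ssl_verify_depth 10` is much looser than a known client PKI needs — if the chain depth is known, set it to that depth plus a small margin and note the reason. Adjacent context line, not changed by this commit: the `always` inside the quoted Strict-Transport-Security value is sent as part of the header rather than acting as nginx's `always` parameter, so the header is omitted on error responses; it should read `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`.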
From: Devon Mackay Date: Wed, 8 Aug 2018 14:11:22 -0400 Subject: [PATCH 06/23] Fix reference --- deploy/kubernetes/atst.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 296e6b3f..a055580c 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -81,7 +81,7 @@ spec: - key: tls.key path: auth.atat.key mode: 0640 - - name: nginx-ca-bundle + - name: nginx-client-ca-bundle secret: secretName: nginx-client-ca-bundle items: From e098dc86193e0730b0f490384343b8eca4e93cbf Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 14:18:13 -0400 Subject: [PATCH 07/23] Fix file path --- deploy/kubernetes/atst-nginx-configmap.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index 29133d4d..553bb30b 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -57,7 +57,7 @@ data: # Request and validate client certificate ssl_verify_client on; ssl_verify_depth 10; - ssl_client_certificate /etc/nginx/ssl/client-ca-bundle.pem; + ssl_client_certificate /etc/ssl/client-ca-bundle.pem; # Guard against HTTPS -> HTTP downgrade add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; location / { From bfe3e18531a5a2c29653ffa560a698e4f8f33353 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 14:45:05 -0400 Subject: [PATCH 08/23] Update atst code version --- deploy/kubernetes/atst.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index a055580c..141cc86b 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml 
@@ -24,7 +24,7 @@ spec: fsGroup: 101 containers: - name: atst - image: registry.atat.codes:443/atst-prod:2030b4d + image: registry.atat.codes:443/atst-prod:93b9317 envFrom: - configMapRef: name: atst-envvars From 60d3379fe7e18cc7a40dd86d4f9b80da4bd882af Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 14:58:46 -0400 Subject: [PATCH 09/23] Sync CRLs and cache them --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis.yml b/.travis.yml index 47168f0a..bcd1fa52 100644 --- a/.travis.yml +++ b/.travis.yml @@ -26,6 +26,10 @@ before_script: script: - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE_NAME}" + - docker run -d --entrypoint='/bin/sh' --name current-atst-tester "${TESTER_IMAGE_NAME}" + - docker container exec -t current-atst-tester script/sync-crls + - docker cp current-atst-tester:crl ./crl + - docker container stop current-atst-tester before_deploy: - docker build --tag "${PROD_IMAGE_NAME}" . -f deploy/docker/prod/Dockerfile From 1fb037a6be4d1e2c38cce84fc97afd47ebdb423b Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 15:18:46 -0400 Subject: [PATCH 10/23] Add tty so container does not automatically stop right away --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index bcd1fa52..c3fa7dcd 100644 --- a/.travis.yml +++ b/.travis.yml @@ -26,7 +26,7 @@ before_script: script: - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE_NAME}" - - docker run -d --entrypoint='/bin/sh' --name current-atst-tester "${TESTER_IMAGE_NAME}" + - docker run -d --entrypoint='/bin/sh' -t --name current-atst-tester "${TESTER_IMAGE_NAME}" - docker container exec -t current-atst-tester script/sync-crls - docker cp current-atst-tester:crl ./crl - docker container stop current-atst-tester From 4168956f882ddb0c1d31e0f0b3642f66ab58c268 Mon Sep 17 00:00:00 2001 
From: Devon Mackay Date: Wed, 8 Aug 2018 16:04:34 -0400 Subject: [PATCH 11/23] Add rsync package for sync-crl script --- script/alpine_setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/alpine_setup b/script/alpine_setup index b9eeb9a7..41096326 100755 --- a/script/alpine_setup +++ b/script/alpine_setup @@ -10,7 +10,7 @@ APP_USER="atst" APP_UID="8010" # Add additional packages required by app dependencies -ADDITIONAL_PACKAGES="postgresql-libs python3 uwsgi uwsgi-python3" +ADDITIONAL_PACKAGES="postgresql-libs python3 rsync uwsgi uwsgi-python3" # Run the shared alpine setup script source ./script/include/run_alpine_setup From 6a3b569c09e73531b3c86ee74b1fd825172bfdd6 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 16:11:54 -0400 Subject: [PATCH 12/23] Update crl copy to use full path --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index c3fa7dcd..21de5c1f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -28,7 +28,7 @@ script: - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE_NAME}" - docker run -d --entrypoint='/bin/sh' -t --name current-atst-tester "${TESTER_IMAGE_NAME}" - docker container exec -t current-atst-tester script/sync-crls - - docker cp current-atst-tester:crl ./crl + - docker cp current-atst-tester:/opt/atat/atst/crl ./crl - docker container stop current-atst-tester before_deploy: From 8c52e53679d9141398e0427714c676bbb97b8361 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 16:22:14 -0400 Subject: [PATCH 13/23] Cache the crl subdir --- .travis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.travis.yml b/.travis.yml index 21de5c1f..0f1ddfe1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -8,6 +8,9 @@ env: global: - TESTER_IMAGE_NAME=atst-tester - PROD_IMAGE_NAME=atst-prod +cache: + directories: + - crl before_install: # Use sed to replace the SSH URL with the public URL 
From a20df689f8f91279e2bb47536ca40b30468e902d Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 16:39:08 -0400 Subject: [PATCH 14/23] Save container with CRLs added --- .travis.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 0f1ddfe1..defa6b90 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,8 +6,9 @@ git: submodules: false env: global: - - TESTER_IMAGE_NAME=atst-tester - PROD_IMAGE_NAME=atst-prod + - TESTER_IMAGE1_NAME=atst-tester-nocrls + - TESTER_IMAGE2_NAME=atst-tester cache: directories: - crl @@ -25,14 +26,15 @@ before_script: - export postgres_ip="$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" postgres96)" - export redis_ip="$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" redis)" - docker login -u $ATAT_DOCKER_REGISTRY_USERNAME -p $ATAT_DOCKER_REGISTRY_PASSWORD $ATAT_DOCKER_REGISTRY_URL - - docker build --tag "${TESTER_IMAGE_NAME}" --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" . -f deploy/docker/tester/Dockerfile + - docker build --tag "${TESTER_IMAGE1_NAME}" --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" . -f deploy/docker/tester/Dockerfile script: - - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE_NAME}" - - docker run -d --entrypoint='/bin/sh' -t --name current-atst-tester "${TESTER_IMAGE_NAME}" + - docker run -d --entrypoint='/bin/sh' -t --name current-atst-tester "${TESTER_IMAGE1_NAME}" - docker container exec -t current-atst-tester script/sync-crls + - docker commit current-atst-tester "${TESTER_IMAGE2_NAME}" - docker cp current-atst-tester:/opt/atat/atst/crl ./crl - docker container stop current-atst-tester + - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE2_NAME}" before_deploy: - docker build --tag "${PROD_IMAGE_NAME}" . -f deploy/docker/prod/Dockerfile 
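Review bot: The `docker commit current-atst-tester "${TESTER_IMAGE2_NAME}"` line captures the container's config, and that container was started with `--entrypoint='/bin/sh' -t`; unless I am misreading `docker commit` semantics, the committed image therefore inherits the `/bin/sh` entrypoint, and the final `docker run ... "${TESTER_IMAGE2_NAME}"` starts a shell with no input that exits 0 instead of running the test suite, which would make the build green without testing anything. Either reset it at commit time, `docker commit --change 'ENTRYPOINT [<original tester entrypoint>]' current-atst-tester "${TESTER_IMAGE2_NAME}"`, or drop the live-container commit and add a `COPY crl/ /opt/atat/atst/crl/` layer to the tester Dockerfile after the CRLs are synced. The Travis log for this commit should show the test output after the second `docker run`; if it shows nothing, that confirms the entrypoint carried over. Note also that `current-atst-tester` is stopped but never removed, which is harmless on an ephemeral Travis VM but will collide on the name if this script is ever run twice on the same host.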
From 0619e020424f6a95a001d819d6e4277d2e42f55f Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 17:31:37 -0400 Subject: [PATCH 15/23] Pull ca-chain.pem from Kubernetes --- deploy/kubernetes/atst.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 141cc86b..de812fa3 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -32,6 +32,9 @@ spec: - name: atst-config mountPath: "/opt/atat/atst/atst-overrides.ini" subPath: atst-overrides.ini + - name: nginx-client-ca-bundle + mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem" + subPath: client-ca-bundle.pem - name: uwsgi-config mountPath: "/opt/atat/atst/uwsgi-config.ini" subPath: uwsgi-config.ini From bc0521fba9695acc1c2ebcfffc1cf60642eeabd9 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Thu, 9 Aug 2018 08:36:08 -0400 Subject: [PATCH 16/23] Remove deploy branch restriction to push testable image --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index defa6b90..8071ea06 100644 --- a/.travis.yml +++ b/.travis.yml @@ -48,4 +48,4 @@ deploy: provider: script script: echo "** Image push only for now... stay tuned! **" on: - branch: master + all_branches: true From 6f1cd6276d868338e3c398bceb5a6ec490bdb879 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Fri, 10 Aug 2018 17:40:34 -0400 Subject: [PATCH 17/23] Update deployed code version --- deploy/kubernetes/atst.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index de812fa3..f62a0eca 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -24,7 +24,7 @@ spec: fsGroup: 101 containers: - name: atst - image: registry.atat.codes:443/atst-prod:93b9317 + image: registry.atat.codes:443/atst-prod:5ac3343 envFrom: - configMapRef: name: atst-envvars From ed3a49a8279b8e833c58b5c46cd2c6291e8e9df4 Mon Sep 17 00:00:00 2001 
From: Devon Mackay Date: Sat, 11 Aug 2018 13:12:33 -0400 Subject: [PATCH 18/23] Fix crl file copying Old syntax copied the container crl directory into the local crl directory as a subdir, resulting in the content being in ./crl/crl/ --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 8071ea06..27b95c6c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -32,7 +32,7 @@ script: - docker run -d --entrypoint='/bin/sh' -t --name current-atst-tester "${TESTER_IMAGE1_NAME}" - docker container exec -t current-atst-tester script/sync-crls - docker commit current-atst-tester "${TESTER_IMAGE2_NAME}" - - docker cp current-atst-tester:/opt/atat/atst/crl ./crl + - docker cp current-atst-tester:/opt/atat/atst/crl/* ./crl/ - docker container stop current-atst-tester - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE2_NAME}" From ac1f403313be681a785d324e649a4a7369e976d1 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sat, 11 Aug 2018 13:15:09 -0400 Subject: [PATCH 19/23] Purge the CRL cache directory --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 27b95c6c..28b540f0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -20,6 +20,7 @@ before_install: - git submodule update --init --recursive before_script: + - rm -rf ./crl/* - docker run -d --name postgres96 postgres:9.6-alpine - docker run -d --name redis redis:4.0.10-alpine - docker run --link postgres96:postgres96 --link redis:redis waisbrot/wait From 094bb1467a19aabba2564e290c7303c8674951b1 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sat, 11 Aug 2018 13:38:54 -0400 Subject: [PATCH 20/23] Fix syntax (docker uses . not * for dir contents) --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 28b540f0..fca656f6 100644 --- a/.travis.yml +++ b/.travis.yml 
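Review bot: The `rm -rf ./crl/*` added to `before_script` runs before anything in `script` populates `./crl`, so the Travis cache declared for the `crl` directory in PATCH 13 is emptied on every build before it could be used; as far as these patches show (the tester Dockerfile is not in the series, so I cannot see whether it copies `./crl` into the image), the cache now only stores what `docker cp` writes at the end of a run and is discarded at the start of the next. If the intent is to always fetch fresh CRLs, drop the `cache:` stanza and this purge together; if the intent is incremental sync against the cached copy, the purge has to go and `script/sync-crls` needs to see the cached directory. Separately, the `*` glob does not match dot-prefixed entries, so `rm -rf ./crl && mkdir -p ./crl` is the unambiguous way to empty the directory.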
@@ -33,7 +33,7 @@ script: - docker run -d --entrypoint='/bin/sh' -t --name current-atst-tester "${TESTER_IMAGE1_NAME}" - docker container exec -t current-atst-tester script/sync-crls - docker commit current-atst-tester "${TESTER_IMAGE2_NAME}" - - docker cp current-atst-tester:/opt/atat/atst/crl/* ./crl/ + - docker cp current-atst-tester:/opt/atat/atst/crl/. ./crl/ - docker container stop current-atst-tester - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE2_NAME}" From d741c4e37ce812fb3bd29b5013110f0df14cb15e Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 12 Aug 2018 13:53:15 -0400 Subject: [PATCH 21/23] Add pod spec for debuggable ATST container --- deploy/kubernetes/atst-debugger.yml | 43 +++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 deploy/kubernetes/atst-debugger.yml diff --git a/deploy/kubernetes/atst-debugger.yml b/deploy/kubernetes/atst-debugger.yml new file mode 100644 index 00000000..d86abd0f --- /dev/null +++ b/deploy/kubernetes/atst-debugger.yml 
@@ -0,0 +1,43 @@ +apiVersion: v1 +kind: Pod +metadata: + name: atst-debugger + namespace: atat +spec: + securityContext: + fsGroup: 101 + containers: + - name: atst-debugger + image: registry.atat.codes:443/atst-prod:a1916b1 + args: ["/bin/bash", "-c", "while true; do date; sleep 45; done"] + envFrom: + - configMapRef: + name: atst-envvars + volumeMounts: + - name: atst-config + mountPath: "/opt/atat/atst/atst-overrides.ini" + subPath: atst-overrides.ini + - name: uwsgi-config + mountPath: "/opt/atat/atst/uwsgi-config.ini" + subPath: uwsgi-config.ini + - name: uwsgi-socket-dir + mountPath: "/var/run/uwsgi" + volumes: + - name: atst-config + secret: + secretName: atst-config-ini + items: + - key: atst-overrides.ini + path: atst-overrides.ini + mode: 0644 + - name: uwsgi-config + configMap: + name: atst-config + items: + - key: uwsgi-config + path: uwsgi-config.ini + mode: 0644 + - name: uwsgi-socket-dir + emptyDir: + medium: Memory + restartPolicy: Never From b18c853f62a8186f48f5b8565b667534334fa662 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 12 Aug 2018 14:09:05 -0400 Subject: [PATCH 22/23] Update code version and add memory requirement --- deploy/kubernetes/atst.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index f62a0eca..c62d7a6a 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -24,7 +24,10 @@ spec: fsGroup: 101 containers: - name: atst - image: registry.atat.codes:443/atst-prod:5ac3343 + image: registry.atat.codes:443/atst-prod:a1916b1 + resources: + requests: + memory: "2500Mi" envFrom: - configMapRef: name: atst-envvars From 8c43b60bba05dc78ddeb7b7b062ec49e873bfebb Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 12 Aug 2018 14:14:11 -0400 Subject: [PATCH 23/23] Revert container publishing to master branch only --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
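Review bot: The `args: ["/bin/bash", "-c", ...]` line in the new atst-debugger pod sets `args` without `command`, so if the atst-prod image declares an ENTRYPOINT these strings are appended to it rather than executed as the process; `command: ["/bin/bash", "-c", "while true; do date; sleep 45; done"]` overrides the entrypoint unconditionally and is what a keep-alive shell pod needs. The pod also mounts the production `atst-config-ini` secret at `mode: 0644` and, with `restartPolicy: Never` and an infinite loop, stays up until someone deletes it, which is a long window for a world-readable copy of the app config inside a pod that exists only for ad-hoc shell access; `activeDeadlineSeconds: 3600` on the spec bounds that window, `mode: 0440` narrows who can read the file (processes already carry `fsGroup: 101` as a supplementary group), and a header comment stating that this manifest is for on-demand use and must be deleted afterwards sets the expectation. The hard-coded image tag `a1916b1` will drift from atst.yml (PATCH 22 happens to bump it to the same tag), so a comment saying it must track the deployed tag avoids debugging the wrong build.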
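Review bot: The new `resources.requests.memory: "2500Mi"` block in the atst.yml hunk declares a request with no matching `limits`, so the scheduler reserves 2.5Gi but the container may keep growing until the node's own memory pressure handling intervenes; if 2500Mi is the observed working set, `limits: memory: "<ceiling>"` beside it makes the intent explicit and gives the kubelet a per-container bound. If leaving the container burstable is deliberate, a one-line comment above `resources:` saying so will stop the next reviewer from raising the same point.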
diff --git a/.travis.yml b/.travis.yml
index fca656f6..5a0734c2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -49,4 +49,4 @@ deploy:
 provider: script
 script: echo "** Image push only for now... stay tuned! **"
 on:
- all_branches: true
+ branch: master