diff --git a/deploy/azure/azure.yml b/deploy/azure/azure.yml index 02952029..cf91cf58 100644 --- a/deploy/azure/azure.yml +++ b/deploy/azure/azure.yml @@ -50,6 +50,8 @@ spec: - name: uwsgi-config mountPath: "/opt/atat/atst/uwsgi.ini" subPath: uwsgi.ini + - name: flask-secret + mountPath: "/config" - name: nginx image: nginx:alpine ports: @@ -141,6 +143,16 @@ spec: keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt" keyvaultobjecttypes: "secret;secret;secret" tenantid: $TENANT_ID + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID --- apiVersion: extensions/v1beta1 kind: Deployment @@ -161,6 +173,7 @@ spec: labels: app: atst role: worker + aadpodidbinding: atat-kv-id-binding spec: securityContext: fsGroup: 101 @@ -188,6 +201,8 @@ spec: - name: pgsslrootcert mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" subPath: pgsslrootcert.crt + - name: flask-secret + mountPath: "/config" volumes: - name: atst-config secret: @@ -203,6 +218,16 @@ spec: - key: cert path: pgsslrootcert.crt mode: 0666 + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID --- apiVersion: extensions/v1beta1 kind: Deployment @@ -223,6 +248,7 @@ spec: labels: app: atst role: beat + aadpodidbinding: atat-kv-id-binding spec: securityContext: fsGroup: 101 
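Review bot: The new `/config` mount in the atst container has no `readOnly: true`, so the secret files are writable from inside the container to whatever extent the driver's mount allows; secret material should be mounted read-only as a matter of course: `- name: flask-secret`, `mountPath: "/config"`, `readOnly: true`. The same applies to the identical `/config` mounts added for the worker, beat, crl-sync and migration pods in this diff. The container's volumeMounts list continues outside the hunk.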
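Review bot: In the new `flask-secret` flexVolume, `keyvaultobjecttypes` ends with `key` for the fifth object (`master-SECRET-KEY`, aliased `SECRET_KEY`) while the other four are `secret`. If that object is stored in Key Vault as a secret, requesting it as a `key` will presumably fail the mount; if it really is a Key Vault key object, what the driver writes to `/config/SECRET_KEY` would be the key's JWK rather than the opaque string Flask needs for session signing — either way the type reads like a typo for `secret`, so `keyvaultobjecttypes: "secret;secret;secret;secret;secret"` unless the vault layout says otherwise. The same five-object stanza is copied verbatim into the worker, beat, crl-sync and migration manifests, so any fix has to land in all of them, and the staging overlay inherits the types list unchanged. Consider also templating `keyvaultname` the way `tenantid: $TENANT_ID` already is, since `atat-vault-test` is hard-wired into what appear to be the master manifests. As far as I know the Azure Key Vault FlexVolume driver has since been deprecated in favour of the Secrets Store CSI driver, which is worth a note if this stack is still maintained.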
@@ -250,6 +276,8 @@ spec: - name: pgsslrootcert mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" subPath: pgsslrootcert.crt + - name: flask-secret + mountPath: "/config" volumes: - name: atst-config secret: @@ -265,6 +293,16 @@ spec: - key: cert path: pgsslrootcert.crt mode: 0666 + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID --- apiVersion: v1 kind: Service diff --git a/deploy/azure/crls-sync.yaml b/deploy/azure/crls-sync.yaml index 5e95e331..c2a07327 100644 --- a/deploy/azure/crls-sync.yaml +++ b/deploy/azure/crls-sync.yaml @@ -10,6 +10,11 @@ spec: jobTemplate: spec: template: + metadata: + labels: + app: atst + role: crl-sync + aadpodidbinding: atat-kv-id-binding spec: restartPolicy: OnFailure containers: @@ -32,6 +37,8 @@ spec: subPath: atst-overrides.ini - name: crls-vol mountPath: "/opt/atat/atst/crls" + - name: flask-secret + mountPath: "/config" volumes: - name: atst-config secret: @@ -43,3 +50,13 @@ spec: - name: crls-vol persistentVolumeClaim: claimName: crls-vol-claim + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID diff --git a/deploy/overlays/staging/flex_vol.yml b/deploy/overlays/staging/flex_vol.yml index 0ebeea84..0efa4044 100644 --- a/deploy/overlays/staging/flex_vol.yml 
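Review bot: The crl-sync CronJob now mounts all five secrets (`AZURE_STORAGE_KEY`, `MAIL_PASSWORD`, `PGPASSWORD`, `REDIS_PASSWORD`, `SECRET_KEY`) under `/config`, and the added `aadpodidbinding: atat-kv-id-binding` gives it the same Key Vault identity as the web, worker and beat pods. Unless the CRL sync actually needs the mail password and the Flask `SECRET_KEY`, trimming `keyvaultobjectnames`/`keyvaultobjectaliases`/`keyvaultobjecttypes` to the entries the job reads keeps a compromised batch container from holding the session-signing key. A short comment on the stanza stating which entries the job consumes would make that reviewable later. The volumes list begins outside the hunk.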
+++ b/deploy/overlays/staging/flex_vol.yml @@ -11,3 +11,52 @@ spec: options: keyvaultname: "atat-vault-test" keyvaultobjectnames: "dhparam4096;staging-cert;staging-cert" + - name: flask-secret + flexVolume: + options: + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY" +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: atst-worker +spec: + template: + spec: + volumes: + - name: flask-secret + flexVolume: + options: + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY" +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: atst-beat +spec: + template: + spec: + volumes: + - name: flask-secret + flexVolume: + options: + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY" +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: crls +spec: + jobTemplate: + spec: + template: + spec: + volumes: + - name: flask-secret + flexVolume: + options: + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY" diff --git a/deploy/shared/migration.yaml b/deploy/shared/migration.yaml index d571c84d..b5161114 100644 --- a/deploy/shared/migration.yaml +++ b/deploy/shared/migration.yaml @@ -7,6 +7,11 @@ spec: ttlSecondsAfterFinished: 100 backoffLimit: 2 template: + metadata: + labels: + app: atst + role: migration + aadpodidbinding: atat-kv-id-binding spec: containers: - name: migration 
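Review bot: The staging overlay overrides only `keyvaultobjectnames`, so the five-entry order in each new `flask-secret` patch must stay in lockstep with `keyvaultobjectaliases` and `keyvaultobjecttypes` in the base manifests, and nothing in the file says so; a comment above each patch such as `# order must match keyvaultobjectaliases/keyvaultobjecttypes in deploy/azure/azure.yml and crls-sync.yaml` would stop the next addition from silently aliasing the wrong object. This assumes the overlay is applied as a kustomize strategic-merge patch that keeps the base's aliases and types, which the snippet does not show. The same `staging-…` list is repeated in four documents, so any change has to be made four times.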
@@ -28,20 +33,12 @@ spec: - configMapRef: name: atst-worker-envvars volumeMounts: - - name: atst-config - mountPath: "/opt/atat/atst/atst-overrides.ini" - subPath: atst-overrides.ini - name: pgsslrootcert mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" subPath: pgsslrootcert.crt + - name: flask-secret + mountPath: "/config" volumes: - - name: atst-config - secret: - secretName: atst-config-ini - items: - - key: override.ini - path: atst-overrides.ini - mode: 0644 - name: pgsslrootcert configMap: name: pgsslrootcert @@ -49,4 +46,14 @@ spec: - key: cert path: pgsslrootcert.crt mode: 0666 + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID restartPolicy: Never
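Review bot: This hunk drops the `atst-config` secret mount (`atst-overrides.ini`) from the migration Job, but the azure.yml hunks above keep `- name: atst-config` / `secret:` in the worker and beat volumes, so the manifests now disagree on whether the override file is still required. If the migration reads its database settings only from `atst-worker-envvars` plus the files under `/config`, say so with a comment where the mount used to be, e.g. `# DB credentials come from /config (Key Vault); atst-overrides.ini is not needed here`; if it still needs the override file, the removal breaks the job. The container spec begins outside the hunk.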