From 972cf14a66792e219ba97a36714bc5cc3935356b Mon Sep 17 00:00:00 2001 From: dandds Date: Thu, 5 Dec 2019 13:18:28 -0500 Subject: [PATCH] K8s configuration for mounting application config. This adds an additional volume mount for Flask application secrets. These will be mounted into the ATST container so that their values can be read in as config. --- deploy/azure/azure.yml | 38 +++++++++++++++++++++ deploy/azure/crls-sync.yaml | 17 ++++++++++ deploy/overlays/staging/flex_vol.yml | 49 ++++++++++++++++++++++++++++ deploy/shared/migration.yaml | 27 +++++++++------ 4 files changed, 121 insertions(+), 10 deletions(-) diff --git a/deploy/azure/azure.yml b/deploy/azure/azure.yml index 02952029..cf91cf58 100644 --- a/deploy/azure/azure.yml +++ b/deploy/azure/azure.yml @@ -50,6 +50,8 @@ spec: - name: uwsgi-config mountPath: "/opt/atat/atst/uwsgi.ini" subPath: uwsgi.ini + - name: flask-secret + mountPath: "/config" - name: nginx image: nginx:alpine ports: @@ -141,6 +143,16 @@ spec: keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt" keyvaultobjecttypes: "secret;secret;secret" tenantid: $TENANT_ID + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID --- apiVersion: extensions/v1beta1 kind: Deployment @@ -161,6 +173,7 @@ spec: labels: app: atst role: worker + aadpodidbinding: atat-kv-id-binding spec: securityContext: fsGroup: 101 @@ -188,6 +201,8 @@ spec: - name: pgsslrootcert mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" subPath: pgsslrootcert.crt + - name: flask-secret + mountPath: "/config" volumes: - name: atst-config secret: 
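Review bot: In the `@@ -141,6 +143,16 @@` hunk the new `flask-secret` flexVolume declares `keyvaultobjecttypes: "secret;secret;secret;secret;key"`, so the fifth object, `master-SECRET-KEY` (aliased `SECRET_KEY`), is fetched as a Key Vault key while the other four are fetched as secrets. If that object is stored in the vault as a secret the lookup will fail when the volume is mounted, and if it is a Key Vault key object the driver exports only public key material, which is not usable as a Flask `SECRET_KEY`; unless a key object is really intended, the line should read `keyvaultobjecttypes: "secret;secret;secret;secret;secret"`. The same string is repeated in the `@@ -203` and `@@ -265` hunks of this file, in `deploy/azure/crls-sync.yaml` (`@@ -43`) and in `deploy/shared/migration.yaml` (`@@ -49`), so all five copies should be changed together. The staging overlay in `deploy/overlays/staging/flex_vol.yml` overrides only `keyvaultobjectnames`, so it inherits whatever type list the base declares.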
@@ -203,6 +218,16 @@ spec: - key: cert path: pgsslrootcert.crt mode: 0666 + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID --- apiVersion: extensions/v1beta1 kind: Deployment @@ -223,6 +248,7 @@ spec: labels: app: atst role: beat + aadpodidbinding: atat-kv-id-binding spec: securityContext: fsGroup: 101 @@ -250,6 +276,8 @@ spec: - name: pgsslrootcert mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" subPath: pgsslrootcert.crt + - name: flask-secret + mountPath: "/config" volumes: - name: atst-config secret: @@ -265,6 +293,16 @@ spec: - key: cert path: pgsslrootcert.crt mode: 0666 + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID --- apiVersion: v1 kind: Service diff --git a/deploy/azure/crls-sync.yaml b/deploy/azure/crls-sync.yaml index 5e95e331..c2a07327 100644 --- a/deploy/azure/crls-sync.yaml +++ b/deploy/azure/crls-sync.yaml @@ -10,6 +10,11 @@ spec: jobTemplate: spec: template: + metadata: + labels: + app: atst + role: crl-sync + aadpodidbinding: atat-kv-id-binding spec: restartPolicy: OnFailure containers: @@ -32,6 +37,8 @@ spec: subPath: atst-overrides.ini - name: crls-vol mountPath: "/opt/atat/atst/crls" + - name: flask-secret + mountPath: "/config" volumes: - name: atst-config secret: 
@@ -43,3 +50,13 @@ spec: - name: crls-vol persistentVolumeClaim: claimName: crls-vol-claim + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID diff --git a/deploy/overlays/staging/flex_vol.yml b/deploy/overlays/staging/flex_vol.yml index 0ebeea84..0efa4044 100644 --- a/deploy/overlays/staging/flex_vol.yml +++ b/deploy/overlays/staging/flex_vol.yml 
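Review bot: The `flask-secret` volume added to the CRL sync CronJob in this hunk pulls all five vault objects (`AZURE_STORAGE_KEY`, `MAIL_PASSWORD`, `PGPASSWORD`, `REDIS_PASSWORD`, `SECRET_KEY`) into `/config`, the same set the web, worker and beat pods receive. A job whose role is refreshing CRL files is unlikely to need the mail or storage credentials, and every extra mount widens the set of pods from which those values can be read; trimming `keyvaultobjectnames`, `keyvaultobjectaliases` and `keyvaultobjecttypes` to what the sync process actually reads keeps the impact of a compromised job pod small. The same consideration applies to the migration Job in `deploy/shared/migration.yaml`, which most likely needs `PGPASSWORD` and little else. If the application's config loader requires all five files to be present, a short comment above the volume stating that would explain why the full set is mounted here.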
@@ -11,3 +11,52 @@ spec: options: keyvaultname: "atat-vault-test" keyvaultobjectnames: "dhparam4096;staging-cert;staging-cert" + - name: flask-secret + flexVolume: + options: + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY" +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: atst-worker +spec: + template: + spec: + volumes: + - name: flask-secret + flexVolume: + options: + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY" +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: atst-beat +spec: + template: + spec: + volumes: + - name: flask-secret + flexVolume: + options: + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY" +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: crls +spec: + jobTemplate: + spec: + template: + spec: + volumes: + - name: flask-secret + flexVolume: + options: + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY" diff --git a/deploy/shared/migration.yaml b/deploy/shared/migration.yaml index d571c84d..b5161114 100644 --- a/deploy/shared/migration.yaml +++ b/deploy/shared/migration.yaml @@ -7,6 +7,11 @@ spec: ttlSecondsAfterFinished: 100 backoffLimit: 2 template: + metadata: + labels: + app: atst + role: migration + aadpodidbinding: atat-kv-id-binding spec: containers: - name: migration 
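Review bot: This overlay adds `flask-secret` patches for the base Deployment, `atst-worker`, `atst-beat` and the `crls` CronJob, but nothing here patches the migration Job that `deploy/shared/migration.yaml` now gives the same base `flask-secret` volume. Unless another file in the staging overlay covers it, a staging migration run would mount the `master-*` objects (including `master-PGPASSWORD`) instead of the `staging-*` ones, which is both a wrong-environment credential and a cross-environment exposure of the master values. A matching document for the Job with the `staging-*` `keyvaultobjectnames` would keep the environments separate; the Job's name is not visible in this diff, so it is a placeholder below. Note also that every patch here repeats `keyvaultname: "atat-vault-test"` unchanged from the base, so master and staging secrets live in one vault and differ only by name prefix, which is acceptable only if the pod identity is meant to read both.
```yaml
---
apiVersion: batch/v1
kind: Job
metadata:
  name: MIGRATION_JOB_NAME  # placeholder: use metadata.name from deploy/shared/migration.yaml
spec:
  template:
    spec:
      volumes:
        - name: flask-secret
          flexVolume:
            options:
              keyvaultname: "atat-vault-test"
              keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
```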
@@ -28,20 +33,12 @@ spec: - configMapRef: name: atst-worker-envvars volumeMounts: - - name: atst-config - mountPath: "/opt/atat/atst/atst-overrides.ini" - subPath: atst-overrides.ini - name: pgsslrootcert mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" subPath: pgsslrootcert.crt + - name: flask-secret + mountPath: "/config" volumes: - - name: atst-config - secret: - secretName: atst-config-ini - items: - - key: override.ini - path: atst-overrides.ini - mode: 0644 - name: pgsslrootcert configMap: name: pgsslrootcert @@ -49,4 +46,14 @@ spec: - key: cert path: pgsslrootcert.crt mode: 0666 + - name: flask-secret + flexVolume: + driver: "azure/kv" + options: + usepodidentity: "true" + keyvaultname: "atat-vault-test" + keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY" + keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY" + keyvaultobjecttypes: "secret;secret;secret;secret;key" + tenantid: $TENANT_ID restartPolicy: Never
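Review bot: The `@@ -28,20 +33,12 @@` hunk removes the `atst-config` volume and its `atst-overrides.ini` mount from the migration Job while adding `/config`, so after this change the container receives only the `atst-worker-envvars` ConfigMap and the five Key Vault files; any setting that previously came from `override.ini` and is not one of those five (database host, user or name, for example) is no longer available to the migration. If that is intended because the Job's configuration now comes entirely from the ConfigMap, the commit description should say so, since it currently describes the change as an additional mount only. The enclosing Job spec starts outside this hunk, so whether the ConfigMap carries the remaining settings cannot be confirmed from the diff.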