K8s configuration for mounting application config.

This adds an additional volume mount for Flask application secrets.
These will be mounted into the ATST container so that their values can
be read in as config.
dandds 2019-12-05 13:18:28 -05:00
parent 2d714cae39
commit 972cf14a66
4 changed files with 121 additions and 10 deletions


@ -50,6 +50,8 @@ spec:
- name: uwsgi-config - name: uwsgi-config
mountPath: "/opt/atat/atst/uwsgi.ini" mountPath: "/opt/atat/atst/uwsgi.ini"
subPath: uwsgi.ini subPath: uwsgi.ini
- name: flask-secret
mountPath: "/config"
- name: nginx - name: nginx
image: nginx:alpine image: nginx:alpine
ports: ports:
@ -141,6 +143,16 @@ spec:
keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt" keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt"
keyvaultobjecttypes: "secret;secret;secret" keyvaultobjecttypes: "secret;secret;secret"
tenantid: $TENANT_ID tenantid: $TENANT_ID
- name: flask-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
keyvaultobjecttypes: "secret;secret;secret;secret;key"
tenantid: $TENANT_ID
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
@ -161,6 +173,7 @@ spec:
labels: labels:
app: atst app: atst
role: worker role: worker
aadpodidbinding: atat-kv-id-binding
spec: spec:
securityContext: securityContext:
fsGroup: 101 fsGroup: 101
@ -188,6 +201,8 @@ spec:
- name: pgsslrootcert - name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt subPath: pgsslrootcert.crt
- name: flask-secret
mountPath: "/config"
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
@ -203,6 +218,16 @@ spec:
- key: cert - key: cert
path: pgsslrootcert.crt path: pgsslrootcert.crt
mode: 0666 mode: 0666
- name: flask-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
keyvaultobjecttypes: "secret;secret;secret;secret;key"
tenantid: $TENANT_ID
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
@ -223,6 +248,7 @@ spec:
labels: labels:
app: atst app: atst
role: beat role: beat
aadpodidbinding: atat-kv-id-binding
spec: spec:
securityContext: securityContext:
fsGroup: 101 fsGroup: 101
@ -250,6 +276,8 @@ spec:
- name: pgsslrootcert - name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt subPath: pgsslrootcert.crt
- name: flask-secret
mountPath: "/config"
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
@ -265,6 +293,16 @@ spec:
- key: cert - key: cert
path: pgsslrootcert.crt path: pgsslrootcert.crt
mode: 0666 mode: 0666
- name: flask-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
keyvaultobjecttypes: "secret;secret;secret;secret;key"
tenantid: $TENANT_ID
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
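Review bot: The fifth entry of `keyvaultobjecttypes` on the new flask-secret volume is `key` while the alias it maps to is `SECRET_KEY`, Flask's symmetric cookie-signing secret, and the other four entries are `secret`; as far as I read the azure/kv FlexVolume driver, `key` refers to a Key Vault key object (an asymmetric key whose private half cannot be exported), so the mount either fails to fetch master-SECRET-KEY if it is stored as a secret, or writes a public key into /config/SECRET_KEY instead of the signing secret. Unless master-SECRET-KEY is deliberately a Key Vault key, the line should read `keyvaultobjecttypes: "secret;secret;secret;secret;secret"`, in all three places it is declared in this file (web, worker, beat). The `/config` mounts are also writable by default; `readOnly: true` under each `mountPath: "/config"` keeps a compromised process from rewriting its own credentials. Note that the `aadpodidbinding` label now hands the Key Vault identity to the worker and beat pods too, so every workload can read all five secrets regardless of which it actually uses.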


@ -10,6 +10,11 @@ spec:
jobTemplate: jobTemplate:
spec: spec:
template: template:
metadata:
labels:
app: atst
role: crl-sync
aadpodidbinding: atat-kv-id-binding
spec: spec:
restartPolicy: OnFailure restartPolicy: OnFailure
containers: containers:
@ -32,6 +37,8 @@ spec:
subPath: atst-overrides.ini subPath: atst-overrides.ini
- name: crls-vol - name: crls-vol
mountPath: "/opt/atat/atst/crls" mountPath: "/opt/atat/atst/crls"
- name: flask-secret
mountPath: "/config"
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
@ -43,3 +50,13 @@ spec:
- name: crls-vol - name: crls-vol
persistentVolumeClaim: persistentVolumeClaim:
claimName: crls-vol-claim claimName: crls-vol-claim
- name: flask-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
keyvaultobjecttypes: "secret;secret;secret;secret;key"
tenantid: $TENANT_ID
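Review bot: The crl-sync CronJob is now bound to the Key Vault identity and mounts all five secrets (storage key, mail password, PG password, Redis password, SECRET_KEY), which looks like more than a CRL download job needs; if it needs, say, only the storage key, trim the three option strings to that entry (`keyvaultobjectnames: "master-AZURE-STORAGE-KEY"`, `keyvaultobjectaliases: "AZURE_STORAGE_KEY"`, `keyvaultobjecttypes: "secret"`) so a compromised job pod cannot read the mail and database credentials. The FlexVolume is declared per pod, so narrowing the list here does not affect the deployments. The fifth type `key` paired with SECRET_KEY is presumably a copy of the base deployment string and should be `secret` unless that object really is a Key Vault key. Adding `readOnly: true` to the `/config` mount is cheap here as well.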


@ -11,3 +11,52 @@ spec:
options: options:
keyvaultname: "atat-vault-test" keyvaultname: "atat-vault-test"
keyvaultobjectnames: "dhparam4096;staging-cert;staging-cert" keyvaultobjectnames: "dhparam4096;staging-cert;staging-cert"
- name: flask-secret
flexVolume:
options:
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: atst-worker
spec:
template:
spec:
volumes:
- name: flask-secret
flexVolume:
options:
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: atst-beat
spec:
template:
spec:
volumes:
- name: flask-secret
flexVolume:
options:
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: crls
spec:
jobTemplate:
spec:
template:
spec:
volumes:
- name: flask-secret
flexVolume:
options:
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
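Review bot: Each overlay patch overrides only `keyvaultobjectnames` and relies on the strategic merge to keep `keyvaultobjectaliases` and `keyvaultobjecttypes` from the base, but those three semicolon-separated strings are matched by position, so anyone who adds or reorders a staging-* name here without touching the base silently pairs a secret with the wrong alias or type, and the `key` type the base assigns to the fifth slot is inherited unchanged. Either override all three strings together in every patch or put `# positional: must stay aligned with keyvaultobjectaliases/keyvaultobjecttypes in the base` above each `keyvaultobjectnames` line. The staging-* and master-* objects also live in the same vault `atat-vault-test`, and the overlay does not change the `aadpodidbinding` label, so a staging pod can presumably fetch the master-* secrets as well; worth confirming the vault access policy or splitting vaults per environment. The first hunk begins inside a Deployment document whose header lies outside the hunk.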


@ -7,6 +7,11 @@ spec:
ttlSecondsAfterFinished: 100 ttlSecondsAfterFinished: 100
backoffLimit: 2 backoffLimit: 2
template: template:
metadata:
labels:
app: atst
role: migration
aadpodidbinding: atat-kv-id-binding
spec: spec:
containers: containers:
- name: migration - name: migration
@ -28,20 +33,12 @@ spec:
- configMapRef: - configMapRef:
name: atst-worker-envvars name: atst-worker-envvars
volumeMounts: volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert - name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt" mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt subPath: pgsslrootcert.crt
- name: flask-secret
mountPath: "/config"
volumes: volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert - name: pgsslrootcert
configMap: configMap:
name: pgsslrootcert name: pgsslrootcert
@ -49,4 +46,14 @@ spec:
- key: cert - key: cert
path: pgsslrootcert.crt path: pgsslrootcert.crt
mode: 0666 mode: 0666
- name: flask-secret
flexVolume:
driver: "azure/kv"
options:
usepodidentity: "true"
keyvaultname: "atat-vault-test"
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
keyvaultobjecttypes: "secret;secret;secret;secret;key"
tenantid: $TENANT_ID
restartPolicy: Never restartPolicy: Never
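Review bot: Unlike the worker and beat deployments, which keep their `atst-overrides.ini` mount next to the new `/config` mount, the migration job drops the `atst-config` volume and its ini mount entirely; if any non-secret override (DB host, SSL mode, etc.) still lives in override.ini rather than the `atst-worker-envvars` ConfigMap, the migration will run with different settings than the pods it migrates for. Worth confirming override.ini holds nothing but the values now served from Key Vault, or keep the ini mount alongside `/config` as the other workloads do. The job also mounts all five secrets while a schema migration plausibly needs only PGPASSWORD (and perhaps SECRET_KEY); narrowing `keyvaultobjectnames` to `"master-PGPASSWORD"` with a single-entry alias and `secret` type limits what a failed or compromised migration pod can read. As elsewhere, `readOnly: true` on the `/config` mount and `secret` rather than `key` for the SECRET_KEY slot apply here too.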