Merge pull request #1405 from dod-ccpo/dev-tenant

K8s dev config

deploy/azure/kustomization.yaml

@@ -10,6 +10,5 @@ resources:
   - volume-claim.yml
   - nginx-client-ca-bundle.yml
   - acme-challenges.yml
-  - aadpodidentity.yml
   - nginx-snippets.yml
   - autoscaling.yml

deploy/overlays/cloudzero-dev/envvars.yml

@@ -4,19 +4,30 @@ kind: ConfigMap
 metadata:
   name: atst-worker-envvars
 data:
+  AZURE_ACCOUNT_NAME: jeditasksatat
   CELERY_DEFAULT_QUEUE: celery-staging
-  SERVER_NAME: staging.atat.code.mil
   FLASK_ENV: staging
+  PGDATABASE: cloudzero_jedidev_atat
+  PGHOST: 191.238.6.43
+  PGUSER: atat@cloudzero-jedidev-sql
+  PGSSLMODE: require
+  REDIS_HOST: 10.1.3.34:6380
+  SERVER_NAME: dev.atat.cloud.mil
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: atst-envvars
 data:
-  ASSETS_URL: https://atat-cdn-staging.azureedge.net/
+  ASSETS_URL: ""
-  CDN_ORIGIN: https://staging.atat.code.mil
+  AZURE_ACCOUNT_NAME: jeditasksatat
+  CAC_URL: https://auth-dev.atat.cloud.mil
+  CDN_ORIGIN: https://dev.atat.cloud.mil
   CELERY_DEFAULT_QUEUE: celery-staging
   FLASK_ENV: staging
-  STATIC_URL: https://atat-cdn-staging.azureedge.net/static/
+  PGDATABASE: cloudzero_jedidev_atat
-  PGHOST: cloudzero-dev-sql.postgres.database.azure.com
+  PGHOST: 191.238.6.43
-  REDIS_HOST: cloudzero-dev-redis.redis.cache.windows.net:6380
+  PGUSER: atat@cloudzero-jedidev-sql
+  PGSSLMODE: require
+  REDIS_HOST: 10.1.3.34:6380
+  SESSION_COOKIE_DOMAIN: atat.cloud.mil

deploy/overlays/cloudzero-dev/flex_vol.yml

@@ -9,23 +9,19 @@ spec:
         - name: nginx-secret
           flexVolume:
             options:
-              keyvaultname: "cloudzero-dev-keyvault"
-              # keyvaultobjectnames: "dhparam4096;cert;cert"
-              keyvaultobjectnames: "foo"
-              keyvaultobjectaliases: "FOO"
-              keyvaultobjecttypes: "secret"
-              usevmmanagedidentity: "true"
               usepodidentity: "false"
+              usevmmanagedidentity: "true"
+              vmmanagedidentityclientid: $VMSS_CLIENT_ID
+              keyvaultname: "cz-jedidev-keyvault"
+              keyvaultobjectnames: "dhparam4096;ATATCERT;ATATCERT"
         - name: flask-secret
           flexVolume:
             options:
-              keyvaultname: "cloudzero-dev-keyvault"
-              # keyvaultobjectnames: "AZURE-STORAGE-KEY;MAIL-PASSWORD;PGPASSWORD;REDIS-PASSWORD;SECRET-KEY"
-              keyvaultobjectnames: "master-PGPASSWORD"
-              keyvaultobjectaliases: "PGPASSWORD"
-              keyvaultobjecttypes: "secret"
-              usevmmanagedidentity: "true"
               usepodidentity: "false"
+              usevmmanagedidentity: "true"
+              vmmanagedidentityclientid: $VMSS_CLIENT_ID
+              keyvaultname: "cz-jedidev-keyvault"
+              keyvaultobjectnames: "AZURE-STORAGE-KEY;MAIL-PASSWORD;PGPASSWORD;REDIS-PASSWORD;SECRET-KEY"
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -38,10 +34,11 @@ spec:
         - name: flask-secret
           flexVolume:
             options:
-              keyvaultname: "cloudzero-dev-keyvault"
-              keyvaultobjectnames: "AZURE-STORAGE-KEY;MAIL-PASSWORD;PGPASSWORD;REDIS-PASSWORD;SECRET-KEY"
-              usevmmanagedidentity: "true"
               usepodidentity: "false"
+              usevmmanagedidentity: "true"
+              vmmanagedidentityclientid: $VMSS_CLIENT_ID
+              keyvaultname: "cz-jedidev-keyvault"
+              keyvaultobjectnames: "AZURE-STORAGE-KEY;MAIL-PASSWORD;PGPASSWORD;REDIS-PASSWORD;SECRET-KEY"
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -54,10 +51,11 @@ spec:
         - name: flask-secret
           flexVolume:
             options:
-              keyvaultname: "cloudzero-dev-keyvault"
-              keyvaultobjectnames: "AZURE-STORAGE-KEY;MAIL-PASSWORD;PGPASSWORD;REDIS-PASSWORD;SECRET-KEY"
-              usevmmanagedidentity: "true"
               usepodidentity: "false"
+              usevmmanagedidentity: "true"
+              vmmanagedidentityclientid: $VMSS_CLIENT_ID
+              keyvaultname: "cz-jedidev-keyvault"
+              keyvaultobjectnames: "AZURE-STORAGE-KEY;MAIL-PASSWORD;PGPASSWORD;REDIS-PASSWORD;SECRET-KEY"
 ---
 apiVersion: batch/v1beta1
 kind: CronJob
@@ -72,7 +70,8 @@ spec:
             - name: flask-secret
               flexVolume:
                 options:
-                  keyvaultname: "cloudzero-dev-keyvault"
-                  keyvaultobjectnames: "AZURE-STORAGE-KEY;MAIL-PASSWORD;PGPASSWORD;REDIS-PASSWORD;SECRET-KEY"
-                  usevmmanagedidentity: "true"
                   usepodidentity: "false"
+                  usevmmanagedidentity: "true"
+                  vmmanagedidentityclientid: $VMSS_CLIENT_ID
+                  keyvaultname: "cz-jedidev-keyvault"
+                  keyvaultobjectnames: "AZURE-STORAGE-KEY;MAIL-PASSWORD;PGPASSWORD;REDIS-PASSWORD;SECRET-KEY"

deploy/overlays/cloudzero-dev/kustomization.yaml

@@ -1,9 +1,8 @@
-namespace: staging
+namespace: cloudzero-dev
 bases:
   - ../../azure/
 resources:
   - namespace.yml
-  - reset-cron-job.yml
 patchesStrategicMerge:
   - ports.yml
   - envvars.yml

deploy/overlays/cloudzero-dev/namespace.yml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: staging
+  name: cloudzero-dev

deploy/overlays/cloudzero-dev/ports.yml

@@ -5,7 +5,7 @@ metadata:
   name: atst-main
   annotations:
     service.beta.kubernetes.io/azure-load-balancer-internal: "true"
-    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "cloudzero-dev-public"
+    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "cloudzero-jedidev-public"
 spec:
   loadBalancerIP: ""
   ports:
@@ -22,7 +22,7 @@ metadata:
   name: atst-auth
   annotations:
     service.beta.kubernetes.io/azure-load-balancer-internal: "true"
-    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "cloudzero-dev-public"
+    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "cloudzero-jedidev-public"
 spec:
   loadBalancerIP: ""
   ports:

deploy/overlays/cloudzero-dev/reset-cron-job.yml

@@ -1,46 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: reset-db
-  namespace: atat
-spec:
-  schedule: "0 4 * * *"
-  concurrencyPolicy: Replace
-  successfulJobsHistoryLimit: 1
-  jobTemplate:
-    spec:
-      template:
-        metadata:
-          labels:
-            app: atst
-            role: reset-db
-            aadpodidbinding: atat-kv-id-binding
-        spec:
-          restartPolicy: OnFailure
-          containers:
-          - name: reset
-            image: $CONTAINER_IMAGE
-            command: [
-              "/bin/sh", "-c"
-            ]
-            args: [
-              "/opt/atat/atst/.venv/bin/python",
-              "/opt/atat/atst/script/reset_database.py"
-            ]
-            envFrom:
-            - configMapRef:
-                name: atst-worker-envvars
-            volumeMounts:
-              - name: flask-secret
-                mountPath: "/config"
-          volumes:
-            - name: flask-secret
-              flexVolume:
-                driver: "azure/kv"
-                options:
-                  usepodidentity: "true"
-                  keyvaultname: "atat-vault-test"
-                  keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
-                  keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
-                  keyvaultobjecttypes: "secret;secret;secret;secret;key"
-                  tenantid: $TENANT_ID

deploy/overlays/migration-cloudzero-dev/kustomization.yaml

@@ -0,0 +1,5 @@
+namespace: cloudzero-dev
+bases:
+  - ../../shared/
+patchesStrategicMerge:
+  - migration.yaml

deploy/overlays/migration-cloudzero-dev/migration.yaml

@@ -0,0 +1,16 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: migration
+spec:
+  template:
+    spec:
+      volumes:
+        - name: flask-secret
+          flexVolume:
+            options:
+              usepodidentity: "false"
+              usevmmanagedidentity: "true"
+              vmmanagedidentityclientid: $VMSS_CLIENT_ID
+              keyvaultname: "cz-jedidev-keyvault"
+              keyvaultobjectnames: "AZURE-STORAGE-KEY;MAIL-PASSWORD;PGPASSWORD;REDIS-PASSWORD;SECRET-KEY"

deploy/shared/kustomization.yaml

@@ -0,0 +1,3 @@
+namespace: atat
+resources:
+  - migration.yaml

script/database_setup.py

@@ -16,16 +16,14 @@ from reset_database import reset_database
 
 
 def database_setup(username, password, dbname, ccpo_users):
+    print("Applying schema and seeding roles and permissions.")
+    reset_database()
+
     print(
         f"Creating Postgres user role for '{username}' and granting all privileges to database '{dbname}'."
     )
-    try:
     _create_database_user(username, password, dbname)
-    except sqlalchemy.exc.ProgrammingError as err:
-        print(f"Postgres user role '{username}' already exists.")
 
-    print("Applying schema and seeding roles and permissions.")
-    reset_database()
     print("Creating initial set of CCPO users.")
     _add_ccpo_users(ccpo_users)
 
@@ -47,6 +45,22 @@ def _create_database_user(username, password, dbname):
         f"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON FUNCTIONS TO {username}; \n"
     )
 
+    try:
+        # TODO: make this more configurable
+        engine.execute(f"GRANT {username} TO azure_pg_admin;")
+    except sqlalchemy.exc.ProgrammingError as err:
+        print(f"Cannot grant new role {username} to azure_pg_admin")
+
+    for table in meta.tables:
+        engine.execute(f"ALTER TABLE {table} OWNER TO {username};\n")
+
+    sequence_results = engine.execute(
+        "SELECT c.relname FROM pg_class c WHERE c.relkind = 'S';"
+    ).fetchall()
+    sequences = [p[0] for p in sequence_results]
+    for sequence in sequences:
+        engine.execute(f"ALTER SEQUENCE {sequence} OWNER TO {username};\n")
+
     trans.commit()
 
 

script/k8s_config

@@ -13,6 +13,7 @@ SETTINGS=(
   AUTH_DOMAIN
   KV_MI_ID
   KV_MI_CLIENT_ID
+  VMSS_CLIENT_ID
   TENANT_ID
 )