Add kubernetes config and scripts for syncing CRLs.

This adds a previous version of the CRL sync functionality back to the repo, with some small adjustments. We now grab the CRLs directly from their DISA URLs. The CRL sync is handled by a kubernetes cronjob that sync the files to a persistent volume that is mounted into each Flask app container.
2019-08-05 09:39:47 -04:00
parent e333f32aea
commit b1cf89051a
5 changed files with 245 additions and 12 deletions
--- a/k8s/azure/azure.yml
+++ b/k8s/azure/azure.yml
@@ -44,6 +44,8 @@ spec:
              subPath: client-ca-bundle.pem
            - name: uwsgi-socket-dir
              mountPath: "/var/run/uwsgi"
+            - name: crls-vol
+              mountPath: "/opt/atat/atst/crls"
        - name: nginx
          image: nginx:alpine
          ports:
@@ -109,6 +111,10 @@ spec:
            - key: tls.key
              path: atat.key
              mode: 0640
+        - name: crls-vol
+          persistentVolumeClaim:
+            claimName: crls-vol-claim
+
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
--- a/k8s/azure/storage-class.yml
+++ b/k8s/azure/storage-class.yml
@@ -0,0 +1,46 @@
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: azurefile
+provisioner: kubernetes.io/azure-file
+mountOptions:
+  - dir_mode=0777
+  - file_mode=0777
+  - uid=1000
+  - gid=1000
+parameters:
+  skuName: Standard_LRS
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:azure-cloud-provider
+rules:
+- apiGroups: ['']
+  resources: ['secrets']
+  verbs:     ['get','create']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:azure-cloud-provider
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: system:azure-cloud-provider
+subjects:
+- kind: ServiceAccount
+  name: persistent-volume-binder
+  namespace: kube-system
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: crls-vol-claim
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: azurefile
+  resources:
+    requests:
+      storage: 1Gi
--- a/k8s/shared/crls-sync.yaml
+++ b/k8s/shared/crls-sync.yaml
@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: crls
+  namespace: atat
+spec:
+  schedule: "0 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: crls
+            image: $CONTAINER_IMAGE
+            command: [
+              "/bin/sh", "-c"
+            ]
+            args: [
+              "/opt/atat/atst/script/sync-crls"
+            ]
+            envFrom:
+            - configMapRef:
+                name: atst-envvars
+            - configMapRef:
+                name: atst-worker-envvars
+            volumeMounts:
+              - name: atst-config
+                mountPath: "/opt/atat/atst/atst-overrides.ini"
+                subPath: atst-overrides.ini
+              - name: crls-vol
+                mountPath: "/opt/atat/atst/crls"
+          volumes:
+            - name: atst-config
+              secret:
+                secretName: atst-config-ini
+                items:
+                - key: override.ini
+                  path: atst-overrides.ini
+                  mode: 0644
+            - name: crls-vol
+              persistentVolumeClaim:
+                claimName: crls-vol-claim