pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move k8s config dir to deploy dir

Browse Source
This commit is contained in:
dandds
2019-08-08 08:30:14 -04:00
parent 3558e23a5e
commit c100cc8d1f
32 changed files with 0 additions and 841 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
deploy/kubernetes/atst-configmap.yml → deploy/aws/atst-configmap.yml
View File

2
deploy/kubernetes/atst-envvars-configmap.yml → deploy/aws/atst-envvars-configmap.yml
View File

@@ -8,6 +8,6 @@ data:
TZ: UTC
FLASK_ENV: dev
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi-config.ini
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
CRL_STORAGE_PROVIDER: CLOUDFILES
LOG_JSON: "true"

78
deploy/aws/atst-nginx-configmap.yml Normal file
View File

@@ -0,0 +1,78 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-nginx
namespace: atat
data:
nginx-config: |-
server {
listen 8342;
server_name aws.atat.code.mil;
return 301 https://$host$request_uri;
}
server {
listen 8343;
server_name auth-aws.atat.code.mil;
return 301 https://$host$request_uri;
}
server {
server_name aws.atat.code.mil;
# access_log /var/log/nginx/access.log json;
listen 8442 ssl;
listen [::]:8442 ssl ipv6only=on;
ssl_certificate /etc/ssl/private/atat.crt;
ssl_certificate_key /etc/ssl/private/atat.key;
location /login-redirect {
return 301 https://auth-aws.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
location @appbasicauth {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
auth_basic "Developer Access";
auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
server {
# access_log /var/log/nginx/access.log json;
server_name auth-aws.atat.code.mil;
listen 8443 ssl;
listen [::]:8443 ssl ipv6only=on;
ssl_certificate /etc/ssl/private/atat.crt;
ssl_certificate_key /etc/ssl/private/atat.key;
# Request and validate client certificate
ssl_verify_client on;
ssl_verify_depth 10;
ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://aws.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}

0
deploy/kubernetes/atst-worker-envvars-configmap.yml → deploy/aws/atst-worker-envvars-configmap.yml
View File

144
deploy/kubernetes/atst.yml → deploy/aws/aws.yml
View File

@@ -15,7 +15,7 @@ spec:
selector:
matchLabels:
role: web
replicas: 2
replicas: 1
strategy:
type: RollingUpdate
template:
@@ -28,10 +28,10 @@ spec:
fsGroup: 101
containers:
- name: atst
image: registry.atat.code.mil:443/atst-prod:bf4eb235
image: 904153757533.dkr.ecr.us-east-2.amazonaws.com/atat:884d95ada21a5097f5c07f305d8e4e24d0f2a03f
resources:
requests:
memory: "2500Mi"
memory: "500Mi"
envFrom:
- configMapRef:
name: atst-envvars
@@ -42,40 +42,34 @@ spec:
- name: nginx-client-ca-bundle
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
subPath: client-ca-bundle.pem
- name: uwsgi-config
mountPath: "/opt/atat/atst/uwsgi-config.ini"
subPath: uwsgi-config.ini
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
- name: atst-nginx
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
- name: nginx
image: nginx:alpine
ports:
- containerPort: 8342
name: main-upgrade
- containerPort: 8442
name: http
name: main
- containerPort: 8343
name: auth-upgrade
- containerPort: 8443
name: https
name: auth
volumeMounts:
- name: nginx-auth-tls
mountPath: "/etc/ssl/private"
- name: nginx-client-ca-bundle
mountPath: "/etc/ssl/client-ca-bundle.pem"
subPath: client-ca-bundle.pem
- name: nginx-config
mountPath: "/etc/nginx/conf.d/atst.conf"
subPath: atst.conf
- name: nginx-config
mountPath: "/etc/nginx/conf.d/00json_log.conf"
subPath: 00json_log.conf
- name: nginx-dhparam
mountPath: "/etc/ssl/dhparam.pem"
subPath: dhparam.pem
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
- name: nginx-htpasswd
mountPath: "/etc/nginx/.htpasswd"
subPath: .htpasswd
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
imagePullSecrets:
- name: regcred
- name: tls
mountPath: "/etc/ssl/private"
- name: nginx-client-ca-bundle
mountPath: "/etc/ssl/"
volumes:
- name: atst-config
secret:
@@ -84,16 +78,6 @@ spec:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: nginx-auth-tls
secret:
secretName: auth-atst-ingress-tls
items:
- key: tls.crt
path: auth.atat.crt
mode: 0644
- key: tls.key
path: auth.atat.key
mode: 0640
- name: nginx-client-ca-bundle
secret:
secretName: nginx-client-ca-bundle
@@ -107,15 +91,9 @@ spec:
items:
- key: nginx-config
path: atst.conf
- key: nginx-json-log-config
path: 00json_log.conf
- name: nginx-dhparam
secret:
secretName: dhparam-4096
items:
- key: dhparam.pem
path: dhparam.pem
mode: 0640
- name: uwsgi-socket-dir
emptyDir:
medium: Memory
- name: nginx-htpasswd
secret:
secretName: atst-nginx-htpasswd
@@ -123,16 +101,19 @@ spec:
- key: htpasswd
path: .htpasswd
mode: 0640
- name: uwsgi-config
configMap:
name: atst-config
- name: tls
secret:
secretName: aws-atat-code-mil-tls
items:
- key: uwsgi-config
path: uwsgi-config.ini
- key: tls.crt
path: atat.crt
mode: 0644
- name: uwsgi-socket-dir
emptyDir:
medium: Memory
- key: tls.key
path: atat.key
mode: 0640
- name: crls-vol
persistentVolumeClaim:
claimName: efs
---
apiVersion: extensions/v1beta1
kind: Deployment
@@ -158,8 +139,13 @@ spec:
fsGroup: 101
containers:
- name: atst-worker
image: registry.atat.code.mil:443/atst-prod:bf4eb235
args: ["/bin/bash", "-c", "/opt/atat/atst/script/rq_worker"]
image: 904153757533.dkr.ecr.us-east-2.amazonaws.com/atat:884d95ada21a5097f5c07f305d8e4e24d0f2a03f
args: [
"/opt/atat/atst/.venv/bin/python",
"/opt/atat/atst/.venv/bin/flask",
"rq",
"worker"
]
resources:
requests:
memory: "500Mi"
@@ -172,8 +158,6 @@ spec:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
imagePullSecrets:
- name: regcred
volumes:
- name: atst-config
secret:
@@ -188,15 +172,21 @@ kind: Service
metadata:
labels:
app: atst
name: atst
name: atst-main
namespace: atat
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
ports:
- name: http
port: 80
- port: 80
targetPort: 8342
name: http
- port: 443
targetPort: 8442
name: https
selector:
role: web
type: LoadBalancer
---
apiVersion: v1
kind: Service
@@ -205,36 +195,16 @@ metadata:
app: atst
name: atst-auth
namespace: atat
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
type: NodePort
ports:
- name: https
protocol: TCP
nodePort: 32751
port: 8443
- port: 80
targetPort: 8343
name: http
- port: 443
targetPort: 8443
name: https
selector:
role: web
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: atst
namespace: atat
annotations:
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/proxy-body-size: 10m
spec:
tls:
- secretName: atst-ingress-tls
hosts:
- atat.code.mil
- www.atat.code.mil
rules:
- host: www.atat.code.mil
http:
paths:
- path: /
backend:
serviceName: atst
servicePort: 80
type: LoadBalancer

43
deploy/aws/crls-sync.yaml Normal file
View File

@@ -0,0 +1,43 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: crls
namespace: atat
spec:
schedule: "0 * * * *"
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: crls
image: 904153757533.dkr.ecr.us-east-2.amazonaws.com/atat:8f1c8b5633ca70168837c885010e7d66d93562dc
command: [
"/bin/sh", "-c"
]
args: [
"/opt/atat/atst/script/sync-crls",
]
envFrom:
- configMapRef:
name: atst-envvars
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: crls-vol
persistentVolumeClaim:
claimName: efs

66
deploy/aws/efs-rbac.yml Normal file
View File

@@ -0,0 +1,66 @@
# This can't be run without substituting the EFSID environment variable.
# from https://github.com/kubernetes-incubator/external-storage/blob/master/aws/efs/deploy/rbac.yaml
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: efs-provisioner
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: efs-provisioner-runner
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete", "describe"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "update", "patch"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: run-efs-provisioner
subjects:
- kind: ServiceAccount
name: efs-provisioner
# replace with namespace where provisioner is deployed
namespace: atat
roleRef:
kind: ClusterRole
name: efs-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: leader-locking-efs-provisioner
rules:
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: leader-locking-efs-provisioner
subjects:
- kind: ServiceAccount
name: efs-provisioner
# replace with namespace where provisioner is deployed
namespace: atat
roleRef:
kind: Role
name: leader-locking-efs-provisioner
apiGroup: rbac.authorization.k8s.io

80
deploy/aws/storage-class.yml Normal file
View File

@@ -0,0 +1,80 @@
# from https://github.com/kubernetes-incubator/external-storage/blob/master/aws/efs/deploy/manifest.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
name: efs-provisioner
data:
file.system.id: $EFSID
aws.region: us-east-2
provisioner.name: example.com/aws-efs
dns.name: $EFSID.efs.us-east-2.amazonaws.com
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: efs-provisioner
spec:
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app: efs-provisioner
spec:
serviceAccountName: efs-provisioner
containers:
- name: efs-provisioner
image: quay.io/external_storage/efs-provisioner:latest
env:
- name: FILE_SYSTEM_ID
valueFrom:
configMapKeyRef:
name: efs-provisioner
key: file.system.id
- name: AWS_REGION
valueFrom:
configMapKeyRef:
name: efs-provisioner
key: aws.region
- name: DNS_NAME
valueFrom:
configMapKeyRef:
name: efs-provisioner
key: dns.name
optional: true
- name: PROVISIONER_NAME
valueFrom:
configMapKeyRef:
name: efs-provisioner
key: provisioner.name
volumeMounts:
- name: pv-volume
mountPath: /persistentvolumes
volumes:
- name: pv-volume
nfs:
server: $EFSID.efs.us-east-2.amazonaws.com
path: /
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: aws-efs
provisioner: example.com/aws-efs
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: efs
annotations:
volume.beta.kubernetes.io/storage-class: "aws-efs"
spec:
accessModes:
- ReadWriteMany
storageClassName: aws-efs
resources:
requests:
storage: 1Mi
---

35
deploy/azure/atst-configmap.yml Normal file
View File

@@ -0,0 +1,35 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-config
namespace: atat
data:
uwsgi-config: |-
[uwsgi]
callable = app
module = app
socket = /var/run/uwsgi/uwsgi.socket
plugin = python3
plugin = logfile
virtualenv = /opt/atat/atst/.venv
chmod-socket = 666
; logger config
; application logs: log without modifying
logger = secondlogger stdio
log-route = secondlogger atst
log-encoder = format:secondlogger ${msg}
; default uWSGI messages (start, stop, etc.)
logger = default stdio
log-route = default ^((?!atst).)*$
log-encoder = json:default {"timestamp":"${strftime:%%FT%%T}","source":"uwsgi","severity":"DEBUG","message":"${msg}"}
log-encoder = nl
; uWSGI request logs
logger-req = stdio
log-format = request_id=%(var.HTTP_X_REQUEST_ID), pid=%(pid), remote_add=%(addr), request=%(method) %(uri), status=%(status), body_bytes_sent=%(rsize), referer=%(referer), user_agent=%(uagent), http_x_forwarded_for=%(var.HTTP_X_FORWARDED_FOR)
log-req-encoder = json {"timestamp":"${strftime:%%FT%%T}","source":"req","severity":"INFO","message":"${msg}"}
log-req-encoder = nl

13
deploy/azure/atst-envvars-configmap.yml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-envvars
namespace: atat
data:
TZ: UTC
FLASK_ENV: dev
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
CRL_STORAGE_PROVIDER: CLOUDFILES
LOG_JSON: "true"

78
deploy/azure/atst-nginx-configmap.yml Normal file
View File

@@ -0,0 +1,78 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-nginx
namespace: atat
data:
nginx-config: |-
server {
listen 8342;
server_name azure.atat.code.mil;
return 301 https://$host$request_uri;
}
server {
listen 8343;
server_name auth-azure.atat.code.mil;
return 301 https://$host$request_uri;
}
server {
server_name azure.atat.code.mil;
# access_log /var/log/nginx/access.log json;
listen 8442 ssl;
listen [::]:8442 ssl ipv6only=on;
ssl_certificate /etc/ssl/private/atat.crt;
ssl_certificate_key /etc/ssl/private/atat.key;
location /login-redirect {
return 301 https://auth-azure.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
location @appbasicauth {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
auth_basic "Developer Access";
auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
server {
# access_log /var/log/nginx/access.log json;
server_name auth-azure.atat.code.mil;
listen 8443 ssl;
listen [::]:8443 ssl ipv6only=on;
ssl_certificate /etc/ssl/private/atat.crt;
ssl_certificate_key /etc/ssl/private/atat.key;
# Request and validate client certificate
ssl_verify_client on;
ssl_verify_depth 10;
ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://azure.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}

10
deploy/azure/atst-worker-envvars-configmap.yml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-worker-envvars
namespace: atat
data:
TZ: UTC
DISABLE_CRL_CHECK: "True"
CRL_STORAGE_PROVIDER: CLOUDFILES

209
deploy/azure/azure.yml Normal file
View File

@@ -0,0 +1,209 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: atat
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: atst
name: atst
namespace: atat
spec:
selector:
matchLabels:
role: web
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: atst
role: web
spec:
securityContext:
fsGroup: 101
containers:
- name: atst
image: pwatat.azurecr.io/atat:884d95ada21a5097f5c07f305d8e4e24d0f2a03f
resources:
requests:
memory: "500Mi"
envFrom:
- configMapRef:
name: atst-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: nginx-client-ca-bundle
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
subPath: client-ca-bundle.pem
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
- name: nginx
image: nginx:alpine
ports:
- containerPort: 8342
name: main-upgrade
- containerPort: 8442
name: main
- containerPort: 8343
name: auth-upgrade
- containerPort: 8443
name: auth
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/atst.conf"
subPath: atst.conf
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
- name: nginx-htpasswd
mountPath: "/etc/nginx/.htpasswd"
subPath: .htpasswd
- name: tls
mountPath: "/etc/ssl/private"
- name: nginx-client-ca-bundle
mountPath: "/etc/ssl/"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: nginx-client-ca-bundle
secret:
secretName: nginx-client-ca-bundle
items:
- key: client-ca-bundle.pem
path: client-ca-bundle.pem
mode: 0666
- name: nginx-config
configMap:
name: atst-nginx
items:
- key: nginx-config
path: atst.conf
- name: uwsgi-socket-dir
emptyDir:
medium: Memory
- name: nginx-htpasswd
secret:
secretName: atst-nginx-htpasswd
items:
- key: htpasswd
path: .htpasswd
mode: 0640
- name: tls
secret:
secretName: azure-atat-code-mil-tls
items:
- key: tls.crt
path: atat.crt
mode: 0644
- key: tls.key
path: atat.key
mode: 0640
- name: crls-vol
persistentVolumeClaim:
claimName: crls-vol-claim
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: atst
name: atst-worker
namespace: atat
spec:
selector:
matchLabels:
role: worker
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: atst
role: worker
spec:
securityContext:
fsGroup: 101
containers:
- name: atst-worker
image: pwatat.azurecr.io/atat:884d95ada21a5097f5c07f305d8e4e24d0f2a03f
args: [
"/opt/atat/atst/.venv/bin/python",
"/opt/atat/atst/.venv/bin/flask",
"rq",
"worker"
]
resources:
requests:
memory: "500Mi"
envFrom:
- configMapRef:
name: atst-envvars
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
---
apiVersion: v1
kind: Service
metadata:
labels:
app: atst
name: atst-main
namespace: atat
spec:
loadBalancerIP: 13.92.235.6
ports:
- port: 80
targetPort: 8342
name: http
- port: 443
targetPort: 8442
name: https
selector:
role: web
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
labels:
app: atst
name: atst-auth
namespace: atat
spec:
loadBalancerIP: 23.100.24.41
ports:
- port: 80
targetPort: 8343
name: http
- port: 443
targetPort: 8443
name: https
selector:
role: web
type: LoadBalancer

43
deploy/azure/crls-sync.yaml Normal file
View File

@@ -0,0 +1,43 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: crls
namespace: atat
spec:
schedule: "0 * * * *"
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: crls
image: pwatat.azurecr.io/atat:8f1c8b5633ca70168837c885010e7d66d93562dc
command: [
"/bin/sh", "-c"
]
args: [
"/opt/atat/atst/script/sync-crls",
]
envFrom:
- configMapRef:
name: atst-envvars
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: crls-vol
persistentVolumeClaim:
claimName: crls-vol-claim

46
deploy/azure/storage-class.yml Normal file
View File

@@ -0,0 +1,46 @@
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: azurefile
provisioner: kubernetes.io/azure-file
mountOptions:
- dir_mode=0777
- file_mode=0777
- uid=1000
- gid=1000
parameters:
skuName: Standard_LRS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:azure-cloud-provider
rules:
- apiGroups: ['']
resources: ['secrets']
verbs: ['get','create']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:azure-cloud-provider
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: system:azure-cloud-provider
subjects:
- kind: ServiceAccount
name: persistent-volume-binder
namespace: kube-system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: crls-vol-claim
spec:
accessModes:
- ReadWriteMany
storageClassName: azurefile
resources:
requests:
storage: 1Gi

24
deploy/docker/sample.nginx.conf
View File

@@ -1,24 +0,0 @@
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}

81
deploy/kubernetes/README.md
View File

@@ -1,81 +0,0 @@
# Adding a New Environment
## New Config
Add a new subfolder to this directory. You can copy `uat` or `tests`. You'll need to change any references to the previous environment name (i.e., `uat`) to your new environment name. This includes things like the k8s namespace and the subdomain for the new site.
## New Load Balancers
You need two new load balancers. Currently, these are managed in Rackspace. You will need one for the regular site and one for the auth domain. They should have all of the Kubernetes worker nodes attached. When attached to the LB for the main site domain, the nodes should point to port 32761, which is the port where all our NGINX ingress is managed. The auth LB nodes should point to a new port in the 32700 - 32799 range. The `nodePort` specified in your new environment's config should match this port.
## Initially Apply the New Config
Apply your new environment config to create the namespace. Pod creation will fail at this point.
```
kubectl -n my-new-env apply -f deploy/kubernetes/my-new-env/
```
## Create New Secrets
You should then copy and duplicate the secrets from another environment.
### Adjust the INI Config for the New Site
You can duplicate the override.ini file from one of the existing sites. For instance, to get the `atst-config-ini` secret for the UAT env:
```
kubectl -n atat-uat get secret atst-config-ini -o yaml > uat-secrets.yml
```
You can copy the base64 secret content from the `uat-secrets.yml` file. Decode it into a new `override.ini` file:
```
echo '[Paste in the long base64 string here]' | base64 --decode > override.ini
```
Edit and adjust the application config as needed for your new site. Then add it as a secret:
```
kubectl -n my-new-env create secret generic atst-config-ini --from-file=override.ini
```
### Add a New htpasswd
Create a new htpasswd to protect the dev login of the new site:
```
htpasswd -c htpasswd atat
```
You'll be prompted for the new password. Then add it as a secret:
```
kubectl -n my-new-env create secret generic atst-nginx-htpasswd --from-file=htpasswd
```
### Duplicate the Rest
You should also the `dhparam-4096` and `nginx-client-ca-bundle` secrets. These can be copied from an existing environment to yours without any changes. The TLS secrets and token will be handled by another service.
## Disable SSL
In order for [kube-lego](https://github.com/jetstack/kube-lego) to generate new certs for your site, you have to temporarily disable SSL for your new load balancers.
For both your LBs, set them to use HTTP/80. Delete the attached nodes for both and re-add them, setting them to use port 32760. This will allow kube-lego to do its job.
To monitor the process, find the pod ID for the kube-lego worker. To find it, look in the output for:
```
kubectl -n kube-system get all
```
Then once you know the pod name:
```
kubectl -n kube-system --kubeconfig ~/.kube/atat log kube-lego-b96b7bc5c-9fmcv -f --tail=10
```
You will see output about kube-lego attempts to create certs for your new site.
Once kube-lego is successful, you should restore your load balancers to the config they had initially. Additionally, you should enable HTTPS redirects.

38
deploy/kubernetes/atst-check-deploy.sh
View File

@@ -1,38 +0,0 @@
#!/usr/bin/env bash
#
set -o pipefail
set -o errexit
set -o nounset
# Decode and save the K8S CA cert
echo "${K8S_CA_CRT}" | base64 -d - > "${HOME}/k8s_ca.crt"
# Setup the local kubectl client
kubectl config set-context atst-deployer \
--cluster=atat-cluster \
--user=atat-deployer \
--namespace=atat
kubectl config set-cluster atat-cluster \
--embed-certs=true \
--server="${K8S_ENDPOINT}" \
--certificate-authority="${HOME}/k8s_ca.crt"
kubectl config set-credentials atat-deployer --token="$(echo ${K8S_USER_TOKEN} | base64 -d -)"
kubectl config use-context atst-deployer
kubectl config current-context
echo
echo "Current ATST Deployment Details:"
kubectl -n atat get deployment.apps/atst -o yaml
# Remove the K8S CA file when the script exits
function cleanup {
printf "Cleaning up...\n"
rm -vf "${HOME}/k8s_ca.crt"
printf "Cleaning done."
}
trap cleanup EXIT

126
deploy/kubernetes/atst-debugger.yml
View File

@@ -1,126 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
labels:
app: atst-debugger
name: atst-debugger-v1
namespace: atat
spec:
securityContext:
fsGroup: 101
containers:
- name: atst
image: registry.atat.code.mil:443/atst-prod:6329f8e
args: ["/bin/bash", "-c", "while true; do date; sleep 45; done"]
envFrom:
- configMapRef:
name: atst-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: nginx-client-ca-bundle
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
subPath: client-ca-bundle.pem
- name: uwsgi-config
mountPath: "/opt/atat/atst/uwsgi-config.ini"
subPath: uwsgi-config.ini
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
- name: atst-nginx
image: nginx:alpine
ports:
- containerPort: 8442
name: http
- containerPort: 8443
name: https
volumeMounts:
- name: nginx-auth-tls
mountPath: "/etc/ssl/private"
- name: nginx-client-ca-bundle
mountPath: "/etc/ssl/client-ca-bundle.pem"
subPath: client-ca-bundle.pem
- name: nginx-config
mountPath: "/etc/nginx/conf.d/atst.conf"
subPath: atst.conf
- name: nginx-dhparam
mountPath: "/etc/ssl/dhparam.pem"
subPath: dhparam.pem
- name: nginx-htpasswd
mountPath: "/etc/nginx/.htpasswd"
subPath: .htpasswd
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
imagePullSecrets:
- name: regcred
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: nginx-auth-tls
secret:
secretName: auth-atst-ingress-tls
items:
- key: tls.crt
path: auth.atat.crt
mode: 0644
- key: tls.key
path: auth.atat.key
mode: 0640
- name: nginx-client-ca-bundle
secret:
secretName: nginx-client-ca-bundle
items:
- key: client-ca-bundle.pem
path: client-ca-bundle.pem
mode: 0666
- name: nginx-config
configMap:
name: atst-nginx
items:
- key: nginx-config
path: atst.conf
- name: nginx-dhparam
secret:
secretName: dhparam-4096
items:
- key: dhparam.pem
path: dhparam.pem
mode: 0640
- name: nginx-htpasswd
secret:
secretName: atst-nginx-htpasswd
items:
- key: htpasswd
path: .htpasswd
mode: 0640
- name: uwsgi-config
configMap:
name: atst-config
items:
- key: uwsgi-config
path: uwsgi-config.ini
mode: 0644
- name: uwsgi-socket-dir
emptyDir:
medium: Memory
restartPolicy: Never
---
apiVersion: v1
kind: Service
metadata:
labels:
app: atst-debugger
name: atst-debugger
namespace: atat
spec:
ports:
- name: http
port: 80
targetPort: 8442
selector:
app: atst-debugger

41
deploy/kubernetes/atst-deployer.yml
View File

@@ -1,41 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: atat-deployer
namespace: atat
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: atat
name: atat-deploy-role
rules:
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["extensions", "apps"]
resources: ["ingresses"]
verbs: ["get", "create", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: atst-role-binding
namespace: atat
subjects:
- kind: ServiceAccount
name: atat-deployer
namespace: atat
- kind: ServiceAccount
name: atat-deployer
namespace: atat-test
roleRef:
kind: Role
name: atat-deploy-role
apiGroup: rbac.authorization.k8s.io

99
deploy/kubernetes/atst-nginx-configmap.yml
View File

@@ -1,99 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-nginx
namespace: atat
data:
nginx-config: |-
server {
server_name www.atat.code.mil atat.code.mil;
access_log /var/log/nginx/access.log json;
listen 8442;
listen [::]:8442 ipv6only=on;
if ($http_x_forwarded_proto != 'https') {
return 301 https://$host$request_uri;
}
location /login-redirect {
return 301 https://auth.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
location @appbasicauth {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
auth_basic "Developer Access";
auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
server {
access_log /var/log/nginx/access.log json;
server_name auth.atat.code.mil;
listen 8443 ssl;
listen [::]:8443 ssl ipv6only=on;
# SSL server certificate and private key
ssl_certificate /etc/ssl/private/auth.atat.crt;
ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate
ssl_verify_client on;
ssl_verify_depth 10;
ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://www.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
nginx-json-log-config: |-
log_format json escape=json
'{'
'"timestamp":"$time_iso8601",'
'"msec":"$msec",'
'"request_id":"$request_id",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status":$status,'
'"body_bytes_sent":$body_bytes_sent,'
'"referer":"$http_referer",'
'"user_agent":"$http_user_agent",'
'"http_x_forwarded_for":"$http_x_forwarded_for"'
'}';

54
deploy/kubernetes/atst-reset-sample-data.sh
View File

@@ -1,54 +0,0 @@
#!/usr/bin/env bash
#
# deploy/kubernetes/atst-update-deploy.sh: Resets the sample data on the target
# environment.
set -o pipefail
set -o errexit
set -o nounset
# set -o xtrace
# Config
MAX_DEPLOY_WAIT='300'
if [[ $# -eq 0 ]]; then
NAMESPACE=atat
else
NAMESPACE=$1
fi
# Remove the K8S CA file when the script exits
function cleanup {
printf "Cleaning up...\n"
rm -vf "${HOME}/k8s_ca.crt"
printf "Cleaning done."
}
trap cleanup EXIT
# Decode and save the K8S CA cert
echo "${K8S_CA_CRT}" | base64 -d - > "${HOME}/k8s_ca.crt"
# Setup the local kubectl client
kubectl config set-context atst-deployer \
--cluster=atat-cluster \
--user=atat-deployer \
--namespace=${NAMESPACE}
kubectl config set-cluster atat-cluster \
--embed-certs=true \
--server="${K8S_ENDPOINT}" \
--certificate-authority="${HOME}/k8s_ca.crt"
kubectl config set-credentials atat-deployer --token="$(echo ${K8S_USER_TOKEN} | base64 -d -)"
kubectl config use-context atst-deployer
kubectl config current-context
# we only need to run these commands against one existing pod
ATST_POD=$(kubectl -n ${NAMESPACE} get pods -l app=atst -o custom-columns=NAME:.metadata.name --no-headers | sed -n 1p)
# echo "kubectl -n ${NAMESPACE} exec ${ATST_POD} -- pipenv run python script/remove_sample_data.py"
echo "removing sample data on pod ${ATST_POD}"
kubectl -n ${NAMESPACE} exec ${ATST_POD} -- pipenv run python script/remove_sample_data.py
echo "seeding sample data on pod ${ATST_POD}"
kubectl -n ${NAMESPACE} exec ${ATST_POD} -- pipenv run python script/seed_sample.py

64
deploy/kubernetes/atst-update-deploy.sh
View File

@@ -1,64 +0,0 @@
#!/usr/bin/env bash
#
# deploy/kubernetes/atst-update-deploy.sh: Updates the existing ATST deployment
# with a new source image
set -o pipefail
set -o errexit
set -o nounset
# set -o xtrace
# Config
MAX_DEPLOY_WAIT='300'
if [[ $# -eq 0 ]]; then
NAMESPACE=atat
else
NAMESPACE=$1
fi
if [ "${IMAGE_NAME}x" = "x" ]
then
IMAGE_NAME="${ATAT_DOCKER_REGISTRY_URL}/${PROD_IMAGE_NAME}:${GIT_SHA}"
fi
# Remove the K8S CA file when the script exits
function cleanup {
printf "Cleaning up...\n"
rm -vf "${HOME}/k8s_ca.crt"
printf "Cleaning done."
}
trap cleanup EXIT
# Decode and save the K8S CA cert
echo "${K8S_CA_CRT}" | base64 -d - > "${HOME}/k8s_ca.crt"
# Setup the local kubectl client
kubectl config set-context atst-deployer \
--cluster=atat-cluster \
--user=atat-deployer \
--namespace=${NAMESPACE}
kubectl config set-cluster atat-cluster \
--embed-certs=true \
--server="${K8S_ENDPOINT}" \
--certificate-authority="${HOME}/k8s_ca.crt"
kubectl config set-credentials atat-deployer --token="$(echo ${K8S_USER_TOKEN} | base64 -d -)"
kubectl config use-context atst-deployer
kubectl config current-context
# Update the ATST deployment
kubectl -n ${NAMESPACE} set image deployment.apps/atst atst="${IMAGE_NAME}"
kubectl -n ${NAMESPACE} set image deployment.apps/atst-worker atst-worker="${IMAGE_NAME}"
# Wait for deployment to finish
if ! timeout -t "${MAX_DEPLOY_WAIT}" -s INT kubectl -n ${NAMESPACE} rollout status deployment/atst
then
# Deploy did not finish before max wait time; abort and rollback the deploy
kubectl -n ${NAMESPACE} rollout undo deployment/atst
kubectl -n ${NAMESPACE} rollout undo deployment/atst-worker
# Exit with a non-zero return code
exit 2
fi

4
deploy/kubernetes/set_atstconfig_secret.sh
View File

@@ -1,4 +0,0 @@
#!/bin/bash
kubectl -n atat delete secret atst-config-ini
kubectl -n atat create secret generic atst-config-ini --from-file="${1}"

4
deploy/kubernetes/set_clientca_secret.sh
View File

@@ -1,4 +0,0 @@
#!/bin/bash
kubectl -n atat delete secret atst-config-ini
kubectl -n atat create secret generic nginx-client-ca-bundle --from-file="${1}"

4
deploy/kubernetes/set_dhparam_secret.sh
View File

@@ -1,4 +0,0 @@
#!/bin/bash
kubectl -n atat delete secret dhparam-4096
kubectl -n atat create secret generic dhparam-4096 --from-file="${1}"

4
deploy/kubernetes/set_htpasswd_secret.sh
View File

@@ -1,4 +0,0 @@
#!/bin/bash
kubectl -n atat delete secret atst-nginx-htpasswd
kubectl -n atat create secret generic atst-nginx-htpasswd --from-file="${1}"

42
deploy/shared/migration.yaml Normal file
View File

@@ -0,0 +1,42 @@
apiVersion: batch/v1
kind: Job
metadata:
name: migration
namespace: atat
spec:
ttlSecondsAfterFinished: 100
backoffLimit: 2
template:
spec:
containers:
- name: migration
image: $CONTAINER_IMAGE
command: [
"/bin/sh", "-c"
]
args:
- |
/opt/atat/atst/.venv/bin/python \
/opt/atat/atst/.venv/bin/alembic \
upgrade head \
&& \
/opt/atat/atst/.venv/bin/python \
/opt/atat/atst/script/seed_roles.py
envFrom:
- configMapRef:
name: atst-envvars
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
restartPolicy: Never