From ba432e8891910a7d0a9de8e48cdb2fa4b90bcd9f Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Thu, 5 Jul 2018 17:56:14 -0400 Subject: [PATCH 01/50] Add initial kubernetes test file --- kubernetes/atst.yml | 67 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 kubernetes/atst.yml diff --git a/kubernetes/atst.yml b/kubernetes/atst.yml new file mode 100644 index 00000000..94743aec --- /dev/null +++ b/kubernetes/atst.yml @@ -0,0 +1,67 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: atat +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + labels: + app: atst + name: atst + namespace: atat +spec: + replicas: 1 + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: atst + spec: + containers: + - name: atst + image: registry.atat.codes:443/atst-prod:c06b0f6 + ports: + - containerPort: 8000 + imagePullSecrets: + - name: regcred +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: atst + name: atst + namespace: atat +spec: + ports: + - name: "80" + port: 80 + targetPort: 8000 + selector: + app: atst +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: atst + namespace: atat + annotations: + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/proxy-body-size: 10m +spec: + tls: + - hosts: + - www.atat.codes + secretName: atst-ingress-tls + rules: + - host: www.atat.codes + http: + paths: + - path: / + backend: + serviceName: atst + servicePort: 80 From c756afec8e03ef9d389b077166a04522d651b3bd Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 25 Jul 2018 10:44:53 -0400 Subject: [PATCH 02/50] Move kubernetes directory --- {kubernetes => deploy/kubernetes}/atst.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {kubernetes => deploy/kubernetes}/atst.yml (100%) 
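Review bot: The `atst` Deployment in the new kubernetes/atst.yml has no `resources` requests or limits, no `readinessProbe`/`livenessProbe` and no pod-level `securityContext`, so `RollingUpdate` has nothing to wait on before shifting traffic and a misbehaving replica can starve its node. Add at least a readiness probe on the container and `securityContext: {runAsNonRoot: true}` on the pod spec, with `resources.limits` once the footprint is known. The image is pinned by a short mutable tag (`atst-prod:c06b0f6`); pin by digest (`image: registry.atat.codes:443/atst-prod@sha256:<digest>`) so a rollout is reproducible and auditable. `apps/v1` has been GA for Deployment since Kubernetes 1.9, so a new manifest should not start on `extensions/v1beta1`.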
diff --git a/kubernetes/atst.yml b/deploy/kubernetes/atst.yml similarity index 100% rename from kubernetes/atst.yml rename to deploy/kubernetes/atst.yml From 87f3c1117ed02a58be98ee304aaf0dba0afd4a06 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Fri, 27 Jul 2018 10:55:56 -0400 Subject: [PATCH 03/50] Add second ingress for atst that is passthrough Used for CAC auth so SSL termination and client cert validation can be done by the app --- deploy/kubernetes/atst.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 94743aec..c7152663 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -65,3 +65,21 @@ spec: backend: serviceName: atst servicePort: 80 +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: atst-cac + namespace: atat + annotations: + nginx.ingress.kubernetes.io/proxy-body-size: 10m + ingress.kubernetes.io/ssl-passthrough: "true" +spec: + rules: + - host: cac.atat.codes + http: + paths: + - path: / + backend: + serviceName: atst + servicePort: 443 From 91d56fff0e982c8d696ed6dc9fcfe91533b5f234 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Mon, 6 Aug 2018 11:15:19 -0400 Subject: [PATCH 04/50] Switch client cert checking subdomain to auth (from cac) --- deploy/kubernetes/atst.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index c7152663..33c0f6eb 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -67,16 +67,17 @@ spec: servicePort: 80 --- apiVersion: extensions/v1beta1 +apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: atst-cac + name: atst-auth namespace: atat annotations: nginx.ingress.kubernetes.io/proxy-body-size: 10m ingress.kubernetes.io/ssl-passthrough: "true" spec: rules: - - host: cac.atat.codes + - host: auth.atat.codes http: paths: - path: / 
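Review bot: The new `atst-cac` Ingress points its backend at `servicePort: 443`, but the `atst` Service as of this commit exposes only the port named "80" (80 → 8000), so the backend cannot resolve until the Service gains a 443 port. The annotation block mixes prefixes — `ingress.kubernetes.io/ssl-passthrough` next to `nginx.ingress.kubernetes.io/proxy-body-size`; ingress-nginx reads the `nginx.ingress.kubernetes.io/` prefix, so use `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` and add a comment that the controller must run with `--enable-ssl-passthrough` or the annotation has no effect. Unlike the first Ingress this one carries no `kubernetes.io/ingress.class` annotation, so it would be claimed by whichever controller is the cluster default rather than the nginx one the passthrough annotation assumes.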
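Review bot: A duplicate `apiVersion: extensions/v1beta1` key is introduced in the `atst-auth` Ingress — the existing line is kept as context and an identical `+` line is added directly beneath it, which is what the diffstat's third insertion is. Depending on the YAML loader a duplicate mapping key is either rejected or silently resolved last-wins, and it is noise in the manifest either way; drop the added line. The `cac` → `auth` rename is otherwise consistent between `metadata.name` and `rules[0].host`.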
From ea853a7b28834da5d6cc24c8d9a08d07db5dfd90 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 10:51:24 -0400 Subject: [PATCH 05/50] Add configmap for ATST settings and env vars --- deploy/kubernetes/atst-configmap.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 deploy/kubernetes/atst-configmap.yml diff --git a/deploy/kubernetes/atst-configmap.yml b/deploy/kubernetes/atst-configmap.yml new file mode 100644 index 00000000..4953bfe9 --- /dev/null +++ b/deploy/kubernetes/atst-configmap.yml @@ -0,0 +1,22 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: atst-config + namespace: atat +data: + uwsgi-config: |- + [uwsgi] + module = main + callable = app + socket = /var/run/uwsgi/uwsgi.socket + plugins = python3 + atst-config: |- + [default] + CAC_URL=https://auth.atat.codes + COOKIE_SECRET=a12c87558f85566f846ea53fd3f1611dd207d71677966d4d04a8e59d4d8c6737 + ENVIRONMENT=production + PGHOST=postgres-master.atat.svc.cluster.local + REDIS_URI=redis://redis-master.atat.svc.cluster.local:6379 + SECRET=92d2ef2aedf518e1e04a2a99445e6649539a91f06c977f3d69980c63e4e0fb45 + SECRET_KEY=beb178f9e4e83066ec0baa471cea36151f26bd3779902ae2c24eb5bb66e28c15 From 9262c0f346198375d0dc7cf775c8801c627e22d7 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 10:51:55 -0400 Subject: [PATCH 06/50] Add configmap for nginx settings and config --- deploy/kubernetes/atst-nginx-configmap.yml | 73 ++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 deploy/kubernetes/atst-nginx-configmap.yml diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml new file mode 100644 index 00000000..47b6d5b0 --- /dev/null +++ b/deploy/kubernetes/atst-nginx-configmap.yml 
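Review bot: `COOKIE_SECRET`, `SECRET` and `SECRET_KEY` in the `atst-config` block are live signing secrets placed in a ConfigMap and committed to the repository, which hands the session-signing material to anyone with read access to the repo or to ConfigMaps in the namespace. Keep only non-sensitive settings (`ENVIRONMENT`, `PGHOST`, `REDIS_URI`, `CAC_URL`) here and load the secret values from a Kubernetes Secret created out of band. Once a value has been pushed it stays in git history, so these three should be rotated regardless of where they are moved. A comment on the key would stop this recurring: `# non-secret overrides only; credentials are supplied via a Secret, never committed here`.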
@@ -0,0 +1,73 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: atst-nginx + namespace: atat +data: + htpasswd: | + atat:$apr1$D9ZQ6.AS$BwgIHxTMbRQsv4LbbAGAT/ + nginx-config: |- + server { + server_name www.atat.codes atat.codes; + listen 80 http2; + #if ($http_x_forwarded_proto != 'https') { + # return 301 https://$host$request_uri; + #} + location /login-dev { + auth_basic "Developer Access"; + auth_basic_user_file /etc/nginx/.htpasswd; + try_files $uri @app; + } + location / { + try_files $uri @app; + } + location @app { + include uwsgi_params; + uwsgi_pass unix:///var/run/atst_uwsgi.sock; + } + } + server { + server_name auth.atat.codes; + listen 443 ssl http2; + listen [::]:443 ssl http2 ipv6only=on; + # SSL server certificate and private key + ssl_certificate /etc/ssl/private/auth.atat.crt + ssl_certificate_key /etc/ssl/private/auth.atat.key + # Set SSL protocols, ciphers, and related options + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_ecdh_curve secp384r1; + ssl_dhparam /etc/ssl/dhparam.pem; + # SSL session options + ssl_session_timeout 4h; + ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions + ssl_session_tickets off; + # OCSP Stapling + ssl_stapling on; + ssl_stapling_verify on; + resolver 8.8.8.8 8.8.4.4; + # Request and validate client certificate + #ssl_verify_client on; + #ssl_verify_depth 10; + #ssl_client_certificate /etc/nginx/ssl/ca/client-ca.pem; + # Guard against HTTPS -> HTTP downgrade + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; + location / { + return 301 https://www.atat.codes$request_uri; + } + location /login-redirect { + try_files $uri @app; + } + location @app { + 
include uwsgi_params; + uwsgi_pass unix:///var/run/atst_uwsgi.sock; + uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; + uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; + uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; + uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy; + uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn; + uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy; + } + } From d7cf09decc37dc69a7bcd47d59af7bf7ff646a00 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 10:52:19 -0400 Subject: [PATCH 07/50] Add helperscript showing dhparam secret creation --- deploy/kubernetes/create_secret.sh | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 deploy/kubernetes/create_secret.sh diff --git a/deploy/kubernetes/create_secret.sh b/deploy/kubernetes/create_secret.sh new file mode 100644 index 00000000..90ab3552 --- /dev/null +++ b/deploy/kubernetes/create_secret.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +kubectl -n atat create secret generic dhparam-4096 --from-file=./dhparam.pem From 2369d839e49d231743489f9c772cc24f0c362b09 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 10:53:19 -0400 Subject: [PATCH 08/50] Add nginx container and volume mounts --- deploy/kubernetes/atst.yml | 71 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 68 insertions(+), 3 deletions(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 33c0f6eb..9591db2a 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml 
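Review bot: The `@app` block of the `auth.atat.codes` server forwards `$ssl_client_verify` and the client-cert DN values to the app as `HTTP_X_SSL_CLIENT_*` uwsgi params, but the plaintext `www.atat.codes` server on port 80 passes requests to the same socket with only `include uwsgi_params`, where a request header named `X-SSL-Client-Verify` (or the cert/DN ones) is forwarded under exactly the same `HTTP_X_SSL_CLIENT_*` names. If the app treats `HTTP_X_SSL_CLIENT_VERIFY` as authoritative, the www `@app` location must neutralise those names — `uwsgi_param HTTP_X_SSL_CLIENT_VERIFY "";` and likewise for the other five — or the app must accept them only from the auth vhost. In `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";` the `always` flag sits inside the quoted value, so it is sent as part of the header instead of being applied as nginx's always-flag; move it outside the quotes. The `htpasswd` entry is an `$apr1$` (MD5-crypt) hash committed to the repo guarding `/login-dev` in production; prefer a bcrypt hash generated out of band and delivered as a Secret rather than ConfigMap data.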
@@ -23,10 +23,72 @@ spec: containers: - name: atst image: registry.atat.codes:443/atst-prod:c06b0f6 + volumeMounts: + - name: atst-config + mountPath: "/opt/atat" + - name: uswgi-socket-dir + mountPath: "/var/run/uwsgi" + - name: atst-nginx + image: nginx:alpine ports: - - containerPort: 8000 + - containerPort: 8080 + name: http + - containerPort: 8443 + name: http + volumeMounts: + - name: nginx-auth-tls + mountPath: "/etc/ssl/private" + - name: nginx-config + mountPath: "/etc/nginx/conf.d" + - name: nginx-dhparam + mountPath: "/etc/ssl" + - name: nginx-htpasswd + mountPath: "/etc/nginx" + - name: uswgi-socket-dir + mountPath: "/var/run/uwsgi" imagePullSecrets: - name: regcred + volumes: + - name: atst-config + configMap: + name: atst + items: + - key: atst-config + path: atst-overrides.ini + mode: 0644 + - name: nginx-auth-tls + secret: + secretName: auth-atst-ingress-tls + items: + - key: tls.crt + path: auth.atat.crt + mode: 0644 + - key: tls.key + path: auth.atat.crt + mode: 0640 + - name: nginx-config + configMap: + name: atst-nginx + items: + - key: nginx-config + path: atst.conf + - name: nginx-dhparam + secret: + secretName: dhparam-4096 + items: + - key: dhparam.pem + path: dhparam.pem + mode: 0640 + - name: nginx-htpasswd + configMap: + name: atst-nginx + items: + - key: httpasswd + path: .htpasswd + mode: 0640 + - name: uswgi-socket-dir + emptyDir: + medium: Memory --- apiVersion: v1 kind: Service @@ -37,9 +99,12 @@ metadata: namespace: atat spec: ports: - - name: "80" + - name: "http" port: 80 - targetPort: 8000 + targetPort: 8080 + - name: "https" + port: 443 + targetPort: 8443 selector: app: atst --- From 525a629993c1c0a71db510c8f67e9c40409a9367 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 10:58:01 -0400 Subject: [PATCH 09/50] Copy over virtualenv but not deploy dir --- .dockerignore | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.dockerignore b/.dockerignore index e9ff2bac..8bad9296 100644 
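Review bot: Both ports of the new `atst-nginx` container are named `http` (`containerPort: 8080` and `8443`); port names within a container must be unique, so the API server rejects this Deployment as written — name the second `https`. The sidecar uses the floating `nginx:alpine` tag, which changes under you on each pull; pin a release or digest so rollbacks and security review have a known binary. Mounting `nginx-htpasswd` at `/etc/nginx` and `nginx-dhparam` at `/etc/ssl` replaces those whole directories with the volume contents, hiding the image's `nginx.conf`, `mime.types` and the system CA bundle; these are single-key volumes, so mount each file with `subPath`. The `tls.key` item is written to `path: auth.atat.crt`, the same filename as the certificate, so the private key collides with the cert instead of landing at the `auth.atat.key` the nginx config expects.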
--- a/.dockerignore +++ b/.dockerignore @@ -16,12 +16,14 @@ log/* LICENSE *.md -# Skip pipenv/virtualenv related things +# Skip envrc .envrc -.venv # Skip ansible-container stuff ansible* container.yml meta.yml requirements.yml + +# Skip kubernetes and Docker config stuff +deploy From 319ac897a72819efb53c043bf3f3fec6f0097465 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 10:58:24 -0400 Subject: [PATCH 10/50] Update entry to launch uwsgi server --- deploy/docker/prod/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/docker/prod/Dockerfile b/deploy/docker/prod/Dockerfile index ea4bdbcc..cad745fa 100644 --- a/deploy/docker/prod/Dockerfile +++ b/deploy/docker/prod/Dockerfile @@ -21,7 +21,7 @@ EXPOSE "${APP_PORT}" ENTRYPOINT ["/usr/bin/dumb-init", "--"] # Default command is to launch the server -CMD ["bash", "-c", "${APP_DIR}/script/server"] +CMD ["bash", "-c", "${APP_DIR}/script/uwsgi_server"] ### Items that will change almost every build ############################################# From cffb99ca2aae020aead15a3ad1b50d2fd10d4cd3 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 11:00:12 -0400 Subject: [PATCH 11/50] Update to latest scriptz master --- script/include | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/include b/script/include index 8cf96c97..7b768d8e 160000 --- a/script/include +++ b/script/include @@ -1 +1 @@ -Subproject commit 8cf96c9776e7fd73c11d57160d26fc1715bf00da +Subproject commit 7b768d8e19f1b475553eecbb280b318ebf85a66c From f17fe77e4d76835c91a5e8cab1932fee0f83a005 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 11:41:20 -0400 Subject: [PATCH 12/50] Rearrange keys (alpha) --- deploy/kubernetes/atst-configmap.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy/kubernetes/atst-configmap.yml b/deploy/kubernetes/atst-configmap.yml index 4953bfe9..21049ee6 100644 --- a/deploy/kubernetes/atst-configmap.yml 
+++ b/deploy/kubernetes/atst-configmap.yml @@ -5,12 +5,6 @@ metadata: name: atst-config namespace: atat data: - uwsgi-config: |- - [uwsgi] - module = main - callable = app - socket = /var/run/uwsgi/uwsgi.socket - plugins = python3 atst-config: |- [default] CAC_URL=https://auth.atat.codes @@ -20,3 +14,9 @@ data: REDIS_URI=redis://redis-master.atat.svc.cluster.local:6379 SECRET=92d2ef2aedf518e1e04a2a99445e6649539a91f06c977f3d69980c63e4e0fb45 SECRET_KEY=beb178f9e4e83066ec0baa471cea36151f26bd3779902ae2c24eb5bb66e28c15 + uwsgi-config: |- + [uwsgi] + module = main + callable = app + socket = /var/run/uwsgi/uwsgi.socket + plugins = python3 From 2eeb492c5ca7f15c1fcede5665a647bc13e33bdc Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 11:42:51 -0400 Subject: [PATCH 13/50] Fix types; add uwsgi config; add env vars --- deploy/kubernetes/atst.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 9591db2a..8918bb59 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -23,10 +23,15 @@ spec: containers: - name: atst image: registry.atat.codes:443/atst-prod:c06b0f6 + envFrom: + - configMapRef: + name: atst-envvars volumeMounts: - name: atst-config - mountPath: "/opt/atat" - - name: uswgi-socket-dir + mountPath: "/opt/atat/atst" + - name: uwsgi-config + mountPath: "/opt/atat/atst" + - name: uwsgi-socket-dir mountPath: "/var/run/uwsgi" - name: atst-nginx image: nginx:alpine @@ -44,7 +49,7 @@ spec: mountPath: "/etc/ssl" - name: nginx-htpasswd mountPath: "/etc/nginx" - - name: uswgi-socket-dir + - name: uwsgi-socket-dir mountPath: "/var/run/uwsgi" imagePullSecrets: - name: regcred 
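Review bot: `atst-config` and `uwsgi-config` are both mounted at `mountPath: "/opt/atat/atst"` in the `atst` container; mount paths within a container must be unique, so validation rejects this, and even if accepted the second mount would hide the first and the application checkout beneath them. Mount each file individually — `mountPath: /opt/atat/atst/atst-overrides.ini` with `subPath: atst-overrides.ini`, and the same for `uwsgi-config.ini` — so `/opt/atat/atst` stays visible. `envFrom` now references an `atst-envvars` ConfigMap that is only introduced in the following patch, so apply order matters or the pod sits in `CreateContainerConfigError`.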
@@ -86,7 +91,14 @@ spec: - key: httpasswd path: .htpasswd mode: 0640 - - name: uswgi-socket-dir + - name: uwsgi-config + configMap: + name: atst-config + items: + - key: uwsgi-config + path: uwsgi-config.ini + mode: 0644 + - name: uwsgi-socket-dir emptyDir: medium: Memory --- From a86eb405ead72c924565a404dfe073dce505b72b Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 11:43:33 -0400 Subject: [PATCH 14/50] Add configmap for atst env vars --- deploy/kubernetes/atst-envvars-configmap.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 deploy/kubernetes/atst-envvars-configmap.yml diff --git a/deploy/kubernetes/atst-envvars-configmap.yml b/deploy/kubernetes/atst-envvars-configmap.yml new file mode 100644 index 00000000..7e6df66c --- /dev/null +++ b/deploy/kubernetes/atst-envvars-configmap.yml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: atst-envvars + namespace: atat +data: + OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst-overrides.ini + UWSGI_CONFIG_FULLPATH: /opt/atat/uwsgi-config.ini From f0a84ceb8ab2262785110f7fe1a7366502dc8e80 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 11:44:38 -0400 Subject: [PATCH 15/50] Add postgres client libs to containers --- script/alpine_setup | 3 +++ 1 file changed, 3 insertions(+) diff --git a/script/alpine_setup b/script/alpine_setup index 28f836c2..70b3922d 100755 --- a/script/alpine_setup +++ b/script/alpine_setup @@ -9,5 +9,8 @@ source "$(dirname "${0}")"/../script/include/global_header.inc.sh APP_USER="atst" APP_UID="8010" +# Add additional packages required by app dependencies +ADDITIONAL_PACKAGES="postgresql-libs" + # Run the shared alpine setup script source ./script/include/run_alpine_setup From e17c4ca0a272624481587618052fb741c81942fe Mon Sep 17 00:00:00 2001 
From: Devon Mackay Date: Tue, 7 Aug 2018 11:44:57 -0400 Subject: [PATCH 16/50] Add uwsgi server launching script --- script/uwsgi_server | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100755 script/uwsgi_server diff --git a/script/uwsgi_server b/script/uwsgi_server new file mode 100755 index 00000000..e9633892 --- /dev/null +++ b/script/uwsgi_server @@ -0,0 +1,8 @@ +#!/bin/bash + +# script/uwsgi_server: Launch the UWSGI server + +source "$(dirname "${0}")"/../script/include/global_header.inc.sh + +# Launch UWSGI +run_command "uwsgi --ini ${UWSGI_CONFIG_FULLPATH}" From 609719025fa2a341eb4ec7904d45df4087719f64 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 12:17:09 -0400 Subject: [PATCH 17/50] Add FLASK_ENV var --- deploy/kubernetes/atst-envvars-configmap.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/kubernetes/atst-envvars-configmap.yml b/deploy/kubernetes/atst-envvars-configmap.yml index 7e6df66c..06bdf0ee 100644 --- a/deploy/kubernetes/atst-envvars-configmap.yml +++ b/deploy/kubernetes/atst-envvars-configmap.yml @@ -5,5 +5,6 @@ metadata: name: atst-envvars namespace: atat data: + FLASK_ENV: prod OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst-overrides.ini UWSGI_CONFIG_FULLPATH: /opt/atat/uwsgi-config.ini From f2a4d59e0ae23613f3315d8c3fff5b05a4652650 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 13:40:23 -0400 Subject: [PATCH 18/50] Add uwsgi packages to container --- script/alpine_setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/alpine_setup b/script/alpine_setup index 70b3922d..e95d3134 100755 --- a/script/alpine_setup +++ b/script/alpine_setup @@ -10,7 +10,7 @@ APP_USER="atst" APP_UID="8010" # Add additional packages required by app dependencies -ADDITIONAL_PACKAGES="postgresql-libs" +ADDITIONAL_PACKAGES="postgresql-libs uwsgi uwsgi-python3" # Run the shared alpine setup script source ./script/include/run_alpine_setup 
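Review bot: `run_command "uwsgi --ini ${UWSGI_CONFIG_FULLPATH}"` runs with an empty `--ini` argument if the variable is unset, which with the envFrom wiring elsewhere in this series is a plausible misconfiguration, and the resulting failure would be uwsgi's own rather than a clear message. Add `: "${UWSGI_CONFIG_FULLPATH:?UWSGI_CONFIG_FULLPATH must be set}"` before the launch. The whole command is passed to `run_command` as one string, so a path containing whitespace would split; I cannot see `run_command`'s definition from here, so how it evaluates its argument is inferred and worth confirming.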
From c995a232c6e13d4de308ea80fb9fb1523849c97b Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 13:41:38 -0400 Subject: [PATCH 19/50] Add local/bin files to the container so pipenv works --- deploy/docker/prod/Dockerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deploy/docker/prod/Dockerfile b/deploy/docker/prod/Dockerfile index cad745fa..480812c6 100644 --- a/deploy/docker/prod/Dockerfile +++ b/deploy/docker/prod/Dockerfile @@ -7,12 +7,12 @@ ARG APP_USER=atst ARG APP_GROUP=atat ARG APP_DIR=/opt/atat/atst ARG APP_PORT=8000 +ARG LOCAL_BIN_DIR=/usr/local/bin ARG SITE_PACKAGES_DIR=/usr/local/lib/python3.6/site-packages ENV APP_USER "${APP_USER}" ENV APP_GROUP "${APP_GROUP}" ENV APP_DIR "${APP_DIR}" -ENV SKIP_PIPENV true # Set port to open EXPOSE "${APP_PORT}" @@ -28,6 +28,9 @@ CMD ["bash", "-c", "${APP_DIR}/script/uwsgi_server"] # Copy installed python packages from the tester image COPY --from=atst-tester:latest "${SITE_PACKAGES_DIR}" "${SITE_PACKAGES_DIR}" +# Copy local bin directory (contains python system package wrappers) +COPY --from=atst-tester:latest "${LOCAL_BIN_DIR}" "${LOCAL_BIN_DIR}" + # Copy the app directory contents from the tester image (includes node modules) COPY --from=atst-tester:latest "${APP_DIR}" "${APP_DIR}" From 91857d7779d8439f4729911b7ed11ddde757c976 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 15:14:32 -0400 Subject: [PATCH 20/50] Switch to generic alpine for base image and fix python dirs --- deploy/docker/prod/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy/docker/prod/Dockerfile b/deploy/docker/prod/Dockerfile index 480812c6..37a36859 100644 --- a/deploy/docker/prod/Dockerfile +++ b/deploy/docker/prod/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.6.5-alpine +FROM alpine:3.8 ### Very low chance of changing ############################### 
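Review bot: `COPY --from=atst-tester:latest "${LOCAL_BIN_DIR}" "${LOCAL_BIN_DIR}"` copies the entire `/usr/local/bin` of the test image into the production image, and both this and the existing site-packages copy read from a floating `latest` tag. That carries whatever build and test tooling the tester image installed into prod (more attack surface) and makes the build non-reproducible because `latest` moves. Copy only the wrappers that are needed and reference the tester image by digest, `COPY --from=atst-tester@sha256:<digest> ...`. Dropping `ENV SKIP_PIPENV true` changes behaviour for anything that reads it, and the commit message should say why that is now safe.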
@@ -7,8 +7,8 @@ ARG APP_USER=atst ARG APP_GROUP=atat ARG APP_DIR=/opt/atat/atst ARG APP_PORT=8000 -ARG LOCAL_BIN_DIR=/usr/local/bin -ARG SITE_PACKAGES_DIR=/usr/local/lib/python3.6/site-packages +ARG LOCAL_BIN_DIR=/usr/bin +ARG SITE_PACKAGES_DIR=/usr/lib/python3.6/site-packages ENV APP_USER "${APP_USER}" ENV APP_GROUP "${APP_GROUP}" From 6e6dddb507ba9ccef4c976feb6d4d109b6ada582 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 15:14:55 -0400 Subject: [PATCH 21/50] Fix module name and set venv location --- deploy/kubernetes/atst-configmap.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deploy/kubernetes/atst-configmap.yml b/deploy/kubernetes/atst-configmap.yml index 21049ee6..a8c8a11e 100644 --- a/deploy/kubernetes/atst-configmap.yml +++ b/deploy/kubernetes/atst-configmap.yml @@ -16,7 +16,8 @@ data: SECRET_KEY=beb178f9e4e83066ec0baa471cea36151f26bd3779902ae2c24eb5bb66e28c15 uwsgi-config: |- [uwsgi] - module = main callable = app + module = app socket = /var/run/uwsgi/uwsgi.socket plugins = python3 + virtualenv = /opt/atat/atst/.venv From d1f99765e0aad8ccf6db03a989b5172ff477571d Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 15:15:14 -0400 Subject: [PATCH 22/50] Add python3 package --- script/alpine_setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/alpine_setup b/script/alpine_setup index e95d3134..b9eeb9a7 100755 --- a/script/alpine_setup +++ b/script/alpine_setup @@ -10,7 +10,7 @@ APP_USER="atst" APP_UID="8010" # Add additional packages required by app dependencies -ADDITIONAL_PACKAGES="postgresql-libs uwsgi uwsgi-python3" +ADDITIONAL_PACKAGES="postgresql-libs python3 uwsgi uwsgi-python3" # Run the shared alpine setup script source ./script/include/run_alpine_setup From c7c812be05bb7090d8623c054233ca15f1cd8a82 Mon Sep 17 00:00:00 2001 
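Review bot: `SITE_PACKAGES_DIR=/usr/lib/python3.6/site-packages` hard-codes the minor version while the base is now `alpine:3.8` with `python3` coming from apk, so the copied packages silently land in a directory the interpreter never reads if the apk package moves to another 3.x. Pin the apk `python3` version alongside this path and add a build-time guard such as `RUN test -d "${SITE_PACKAGES_DIR}"`. `LOCAL_BIN_DIR=/usr/bin` now makes the later COPY overlay the tester image's whole `/usr/bin` onto the base image, replacing system binaries wholesale, which is a much larger change than "fix python dirs" suggests. Whether the tester image's site-packages were built against the same ABI as Alpine 3.8's python is not visible here and should be confirmed.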
From: Devon Mackay Date: Tue, 7 Aug 2018 15:40:00 -0400 Subject: [PATCH 23/50] Fix collisions and typos --- deploy/kubernetes/atst.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 8918bb59..abba5086 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -22,15 +22,15 @@ spec: spec: containers: - name: atst - image: registry.atat.codes:443/atst-prod:c06b0f6 + image: registry.atat.codes:443/atst-prod:cc680fa envFrom: - configMapRef: name: atst-envvars volumeMounts: - name: atst-config - mountPath: "/opt/atat/atst" + mountPath: "/opt/atat/atst/atst-overrides.ini" - name: uwsgi-config - mountPath: "/opt/atat/atst" + mountPath: "/opt/atat/atst/uwsgi-config.ini" - name: uwsgi-socket-dir mountPath: "/var/run/uwsgi" - name: atst-nginx @@ -39,7 +39,7 @@ spec: - containerPort: 8080 name: http - containerPort: 8443 - name: http + name: https volumeMounts: - name: nginx-auth-tls mountPath: "/etc/ssl/private" @@ -56,7 +56,7 @@ spec: volumes: - name: atst-config configMap: - name: atst + name: atst-config items: - key: atst-config path: atst-overrides.ini @@ -88,7 +88,7 @@ spec: configMap: name: atst-nginx items: - - key: httpasswd + - key: htpasswd path: .htpasswd mode: 0640 - name: uwsgi-config From fb155fbc614e94aa41cf34957b4ea75f492d9471 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 15:40:12 -0400 Subject: [PATCH 24/50] Switch nginx listeners to proper ports --- deploy/kubernetes/atst-nginx-configmap.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index 47b6d5b0..e7ac0bb5 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml 
@@ -10,7 +10,7 @@ data: nginx-config: |- server { server_name www.atat.codes atat.codes; - listen 80 http2; + listen 8080 http2; #if ($http_x_forwarded_proto != 'https') { # return 301 https://$host$request_uri; #} @@ -29,7 +29,7 @@ data: } server { server_name auth.atat.codes; - listen 443 ssl http2; + listen 8443 ssl http2; listen [::]:443 ssl http2 ipv6only=on; # SSL server certificate and private key ssl_certificate /etc/ssl/private/auth.atat.crt From a53c480b58574d0e74f7d3f60dfb64d1c972380c Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 15:47:31 -0400 Subject: [PATCH 25/50] Add missing semicolons --- deploy/kubernetes/atst-nginx-configmap.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index e7ac0bb5..70b91042 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -32,8 +32,8 @@ data: listen 8443 ssl http2; listen [::]:443 ssl http2 ipv6only=on; # SSL server certificate and private key - ssl_certificate /etc/ssl/private/auth.atat.crt - ssl_certificate_key /etc/ssl/private/auth.atat.key + ssl_certificate /etc/ssl/private/auth.atat.crt; + ssl_certificate_key /etc/ssl/private/auth.atat.key; # Set SSL protocols, ciphers, and related options ssl_protocols TLSv1.3 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; From 97569985a865f8dbff166a70ed19326ae3da68cc Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 16:01:59 -0400 Subject: [PATCH 26/50] Fix mount paths and typos --- deploy/kubernetes/atst.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index abba5086..34d05fe2 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -29,8 +29,10 @@ spec: volumeMounts: - name: atst-config mountPath: "/opt/atat/atst/atst-overrides.ini" + subPath: atst-overrides.ini - name: uwsgi-config mountPath: "/opt/atat/atst/uwsgi-config.ini" + subPath: uwsgi-config.ini - name: uwsgi-socket-dir mountPath: "/var/run/uwsgi" - name: atst-nginx @@ -44,11 +46,14 @@ spec: - name: nginx-auth-tls mountPath: "/etc/ssl/private" - name: nginx-config - mountPath: "/etc/nginx/conf.d" + mountPath: "/etc/nginx/conf.d/atst.conf" + subPath: atst.conf - name: nginx-dhparam mountPath: "/etc/ssl" + subPath: dhparam.pem - name: nginx-htpasswd - mountPath: "/etc/nginx" + mountPath: "/etc/nginx/.htpasswd" + subPath: .htpasswd - name: uwsgi-socket-dir mountPath: "/var/run/uwsgi" imagePullSecrets: @@ -69,7 +74,7 @@ spec: path: auth.atat.crt mode: 0644 - key: tls.key - path: auth.atat.crt + path: auth.atat.key mode: 0640 - name: nginx-config configMap: From 23d6f6bf5290915180f9baad75759ad605e8b12a Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 16:38:59 -0400 Subject: [PATCH 27/50] Update uwsgi socket location --- deploy/kubernetes/atst-nginx-configmap.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index 70b91042..50bc622b 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -24,7 +24,7 @@ data: } location @app { include uwsgi_params; - uwsgi_pass unix:///var/run/atst_uwsgi.sock; + uswgi_pass unix:///var/run/uwsgi/uwsgi.socket } } server { 
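Review bot: The `subPath` mounts for `atst-overrides.ini`, `uwsgi-config.ini`, `atst.conf` and `.htpasswd` fix the directory shadowing, but a `subPath` mount of a ConfigMap or Secret item is a one-shot copy that kubelet does not refresh when the ConfigMap changes, so config edits only take effect after a pod restart. That is fine if rollouts always restart pods, but it belongs next to the mounts: `# subPath mounts are not updated when the ConfigMap changes; restart pods after editing atst-nginx or atst-config`. `nginx-dhparam` still has `mountPath: "/etc/ssl"` with `subPath: dhparam.pem`, inconsistent with the other entries that target the file path; this is corrected in patch 30, so it only affects the intermediate state.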
@@ -62,7 +62,7 @@ data: } location @app { include uwsgi_params; - uwsgi_pass unix:///var/run/atst_uwsgi.sock; + uswgi_pass unix:///var/run/uwsgi/uwsgi.socket uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; From bddb59630e6cd180c896af0b1f0e1eddb46ecc17 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 16:40:42 -0400 Subject: [PATCH 28/50] Add missing semi-colons --- deploy/kubernetes/atst-nginx-configmap.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index 50bc622b..2d6a8eb6 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -24,7 +24,7 @@ data: } location @app { include uwsgi_params; - uswgi_pass unix:///var/run/uwsgi/uwsgi.socket + uswgi_pass unix:///var/run/uwsgi/uwsgi.socket; } } server { @@ -62,7 +62,7 @@ data: } location @app { include uwsgi_params; - uswgi_pass unix:///var/run/uwsgi/uwsgi.socket + uswgi_pass unix:///var/run/uwsgi/uwsgi.socket; uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; From 35be729378b3e86b5473f7b66c55beaa913ce59b Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 16:41:08 -0400 Subject: [PATCH 29/50] Update config file paths --- deploy/kubernetes/atst-envvars-configmap.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/kubernetes/atst-envvars-configmap.yml b/deploy/kubernetes/atst-envvars-configmap.yml index 06bdf0ee..23a25061 100644 --- a/deploy/kubernetes/atst-envvars-configmap.yml +++ b/deploy/kubernetes/atst-envvars-configmap.yml 
@@ -6,5 +6,5 @@ metadata: namespace: atat data: FLASK_ENV: prod - OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst-overrides.ini - UWSGI_CONFIG_FULLPATH: /opt/atat/uwsgi-config.ini + OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini + UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi-config.ini From 10efcb98b8ec881a59b8014e8d59c572278586fc Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 16:41:25 -0400 Subject: [PATCH 30/50] Fix mountPath to be file not directory --- deploy/kubernetes/atst.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 34d05fe2..3c552854 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -49,7 +49,7 @@ spec: mountPath: "/etc/nginx/conf.d/atst.conf" subPath: atst.conf - name: nginx-dhparam - mountPath: "/etc/ssl" + mountPath: "/etc/ssl/dhparam.pem" subPath: dhparam.pem - name: nginx-htpasswd mountPath: "/etc/nginx/.htpasswd" From 55c08d11881e11aa5748d9e95777e1ac81dffa80 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 16:43:00 -0400 Subject: [PATCH 31/50] Fix typo --- deploy/kubernetes/atst-nginx-configmap.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index 2d6a8eb6..8f5a0d8a 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -24,7 +24,7 @@ data: } location @app { include uwsgi_params; - uswgi_pass unix:///var/run/uwsgi/uwsgi.socket; + uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; } } server { @@ -62,7 +62,7 @@ data: } location @app { include uwsgi_params; - uswgi_pass unix:///var/run/uwsgi/uwsgi.socket; + uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; 
From 9cb5f88239932a9db48c381ab48102af40edb467 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 17:01:40 -0400 Subject: [PATCH 32/50] Move http traffic to port 8442 --- deploy/kubernetes/atst-nginx-configmap.yml | 5 +++-- deploy/kubernetes/atst.yml | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index 8f5a0d8a..2d7fbd93 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -10,7 +10,8 @@ data: nginx-config: |- server { server_name www.atat.codes atat.codes; - listen 8080 http2; + listen 8442 http2; + listen [::]:8442 http2 ipv6only=on; #if ($http_x_forwarded_proto != 'https') { # return 301 https://$host$request_uri; #} @@ -30,7 +31,7 @@ data: server { server_name auth.atat.codes; listen 8443 ssl http2; - listen [::]:443 ssl http2 ipv6only=on; + listen [::]:8443 ssl http2 ipv6only=on; # SSL server certificate and private key ssl_certificate /etc/ssl/private/auth.atat.crt; ssl_certificate_key /etc/ssl/private/auth.atat.key; diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 3c552854..b26aa989 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -38,7 +38,7 @@ spec: - name: atst-nginx image: nginx:alpine ports: - - containerPort: 8080 + - containerPort: 8442 name: http - containerPort: 8443 name: https @@ -118,7 +118,7 @@ spec: ports: - name: "http" port: 80 - targetPort: 8080 + targetPort: 8442 - name: "https" port: 443 targetPort: 8443 From d74609798166a463da3026757a341e0e597f1d69 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 17:02:17 -0400 Subject: [PATCH 33/50] Allow nginx and atst socket access --- deploy/kubernetes/atst-configmap.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/kubernetes/atst-configmap.yml b/deploy/kubernetes/atst-configmap.yml index a8c8a11e..f3d428cb 100644 
--- a/deploy/kubernetes/atst-configmap.yml +++ b/deploy/kubernetes/atst-configmap.yml @@ -21,3 +21,4 @@ data: socket = /var/run/uwsgi/uwsgi.socket plugins = python3 virtualenv = /opt/atat/atst/.venv + chmod-socket = 666 From b83b62aea0625abf7d3e11ca5b7ab7b9d34f8107 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 7 Aug 2018 18:05:57 -0400 Subject: [PATCH 34/50] Downgrade from http2 for testing --- deploy/kubernetes/atst-nginx-configmap.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index 2d7fbd93..ca80bec7 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -10,8 +10,8 @@ data: nginx-config: |- server { server_name www.atat.codes atat.codes; - listen 8442 http2; - listen [::]:8442 http2 ipv6only=on; + listen 8442; + listen [::]:8442 ipv6only=on; #if ($http_x_forwarded_proto != 'https') { # return 301 https://$host$request_uri; #} @@ -30,8 +30,8 @@ data: } server { server_name auth.atat.codes; - listen 8443 ssl http2; - listen [::]:8443 ssl http2 ipv6only=on; + listen 8443 ssl; + listen [::]:8443 ssl ipv6only=on; # SSL server certificate and private key ssl_certificate /etc/ssl/private/auth.atat.crt; ssl_certificate_key /etc/ssl/private/auth.atat.key; From e9c43f61e33b1847706bebd8567e295ba3a0cc18 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 08:27:38 -0400 Subject: [PATCH 35/50] Temp: remove basic auth for testing --- deploy/kubernetes/atst-nginx-configmap.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index ca80bec7..d210d7c3 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml 
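Review bot: `chmod-socket = 666` makes the uwsgi socket world-writable; the `emptyDir` is only reachable from the two containers in the pod, so the exposure is limited, but any uid in either container can then open the socket and talk to the app. A tighter setting that still works for the nginx sidecar is `chmod-socket = 660` together with `chown-socket = atst:<shared-group>`, which requires the nginx worker and the app user to share a GID (or both containers to use the same `fsGroup`). A comment stating the intent, `# socket is shared with the nginx sidecar through the uwsgi-socket-dir emptyDir`, would help the next reader understand why the mode is relaxed at all.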
@@ -15,11 +15,9 @@ data: #if ($http_x_forwarded_proto != 'https') { # return 301 https://$host$request_uri; #} - location /login-dev { - auth_basic "Developer Access"; - auth_basic_user_file /etc/nginx/.htpasswd; - try_files $uri @app; - } + #location /login-dev { + # try_files $uri @appbasicauth; + #} location / { try_files $uri @app; } @@ -27,6 +25,12 @@ data: include uwsgi_params; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; } + location @appbasicauth { + include uwsgi_params; + uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; + #auth_basic "Developer Access"; + #auth_basic_user_file /etc/nginx/.htpasswd; + } } server { server_name auth.atat.codes; From f628460001ecf79c9ec2f77c8546879569f3601d Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 08:28:09 -0400 Subject: [PATCH 36/50] Rename reference script --- deploy/kubernetes/{create_secret.sh => set_dhparam_secret.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deploy/kubernetes/{create_secret.sh => set_dhparam_secret.sh} (100%) diff --git a/deploy/kubernetes/create_secret.sh b/deploy/kubernetes/set_dhparam_secret.sh similarity index 100% rename from deploy/kubernetes/create_secret.sh rename to deploy/kubernetes/set_dhparam_secret.sh From 84b0bda701fbfc7400948949614e7d6c28c45223 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 08:28:52 -0400 Subject: [PATCH 37/50] Move atst ini config into secret --- deploy/kubernetes/atst-configmap.yml | 9 --------- deploy/kubernetes/set_atstconfig_secret.sh | 3 +++ 2 files changed, 3 insertions(+), 9 deletions(-) create mode 100644 deploy/kubernetes/set_atstconfig_secret.sh diff --git a/deploy/kubernetes/atst-configmap.yml b/deploy/kubernetes/atst-configmap.yml index f3d428cb..a9584fc5 100644 --- a/deploy/kubernetes/atst-configmap.yml +++ b/deploy/kubernetes/atst-configmap.yml 
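Review bot: Commenting out the `/login-dev` location does not merely drop basic auth on that path — the request now falls through to `location /` and `@app`, so the dev login endpoint is served by the application with no proxy-side gate at all, behind an ingress that is public. The commit is labelled temporary, but a manifest edit is easy to forget; if the endpoint has to be open for testing, prefer a flag the application checks (refuse to serve the dev login unless explicitly enabled) so the protection does not depend on an nginx block being un-commented. At minimum keep the location and point it at `@appbasicauth` with the `auth_basic` lines active, rather than removing the route from nginx's view entirely.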
@@ -5,15 +5,6 @@ metadata: name: atst-config namespace: atat data: - atst-config: |- - [default] - CAC_URL=https://auth.atat.codes - COOKIE_SECRET=a12c87558f85566f846ea53fd3f1611dd207d71677966d4d04a8e59d4d8c6737 - ENVIRONMENT=production - PGHOST=postgres-master.atat.svc.cluster.local - REDIS_URI=redis://redis-master.atat.svc.cluster.local:6379 - SECRET=92d2ef2aedf518e1e04a2a99445e6649539a91f06c977f3d69980c63e4e0fb45 - SECRET_KEY=beb178f9e4e83066ec0baa471cea36151f26bd3779902ae2c24eb5bb66e28c15 uwsgi-config: |- [uwsgi] callable = app diff --git a/deploy/kubernetes/set_atstconfig_secret.sh b/deploy/kubernetes/set_atstconfig_secret.sh new file mode 100644 index 00000000..926fa1a0 --- /dev/null +++ b/deploy/kubernetes/set_atstconfig_secret.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +kubectl -n atat create secret generic atst-config-ini --from-file=${1} From e1a49b2e729b9c703036eca9d09e9139c3ebc459 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 08:29:38 -0400 Subject: [PATCH 38/50] Switch auth.atat to direct nodeport service --- deploy/kubernetes/atst.yml | 43 +++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index b26aa989..bb3b19e0 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -22,7 +22,7 @@ spec: spec: containers: - name: atst - image: registry.atat.codes:443/atst-prod:cc680fa + image: registry.atat.codes:443/atst-prod:e9b6f76 envFrom: - configMapRef: name: atst-envvars @@ -116,12 +116,26 @@ metadata: namespace: atat spec: ports: - - name: "http" + - name: http port: 80 targetPort: 8442 - - name: "https" - port: 443 - targetPort: 8443 + selector: + app: atst +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: atst + name: atst-auth + namespace: atat +spec: + type: NodePort + ports: + - name: https + protocol: TCP + nodePort: 32751 + port: 8443 selector: app: atst --- 
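Review bot: Removing `COOKIE_SECRET`, `SECRET` and `SECRET_KEY` from the ConfigMap does not un-leak them — the literal values remain in git history for anyone with repository access, and the Secret created by `set_atstconfig_secret.sh` will presumably be built from a file carrying the same strings. Treat the three values as compromised: generate fresh ones for the file handed to the script, and expect sessions signed with the old keys to be invalidated on rotation. The new script also takes `${1}` unquoted and without a usage check, so running it with no argument produces an empty `--from-file=`; a one-line guard such as `file="${1:?usage: $0 <atst-overrides.ini>}"` turns that into a clear error.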
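Review bot: The new `atst-auth` Service of `type: NodePort` opens `32751` on every node in the cluster, so the client-certificate endpoint is reachable from anything that can route to a node IP, not only through whatever load balancer fronts it; check that node security groups or firewalls restrict that port to the intended source. With the default `externalTrafficPolicy: Cluster`, traffic is typically SNATed on its way to the pod, so the nginx that validates the CAC certificate will log node addresses rather than client addresses — `externalTrafficPolicy: Local` preserves the source IP if the external balancer can health-check per node. A comment on the Service explaining why it bypasses the ingress (TLS has to terminate in the pod so the app can validate client certificates, per the earlier ssl-passthrough patch) would help the next reader.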
@@ -147,22 +161,3 @@ spec: backend: serviceName: atst servicePort: 80 ---- -apiVersion: extensions/v1beta1 -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: atst-auth - namespace: atat - annotations: - nginx.ingress.kubernetes.io/proxy-body-size: 10m - ingress.kubernetes.io/ssl-passthrough: "true" -spec: - rules: - - host: auth.atat.codes - http: - paths: - - path: / - backend: - serviceName: atst - servicePort: 443 From 880b14574783e484133727b99649ed5cbb60410a Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 08:49:58 -0400 Subject: [PATCH 39/50] Make helper scripts executable --- deploy/kubernetes/set_atstconfig_secret.sh | 0 deploy/kubernetes/set_dhparam_secret.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 deploy/kubernetes/set_atstconfig_secret.sh mode change 100644 => 100755 deploy/kubernetes/set_dhparam_secret.sh diff --git a/deploy/kubernetes/set_atstconfig_secret.sh b/deploy/kubernetes/set_atstconfig_secret.sh old mode 100644 new mode 100755 diff --git a/deploy/kubernetes/set_dhparam_secret.sh b/deploy/kubernetes/set_dhparam_secret.sh old mode 100644 new mode 100755 From e5567bf3c3e035eaed1bf83ddf16dc41d38524d0 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 08:50:34 -0400 Subject: [PATCH 40/50] Switch to passing in the file name --- deploy/kubernetes/set_dhparam_secret.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/set_dhparam_secret.sh b/deploy/kubernetes/set_dhparam_secret.sh index 90ab3552..ac93d348 100755 --- a/deploy/kubernetes/set_dhparam_secret.sh +++ b/deploy/kubernetes/set_dhparam_secret.sh @@ -1,3 +1,3 @@ #!/bin/bash -kubectl -n atat create secret generic dhparam-4096 --from-file=./dhparam.pem +kubectl -n atat create secret generic dhparam-4096 --from-file=${1} From 3a377dcb11cc94c8861d66a6abdbc61e577c7703 Mon Sep 17 00:00:00 2001 
From: Devon Mackay Date: Wed, 8 Aug 2018 08:55:35 -0400 Subject: [PATCH 41/50] Convert atst ini config into a secret --- deploy/kubernetes/atst.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index bb3b19e0..150518ae 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -60,10 +60,10 @@ spec: - name: regcred volumes: - name: atst-config - configMap: - name: atst-config + secret: + secretName: atst-config-ini items: - - key: atst-config + - key: atst-overrides.ini path: atst-overrides.ini mode: 0644 - name: nginx-auth-tls From 90970367c830572374b77275e8d71de3c3b9771b Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 08:56:07 -0400 Subject: [PATCH 42/50] Add yarn build after setup is completed --- script/setup | 2 ++ 1 file changed, 2 insertions(+) diff --git a/script/setup b/script/setup index 23a2fce3..f3b5b616 100755 --- a/script/setup +++ b/script/setup @@ -16,3 +16,5 @@ source ./script/include/run_setup # Fetch and import the PE numbers run_command "python script/ingest_pe_numbers.py" + +yarn build From bde339871a98227d1fe20555c424b9a6109ab2ee Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 09:57:30 -0400 Subject: [PATCH 43/50] Add delete secret before recreating --- deploy/kubernetes/set_atstconfig_secret.sh | 3 ++- deploy/kubernetes/set_dhparam_secret.sh | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/deploy/kubernetes/set_atstconfig_secret.sh b/deploy/kubernetes/set_atstconfig_secret.sh index 926fa1a0..0dcb90b0 100755 --- a/deploy/kubernetes/set_atstconfig_secret.sh +++ b/deploy/kubernetes/set_atstconfig_secret.sh @@ -1,3 +1,4 @@ #!/bin/bash -kubectl -n atat create secret generic atst-config-ini --from-file=${1} +kubectl -n atat delete secret atst-config-ini +kubectl -n atat create secret generic atst-config-ini --from-file="${1}" 
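Review bot: The application ini, now sourced from a Secret, is mounted with `mode: 0644`, readable by every uid in the container, while the dhparam in the same volume list uses `0640`; `0440` (or `0400` if the app process owns it) plus a matching `fsGroup` keeps the signing keys inside the ini from being readable by any other process that lands in the pod. Separately, `key: atst-overrides.ini` only exists if the file passed to `set_atstconfig_secret.sh` is itself named `atst-overrides.ini`, because `--from-file=<path>` keys the entry by basename unless written as `--from-file=atst-overrides.ini=<path>`; a comment on the volume, or an explicit key in the script, makes that coupling visible. The Deployment spec this hunk belongs to starts and ends outside the hunk.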
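Review bot: `kubectl delete secret` followed by `create` is not atomic: between the two commands the Secret is absent, and if `create` fails (bad path, RBAC, quota) the cluster is left without `atst-config-ini` and the next pod restart cannot mount its config. Generating the manifest client-side and applying it updates in place and also works on first run: `kubectl -n atat create secret generic atst-config-ini --from-file="${1}" --dry-run -o yaml | kubectl -n atat apply -f -` (the dry-run flag spelling depends on the kubectl version in use). A `set -euo pipefail` and a `${1:?usage: $0 <atst-overrides.ini>}` check at the top would turn a missing argument into an immediate error rather than an empty `--from-file=`.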
diff --git a/deploy/kubernetes/set_dhparam_secret.sh b/deploy/kubernetes/set_dhparam_secret.sh index ac93d348..dfc9401a 100755 --- a/deploy/kubernetes/set_dhparam_secret.sh +++ b/deploy/kubernetes/set_dhparam_secret.sh @@ -1,3 +1,4 @@ #!/bin/bash -kubectl -n atat create secret generic dhparam-4096 --from-file=${1} +kubectl -n atat delete secret dhparam-4096 +kubectl -n atat create secret generic dhparam-4096 --from-file="${1}" From 2822ff16c56eb82e2b97c90223d4eefdf98d76fb Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 09:58:01 -0400 Subject: [PATCH 44/50] Set FLASK_DEV to dev for staging --- deploy/kubernetes/atst-envvars-configmap.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/atst-envvars-configmap.yml b/deploy/kubernetes/atst-envvars-configmap.yml index 23a25061..e7bfec14 100644 --- a/deploy/kubernetes/atst-envvars-configmap.yml +++ b/deploy/kubernetes/atst-envvars-configmap.yml @@ -5,6 +5,6 @@ metadata: name: atst-envvars namespace: atat data: - FLASK_ENV: prod + FLASK_ENV: dev OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi-config.ini From ae2c6b01ffb5dd8b6156ba577e07b083e6f52b36 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 09:58:25 -0400 Subject: [PATCH 45/50] Enable basic auth for /login-dev --- deploy/kubernetes/atst-nginx-configmap.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index d210d7c3..b30ff73d 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -15,9 +15,9 @@ data: #if ($http_x_forwarded_proto != 'https') { # return 301 https://$host$request_uri; #} - #location /login-dev { - # try_files $uri @appbasicauth; - #} + location /login-dev { + try_files $uri @appbasicauth; + } location / { try_files $uri @app; } 
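Review bot: The delete-then-create sequence leaves a window with no `dhparam-4096` Secret, and if the `create` step fails after `delete` succeeded, nginx pods that mount it cannot start until the script is re-run successfully. `kubectl -n atat create secret generic dhparam-4096 --from-file="${1}" --dry-run -o yaml | kubectl -n atat apply -f -` is idempotent and has no such window. Validating the argument with `${1:?usage: $0 <dhparam.pem>}` is worth the extra line, since the script otherwise runs with an empty path when invoked without one.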
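Review bot: `FLASK_ENV: dev` is set in the single committed `atst-envvars` ConfigMap, the same manifest set whose ini said `ENVIRONMENT=production` and whose image is tagged `atst-prod`, so nothing in the repository distinguishes the staging value from what a production apply would get. If this value gates anything security-relevant in the app (a dev login path, debug output), it should come from an overlay or a per-environment file rather than an edit to the shared manifest, and the line deserves a comment such as `# staging only: must not be applied to production` stating what the app keys on. Note also that Flask itself recognises `development`, not `dev`, for its built-in debug behaviour; if the app reads this variable through its own config loader that is fine, but worth confirming.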
@@ -28,8 +28,8 @@ data: location @appbasicauth { include uwsgi_params; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; - #auth_basic "Developer Access"; - #auth_basic_user_file /etc/nginx/.htpasswd; + auth_basic "Developer Access"; + auth_basic_user_file /etc/nginx/.htpasswd; } } server { From aecb310a9be0e3dbaf35ca589c4761317c5ea435 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 10:04:19 -0400 Subject: [PATCH 46/50] Set gid for mounted files to 101 (nginx) --- deploy/kubernetes/atst.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 150518ae..842558dc 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -20,6 +20,8 @@ spec: labels: app: atst spec: + securityContext: + fsGroup: 101 containers: - name: atst image: registry.atat.codes:443/atst-prod:e9b6f76 From 3277386ae1d8802210752699ebb655df7c31a271 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 10:10:37 -0400 Subject: [PATCH 47/50] Add reference script for setting the htpasswd file contents --- deploy/kubernetes/set_htpasswd_secret.sh | 4 ++++ 1 file changed, 4 insertions(+) create mode 100755 deploy/kubernetes/set_htpasswd_secret.sh diff --git a/deploy/kubernetes/set_htpasswd_secret.sh b/deploy/kubernetes/set_htpasswd_secret.sh new file mode 100755 index 00000000..540048ca --- /dev/null +++ b/deploy/kubernetes/set_htpasswd_secret.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +kubectl -n atat delete secret atst-nginx-htpasswd +kubectl -n atat create secret generic atst-nginx-htpasswd --from-file="${1}" From 5c647a5c4126d64ca24908a213b34a412342b171 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 10:11:51 -0400 Subject: [PATCH 48/50] Switch htpasswd to use a secret --- deploy/kubernetes/atst-nginx-configmap.yml | 2 -- deploy/kubernetes/atst.yml | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) 
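Review bot: The basic-auth gate lives only inside the named location `@appbasicauth`, and `/login-dev` reaches it via `try_files $uri @appbasicauth`, so a request for a path under `/login-dev` that matches an existing file in the document root is served directly with no authentication. Moving the two lines `auth_basic "Developer Access";` and `auth_basic_user_file /etc/nginx/.htpasswd;` into `location /login-dev` itself closes that, since access-phase directives apply before `try_files` resolves. This is also a proxy-side control on a prefix match — anything that reaches the uwsgi socket or the app by another route bypasses it — so the application should refuse to serve the dev login unless explicitly enabled as well. The `server` block these lines belong to starts outside the hunk.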
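Review bot: `fsGroup: 101` carries no explanation in the manifest; the reason (101 is the nginx group in `nginx:alpine`, so the mounted key, dhparam and htpasswd become group-readable by the nginx worker) lives only in the commit subject and is lost to anyone reading the YAML. Add `# 101 = nginx group in nginx:alpine; makes Secret mounts group-readable by the nginx container` above it. Because fsGroup applies to every volume in the pod, it also makes the application ini group-readable by the nginx container — acceptable if intended, but worth stating; and while touching the pod securityContext, `runAsNonRoot: true` would be a cheap addition if both images support it (not verifiable from this hunk).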
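Review bot: The helper accepts any file, and the only htpasswd content visible in this series is an `$apr1$` (MD5-crypt) hash; the file fed to this script should be generated with `htpasswd -B` (bcrypt) rather than the MD5 default so an exposed Secret is not cheaply brute-forced. A usage comment records that: `# usage: set_htpasswd_secret.sh <htpasswd file generated with htpasswd -B>`. The delete-then-create sequence also leaves a window with no Secret and a failure mode where `create` errors after `delete` succeeded; `kubectl -n atat create secret generic atst-nginx-htpasswd --from-file="${1}" --dry-run -o yaml | kubectl -n atat apply -f -` avoids both.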
diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index b30ff73d..eef7b377 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -5,8 +5,6 @@ metadata: name: atst-nginx namespace: atat data: - htpasswd: | - atat:$apr1$D9ZQ6.AS$BwgIHxTMbRQsv4LbbAGAT/ nginx-config: |- server { server_name www.atat.codes atat.codes; diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml index 842558dc..c302f8af 100644 --- a/deploy/kubernetes/atst.yml +++ b/deploy/kubernetes/atst.yml @@ -92,8 +92,8 @@ spec: path: dhparam.pem mode: 0640 - name: nginx-htpasswd - configMap: - name: atst-nginx + secret: + secretName: atst-nginx-htpasswd items: - key: htpasswd path: .htpasswd From df6c563262bba6ae7b89ca012ad105f52b342a21 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Wed, 8 Aug 2018 10:49:26 -0400 Subject: [PATCH 49/50] Enable redirects for login route and non-ssl traffic --- deploy/kubernetes/atst-nginx-configmap.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml index eef7b377..6e2b1d69 100644 --- a/deploy/kubernetes/atst-nginx-configmap.yml +++ b/deploy/kubernetes/atst-nginx-configmap.yml @@ -10,9 +10,12 @@ data: server_name www.atat.codes atat.codes; listen 8442; listen [::]:8442 ipv6only=on; - #if ($http_x_forwarded_proto != 'https') { - # return 301 https://$host$request_uri; - #} + if ($http_x_forwarded_proto != 'https') { + return 301 https://$host$request_uri; + } + location /login-redirect { + return 301 https://auth.atat.codes$request_uri; + } location /login-dev { try_files $uri @appbasicauth; } From 22a7c53db66acaa166382b05b8e731adad994ef9 Mon Sep 17 00:00:00 2001 
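Review bot: Deleting `atat:$apr1$D9ZQ6.AS$BwgIHxTMbRQsv4LbbAGAT/` from the ConfigMap leaves that hash in git history, and MD5-crypt is fast to attack offline, so treat the `atat` password as burned and issue a new one when populating the `atst-nginx-htpasswd` Secret, preferably hashed with `htpasswd -B`. The mount in `atst.yml` keeps `key: htpasswd`, which means the file handed to the helper script must be named `htpasswd` (or the key given explicitly as `--from-file=htpasswd=<path>`); a comment on the volume would save a confusing mount failure. The `volumes` list this hunk edits continues outside the hunk.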
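Review bot: The redirect keys off `$http_x_forwarded_proto`, a request header nginx trusts as-is; that is safe only because the `atst` Service is ClusterIP and clients reach this server through the ingress that sets the header, so record the assumption with `# trusts X-Forwarded-Proto from the ingress; this server must not be exposed directly` in case the Service type changes. Since TLS terminates at the ingress, browsers never receive an HSTS header from nginx; adding `add_header Strict-Transport-Security "max-age=31536000" always;` in this server block (unless the ingress controller is already configured to add it) makes the https-only policy stick client-side rather than relying on the redirect each time. The `server` block this hunk edits continues outside the hunk.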
From: Devon Mackay Date: Wed, 8 Aug 2018 10:52:40 -0400 Subject: [PATCH 50/50] Fastforward script/include to most recent master --- script/include | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/include b/script/include index 7b768d8e..c44ca507 160000 --- a/script/include +++ b/script/include @@ -1 +1 @@ -Subproject commit 7b768d8e19f1b475553eecbb280b318ebf85a66c +Subproject commit c44ca5070da78fd522a2e485aaa225cc638e11d3