pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #141 from dod-ccpo/kube-deploy

Browse Source 
Kube deploy
This commit is contained in:
Devon 2018-08-08 11:01:33 -04:00 committed by GitHub
commit df773855d5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 306 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.dockerignore
View File

@ -16,12 +16,14 @@ log/*
LICENSE
*.md
# Skip pipenv/virtualenv related things
# Skip envrc
.envrc
.venv
# Skip ansible-container stuff
ansible*
container.yml
meta.yml
requirements.yml
# Skip kubernetes and Docker config stuff
deploy

11
deploy/docker/prod/Dockerfile
View File

@ -1,4 +1,4 @@
FROM python:3.6.5-alpine
FROM alpine:3.8
### Very low chance of changing
###############################
@ -7,12 +7,12 @@ ARG APP_USER=atst
ARG APP_GROUP=atat
ARG APP_DIR=/opt/atat/atst
ARG APP_PORT=8000
ARG SITE_PACKAGES_DIR=/usr/local/lib/python3.6/site-packages
ARG LOCAL_BIN_DIR=/usr/bin
ARG SITE_PACKAGES_DIR=/usr/lib/python3.6/site-packages
ENV APP_USER "${APP_USER}"
ENV APP_GROUP "${APP_GROUP}"
ENV APP_DIR "${APP_DIR}"
ENV SKIP_PIPENV true
# Set port to open
EXPOSE "${APP_PORT}"
@ -21,13 +21,16 @@ EXPOSE "${APP_PORT}"
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
# Default command is to launch the server
CMD ["bash", "-c", "${APP_DIR}/script/server"]
CMD ["bash", "-c", "${APP_DIR}/script/uwsgi_server"]
### Items that will change almost every build
#############################################
# Copy installed python packages from the tester image
COPY --from=atst-tester:latest "${SITE_PACKAGES_DIR}" "${SITE_PACKAGES_DIR}"
# Copy local bin directory (contains python system package wrappers)
COPY --from=atst-tester:latest "${LOCAL_BIN_DIR}" "${LOCAL_BIN_DIR}"
# Copy the app directory contents from the tester image (includes node modules)
COPY --from=atst-tester:latest "${APP_DIR}" "${APP_DIR}"

15
deploy/kubernetes/atst-configmap.yml Normal file
View File

@ -0,0 +1,15 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-config
namespace: atat
data:
uwsgi-config: |-
[uwsgi]
callable = app
module = app
socket = /var/run/uwsgi/uwsgi.socket
plugins = python3
virtualenv = /opt/atat/atst/.venv
chmod-socket = 666

10
deploy/kubernetes/atst-envvars-configmap.yml Normal file
View File

@ -0,0 +1,10 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-envvars
namespace: atat
data:
FLASK_ENV: dev
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi-config.ini

79
deploy/kubernetes/atst-nginx-configmap.yml Normal file
View File

@ -0,0 +1,79 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-nginx
namespace: atat
data:
nginx-config: |-
server {
server_name www.atat.codes atat.codes;
listen 8442;
listen [::]:8442 ipv6only=on;
if ($http_x_forwarded_proto != 'https') {
return 301 https://$host$request_uri;
}
location /login-redirect {
return 301 https://auth.atat.codes$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
}
location @appbasicauth {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
auth_basic "Developer Access";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}
server {
server_name auth.atat.codes;
listen 8443 ssl;
listen [::]:8443 ssl ipv6only=on;
# SSL server certificate and private key
ssl_certificate /etc/ssl/private/auth.atat.crt;
ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate
#ssl_verify_client on;
#ssl_verify_depth 10;
#ssl_client_certificate /etc/nginx/ssl/ca/client-ca.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://www.atat.codes$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
}
}

165
deploy/kubernetes/atst.yml Normal file
View File

@ -0,0 +1,165 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: atat
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: atst
name: atst
namespace: atat
spec:
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: atst
spec:
securityContext:
fsGroup: 101
containers:
- name: atst
image: registry.atat.codes:443/atst-prod:e9b6f76
envFrom:
- configMapRef:
name: atst-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: uwsgi-config
mountPath: "/opt/atat/atst/uwsgi-config.ini"
subPath: uwsgi-config.ini
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
- name: atst-nginx
image: nginx:alpine
ports:
- containerPort: 8442
name: http
- containerPort: 8443
name: https
volumeMounts:
- name: nginx-auth-tls
mountPath: "/etc/ssl/private"
- name: nginx-config
mountPath: "/etc/nginx/conf.d/atst.conf"
subPath: atst.conf
- name: nginx-dhparam
mountPath: "/etc/ssl/dhparam.pem"
subPath: dhparam.pem
- name: nginx-htpasswd
mountPath: "/etc/nginx/.htpasswd"
subPath: .htpasswd
- name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi"
imagePullSecrets:
- name: regcred
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: atst-overrides.ini
path: atst-overrides.ini
mode: 0644
- name: nginx-auth-tls
secret:
secretName: auth-atst-ingress-tls
items:
- key: tls.crt
path: auth.atat.crt
mode: 0644
- key: tls.key
path: auth.atat.key
mode: 0640
- name: nginx-config
configMap:
name: atst-nginx
items:
- key: nginx-config
path: atst.conf
- name: nginx-dhparam
secret:
secretName: dhparam-4096
items:
- key: dhparam.pem
path: dhparam.pem
mode: 0640
- name: nginx-htpasswd
secret:
secretName: atst-nginx-htpasswd
items:
- key: htpasswd
path: .htpasswd
mode: 0640
- name: uwsgi-config
configMap:
name: atst-config
items:
- key: uwsgi-config
path: uwsgi-config.ini
mode: 0644
- name: uwsgi-socket-dir
emptyDir:
medium: Memory
---
apiVersion: v1
kind: Service
metadata:
labels:
app: atst
name: atst
namespace: atat
spec:
ports:
- name: http
port: 80
targetPort: 8442
selector:
app: atst
---
apiVersion: v1
kind: Service
metadata:
labels:
app: atst
name: atst-auth
namespace: atat
spec:
type: NodePort
ports:
- name: https
protocol: TCP
nodePort: 32751
port: 8443
selector:
app: atst
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: atst
namespace: atat
annotations:
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/proxy-body-size: 10m
spec:
tls:
- hosts:
- www.atat.codes
secretName: atst-ingress-tls
rules:
- host: www.atat.codes
http:
paths:
- path: /
backend:
serviceName: atst
servicePort: 80

4
deploy/kubernetes/set_atstconfig_secret.sh Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
kubectl -n atat delete secret atst-config-ini
kubectl -n atat create secret generic atst-config-ini --from-file="${1}"

4
deploy/kubernetes/set_dhparam_secret.sh Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
kubectl -n atat delete secret dhparam-4096
kubectl -n atat create secret generic dhparam-4096 --from-file="${1}"

4
deploy/kubernetes/set_htpasswd_secret.sh Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
kubectl -n atat delete secret atst-nginx-htpasswd
kubectl -n atat create secret generic atst-nginx-htpasswd --from-file="${1}"

3
script/alpine_setup
View File

@ -9,5 +9,8 @@ source "$(dirname "${0}")"/../script/include/global_header.inc.sh
APP_USER="atst"
APP_UID="8010"
# Add additional packages required by app dependencies
ADDITIONAL_PACKAGES="postgresql-libs python3 uwsgi uwsgi-python3"
# Run the shared alpine setup script
source ./script/include/run_alpine_setup

2
script/include

@ -1 +1 @@
Subproject commit 8cf96c9776e7fd73c11d57160d26fc1715bf00da
Subproject commit c44ca5070da78fd522a2e485aaa225cc638e11d3

2
script/setup
View File

@ -16,3 +16,5 @@ source ./script/include/run_setup
# Fetch and import the PE numbers
run_command "python script/ingest_pe_numbers.py"
yarn build

8
script/uwsgi_server Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
# script/uwsgi_server: Launch the UWSGI server
source "$(dirname "${0}")"/../script/include/global_header.inc.sh
# Launch UWSGI
run_command "uwsgi --ini ${UWSGI_CONFIG_FULLPATH}"